markparz (Thu, 02 Feb 2017 23:35:02 GMT):
Discussions about using and developing the fabric-ca (formerly known as the COP component). fabric-ca is a runtime component which issues cryptographic material which can be used to participate in a Fabric network.

donjohnny (Thu, 02 Feb 2017 23:40:58 GMT):
Has joined the channel.

ashutosh_kumar (Fri, 03 Feb 2017 00:22:11 GMT):
Has joined the channel.

mastersingh24 (Fri, 03 Feb 2017 00:49:26 GMT):
Has joined the channel.

mastersingh24 (Fri, 03 Feb 2017 00:50:42 GMT):
welcome to fabric-ca rocket.chat!

salmanbaset (Fri, 03 Feb 2017 01:18:41 GMT):
Has joined the channel.

JonathanTan (Fri, 03 Feb 2017 01:53:49 GMT):
Has joined the channel.

tuand (Fri, 03 Feb 2017 02:10:18 GMT):
Has joined the channel.

grapebaba (Fri, 03 Feb 2017 02:21:45 GMT):
Has joined the channel.

timblankers (Fri, 03 Feb 2017 02:42:25 GMT):
Has joined the channel.

Ratnakar (Fri, 03 Feb 2017 02:51:51 GMT):
Has joined the channel.

SriramaSharma (Fri, 03 Feb 2017 03:24:08 GMT):
Has joined the channel.

harsha (Fri, 03 Feb 2017 05:27:52 GMT):
Has joined the channel.

JonathanLevi (Fri, 03 Feb 2017 07:47:21 GMT):
Has joined the channel.

ryokawajp (Fri, 03 Feb 2017 07:49:29 GMT):
Has joined the channel.

cca88 (Fri, 03 Feb 2017 08:18:51 GMT):
Has joined the channel.

jdockter (Fri, 03 Feb 2017 11:37:34 GMT):
Has joined the channel.

dante (Fri, 03 Feb 2017 13:10:33 GMT):
Has joined the channel.

silliman (Fri, 03 Feb 2017 13:54:35 GMT):
Has joined the channel.

gormand (Fri, 03 Feb 2017 14:24:55 GMT):
Has joined the channel.

ssaddem (Fri, 03 Feb 2017 15:50:47 GMT):
Has joined the channel.

latitiah (Fri, 03 Feb 2017 15:57:44 GMT):
Has joined the channel.

cdaughtr (Fri, 03 Feb 2017 16:24:48 GMT):
Has joined the channel.

smithbk (Fri, 03 Feb 2017 16:33:02 GMT):
Has joined the channel.

nnao (Fri, 03 Feb 2017 16:52:56 GMT):
Has joined the channel.

david_dornseifer (Fri, 03 Feb 2017 18:18:01 GMT):
Has joined the channel.

Nishi (Fri, 03 Feb 2017 18:30:14 GMT):
Has joined the channel.

rickr (Fri, 03 Feb 2017 18:51:59 GMT):
Has joined the channel.

rickr (Fri, 03 Feb 2017 18:52:18 GMT):
@mastersingh24 Blast off !!

fz (Fri, 03 Feb 2017 19:26:59 GMT):
Has joined the channel.

karkal (Fri, 03 Feb 2017 19:50:03 GMT):
Has joined the channel.

bsmita (Fri, 03 Feb 2017 20:04:07 GMT):
Has joined the channel.

ashutosh_kumar (Fri, 03 Feb 2017 20:07:07 GMT):
thanks @mastersingh24

ashutosh_kumar (Fri, 03 Feb 2017 20:07:20 GMT):
Will life be better here on this Pod?

mastersingh24 (Fri, 03 Feb 2017 20:07:36 GMT):
hard to say ;)

mastersingh24 (Fri, 03 Feb 2017 20:07:42 GMT):
can life get any better?

rickr (Fri, 03 Feb 2017 20:09:01 GMT):
Did you mean _bitter_?

ashutosh_kumar (Fri, 03 Feb 2017 20:11:19 GMT):
We should have fun regardless, whether life becomes better or not.

ashutosh_kumar (Fri, 03 Feb 2017 20:44:43 GMT):
I have one question: How often are we going to vendor BCCSP code into Fabric-CA? Will it be a real-time or manual process?

mastersingh24 (Fri, 03 Feb 2017 21:41:47 GMT):
I think it will need to be manual although we can add a make target which updates it

ericmvaughn (Fri, 03 Feb 2017 22:04:30 GMT):
Has joined the channel.

mdavid (Fri, 03 Feb 2017 22:07:17 GMT):
Has joined the channel.

jeffgarratt (Fri, 03 Feb 2017 23:48:33 GMT):
Has joined the channel.

sachikoy (Fri, 03 Feb 2017 23:57:08 GMT):
Has joined the channel.

David.Yan (Sat, 04 Feb 2017 03:30:49 GMT):
Has joined the channel.

genggjh (Sat, 04 Feb 2017 03:41:41 GMT):
Has joined the channel.

bfuentes@fr.ibm.com (Sat, 04 Feb 2017 09:19:34 GMT):
Has joined the channel.

ruslan.kryukov (Sat, 04 Feb 2017 10:12:06 GMT):
Has joined the channel.

yury (Sat, 04 Feb 2017 11:45:58 GMT):
Has joined the channel.

seand20tech (Sat, 04 Feb 2017 16:20:20 GMT):
Has joined the channel.

MadhavaReddy (Sat, 04 Feb 2017 18:12:34 GMT):
Has joined the channel.

lehors (Sun, 05 Feb 2017 09:04:08 GMT):
Has joined the channel.

patchpon (Sun, 05 Feb 2017 10:06:39 GMT):
Has joined the channel.

kkpatel (Sun, 05 Feb 2017 18:02:17 GMT):
Has joined the channel.

Honglei (Sun, 05 Feb 2017 23:57:13 GMT):
Has joined the channel.

hanhzf (Mon, 06 Feb 2017 03:35:10 GMT):
Has joined the channel.

bryanhuang (Mon, 06 Feb 2017 04:28:58 GMT):
Has joined the channel.

kansi (Mon, 06 Feb 2017 05:10:56 GMT):
Has joined the channel.

Vadim (Mon, 06 Feb 2017 06:37:44 GMT):
Has joined the channel.

TakekiyoKubo (Mon, 06 Feb 2017 07:21:42 GMT):
Has joined the channel.

ibmamnt (Mon, 06 Feb 2017 07:49:37 GMT):
Has joined the channel.

pd93 (Mon, 06 Feb 2017 08:51:44 GMT):
Has joined the channel.

david.peyronnin (Mon, 06 Feb 2017 09:47:42 GMT):
Has joined the channel.

aarenw (Mon, 06 Feb 2017 10:01:22 GMT):
Has joined the channel.

Amjadnz (Mon, 06 Feb 2017 11:08:43 GMT):
Has joined the channel.

maximus rus (Mon, 06 Feb 2017 11:58:52 GMT):
Has joined the channel.

skarim (Mon, 06 Feb 2017 14:53:26 GMT):
Has joined the channel.

harrijk (Mon, 06 Feb 2017 15:13:33 GMT):
Has joined the channel.

nhrishi (Mon, 06 Feb 2017 15:13:59 GMT):
Has joined the channel.

klorenz (Mon, 06 Feb 2017 16:05:27 GMT):
Has joined the channel.

elli-androulaki (Mon, 06 Feb 2017 16:06:23 GMT):
Has joined the channel.

rocket.chat (Mon, 06 Feb 2017 16:11:34 GMT):
Has joined the channel.

yuki-kon (Mon, 06 Feb 2017 16:51:33 GMT):
Has joined the channel.

JonathanLevi (Mon, 06 Feb 2017 17:41:35 GMT):
Hi @ashutosh_kumar: the upside with a manual update is that it helps us keep that "separation"

JonathanLevi (Mon, 06 Feb 2017 17:43:02 GMT):
We will work with a set of API, so that it does not feel like the two are TOO intertwined....

JonathanLevi (Mon, 06 Feb 2017 17:43:20 GMT):
So even though one is contained inside the other's vendor folder - we should be able to build fabric-ca on its own, I believe.

JonathanLevi (Mon, 06 Feb 2017 17:44:12 GMT):
Why are you asking? Feel free to vendor as you need (while so many parts are moving)

ashutosh_kumar (Mon, 06 Feb 2017 17:49:02 GMT):
ok. I did not understand the API part. Thanks for the insight.

JonathanLevi (Mon, 06 Feb 2017 17:53:21 GMT):
NP. Yes, that came with "the ability to roll your own crypto", etc. Sure thing.

JonathanLevi (Mon, 06 Feb 2017 17:53:45 GMT):
Still, let me/us know if this causes any issues - thanks.

vpaprots (Mon, 06 Feb 2017 19:02:29 GMT):
Has joined the channel.

yedendra (Mon, 06 Feb 2017 19:34:06 GMT):
Has joined the channel.

forgeRW (Mon, 06 Feb 2017 20:36:23 GMT):
Has joined the channel.

crazybit (Tue, 07 Feb 2017 05:30:59 GMT):
Has joined the channel.

chadgates (Tue, 07 Feb 2017 06:58:03 GMT):
Has joined the channel.

bur (Tue, 07 Feb 2017 07:34:00 GMT):
Has joined the channel.

mbaizan (Tue, 07 Feb 2017 07:42:38 GMT):
Has joined the channel.

gatakka (Tue, 07 Feb 2017 09:28:24 GMT):
Has joined the channel.

bart.cant@gmail.com (Tue, 07 Feb 2017 12:13:35 GMT):
Has joined the channel.

andb (Tue, 07 Feb 2017 12:18:14 GMT):
Has joined the channel.

kenzhang (Tue, 07 Feb 2017 14:33:57 GMT):
Has joined the channel.

ikruiper (Tue, 07 Feb 2017 14:34:58 GMT):
Has joined the channel.

cbf (Tue, 07 Feb 2017 15:12:33 GMT):
Has joined the channel.

mpage (Tue, 07 Feb 2017 15:25:23 GMT):
Has joined the channel.

jansony1 (Tue, 07 Feb 2017 15:57:33 GMT):
Has joined the channel.

Asara (Tue, 07 Feb 2017 16:01:18 GMT):
Has joined the channel.

Asara (Tue, 07 Feb 2017 16:01:26 GMT):
Hey guys, trying to understand something

Asara (Tue, 07 Feb 2017 16:01:59 GMT):
with affiliations and banks, when you create an institution under there, and assign an auditor to that institution, does that mean the auditor account only has the ability to audit that one institution/bank?

Asara (Tue, 07 Feb 2017 16:02:13 GMT):
is there a way to have an auditor that can audit multiple institutions? or does that need to be handled via different accounts?

mastersingh24 (Tue, 07 Feb 2017 16:04:29 GMT):
@Asara - good question - it's not fully setup yet, but the idea is that the structure is more or less tree-based and you grant access to a node and anything under that node

Asara (Tue, 07 Feb 2017 16:06:46 GMT):
so can i designate a user as the auditor of 'banks_and_institutions'?

Asara (Tue, 07 Feb 2017 16:07:14 GMT):
i.e. `users: masterAuditor: 8 password banks_and_institutions`

Asara (Tue, 07 Feb 2017 16:22:28 GMT):
Like in the documentation, I see "Pre3K_BI: is available to TCA and auditors for banks and institutions." (https://github.com/hyperledger/fabric/blob/master/docs/tech/attributes.md), I'm just trying to ensure I am setting it correctly in membersrvc.yaml

mastersingh24 (Tue, 07 Feb 2017 16:24:32 GMT):
well I'm not sure if we actually implemented the ability for it to actually work properly, but yeah - if you release the pre-key at the top level it would work for the child nodes. @JonathanLevi - does this work in v0.6?

JonathanLevi (Tue, 07 Feb 2017 16:25:02 GMT):
So it kinda "works". The pre-key tree certainly does.

JonathanLevi (Tue, 07 Feb 2017 16:25:24 GMT):
TBH, the caveat is that you don't have attribute encryption set to true by design.

ashutosh_kumar (Tue, 07 Feb 2017 16:25:54 GMT):
in V1.0, we have plumbing in place, but have not tested it fully.

ashutosh_kumar (Tue, 07 Feb 2017 16:26:47 GMT):
which is pre-key at top level and we derive key at lower level based on top level pre key.

JonathanLevi (Tue, 07 Feb 2017 16:26:58 GMT):
So the ability to conditionally decrypt attribute- (say, values) based on the key generating key position in the tree, is something that you @Asara can use, but not really "out of the box".

JonathanLevi (Tue, 07 Feb 2017 16:27:09 GMT):
[ @ashutosh_kumar: one sec ]

JonathanLevi (Tue, 07 Feb 2017 16:27:39 GMT):
@Asara: what you are asking is even more advanced, as you are looking into a "cross-organization" audit.

JonathanLevi (Tue, 07 Feb 2017 16:28:40 GMT):
The design supports it [both in v0.6 and much more so in v1 as @ashutosh_kumar suggests]... but there needs to be also a supporting "business agreement" in place.

JonathanLevi (Tue, 07 Feb 2017 16:29:18 GMT):
To simplify (a bit), it can easily work if 2 organizations agree to use the same TCA.

JonathanLevi (Tue, 07 Feb 2017 16:30:19 GMT):
But in real life, this is not always the case, in which, they would need to agree on the "convention", accept the auditor, etc.

JonathanLevi (Tue, 07 Feb 2017 16:31:11 GMT):
Because even in v1, the auditor has to sit "on top" or somewhere "above" both organizations in the pre-key tree.

JonathanLevi (Tue, 07 Feb 2017 16:31:22 GMT):
@Asara: Am I making any sense?

JonathanLevi (Tue, 07 Feb 2017 16:31:31 GMT):
[ @ashutosh_kumar: back to you, sorry. ]

ashutosh_kumar (Tue, 07 Feb 2017 16:33:07 GMT):
we have support for a tree, not a forest AFAIK.

troyronda (Tue, 07 Feb 2017 16:33:34 GMT):
Has joined the channel.

JonathanLevi (Tue, 07 Feb 2017 16:33:38 GMT):
@ashutosh_kumar: Yes, exactly.

JonathanLevi (Tue, 07 Feb 2017 16:34:17 GMT):
But, we can still support the cross organization/company audit (using a tree).

Asara (Tue, 07 Feb 2017 16:35:16 GMT):
So essentially it is better to offload auditing to each institution/bank with their own separate user?

ashutosh_kumar (Tue, 07 Feb 2017 16:36:51 GMT):
@Asara, that makes sense.

JonathanLevi (Tue, 07 Feb 2017 16:45:22 GMT):
@Asara: it is certainly easier. But in many cases, banks have different requirements.

JonathanLevi (Tue, 07 Feb 2017 16:45:53 GMT):
The short answer/summary (and I hope I'm helping, rather than confusing):

JonathanLevi (Tue, 07 Feb 2017 16:46:27 GMT):
1. You need to have encrypted attributes in place, in order to allow a "selective" release/decryption of information (e.g., for auditing)

JonathanLevi (Tue, 07 Feb 2017 16:47:01 GMT):
2. It is MUCH easier to structure a hierarchy that resides within one issuing CA (that is, the TCA in your question)

JonathanLevi (Tue, 07 Feb 2017 16:47:50 GMT):
3. If you/one wants to take advantage of the pre-key tree hierarchy, then the auditors usually sit "above" the nodes they audit.

Asara (Tue, 07 Feb 2017 16:48:29 GMT):
So my setup right now is supposed to have 1 auditor auditing all the transactions across banks/institutions. all the institutions agree to that auditor being able to audit them

JonathanLevi (Tue, 07 Feb 2017 16:48:29 GMT):
4. I would start with modeling the problem/issue so that you can put even a few organizations in one pre-key tree (in terms of hierarchy).

JonathanLevi (Tue, 07 Feb 2017 16:48:31 GMT):
---

Asara (Tue, 07 Feb 2017 16:48:43 GMT):
i'll be back in 10 min sorry!

JonathanLevi (Tue, 07 Feb 2017 16:50:24 GMT):
That's good. Yes, what I meant in "3 and 4" [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NNjozYw4Xh4FjBC7q) @Asara

JonathanLevi (Tue, 07 Feb 2017 16:50:50 GMT):
Which is also what @ashutosh_kumar suggested as well.

JonathanLevi (Tue, 07 Feb 2017 16:51:08 GMT):
BTW: Speaking of which, we should really test this stuff in v1... !

Asara (Tue, 07 Feb 2017 17:53:40 GMT):
@JonathanLevi so it's a little confusing to me. I still want to maintain different trees for each institution, but also want an overarching auditor. If I put everything under 1 bank, then delegation under that becomes weird since it overreaches

Asara (Tue, 07 Feb 2017 17:54:55 GMT):
```
eca:
  affiliations:
    banks_and_institutions:
      banks:
        - bank1
        - bank2
        - bank3
      institutions:
        - regulator1
```

Asara (Tue, 07 Feb 2017 17:55:04 GMT):
is what I *want*

Asara (Tue, 07 Feb 2017 17:55:32 GMT):
mostly because that way I can have 1 user that delegates on behalf of bank1 etc, and then the regulator can manage all the banks

rjones (Tue, 07 Feb 2017 18:03:39 GMT):
please migrate to https://chat.hyperledger.org

Asara (Tue, 07 Feb 2017 18:18:33 GMT):
or beyond that, is there a way to have subbanks/institutions?

sukrit.handa@gmail.com (Tue, 07 Feb 2017 18:33:06 GMT):
Has joined the channel.

Asara (Tue, 07 Feb 2017 18:57:35 GMT):
oh, and if i give a user delegation permissions, can they only delegate for that institution/bank? Is there a way to make a generic user that can act as a registrar and delegate to different institutions/banks?

Asara (Tue, 07 Feb 2017 18:57:44 GMT):
sorry if these are silly questions

JonathanLevi (Tue, 07 Feb 2017 19:01:59 GMT):
No, not a silly question (I am just in between things), so if others can chime in that would be great.

JonathanLevi (Tue, 07 Feb 2017 19:02:34 GMT):
Just quickly: The pre-key construct is not bound by any height. As for your first question.

JonathanLevi (Tue, 07 Feb 2017 19:03:51 GMT):
Yes, you can delegate that "role".... in v1 it is called the *registrar* role. Works even/also from the SDK.

JonathanLevi (Tue, 07 Feb 2017 19:04:36 GMT):
____ We certainly need better documentation for these! ____

Asara (Tue, 07 Feb 2017 19:06:25 GMT):
I appreciate the help @JonathanLevi

Asara (Tue, 07 Feb 2017 19:06:40 GMT):
So does that mean I can do something like this:

Asara (Tue, 07 Feb 2017 19:06:46 GMT):
```
eca:
  affiliations:
    banks_and_institutions:
      banks:
        - unregulatedBank1
      institutions:
        regulator1:
          - bank1
          - bank2
          - bank3
```

Asara (Tue, 07 Feb 2017 19:10:52 GMT):
@JonathanLevi Is the registrar role bound to an affiliation? Can I have 1 registrar that can create clients for both bank1 and bank2?

skbodwell (Tue, 07 Feb 2017 19:12:19 GMT):
Has joined the channel.

mastersingh24 (Tue, 07 Feb 2017 19:13:50 GMT):
registrar is currently only bound to types of role it can create but not to specific affiliations

Asara (Tue, 07 Feb 2017 19:15:20 GMT):
Nice

Asara (Tue, 07 Feb 2017 19:15:29 GMT):
thanks @mastersingh24

mastersingh24 (Tue, 07 Feb 2017 19:36:11 GMT):
given the ongoing move to viper rather than the cfssl CLI, do we still need https://gerrit.hyperledger.org/r/#/c/4719/ ?

ashutosh_kumar (Tue, 07 Feb 2017 20:00:11 GMT):
@Asara, we do not have that yet in 1.0. But here is how it is going to work:
1) You/Customer defines a hierarchical tree structure
2) You/Customer defines a Role based on the hierarchy that you defined in step 1
3) You/Customer assigns a user to that role
4) The fabric-ca API will generate a key for any level that you are looking for.

ashutosh_kumar (Tue, 07 Feb 2017 20:00:32 GMT):
Fabric-ca will not play in 1, 2 and 3.

mohamoud.egal (Tue, 07 Feb 2017 20:02:59 GMT):
Has joined the channel.

Asara (Tue, 07 Feb 2017 20:03:22 GMT):
nice. So in the current implementation, where do we stand?

Asara (Tue, 07 Feb 2017 20:03:23 GMT):
:)

mohamoud.egal (Tue, 07 Feb 2017 20:03:46 GMT):
Hi all,

ashutosh_kumar (Tue, 07 Feb 2017 20:54:00 GMT):
@Asara: We have plumbing in place, no full implementation yet.

ashutosh_kumar (Tue, 07 Feb 2017 20:54:36 GMT):
Timeline, I cannot answer, but we'll prioritize it.

beauson45 (Tue, 07 Feb 2017 20:55:37 GMT):
Has joined the channel.

Asara (Tue, 07 Feb 2017 20:55:38 GMT):
@ashutosh_kumar fair enough. thanks!

lehors (Tue, 07 Feb 2017 21:56:20 GMT):
@smithbk Hi, I'm looking into your changes related to FAB-2012, bear with me if I'm missing something obvious but can you please tell me why we end up with two dirs: cli and cmd? I would think cli is the command, and if you split it in two, you might have two subdirs a la cli/server and cli/client. What's in cli then?

Adil.B (Tue, 07 Feb 2017 22:09:45 GMT):
Has joined the channel.

mrkiouak (Tue, 07 Feb 2017 23:52:25 GMT):
Has joined the channel.

smithbk (Wed, 08 Feb 2017 01:10:22 GMT):
@lehors The entire cli directory will eventually go away once the separate server and client commands under cmd are working, so there is an overlap during the transition of using cobra/viper. I've tried to describe this plan in https://jira.hyperledger.org/browse/FAB-2012

peter (Wed, 08 Feb 2017 02:11:05 GMT):
Has joined the channel.

ArulmuruganS (Wed, 08 Feb 2017 03:50:44 GMT):
Has joined the channel.

haidong (Wed, 08 Feb 2017 03:54:21 GMT):
Has joined the channel.

TimskiiTim (Wed, 08 Feb 2017 06:01:43 GMT):
Has joined the channel.

padmaja (Wed, 08 Feb 2017 07:02:50 GMT):
Has joined the channel.

AStepanov (Wed, 08 Feb 2017 07:49:58 GMT):
Has joined the channel.

14gracel (Wed, 08 Feb 2017 09:57:31 GMT):
Has joined the channel.

kushnir.grigoriy (Wed, 08 Feb 2017 13:49:03 GMT):
Has joined the channel.

frank.felhoffer (Wed, 08 Feb 2017 14:33:31 GMT):
Has joined the channel.

shalinigpt (Wed, 08 Feb 2017 15:56:35 GMT):
Has joined the channel.

jkirke (Wed, 08 Feb 2017 16:33:13 GMT):
Has joined the channel.

warong (Thu, 09 Feb 2017 02:52:49 GMT):
Has joined the channel.

Andy Zhang (Thu, 09 Feb 2017 02:58:23 GMT):
Has joined the channel.

guhaihua (Thu, 09 Feb 2017 03:31:41 GMT):
Has joined the channel.

t-watana (Thu, 09 Feb 2017 06:36:17 GMT):
Has joined the channel.

FlyingTiger (Thu, 09 Feb 2017 12:01:19 GMT):
Has joined the channel.

lehors (Thu, 09 Feb 2017 13:50:34 GMT):
@smithbk ok, thanks for the explanation, I had missed the last piece in the JIRA ticket

juslee (Thu, 09 Feb 2017 14:31:37 GMT):
Has joined the channel.

juslee (Thu, 09 Feb 2017 14:34:52 GMT):
Has left the channel.

ThiruVijayan (Thu, 09 Feb 2017 22:11:25 GMT):
Has joined the channel.

chenxl (Fri, 10 Feb 2017 01:32:51 GMT):
Has joined the channel.

NIKESHGOGIA (Fri, 10 Feb 2017 07:14:06 GMT):
Has joined the channel.

JonathanLevi (Fri, 10 Feb 2017 21:13:29 GMT):
(C) A team

JonathanLevi (Fri, 10 Feb 2017 21:13:56 GMT):
Any suggestion(s) regarding the environment var naming? https://jira.hyperledger.org/browse/FAB-2188

JonathanLevi (Fri, 10 Feb 2017 21:15:06 GMT):
I think that FABRIC_CA_.... is a better prefix, but I didn't want to short-circuit it. Please chime in should you have an objection...

JonathanLevi (Fri, 10 Feb 2017 21:15:12 GMT):
@baohua ^^^

baohua (Fri, 10 Feb 2017 21:15:12 GMT):
Has joined the channel.

baohua (Sat, 11 Feb 2017 00:20:36 GMT):
sure, and also suggest to consider if we need to keep the same style between fabric-peer, fabric-orderer and fabric-ca. currently they have names of `PEER_CFG_PATH`, `ORDERER_CFG_PATH` and `FABRIC_CA_HOME` as the default configuration paths.

baohua (Sat, 11 Feb 2017 00:21:22 GMT):
BTW, i personally think the `_PATH` and `_HOME` suffix could be moved, as the meaning is clear enough.

surabhi (Sat, 11 Feb 2017 17:59:03 GMT):
Has joined the channel.

frankylu (Sun, 12 Feb 2017 00:09:13 GMT):
Has joined the channel.

mastersingh24 (Sun, 12 Feb 2017 14:51:09 GMT):
[ @hydrachain - what exactly are you trying to do?](https://chat.hyperledger.org/channel/general?msg=FkkKbdNrFKrQgMBnW)

hydrachain (Sun, 12 Feb 2017 14:51:09 GMT):
Has joined the channel.

hydrachain (Mon, 13 Feb 2017 01:07:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mdxcsGagR4vZ6jxHf) @mastersingh24 For Fabric 0.6, how to register a new user with Go language? Just as Java SDK calls "Member" to register a new user.

Ashish (Mon, 13 Feb 2017 03:02:59 GMT):
Has joined the channel.

mjkong (Mon, 13 Feb 2017 04:27:02 GMT):
Has joined the channel.

thojest (Mon, 13 Feb 2017 09:51:46 GMT):
Has joined the channel.

thojest (Mon, 13 Feb 2017 09:54:50 GMT):
in the docker-compose-file what do i have to do to enable transaction certificates

thojest (Mon, 13 Feb 2017 10:07:43 GMT):
so im reading a bit about ECerts and TCerts...

thojest (Mon, 13 Feb 2017 10:07:50 GMT):
im talking of hyperledger v0.6

thojest (Mon, 13 Feb 2017 10:08:46 GMT):
in the protocol-spec, it is written that when you do not use TCerts and only ECerts, these have a signature key pair and an encryption key pair.. Can maybe someone tell me what that means

thojest (Mon, 13 Feb 2017 10:09:26 GMT):
afaik in public key cryptography you have a private key and publish your public key.... then you can create signatures but you can also encrypt.... why do i need 2 pairs of k

thojest (Mon, 13 Feb 2017 10:09:35 GMT):
private keys in fabric.

thojest (Mon, 13 Feb 2017 10:09:53 GMT):
sry.... i mean 2 key pairs in fabric, one for encryption and one for signatures

Vadim (Mon, 13 Feb 2017 10:10:47 GMT):
@thojest can you post the link where you read that?

thojest (Mon, 13 Feb 2017 10:14:06 GMT):
https://github.com/hyperledger/fabric/blob/master/docs/protocol-spec.md#421-userclient-enrollment-process

thojest (Mon, 13 Feb 2017 10:14:26 GMT):
have to scroll a bit up

Vadim (Mon, 13 Feb 2017 10:16:31 GMT):
well, can you post a citation here?

Vadim (Mon, 13 Feb 2017 10:16:40 GMT):
I don't want to read the whole document

thojest (Mon, 13 Feb 2017 10:17:06 GMT):
:D

thojest (Mon, 13 Feb 2017 10:17:32 GMT):
Enrollment Certificates (ECerts)
ECerts are long-term certificates. They are issued for all roles, i.e. users, non-validating peers, and validating peers. In the case of users, who submit transactions for candidate incorporation into the blockchain and who also own TCerts (discussed below), there are two possible structure and usage models for ECerts:
Model A: ECerts contain the identity/enrollmentID of their owner and can be used to offer only nominal entity-authentication for TCert requests and/or within transactions. They contain the public part of two key pairs – a signature key-pair and an encryption/key agreement key-pair. ECerts are accessible to everyone.
Model B: ECerts contain the identity/enrollmentID of their owner and can be used to offer only nominal entity-authentication for TCert requests. They contain the public part of a signature key-pair, i.e., a signature verification public key. ECerts are preferably accessible to only TCA and auditors, as relying parties. They are invisible to transactions, and thus (unlike TCerts) their signature key pairs do not play a non-repudiation role at that level.

Vadim (Mon, 13 Feb 2017 10:20:03 GMT):
I don't think that model A is implemented

Vadim (Mon, 13 Feb 2017 10:20:35 GMT):
in case you're interested in how to use TCerts in v0.6, I suggest you read the code of the asset_management_interactive example

Vadim (Mon, 13 Feb 2017 10:20:41 GMT):
particularly, https://github.com/hyperledger/fabric/blob/master/examples/chaincode/go/asset_management_interactive/app1/app1_internal.go#L160

thojest (Mon, 13 Feb 2017 10:20:48 GMT):
yeah thanks

thojest (Mon, 13 Feb 2017 10:20:58 GMT):
but from what i understand it is also possible to use only ECerts

Vadim (Mon, 13 Feb 2017 10:21:14 GMT):
so far TCerts are not implemented in v1 (to my knowledge)

Vadim (Mon, 13 Feb 2017 10:21:23 GMT):
however, in v0.6 you can use TCerts

thojest (Mon, 13 Feb 2017 10:22:17 GMT):
so when i only enroll users then they get the ECert, correct?

Vadim (Mon, 13 Feb 2017 10:22:41 GMT):
yes, tcerts are meant to be one per transaction to hide the identity

thojest (Mon, 13 Feb 2017 10:23:02 GMT):
and when i want to use TCerts i have to write it into the chaincode?

thojest (Mon, 13 Feb 2017 10:23:08 GMT):
like in asset management

Vadim (Mon, 13 Feb 2017 10:23:25 GMT):
no, the transaction just gets signed with TCert instead of ECert

Vadim (Mon, 13 Feb 2017 10:23:50 GMT):
in case you have some logic in chaincode that needs ECert, you probably need to adjust something

thojest (Mon, 13 Feb 2017 10:24:28 GMT):
so my basic question is, when i have security ON

thojest (Mon, 13 Feb 2017 10:24:43 GMT):
then only enrolled users can query/invoke chaincode ?

Vadim (Mon, 13 Feb 2017 10:24:56 GMT):
I'd say so

thojest (Mon, 13 Feb 2017 10:25:05 GMT):
ok....

Vadim (Mon, 13 Feb 2017 10:25:16 GMT):
you can also just try and see what happens if the user is not enrolled

thojest (Mon, 13 Feb 2017 10:25:25 GMT):
yeah will do that.

thojest (Mon, 13 Feb 2017 10:25:49 GMT):
so when i have enrolled a user... he can query chaincode

thojest (Mon, 13 Feb 2017 10:26:14 GMT):
lets say he queries e.g. in chaincodeexample02

thojest (Mon, 13 Feb 2017 10:26:20 GMT):
the asset holding of a person

thojest (Mon, 13 Feb 2017 10:26:33 GMT):
are here already TCerts included?

Vadim (Mon, 13 Feb 2017 10:26:47 GMT):
depends on your code

thojest (Mon, 13 Feb 2017 10:27:08 GMT):
on the chaincode? correct?

Vadim (Mon, 13 Feb 2017 10:27:22 GMT):
on the code which is calling your chaincode

Vadim (Mon, 13 Feb 2017 10:27:50 GMT):
in the chaincode you can verify who is calling by stub.GetCallerCertificate and then just using openssl to read it

thojest (Mon, 13 Feb 2017 10:27:51 GMT):
assume im using peer chaincode query ......

Vadim (Mon, 13 Feb 2017 10:28:32 GMT):
well I'm not exactly familiar with v0.6, but I think you can specify a user there, right?

thojest (Mon, 13 Feb 2017 10:28:41 GMT):
yeah that's possible

thojest (Mon, 13 Feb 2017 10:28:50 GMT):
but afaik this only has to do with ECerts

Vadim (Mon, 13 Feb 2017 10:29:00 GMT):
I'd also say so

thojest (Mon, 13 Feb 2017 10:29:14 GMT):
that's nice. at least i seem to understand a little bit :D

thojest (Mon, 13 Feb 2017 10:29:31 GMT):
fine... so now come TCerts into play

Vadim (Mon, 13 Feb 2017 10:29:35 GMT):
so you can try that asset_management_interactive example, there it uses TCerts

Vadim (Mon, 13 Feb 2017 10:29:39 GMT):
I posted the link above

thojest (Mon, 13 Feb 2017 10:29:49 GMT):
ok ill have a look at it thanks

thojest (Mon, 13 Feb 2017 10:29:58 GMT):
maybe one last thing

thojest (Mon, 13 Feb 2017 10:30:03 GMT):
what is the sense of TCerts?

thojest (Mon, 13 Feb 2017 10:30:11 GMT):
user privacy?

Vadim (Mon, 13 Feb 2017 10:30:13 GMT):
to hide the identity of the caller

Vadim (Mon, 13 Feb 2017 10:30:15 GMT):
yes

thojest (Mon, 13 Feb 2017 10:30:31 GMT):
ok. this is the only reason?

Vadim (Mon, 13 Feb 2017 10:30:35 GMT):
yes

thojest (Mon, 13 Feb 2017 10:30:57 GMT):
thanks a lot. with this basis i'll read a bit more and try the asset management demo.

Vadim (Mon, 13 Feb 2017 10:31:05 GMT):
ok, good luck

thojest (Mon, 13 Feb 2017 10:31:11 GMT):
ty

thojest (Mon, 13 Feb 2017 11:03:36 GMT):
is there a better documentation out?

thojest (Mon, 13 Feb 2017 11:04:01 GMT):
The structure of a Transaction Certificate (TCert) is as follows:
- TCertID – transaction certificate ID (preferably generated by TCA randomly in order to avoid unintended linkability via the Hidden Enrollment ID field).
- Hidden Enrollment ID: AES_Encrypt_K(enrollmentID), where key K = [HMAC(Pre-K, TCertID)] truncated to 256 bits, and where three distinct key distribution scenarios for Pre-K are defined below as (a), (b) and (c).
- Hidden Private Keys Extraction: AES_Encrypt_{TCertOwner_EncryptKey}(TCertIndex || known padding/parity check vector), where || denotes concatenation, and where each batch has a unique (per batch) time-stamp/random offset that is added to a counter (initialized at 1 in this implementation) in order to generate TCertIndex. The counter can be incremented by 2 each time in order to accommodate generation by the TCA of the public keys and recovery by the TCert owner of the private keys of both types, i.e., signature key pairs and key agreement key pairs.
- Sign Verification Public Key – TCert signature verification public key.
- Key Agreement Public Key – TCert key agreement public key.
- Validity period – the time window during which the transaction certificate can be used for the outer/external signature of a transaction.

thojest (Mon, 13 Feb 2017 11:04:21 GMT):
i would be very thankful if...

thojest (Mon, 13 Feb 2017 11:04:53 GMT):
1) someone could explain the difference between sign verification public key and key agreement public key, and what exactly they are used for

thojest (Mon, 13 Feb 2017 11:05:02 GMT):
2) what is a pre-k

nhrishi (Mon, 13 Feb 2017 13:03:53 GMT):
Hi, I was wondering if chaincode has API functions for a user/application to explicitly sign and verify the content and send it as part of the transaction. Example - If a legal contract is deployed using a chaincode, we need the participant to sign the legal contract content. Can anyone pls advise.

Vadim (Mon, 13 Feb 2017 13:32:36 GMT):
@nhrishi the proposal is already signed when it reaches a chaincode, is it not enough for you?

Vadim (Mon, 13 Feb 2017 13:33:30 GMT):
the chaincode logic also verifies the validity of the signature

Vadim (Mon, 13 Feb 2017 13:36:14 GMT):
if it's not enough for some reason, node-sdk has methods to sign and verify: https://github.com/hyperledger/fabric-sdk-node/blob/master/fabric-client/lib/impl/CryptoSuite_ECDSA_AES.js

nhrishi (Mon, 13 Feb 2017 14:02:48 GMT):
@Vadim Yup. This should help. btw i'm working v0.6 version. I think, I can set the metadata and HFC helps me sign it. In Chaincode, I can verify the signature.

Vadim (Mon, 13 Feb 2017 14:03:36 GMT):
as I understand, this explicit signature check is not needed in v1

nhrishi (Mon, 13 Feb 2017 14:06:08 GMT):
Yes, Thats my understanding as well. We can address this using endorsement policy. Correct?

Vadim (Mon, 13 Feb 2017 14:06:54 GMT):
endorsement policy is for signing results of the chaincode run by a peer, e.g. how many signatures from peers are needed

Vadim (Mon, 13 Feb 2017 14:07:14 GMT):
as I understand, you are asking about checking the signature of the peer who sends the proposal

nhrishi (Mon, 13 Feb 2017 14:10:21 GMT):
My scenario or use case is to achieve multi-sig. If one participant proposes a contract, it must be signed by M of N parties, with verification of signature and digest.

nhrishi (Mon, 13 Feb 2017 14:12:34 GMT):
so in v0.6, I need to write a chaincode to implement M of N logic with signature verifications. Can it be addressed using endorsement policy in V1?

Vadim (Mon, 13 Feb 2017 14:13:30 GMT):
that's right, it should work

nhrishi (Mon, 13 Feb 2017 14:13:49 GMT):
Perfect !!

nhrishi (Mon, 13 Feb 2017 14:14:01 GMT):
Thanks much!

Vadim (Mon, 13 Feb 2017 14:14:22 GMT):
you're welcome

thojest (Mon, 13 Feb 2017 14:20:08 GMT):
hi when i enroll as a user, where are the certificates stored?

thojest (Mon, 13 Feb 2017 14:20:27 GMT):
i have the impression that only links to the real certificates are stored on my local machine

thojest (Mon, 13 Feb 2017 14:21:04 GMT):
so when i have a network of peers and membersrvc

thojest (Mon, 13 Feb 2017 14:21:16 GMT):
and i try to e.g. `peer network login admin`

thojest (Mon, 13 Feb 2017 14:21:48 GMT):
then i find the certificates in the docker container `/var/hyperledger/production/.membersrvc`

thojest (Mon, 13 Feb 2017 14:22:09 GMT):
and on my local machine i only find a "login-token" ?

ashutosh_kumar (Mon, 13 Feb 2017 14:23:33 GMT):
The certs are stored locally in a SQLite database.

thojest (Mon, 13 Feb 2017 14:24:55 GMT):
locally means where membersrvc is running or on my host machine?

ashutosh_kumar (Mon, 13 Feb 2017 14:25:23 GMT):
@thojest : Your q on Pre K for TCert : Pre-K is root level random string that is being used to get lower level Key to generate Keys to be given out to auditors.

ashutosh_kumar (Mon, 13 Feb 2017 14:25:38 GMT):
Pre-K is at the Org level.

ashutosh_kumar (Mon, 13 Feb 2017 14:26:50 GMT):
where membersrvc is running.

thojest (Mon, 13 Feb 2017 14:26:57 GMT):
ahh nice

thojest (Mon, 13 Feb 2017 14:26:58 GMT):
thanks

thojest (Mon, 13 Feb 2017 14:27:11 GMT):
so these tokens i have on my host are only "links"?

ashutosh_kumar (Mon, 13 Feb 2017 14:27:27 GMT):
which tokens ?

thojest (Mon, 13 Feb 2017 14:27:47 GMT):
wait a sec

ashutosh_kumar (Mon, 13 Feb 2017 14:27:47 GMT):
one time password ?

thojest (Mon, 13 Feb 2017 14:31:14 GMT):
@ashutosh_kumar when i do `peer network login admin` for example

thojest (Mon, 13 Feb 2017 14:31:41 GMT):
it creates a file named `loginToken_admin` on my host machine in `/var/hyperledger/production/client`

ashutosh_kumar (Mon, 13 Feb 2017 14:34:30 GMT):
from Peer side , yes.

ashutosh_kumar (Mon, 13 Feb 2017 14:35:02 GMT):
in 1.0 , membersrvc is completely isolated from fabric.

ashutosh_kumar (Mon, 13 Feb 2017 14:35:15 GMT):
we call it Fabric-ca.

thojest (Mon, 13 Feb 2017 14:35:23 GMT):
ok i ve heard about that

thojest (Mon, 13 Feb 2017 14:35:30 GMT):
but what is this loginToken_admin

thojest (Mon, 13 Feb 2017 14:35:33 GMT):
what is the purpose

ashutosh_kumar (Mon, 13 Feb 2017 14:35:59 GMT):
that is for register and enroll.

thojest (Mon, 13 Feb 2017 14:36:28 GMT):
ok but i dont understand... you told me that all the certs are stored on the machine of membersrvc

thojest (Mon, 13 Feb 2017 14:36:34 GMT):
no on peer side i have this token

thojest (Mon, 13 Feb 2017 14:36:42 GMT):
*now

ashutosh_kumar (Mon, 13 Feb 2017 14:36:55 GMT):
peer needs to enroll

ashutosh_kumar (Mon, 13 Feb 2017 14:37:03 GMT):
so they use that token.

ashutosh_kumar (Mon, 13 Feb 2017 14:37:31 GMT):
when they are enrolled , the Enrollment certs are stored in msvc DB.

ashutosh_kumar (Mon, 13 Feb 2017 14:38:04 GMT):
whoever is in possession of that token can enroll.

thojest (Mon, 13 Feb 2017 14:38:18 GMT):
ahh ok

thojest (Mon, 13 Feb 2017 14:38:39 GMT):
thanks :+1:

dhwang (Mon, 13 Feb 2017 15:55:22 GMT):
Has joined the channel.

WebKruncher (Mon, 13 Feb 2017 18:55:15 GMT):
Has joined the channel.

WebKruncher (Mon, 13 Feb 2017 18:55:39 GMT):
I'm trying to use fabric-ca with a native Ubuntu build. I get errors trying to enroll the admin - Client Cert or Key not provided, if server requires mutual TLS, the connection will fail [error: open : no such file or directory] POST failure [Post http://localhost:7054/api/v1/cfssl/enroll: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"]; not sending POST http://localhost:7054/api/v1/cfssl/enroll ... Has anyone else run into this? Can anyone help me out?

nage (Mon, 13 Feb 2017 19:26:16 GMT):
Has joined the channel.

lehors (Mon, 13 Feb 2017 20:48:39 GMT):
@mastersingh24 following up on our earlier conversation, while trying to build the latest fabric-ca within vagrant I get:

lehors (Mon, 13 Feb 2017 20:48:40 GMT):
```
Running all tests ...
warning: "github.com/hyperledger/fabric-ca/..." matched no packages
ok  	github.com/hyperledger/fabric-ca	0.021s	coverage: 81.8% of statements
Finished running all tests
*** BEGIN FAILURES ***
warning: "github.com/hyperledger/fabric-ca/..." matched no packages
*** END FAILURES ***
Makefile:143: recipe for target 'unit-tests' failed
make: *** [unit-tests] Error 1
```

lehors (Mon, 13 Feb 2017 20:49:06 GMT):
I have to admit not to be sure what this is about

mastersingh24 (Mon, 13 Feb 2017 20:49:21 GMT):
that is an odd one indeed

mastersingh24 (Mon, 13 Feb 2017 20:49:27 GMT):
let me pull down the latest and try

mastersingh24 (Mon, 13 Feb 2017 20:50:57 GMT):
@lehors - what command are you running?

lehors (Mon, 13 Feb 2017 20:51:24 GMT):
make unit-tests

lehors (Mon, 13 Feb 2017 20:52:45 GMT):
it passes vet, lint, imports, builds everything and then:

lehors (Mon, 13 Feb 2017 20:53:04 GMT):
Running all tests ... warning: "github.com/hyperledger/fabric-ca/..." matched no packages

lehors (Mon, 13 Feb 2017 20:53:15 GMT):
```
ok  	github.com/hyperledger/fabric-ca	0.014s	coverage: 81.8% of statements
Finished running all tests
*** BEGIN FAILURES ***
warning: "github.com/hyperledger/fabric-ca/..." matched no packages
*** END FAILURES ***
Makefile:143: recipe for target 'unit-tests' failed
make: *** [unit-tests] Error 1
```

mastersingh24 (Mon, 13 Feb 2017 20:54:56 GMT):
hmm - running straight on OSX seems to be working

lehors (Mon, 13 Feb 2017 20:55:13 GMT):
why doesn't that surprise me? ;-)

mastersingh24 (Mon, 13 Feb 2017 20:57:35 GMT):
I have a Linux system somewhere around here I can try as well a little later

lehors (Mon, 13 Feb 2017 21:01:23 GMT):
here is the deal, fabric's vagrant has go1.7.3 which evidently doesn't support go list somepackage/...

lehors (Mon, 13 Feb 2017 21:01:41 GMT):
it works fine on my windows env where I have go1.7.4

lehors (Mon, 13 Feb 2017 21:02:24 GMT):
sidenote: wasn't why vagrant was introduced in the first place? so that we all have the exact same env? :-P

lehors (Mon, 13 Feb 2017 21:02:24 GMT):
sidenote: wasn't that why vagrant was introduced in the first place? so that we all have the exact same env? :-P

lehors (Mon, 13 Feb 2017 21:04:58 GMT):
we really need to update the image so that we have the right env

lehors (Mon, 13 Feb 2017 21:05:24 GMT):
neither fabric nor fabric-ca builds successfully within our vagrant env

mastersingh24 (Mon, 13 Feb 2017 22:52:06 GMT):
it's also why we are trying hard to get rid of the vagrant env

s.narayanan (Mon, 13 Feb 2017 23:00:40 GMT):
Has joined the channel.

lehors (Mon, 13 Feb 2017 23:12:31 GMT):
ok but you can't expect everybody to be on MacOS

JonathanLevi (Tue, 14 Feb 2017 00:20:26 GMT):
As side note 1: We have seen differences earlier between 1.7.4 and 1.7.3 [Greg and I used to work with different versions... and I believe we ended up allowing a 1.7.x check at the time... when we envisioned 1.7.5 at some point :-(]

JonathanLevi (Tue, 14 Feb 2017 00:21:13 GMT):
Side note 2: What's better than a Valentine's (evening) party?

JonathanLevi (Tue, 14 Feb 2017 00:21:34 GMT):
[Hint, hint: https://github.com/golang/go/wiki/Go-1.8-Release-Party is just around the corner... ]

lehors (Tue, 14 Feb 2017 09:05:26 GMT):
@mastersingh24 it turns out that the reason go list doesn't work isn't because of the version of go but that go list doesn't work over symlinks apparently

lehors (Tue, 14 Feb 2017 09:06:31 GMT):
so, my initial statement that fabric-ca's make needs /opt/gopath/src/github.com/hyperledger/fabric-ca stands

passkit (Tue, 14 Feb 2017 09:10:03 GMT):
Has joined the channel.

passkit (Tue, 14 Feb 2017 09:13:25 GMT):
I'm following this documentation http://hyperledger-fabric.readthedocs.io/en/latest/Setup/ca-setup/ and can successfully set up a server and enrol with the sqlite database. But I am not able to enrol with either a Postgres or MySQL config.

passkit (Tue, 14 Feb 2017 09:15:21 GMT):
Certificates work ok, but the tables are not initialising. If I create them manually (using the SQL from the source code), the client tries to read the user from the table, and (since a user does not yet exist) returns `Error response from server was 'sql: no rows in result set' for request:`

passkit (Tue, 14 Feb 2017 09:15:46 GMT):
How to correctly init the external databases and enrol the admin user?

passkit (Tue, 14 Feb 2017 09:16:02 GMT):
There is nothing in the docs to suggest how this is done

passkit (Tue, 14 Feb 2017 10:06:00 GMT):
After looking through the code, the DB is only bootstrapped if it does not exist.

passkit (Tue, 14 Feb 2017 10:07:01 GMT):
While this is practical for a file based DB, it may not be always practical for MYSQL or Postgres as the DB may be managed/administered separately and the user may not have create db rights

passkit (Tue, 14 Feb 2017 10:07:45 GMT):
Would propose changing the logic so that if the DB exists but the tables do not, then the tables are bootstrapped.

thojest (Tue, 14 Feb 2017 10:25:22 GMT):
Question: what will be changed in v1.0 regarding the membersrvc?

thojest (Tue, 14 Feb 2017 10:25:35 GMT):
i have heard that it gets a complete rework?

Vadim (Tue, 14 Feb 2017 10:26:47 GMT):
@thojest https://github.com/hyperledger/fabric-ca

thojest (Tue, 14 Feb 2017 10:30:19 GMT):
@Vadim thx... what are the differences to membersrvc?

Vadim (Tue, 14 Feb 2017 10:30:49 GMT):
well read the readme

Vadim (Tue, 14 Feb 2017 10:31:19 GMT):
also maybe this can be useful: https://docs.google.com/document/d/1Qg7ZEccOIsrShSHSNl4kBHOFvLYRhQ3903srJ6c_AZE/edit#

thojest (Tue, 14 Feb 2017 10:44:05 GMT):
@Vadim thx

dsanchezseco (Tue, 14 Feb 2017 11:16:52 GMT):
Has joined the channel.

passkit (Wed, 15 Feb 2017 07:10:31 GMT):
Trying to register a peer with `fabric-ca client` on a remote server, but the client always defaults to localhost.

passkit (Wed, 15 Feb 2017 07:12:44 GMT):
`fabric-ca client register -config client-config.json peer1.json https://my-fabric-ca-server.com:7054`

passkit (Wed, 15 Feb 2017 07:13:36 GMT):
Results in: `POST failure [Post http://localhost:7054/api/v1/cfssl/register: dial tcp [::1]:7054: getsockopt: connection refused]; not sending`

DannyWong (Wed, 15 Feb 2017 09:29:07 GMT):
Has joined the channel.

thojest (Wed, 15 Feb 2017 12:14:13 GMT):
hi again a question

thojest (Wed, 15 Feb 2017 12:14:37 GMT):
having a look at `/var/hyperledger/production/.membersrvc/`

thojest (Wed, 15 Feb 2017 12:15:30 GMT):
eca.priv is the private enrollment key

thojest (Wed, 15 Feb 2017 12:15:37 GMT):
eca.pub is the public enrollment key

thojest (Wed, 15 Feb 2017 12:16:11 GMT):
i suppose eca.cert is the enrollment certificate. what is the relation of it to eca.priv and eca.pub ?

thojest (Wed, 15 Feb 2017 12:16:24 GMT):
question is about fabric v0.6

Vadim (Wed, 15 Feb 2017 12:18:24 GMT):
try to read the cert with openssl and check whether the pub key in there is the same as eca.pub. My guess is that they are the same.

thojest (Wed, 15 Feb 2017 12:27:39 GMT):
that's true, thx a lot

thojest (Wed, 15 Feb 2017 12:27:55 GMT):
what are these aca.* files

thojest (Wed, 15 Feb 2017 13:08:12 GMT):
ok attribute certificates

xixuejia (Wed, 15 Feb 2017 13:09:35 GMT):
Has joined the channel.

bobbiejc (Wed, 15 Feb 2017 14:15:29 GMT):
Has joined the channel.

WebKruncher (Wed, 15 Feb 2017 16:05:48 GMT):
I'm running the CA on Ubuntu, with tls disabled. The admin enroll works, and I can register a user, but I get an error trying to enroll the newly registered user... 2017/02/14 10:04:54 [WARNING] Client Cert or Key not provided, if server requires mutual TLS, the connection will fail [error: open : no such file or directory] POST failure [Post https://localhost:7054/api/v1/cfssl/enroll: http: server gave HTTP response to HTTPS client]; not sending... has anyone else run into this? Do I need tls enabled to enroll users?

sstone1 (Wed, 15 Feb 2017 19:31:17 GMT):
Has joined the channel.

murrekatt (Thu, 16 Feb 2017 06:18:24 GMT):
Has joined the channel.

wutongtree (Thu, 16 Feb 2017 09:49:14 GMT):
Has joined the channel.

VipinB (Thu, 16 Feb 2017 16:12:49 GMT):
Has joined the channel.

divyank (Thu, 16 Feb 2017 18:29:41 GMT):
Has joined the channel.

baohua (Fri, 17 Feb 2017 02:02:23 GMT):
Welcome to help give comments on this jira task (update those cfg variables): https://jira.hyperledger.org/browse/FAB-2118, thanks!

ylsGit (Fri, 17 Feb 2017 02:27:07 GMT):
Has joined the channel.

subaru365 (Fri, 17 Feb 2017 04:53:49 GMT):
Has joined the channel.

guhaihua (Fri, 17 Feb 2017 06:36:54 GMT):
@WebKruncher I found a fabric-ca version that can almost run: https://gerrit.hyperledger.org/r/changes/5853/revisions/876e6f86799d10665411a8001c9e58b32f7b10d9/archive?format=tgz

guhaihua (Fri, 17 Feb 2017 06:49:56 GMT):
However, it has a small problem. The lines of cmd/fabric-ca-server/config.go:128-136 seem wrong, and it will not write to fabric-ca-server.db. This will make "fabric-ca-client enroll" error.

guhaihua (Fri, 17 Feb 2017 06:55:01 GMT):
Does anyone know how to fix this bug? Thanks!

guhaihua (Fri, 17 Feb 2017 07:00:26 GMT):
lib/spi/userregistry.go:26-34
```go
// UserInfo contains information about a user
type UserInfo struct {
	Name           string
	Pass           string
	Type           string
	Group          string
	Attributes     []api.Attribute
	State          int
	MaxEnrollments int
}
```

guhaihua (Fri, 17 Feb 2017 08:36:58 GMT):
Good news, I have fixed the bug. I will commit it to fabric-ca master as soon as possible.

levinkwong (Fri, 17 Feb 2017 09:09:08 GMT):
Has joined the channel.

WebKruncher (Fri, 17 Feb 2017 15:20:21 GMT):
@guhaihua that is good news - I don't see the problem in UserInfo - not sure what you mean - looking forward to your commit

JonathanLevi (Fri, 17 Feb 2017 17:39:47 GMT):
---

JonathanLevi (Fri, 17 Feb 2017 17:39:51 GMT):
https://gerrit.hyperledger.org/r/#/c/5763

JonathanLevi (Fri, 17 Feb 2017 17:40:20 GMT):
@skarim, @keith: can you please quickly address this and we'll merge it?

JonathanLevi (Fri, 17 Feb 2017 17:40:34 GMT):
Sorry, @smithbk ^^^

divyank (Fri, 17 Feb 2017 18:52:34 GMT):
hey all, I'm implementing the enroll functionality in the go lang sdk. We are using the fabric-ca client.go code. There is an enroll method that returns an Identity struct which includes ecert as type Signer. The issue here is that the Signer struct includes unexported fields which the client needs to use (like key and cert). Can we change the fields to be exported? Thanks

smithbk (Fri, 17 Feb 2017 18:54:26 GMT):
I added a Key() and Cert() func to a later change set for that ... not yet merged

divyank (Fri, 17 Feb 2017 18:57:43 GMT):
Great! Can I have a link to the gerrit change set so I can track progress?

smithbk (Fri, 17 Feb 2017 19:05:15 GMT):
@JonathanLevi I just pushed https://gerrit.hyperledger.org/r/#/c/4363/ ... thanks

smithbk (Fri, 17 Feb 2017 19:06:25 GMT):
@divyank See https://gerrit.hyperledger.org/r/#/c/6037/

divyank (Fri, 17 Feb 2017 19:07:03 GMT):
@smithbk thank you

JonathanLevi (Fri, 17 Feb 2017 19:16:58 GMT):
@smithbk approved. We'll wait for the build... and merge it. Thanks.

firas.qutishat (Fri, 17 Feb 2017 19:37:44 GMT):
Has joined the channel.

johnwolpert (Sun, 19 Feb 2017 16:05:47 GMT):
Has joined the channel.

OlufAndrews (Mon, 20 Feb 2017 03:09:29 GMT):
Has joined the channel.

vinayakkumar (Mon, 20 Feb 2017 12:43:20 GMT):
Has joined the channel.

jyg (Mon, 20 Feb 2017 13:58:45 GMT):
Has joined the channel.

rkiouak (Mon, 20 Feb 2017 21:15:29 GMT):
Has joined the channel.

weeds (Tue, 21 Feb 2017 02:01:33 GMT):
Has joined the channel.

warm3snow (Tue, 21 Feb 2017 05:17:52 GMT):
Has joined the channel.

revichnr (Tue, 21 Feb 2017 09:11:51 GMT):
Has joined the channel.

shimron (Tue, 21 Feb 2017 10:22:10 GMT):
Has joined the channel.

v_thirugnanam (Tue, 21 Feb 2017 21:56:20 GMT):
Has joined the channel.

psa (Wed, 22 Feb 2017 13:05:21 GMT):
Has joined the channel.

bartcant (Thu, 23 Feb 2017 02:12:25 GMT):
Has joined the channel.

Ying (Thu, 23 Feb 2017 07:37:51 GMT):
Has joined the channel.

Ying (Thu, 23 Feb 2017 09:17:23 GMT):
hi, I ran into a panic error when using the latest version of fabric-ca and running peer node start on a latest-version fabric peer:
```
(In peer)# peer node start --peer-defaultchain=false
panic: Fatal error when setting up MSP from directory /etc/hyperledger/fabric/msp/sampleconfig: err CA Certificate did not have the Subject Key Identifier extension, (SN: 1000)
```
My peerOrg0.pem is:
```
-----BEGIN CERTIFICATE-----
MIIBDTCBtQICA+gwCgYIKoZIzj0EAwIwEzERMA8GA1UEAwwIcGVlck9yZzAwHhcN
MTcwMTI0MTk1NTQ1WhcNMTgwMTI0MTk1NTQ1WjATMREwDwYDVQQDDAhwZWVyT3Jn
MDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOPl4xOwQok0p6QXyOOez3QQDvlf
f/zbdp+2MC/2B/gLxfxXCmY4xU2autGOBWDNcRVWUnwV+Kb1bFmICpgRbAIwCgYI
KoZIzj0EAwIDRwAwRAIgWI7c1ETv5d1Whmp47hA/Vu7OEBHL0RZ/YOpBJVCIPRYC
IF+1fvl9HiboCx1pHaT7YUXoRmFgVTkEaI2ususgcGF4
-----END CERTIFICATE-----
```
It seems I do need a SKI in the pem file, but I have no idea how to get it? Thanks for any help~~

aambati (Thu, 23 Feb 2017 15:14:37 GMT):
Has joined the channel.

mastersingh24 (Thu, 23 Feb 2017 16:59:34 GMT):
@Ying - so you were trying to use the material which came from fabric-ca and replace the certs that come in sampleconfig for the peer?

mrkiouak (Thu, 23 Feb 2017 17:14:14 GMT):
hi, i'm working through the https://github.com/hyperledger/fabric/blob/master/docs/Setup/ca-setup.md doc, at the fabric-client enroll bootstrap user step, it seems that 1) the param args to 'fabric-ca client enroll' have changed (if I specify http://localhost:7054 I get an error on 'open http://localhost:7054: no such file or directory'), and if I leave off the http://..., I appear to get a POST to the right host (/api/v1/cfssl/enroll), auth basic, cert request, but it seems there is no aff/neg response from the server, and no cert.pem is created. In the server log, I see '2017/02/23 17:09:37 http: TLS handshake error from [::1]:40440: tls: oversized record received with length 21536'. Can anyone tell me if the readme setup is still correct for latest (or whatever the go get github.com/hyperledger/fabric-ca dls)

beckmann (Thu, 23 Feb 2017 19:06:50 GMT):
Has joined the channel.

beckmann (Thu, 23 Feb 2017 19:06:54 GMT):
trying to install hackfest setup from http://hyperledger-fabric.readthedocs.io/en/latest/asset_setup. Getting certificate error when pulling the image configuration for fabric-ca. is a fix on the way?

weeds (Thu, 23 Feb 2017 19:14:31 GMT):
@beckmann i think a couple of people are struggling with the same thing- so Nick is going to get on in 30 minutes on the fabric channel to try to help

Ying (Fri, 24 Feb 2017 01:18:06 GMT):
Thanks @mastersingh24, my certs are from /hyperledger/hackfest/tmp/peer0, not the certs from /fabric-ca

CarlXK (Fri, 24 Feb 2017 01:59:58 GMT):
Has joined the channel.

Ying (Fri, 24 Feb 2017 03:05:09 GMT):
@Ying Some update. In fabric/msp/mspimpl.go, there's a merge [FAB-1558] 3 days ago, which adds a check of SKI. It results in my panic. Still no idea how to make sure my CA has the correct format.

sachikoy (Fri, 24 Feb 2017 09:44:41 GMT):
Hi, I'm using Fabric v0.6 and realized that Ecert expires in 90 days and we cannot re-issue Ecert. I cannot figure out how to set the cert expiration date at an arbitrary value. Is there any way to configure the expiration date without modifying the source code?

shubhamvrkr (Fri, 24 Feb 2017 10:02:06 GMT):
Has joined the channel.

nickmelis (Fri, 24 Feb 2017 12:33:15 GMT):
Has joined the channel.

nickmelis (Fri, 24 Feb 2017 12:33:46 GMT):
@sachikoy I probably have the same question. With Fabric v0.6, Is there a way to "un-enroll" a user?

farhan3 (Fri, 24 Feb 2017 18:35:39 GMT):
Has joined the channel.

farhan3 (Fri, 24 Feb 2017 19:09:29 GMT):
Hi - in v0.6, when enabling TLS between peers. Where would I add the root certificate that signs the peer certificates?

farhan3 (Fri, 24 Feb 2017 19:10:22 GMT):
I'm getting an error:
```
grpc: addrConn.resetTransport failed to create client transport: connection error: desc = "transport: x509: certificate signed by unknown authority"
```

mastersingh24 (Fri, 24 Feb 2017 21:03:49 GMT):
[ unfortunately the parameter seems to be hard-coded](https://chat.hyperledger.org/channel/fabric-ca?msg=86GXqRzkXRJSzuTTy) @sachikoy

pmullaney (Fri, 24 Feb 2017 23:01:10 GMT):
Has joined the channel.

pmullaney (Fri, 24 Feb 2017 23:16:49 GMT):
building the latest fabric-ca docker images and fabric-ca fails to start

sachikoy (Sat, 25 Feb 2017 00:28:16 GMT):
@mastersingh24 thanks for confirming.

sachikoy (Sat, 25 Feb 2017 00:29:14 GMT):
@nickmelis no, we cannot un-enroll a user as far as I know. In v1, it seems possible to "re-enroll" the same user again to issue a new Ecert.

slender (Sat, 25 Feb 2017 00:43:51 GMT):
Has joined the channel.

vdods (Sat, 25 Feb 2017 01:22:45 GMT):
Has joined the channel.

vdods (Sat, 25 Feb 2017 01:24:49 GMT):
Hi all, I've been using fabric 0.6 for a time, and am getting up to speed on 1.0 in order to port my software to use it. I'd like to understand the architectural differences regarding the peers and CA from version 0.6 to version 1.0. In particular, it looks like fabric-ca is a formally separated project now, and its use is optional. Does this mean that one can use HL Fabric without the CA entirely?

vdods (Sat, 25 Feb 2017 01:25:38 GMT):
Similarly, it looks like fabric-sdk-node has been split up into two separate node.js modules (fabric-client and fabric-ca-client), suggesting that each of these are separate and independent concerns.

rrader (Sat, 25 Feb 2017 14:53:14 GMT):
Has joined the channel.

smithbk (Sat, 25 Feb 2017 19:50:49 GMT):
@vdods Yes, you are correct. You may get certificates from fabric-ca or another CA in order to transact on the blockchain. Of course certs from other CAs may not preserve anonymity or unlinkability, but the fabric doesn't care where the certs are from, as long as they are signed by a CA that is configured to be trusted by the fabric.

vdods (Sat, 25 Feb 2017 19:52:37 GMT):
@smithbk Gotcha. But some CA is needed, presumably? If for nothing else than to authorize peers/orderers within a network?

smithbk (Sat, 25 Feb 2017 19:56:01 GMT):
Yes, the default MSP (Membership Service Provider) implementation in fabric requires an x509 cert from somewhere, based on the MSP policy for various operations

mastersingh24 (Sun, 26 Feb 2017 12:34:55 GMT):
[ You will notice that all of the SDKs will split out this functionality. You have the ability to load an existing identity (created from something other than fabric-ca) or optional to use the fabric-ca for identities. In the NodeJS case, having a separate package `fabric-ca-client` allows you to build identity mgmt apps outside of a normal client app if you so choose. We thought that separating this out would help enforce that type of behavior. Of course you can still use the enroll API within your client app](https://chat.hyperledger.org/channel/fabric-ca?msg=cvtRqAMhBL5B6tSEb) @vdods

bh4rtp (Mon, 27 Feb 2017 00:28:50 GMT):
Has joined the channel.

vdods (Mon, 27 Feb 2017 00:48:17 GMT):
@mastersingh24 Thanks!

silentspark (Mon, 27 Feb 2017 02:55:55 GMT):
Has joined the channel.

jimthematrix (Mon, 27 Feb 2017 05:16:27 GMT):
Has joined the channel.

jimthematrix (Mon, 27 Feb 2017 05:17:34 GMT):
@smithbk noticed that the default "admin" user is now not affiliated with any group, however this breaks the register() API because when I tried to register a user I must not specify a "group" value or I tried to set it to "null" or "", in all cases I get the following error from fabric-ca:
```
Register failed with errors [[{"code":0,"message":"Failed getting affiliation group '': sql: no rows in result set"}]]
```

jimthematrix (Mon, 27 Feb 2017 05:19:43 GMT):
what do i need to do to register a user without affiliation?

hyp0th3rmi4 (Mon, 27 Feb 2017 08:01:30 GMT):
Has joined the channel.

alisonb (Mon, 27 Feb 2017 11:13:06 GMT):
Has joined the channel.

mastersingh24 (Mon, 27 Feb 2017 12:56:50 GMT):
@jimthematrix - what are you passing in for the group value in the register request?

mastersingh24 (Mon, 27 Feb 2017 12:58:46 GMT):
if the role = client, you have to include a group

mastersingh24 (Mon, 27 Feb 2017 12:59:22 GMT):
assuming you are now using the fabric-ca-server defaults, you can try `org1` or `org2`

jimthematrix (Mon, 27 Feb 2017 13:51:57 GMT):
hmm, i thought the affiliation value can't be different than what the admin has. but i did notice org1 and org2 in the sqlite database. will give it a try

mayerwa (Mon, 27 Feb 2017 13:58:31 GMT):
Has joined the channel.

mastersingh24 (Mon, 27 Feb 2017 13:58:55 GMT):
I think it just checks to see whether or not the affiliation exists

s.narayanan (Mon, 27 Feb 2017 17:39:00 GMT):
If external LDAP is used for authenticating the user (prior to enrollment) and for retrieving attribute values, do you still require the Fabric CA database? What is the state managed within this database?

mastersingh24 (Mon, 27 Feb 2017 18:33:47 GMT):
@s.narayanan - it is also used to store the actual certificates themselves

mastersingh24 (Mon, 27 Feb 2017 18:34:16 GMT):
LDAP simply replaces the user database but not the cert database

s.narayanan (Mon, 27 Feb 2017 18:38:28 GMT):
Thanks. So this is to store the Ecerts and Tcerts that are issued to clients?

ashutosh_kumar (Mon, 27 Feb 2017 18:44:02 GMT):
It stores ECerts. Support for TCert storage in Database is in the plans.

s.narayanan (Mon, 27 Feb 2017 18:58:27 GMT):
@ashutosh_kumar - thanks

bkvellanki (Mon, 27 Feb 2017 21:57:07 GMT):
Has joined the channel.

smithbk (Tue, 28 Feb 2017 07:38:18 GMT):
@jimthematrix @mastersingh24 @JonathanLevi WRT the affiliation hierarchy, the empty string actually should be valid because it is the root affiliation, so that is a bug that the empty string isn't stored in the DB. As Gari said, "org1" or "org2" will work with the default config, but so will "org1.department1" for example, which is one of the leaves of the default hierarchy. We also plan on adding another authorization check to the register call which restricts a registrar from registering a user with an affiliation outside of its own affiliation subtree. For example, if a registrar has an affiliation of "org1", it can register other identities with "org1" or "org1.department1" affiliation but not "org2". The default bootstrap admin can register an identity with any affiliation because it is a registrar and it has an empty string affiliation.

JonathanLevi (Tue, 28 Feb 2017 14:06:47 GMT):
Good morning,

JonathanLevi (Tue, 28 Feb 2017 14:07:08 GMT):
@smithbk: "We also plan on *adding another authorization check* to the register call which restricts a registrar from registering a user with an affiliation outside of its own affiliation subtree..."

JonathanLevi (Tue, 28 Feb 2017 14:08:08 GMT):
Yes, please - I didn't realize it is not enforced yet... that was the main point/design of the tree/hierarchy.

JonathanLevi (Tue, 28 Feb 2017 14:09:01 GMT):
So at the moment, the registrar is kind of a *super admin* ?

smithbk (Tue, 28 Feb 2017 14:26:11 GMT):
@JonathanLevi The registrar can be restricted to the types of entities which can be registered (e.g. peer, orderer, app, user), so not quite super admin. The affiliation hierarchy is also used (or will be in the future) for audit, since the prekey is associated with each node in the hierarchy.

kletkeman (Tue, 28 Feb 2017 15:18:08 GMT):
Has joined the channel.

farhan3 (Tue, 28 Feb 2017 17:21:23 GMT):
Hi - is there a similar document like "HyperledgerFabric_LedgerV1_20170210.ptx" but for fabric-ca? I looked around in Jira but didn't see anything.

farhan3 (Tue, 28 Feb 2017 17:22:24 GMT):
Link for HyperledgerFabric_LedgerV1_20170210.ptx: https://jira.hyperledger.org/browse/FAB-758

JonathanLevi (Tue, 28 Feb 2017 21:46:40 GMT):
Let's see what we can do before the alpha. I think this is very important.

JonathanLevi (Tue, 28 Feb 2017 21:47:00 GMT):
I think we can/should prioritize it.

vpaprots (Wed, 01 Mar 2017 03:07:24 GMT):
@smithbk @JonathanLevi: This looks like a bug to me:
```go
// LoadClient loads client configuration file
func loadClient(loadIdentity bool, configFile string) (*lib.Client, *lib.Identity, error) {
	if configFile == "" {
		configFile = path.Join(filepath.Dir(util.GetDefaultConfigFile("fabric-ca-client")), "client-config.json")
	}
	log.Infof("Fabric-ca Client Configuration File: %s", configFile)
	client, err := lib.NewClient(configFile)
	if err != nil {
		log.Infof("NewClient error %s", err)
		return nil, nil, err
	}
	if loadIdentity {
		id, err2 := client.LoadMyIdentity()
		if err != nil {
			log.Infof("LoadMyIdentity error %s", err)
			return nil, nil, err2
		}
		return client, id, nil
	}
	return client, nil, err
}
```
The second `if err != nil {` will never trigger.

vpaprots (Wed, 01 Mar 2017 03:08:11 GMT):
getting quite the bit of fabric-ca failures when I make it `if err2 != nil {` though, so perhaps (hopefully?) I am wrong?

wwendy (Wed, 01 Mar 2017 03:32:41 GMT):
Has joined the channel.

ashutosh_kumar (Wed, 01 Mar 2017 04:11:20 GMT):
@smithbk : how are registrar roles being assigned?

levinkwong (Wed, 01 Mar 2017 05:36:20 GMT):
@ashutosh_kumar By attributes, hf.Registrar.Roles

ibmamnt (Wed, 01 Mar 2017 06:04:24 GMT):
Hi I have raised the ticket:
> https://jira.hyperledger.org/browse/FAB-2559
> fabric-ca-server.db is written on / instead of /etc/hyperledger/fabric-ca-server
Please close if this is known, and a developer is already working on it. Thanks !

smithbk (Wed, 01 Mar 2017 12:44:02 GMT):
@vpaprots The loadClient call is from the cli directory which is going to be completely deleted soon since the cmd directory contains the new commands. I've been trying to wait for Allen Bailey to check in his change to fvt tests to be rebased on the new commands before I delete the cli directory. I assume this is somehow causing a test failure? I hate that you have to spend time on the cli directory stuff if this is the case, so I suggest that you just temporarily disable all test cases in cli/client and cli/server until we can delete it. You can disable the running of these test cases by editing this line in fabric-ca/scripts/run_tests

smithbk (Wed, 01 Mar 2017 12:44:05 GMT):
PKGS=`go list github.com/hyperledger/fabric-ca/... | grep -Ev '/vendor/|/api|/dbutil|/ldap'`

gatakka (Wed, 01 Mar 2017 12:45:18 GMT):
Hello, I have a question about TCerts and their usage. When the CA returns TCerts it contains x509 certificates, but where is the private key for those TCerts to sign requests when I use them? Do I have to use the private key of the user that requested the TCerts, or is the private key encrypted in the TCert somehow and a unique PK for every TCert? Thank you!

smithbk (Wed, 01 Mar 2017 12:47:07 GMT):
@vpaprots Changing that line to the following should work

smithbk (Wed, 01 Mar 2017 12:47:10 GMT):
PKGS=`go list github.com/hyperledger/fabric-ca/... | grep -Ev '/vendor/|/api|/dbutil|/ldap|/cli/client|/cli/server'`

smithbk (Wed, 01 Mar 2017 12:49:26 GMT):
@gatakka Are you using an SDK?

smithbk (Wed, 01 Mar 2017 12:49:40 GMT):
node or java or python?

smithbk (Wed, 01 Mar 2017 12:51:32 GMT):
There is some magic with tcerts which is handled by the SDK

gatakka (Wed, 01 Mar 2017 12:52:13 GMT):
@smithbk no, I am playing with a pure Go client using gRPC directly. I want to understand in more detail how HL is working internally. My question is about how TCerts are expected to be used, not about the exact technical implementation :)

gatakka (Wed, 01 Mar 2017 12:52:57 GMT):
and as far as I can see the Node.js SDK has not implemented TCerts

smithbk (Wed, 01 Mar 2017 12:54:12 GMT):
yeh, the state of that is a question for @jimthematrix and you could ask on their channel, but I thought the node work on that was furthest along

smithbk (Wed, 01 Mar 2017 12:54:59 GMT):
OK, so at a high level, this is how tcerts work:

smithbk (Wed, 01 Mar 2017 12:55:38 GMT):
The fabric-ca-server returns a key derivation function, which is used by the client to generate the private key

gatakka (Wed, 01 Mar 2017 12:56:40 GMT):
I see, so we generate the private key :) This is all I need. Thank you!

smithbk (Wed, 01 Mar 2017 12:56:57 GMT):
np

gatakka (Wed, 01 Mar 2017 13:19:48 GMT):
@smithbk just one more question: when you say "The fabric-ca-server returns a key derivation function", does this mean that I have to make a request to the CA and get this "derivation function", or is this function embedded in the TCerts response?

gatakka (Wed, 01 Mar 2017 13:20:22 GMT):
or is it something that is always the same, so the client knows how to derive this key and the code is hardcoded?

gatakka (Wed, 01 Mar 2017 13:55:19 GMT):
I found the answer in docs, thank you!

smithbk (Wed, 01 Mar 2017 13:55:53 GMT):
Yes, the server returns the key derivation function in the get tcerts response

ashutosh_kumar (Wed, 01 Mar 2017 13:59:05 GMT):
The SDK will do the heavy lifting for you @gatakka.

gatakka (Wed, 01 Mar 2017 14:00:17 GMT):
there is no implementation in the SDK for this in Node.js, Python or Java. Or at least I am not able to find any key derivation for TCerts.

ashutosh_kumar (Wed, 01 Mar 2017 14:02:18 GMT):
We are in the mix of TCert server side code right now. If you look at the 0.6 code, the TCert private key computation code is there. The SDK team will port that code to the 1.0 branch. Hope it makes sense.

gatakka (Wed, 01 Mar 2017 14:02:52 GMT):
I see, because I looked on master, but not in 0.6. I will take a look in 0.6. Thank you!

ashutosh_kumar (Wed, 01 Mar 2017 14:02:53 GMT):
I am not sure about Python though.

ashutosh_kumar (Wed, 01 Mar 2017 14:03:38 GMT):
I have not looked at the Python code as I am Python illiterate.

Donald Liu (Thu, 02 Mar 2017 01:20:11 GMT):
Has joined the channel.

mrkiouak (Thu, 02 Mar 2017 02:22:07 GMT):
I'm getting an unexpected certificate error when running a Node SDK example

mrkiouak (Thu, 02 Mar 2017 02:22:12 GMT):
```
error: [Peer.js]: GRPC client got an error response from the peer. Error: The creator certificate is not valid, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority
    at /chaintool-node_modules/nest/node_modules/grpc/src/node/src/client.js:434:17
error: [Chain.js]: Chain-sendPeersProposal - Promise is rejected: Error: Error: The creator certificate is not valid, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority
    at Object.callback (/chaintool-node_modules/nest/node_modules/fabric-client/lib/Peer.js:191:13)
    at /chaintool-node_modules/nest/node_modules/grpc/src/node/src/client.js:437:14
```

mrkiouak (Thu, 02 Mar 2017 02:22:39 GMT):
I've cleared all the store keys (.hfc-* files) in the local directory and in ~/

mrkiouak (Thu, 02 Mar 2017 02:23:05 GMT):
any other ideas what could be causing this error with a clean master and a re-run of make for fabric-ca?

jansony1 (Thu, 02 Mar 2017 02:27:47 GMT):
Hi team. Please help me understand the difference between enrolling a peer and registering a peer. Thanks

suganuma (Thu, 02 Mar 2017 06:02:46 GMT):
Has joined the channel.

qasimhbti (Thu, 02 Mar 2017 07:17:47 GMT):
Has joined the channel.

gatakka (Thu, 02 Mar 2017 07:40:21 GMT):
Registration is what it says: it just registers a user with the proper attributes. It is a permanent record. But you cannot use this registered user in the system because he does not have valid certificates. To get certificates you enroll the user. If the certificate is compromised or expires you can enroll it again.

jansony1 (Thu, 02 Mar 2017 10:25:03 GMT):
Wow, that's pretty clear. @gatakka thanks

liuzhudong (Thu, 02 Mar 2017 10:43:10 GMT):
Has joined the channel.

DannyWong (Thu, 02 Mar 2017 12:20:46 GMT):
@gatakka I am wondering: if an eCert of a user is compromised, we of course can enroll him/her again. But what about his existing ACL? (I know Fabric CA can put the compromised cert on its CRL such that no more new tx can be submitted)

mrkiouak (Thu, 02 Mar 2017 15:12:22 GMT):
Still facing this issue I encountered last night. It looks to be a fabric-ca issue; I would love it if anyone familiar with the "creator certificate is not valid" error could let me know what I could look at

mrkiouak (Thu, 02 Mar 2017 15:12:23 GMT):
I'm getting an unexpected certificate error when running a Node SDK example:
```
error: [Peer.js]: GRPC client got an error response from the peer. Error: The creator certificate is not valid, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority
    at /chaintool-node_modules/nest/node_modules/grpc/src/node/src/client.js:434:17
error: [Chain.js]: Chain-sendPeersProposal - Promise is rejected: Error: Error: The creator certificate is not valid, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority
    at Object.callback (/chaintool-node_modules/nest/node_modules/fabric-client/lib/Peer.js:191:13)
    at /chaintool-node_modules/nest/node_modules/grpc/src/node/src/client.js:437:14
```
I've cleared all the store keys (.hfc-* files) in the local directory and in ~/. Any other ideas what could be causing this error with a clean master and a re-run of make for fabric-ca?

mrkiouak (Thu, 02 Mar 2017 15:12:36 GMT):
I'm running in the devenv vagrant on a Windows host

weeds (Fri, 03 Mar 2017 03:09:53 GMT):
@elli-androulaki Able to help @mrkiouak?

Willson (Fri, 03 Mar 2017 04:00:05 GMT):
Has joined the channel.

elli-androulaki (Fri, 03 Mar 2017 08:48:10 GMT):
@mrkiouak, do you have more details on how the issue occurred/how to reproduce it? Aside from this, potential reasons for signature verification failing: i) the certificate used has expired, ii) the root CA certificate has expired, iii) the hash function used at the client SDK side for signatures is different from the SHA256 used at the peer verifier side. Adding @aso and @adc to the discussion.

aso (Fri, 03 Mar 2017 08:48:10 GMT):
Has joined the channel.

adc (Fri, 03 Mar 2017 08:48:10 GMT):
Has joined the channel.

mastersingh24 (Fri, 03 Mar 2017 11:14:45 GMT):
@mrkiouak - what's your setup - how did you create the channel on the orderer, etc.?

bh4rtp (Fri, 03 Mar 2017 13:32:35 GMT):
hi everyone. how do I disable TLS?

mrkiouak (Fri, 03 Mar 2017 14:13:19 GMT):
@elli-androulaki @aso @adc this is all running the fabric/test/ compose file, e.g. running with "defaults" for the example02 demo.

mrkiouak (Fri, 03 Mar 2017 14:15:28 GMT):
so I'm running in the latest fabric devenv vagrant, with the latest fabric-ca

mrkiouak (Fri, 03 Mar 2017 14:15:35 GMT):
running make docker in both folders

mrkiouak (Fri, 03 Mar 2017 14:15:56 GMT):
docker-compose up -d from fabric/test

mrkiouak (Fri, 03 Mar 2017 14:16:14 GMT):
then attempting to install and instantiate my chaincode

mrkiouak (Fri, 03 Mar 2017 14:16:20 GMT):
receiving the cert error at this step

smithbk (Fri, 03 Mar 2017 14:17:05 GMT):
@mrkiouak I'll try to reproduce

mrkiouak (Fri, 03 Mar 2017 14:17:47 GMT):
fwiw, it didn't reproduce for @greg.haskins, but we weren't able to come up with a compelling reason why

greg.haskins (Fri, 03 Mar 2017 14:17:47 GMT):
Has joined the channel.

mrkiouak (Fri, 03 Mar 2017 14:18:10 GMT):
other than my host machine is Windows and maybe there's some file system issue between Windows and the vagrant env (Greg is on Mac OS X)

smithbk (Fri, 03 Mar 2017 14:19:30 GMT):
the only reason I can see that happening is that when fabric-ca starts, it isn't using the well-known key and cert that we have burned into the tests to trust

smithbk (Fri, 03 Mar 2017 14:20:11 GMT):
but the docker image should always use that one

mrkiouak (Fri, 03 Mar 2017 14:20:38 GMT):
yeah, I'm struggling to come up with what the root cause is

mrkiouak (Fri, 03 Mar 2017 14:20:45 GMT):
I've rebuilt the vagrant etc.

mrkiouak (Fri, 03 Mar 2017 14:24:10 GMT):
and when I say my app, it's just the fabric-chaintool latest example02

mrkiouak (Fri, 03 Mar 2017 14:24:18 GMT):
the goal is eventually to move to my app ;)

smithbk (Fri, 03 Mar 2017 14:58:49 GMT):
@mrkiouak and I just talked offline via Google Hangout. For some reason, the tar.bz2 in the fabric-ca image which contains the well-known key and cert can't be extracted from inside the container.

greg.haskins (Fri, 03 Mar 2017 20:21:47 GMT):
@smithbk @mastersingh24 So I worked with @mrkiouak on this: still not entirely sure what is going on, but the best we can gather, there is some kind of bad interaction between vagrant vboxsf and Windows w.r.t. the fabric-ca build

greg.haskins (Fri, 03 Mar 2017 20:22:46 GMT):
we do see that fabric+vboxsf+windows = ok, fabric-ca+linux-native-fs = ok and fabric-ca+vboxsf+osx = ok

greg.haskins (Fri, 03 Mar 2017 20:23:11 GMT):
(correct me if I got any of that wrong @mrkiouak )

mrkiouak (Fri, 03 Mar 2017 20:24:58 GMT):
@greg.haskins, @smithbk, @mastersingh24 no, that all looks correct. On top of Keith's above message re: cert strangeness in the container, I'm also seeing file changes to fabric-ca at some indeterminate point, possibly linked to the "make docker" step in fabric-ca, and I don't see these file deletions in any of the repos except fabric-ca.

mrkiouak (Fri, 03 Mar 2017 20:25:43 GMT):
I'm temporarily moving to an Ubuntu VM running via VMware Workstation, but will slowly chip away at what's going on

mrkiouak (Fri, 03 Mar 2017 20:26:01 GMT):
If anyone is successfully running the latest fabric-ca using vagrant on a Windows laptop/desktop,

mrkiouak (Fri, 03 Mar 2017 20:26:13 GMT):
it would be helpful to compare our setups

greg.haskins (Fri, 03 Mar 2017 20:26:53 GMT):
that's what I am curious about too: whether any fabric-ca devs are using a combo of fabric-devenv + Windows

greg.haskins (Fri, 03 Mar 2017 20:27:14 GMT):
I use OS X and I believe @smithbk does as well

mlishok (Fri, 03 Mar 2017 20:42:27 GMT):
Has joined the channel.

rameshthoomu (Fri, 03 Mar 2017 20:45:59 GMT):
Has joined the channel.

smithbk (Fri, 03 Mar 2017 20:49:40 GMT):
Right, I have OS X.

smithbk (Fri, 03 Mar 2017 20:52:34 GMT):
@mrkiouak Could you pls open a JIRA item on this (so you can track it) and paste the link here and on the fabric-quality channel? I just spoke with some folks with access to Windows machines who could try to reproduce, and they monitor the fabric-quality channel

mrkiouak (Fri, 03 Mar 2017 21:04:34 GMT):
https://jira.hyperledger.org/browse/FAB-2627

mastersingh24 (Fri, 03 Mar 2017 21:31:11 GMT):
I don't use Vagrant but I have built fabric-ca on Windows with straight Docker

mrkiouak (Fri, 03 Mar 2017 21:36:54 GMT):
right now I'd prefer to be able to run in a Linux-based vagrant (especially as Linux will be the target deployment environment), but also I'm on a new Windows personal laptop that I haven't installed any tooling on. I generally use a Cygwin/git bash type environment, and have not generally done any work on a Windows OS that requires C++ compilation etc.

mrkiouak (Fri, 03 Mar 2017 21:37:17 GMT):
with OS X, homebrew made tooling installation for the terminal fairly painless

mrkiouak (Fri, 03 Mar 2017 21:37:39 GMT):
do you use any sort of package etc. for installing tooling on your Windows machine @mastersingh24?

mastersingh24 (Fri, 03 Mar 2017 23:51:31 GMT):
sorry @mrkiouak - I was out on a personal errand. What I do is actually just do everything inside of Docker on Windows. I had been building it directly on Windows just using straight `go` commands, but things have gotten more complicated if you want to run the tests. To just build the executable, I simply do `go build`

mrkiouak (Fri, 03 Mar 2017 23:52:49 GMT):
in Docker on Windows, I'd assume you're building the native executables rather than the Docker images? (to avoid docker-in-docker/--privileged)

mrkiouak (Fri, 03 Mar 2017 23:52:54 GMT):
thanks for the reply!

mrkiouak (Fri, 03 Mar 2017 23:53:04 GMT):
I had wondered if you did mean you had everything in Docker...

mastersingh24 (Fri, 03 Mar 2017 23:57:13 GMT):
actually, I used Docker to build the Docker images as well, since you can just mount the Docker socket (the same way you get chaincode to deploy)

mrkiouak (Fri, 03 Mar 2017 23:59:09 GMT):
so you'll build the images from your Windows Docker, then exit that Docker and deploy containers from the Windows OS (not deployed from the Linux container where you built them)?

mastersingh24 (Sat, 04 Mar 2017 00:00:44 GMT):
exactly

mastersingh24 (Sat, 04 Mar 2017 00:01:15 GMT):
I saw someone else doing this - it might even have been the Docker project itself

mastersingh24 (Sat, 04 Mar 2017 00:01:48 GMT):
I hate Vagrant (even though Docker for Windows uses a VM, I just feel better about it)

mastersingh24 (Sat, 04 Mar 2017 00:03:49 GMT):
I never saw much interest in it, so I didn't try to make it usable for others

mrkiouak (Sat, 04 Mar 2017 00:07:57 GMT):
it makes sense

mrkiouak (Sat, 04 Mar 2017 00:08:28 GMT):
when you build the images, do you need to manually move them to your windows host and upload them, or is docker somehow managing a unified image store?

greg.haskins (Sat, 04 Mar 2017 03:01:45 GMT):
@mrkiouak I don't want to answer for @mastersingh24, but from his description I suspect it's a unified store by virtue of the way he is surfacing dockerd

greg.haskins (Sat, 04 Mar 2017 03:02:46 GMT):
the way I think of it is: the image store is 1:1 with dockerd, so if you are exposing dockerd to another context (such as volume-mounting the UDS or exposing the TCP port), both contexts share one store

greg.haskins (Sat, 04 Mar 2017 03:03:02 GMT):
e.g. "docker images" will return the same set across both instances

mastersingh24 (Sat, 04 Mar 2017 09:38:45 GMT):
correct

passkit (Sun, 05 Mar 2017 05:58:04 GMT):
In the case that an endorser's certificate is revoked, how would this be communicated to the rest of the network? From what I have seen, nodes have certificates baked into the MSP folders. How does fabric-ca dynamically propagate certificate changes?

mastersingh24 (Sun, 05 Mar 2017 16:10:35 GMT):
@passkit - there are a few concepts that apparently are not clear (we'll fix this as the documentation is being rolled out):
1. MSP (membership service provider) - this is a concept which allows for 2 things:
   - the ability to use different types of membership providers. The default (and only one currently implemented) is an X509 provider
   - it allows for "identities" to be issued by different providers (e.g. if you have multiple companies participating in the blockchain, each company could manage/provide their own certificate authority for issuing certificates)
2. Based on 1), fabric peers / ordering nodes are not required to obtain their X509 material from fabric-ca, but of course we provide fabric-ca for people with their own CAs to use
3. MSPs are used in 2 ways (and I admit this is confusing):
   - "LocalMSP" - think of local MSPs as "structures" which hold the cryptographic identity information for clients, peers and ordering nodes. They will contain the root CA which issued the identity as well as the signing certificate key pair for the client, peer, orderer. For example, when a peer starts up, it will populate its localMSP from the file artifacts referenced in core.yaml and will use this information to actually sign endorsements (among other things)
   - "VerifyingMSPs" - similar to a "localMSP" except they DO NOT contain a signing identity (i.e. no reference to a private key for a signing keypair). (You'll note that one of the fields of an MSP is actually a revocation list, and in the case of X509 providers this will be an X509 CRL.)
4. When channels are created, you actually specify which organizations are allowed to participate in that channel. Each organization will be associated with an MSP (and it would be a "verifying" MSP). When the genesis / config block for a channel is created, it will contain the list of organizations (each of which has its MSP info)
5. When a peer joins a channel, you give it the genesis / config block for the channel. The peer will parse that information and will have a map of channels, with one of the properties of each channel being the list of MSPs for the channel
6. So let's say we have a channel (call it channelA) which has 3 orgs - Org1, Org2, Org3. Let's say that chaincode gets deployed with a policy that requires signatures from 2 out of the 3 orgs
7. So a client submits an endorsement proposal to peers from at least 2 out of the 3 orgs, gets the proposal responses back, creates a transaction and submits it to the ordering service. A couple of things happened along the way:
   - each peer has the list of per-channel MSPs and will actually check to make sure that the client who submitted the proposal is allowed to do so, by verifying the signature of the proposal (the client signed it using its local MSP) and making sure that the client's certificate was issued by an MSP that's associated with the channel (there's more detail to how this works, but this should be good enough for now)
   - when the client submits the transaction to the orderer, the same basic thing happens - the signature is checked and the orderer node checks to make sure that the certificate is valid / issued by one of the MSPs for the channel
8. Let's say a peer is connected to channelA and receives a block of transactions. Let's say it got a block which had the transaction submitted in step 7) above. The peer now needs to make sure that the endorsement policy for the transaction has been met (the endorsement policy is associated with the chaincode against which endorsement was requested). From step 6), we said that this requires signatures from 2 out of the 3 orgs, and from step 5) the peer knows which orgs (and MSPs) are part of the channel. So the peer can make sure that there are enough valid signatures which meet the policy
9. OK - so finally - let's say that a peer (we'll call it org1Peer1) from Org1 was compromised. For simplicity, let's say that Org1 is only part of channelA. So we need to be able to tell all peers which have joined channelA that the certificate for org1Peer1 has been revoked. All peers need to receive and process this information at the same time (this is to ensure that the committing logic is deterministic). So we need to update the MSP for Org1 and propagate that information to all peers connected to channelA. Recall that one of the fields of an MSP structure is a revocation list, so what needs to happen is that an update transaction is submitted to the ordering service which updates Org1's MSP to now have a CRL containing the certificate for org1Peer1

mastersingh24 (Sun, 05 Mar 2017 16:10:35 GMT):
@passkit - there are a few concepts that apparently are not clear (we'll fix this as the documentation is being rolled out):
1. MSP (membership service provider) - this is a concept which allows for 2 things:
- ability to use different types of membership providers. The default (and only one currently implemented) is an X509 provider
- it allows for "identities" to be issued by different providers (e.g. if you have multiple companies participating in the blockchain, each company could manage/provide their own certificate authority for issuing certificates)
2. Based on 1), fabric peers / ordering nodes are not required to obtain their X509 material from fabric-ca, but of course we provide fabric-ca for people with their own CAs to use
3. MSPs are used in 2 ways (and I admit this is confusing)
- "LocalMSP" - think of local MSPs as "structures" which hold the cryptographic identity information for clients, peers and ordering nodes. They will contain the root CA which issued the identity as well as the signing certificate key pair for the client, peer, orderer. For example, when a peer starts up, it will populate its localMSP from the file artifacts referenced in core.yaml and will use this information to actually sign endorsements (among other things)
- "VerifyingMSPs" - similar to a "localMSP" except they DO NOT contain a signing identity (i.e. no reference to a private key for a signing keypair). (You'll note that one of the fields of an MSP is actually a revocation list and in the case of X509 providers this will be an X509 CRL.)
4. When channels are created, you actually specify which organizations are allowed to participate in that channel. Each organization will be associated with an MSP (and it would be a "verifying" MSP). When the genesis / config block for a channel is created, it will contain the list of organizations (each of which has its MSP info)
5. When a peer joins a channel, you give it the genesis / config block for the channel. The peer will parse that information and will have a map of channels with one of the properties of each channel being the list of MSPs for the channel
6. So let's say we have a channel (call it channelA) which has 3 orgs - Org1, Org2, Org3. Let's say that chaincode gets deployed with a policy that requires signatures from 2 out of the 3 orgs
7. So a client submits an endorsement proposal to peers from at least 2 out of the 3 orgs, gets the proposal responses back, creates a transaction and submits it to the ordering service. A couple of things happened along the way:
- each peer has the list of per channel MSPs and will actually check to make sure that the client who submitted the proposal is allowed to do so by verifying the signature of the proposal (the client signed it using its local MSP) and making sure that the client's certificate was issued by an MSP that's associated with the channel (there's more detail to how this works, but should be good enough for now)
- when the client submits the transaction to the orderer, the same basic thing happens - signature is checked and the orderer node checks to make sure that the certificate is valid / issued by one of the MSPs for the channel
8. Let's say a Peer is connected to channelA and receives a block of transactions. Let's say it got a block which had the transaction submitted in step 7) above. The peer now needs to make sure that the endorsement policy for the transaction has been met (the endorsement policy is associated with the chaincode against which endorsement was requested). From step 6), we said that this requires signatures from 2 out of the 3 orgs and from step 5) the peer knows which orgs (and MSPs) are part of the channel. So the peer can make sure that there are enough valid signatures which meet the policy
9. OK - so finally - let's say that a peer (we'll call it org1Peer1) from Org1 was compromised. For simplicity, let's say that Org1 is only part of channelA. So we need to be able to tell all peers which have joined channelA that the certificate for org1Peer1 has been revoked. All peers need to receive and process this information at the same time (this is to ensure that the committing logic is deterministic). So we need to update the MSP for Org1 and propagate that information to all peers connected to channelA. Recall that one of the fields for an MSP structure is a revocation list, so what needs to happen is that an update transaction is submitted to the ordering service for channelA which updates Org1's MSP to now have a CRL containing the certificate for org1Peer1

passkit (Sun, 05 Mar 2017 16:15:35 GMT):
@mastersingh24 thanks for the detailed explanation. It's still unclear to me exactly how step 9 happens? Is there an API? From what I can see, fabric-ca, simply marks the cert as revoked with a date and reason.

mastersingh24 (Sun, 05 Mar 2017 16:16:04 GMT):
ah - I probably missed the easiest part of your question

mastersingh24 (Sun, 05 Mar 2017 16:16:21 GMT):
there's no direct connection between peer / ordering nodes and fabric-ca

mastersingh24 (Sun, 05 Mar 2017 16:18:33 GMT):
so basically, let's say Org1 was using fabric-ca to issue its certificates. And now Org1 wants to revoke the certificate for org1PeerOrg1. So it revokes the cert by calling the revoke API of its fabric-ca. At this point, Org1 would need to generate a CRL from its fabric-ca instance (which would be the list of all revoked certificates). That CRL would then be one of the inputs to step 9 above - but it is not automatic

mastersingh24 (Sun, 05 Mar 2017 16:19:53 GMT):
there's some consideration of adding an API to the fabric-ca which would basically do step 9 - you would need to provide the ordering service address and channel as inputs - but this does not exist at this point

passkit (Sun, 05 Mar 2017 16:21:23 GMT):
With certificates hard wired into peers and orderers, they are acting as their own de-facto authority. I can't get my head around how this can be secure.

mastersingh24 (Sun, 05 Mar 2017 16:53:18 GMT):
not sure what you mean?

mastersingh24 (Sun, 05 Mar 2017 16:53:37 GMT):
hard-wired?

mastersingh24 (Sun, 05 Mar 2017 16:54:36 GMT):
they are not hard-wired

mastersingh24 (Sun, 05 Mar 2017 16:57:00 GMT):
all of the crypto material for all of the participants / organizations in a channel is delivered to peers as config transactions within a config block. The block is obviously signed like any other block and of course there are policies in place governing the configuration of channels

mastersingh24 (Sun, 05 Mar 2017 16:57:22 GMT):
not sure what you mean by "acting as their own de-facto authority"

passkit (Sun, 05 Mar 2017 17:06:04 GMT):
From my understanding, only the roots are included within the config block. No check is made by the peers directly with the CA to determine if the certs they are using remain valid. Therefore all certificates signed by that organisation are deemed as trusted, even if they have been revoked (but not yet reflected in the CRL)

mastersingh24 (Sun, 05 Mar 2017 17:12:13 GMT):
still not sure which part you are questioning here? are you asking for the peer to check against some remote CRL for every interaction? (well OCSP would be better, but same idea)

mastersingh24 (Sun, 05 Mar 2017 17:12:50 GMT):
BTW - you really can't do that as you'll end up with non-deterministic behavior

mastersingh24 (Sun, 05 Mar 2017 17:14:30 GMT):
there is no way to know at what point in time a peer will validate / commit a transaction for a block. so there has to be a way for all peers to use the same revocation list at exactly the same point in time. that's why we distribute it via channels / blocks

mastersingh24 (Sun, 05 Mar 2017 17:16:08 GMT):
are you looking for the fabric-ca to directly publish the CRL to the fabric nodes each time a certificate is revoked? or are you looking for something else?

passkit (Sun, 05 Mar 2017 17:18:35 GMT):
I think directly publishing would solve the majority of the concerns I have. But simply knowing that upon revoking, the revoker has a responsibility to update the chain should be sufficient.

saism (Sun, 05 Mar 2017 19:49:42 GMT):
Has joined the channel.

JonathanLevi (Sun, 05 Mar 2017 21:42:21 GMT):
As always, there are pros and cons...

JonathanLevi (Sun, 05 Mar 2017 21:42:33 GMT):
It can be done in a "push" mode, or via "pull"

JonathanLevi (Sun, 05 Mar 2017 21:43:46 GMT):
It really depends on the "frequency" of such events occurring, which is tightly coupled with cost/resources one should invest.

JonathanLevi (Sun, 05 Mar 2017 21:44:22 GMT):
So you can either "directly" check every time you evaluate a certificate that has not been revoked.

JonathanLevi (Sun, 05 Mar 2017 21:44:22 GMT):
So you can either "directly" check every time you evaluate a certificate that it has not been revoked... not recommended.

JonathanLevi (Sun, 05 Mar 2017 21:45:03 GMT):
There is flexibility in terms of where you "look it up" / or how you obtain the latest "CRL" (of notifications/updates of thereof).

JonathanLevi (Sun, 05 Mar 2017 21:45:03 GMT):
There is flexibility in terms of where you "look it up" / or how you obtain the latest "CRL" (or receiving notifications/updates regarding the publishing of thereof).

JonathanLevi (Sun, 05 Mar 2017 21:45:57 GMT):
We are aware that different users are (and will) use this mechanism differently - we are trying to accommodate/support a wider set of use-cases rather than "dictate" a path.

JonathanLevi (Sun, 05 Mar 2017 21:49:06 GMT):
BTW: Is the "revoker" above the "revoking [fabric] CA"?

JonathanLevi (Sun, 05 Mar 2017 21:50:22 GMT):
I am also not sure what you meant here. Hope the above clarified that the certs are not hard wired... [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oQnXHPXirJ3ib8bK5)

Ying (Mon, 06 Mar 2017 06:02:01 GMT):
hi, could anyone help me clarify which is which in #a & #b below?
a. Run command "./fabric-ca-client enroll -c client-config.yaml -u http://admin2:adminpw2@localhost:7054" in the ca node, generating:
a-1. ../testdata/key.pem
a-2. ../testdata/cert.pem
b. Check "ls /etc/hyperledger/fabric/msp/sampleconfig" in peer0, showing:
b-1. admincerts/peerOrg0.pem
b-2. cacerts/peerOrg0.pem
b-3. keystore/peer0Signer.pem
b-4. signcerts/peer0Signer.pem
It seems #b-1 and #b-2 are the same cert, but #b-3 and #b-4 are different ones. So how should I use the certs generated in #a-1 and #a-2 in a peer? Many thanks.

kelvinzhong (Mon, 06 Mar 2017 07:18:42 GMT):
Has joined the channel.

arner (Mon, 06 Mar 2017 08:00:15 GMT):
Has joined the channel.

arner (Mon, 06 Mar 2017 08:13:38 GMT):
@mastersingh24 and @JonathanLevi thanks for elaborating. Is the peer able to get the user identity (eCert) based on a transaction (tCert)? And can the current implementation of fabric-ca? Or are the tCerts completely disconnected? (I know the CA could always keep the link when generating the tCerts, but what if he chooses to discard this information?)

JonathanLevi (Mon, 06 Mar 2017 08:20:29 GMT):
Hi @arner,

JonathanLevi (Mon, 06 Mar 2017 08:20:49 GMT):
1. So *completely* in completely disconnect, is a strong word ;-)

JonathanLevi (Mon, 06 Mar 2017 08:20:49 GMT):
1. So the word *completely* in "completely disconnected" above, is too strong a word ;-). They are "connected" but it is designed so that not everybody can "link" them.

JonathanLevi (Mon, 06 Mar 2017 08:20:49 GMT):
1. So the word *completely* in "completely disconnected" above, is too strong a word ;-). They are "connected" but it is designed so that not everybody can *link* them.

JonathanLevi (Mon, 06 Mar 2017 08:21:18 GMT):
2. The connection between the ECert -> the various TCerts is indeed at the TCA level.

JonathanLevi (Mon, 06 Mar 2017 08:21:45 GMT):
(the TCA part of the fabric-ca, right? It's a "server" or better "service")

JonathanLevi (Mon, 06 Mar 2017 08:22:21 GMT):
3. When this was designed - the main/key idea was that one would not be able to link TCerts back to the ECert.

JonathanLevi (Mon, 06 Mar 2017 08:23:40 GMT):
This is important for providing a few security aspects, like *transaction un-linkability*, in many cases *privacy*, and solves a lot of other headaches down the line...

JonathanLevi (Mon, 06 Mar 2017 08:24:31 GMT):
Noting, though (like you wrote) that when one requests a TCert (or a batch of them) an ECert is needed/presented.

arner (Mon, 06 Mar 2017 08:29:53 GMT):
Thanks! I was mostly thinking about the legal aspects of privacy. Having no link between eCert and tCert helps with regulations. If *no one* has the link that's different from *not everyone* being able to link it, even though we 'trust' the ca service.

arner (Mon, 06 Mar 2017 08:29:53 GMT):
Thanks! I was mostly thinking about the legal aspects of privacy. Having no link between ECert and TCert helps with regulations. If *no one* has the link that's different from *not everyone* being able to link it, even though we 'trust' the ca service.

arner (Mon, 06 Mar 2017 08:30:40 GMT):
But transaction un-linkability is very strong and I think it will help a lot with privacy regulations

arner (Mon, 06 Mar 2017 08:35:33 GMT):
If you choose to send certain attributes that are known with the CA (and 'locked in' your eCert during registration) with your transactions, are they encrypted? How do the peers decrypt this information? (_shim.readTCertAttributes_ if I remember correctly)

arner (Mon, 06 Mar 2017 08:35:33 GMT):
If you choose to send certain attributes that are known with the CA (and 'locked in' your ECert during registration) with your transactions, are they encrypted? How do the peers decrypt this information? (_shim.readTCertAttributes_ if I remember correctly)

JonathanLevi (Mon, 06 Mar 2017 09:54:33 GMT):
BTW, help me out here:

JonathanLevi (Mon, 06 Mar 2017 09:54:42 GMT):
ECerts and TCerts

JonathanLevi (Mon, 06 Mar 2017 09:55:08 GMT):
(I am trying to "enforce" consistency here, docs, code, etc.)

JonathanLevi (Mon, 06 Mar 2017 09:55:52 GMT):
Yes, unlinkability is super important to many use-cases.

JonathanLevi (Mon, 06 Mar 2017 09:55:52 GMT):
Yes, unlinkability is super important/vital to many use-cases

JonathanLevi (Mon, 06 Mar 2017 09:56:27 GMT):
Attribute Encryption is another story... that requires some more work and a bit of a set up.

JonathanLevi (Mon, 06 Mar 2017 09:56:27 GMT):
Attribute Encryption is another story... which requires some more work and a bit of a set up.

JonathanLevi (Mon, 06 Mar 2017 09:56:27 GMT):
Just to clarify: A super flexible Attribute Encryption scheme, with selective release, the ability to query and allow certain participants access to the unencrypted datum, etc... is another story... which requires some more work and a bit of a set up.

JonathanLevi (Mon, 06 Mar 2017 09:57:37 GMT):
I know a few implementations that provide that on top of fabric... (so it is not impossible), but to do it correctly is not that simple.

JonathanLevi (Mon, 06 Mar 2017 09:58:06 GMT):
What you describe is one possible simplification (pre-agreeing on what's not visible, etc.)

JonathanLevi (Mon, 06 Mar 2017 09:58:06 GMT):
What you describe is one possible simplification (pre-agreeing on what's not visible, etc.)

JonathanLevi (Mon, 06 Mar 2017 09:58:06 GMT):
What you describe is one possible simplification (pre-agreeing on what's not visible, etc.), pre-encrypting it, so that it is hidden from the (T)CA.

kelvinzhong (Mon, 06 Mar 2017 10:32:39 GMT):
@mastersingh24 hi~ I'm also confused about what @Ying mentions above, would you please help us out? What exactly are the admincerts & cacerts?

arner (Mon, 06 Mar 2017 14:23:13 GMT):
Ok @JonathanLevi I thought that was part of basic functionality (in the client SDK you can specify attributes when registering and later for a transaction define which fields you want to send) - but I'm not sure how it's implemented

ashutosh_kumar (Mon, 06 Mar 2017 14:38:38 GMT):
@arner , currently Attributes are passed in TCerts.

ashutosh_kumar (Mon, 06 Mar 2017 14:39:44 GMT):
we have APIs to retrieve (un)encrypted attributes from TCert.

Jonas.Hedin (Mon, 06 Mar 2017 14:42:39 GMT):
Has joined the channel.

o.o. (Mon, 06 Mar 2017 14:47:11 GMT):
Has joined the channel.

jeffreypicard (Mon, 06 Mar 2017 16:22:00 GMT):
Has joined the channel.

jeffreypicard (Mon, 06 Mar 2017 16:49:55 GMT):
I'm trying to figure out how to add more peers in the hackfest example. I think my confusion is along the lines of what @Ying and @kelvinzhong are asking. How exactly do I generate the certs to add a new peer node to the setup? After that it seems fairly clear from the example how to put everything together, but getting the right certs is opaque to me.

weeds (Mon, 06 Mar 2017 22:49:32 GMT):
@jeffreypicard https://github.com/hyperledger/fabric/blob/master/examples/e2e_cli/end-to-end.rst I think this is worth looking at as it helps outline the client sdk testing and creating order genesis block, config transactions.

jeffreypicard (Mon, 06 Mar 2017 22:54:40 GMT):
@weeds Cool, thanks. This all uses the vagrant environment, does it translate well to the docker one?

weeds (Mon, 06 Mar 2017 23:06:08 GMT):
i probably should have sent you this--> https://gerrit.hyperledger.org/r/#/c/6607/8

jsong1230 (Tue, 07 Mar 2017 09:08:52 GMT):
Has joined the channel.

JonathanLevi (Tue, 07 Mar 2017 09:38:16 GMT):
@arner: Yes, I can confirm that this part works. Sure, you can specify a set of attributes that will be encapsulated in a TCert.

JonathanLevi (Tue, 07 Mar 2017 09:38:40 GMT):
With the API (that @ashutosh_kumar confirmed above) to retrieve them.

JonathanLevi (Tue, 07 Mar 2017 09:38:54 GMT):
I thought you are asking for a much more complicated feature.

JonathanLevi (Tue, 07 Mar 2017 09:39:44 GMT):
[aka, "cryptographers are not necessarily good sales people" ;-)] just didn't want to over-promise/commit.

JonathanLevi (Tue, 07 Mar 2017 09:40:32 GMT):
Long story short: I highly recommend the separation to TCerts, even if (first stage) you need to "trust" your TCA.

JonathanLevi (Tue, 07 Mar 2017 09:40:32 GMT):
Long story short: I highly recommend the separation to TCerts, even if (at first stage) you need to "trust" your TCA.

JonathanLevi (Tue, 07 Mar 2017 09:41:10 GMT):
I can easily help you to complicate matters, trust me on that one ;-). Better to start with a simple set up and extend (if/when) needed.

JonathanLevi (Tue, 07 Mar 2017 09:41:10 GMT):
I can easily help you complicate matters, trust me on that one ;-). Better to start with a simple set up and extend (if/when) needed.

JonathanLevi (Tue, 07 Mar 2017 09:41:10 GMT):
I can easily help you complicate matters, trust me on that one ;-). Better to start with a simple set up and extend (if/when) needed. But if/when transactions are linkable on an immutable chain, that's much worse than later on "upgrading" your TCA, for example.

JonathanLevi (Tue, 07 Mar 2017 09:41:10 GMT):
I can easily help you complicate matters, trust me on that one ;-). Better to start with a simple set up and extend (if/when) needed. But if/when transactions are linkable on an immutable chain, that's much worse than later on "upgrading" your TCA, for example. So I'd start by getting that bit right first.

StevenLanders (Tue, 07 Mar 2017 20:21:12 GMT):
Has joined the channel.

levinkwong (Wed, 08 Mar 2017 06:35:41 GMT):
@jeffreypicard Have you figured out how to generate those certs to add a new peer node? I am also confused with this part: when I add a new peer to the channel, where do I get the admincerts and cacerts of other peers?

jeffreypicard (Wed, 08 Mar 2017 06:37:20 GMT):
I still haven't, no.

jeffreypicard (Wed, 08 Mar 2017 06:37:37 GMT):
And I need to for the research I'm doing right lol.

jeffreypicard (Wed, 08 Mar 2017 06:37:55 GMT):
I'm working on a different piece atm, been hitting walls with that.

levinkwong (Wed, 08 Mar 2017 06:38:43 GMT):
Also I wonder where I can obtain the genesis block? Other than the create channel command, let's say I set up a network with 2 peers and 1 channel; after months/years, some other organization wants to join my network, how can he get the genesis block? Anyone can help to clarify?

levinkwong (Wed, 08 Mar 2017 06:39:14 GMT):
@jeffreypicard Sure, if I get the answer, I will let you know too

jeffreypicard (Wed, 08 Mar 2017 06:40:04 GMT):
Word, same.

arner (Wed, 08 Mar 2017 10:45:31 GMT):
Is the payload of the transaction only encrypted by normal TLS? Of course it's signed by the TCert, but is there any other type of encryption going on to obscure the contents?

Vadim (Wed, 08 Mar 2017 10:55:45 GMT):
data-at-rest are not encrypted

Vadim (Wed, 08 Mar 2017 10:57:24 GMT):
@arner I can recommend you this FAQ: https://github.com/hyperledger/fabric/blob/master/docs/source/FAQ/architecture_FAQ.rst, see the chapter "Application-level Data access control"

SushilChaturvedi (Wed, 08 Mar 2017 12:13:37 GMT):
Has joined the channel.

Suma (Wed, 08 Mar 2017 15:42:20 GMT):
Has joined the channel.

bkvellanki (Thu, 09 Mar 2017 00:47:40 GMT):
How do we get the callermetadata in fabric v1? I don't see that method in shim. Is there a way to read the caller certs and info in v1?

berserkr (Thu, 09 Mar 2017 00:54:15 GMT):
Has joined the channel.

CarlXK (Thu, 09 Mar 2017 06:54:31 GMT):
Could peer0's certificate be signed by both root CAs (or intermediate CAs) in org1 and org2? Should one organization be all banks (bank1, bank2, bank……) or mixed business parties (bank1, corp1, corp2), or are both ok? Should one root CA (or intermediate CA) be bound to only one organization, or can it cross multiple organizations?

YE.Yaocheng (Thu, 09 Mar 2017 07:56:14 GMT):
Has joined the channel.

Ying (Thu, 09 Mar 2017 08:24:01 GMT):
hi all, I got an error of unknown authority:
error: [Peer.js]: GRPC client got an error response from the peer "grpc://localhost:7051". Error: The creator certificate is not valid, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority
How to check the expected authority on the peer side?

Ying (Thu, 09 Mar 2017 08:24:02 GMT):
thanks

Willson (Thu, 09 Mar 2017 08:30:19 GMT):
Hello guys, when I clone the fabric-ca, I got an error like this:
$ git clone https://github.com/hyperledger/fabric-ca
Cloning into 'fabric-ca'...
remote: Counting objects: 4603, done.
remote: Compressing objects: 100% (56/56), done.
remote: Total 4603 (delta 17), reused 0 (delta 0), pack-reused 4546
Receiving objects: 100% (4603/4603), 19.19 MiB | 121.00 KiB/s, done.
Resolving deltas: 100% (1367/1367), done.
error: unable to create file vendor/github.com/cloudflare/cfssl/vendor/github.com/cloudflare/cfssl_trust/ca-bundle/SwissSignCA(RSAIKMay6199918:00:58)_2000-11-26_SHA1WithRSA.crt: Invalid argument
error: unable to create file vendor/github.com/cloudflare/cfssl/vendor/github.com/cloudflare/cfssl_trust/ca-bundle/SwissSignCA(RSAIKMay6199918:00:58)_2000-11-26_SHA1WithRSA_2.crt: Invalid argument
Checking out files: 100% (4056/4056), done.
fatal: unable to checkout working tree
warning: Clone succeeded, but checkout failed.
You can inspect what was checked out with 'git status' and retry the checkout with 'git checkout -f HEAD'
anybody know why?

icordoba (Thu, 09 Mar 2017 08:58:23 GMT):
Has joined the channel.

noyonthe1 (Thu, 09 Mar 2017 09:06:11 GMT):
Has joined the channel.

steigensonne (Thu, 09 Mar 2017 09:43:09 GMT):
Has joined the channel.

dragosh (Thu, 09 Mar 2017 09:50:58 GMT):
Has joined the channel.

pmcosta1 (Thu, 09 Mar 2017 11:19:30 GMT):
Has joined the channel.

CarlXK (Thu, 09 Mar 2017 12:12:41 GMT):
anyone can help me to understand my questions?

jeffchi (Thu, 09 Mar 2017 13:34:30 GMT):
Has joined the channel.

aberfou (Thu, 09 Mar 2017 13:47:14 GMT):
Has joined the channel.

ruslan.kryukov (Thu, 09 Mar 2017 14:44:38 GMT):
Why is the enrollment certificate (from the sdk) provided by fabric-ca invalid for the fabric-ca-private-key?

samirsadeghi (Thu, 09 Mar 2017 15:02:04 GMT):
Has joined the channel.

ruslan.kryukov (Thu, 09 Mar 2017 15:06:15 GMT):
Also when I try to install chaincode, I got error: certificate signed by unknown authority

ruslan.kryukov (Thu, 09 Mar 2017 15:06:27 GMT):
Sending proposal to peer failed because of gRPC failure=Status{code=UNKNOWN, description=The creator certificate is not valid, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority, cause=null}

ruslan.kryukov (Thu, 09 Mar 2017 15:08:47 GMT):
I had created certificates for fabric-ca, added them to server-config.json, and added users and their passwords. After that I created a private key for the peer and placed it in the keystore folder. I took a CSR from this key and created a signed certificate with the ca-cert

ruslan.kryukov (Thu, 09 Mar 2017 15:09:10 GMT):
I placed this certificate to signcerts folder

ruslan.kryukov (Thu, 09 Mar 2017 15:10:40 GMT):
added settings to the configtx.yaml file and all this stuff successfully loaded to ca, peer, orderer

ruslan.kryukov (Thu, 09 Mar 2017 15:11:55 GMT):
Finally I ran the java app with the sdk, successfully enrolled to the peer and tried to send an install proposal request

ruslan.kryukov (Thu, 09 Mar 2017 15:12:12 GMT):
but got error

ashutosh_kumar (Thu, 09 Mar 2017 15:55:05 GMT):
@ruslan.kryukov : what do you mean ?

ashutosh_kumar (Thu, 09 Mar 2017 15:55:05 GMT):
@ruslan.kryukov : what do you mean ? Can you please elaborate ?

weeds (Thu, 09 Mar 2017 17:05:25 GMT):
@elli-androulaki Hi Elli- there are a lot of questions here that maybe you can help with?

weeds (Thu, 09 Mar 2017 17:06:26 GMT):
@levinkwong I suggest that you go take a look at the CI that is running that does create this- https://jenkins.hyperledger.org/ check under fabric channel

weeds (Thu, 09 Mar 2017 17:07:02 GMT):
Here are a few tips for @jeffreypicard and @levinkwong:

weeds (Thu, 09 Mar 2017 17:07:53 GMT):
INSTALL CHAINCODE: Example shows installing sample go code onto one of x peer nodes
peer chaincode install -n mycc -v 1.0 -p chaincode_example02
INSTANTIATE CHAINCODE: Instantiate the chaincode on a peer. This will launch a chaincode container for the targeted peer and set the endorsement policy for the chaincode. In this snippet, we define the policy as requiring an endorsement from one peer node that is a part of Org1. (ORG1 in our example in docker images contains PEER2 or PEER3)
peer chaincode instantiate -C mychannel -n mycc -v 1.0 -p chaincode_example02 -c '{"Args":["init","a", "100", "b","200"]}' -P "AND('Org1MSP.member')"

weeds (Thu, 09 Mar 2017 17:08:35 GMT):
hopefully that helps

weeds (Thu, 09 Mar 2017 17:09:09 GMT):
(again this is for version 1.0)

elli-androulaki (Thu, 09 Mar 2017 17:37:51 GMT):
> Could peer0's certificate be signed by both root CAs (or intermediate CAs) in org1 and org2?
@CarlXK, the code currently does not support this, meaning that the peer at setup time is given a single id that corresponds to its owning organization. However, the MSP design does not forbid this, as long as the peer code is able to handle more than one signing identity per peer.
> One organization should be all banks (bank1, bank2, bank……) or mixed business parties (bank1, corp1, corp2), or both ok?
Right, this is up to the network deployers to figure out/decide.
> One root CA (or intermediate CA) should be only bound with one organization or can it cross multiple organizations?
For the current implementation of the peer (where one peer can recognise one signing id), there has to be some point of distinction if the two organizations share the same root CA, i.e., one organization should not have an overlapping id validity path with another one. Given this, a good practice would be that organizations that share the root CA would need to have different intermediate CAs.

elli-androulaki (Thu, 09 Mar 2017 17:39:08 GMT):
That said, soon we plan to push a code-drop where one can specify within an MSP (representing an Org) specific organization units. In this case an organization would be defined not only by means of rootCAs, and intermediate CAs but also by means of OUs included in the certificates.

elli-androulaki (Thu, 09 Mar 2017 17:40:10 GMT):
@CarlXK and I refer to properly "namespaced" OUs; such OUs in certificates with different CA paths would be different.

elli-androulaki (Thu, 09 Mar 2017 17:41:09 GMT):
@ruslan.kryukov, could you give more information on the error below? E.g., which SDK do you use?
> Why enrollment certificate (from sdk) which provided by fabric-ca is invalid for fabric-ca-private-key?

elli-androulaki (Thu, 09 Mar 2017 17:43:38 GMT):
@bkvellanki, yes. There is a method in the shim through which one can obtain the entire proposal including the proposal creator cert. chaincodeshim.proto in protos would be more enlightening.

kostas (Thu, 09 Mar 2017 17:51:49 GMT):
Has joined the channel.

kostas (Thu, 09 Mar 2017 18:14:36 GMT):
> That said, soon we plan to push a code-drop where one can specify within an MSP (representing an Org) specific organization units. In this case an organization would be defined not only by means of rootCAs, and intermediate CAs but also by means of OUs included in the certificates.

kostas (Thu, 09 Mar 2017 18:18:13 GMT):
> For the current implementation of the peer (where one peer can recognise one signing id), there has to be some point of distinction if the two organizations share the same rootCA, i.e., one organization should not have an overlapping id validity path with another one.

kostas (Thu, 09 Mar 2017 18:19:07 GMT):
@elli-androulaki: Naive question time: why?

kostas (Thu, 09 Mar 2017 18:21:36 GMT):
(I have follow-up questions but I'll wait for this one first.)

jeffreypicard (Thu, 09 Mar 2017 18:27:35 GMT):
@weeds All of that makes sense, but I mean I want to launch a setup with 4,5,10,100, etc peers. I'm trying to figure out how to generate the certs for them.

weeds (Thu, 09 Mar 2017 19:20:31 GMT):
@mastersingh24 Master Gari, wondering if the cryptogen tool is something jeffreypicard could use? Suggestions? I know this is pretty difficult to set up.

smithbk (Thu, 09 Mar 2017 20:42:58 GMT):
@CarlXK @elli-androulaki I think each peer could have a single identity and the chain's policy could be configured with a boolean expression to accomplish what you want, right? For example, if Peer0 is in ORG0, the policy would be "ORG0 OR (ORG1 and ORG2)".

smithbk (Thu, 09 Mar 2017 20:44:36 GMT):
@Wilson I can't reproduce that error. Have you made any progress on it?

smithbk (Thu, 09 Mar 2017 20:45:14 GMT):
@Willson wrong name ... I can't reproduce that error. Have you made any progress on it?

yacovm (Thu, 09 Mar 2017 21:18:00 GMT):
Has joined the channel.

elli-androulaki (Thu, 09 Mar 2017 21:28:04 GMT):
> @CarlXK @elli-androulaki I think each peer could have a single identity and the chain's policy could be configured with an boolean expression to accomplish what you want, right? For example, if Peer0 is in ORG0, the policy would be "ORG0 OR (ORG1 and ORG2)"
@smithbk, yes, one can configure the readers and writers of the channel/chain this way. But a peer would be able to show membership under exactly one organization/MSP.

smithbk (Thu, 09 Mar 2017 21:34:46 GMT):
And is there a problem with showing membership of a peer under exactly one org/msp?

Willson (Fri, 10 Mar 2017 01:21:11 GMT):
@smithbk Maybe I had an older version of git. It was working fine after I upgraded git.

kuangchao (Fri, 10 Mar 2017 01:50:11 GMT):
Has joined the channel.

WeiHu (Fri, 10 Mar 2017 02:48:31 GMT):
Has joined the channel.

ruslan.kryukov (Fri, 10 Mar 2017 03:50:02 GMT):
How to use msp roles "admin" and "member"? How can I assign them to users?

ruslan.kryukov (Fri, 10 Mar 2017 03:52:03 GMT):
Same question for readers and writers... I saw these, hmm, policies (?) in the code.

ruslan.kryukov (Fri, 10 Mar 2017 03:59:01 GMT):
Also, my question above (about the invalid certificate) is related to this situation: when I deploy code, the peer throws the error "unknown authority". I investigated the peer's code and found that in the Validate function the peer verifies the creator signature with the CA cert (root). When I created the signcert, I signed this cert with the CA cert using the cfssl tool; I also checked the details of my signcert and saw Issuer: it's the CA.

ruslan.kryukov (Fri, 10 Mar 2017 04:01:33 GMT):
I log in to the SDK and get the enrollment cert; maybe it is incorrect... Also I have modified the SDK for setting the MSP ID for my purposes,

ruslan.kryukov (Fri, 10 Mar 2017 04:02:00 GMT):
because the current version places the hardcoded MSP ID DEFAULT.

CarlXK (Fri, 10 Mar 2017 04:03:18 GMT):
@elli-androulaki many thanks for your explanation, greatly helpful to me!!! Another question: can peers (belonging to different orgs ORG1, ORG2..., with different intermediate CAs Int-CA1, Int-CA2... but the same root CA) join one channel?

CarlXK (Fri, 10 Mar 2017 04:06:15 GMT):
Just like in the picture, peer1 and peer4 can join the same channel

CarlXK (Fri, 10 Mar 2017 04:07:18 GMT):
?

AlanLee (Fri, 10 Mar 2017 04:17:15 GMT):
Has joined the channel.

shaily (Fri, 10 Mar 2017 06:58:52 GMT):
Has joined the channel.

CarlXK (Fri, 10 Mar 2017 07:04:33 GMT):
@elli-androulaki In the PKI (or fabric-ca), if someone's private key leaked, we can revoke the key pair and generate a new key pair; could we use the new key to decrypt the old data (encrypted with the leaked key)?

berserkr (Fri, 10 Mar 2017 07:06:46 GMT):
use the new key to decrypt all data encrypted with old private key?

DannyWong (Fri, 10 Mar 2017 07:24:08 GMT):
@CarlXK I don't think we can use the new key to decrypt the old data encrypted by the leaked key?...

DannyWong (Fri, 10 Mar 2017 07:24:50 GMT):
I think, first of all, we need to add the leaked key to the CRL to prevent new invoke/deploy from the leaked eCert.

DannyWong (Fri, 10 Mar 2017 07:25:28 GMT):
then the person who leaked the key should be assigned with the new key after some kind of validation in real-world

DannyWong (Fri, 10 Mar 2017 07:26:21 GMT):
then as the admin, add the new eCert to the smart contract ACL (upgrade config) of that user such that he can access them again

DannyWong (Fri, 10 Mar 2017 07:27:18 GMT):
If the content was encrypted... then the system needs to implement some kind of admin function to fetch all this content, decrypt it with the old key and re-encrypt it with the new key...

CarlXK (Fri, 10 Mar 2017 07:37:21 GMT):
OK, got it, we need to encrypt the content using another key that we generate ourselves.

DannyWong (Fri, 10 Mar 2017 07:49:04 GMT):
put another way round

DannyWong (Fri, 10 Mar 2017 07:49:14 GMT):
if you need to really encrypt the content in state

DannyWong (Fri, 10 Mar 2017 07:50:18 GMT):
we can encrypt per document with a symmetric key, and this key won't be distributed.

DannyWong (Fri, 10 Mar 2017 07:51:42 GMT):
then use the ecert public key to encrypt the symmetric key, such that only the ecert owner can unlock the box to get the symmetric key

DannyWong (Fri, 10 Mar 2017 07:51:49 GMT):
for content decryption

DannyWong (Fri, 10 Mar 2017 07:52:07 GMT):
if that user really gets her key compromised,

DannyWong (Fri, 10 Mar 2017 07:52:33 GMT):
then we just need to re-encrypt the symmetric key with the new eCert key pair.

DannyWong (Fri, 10 Mar 2017 07:54:36 GMT):
also, for encrypting large content, symmetric is much faster...

CarlXK (Fri, 10 Mar 2017 08:01:48 GMT):
good solution, thanks~

bh4rtp (Fri, 10 Mar 2017 09:41:03 GMT):
Hi all, who can tell me what the uses of the CA node are?

glindsell (Fri, 10 Mar 2017 09:57:36 GMT):
Has joined the channel.

joshuajeeson (Fri, 10 Mar 2017 14:06:08 GMT):
Has joined the channel.

JatinderBali (Fri, 10 Mar 2017 15:42:15 GMT):
Has joined the channel.

DannyWong (Fri, 10 Mar 2017 15:55:58 GMT):
@bh4rtp Hyperledger Fabric is a permissioned blockchain. you need to obtain a membership in order to interact with the blockchain.

DannyWong (Fri, 10 Mar 2017 15:56:52 GMT):
The CA (certificate authority) is the subsystem for the network administrator to register / issue something called an enrollment cert (eCert) to members.

DannyWong (Fri, 10 Mar 2017 15:57:18 GMT):
There is something called a tCert as well. Please go to the Hyperledger docs on GitHub for a further understanding.

DannyWong (Fri, 10 Mar 2017 16:02:05 GMT):
Has anyone successfully run "make docker" for fabric-ca locally?

DannyWong (Fri, 10 Mar 2017 16:02:10 GMT):
I always fail at step 8:

DannyWong (Fri, 10 Mar 2017 16:02:35 GMT):
```
Step 7/10 : RUN chmod +x /usr/local/bin/fabric-ca-server
 ---> Running in 2fdde1394620
 ---> 027dd16e7a3f
Removing intermediate container 2fdde1394620
Step 8/10 : ADD payload/fabric-ca.tar.bz2 $FABRIC_CA_HOME
Error processing tar file(bzip2 data invalid: bad magic value in continuation file):
make: *** [build/image/fabric-ca/.dummy-x86_64-0.7.0-snapshot-df922a1] Error 1
```

aambati (Fri, 10 Mar 2017 16:03:54 GMT):
@DannyWong I ran into the same problem... I resolved it with these steps:
```
brew install gnu-tar --with-default-names
rm -rf fabric-ca/
git clone http://gerrit.hyperledger.org/r/fabric-ca && (cd fabric-ca && curl -kLo `git rev-parse --git-dir`/hooks/commit-msg http://gerrit.hyperledger.org/r/tools/hooks/commit-msg; chmod +x `git rev-parse --git-dir`/hooks/commit-msg)
cd src/github.com/hyperledger/fabric-ca/
make docker
```

DannyWong (Fri, 10 Mar 2017 16:04:29 GMT):
let me try, thanks!

DannyWong (Fri, 10 Mar 2017 16:05:10 GMT):
ahhh maybe the macos tar does not support bz2

DannyWong (Fri, 10 Mar 2017 16:05:27 GMT):
I dunno, I just bought my new MacBook for development... my Linux laptop was tossed... T_T

DannyWong (Fri, 10 Mar 2017 16:11:36 GMT):
@aambati you are da man.

DannyWong (Fri, 10 Mar 2017 16:11:40 GMT):
it works!

DannyWong (Fri, 10 Mar 2017 16:11:43 GMT):
brilliant, thanks mate.

elli-androulaki (Fri, 10 Mar 2017 16:58:13 GMT):
@CarlXK:
> another question: can the peers(belong to different orgs ORG1 ORG2..., different intermedia CAs Int-CA1,Int-CA2... but same root CA) join in one channel?
> just like in the picture , peer1 and peer4 can join in the same channel
Yes, peers coming from different organizations can join the same channel. Channel read permissions are specified by means of policies that use organizations as building blocks.

elli-androulaki (Fri, 10 Mar 2017 16:59:33 GMT):
@smithbk: > And is there a problem with showing membership of a peer under exactly one org/msp? Well in v1.0 we do not hide the organization a peer belongs to. Is this what you referred to?

smithbk (Fri, 10 Mar 2017 17:42:42 GMT):
@elli-androulaki Elli, I was referring back to your previous statement as follows ...

smithbk (Fri, 10 Mar 2017 17:42:46 GMT):
> @smithbk, yes one can configure the readers and writers of the channel/chain this way. But a peer would be able to show membership under exactly one organization/msp.

smithbk (Fri, 10 Mar 2017 17:47:39 GMT):
I thought you were implying by this that revealing which org a peer belongs to was a problem, but perhaps I misunderstood

bh4rtp (Sat, 11 Mar 2017 00:57:46 GMT):
@DannyWong this is a brief and clear description. thank you!

bh4rtp (Sat, 11 Mar 2017 07:22:50 GMT):
hi all. sdk first creates a proposal and then creates a transaction after endorsement. is there any relation between a proposal and a transaction?

dRand (Sat, 11 Mar 2017 11:58:08 GMT):
Has joined the channel.

jeffgarratt (Sat, 11 Mar 2017 18:49:49 GMT):
@bh4rtp yes, the proposal responses are then compared and used for the subsequent transaction generation.

bh4rtp (Sun, 12 Mar 2017 08:01:30 GMT):
@jeffgarratt thanks

rickr (Sun, 12 Mar 2017 16:52:20 GMT):
@smithbk Seems that the response for enrollment has recently changed. The Cert appears in a result object along with a CAName and CSChain. Must have missed the _heads up_. The cert, I assume, is still the user's signed Cert. As a client (SDK), what would I need CAName and CSChain for?

mastersingh24 (Sun, 12 Mar 2017 18:43:58 GMT):
@rickr - the idea was to return enough info to populate an MSP. You would have the private key locally and now we return both the enrollment public (X509) cert as well as the root and intermediate certs as well

rickr (Sun, 12 Mar 2017 18:57:41 GMT):
Thx @mastersingh24 for that info. The SDKs should allow for pluggable certificate authorities. I think we already know of one. Is this something we can expect (***demand***) all to provide, or would this only be unique to Fabric's CA? FYI @tsnyder

tsnyder (Sun, 12 Mar 2017 18:57:41 GMT):
Has joined the channel.

mastersingh24 (Sun, 12 Mar 2017 19:00:59 GMT):
The basic idea is to have complete loose coupling between the ca client and the fabric client

mastersingh24 (Sun, 12 Mar 2017 19:01:19 GMT):
there was really no standard X509 / PKI API we could pick

mastersingh24 (Sun, 12 Mar 2017 19:01:47 GMT):
but we tried to make the fabric-ca APIs friendly for providing all the info needed to spin up a client in as few calls as possible

rickr (Sun, 12 Mar 2017 19:03:21 GMT):
Yes, I provide a Java interface for Enrollment info... So I can add this information to that interface and expect it to be provided.

forestjqg (Mon, 13 Mar 2017 03:18:44 GMT):
Has joined the channel.

forestjqg (Mon, 13 Mar 2017 03:21:16 GMT):
Hi all: I am looking at the Hyperledger/fabric 1.0 preview. I am trying to find the code for the ECA and TCA, with the same function as the code in the 0.6 version for membership control, but there is no related code in the msp folder for authorization. I checked the code in the msp folder; the code seems not to be used in the other parts of the code. And there is not even a login function in the code. Is the membership feature not integrated in the current system, or has it changed to another mechanism? Could anyone tell me? And where can I get some information about membership? Thanks, jia qinggang

levinkwong (Mon, 13 Mar 2017 03:26:36 GMT):
https://github.com/hyperledger/fabric-ca

levinkwong (Mon, 13 Mar 2017 03:27:02 GMT):
Check this instead of the fabric repo

forestjqg (Mon, 13 Mar 2017 03:46:01 GMT):
HI

forestjqg (Mon, 13 Mar 2017 03:46:06 GMT):
git clone ssh://YOUR-ID@gerrit.hyperledger.org:29418/fabric-ca

forestjqg (Mon, 13 Mar 2017 03:46:16 GMT):
for the fabric-ca

forestjqg (Mon, 13 Mar 2017 03:46:25 GMT):
instruction

forestjqg (Mon, 13 Mar 2017 03:46:48 GMT):
what is YOUR-ID?

forestjqg (Mon, 13 Mar 2017 03:46:55 GMT):
where can I got it?

forestjqg (Mon, 13 Mar 2017 03:48:11 GMT):
```
Warning: Permanently added '[gerrit.hyperledger.org]:29418,[198.145.29.90]:29418' (RSA) to the list of known hosts.
Permission denied (publickey).
fatal: Could not read from remote repository.
```

forestjqg (Mon, 13 Mar 2017 03:48:55 GMT):
what is this error for git clone /fabric-ca?

forestjqg (Mon, 13 Mar 2017 03:49:04 GMT):
Anyone can help?

levinkwong (Mon, 13 Mar 2017 03:49:08 GMT):
I just use https://github.com/hyperledger/fabric.git

levinkwong (Mon, 13 Mar 2017 03:51:03 GMT):
That one is for gerrit, should be a Linux foundation ID I guess

levinkwong (Mon, 13 Mar 2017 03:51:57 GMT):
github one is read only

reddy (Mon, 13 Mar 2017 05:35:25 GMT):
Has joined the channel.

Ying (Mon, 13 Mar 2017 08:09:12 GMT):
@forestjqg hi, try git clone https://github.com/hyperledger/fabric-ca

mastersingh24 (Mon, 13 Mar 2017 12:56:15 GMT):
@forestjqg - I just ran `make unit-tests` against the latest from the fabric-ca master. What OS are you using? I'm on a Mac. The only issue I had was a linting error

ashutosh_kumar (Mon, 13 Mar 2017 14:30:00 GMT):
@forestjqg: In 1.0, there is no separate ECA and TCA. They have been collapsed into one CA, which is fabric-ca.

antoniovassell (Mon, 13 Mar 2017 16:23:45 GMT):
Has joined the channel.

samdeir (Mon, 13 Mar 2017 19:40:43 GMT):
Has joined the channel.

mastersingh24 (Mon, 13 Mar 2017 20:02:12 GMT):
@skarim @smithbk - you guys ever seen this:
```
2017/03/13 16:00:20 [DEBUG] DB: Insert Certificate
2017/03/13 16:00:20 [DEBUG] saved certificate with serial number 695620298446243379479052888339492385860462339133 and AKI d47ade133ab55e408d911f793e337541f69c2cc4
2017/03/13 16:00:20 [INFO] 127.0.0.1:65076 - "POST /api/v1/cfssl/enroll" 200
2017/03/13 16:00:20 [DEBUG] Received request POST /api/v1/cfssl/revoke
Authorization: [...].MEQCIAU87Ed55NfaZ+9j+8sOXH2RSgbwlX8kldxk20nGiX3rAiA2vSzaEaGxZ1UT4gE15DcEZqh0w4Q5rTtC3e02doczcA==
{"aki":"d47ade133ab55e408d911f793e337541f69c2cc4","serial":"695620298446243379479052888339492385860462339133","reason":0}
2017/03/13 16:00:20 [DEBUG] Revoke request received
2017/03/13 16:00:20 [DEBUG] getUserAttrValue user=admin, attr=hf.Revoker
2017/03/13 16:00:20 [DEBUG] Getting user admin from the database
2017/03/13 16:00:20 [DEBUG] getUserAttrValue user=admin, name=hf.Revoker, value=1
2017/03/13 16:00:20 [DEBUG] Revoke request: {RevocationRequest:{Name: Serial:695620298446243379479052888339492385860462339133 AKI:d47ade133ab55e408d911f793e337541f69c2cc4 Reason:0}}
2017/03/13 16:00:20 [DEBUG] DB: Get certificate by serial (695620298446243379479052888339492385860462339133) and aki (d47ade133ab55e408d911f793e337541f69c2cc4)
2017/03/13 16:00:20 [ERROR] GetCertificateWithID [695620298446243379479052888339492385860462339133] [d47ade133ab55e408d911f793e337541f69c2cc4]: error [sql: no rows in result set]
2017/03/13 16:00:20 [ERROR] 2017/03/13 16:00:20 http: multiple response.WriteHeader calls
2017/03/13 16:00:20 [INFO] 127.0.0.1:65077 - "POST /api/v1/cfssl/revoke" 200
```

mastersingh24 (Mon, 13 Mar 2017 20:02:29 GMT):
seems like revoke by SN/AKI is not working?

skarim (Mon, 13 Mar 2017 20:03:53 GMT):
The serial number should be provided as hex. If you use openssl to get the serial number, it returns it in hex format. The AKI is also in hex, so for consistency the serial number was also converted to hex format.

mastersingh24 (Mon, 13 Mar 2017 20:04:35 GMT):
So we go to all the trouble to figure out how to convert decimal to hex, and now it's hex?

mastersingh24 (Mon, 13 Mar 2017 20:04:40 GMT):
;)

mastersingh24 (Mon, 13 Mar 2017 20:05:13 GMT):
ok - let me try that

skarim (Mon, 13 Mar 2017 20:06:11 GMT):
Sure, it was supposed to make life easier :)

mastersingh24 (Mon, 13 Mar 2017 20:12:59 GMT):
except with debug logging, we still see the decimal serial number

mastersingh24 (Mon, 13 Mar 2017 20:13:08 GMT):
guess I missed this in the code :(

mastersingh24 (Mon, 13 Mar 2017 20:15:19 GMT):
is that change merged?

mastersingh24 (Mon, 13 Mar 2017 20:15:28 GMT):
still failing

mastersingh24 (Mon, 13 Mar 2017 20:16:11 GMT):
```
2017/03/13 16:14:35 [DEBUG] Revoke request: {RevocationRequest:{Name: Serial:42413c448173ac4861a2e57b9ecd877878b5490f AKI:d47ade133ab55e408d911f793e337541f69c2cc4 Reason:0}}
2017/03/13 16:14:35 [DEBUG] DB: Get certificate by serial (42413c448173ac4861a2e57b9ecd877878b5490f) and aki (d47ade133ab55e408d911f793e337541f69c2cc4)
2017/03/13 16:14:35 [ERROR] 2017/03/13 16:14:35 http: multiple response.WriteHeader calls
2017/03/13 16:14:35 [INFO] 127.0.0.1:65262 - "POST /api/v1/cfssl/revoke" 200
```

mastersingh24 (Mon, 13 Mar 2017 20:24:38 GMT):
```
2017/03/13 16:23:16 [DEBUG] DB: Insert Certificate with [SN 05007ed65aedf437092c7d18ed09cf080a91d1383] and [AKI d47ade133ab55e408d911f793e337541f69c2cc4]
2017/03/13 16:23:16 [DEBUG] saved certificate with serial number 456896047095026683800334971903797800689320399747
2017/03/13 16:23:16 [INFO] 127.0.0.1:65386 - "POST /api/v1/cfssl/enroll" 200
2017/03/13 16:23:17 [DEBUG] Received request POST /api/v1/cfssl/revoke
Authorization: [...].MEUCIQDFjJv6QpaMc0RPnlJ39DSpqN0NTMUZNOp2akxuQsMFoQIgV9aZurw8iISMRkXHOrwaXCmZ6KvEZjTK9BrQ3XeBp3I=
{"aki":"d47ade133ab55e408d911f793e337541f69c2cc4","serial":"5007ed65aedf437092c7d18ed09cf080a91d1383","reason":0}
2017/03/13 16:23:17 [DEBUG] Revoke request received
2017/03/13 16:23:17 [DEBUG] getUserAttrValue user=admin, attr=hf.Revoker
2017/03/13 16:23:17 [DEBUG] Getting user admin from the database
2017/03/13 16:23:17 [DEBUG] getUserAttrValue user=admin, name=hf.Revoker, value=1
2017/03/13 16:23:17 [DEBUG] Revoke request: {RevocationRequest:{Name: Serial:5007ed65aedf437092c7d18ed09cf080a91d1383 AKI:d47ade133ab55e408d911f793e337541f69c2cc4 Reason:0}}
2017/03/13 16:23:17 [DEBUG] DB: Get certificate by serial (5007ed65aedf437092c7d18ed09cf080a91d1383) and aki (d47ade133ab55e408d911f793e337541f69c2cc4)
2017/03/13 16:23:17 [ERROR] 2017/03/13 16:23:17 http: multiple response.WriteHeader calls
2017/03/13 16:23:17 [INFO] 127.0.0.1:65387 - "POST /api/v1/cfssl/revoke" 200
2017/03/13 16:23:17 [DEBUG] Received request
```

mastersingh24 (Mon, 13 Mar 2017 20:25:05 GMT):
`05007ed65aedf437092c7d18ed09cf080a91d1383` is what fabric-ca inserts

mastersingh24 (Mon, 13 Mar 2017 20:25:27 GMT):
`5007ed65aedf437092c7d18ed09cf080a91d1383` is what the node sdk extracts from the cert

mastersingh24 (Mon, 13 Mar 2017 20:26:51 GMT):
```
import (
	"fmt"
	"math/big"
	"unicode/utf8"
)

// GetSerialAsHex renders a certificate serial number as a hex string,
// prepending a "0" when the rendered string is shorter than 80 runes.
func GetSerialAsHex(serial *big.Int) string {
	hex := fmt.Sprintf("%x", serial)
	if utf8.RuneCountInString(hex) < 80 {
		hex = fmt.Sprintf("0%s", hex)
	}
	return hex
}
```

mastersingh24 (Mon, 13 Mar 2017 20:26:58 GMT):
ah ha

mastersingh24 (Mon, 13 Mar 2017 20:27:14 GMT):
don't think we need the leading 0

skarim (Mon, 13 Mar 2017 20:28:08 GMT):
we don't but if you use openssl from command line it has an 0 in front, so I was just trying to be consistent with what it returned

mastersingh24 (Mon, 13 Mar 2017 20:42:00 GMT):
I'll add a leading zero

divyank (Mon, 13 Mar 2017 20:51:34 GMT):
Any plans to implement the fabric-ca/lib/GetTcertBatch method?

mastersingh24 (Mon, 13 Mar 2017 21:06:24 GMT):
@skarim - prepending a `0` to the hex string of the SN works, so the NodeSDK is now working again. Thx

skarim (Mon, 13 Mar 2017 21:10:29 GMT):
Cool. Just make sure that you only prepend in certain cases, when the hex is less than 40 characters.

smithbk (Mon, 13 Mar 2017 21:11:49 GMT):
@divyank There is identity.GetTCertBatch ... I assume you mean doing the necessary processing to compute the private keys for certs returned? Or can you clarify what you are asking?

divyank (Mon, 13 Mar 2017 21:16:36 GMT):
@smithbk If you look at the method it doesn't actually return the http response. It returns nil. I was wondering if there was a plan to complete it.

smithbk (Mon, 13 Mar 2017 21:42:24 GMT):
@divyank Yes, it is returning nil because that is only needed if you need to sign a transaction with a tcert from a Go app. Are you in need of that?

smithbk (Mon, 13 Mar 2017 21:44:16 GMT):
But yes, the short answer is we plan to do it ... I'm just trying to get a feel for use cases and priorities, etc

divyank (Mon, 13 Mar 2017 22:19:20 GMT):
@smithbk Thanks. We are working on a Go SDK and were hoping to reuse some of your client side code. Does fabric-ca plan to support key derivation as well?

smithbk (Mon, 13 Mar 2017 23:42:56 GMT):
@divyank We are refactoring the fabric-ca code to reuse bccsp's KeyDeriv func. Have you seen KeyDeriv in fabric/bccsp/bccsp.go?

smithbk (Mon, 13 Mar 2017 23:48:17 GMT):
Yes, we plan on supporting deriving the private keys associated with the public keys in the certs that are returned by the current get tcert batch code

smithbk (Mon, 13 Mar 2017 23:50:50 GMT):
i'm currently looking into generating self-signed tcerts also as per https://jira.hyperledger.org/browse/FAB-2441 ... so generating the private key is needed for that as well

forestjqg (Tue, 14 Mar 2017 05:29:10 GMT):
Hi all: I compiled fabric-ca. When I execute the command
```
sudo ./fabric-ca-client register --enrollment.profile ../testdata/registerrequest.json -c ../testdata/fabric-ca-client-config.yaml
```
the response showed:
```
2017/03/14 13:19:48 [INFO] User provided config file: ../testdata/fabric-ca-client-config.yaml
2017/03/14 13:19:48 [INFO] Configuration file location: /home/qjia/src/github.com/hyperledger/fabric-ca/testdata/fabric-ca-client-config.yaml
2017/03/14 13:19:48 Before using BCCSP, please call InitFactories(). Falling back to bootBCCSP.
Password: NMbmypLIKfZb
```
Did this succeed? What does "Before using BCCSP, please call InitFactories(). Falling back to bootBCCSP" mean? Can anyone help?

forestjqg (Tue, 14 Mar 2017 06:08:10 GMT):
Another question: how do I get a TCert through fabric-ca-client?

smithbk (Tue, 14 Mar 2017 10:12:50 GMT):
@forestjqg hmm... I just tried to reproduce that error with the latest and was unable, but also your command line is not quite right either.

smithbk (Tue, 14 Mar 2017 10:14:44 GMT):
I just did the following successfully

smithbk (Tue, 14 Mar 2017 10:15:18 GMT):
To start the default server: `fabric-ca-server start -b admin:adminpw`

smithbk (Tue, 14 Mar 2017 10:15:59 GMT):
To enroll admin: `fabric-ca-client enroll -u http://admin:adminpw@localhost:7054`

smithbk (Tue, 14 Mar 2017 10:16:55 GMT):
To register user fred: `fabric-ca-client register --id.name fred --id.type user --id.affiliation org1.department1`

smithbk (Tue, 14 Mar 2017 10:19:15 GMT):
You could also edit some fields in your $HOME/.fabric-ca-client/fabric-ca-client-config.yaml file under the "id" section to not have to provide command line options

SubhodI (Tue, 14 Mar 2017 10:23:24 GMT):
Has joined the channel.

smithbk (Tue, 14 Mar 2017 10:23:38 GMT):
Regarding tcerts for golang, only the server-side processing of tcerts has been completed. The client-side is currently being worked on for fabric-ca-client. Are you needing to get a tcert from a go app to sign a transaction, or is another language an option?

forestjqg (Tue, 14 Mar 2017 10:24:59 GMT):
OK, i will try your command again

forestjqg (Tue, 14 Mar 2017 10:25:46 GMT):
And maybe I will use another language to get a TCert from the CA server.

forestjqg (Tue, 14 Mar 2017 10:25:57 GMT):
then how to do it?

smithbk (Tue, 14 Mar 2017 10:27:27 GMT):
The node SDK may work. I have not personally tried it recently, but depending on your required timeline, etc, you could try. That said, we are working on the go solution

forestjqg (Tue, 14 Mar 2017 10:27:49 GMT):
ok

forestjqg (Tue, 14 Mar 2017 10:28:03 GMT):
I will wait for your Go solution.

smithbk (Tue, 14 Mar 2017 10:29:08 GMT):
will you be using from a go app then? Just curious what the use case is.

forestjqg (Tue, 14 Mar 2017 10:30:36 GMT):
We just want to use the CA server to get a tcert to encrypt some tx data.

forestjqg (Tue, 14 Mar 2017 10:30:47 GMT):
It is not very clear now;

forestjqg (Tue, 14 Mar 2017 10:31:03 GMT):
just want to study your solution first

smithbk (Tue, 14 Mar 2017 10:31:13 GMT):
ok, fair enough

forestjqg (Tue, 14 Mar 2017 10:31:26 GMT):
then want to integrate it to our app

smithbk (Tue, 14 Mar 2017 10:33:00 GMT):
You can monitor https://jira.hyperledger.org/browse/FAB-2441 if you want ... since the standard client tcert processing will need to be done as part of this self-signed solution also

SubhodI (Tue, 14 Mar 2017 10:33:06 GMT):
How does the CA handle user certificate revocation? Does the CA/peer maintain the revoked list?

smithbk (Tue, 14 Mar 2017 10:34:03 GMT):
yes, the certificates DB is managed by the fabric-ca-server and it maintains whether or not the cert has been revoked in that DB

forestjqg (Tue, 14 Mar 2017 10:34:55 GMT):
thanks

smithbk (Tue, 14 Mar 2017 10:35:00 GMT):
np

CarlXK (Tue, 14 Mar 2017 10:50:34 GMT):
Using the cryptogen tool one can reverse-generate all certs (for MSP, peer, orderer, root CA); is there an example to forward-generate all certs from the CA root certificate?

smithbk (Tue, 14 Mar 2017 11:06:10 GMT):
you can enroll a peer or orderer and populate the local MSP directory with the following command:

smithbk (Tue, 14 Mar 2017 11:06:15 GMT):
fabric-ca-client enroll -u http://:@:7054 -M

smithbk (Tue, 14 Mar 2017 11:07:29 GMT):
@CarlXK Is that what you're looking for?

nickmelis (Tue, 14 Mar 2017 11:19:51 GMT):
Hi all, is this the right channel for v0.6 CA related questions?

nickmelis (Tue, 14 Mar 2017 11:20:41 GMT):
I am currently unable to register&enroll new users via Java SDK and the error is not very meaningful: sql: no rows in result set

nickmelis (Tue, 14 Mar 2017 11:21:02 GMT):
just wondering if there's any known issue related to registration and enrollment

smithbk (Tue, 14 Mar 2017 11:23:52 GMT):
That error means there was a failure looking up an enrollment ID on the server. I would guess that it is referring to the enrollment ID of the registrar and another guess is that perhaps that is because the DB on the server was deleted but the keystore on the client was not deleted

smithbk (Tue, 14 Mar 2017 11:24:23 GMT):
I would suggest deleting your client key store and trying again

smithbk (Tue, 14 Mar 2017 11:27:36 GMT):
or just to be safe, delete both client key store and server DB and that way you know you're starting in sync

nickmelis (Tue, 14 Mar 2017 11:35:21 GMT):
I'm using docker compose to run both ca and peer, I guess the db gets restarted every time I do docker-compose down. Do I have to delete the keyvaluestore every time I reset the DB?

smithbk (Tue, 14 Mar 2017 11:38:30 GMT):
yes

smithbk (Tue, 14 Mar 2017 11:40:18 GMT):
where is your client's keyvaluestore? Is it in one of the docker-compose containers?

smithbk (Tue, 14 Mar 2017 11:40:34 GMT):
i assume not

nickmelis (Tue, 14 Mar 2017 11:41:31 GMT):
no, it's in the client app (in a properties file)

smithbk (Tue, 14 Mar 2017 11:42:56 GMT):
right ... so yes, you'll need to delete it each time. The reason is that the ecert is kept in the keyvalstore and it tries to send it to the server, but the server doesn't know anything about it because its DB was deleted and so it can't find that ID

nickmelis (Tue, 14 Mar 2017 11:50:53 GMT):
also, in v0.6, once I register&enroll a user, if I try to re-enroll it, I'll get an error right? And there's no way to un-enroll it right?

nickmelis (Tue, 14 Mar 2017 11:51:30 GMT):
so basically if I register a user from one app and then want to use it in another app, the only way I have is to copy the key from one keyvaluestore to another, right?

smithbk (Tue, 14 Mar 2017 12:36:50 GMT):
yes, correct ... that is true for v0.6

nickmelis (Tue, 14 Mar 2017 12:44:08 GMT):
and hopefully not true anymore for v1.0 right?

smithbk (Tue, 14 Mar 2017 13:19:25 GMT):
in v1.0 it is possible to re-enroll or to use an enrollment secret multiple times based on configuration, but it is still possible to get a similar error if the DB is deleted and you try to send an ecert that it knows nothing about. The only improvements that I can think of to make here are:

smithbk (Tue, 14 Mar 2017 13:20:03 GMT):
1) better error message ... don't recall off the top of my head if we've already done that for v1, but we will if it hasn't

smithbk (Tue, 14 Mar 2017 13:21:48 GMT):
2) SDKs could recognize this error and retry as if the ecert were not in its keystore, but this would be a change on the SDK side of course. I think that would be a good jira item to open if you want to kick that off.

smithbk (Tue, 14 Mar 2017 13:22:49 GMT):
Of course the success/failure of retrying in #2 depends on how many times the enrollment secret is configured to be reused on the server

smithbk (Tue, 14 Mar 2017 13:25:18 GMT):
BTW, if LDAP authentication is configured, then you can reuse the password

debrajo (Tue, 14 Mar 2017 13:30:47 GMT):
Has joined the channel.

nickmelis (Tue, 14 Mar 2017 13:37:24 GMT):
interesting

smithbk (Tue, 14 Mar 2017 14:00:37 GMT):
Which part is "interesting"? :-)

dRand (Tue, 14 Mar 2017 14:02:19 GMT):
@smithbk @nickmelis regarding v0.6, if you try to re-enroll a user you DON'T get an error, at least if you use the node sdk

smithbk (Tue, 14 Mar 2017 14:03:30 GMT):
that's because the SDK recognizes that it is already enrolled and so doesn't send a request to the server

smithbk (Tue, 14 Mar 2017 14:03:47 GMT):
it knows this by looking in the keyvalstore

dRand (Tue, 14 Mar 2017 14:04:42 GMT):
I remember that calling the peer API from Postman does the same

smithbk (Tue, 14 Mar 2017 14:04:53 GMT):
but if you try to use that identity to register, that is when it will send a request to the server using that identity and if not recognized by server, will error out

smithbk (Tue, 14 Mar 2017 14:05:20 GMT):
the peer API or the membersrvc API?

smithbk (Tue, 14 Mar 2017 14:06:10 GMT):
you're probably talking about the REST API on the peer ... yeh, that is different than talking to membersrvc

nickmelis (Tue, 14 Mar 2017 14:13:20 GMT):
@dRand I'm currently using Java SDK

nickmelis (Tue, 14 Mar 2017 14:14:05 GMT):
and the problem is that the app doesn't have a way to detect a user is already enrolled if the keyvaluestore gets deleted (or the second enrollment comes from a separate app)

amilazzo (Tue, 14 Mar 2017 16:24:20 GMT):
Has joined the channel.

lignyxg (Tue, 14 Mar 2017 17:41:23 GMT):
Has joined the channel.

IngCr3at1on (Tue, 14 Mar 2017 18:18:40 GMT):
Has joined the channel.

hycind (Tue, 14 Mar 2017 19:04:31 GMT):
Has joined the channel.

StevenLanders (Tue, 14 Mar 2017 19:11:13 GMT):
I'm having this exact issue: https://jira.hyperledger.org/browse/FAB-1591 but having a hard time understanding how to work around it.

StevenLanders (Tue, 14 Mar 2017 19:11:26 GMT):
Getting this error:
```
2017-03-14T18:59:31.791602304Z 2017/03/14 18:59:31 http: panic serving 172.17.0.7:52082: runtime error: invalid memory address or nil pointer dereference
2017-03-14T18:59:31.791618595Z goroutine 18 [running]:
2017-03-14T18:59:31.791621790Z net/http.(*conn).serve.func1(0xc4202a8000)
2017-03-14T18:59:31.791624343Z 	/opt/go/src/net/http/server.go:1491 +0x12a
2017-03-14T18:59:31.791626925Z panic(0xb6a160, 0xc420014040)
2017-03-14T18:59:31.791629166Z 	/opt/go/src/runtime/panic.go:458 +0x243
2017-03-14T18:59:31.791632133Z github.com/hyperledger/fabric-ca/cli/server.(*signHandler).Handle(0xc4202e2b60, 0x115a4a0, 0xc4200d4340, 0xc4200b41e0, 0xc420437401, 0xc420436080)
2017-03-14T18:59:31.791634821Z 	/opt/gopath/src/github.com/hyperledger/fabric-ca/cli/server/enroll.go:76 +0x20d
2017-03-14T18:59:31.791637744Z github.com/hyperledger/fabric-ca/vendor/github.com/cloudflare/cfssl/api.HTTPHandler.ServeHTTP(0x1151fe0, 0xc4202e2b60, 0xc4202e2b70, 0x1, 0x1, 0x115a4a0, 0xc4200d4340, 0xc4200b41e0)
2017-03-14T18:59:31.791640673Z 	/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/cloudflare/cfssl/api/api.go:85 +0x3e4
2017-03-14T18:59:31.791643156Z github.com/hyperledger/fabric-ca/vendor/github.com/cloudflare/cfssl/api.(*HTTPHandler).ServeHTTP(0xc4202e05a0, 0x115a4a0, 0xc4200d4340, 0xc4200b41e0)
2017-03-14T18:59:31.791645548Z 	:4 +0x8c
```

StevenLanders (Tue, 14 Mar 2017 19:11:48 GMT):
(when I enroll the default admin/adminpw user)

StevenLanders (Tue, 14 Mar 2017 19:13:21 GMT):
im thinking i'm missing some key or something

smithbk (Tue, 14 Mar 2017 19:29:21 GMT):
Looks like you're using a fairly old version of fabric-ca since I see "fabric-ca/cli" in the stack. Can you try with a recent build?

StevenLanders (Tue, 14 Mar 2017 19:29:41 GMT):
ah, was using the "getting setup" version, i'll update

CarlXK (Wed, 15 Mar 2017 01:41:14 GMT):
@smithbk thanks, i will try it, hope it works~

DannyWong (Wed, 15 Mar 2017 02:47:34 GMT):
Hi @here, if i am using LDAP as the user registry of Fabric CA, can I specify a set of "LDAP attributes" to be included in Ecert (not tCert)

DannyWong (Wed, 15 Mar 2017 02:58:54 GMT):
my question is... seems the attribute support is mainly on tCert base...

DannyWong (Wed, 15 Mar 2017 03:00:06 GMT):
and another question is that.... I want to design the owner/access control with the trusted attribute from a trusted eCert, instead of directly managing the ACL on eCert...

DannyWong (Wed, 15 Mar 2017 03:00:23 GMT):
such that when that eCert is really COMPROMISED and we use the reenroll eCert feature

DannyWong (Wed, 15 Mar 2017 03:01:04 GMT):
the previously created assets by that compromised eCert can STILL be accessed

SubhodI (Wed, 15 Mar 2017 05:17:24 GMT):
@smithbk thanks

CarlXK (Wed, 15 Mar 2017 06:39:10 GMT):
@smithbk ca default configuration : hf.Registrar.Roles: "client,user,peer,validator,auditor,ca" , why no orderer now?

drstki (Wed, 15 Mar 2017 09:13:38 GMT):
Has joined the channel.

drstki (Wed, 15 Mar 2017 09:16:32 GMT):
question regarding v0.6: I can use the HFC SDK to register and enroll new users, but I cannot change to an affiliation other than those pre-defined in the membersrvc.yaml file. Is that not possible with v0.6?

drstki (Wed, 15 Mar 2017 09:21:12 GMT):
another question regarding v0.6: I can use the handleUserRequest function to add an additional variable to this registrationRequest, but I am not able to freely define new vars. Do we have any documentation on what kind of variables can be defined?

jaguarg (Wed, 15 Mar 2017 10:11:25 GMT):
Has joined the channel.

ecn (Wed, 15 Mar 2017 10:11:46 GMT):
Has joined the channel.

jaguarg (Wed, 15 Mar 2017 10:12:11 GMT):
Hello, I would like to know if there is a way to not have the accounts / secrets in clear text in the membersrvc.yaml?

mychewcents (Wed, 15 Mar 2017 12:27:47 GMT):
Has joined the channel.

balashevich (Wed, 15 Mar 2017 12:31:43 GMT):
Has joined the channel.

smithbk (Wed, 15 Mar 2017 13:33:09 GMT):
@CarlXK Yeh, although the config file has a default set of roles, fabric-ca doesn't mandate what the allowable set of types are. Since it just treats them as strings, you can add orderer or any types you want to that list.

smithbk (Wed, 15 Mar 2017 13:35:05 GMT):
@drstki No, the set of affiliations are always predefined in both v0.6 and v1.0. The affiliation hierarchy must be predefined.

smithbk (Wed, 15 Mar 2017 13:36:42 GMT):
@drstki I'd have to look at the v0.6 code as I don't recall off the top of my head, but wondering if you are planning on moving to v1.0 since it is so far along now

drstki (Wed, 15 Mar 2017 13:53:58 GMT):
@smithbk Thanks for this quick answer. As affiliations are also predefined in v1.0, how can we change the existing definition, as it is part of the docker container that is working as fabric-ca?

drstki (Wed, 15 Mar 2017 13:55:13 GMT):
do we have to build our own container?

drstki (Wed, 15 Mar 2017 13:57:43 GMT):
maybe it is a good idea to provide more "general" names for the affiliation that do not have a context like a bank or institution?

smithbk (Wed, 15 Mar 2017 14:10:51 GMT):
@drstki The v1 image uses "org" and "department" rather than "institution" and "bank"

smithbk (Wed, 15 Mar 2017 14:11:46 GMT):
Extending the image and providing your own config file with your own affiliation tree is probably the best option for now

drstki (Wed, 15 Mar 2017 14:14:38 GMT):
@smithbk ok, very good! Thanks.

smithbk (Wed, 15 Mar 2017 14:14:48 GMT):
We were considering allowing passing in an entire subtree of any part of the default configuration to override it (e.g. --affiliation "JSON-definition") , but that needs more thought and not sure if/when it will make it.

smithbk (Wed, 15 Mar 2017 14:16:27 GMT):
the other option is another REST API to dynamically add new nodes to the affiliation hierarchy ... or perhaps in a more generic way of modifying the config ... but again requires more thought and would not be short term

CarlXK (Wed, 15 Mar 2017 15:44:35 GMT):
@smithbk so I can add a string like "test" and the generated certs can also run with an orderer/peer/CA node?

smithbk (Wed, 15 Mar 2017 15:49:21 GMT):
@CarlXK yes, you can today but may change for v1 as we finalize the authorization linkage between types and ACLs in fabric

CarlXK (Wed, 15 Mar 2017 15:53:08 GMT):
ok, thanks~ @smithbk

Lin-YiTang (Wed, 15 Mar 2017 16:15:29 GMT):
Has joined the channel.

joshuajeeson (Wed, 15 Mar 2017 17:37:02 GMT):
Hiya, what is the procedure for 3rd party PKI integration? Is there some documentation?

ashutosh_kumar (Wed, 15 Mar 2017 18:05:16 GMT):
There is no Third Party PKI integration per se.

ashutosh_kumar (Wed, 15 Mar 2017 18:05:39 GMT):
you can use Cert issued by third parties.

smithbk (Wed, 15 Mar 2017 21:15:09 GMT):
I think we want to be crisp about what is meant by and needed for 3rd party PKI integration. For example, it is possible to "integrate" with a corporate CA by issuing a CA cert for fabric CA server and still get tcerts for blockchain. Can you clarify what is meant/needed for "3rd party PKI integration"?

JonathanLevi (Wed, 15 Mar 2017 22:46:35 GMT):
---

JonathanLevi (Wed, 15 Mar 2017 22:47:24 GMT):
Are we good with `fabric-ca` for the *v1.0.0-alpha*? Any known blockers before we finalize?

JonathanLevi (Wed, 15 Mar 2017 22:48:41 GMT):
I believe we have merged a lot over the last few days/weeks... but if there's anything, now is a good time to say something ;-)

CarlXK (Thu, 16 Mar 2017 02:30:37 GMT):
@smithbk @ashutosh_kumar In a channelA with 5 peers (peer1 2 3 4 5) joined, definitely they own all transactions' data in the channel. If peer1 & peer2 & peer3 complete a transaction tran1, and peer1 uses his tcert, is tran1 invisible to peer4 & peer5?

smithbk (Thu, 16 Mar 2017 03:00:47 GMT):
@JonathanLevi I will have another readthedocs update in the morning, but otherwise all I know of.

smithbk (Thu, 16 Mar 2017 03:01:14 GMT):
Well, there is https://gerrit.hyperledger.org/r/#/c/7245, but is not a blocker ... just a spurious message

smithbk (Thu, 16 Mar 2017 03:07:06 GMT):
@CarlXK well, a peer is not using a tcert ... but all peers in a channel have access to the data in the channel as you say. I'm not sure I understand the question though. There is a difference between seeing the transaction and knowing the identity of someone who has used a tcert. The identity would not be seen, though they would know what CA signed it, and if each org has its own CA, then you would know which orgs were involved. But I'm not sure I'm getting to the question. Maybe you can elaborate.

CarlXK (Thu, 16 Mar 2017 03:21:23 GMT):
@smithbk peer1 has a sdk connected, sdk1 uses the tcert to complete the transaction trans1

CarlXK (Thu, 16 Mar 2017 03:24:07 GMT):
could the tcert implement transaction data's visibility?

mychewcents (Thu, 16 Mar 2017 04:36:55 GMT):
I guess the newer update to Fabric-CA uses fabric-ca-server and fabric-ca-client as commands; is this the latest one, or is the one with `fabric-ca server` and `fabric-ca client` the latest one? I'm a bit confused because the documentation states the second one but the files state the first one. Could someone please clarify that?

mychewcents (Thu, 16 Mar 2017 05:15:36 GMT):
Also, can anyone please help me understand what admincerts, cacerts, keycerts and signcerts stand for in MSP? As much as I know, keycerts manages the private keys, cacerts are the CA public keys. I don't specifically get the other two.

Vadim (Thu, 16 Mar 2017 08:42:21 GMT):
@mychewcents you could find the answers here: https://docs.google.com/document/d/1Qg7ZEccOIsrShSHSNl4kBHOFvLYRhQ3903srJ6c_AZE/edit#heading=h.2rmho7iqstbu

mychewcents (Thu, 16 Mar 2017 08:53:41 GMT):
Thanks @Vadim

JonathanLevi (Thu, 16 Mar 2017 10:34:06 GMT):
Yes, *fabric-ca-server* and *fabric-ca-client*

JonathanLevi (Thu, 16 Mar 2017 10:35:57 GMT):
Keith, OK, we are working on it (I have just restarted the build, which failed last night - for a different reason) [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Dj88b5j7TcGz2uXya). update: *MERGED*

JonathanLevi (Thu, 16 Mar 2017 11:24:27 GMT):
--- Final call(s) to any other blocking issues anyone here may be aware of regarding *fabric-ca*...

JonathanLevi (Thu, 16 Mar 2017 11:25:06 GMT):
Mind you, the *v1.0.0-alpha* is not going to be our final release/tag ;-)... but just in case.

JonathanLevi (Thu, 16 Mar 2017 11:25:22 GMT):
We still have time, especially for items that don't break the API.

smithbk (Thu, 16 Mar 2017 11:28:54 GMT):
None from me Jonathan

smithbk (Thu, 16 Mar 2017 11:32:23 GMT):
@mychewcents Hi, what documentation are you looking at which still uses the fabric-ca executable commands? The readthedocs has been updated at http://hyperledger-fabric.readthedocs.io/en/latest/Setup/ca-setup.html

mychewcents (Thu, 16 Mar 2017 11:34:39 GMT):
Yes @smithbk My bad. I had visited the link a while back. It is updated. Thanks for the update.

smithbk (Thu, 16 Mar 2017 11:37:57 GMT):
np

xiejunxi (Thu, 16 Mar 2017 11:43:20 GMT):
Has joined the channel.

jaguarg (Thu, 16 Mar 2017 14:56:55 GMT):
Hello, in the sample deployment (latest build) channel_test.sh is not referring to the CA.

jaguarg (Thu, 16 Mar 2017 14:56:55 GMT):
actually I don't see where peer0, peer1, peer2, orderer are referring to the ca

jaguarg (Thu, 16 Mar 2017 15:03:09 GMT):
or vice versa

mastersingh24 (Thu, 16 Mar 2017 17:39:28 GMT):
@jaguarg - orderer and peer nodes don't have a dependency on the fabric-ca (this is different than v0.6) and never actually make a connection to the fabric-ca. But the crypto material we generated to bootstrap them was issued by the fabric-ca

toddinpal (Thu, 16 Mar 2017 18:49:19 GMT):
Has joined the channel.

toddinpal (Thu, 16 Mar 2017 18:51:50 GMT):
I'm trying to understand fabric-ca use of LDAP and can't find any LDAP references in the code. What am I missing?

toddinpal (Thu, 16 Mar 2017 19:03:05 GMT):
nvm, I thought the msp part of the fabric tree was fabric-ca...

RahulBagaria (Fri, 17 Mar 2017 03:56:36 GMT):
Has joined the channel.

JaemanHong (Fri, 17 Mar 2017 05:11:22 GMT):
Has joined the channel.

andyxf1029 (Fri, 17 Mar 2017 06:08:29 GMT):
Has joined the channel.

Ying (Fri, 17 Mar 2017 07:15:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=87RQioNKTHyRRK5DF) @mastersingh24 any plan to access crypto via sdk? Instead of command. Thks.

mastersingh24 (Fri, 17 Mar 2017 09:13:03 GMT):
@Ying you can access the fabric-ca from NodeJS using the fabric-ca-client package

suganuma (Fri, 17 Mar 2017 15:26:21 GMT):
I'm working for TLS support for sdk-java. How do we configure fabric-ca-server to start with mutual TLS enabled? The command 'fabric-ca-server start --tls.enabled --tls.certfile xxx --tls.keyfile yyy' doesn't seem to make mutual TLS to request client to send its certificate. In the case of fabric-ca-client, it takes the flag --tls.certfiles for the list of trusted cert files (in addition to --tls.client.certfile and --tls.client.keyfile). How can we specify the trusted cert store for fabric-ca-server? thanks.

mastersingh24 (Fri, 17 Mar 2017 16:54:58 GMT):
@suganuma - we are not using mutual TLS at this point. One way is fine

ZionTam (Sat, 18 Mar 2017 00:07:47 GMT):
Has joined the channel.

ZionTam (Sat, 18 Mar 2017 00:12:20 GMT):
The sample code sfhackfest doesn't seem to work with 1.0 alpha images; some errors, and finally only the orderer image starts successfully

bobsummerwill (Sat, 18 Mar 2017 02:43:50 GMT):
Has joined the channel.

andrea.turli (Sat, 18 Mar 2017 07:31:30 GMT):
Has joined the channel.

Ying (Sun, 19 Mar 2017 04:00:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tvHzsNpG2Z2uhCvTk) @mastersingh24 got it, let me try. Thanks mastersingh24.

Xiao (Mon, 20 Mar 2017 07:09:17 GMT):
Has joined the channel.

kuangchao (Mon, 20 Mar 2017 08:01:03 GMT):
I have a Fabric forum on Facebook, welcome to join https://www.facebook.com/groups/876837335752599

Xiao (Mon, 20 Mar 2017 08:18:07 GMT):
Hi there, I am getting started with fabric-ca 1.0 alpha. When I registered a client with eid:testReg01, I got the OTP:aUPpkhfABimu. Then, I tried to revoke this id with command:
```
fabric-ca-client revoke -a aUPpkhfABimu -s 100229249896927144834477463181983606340117464934 -r superseded
```
and I got the response:
```
2017/03/20 08:12:20 [FATAL] Failed to parse response [invalid character '{' after top-level value] for request: POST http://localhost:7049/revoke
Authorization: ….MEUCIQCklJC45ZTjic19obOaSidYV3vau0fDcnOSD8GD3s5EOgIgX4R6kL8SJKHOlkbXfigbsqK/ACsETJT1UgfmajEsU9E=
{"serial":"100229249896927144834477463181983606340117464934","aki":"aUPpkhfABimu","reason":4}
```

Xiao (Mon, 20 Mar 2017 08:19:52 GMT):
And I got this on the fabric ca server side:
```
2017/03/20 08:10:32 [ERROR] 2017/03/20 08:10:32 http: multiple response.WriteHeader calls
2017/03/20 08:10:32 [INFO] [::1]:57025 - "POST /revoke" 200
```
Could anyone help me explain why this happens? Cheers.

dorrakhribi (Mon, 20 Mar 2017 10:21:45 GMT):
Has joined the channel.

zlliu (Mon, 20 Mar 2017 11:45:11 GMT):
Has joined the channel.

dannysun85 (Mon, 20 Mar 2017 12:18:22 GMT):
Has joined the channel.

smithbk (Mon, 20 Mar 2017 12:45:31 GMT):
This may be a bug in how it handles an error path. Would need to investigate. But this should fail with an unknown certificate because the value of the "-a" option should be the AKI value from a certificate. It is not the OTP value.

smithbk (Mon, 20 Mar 2017 12:49:11 GMT):
@Xiao I was able to reproduce the bad error reporting

smithbk (Mon, 20 Mar 2017 12:49:46 GMT):
Can you open a jira item so you can track?

Xiao (Mon, 20 Mar 2017 15:05:33 GMT):
Thank you for your response @smithbk ! I'm sorry that jira is not available for me now, and I wish I could try it sometime later. Here I feel confused about the params of *AKI*... How can I get the AKI value? Or which certificate should I have to make the revocation? And which Serial Number should I use here after the revocation flag "-s" ? Cheers:)

smithbk (Mon, 20 Mar 2017 15:13:36 GMT):
@Xiao You can use openssl to display the AKI and serial number of a cert

smithbk (Mon, 20 Mar 2017 15:13:52 GMT):
```
$ openssl x509 -in cert.pem -text -noout -serial
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4a:2d:a2:cc:52:c7:f0:3f:1c:97:cb:0c:44:11:b3:4f:7b:b9:57:f8
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=fabric-ca-server
        Validity
            Not Before: Mar 20 12:34:00 2017 GMT
            Not After : Feb 16 20:34:00 2018 GMT
        Subject: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=admin
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    04:dd:1c:0f:9d:b9:f3:17:e9:fc:5f:ab:f2:47:5e:
                    5d:8a:45:05:10:08:06:9a:a4:87:05:7c:38:5c:a1:
                    3e:b0:da:b0:e1:6e:1f:2e:56:95:5a:39:11:8f:73:
                    3f:a1:df:fd:1b:97:60:9b:45:c8:cc:86:70:e7:be:
                    b9:9c:41:e6:72
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                49:D0:65:85:73:C0:CA:04:11:EA:55:74:8C:20:1D:8D:84:91:C3:11
            X509v3 Authority Key Identifier:
                keyid:B4:65:6B:37:92:E2:BA:15:92:7C:5E:CE:FB:73:CD:8D:0F:16:0B:08
            X509v3 Subject Alternative Name:
                DNS:Keiths-MBP.nc.rr.com
    Signature Algorithm: ecdsa-with-SHA256
        30:44:02:20:4d:86:f5:61:38:ef:12:5f:56:f0:55:c6:d7:8d:
        ac:ba:ae:cf:3e:96:d5:35:78:dc:2b:22:e9:05:c1:fe:c6:d0:
        02:20:72:c9:97:ab:39:05:8a:3b:85:a0:69:a2:b0:90:63:50:
        da:a9:76:2f:84:47:d5:1d:22:d9:b7:a9:14:e2:8b:89
serial=4A2DA2CC52C7F03F1C97CB0C4411B34F7BB957F8
```

smithbk (Mon, 20 Mar 2017 15:14:29 GMT):
Assuming the cert is in "cert.pem"

smithbk (Mon, 20 Mar 2017 15:15:04 GMT):
The AKI is "B4:65:6B:37:92:E2:BA:15:92:7C:5E:CE:FB:73:CD:8D:0F:16:0B:08", but without the colons

smithbk (Mon, 20 Mar 2017 15:15:22 GMT):
and the serial number is 4A2DA2CC52C7F03F1C97CB0C4411B34F7BB957F8

smithbk (Mon, 20 Mar 2017 15:16:27 GMT):
AKI is "Authority Key Identifier"

Xiao (Mon, 20 Mar 2017 15:33:09 GMT):
@smithbk OIC...Thank you soooooooo much for your explanation:)

smithbk (Mon, 20 Mar 2017 15:39:07 GMT):
yw

Godwin (Tue, 21 Mar 2017 05:27:53 GMT):
Has joined the channel.

xiangyw (Tue, 21 Mar 2017 07:09:53 GMT):
Has joined the channel.

bh4rtp (Tue, 21 Mar 2017 08:07:24 GMT):
@keith.mcauliffe is the fabric-ca Feb 16 movie recorded by you? I found fabric-ca-client doesn't support -f xxx.json now. Would you please give me the content of your nonintca.json? Because step 4 can still be successful even though nonintca has no hf.IntermediateCA attribute.

keith.mcauliffe (Tue, 21 Mar 2017 08:07:24 GMT):
Has joined the channel.

CarlXK (Tue, 21 Mar 2017 08:15:21 GMT):
no JSON now, like this: `./fabric-ca-client register -c client/rootadmin/config.yaml --id.name intca --id.type ca --id.affiliation org1 --id.attr hf.IntermediateCA=true`

bh4rtp (Tue, 21 Mar 2017 08:22:03 GMT):
@CarlXK thanks. I did like you. Run `./fabric-ca-client register -c client/rootadmin/config.yaml --id.name nonintca --id.type ca --id.affiliation org1 --id.attr hf.IntermediateCA=false` and then `fabric-ca-server init -c server/nonint/config.yaml -b admin:adminpw -u http://nonintca:DaBuYOAvQiLK@localhost:7054`. The intermediate CA server was initialized ok. Is this correct?

bh4rtp (Tue, 21 Mar 2017 08:24:47 GMT):
According to the movie, the intermediate CA server should fail to initialize.

CarlXK (Tue, 21 Mar 2017 08:25:29 GMT):
yes

CarlXK (Tue, 21 Mar 2017 08:26:09 GMT):
i didn't try command for nointca

CarlXK (Tue, 21 Mar 2017 08:26:25 GMT):
my commands below:
```
# 1. Start the root CA server
./fabric-ca-server init -c server/root/config.yaml
./fabric-ca-server start -c server/root/config.yaml -b rootadmin:rootadminpw

# 2. Enroll the root CA administrator
./fabric-ca-client enroll -c client/rootadmin/config.yaml -u http://rootadmin:rootadminpw@localhost:7054

# 3. Register two identities with the root CA to allow an intermediate CA to initialize
./fabric-ca-client register -c client/rootadmin/config.yaml --id.name intca --id.type ca --id.affiliation org1 --id.attr hf.IntermediateCA=true
cDrcGkiCwvEv
./fabric-ca-client register -c client/rootadmin/config.yaml -f --id.name nointca --id.type ca --id.affiliation org1 --id.attr hf.IntermediateCA=false
ucBddTzschox

# 4. Fail to initialize the intermediate CA server with non-intermediate identity
./fabric-ca-server init -c server/nonint/config.yaml -b admin:adminpw -u http://nonintca:ucBddTzschox@localhost:7054

# 5. Initialize the intermediate CA server with intermediate identity (with "hf.IntermediateCA" attribute)
./fabric-ca-server init -c server/int/config.yaml -b admin:adminpw -u http://intca:cDrcGkiCwvEv@localhost:7054

# 6. Stop the server

# 7. Start the intermediate CA server
./fabric-ca-server start -c server/int/config.yaml

# 8. Enroll the intermediate CA administrator
./fabric-ca-client enroll -c client/intadmin/config.yaml -u http://admin:adminpw@localhost:7054

# 9. Register a peer identity
./fabric-ca-client register -c client/intadmin/config.yaml --id.name peer1 --id.type peer --id.affiliation org1
./fabric-ca-client register -c client/intadmin/config.yaml --id.name peer2 --id.type peer --id.affiliation org1

# 10. Enroll the peer
./fabric-ca-client enroll -c client/peer/config.yaml -u http://peer1:ceIYPwacZuSA@localhost:7054
```

CarlXK (Tue, 21 Mar 2017 08:26:54 GMT):
didn't try the step 4

passkit (Tue, 21 Mar 2017 11:12:36 GMT):
Seems like the certfiles paramater in fabric-ca-server-config.yaml is ignored (at east when using Postgres) ```db: type: postgres datasource: host=us-east-2a.blockchain.passkit.com port=5432 user=postgres password=postgres dbname=fabric_ca sslmode=verify-ca tls: enabled: true certfileslist: ca.cert.pem # Comma Separated (e.g. root.pem, root2.pem) client: certfile: client.chain.cert.pem keyfile: client.key.pem``` The certificate is ignoted and verify-ca or verify-full will fail. But if is specified as an array, then it works: ```db: type: postgres datasource: host=us-east-2a.blockchain.passkit.com port=5432 user=postgres dbname=fabric_ca sslmode=verify-full tls: enabled: true certfileslist: - ca.cert.pem client: certfile: client.chain.cert.pem keyfile: client.key.pem```

passkit (Tue, 21 Mar 2017 11:12:36 GMT):
Seems like the certfiles paramater in fabric-ca-server-config.yaml is ignored (at east when using Postgres) ```db: type: postgres datasource: host=us-east-2a.blockchain.passkit.com port=5432 user=postgres password=postgres dbname=fabric_ca sslmode=verify-ca tls: enabled: true certfiles: ca.cert.pem # Comma Separated (e.g. root.pem, root2.pem) client: certfile: client.chain.cert.pem keyfile: client.key.pem``` The certificate is ignoted and verify-ca or verify-full will fail. But if is specified as an array, then it works: ```db: type: postgres datasource: host=us-east-2a.blockchain.passkit.com port=5432 user=postgres dbname=fabric_ca sslmode=verify-full tls: enabled: true certfileslist: - ca.cert.pem client: certfile: client.chain.cert.pem keyfile: client.key.pem```

passkit (Tue, 21 Mar 2017 11:12:36 GMT):
Seems like the certfiles paramater in fabric-ca-server-config.yaml is ignored (at east when using Postgres) ```db: type: postgres datasource: host=example.com port=5432 user=postgres dbname=fabric_ca sslmode=verify-full tls: enabled: true certfiles: ca.cert.pem # Comma Separated (e.g. root.pem, root2.pem) client: certfile: client.chain.cert.pem keyfile: client.key.pem``` The certificate is ignoted and verify-ca or verify-full will fail. But if is specified as an array, then it works: ```db: type: postgres datasource: host=example.com port=5432 user=postgres dbname=fabric_ca sslmode=verify-full tls: enabled: true certfileslist: - ca.cert.pem client: certfile: client.chain.cert.pem keyfile: client.key.pem```

passkit (Tue, 21 Mar 2017 11:12:36 GMT):
Seems like the database certfiles paramater in fabric-ca-server-config.yaml is ignored (at least when using Postgres) ```db: type: postgres datasource: host=example.com port=5432 user=postgres dbname=fabric_ca sslmode=verify-full tls: enabled: true certfiles: ca.cert.pem # Comma Separated (e.g. root.pem, root2.pem) client: certfile: client.chain.cert.pem keyfile: client.key.pem``` The certificate is ignoted and verify-ca or verify-full will fail. But if is specified as an array, then it works: ```db: type: postgres datasource: host=example.com port=5432 user=postgres dbname=fabric_ca sslmode=verify-full tls: enabled: true certfileslist: - ca.cert.pem client: certfile: client.chain.cert.pem keyfile: client.key.pem```

passkit (Tue, 21 Mar 2017 11:12:36 GMT):
Seems like the database certfiles paramater in fabric-ca-server-config.yaml is ignored (at least when using Postgres) ```db: type: postgres datasource: host=example.com port=5432 user=postgres dbname=fabric_ca sslmode=verify-full tls: enabled: true certfiles: ca.cert.pem # Comma Separated (e.g. root.pem, root2.pem) client: certfile: client.cert.pem keyfile: client.key.pem``` The certificate is ignored and verify-ca or verify-full will fail. ```2017/03/21 18:59:00 [DEBUG] Initializing 'postgres' data base at 'host=example.com port=5432 user=postgres dbname=fabric_ca sslmode=verify-full' 2017/03/21 18:59:00 [DEBUG] Using postgres database, connecting to database... 2017/03/21 18:59:00 [DEBUG] Database Name: fabric_ca 2017/03/21 18:59:00 [DEBUG] Connection String: host=example.com port=5432 user=postgres dbname=fabric_ca sslmode=verify-full sslcert=client.cert.pem sslkey=client.key.pem 2017/03/21 18:59:00 [ERROR] Failed to connect to Postgres database [error: x509: certificate signed by unknown authority] Error: x509: certificate signed by unknown authority ``` But if is specified as an array, then it works: ```db: type: postgres datasource: host=example.com port=5432 user=postgres dbname=fabric_ca sslmode=verify-full tls: enabled: true certfileslist: - ca.cert.pem client: certfile: client.cert.pem keyfile: client.key.pem```

passkit (Tue, 21 Mar 2017 11:12:36 GMT):
Seems like the database certfiles parameter in fabric-ca-server-config.yaml is ignored (at least when using Postgres)
```
db:
  type: postgres
  datasource: host=example.com port=5432 user=postgres dbname=fabric_ca sslmode=verify-full
  tls:
    enabled: true
    certfiles: ca.cert.pem # Comma Separated (e.g. root.pem, root2.pem)
    client:
      certfile: client.cert.pem
      keyfile: client.key.pem
```
The certificate is ignored and verify-ca or verify-full will fail.
```
2017/03/21 18:59:00 [DEBUG] Initializing 'postgres' data base at 'host=example.com port=5432 user=postgres dbname=fabric_ca sslmode=verify-full'
2017/03/21 18:59:00 [DEBUG] Using postgres database, connecting to database...
2017/03/21 18:59:00 [DEBUG] Database Name: fabric_ca
2017/03/21 18:59:00 [DEBUG] Connection String: host=example.com port=5432 user=postgres dbname=fabric_ca sslmode=verify-full sslcert=client.cert.pem sslkey=client.key.pem
2017/03/21 18:59:00 [ERROR] Failed to connect to Postgres database [error: x509: certificate signed by unknown authority]
Error: x509: certificate signed by unknown authority
```
But if it is specified as an array, then it works:
```
db:
  type: postgres
  datasource: host=example.com port=5432 user=postgres dbname=fabric_ca sslmode=verify-full
  tls:
    enabled: true
    certfileslist:
      - ca.cert.pem
    client:
      certfile: client.cert.pem
      keyfile: client.key.pem
```

passkit (Tue, 21 Mar 2017 11:28:09 GMT):
`processCertFiles()` is not called in the server `configInit()` or anytime before the connection is initiated.

passkit (Tue, 21 Mar 2017 11:44:32 GMT):
https://jira.hyperledger.org/browse/FAB-2845

shanlusun (Tue, 21 Mar 2017 14:45:13 GMT):
Has joined the channel.

DannyWong (Tue, 21 Mar 2017 15:36:35 GMT):
@here, these days i am having some challenges from clients with strong Ethereum background... about our Fabric CA

DannyWong (Tue, 21 Mar 2017 15:37:31 GMT):
the Fabric CA (although we can have multiple CA in each organization) with the MSP

DannyWong (Tue, 21 Mar 2017 15:38:25 GMT):
but still it is a quite centralized piece of software within this decentralized system....

DannyWong (Tue, 21 Mar 2017 15:38:30 GMT):
what do you guys think

thojest (Tue, 21 Mar 2017 15:39:10 GMT):
@DannyWong I think it is somehow true, but you will also run into this problem on permissioned chains, don't you?

smithbk (Tue, 21 Mar 2017 15:42:28 GMT):
@DannyWong You should have multiple roots of trust (i.e. multiple root fabric-ca-servers) in a single chain, so this would not be centralized ... right?

DannyWong (Tue, 21 Mar 2017 15:42:59 GMT):
@smithbk please shed some insight...

DannyWong (Tue, 21 Mar 2017 15:43:09 GMT):
I need to enlightenment... hahaha

DannyWong (Tue, 21 Mar 2017 15:43:14 GMT):
some*

smithbk (Tue, 21 Mar 2017 15:44:29 GMT):
Each org on the blockchain would have its own root fabric-ca-servers with its own root of trust

smithbk (Tue, 21 Mar 2017 15:45:53 GMT):
So if you have a channel with two orgs, the MSP config for that channel would have two roots of trust, one for each org

smithbk (Tue, 21 Mar 2017 15:46:20 GMT):
Make sense?

smithbk (Tue, 21 Mar 2017 15:48:07 GMT):
Maybe what is confusing is that some people have thought that the purpose for root fabric-ca-servers and intermediate fabric-ca-servers was to have one root for the chain and one intermediate for each org, but that is not the purpose of intermediate CAs

smithbk (Tue, 21 Mar 2017 15:48:19 GMT):
Is that perhaps part of the confusion?

smithbk (Tue, 21 Mar 2017 15:51:59 GMT):
Or maybe you can elaborate on what you mean by "quite centralized piece of software within this decentralized system" and I can try to answer more specifically. For example, do you mean centralized from a trust perspective or from an operational HA perspective, or other?

DannyWong (Tue, 21 Mar 2017 16:10:41 GMT):
operational, i already architect it to HA

DannyWong (Tue, 21 Mar 2017 16:11:37 GMT):
for the MSP, we understand, if we have 2 orgs within same channel. we can have 2 CA with two different root of trust

DannyWong (Tue, 21 Mar 2017 16:12:53 GMT):
then the MSP of each peer will have both roots of trust's public keys. When it receives an incoming endorsement request, the verifying MSP can verify whether it should further proceed.

DannyWong (Tue, 21 Mar 2017 16:13:12 GMT):
then after execution of chaincode, then it will use its local MSP to sign the response and send it back to SDK

DannyWong (Tue, 21 Mar 2017 16:13:17 GMT):
i understand this

DannyWong (Tue, 21 Mar 2017 16:14:47 GMT):
but from an architecture perspective, the ledger data for example.... we can scale A LOT of peers within one Org to make sure that when a node goes down / dies, there is always redundancy

DannyWong (Tue, 21 Mar 2017 16:15:10 GMT):
and also scale out

DannyWong (Tue, 21 Mar 2017 16:16:25 GMT):
we can spray more TPS from clients (i.e. SDK) to the endorser farm within single org (we assume the endorsement from another org can scale out in same way at this moment)

DannyWong (Tue, 21 Mar 2017 16:17:09 GMT):
then the clients upon receiving the responses, then they create tx from these responses, sign it then send them to Orderer

DannyWong (Tue, 21 Mar 2017 16:17:43 GMT):
Orderer with Kafka should be able to process thing in ultra fast manner

DannyWong (Tue, 21 Mar 2017 16:18:35 GMT):
also, as the SDK, i just need to shoot tx to orderer service (any orderer node / or simply a load balancer IP of orderer node farm)

DannyWong (Tue, 21 Mar 2017 16:19:30 GMT):
so.... the only piece of software (Fabric-CA + LDAP) is very centralized (traditional)...

DannyWong (Tue, 21 Mar 2017 16:20:49 GMT):
Maybe the problem is that... in Ethereum, actually the identity can be integrated on smart contract (i.e. our chaincode) level

DannyWong (Tue, 21 Mar 2017 16:22:43 GMT):
which is an Ethereum Account, then you can create a Person contract by setting the owner of this contract as that Ethereum account. Also, the public/private key in Ethereum can be generated deterministically with those wallet-12-word-passphrase... So the admin operation overhead from their side is really lower than us

DannyWong (Tue, 21 Mar 2017 16:24:37 GMT):
Let me still think about it.... Welcome everyone to share their thought!!!

smithbk (Tue, 21 Mar 2017 16:33:03 GMT):
So your concern is performance (scalability and/or latency) of requests for tcerts from the fabric-ca-server?

smithbk (Tue, 21 Mar 2017 16:35:35 GMT):
Even with clustering of fabric-ca-server's?

raj (Tue, 21 Mar 2017 17:30:02 GMT):
Has joined the channel.

ashutosh_kumar (Tue, 21 Mar 2017 18:09:00 GMT):
@DannyWong : First point: Fabric-CA does not play a role in real-time transaction/invocation of chaincode etc. It used to be that way in 0.6, but in 1.0 it has been decoupled. Fabric-CA's role is merely to provide Enrollment Certs for the Blockchain members that do not have or do not want to use an existing CA. It provides Transaction Certificates also.

ashutosh_kumar (Tue, 21 Mar 2017 18:09:43 GMT):
In MSP , it is not mandatory to use Fabric-CA issued key material.

ashutosh_kumar (Tue, 21 Mar 2017 18:11:21 GMT):
from an HA perspective, here is the flow: 1) Client App -> 2) Internal Load Balancer -> 3) Fabric CA -> 4) Internal Load Balancer -> 5) DB.

ashutosh_kumar (Tue, 21 Mar 2017 18:12:02 GMT):
If there is Master Slave config or Hot cold config 4) might not be required.

ashutosh_kumar (Tue, 21 Mar 2017 18:12:58 GMT):
We can also generate EC Pub/Private Key deterministically , if requirement arises.

kletkeman (Tue, 21 Mar 2017 21:11:20 GMT):
@here fabric-ca build is failing because **goimports** is not found. I have tried the obvious **go get** on it, but it exits immediately without a message (title bar sometimes flashes though). This is on Mac. I got the fabric built, although tests ran forever and then crapped out on behave (with lots of other issues after the unit tests), but I need the ca to spin up a network ... Any thoughts on how to get past this?

kletkeman (Tue, 21 Mar 2017 21:11:41 GMT):
p.s. I installed golang 1.8 just in case, but it made no difference.

smithbk (Tue, 21 Mar 2017 21:16:32 GMT):
@kletkeman So if you type "which goimports", nothing is found? And installing with "go get golang.org/x/tools/cmd/goimports" doesn't install it?

smithbk (Tue, 21 Mar 2017 21:18:40 GMT):
And "ls $GOPATH/bin" shows what?

kletkeman (Tue, 21 Mar 2017 21:24:28 GMT):
@smithbk nothing shown for which, and the ls shows that it is physically there ... hmmmm ``` go-outline go-symbols gocode godef goimports golint gopkgs gorename goreturns gotests guru ```

kletkeman (Tue, 21 Mar 2017 21:26:07 GMT):
@smithbk I mentioned that go get does not work for me -- I tried it again copying your command (same as the one I used but just in case) and it just returns without doing anything ... but perhaps if I delete the one that is there ....

kletkeman (Tue, 21 Mar 2017 22:12:47 GMT):
Solved with the generous help of @smithbk ... I had a path problem that only manifested on the build of fabric-ca today. I had two copies of goroot/bin on the path and no gopath/bin so all is well now

sbso (Wed, 22 Mar 2017 06:44:05 GMT):
Has joined the channel.

ruslan.kryukov (Wed, 22 Mar 2017 06:48:00 GMT):
Hello guys, how do you plan to implement user roles?

DannyWong (Wed, 22 Mar 2017 07:17:24 GMT):
@ashutosh_kumar I fully understand how to do HA. My view is that, by design, the Fabric-CA can be (keyword is "can be") a passive role during tx execution. It also enables the SDK to acquire a batch of tcerts with a TTL. However, some use cases will require us to make the Fabric-CA always on:
1) We need to do online register/enroll all the time
2) Clients might have concerns about storing a batch of tCerts (including the private keys) on the server; they might prefer to obtain tCerts one by one for each tx (even with a slower response)
And it seems that the SDK key/value store caches the private key as well... The key problem for me is that the Fabric-CA LDAP/MySQL/PostgreSQL... are not decentralized....

K Sai Anirudh (Wed, 22 Mar 2017 11:46:16 GMT):
Has joined the channel.

K Sai Anirudh (Wed, 22 Mar 2017 11:51:16 GMT):
Hi, If the Fabric-ca server is compromised. Can an anonymous user spoof as a client to make transactions?

Vadim (Wed, 22 Mar 2017 12:05:37 GMT):
@K Sai Anirudh by "compromised" you mean that some hacker can sign any certificates that are trusted by the blockchain network?

K Sai Anirudh (Wed, 22 Mar 2017 12:10:13 GMT):
@Vadim : I have basic knowledge of PKI, by compromised I meant that the hacker generates his own public and private key pair and makes other peers and clients believe that this new public key belongs to some legitimate user

Vadim (Wed, 22 Mar 2017 12:11:17 GMT):
so usually CAs only sign the CSRs, and the public/private key pairs need to be generated by the hacker anyway

Vadim (Wed, 22 Mar 2017 12:11:41 GMT):
if he can sign it by CA which is trusted by BC network, then he can send transactions, of course

K Sai Anirudh (Wed, 22 Mar 2017 12:17:54 GMT):
ok, then the whole BC network can be manipulated. Does clustering of CA servers just load balance, or does it also distribute data?

Vadim (Wed, 22 Mar 2017 12:18:17 GMT):
there is no data to distribute among CAs

Vadim (Wed, 22 Mar 2017 12:18:28 GMT):
it's for load balancing

Vadim (Wed, 22 Mar 2017 12:18:59 GMT):
also, if you compromise a peer and get his private key, you can submit transactions on his behalf

Vadim (Wed, 22 Mar 2017 12:19:41 GMT):
if somebody steals your bitcoin wallet and key, he can do with your bitcoins whatever he wants

K Sai Anirudh (Wed, 22 Mar 2017 12:20:44 GMT):
is there some CA in bitcoin network also?

Vadim (Wed, 22 Mar 2017 12:21:03 GMT):
no, everybody generates key pair and it's trusted by the network

Vadim (Wed, 22 Mar 2017 12:21:39 GMT):
so you could say that bitcoin uses self-signed "certificates"

mmani99 (Wed, 22 Mar 2017 12:22:29 GMT):
Has joined the channel.

K Sai Anirudh (Wed, 22 Mar 2017 12:25:27 GMT):
ok, so by using BC network instead of central database we can still do some illegitimate transactions, but these transactions will be recorded whereas in central database there will not be any record?

Vadim (Wed, 22 Mar 2017 12:28:32 GMT):
well it's heavily use case related and for example, you could restrict access in the chaincode to registered users only, so compromising CA won't do anything bad in that sense, because "hacker's identities" signed by that CA still won't be able to do anything on the chaincode level

Vadim (Wed, 22 Mar 2017 12:29:03 GMT):
and of course, the "hacker" won't be able to remove his traces in the system

smithbk (Wed, 22 Mar 2017 12:38:29 GMT):
@K Sai Anirudh Just to be clear, the fabric CA server never sees the client's private key, so even if the fabric CA server is compromised, it would not allow impersonation of a client

agaragiola (Wed, 22 Mar 2017 13:02:13 GMT):
Has joined the channel.

ashutosh_kumar (Wed, 22 Mar 2017 13:05:09 GMT):
we need to keep in mind that fabric-ca will be one of the software components managed by blockchain members. So, it is assumed that the enterprise (blockchain members) puts adequate security around fabric-ca based on the consumption and deployment model. The same is true for the HA case also. Introduction of Fabric-CA in the enterprise should not be disruptive from a Security and HA perspective.

ashutosh_kumar (Wed, 22 Mar 2017 13:14:35 GMT):
@DannyWong : I do not understand your concern exactly. All the components of Fabric-CA can be HAed and be made online , including TCert generation. If you think Identity and ACL enforcement is not part of runtime invocation , that might be a limitation.

JR (Wed, 22 Mar 2017 13:34:23 GMT):
Has joined the channel.

JonathanLevi (Wed, 22 Mar 2017 17:51:43 GMT):
Good morning!

JonathanLevi (Wed, 22 Mar 2017 17:52:19 GMT):
Nope, Bitcoin is considered a non-permissioned network/system [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6JceJDbaciCyGnD6w)

JonathanLevi (Wed, 22 Mar 2017 17:53:37 GMT):
Generally speaking, Bitcoin (and specifically the Bitcoin blockchain), will allow one to "post a transaction" if they pay for it.

JonathanLevi (Wed, 22 Mar 2017 17:54:47 GMT):
So, if you allow me to simplify it a lot, then if you think about the public ledger of Bitcoin, as a public, append-only log file...

JonathanLevi (Wed, 22 Mar 2017 17:55:24 GMT):
Then for a fee, you will be allowed to append a record, for a charge.

JonathanLevi (Wed, 22 Mar 2017 17:56:29 GMT):
In fabric, and specifically in the/most enterprise use-cases (as Ash notes above), many of the plays/use-cases require and mandate that only users/nodes with sufficient permissions will be able to do so.

JonathanLevi (Wed, 22 Mar 2017 17:58:44 GMT):
So if, for a moment, we don't dive in to the details such as where a node stores its private keys, etc... the fabric-ca provides a highly scalable service that was/is designed (in fabric 1.0) to support many instances of CAs, in a grid, in a cluster, cloud environments, etc...

JonathanLevi (Wed, 22 Mar 2017 17:59:34 GMT):
And the main point is that in fabric's ledger, participants, organizations, members, etc... can choose, grant and revoke access to that (permissioned) ledger.

qingdu (Wed, 22 Mar 2017 19:00:55 GMT):
Has joined the channel.

VipinB (Wed, 22 Mar 2017 20:11:03 GMT):
@here please try to have someone represent fabric-ca in the Identity-WG calls

VipinB (Wed, 22 Mar 2017 20:15:23 GMT):
@here next one on April 5th 2017

Shadow-Hawk (Thu, 23 Mar 2017 01:10:24 GMT):
Has joined the channel.

xf891220 (Thu, 23 Mar 2017 05:50:46 GMT):
Has joined the channel.

AbhilekhSingh (Thu, 23 Mar 2017 06:35:16 GMT):
Has joined the channel.

AbhilekhSingh (Thu, 23 Mar 2017 06:38:59 GMT):
Hi I'm trying to install fabric-ca cli

AbhilekhSingh (Thu, 23 Mar 2017 06:39:01 GMT):
```
root@b359ca3a656d:/opt/gopath/src/github.com/hyperledger# GOPATH=/opt/gopath go get github.com/hyperledger/fabric-ca
can't load package: package github.com/hyperledger/fabric-ca: no buildable Go source files in /opt/gopath/src/github.com/hyperledger/fabric-ca
```

AbhilekhSingh (Thu, 23 Mar 2017 06:39:35 GMT):
What am I doing wrong here?

AbhilekhSingh (Thu, 23 Mar 2017 07:18:52 GMT):
```
fabric-ca-client enroll -c client/rootadmin/config.yaml -u http://admin:adminpw@172.17.0.1:8054
2017/03/23 07:18:15 [INFO] User provided config file: client/rootadmin/config.yaml
2017/03/23 07:18:15 [INFO] Configuration file location: /opt/gopath/src/github.com/hyperledger/fabric/peer/client/rootadmin/config.yaml
2017/03/23 07:18:15 Initialize BCCSP [SW]
2017/03/23 07:18:15 [INFO] received CSR
2017/03/23 07:18:15 [INFO] generating key: ecdsa-256
2017/03/23 07:18:16 [INFO] encoded CSR
Error: Failed to parse response [invalid character 'p' after top-level value] for request:
POST http://172.17.0.1:8054/enroll
Authorization: Basic YWRtaW46YWRtaW5wdw==
{"hosts":null,"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBQzCB6QIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETBICGzQmud6auyE2\ntA5TBp9JfYNvRM/pH2jKt2l0Ib2ep6ivQP3vCui6840DxZIsVeKJaZpzLYdjsaLb\nl3ajpKAqMCgGCSqGSIb3DQEJDjEbMBkwFwYDVR0RBBAwDoIMYjM1OWNhM2E2NTZk\nMAoGCCqGSM49BAMCA0kAMEYCIQCjkHsqryY4wwch2Lot8SBiNgglxIh8t1HH2Dn9\noLga0wIhAKweKrkVraXdYxzQZkAKmHcrB2MG++x+0JYSQWXgWPIC\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":""}
Usage:
  fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort [flags]

Global Flags:
  -c, --config string                Configuration file (default "/root/.fabric-ca-client/fabric-ca-client-config.yaml")
      --csr.cn string                The common name field of the certificate signing request to a parent fabric-ca-server
      --csr.serialnumber string      The serial number in a certificate signing request to a parent fabric-ca-server
  -d, --debug                        Enable debug level logging
      --enrollment.hosts string      Comma-separated host list
      --enrollment.label string      Label to use in HSM operations
      --enrollment.profile string    Name of the signing profile to use in issuing the certificate
      --id.affiliation string        The identity's affiliation
      --id.attr string               Attributes associated with this identity (e.g. hf.Revoker=true)
      --id.maxenrollments int        The maximum number of times the secret can be reused to enroll.
      --id.name string               Unique name of the identity
      --id.secret string             The enrollment secret for the identity being registered
      --id.type string               Type of identity being registered (e.g. 'peer, app, user')
  -M, --mspdir string                Membership Service Provider directory (default "msp")
  -m, --myhost string                Hostname to include in the certificate signing request during enrollment (default "b359ca3a656d")
      --tls.certfiles string         PEM-encoded comma separated list of trusted certificate files (e.g. root1.pem, root2.pem)
      --tls.client.certfile string   PEM-encoded certificate file when mutual authenticate is enabled
      --tls.client.keyfile string    PEM-encoded key file when mutual authentication is enabled
      --tls.enabled                  Enable TLS for client connection
  -u, --url string                   URL of fabric-ca-server (default "http://localhost:7054")

2017/03/23 07:18:16 [FATAL] Failed to parse response [invalid character 'p' after top-level value] for request:
POST http://172.17.0.1:8054/enroll
Authorization: Basic YWRtaW46YWRtaW5wdw==
{"hosts":null,"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBQzCB6QIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETBICGzQmud6auyE2\ntA5TBp9JfYNvRM/pH2jKt2l0Ib2ep6ivQP3vCui6840DxZIsVeKJaZpzLYdjsaLb\nl3ajpKAqMCgGCSqGSIb3DQEJDjEbMBkwFwYDVR0RBBAwDoIMYjM1OWNhM2E2NTZk\nMAoGCCqGSM49BAMCA0kAMEYCIQCjkHsqryY4wwch2Lot8SBiNgglxIh8t1HH2Dn9\noLga0wIhAKweKrkVraXdYxzQZkAKmHcrB2MG++x+0JYSQWXgWPIC\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":""}
root@b359ca3a656d:/opt/gopath/src/github.com/hyperledger/fabric/peer#
```

AbhilekhSingh (Thu, 23 Mar 2017 07:19:04 GMT):
Can anyone help me in resolving this?

AbhilekhSingh (Thu, 23 Mar 2017 07:19:24 GMT):
this is my CA server

AbhilekhSingh (Thu, 23 Mar 2017 07:19:25 GMT):
```
cat /etc/hyperledger/fabric-ca/server-config.json
{
  "tls_disable": true,
  "ca_cert": "/.fabric-ca/ec.pem",
  "ca_key": "/.fabric-ca/ec-key.pem",
  "users": {
    "admin": {
      "pass": "adminpw",
      "type": "client",
      "group": "bank_a",
      "attrs": [
        {"name": "hf.Registrar.Roles", "value": "client,peer,validator,auditor"},
        {"name": "hf.Registrar.DelegateRoles", "value": "client"}
      ]
    }
  },
  "groups": {
    "banks_and_institutions": {
      "banks": ["bank_a", "bank_b", "bank_c"],
      "institutions": ["institution_a"]
    }
  },
  "signing": {
    "default": {
      "usages": ["cert sign"],
      "expiry": "8000h"
    }
  }
}
```

AbhilekhSingh (Thu, 23 Mar 2017 07:19:33 GMT):
Can anyone help me in resolving this?

xuzhao103389 (Thu, 23 Mar 2017 10:37:42 GMT):
Has joined the channel.

matanyahu (Thu, 23 Mar 2017 10:53:03 GMT):
Has joined the channel.

xuzhao103389 (Thu, 23 Mar 2017 11:04:39 GMT):
I have built the fabric-ca source code

xuzhao103389 (Thu, 23 Mar 2017 11:04:52 GMT):
from the web page, I see : fabric-ca server configuration options The server configuration file is in $HOME/fabric-ca-server-config.yaml.

xuzhao103389 (Thu, 23 Mar 2017 11:05:00 GMT):
but I cant find that yaml file

xuzhao103389 (Thu, 23 Mar 2017 11:05:21 GMT):
I download the source code from : https://github.com/hyperledger/fabric-ca

xuzhao103389 (Thu, 23 Mar 2017 11:05:32 GMT):
who can help tell me why

xuzhao103389 (Thu, 23 Mar 2017 11:05:34 GMT):
thanks

xuzhao103389 (Thu, 23 Mar 2017 11:55:03 GMT):
I do npm install

xuzhao103389 (Thu, 23 Mar 2017 11:55:22 GMT):
finally, I got some warnings:
```
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^1.0.0 (node_modules/chokidar/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.1.1: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
```

xuzhao103389 (Thu, 23 Mar 2017 11:55:28 GMT):
I am using Ubuntu OS

AbhilekhSingh (Thu, 23 Mar 2017 12:00:48 GMT):
`cert, _ := stub.GetCreator()` is giving the same value when I'm invoking the chaincode from different users. I'm trying the e2e_cli example and checked that both users have a different keystore/key.pem. How can I check which private key it is signed with? I'm getting this output:
```
-----BEGIN -----\nMIIBYzCCAQmgAwIBAwICA+gwCgYIKoZIzj0EAwIwEzERMA8GA1UEAwwIcGVlck9y\nZzAwHhcNMTcwMjIwMTkwNjExWhcNMTgwMjIwMTkwNjExWjAQMQ4wDAYDVQQDDAVw\nZWVyMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEF6dfqjqfbIgZuOR+dgoJMl\n/FaUlGI70A/ixmVUY83Yp4YtV3FDBSOPiO5O+s8pHnpbwB1LqhrxAx1Plr0M/UWj\nUDBOMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFBY2bc84vLEwkX1fSAER2p48jJXw\nMB8GA1UdIwQYMBaAFFQzuQR1RZP/Qn/BNDtGSa8n4eN/MAoGCCqGSM49BAMCA0gA\nMEUCIQDeDZ71L+OTYcbbqiDNRf0L8OExO59mH1O3xpdwMAM0MgIgXySG4sv9yV31\nWcWRFfRFyu7o3T72kqiLZ1nkDuJ8jWI=\n-----END -----
```

xuzhao103389 (Thu, 23 Mar 2017 12:47:23 GMT):
I cant do make docker command within the fabric-ca dir

xuzhao103389 (Thu, 23 Mar 2017 12:47:44 GMT):
```
root@ruts1:/hyperledger/src/github.com/hyperledger/fabric-ca# make docker
make: Nothing to be done for 'docker'.
```

xuzhao103389 (Thu, 23 Mar 2017 12:47:55 GMT):
what is the problem?

smithbk (Thu, 23 Mar 2017 12:55:03 GMT):
@AbhilekhSingh There are separate executables for fabric-ca-client and fabric-ca-server. To install both, do the following:

smithbk (Thu, 23 Mar 2017 12:55:09 GMT):
go get github.com/hyperledger/fabric-ca/cmd/...

AbhilekhSingh (Thu, 23 Mar 2017 12:55:16 GMT):
yes

smithbk (Thu, 23 Mar 2017 12:55:25 GMT):
sorry: go get github.com/hyperledger/fabric-ca/cmd/...

AbhilekhSingh (Thu, 23 Mar 2017 12:55:25 GMT):
Already found out :)

AbhilekhSingh (Thu, 23 Mar 2017 12:55:48 GMT):
`cert, _ := stub.GetCreator()` is giving the same value when I'm invoking the chaincode from different users. I'm trying the e2e_cli example and checked that both users have a different keystore/key.pem. How can I check which private key it is signed with? I'm getting this output:
```
-----BEGIN -----\nMIIBYzCCAQmgAwIBAwICA+gwCgYIKoZIzj0EAwIwEzERMA8GA1UEAwwIcGVlck9y\nZzAwHhcNMTcwMjIwMTkwNjExWhcNMTgwMjIwMTkwNjExWjAQMQ4wDAYDVQQDDAVw\nZWVyMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEF6dfqjqfbIgZuOR+dgoJMl\n/FaUlGI70A/ixmVUY83Yp4YtV3FDBSOPiO5O+s8pHnpbwB1LqhrxAx1Plr0M/UWj\nUDBOMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFBY2bc84vLEwkX1fSAER2p48jJXw\nMB8GA1UdIwQYMBaAFFQzuQR1RZP/Qn/BNDtGSa8n4eN/MAoGCCqGSM49BAMCA0gA\nMEUCIQDeDZ71L+OTYcbbqiDNRf0L8OExO59mH1O3xpdwMAM0MgIgXySG4sv9yV31\nWcWRFfRFyu7o3T72kqiLZ1nkDuJ8jWI=\n-----END -----
```

AbhilekhSingh (Thu, 23 Mar 2017 12:55:56 GMT):
Can you help me in this?

AbhilekhSingh (Thu, 23 Mar 2017 12:56:31 GMT):
which certificate used by peer in cli container for signing transaction ? (e2e_cli example)

smithbk (Thu, 23 Mar 2017 13:01:00 GMT):
trying to decode unsuccessfully so far

smithbk (Thu, 23 Mar 2017 13:03:42 GMT):
the PEM encoding header should look like this

smithbk (Thu, 23 Mar 2017 13:03:45 GMT):
-----BEGIN EC PRIVATE KEY-----

smithbk (Thu, 23 Mar 2017 13:03:55 GMT):
how did you gen that one?

AbhilekhSingh (Thu, 23 Mar 2017 13:07:06 GMT):
I printed the certificate

AbhilekhSingh (Thu, 23 Mar 2017 13:07:14 GMT):
```
adminCert, _ := stub.GetCreator()
if len(adminCert) == 0 {
	fmt.Println("Invalid admin certificate. Empty!!!!!.")
	return shim.Error("Invalid admin certificate. Empty.")
}
fmt.Printf("The administrator is [%x]", adminCert)
```

AbhilekhSingh (Thu, 23 Mar 2017 13:07:54 GMT):
I don't think the transaction will have the private key

AbhilekhSingh (Thu, 23 Mar 2017 13:08:19 GMT):
I guess header will have enrollment certificate and transcation will be signed by private key

AbhilekhSingh (Thu, 23 Mar 2017 13:08:48 GMT):
stub.GetCreator() takes signature from transaction header

AbhilekhSingh (Thu, 23 Mar 2017 13:08:57 GMT):
So it should be certificate

smithbk (Thu, 23 Mar 2017 13:09:18 GMT):
ok, didn't realize that was printed from chaincode ... looking

AbhilekhSingh (Thu, 23 Mar 2017 13:09:35 GMT):
thanks

xuzhao103389 (Thu, 23 Mar 2017 13:23:13 GMT):
so why cant I do "make docker" for the fabric-ca?

xuzhao103389 (Thu, 23 Mar 2017 13:23:44 GMT):
from the link https://github.com/hyperledger/fabric-sdk-node , I should be able to do "make docker"

smithbk (Thu, 23 Mar 2017 13:38:32 GMT):
@AbhilekhSingh From looking at the stub code, it appears to be returning the DER encoded cert. Have you tried decoding it with x509.ParseCertificate(asn1Data)?

smithbk (Thu, 23 Mar 2017 13:42:01 GMT):
@xuzhao103389 Are you sure that it wasn't already built? If you say "docker images", do you see a "hyperledger/fabric-ca" image?

smithbk (Thu, 23 Mar 2017 13:42:53 GMT):
You can run "make docker-clean" and then "make docker" again

xuzhao103389 (Thu, 23 Mar 2017 13:48:48 GMT):
thanks , my fault

AbhilekhSingh (Thu, 23 Mar 2017 13:54:12 GMT):
@smithbk cert, _ := stub.GetCreator()

AbhilekhSingh (Thu, 23 Mar 2017 13:54:13 GMT):
decoded_cert, _ := x509.ParseCertificate(cert)

AbhilekhSingh (Thu, 23 Mar 2017 13:54:18 GMT):
it returning null

smithbk (Thu, 23 Mar 2017 14:24:02 GMT):
@aso Hi Ale, can you help @AbhilekhSingh? Thanks

smithbk (Thu, 23 Mar 2017 14:25:57 GMT):
@AbhilekhSingh Can you check the error response from both of those calls? May not help but worth a shot

smithbk (Thu, 23 Mar 2017 14:28:56 GMT):
@AbhilekhSingh you might also try asking on the fabric-crypto channel

aso (Thu, 23 Mar 2017 14:52:40 GMT):
```
// Imports added here for completeness; they were not part of the original message.
import (
	"crypto/x509"
	"encoding/pem"
	"fmt"

	"github.com/golang/protobuf/proto"
	"github.com/hyperledger/fabric/protos/msp"
)

// deserializeIdentity converts the bytes returned by stub.GetCreator() (a marshalled
// msp.SerializedIdentity whose IdBytes field holds a PEM-encoded certificate) into
// a parsed *x509.Certificate.
func deserializeIdentity(serializedID []byte) (*x509.Certificate, error) {
	sId := &msp.SerializedIdentity{}
	err := proto.Unmarshal(serializedID, sId)
	if err != nil {
		return nil, fmt.Errorf("Could not deserialize a SerializedIdentity, err %s", err)
	}
	bl, _ := pem.Decode(sId.IdBytes)
	if bl == nil {
		return nil, fmt.Errorf("Could not decode the PEM structure")
	}
	cert, err := x509.ParseCertificate(bl.Bytes)
	if err != nil {
		return nil, fmt.Errorf("ParseCertificate failed %s", err)
	}
	return cert, nil
}
```

aso (Thu, 23 Mar 2017 14:52:51 GMT):
try this function, pass in the creator

aso (Thu, 23 Mar 2017 14:53:03 GMT):
it's hacky, but it'll get you there

divyank (Thu, 23 Mar 2017 15:12:30 GMT):
Why was client.newIdentity() made private?

ersudiplama (Thu, 23 Mar 2017 15:31:28 GMT):
Has joined the channel.

smithbk (Thu, 23 Mar 2017 15:34:35 GMT):
It didn't need to be public because fabric-ca-client didn't need it, but there is no reason it can't be public, and it would be needed for an SDK

smithbk (Thu, 23 Mar 2017 15:35:37 GMT):
There are some other functions which should also probably be public ... loadIdentity, etc

smithbk (Thu, 23 Mar 2017 15:37:13 GMT):
@divyank Do you want to open a jira item to track?

divyank (Thu, 23 Mar 2017 15:48:53 GMT):
Made one here: https://jira.hyperledger.org/browse/FAB-2866

divyank (Thu, 23 Mar 2017 15:49:15 GMT):
Would you accept a change set for this item?

xuzhao103389 (Thu, 23 Mar 2017 15:53:07 GMT):
where can I get the file CA_root_cert.pem

xuzhao103389 (Thu, 23 Mar 2017 15:53:12 GMT):
in which dir

xuzhao103389 (Thu, 23 Mar 2017 15:53:18 GMT):
I cant find CA_root_cert.pem

smithbk (Thu, 23 Mar 2017 17:03:17 GMT):
@divyank Yes, of course

smithbk (Thu, 23 Mar 2017 17:06:59 GMT):
@xuzhao103389 If you are using the fabric-ca-client to enroll, it places the CA chain in the msp/cacerts directory as the MSP expects ... and you can use the "-M" option to specify where that directory is

smithbk (Thu, 23 Mar 2017 17:07:43 GMT):
The fabric-ca-server exposes a "GET /info" endpoint which returns this and does not require an authorization header on that request

smithbk (Thu, 23 Mar 2017 17:09:12 GMT):
or if you want to manually get the root cert from where the fabric-ca-server runs, it is named "ca-cert.pem" in the server's home directory

divyank (Thu, 23 Mar 2017 18:23:12 GMT):
@smithbk Please review the fix: https://gerrit.hyperledger.org/r/#/c/7401/

david.stark (Thu, 23 Mar 2017 19:59:57 GMT):
Has joined the channel.

smithbk (Thu, 23 Mar 2017 20:00:00 GMT):
@divyank done ... thanks

passkit (Thu, 23 Mar 2017 20:22:33 GMT):
Current build of fabric-ca is segfaulting when I try to enrol the admin user. I am using postgres with TLS.

smithbk (Thu, 23 Mar 2017 21:25:16 GMT):
@passkit Pls run server with "-d" debug option, reproduce, and upload the server logs to a jira item. Thanks

lohitkrishnan (Fri, 24 Mar 2017 07:00:25 GMT):
Has joined the channel.

rennman (Fri, 24 Mar 2017 16:47:44 GMT):
Has joined the channel.

smithbk (Fri, 24 Mar 2017 16:55:40 GMT):
@passkit Could you provide some config info to Allen at @rennman as he is trying to reproduce the problem you posted

rennman (Fri, 24 Mar 2017 17:00:43 GMT):
Hi @passkit ... more specifically, I need to see the authentication mechanism used for the postgres server in the pg_hba.conf file, or as much as you can share. I need to know which auth mechanism that the server is configured to use for IPv4 connections. Also, if you have the corresponding config for the 'datasrc' parameter in the fabric-ca's yaml file, that would help tie them together. The problem is apparently related to an os call to get the current user to login to the DB

xuzhao103389 (Fri, 24 Mar 2017 19:24:56 GMT):
Hi , what are the APIs to get TCert and Ecert in fabric-ca project?

xuzhao103389 (Fri, 24 Mar 2017 19:25:20 GMT):
is there any example for the certificate authentication?

xuzhao103389 (Fri, 24 Mar 2017 19:30:15 GMT):
I remember in V0.6 , we have asset_management example

smithbk (Fri, 24 Mar 2017 19:32:06 GMT):
See the GetECert and GetTCertBatch functions in lib/identity.go ... although the signature of GetTCertBatch may change slightly to accommodate self-signed tcerts

xuzhao103389 (Fri, 24 Mar 2017 19:32:42 GMT):
thanks a million

xuzhao103389 (Fri, 24 Mar 2017 19:32:46 GMT):
I will have a look

smithbk (Fri, 24 Mar 2017 19:33:14 GMT):
By certificate authentication, do you mean for use in chaincode, or from SDK perspective?

xuzhao103389 (Fri, 24 Mar 2017 19:33:31 GMT):
both of them

xuzhao103389 (Fri, 24 Mar 2017 19:33:47 GMT):
I want to code in nodejs sdk

xuzhao103389 (Fri, 24 Mar 2017 19:34:12 GMT):
but will also need to have example for chaincode

smithbk (Fri, 24 Mar 2017 19:35:39 GMT):
@jimthematrix is the best to answer on the status of the node.js SDK

smithbk (Fri, 24 Mar 2017 19:38:31 GMT):
@Aso can comment on crypto library for chaincode

xuzhao103389 (Fri, 24 Mar 2017 19:38:54 GMT):
thank you

GaneshBagalur (Fri, 24 Mar 2017 20:14:41 GMT):
Has joined the channel.

passkit (Fri, 24 Mar 2017 23:53:32 GMT):
@rennman I'm using `cert certfile=1` for IPv4 & IPv6 with `host=myhost.com port=5432 user=postgres dbname=fabric_ca sslmode=verify-full`.

passkit (Fri, 24 Mar 2017 23:56:20 GMT):
I can confirm the problem is with the certificates not being sent when trying to add a record. Adding my chain to the trust store and setting `PGSSLCERT` and `PGSSLKEY` environment variables is a hacky way to get around it.

passkit (Sat, 25 Mar 2017 02:19:13 GMT):
Is there any documentation on the MSP and various types of certificates? I'm unclear on the role of the admincerts - all the examples contain the roots of peers but I cannot find anything explaining their role or purpose.

passkit (Sat, 25 Mar 2017 02:28:30 GMT):
In the sample config it is a signed certificate with Server and Client Authentication extended key usage. What extended usage roles (if any) are required for peers, endorsing peers, orderers, cli, etc.?

passkit (Sat, 25 Mar 2017 06:43:03 GMT):
Managed to find this https://docs.google.com/document/d/1Qg7ZEccOIsrShSHSNl4kBHOFvLYRhQ3903srJ6c_AZE/edit which answered most of my questions - a little frustrating that the end to end example directs you to examine crypto material that promotes every node as an administrator - leaves you thinking that there must be some reason they would need to do that.

MikeGardiner (Mon, 27 Mar 2017 13:28:38 GMT):
Has joined the channel.

MikeGardiner (Mon, 27 Mar 2017 13:29:09 GMT):
So I'm trying to run fabric-ca-server using p11.. after correcting the yaml file to be "csp" rather than "crypto" and changing "software" to "pkcs11" then adding the p11 stuff.. I get an error: Hash Family not supported [] while initializing the BCCSP PKCS11. SHA2 seems like it should be the valid option for hash_family but since the error message indicates an empty string I must have something wrong

mastersingh24 (Mon, 27 Mar 2017 13:53:22 GMT):
Hi @MikeGardiner - you might want to try to format the YAML like this:
```
CSP:
  default: PKCS11
  SW:
    Hash: SHA3
    Security: 256
  PKCS11:
    Hash: SHA3
    Security: 256
    Library: /path/to/lib
    Pin: mypin
    Label: mylabel
```
you should be able to use SHA2 or SHA3 and set the security to 256 or 384

MikeGardiner (Mon, 27 Mar 2017 13:59:12 GMT):
Thanks @mastersingh24 I had hash_family and security_level rather than Hash/Security. It still seems as though it doesn't work though: "Hash Family not supported [sha2]"

mastersingh24 (Mon, 27 Mar 2017 14:03:56 GMT):
hmm - I'm pretty sure that's the right YAML - gimme a few and I'll take a deeper look

MikeGardiner (Mon, 27 Mar 2017 14:10:02 GMT):
Yep, it's right. it has to be SHA2 rather than sha2

mastersingh24 (Mon, 27 Mar 2017 14:15:41 GMT):
cool

mastersingh24 (Mon, 27 Mar 2017 14:16:02 GMT):
BUT - in any case, looks like we need to generate a proper sample config and better document it

mastersingh24 (Mon, 27 Mar 2017 14:16:23 GMT):
we are looking at some better ways to configure providers in general so this might be a work in progress :(

andrewdlt (Mon, 27 Mar 2017 14:21:59 GMT):
Has joined the channel.

salmanbaset (Mon, 27 Mar 2017 17:42:14 GMT):
qq. is node.js sdk working with hyperledger 1.0 to register and enroll users?

mastersingh24 (Mon, 27 Mar 2017 17:44:45 GMT):
@salmanbaset - yes - the register and enroll APIs work with fabric-ca

salmanbaset (Mon, 27 Mar 2017 17:49:28 GMT):
thanks. let me give node.js modules a try.

cgrecu (Mon, 27 Mar 2017 19:40:07 GMT):
Has joined the channel.

cgrecu (Mon, 27 Mar 2017 19:43:42 GMT):
hey guys, what is the recommended way to provide settings when starting fabric-ca ? I could not see in git any yaml config example. I created a fabric-ca docker container, went inside and checked /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml

smithbk (Tue, 28 Mar 2017 01:00:41 GMT):
@cgrecu You can use the following command to generate a default fabric-ca-server config

smithbk (Tue, 28 Mar 2017 01:01:04 GMT):
fabric-ca-server init -b admin:adminpw

smithbk (Tue, 28 Mar 2017 01:01:55 GMT):
That will create a fabric-ca-server-config.yaml file in the local directory with a single bootstrap user preregistered with name "admin" and password "adminpw"

smithbk (Tue, 28 Mar 2017 01:05:31 GMT):
You can then edit the config file as needed, and the leading comments in that file describe how to use command line options and env vars to override values in the config file if needed

mychewcents (Tue, 28 Mar 2017 07:40:03 GMT):
Guys, I had a doubt: can we use multiple certs to sign a single transaction in Fabric? If so, how can I configure that? If not, is there any workaround for this?

Vadim (Tue, 28 Mar 2017 07:41:32 GMT):
@mychewcents if you want to enforce that a transaction is approved by several parties, you can use endorsement policies

mychewcents (Tue, 28 Mar 2017 07:42:37 GMT):
@Vadim can I PM in sometime to talk about it in detail. Because, I'm stuck with this since last week?

Vadim (Tue, 28 Mar 2017 07:44:10 GMT):
I unfortunately don't have a lot of time to talk about it in detail, but if you studied e2e_cli example, there you can see the endorsement policy set on the chaincode: https://github.com/hyperledger/fabric/blob/master/examples/e2e_cli/scripts/script.sh#L93

mychewcents (Tue, 28 Mar 2017 07:45:50 GMT):
Yes. I have read that. I'll take a look at it again. No problem. I'll message you anyways. Whenever you are available, please reply. No urgency. Is that ok?

Vadim (Tue, 28 Mar 2017 07:49:05 GMT):
@mychewcents you can also read https://github.com/hyperledger/fabric/blob/master/docs/source/endorsement-policies.rst

mastersingh24 (Tue, 28 Mar 2017 10:19:55 GMT):
[what's the error? ](https://chat.hyperledger.org/channel/fabric?msg=eAZZ4MddtMACzNXzy) @moeentariq

moeentariq (Tue, 28 Mar 2017 10:19:55 GMT):
Has joined the channel.

moeentariq (Tue, 28 Mar 2017 10:20:18 GMT):
fabric-ca-server command not found

moeentariq (Tue, 28 Mar 2017 10:20:59 GMT):
I have started the server through docker, but am unable to connect with the CLI

moeentariq (Tue, 28 Mar 2017 10:23:01 GMT):
```
[ds@blockchain ~]$ docker container ls
CONTAINER ID        IMAGE                   COMMAND                  CREATED             STATUS              PORTS                    NAMES
2fcabe07acbe        hyperledger/fabric-ca   "sh -c 'fabric-ca-..."   3 days ago          Up 3 days           0.0.0.0:7054->7054/tcp   fabric-ca-server
```

JasonD (Tue, 28 Mar 2017 10:29:58 GMT):
Has joined the channel.

moeentariq (Tue, 28 Mar 2017 10:36:19 GMT):
fabric-ca-server command not found error

moeentariq (Tue, 28 Mar 2017 11:00:34 GMT):
anyone here to help me?

Vadim (Tue, 28 Mar 2017 11:05:32 GMT):
@moeentariq what are you trying to do?

moeentariq (Tue, 28 Mar 2017 11:06:16 GMT):
how to connect with the CLI in fabric-ca

Vadim (Tue, 28 Mar 2017 11:08:53 GMT):
`docker exec -i -t /bin/bash`

cgrecu (Tue, 28 Mar 2017 13:04:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=eTAnnXHZmaLoe7Ltg) @smithbk thank you ;)

smithbk (Tue, 28 Mar 2017 13:20:57 GMT):
@moeentariq See https://hyperledger-fabric.readthedocs.io/en/latest/Setup/ca-setup.html#getting-started for how to install fabric-ca-server and fabric-ca-client natively

moeentariq (Tue, 28 Mar 2017 13:22:03 GMT):
fabric-ca-server command not running through this guide.

moeentariq (Tue, 28 Mar 2017 13:22:15 GMT):
is there any env variable settings ?

in0rdr (Tue, 28 Mar 2017 16:25:11 GMT):
Has joined the channel.

in0rdr (Tue, 28 Mar 2017 16:25:55 GMT):
hi there, how does "enrollment" and "registration" play together? Is the one required for the other? Why is "enrollment" different from "registration" and what is the difference? http://hyperledger-fabric.readthedocs.io/en/latest/Setup/ca-setup.html#table-of-contents

xuzhao103389 (Tue, 28 Mar 2017 16:45:59 GMT):
I got an error when doing the fabric-ca test

xuzhao103389 (Tue, 28 Mar 2017 16:46:15 GMT):
```
FAIL
coverage: 91.8% of statements
FAIL	github.com/hyperledger/fabric-ca/cmd/fabric-ca-server	0.861s
error: exit status 1
panic: EOF

goroutine 1 [running]:
panic(0x4daca0, 0xc42000a190)
	/opt/go/src/runtime/panic.go:500 +0x1a1
main.main()
	/opt/gopath/src/github.com/AlekSi/gocov-xml/gocov-xml.go:60 +0x15fd
*** END FAILURES ***
Makefile:144: recipe for target 'unit-tests' failed
make: *** [unit-tests] Error 1
```

xuzhao103389 (Tue, 28 Mar 2017 16:46:44 GMT):
I downloaded the source code today from git clone https://github.com/hyperledger/fabric-ca

xuzhao103389 (Tue, 28 Mar 2017 16:47:25 GMT):
the stack is:
```
--- FAIL: TestErrors (0.06s)
	main_test.go:67: FAILED: in: [fabric-ca-server init -c nzZICQZMIGxliJkOApzbozYHgnxiLjXNNOhJcPSKVHVnBtsXLMnMogOrUljAiElZZdrRcrHaOlGHwsIpqMeNjYChHNMpeevUOcBZdvwanLDyAQgNjTCYnOvZmXqVSeahzPxIYRZZBwySxJGAIeRNkScTIIYKOXCdNwWRGBgYfbhCsGCkIQUiYXTiovRktNNQxErLszoObeaWqEqTSIKgtUwVPYqsGbVqjLvifiVygxPYJHPoLgNWLIvAzkoYDOehDZIcW.yaml -b user:pass]; out: Failed to read config file: open /opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/nzZICQZMIGxliJkOApzbozYHgnxiLjXNNOhJcPSKVHVnBtsXLMnMogOrUljAiElZZdrRcrHaOlGHwsIpqMeNjYChHNMpeevUOcBZdvwanLDyAQgNjTCYnOvZmXqVSeahzPxIYRZZBwySxJGAIeRNkScTIIYKOXCdNwWRGBgYfbhCsGCkIQUiYXTiovRktNNQxErLszoObeaWqEqTSIKgtUwVPYqsGbVqjLvifiVygxPYJHPoLgNWLIvAzkoYDOehDZIcW.yaml: protocol error; expected: file name too long
```

smithbk (Tue, 28 Mar 2017 17:26:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8fsPFJq62Avfj2ATh) @moeentariq What exactly isn't working according to the guide?

smithbk (Tue, 28 Mar 2017 17:28:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=a3iwtZyosG7cahYrN) @in0rdr Registration is done by an administrator and is like inviting someone to the party. It is creating identity profile information in the server's DB so that they can enroll

smithbk (Tue, 28 Mar 2017 17:29:02 GMT):
Enrollment is then like accepting the invitation to the party. It is using the enrollment ID and password to get an enrollment certificate

smithbk (Tue, 28 Mar 2017 17:29:11 GMT):
Registration always precedes enrollment

smithbk (Tue, 28 Mar 2017 17:32:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QbTF5nq9E4ytyrtEa) @xuzhao103389 Is there a reason you need to pass in that for the config file name? Looks like your OS or shell doesn't like the length of it

smithbk (Tue, 28 Mar 2017 17:33:36 GMT):
Or, you just did "make unit-tests"? What OS are you on?

smithbk (Tue, 28 Mar 2017 17:36:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8fsPFJq62Avfj2ATh) @moeentariq BTW, there is an update to readthedocs still awaiting review but it is up-to-date with what is checked in. See https://gerrit.hyperledger.org/r/7273

xuzhao103389 (Tue, 28 Mar 2017 17:36:33 GMT):
I am using vagrant, the OS is Ubuntu

smithbk (Tue, 28 Mar 2017 17:37:06 GMT):
and you're running vagrant on what host OS?

xuzhao103389 (Tue, 28 Mar 2017 17:39:09 GMT):
my host is redhat

smithbk (Tue, 28 Mar 2017 17:39:52 GMT):
Have you tried running natively, not inside vagrant?

xuzhao103389 (Tue, 28 Mar 2017 17:40:59 GMT):
I tried to run in another VM 2 weeks ago

xuzhao103389 (Tue, 28 Mar 2017 17:41:05 GMT):
and that is fine

rennman (Tue, 28 Mar 2017 19:51:21 GMT):
@xuzhao103389 Hi ... I looked at your issue, and I think it is related to shared FS between host and guest OSes ... can you verify that a small modification of the error-case test solves the issue? The server is creating the config files relative to the $PWD when the test runs, which happens to be a sync'ed directory in vagrant. For non-error case, this is fine...but in the error cases, the errors (in particular FS errors) tend to be OS-specific. Change the config filename of the failing test to reference a directory that is not shared: at :84 in main_test.go - {[]string{cmdName, "init", "-c", fmt.Sprintf("%s.yaml", longFileName), "-b", "user:pass"}, "file name too long"}, + {[]string{cmdName, "init", "-c", fmt.Sprintf("/tmp/%s.yaml", longFileName), "-b", "user:pass"}, "file name too long"}, If this works, I'll submit a PR
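
Review bot: hardcoding `/tmp/` in the `+` line moves the file out of the vagrant-synced tree, but it also ties the test to a Unix path layout; building the path with `filepath.Join(os.TempDir(), fmt.Sprintf("%s.yaml", longFileName))` keeps the same intent while staying portable. The expected string "file name too long" is left unchanged, so the test still asserts an OS-specific error text; if that is intentional, a short comment on the test case explaining why the config lives outside the working directory would save the next reader the same investigation.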

in0rdr (Tue, 28 Mar 2017 21:34:54 GMT):
@smithbk thank you very much. now it makes sense for me.

zzying (Wed, 29 Mar 2017 02:24:55 GMT):
Has joined the channel.

AbhilekhSingh (Wed, 29 Mar 2017 07:06:37 GMT):
Hi, When I enroll the user it created keystore, signcerts, cacerts

AbhilekhSingh (Wed, 29 Mar 2017 07:06:54 GMT):
I tried to use this user for invoking chaincode

AbhilekhSingh (Wed, 29 Mar 2017 07:07:04 GMT):
But it requires the admincerts also

AbhilekhSingh (Wed, 29 Mar 2017 07:07:16 GMT):
How can I get it, and why does it require that?

AbhilekhSingh (Wed, 29 Mar 2017 07:07:22 GMT):
panic: Fatal error when setting up MSP from directory /opt/gopath/src/github.com/hyperledger/fabric/peer/msp: err Could not load a valid admin certificate from directory /opt/gopath/src/github.com/hyperledger/fabric/peer/msp/admincerts, err Could not read directory open /opt/gopath/src/github.com/hyperledger/fabric/peer/msp/admincerts: no such file or directory, err /opt/gopath/src/github.com/hyperledger/fabric/peer/msp/admincerts

AbhilekhSingh (Wed, 29 Mar 2017 10:07:09 GMT):
Can anyone answer this please

Vadim (Wed, 29 Mar 2017 10:42:24 GMT):
@AbhilekhSingh you can use cryptogen to generate all necessary certs

AbhilekhSingh (Wed, 29 Mar 2017 10:43:35 GMT):
I used CA server

AbhilekhSingh (Wed, 29 Mar 2017 10:43:55 GMT):
It's generating only these 3 keystore, signcerts, cacerts

AbhilekhSingh (Wed, 29 Mar 2017 10:45:40 GMT):
fabric-ca-client enroll --config /opt/gopath/src/github.com/hyperledger/fabric/peer/fabric-ca-server-config.yaml -u http://admin:adminpw@localhost:7054

AbhilekhSingh (Wed, 29 Mar 2017 10:45:45 GMT):
this is the command I used

Vadim (Wed, 29 Mar 2017 10:45:49 GMT):
I did not use that one

AbhilekhSingh (Wed, 29 Mar 2017 10:46:05 GMT):
which one u used?

Vadim (Wed, 29 Mar 2017 10:46:12 GMT):
cryptogen tool

AbhilekhSingh (Wed, 29 Mar 2017 10:46:25 GMT):
any example u have

Vadim (Wed, 29 Mar 2017 10:47:08 GMT):
https://github.com/hyperledger/fabric/tree/master/common/tools/cryptogen just build it and run it, the usage is very simple

AbhilekhSingh (Wed, 29 Mar 2017 10:47:27 GMT):
got it. Thanks

smithbk (Wed, 29 Mar 2017 15:11:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Edg7AHzjxSX2PCMoS) @AbhilekhSingh By the way, you can also use the "-M " option to place enrollment artifacts in the MSP directory for a peer or orderer

AbhilekhSingh (Thu, 30 Mar 2017 05:59:37 GMT):
@smithbk yes, that I know. The problem is the peer command requires admincerts but enroll is not generating them?

in0rdr (Thu, 30 Mar 2017 07:20:38 GMT):
Hi, I'm trying to enroll with the swagger api, but every time I get {"code":9002,"message":"CSR Decode failed"}. I used "cfssl genkey csr.json" (json file from testdata folder) and pasted the "csr" part of the json output (from cfssl)

Vadim (Thu, 30 Mar 2017 08:54:03 GMT):
@in0rdr apparently, the CSR you are posting is not in the right format

in0rdr (Thu, 30 Mar 2017 08:55:04 GMT):
Isn't this the required PEM format? -----BEGIN CERTIFICATE REQUEST-----\nMIIBZzCCAQ0CAQAwczELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9s\naW5hMRAwDgYDVQQHEwdSYWxlaWdoMRswGQYDVQQKExJIeXBlcmxlZGdlcBggq\nhkjOPQMBBwNCAAQaLVbSZ+InygamZao4Ujvdwjouul8fwLDNfa3zhilgMpiyNVxo\nm6v0gesHnKXLBT6OanqNXCDahURrKYW7QC4uoDgwNgYJKoZIhvcNAQkOMSkwJzAl\nBgNVHREEHjAcggpteWhvc3QuY29tgg8XlvNZvMzYv1Bw2ejtvlWACIGwP/m+i\nB+VQMGaKe9X3P2NcNuWha9OmLtAs522mRpps\n-----END CERTIFICATE REQUEST-----\n

in0rdr (Thu, 30 Mar 2017 08:55:19 GMT):
Or how should I format then?

Vadim (Thu, 30 Mar 2017 08:56:15 GMT):
If I were you, I'd check how SDK is doing it

Vadim (Thu, 30 Mar 2017 08:56:28 GMT):
https://github.com/hyperledger/fabric-sdk-node/blob/master/fabric-ca-client/lib/FabricCAClientImpl.js#L118

Vadim (Thu, 30 Mar 2017 08:56:46 GMT):
could be that it does not like the \n signs

Vadim (Thu, 30 Mar 2017 08:57:09 GMT):
try replacing it with newlines

in0rdr (Thu, 30 Mar 2017 09:27:31 GMT):
If I remove the \n i get "Failed to unmarshal enroll: invalid character '\\n' in string literal" If I just remove the \n and continue on the same line i get the same error as in the beginning ("CSR Decode failed")

in0rdr (Thu, 30 Mar 2017 09:29:02 GMT):
The sdk js code uses "privateKey.generateCSR(...)" but I don't know where this generateCSR() is defined?

in0rdr (Thu, 30 Mar 2017 09:29:19 GMT):
https://github.com/hyperledger/fabric-sdk-node/blob/master/fabric-ca-client/lib/FabricCAClientImpl.js#L141

in0rdr (Thu, 30 Mar 2017 09:30:21 GMT):
Where can I find the utils.js(https://github.com/hyperledger/fabric-sdk-node/blob/master/fabric-ca-client/lib/FabricCAClientImpl.js#L20) file ?

in0rdr (Thu, 30 Mar 2017 09:41:10 GMT):
I now created a new CSR with openssl (openssl req -nodes -new -newkey rsa:2048 -sha256 -out csr.pem) where I chose "admin" as the CN (common name), but still it says "CSR Decode failed" even though https://www.sslshopper.com/csr-decoder.html decodes just fine. This is the request: -----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----

in0rdr (Thu, 30 Mar 2017 09:41:44 GMT):
it's just a bit longer than the one generated with cfssl but basically the error is the same

Vadim (Thu, 30 Mar 2017 10:53:14 GMT):
@in0rdr as I see, the last line `-----END CERTIFICATE REQUEST-----` is not on the new line

Vadim (Thu, 30 Mar 2017 10:53:21 GMT):
that might be critical

in0rdr (Thu, 30 Mar 2017 12:05:49 GMT):
@Vadim thanks for your help. The line breaks are indeed the problem. If I decode it locally with "cfssl certinfo -csr csr.pem" and the file contains all the line breaks, it decodes fine. A JSON API request cannot contain "real" newlines. So I substituted all newlines with "\n" but that does not work.

in0rdr (Thu, 30 Mar 2017 12:17:59 GMT):
I am experimenting with Postman tool by the way, maybe that's the problem

Vadim (Thu, 30 Mar 2017 12:20:34 GMT):
@in0rdr you can try to escape the newlines like this: "\\n"

in0rdr (Thu, 30 Mar 2017 12:31:57 GMT):
@Vadim does not work either

deepakvparmar (Fri, 31 Mar 2017 06:43:39 GMT):
Has joined the channel.

deepakvparmar (Fri, 31 Mar 2017 06:45:27 GMT):
I have a running network of fabric 1.0, in which a fabric-ca instance is already running as part of a docker-compose yaml file. Now I would like to enroll a new user in the running fabric-ca instance, but I am not able to find the fabric-ca-client command in the docker container of fabric-ca. Kindly guide me.

deepakvparmar (Fri, 31 Mar 2017 07:05:34 GMT):
Following is screenshot of my running fabric 1.0 server :

deepakvparmar (Fri, 31 Mar 2017 07:06:23 GMT):
```
vagrant@localhost ~/go/src/github.com/hyperledger/fabric-ca/build/docker/bin $ docker ps
CONTAINER ID        IMAGE                                                          COMMAND                  CREATED             STATUS              PORTS                    NAMES
4232294e49c1        google/cadvisor:latest                                         "/usr/bin/cadvisor -l"   35 minutes ago      Up 35 minutes       0.0.0.0:8080->8080/tcp   cadvisor
aa4888ea1060        sfhackfest22017/fabric-peer:x86_64-0.7.0-snapshot-c7b3fe0      "sh -c './channel_tes"   42 hours ago        Up 34 minutes                                cli
e25fc9e4d263        sfhackfest22017/fabric-peer:x86_64-0.7.0-snapshot-c7b3fe0      "peer node start --pe"   42 hours ago        Up 34 minutes       0.0.0.0:8056->7051/tcp   peer2
135fcd593721        sfhackfest22017/fabric-peer:x86_64-0.7.0-snapshot-c7b3fe0      "peer node start --pe"   42 hours ago        Up 34 minutes       0.0.0.0:8055->7051/tcp   peer1
1e8820c1471d        sfhackfest22017/fabric-ca:x86_64-0.7.0-snapshot-6294c57        "sh -c 'sleep 10; fab"   42 hours ago        Up 34 minutes       0.0.0.0:8054->7054/tcp   ca
f0b8f143f582        sfhackfest22017/fabric-orderer:x86_64-0.7.0-snapshot-c7b3fe0   "orderer"                42 hours ago        Up 34 minutes       0.0.0.0:8050->7050/tcp   orderer
```

deepakvparmar (Fri, 31 Mar 2017 07:07:54 GMT):
Fabric-Ca is running as docker container, Now I am trying to enroll new user using fabric-ca-client enroll -c "config.yaml" http://admin:adminpw@localhost:7054 , but getting following error:

deepakvparmar (Fri, 31 Mar 2017 07:08:12 GMT):
```
vagrant@localhost ~/go/src/github.com/hyperledger/fabric-ca/build/docker/bin $ ./fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
2017/03/31 06:49:52 [INFO] User provided config file: /home/vagrant/.fabric-ca-client/fabric-ca-client-config.yaml
2017/03/31 06:49:52 [INFO] Configuration file location: /home/vagrant/.fabric-ca-client/fabric-ca-client-config.yaml
2017/03/31 06:49:52 Initialize BCCSP [SW]
2017/03/31 06:49:52 [INFO] received CSR
2017/03/31 06:49:52 [INFO] generating key: ecdsa-256
2017/03/31 06:49:52 [INFO] encoded CSR
2017/03/31 06:49:52 [FATAL] POST failure [Post http://localhost:7054/enroll: dial tcp [::1]:7054: getsockopt: connection refused]; not sending
POST http://localhost:7054/enroll
Authorization: Basic YWRtaW46YWRtaW5wdw==
{"hosts":null,"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBPzCB5gIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsk1VPWHK5My0v52V\nBUxv01gkF7AsojnnD6rkM3qQ4RhodlRVUJQvembqgIr1eIvPZWHceYAMoM8BcmLI\nTp8xCKAnMCUGCSqGSIb3DQEJDjEYMBYwFAYDVR0RBA0wC4IJbG9jYWxob3N0MAoG\nCCqGSM49BAMCA0gAMEUCIAnF0gu4XdDBoobmDvmYdmPreSDZV+MKO8crY8lb1GSF\nAiEAw2ogeF9YPBR36ABKrunTrz5t0TpOp1d46Sg5fpaMwo8=\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":""}
```

deepakvparmar (Fri, 31 Mar 2017 07:09:28 GMT):
Do I need to start the Fabric-Ca server using "fabric-ca-server start -b admin:adminpw"? As the Fabric-ca server container is already running, how can I access the running ca container?

smithbk (Fri, 31 Mar 2017 07:15:06 GMT):
Apparently the listening port of the fabric-ca-server running in docker is not available from within your vagrant. Yes, you could just run the server inside vagrant by issuing this from vagrant:

smithbk (Fri, 31 Mar 2017 07:15:29 GMT):
fabric-ca-server start -b admin:adminpw

deepakvparmar (Fri, 31 Mar 2017 08:34:14 GMT):
@smithbk : Thank You. You mean to say if I execute the "fabric-ca-server start -b admin:adminpw" command, then I will be able to enroll and register a new user into the running instance of fabric-ca in the docker container

deepakvparmar (Fri, 31 Mar 2017 08:34:16 GMT):
?

smithbk (Fri, 31 Mar 2017 13:13:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NPaEAWSRfjw8hRBNi) @deepakvparmar I mean that you can run the fabric-ca-server inside vagrant with that command. In this case, it is not running inside docker.

Lin-YiTang (Sat, 01 Apr 2017 11:22:10 GMT):
how to manually make all .pem of msp, tls

kpsid (Sat, 01 Apr 2017 13:36:04 GMT):
Has joined the channel.

subbu165 (Sat, 01 Apr 2017 15:45:43 GMT):
Has joined the channel.

Shadow-Hawk (Sun, 02 Apr 2017 12:05:42 GMT):
Hi, could someone tell me which mechanism Fabric employs: Key Policy Attribute Based Encryption or Ciphertext Policy Attribute Based Encryption? Thank you!

krupabathia (Mon, 03 Apr 2017 06:25:41 GMT):
Has joined the channel.

smithbk (Mon, 03 Apr 2017 12:40:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JuCqyzgrAcD9cnhWC) @Lin-YiTang Sorry, I'm not following the question. Can you elaborate? Thanks

smithbk (Mon, 03 Apr 2017 13:06:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8Lpk9zkt2KHoJFctw) @Shadow-Hawk Are you asking how to make access control decisions in chaincode? Attributes in tcerts is described here https://github.com/hyperledger/fabric/blob/v0.6/docs/tech/attributes.md

kmad (Mon, 03 Apr 2017 16:31:14 GMT):
Has joined the channel.

mjkong (Mon, 03 Apr 2017 16:48:50 GMT):
Failed signing for endpoint enroll: Failed to insert record into database: Error 1292: Incorrect datetime value: '0000-00-00' for column 'revoked_at' at row 1

s.narayanan (Mon, 03 Apr 2017 18:32:14 GMT):
What is the meaning of member when an endorsement policy refers to Org1MSP.member? Does this mean member that has been issued cert by Org1. The documentation refers to "role" being member or admin. Appreciate if someone could clarify

smithbk (Mon, 03 Apr 2017 18:41:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4SkNju8DTMrx4eiSY) @s.narayanan Yes, an MSP org1.member means the cert was issued by org1

s.narayanan (Mon, 03 Apr 2017 18:49:07 GMT):
@smithbk thanks. Could you also clarify the role of "admin" when we refer to this in an endorsement policy?

smithbk (Mon, 03 Apr 2017 18:50:33 GMT):
@s.narayanan This is an admin under the admincerts MSP directory.

smithbk (Mon, 03 Apr 2017 18:56:40 GMT):
Does that clarify? If not, you may want to look at this doc: https://docs.google.com/document/d/1Qg7ZEccOIsrShSHSNl4kBHOFvLYRhQ3903srJ6c_AZE/edit#heading=h.2rmho7iqstbu and see section 2.4 for example

s.narayanan (Mon, 03 Apr 2017 22:14:26 GMT):
@smithbk thanks. I reviewed the document. If I understand this correctly, the node can endorse using a signing key that is based on its identity (signcerts) or admin identity (admincerts)? As well, a few related questions on authorization based on user identity attributes. I presume the attribute values are returned as part of a TCert from an MSP. If an application does not use TCerts, then how would you do ACLs based on such attributes

Shadow-Hawk (Tue, 04 Apr 2017 04:29:16 GMT):
@smithbk Thanks for your response, What I want to know is that whether the attributes based on the theory of https://en.wikipedia.org/wiki/Attribute-based_encryption.

AbhishekSeth (Tue, 04 Apr 2017 06:23:54 GMT):
Has joined the channel.

bh4rtp (Tue, 04 Apr 2017 08:48:38 GMT):
@smithbk what is the use of the admin:adminpw? Is this only used on the ca local side?

smithbk (Tue, 04 Apr 2017 12:05:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bq6MiPMAYFfS3DquP) @s.narayanan TCerts are generated by fabric CA, not by an MSP. But yes, attribute values are part of a TCert and an application would be required to use tcerts to do ACLs based on these attributes. More generally speaking though, fabric does not mandate how chaincode does ACLs. For example, chaincode could look at any field in the x509 certificate associated with the transaction payload, or the transient data field could be used to pass any credentials which are checked by the chaincode (which is not written to the ledger), or some combination of the two.

smithbk (Tue, 04 Apr 2017 12:06:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cy3bb5yzFJnXzpAd7) @Shadow-Hawk No, attributes in tcerts are not based on ABE. The secret key is not dependent upon the attributes.

smithbk (Tue, 04 Apr 2017 12:13:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=B7DR5mnsDhY5nRgcj) @bh4rtp The use of admin:adminpw is to provide a user/pass for a pre-registered bootstrap administrator which has the authority to register other users. The "-b admin:adminpw" option is used the 1st time you start the fabric-ca-server (or on the "fabric-ca-server init" command) to provide a user/pass to fill in the "registry.identities" section of the server's config file with a single bootstrap user. Of course you can manually create any configuration file you want with as many users in it as you want, but the "-b admin:adminpw" forces you to provide your own user/pass for at least one user that will have registrar authority. I hope this helps. Let me know if you have additional questions.

bh4rtp (Tue, 04 Apr 2017 12:19:21 GMT):
@smithbk thanks. it is clear. but when it comes to some sdk examples like ibm-marbles, the user logs in as admin in the web browser. does this login operation use admincert or admin:adminpw?

smithbk (Tue, 04 Apr 2017 12:38:44 GMT):
@bh4rtp I'd have to look at the source of that example as I'm not sure what its login maps to. But MSP in the fabric only deals with certs, not userid/pass, so it definitely isn't MSP directly. @mastersingh24 Gari, can you comment?

tiennv (Tue, 04 Apr 2017 15:57:02 GMT):
Has joined the channel.

smithbk (Tue, 04 Apr 2017 17:38:27 GMT):
@bh4rtp The ibm-marbles app uses the same user/pass that is used to setup the fabric-ca administrator, which is admin:adminpw by default

rohitbordia (Tue, 04 Apr 2017 22:12:36 GMT):
Has joined the channel.

rohitbordia (Tue, 04 Apr 2017 22:13:04 GMT):
Hi Guys, I'm trying to run the fabric-java-sdk test and it's failing while running the docker command

rohitbordia (Tue, 04 Apr 2017 22:13:27 GMT):
Pulling ca (hyperledger/fabric-ca:latest)... ERROR: manifest for hyperledger/fabric-ca:latest not found

rohitbordia (Tue, 04 Apr 2017 22:13:57 GMT):
when using a different image from hackfest example : sfhackfest22017/fabric-ca:x86_64-0.7.0-snapshot-6294c57

rohitbordia (Tue, 04 Apr 2017 22:14:08 GMT):
then getting exception while running Test

rohitbordia (Tue, 04 Apr 2017 22:14:17 GMT):
```
java.lang.ClassCastException: org.glassfish.json.JsonStringImpl cannot be cast to javax.json.JsonObject
2017-04-04 14:45:12 ERROR HFCAClient:305 - org.glassfish.json.JsonStringImpl cannot be cast to javax.json.JsonObject
java.lang.ClassCastException: org.glassfish.json.JsonStringImpl cannot be cast to javax.json.JsonObject
	at org.glassfish.json.JsonObjectBuilderImpl$JsonObjectImpl.getJsonObject(JsonObjectBuilderImpl.java:184)
	at org.hyperledger.fabric_ca.sdk.HFCAClient.enroll(HFCAClient.java:292)
```

rohitbordia (Tue, 04 Apr 2017 22:15:06 GMT):
anyone faced this problem

smithbk (Wed, 05 Apr 2017 00:20:08 GMT):
@rohitbordia The fabric-ca CI isn't publishing the latest image to docker hub yet, but you can pull the latest from github and build "hyperledger/fabric-ca:latest" image by running "make docker"

smithbk (Wed, 05 Apr 2017 00:22:46 GMT):
I haven't seen that error before, but someone on the fabric-sdk-java-dev channel may know if it still happens with the latest fabric-ca image

bh4rtp (Wed, 05 Apr 2017 00:58:42 GMT):
@smithbk thanks. is this a potential security hole of fabric if tls is not used?

AmberZhang (Wed, 05 Apr 2017 02:43:08 GMT):
Has joined the channel.

LordGoodman (Wed, 05 Apr 2017 06:02:16 GMT):
Has joined the channel.

LordGoodman (Wed, 05 Apr 2017 06:02:21 GMT):
could anybody tell me where can i find more detail about msp(membership service provider)

jongeun.park (Wed, 05 Apr 2017 09:39:58 GMT):
Has joined the channel.

smithbk (Wed, 05 Apr 2017 12:40:43 GMT):
Try https://docs.google.com/document/d/1Qg7ZEccOIsrShSHSNl4kBHOFvLYRhQ3903srJ6c_AZE/edit#heading=h.2rmho7iqstbu

smithbk (Wed, 05 Apr 2017 12:42:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nMQm3iDmdKAs3u96v) @LordGoodman To reply: https://docs.google.com/document/d/1Qg7ZEccOIsrShSHSNl4kBHOFvLYRhQ3903srJ6c_AZE/edit#heading=h.2rmho7iqstbu

rangak (Wed, 05 Apr 2017 18:08:53 GMT):
Has joined the channel.

srss (Wed, 05 Apr 2017 20:07:14 GMT):
Has joined the channel.

AbhishekSeth (Thu, 06 Apr 2017 05:58:40 GMT):
hey all, I am running in "dev mode" of fabric 1.0. I want to test my chaincodes using nodeSDK. My question is can I bypass the security thing and do the txns in security_disabled mode? I tried making "security_enabled" to be "false" in the chain.js inside "lib" folder of "fabric-client" but while deploying it is still calling "getIdentity" kind of APIs. @mastersingh24, any clue sir? Any help is highly appreciated!!

PushpalathaHiremath (Thu, 06 Apr 2017 05:59:09 GMT):
Has joined the channel.

Vadim (Thu, 06 Apr 2017 06:52:31 GMT):
@AbhishekSeth if I correctly understood you (pls provide more info), the getIdentity() errors have nothing to do with security. They just tell that you haven't enrolled any user before calling chain.initialize()

AbhishekSeth (Thu, 06 Apr 2017 09:07:43 GMT):
@Vadim, if I do security_enabled=false, then I don't need to enroll any user before calling chain.initialize(). Is my understanding not correct?

Vadim (Thu, 06 Apr 2017 09:08:03 GMT):
where do you set that?

AbhishekSeth (Thu, 06 Apr 2017 09:08:37 GMT):
in the chain.js file inside lib folder of fabric-client

AbhishekSeth (Thu, 06 Apr 2017 09:09:38 GMT):
Okay, can u tell me how I run a setup in dev mode without requiring CA server and client?

Vadim (Thu, 06 Apr 2017 09:11:40 GMT):
@AbhishekSeth you mean you set it here? https://github.com/hyperledger/fabric-sdk-node/blob/master/fabric-client/lib/Chain.js

Vadim (Thu, 06 Apr 2017 09:12:53 GMT):
I don't think it's going to work and I don't think you can run anything without users

Vadim (Thu, 06 Apr 2017 09:13:08 GMT):
devmode means that you can start chaincode manually and not in a docker container

LordGoodman (Thu, 06 Apr 2017 09:21:13 GMT):
@smithbk Thanks for your help

ranjan008 (Thu, 06 Apr 2017 09:27:08 GMT):
Has joined the channel.

AbhishekSeth (Thu, 06 Apr 2017 09:33:57 GMT):
@Vadim, Yeah.. I was setting it there only. I know dev mode means start chaincode manually instead of docker-container. But my problem was I had issues with CA thing. So i thought of not using CA, users and stuff.

Vadim (Thu, 06 Apr 2017 09:34:19 GMT):
@AbhishekSeth I don't think it's possible

AbhishekSeth (Thu, 06 Apr 2017 09:34:19 GMT):
But are u saying that without user enrollment, I can't deploy chaincode?

Vadim (Thu, 06 Apr 2017 09:34:32 GMT):
you need some user to sign the proposal

Vadim (Thu, 06 Apr 2017 09:34:48 GMT):
check how it's done in tests, it's not that hard

AbhishekSeth (Thu, 06 Apr 2017 09:35:06 GMT):
In V0.6, we had option of deploying without enrolling users. Is it not true for V1.0?

Vadim (Thu, 06 Apr 2017 09:37:13 GMT):
@AbhishekSeth no

Vadim (Thu, 06 Apr 2017 09:37:38 GMT):
fabric expects that all proposals are signed

AbhishekSeth (Thu, 06 Apr 2017 09:39:09 GMT):
okay... So i will have to have Fabric-ca server and fabric-ca-client. Right?

Vadim (Thu, 06 Apr 2017 09:39:40 GMT):
you only need a certificate and key pair which is trusted by your fabric, they do that in tests

Vadim (Thu, 06 Apr 2017 09:41:03 GMT):
ok, I'm wrong, in tests they enroll with fabric-ca

Vadim (Thu, 06 Apr 2017 09:41:07 GMT):
so you need it

lizhih (Thu, 06 Apr 2017 09:45:56 GMT):
Has joined the channel.

in0rdr (Thu, 06 Apr 2017 12:02:40 GMT):
Is it possible to query all the users/peers/etc in the blockchain network with the fabric-ca-client?

Vadim (Thu, 06 Apr 2017 12:13:07 GMT):
@in0rdr it's not possible

in0rdr (Thu, 06 Apr 2017 12:18:08 GMT):
@Vadim thanks. Isn't it important to know who participates in the blockchain?

Vadim (Thu, 06 Apr 2017 12:18:43 GMT):
the participating CAs are encoded into the channel config tx

in0rdr (Thu, 06 Apr 2017 12:19:13 GMT):
only the CAs or also the peers and users?

Vadim (Thu, 06 Apr 2017 12:20:01 GMT):
only CAs

PushpalathaHiremath (Thu, 06 Apr 2017 12:45:52 GMT):

Message Attachments

pmullaney (Thu, 06 Apr 2017 15:59:58 GMT):
@AbhishekSeth: just an fyi on devmode, it's possible to run in devmode without a CA from the peer command line - using it right now - whatever limitation you are seeing must be in the sdk

RahulAgrawal (Fri, 07 Apr 2017 04:16:54 GMT):
Has joined the channel.

AbhishekSeth (Fri, 07 Apr 2017 05:54:24 GMT):
Hey all, I am struggling with the CA big time. Can anyone plzz explain where and how the certs and keys created as PEM files under the msp folder are used?

AbhishekSeth (Fri, 07 Apr 2017 05:56:03 GMT):

Message Attachments

AbhishekSeth (Fri, 07 Apr 2017 05:56:43 GMT):
I am running in "dev mode". Orderer, peer and ca server, all are up and running. I am using NodeSDK to deploy the chaincode in which user I am giving is "admin". But I am getting the above error.

AbhishekSeth (Fri, 07 Apr 2017 05:57:53 GMT):
What all CA related things are required to successfully deploy the chaincode having user as "admin"?

in0rdr (Fri, 07 Apr 2017 08:48:50 GMT):
@AbhishekSeth The certificates are also used to create the genesis block, where the chain configuration is stored, see: http://hyperledger-fabric.readthedocs.io/en/latest/configtxgen.html but I don't know how the certs are used exactly (i.e. when peer.pem, cacert.pem and admincert.pem are used)

Jay (Fri, 07 Apr 2017 09:03:30 GMT):
Has joined the channel.

AbhishekSeth (Fri, 07 Apr 2017 09:07:48 GMT):
@in0rdr, okay.. Do u have any clue of the problem I am facing regarding deployment using NodeSdk as i mentioned just above?

Vadim (Fri, 07 Apr 2017 09:08:42 GMT):
@AbhishekSeth I think I told you yesterday that this is because the certificate for your admin was issued by the CA which is not trusted by the network

AbhishekSeth (Fri, 07 Apr 2017 09:09:57 GMT):
@Vadim, How do I make CA trusted to the network?

Vadim (Fri, 07 Apr 2017 09:10:26 GMT):
use the ca config and certs from the sdk-tests

AbhishekSeth (Fri, 07 Apr 2017 09:16:06 GMT):
@Vadim, u mean from /fabric-sdk-node/test/fixtures/msp/local folder?

AbhishekSeth (Fri, 07 Apr 2017 09:20:31 GMT):
By the way, the other confusion is: When I enroll admin using CA, certs and keys are generated of PEM type and stored in the `msp` folder. But while deploying, the NodeSDK refers to a `keyValueStore` folder as mentioned in config.json and looks for the admin cert. And there is something called `.hfc-key-store` folder where private and public keys are stored. I don't understand how the `msp`, `keyValueStore` and `.hfc-key-store` folders are related and how to use them together...

AbhishekSeth (Fri, 07 Apr 2017 09:21:30 GMT):
@Vadim, u have idea regarding these?

Vadim (Fri, 07 Apr 2017 09:30:55 GMT):
@AbhishekSeth run docker compose up in this folder: https://github.com/hyperledger/fabric-sdk-node/tree/master/test/fixtures to start your network together with CA which is trusted

Vadim (Fri, 07 Apr 2017 09:32:03 GMT):
nodesdk stores the enrollment artifacts (cert and key) in the keyValueStore

Vadim (Fri, 07 Apr 2017 09:33:10 GMT):
"When I enroll admin using CA" <- I guess you mean fabric-ca-client? I've never used it, but I guess it stores the certificates in that folder

Vadim (Fri, 07 Apr 2017 09:33:30 GMT):
when you use sdk, you don't need fabric-ca-client

AbhishekSeth (Fri, 07 Apr 2017 09:49:30 GMT):
@Vadim, let me try this. thanks

LordGoodman (Fri, 07 Apr 2017 10:30:34 GMT):
Could somebody tell me how to discover other peers in the same channel

sb2407 (Fri, 07 Apr 2017 10:58:34 GMT):
Has joined the channel.

smithbk (Fri, 07 Apr 2017 15:03:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4FBRr8Wk8X49fX4pN) @LordGoodman All anchor peers for a channel are in the config transaction/block for that channel. More specific info of which APIs to use are going to depend on which SDK you are using

greg.haskins (Fri, 07 Apr 2017 16:13:47 GMT):
is anyone familiar with the new "mspid" field needed during enrollment?

greg.haskins (Fri, 07 Apr 2017 16:13:58 GMT):
(not sure if this is an SDK construct, or something visible to the ca)

greg.haskins (Fri, 07 Apr 2017 16:14:28 GMT):
but my older SDK client is suddenly failing on account of fabric-sdk-node commit 378f37c0ee

greg.haskins (Fri, 07 Apr 2017 16:14:38 GMT):
it's not clear to me how to "fix"

smithbk (Fri, 07 Apr 2017 19:00:04 GMT):
@greg.haskins It isn't visible to the ca so between SDK and fabric. Is this node or java SDK?

greg.haskins (Fri, 07 Apr 2017 19:08:21 GMT):
@smithbk node

greg.haskins (Fri, 07 Apr 2017 19:08:46 GMT):
I am going to try "Org1MSP" as that what I see other things doing

greg.haskins (Fri, 07 Apr 2017 19:09:04 GMT):
would be good to have guidance on what is expected there in the doc, if it's not already covered

smithbk (Fri, 07 Apr 2017 19:26:56 GMT):
@greg.haskins Yeh, looks like you're already asking on fabric-sdk-node which would know better. I'm not sure what the MSP ID would be for your config ... or which node test it is. I'm sure you see the following if end-to-end:

smithbk (Fri, 07 Apr 2017 19:26:59 GMT):
test/integration/e2e/e2eUtils.js: { role: { name: 'member', mspId: ORGS['org1'].mspid }},

greg.haskins (Fri, 07 Apr 2017 19:31:13 GMT):
Thanks @smithbk

greg.haskins (Fri, 07 Apr 2017 19:31:23 GMT):
you may know the answer, even if this is SDK specific

greg.haskins (Fri, 07 Apr 2017 19:31:30 GMT):
```error: [Peer.js]: GRPC client got an error response from the peer "grpc://localhost:7051". Error: Failed to deserialize creator identity, err Expected MSP ID DEFAULT, received Org1MSP```

greg.haskins (Fri, 07 Apr 2017 19:31:38 GMT):
any suggestions on that?

greg.haskins (Fri, 07 Apr 2017 19:32:02 GMT):
should I just use "MSP ID DEFAULT"

greg.haskins (Fri, 07 Apr 2017 19:32:03 GMT):
?

pmullaney (Fri, 07 Apr 2017 20:07:37 GMT):
@greg.haskins: looking at something similar now and I think that the MSPID that you set in the sdk has to match what you set in the peer and orderer( could be set via CORE_PEER_LOCALMSPID in a docker-compose for example)

pmullaney (Fri, 07 Apr 2017 20:09:12 GMT):
so in your case, DEFAULT indicates that you are probably picking up from core.yaml(localMspId: DEFAULT)

greg.haskins (Fri, 07 Apr 2017 20:15:15 GMT):
@pmullaney thx, will try that

smithbk (Fri, 07 Apr 2017 20:15:17 GMT):
@greg.haskins @pmullaney Yes, Paul is correct. You should use "DEFAULT" if you haven't changed

greg.haskins (Fri, 07 Apr 2017 20:16:09 GMT):
yep, seemed to get past that error

greg.haskins (Fri, 07 Apr 2017 20:16:13 GMT):
on to the next one ;)

greg.haskins (Fri, 07 Apr 2017 20:16:15 GMT):
thanks all

smithbk (Fri, 07 Apr 2017 20:16:52 GMT):
np

greg.haskins (Fri, 07 Apr 2017 20:17:40 GMT):
actually, it worked!

greg.haskins (Fri, 07 Apr 2017 20:17:42 GMT):
thx again

greg.haskins (Fri, 07 Apr 2017 20:17:56 GMT):
(secondary failures were caused by stuff cached, i think)

greg.haskins (Fri, 07 Apr 2017 20:18:08 GMT):
once I blew away all the ~/.hfc* type things, working again

pmullaney (Fri, 07 Apr 2017 20:18:15 GMT):
cool

smithbk (Fri, 07 Apr 2017 20:18:59 GMT):
a day with progress is always good :grimacing:

greg.haskins (Fri, 07 Apr 2017 20:19:10 GMT):
heh, well, i spoke too soon

greg.haskins (Fri, 07 Apr 2017 20:19:20 GMT):
i got a successful install() done, but now in instantiate()

greg.haskins (Fri, 07 Apr 2017 20:19:30 GMT):
```error:Error: Verifying MSPs not found in the chain object, make sure "intialize()" is called first.```

greg.haskins (Fri, 07 Apr 2017 20:19:34 GMT):
anyone know what that is?

greg.haskins (Fri, 07 Apr 2017 20:19:51 GMT):
(im sure this is more SDK specific, but someone may know)

pmullaney (Fri, 07 Apr 2017 20:21:17 GMT):
sounds familiar looking

smithbk (Fri, 07 Apr 2017 20:22:36 GMT):
Did you call initialize on the chain?

pmullaney (Fri, 07 Apr 2017 20:28:30 GMT):
yea, sounds like you need to call initialize on chain - most of the sdk tests do right after retrieving the admin user creds

rjagadee (Fri, 07 Apr 2017 21:56:11 GMT):
Has joined the channel.

greg.haskins (Sat, 08 Apr 2017 02:19:47 GMT):
Yeah, I added that but then ran into a different problem which is that I think I do not have a channel created

yahtoo (Sat, 08 Apr 2017 21:43:49 GMT):
Has joined the channel.

hcsatish (Sun, 09 Apr 2017 15:53:32 GMT):
Has joined the channel.

king3000 (Mon, 10 Apr 2017 01:49:23 GMT):
Has joined the channel.

Rymd (Mon, 10 Apr 2017 08:33:13 GMT):
Has joined the channel.

o.o. (Mon, 10 Apr 2017 08:34:25 GMT):
I am getting an error when trying to do a chaincode init/Instantiate: ```Identity store rejected 2 : Peer Identity [ ... ] cannot be validated. No MSP found able to do that.``` Now I am using two organisations, and this is the other peer complaining - the first one looking ok. Am I doing something wrong in setting up the peers with different OrgxMSP's; or is the problem that the other peer tries to validate the sender belonging to the first peer msp; or something else? Sorry if this is not the correct channel.

o.o. (Mon, 10 Apr 2017 08:47:29 GMT):
It is in `authenticateRemotePeer` that it finds the issue; and then comes `GossipStream -> ERRO 027 Authentication failed`. This repeats three times leading to eventual unresponsiveness timeout from the first peer.

nickmelis (Mon, 10 Apr 2017 09:40:18 GMT):
is there the ability to un-enroll a user or to set an enrollment timeout in v1.0?

o.o. (Mon, 10 Apr 2017 09:53:19 GMT):
@nickmelis I saw that there is a `revoke` in the ca docs: http://hyperledger-fabric.readthedocs.io/en/latest/Setup/ca-setup.html#revoking-a-certificate-or-identity

nickmelis (Mon, 10 Apr 2017 09:54:43 GMT):
yup @o.o. I've seen that one. Just wondering if there's the ability to configure an enrollment timeout. But maybe if I can re-enroll a user I can probably work around it

mastersingh24 (Mon, 10 Apr 2017 11:36:37 GMT):
@nickmelis - what problem are you trying to solve?

nickmelis (Mon, 10 Apr 2017 11:41:25 GMT):
at the moment the major limitation is that I can't re-enroll a previously enrolled user

nickmelis (Mon, 10 Apr 2017 11:42:25 GMT):
for example creating a user from one app and then using that user from another app is currently impossible, unless I physically copy across the entries in keyvaluestore.properties

mastersingh24 (Mon, 10 Apr 2017 12:02:31 GMT):
well that's always going to be the issue when using cryptographic keys

mastersingh24 (Mon, 10 Apr 2017 12:02:46 GMT):
there is an option to set "max enrollments" for the CA and on a per user basis

mastersingh24 (Mon, 10 Apr 2017 12:02:57 GMT):
this will allow you to enroll the user multiple times

mastersingh24 (Mon, 10 Apr 2017 12:03:28 GMT):
although I'm not sure if this is really any better than just enrolling once and then sharing the creds across apps as appropriate

nickmelis (Mon, 10 Apr 2017 12:05:24 GMT):
and how can I share the credentials without having to copy-paste the keyvaluestore.properties entries?

smithbk (Mon, 10 Apr 2017 13:15:01 GMT):
@nickmelis Well 1st I'd like to make sure what you mean by "creating the user from app". Do you mean registration or registration/enrollment?

smithbk (Mon, 10 Apr 2017 13:20:27 GMT):
@nickmelis You can of course register the user from one app and then enroll the user from another app, but the 2nd app will need to somehow know the enrollment ID and secret. That is assumed to be out-of-band from fabric CA perspective

PushpalathaHiremath (Mon, 10 Apr 2017 13:27:24 GMT):
HI All, Which user do we need to use to register an orderer?
```
2017/04/10 17:39:55 [DEBUG] Getting user admin from the database
2017/04/10 17:39:55 [DEBUG] Registration of 'orderer1' failed: User 'admin' may not register type 'orderer'
2017/04/10 17:39:55 [INFO] [::1]:54934 - "POST /register" 0
2017/04/10 17:40:51 [DEBUG] Received request POST /enroll
```

zian (Mon, 10 Apr 2017 13:57:10 GMT):
Has joined the channel.

jworthington (Mon, 10 Apr 2017 14:18:57 GMT):
Has joined the channel.

smithbk (Mon, 10 Apr 2017 15:39:46 GMT):
@PushpalathaHiremath You can use any identity type (e.g. peer) to register an orderer identity currently since identity types are not used to make authorization decisions by the fabric.

anbu22 (Mon, 10 Apr 2017 18:46:21 GMT):
Has joined the channel.

greg.haskins (Mon, 10 Apr 2017 20:31:08 GMT):
does anyone have a good understanding of the MSP configuration w.r.t. the SDK?

greg.haskins (Mon, 10 Apr 2017 20:31:59 GMT):
I am trying to drive an instantiate() operation and I am being told by the SDK that there are no MSPs for the channel

greg.haskins (Mon, 10 Apr 2017 20:32:16 GMT):
its not clear if its in my backend config or how I am driving the SDK

AmberZhang (Tue, 11 Apr 2017 02:49:23 GMT):
@mastersingh24 What kind of situations need to enroll one user multiple times?

PushpalathaHiremath (Tue, 11 Apr 2017 04:52:39 GMT):
@smithbk : Thank you. Will try it now.

PushpalathaHiremath (Tue, 11 Apr 2017 08:54:35 GMT):
Has anyone come across this issue?
```
error: [Peer.js]: GRPC client got an error response from the peer. Error: Failed to deserialize creator identity, err MSP DEFAULT is unknown
    at /Users/Pushpalatha/go/FABRIC_V1.0/hackfest/node_modules/grpc/src/node/src/client.js:434:17
error: [Chain.js]: Chain-sendPeersProposal - Promise is rejected: Error: Error: Failed to deserialize creator identity, err MSP DEFAULT is unknown
    at Object.callback (/Users/Pushpalatha/go/FABRIC_V1.0/hackfest/node_modules/fabric-client/lib/Peer.js:191:13)
```

nickmelis (Tue, 11 Apr 2017 09:19:27 GMT):
@smithbk do you know if the same thing is possible with the old membersrvc?

nickmelis (Tue, 11 Apr 2017 09:19:48 GMT):
> You can of course register the user from one app and then enroll the user from another app, but the 2nd app will need to somehow know the enrollment ID and secret.

nickmelis (Tue, 11 Apr 2017 09:20:20 GMT):
using v0.6 with Java SDK at the moment, and it looks like there's no way to register but not enroll a user

Oleksbor (Tue, 11 Apr 2017 09:28:10 GMT):
Has joined the channel.

smithbk (Tue, 11 Apr 2017 09:48:33 GMT):
Yes, it was also possible as a later feature added in V0.6, but am not sure if the java SDK supported it ... thought it did

mastersingh24 (Tue, 11 Apr 2017 11:14:04 GMT):
@nickmelis - looks like the Java SDK v0.6 has separate register ( https://github.com/hyperledger/fabric-sdk-java/blob/v0.6/src/main/java/org/hyperledger/fabric/sdk/MemberServicesImpl.java#L130 ) and enroll ( https://github.com/hyperledger/fabric-sdk-java/blob/v0.6/src/main/java/org/hyperledger/fabric/sdk/MemberServicesImpl.java#L181 ) functions

mastersingh24 (Tue, 11 Apr 2017 11:14:32 GMT):
of course with v0.6 you can only enroll once

jworthington (Tue, 11 Apr 2017 11:42:22 GMT):
yesterday I installed fabric-ca and unit tests succeeded (something like 83%). today I installed on another server and unit tests fail (again about 83%)

jworthington (Tue, 11 Apr 2017 11:42:24 GMT):
```
2017/04/11 11:26:01 [ERROR] Server has stopped serving: accept tcp [::]:7054: use of closed network connection
--- FAIL: TestClientCommandsTLS (0.05s)
    main_test.go:535: Server start failed: TLS listen failed: listen tcp 0.0.0.0:7054: bind: address already in use
```

yp (Tue, 11 Apr 2017 13:41:57 GMT):
Has joined the channel.

yp (Tue, 11 Apr 2017 13:49:01 GMT):
hi all, I registered a user with the [ca] type on the root CA server [192.168.1.1]. On the sub CA server, I enrolled this user and initialized the sub CA server with [-u 192.168.1.1:7054]. I got this error: `Initialization failure: Failed to initialize CA: Error response from server was: Authorization failure`

yp (Tue, 11 Apr 2017 13:49:34 GMT):
error on the root CA:
```
2017/04/11 21:40:18 [DEBUG] Getting user from the database
2017/04/11 21:40:18 [DEBUG] Failed to get user '': sql: no rows in result set
```

yp (Tue, 11 Apr 2017 13:50:56 GMT):
how can I init the CA server with [-u]?

yp (Tue, 11 Apr 2017 13:58:23 GMT):
I also tried registering the sub CA server user with `./fabric-ca-client register --id.name org2 --id.type user --id.affiliation org2 --id.secret org2pw --id.attr hf.Registrar.Roles="ca" --id.attr hf.Revoker=true --id.attr hf.IntermediateCA=true` and got the same error.

aambati (Tue, 11 Apr 2017 14:01:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NzLffqj9zh8Raiohu) @jworthington I have seen this error before. It happens intermittently. We think this is due to the way tests in different files are run in parallel by go. We are working on using unique ports in the tests

skarim (Tue, 11 Apr 2017 15:23:27 GMT):
@yp I followed the instructions you posted and did not run into any issue. It would be helpful to have the full logs and more detailed step by step instructions on what you are doing

yp (Tue, 11 Apr 2017 17:35:37 GMT):

Message Attachments

yp (Tue, 11 Apr 2017 17:36:14 GMT):
@skarim [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DdqE7D6JZXR3ibr4u)

yp (Tue, 11 Apr 2017 17:38:56 GMT):
@skarim I'm not sure this process is correct...

jworthington (Tue, 11 Apr 2017 22:01:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YdrunctnzPtzE6iJg) @aambati Thx. I checked on the first server that had not had an issue yesterday and it did today. No changes at all to that server.

leungjob (Wed, 12 Apr 2017 02:52:40 GMT):
Has joined the channel.

PushpalathaHiremath (Wed, 12 Apr 2017 04:59:12 GMT):
Hi All, How can we delete/remove a channel permanently ? Is there a way? Plz let me know if anyone has any idea.

sitomani (Wed, 12 Apr 2017 07:11:13 GMT):
Has joined the channel.

jworthington (Wed, 12 Apr 2017 13:03:19 GMT):
Trying to modify the server config to use postgres. The docs and such say the server config file is fabric-ca-server-config.yaml. But then it also says it is a JSON file, and the example in testdata has a JSON serverconfig. It looks like maybe the JSON is the equivalent of the flags passed to fabric-ca-server when starting? Does the yaml AND the JSON need the db (and cert) details? If the details are in the yaml or passed as flags is the JSON needed? It's all quite confusing from the docs. And what is a parent ca server as mentioned?

SyneBlockChainTeam (Wed, 12 Apr 2017 13:11:24 GMT):
Has joined the channel.

SyneBlockChainTeam (Wed, 12 Apr 2017 13:13:51 GMT):
@mastersingh24 Please let us know about working with Users in fabric v1.0 just like we have been using them in fabric v0.6. This is because, earlier, the Registrar API was there to authenticate users before passing them with REST calls in the security context property. As these methods are not available in fabric v1.0, we are looking for an alternate approach in the fabric-ca service. Any help/clue is appreciated. Thanks

jworthington (Wed, 12 Apr 2017 13:28:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JoWLBAB5nafm5C4td) @SyneBlockChainTeam I am very interested in this topic. One immediate question is the 'users' in the config files. Is that ONLY for the 'admin' account? I am struggling to understand how to embed the security in the certs. In particular, the depth of granularity. I will want one user at one org to see column/field a but not b. But another user at the same org can see b but not a. Or edit, etc. Also inheritance. So several people might be in Accounting dept of orgA, but some can edit divisionA but not DivisionB, etc. Trying to understand the possible security models in fabric-ca to implement those kinds of security models. In .6 I created structs to hold the users and put users in the chain when created. On invoke/query I looked them up in the chain to get their details. I am sure that is not a good way to go, but I couldn't figure anything else out. Now that 1.0 can embed better in the certs I still have the same questions on designing enterprise security models.

aambati (Wed, 12 Apr 2017 14:12:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6AuRkhvALoCBem2v4) @jworthington Both json and yml formats are supported for server configuration file. Yes, some of the config values can also be passed to the fabric-ca-server as command line options and they override the value in config file. Yes, if TLS is enabled between server and db, db.tls section in the config file must be specified.

aambati (Wed, 12 Apr 2017 14:22:37 GMT):
@jworthington Let me see if I can explain the parent CA server. You can potentially set up multiple CA servers. You can designate one of the servers as the parent CA server and others as intermediaries or sub CA servers. The sub CA servers need to be started with the -u option. The cert of the sub CA servers is signed by the root CA server's certificate, thereby forming a ca cert chain.

aambati (Wed, 12 Apr 2017 14:29:06 GMT):
@jworthington we have improved the doc recently; are you looking at https://hyperledger-fabric.readthedocs.io/en/latest/Setup/ca-setup.html

StuartWilloughby (Wed, 12 Apr 2017 14:36:55 GMT):
Has joined the channel.

SyneBlockChainTeam (Wed, 12 Apr 2017 14:38:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ToLyQzMLYJgwnvq8Z) @jworthington We have just started reading about the CA service for 1.0. In case we explore it we will share that. Thanks

msoumeit (Wed, 12 Apr 2017 17:07:24 GMT):
Has joined the channel.

jworthington (Wed, 12 Apr 2017 19:20:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Rw3Q5dybu5ms8uB76) @aambati Thx

jworthington (Wed, 12 Apr 2017 19:21:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=j2NKK4fq2JjDh2Diy) @SyneBlockChainTeam Thx

jworthington (Wed, 12 Apr 2017 19:23:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=svkLDYBc7jsn2mTqg) @aambati That seems to be newer than the one I have been using. Let me review it. Thx

izelpii (Wed, 12 Apr 2017 21:54:49 GMT):
Has joined the channel.

izelpii (Wed, 12 Apr 2017 22:04:33 GMT):
Has left the channel.

reoim10 (Thu, 13 Apr 2017 00:53:22 GMT):
Has joined the channel.

yp (Thu, 13 Apr 2017 02:45:37 GMT):
hi all, is there any way to create the orderer's key/cert from the ca server? which type should I use when registering an orderer? client? peer?

medlahbib (Thu, 13 Apr 2017 08:08:25 GMT):
Has joined the channel.

yp (Thu, 13 Apr 2017 10:14:42 GMT):
it inserts into the DB with `[{"name":"hf.Revoker","value":"*1*"}]` when I init the server, but with `[{"name":"hf.Revoker","value":"*true*"}]` when I register. Is this OK??

Senthil1 (Thu, 13 Apr 2017 11:09:10 GMT):
Has joined the channel.

haiderny (Thu, 13 Apr 2017 14:11:24 GMT):
Has joined the channel.

SyneBlockChainTeam (Thu, 13 Apr 2017 14:12:33 GMT):
*To setup fabric-CA (server and client ), we executed following commands with the help of online documentation but faced error which setting up CLIENT:* _DOCKER build:_ $ cd ~/work/src/github.com/hyperledger/fabric-ca $ make docker (worked fine) _Terminal 1_ $ cd ~/work/src/github.com/hyperledger/fabric-ca/docker/server $ docker-compose up (worked file) _Terminal 2_ $ cd ~/work/src/github.com/hyperledger/fabric-ca/docker/examples/client-server-flow $ docker-compose up (failed) WARNING: The CSR_CONFIG variable is not set. Defaulting to a blank string. WARNING: The CA_CERTIFICATE variable is not set. Defaulting to a blank string. WARNING: The CA_KEY_CERTIFICATE variable is not set. Defaulting to a blank string. WARNING: The FABRIC_CA_CONFIG variable is not set. Defaulting to a blank string. Starting fabric-ca ERROR: for fabric-ca Cannot start service fabric-ca: driver failed programming external connectivity on endpoint fabric-ca (3e522e034edae4bc16be10ff96cea589090eb464354af5408b2a8721f4654414): Bind for 0.0.0.0:7054 failed: port is already allocated ERROR: Encountered errors while bringing up the project. Please give us clue to resolve this issue. Regards.

SyneBlockChainTeam (Thu, 13 Apr 2017 14:12:33 GMT):
*To setup fabric-CA (server and client ), we executed following commands with the help of online documentation but faced error which setting up CLIENT:* _DOCKER build:_ $ cd ~/work/src/github.com/hyperledger/fabric-ca $ make docker (worked fine) _Terminal 1_ $ cd ~/work/src/github.com/hyperledger/fabric-ca/docker/server $ docker-compose up (worked fine) _Terminal 2_ $ cd ~/work/src/github.com/hyperledger/fabric-ca/docker/examples/client-server-flow $ docker-compose up (failed with following error) WARNING: The CSR_CONFIG variable is not set. Defaulting to a blank string. WARNING: The CA_CERTIFICATE variable is not set. Defaulting to a blank string. WARNING: The CA_KEY_CERTIFICATE variable is not set. Defaulting to a blank string. WARNING: The FABRIC_CA_CONFIG variable is not set. Defaulting to a blank string. Starting fabric-ca ERROR: for fabric-ca Cannot start service fabric-ca: driver failed programming external connectivity on endpoint fabric-ca (3e522e034edae4bc16be10ff96cea589090eb464354af5408b2a8721f4654414): Bind for 0.0.0.0:7054 failed: port is already allocated ERROR: Encountered errors while bringing up the project. Please give us clue to resolve this issue. Regards.

mastersingh24 (Thu, 13 Apr 2017 15:18:57 GMT):
@SyneBlockChainTeam - you actually ended up trying to start 2 instances of the fabric-ca -
```
Terminal 2
$ cd ~/work/src/github.com/hyperledger/fabric-ca/docker/examples/client-server-flow
$ docker-compose up
```

mastersingh24 (Thu, 13 Apr 2017 15:19:20 GMT):
that actually starts both a fabric-ca and fabric clients

mastersingh24 (Thu, 13 Apr 2017 15:19:54 GMT):
but
```
Terminal 1
$ cd ~/work/src/github.com/hyperledger/fabric-ca/docker/server
$ docker-compose up
```
also started a fabric-ca

mastersingh24 (Thu, 13 Apr 2017 15:20:04 GMT):
so that's why you have the port conflict

jworthington (Thu, 13 Apr 2017 15:21:18 GMT):
CA server seems to be starting fine on postgres. debug shows db initialized. shows user registry initialized. shows listening fine. On initial enroll request for user admin debug shows
```
2017/04/13 15:12:42 [DEBUG] Getting user admin from the database
2017/04/13 15:12:42 [DEBUG] Failed to get user 'admin': pq: relation "users" does not exist
```

jworthington (Thu, 13 Apr 2017 15:21:48 GMT):
what did I miss?

jworthington (Thu, 13 Apr 2017 15:27:46 GMT):
NM. Soon as I type the question I think, hmm, I had manually created the db in postgres as an earlier error said no db. Seems if the db exists then start -b assumes the users table exists and does not insert admin. drop table, restart, done. FYI.

giridharg (Thu, 13 Apr 2017 17:50:01 GMT):
Has joined the channel.

chrisconway (Thu, 13 Apr 2017 17:50:13 GMT):
Has joined the channel.

chrisconway (Thu, 13 Apr 2017 21:31:00 GMT):
I'm trying to figure out the best way to configure the fabric ca to use non-default certificates for a production environment. I noticed the fabric-ca start command generates the same key/certificate pair. Additionally, I attempted creating my own certificates with openssl and copying them to the assorted MSP folders to no avail. What is the best way to maintain a hyperledger network with my own certificates? Is there a tutorial on how to do it somewhere? Thank you in advance :)

LordGoodman (Fri, 14 Apr 2017 03:34:27 GMT):
@chrisconway I am interested in the same question; could you offer more details? What did you do after copying your own certificates to the MSP?

yp (Fri, 14 Apr 2017 05:51:37 GMT):
@jworthington if you use a .yaml file to init the ca server, the -b parameter is ignored, so you have to make sure that the user/pass in the .yaml file is not blank. Otherwise, the user/pass was blank in the DB

lignyxg (Fri, 14 Apr 2017 07:09:08 GMT):
If I want to register an identity for orderer node, what identity type should I use in the field "--id.type"? The server side .yaml file's attrs field says `hf.Registrar.Roles:"client, user,peer,validator,auditor,ca"`, or the roles here don't matter at all?

SyneBlockChainTeam (Fri, 14 Apr 2017 09:45:29 GMT):
@mastersingh24 Thanks for your reply. Today we also tried by only executing client-server-flow as below...
```
$ cd ~/work/src/github.com/hyperledger/fabric-ca/docker/examples/client-server-flow
$ docker-compose up
```
We receive the error "...fabric-ca: not found" (yesterday we executed the server first, but received "...port is already allocated"). Error log:
```
sharadsharma@ubuntu:~$ cd ~/work/src/github.com/hyperledger/fabric-ca/docker/examples/client-server-flow
sharadsharma@ubuntu:~/work/src/github.com/hyperledger/fabric-ca/docker/examples/client-server-flow$ docker-compose up
WARNING: The CSR_CONFIG variable is not set. Defaulting to a blank string.
WARNING: The CA_CERTIFICATE variable is not set. Defaulting to a blank string.
WARNING: The CA_KEY_CERTIFICATE variable is not set. Defaulting to a blank string.
WARNING: The FABRIC_CA_CONFIG variable is not set. Defaulting to a blank string.
Starting fabric-ca
Creating sdk-client
Creating bob-client
Creating admin-client
Attaching to fabric-ca, bob-client, sdk-client, admin-client
fabric-ca       | sh: 1: fabric-ca: not found
fabric-ca exited with code 127
bob-client      | sh: 1: fabric-ca: not found
sdk-client      | sh: 1: fabric-ca: not found
admin-client    | sh: 1: fabric-ca: not found
bob-client exited with code 127
sdk-client exited with code 127
admin-client exited with code 127
```
Please let us know if we need to set some prerequisite before executing the above command. Thanks.

chrisconway (Fri, 14 Apr 2017 16:11:27 GMT):
@LordGoodman My team is using docker to create our hyperledger network. We mapped out where the sample config certs and keys were placed on peers, cas, and orderers. After using openssl to create the crypto assets and copying them to our estimation of their homes, I run our custom start script. The ca with custom crypto crashes immediately. I'm currently working on a new 2003 parse error and am hopeful this suggests I have the crypto assets in the right places; my anticipated fix is to look into openssl commands for key formatting because I noticed a small difference between the sample private keys and the openssl keys.

rmohta (Fri, 14 Apr 2017 18:18:53 GMT):
Has joined the channel.

rmohta (Fri, 14 Apr 2017 18:19:08 GMT):
In examples/e2e_cli docker-compose file, we are not starting any container for fabric-ca. Is there any particular reason for that? If we don't have a ca, how will we enroll a new member?

mastersingh24 (Fri, 14 Apr 2017 19:49:36 GMT):
@rmohta - Yeah - well you'll notice that there is no direct tie between fabric and fabric-ca. The e2e_cli is a specific test / example just for fabric. Thinking about how best to provide an end to end package

bh4rtp (Sat, 15 Apr 2017 06:34:44 GMT):
hi, what has been changed for fabric-ca? make fabric-ca failed with an error at the beginning.

bh4rtp (Sat, 15 Apr 2017 06:34:49 GMT):
lib/tls/tls.go:62: cfg.CertFilesList undefined (type *ClientTLSConfig has no field or method CertFilesList)

bh4rtp (Sat, 15 Apr 2017 06:35:41 GMT):
```
lib/tls/tls.go:62: cfg.CertFilesList undefined (type *ClientTLSConfig has no field or method CertFilesList)
Makefile:97: recipe for target 'build/docker/bin/fabric-ca-client' failed
make: *** [build/docker/bin/fabric-ca-client] Error 2
```

choas (Sat, 15 Apr 2017 16:34:13 GMT):
Has joined the channel.

choas (Sat, 15 Apr 2017 16:35:47 GMT):
lib/tls/tls.go has to be adjusted at line 62:
```
- log.Debugf("CA Files: %s\n", cfg.CertFilesList)
+ log.Debugf("CA Files: %s\n", cfg.CertFiles)
```

bh4rtp (Sun, 16 Apr 2017 01:21:30 GMT):
@choas thanks. the bug is fixed.

bh4rtp (Sun, 16 Apr 2017 01:32:50 GMT):
Also, make fabric-ca cannot pass.

bh4rtp (Sun, 16 Apr 2017 01:32:57 GMT):
```
Removing intermediate container 14190e1faa08
Successfully built 0ac63939330e
docker tag hyperledger/openldap hyperledger/openldap:x86_64-1.0.0-snapshot-de5f4bd
Checking Go files for license headers ...
All go files have license headers
Running go vet ...
YOU MUST FIX THE FOLLOWING GO VET PROBLEMS:
lib/dbutil/dbutil.go:111: arg root for printf verb %s of wrong type: byte
Makefile:82: recipe for target 'vet' failed
make: *** [vet] Error 1
```

bh4rtp (Sun, 16 Apr 2017 01:53:46 GMT):
```
var root string
root = clientTLSConfig.CertFiles[0]
```

bh4rtp (Sun, 16 Apr 2017 01:54:33 GMT):
I just modified it like this to fix the go vet error.

kouohhashi (Sun, 16 Apr 2017 17:01:17 GMT):
Has joined the channel.

HubertYoung (Mon, 17 Apr 2017 03:47:42 GMT):
Has joined the channel.

HubertYoung (Mon, 17 Apr 2017 03:49:30 GMT):
How can fabric-ca be used to control the security of transactions? I cannot find any examples in the docs.

HubertYoung (Mon, 17 Apr 2017 03:51:09 GMT):
@mastersingh24 How do fabric and fabric-ca link with each other?

achraf17 (Mon, 17 Apr 2017 08:46:00 GMT):
Has joined the channel.

yong (Mon, 17 Apr 2017 09:05:40 GMT):
Has joined the channel.

yong (Mon, 17 Apr 2017 09:06:55 GMT):
A question: how do I configure fabric and fabric-ca so they can be linked together, e.g. for doing some account-based transactions?

net0410 (Mon, 17 Apr 2017 13:03:17 GMT):
Has joined the channel.

aambati (Mon, 17 Apr 2017 13:48:16 GMT):
@yp I see that no one replied to this question. type can be any arbitrary string from the Fabric CA perspective, but it might mean something in other hyperledger components

aambati (Mon, 17 Apr 2017 14:21:21 GMT):
@yp The value of "hf.Revoker" is not being checked, so it could be any value. As long as the "hf.Revoker" attribute is there for an identity, that identity is deemed a Revoker and is allowed to revoke another identity that is affiliated to the Revoker's affiliation... Having said that, I think it should check if hf.Revoker is set to true when determining if an identity has revoker authority. I will open a JIRA ticket to track this issue

aambati (Mon, 17 Apr 2017 14:39:29 GMT):
@yp If you have created a configuration file and specified that to the init command (via the -c option), then the -b option is ignored. You have to specify the bootstrap user information in the configuration file

aambati (Mon, 17 Apr 2017 14:43:24 GMT):
To add to my previous comment, -b option is only used when the server configuration file does not exist and fabric-ca-server is forced to create a default configuration file

aambati (Mon, 17 Apr 2017 15:22:52 GMT):
@bh4rtp This was fixed yesterday

assasinx93 (Mon, 17 Apr 2017 16:05:39 GMT):
Has joined the channel.

smithbk (Mon, 17 Apr 2017 18:26:02 GMT):
@HubertYoung The SDKs link them together. Which SDK are you using? Both the java and node SDKs have end-to-end examples which demonstrate how to get certs from fabric-ca and how to use them in fabric

smithbk (Mon, 17 Apr 2017 18:27:10 GMT):
For example, here is the java SDK's end-to-end example: https://github.com/hyperledger/fabric-sdk-java/blob/master/src/test/java/org/hyperledger/fabric/sdkintegration/End2endIT.java

smithbk (Mon, 17 Apr 2017 18:29:03 GMT):
@yong Did the above answer your question? If not, pls elaborate on "account based transaction"

chrisconway (Mon, 17 Apr 2017 23:47:27 GMT):
Please help clarify my interpretation of the docs. The CSR.cn field needs to be simultaneously set to the bootstrap user id and the hostname of the fabric-ca-server to bootstrap a fabric ca if the fabric ca will connect remotely over TLS. According to http://hyperledger-fabric.readthedocs.io/en/latest/Setup/ca-setup.html#enrolling-a-peer-identity "First, if needed, customize the CSR (Certificate Signing Request) section in the client configuration file. Note that csr.cn field must be set to the ID of the bootstrap user." AND "If you are going to connect to the fabric-ca-server remotely over TLS, replace “localhost” in the CSR section below with the hostname where you will be running your fabric-ca-server." according to http://hyperledger-fabric.readthedocs.io/en/latest/Setup/ca-setup.html#csr-fields

net0310 (Mon, 17 Apr 2017 23:53:55 GMT):
Has joined the channel.

YoungHoonKim (Tue, 18 Apr 2017 00:40:03 GMT):
Has joined the channel.

HubertYoung (Tue, 18 Apr 2017 03:25:01 GMT):
@smithbk Thanks. I haven't used the SDK.

yonchin (Tue, 18 Apr 2017 03:39:51 GMT):
Has joined the channel.

HubertYoung (Tue, 18 Apr 2017 03:48:02 GMT):
I ran the java end-to-end example and got an error.
```
2017-04-18 11:37:41 ERROR OrdererClient:129 - sendTransaction error Send transactions failed. Reason: INTERNAL
org.hyperledger.fabric.sdk.exception.TransactionException: Send transactions failed. Reason: INTERNAL
	at org.hyperledger.fabric.sdk.OrdererClient.sendTransaction(OrdererClient.java:128)
```

akshay.lawange (Tue, 18 Apr 2017 06:53:49 GMT):
Has joined the channel.

akshay.lawange (Tue, 18 Apr 2017 06:54:26 GMT):
Hi... I have got this error while creating the channel:
```
Error connecting: rpc error: code = 14 desc = grpc: RPC failed fast due to transport failure
Error: rpc error: code = 14 desc = grpc: RPC failed fast due to transport failure
```
Any ideas?

akshay.lawange (Tue, 18 Apr 2017 06:54:41 GMT):
i have used this command

akshay.lawange (Tue, 18 Apr 2017 06:54:42 GMT):
```
CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peer/peer0/localMspConfig CORE_PEER_ADDRESS=peer0:7051 CORE_PEER_LOCALMSPID="Org0MSP" peer channel create -o orderer:7050 -c mychannel -f crypto/orderer/channel.tx
```

net0310 (Tue, 18 Apr 2017 11:11:10 GMT):
@here

net0310 (Tue, 18 Apr 2017 11:11:14 GMT):
Is it possible that fabric-ca replaces Public Key Infrastructure in the real world?

net0310 (Tue, 18 Apr 2017 11:11:18 GMT):
I am confused by it..

smithbk (Tue, 18 Apr 2017 11:44:52 GMT):
@HubertYoung Jim @Jimthematrix or Rick @Rickr could answer this, or you probably want to post on the fabric-sdk-java channel for this as it is specific to the java SDK (if you haven't already)

smithbk (Tue, 18 Apr 2017 11:51:46 GMT):
@net0310 Yes, it is intended to be usable in the real world. Can you say what is confusing?

net0310 (Tue, 18 Apr 2017 11:57:33 GMT):
To certify a user or client, fabric-ca uses an RDBMS (hsqldb, mysql, ldap), not the blockchain network. Isn't it?

smithbk (Tue, 18 Apr 2017 11:59:35 GMT):
correct, but there will be multiple CAs (i.e. multiple roots of trust) transacting on a single blockchain

smithbk (Tue, 18 Apr 2017 12:02:38 GMT):
for example, if two companies have a bi-lateral contract and are transacting on the blockchain, each customer could have their own fabric-ca-server set up with totally different roots of trust, and the endorsement policy would require signatures from members under both CAs

smithbk (Tue, 18 Apr 2017 12:03:46 GMT):
does that help?

net0310 (Tue, 18 Apr 2017 12:04:26 GMT):
I think I understand now. thank you :)

smithbk (Tue, 18 Apr 2017 12:04:41 GMT):
yw

smithbk (Tue, 18 Apr 2017 12:08:23 GMT):
@akshay.lawange Not sure off the top of my head. Two suggestions: 1) Try posting to the "fabric-peer-endorser-committer" channel and 2) enable verbose debug if you haven't already.

akshay.lawange (Tue, 18 Apr 2017 12:47:35 GMT):
ok..thanks @smithbk i will try now..

suganuma (Tue, 18 Apr 2017 15:16:29 GMT):
@smithbk Hi, a quick question. Does the certificate returned from enroll and reenroll include the extra parameters specified in the request body (e.g. profile, label, hosts)? Maybe yes for hosts as "Alternative Names". How about the others? I'm writing a testcase to check them in sdk java. thanks.

luckydogchina (Wed, 19 Apr 2017 03:02:19 GMT):
Has joined the channel.

Amjadnz (Wed, 19 Apr 2017 06:56:11 GMT):
guys anybody to help here with my query?

Amjadnz (Wed, 19 Apr 2017 06:56:29 GMT):
Hyperledger Fabric 1.0

Amjadnz (Wed, 19 Apr 2017 06:56:45 GMT):
Docker installation of 3 peers, 1 orderer, 1 ca and 1 cli

Amjadnz (Wed, 19 Apr 2017 06:56:50 GMT):
```
peer0 | 2017-04-19 06:30:56.875 UTC [comm--1] sendToEndpoint -> WARN 345 Failed obtaining connection for peer0:7051, PKIid:[10 7 68 69 70
peer0 | 2017-04-19 06:30:56.877 UTC [comm--1] createConnection -> WARN 346 Remote endpoint claims to be a different peer, expected [112 101 101 114 48 58 55 48 53 49] but got [49 55 50 46 50 49 46 48 46 56 58 55 48 53 49]
peer0 | 2017-04-19 06:30:56.878 UTC [comm--1] sendToEndpoint -> WARN 347 Failed obtaining connection for peer0:7051, PKIid:[112 101 101 114 48 58 55 48 53 49] reason: Authentication failure
```

Amjadnz (Wed, 19 Apr 2017 06:56:57 GMT):
When I start the docker-compose

Amjadnz (Wed, 19 Apr 2017 06:57:18 GMT):
I get the error that there is an `Authentication failure` - as shown above

Amjadnz (Wed, 19 Apr 2017 06:57:35 GMT):
This is my docker-compose extract

Amjadnz (Wed, 19 Apr 2017 06:57:51 GMT):
```
peer0:
  container_name: peer0
  #image: sfhackfest22017/fabric-peer:x86_64-0.7.0-snapshot-c7b3fe0
  image: modified_peer_20170227_0:latest
  environment:
    - CORE_PEER_ADDRESSAUTODETECT=true
    - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
    - CORE_LOGGING_LEVEL=DEBUG
    - CORE_PEER_NETWORKID=peer0
    - CORE_NEXT=true
    - CORE_PEER_ENDORSER_ENABLED=true
    - CORE_PEER_ID=peer0
    - CORE_PEER_PROFILE_ENABLED=true
    - CORE_PEER_COMMITTER_LEDGER_ORDERER=orderer:7050
    - CORE_PEER_GOSSIP_ORGLEADER=true
    - CORE_PEER_GOSSIP_IGNORESECURITY=true
    - CORE_LEDGER_STATE_STATEDATABASE=CouchDB
    - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb0:5984
  working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
  command: peer node start --peer-defaultchain=false
  ports:
    - 8051:7051
    - 8053:7053
  links:
    - orderer:orderer
    - couchdb0:couchdb0
  depends_on:
    - orderer
    - couchdb0
  volumes:
    - /var/run/:/host/var/run/
    - ./tmp/peer0:/etc/hyperledger/fabric/msp/sampleconfig
    - /home/tts/src/:/etc/tts/src
  networks:
    - bridge
```

Amjadnz (Wed, 19 Apr 2017 06:58:33 GMT):
Can I regenerate the PKIs of the peer and associate them with the CA?

Amjadnz (Wed, 19 Apr 2017 08:46:19 GMT):
```
peer0 | 2017-04-19 08:36:15.527 UTC [comm--1] createConnection -> WARN 235 Remote endpoint claims to be a different peer, expected [112 101 101 114 48 58 55 48 53 49] but got [49 55 50 46 50 49 46 48 46 56 58 55 48 53 49]
peer0 | 2017-04-19 08:36:15.527 UTC [comm--1] sendToEndpoint -> WARN 236 Failed obtaining connection for peer0:7051, PKIid:[112 101 101 114 48 58 55 48 53 49] reason: Authentication failure
```

Amjadnz (Wed, 19 Apr 2017 08:46:32 GMT):
Same error I got - can anybody from CA team help me here?

Amjadnz (Wed, 19 Apr 2017 08:46:55 GMT):
I tried clearing all the containers and recreating them

Amjadnz (Wed, 19 Apr 2017 08:47:14 GMT):
Channel creation is fine - CouchDB is getting updated and a new DB is created as well

Amjadnz (Wed, 19 Apr 2017 08:47:25 GMT):
When I want to deploy this particular error is coming up

hustmark (Wed, 19 Apr 2017 08:57:57 GMT):
Has joined the channel.

steigensonne (Wed, 19 Apr 2017 10:02:32 GMT):
I have two questions on ACL. 1) When is "affiliation" used, and how does it work? Actually, I put different affiliations on each different user, but it seems not to be working. 2) In version 0.6, we can use the specific attributes of ACL at runtime in chaincode, but how can I use them in the same way in version 1.0? I hope I could get answers. Appreciate your advice and help in advance.

MEDALIZML (Wed, 19 Apr 2017 10:24:26 GMT):
Has joined the channel.

SotirisAlfonsos (Wed, 19 Apr 2017 10:38:21 GMT):
Has joined the channel.

assasinx93 (Wed, 19 Apr 2017 16:34:36 GMT):
Hi guys,

assasinx93 (Wed, 19 Apr 2017 16:34:53 GMT):
I wanted to create a new user and enroll it with the FabricCA service.

assasinx93 (Wed, 19 Apr 2017 16:35:31 GMT):
Will the FabricCAImpl.js class do this for me? (create .pem encoded certs)

JohnWhitton (Wed, 19 Apr 2017 19:05:29 GMT):
Has joined the channel.

mastersingh24 (Wed, 19 Apr 2017 21:51:24 GMT):
@assasinx93 Basically - https://fabric-sdk-node.github.io/FabricCAClient.html - look at the register and enroll methods

ada-wang (Thu, 20 Apr 2017 01:55:41 GMT):
Has joined the channel.

lignyxg (Thu, 20 Apr 2017 02:04:57 GMT):
Does fabric v1 use T-certs ? I don't see any configuration like "CORE_PEER_PKI_TCA_PADDR" in v0.6

assasinx93 (Thu, 20 Apr 2017 04:16:50 GMT):
@mastersingh24 Yeah I was looking at that today. Thanks. I'll do some experimentation and see if it works.

akshay111meher (Thu, 20 Apr 2017 07:23:20 GMT):
Has joined the channel.

artemius22 (Thu, 20 Apr 2017 07:53:59 GMT):
Has joined the channel.

joe-alewine (Thu, 20 Apr 2017 15:54:46 GMT):
Has joined the channel.

smithbk (Thu, 20 Apr 2017 19:25:05 GMT):
@lignyxg A lot of the work for tcerts was done in fabric-ca but could not be contained for v1 in fabric and SDKs, so that should be coming in v1.1, assuming the community agrees. But you can of course use ecerts. Do you have a need for tcerts now, or just asking?

smithbk (Thu, 20 Apr 2017 19:29:00 GMT):
@steigensonne 1) Affiliations are currently used as follows: a) During registration. See #2 under http://hyperledger-fabric.readthedocs.io/en/latest/Setup/ca-setup.html#registering-a-new-identity and b) during revocation. See http://hyperledger-fabric.readthedocs.io/en/latest/Setup/ca-setup.html#revoking-a-certificate-or-identity

smithbk (Thu, 20 Apr 2017 19:30:24 GMT):
2) The ability to get attributes from tcerts in chaincode should come in v1.1, again subject to community approval

smithbk (Thu, 20 Apr 2017 19:35:57 GMT):
@Amjadnz I can't tell what is causing the authentication failure from the default logs. The best would be if you could upload instructions on how to reproduce with a docker-compose file, etc to a jira item. Once you do that, if you'll ping me, I'll be glad to take a look.

smithbk (Thu, 20 Apr 2017 19:38:38 GMT):
@Amjadnz WRT your question "Can I regenerate the PKIs of the peer and associate with CA." ... No, CA server must issue the cert

smithbk (Thu, 20 Apr 2017 19:39:31 GMT):
You can use the "fabric-ca-client enroll" or "fabric-ca-client reenroll" commands on the peer to get ecerts for the peer

lignyxg (Fri, 21 Apr 2017 03:02:35 GMT):
@smithbk Thanks for your reply. I was just asking, since Tcerts in 0.6 can protect privacy for counterparties in some degree right? It'll be nice for v1.0 to have the same capacity

AngelMilanov (Fri, 21 Apr 2017 08:12:43 GMT):
Has joined the channel.

jinyu18 (Fri, 21 Apr 2017 08:13:13 GMT):
Has joined the channel.

ada-wang (Fri, 21 Apr 2017 09:05:45 GMT):
hello, guys. I found that fabric-ca had a merge on Apr 19. And when I remake, fabric-ca:x86_64-1.0.0-snapshot-e583181 is OK. But,

ada-wang (Fri, 21 Apr 2017 09:05:46 GMT):
```
+ rm -f /etc/dpkg/dpkg.cfg.d/02apt-speedup
+ rm -rf /container/file
rm: cannot remove '/container/file': Directory not empty
The command '/bin/sh -c /container/build.sh' returned a non-zero code: 1
make: *** [build/image/openldap/.dummy-x86_64-1.0.0-snapshot-e583181] Error 1
```

ada-wang (Fri, 21 Apr 2017 09:06:11 GMT):
BUT, make openldap has an error

mcao (Fri, 21 Apr 2017 12:32:28 GMT):
Has joined the channel.

mcao (Fri, 21 Apr 2017 14:22:15 GMT):
Hi guys, I suppose that perhaps I am not the first one to ask this, but... is there any detailed tutorial (e.g. step-by-step) about how to generate certificates by using fabric-ca and then configuring fabric accordingly? I already read all the documentation in http://hyperledger-fabric.readthedocs.io. Perhaps I am lacking some background knowledge, but I am having trouble configuring properly a simple fabric network from the certificates issued by fabric-ca. Thanks in advance.

Amjadnz (Sat, 22 Apr 2017 14:34:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zswXFogguXaE8Xpi3) @smithbk Thanks - I would try that and would update the group

Amjadnz (Sat, 22 Apr 2017 14:36:05 GMT):
@smithbk have you ever come across a message like the below?

Amjadnz (Sat, 22 Apr 2017 14:36:11 GMT):
```
peer chaincode instantiate -o orderer0:7050 --tls false --cafile $GOPATH/src/github.com/hyperledger/fabric/peer/crypto/orderer/localMspConfig/cacerts/ordererOrg0.pem -C aj005 -n aj005 -v 1.0 -p tts/sc/user05 -c '{"Args":["init"]}' -P "OR ('Org0MSP.member')"
```

Amjadnz (Sat, 22 Apr 2017 14:36:40 GMT):
Response after waiting for 5 minutes or so

Amjadnz (Sat, 22 Apr 2017 14:36:44 GMT):
```
2017-04-22 11:37:07.148 UTC [logging] InitFromViper -> DEBU 001 Setting default logging level to DEBUG for command 'chaincode'
2017-04-22 11:37:07.163 UTC [msp] GetLocalMSP -> DEBU 002 Returning existing local MSP
2017-04-22 11:37:07.163 UTC [msp] GetDefaultSigningIdentity -> DEBU 003 Obtaining default signing identity
2017-04-22 11:37:07.174 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 004 Using default escc
2017-04-22 11:37:07.174 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 005 Using default vscc
2017-04-22 11:37:07.177 UTC [msp] Sign -> DEBU 006 Sign: plaintext: 0A8B050A5508032205616A3030352A40...304D53500A04657363630A0476736363
2017-04-22 11:37:07.177 UTC [msp] Sign -> DEBU 007 Sign: digest: C0955F453C7309BFB4096941118E7F28B3901A655C2E08C6365D36027EF3388B
Error: Error endorsing chaincode: rpc error: code = 2 desc = Timeout expired while starting chaincode aj005:1.0(networkid:dev,peerid:peer0,tx:3edd80708ea8ed61285933575b094356a743d142c6431ef8445f9120d932d136)
```

Amjadnz (Sat, 22 Apr 2017 14:37:05 GMT):
The issue is the "Timeout" - I can see the docker containers being created.

Amjadnz (Sat, 22 Apr 2017 14:37:45 GMT):
docker images output

Amjadnz (Sat, 22 Apr 2017 14:37:49 GMT):
```
REPOSITORY            TAG      IMAGE ID       CREATED       SIZE
dev-peer0-aj005-1.0   latest   ca2bae4d3179   3 hours ago   176 MB
dev-peer0-aj004-1.0   latest   e6773217c7e4   4 hours ago   176 MB
dev-peer0-aj002-1.0   latest   f3e828838f17   2 days ago    176 MB
```

Amjadnz (Sat, 22 Apr 2017 14:38:28 GMT):
I tried many versions - as you can see v2 to v5 to make this happen but each time the same stuff.

Amjadnz (Sat, 22 Apr 2017 14:38:59 GMT):
My init function is also very small just returns `shim.Success(nil)`

Amjadnz (Sat, 22 Apr 2017 14:39:15 GMT):
Steps followed were

Amjadnz (Sat, 22 Apr 2017 14:44:24 GMT):
```
Step 1: Create new channel with TX and BLOCK files (as per the getting started on fabric site)
Step 2: Create a new channel at the start up by passing the channel name
        CHANNEL_NAME=aj005 docker-compose -f ./docker-compose.yaml up -d
Step 3: Create a new network of peers using docker-compose.yaml; this creates
        4 Peers: Peer 0, Peer 1 (for ORG0) and Peer 2, Peer 3 (for ORG1)
        1 Orderer
        4 Couch DB State DBs
        1 Fabric CA
        1 Cli
Step 4: All start up fine and I login to CLI (as per the fabric site)
Step 5: Create channels again within CLI (by passing peer0 to peer3) - All looks fine.
Step 6: Join the channels - all is fine here too (no errors)
Step 7: Deploy the chaincode - all fine here too (no errors)
Step 8: Initialize the chain code - here is where things break and I cannot get the container up and running.
```

Amjadnz (Sat, 22 Apr 2017 14:44:38 GMT):
Can anybody help here?

ioctl (Sat, 22 Apr 2017 16:33:17 GMT):
Has joined the channel.

assasinx93 (Sat, 22 Apr 2017 19:12:40 GMT):
Hi guys, what are the attributes we should register a new user with so that we can invoke chaincode with that user?

s.narayanan (Sat, 22 Apr 2017 21:51:49 GMT):
A few questions related to fabric-ca:
1. What is stored within the fabric-ca database? If an external LDAP is used, then user attributes (for authorization) will be pulled from LDAP and not stored locally in the fabric-ca database? Also, for HA, is it necessary to use MySQL or Postgres, or is the default SQLite sufficient?
2. Consider a scenario where two organizations are part of a channel, and the trust model is federated in that each organization will run its own Certification Authority that will be used to register and enroll its users and the fabric components (such as peer nodes) that are owned and operated by the organization. In this model, should a Root CA be used to establish trust between the organizations (i.e. a Root CA issuing certs to the organizations' intermediate CAs)? For instance, an endorsing peer in organization 2 needs to be able to trust the signer certificate from organization 1 (that has been used to sign the transaction proposal). Does this not create a single point of trust? Can organizations choose to use different Root CAs? If they can, how is this configured? Appreciate any pointers to relevant documentation ...

chiutceric (Sun, 23 Apr 2017 13:50:49 GMT):
Has joined the channel.

assasinx93 (Sun, 23 Apr 2017 17:28:01 GMT):
Does anyone know what user attributes to set for a new user so that they can use invoke functions from the chaincode?

Willson (Mon, 24 Apr 2017 02:09:22 GMT):
@mcao I have the same question, did you find a solution?

mcao (Mon, 24 Apr 2017 07:25:13 GMT):
@Willson unfortunately not yet

HubertYoung (Mon, 24 Apr 2017 08:27:33 GMT):
Any ideas about this error?
```
2017-04-24 16:10:53 ERROR EventHub:206 - EventHub:peer1 terminated is false shutdown is false has error UNKNOWN: Error during Chat, stopping handler: stream error: code = 13 desc = "grpc: failed to unmarshal the received message proto: peer.Register: illegal tag 0 (wire type 2)"
org.hyperledger.fabric.sdk.exception.EventHubException: io.grpc.StatusRuntimeException: UNKNOWN: Error during Chat, stopping handler: stream error: code = 13 desc = "grpc: failed to unmarshal the received message proto: peer.Register: illegal tag 0 (wire type 2)"
	at org.hyperledger.fabric.sdk.EventHub$2.onError(EventHub.java:207)
	at io.grpc.stub.ClientCalls$StreamObserverToCallListenerAdapter.onClose(ClientCalls.java:392)
	at io.grpc.internal.ClientCallImpl.closeObserver(ClientCallImpl.java:428)
	at io.grpc.internal.ClientCallImpl.access$100(ClientCallImpl.java:76)
	at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl.close(ClientCallImpl.java:514)
	at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl.access$700(ClientCallImpl.java:431)
	at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInContext(ClientCallImpl.java:546)
	at io.grpc.internal.ContextRunnable.run(ContextRunnable.java:52)
	at io.grpc.internal.SerializingExecutor$TaskRunner.run(SerializingExecutor.java:152)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
```

warm3snow (Mon, 24 Apr 2017 08:46:25 GMT):
Does anyone know how to set the public key when executing `enroll`? In fabric-ca, it seems the fabric-ca-server returns `key.pem` and `cert.pem`. Now I want to generate my own keypair.

cshields (Mon, 24 Apr 2017 10:17:04 GMT):
Has joined the channel.

warm3snow (Mon, 24 Apr 2017 10:39:53 GMT):
In fabric-ca, the fabric-ca-server returns `key.pem` and `cert.pem`. Now I want to generate my own keypair. Is there a config like `--enrollment.publickey` in the `fabric-ca-client enroll -u http://x:x@ip:port` CLI command?

LordGoodman (Mon, 24 Apr 2017 11:01:58 GMT):
How to generate certificates like those under e2e_cli/crypto?

warm3snow (Mon, 24 Apr 2017 11:05:19 GMT):
@LordGoodman [Fabric-CA](http://hyperledger-fabric.readthedocs.io/en/latest/Setup/ca-setup.html)

LordGoodman (Mon, 24 Apr 2017 11:08:06 GMT):
@warm3snow yes, could I do this through openssl?

warm3snow (Mon, 24 Apr 2017 11:14:09 GMT):
@LordGoodman I think it's ok

LordGoodman (Mon, 24 Apr 2017 11:20:31 GMT):
@warm3snow how? I tried a few times, but it just broke my heart.

YoungHoonKim (Mon, 24 Apr 2017 12:09:28 GMT):
Is one channel one chaincode? Or can one channel have many chaincodes?

toddinpal (Mon, 24 Apr 2017 12:19:09 GMT):
@YoungHoonKim Many chaincodes can be deployed to a single channel

YoungHoonKim (Mon, 24 Apr 2017 12:23:58 GMT):
thank you.

net0310 (Mon, 24 Apr 2017 12:40:50 GMT):
@toddinpal How can I configure multiple chaincodes on one single channel?

net0310 (Mon, 24 Apr 2017 12:40:54 GMT):
Can I get any sample codes?

ashutosh_kumar (Mon, 24 Apr 2017 13:41:06 GMT):
@LordGoodman , I answered your q on Fabric Crypto channel.

aambati (Mon, 24 Apr 2017 15:24:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CcW4CveKqFMXqKjG9) @s.narayanan 1. Currently certs, affiliations and identities are stored in the CA db... yes, if LDAP is used, identities are not stored in the DB, rather pulled from LDAP. 2. A root CA issuing certs to orgs' intermediate CAs is one way to establish trust between orgs. I am sure orgs can have different root CAs and establish trust, but not sure exactly how though, as I am still new to this... Maybe posting this question in another channel like fabric-questions might get an answer

AramBarnett (Mon, 24 Apr 2017 15:43:49 GMT):
Has joined the channel.

smithbk (Mon, 24 Apr 2017 15:45:27 GMT):
@s.narayanan No, a channel can (and most often should) have multiple roots of trust so that there is no SPoT. So in your example of a channel with two orgs, there would be a separate CA associated with each org and the channel contains an endorsement policy which requires signatures from both orgs. The fabric/examples/e2e_cli is an example which has two different orgs

smithbk (Mon, 24 Apr 2017 15:49:38 GMT):
Have you seen the end-to-end example at https://github.com/hyperledger/fabric/blob/master/examples/e2e_cli/end-to-end.rst

s.narayanan (Mon, 24 Apr 2017 16:41:50 GMT):
@aambati please clarify what you meant by affiliations

dhwang (Mon, 24 Apr 2017 17:26:54 GMT):
How does one enable TLS communication from an intermediate CA to a root CA? Without TLS, the intermediate CA can be started with
```
fabric-ca-server start -c /etc/hyperledger/fabric-ca/int-ca.yaml -d -b admin:adminpw --url http://admin:adminpw@root_ca_ip:7054
```
But with HTTPS, I get the following error:
```
2017/04/24 17:23:05 [DEBUG] Client Cert or Key not provided, if server requires mutual TLS, the connection will fail: open : no such file or directory
```
Mutual TLS is not enabled on the root CA. It seems to me that the intermediate CA shouldn't have to specify a client cert when initializing.

rennman (Mon, 24 Apr 2017 18:23:27 GMT):
@dhwang correct, you shouldn't need a client cert when initializing (I think 'Client Cert or Key not provided' is merely informational, hence the ). You just need to validate the cert of the server to which you're connecting by providing a list of trusted signing CAs using the 'tls.clientauth.certfiles' parameter. The nomenclature 'clientauth' might be misleading... in this case it just indicates the policy that governs how client authentication will be handled. So if clientauth.type = noclientcert (the default), then tls.clientauth.certfiles will not be used

rennman (Mon, 24 Apr 2017 18:25:22 GMT):
@dhwang oops, mis-spoke, tls.clientauth.certfiles *will* be used (to validate the server cert) but a client cert (on the side that opens the connection) will not be needed

skarim (Mon, 24 Apr 2017 18:34:05 GMT):
@dhwang Your intermediate CA is essentially working like a client; in your intermediate CA config file you will need to have `tls.Certfiles` that will point to a list of trusted signing certificates of the Root CA certificate

aambati (Mon, 24 Apr 2017 18:58:04 GMT):
@s.narayanan I think of affiliations as hierarchical tags..each identity can be tagged (affiliated) to (with) one affiliation in the hierarchy. When an identity is associated with an affiliation, it is affiliated with that and all the child affiliations. See @smithbk answer on how affiliations are used in Fabric CA: https://chat.hyperledger.org/channel/fabric-ca?msg=Gg9RiTnKD8gjFXZjP

pand (Tue, 25 Apr 2017 03:09:44 GMT):
Has joined the channel.

joe-alewine (Tue, 25 Apr 2017 03:27:04 GMT):
Can someone describe the difference in the kinds of background information (I've seen it described as "information-scoped messages") peers share when they were registered by one CA with different instances as compared to the information peers share when they were registered by entirely different CAs? Thanks.

rmohta (Tue, 25 Apr 2017 06:06:43 GMT):
Does anyone know how to resolve the below error for fabric-ca?
```
2017/04/25 05:25:21 [DEBUG] validate local profile
2017/04/25 05:25:21 [DEBUG] profile is valid
2017/04/25 05:25:21 [DEBUG] Loading CA: /etc/hyperledger/fabric-ca-server/ca-cert.pem
2017/04/25 05:25:21 [DEBUG] Loading CA key: /etc/hyperledger/fabric-ca-server/ca-key.pem
2017/04/25 05:25:21 [DEBUG] validating configuration
2017/04/25 05:25:21 [DEBUG] validate local profile
2017/04/25 05:25:21 [DEBUG] profile is valid
2017/04/25 05:25:21 [DEBUG] validate local profile
2017/04/25 05:25:21 [DEBUG] profile is valid
2017/04/25 05:25:21 [DEBUG] Initializing TCert handler
2017/04/25 05:25:21 [DEBUG] TLS is enabled
2017/04/25 05:25:21 [INFO] Listening at https://0.0.0.0:7054
2017/04/25 05:34:13 http: TLS handshake error from 172.20.0.1:33966: tls: oversized record received with length 21536
2017/04/25 05:34:13 http: TLS handshake error from 172.20.0.1:33968: tls: oversized record received with length 21536
```

rmohta (Tue, 25 Apr 2017 06:08:11 GMT):
^^ This happens when I try to enroll a user from NodeSDK

mcao (Tue, 25 Apr 2017 07:19:59 GMT):
@rmohta, that happened to me too...

jworthington (Tue, 25 Apr 2017 09:34:03 GMT):
I get the same handshake error, except EOF instead of oversized record. In Node I am getting "cert not for signing". I assume I have the wrong cert somewhere. I am not using the local docker image but a remote CA server. I have no issues using the ca-client to enroll remotely. But I can't get it to work in Node. It's killing me.

Amjadnz (Tue, 25 Apr 2017 12:31:37 GMT):
Hi, a question if anybody is aware: how do I limit a particular PEER to executing a particular method on the SMART contract? I mean, I have a security setup done in chaincode that does all the CRUD on the Role Document. I do not want anyone other than peer0 to call this method, let's take the "Create role" method. All can execute "queries", no issues there, but creating and updating I have to restrict. Any ideas?

Amjadnz (Tue, 25 Apr 2017 12:37:09 GMT):
Forget that - I found it in the samples

Amjadnz (Tue, 25 Apr 2017 12:37:10 GMT):
thanks again

HubertYoung (Tue, 25 Apr 2017 12:56:45 GMT):
Hi. I configured the fabric-ca-server to connect to Postgres, but I can't find any tables created in the database. Any ideas?

berserkr (Tue, 25 Apr 2017 13:48:27 GMT):
You have to do that as well

berserkr (Tue, 25 Apr 2017 13:48:38 GMT):
when you write the if

berserkr (Tue, 25 Apr 2017 13:48:57 GMT):
you need to explicitly create the tables

HubertYoung (Tue, 25 Apr 2017 14:05:37 GMT):
@berserkr But the end2end example runs correctly and I can't find the db file generated by sqlite3 in the path /etc/hyperledger/fabric-ca-server. That's strange.

smithbk (Tue, 25 Apr 2017 14:22:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WSDaGZPdL3ob5WFfd) @joe-alewine Can you point to where you've seen the term "information-scoped messages"? If you haven't already, I recommend posting to the fabric-gossip channel as this is controlled by gossip. At a high level, I believe gossip will route according to the channel's application readers policy which is part of the configuration block for that channel and tied to the MSPs for that channel. If you then have a single MSP with multiple orgs, then gossip would send messages to peers in all of those orgs. But if you have a one-to-one mapping between MSPs and orgs, then gossip would route to only the peers associated with those MSPs/orgs. @yacovm Is that correct?

yacovm (Tue, 25 Apr 2017 14:24:17 GMT):
It's not precise.

yacovm (Tue, 25 Apr 2017 14:24:27 GMT):
Thanks a lot for the tagging Keith :)

yacovm (Tue, 25 Apr 2017 14:24:40 GMT):
@joe-alewine can we take it to the #fabric-gossip channel?

yacovm (Tue, 25 Apr 2017 14:24:44 GMT):
I'll explain

joe-alewine (Tue, 25 Apr 2017 14:24:48 GMT):
@smithbk Saw it here: https://gerrit.hyperledger.org/r/#/c/8273/1

joe-alewine (Tue, 25 Apr 2017 14:24:50 GMT):
Sure

smithbk (Tue, 25 Apr 2017 14:24:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4d4JzazKS7DEeXWsX) @HubertYoung @skarim Hmm, Saad should be able to help

joe-alewine (Tue, 25 Apr 2017 14:24:53 GMT):
:)

yacovm (Tue, 25 Apr 2017 14:25:13 GMT):
@smithbk thanks for the tagging

skarim (Tue, 25 Apr 2017 14:36:25 GMT):
@HubertYoung Hi Hubert, can you enable debug mode on the server and provide the logs? It will allow us to see what is happening.

smithbk (Tue, 25 Apr 2017 14:37:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZjQXussuQ3C5EPiPb) @rmohta @jimthematrix Jim, have you seen this?

smithbk (Tue, 25 Apr 2017 14:38:15 GMT):
This is from node SDK

rmohta (Tue, 25 Apr 2017 14:39:00 GMT):
@smithbk when I changed my CA url from http://ca:7054 to https://ca:7054 - I got the above error in addition to `tls: EOF`

smithbk (Tue, 25 Apr 2017 15:21:16 GMT):
@rmohta So is TLS enabled on fabric-ca?

rmohta (Tue, 25 Apr 2017 15:22:00 GMT):
Yes

smithbk (Tue, 25 Apr 2017 15:55:13 GMT):
Is this happening on chaincode install?

jimthematrix (Tue, 25 Apr 2017 16:25:17 GMT):
@rmohta @smithbk I haven't seen this error personally, but from googling it seems this happens when either side of the TLS connection doesn't have TLS enabled. From the log the fabric-ca server is clearly TLS enabled, so you should double-check that you are instructing the SDK to connect with TLS enabled, by passing a tlsOptions object to the constructor of FabricCAClient:
```
new caService(caUrl, tlsOptions);
```
The object should have two properties:
```
var tlsOptions = { trustedRoots: [], verify: false };
```

jimthematrix (Tue, 25 Apr 2017 16:25:55 GMT):
using `verify: false` allows you to blindly trust the server certs during TLS handshake so you don't have to configure the trusted root, obviously you should only do this during development

matanyahu (Tue, 25 Apr 2017 19:09:22 GMT):
I hope that I am asking this question in a right place: Can anyone redirect me to the documentation where it can be explained how a combination of eCerts and tCerts guarantees, that on the one hand transactions written into the ledger will remain confidential but will be easily linkable to a particular identity? I understand that transactions are signed by a handshake of public tCerts from party A and B. However, I am not sure how is an auditor capable of linking these with A and B.

rmohta (Tue, 25 Apr 2017 22:56:14 GMT):
@jimthematrix ah that makes sense. What should the trustedRoots have here? location of cacerts.pem file?

William_weicong (Wed, 26 Apr 2017 01:58:36 GMT):
Has joined the channel.

prashiyn (Wed, 26 Apr 2017 05:40:57 GMT):
Has joined the channel.

mcao (Wed, 26 Apr 2017 08:48:11 GMT):
@smithbk Hi, first of all thank you very much for your replies and help. I think I understand how to use fabric-ca to issue MSP certificates and how to configure them in fabric. But regarding the TLS certificates... can fabric-ca be used to issue them too, or is it a completely different matter? If yes, how, or which of the generated MSP certificates should be eligible? Sorry if the question does not make too much sense because I am no expert in TLS. Thanks again!!! =)

swangbj (Wed, 26 Apr 2017 09:24:56 GMT):
Has joined the channel.

smithbk (Wed, 26 Apr 2017 11:30:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=y78oKiLTha2oJ8f7g) @matanyahu TCert support has been deferred until v1.1, so that is the reason there is no documentation describing all of this. But just to clarify, TCerts provide anonymity and unlinkability, unless sufficient secret info is shared with an auditor. But this will be documented in v1.1.

jimthematrix (Wed, 26 Apr 2017 12:40:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jAqj96hg28ciJuFbH) @rmohta must be the data for the ca root certs (byte[])

tixu (Wed, 26 Apr 2017 12:41:49 GMT):
Has joined the channel.

smithbk (Wed, 26 Apr 2017 13:16:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ujzamAuoXMT8CAniE) @mcao Hi, you should be able to use an ecert for TLS also. For example, change core.yaml's settings so that peer.tls.cert points to msp/signcerts/cert.pem and peer.tls.key points to msp/keystore/key.pem. Let me know if you have issues or want to talk further

SyneBlockChainTeam (Wed, 26 Apr 2017 14:11:24 GMT):
we are getting the following error in fabric-ca-client..
```
$~/work/src/github.com/hyperledger/fabric-ca$ fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
2017/04/26 19:24:35 [INFO] User provided config file: /home/sharadsharma/.fabric-ca-client/fabric-ca-client-config.yaml
2017/04/26 19:24:35 [INFO] Configuration file location: /home/sharadsharma/.fabric-ca-client/fabric-ca-client-config.yaml
2017/04/26 19:24:35 Initialize BCCSP [SW]
2017/04/26 19:24:35 [INFO] received CSR
2017/04/26 19:24:35 [INFO] generating key: ecdsa-256
2017/04/26 19:24:35 [INFO] encoded CSR
2017/04/26 19:24:35 [FATAL] Error response from server was: Authorization failure
```

smithbk (Wed, 26 Apr 2017 14:15:56 GMT):
Debug logging on the fabric-ca-server should give you the reason for the auth failure. We can't give more info to the client for security reasons

smithbk (Wed, 26 Apr 2017 16:48:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XpRDAqYcBgk3cNgcK) @SyneBlockChainTeam Did you find the reason?

greg.haskins (Thu, 27 Apr 2017 02:10:13 GMT):
@smithbk @JonathanLevi are we doing anything with TLS + CA these days?

greg.haskins (Thu, 27 Apr 2017 02:10:46 GMT):
im interested in integrating this: https://gerrit.hyperledger.org/r/#/c/8579/ with CA

greg.haskins (Thu, 27 Apr 2017 02:11:47 GMT):
IOW, I want to inject a config/key-pair into a fabric-ca container just as I do for the orderer/peers and stand it up as part of that composition

greg.haskins (Thu, 27 Apr 2017 02:11:58 GMT):
I assume that is supported.. now it's just a question of '

greg.haskins (Thu, 27 Apr 2017 02:12:09 GMT):
"how" but I figured I'd start at the source

ansonlau3 (Thu, 27 Apr 2017 06:41:23 GMT):
Has joined the channel.

enidz (Thu, 27 Apr 2017 09:06:13 GMT):
Has joined the channel.

kelvinzhong (Thu, 27 Apr 2017 10:26:54 GMT):
Hi, I'm trying to understand what's the advantage of using a tcert instead of just using the ecert to sign the data.

kelvinzhong (Thu, 27 Apr 2017 10:26:59 GMT):
anyone could help?

smithbk (Thu, 27 Apr 2017 12:45:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qo7hHxCmrA2iJh43X) @greg.haskins Greg, you can use the following env vars to enable TLS and set TLS cert and key file: FABRIC_CA_SERVER_TLS_ENABLED, FABRIC_CA_SERVER_TLS_CERTFILE, FABRIC_CA_SERVER_TLS_KEYFILE. BTW, you can always generate a config file as follows and the comments in the header give instructions about configuration options, using command line or env vars: fabric-ca-server init -b admin:adminpw

smithbk (Thu, 27 Apr 2017 12:48:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sAcM25n4z27MSyefS) @kelvinzhong TCerts will be supported in v1.1, but the advantage is that they provide anonymity (can't tell by looking on the ledger who performed the transaction) and unlinkability (in addition to not knowing who performed the transaction, you also can't tell by looking on the ledger that 2 transactions were performed by the same user)

dbshah (Thu, 27 Apr 2017 13:37:02 GMT):
Has joined the channel.

dbshah (Thu, 27 Apr 2017 13:49:25 GMT):
https://jira.hyperledger.org/browse/FAB-3457, opened this issue, please let me know if i need to add more info

rohitbordia (Thu, 27 Apr 2017 17:01:41 GMT):
Hi guys

rohitbordia (Thu, 27 Apr 2017 17:02:05 GMT):
looking at this document to install fabric-ca: http://hyperledger-fabric.readthedocs.io/en/latest/Setup/ca-setup.html

rohitbordia (Thu, 27 Apr 2017 17:02:15 GMT):
is this the correct document?

rohitbordia (Thu, 27 Apr 2017 21:51:50 GMT):
`github.com/miekg/pkcs11/pkcs11.go:29:18: fatal error: ltdl.h: No such file or directory`

rohitbordia (Thu, 27 Apr 2017 21:52:00 GMT):
anyone had this issue?

silliman (Thu, 27 Apr 2017 23:03:03 GMT):
@rohitbordia This is a common problem and the fix is to install *libtool* and *libltdl-dev* (your package name may vary depending on your platform) https://jira.hyperledger.org/browse/FAB-2854

aambati (Fri, 28 Apr 2017 01:11:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9mibMeWmd8RWjfEY6) @rohitbordia that is the correct document

bmkor (Fri, 28 Apr 2017 02:33:23 GMT):
Has joined the channel.

bmkor (Fri, 28 Apr 2017 02:36:24 GMT):
Hi all. In starting the ca server, I can specify the parent ca server via -u. But I can't see an attempt to connect to the parent ca server in the debug log. Is it normal? Appreciate any help. Thanks.

bmkor (Fri, 28 Apr 2017 02:52:25 GMT):
My bad. Found the relevant document.

bmkor (Fri, 28 Apr 2017 04:05:41 GMT):
Sorry guys. After going through the document and trying to init the ca server by supplying the parent url, it still goes without asking the parent URL for enrolment. Did browse through the server_test.go for the case of intermediate CA server but still can't make it. Any help? [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=P6ruyKfTf32JqEnyk) @bmkor

kelvinzhong (Fri, 28 Apr 2017 05:46:58 GMT):
@smithbk that makes sense! And thx for the reply!

sandroku63 (Fri, 28 Apr 2017 07:22:38 GMT):
Has joined the channel.

wsh_bob (Fri, 28 Apr 2017 08:08:34 GMT):
Has joined the channel.

saism (Fri, 28 Apr 2017 08:47:56 GMT):
I get 404 on using the getcacert command; enroll and register are working fine. Any known reason for this?

bmkor (Fri, 28 Apr 2017 08:54:15 GMT):
Succeeded in connecting to parent server finally. However, the arg -u seems not working. I included parentserverurl in .yaml in order to connect to the parent server. [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wSBbLX2KKmys29u8F) @bmkor

houssemchebbi (Fri, 28 Apr 2017 11:39:48 GMT):
Has joined the channel.

vugranam (Fri, 28 Apr 2017 12:13:00 GMT):
Has joined the channel.

jkirke (Fri, 28 Apr 2017 15:04:36 GMT):
Has left the channel.

rohitbordia (Fri, 28 Apr 2017 17:57:42 GMT):
`fabric-ca-server start -c` is not picking up the config file, any idea?

smithbk (Fri, 28 Apr 2017 19:48:53 GMT):
It is working for me ... are you using the latest? What exactly are you passing? A relative or absolute path?

smithbk (Fri, 28 Apr 2017 19:49:48 GMT):
```
Keiths-MBP:bin keith$ fabric-ca-server start -b a:b -c /tmp/config.yaml
2017/04/28 15:49:16 [INFO] Created default configuration file at /tmp/config.yaml
2017/04/28 15:49:16 [INFO] Starting server in home directory: /tmp
2017/04/28 15:49:16 [INFO] CA Home Directory: /tmp
2017/04/28 15:49:16 [INFO] generating key: &{A:ecdsa S:256}
2017/04/28 15:49:16 [INFO] encoded CSR
2017/04/28 15:49:16 [INFO] signed certificate with serial number 332657908187629311545840118605064673735674617057
2017/04/28 15:49:16 [INFO] The CA key and certificate were generated for CA
2017/04/28 15:49:16 [INFO] The key was stored by BCCSP provider 'SW'
2017/04/28 15:49:16 [INFO] The certificate is at: /tmp/ca-cert.pem
2017/04/28 15:49:16 [INFO] Initialized sqlite3 database at /tmp/fabric-ca-server.db
2017/04/28 15:49:16 [INFO] Home directory for CA '': /tmp
2017/04/28 15:49:16 [INFO] Listening at http://0.0.0.0:7054
```

smithbk (Fri, 28 Apr 2017 19:56:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vteyrrxKcR2dfYNuw) @bmkor Could you open a jira item for that with instructions of how to reproduce?

smithbk (Fri, 28 Apr 2017 20:12:40 GMT):
@bmkor There is a fix for one issue that would affect this. If you use what is currently in master + pull this change set down: https://gerrit.hyperledger.org/r/#/c/8735/ ... then this should work as follows

smithbk (Fri, 28 Apr 2017 20:13:11 GMT):
```
Keiths-MBP:bin keith$ fabric-ca-server start -b a:b -c root/config.yaml -p 7055
2017/04/28 16:09:20 [INFO] Created default configuration file at /Users/keith/go/src/github.com/hyperledger/fabric-ca/bin/root/config.yaml
2017/04/28 16:09:20 [INFO] Starting server in home directory: /Users/keith/go/src/github.com/hyperledger/fabric-ca/bin/root
2017/04/28 16:09:20 [INFO] CA Home Directory: /Users/keith/go/src/github.com/hyperledger/fabric-ca/bin/root
2017/04/28 16:09:20 [INFO] generating key: &{A:ecdsa S:256}
2017/04/28 16:09:20 [INFO] encoded CSR
2017/04/28 16:09:20 [INFO] signed certificate with serial number 253926999735069648183527455450277209060103842645
2017/04/28 16:09:20 [INFO] The CA key and certificate were generated for CA
2017/04/28 16:09:20 [INFO] The key was stored by BCCSP provider 'SW'
2017/04/28 16:09:20 [INFO] The certificate is at: /Users/keith/go/src/github.com/hyperledger/fabric-ca/bin/root/ca-cert.pem
2017/04/28 16:09:20 [INFO] Initialized sqlite3 database at /Users/keith/go/src/github.com/hyperledger/fabric-ca/bin/root/fabric-ca-server.db
2017/04/28 16:09:20 [INFO] Home directory for CA '': /Users/keith/go/src/github.com/hyperledger/fabric-ca/bin/root
2017/04/28 16:09:20 [INFO] Listening at http://0.0.0.0:7055
2017/04/28 16:10:00 [INFO] signed certificate with serial number 57689210005373897597625190488342634511137876400
2017/04/28 16:10:00 [INFO] [::1]:51133 - "POST /enroll" 200
```

smithbk (Fri, 28 Apr 2017 20:13:38 GMT):
```
Keiths-MBP:bin keith$ fabric-ca-server start -b c:d -c intermediate/config.yaml -u http://a:b@localhost:7055
2017/04/28 16:10:00 [INFO] Created default configuration file at /Users/keith/go/src/github.com/hyperledger/fabric-ca/bin/intermediate/config.yaml
2017/04/28 16:10:00 [INFO] Starting server in home directory: /Users/keith/go/src/github.com/hyperledger/fabric-ca/bin/intermediate
2017/04/28 16:10:00 [INFO] CA Home Directory: /Users/keith/go/src/github.com/hyperledger/fabric-ca/bin/intermediate
2017/04/28 16:10:00 [INFO] generating key: &{A:ecdsa S:256}
2017/04/28 16:10:00 [INFO] encoded CSR
2017/04/28 16:10:00 [INFO] The CA key and certificate were generated for CA
2017/04/28 16:10:00 [INFO] The key was stored by BCCSP provider 'SW'
2017/04/28 16:10:00 [INFO] The certificate is at: /Users/keith/go/src/github.com/hyperledger/fabric-ca/bin/intermediate/ca-cert.pem
2017/04/28 16:10:00 [INFO] Initialized sqlite3 database at /Users/keith/go/src/github.com/hyperledger/fabric-ca/bin/intermediate/fabric-ca-server.db
2017/04/28 16:10:00 [INFO] Home directory for CA '': /Users/keith/go/src/github.com/hyperledger/fabric-ca/bin/intermediate
2017/04/28 16:10:00 [INFO] Listening at http://0.0.0.0:7054
```

rohitbordia (Fri, 28 Apr 2017 20:28:56 GMT):
@smithbk : I made that work using an absolute path, thanks

rohitbordia (Fri, 28 Apr 2017 20:29:01 GMT):
I have another error : error: invalid DSN: missing the slash separating the database name

rohitbordia (Fri, 28 Apr 2017 20:29:09 GMT):
I have updated to mysql

rohitbordia (Fri, 28 Apr 2017 20:29:30 GMT):
host=localhost port=3306 user=root password=passwd dbname=fabric

smithbk (Fri, 28 Apr 2017 20:30:14 GMT):
@skarim Saad, any ideas on the "invalid DSN" error above?

skarim (Fri, 28 Apr 2017 20:33:02 GMT):
@rohitbordia MySQL uses a different syntax, please see http://hyperledger-fabric.readthedocs.io/en/latest/Setup/ca-setup.html#configuring-the-database on how to set the datasource option for MySQL

rohitbordia (Fri, 28 Apr 2017 20:36:57 GMT):
updated and getting this : Failed to query 'INFORMATION_SCHEMA.SCHEMATA

rohitbordia (Fri, 28 Apr 2017 20:37:29 GMT):
```
ca_peerOrg1 | 2017/04/28 20:35:07 [ERROR] Failed to connect to MySQL database [error: dial tcp [::1]:3306: getsockopt: connection refused]
ca_peerOrg1 | Error: Failed to query 'INFORMATION_SCHEMA.SCHEMATA table: dial tcp [::1]:3306: getsockopt: connection refused
```

rohitbordia (Fri, 28 Apr 2017 20:40:08 GMT):
@skarim : any idea on the above error?

skarim (Fri, 28 Apr 2017 20:40:52 GMT):
Is your MySQL server running and listening on port 3306?

rohitbordia (Fri, 28 Apr 2017 20:41:15 GMT):
yes

rohitbordia (Fri, 28 Apr 2017 20:41:37 GMT):
c88ad45cb4d4 mysql "docker-entrypoint..." About an hour ago Up About an hour 3306/tcp mysql

skarim (Fri, 28 Apr 2017 20:42:35 GMT):
can I see the connection string that you used?

rohitbordia (Fri, 28 Apr 2017 20:43:11 GMT):
root:passwd@tcp(localhost:3306)/fabric

rohitbordia (Fri, 28 Apr 2017 20:43:28 GMT):
fabric is the name of the database I have created

skarim (Fri, 28 Apr 2017 20:45:10 GMT):
hmm, for some reason it can't find the server. You are running fabric-ca and mysql in two separate docker containers I imagine?

rohitbordia (Fri, 28 Apr 2017 20:45:18 GMT):
yes

skarim (Fri, 28 Apr 2017 20:45:43 GMT):
instead of localhost in your connection string, can you give the name of the docker container your mysql server is running in

rohitbordia (Fri, 28 Apr 2017 20:46:08 GMT):
sure let me try

rohitbordia (Fri, 28 Apr 2017 20:47:07 GMT):
lookup mysql on 127.0.0.11:53: no such host

rohitbordia (Fri, 28 Apr 2017 20:47:29 GMT):
root:passwd@tcp(mysql:3306)/fabric

skarim (Fri, 28 Apr 2017 20:48:31 GMT):
@rennman Have you seen such errors when working with docker images of MySQL and Fabric-ca

skarim (Fri, 28 Apr 2017 20:49:24 GMT):
it seems like it can't reach the mysql server from another docker container

rohitbordia (Fri, 28 Apr 2017 20:49:28 GMT):
I'm trying to add the IP address also

rennman (Fri, 28 Apr 2017 20:53:20 GMT):
@rohitbordia are you setting up the docker containers with docker compose and exploiting the links directive? Generally container to container networking is accomplished either by explicit overlay networks, or by relying on the docker default bridge w/ links ... if you've defined the mysql service and established links between the containers, you should see an entry in /etc/hosts for each linked container

rennman (Fri, 28 Apr 2017 20:53:46 GMT):
I generally run all the daemons in a single container for simplicity

rohitbordia (Fri, 28 Apr 2017 20:55:15 GMT):
I'm trying to run fabric-ca using docker compose. But mysql is already running on docker

rohitbordia (Fri, 28 Apr 2017 20:56:03 GMT):
Do I need to expose the port so that the other container can connect?

rennman (Fri, 28 Apr 2017 20:57:29 GMT):
if they're on the same machine and talking container to container, generally no...can you run docker inspect and find out what the private ip is on the docker bridge? you can then use that ip@ in the mysql connect string

rohitbordia (Fri, 28 Apr 2017 20:58:22 GMT):
ok

rohitbordia (Fri, 28 Apr 2017 20:59:34 GMT):
@rennman :
```
"bridge": {
    "IPAMConfig": null,
    "Links": null,
    "Aliases": null,
    "NetworkID": "43184e03625b0b7ae8bb8784b660a2e4550d80cf0792c81add65af6ac7b8c722",
    "EndpointID": "e57bfa41668b624ccaeb3f09d9b230c60d4b603461a631068eb3ccaff2423110",
    "Gateway": "172.17.0.1",
    "IPAddress": "172.17.0.2",
    "IPPrefixLen": 16,
    "IPv6Gateway": "",
    "GlobalIPv6Address": "",
    "GlobalIPv6PrefixLen": 0,
    "MacAddress": "02:42:ac:11:00:02"
}
```

rohitbordia (Fri, 28 Apr 2017 20:59:50 GMT):
I have tried: "IPAddress": "172.17.0.2"

rennman (Fri, 28 Apr 2017 20:59:51 GMT):
172.17.0.2 should work

rennman (Fri, 28 Apr 2017 20:59:54 GMT):
ok

rohitbordia (Fri, 28 Apr 2017 21:00:07 GMT):
Failed to connect to MySQL database [error: dial tcp 172.17.0.2:3306: getsockopt:

rennman (Fri, 28 Apr 2017 21:00:19 GMT):
hmm

rennman (Fri, 28 Apr 2017 21:01:31 GMT):
can you determine if the fabric container is on the same lan?

rohitbordia (Fri, 28 Apr 2017 21:02:42 GMT):
```
"fabricca_default": {
    "IPAMConfig": null,
    "Links": null,
    "Aliases": [
        "57361f404e4f",
        "ca0"
    ],
    "NetworkID": "fcb6710162d4f40179e87c499bf63cfbf576f6990910e6de58c0af736392b214",
    "EndpointID": "1f704eaef49e6fdb3cfd521e50d9ff89c4d10f684fc3459bf243b2c967eb6b6b",
    "Gateway": "172.26.0.1",
    "IPAddress": "172.26.0.2",
    "IPPrefixLen": 16,
    "IPv6Gateway": "",
    "GlobalIPv6Address": "",
    "GlobalIPv6PrefixLen": 0,
    "MacAddress": "02:42:ac:1a:00:02"
}
```

rennman (Fri, 28 Apr 2017 21:03:18 GMT):
ah, appears not to be

rohitbordia (Fri, 28 Apr 2017 21:03:55 GMT):
updated my docker-compose to use the default bridge for fabric-ca

rennman (Fri, 28 Apr 2017 21:04:19 GMT):
that's probably a good start

rohitbordia (Fri, 28 Apr 2017 21:04:23 GMT):
ok

rennman (Fri, 28 Apr 2017 21:05:53 GMT):
if both services were started in the same compose, you could link them...otherwise, you'll need to get them on the same network and manually code the ip@

rohitbordia (Fri, 28 Apr 2017 21:06:08 GMT):
aah ok

rennman (Fri, 28 Apr 2017 21:07:21 GMT):
I think alternatively you can expose the ports, and then I think the container can access the localhost addr, but you'll have to issue 'docker ps' and/or inspect to determine the NAT port mapping

rennman (Fri, 28 Apr 2017 21:07:27 GMT):
either way, I think linking is simpler

rohitbordia (Fri, 28 Apr 2017 21:08:05 GMT):
ok, I'm adding mysql in the same compose file

rennman (Fri, 28 Apr 2017 21:08:27 GMT):
k, I'm highly optimistic :)

rohitbordia (Fri, 28 Apr 2017 21:18:35 GMT):
@rennman :(

rennman (Fri, 28 Apr 2017 21:19:11 GMT):
arg....ok, can you send me your docker-compose.yaml

rohitbordia (Fri, 28 Apr 2017 21:20:52 GMT):
ok

rohitbordia (Fri, 28 Apr 2017 21:23:29 GMT):
@rennman : sent

zhangchao (Sat, 29 Apr 2017 00:40:07 GMT):
Has joined the channel.

zhangchao (Sat, 29 Apr 2017 00:42:20 GMT):
I pulled the latest version of fabric-ca, but 'make docker' failed with this error:

zhangchao (Sat, 29 Apr 2017 00:42:49 GMT):
```
ubuntu@hyperledger-devenv:7f114bb:/opt/gopath/src/github.com/hyperledger/fabric-ca$ make docker
Building build/docker/bin/fabric-ca-server
# github.com/hyperledger/fabric-ca/cmd/fabric-ca-server
cmd/fabric-ca-server/config.go:325: serverCfg.DB undefined (type *lib.ServerConfig has no field or method DB)
cmd/fabric-ca-server/config.go:330: serverCfg.LDAP undefined (type *lib.ServerConfig has no field or method LDAP)
Makefile:97: recipe for target 'build/docker/bin/fabric-ca-server' failed
make: *** [build/docker/bin/fabric-ca-server] Error 2
```

zhangchao (Sat, 29 Apr 2017 00:43:39 GMT):
can anyone give some help on this error?

bmkor (Sat, 29 Apr 2017 01:56:31 GMT):
Thanks Smith. Just woke up on my side. By the way, how do I enable TLS when connecting the intermediate CA server to the parent CA server? By setting tls.enabled to true in the .yaml, just like enabling TLS between client and server? [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pHzLRZq6CHd8piv6F) @smithbk

jimthematrix (Sat, 29 Apr 2017 03:26:05 GMT):
@smithbk fabric-ca build in node-sdk verify CI is failing with the following error:
```
03:06:41 + git clone ssh://hyperledger-jobbuilder@gerrit.hyperledger.org:29418/fabric-ca /w/workspace/fabric-sdk-node-verify-x86_64/gopath/src/github.com/hyperledger/fabric-ca
03:06:41 Cloning into '/w/workspace/fabric-sdk-node-verify-x86_64/gopath/src/github.com/hyperledger/fabric-ca'...
03:06:46 Total 5529 (delta 32), reused 5435 (delta 32)
03:06:47 + cd /w/workspace/fabric-sdk-node-verify-x86_64/gopath/src/github.com/hyperledger/fabric-ca
03:06:47 ++ git log -1 --pretty=format:%h
03:06:47 + CA_COMMIT=10a9b73
03:06:47 + echo '======> CA_COMMIT <======= 10a9b73'
03:06:47 ======> CA_COMMIT <======= 10a9b73
03:06:47 + make docker
03:06:47 Building build/docker/bin/fabric-ca-client
03:07:28 Building build/docker/bin/fabric-ca-server
03:08:04 # github.com/hyperledger/fabric-ca/cmd/fabric-ca-server
03:08:04 cmd/fabric-ca-server/config.go:325: serverCfg.DB undefined (type *lib.ServerConfig has no field or method DB)
03:08:04 cmd/fabric-ca-server/config.go:330: serverCfg.LDAP undefined (type *lib.ServerConfig has no field or method LDAP)
03:08:05 Makefile:97: recipe for target 'build/docker/bin/fabric-ca-server' failed
03:08:05 make: *** [build/docker/bin/fabric-ca-server] Error 2
03:08:05 Build step 'Execute shell' marked build as failure
```

jimthematrix (Sat, 29 Apr 2017 03:28:08 GMT):
I see the same error when building locally after pulling the latest

jimthematrix (Sat, 29 Apr 2017 03:30:54 GMT):
this seems to be happening after this commit:
```
commit 720d546b830d95b4213ac838dfcf0e5a787544ce
Merge: 4b58d5c 75f402c
Author: Christopher Ferris
Date:   Fri Apr 28 20:15:41 2017 +0000

    Merge "[FAB-1463] Add TLS support to CA server's LDAP client"
```

zhangchao (Sat, 29 Apr 2017 08:20:28 GMT):
@jimthematrix I encountered this error as well, it's most probably a bug

zhangchao (Sat, 29 Apr 2017 08:20:58 GMT):
can anyone report a bug in JIRA?

smithbk (Sat, 29 Apr 2017 11:40:07 GMT):
See http://gerrit.hyperledger.org/r/8755 [FAB-3518] Fix fabric-ca-server build failure

smithbk (Sat, 29 Apr 2017 11:40:29 GMT):
The question is how CI passed? Investigating that now

zhangchao (Sat, 29 Apr 2017 14:13:23 GMT):
@smithbk, I used the config.go fixed by FAB-3518; the previous failure is resolved, but there is a new error, like this:

zhangchao (Sat, 29 Apr 2017 14:13:40 GMT):
```
ubuntu@hyperledger-devenv:7f114bb:/opt/gopath/src/github.com/hyperledger/fabric-ca$ make docker
Building build/docker/bin/fabric-ca-client
Building build/docker/bin/fabric-ca-server
Building build/fabric-ca.tar.bz2
tar: Cowardly refusing to create an empty archive
Try 'tar --help' or 'tar --usage' for more information.
Makefile:142: recipe for target 'build/fabric-ca.tar.bz2' failed
make: *** [build/fabric-ca.tar.bz2] Error 2
```

smithbk (Sat, 29 Apr 2017 15:01:56 GMT):
@zhangchao I'm unable to reproduce. Did you try "make docker-clean" first? What env/OS are you on?

zhangchao (Sat, 29 Apr 2017 15:05:10 GMT):
yes, I cleaned before make docker

zhangchao (Sat, 29 Apr 2017 15:05:53 GMT):
I am using latest vagrant box version v20170428.0.0

zhangchao (Sat, 29 Apr 2017 15:07:11 GMT):
I am suspecting the box has something wrong, since all historical fabric-ca commit levels failed to build

zhangchao (Sat, 29 Apr 2017 15:07:48 GMT):
can you show the vagrant box version?

smithbk (Sat, 29 Apr 2017 15:16:21 GMT):
I am building natively on mac

rohitbordia (Sun, 30 Apr 2017 00:42:11 GMT):
Thanks @rennman , was able to run mysql with fabric-ca

bmkor (Sun, 30 Apr 2017 02:31:26 GMT):
Thanks Smith. So it is supposed to be fixed? Let me know if I still need to open this issue in JIRA. [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pHzLRZq6CHd8piv6F) @smithbk

smithbk (Sun, 30 Apr 2017 11:39:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hknxpQSPCLvsxMQaz) @bmkor Yes, it is fixed

smithbk (Sun, 30 Apr 2017 11:39:40 GMT):
And merged

bmkor (Sun, 30 Apr 2017 11:55:01 GMT):
Thanks Smith. May I ask if the connection between the intermediate CA and the parent CA server supports TLS? [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QofogoRehbKQCv8aa) @smithbk

smithbk (Sun, 30 Apr 2017 12:07:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=br8phJvsy7hq6hcxH) @bmkor Yes, it supports TLS

bmkor (Sun, 30 Apr 2017 12:10:11 GMT):
Thanks. Wondering if this TLS can be enabled in the .yaml the same way as for the connection between client and server? Thanks again. [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QSjrFiagLgy5Peqwx) @smithbk

smithbk (Sun, 30 Apr 2017 12:15:04 GMT):
You mean instead of using the "-u" option on command line?

smithbk (Sun, 30 Apr 2017 12:15:40 GMT):
You should be able to add the following to the config file, though I haven't personally tried yet

smithbk (Sun, 30 Apr 2017 12:15:55 GMT):
```client:```

smithbk (Sun, 30 Apr 2017 12:17:04 GMT):
Make that

smithbk (Sun, 30 Apr 2017 12:17:12 GMT):
```
client:
  URL: https://admin:adminpw@localhost:7055
```

bmkor (Sun, 30 Apr 2017 12:34:54 GMT):
My bad. I would like to know if I can enable TLS between the intermediate CA server and the parent server in the .yaml by setting tls.enabled to true? :) [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HRF2sAnNAAmgaCgXz) @smithbk

smithbk (Sun, 30 Apr 2017 12:40:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HhvShphRLTkjNueFp) @bmkor Yes, setting tls.enabled to true on the parent server and adding a client section which has the TLS certfiles for the client connection, telling it which cert files to trust. That said, I unfortunately have to leave now but I will do this myself in the next day and provide instructions

smithbk (Sun, 30 Apr 2017 12:40:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HhvShphRLTkjNueFp) @bmkor Yes, setting tls.enabled to true on the parent server and adding a client section to the intermediate server's yaml which has the TLS certfiles for the client connection, telling it which cert files to trust. That said, I unfortunately have to leave now but I will do this myself in the next day and provide instructions

zjb0807 (Mon, 01 May 2017 10:07:16 GMT):
Has joined the channel.

ksingh299 (Mon, 01 May 2017 13:34:23 GMT):
Has joined the channel.

ksingh299 (Mon, 01 May 2017 13:56:41 GMT):
Hi All. I am running against the Docker Hub image of the fabric CA: hyperledger/fabric-ca:x86_64-1.0.0-alpha. The enrollment works fine without TLS. However, when I enable TLS, I am getting the "ecc cert not for signing" error.

ksingh299 (Mon, 01 May 2017 13:56:49 GMT):
```
Error: Calling enrollment endpoint failed with error [Error: write EPROTO 140736535651264:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:../deps/openssl/openssl/ssl/ssl_lib.c:2512:
140736535651264:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:../deps/openssl/openssl/ssl/s3_clnt.c:3544:
]
    at ClientRequest. (……… /node_modules/fabric-ca-client/lib/FabricCAClientImpl.js:575:12)
    at emitOne (events.js:96:13)
    at ClientRequest.emit (events.js:188:7)
    at TLSSocket.socketErrorListener (_http_client.js:310:9)
    at emitOne (events.js:96:13)
    at TLSSocket.emit (events.js:188:7)
    at onwriteError (_stream_writable.js:346:10)
    at onwrite (_stream_writable.js:364:5)
    at WritableState.onwrite (_stream_writable.js:90:5)
    at fireErrorCallbacks (net.js:468:13)
    at TLSSocket.Socket._destroy (net.js:509:3)
    at WriteWrap.afterWrite (net.js:803:10)
```

ksingh299 (Mon, 01 May 2017 13:57:28 GMT):
Has anyone seen this error before or any thoughts on how to resolve this?

ksingh299 (Mon, 01 May 2017 14:00:39 GMT):
@jworthington you saw a similar error before. Were you able to resolve your issue?

s.narayanan (Mon, 01 May 2017 14:05:53 GMT):
A few questions related to fabric CA HA configuration: a) do we need to use Postgres or MySQL for HA, or can the default SQLite be used in an HA configuration? b) can CouchDB be used as the underlying database for Fabric CA? c) if we use SQLite in the short term, can we migrate to using MySQL in future?

rohitbordia (Mon, 01 May 2017 20:05:50 GMT):
Hi, did anyone have working LDAP connectivity? I'm trying to use an existing LDAP

rohitbordia (Mon, 01 May 2017 20:05:51 GMT):
```
Binding to the LDAP server as admin user %scn=svc.grtfcs,ou=ServiceAccounts,ou=Process,dc=e1ads,dc=aexp,dc=com
ca_peerOrg1 | 2017/05/01 20:03:47 [DEBUG] Failed to get user 'svc.grtfcs': LDAP bind failure as cn=svc.grtfcs,ou=ServiceAccounts,ou=Process,dc=e1ads,dc=aexp,dc=com: LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580
```

rohitbordia (Mon, 01 May 2017 20:06:44 GMT):
ldap://cn=svc.grtfcs,ou=ServiceAccounts,ou=Process,dc=e1ads,dc=example,dc=com:svc.grtfcs@host:389/dc=e1ads,dc=example,dc=com

ashutosh_kumar (Mon, 01 May 2017 20:29:07 GMT):
How does the user show up in the Service account tree?

ashutosh_kumar (Mon, 01 May 2017 20:29:44 GMT):
Are you using something like ISIM (IBM Identity Manager)?

rohitbordia (Mon, 01 May 2017 20:40:28 GMT):
internal LDAP

rohitbordia (Mon, 01 May 2017 20:43:10 GMT):
It's Active Directory LDAP

rohitbordia (Mon, 01 May 2017 20:44:13 GMT):
users are in: ou=People,dc=e1ads,dc=aexp,dc=com

ashutosh_kumar (Mon, 01 May 2017 20:48:31 GMT):
your admin user should belong there or similar tree.

smithbk (Mon, 01 May 2017 20:51:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LJT9ELGgBbFQvd6YG) @s.narayanan a) You must use Postgres or MySQL. SQLite is an embedded DB running in a single process only. b) No, we don't support CouchDB but have thought about it. I encourage you to open a jira feature request for this. c) We don't support migration of data from SQLite DBs to another DB if you want to migrate the state.

rohitbordia (Mon, 01 May 2017 20:52:04 GMT):
@ashutosh_kumar : it does belong to ou=Process,dc=e1ads,dc=aexp,dc=com, which is what I have

rohitbordia (Mon, 01 May 2017 20:52:23 GMT):
I have a java program which lets me connect using the same ldap and user/pass

smithbk (Mon, 01 May 2017 20:53:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jdK8AWBfdDkP3ueh5) @rohitbordia There is a simple test script for ldap at fabric-ca/scripts/run_ldap_tests if you haven't seen it

ashutosh_kumar (Mon, 01 May 2017 20:54:32 GMT):
ok.

rohitbordia (Mon, 01 May 2017 21:04:01 GMT):
@smithbk : thanks, I looked at it. But I'm not understanding how I can provide the pass in my LDAP URL

smithbk (Tue, 02 May 2017 00:37:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Wthrcgnvr27eu7Gwx) @rohitbordia You can either modify the config file at this portion:
```
#############################################################################
# LDAP section
# If LDAP is enabled, the fabric-ca-server calls LDAP to:
# 1) authenticate enrollment ID and secret (i.e. username and password)
# for enrollment requests;
# 2) To retrieve identity attributes
#############################################################################
ldap:
  # Enables or disables the LDAP client (default: false)
  enabled: false
  # The URL of the LDAP server
  url: ldap://:@:/
```

smithbk (Tue, 02 May 2017 00:39:02 GMT):
Or start with the following options: ```--ldap.enabled --ldap.url ldap://:@:/```

smithbk (Tue, 02 May 2017 00:39:30 GMT):
Or use env variables instead of command line args

smithbk (Tue, 02 May 2017 00:46:15 GMT):
Note the following in the usage message also:

smithbk (Tue, 02 May 2017 00:46:17 GMT):
--ldap.userfilter string The LDAP user filter to use when searching for users (default "(uid=%s)")

smithbk (Tue, 02 May 2017 00:51:24 GMT):
Looking more closely, are you sure that the and are correct?

smithbk (Tue, 02 May 2017 01:00:29 GMT):
fabric-ca-server uses the library described at https://godoc.org/gopkg.in/ldap.v2

smithbk (Tue, 02 May 2017 01:00:38 GMT):
In particular, we call

smithbk (Tue, 02 May 2017 01:01:23 GMT):
conn, err = ldap.Dial("tcp", ":") where host and port come from the LDAP URL passed in

smithbk (Tue, 02 May 2017 01:01:27 GMT):
and then

smithbk (Tue, 02 May 2017 01:02:35 GMT):
err := conn.Bind(, )

smithbk (Tue, 02 May 2017 01:02:53 GMT):
The last call is failing

smithbk (Tue, 02 May 2017 01:03:46 GMT):
If you can open a jira item and provide instructions on how to reproduce, I can try to debug that library

smithbk (Tue, 02 May 2017 01:04:15 GMT):
to see what is happening

rohitbordia (Tue, 02 May 2017 02:36:39 GMT):
@smithbk : yes, I have reset the password twice

Lakshmipadmaja (Tue, 02 May 2017 04:59:40 GMT):
Has joined the channel.

Amjadnz (Tue, 02 May 2017 09:10:52 GMT):
Is there a YAML file that I can use with Fabric V1.0 that sets up the FABRIC-CA too and its properties?

Amjadnz (Tue, 02 May 2017 09:11:18 GMT):
I'm using Docker and currently can operate with curl commands. Now moving to the NodeJS SDK.

Amjadnz (Tue, 02 May 2017 09:11:50 GMT):
There is a dependency on using Fabric-CA and unfortunately we do not have a default fabric-ca as part of the regular yaml file

noursaadallah (Tue, 02 May 2017 09:23:26 GMT):
Has joined the channel.

Amjadnz (Tue, 02 May 2017 09:26:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9aMksBFsPho8ioxEr) @smithbk Thanks @smithbk

Amjadnz (Tue, 02 May 2017 09:26:51 GMT):
Can you help me with the following query:

Amjadnz (Tue, 02 May 2017 09:26:56 GMT):
Is there a YAML file that I can use with Fabric V1.0 that sets up the FABRIC-CA too and its properties?

Amjadnz (Tue, 02 May 2017 09:28:00 GMT):
I have the fabric-ca image in the docker environment. But as of now no peer is using it as all of them are using pre-defined MSPs (as per sample getting started guide)

Amjadnz (Tue, 02 May 2017 09:28:27 GMT):
And there is no documentation of how to include a CA to make all of them talk and, in effect, make use of the Node SDK

kelvinzhong (Tue, 02 May 2017 09:36:22 GMT):
hi @smithbk, I wonder, if using a tcert instead of an ecert, how could I tell which user owns this tcert? Should I query the CA every time?

sanjay15004New (Tue, 02 May 2017 10:12:59 GMT):
Has joined the channel.

sanjay15004New (Tue, 02 May 2017 10:15:05 GMT):
Hi. We need to implement TLS in Hyperledger Fabric 1.0, which already provides privacy over the channel. Why then is TLS required? Is this adding extra security over the channel?

AbhishekSeth (Tue, 02 May 2017 10:20:22 GMT):
Hey.. I am running fabric-setup in prod mode. I use NodeSDK for channel creation and chaincode deployment. Currently I am using `admin` user in the configuration. How do I enroll a *new* user and use that user for all my txns?

smithbk (Tue, 02 May 2017 11:12:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xLfg8hwY8SqNBZs9d) @rohitbordia Can you open a jira item and include instructions on how to reproduce?

Amjadnz (Tue, 02 May 2017 11:12:32 GMT):
@muralisr Can you help please?

muralisr (Tue, 02 May 2017 11:12:32 GMT):
Has joined the channel.

Amjadnz (Tue, 02 May 2017 11:12:52 GMT):
```
curl -s -X GET \
  "http://localhost:4000/channels/aj001/chaincodes/sc_userole?peer=peer2&args=%5B%22readItem%22%2C%22a-1%22%2C%22role-1%22%2C%22user-1%22%2C%22tr-1%22%2C%221%22%5D&chaincodeVersion=v1" \
  -H "authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0OTM3MjU3NjksInVzZXJuYW1lIjoiSmltIiwib3JnTmFtZSI6Im9yZzEiLCJpYXQiOjE0OTM3MjIxNjl9.1gGMHUjpHqi5G8-1kE00YvWswid4m-lZfhzXRBtfQg0" \
  -H "cache-control: no-cache" \
  -H "content-type: application/json" \
  -H "x-access-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0OTM3MjU3NjksInVzZXJuYW1lIjoiSmltIiwib3JnTmFtZSI6Im9yZzEiLCJpYXQiOjE0OTM3MjIxNjl9.1gGMHUjpHqi5G8-1kE00YvWswid4m-lZfhzXRBtfQg0"
```

Amjadnz (Tue, 02 May 2017 11:13:07 GMT):
The Node SDK is used locally to check the query command

Amjadnz (Tue, 02 May 2017 11:13:44 GMT):
At NodeJS log:
```
[2017-05-02 15:02:16.291] [ERROR] Query - TypeError: identityProto.SerializedIdentity is not a constructor
    at Identity.serialize (/home/tts/src/github.com/hyperledger/fabric-sdk-node/examples/sc/node_modules/fabric-client/lib/msp/identity.js:113:28)
    at Chain.buildTransactionID (/home/tts/src/github.com/hyperledger/fabric-sdk-node/examples/sc/node_modules/fabric-client/lib/Chain.js:2125:49)
    at helper.getRegisteredUsers.then (/home/tts/src/github.com/hyperledger/fabric-sdk-node/examples/sc/app/query.js:39:17)
```

Amjadnz (Tue, 02 May 2017 11:14:37 GMT):
All the query methods are fine with the CLI "curl" commands.

Amjadnz (Tue, 02 May 2017 11:15:22 GMT):
CLI output:

Amjadnz (Tue, 02 May 2017 11:15:25 GMT):
```
2017-05-02 11:15:06.571 UTC [logging] InitFromViper -> DEBU 001 Setting default logging level to DEBUG for command 'chaincode'
2017-05-02 11:15:06.589 UTC [msp] GetLocalMSP -> DEBU 002 Returning existing local MSP
2017-05-02 11:15:06.589 UTC [msp] GetDefaultSigningIdentity -> DEBU 003 Obtaining default signing identity
2017-05-02 11:15:06.589 UTC [msp] Sign -> DEBU 004 Sign: plaintext: 0A91050A5B08032205616A3030312A40...0A06726F6C652D310A06757365722D31
2017-05-02 11:15:06.589 UTC [msp] Sign -> DEBU 005 Sign: digest: 1F1714D023700986193585958132304500FF924B9D406CF9DEB8B654C4A4A9F5
Query Result: [{"Key":"a-1", "Record":{"roleId":"role-1","status":"1","userId":"user-1"}}]
2017-05-02 11:15:06.683 UTC [main] main -> INFO 006 Exiting.....
```

muralisr (Tue, 02 May 2017 11:16:10 GMT):
@Amjadnz wish I could but I haven't caught up with node-sdk recently...

muralisr (Tue, 02 May 2017 11:16:17 GMT):
ah I see @smithbk typing...

Amjadnz (Tue, 02 May 2017 11:16:28 GMT):
Oh I see - sorry mate

Amjadnz (Tue, 02 May 2017 11:16:42 GMT):
So Sir Smith can you help please?

smithbk (Tue, 02 May 2017 11:16:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SLLHgQNsj99TWkJbP) @Amjadnz By yaml file, I assume you mean a docker-compose file?

Amjadnz (Tue, 02 May 2017 11:17:18 GMT):
Yea. I got that item covered as I added a fabric-ca-server to my docker-compose

Amjadnz (Tue, 02 May 2017 11:17:39 GMT):
It got up and running - but how do I connect the peers to talk to the fabric-ca server?

smithbk (Tue, 02 May 2017 11:17:59 GMT):
Also, for others looking at this, there is one at fabric-sdk-node/test/fixtures/docker-compose.yaml

Amjadnz (Tue, 02 May 2017 11:18:26 GMT):
```
fabric-ca-server:
  image: hyperledger/fabric-ca
  container_name: fabric-ca-server
  ports:
    - "7054:7054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
  volumes:
    - "./fabric-ca-server:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'
```

Amjadnz (Tue, 02 May 2017 11:18:42 GMT):
Yes - exactly I got the same from there.

Amjadnz (Tue, 02 May 2017 11:20:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pnMfL2ZzdfN8oyLS3) @smithbk thanks mate - that solves my issue

Amjadnz (Tue, 02 May 2017 11:20:42 GMT):
that docker file is what I was looking at

smithbk (Tue, 02 May 2017 11:20:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ktbvgLTzi7XWLn9gQ) @Amjadnz So this is the latest error you're trying to figure out?

Amjadnz (Tue, 02 May 2017 11:21:19 GMT):
Yes - Now when I am logging in "user registration" - all is fine (I get back the token JSON)

Amjadnz (Tue, 02 May 2017 11:21:40 GMT):
When I am trying to invoke a query - essentially that gives me this error.

smithbk (Tue, 02 May 2017 11:22:04 GMT):
How are you invoking the query?

smithbk (Tue, 02 May 2017 11:22:23 GMT):
Are you just running the e2e example as is?

Amjadnz (Tue, 02 May 2017 11:22:33 GMT):
The query is from the curl command as of now. It's an HTTP POST to PEER0 and PEER1

Amjadnz (Tue, 02 May 2017 11:22:45 GMT):
Actually it's a post to the NodeJS server

Amjadnz (Tue, 02 May 2017 11:23:08 GMT):
Yes - as it is. But my chaincode is different.

smithbk (Tue, 02 May 2017 11:23:17 GMT):
And then what does the nodejs server do with the POST?

smithbk (Tue, 02 May 2017 11:23:44 GMT):
This is probably more a question for @jimthematrix but I'll try

Amjadnz (Tue, 02 May 2017 11:23:46 GMT):
Well - it sends the data to the required peer -

Amjadnz (Tue, 02 May 2017 11:24:13 GMT):
and it should receive a JSON result back at the command prompt

Amjadnz (Tue, 02 May 2017 11:24:26 GMT):
```
curl -s -X GET \
  "http://localhost:4000/channels/aj001/chaincodes/sc_userole?peer=peer2&args=%5B%22readItem%22%2C%22a-1%22%2C%22role-1%22%2C%22user-1%22%2C%22tr-1%22%2C%221%22%5D&chaincodeVersion=v1" \
  -H "authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0OTM3MjU3NjksInVzZXJuYW1lIjoiSmltIiwib3JnTmFtZSI6Im9yZzEiLCJpYXQiOjE0OTM3MjIxNjl9.1gGMHUjpHqi5G8-1kE00YvWswid4m-lZfhzXRBtfQg0" \
  -H "cache-control: no-cache" \
  -H "content-type: application/json" \
  -H "x-access-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0OTM3MjU3NjksInVzZXJuYW1lIjoiSmltIiwib3JnTmFtZSI6Im9yZzEiLCJpYXQiOjE0OTM3MjIxNjl9.1gGMHUjpHqi5G8-1kE00YvWswid4m-lZfhzXRBtfQg0"
```

Amjadnz (Tue, 02 May 2017 11:24:36 GMT):
This is from the testAPI.sh from NODE JS

Amjadnz (Tue, 02 May 2017 11:25:07 GMT):
I changed the "channel, chaincode, peer, args, token"

smithbk (Tue, 02 May 2017 11:25:41 GMT):
You mean ./examples/balance-transfer/testAPIs.sh ?

Amjadnz (Tue, 02 May 2017 11:25:47 GMT):
yea

smithbk (Tue, 02 May 2017 11:26:03 GMT):
looking ... not familiar with it

Amjadnz (Tue, 02 May 2017 11:26:15 GMT):
I want to try with the command prompt before moving on to the full-fledged UI solution

Amjadnz (Tue, 02 May 2017 11:29:34 GMT):
Can @jimthematrix help here and throw some light?

smithbk (Tue, 02 May 2017 11:31:18 GMT):
Yes, I think we'll need to get @jimthematrix involved here because I'm not familiar with what that script is doing and not sure what token is being returned by the "users" endpoint. That is not on fabric-ca.

Amjadnz (Tue, 02 May 2017 11:32:27 GMT):
Ok @smithbk seems to be fine. Let's wait till @jimthematrix comes to my rescue.

Amjadnz (Tue, 02 May 2017 11:33:30 GMT):
regarding the sample docker file - I presume that for using it we need to generate the entire set of MSP for both orderer, peers and cli and embed the FABRIC-CA-SERVER yaml in the current e2e_cli docker.yaml

Amjadnz (Tue, 02 May 2017 11:33:34 GMT):
Is my assumption right?

Amjadnz (Tue, 02 May 2017 11:35:10 GMT):
As I guess the samples are using predefined certs and that may not be fine with fabric-ca-server. they have to be regenerated and reenrolled using fabric-ca-client.

smithbk (Tue, 02 May 2017 11:36:30 GMT):
I was speaking with @jimthematrix yesterday and he was going to remove the fabric-ca-server-config.yaml from the node repo altogether and use env variables instead, which is what I recommend. I'm not sure if he has pushed a change set to do that yet or not. But as of yesterday, yes, node.js repo included a fabric-ca-server-config.yaml which unfortunately had a syntax error

Amjadnz (Tue, 02 May 2017 11:38:21 GMT):
I c. Env variables are good to have at docker level - configuration wise.

Amjadnz (Tue, 02 May 2017 11:39:45 GMT):
Let me get my feet wet - into the MSP thing and if needed disturb you again.

Amjadnz (Tue, 02 May 2017 11:40:09 GMT):
:-)

smithbk (Tue, 02 May 2017 11:40:42 GMT):
and yes, he is using pre-canned cert and key file because the fabric-ca-server start command uses the --ca.certfile and --ca.keyfile options

smithbk (Tue, 02 May 2017 11:40:44 GMT):
ok

jimthematrix (Tue, 02 May 2017 12:06:32 GMT):
@Amjadnz sorry, was tied up yesterday trying to fix build breaks. The "xxx is not a constructor" problem you were seeing is a result of the npm module `grpc` upgrade last week. We haven't got around to investigating why, but for now the fix is to limit the version range to <1.3.0: https://gerrit.hyperledger.org/r/#/c/8823/1/fabric-client/package.json

jimthematrix (Tue, 02 May 2017 12:07:44 GMT):
while the above CR is getting reviewed, you can manually update your fabric-client/package.json, delete the fabric-sdk-node/node_modules folder and npm install again to get back the compatible version of grpc

jimthematrix (Tue, 02 May 2017 12:10:02 GMT):
also as @smithbk mentioned the local copies of server config yaml are removed now (so we are not susceptible to format changes) in favor of env variables in docker-compose.yaml

jimthematrix (Tue, 02 May 2017 12:12:21 GMT):
@Amjadnz the updated examples/balance-transfer generates a JWT token from the /login endpoint that captures the username and mspid (loosely equivalent to org id). this token is required on all subsequent calls for authorization purposes

jimthematrix (Tue, 02 May 2017 12:12:46 GMT):
we'll add a more detailed README to explain the design of the sample web app

Amjadnz (Tue, 02 May 2017 13:07:50 GMT):
@jimthematrix Ok - that clears some things. Will give it a shot and try again.

Amjadnz (Tue, 02 May 2017 13:18:24 GMT):
@jimthematrix

Amjadnz (Tue, 02 May 2017 13:18:32 GMT):
```
[tts@bc-adx-node3 sc]$ npm list grpc
sc@0.0.1 /home/tts/src/github.com/hyperledger/fabric-sdk-node/examples/sc
└─┬ fabric-client@1.0.0-alpha
  └── grpc@1.3.0
```

Amjadnz (Tue, 02 May 2017 13:18:53 GMT):
and I start the node server - post the query again.

Amjadnz (Tue, 02 May 2017 13:18:56 GMT):
But the same result

Amjadnz (Tue, 02 May 2017 13:19:20 GMT):
```
TypeError: identityProto.SerializedIdentity is not a constructor
    at Identity.serialize (/home/tts/src/github.com/hyperledger/fabric-sdk-node/examples/sc/node_modules/fabric-client/lib/msp/identity.js:113:28)
    at Chain.buildTransactionID (/home/tts/src/github.com/hyperledger/fabric-sdk-node/examples/sc/node_modules/fabric-client/lib/Chain.js:2125:49)
    at helper.getRegisteredUsers.then (/home/tts/src/github.com/hyperledger/fabric-sdk-node/examples/sc/app/query.js:39:17)
```

Amjadnz (Tue, 02 May 2017 13:19:56 GMT):
Actually let me try less than 1.3.0

Amjadnz (Tue, 02 May 2017 13:23:10 GMT):
@jimthematrix - this part is clear as I am getting the JWT token back and the same is used to push for an invoke or a query

Amjadnz (Tue, 02 May 2017 13:26:02 GMT):
@jimthematrix - Unfortunately with v1.2.4 also of GRPC - the same result.

Amjadnz (Tue, 02 May 2017 13:26:13 GMT):
```
TypeError: identityProto.SerializedIdentity is not a constructor
    at Identity.serialize (/home/tts/src/github.com/hyperledger/fabric-sdk-node/examples/sc/node_modules/fabric-client/lib/msp/identity.js:113:28)
    at Chain.buildTransactionID (/home/tts/src/github.com/hyperledger/fabric-sdk-node/examples/sc/node_modules/fabric-client/lib/Chain.js:2125:49)
    at helper.getRegisteredUsers.then (/home/tts/src/github.com/hyperledger/fabric-sdk-node/examples/sc/app/query.js:39:17)
```

Amjadnz (Tue, 02 May 2017 13:26:31 GMT):
Can we do -G to downgrade the npm module grpc?

jimthematrix (Tue, 02 May 2017 13:29:10 GMT):
@Amjadnz what is the version in fabric-sdk-node/node_modules/grpc/package.json? v1.2.4 should work and eliminate that error

jimthematrix (Tue, 02 May 2017 13:29:39 GMT):
also what's your host environment? win, mac, linux?

Amjadnz (Tue, 02 May 2017 13:31:46 GMT):
Mine is MAC - there was another node_modules within my NODEJS app as well

Amjadnz (Tue, 02 May 2017 13:31:56 GMT):
there it is still showing 1.3.0

Amjadnz (Tue, 02 May 2017 13:32:01 GMT):
let me downgrade that and try again

aambati (Tue, 02 May 2017 13:33:34 GMT):
K0ws@tme

Amjadnz (Tue, 02 May 2017 13:39:08 GMT):
@jimthematrix - when I do a `npm list grpc` - this is showing 1.2.4 in the fabric-sdk-client\fabric-client folder

Amjadnz (Tue, 02 May 2017 13:39:28 GMT):
But it is showing 1.3.0 in my examples folder

jimthematrix (Tue, 02 May 2017 13:40:47 GMT):
need to make sure you are using the right version depending on where you are running it from

Amjadnz (Tue, 02 May 2017 13:40:54 GMT):
Yep

Amjadnz (Tue, 02 May 2017 13:41:20 GMT):
Now clearing all and starting all over - better be sure before getting back to you :-)

Amjadnz (Tue, 02 May 2017 14:07:43 GMT):
@jimthematrix - Yes JIM, that seems to have solved the "XXX constructor" issue.

Amjadnz (Tue, 02 May 2017 14:08:29 GMT):
The change was to do in my NodeJSApplication/node_modules/fabric-client/package.json - and update the version to "<1.3.0"

Amjadnz (Tue, 02 May 2017 14:08:53 GMT):
then run the `npm install` - that took care of the items regarding the "Constructor" issue.

Amjadnz (Tue, 02 May 2017 14:09:19 GMT):
Am running into another certificate issue - I believe - the certs I have to update to match the cert of the SDK - or vice versa.

Amjadnz (Tue, 02 May 2017 14:09:34 GMT):
```
[2017-05-02 18:06:36.898] [INFO] Helper - Successfully loaded member from persistence
error: [Peer.js]: GRPC client got an error response from the peer "grpcs://localhost:7051". Error: The creator certificate is not valid, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority
    at /home/tts/src/github.com/hyperledger/fabric-sdk-node/examples/sc/node_modules/fabric-client/node_modules/grpc/src/node/src/client.js:434:17
error: [Chain.js]: Chain-sendPeersProposal - Promise is rejected: Error: The creator certificate is not valid, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority
    at /home/tts/src/github.com/hyperledger/fabric-sdk-node/examples/sc/node_modules/fabric-client/node_modules/grpc/src/node/src/client.js:434:17
```

Amjadnz (Tue, 02 May 2017 14:10:51 GMT):
Any suggestions from your side - so that I do it right the first time

jimthematrix (Tue, 02 May 2017 15:05:45 GMT):
@Amjadnz this could be due to a few things: first I would try is clearing out any existing persisted users from the state store (the path is /tmp/hfc-test* if you are using the code from tests). if not fixed I would check to make sure the fabric-ca server is started with the correct key and cert that match the localMSP dir cacerts folder of the peer

jimthematrix (Tue, 02 May 2017 15:06:47 GMT):
basically the above error means the fabric-ca server that issued the user enrollment cert is not matching the peer's recognized CA root

yong (Wed, 03 May 2017 01:17:16 GMT):
I use the certificate and private key generated by fabric-ca to perform `peer channel -o orderer0:7050 -c create $CHANNEL_NAME -f /etc/hyperledger/orderer/channel.tx` and get `Error: Got status: BAD_REQUEST`; an unexpected error occurred. The following appears in the orderer node:
```
Orderer0 2017-05-02 08:16:04.635 UTC [orderer/common/broadcast] Handle WARN 179 Rejecting broadcast message because of filter error: Rejected by rule: *sigfilter.sigFilter
Orderer0 2017-05-02 08:16:04.637 UTC [orderer/common/deliver] Handle WARN 17a Error reading from stream: -> stream error: code = 1 desc = "context canceled"
```
How to solve it?

Amjadnz (Wed, 03 May 2017 02:58:46 GMT):
@jimthematrix Thanks mate - I need to try that. Will update on my status.

ada-wang (Wed, 03 May 2017 03:07:29 GMT):
I have a question about the "fabric-ca-client register --id.affiliation" attr. Using snapshot-09107e7 and starting with "-b admin:adminpw", I cannot register a new affiliation like "org1.test" or "org1.department1.test"; only the built-in affiliations can be used. So this function is not implemented yet?

jimthematrix (Wed, 03 May 2017 03:32:50 GMT):
@ada-wang to do what you wanted you need to use a custom fabric-ca-server-config.yaml. one way to achieve this (node sdk test/fixture/docker-compose.yaml used to do this) is map a folder in your host to `/etc/hyperledger/fabric-ca-server` in docker and have a custom copy of the `fabric-ca-server-config.yaml` file

jimthematrix (Wed, 03 May 2017 03:33:14 GMT):
@smithbk may have other suggestions though

kelvinzhong (Wed, 03 May 2017 03:44:28 GMT):
hi all, i wonder what's the difference between 'admin' and 'root ca'? it looks the same in the examples

ada-wang (Wed, 03 May 2017 05:41:12 GMT):
@jimthematrix thx!

mychewcents (Wed, 03 May 2017 06:13:02 GMT):
I'm trying to register a new user using Node-SDK and it gives me: cannot unmarshal number into Go value of type string error. Anyone knows how to solve this error?

albert.lacambra (Wed, 03 May 2017 06:20:06 GMT):
Has joined the channel.

xuanyue202 (Wed, 03 May 2017 07:19:54 GMT):
Has joined the channel.

xuanyue202 (Wed, 03 May 2017 07:21:36 GMT):
hi all, currently the id.attr information does not go into the certificate. Is it by design? If so, how can I do role-based access control in cc without a fabric-ca-server?

nickmelis (Wed, 03 May 2017 10:00:22 GMT):
is there any enrollment timeout? If so, is this configurable?

smithbk (Wed, 03 May 2017 10:28:59 GMT):
@ada-wang Correct, we don't support dynamic registration of new affiliations currently. You must edit the configuration file and restart fabric-ca-server. If this is required, pls open a jira item. Thanks

smithbk (Wed, 03 May 2017 10:38:18 GMT):
@kelvinzhong admin is the default bootstrap user name; root ca is an instance of fabric-ca-server which is using a self-signed certificate as its CA signing certificate, as opposed to an intermediate CA which is an instance of fabric-ca-server which uses a certificate signed by the root CA as its CA signing certificate

smithbk (Wed, 03 May 2017 10:44:13 GMT):
@mychewcents That would generally mean that something in the body of the request sent by the SDK was an integer but was expecting a string. When the fabric-ca-server tries to unmarshal it using Go deserialization, it fails. I assume you are using the latest code. If yes, do you have a trace of the request body?

smithbk (Wed, 03 May 2017 10:50:19 GMT):
@xuanyue202 The id.attr info doesn't currently go into an e-cert but it does go into a tcert when requested (either in the clear or encrypted); however, support for tcerts in fabric is delayed until v1.1.

smithbk (Wed, 03 May 2017 10:54:32 GMT):
@nickmelis I assume you're asking how to configure the expiration time of an issued certificate. If yes, you can set both a max (and default) expiration on the server. See the "expiry" attribute in fabric-ca-server.yaml below:
```
#############################################################################
# Signing section
#############################################################################
signing:
  profiles:
    ca:
      usage:
        - cert sign
      expiry: 8000h
      caconstraint:
        isca: true
  default:
    usage:
      - cert sign
    expiry: 8000h
```

smithbk (Wed, 03 May 2017 10:59:10 GMT):
@nickmelis The client can also request an ecert with an expiration which is shorter than this if desired.

nickmelis (Wed, 03 May 2017 10:59:59 GMT):
@smithbk when you say "the client", do you know if this is available via Java SDK?

nickmelis (Wed, 03 May 2017 11:00:35 GMT):
probably a question for #fabric-sdk-java isn't it?

nickmelis (Wed, 03 May 2017 11:01:24 GMT):
by the way configuration plus client being able to "override" it gives me all the flexibility I need. Thanks for the info

smithbk (Wed, 03 May 2017 11:03:24 GMT):
Yes, question for fabric-sdk-java channel assuming you're using that SDK ... yw

bmkor (Wed, 03 May 2017 13:47:49 GMT):
Mind telling us more on the difference between roles like admin, user, client, peer, validator, etc? Apart from those obvious roles like orderer and peer, I always get puzzled. Thanks. @smithbk

smithbk (Wed, 03 May 2017 13:58:24 GMT):
@bmkor The fabric-ca doesn't limit the roles (or type of identity) which can be configured. They are just a list of strings. So that list can be tweaked to what makes sense for fabric going forward.

bmkor (Wed, 03 May 2017 14:04:22 GMT):
I see. Thanks @smithbk

Dpkkmr (Wed, 03 May 2017 17:54:56 GMT):
Has joined the channel.

kelvinzhong (Thu, 04 May 2017 01:56:31 GMT):
@smithbk thanks for the explanation! i thought the bootstrap user was the root ca at first, as the ca server requires a bootstrap user to be started

bmkor (Thu, 04 May 2017 04:28:56 GMT):
In enrolling an id by using the fabric CA client, msp information will be generated. Wondering how we can generate admincerts? I just saw signcerts, keystore & cacerts. Can someone help? Thanks in advance.

linyuadam (Thu, 04 May 2017 09:28:29 GMT):
Has joined the channel.

himansri (Thu, 04 May 2017 11:23:05 GMT):
Has joined the channel.

akash42145 (Thu, 04 May 2017 11:39:42 GMT):
Has joined the channel.

smithbk (Thu, 04 May 2017 12:39:37 GMT):
@bmkor A bit kludgey at the moment, but the following should work:

smithbk (Thu, 04 May 2017 12:39:45 GMT):
```
export FABRIC_CA_CLIENT_HOME=/tmp/client
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
mkdir $FABRIC_CA_CLIENT_HOME/msp/admincerts
cp $FABRIC_CA_CLIENT_HOME/msp/signcerts/cert.pem $FABRIC_CA_CLIENT_HOME/msp/admincerts
fabric-ca-client reenroll
```

smithbk (Thu, 04 May 2017 12:40:49 GMT):
You actually don't have to do the reenroll unless you want different certificates for signcerts and admincerts

bmkor (Thu, 04 May 2017 12:41:05 GMT):
Thanks a lot! What's the purpose of admincerts btw? @smithbk

smithbk (Thu, 04 May 2017 12:45:10 GMT):
it is used for performing admin channel operations .... such as config updates, chain code install etc

bmkor (Thu, 04 May 2017 12:56:34 GMT):
Thanks. So when will we need both (admincerts & signcerts) to be different? They seem to be the same? @smithbk

William.Z (Thu, 04 May 2017 13:04:20 GMT):
Has joined the channel.

Amjadnz (Thu, 04 May 2017 13:13:06 GMT):
@smithbk - I have cleared the /tmp/hfc-key-store folder to retest the SDK integration.

Amjadnz (Thu, 04 May 2017 13:13:27 GMT):
and when I issue a command to register a new user

Amjadnz (Thu, 04 May 2017 13:13:45 GMT):
```
curl -s -X POST \
  http://localhost:4000/users \
  -H "cache-control: no-cache" \
  -H "content-type: application/x-www-form-urlencoded" \
  -d 'username=Jim&orgName=org1'
```

Amjadnz (Thu, 04 May 2017 13:14:00 GMT):
I get the following error in the log

Amjadnz (Thu, 04 May 2017 13:14:24 GMT):
```
info: [crypto_ecdsa_aes]: This class requires a CryptoKeyStore to save keys, using the store: {"opts":{"path":"/root/.hfc-key-store"}}
error: [Client.js]: Failed to load user "admin" from local key value store. Error: Error: Private key missing from key store. Can not establish the signing identity for user admin
    at _mspImpl.cryptoSuite.importKey.then.then (/home/tts/src/github.com/hyperledger/fabric-sdk-node/examples/sc/node_modules/fabric-client/lib/User.js:260:11)
error: [Client.js]: Failed to load an instance of requested user "admin" from the state store on this Client instance. Error: Error: Private key missing from key store. Can not establish the signing identity for user admin
    at _mspImpl.cryptoSuite.importKey.then.then (/home/tts/src/github.com/hyperledger/fabric-sdk-node/examples/sc/node_modules/fabric-client/lib/User.js:260:11)
[2017-05-04 17:07:15.954] [DEBUG] Helper - Jim failed to register
[2017-05-04 17:07:15.954] [ERROR] Helper - Jim enrollment failed
(node:6788) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 1): Error: Cannot save null userContext.
(node:6788) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 2): TypeError: Cannot read property '_enrollmentSecret' of undefined
```

Amjadnz (Thu, 04 May 2017 13:14:37 GMT):
Probably I cleared the admin user priv key as well.

Amjadnz (Thu, 04 May 2017 13:14:54 GMT):
Can I re-enroll the user again?

smithbk (Thu, 04 May 2017 13:25:52 GMT):
@bmkor You need admincerts for certain more privileged operations such as installing chaincode, and signcerts is used for signing endorsements

smithbk (Thu, 04 May 2017 13:27:24 GMT):
@Amjadnz Assuming the default settings for fabric-ca-server, yes, you can enroll again

Amjadnz (Thu, 04 May 2017 13:31:09 GMT):
@smithbk So the process is I have to enroll the admin user first - right, to solve my case

Amjadnz (Thu, 04 May 2017 13:31:25 GMT):
and then enroll the other ones

Amjadnz (Thu, 04 May 2017 13:31:41 GMT):
As I lost the keys when clearing the /tmp folder

Amjadnz (Thu, 04 May 2017 13:51:05 GMT):
I should have backed up my keys. But learnt the hard way I guess

smithbk (Thu, 04 May 2017 13:52:06 GMT):
@amjadnz Yes, you'll need to start with admin 1st. Of course if you prefer, you could statically pre-register multiple users by adding them to the "registry.identities" section of the server's config file

smithbk (Thu, 04 May 2017 13:53:21 GMT):
by default, there is only a single bootstrap admin with "root privileges" which can dynamically register other users

Amjadnz (Thu, 04 May 2017 13:56:27 GMT):
thanks @smithbk - would try to overcome and if needed would pass a shout to you :-)

s.narayanan (Thu, 04 May 2017 14:12:36 GMT):
If we use Postgres as the database for Fabric CA, are there any version restrictions to be aware of? Specifically, are there specific versions that are supported?

Amjadnz (Thu, 04 May 2017 14:19:41 GMT):
@jimthematrix - can you please help me here. It is related to the NODE SDK setup. I cleared the directory as you suggested, set up all the things as needed and now am enrolling the user through the SDK

Amjadnz (Thu, 04 May 2017 14:19:46 GMT):
```
info: [FabricCAClientImpl.js]: Successfully constructed Fabric CA client from options - {"protocol":"http","hostname":"localhost","port":7054,"tlsOptions":{"trustedRoots":[],"verify":false}}
info: [FabricCAClientImpl.js]: Successfully constructed Fabric CA service client: endpoint - {"protocol":"http","hostname":"localhost","port":7054}
info: [Client.js]: Failed to load user "Jim" from local key value store
info: [FabricCAClientImpl.js]: Successfully constructed Fabric CA client from options - {"protocol":"http","hostname":"localhost","port":7054}
info: [FabricCAClientImpl.js]: Successfully constructed Fabric CA service client: endpoint - {"protocol":"http","hostname":"localhost","port":7054}
info: [crypto_ecdsa_aes]: This class requires a CryptoKeyStore to save keys, using the store: {"opts":{"path":"/root/.hfc-key-store"}}
error: [Client.js]: Failed to load user "admin" from local key value store. Error: Error: Private key missing from key store. Can not establish the signing identity for user admin
    at _mspImpl.cryptoSuite.importKey.then.then (/home/tts/src/github.com/hyperledger/fabric-sdk-node/examples/sc/node_modules/fabric-client/lib/User.js:260:11)
error: [Client.js]: Failed to load an instance of requested user "admin" from the state store on this Client instance. Error: Error: Private key missing from key store. Can not establish the signing identity for user admin
    at _mspImpl.cryptoSuite.importKey.then.then (/home/tts/src/github.com/hyperledger/fabric-sdk-node/examples/sc/node_modules/fabric-client/lib/User.js:260:11)
[2017-05-04 18:17:21.789] [DEBUG] Helper - Jim failed to register
[2017-05-04 18:17:21.790] [ERROR] Helper - Jim enrollment failed
(node:25779) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 1): Error: Cannot save null userContext.
(node:25779) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 2): TypeError: Cannot read property '_enrollmentSecret' of undefined
```

Amjadnz (Thu, 04 May 2017 14:20:27 GMT):
The same question I asked @smithbk too and he has helped me from fabric ca point of view.

Amjadnz (Thu, 04 May 2017 14:20:48 GMT):
Command used to register the user

Amjadnz (Thu, 04 May 2017 14:20:51 GMT):
```
curl -s -X POST \
  http://localhost:4000/users \
  -H "cache-control: no-cache" \
  -H "content-type: application/x-www-form-urlencoded" \
  -d 'username=Jim&orgName=org1'
```

Amjadnz (Thu, 04 May 2017 14:24:10 GMT):
If I use fabric-client process directly the data is fine

Amjadnz (Thu, 04 May 2017 14:24:19 GMT):
```
[root@bc-adx-node3 bin]# pwd
/home/tts/src/github.com/hyperledger/fabric-ca/build/docker/bin
```

Amjadnz (Thu, 04 May 2017 14:24:39 GMT):
```
[root@bc-adx-node3 bin]# ./fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
2017/05/04 18:23:23 [INFO] User provided config file: /tmp/client/fabric-ca-client-config.yaml
2017/05/04 18:23:23 [INFO] Configuration file location: /tmp/client/fabric-ca-client-config.yaml
2017/05/04 18:23:23 [INFO] generating key: &{A:ecdsa S:256}
2017/05/04 18:23:23 [INFO] encoded CSR
2017/05/04 18:23:23 [INFO] Stored client certificate at /tmp/client/msp/signcerts/cert.pem
2017/05/04 18:23:23 [INFO] Stored CA certificate chain at /tmp/client/msp/cacerts/localhost-7054.pem
```

smithbk (Thu, 04 May 2017 14:25:53 GMT):
@s.narayanan Saad @skarim did that work. We will support the version that he tested with and later. He will post the version here in a bit, but it was the latest version as of a couple of months ago.

s.narayanan (Thu, 04 May 2017 14:30:19 GMT):
@smithbk thanks, will look for response from @skarim

Amjadnz (Thu, 04 May 2017 14:40:04 GMT):
@Amjadnz @smithbk any further help you can provide to my issue

Amjadnz (Thu, 04 May 2017 14:40:20 GMT):
I tried the fabric-ca-client - enroll is fine

Amjadnz (Thu, 04 May 2017 14:41:01 GMT):
But with the SDK - the same enroll is looking for admin creds in `.hfc-key-store` - unable to find them, it is rejecting the enrollment part

rennman (Thu, 04 May 2017 14:50:14 GMT):
@s.narayanan the versions that were tested in the lab are postgres 9.4.10 on s390x and 9.5.6 on amd64

jimthematrix (Thu, 04 May 2017 14:50:50 GMT):
@Amjadnz we were just made aware of that error regarding private key missing from keystore. we are investigating...

Amjadnz (Thu, 04 May 2017 14:51:50 GMT):
@jimthematrix Ok Sure I would wait

Amjadnz (Thu, 04 May 2017 15:22:38 GMT):
@jimthematrix - another item during my testing builds

Amjadnz (Thu, 04 May 2017 15:22:42 GMT):
```
[root@bc-adx-node3 fabric-sdk-node]# node test/integration/e2e.js
info: Returning a new winston logger with default configurations
module.js:471
    throw err;
    ^

Error: Cannot find module './api.js'
    at Function.Module._resolveFilename (module.js:469:15)
    at Function.Module._load (module.js:417:25)
    at Module.require (module.js:497:17)
    at require (internal/module.js:20:19)
    at Object.<anonymous> (/home/tts/src/github.com/hyperledger/fabric-sdk-node/node_modules/fabric-ca-client/lib/FabricCAClientImpl.js:19:11)
    at Module._compile (module.js:570:32)
    at Object.Module._extensions..js (module.js:579:10)
    at Module.load (module.js:487:32)
    at tryModuleLoad (module.js:446:12)
    at Function.Module._load (module.js:438:3)
```

Amjadnz (Thu, 04 May 2017 15:22:55 GMT):
This is for running the "e2e.js"

Amjadnz (Thu, 04 May 2017 15:42:14 GMT):
@Amjadnz - this item is not an issue as I did not do the `gulp ca` commands

Amjadnz (Thu, 04 May 2017 15:42:34 GMT):
However the test build again are failing - due to the store issue - this is only for your information.

s.narayanan (Thu, 04 May 2017 16:33:08 GMT):
@rennman we have a requirement to run on RHEL 7.x in Linux on Z platform. Presume that would be 9.4.10

rohitbordia (Thu, 04 May 2017 16:34:52 GMT):
@smithbk if we use mysql/postgres, do we have to manually insert these identities?

rohitbordia (Thu, 04 May 2017 16:37:00 GMT):
with sqlite, I see the admin and attributes are inserted. Should it be the same for other types of DBs?

smithbk (Thu, 04 May 2017 17:32:23 GMT):
@rohitbordia Yes, dynamic registration is supported for all 3 DBs. Are you saying that is not working for you? If not, pls open a jira item with instructions on how to reproduce.

rohitbordia (Thu, 04 May 2017 17:35:07 GMT):
I don't see it working for mysql as I tried using it and had to manually insert data.

rohitbordia (Thu, 04 May 2017 17:36:17 GMT):
btw, does anyone have an example of using the enroll and register API?

ishan.gulhane (Thu, 04 May 2017 17:57:13 GMT):
Has joined the channel.

samwood (Thu, 04 May 2017 18:17:29 GMT):
Has joined the channel.

samwood (Thu, 04 May 2017 18:19:02 GMT):
I'm trying to "make docker" off the fabric-ca v1.0.0-alpha branch (OS X) and getting "Step 8/10 : ADD payload/fabric-ca.tar.bz2 $FABRIC_CA_HOME Error processing tar file(bzip2 data invalid: bad magic value in continuation file): make: *** [build/image/fabric-ca/.dummy-x86_64-1.0.0-alpha] Error 1", do folks know a workaround?

jimthematrix (Thu, 04 May 2017 19:53:52 GMT):
@Amjadnz answered your question regarding this error in the #fabric-sdk-node channel

ishan.gulhane (Thu, 04 May 2017 21:06:35 GMT):
Please help me. I am trying to set up the NODE SDK. When I am trying to create a channel I am getting the following error
```
info: [crypto_ecdsa_aes]: This class requires a CryptoKeyStore to save keys, using the store: {"opts":{"path":"/Users/ishan/.hfc-key-store"}}
info: [Client.js]: Successfully loaded user "admin" from local key value store
ok 1 Successfully loaded member from persistence
ok 2 Successfully enrolled user 'admin'
not ok 3 TypeError: _commonProto.Envelope.decode is not a function
    at /Users/ishan/Documents/node/marbles/fabric-sdk-node/node_modules/fabric-client/lib/Chain.js:427:42
  ---
    operator: fail
    at: hfc.newDefaultKeyValueStore.then.then.then (/Users/ishan/Documents/node/marbles/fabric-sdk-node/test/integration/e2e/create-channel.js:96:5)
  ...
ok 4 Successfully waited to make sure new channel was created.

1..4
# tests 4
# pass  3
# fail  1
```

Amjadnz (Thu, 04 May 2017 21:46:19 GMT):
@jimthematrix Ok Jim. But can you clarify how to clear the state store as well.

Amjadnz (Thu, 04 May 2017 22:06:23 GMT):
@jimthematrix Thanks JIM and @smithbk - Was able to solve the problem

Amjadnz (Thu, 04 May 2017 22:08:36 GMT):
the store is placed under `tmp` folder for `github.com/hyperledger/fabric-sdk-node`. Rename the `tmp` folder and create an empty `tmp` folder and restart the node using `node app`

Amjadnz (Thu, 04 May 2017 22:11:45 GMT):
first enroll admin:
```
curl -s -X POST http://localhost:4000/users -H "cache-control: no-cache" -H "content-type: application/x-www-form-urlencoded" -d 'username=admin&orgName=org1'
```

Amjadnz (Thu, 04 May 2017 22:11:59 GMT):
then comes the regular user

Amjadnz (Thu, 04 May 2017 22:12:06 GMT):
```curl -s -X POST http://localhost:4000/users -H "cache-control: no-cache" -H "content-type: application/x-www-form-urlencoded" -d 'username=Amjad&orgName=org1'```

Amjadnz (Thu, 04 May 2017 22:12:29 GMT):
output as follows

Amjadnz (Thu, 04 May 2017 22:12:33 GMT):
```{"success":true,"secret":"oNxocZuMAQHf","message":"Amjad enrolled Successfully","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0OTM5Mzk0NDEsInVzZXJuYW1lIjoiQW1qYWQiLCJvcmdOYW1lIjoib3JnMSIsImlhdCI6MTQ5MzkzNTg0MX0.HMaqtrrSyPVRR-PSG7vBX1_Z6w8is1bEPHtCC-5v0GI"}```

bbjj040471 (Fri, 05 May 2017 03:16:26 GMT):
Has joined the channel.

bbjj040471 (Fri, 05 May 2017 03:18:37 GMT):
I changed the DB to Postgres. How do I init the tables? Now I have a question about "pq: relation "users" does not exist".

sujayv (Fri, 05 May 2017 06:30:05 GMT):
Has joined the channel.

Haojun (Fri, 05 May 2017 07:26:25 GMT):
Has joined the channel.

akash42145 (Fri, 05 May 2017 07:48:58 GMT):
Hi, I am new to Hyperledger Fabric and am using fabric-node-sdk. I want to add (register and enroll) a new peer to an organisation. I am using the commands below in the CA container to generate the MSP for peer1:
```
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
fabric-ca-client register --id.name peer1 --id.type peer --id.affiliation org1.department1 --id.secret peer1pw
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer1
fabric-ca-client enroll -u http://peer1:peer1pw@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/msp
```
The contents of the MSP folder I am copying to:
```
fabric-sdk-node\test\fixtures\tls\peers\peer1
fabric-sdk-node\test\fixtures\channel\crypto-config\peerOrganizations\org1.example.com\peers\peer1.org1.example.com
```
In fabric-sdk-node\test\Integration\e2e\config.json I added an entry for peer1 with org1. Starting the peer1 container works, but node join-channel.js is failing:
```
routines:ssl3_get_server_certificate:certificate verify failed
events.js:160
      throw er; // Unhandled 'error' event
      ^
Error: Connect Failed
```

daijianw (Fri, 05 May 2017 11:24:06 GMT):
Has joined the channel.

haikalmegrhi (Fri, 05 May 2017 12:11:08 GMT):
Has joined the channel.

haikalmegrhi (Fri, 05 May 2017 12:15:03 GMT):
Hi all. I'm following the latest Hyperledger doc, and after some queries and calling contracts I want to see the ledger's content. Is there a command or a method to visualize it? Thank you.

mihaig (Fri, 05 May 2017 12:47:35 GMT):
Has joined the channel.

smithbk (Fri, 05 May 2017 12:51:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2cDcPEQt9A6dsW7yv) @bbjj040471 @skarim Saad, pls help with this postgres question

smithbk (Fri, 05 May 2017 12:55:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Pwr62zacf2wvRh3Ef) @akash42145 Try the following:

smithbk (Fri, 05 May 2017 12:55:43 GMT):
```
mkdir $FABRIC_CA_CLIENT_HOME/msp/admincerts
cp $FABRIC_CA_CLIENT_HOME/msp/signcerts/* $FABRIC_CA_CLIENT_HOME/msp/admincerts
```

smithbk (Fri, 05 May 2017 12:58:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hxoQJ5QLnb7HF9fr2) @haikalmegrhi Pls try on the #fabric-ledger channel ... @dave.enyeart

dave.enyeart (Fri, 05 May 2017 12:58:29 GMT):
Has joined the channel.

dave.enyeart (Fri, 05 May 2017 13:05:45 GMT):
@haikalmegrhi To understand data access patterns I'll point you to docs https://hyperledger-fabric.readthedocs.io/en/latest/ledger.html and charts https://jira.hyperledger.org/browse/FAB-758 and an example https://github.com/hyperledger/fabric/blob/master/examples/chaincode/go/marbles02/marbles_chaincode.go

dave.enyeart (Fri, 05 May 2017 13:05:58 GMT):
If you have follow-up questions please take them to #fabric-ledger

skarim (Fri, 05 May 2017 13:27:42 GMT):
@bbjj040471 Did you already create the database that you wanted to use with fabric-ca? If so, it assumes that the tables have also been created already. You can try to remove the database, and then specify the db name in the configuration of fabric-ca and it should create the database and tables for you.

albert.lacambra (Fri, 05 May 2017 13:29:34 GMT):
I am using the cryptogen tool and I have generated the following structure

albert.lacambra (Fri, 05 May 2017 13:29:36 GMT):
```
org1.example.com
│   ├── ca
│   │   ├── 2243f0e652e6c932bc01b7745070ebc3863a8013cc27e1b957c98c25e3b8956b_sk
│   │   └── org1.example.com-cert.pem
│   ├── msp
│   │   ├── admincerts
│   │   │   └── Admin@org1.example.com-cert.pem
│   │   ├── cacerts
│   │   │   └── org1.example.com-cert.pem
│   │   ├── keystore
│   │   └── signcerts
│   │       └── org1.example.com-cert.pem
│   ├── peers
│   │   ├── peer0.org1.example.com
│   │   │   ├── admincerts
│   │   │   │   └── Admin@org1.example.com-cert.pem
│   │   │   ├── cacerts
│   │   │   │   └── org1.example.com-cert.pem
│   │   │   ├── keystore
│   │   │   │   └── d4581233e3cc48e451bc589006271a5b510aef46d2bccb42c01f0348750e5f54_sk
│   │   │   └── signcerts
│   │   │       └── peer0.org1.example.com-cert.pem
│   │   └── peer1.org1.example.com
│   │       ├── admincerts
│   │       │   └── Admin@org1.example.com-cert.pem
│   │       ├── cacerts
│   │       │   └── org1.example.com-cert.pem
│   │       ├── keystore
│   │       │   └── fcd0c3444c6a899f0b5d0f89b2a4bdf70ff298da79b17b160f825ca2aa66504e_sk
│   │       └── signcerts
│   │           └── peer1.org1.example.com-cert.pem
```

albert.lacambra (Fri, 05 May 2017 13:30:34 GMT):
Does someone know what all these certificates are and what they are used for? Is there some clear diagram or doc explaining it? The official docs do not explain that much.

akashmar (Fri, 05 May 2017 18:33:52 GMT):
Has joined the channel.

Amjadnz (Fri, 05 May 2017 18:36:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=c4zAKPTYKwGzQg4eF) @jimthematrix I tried all combinations but It seems there is still this same issue.

Amjadnz (Fri, 05 May 2017 18:36:27 GMT):
Right now I have the same setup to take the folder structure between my peers and orderer and node-sdk.

Amjadnz (Fri, 05 May 2017 18:36:43 GMT):
Unfortunately - all seems to be throwing the same error of "create" cannot be verified.

Amjadnz (Fri, 05 May 2017 18:37:25 GMT):
Is there any process/documentation where I restart the whole process and issue my own certificates - for PEERS/ORGANISATIONS and start afresh.

Amjadnz (Fri, 05 May 2017 18:38:21 GMT):
We have a naming issue too in the fabric-node-sdk with Org1 and Org2 and in the e2e-cli it is Org0 and Org1

Amjadnz (Fri, 05 May 2017 18:39:30 GMT):
Is it a valid observation - any hints can help me push forward and close the last part of my case study (the NODE-SDK)

Amjadnz (Sat, 06 May 2017 16:04:20 GMT):
@jimthematrix - please avoid the last question - as I've found way to generate all the CERTS.

akash42145 (Sun, 07 May 2017 07:02:03 GMT):
Hello, I am using the fabric-node-sdk test folder example. I am trying to register and enroll a new peer in organisation 1. I have generated the certificates and copied them to the project /hyperledger/fabric-sdk-node/test/fixtures/channel/crypto-config/peerOrganizations/org1.example.com/peers/peer1 folder.

akash42145 (Sun, 07 May 2017 07:06:22 GMT):
Hello, I am using the fabric-node-sdk test folder example. I am trying to register and enroll a new peer in organisation 1. I have generated the certificates and copied them to the project /hyperledger/fabric-sdk-node/test/fixtures/channel/crypto-config/peerOrganizations/org1.example.com/peers/peer1 folder. It is giving an error while running e2e.js. I wanted to know whether I need to generate "twoorgs.genesis.block" and "mychannel.tx" once again to utilize the new peer, and what the way to generate these files in fabric-node-sdk is.

akash42145 (Sun, 07 May 2017 07:26:01 GMT):
It is a new peer I am trying to register and enroll.

hanlsin (Sun, 07 May 2017 14:33:24 GMT):
Has joined the channel.

smithbk (Mon, 08 May 2017 10:17:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kC3LkxaF8pYY5FLHP) @akash42145 Pls ask in fabric-sdk-node channel if you haven't already

net0310 (Mon, 08 May 2017 10:47:54 GMT):
What kind of ECDSA curve does fabric-ca use to generate a key pair?

smithbk (Mon, 08 May 2017 12:30:39 GMT):
This one: https://golang.org/pkg/crypto/elliptic/#P256

smithbk (Mon, 08 May 2017 12:31:30 GMT):
@net0310 ^^^^

ashutosh_kumar (Mon, 08 May 2017 13:38:13 GMT):
The curves supported are short Weierstrass curves with a=-3, which is the Go curve implementation.

JonathanLevi (Mon, 08 May 2017 13:47:10 GMT):
@ashutosh_kumar, just to mention that I miss you ;-)

Amjadnz (Mon, 08 May 2017 20:10:07 GMT):
@smithbk - I've tried to create a channel, and it always fails with this command

Amjadnz (Mon, 08 May 2017 20:10:23 GMT):
```CORE_PEER_LOCALMSPID="OrdererMSP" CORE_PEER_MSPCONFIGPATH=./crypto/ca/orderer0/localMspConfig peer channel create -o orderer0:7050 -c aj001 -f ./crypto/ca/orderer0/channel.tx --tls true --cafile ./crypto/ca/ca.org0```

Amjadnz (Mon, 08 May 2017 20:10:34 GMT):
```
2017-05-07 05:55:05.384 UTC [logging] InitFromViper -> DEBU 001 Setting default logging level to DEBUG for command 'channel'
2017-05-07 05:55:05.384 UTC [msp] GetLocalMSP -> DEBU 002 Returning existing local MSP
2017-05-07 05:55:05.384 UTC [msp] GetDefaultSigningIdentity -> DEBU 003 Obtaining default signing identity
Error connecting: rpc error: code = 14 desc = grpc: RPC failed fast due to transport failure
Error: rpc error: code = 14 desc = grpc: RPC failed fast due to transport failure
Usage:
  peer channel create [flags]
```

Amjadnz (Mon, 08 May 2017 20:12:06 GMT):
I've created new Orgs as under here.

Amjadnz (Mon, 08 May 2017 20:12:11 GMT):
```
ca - master folder
├── ca.org0
├── ca.org0.ttsme.com-cert.key
├── ca.org1
├── ca.org1.ttsme.com-cert.key
├── ca.org2
├── ca.org2.ttsme.com-cert.key
├── ca.org3
├── ca.org3.ttsme.com-cert.key
├── orderer0
│   ├── fabric-ca-client-config.yaml
│   └── localMspConfig
│       ├── admincerts
│       │   └── cert.pem (*)
│       ├── cacerts
│       │   └── org0-ttsme-com.pem (***)
│       ├── keystore
│       │   └── key.pem
│       └── signcerts
│           └── cert.pem (*)
├── peer1
│   ├── fabric-ca-client-config.yaml
│   └── localMspConfig
│       ├── cacerts
│       │   └── org1-ttsme-com.pem (***)
│       ├── keystore
│       │   └── key.pem
│       └── signcerts
│           └── cert.pem
├── peer2
│   ├── fabric-ca-client-config.yaml
│   └── localMspConfig
│       ├── cacerts
│       │   └── org1-ttsme-com.pem (***)
│       ├── keystore
│       │   └── key.pem
│       └── signcerts
│           └── cert.pem
├── peer3
│   ├── fabric-ca-client-config.yaml
│   └── localMspConfig
│       ├── cacerts
│       │   └── org2-ttsme-com.pem (***)
│       ├── keystore
│       │   └── key.pem
│       └── signcerts
│           └── cert.pem
└── peer4
    ├── fabric-ca-client-config.yaml
    └── localMspConfig
        ├── cacerts
        │   └── org2-ttsme-com.pem (***)
        ├── keystore
        │   └── key.pem
        └── signcerts
            └── cert.pem
```

Amjadnz (Mon, 08 May 2017 20:12:37 GMT):
(***) stands for ca-certs

Amjadnz (Mon, 08 May 2017 20:13:13 GMT):
Checks were done to ensure that the individual ca-certs were issued by the respective fabric-ca

Amjadnz (Mon, 08 May 2017 20:13:46 GMT):
Orderer part of docker yaml

Amjadnz (Mon, 08 May 2017 20:13:50 GMT):
```
  orderer0:
    container_name: orderer0
    image: hyperledger/fabric-orderer
    environment:
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=e2ecli_default
      - ORDERER_GENERAL_LOGLEVEL=debug
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/var/hyperledger/orderer0/orderer.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer0/localMspConfig
      # enabled TLS
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer0/localMspConfig/keystore/key.pem
      - ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer0/localMspConfig/signcerts/cert.pem
      - ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer0/localMspConfig/cacerts/org0-ttsme-com.pem,/var/hyperledger/peer1/localMspConfig/cacerts/org1-ttsme-com.pem,/var/hyperledger/peer2/localMspConfig/org2-ttsme-com.pem]
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric
    depends_on:
      - ca0
      - ca1
      - ca2
    command: orderer
    volumes:
      - ./certs/ca/:/var/hyperledger/
    ports:
      - 7050:7050
```

Amjadnz (Mon, 08 May 2017 20:14:03 GMT):
Can you help please - here?

Amjadnz (Mon, 08 May 2017 20:17:12 GMT):
Or what might cause this behaviour?

dbshah (Mon, 08 May 2017 21:09:02 GMT):
Is there a plan to add `parentserver` in the config file itself? this will help in running multiple instances of the ca-server and still have them all have a parent server that they get their certs signed from.

dbshah (Mon, 08 May 2017 21:09:45 GMT):
Also, the `parentserver.caname` argument on the command line does not work

nickgaski (Mon, 08 May 2017 21:09:49 GMT):
Has joined the channel.

greg.haskins (Mon, 08 May 2017 21:14:09 GMT):
@JonathanLevi @smithbk what, if any, is the mechanism to grant Role.ADMIN entitlements with the CA ?

nickgaski (Mon, 08 May 2017 21:14:37 GMT):
@Amjadnz - I don't think the certs are being mounted correctly

greg.haskins (Mon, 08 May 2017 21:14:51 GMT):
IOW, I need the peer to see me as an admin for install() purposes, and I am using an ecert that the CA signed

tkuhrt (Mon, 08 May 2017 21:16:50 GMT):
Has joined the channel.

nickgaski (Mon, 08 May 2017 21:21:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZDQu6gETDgampk3FJ) @nickgaski actually I take that back, you did it very nicely. However, I think you need to pass the full path including your working directory for that cafile to enable the TLS connection. so `opt/gopath/src/github.com/ / / / / / / /` all the way to your cafile

greg.haskins (Mon, 08 May 2017 21:25:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NGQ24ruPzSYoN83Y2) @nickgaski FWIW, a lot of this stuff is no longer even necessary because we support relative pathing, etc

greg.haskins (Mon, 08 May 2017 21:25:12 GMT):
not sure of the context here, but in case that helps

smithbk (Mon, 08 May 2017 21:48:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=h79TNmdNrMAKXsBwy) @greg.haskins Greg, you need to put your ecert in the msp/admincerts directory on the peer in order to have install privs

greg.haskins (Mon, 08 May 2017 21:49:52 GMT):
@smithbk to be clear: I am using username/password with SDK+CA to get it

greg.haskins (Mon, 08 May 2017 21:50:39 GMT):
maybe I am misunderstanding something, but shouldnt I be able to configure the CA to generate an RBAC entitlement for a given principal when the ecert is generated?

greg.haskins (Mon, 08 May 2017 21:51:38 GMT):
1) I dont physically have the ecert...its buried in the SDK/CA process, and 2) even if I did, distribution in that manner seems untenable

greg.haskins (Mon, 08 May 2017 21:53:24 GMT):
FWIW, I do have the MSP all set up properly such that the CA and peers are all part of the same org

smithbk (Mon, 08 May 2017 21:56:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8FEgd7Pk9gw2uSq38) @dbshah Yes, it actually should be supported now, but @skarim has a new change set which puts this in the default server's yaml that gets generated. Saad, pls comment on status. And @dbshah, pls open a jira item on the parentserver.caname issue.

greg.haskins (Mon, 08 May 2017 21:57:44 GMT):
@smithbk to put it another way, I was under the impression that the admincerts-based entitlement was for channel creation, and that bootstraps other entitlements such as chaincode install

greg.haskins (Mon, 08 May 2017 21:58:04 GMT):
or is that not true?

smithbk (Mon, 08 May 2017 21:59:31 GMT):
@greg.haskins V1 doesn't support tcerts with attributes,

greg.haskins (Mon, 08 May 2017 21:59:53 GMT):
I do have the Admin@org keypair from the cryptogen process, but I only use it for channel creation

greg.haskins (Mon, 08 May 2017 22:00:48 GMT):
so should we not be using the ca/enrollment process for v1.0?

greg.haskins (Mon, 08 May 2017 22:01:16 GMT):
or to put it another way: how do I install chaincode via SDK in v1.0?

smithbk (Mon, 08 May 2017 22:02:19 GMT):
you could set up an intermediate CA for issuing install identities

greg.haskins (Mon, 08 May 2017 22:02:31 GMT):
are there docs on this?

smithbk (Mon, 08 May 2017 22:03:56 GMT):
the readthedocs shows how to set up a intermediate CA ... doesn't show specifically how to apply it to this scenario, but just requires putting that intermediate CA's cert in the admincerts folder of peer

greg.haskins (Mon, 08 May 2017 22:04:26 GMT):
what is the suggested flow if what I am doing is unusual?

greg.haskins (Mon, 08 May 2017 22:05:07 GMT):
basically, set up a hyperledger network, create a channel, install a chaincode, instantiate the chaincode, invoke it

smithbk (Mon, 08 May 2017 22:05:08 GMT):
one flow is using the fabric-ca-client

smithbk (Mon, 08 May 2017 22:05:59 GMT):
to get an ecert to then use to install on the peer

greg.haskins (Mon, 08 May 2017 22:06:00 GMT):
right now I am stuck at step 3 because the ecert that the CA gives me doesn't grant sufficient privilege for the install

smithbk (Mon, 08 May 2017 22:06:05 GMT):
but you need to use the SDK

greg.haskins (Mon, 08 May 2017 22:06:34 GMT):
I am, I create the channel via CLI, and then switch to SDK for remaining steps

smithbk (Mon, 08 May 2017 22:07:35 GMT):
you create the channel from peer CLI? Then you could just copy the cert from the signcerts folder into the admincerts folder

smithbk (Mon, 08 May 2017 22:07:53 GMT):
that would then allow the peer's identity to install the chaincode

greg.haskins (Mon, 08 May 2017 22:08:02 GMT):
well, i dont really _want_ to ;)

greg.haskins (Mon, 08 May 2017 22:08:09 GMT):
im trying to model a real setup

greg.haskins (Mon, 08 May 2017 22:08:43 GMT):
I do have an Admin@org identity that is pre-installed in each peer's admincerts

greg.haskins (Mon, 08 May 2017 22:08:51 GMT):
and I use that to join the channel

greg.haskins (Mon, 08 May 2017 22:09:18 GMT):
but then I am trying to bootstrap to an SDK client who logs in with admin/adminpw, gets an ecert, and installs code

greg.haskins (Mon, 08 May 2017 22:10:01 GMT):
IIUC, you are saying this is not yet possible though

greg.haskins (Mon, 08 May 2017 22:10:04 GMT):
I have this setup

greg.haskins (Mon, 08 May 2017 22:10:07 GMT):
```
registry:
  # Maximum number of times a password/secret can be reused for enrollment
  # (default: 0, which means there is no limit)
  maxEnrollments: 0

  # Contains identity information which is used when LDAP is disabled
  identities:
     - name: admin
       pass: adminpw
       type: client
       affiliation: ""
       attrs:
          hf.Registrar.Roles: "client,user,peer,validator,auditor,ca"
          hf.Registrar.DelegateRoles: "client,user,validator,auditor"
          hf.Revoker: true
          hf.IntermediateCA: true
```

greg.haskins (Mon, 08 May 2017 22:10:24 GMT):
I was thinking it was just a matter of assigning the proper attrs to the principal

greg.haskins (Mon, 08 May 2017 22:10:28 GMT):
but those are not supported?

smithbk (Mon, 08 May 2017 22:11:33 GMT):
correct, they are not supported

greg.haskins (Mon, 08 May 2017 22:12:09 GMT):
hmm... I'm not clear on how one would actually use ca::enroll() then

smithbk (Mon, 08 May 2017 22:12:10 GMT):
msp is only looking at trusted roots or a specific cert

smithbk (Mon, 08 May 2017 22:12:35 GMT):
I thought the ca.enroll could load an identity from a file

greg.haskins (Mon, 08 May 2017 22:12:46 GMT):
are you saying a) dont use the CA, or b) you can use ca::enroll() and then somehow export it from the SDK and manually distribute it around the network?

smithbk (Mon, 08 May 2017 22:12:55 GMT):
but you would need to ask @jimthematrix

greg.haskins (Mon, 08 May 2017 22:14:49 GMT):
so should I just disable the CA and not use it for 1.0?

smithbk (Mon, 08 May 2017 22:15:17 GMT):
I don't know about exporting from SDK. Need to ask @jimthematrix , but I thought you could import. So one way is to do the enroll from the fabric-ca-client, copy cert to admincerts, and import into SDK

greg.haskins (Mon, 08 May 2017 22:15:19 GMT):
e.g. just use standard CA/openssl

smithbk (Mon, 08 May 2017 22:16:27 GMT):
the problem is not with the CA ... i don't see how use standard is going to help

smithbk (Mon, 08 May 2017 22:17:13 GMT):
you still have to import it in the SDK and distribute it

greg.haskins (Mon, 08 May 2017 22:17:38 GMT):
I guess I am fuzzy on what the CA is doing... my understanding was it's a facility to generate TCerts from ECerts and to allow RBAC assignments... but if I can't generate TCerts or RBAC assignments, it's just standard x509s, right?

greg.haskins (Mon, 08 May 2017 22:18:26 GMT):
IOW, I should just do standard x509 PKI practices and give my clients their own key pairs?

smithbk (Mon, 08 May 2017 22:21:06 GMT):
Greg, let me talk to some folks in Zurich tomorrow and see if we can come up with other alternatives. OK?

greg.haskins (Mon, 08 May 2017 22:21:14 GMT):
ok, thanks Keith

greg.haskins (Mon, 08 May 2017 22:21:55 GMT):
for now, ill just distribute the Admin@org credentials

greg.haskins (Mon, 08 May 2017 22:32:18 GMT):
@smithbk for context, I am trying to use this facility: https://github.com/hyperledger/fabric/commit/8288a7fc2490f75210ea3e879016a2aa99435835#diff-bd05406146c5029db8d665c7a8ba99a3R79

greg.haskins (Mon, 08 May 2017 22:33:14 GMT):
which, IIUC means I can have an RBAC assignment that carries similar entitlement capability as physically placing the cert under admincerts on all the peers

greg.haskins (Mon, 08 May 2017 22:33:51 GMT):
but its not clear how one can/should generate that cert...I was assuming fabric-ca's attribute feature was it, but I guess that was wrong

greg.haskins (Mon, 08 May 2017 22:34:04 GMT):
any clarity the Zurich team has on this issue appreciated

jimthematrix (Mon, 08 May 2017 23:17:06 GMT):
hi @greg.haskins I think your question can be answered with the following code snippet from fabric/msp/mspimpl.go:
```
func (msp *bccspmsp) SatisfiesPrincipal(id Identity, principal *m.MSPPrincipal) error {
	switch principal.PrincipalClassification {
	// in this case, we have to check whether the
	// identity has a role in the msp - member or admin
	case m.MSPPrincipal_ROLE:
		// Principal contains the msp role
		mspRole := &m.MSPRole{}
		err := proto.Unmarshal(principal.Principal, mspRole)
		if err != nil {
			return fmt.Errorf("Could not unmarshal MSPRole from principal, err %s", err)
		}

		// at first, we check whether the MSP
		// identifier is the same as that of the identity
		if mspRole.MspIdentifier != msp.name {
			return fmt.Errorf("The identity is a member of a different MSP (expected %s, got %s)", mspRole.MspIdentifier, id.GetMSPIdentifier())
		}

		// now we validate the different msp roles
		switch mspRole.Role {
		case m.MSPRole_MEMBER:
			// in the case of member, we simply check
			// whether this identity is valid for the MSP
			mspLogger.Debugf("Checking if identity satisfies MEMBER role for %s", msp.name)
			return msp.Validate(id)
		case m.MSPRole_ADMIN:
			mspLogger.Debugf("Checking if identity satisfies ADMIN role for %s", msp.name)
			// in the case of admin, we check that the
			// id is exactly one of our admins
			for _, admincert := range msp.admins {
				if bytes.Equal(id.(*identity).cert.Raw, admincert.(*identity).cert.Raw) {
					return nil
				}
			}
			return errors.New("This identity is not an admin")
		default:
			return fmt.Errorf("Invalid MSP role type %d", int32(mspRole.Role))
		}
```

jimthematrix (Mon, 08 May 2017 23:18:06 GMT):
as you can see for MSPRole_Member, the checking is done with Validate() that checks the cert's trust chain. but for MSPRole_Admin, it's comparing bytes with the specific raw certs under msp/admincerts

jimthematrix (Mon, 08 May 2017 23:18:45 GMT):
so admin identities used by SDKs must be pre-provisioned at the time of the peer's bootstrap

jimthematrix (Mon, 08 May 2017 23:19:05 GMT):
as such they can't be dynamically enrolled (with fabric-ca or other ca)

jimthematrix (Mon, 08 May 2017 23:23:26 GMT):
as @smithbk mentioned until attribute-based certs are re-enabled some time later, the process of using admin identities has to be treated differently than regular members. node SDK has Client.createUser() that's designed specifically for this purpose. java SDK allows you to implement a User interface where you can do similar things like loading the identity materials (private key etc.) for the admin from files

greg.haskins (Mon, 08 May 2017 23:51:17 GMT):
That's helpful @jimthematrix , thank you.

greg.haskins (Mon, 08 May 2017 23:51:40 GMT):
Related question: which functions require admin role?

greg.haskins (Mon, 08 May 2017 23:51:59 GMT):
So far we have channel-join and chaincode-install

greg.haskins (Mon, 08 May 2017 23:52:06 GMT):
Any others?

amber-zhang (Tue, 09 May 2017 00:52:03 GMT):
Has joined the channel.

greg.haskins (Tue, 09 May 2017 01:28:48 GMT):
does anyone understand what assigns the MSPRole?

greg.haskins (Tue, 09 May 2017 01:29:14 GMT):
I would have thought it was in the configtx.yaml::AdminPrincipal, but that didn't seem to have an impact

greg.haskins (Tue, 09 May 2017 01:29:57 GMT):
@jimthematrix where I was going with this is I was wondering if I could configure the channel to basically only require Role.MEMBER to install()

jingge (Tue, 09 May 2017 01:43:52 GMT):
Has joined the channel.

jimthematrix (Tue, 09 May 2017 01:45:02 GMT):
now chaincode instantiate too requires admin

jimthematrix (Tue, 09 May 2017 01:47:50 GMT):
this would be a question on the #fabric-crypto channel

greg.haskins (Tue, 09 May 2017 01:54:44 GMT):
this is going to be really awkward to use for 1.0 I think

jimthematrix (Tue, 09 May 2017 02:02:23 GMT):
the whole channel config policies is still a blur to me, it's pretty complicated and i haven't spent enough time digging through it

jimthematrix (Tue, 09 May 2017 02:02:51 GMT):
not sure how the `AdminPrincipal` in configtx.yaml fits in

jimthematrix (Tue, 09 May 2017 02:04:26 GMT):
although i'm pretty sure the operations listed above that require admin roles are targeting the MSPRole (MSPRole_MEMBER and MSPRole_ADMIN) directly, without involving the AdminPrincipal mapping

nauqnew (Tue, 09 May 2017 03:38:55 GMT):
Has joined the channel.

bmkor (Tue, 09 May 2017 06:57:09 GMT):
Would like to ask if Parentserver URL will be called when and only when a client gets a ca cert? Hope anyone can help or give me a hint. Thanks a lot.

rock_martin (Tue, 09 May 2017 10:21:52 GMT):
Has joined the channel.

bmkor (Tue, 09 May 2017 10:50:45 GMT):
I have a remote parent fabric CA server which I want to connect to. But without specifying the cacount to be 1 or more in the .yaml, I can't see my local child fabric CA server trying to connect to its parent. What have I missed? Would anyone give me a hint? Thanks a lot.

smithbk (Tue, 09 May 2017 13:34:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iW2D96ugRkhAkfkwx) @bmkor Yes, the parent server URL for an intermediate CA is only used to get a CA cert. It is NOT used to get ecerts. This is not related to the multi CA support provided by the --cacount or --cafiles args. BTW, there is a bug when starting the intermediate CA currently which is fixed by a change set which is not yet merged. The fix is in this change set: https://gerrit.hyperledger.org/r/#/c/8944/

smithbk (Tue, 09 May 2017 13:35:18 GMT):
@bmkor For example, the following is starting a root CA:

smithbk (Tue, 09 May 2017 13:35:29 GMT):
```fabric-ca-server start -c root/config.yaml -b a:b -p 7055```

smithbk (Tue, 09 May 2017 13:35:43 GMT):
And this to start the intermediate CA:

smithbk (Tue, 09 May 2017 13:36:20 GMT):
```fabric-ca-server start -c intermediate/config.yaml -b c:d -u http://a:b@localhost:7055```

jchenibm (Tue, 09 May 2017 13:40:20 GMT):
Has joined the channel.

qizhang (Tue, 09 May 2017 14:57:31 GMT):
Has joined the channel.

qizhang (Tue, 09 May 2017 15:08:47 GMT):
I have setup a Marbles Blockchain with two clients. Now I want to revoke the ECERT from one client so as to prevent it from accessing the Blockchain. Therefore, I logged into one of the fabric-ca container and issued "fabric-ca-client revoke -e -r reason". However, the container complains: "Error: Enrollment information does not exist. Please execute enroll command first." The client has been tested and it actually works, but why it complains that the client has not enrolled? Also, is there any method to check which id has been enrolled? Thanks!

dhwang (Tue, 09 May 2017 17:48:06 GMT):
When starting an intermediate CA, is it necessary to include the CA certificate? I thought by including the URL of root ca, a certificate will be signed. eg fabric-ca-server start -b admin:password --url https://admin:password@localhost:7054 but I get the error message: "No CA certificate files provided"

smithbk (Tue, 09 May 2017 17:48:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WGx39ciM5tkoD5BCa) @qizhang To revoke a certificate requires certain privileges so the revoke request must be sent with someone's proof of identity. That error means that the container from which you executed "fabric-ca-client revoke", you had not enrolled so it doesn't know who is trying to issue the revoke.

smithbk (Tue, 09 May 2017 17:54:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RE7PgAgC7o83GSjtY) @dhwang Hmm ... is it possible that you are starting the root and intermediate CA in the same directory? You are definitely starting them on the same local port, so you'd get a listen error for sure. I guess you saw my examples to bmkor above and the comment about the bug which is fixed in the change set I mentioned.

dhwang (Tue, 09 May 2017 17:55:17 GMT):
@smithbk My root ca and int ca are on different servers.

dhwang (Tue, 09 May 2017 17:55:39 GMT):
I changed the URL in my example to localhost. but it's a real ip address.

smithbk (Tue, 09 May 2017 17:55:46 GMT):
oh, ok

smithbk (Tue, 09 May 2017 17:56:26 GMT):
let me look for that error in the code ... hold on

smithbk (Tue, 09 May 2017 18:01:20 GMT):
oh, sorry ... yeh, since you are using "https", you also need to specify a cert file. Let me get the exact syntax. @skarim is actually working on a change set now to help with this

qizhang (Tue, 09 May 2017 18:06:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rs7Fh5rXrNd79Yx7F) @smithbk Thanks! I checked the Hyperledger document. It says to use the commands 1. export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin and 2. fabric-ca-client enroll -u http://admin:adminpw@localhost:7054 to enroll an identity. So I assume that issuing these two commands in the fabric-ca container is the thing that I should do. However, from inside the fabric-ca container, I cannot find the $HOME/fabric-ca/admin directory. Also, what is the username and password that I should use to enroll? How can I figure out the IP address and port of the fabric-ca-server, so that I can specify them as the parameter of -u?

dhwang (Tue, 09 May 2017 18:08:18 GMT):
@smithbk Thanks! Since I am using httpS, I figured I should need a tls cert, not ca cert. But it's asking me for a CA cert.

smithbk (Tue, 09 May 2017 18:10:05 GMT):
Yes, that's a bad error message. I'll open a jira item to fix

smithbk (Tue, 09 May 2017 18:16:34 GMT):
@dhwang You should be able to add the following to your intermediate's server config file

smithbk (Tue, 09 May 2017 18:16:44 GMT):
```
client:
  tls:
    certfiles:
      - tls-cert.pem
```

smithbk (Tue, 09 May 2017 18:17:39 GMT):
As long as tls-cert.pem is the cert used for tls by the root CA, then it should work

smithbk (Tue, 09 May 2017 18:18:27 GMT):
FAB 2715 will make this easier and doc it

smithbk (Tue, 09 May 2017 18:49:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AmPeSTd2nXSmyjfxT) @qizhang The fabric-ca-client will create the home directory when you enroll. Specifying the FABRIC_CA_CLIENT_HOME env variable just allows you to maintain multiple clients on a single machine if needed. The default home directory is $HOME/.fabric-ca-client if you don't set that env variable. Regarding the user/pass to use, it must be the user/pass of a statically or dynamically registered identity with the fabric-ca-server. The example shows starting the "bootstrap administrator" which is basically like "root" with all privileges that is pre-registered with name "admin" and password "adminpw", but that is just a sample.

joshuajeeson (Tue, 09 May 2017 20:30:48 GMT):
I am testing the pkcs11.go on its own, wondering why for logging purpose 'logger' is being referred to, while the file is importing 'github.com/op/go-logging'

theofilis (Tue, 09 May 2017 20:43:17 GMT):
Has joined the channel.

smithbk (Wed, 10 May 2017 00:27:01 GMT):
It's using the name of the package imported https://github.com/op/go-logging/blob/master/backend.go#L5

s.narayanan (Wed, 10 May 2017 01:19:53 GMT):
Since keys are used extensively within hyperledger fabric, are there any specific guidance/best practices around managing secure access to keystores, specifically ensuring secure access to keys held within keystore (from node sdk, peers, orderers etc.). I am interested in cases where HSM may not be an option and software key store may need to be used

kelvinzhong (Wed, 10 May 2017 02:36:03 GMT):
@smithbk hi, last time you said "admin is the default bootstrap user name; root ca is an instance of fabric-ca-server which is using a self-signed certificate as its CA signing certificate"

kelvinzhong (Wed, 10 May 2017 02:37:20 GMT):
but from the example in sdk, the cacert is the same as the admincert, so in fabric-ca is using the bootstrap user as the root ca?

zhouhuangjing (Wed, 10 May 2017 04:24:52 GMT):
Has joined the channel.

bareshift (Wed, 10 May 2017 05:32:49 GMT):
Has joined the channel.

jordipainan (Wed, 10 May 2017 08:12:06 GMT):
Has joined the channel.

CarlXK (Wed, 10 May 2017 08:36:12 GMT):
@rameshthoomu @nickgaski could you help with the below error? I ran it on CentOS 7.3, following getting_started.rst
```
CRIT 002 Error reading configuration: Unsupported Config Type ""
panic: Error reading configuration: Unsupported Config Type ""

goroutine 1 [running]:
panic(0x88ade0, 0xc4201b86c0)
	/opt/go/go1.7.linux.amd64/src/runtime/panic.go:500 +0x1a1
github.com/hyperledger/fabric/vendor/github.com/op/go-logging.(*Logger).Panicf(0xc420159d40, 0x95e309, 0x1f, 0xc4201b85e0, 0x1, 0x1)
	/w/workspace/fabric-binaries/gopath/src/github.com/hyperledger/fabric/vendor/github.com/op/go-logging/logger.go:194 +0x127
github.com/hyperledger/fabric/common/configtx/tool/localconfig.Load(0x7ffe9102b621, 0x7, 0x0)
	/w/workspace/fabric-binaries/gopath/src/github.com/hyperledger/fabric/common/configtx/tool/localconfig/config.go:195 +0x79c
main.main()
	/w/workspace/fabric-binaries/gopath/src/github.com/hyperledger/fabric/common/configtx/tool/configtxgen/main.go:204 +0x405
```

smithbk (Wed, 10 May 2017 10:37:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TzZfpMiemfKSBMDTo) @s.narayanan I think the specific recommendations would depend on where you store your keys. For example, if using CouchDB, some recommendations are at http://guide.couchdb.org/draft/source.html#security. A pretty obvious recommendation for all is of course to use TLS to access

smithbk (Wed, 10 May 2017 10:43:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AnFW9krNF4a3SZqkp) @kelvinzhong There can be multiple admincerts. They are a list of specific certificates which are allowed to perform admin options. It just so happens that in the SDK example, they are using the cacert as one of the admincerts, but this does not currently have to be the case, since the fabric-ca-server is not directly connecting to a peer or orderer today to perform any administrative operations. In the future, if/when the fabric-ca-server were to support pushing a CRL (Certificate Revocation List) update as a channel config operation, then it may need to be one of the admincerts.

smithbk (Wed, 10 May 2017 10:48:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hWnTQGdtiTTkXZJ2Z) @kelvinzhong Not sure I understand the question "so in fabric-ca is using the bootstrap user as the root ca" ... fabric-ca is not using the bootstrap user as the root CA. Think of the "bootstrap identity" as the "user/pass for the fabric-ca-server's administrator". It allows someone to remotely manage the fabric-ca-server. For example, the administrator can dynamically register another identity which can then be used to enroll a peer.

kelvinzhong (Wed, 10 May 2017 10:51:48 GMT):
well, my confusion is about the relationship between the rootca cert and the admin cert

kelvinzhong (Wed, 10 May 2017 10:52:12 GMT):
as far as I know, the bootstrap user should be the admin user

kelvinzhong (Wed, 10 May 2017 10:52:31 GMT):
and the admin could register other members

kelvinzhong (Wed, 10 May 2017 10:53:05 GMT):
but there is a ca cert shows in the sdk example, the ca cert is the same as the admin cert

kelvinzhong (Wed, 10 May 2017 10:53:52 GMT):
so in what case would the ca cert be different from the admin cert?

smithbk (Wed, 10 May 2017 10:55:35 GMT):
First off, there can be multiple admin certs, each of them identifying who can perform an admin operation

smithbk (Wed, 10 May 2017 10:56:35 GMT):
I don't know why the SDK example chose to use the cacert as the only admin cert. My guess is that it was just easier to do but did not mean to imply that it must be that way

kelvinzhong (Wed, 10 May 2017 10:57:07 GMT):
so the admin could be not the bootstrap user right?

smithbk (Wed, 10 May 2017 10:57:16 GMT):
Correct

kelvinzhong (Wed, 10 May 2017 10:57:25 GMT):
the bootstrap user is the root ca

smithbk (Wed, 10 May 2017 10:57:41 GMT):
no, they are different

kelvinzhong (Wed, 10 May 2017 10:58:15 GMT):
so how come the root ca cert, as the example shows is the bootstrap user

smithbk (Wed, 10 May 2017 10:58:50 GMT):
What example?

kelvinzhong (Wed, 10 May 2017 10:59:38 GMT):

Message Attachments

smithbk (Wed, 10 May 2017 11:00:51 GMT):
Where do you see this? I'd like to make sure I'm understanding the context

kelvinzhong (Wed, 10 May 2017 11:01:12 GMT):
in the java sdk e2etest

kelvinzhong (Wed, 10 May 2017 11:01:53 GMT):
there are 2 orgs and they have different cacerts, but inside one org, the admincert is the same as the cacert

smithbk (Wed, 10 May 2017 11:04:24 GMT):
ok, again it does not have to be, but I assume they did that because it was just easier in doing the example but did not intend to imply that it must be that way. We'll need to ask the person who wrote the e2etest to know for sure why they chose to do this, which would be either @jimthematrix or @rickr

smithbk (Wed, 10 May 2017 11:05:55 GMT):
You could ask this in the #fabric-sdk-java channel also

kelvinzhong (Wed, 10 May 2017 11:06:51 GMT):
okay, I will keep looking into this, and really appreciate your help!!!

smithbk (Wed, 10 May 2017 11:07:25 GMT):
np ... hope they can clarify it for you

kelvinzhong (Wed, 10 May 2017 11:07:36 GMT):
lol

dhwang (Wed, 10 May 2017 14:46:15 GMT):
I have a strange issue (bug?). I tried configuring TLS to both mysql and root-ca for my int-ca. But I got the following error message: `[ERROR] Failed to connect to MySQL database [error: Error 1045: Access denied for user '///-ca/'@'172.18.0.3' (using password: YES)]` Notice the user is messed up. But my yaml file has the right credential: `datasource: 'root:pass@tcp(mariadb:3306)/fabricca?parseTime=true&tls=skip-verify'` This problem only happens when I configure TLS to root-ca. Is this related to: https://gerrit.hyperledger.org/r/#/c/8944 ?

dhwang (Wed, 10 May 2017 14:56:37 GMT):
I think there is another bug where I have to specify a CA cert for int-ca. I get the following error: `Error: Failed to initialize CA: Failed to get client TLS config: No CA certificate files provided` if I don't specify ca: in the yaml file. I thought ca: is only needed for root-ca. Int-ca only needs --url from the command line?

tomconte (Wed, 10 May 2017 14:57:50 GMT):
Has joined the channel.

dhwang (Wed, 10 May 2017 15:15:02 GMT):
@smithbk I don't think it's just an incorrect error message related to "Error: Failed to initialize CA: Failed to get client TLS config: No CA certificate files provided". That error message only goes away if I actually specify ca: certfile/keyfile, which I shouldn't have to. I've already specified the TLS cert like you suggested:
```
client:
  tls:
    client:
      certfile: certificate.pem
      keyfile: key.pem
    certfiles: root-tls-cert.pem
```

HansDeLeenheer (Wed, 10 May 2017 16:01:49 GMT):
Has joined the channel.

smithbk (Wed, 10 May 2017 16:10:27 GMT):
@dhwang Can you provide the exact steps? Or better yet, edit https://jira.hyperledger.org/browse/FAB-3759 which I opened yesterday for the issue you reported

praveennagpal (Thu, 11 May 2017 08:26:00 GMT):
Has joined the channel.

bluefire (Thu, 11 May 2017 10:53:33 GMT):
Has joined the channel.

qizhang (Thu, 11 May 2017 12:48:42 GMT):
I have a Blockchain setup running the marbles example, where two clients (client1 and client2) are accessing the same channel. I am wondering how I can use the config update transaction to change the access control of the channel, so as to prevent client1 from accessing it.

dhwang (Thu, 11 May 2017 13:38:57 GMT):
@smithbk I added some detail for FAB-3759. Can you please take a look? I don't think it's a problem with just the error message.

dhuseby (Thu, 11 May 2017 14:17:53 GMT):
Has joined the channel.

ada-wang (Fri, 12 May 2017 01:41:05 GMT):
Hello, everyone. During the make process, I get this error.

ada-wang (Fri, 12 May 2017 01:41:09 GMT):
```
+ rm -f /etc/dpkg/dpkg.cfg.d/02apt-speedup
+ rm -rf /container/file
rm: cannot remove '/container/file': Directory not empty
The command '/bin/sh -c /container/build.sh' returned a non-zero code: 1
make: *** [build/image/openldap/.dummy-x86_64-1.0.0-snapshot-73a4215] Error 1
```

ada-wang (Fri, 12 May 2017 01:41:46 GMT):
fabric-ca image OK, and running OK.

ada-wang (Fri, 12 May 2017 01:42:06 GMT):
But, I cannot make openldap successfully.

harsha (Fri, 12 May 2017 10:18:33 GMT):
@ada-wang Can you try cleaning up via `make clean` and issue `git pull` and `make openldap`

puneetsharma86 (Sat, 13 May 2017 18:34:29 GMT):
Has joined the channel.

puneetsharma86 (Sat, 13 May 2017 18:40:07 GMT):
Unable to log in to docker container dockercompose_vp0_1 using command `peer network login test_user0 -p MS9qrN8hFjlE`. However, I am getting the below error: `error on client login: rpc error: code = 2 desc = Identity or token does not match.` Can anyone help me resolve this?

puneetsharma86 (Sat, 13 May 2017 18:42:09 GMT):

Message Attachments

puneetsharma86 (Sun, 14 May 2017 15:09:10 GMT):
Can anyone help?

berserkr (Mon, 15 May 2017 00:41:48 GMT):
did you register with the registrar?

ada-wang (Mon, 15 May 2017 02:36:48 GMT):
@harsha THX, I'll try it.

smithbk (Mon, 15 May 2017 13:46:48 GMT):
@puneetsharma86 This looks like an error from v0.6. Can you provide more details of your use case?

svasilyev (Mon, 15 May 2017 15:56:35 GMT):
Has joined the channel.

lucas7788 (Tue, 16 May 2017 01:24:38 GMT):
Has joined the channel.

lucas7788 (Tue, 16 May 2017 01:25:05 GMT):
Has left the channel.

lignyxg (Tue, 16 May 2017 02:48:06 GMT):
Is there any design doc for fabric-ca?

puneetsharma86 (Tue, 16 May 2017 05:26:09 GMT):
Thanks Smithbk for responding. Yes, I am trying to run the Marbles app locally.

puneetsharma86 (Tue, 16 May 2017 05:28:16 GMT):
For that I followed the below given steps till now:

Creating a Local Hyperledger Network

There is a convenient docker-compose image that will get you a network very quickly. Follow the docker compose Setup Instructions. Make sure your network is alive and reachable by testing the HTTP chain endpoint. To do this open your browser and browse to the peer. If you are running Windows with docker-toolbox then click http://192.168.99.100:7050/chain. If you are running Linux/OS X/Windows 10 with native docker then click http://localhost:7050/chain. If you changed the default port for peer 0 then you will need to edit the URL above to use that port instead of 7050. You should see a response like:

```
{
  "height": 1,
  "currentBlockHash": "lJ5dfqGBmhpkn1yHgbpbLnK9GEzrzsAnCm0AJZCIr0GaYznWDCt7j9yC09fGUe2MNXS+HEooKBbajHb+T40kIg==",
  "previousBlockHash": "UYTfnosVy6PqW59Gs4roQTLZ5av/t8sMrkWDKetAwFzoueZ3SkIcW6qPVLQPHuxCJO17AxLYsjzmYNN1fNtwFg=="
}
```

It will not be identical, but as long as you see some JSON response things are good and you can continue. If you get a timeout or some other error message then your network is not yet running or you are not entering the correct URL.

Finished

The network is all set up. Next we need to copy the peer data and pass it to our demo node.js application. This is done by editing the mycreds_docker_compose.json file which lives in the root of the marbles app. We have added two mycreds files. One as a docker-compose example and one as a bluemix network example. Line 154 uses mycreds_docker_compose.json and should NOT be commented out. Line 155 with mycreds_bluemix.json should be commented out. Double check that app.js is using the correct file. All we must do is edit the file with information about your network. If you want more details of setup options then take a look at the SDK's documentation. Below is a sample showing the information that must be in the JSON file. You may see other example JSON files that include much more information. Those extra fields are either legacy or simply extra. You only need to set the fields that are in the sample below:

sample mycreds.json

```
{
  "credentials": {
    "peers": [
      {
        "api_host": "192.168.99.100", //replace with your hostname or ip of a peer
        "api_port_tls": 443, //replace with your https port (omit if NOT using tls)
        "api_port": 7050, //replace with your http port (omit if using tls)
        "id": "12345-_vp0" //unique name to identify peer (anything you want)
      }
    ],
    "users": [
      {
        "enrollId": "bob", //enroll username
        "enrollSecret": "NOE63pEQbL25 " //enroll's secret
      }
    ]
  }
}
```

Remove any comments in your json file. Do you see the "credentials" field in your json file? It should be the outermost field like in the sample above. If it's not there you need to add it such that peers and users are inside credentials. Marbles only talks to 1 peer. Therefore, you should have 1 entry in the peers array and 1 entry in the users array. You can omit the users array entirely if the network does not use Membership Services. The default docker-compose example does use Membership Services. You will need to look up the default enroll ID/users for your Hyperledger Fabric version to populate the users array. Fabric version 0.6.1 enroll Ids can be found in the membersrvc.yaml file (pick IDs that have a 1 next to the ID, not a 4).

Example membersrvc.yaml line: `alice: 1 CMS10pEQlB16 bank_a`

Maps to: `{ "enrollId": "alice", "enrollSecret": "CMS10pEQlB16" }`

You can omit the field api_port_tls if the network does not support TLS. The default docker-compose example does not support TLS. Once you have edited mycreds_docker_compose.json you are ready to run Marbles.

puneetsharma86 (Tue, 16 May 2017 05:33:30 GMT):
From the above instructions, "Follow the docker compose Setup Instructions" (docker website: https://hub.docker.com/r/ibmblockchain/fabric-peer/): I started the docker image from the docker terminal and then deployed, invoked and queried the example given on the docker website. I am able to *resolve the login error* which I faced earlier.

albert.lacambra (Tue, 16 May 2017 06:08:24 GMT):
hi, I am having the following error: `"code":0,"message":"Failed getting affiliation 'myorg1': sql: no rows in result set"}`

albert.lacambra (Tue, 16 May 2017 06:08:46 GMT):
does someone know how I can add orgs into the fabric-CA?

albert.lacambra (Tue, 16 May 2017 06:08:48 GMT):
thx

albert.lacambra (Tue, 16 May 2017 06:09:35 GMT):
the error happens when enrolling a user

puneetsharma86 (Tue, 16 May 2017 07:00:07 GMT):
I am following the link https://hyperledger-fabric.readthedocs.io/en/v0.6/Setup/Chaincode-setup.html to deploy the chaincode. Successfully deployed and invoked the chaincode as shown in the screenshot below.

puneetsharma86 (Tue, 16 May 2017 07:00:50 GMT):

Message Attachments

puneetsharma86 (Tue, 16 May 2017 07:01:55 GMT):
while issuing a query in docker, it gives the following error.

puneetsharma86 (Tue, 16 May 2017 07:07:12 GMT):

Message Attachments

puneetsharma86 (Tue, 16 May 2017 07:07:51 GMT):
Can anyone help me resolve this error? I am using Docker on Windows 7.

oooo (Tue, 16 May 2017 08:51:40 GMT):
Has joined the channel.

kelvinzhong (Tue, 16 May 2017 09:05:53 GMT):
@puneetsharma86 not sure which version ur using, for now there is no deploy chaincode but install chaincode and instantiate chaincode

kelvinzhong (Tue, 16 May 2017 09:06:12 GMT):
u would better ask in fabric channel

smithbk (Tue, 16 May 2017 11:05:28 GMT):
@puneetsharma86 Many people are beginning to use the v1.0.0-alpha version. The v1.0.0-alpha2 version will be cut any day. If you really need to get v0.6 working, which is quite different, then for the chaincode error above I think @muralisr would be best to answer

puneetsharma86 (Tue, 16 May 2017 11:17:46 GMT):
bric

muralisr (Tue, 16 May 2017 11:35:28 GMT):
@puneetsharma86 been a while since I looked into 0.6. ... one thing, some of the logs say "-n myccc" while the above error screen shot has "-n mycc" ... not sure if that's significant

SoumyaP (Tue, 16 May 2017 15:18:42 GMT):
Has joined the channel.

puneetsharma86 (Tue, 16 May 2017 16:01:58 GMT):
@muralisr : I deployed the code using the myccc chaincode id. If that makes the difference then I will try deploying the code using the mycc chaincode id.

puneetsharma86 (Tue, 16 May 2017 16:35:54 GMT):
However, earlier I tried with mycc as well, and it was giving me the same error.

ymchee (Tue, 16 May 2017 16:50:49 GMT):
Has joined the channel.

troyronda (Tue, 16 May 2017 21:05:21 GMT):
@smithbk: https://jira.hyperledger.org/browse/FAB-3958 (bccsp vendoring is outdated)

berserkr (Tue, 16 May 2017 22:27:48 GMT):
Hi All, I am trying to synch up with upstream

berserkr (Tue, 16 May 2017 22:28:08 GMT):
however, after merging all changes with our branch, we are having an issue with the CA

berserkr (Tue, 16 May 2017 22:28:15 GMT):
we are getting the following error: intermediate certs folder not found at [/var/hyperledger/fabric/crypto-config/intermediatecerts

berserkr (Tue, 16 May 2017 22:28:19 GMT):
any one seen that before?

berserkr (Tue, 16 May 2017 22:28:25 GMT):
or know how to resolve it?

ZionTam (Wed, 17 May 2017 00:57:26 GMT):
about the ldap issue: I start the openldap docker and successfully connect; the ca config is
```
ldap:
  enabled: true
  url: ldap://cn=admin,dc=example,dc=org:admin@localhost:10389/dc=example,dc=org
  userfilter: (uid=%s)
  tls:
    certfiles:
      - ldap-server-cert.pem
    client:
      certfile: ldap-client-cert.pem
      keyfile: ldap-client-key.pem
```
but when I run the ca client I get an error, I can't enroll:
```
$ fabric-ca-client enroll -u http://admin:admin@localhost:7054
2017/05/17 08:36:08 [INFO] User provided config file: /Users/tam/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2017/05/17 08:36:08 [INFO] Configuration file location: /Users/tam/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2017/05/17 08:36:08 [INFO] generating key: &{A:ecdsa S:256}
2017/05/17 08:36:08 [INFO] encoded CSR
```
any suggestion?

passkit (Wed, 17 May 2017 05:18:06 GMT):
I see that fabric-ca-server-config.yaml is included in .gitignore. Is there an example config file that shows how to configure for multiple root CAs?

passkit (Wed, 17 May 2017 05:36:32 GMT):
Found in docs/source/users-guide.rst

chenxuan (Wed, 17 May 2017 06:24:34 GMT):
Has joined the channel.

chenxuan (Wed, 17 May 2017 06:28:58 GMT):
where is the sdk for fabric-ca?

antitoine (Wed, 17 May 2017 07:18:49 GMT):
Has joined the channel.

gitSrinidhi (Wed, 17 May 2017 08:03:40 GMT):
Has joined the channel.

mastersingh24 (Wed, 17 May 2017 10:47:05 GMT):
[Each of the SDKs (Node, Java, Go, Python) includes a library/package for interacting with fabric-ca. For example, with the NodeSDK, you can use the fabric-ca-client - https://www.npmjs.com/package/fabric-ca-client ](https://chat.hyperledger.org/channel/fabric-ca?msg=iQcikzGRS8mT3gbuG) @chenxuan

eric.wall (Wed, 17 May 2017 11:08:23 GMT):
Has joined the channel.

eric.wall (Wed, 17 May 2017 11:08:52 GMT):
What are your views on the single-point-of-failure aspect of the Fabric-CA component? Is this risk distilled somehow by the possibility to run several CA servers in a cluster?

eric.wall (Wed, 17 May 2017 11:10:13 GMT):
Second question: Is the Fabric-CA Root server something managed by the Linux Foundation? Or does every instance of Fabric have to generate their own self-signed root-server? And if so, is this root-server online during normal operations and can control the CA cluster?

eric.wall (Wed, 17 May 2017 11:11:18 GMT):
I mean, what could actually happen if a Fabric CA-server (or the root server for that matter) is hacked?

smithbk (Wed, 17 May 2017 11:43:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hDy9sfEYjdXc3cY77) @berserkr I haven't seen this error. Can you give more detail of when you see it? Is there a jira for this with more detail perhaps?

smithbk (Wed, 17 May 2017 11:50:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=m6unYrFFcyTxrCwrS) @eric.wall Yes, running in a cluster to avoid SPoF, but you still need an HA DB such as MariaDB (an HA plugin for MySQL).

smithbk (Wed, 17 May 2017 11:53:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8YF4J7RYPATMvfKdi) @eric.wall No, it is not managed by Linux Foundation. Every root fabric CA server can either have a self-signed cert or use an intermediate CA cert issued by an external CA. The root-server should not be online during normal operations. It should only be running when enrolling or reenrolling the intermediate CA servers

smithbk (Wed, 17 May 2017 11:55:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mn7rDZq28zjdZBH2m) @eric.wall If the root server is hacked, then assuming its cert is listed as a trusted root cacert in MSPs, then it should be removed/replaced with a new cert. Each MSP in fabric also has a CRL which should be used to revoke a compromised non-root cert

eric.wall (Wed, 17 May 2017 13:51:10 GMT):
Thank you for your answers @smithbk

eric.wall (Wed, 17 May 2017 13:52:18 GMT):
When you say running a cluster could avoid SPoF, you mean that in the sense that a cluster is tolerant of faults. But what I'm interested in are Byzantine faults, when a CA in the cluster gets hacked.

eric.wall (Wed, 17 May 2017 13:53:07 GMT):
Couldn't a CA get hacked and cause huge damage to the network?

smithbk (Wed, 17 May 2017 13:54:22 GMT):
The protection in this case would be multiple CAs with totally different roots of trust + endorsement policies which require multiple signatures from identities issued by different CAs

smithbk (Wed, 17 May 2017 13:55:10 GMT):
but that is handled by the fabric blockchain itself with the v1 architecture ... it is not the result of something specifically in fabric-ca

eric.wall (Wed, 17 May 2017 14:47:02 GMT):
That is true

eric.wall (Wed, 17 May 2017 14:47:07 GMT):
Thank you @smithbk

smithbk (Wed, 17 May 2017 14:47:41 GMT):
sure, np

albert.lacambra (Wed, 17 May 2017 20:41:19 GMT):
hi,

albert.lacambra (Wed, 17 May 2017 20:41:25 GMT):
I am having trouble querying peers

albert.lacambra (Wed, 17 May 2017 20:41:30 GMT):
The creator certificate is not valid, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority

albert.lacambra (Wed, 17 May 2017 20:42:11 GMT):
why is the ca not valid for the peer?

albert.lacambra (Wed, 17 May 2017 20:57:11 GMT):
fabric-ca-server start --ca.certfile crypto-config/peerOrganizations/org1.example.com/ca/org1.example.com-cert.pem

albert.lacambra (Wed, 17 May 2017 20:57:30 GMT):
CORE_PEER_MSPCONFIGPATH=crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com

WebKruncher (Thu, 18 May 2017 02:28:34 GMT):
I'm getting an error when trying to instantiate chaincode on a peer... I get Failed to generate platform-specific docker build: Error creating container: no such image. I'm using the Alpha 1.0.0 release commit. Has anyone else run into this?

berserkr (Thu, 18 May 2017 05:07:25 GMT):
@albert.lacambra I saw that as well, best thing to do is rebuild from source, clean state that is. I was able to get e2e working that way with alpha2

hzfeng (Thu, 18 May 2017 06:59:17 GMT):
Has joined the channel.

albert.lacambra (Thu, 18 May 2017 07:15:11 GMT):
thank you @berserkr . My understanding is that the certs are not being recognized

albert.lacambra (Thu, 18 May 2017 07:15:28 GMT):
maybe someone can verify how the certificates work

albert.lacambra (Thu, 18 May 2017 07:16:41 GMT):
an organization has a ca folder, an msp (membership service provider), a peers folder and a user folder

albert.lacambra (Thu, 18 May 2017 07:17:53 GMT):
the ca is the certificate of the ca itself, and the pem cert and the private key are those that need to be passed to the fabric-ca-server (options --ca.certfile, --ca.keyfile)

albert.lacambra (Thu, 18 May 2017 07:18:51 GMT):
for each organization peer we find a subfolder under peers

albert.lacambra (Thu, 18 May 2017 07:19:18 GMT):
e.g. peer0.org2.example.com

albert.lacambra (Thu, 18 May 2017 07:20:13 GMT):
a peer must pass this folder (or its content) using the env CORE_PEER_MSPCONFIGPATH=...

albert.lacambra (Thu, 18 May 2017 07:21:17 GMT):
the orderer will also receive its msp certs using the local ORDERER_GENERAL_LOCALMSPDIR env

albert.lacambra (Thu, 18 May 2017 07:21:42 GMT):
is it correct up to here?

albert.lacambra (Thu, 18 May 2017 07:22:27 GMT):
what I do not see is how orderer and peers authenticate themselves since they do not share CA nor root certs (tls off)

albert.lacambra (Thu, 18 May 2017 07:23:16 GMT):
is the orderer able to recognise peer certificates because of the channel.tx contents (which contain all the implied certificates)?

albert.lacambra (Thu, 18 May 2017 07:23:42 GMT):
please, correct me if some of the statements are not correct

albert.lacambra (Thu, 18 May 2017 07:59:16 GMT):
another doubt that I have: when running the e2e example with twoOrgs, I do not see any certificate chain, so how are the (anchor) peers able to communicate and trust each other, when they are not sharing a CA?

prashiyn (Thu, 18 May 2017 10:56:58 GMT):
While enrolling a user using fabric-ca-client and the -M option for mspDir, the software bccsp keystore defaults to msp/keystore, totally ignoring the mspDir provided with the -M option. Is this the default behaviour?

SanketPanchamia (Thu, 18 May 2017 11:44:18 GMT):
Has joined the channel.

eric.wall (Thu, 18 May 2017 11:56:12 GMT):
I'm confused with the possible roles one can enroll/register with the CA: "client,user,peer,validator,auditor,ca"

eric.wall (Thu, 18 May 2017 11:57:10 GMT):
My idea would be "client (SDK), committer, orderer, endorser, ca"

eric.wall (Thu, 18 May 2017 11:57:24 GMT):
Are the committer, orderer and endorser embedded within the peer?

eric.wall (Thu, 18 May 2017 11:57:56 GMT):
What are "user", "validator" and "auditor"? These seem like remnants from 0.6?

smithbk (Thu, 18 May 2017 13:19:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=isQmE5Dr2q7AcKaCz) @prashiyn hmm, seems to work for me with both absolute and relative path:
```
Keiths-MBP:bin keith$ fabric-ca-client enroll -u http://a:b@localhost:7054 -M /tmp/msp
2017/05/18 09:17:28 [INFO] User provided config file: /Users/keith/.fabric-ca-client/fabric-ca-client-config.yaml
2017/05/18 09:17:28 [INFO] Created a default configuration file at /Users/keith/.fabric-ca-client/fabric-ca-client-config.yaml
2017/05/18 09:17:28 [INFO] generating key: &{A:ecdsa S:256}
2017/05/18 09:17:28 [INFO] encoded CSR
2017/05/18 09:17:28 [INFO] Stored client certificate at /tmp/msp/signcerts/cert.pem
2017/05/18 09:17:28 [INFO] Stored CA certificate chain at /tmp/msp/cacerts/localhost-7054.pem
Keiths-MBP:bin keith$ fabric-ca-client enroll -u http://a:b@localhost:7054 -M foomsp
2017/05/18 09:18:01 [INFO] User provided config file: /Users/keith/.fabric-ca-client/fabric-ca-client-config.yaml
2017/05/18 09:18:01 [INFO] Configuration file location: /Users/keith/.fabric-ca-client/fabric-ca-client-config.yaml
2017/05/18 09:18:01 [INFO] generating key: &{A:ecdsa S:256}
2017/05/18 09:18:01 [INFO] encoded CSR
2017/05/18 09:18:01 [INFO] Stored client certificate at /Users/keith/.fabric-ca-client/foomsp/signcerts/cert.pem
2017/05/18 09:18:01 [INFO] Stored CA certificate chain at /Users/keith/.fabric-ca-client/foomsp/cacerts/localhost-7054.pem
```

smithbk (Thu, 18 May 2017 13:23:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3KEB5hcxJmgsq2hmu) @eric.wall The role names are just strings to fabric-ca and can be configured with any set of strings; but you are absolutely right that the default names should match the v1 role names. Could you open a jira for this? BTW, currently the role names are only used in fabric-ca during register and aren't put into the cert, so can't be checked in the fabric, though this may not always be true

eric.wall (Thu, 18 May 2017 13:32:57 GMT):
Alright, I'll spin up a jira. But how are they mapped exactly?

eric.wall (Thu, 18 May 2017 13:33:57 GMT):
How do the committer, orderer and endorser map on to those strings?

prashiyn (Thu, 18 May 2017 13:41:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wWNE7A8E6PEQjwWbR) @smithbk Sure, the signcerts and cacerts are stored in the mspDir provided. There is also a private key generated, and that always gets recorded in msp/keystore and ignores the mspDir config. Further, this file in the keystore has a long name like 18fe79f13160f8b346de60f45fb69c7f21d17d79778b99cb61ca2568a526e649_sk. However, in client.go (in fabric-ca/lib) the keyfile name is hardcoded to 'key.pem'

prashiyn (Thu, 18 May 2017 13:43:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mygWvoRuqGaKRQFjv) @prashiyn Of course, unless the fabric-ca-client-config.yaml states a directory explicitly in bccps.filestore.keystorage

smithbk (Thu, 18 May 2017 13:54:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mygWvoRuqGaKRQFjv) @prashiyn OK, I'll investigate the msp/keystore part. Can you open a jira item? Regarding the keystore filenames, the long file name is actually derived from the hash of the public key, and the code knows how to find this file 1st even though the config file has a hard-coded name. The hard-coded name is used/needed only when importing a key and cert into the server that you want it to use, and even in that case, it will import to the long hash name and use that in future operations.

eric.wall (Thu, 18 May 2017 13:59:33 GMT):
By the way I don't think I can create a Jira, I don't have a login

smithbk (Thu, 18 May 2017 14:13:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=27959yJtXnqwieqzN) @eric.wall You can create one at https://identity.linuxfoundation.org/

ydk210999 (Thu, 18 May 2017 14:36:24 GMT):
Has joined the channel.

ydk210999 (Thu, 18 May 2017 14:37:06 GMT):
Has left the channel.

smithbk (Thu, 18 May 2017 16:22:58 GMT):
@eric.wall Hi Eric, were you able to open a jira item?

smithbk (Thu, 18 May 2017 16:32:01 GMT):
I'll go ahead and open

smithbk (Thu, 18 May 2017 16:40:33 GMT):
See https://jira.hyperledger.org/browse/FAB-4015

prashiyn (Thu, 18 May 2017 17:04:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WcjNwBqgX9subrQKB) @smithbk Thanks for your quick response. I will open an item in jira.

prashiyn (Thu, 18 May 2017 17:07:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jv27eGDirEiMCZ5vA) @prashiyn I was referring to this piece of code in client.go
```
func (c *Client) LoadIdentity(keyFile, certFile string) (*Identity, error) {
	cert, err := util.ReadFile(certFile)
	if err != nil {
		log.Debugf("No cert found at %s", certFile)
		return nil, err
	}
	key, _, _, err := util.GetSignerFromCertFile(certFile, c.csp)
	if err != nil {
		// Fallback: attempt to read out of keyFile and import
		log.Debugf("No key found in BCCSP keystore, attempting fallback")
		key, err = util.ImportBCCSPKeyFromPEM(keyFile, c.csp, true)
		if err != nil {
			return nil, fmt.Errorf("Could not find the private key in BCCSP keystore nor in keyfile %s: %s", keyFile, err)
		}
	}
	return c.NewIdentity(key, cert)
}
```

prashiyn (Thu, 18 May 2017 17:09:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zKxD6prvLqfNj46Z9) @prashiyn Here the keyFile is defined as `c.keyFile = path.Join(keyDir, "key.pem")`, specifically looking for a key.pem. And actually the fabric-ca-client prints an error saying could not find private key in BCCSP keystore etc...

SanketPanchamia (Fri, 19 May 2017 06:54:06 GMT):

Message Attachments

SanketPanchamia (Fri, 19 May 2017 06:54:10 GMT):
Hi, I am getting started with setting up fabric-ca and following the steps from the guide here https://media.readthedocs.org/pdf/hyperledger-fabric/latest/hyperledger-fabric.pdf I am trying to run the fabric-ca from the docker image but it keeps giving me this error. Can someone please guide me as to what I am doing wrong, or what I am missing?

enidz (Fri, 19 May 2017 06:56:30 GMT):
```
cd /opt/gopath/src/github.com/hyperledger/fabric-ca
make fabric-ca-server fabric-ca-client
ls bin
```

enidz (Fri, 19 May 2017 06:56:46 GMT):
?

SanketPanchamia (Fri, 19 May 2017 07:45:20 GMT):

Message Attachments

SanketPanchamia (Fri, 19 May 2017 07:45:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BeAoSo2gjxoWK4Ay9) @enidz Still the same issue

Vadim (Fri, 19 May 2017 07:46:00 GMT):
@SanketPanchamia `./fabric-ca-server init`

SanketPanchamia (Fri, 19 May 2017 07:47:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zcB45j263D3SfE6pc) @Vadim awesome. Thanks

FengChen_1982 (Fri, 19 May 2017 08:10:21 GMT):
Has joined the channel.

FengChen_1982 (Fri, 19 May 2017 08:11:35 GMT):
@here After I created a channel following the instructions in the e2e_cli sample, do I have to build a CA server before I can use my Node.js application to access the peer?

kelvinzhong (Fri, 19 May 2017 08:13:05 GMT):
it depends

kelvinzhong (Fri, 19 May 2017 08:13:55 GMT):
but since tcert and revoke seem not to be functional yet, you don't need a ca server to access the peer

kelvinzhong (Fri, 19 May 2017 08:15:13 GMT):
one of the advantages of a PKI CA is offline validation

SanketPanchamia (Fri, 19 May 2017 09:22:20 GMT):

Message Attachments

SanketPanchamia (Fri, 19 May 2017 09:22:23 GMT):
I am now able to get the CA server up and running and I see a server config file. But I do not see a client config file created. Do I need to explicitly create one?

prashiyn (Fri, 19 May 2017 12:47:13 GMT):
@SanketPanchamia just run `fabric-ca-client enroll -u http://admin:@host:port` and the client config will be created by the ca-client if one is not already there

SanketPanchamia (Fri, 19 May 2017 13:27:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NrA9oSk9MBRJ7coYN) @prashiyn Yes @prashiyn I did figure that out. Now my question is: if I register and enroll a new user, shouldn't there be a new config file and a new set of certificates and keys generated? I am able to register and enroll a new user but don't see a new config file, nor does the existing one get updated.

smithbk (Fri, 19 May 2017 13:42:00 GMT):
@SanketPanchamia Registration creates a user entry in fabric-ca-server's DB with an associated password. Enrollment is what creates an enrollment certificate. You can set the FABRIC_CA_CLIENT_HOME environment variable (or the "-c " option) to change the home directory; otherwise, the $HOME/.fabric-ca-client directory is used for the client. The "fabric-ca-client enroll" command will overwrite a previous ecert found with that home directory, so if you are simulating different users/identities, just be sure to use a different home directory for each.

praveennagpal (Fri, 19 May 2017 14:26:39 GMT):
I am getting the following error on making the docker image of fabric-ca on the latest code base

praveennagpal (Fri, 19 May 2017 14:26:40 GMT):
```
Praveens-MacBook-Pro:fabric-ca praveennagpal$ make docker
Building docker fabric-ca image
docker build -t hyperledger/fabric-ca build/image/fabric-ca
Sending build context to Docker daemon 40.5 MB
Step 1/10 : FROM hyperledger/fabric-baseos:x86_64-0.3.0
 ---> c3a4cf3b3350
Step 2/10 : ENV FABRIC_CA_HOME /etc/hyperledger/fabric-ca-server
 ---> Using cache
 ---> db5c15f2bb13
Step 3/10 : RUN mkdir -p $FABRIC_CA_HOME /var/hyperledger/fabric-ca-server
 ---> Using cache
 ---> 0a604c14f145
Step 4/10 : COPY payload/fabric-ca-client /usr/local/bin
 ---> Using cache
 ---> 085895404007
Step 5/10 : RUN chmod +x /usr/local/bin/fabric-ca-client
 ---> Using cache
 ---> 3e00d3f652d8
Step 6/10 : COPY payload/fabric-ca-server /usr/local/bin
 ---> Using cache
 ---> 0cd9a9df93e2
Step 7/10 : RUN chmod +x /usr/local/bin/fabric-ca-server
 ---> Using cache
 ---> f252e561d4e4
Step 8/10 : ADD payload/fabric-ca.tar.bz2 $FABRIC_CA_HOME
Error processing tar file(bzip2 data invalid: bad magic value in continuation file):
make: *** [build/image/fabric-ca/.dummy-x86_64-1.0.0-alpha3-snapshot-8206d83] Error 1
```

ehabing (Fri, 19 May 2017 14:50:09 GMT):
Has joined the channel.

smithbk (Fri, 19 May 2017 16:43:32 GMT):
@praveennagpal hmm ... what OS are you on, and what version of docker?

smithbk (Fri, 19 May 2017 16:44:52 GMT):
I just ran again locally on OSX with no issues

smithbk (Fri, 19 May 2017 16:45:09 GMT):
Can you try "make docker-clean" 1st?

aambati (Fri, 19 May 2017 18:25:49 GMT):
these are my settings:
```
// Place your settings in this file to overwrite the default settings
{
    // Controls the rendering size of tabs in characters. Accepted values: "auto", 2, 4, 6, etc. If set to "auto", the value will be guessed when a file is opened.
    "editor.tabSize": 3,
    "editor.renderWhitespace": true,
    // Controls if the editor will insert spaces for tabs. Accepted values: "auto", true, false. If set to "auto", the value will be guessed when a file is opened.
    "editor.insertSpaces": true,
    // When opening a file, `editor.tabSize` and `editor.insertSpaces` will be detected based on the file contents.
    "editor.detectIndentation": true,
    "window.zoomLevel": -1,
    "workbench.sideBar.location": "left",
    "go.testTimeout": "60s",
    "go.testFlags": [
        "-ldflags",
        "-X github.com/hyperledger/fabric/common/metadata.Version=1.0.0-snapshot-57592ec8 -X github.com/hyperledger/fabric/common/metadata.BaseVersion=0.3.0 -X github.com/hyperledger/fabric/common/metadata.BaseDockerLabel=org.hyperledger.fabric -X github.com/hyperledger/fabric/common/metadata.DockerNamespace=hyperledger -X github.com/hyperledger/fabric/common/metadata.BaseDockerNamespace=hyperledger"
    ],
    "editor.formatOnSave": true
}
```

dbshah (Fri, 19 May 2017 19:52:37 GMT):
Hey, for the alpha2 code I am seeing this error using ca-client: the enroll call goes through but the getcacert call gives an openssl error, any ideas?
```
root@orderer-0a:/client# fabric-ca-client enroll -u https://adminOrderer:adminOrdererpw@fabric-ca-0a.net_blockchain.com:7054 --caname OrdererCA
2017/05/19 19:50:24 [INFO] User provided config file: /client/fabric-ca-client-config.yaml
2017/05/19 19:50:24 [INFO] Created a default configuration file at /client/fabric-ca-client-config.yaml
2017/05/19 19:50:24 [INFO] generating key: &{A:ecdsa S:256}
2017/05/19 19:50:24 [INFO] encoded CSR
2017/05/19 19:50:24 [INFO] TLS Enabled
2017/05/19 19:50:24 [INFO] Stored client certificate at /client/msp/signcerts/cert.pem
2017/05/19 19:50:24 [INFO] Stored CA certificate chain at /client/msp/cacerts/fabric-ca-0a-net_blockchain-com-7054-OrdererCA.pem
root@orderer-0a:/client# fabric-ca-client getcacert -u https://fabric-ca-0a.net_blockchain.com:7054 --caname PeerOrg1CA
Error: POST failure [Post https://fabric-ca-0a.net_blockchain.com:7054/cainfo: x509: certificate signed by unknown authority]; not sending
POST https://fabric-ca-0a.net_blockchain.com:7054/cainfo
Authorization:
{"caname":"PeerOrg1CA"}
```

praveennagpal (Sat, 20 May 2017 09:12:35 GMT):
@smithbk: I am on Mac OSX (10.11.3) El Capitan

praveennagpal (Sat, 20 May 2017 09:13:26 GMT):
anyway, I have got the image from the getting started instructions.. earlier the fabric-ca image was not part of it.. now I can see it when I use the e2e yaml files

smithbk (Sat, 20 May 2017 13:28:01 GMT):
@praveennagpal Did you try "make docker-clean" first before "make docker"? The bad magic value error usually means that an executable has been previously built in one container and now trying to use in a different container with different OS.

praveennagpal (Sat, 20 May 2017 13:33:48 GMT):
I did. But still got the error.

smithbk (Sat, 20 May 2017 13:36:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jWYCv8ySKP2u6rPqE) @dbshah There is a change set which fixes an issue with TLS. See https://gerrit.hyperledger.org/r/#/c/9235/. I'm not sure if that is the same problem you're having or not. I'm struggling a bit to see how the "unknown authority" error could occur on the client TLS connection prior to sending the request. Are you using client authentication on TLS? Pls add the "-d" option to get more debug info. Better yet, if you can open a jira item with instructions on how to reproduce, I can take a look.

smithbk (Sat, 20 May 2017 13:45:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yuSyx3prFXmJFqr2A) @praveennagpal Pls type "bzip2" and tell me what you see.

smithbk (Sat, 20 May 2017 13:55:37 GMT):
ah, see http://stackoverflow.com/questions/41465720/error-building-peer-bzip2-data-invalid-in-goshim-tar-bz2

smithbk (Sat, 20 May 2017 13:56:20 GMT):
Apparent issue between OSX's bsdtar and gnutar

praveennagpal (Sat, 20 May 2017 15:09:51 GMT):
```
Praveens-MacBook-Pro:fabric-ca praveennagpal$ bzip2
bzip2: I won't write compressed data to a terminal.
bzip2: For help, type: `bzip2 --help'.
```

praveennagpal (Sat, 20 May 2017 15:10:09 GMT):
I have installed gnutar

praveennagpal (Sat, 20 May 2017 15:10:22 GMT):
earlier, as mentioned in the SO link

Calvin_Heo (Mon, 22 May 2017 02:51:27 GMT):
Has joined the channel.

rmohta (Mon, 22 May 2017 03:30:31 GMT):
@here Any idea how we can get this done using #fabric-ca? Chat regarding this: https://chat.hyperledger.org/channel/fabric-sdk-node?msg=X8eCS9kwvTDHvYzvo

rmohta (Mon, 22 May 2017 03:31:49 GMT):
and is this (^^^^) even a valid usecase?

SanketPanchamia (Mon, 22 May 2017 04:09:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xdenof8YC7isWX7Kn) @smithbk Thanks Mate. Will try that

SanketPanchamia (Mon, 22 May 2017 06:28:55 GMT):

Message Attachments

SanketPanchamia (Mon, 22 May 2017 06:29:00 GMT):
Trying to enroll a client and it gives me this authorization failure message

SanketPanchamia (Mon, 22 May 2017 06:36:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wz4ZrckXxCvCDpLyh) @SanketPanchamia If I do not change my FABRIC_CA_CLIENT_HOME and leave it at the default, it works. I tried giving full permissions to the new folder I created for storing the certificates. Still the same issue

SanketPanchamia (Mon, 22 May 2017 07:04:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JhpqrmSM6oTe6rYEd) @smithbk I am also getting the same error on my client CA

smithbk (Mon, 22 May 2017 07:47:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=v5jQJsvkqaMt2mgtg) @SanketPanchamia I suggest you start the server with the "-d" option (for debug) and see what it logs for this failure

SanketPanchamia (Mon, 22 May 2017 08:58:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RLxXy4mNHKYtr8e4q) @smithbk Is there a log file that gets created, since I am using the same system as server and client?

SanketPanchamia (Mon, 22 May 2017 09:14:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=p8nSsZfyF5hatEcf7) @SanketPanchamia Never mind. I got it to work now. Some issue with my system permissions. Thanks @smithbk

praveennagpal (Mon, 22 May 2017 13:40:12 GMT):
@smithbk What exactly is the difference, from the client perspective, between using the cryptoconfig tool used for certificate generation and provided as part of the getting started instructions, and using the Fabric CA server directly?

smithbk (Mon, 22 May 2017 13:49:53 GMT):
Cryptogen is more convenient to set up an entire network, especially for test, but also exposes all keys to one person. Fabric CA does not expose private keys and also supports hierarchical certs, i.e. Intermediate CA

praveennagpal (Mon, 22 May 2017 13:56:28 GMT):
Thanks @smithbk I get this. So what is the role of local MSP? Is it expected from the app to store the signing certificate produced by the CA server into a file system for creating a MSP.

Asara (Mon, 22 May 2017 14:20:47 GMT):
Hey guys. Is it possible to update a CA user?

smithbk (Mon, 22 May 2017 14:22:44 GMT):
Not currently, except to revoke an id altogether, what would you like to update in particular?

smithbk (Mon, 22 May 2017 14:25:29 GMT):
The role of the local MSP is to sign as the identity of the peer or orderer, and to control CC installs to a peer

smithbk (Mon, 22 May 2017 14:28:08 GMT):
When you enroll a peer or orderer, the private key used to generate the cert request is stored in the local MSP of the peer or orderer

Vadim (Mon, 22 May 2017 14:29:35 GMT):
@smithbk I'm not sure this is correct, because if enroll happens with an sdk, then the private key is stored on the sdk host, peers and orderers don't have it

vivekraut (Mon, 22 May 2017 14:51:34 GMT):
Has joined the channel.

vivekraut (Mon, 22 May 2017 14:59:23 GMT):
is it possible to use fabric-ca-client to register and enroll a new user with the fabric-ca server running on Bluemix blockchain vNext Beta service plan?

smithbk (Mon, 22 May 2017 15:04:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BaWHP489BYKhfBb5Z) @Vadim Hi, can you clarify which part is not correct? Yes, when enrolling an identity from an SDK, the private key is stored by the SDK, but when enrolling a peer or orderer, the private key is stored in the local MSP of the peer or orderer.

smithbk (Mon, 22 May 2017 15:14:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2TpsZZGfcc2niTPK2) @praveennagpal WRT this question: "Is it expected from the app to store the signing certificate produced by the CA server into a file system for creating a MSP." If I understand your question correctly, no, the app does not need to store the CA's signing cert. This is because the app doesn't need to function as an MSP. The app simply needs to enroll to get ecert(s) and then use that to sign it. When that cert is sent to a peer with a valid signature, it will be found valid as long as the CA's signing cert is also one of the cacerts (or intermediatecerts) of the local MSP or of the channel, depending on which operation is being performed.

smithbk (Mon, 22 May 2017 15:16:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9t3KZqb6A87u3yCuf) @vivekraut I'm not sure, but will investigate and let you know

samwood (Mon, 22 May 2017 18:56:43 GMT):
in fabric 0.6 it seems the certs issued by membersrvc expire after 3 months by default, do folks know how to renew those certs?

SanketPanchamia (Tue, 23 May 2017 05:08:27 GMT):
Once I have a user revoked, can I use the same id to enroll a new user, or is that not allowed in HLF?

hzfeng (Tue, 23 May 2017 08:28:08 GMT):
register

houssemchebbi (Tue, 23 May 2017 09:31:50 GMT):
hello! I have this error when I try to enroll admin / adminpw from the node sdk! ... has anyone encountered this error before or have a solution plz!! "Failed to enroll user 'admin'. ReferenceError: ca_client is not defined"

bmalavan (Tue, 23 May 2017 13:21:08 GMT):
Has joined the channel.

smithbk (Tue, 23 May 2017 14:20:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GNXQ362JYkqP8q879) @SanketPanchamia If you revoke the entire identity (not just a specific certificate), then that ID may not be reused. It remains in fabric-ca-server's DB but is in revoked state. This is for security reasons.

smithbk (Tue, 23 May 2017 14:22:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jimFMRj5LJKtwKF85) @houssemchebbi @jimthematrix Jim, do you recognize this error from the node SDK?

smithbk (Tue, 23 May 2017 14:33:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4LcouuDaT8Mrw5SMx) @samwood v0.6 does not support certificate renewal. The only option I can think of for v0.6 is to dynamically register a new identity and then enroll with that identity. Is there any reason you can't move to v1?

jimthematrix (Tue, 23 May 2017 15:18:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RPxAoGpBZpe7aarob) @smithbk @houssemchebbi the error indicates application code not defining `ca_client` before using it, not something in the SDK itself

prashiyn (Tue, 23 May 2017 17:29:25 GMT):
@smithbk, while registering a user in fabric-ca using fabric-ca-client, the ca-client uses the registrar id (admin@adminpw) who has the requisite permissions to create a user. The ca-client always looks for the msp directory in the FABRIC_CA_CLIENT_HOME for this admin user. Is there a way to let fabric-ca-client look at a different directory for admin credentials when registering a new user?

smithbk (Tue, 23 May 2017 17:47:56 GMT):
@prashiyn Use "-M" option ... is that what you're looking for?

smithbk (Tue, 23 May 2017 17:48:37 GMT):
Also wondering what the use case is here

prashiyn (Tue, 23 May 2017 18:33:31 GMT):
@smithbk Sorry, my mistake. I was registering the user using a config file and docker-compose, and gave the path to the config file relative to the local directory instead of the mount directory. So ca-client was always recreating a default config file instead of picking up the config file given with the --config option. So I was thinking of weird ways to get the ca-client to pick up a different config file :( .

baohua (Wed, 24 May 2017 01:41:03 GMT):
Welcome for reviewing this simple change, thanks! https://gerrit.hyperledger.org/r/#/c/9121/

samwood (Wed, 24 May 2017 06:16:25 GMT):
@smithbk thank you. does v1.0 support cert renewal ?

vivekraut (Wed, 24 May 2017 06:36:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=72QNctgjRb9zhMGf2) @smithbk did you get a chance to try this out?

tiue (Wed, 24 May 2017 10:14:20 GMT):
Has joined the channel.

smithbk (Wed, 24 May 2017 11:29:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7RjkPyZoxNbjwCGhp) @baohua Hi Baohua, thanks for the change set. I definitely agree that PKCS8 is better than the old PKCS1, but am just wondering, are you using something that can only consume PKCS8? Was something not working with PKCS1?

smithbk (Wed, 24 May 2017 11:30:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LBytgNknjGBqzb3sF) @samwood Yes, v1.0 supports cert renewal by issuing "fabric-ca-client reenroll"

smithbk (Wed, 24 May 2017 11:40:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=i5TsejKeBTNYLJNw8) @vivekraut I haven't gotten a response yet from Paul Tippett. Let me try someone else. The question is two-fold: 1) Is the fabric-ca-server reachable from a network perspective, and if yes, 2) Do you have access to credentials for an identity which would allow you to register and enroll a new user. This is what I'm trying to find out for beta service plan.

ShafqatMasood (Wed, 24 May 2017 11:50:02 GMT):
Has joined the channel.

ShafqatMasood (Wed, 24 May 2017 12:19:35 GMT):
Hi, when I am running `./network_setup.sh up innovationlab 10000 couchdb` with COMPOSE_FILE=docker-compose-e2e.yaml uncommented I am getting this error: Pulling ca1 (hyperledger/fabric-ca:latest)... ERROR: manifest for hyperledger/fabric-ca:latest not found ERROR !!!! Unable to pull the images

ShafqatMasood (Wed, 24 May 2017 12:19:35 GMT):
Hi, when I am running `./network_setup.sh up mychannel 10000 couchdb` with COMPOSE_FILE=docker-compose-e2e.yaml uncommented I am getting this error: Pulling ca1 (hyperledger/fabric-ca:latest)... ERROR: manifest for hyperledger/fabric-ca:latest not found ERROR !!!! Unable to pull the images

ashutosh_kumar (Wed, 24 May 2017 12:44:56 GMT):
@vivekraut, the fabric ca endpoint is available on the internet on HSBN, so you can perform all possible fabric ca calls.

vivekraut (Wed, 24 May 2017 12:46:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=govahi7NHuiHfrwPM) @ashutosh_kumar I am trying to get the CA certificate using the below command. It works fine when the fabric-ca server is running locally, but the same command fails if pointing to the CA service running on Bluemix (vNext beta)
```
ubuntu@hyperledger-devenv:2470d35:/opt/gopath/src/github.com/hyperledger/fabric-ca/bin$ fabric-ca-client getcacert -u http://localhost:7054
2017/05/19 11:14:11 [INFO] Stored CA certificate chain at /home/ubuntu/fabric-ca/clients/admin/msp/cacerts/localhost-7054.pem
ubuntu@hyperledger-devenv:2470d35:/opt/gopath/src/github.com/hyperledger/fabric-ca/bin$ fabric-ca-client getcacert -u https://:
Error: Failed to parse response: invalid character 'p' after top-level value
404 page not found
```

mizaoyu (Wed, 24 May 2017 12:56:24 GMT):
Has joined the channel.

baohua (Wed, 24 May 2017 12:56:26 GMT):
@smithbk hi smith, yeap, the reason to make this change is that now we have lots of PKCS8 certs in the projects, with only one PKCS1 cert. Sometimes it would confuse people to verify those certs together due to the different format. And IMHO, PKCS8 is the more popular and modern format. What do you think? :)

mizaoyu (Wed, 24 May 2017 13:10:37 GMT):
Hi everyone, I am following https://github.com/hyperledger/fabric-sdk-node. After I run "docker-compose up --force-recreate" in the fabric-sdk-node/test/fixtures folder, it gets stuck at the step "setModuleLevel -> DEBU 197 Module 'grpc' logger enabled for log level 'ERROR'" and doesn't output anything else afterwards, as in the following snapshot. I am not sure whether it is the desired result or a mistake.

mizaoyu (Wed, 24 May 2017 13:11:39 GMT):

Message Attachments

smithbk (Wed, 24 May 2017 13:13:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QNjnhY5ddLpC9TnpB) @baohua Yes, I agree. I was just wondering if there was something specific breaking because of PKCS1. Thanks

baohua (Wed, 24 May 2017 13:13:41 GMT):
yeap :)

smithbk (Wed, 24 May 2017 13:14:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=R8tTwXdJShnE8binS) @mizaoyu Hi, could you post this to the fabric-sdk-node channel. Thanks

mizaoyu (Wed, 24 May 2017 13:15:49 GMT):
ok. thank you

srvnnp (Wed, 24 May 2017 13:38:14 GMT):
Has joined the channel.

smithbk (Wed, 24 May 2017 13:39:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=F36CZ34g2TYX3CphS) @smithbk So the answer is yes to #1 and #2. I was told that they provide a couple of admin users which you can use to register and enroll new users.

smithbk (Wed, 24 May 2017 13:48:49 GMT):
@baohua I agree that using PKCS8 is better, but at this point in the cycle, we are only making bug fixes and beefing up the test cases. So I don't think we are going to get this through, unless it fixes a bug.

baohua (Wed, 24 May 2017 13:51:41 GMT):
sure, from my point, this change helps provide convenience for the usage/development, but certainly there's no obvious bug now.

smithbk (Wed, 24 May 2017 13:54:04 GMT):
yeh, i agree, I wish we could get more of these type of changes in as well, but the door is closing for v1 ... thanks

smithbk (Wed, 24 May 2017 13:56:00 GMT):
of course if you want to post to the fabric-pr-review or fabric-maintainers channel to try to get this in, that would be fine as well

baohua (Wed, 24 May 2017 14:10:21 GMT):
sure, and currently people are discussing on related issues at the fabric channel. some believe should focus on bug, some suggest also consider other related ones :)

saptarshee (Wed, 24 May 2017 15:52:01 GMT):
Has joined the channel.

SandySun2000 (Wed, 24 May 2017 16:38:45 GMT):
Has joined the channel.

bmatsuo (Wed, 24 May 2017 19:39:20 GMT):
Has joined the channel.

gbolo (Wed, 24 May 2017 19:42:19 GMT):
Has joined the channel.

davidoevans (Wed, 24 May 2017 20:00:54 GMT):
Has joined the channel.

davidoevans (Wed, 24 May 2017 20:05:03 GMT):
What is the relationship between fabric-ca and blockchain?

davidoevans (Wed, 24 May 2017 20:40:43 GMT):
I'll try answering my own question. fabric-ca provides certificate authority administration to assign roles and policies for any participant that can invoke queries or transactions on the fabric blockchain. Let me know if that makes sense...thx

SanketPanchamia (Thu, 25 May 2017 05:15:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yAZQcfH7XT8HEFitS) @davidoevans Correct. It is the CA that will issue the certificates to the enrolled users.

prashiyn (Thu, 25 May 2017 07:01:56 GMT):
What purpose does the chainfile key in config.yaml serve? is it the same as the -u option ?

vivekraut (Thu, 25 May 2017 08:44:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=F36CZ34g2TYX3CphS) @smithbk @ashutosh_kumar I raised a ticket on IBM site and as per them this is a known issue - https://jira.hyperledger.org/browse/FAB-4097

prashiyn (Thu, 25 May 2017 09:47:39 GMT):
I get the following error `Principal deserialization failed: (The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority)` from the orderer while creating the channel. `openssl verify` verifies it properly, whereas it's failing in the MSP. Is there anything I am missing?

davidoevans (Thu, 25 May 2017 10:48:33 GMT):
Thanks @SanketPanchamia - Can you clarify the scope of valid 'enrolled users'? Is a car dealership an org each of those would need their own key? Same question for salesman at a car dealership... Same question again for customers of a car dealership?

smithbk (Thu, 25 May 2017 12:11:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yAZQcfH7XT8HEFitS) @davidoevans Yes, fabric-ca-server is a CA which issues certificates which may be used to transact on the blockchain. It also provides renewal and revocation features. The configuration of policies for ACLs in the blockchain are performed in the blockchain and reference certificates issued by fabric-ca.

smithbk (Thu, 25 May 2017 12:18:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TaBD4M4PG7doCyFct) @prashiyn The chainfile may contain multiple certificates which form a certificate chain. The 1st one in the list is always the root of trust (which may be the root CA or an external CA if the root CA has for example a Verisign cert) and the last one is always the server's signing certificate. The entire chain is needed by someone validating a signature from the CA to fully verify the signature. It allows someone to only trust the root but to verify signatures from multiple intermediate CAs. Make sense?

smithbk (Thu, 25 May 2017 12:20:27 GMT):
So it is different from the -u option, and you could generally call getcacert on CAs of other orgs to get the chain to trust for that org.

smithbk (Thu, 25 May 2017 12:23:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=34NS28bfEZs8YM8ca) @prashiyn It sounds like the MSP associated with the identity is missing either a cacert or an intermediatecert, so it can't build the chain of trust up to a root that it trusts (i.e. one of the cacerts certificates)

smithbk (Thu, 25 May 2017 12:27:00 GMT):
You could look at the issuer of the identity's cert, and add that certificate as a cacerts (or intermediatecerts) of the MSP

prashiyn (Thu, 25 May 2017 14:04:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=otCLcpYDnZwmDsAna) @smithbk Thanks a ton. Makes sense. Works for me like a charm

Hangyu (Fri, 26 May 2017 05:18:04 GMT):
Has joined the channel.

chenxuan (Fri, 26 May 2017 06:35:54 GMT):
github.com/hyperledger/fabric-ca/vendor/github.com/mattn/go-sqlite3(.data.rel): unexpected R_X86_64_64 relocation for dynamic

Jay (Fri, 26 May 2017 09:24:36 GMT):
tcert

smithbk (Fri, 26 May 2017 13:31:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=d4mPbezHHoxa7Dfxk) @chenxuan Hi, maybe I'm missing some context. Is this happening when installing on some platform?

rameshthoomu (Fri, 26 May 2017 14:32:05 GMT):
@smithbk @skarim ReadTheDocs (RTD) doc build process is implemented for fabric-ca repository.. Please access documentation link from here http://hyperledger-fabric-ca.readthedocs.io/en/latest/

smithbk (Fri, 26 May 2017 14:56:10 GMT):
Thanks ... there is a typo in the title

rameshthoomu (Fri, 26 May 2017 16:43:22 GMT):
:( will submit patch.. Shall I?

smithbk (Fri, 26 May 2017 17:18:48 GMT):
yes, thanks

nhrishi (Sat, 27 May 2017 12:15:49 GMT):
Hi, we're integrating fabric-sdk-node with fabric-v1-alpha2 CA. We're running with TLS options. We also passed tlsOption with the CA pem. But we're getting the below error: `[2017-05-27 08:04:25.896] [ERROR] Helper - Error: Calling enrollment endpoint failed with error [Error: connect ECONNREFUSED 0.0.0.0:7054]`. Can someone pls advise. Thanks.

raasiel (Sun, 28 May 2017 11:52:15 GMT):
Has joined the channel.

bmalavan (Sun, 28 May 2017 19:22:40 GMT):
Hi, I am trying to build fabric-ca from the alpha2 tag. When I am executing `make all`, the project hits an error when downloading python 2.7.11; it's failing with bad request. However, when I use `wget http://archive.ubuntu.com/ubuntu/pool/main/p/python-defaults/python_2.7.11-1_amd64.deb` I am able to download. Please find the error log. Any clue is appreciated:
```
Reading package lists...
+ dpkg-divert --local --rename --add /sbin/initctl
Leaving 'local diversion of /sbin/initctl to /sbin/initctl.distrib'
+ ln -sf /bin/true /sbin/initctl
+ dpkg-divert --local --rename --add /usr/bin/ischroot
Adding 'local diversion of /usr/bin/ischroot to /usr/bin/ischroot.distrib'
+ ln -sf /bin/true /usr/bin/ischroot
+ apt-get install -y --no-install-recommends apt-utils python locales python-pip
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  apt libapt-pkg5.0 libpython-stdlib libpython2.7-minimal libpython2.7-stdlib python-minimal python-pip-whl python2.7 python2.7-minimal
Suggested packages:
  aptitude | synaptic | wajig apt-doc python-apt python-doc python-tk python2.7-doc binfmt-support
Recommended packages:
  python-all-dev python-setuptools python-wheel
The following NEW packages will be installed:
  libpython-stdlib libpython2.7-minimal libpython2.7-stdlib python python-minimal python-pip python-pip-whl python2.7 python2.7-minimal
The following packages will be upgraded:
  apt apt-utils libapt-pkg5.0 locales
4 upgraded, 9 newly installed, 0 to remove and 65 not upgraded.
Need to get 10.3 MB of archives.
After this operation, 18.5 MB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 libapt-pkg5.0 amd64 1.2.20 [707 kB]
Get:2 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 apt amd64 1.2.20 [1042 kB]
Get:3 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 apt-utils amd64 1.2.20 [196 kB]
Get:4 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 libpython2.7-minimal amd64 2.7.12-1ubuntu0~16.04.1 [339 kB]
Get:5 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 python2.7-minimal amd64 2.7.12-1ubuntu0~16.04.1 [1295 kB]
Get:6 http://archive.ubuntu.com/ubuntu xenial/main amd64 python-minimal amd64 2.7.11-1 [28.2 kB]
Get:7 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 libpython2.7-stdlib amd64 2.7.12-1ubuntu0~16.04.1 [1884 kB]
Get:8 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 python2.7 amd64 2.7.12-1ubuntu0~16.04.1 [224 kB]
Get:9 http://archive.ubuntu.com/ubuntu xenial/main amd64 libpython-stdlib amd64 2.7.11-1 [7656 B]
Err:10 http://archive.ubuntu.com/ubuntu xenial/main amd64 python amd64 2.7.11-1
  400 Bad Request [IP: 91.189.88.149 80]
Get:11 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 locales all 2.23-0ubuntu7 [3222 kB]
Get:12 http://archive.ubuntu.com/ubuntu xenial-updates/universe amd64 python-pip-whl all 8.1.1-2ubuntu0.4 [1110 kB]
Get:13 http://archive.ubuntu.com/ubuntu xenial-updates/universe amd64 python-pip all 8.1.1-2ubuntu0.4 [144 kB]
Fetched 10.2 MB in 2s (4287 kB/s)
E: Failed to fetch http://archive.ubuntu.com/ubuntu/pool/main/p/python-defaults/python_2.7.11-1_amd64.deb  400 Bad Request [IP: 91.189.88.149 80]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
The command '/bin/sh -c /container/build.sh' returned a non-zero code: 100
Makefile:113: recipe for target 'build/image/openldap/.dummy-x86_64-1.0.0-alpha2' failed
make: *** [build/image/openldap/.dummy-x86_64-1.0.0-alpha2] Error 100
```

nharshita (Mon, 29 May 2017 07:10:54 GMT):
Has joined the channel.

guruce (Mon, 29 May 2017 07:19:30 GMT):
Has joined the channel.

kesavannb (Mon, 29 May 2017 07:31:34 GMT):
Has joined the channel.

harsha (Mon, 29 May 2017 12:34:32 GMT):
Can you try, `make clean` and re-try `make all`

bmalavan (Mon, 29 May 2017 13:12:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=z8z3cAR2NmWBdz83P) @harsha Did that several times

harsha (Mon, 29 May 2017 13:23:35 GMT):
It works perfect for me..

rasmustrew (Tue, 30 May 2017 10:56:51 GMT):
Has joined the channel.

rasmustrew (Tue, 30 May 2017 10:57:03 GMT):
Hi! I have a question about starting a new chain and enrolling users. I am using the Java SDK. I have been looking at the Getting Started tutorial on readthedocs, there they use the cryptogen tool to generate keys, and use these keys to start a new chain. However, by doing this they completely bypass the CA? Is this a good way to do it? Should the CA not be used to create the keys/certificates for this?

smithbk (Tue, 30 May 2017 13:58:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=suwumZatn2iyDW8AG) @nhrishi Shouldn't the "0.0.0.0" be "127.0.0.1"? Although "0.0.0.0" is OK for a listening endpoint on the server-side to mean any IP addr, it can't be used on the client-side which appears to be the case here.

smithbk (Tue, 30 May 2017 14:03:16 GMT):
@bmalavan Hi, can you give exact steps to reproduce, including platform, URL for cloning repo, etc?

smithbk (Tue, 30 May 2017 14:09:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3Z4BGTof4hBnguNHy) @rasmustrew The e2e tests for both node and java SDK use the fabric-ca. Have you seen those? @jimthematrix can point to them

jimthematrix (Tue, 30 May 2017 15:18:16 GMT):
@rasmustrew https://github.com/hyperledger/fabric-sdk-java/blob/master/src/test/java/org/hyperledger/fabric/sdkintegration/End2endIT.java#L155

bmalavan (Tue, 30 May 2017 17:25:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6nE6HH48LtuuZ8jzU) @smithbk Please find the steps:
```
git clone http://gerrit.hyperledger.org/r/fabric-ca
cd fabric-ca
git checkout v1.0.0-alpha2
make clean
make all
```
This happened after creating the fabric-ca image and while building the openldap image. I am using Ubuntu 16.04.

smithbk (Tue, 30 May 2017 17:26:58 GMT):
@bmalavan What OS are you on?

smithbk (Tue, 30 May 2017 17:27:27 GMT):
:-) thanks

smithbk (Tue, 30 May 2017 18:08:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BckZYM8eguzKebcSp) @bmalavan @rennman Allen, this is apparently an openldap issue on ubuntu 16.04. Can you try to reproduce with these steps? Thanks

hmchen (Tue, 30 May 2017 18:47:26 GMT):
Has joined the channel.

guillermo.correa (Tue, 30 May 2017 21:01:05 GMT):
Has joined the channel.

troyronda (Wed, 31 May 2017 00:42:52 GMT):
re: cert revocation documentation. I see the first part of the procedure on https://hyperledger-fabric.readthedocs.io/en/latest/Setup/ca-setup.html#revoking-a-certificate-or-identity ... it would be helpful to link to the documentation for the next step (submitting the updated crl).

rasmustrew (Wed, 31 May 2017 08:13:38 GMT):
@smithbk I have looked at them, they do indeed use the cryptogen tool. However that does not really answer my question. "By doing this they completely bypass the CA? Is this a good way to do it? Should the CA not be used to create the keys/certificates for this?" I am uncertain whether the way they do it in the e2e scenario is the best practice.

Vadim (Wed, 31 May 2017 08:14:33 GMT):
@rasmustrew cryptogen is used to quickly bootstrap the network for dev purposes and generate all that 10+ certificates

Vadim (Wed, 31 May 2017 08:15:28 GMT):
you can then take the ca cert and tell your fabric-ca to use it, so you will be able to generate user certs on the fly which are trusted by your network

VamsiKrishnak (Wed, 31 May 2017 10:02:46 GMT):
Has joined the channel.

rasmustrew (Wed, 31 May 2017 10:03:32 GMT):
@Vadim What about admin certs? Can I make admin certs through the CA? Right now I have created a CA that uses the certs from cryptogen. I then try to enroll "admin:adminpw" and I get some credentials back from the CA. I then try to use these to sign the creation of a new channel, but I get an error back stating that this user is not an admin.

Vadim (Wed, 31 May 2017 10:53:59 GMT):
@rasmustrew you can create admin certs over ca, but then you have to manually copy them to the msp/admincerts of each peer

rasmustrew (Wed, 31 May 2017 10:55:48 GMT):
I see, thank you!

rasmustrew (Wed, 31 May 2017 10:57:59 GMT):
So it is a bit of a pain to add new orgs to an existing network, as their new admin cert would then need to be manually copied to all existing peers. Do you know if there any plans to automate this process?

Vadim (Wed, 31 May 2017 10:59:57 GMT):
most likely yes, there is probably even Jira ticket for that, but I'm not the right person to ask

smithbk (Wed, 31 May 2017 11:04:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Hx2thnijaWnNcnpLM) @rasmustrew Hi, the e2e test that I was referring to is not the one in the fabric repo, but in the fabric-sdk-java repo. See https://github.com/hyperledger/fabric-sdk-java#end-to-end-test-scenario. Note that it uses fabric-ca as it mentions the following: "The test defines one Fabric orderer and two organizations (peerOrg1, peerOrg2), each of which has 2 peers, one fabric-ca service."

rasmustrew (Wed, 31 May 2017 11:07:27 GMT):
@smithbk Yes that is the one i was looking at. It does use the CA, but not for the admin certs, those are read from the file created by cryptogen.

smithbk (Wed, 31 May 2017 11:07:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iXXsWGyje39Qkv3Em) @Vadim Yes, see https://jira.hyperledger.org/browse/FAB-3752

rasmustrew (Wed, 31 May 2017 11:08:04 GMT):
That is excellent to hear!

smithbk (Wed, 31 May 2017 11:08:37 GMT):
But this is planned for post v1. Feel free to add a comment to the jira item

MikkelPetersen (Wed, 31 May 2017 11:25:35 GMT):
Has joined the channel.

jyg007 (Wed, 31 May 2017 15:20:09 GMT):
Has joined the channel.

Asara (Wed, 31 May 2017 17:08:51 GMT):
Hey guys, I am trying to enroll the bootstrap user, and am hitting this error:
```
docker exec -i -t c27 bash
root@c276c0fc87e0:/# fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
root@c276c0fc87e0:/# fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
2017/05/31 17:07:27 [INFO] User provided config file: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2017/05/31 17:07:27 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2017/05/31 17:07:27 [INFO] generating key: &{A:ecdsa S:256}
2017/05/31 17:07:27 [INFO] encoded CSR
Error: POST failure [Post http://localhost:7054/enroll: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"]; not sending
POST http://localhost:7054/enroll
```

Asara (Wed, 31 May 2017 18:22:42 GMT):
What is the best way to set up TLS credentials for SDK clients?

Asara (Wed, 31 May 2017 18:35:27 GMT):
As in, if I set up e2e with TLS enabled, what would be the best method to get grpc credentials?

smithbk (Wed, 31 May 2017 22:27:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fzwFvdZhiQ453Hnh4) @Asara @jimthematrix Which SDK are you using? I recommend posting this to the appropriate SDK channel. The node and java SDKs have their own end-to-end tests which hopefully demonstrate how to use TLS, but @jimthematrix would know for sure.

jimthematrix (Thu, 01 Jun 2017 02:02:38 GMT):
@Asara *node SDK*
```
client.newOrderer(
  ORGS.orderer.url,
  {
    'pem': caroots,
    'ssl-target-name-override': ORGS.orderer['server-hostname']
  }
);
```
```
let peer = client.newPeer(
  ORGS[org][key].requests,
  {
    pem: Buffer.from(data).toString(),
    'ssl-target-name-override': ORGS[org][key]['server-hostname']
  }
);
```
Similar in the Java SDK: you pass in the grpc credentials (server cert root, target name override) as a java.util.Properties object when constructing an orderer or peer object.

blockcloud (Thu, 01 Jun 2017 08:14:31 GMT):
Has joined the channel.

jrosmith (Thu, 01 Jun 2017 13:15:00 GMT):
Has joined the channel.

bobbiejc (Thu, 01 Jun 2017 15:27:11 GMT):
@mastersingh24 is it possible to enroll in the fabric with external certificates? Is there documentation for doing this somewhere?

bobbiejc (Thu, 01 Jun 2017 15:27:22 GMT):
@guillermo.correa FYI ^^

mastersingh24 (Thu, 01 Jun 2017 17:20:01 GMT):
@bobbiejc - None of the Fabric components (peer, orderer, SDKs) require you to use the fabric-ca to get your crypto material. As a matter of fact, if you take a look at the scripts and compose files in https://github.com/hyperledger/fabric/tree/master/examples/e2e_cli you'll see that we actually generate all the crypto material simply using a command line tool (which under the covers is just Go crypto code)

bobbiejc (Thu, 01 Jun 2017 17:34:36 GMT):
right --- i think that the trick is figuring out where to put all the self-generated crypto files (which is essentially reverse engineering the scripts)

bobbiejc (Thu, 01 Jun 2017 17:34:57 GMT):
Is there documentation for bringing your own certificates?

bobbiejc (Thu, 01 Jun 2017 17:35:03 GMT):
@mastersingh24

bobbiejc (Thu, 01 Jun 2017 17:35:05 GMT):
^^

bobbiejc (Thu, 01 Jun 2017 17:36:19 GMT):
@guillermo.correa ^^

mastersingh24 (Thu, 01 Jun 2017 17:37:12 GMT):
[http://hyperledger-fabric.readthedocs.io/en/latest/msp.html ](https://chat.hyperledger.org/channel/fabric-ca?msg=qNuCNC4DKiR2TCeZm) @bobbiejc

bobbiejc (Thu, 01 Jun 2017 17:46:26 GMT):
@mastersingh24 thanks. If I'm reading this correctly, this process has to be done manually on each peer?

mastersingh24 (Thu, 01 Jun 2017 18:00:40 GMT):
@bobbiejc - Yes - that's the "penalty" we paid for separating out membership services

mastersingh24 (Thu, 01 Jun 2017 18:01:00 GMT):
Of course you can easily add your own "client" into a custom container to do the work for you

mastersingh24 (Thu, 01 Jun 2017 18:01:11 GMT):
That's how we would use the fabric-ca-client

bobbiejc (Thu, 01 Jun 2017 18:01:26 GMT):
ok

mastersingh24 (Thu, 01 Jun 2017 18:02:00 GMT):
But it's pretty straightforward once you get going ;)

ambatigaan (Fri, 02 Jun 2017 04:31:36 GMT):
Has joined the channel.

MDBijman (Fri, 02 Jun 2017 09:38:15 GMT):
Has joined the channel.

dbshah (Fri, 02 Jun 2017 17:51:12 GMT):
Seeing this error (last line) when I am trying to start 2 instances of CA, alpha3-e4e0a0d:
```
2017/06/02 17:49:30 [DEBUG] Initializing default CA in directory /mnt/ca
2017/06/02 17:49:30 [DEBUG] Init CA with home /mnt/ca and config {CA:{Name:OrdererCA Keyfile:/mnt/crypto/ca/OrdererCA-a/msp/keystore/key.pem Certfile:/mnt/crypto/ca/OrdererCA-a/msp/signcerts/cert.pem Chainfile:/mnt/crypto/ca/OrdererCA-a/msp/cacerts/caroot.pem} Signing:0xc4202b9480 CSR:{CN: Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[fabric-ca-0a] KeyRequest: CA:0xc4202b5e60 SerialNumber:} Registry:{MaxEnrollments:0 Identities:[{Name:admin Pass:adminpw Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Registrar.DelegateRoles:client,user,validator,auditor hf.Revoker:1 hf.IntermediateCA:1 hf.Registrar.Roles:client,user,peer,validator,auditor,ca]} {Name:adminCA Pass:adminCApw Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.IntermediateCA:1 hf.Registrar.Roles:client,user,peer,validator,auditor,ca hf.Registrar.DelegateRoles:client,user,validator,auditor hf.Revoker:1]} {Name:adminOrderer Pass:adminOrdererpw Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Revoker:1 hf.IntermediateCA:1 hf.Registrar.Roles:client,user,peer,validator,auditor,ca,orderer hf.Registrar.DelegateRoles:client,user,validator,auditor,orderer]}]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{Enabled:false URL:ldap://:@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) TLS:{Enabled:false CertFiles:[ldap-server-cert.pem] Client:{KeyFile:ldap-client-key.pem CertFile:ldap-client-cert.pem}}} DB:{Type:sqlite3 Datasource:OrdererCA-a.db TLS:{Enabled:false CertFiles:[db-server-cert.pem] Client:{KeyFile:db-client-key.pem CertFile:db-client-cert.pem}}} CSP:0xc4202b42c0 Client: Intermediate:{ParentServer:{URL:http://adminCA:adminCApw@fabric-ca-parent.net_blockchain.com:7054 CAName:OrdererCA-parent} TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{Name: Secret: Profile: Label: CSR: CAName:}}}
2017/06/02 17:49:30 [DEBUG] CA Home Directory: /mnt/ca
2017/06/02 17:49:30 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc4202a88d0 Pkcs11Opts:}
2017/06/02 17:49:30 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc4202ad690 DummyKeystore:}
2017/06/02 17:49:30 [DEBUG] Initialize key material
2017/06/02 17:49:30 [DEBUG] Making CA filenames absolute
2017/06/02 17:49:30 [INFO] The CA key and certificate already exist
2017/06/02 17:49:30 [INFO] The key is stored by BCCSP provider 'SW'
2017/06/02 17:49:30 [INFO] The certificate is at: /mnt/crypto/ca/OrdererCA-a/msp/signcerts/cert.pem
2017/06/02 17:49:30 [DEBUG] Loading CN from existing enrollment information
2017/06/02 17:49:30 [DEBUG] Initializing 'sqlite3' database at '/mnt/ca/OrdererCA-a.db'
2017/06/02 17:49:30 [DEBUG] Using sqlite database, connect to database in home (/mnt/ca/OrdererCA-a.db) directory
2017/06/02 17:49:30 [DEBUG] Database (/mnt/ca/OrdererCA-a.db) exists
2017/06/02 17:49:30 [DEBUG] Successfully opened sqlite3 DB
2017/06/02 17:49:30 [DEBUG] Initializing identity registry
2017/06/02 17:49:30 [DEBUG] Initialized DB identity registry
2017/06/02 17:49:30 [INFO] Initialized sqlite3 database at /mnt/ca/OrdererCA-a.db
2017/06/02 17:49:30 [DEBUG] Initializing enrollment signer
2017/06/02 17:49:30 [DEBUG] validating configuration
2017/06/02 17:49:30 [DEBUG] validate local profile
2017/06/02 17:49:30 [DEBUG] profile is valid
2017/06/02 17:49:30 [DEBUG] validate local profile
2017/06/02 17:49:30 [DEBUG] profile is valid
2017/06/02 17:49:30 [DEBUG] CA initialization successful
Error: Common name 'adminCA' is used in '' and ''
```
Any ideas? I have the same identity `adminCA` in both the configs; isn't that allowed?

Asara (Fri, 02 Jun 2017 17:52:55 GMT):
Is there a way to use the cryptogen tool to create SDK clients?

Asara (Fri, 02 Jun 2017 17:55:32 GMT):
I'm not sure how I should go about creating the credentials for SDK clients

smithbk (Fri, 02 Jun 2017 19:08:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=b8R7eYFBQRd2buZef) @dbshah You can have the same identities in multiple CAs in the same server, but both the CA name and the common name of the CA must be unique for each CA. It is complaining about the common name (i.e. the "csr.cn" attribute I believe). I'd have to see the config files to be more specific.

smithbk (Fri, 02 Jun 2017 19:10:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Am99yj4AxsGEFG6eW) @Asara If you're using fabric-ca (which I assume is the case if you're posting to this channel), the SDKs can get an identity by enrolling

smithbk (Fri, 02 Jun 2017 19:11:49 GMT):
@Asara Which SDK are you using?

Asara (Fri, 02 Jun 2017 19:12:14 GMT):
node SDK

Asara (Fri, 02 Jun 2017 19:12:28 GMT):
I bring up fabric using the docker e2e compose files

Asara (Fri, 02 Jun 2017 19:12:51 GMT):
the sdk needs an initial set of keys to communicate with the fabric though.

Asara (Fri, 02 Jun 2017 19:13:04 GMT):
ask in GRPC credentials (I think)

smithbk (Fri, 02 Jun 2017 19:13:30 GMT):
There is an e2e example in the node SDK repo. Have you seen that?

Asara (Fri, 02 Jun 2017 19:15:38 GMT):
No I haven't. Not sure which example you are mentioning. https://github.com/hyperledger/fabric-sdk-node/tree/v1.0.0-alpha2

Asara (Fri, 02 Jun 2017 19:15:51 GMT):
only has the balance-transfer example, which does not use e2e as far as I can tell

smithbk (Fri, 02 Jun 2017 19:20:37 GMT):
@jimthematrix Jim, can you point to the node e2e example? I thought it was under test/fixtures

smithbk (Fri, 02 Jun 2017 19:21:42 GMT):
@Asara, you could also try the fabric-sdk-node channel

Asara (Fri, 02 Jun 2017 19:24:13 GMT):
"@Asara take a look at fabric-sdk-node/test/integration/e2e/config.json, and see what settings are used there and how" was what @jimthematrix pointed me to in the fabric-sdk-node channel

Asara (Fri, 02 Jun 2017 19:24:16 GMT):
https://github.com/hyperledger/fabric-sdk-node/tree/master/test/integration/e2e

Asara (Fri, 02 Jun 2017 19:24:32 GMT):
which doesn't really help in terms of SDK client credential creation, as far as I can tell.

smithbk (Fri, 02 Jun 2017 19:29:36 GMT):
Sorry, but @jimthematrix will need to point you to the correct example to enroll with fabric-ca in order to get credentials

Asara (Fri, 02 Jun 2017 19:30:21 GMT):
Hey looks like it is there! Mostly in: https://github.com/hyperledger/fabric-sdk-node/blob/master/test/integration/e2e/e2eUtils.js

Asara (Fri, 02 Jun 2017 19:30:25 GMT):
Thanks :D

smithbk (Fri, 02 Jun 2017 19:30:41 GMT):
ok, good

Asara (Fri, 02 Jun 2017 20:17:21 GMT):
Alright, I'm confused again. The e2e integration tests make sense to me, but this still doesn't tell me the process of how to get my initial grpc tls key/cert for SDK users. The generateArtifacts script makes it for Orderers and Peers, but what is the process of getting my initial set of GRPC credentials for the SDK to then actually create users on the Fabric.

Asara (Fri, 02 Jun 2017 20:17:27 GMT):
Sorry if I'm being daft :)

ffilozov1 (Fri, 02 Jun 2017 21:53:21 GMT):
Has joined the channel.

jimthematrix (Sun, 04 Jun 2017 02:44:52 GMT):
@Asara you can use either the balance-transfer example or the test/integration/e2e to get a sense of how things are done. The balance-transfer is created based on the e2e test code.

jimthematrix (Sun, 04 Jun 2017 02:46:23 GMT):
you asked about tls key/cert for grpc, I showed you the code snippet above on how to pass them when you construct the Peer or the Orderer object in the SDK. if you have further questions on that please be more specific

jimthematrix (Sun, 04 Jun 2017 02:49:02 GMT):
you asked about "create users": not sure exactly what you are referring to. Identities in the fabric (peers/orderers) are established with x509 certificates. You need to be familiar with the PKI concepts to understand how different pieces fit together. Basically the SDK needs to have access to a private key and a corresponding x509 certificate for the user identity, so that it can use it to sign grpc requests.

jimthematrix (Sun, 04 Jun 2017 02:50:54 GMT):
the certificate can be generated/issued by any standard CA, or you can use fabric-ca to dynamically register (add a user to the fabric-ca) and enroll (get a signed certificate) a user

jimthematrix (Sun, 04 Jun 2017 02:52:25 GMT):
check out fabric-sdk-node/test/unit/util.js:
- getSubmitter() to see how to establish user identities with fabric-ca
- getAdmin() to see how to establish user identities with pre-generated key and cert without fabric-ca

SanketPanchamia (Mon, 05 Jun 2017 06:32:27 GMT):
Hi, I am able to set up my node sdk app and use Postman to run some chaincodes that I have written. Currently I am using only the default CA that comes with the node sdk. So all users that I enroll are enrolled with admin privileges. I now want to write some permissions for specific users using node sdk. Any pointers?

jun (Mon, 05 Jun 2017 08:52:38 GMT):
Has joined the channel.

dirainbow (Mon, 05 Jun 2017 09:37:20 GMT):
Has joined the channel.

smithbk (Mon, 05 Jun 2017 12:50:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8iQLcMPryhidDdrQR) @SanketPanchamia Pls give a specific example of a permission that you want to enforce? I'm guessing that you want specific users to be able to perform certain operations in your chaincode but not allow other users. If yes, then you could save the certificates of these permitted users into some world state variable in chaincode, and then check in chaincode to see if the caller owns one of those certificates before allowing them to perform the operation.

vdods (Mon, 05 Jun 2017 21:31:13 GMT):
Has left the channel.

vdods (Mon, 05 Jun 2017 21:32:42 GMT):
Has joined the channel.

vdods (Mon, 05 Jun 2017 21:32:50 GMT):
Hi all, this is probably a dumb question.. what is the difference between a CA and an MSP? It seems like perhaps a subtle difference.

vdods (Mon, 05 Jun 2017 21:41:30 GMT):
My current guess would be CA handles creation of certificates for use in establishing trust, while the MSP handles user registration and enrollment.. is that far off?

smithbk (Mon, 05 Jun 2017 22:40:57 GMT):
@vdods MSP (Membership Services Provider) is the API which fabric calls to perform membership-related checks. The term MSP is also used to refer to the default implementation of the MSP API, which is an X509-based implementation. At a high-level, you can think of the MSP in the fabric as the code which is called to ensure the caller is permitted to perform some operation. For example, when chaincode is installed on a peer, the peer's local MSP is called to make sure the caller is authorized to do so.

smithbk (Mon, 05 Jun 2017 22:44:44 GMT):
@vdods The fabric CA consists of a server and client component. The server issues certificates which can be used to sign transactions which are then sent to the fabric. Or you can get certificates from another CA. As long as the fabric's policies which consist of MSPs trust the CA's certificate, any CA can be used. The fabric CA client is both a library and a CLI to do things like enrolling orderers or peers with the fabric CA.

SanketPanchamia (Tue, 06 Jun 2017 04:12:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pJ4Gzf6sMnxgvd5Ne) @smithbk Yes, that is what I intend to do. So I did come across an example of chaincode with access control where I can define the roles of the users: https://github.com/hyperledger-archives/fabric/tree/master/examples/chaincode/go/asset_management02 . Although I still need some help in taking this forward. If ok, I can have a direct chat with you on this too.

evgenhvost (Tue, 06 Jun 2017 11:18:12 GMT):
Has joined the channel.

pvrbharg (Tue, 06 Jun 2017 19:50:04 GMT):
Has joined the channel.

vdods (Tue, 06 Jun 2017 20:16:18 GMT):
@smithbk Ok, thanks. So say from appserver0 (e.g. running fabric-sdk-node) I register a new user on ca0 that peer0 trusts. What keys/certs does each of appserver0, ca0, and peer0 get? Does peer0 have its own internal model of who is authorized to instantiate/transact/etc, or does it just somehow check that the credentials presented within the transaction are signed by the CA? Or perhaps something else entirely?

smithbk (Tue, 06 Jun 2017 20:31:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BdJdbLEaEYhHR9nY8) @vdods Peer0 will have ca0's cert in its list of trusted certs in its MSP (Membership Service Provider) ... so yes, it has its own model of who is authorized, which is defined by MSP ... which is the same for both peers and orderers

vdods (Tue, 06 Jun 2017 21:18:27 GMT):
@smithbk But peer0 doesn't handle any sort of "private enrollment" where it keeps copies of member certs or anything? It's just dealing with certs handed in by transactions?

vdods (Tue, 06 Jun 2017 21:18:46 GMT):
And checks that those certs are signed by its trusted CA?

smithbk (Tue, 06 Jun 2017 21:50:20 GMT):
@vdods The only specific end entity cert kept is for the administrator, to identify for example who can install chaincode on the peer. Otherwise, it is just the CA's root certificate, and no member certs are kept.

vdods (Tue, 06 Jun 2017 21:50:49 GMT):
Ah ok.. and it's only that admin who can install chaincode?

smithbk (Tue, 06 Jun 2017 22:00:40 GMT):
yes ... though there can be multiple admins

smithbk (Tue, 06 Jun 2017 22:02:07 GMT):
you may be interested in https://jira.hyperledger.org/browse/FAB-3752 as well

vdods (Tue, 06 Jun 2017 22:03:36 GMT):
Awesome, thanks!

pvrbharg (Wed, 07 Jun 2017 04:21:56 GMT):
@jimthematrix @smithbk @Asara Could you please guide me as to where I would start - given I got 3 certificates (a certificate for BC test node server(.cer), an intermediate CA certificate (.cer) and a root certificate (.cer) and a pkcs # 7 certificates file (.p7b) and I need to use these to set up e2e sample running on this BC test node server? I am looking for any kind of structured documented how-to asset that I can follow - to use the given customer generated certificates along with cryptogen tool and existing sample. I have reviewed a) https://hyperledger-fabric.readthedocs.io/en/latest/msp.html b) http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#overview documents and not 100% sure. Thanks.

bernardo9999 (Wed, 07 Jun 2017 05:17:20 GMT):
Has joined the channel.

Vipul_Bajaj (Wed, 07 Jun 2017 08:57:05 GMT):
Has joined the channel.

zhasni (Wed, 07 Jun 2017 11:12:41 GMT):
Has joined the channel.

vivekraut (Wed, 07 Jun 2017 18:14:21 GMT):
Hi, I am trying to enroll a user by calling the Fabric-CA server. I am getting the following error

vivekraut (Wed, 07 Jun 2017 18:14:22 GMT):
Error: Failed to get client TLS config: Failed to PEM decode certificate

vivekraut (Wed, 07 Jun 2017 18:14:30 GMT):
anybody faced this error?

vivekraut (Wed, 07 Jun 2017 18:14:57 GMT):
i am using the bluemix blockchain v1 service

jaswanth (Thu, 08 Jun 2017 05:12:40 GMT):
Has joined the channel.

Souvik.Dey (Thu, 08 Jun 2017 07:34:07 GMT):
Has joined the channel.

Souvik.Dey (Thu, 08 Jun 2017 07:34:12 GMT):
We are using the configtxgen tool to generate channel.tx for alpha images. channel.tx (binary dump omitted): signature certificate files are missing in the file. We are unable to create a channel using channel.tx. We are creating the channel using the cmd: `peer channel create -o orderer.example.com:7050 -c abcd -f channel.tx`. Please provide any solution to create multiple channels using alpha images.

smithbk (Thu, 08 Jun 2017 09:30:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=B6baeBFPZqYYkXs4d) @pvrbharg I was contacted via email also and responded earlier with the following:

1) Create a default config file as follows:
```
# fabric-ca-server init -b admin:adminpw
```
This will create a fabric-ca-server-config.yaml file in the current directory. Note in particular this section:
```
#############################################################################
# The CA section contains information related to the Certificate Authority
# including the name of the CA, which should be unique for all members
# of a blockchain network. It also includes the key and certificate files
# used when issuing enrollment certificates (ECerts) and transaction
# certificates (TCerts).
# The chainfile (if it exists) contains the certificate chain which
# should be trusted for this CA, where the 1st in the chain is always the
# root CA certificate.
#############################################################################
ca:
  # Name of this CA
  name:
  # Key file (default: ca-key.pem)
  keyfile: ca-key.pem
  # Certificate file (default: ca-cert.pem)
  certfile: ca-cert.pem
  # Chain file (default: chain-cert.pem)
  chainfile: ca-chain.pem
```
2) Convert your files from crt to pem. You can use openssl.
3) Either rename the pem files from #2 to "ca-key.pem" and "ca-cert.pem" and place in the current directory, or change the filenames in the yaml file. The ca-chain.pem file will almost always be the same as ca-cert.pem file for the root CA.
4) Start the server:
```
# fabric-ca-server start
```

smithbk (Thu, 08 Jun 2017 09:39:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aprmGgjP63AEQYaEy) @vivekraut The fabric-ca-client is unable to PEM decode the tls.certfiles file you are providing. Can you print it with openssl and see what you get? openssl x509 -in -text -noout

vivekraut (Thu, 08 Jun 2017 09:42:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7kFWfqg6TghL5tyBA) @smithbk It prints fine if I remove the "\r\n" values from the certificate.

hangyuliu (Thu, 08 Jun 2017 09:50:02 GMT):
Has joined the channel.

smithbk (Thu, 08 Jun 2017 09:51:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GJAz2HukpG4YP4hP8) @Souvik.Dey I suggest trying the fabric-consensus and fabric-crypto channels. I tried searching for the error "certificate files are missing in the file" but no hits.

pvrbharg (Thu, 08 Jun 2017 18:59:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qdvievPXooGWf8cPi) @smithbk Yes you did and thank you! I followed up my response in an out-of-band email for your review/validation. I gratefully thank you!

l1nux (Thu, 08 Jun 2017 19:43:06 GMT):
Has joined the channel.

l1nux (Thu, 08 Jun 2017 19:43:22 GMT):
How to reinstate a revoked user?

butch.g (Fri, 09 Jun 2017 02:02:45 GMT):
Has joined the channel.

vivekraut (Fri, 09 Jun 2017 03:35:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fMpnz5vwqmtRR6Xar) @vivekraut Thanks @smithbk I was able to use the correct format certificate and get the users registered and enrolled with Fabric-CA on Bluemix Blockchain vNext.

smithbk (Fri, 09 Jun 2017 11:41:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=szzSFzHeTWqQ3S9CB) @l1nux It is not supported currently. Feel free to open a jira item for this.

l1nux (Fri, 09 Jun 2017 13:45:50 GMT):
@smithbk I tried this test:
1) register a user, a secret is returned, save the secret
2) enroll the user with the secret returned from registration
3) revoke user
4) enroll the revoked user with saved user 'secret'
... and it seems to work. The question is, while waiting for CA folks to support this feature, is it advisable to reinstate a revoked user this way?

dbshah (Fri, 09 Jun 2017 14:24:24 GMT):
Hey, I am seeing this debug message, what does it mean? I am not using/changing the bccsp part
```
2017/06/08 21:04:42 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: CSP:500 - Failed getting key for SKI [[51 78 139 6 91 164 241 123 123 194 188 182 50 63 199 132 0 109 8 207 214 210 249 139 184 115 159 144 102 202 50 81]]
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw/impl.go:257 github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw.(*impl).GetKey
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:218 github.com/hyperledger/fabric-ca/util.GetSignerFromCert
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:340 github.com/hyperledger/fabric-ca/util.LoadX509KeyPair
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:424 github.com/hyperledger/fabric-ca/lib.(*Server).listenAndServe
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:124 github.com/hyperledger/fabric-ca/lib.(*Server).Start
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/start.go:41 main.runStart
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:95 main.RunMain
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:82 main.main
/opt/go/src/runtime/proc.go:192 runtime.main
/opt/go/src/runtime/asm_amd64.s:2087 runtime.goexit
Caused by: Key type not recognized
```

aambati (Fri, 09 Jun 2017 17:48:17 GMT):
@dbshah i think this is expected message when tls is enabled and debug is turned on

aambati (Fri, 09 Jun 2017 17:48:30 GMT):
do you see `2017/06/06 11:15:34 [DEBUG] Attempting fallback with certfile ` after that message

dbshah (Fri, 09 Jun 2017 17:50:19 GMT):
I can't find that, but I just wanted to make sure we are setting the bccsp paths correctly

l1nux (Fri, 09 Jun 2017 17:58:16 GMT):
How does one programmatically get the certificate SKI and serial number? I am using the fabric-client API to register/enroll/revoke users, and wanted to revoke a user by cert SKI and serial.

aambati (Fri, 09 Jun 2017 18:00:29 GMT):
@l1nux I would use openssl...
```
serial=$(openssl x509 -in userecert.pem -serial -noout | cut -d "=" -f 2)
aki=$(openssl x509 -in userecert.pem -text | awk '/keyid/ {gsub(/ *keyid:|:/,"",$1);print tolower($0)}')
fabric-ca-client revoke -s $serial -a $aki -r affiliationchange
```

aambati (Fri, 09 Jun 2017 18:01:33 GMT):
that is an example from user guide: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html

aambati (Fri, 09 Jun 2017 18:03:03 GMT):
if you are asking if there is a fabric-ca-client command to get the serial and aki of a user cert, answer is no

l1nux (Fri, 09 Jun 2017 18:34:29 GMT):
@aambati thanks. Let me clarify, I meant to do it in nodejs. I tried using the jsrsasign package to read the certificate; I seem to be able to get the serial number using this package but can't seem to be able to get the cert's aki (keyid) though. Any advice?

jrezwan (Sun, 11 Jun 2017 16:15:01 GMT):
Has joined the channel.

pvrbharg (Mon, 12 Jun 2017 04:33:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=h7aQdBbfnsFvoZWyk) @pvrbharg Thank you for guiding my setup and getting my work validated. Thanks.

YoshihiroNarikiyo (Mon, 12 Jun 2017 06:07:11 GMT):
Has joined the channel.

jaswanth (Mon, 12 Jun 2017 07:31:54 GMT):
I am trying to get the user information from fabric-ca. My user details are as follows in fabric-ca-server-config.yaml:
```
- name: jim
  pass: jimpw
  type: client
  affiliation: "org1.department2"
  attrs:
    hf.Registrar.Roles: "client,user"
    hf.Registrar.DelegateRoles: "client,user"
    hf.Revoker: true
    hf.IntermediateCA: true
    foo:boo
    foo1:boo1
```
Using the node sdk I tried to enroll jim and it was successful. After enrolling, the user information I got is this:
```
_name: 'jim',
_roles: null,
_affiliation: '',
_enrollmentSecret: '',
```
In the user information, secret and roles are null and I did not find attrs

jaswanth (Mon, 12 Jun 2017 07:32:46 GMT):
how can I get the foo and foo1 fields of the user, so that I can use them in my node app?

bluefireH (Mon, 12 Jun 2017 11:20:04 GMT):
Has joined the channel.

smithbk (Mon, 12 Jun 2017 11:56:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WMrTFQyrAEwyfg7ox) @jaswanth Hi, attributes are currently only placed in tcerts (transaction certificates) which are not yet supported by SDKs. As part of https://jira.hyperledger.org/browse/FAB-3752 which is unfortunately not in v1, you would be able to tell fabric-ca which attributes to put into ecerts (enrollment certificates). So currently attributes are only used within fabric-ca-server itself to make access control decisions, using the "hf.*" attributes. I encourage you to add a comment to FAB-3752 regarding your use case, or to open a new jira item and assign it to the fabric-ca component.

yecineoueslati (Mon, 12 Jun 2017 13:28:41 GMT):
Has joined the channel.

l1nux (Mon, 12 Jun 2017 14:23:34 GMT):
If I run everything locally (client, ca, peer.. etc all on my laptop), where are all the registered/enrolled users' certs and keys stored? I want to use openssl to get the cert's aki to revoke a user.

l1nux (Mon, 12 Jun 2017 16:03:29 GMT):
I tried to revoke a user by revoking the user cert serial and aki. I used 'openssl' to get the cert serial # and its aki but the revoke returns an error : *Failed to retrieve certificate for the provided serial number and AKI: sql: no rows in result set*. Could I have given the wrong serial or ski? Let me show you what openssl returns, can you pls verify the cert serial and aki: Certificate: Data: Version: 3 (0x2) Serial Number: 3c:a9:01:07:3b:eb:0f:c7:37:c9:fd:9b:6a:55:dc:77:47:c9:5c:c9 Signature Algorithm: ecdsa-with-SHA256 Issuer: C=US, ST=California, L=San Francisco, O=Internet Widgets, Inc., OU=WWW, CN=example.com Validity Not Before: Jun 12 15:00:00 2017 GMT Not After : May 11 23:00:00 2018 GMT Subject: CN=admin4@maersk_new.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:8c:69:5b:7a:b3:7f:36:f9:fb:f3:14:e4:8c:74: 22:67:63:8a:83:88:1f:e0:00:fe:48:ef:26:01:9d: 0c:08:78:eb:c3:61:75:65:12:39:c5:4a:6b:2e:e4: 84:56:13:e4:f0:93:1f:e7:fb:f6:cb:cb:eb:66:7c: 5f:fa:2c:5e:11 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Certificate Sign X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 3B:D0:A8:8F:B0:D7:A1:95:74:7D:3F:98:72:0D:0E:1C:B8:7F:D0:82 X509v3 Authority Key Identifier: keyid:17:67:42:3D:AA:9E:82:3F:C4:C5:1D:9F:5B:C3:99:D1:B5:9C:48:10 Signature Algorithm: ecdsa-with-SHA256 30:44:02:20:5a:29:7b:ab:22:90:35:8c:d0:e7:df:64:3c:20: ce:1f:1a:a7:7b:65:7d:94:a4:19:b7:d4:ee:e3:4a:05:49:1b: 02:20:2c:6f:bc:73:0a:4f:05:4d:42:ef:6f:8a:d4:62:41:e0: 77:da:67:20:39:a4:e4:c7:04:da:b1:c6:fe:c4:ed:75 serial=3CA901073BEB0FC737C9FD9B6A55DC7747C95CC9 *Can you verify if the serial number is 3CA901073BEB0FC737C9FD9B6A55DC7747C95CC9 and the aki is : 17:67:42:3D:AA:9E:82:3F:C4:C5:1D:9F:5B:C3:99:D1:B5:9C:48:10 (of course without the colons)?*

reubent 1 (Mon, 12 Jun 2017 16:34:18 GMT):
Has joined the channel.

reubent 1 (Mon, 12 Jun 2017 16:34:43 GMT):
Hello there - I have a quick question which didn't belong in #fabric :D We're doing some work around using certificates generated outside of the provided scripts for the CA and I've noticed the only curve type I can get to work is prime256v1. Is this deliberate? This curve type appears to have some issues, which this ticket in a totally unrelated project sums up quite well: https://github.com/nodejs/node/issues/1495

l1nux (Mon, 12 Jun 2017 19:56:06 GMT):
Is there a bug in revoke user with cert serial and aki? I tried the same CA's SQL to retrieve the cert with my cert serial and aki on the CA db and it does return a record, but the CA claimed 'no rows in result set'. Any idea? This is v1.0 (alpha2 CA image).

jaswanth (Tue, 13 Jun 2017 05:15:14 GMT):
@smithbk I just want to restrict some users from performing CRUD operations on the ledger so they can only view data in the ledger. Can you suggest how I can do that?

hangyuliu (Tue, 13 Jun 2017 07:42:30 GMT):
```
liuhy@liuhy ~/work5/src/github.com/hyperledger/fabric-sdk-go/test/integration $ ./app
2017/06/13 15:40:01 Using config file: ../fixtures/config/config_test.yaml
2017/06/13 15:40:01 http://localhost:7054
2017/06/13 15:40:01 fabric_sdk_go Logging level: debug
15:40:01.679 [SW_BCCSP] DEBU : KeyStore path [/tmp/keystore] missing [true]: []
15:40:01.679 [SW_BCCSP] DEBU : Creating KeyStore at [/tmp/keystore]...
15:40:01.679 [SW_BCCSP] DEBU : KeyStore created at [/tmp/keystore].
15:40:01.679 [SW_BCCSP] DEBU : KeyStore opened at [/tmp/keystore]...done
15:40:01.679 [BCCSP_FACTORY] DEBU : Initialize BCCSP [SW]
15:40:01.679 [fabric_sdk_go] INFO : KeyStore path [/tmp/enroll_user] missing [true]: [%!s()]
15:40:01.691 [fabric_sdk_go] INFO : Constructed fabricCAClient instance: &{0xc420224000}
2017/06/13 15:40:01 [INFO] received CSR
2017/06/13 15:40:01 [INFO] generating key: ecdsa-256
2017/06/13 15:40:01 [INFO] encoded CSR
--- FAIL: TestChainCodeInvoke (0.06s)
	end_to_end_test.go:41: Create client failed: Enroll return error: Enroll failed: POST failure [Post http://localhost:7054/enroll: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"]; not sending
POST http://localhost:7054/enroll
Authorization: Basic YWRtaW46YWRtaW5wdw==
{"hosts":null,"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIHuMIGVAgEAMBAxDjAMBgNVBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0D\nAQcDQgAE1oa24tSXMR5JGhuN0G159NuDumg7wBfMcttAzSt/z4Ia/gxLxtzxqwpA\nTLBpRtE/NTZPRS8cYUrDKT5ShpabaqAjMCEGCSqGSIb3DQEJDjEUMBIwEAYDVR0R\nBAkwB4IFbGl1aHkwCgYIKoZIzj0EAwIDSAAwRQIgHRPvbsPc7YvDOPhbb33phMFW\nuWfVFijuUKI5hOKvxAUCIQCUW611XbHTN3Pe6nE9hj3XsqTxnhGJD7vUSrAZ8hQY\nCg==\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":""}
FAIL
```
I'm using the Go SDK and get these errors. Anyone know?

luckydogchina (Tue, 13 Jun 2017 10:05:15 GMT):
Can we set the authority to query when we commit a transaction? For example, A makes a transaction t and sets the authority so that B can query t and others cannot. @here

chenxuan (Tue, 13 Jun 2017 12:13:31 GMT):
java.lang.Exception: POST request to http://localhost:7054/api/v1/enroll with request body: {"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIHKMHICAQAwEDEOMAwGA1UEAxMFYWRtaW4wWTATBgcqhkjOPQIBBggqhkjOPQMB\nBwNCAASJ5b2FtsMj8mNmxJFEPX+4uaXHpYJp2Bz9PFMYJ2MleG4yjcA0mnMfrUiP\nQ8UBW3eNOQNzMcGuOezo4LDdBS04oAAwCgYIKoZIzj0EAwIDSAAwRQIhAM3GUS5l\nWYga/3/8Ijcd/FlwRFaXRWmPUa4brAOLF+8GAiAxC86A2NJdY6VZeq/DMV0AcpyJ\n3vpAoQBu6awFOBml8A==\n-----END CERTIFICATE REQUEST-----\n"}, failed with status code: 404. Response: 404 page not found

ecn (Tue, 13 Jun 2017 12:15:18 GMT):
Hello, I have my fabric-ca server started, with some users; let's suppose I created a peer identity. How do I tell my peer to use the fabric CA?

lyriarte (Tue, 13 Jun 2017 13:06:25 GMT):
Has joined the channel.

divyank (Tue, 13 Jun 2017 16:03:31 GMT):
Does fabric-ca-client provide a way to override server host for TLS validation?

pvrbharg (Tue, 13 Jun 2017 16:32:48 GMT):
@smithbk @aambati @skarim We now need to know how to run crypto-gen tool to use a customer provisioned root, intermediate (chained) and customer server provisioned certificates - so that we can setup a QA node instance that uses cryptographic material (x509 certs) for our various network entities and the certs are parked in the folder titled ``crypto-config``. We just want to use the same tool to generate crypto artifacts in the same manner - however we want to pass in the root and intermediate pem/key artifacts to the tool (parameterized). Thanks.

smithbk (Tue, 13 Jun 2017 16:39:46 GMT):
@pvrbharg Last I checked, cryptogen only supports self-signed certs, and only generates certificates but does not allow you to plug in your own.

smithbk (Tue, 13 Jun 2017 16:40:32 GMT):
@smithbk You can ask on the fabric-crypto channel, or @mastersingh24 would know off the top of his head.

smithbk (Tue, 13 Jun 2017 16:41:56 GMT):
@pvrbharg It sounds like you just need to lay out the certificates that you already have in the correct format that MSP expects and not use cryptogen for that.

pvrbharg (Tue, 13 Jun 2017 17:24:42 GMT):
@smithbk The crypto-config folder has tons of depth with sub-folders, multiple times, and has pem and key material. I think doing this manually would be error prone and non-trivial, especially if orgs, peers or network components are customized and multiple. Do you agree? In theory doable but not fun, and we may end up debugging and answering more due to manual errors or lack of skills (even self). Please share your wisdom.

smithbk (Tue, 13 Jun 2017 17:28:04 GMT):
@pvrbharg Can't disagree. So let's take 2 steps back please. Are you planning on using the fabric-ca?

praveennagpal (Tue, 13 Jun 2017 17:49:27 GMT):
@smithbk - Is there any benefit in using fabric-ca over crypto-config as ultimately peers and orderers expect MSP folder structure in their configuration?

smithbk (Tue, 13 Jun 2017 17:51:26 GMT):
The fabric-ca-client enroll command stores the ecert and ca-cert into the MSP folder structure.

praveennagpal (Tue, 13 Jun 2017 17:53:51 GMT):
I saw there is a -M cli option with fabric client. But I was using the fabric-node sdk and could not find any option of storing the certs in folder structure.

praveennagpal (Tue, 13 Jun 2017 17:54:21 GMT):
it actually stores it in the key store

pvrbharg (Tue, 13 Jun 2017 18:05:53 GMT):
@smithbk Yes we want to use fabric-ca (customized). Here is how: we want to use a well-known root CA and intermediate CA on customer provisioned QA server node(s), a MySQL database, and multiple root CAs after setting up with one initial root CA that is well known. We would need to bring in customer LDAP at some point (replacing MySQL). We then want to spin up an e2e network using this setup on one QA instance node, using the supplied Docker compose, and run the example 2 script. Once this proof point is established (I called this milestone IVT on one node: Installation Verification Testing, using the e2e example), we would then expand this setup to a 2 node (physical) platform with a partner node joining the BC network. This would prove a second level proof point (onboarding a partner node in the network using a custom setup fabric-ca). We plan to finally onboard customer web and mobile applications which would use a BC application deployed to the setup (instead of example 2). We also want to automate provisioning of the BC network once we have figured out the process. Hope this helps.

smithbk (Tue, 13 Jun 2017 22:52:19 GMT):
Anyone interested in a security overview of the fabric CA server, please see https://docs.google.com/document/d/1x7bbSkLt3VLexNMECJXbOYJ3xX8Ck9Q6O6W1dmnVaRQ

smithbk (Tue, 13 Jun 2017 22:52:23 GMT):
Comments welcome

smithbk (Tue, 13 Jun 2017 22:57:56 GMT):
@pvrbharg Sorry for the delay in responding. Had to focus on that doc for a bit. So when you say you want to use a well-known root CA and intermediate CA, do you mean that you will be starting a fabric-ca-server with a CA certificate that is issued by a well-known CA or intermediate CA? This may be easier to discuss by phone and we can then paste the conclusion back to rocket chat for others to see.

pvrbharg (Tue, 13 Jun 2017 23:38:08 GMT):
@smithbk Dear Keith - yes, and I am good to connect with you on the phone. Let me explain what we need to do on the phone so we may progress more quickly. Thanks

LeoKotschenreuther (Wed, 14 Jun 2017 11:26:31 GMT):
Has joined the channel.

LeoKotschenreuther (Wed, 14 Jun 2017 11:53:51 GMT):
I'm having some trouble using the fabric-ca-client when TLS is enabled for the fabric-ca-server. I followed the e2e example here and used the docker-compose-e2e.yaml file to figure out how to set up my CA: https://github.com/hyperledger/fabric/tree/master/examples/e2e_cli Now my fabric-ca-server seems to start fine, however my fabric-ca-client doesn't work properly. When I try to enroll a user I get the following error:
```
root@0cfa1529ad7e:/etc/hyperledger/fabric-ca-server# fabric-ca-client enroll -u http://admin:adminpw@0.0.0.0:7054
2017/06/14 11:52:26 [INFO] User provided config file: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2017/06/14 11:52:26 [INFO] Created a default configuration file at /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2017/06/14 11:52:26 [INFO] generating key: &{A:ecdsa S:256}
2017/06/14 11:52:26 [INFO] encoded CSR
Error: POST failure [Post http://0.0.0.0:7054/enroll: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"]; not sending
POST http://0.0.0.0:7054/enroll
Authorization: Basic eEtmUER3aWZHZDplSGo2Qk40Ynph
{"hosts":["0cfa1529ad7e"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBRjCB7gIBADBiMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxEzARBgNV\nBAMTCnhLZlBEd2lmR2QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT/LhytqXXZ\nG9QicmRobUz9LhSTK0qC8nMIfEyzBNyBm8yh04SCXL3NKMxp/9NH2EcsN1EFeWgz\n902mK7Qy7HNWoCowKAYJKoZIhvcNAQkOMRswGTAXBgNVHREEEDAOggwwY2ZhMTUy\nOWFkN2UwCgYIKoZIzj0EAwIDRwAwRAIgHpDH1CMY8LT26b2aLL+nbvrtfox8q+3t\nvK1uk46Ug2YCICP9iZUsPLMWo6yGQcIw0JZbieD9BySdIf+CwahzRVUQ\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","CAName":""}
```
The CA Server gives the following output:
```
2017/06/14 11:52:26 http: TLS handshake error from 127.0.0.1:56566: tls: oversized record received with length 21536
```
I have a strong feeling that the TLS for my ca-client isn't set up properly. How do I fix that?

dhwang (Wed, 14 Jun 2017 13:20:24 GMT):
Once the admin user is created when starting fabric-ca for the first time, is there a way to change its password? (other than going into the database and modify the row directly)

dhwang (Wed, 14 Jun 2017 13:22:05 GMT):
@LeoKotschenreuther Try changing the url to HTTPS. ie. "https://admin:adminpw@0.0.0.0:7054"

LeoKotschenreuther (Wed, 14 Jun 2017 13:29:46 GMT):
@dhwang thanks, that improved it somewhat.

LeoKotschenreuther (Wed, 14 Jun 2017 13:33:08 GMT):
Now I get the following output:
```
root@2e94c28348a5:/etc/hyperledger/fabric-ca-server# fabric-ca-client enroll -u https://$ADMIN_USER:$ADMIN_SECRET@0.0.0.0:7054
2017/06/14 13:31:30 [INFO] User provided config file: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2017/06/14 13:31:30 [INFO] generating key: &{A:ecdsa S:256}
2017/06/14 13:31:30 [INFO] encoded CSR
2017/06/14 13:31:30 [INFO] TLS Enabled
Error: Failed to get client TLS config: No TLS certificate files were provided
```
This makes sense somewhat, since I didn't provide any certificates to the client. I generated all my certificates with the Hyperledger Cryptoconfig tool. Where would I find the correct certificates for the client?

LeoKotschenreuther (Wed, 14 Jun 2017 13:35:11 GMT):
I assume that I would provide the certificate(s) with "--tls.certfiles", right?

dhwang (Wed, 14 Jun 2017 14:05:33 GMT):
@LeoKotschenreuther You need to specify both the client certs in the fabric-ca-client-config.yaml file and use --tls.certfiles to specify the fabric-ca server cert so that the client trusts it. eg. in fabric-ca-client-config.yaml:
```
# Enable TLS
tls:
  enabled: true
  certfile: /var/hyperledger/fabric-ca/tls/server.crt
  keyfile: /var/hyperledger/fabric-ca/tls/server.key
```
Sorry, I am not sure where to look for the TLS cert with the cryptoconfig tool. I use openssl to generate the TLS certs.

s.narayanan (Wed, 14 Jun 2017 15:06:13 GMT):
I am trying to use Fabric CA with PostgreSQL on alpha 1. Our connection string is as per the documentation: `datasource: host=localhost port=5432 user=Username password=Password dbname=fabric-ca-server sslmode=disable`. However, the Fabric CA server start fails with an error that indicates that Fabric CA is unable to connect to the database. The error message also suggests that the username is being used as the database name. The error message is "Failed to connect to Postgres database, database "Username" does not exist". Appreciate any assistance on the issue, as well as any insight on why the error message suggests that the username is being used as the dbname to connect to the database.

l1nux (Wed, 14 Jun 2017 21:12:30 GMT):
@smithbk where does one create fabric ca bug report?

smithbk (Wed, 14 Jun 2017 22:02:31 GMT):
@l1nux On Jira at https://jira.hyperledger.org. You will need a Linux Foundation ID, which you can get at https://identity.linuxfoundation.org/. When opening, be sure to add "fabric-ca" as a "Component".

smithbk (Wed, 14 Jun 2017 22:03:16 GMT):
@s.narayanan I think @skarim was helping with this. Any progress?

smithbk (Wed, 14 Jun 2017 22:06:39 GMT):
@LeoKotschenreuther Yes, using --tls.certfiles is correct. Did you get it working?

mraikwar (Thu, 15 Jun 2017 02:43:20 GMT):
Has joined the channel.

nhrishi (Thu, 15 Jun 2017 06:06:07 GMT):
Hi, I'm using the latest beta version of fabric and fabric-sdk-node. User registration and enrollment is working fine but when I try to invoke a chaincode, I get the error below: `error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: Failed to deserialize creator identity, err The supplied identity is not valid, Verify() returned x509: certificate has expired or is not yet valid"`. Can someone pls advise. Thanks.

akdj (Thu, 15 Jun 2017 08:23:13 GMT):
Has joined the channel.

smithbk (Thu, 15 Jun 2017 11:04:15 GMT):
@nhrishi Try the fabric-crypto channel for this one

AnilOner (Thu, 15 Jun 2017 12:02:09 GMT):
Has joined the channel.

laxpio (Thu, 15 Jun 2017 12:39:35 GMT):
Has joined the channel.

dhwang (Thu, 15 Jun 2017 13:36:23 GMT):
@nhrishi You may be having this issue: https://jira.hyperledger.org/browse/FAB-4617

simsc (Thu, 15 Jun 2017 13:48:41 GMT):
Has joined the channel.

mastersingh24 (Thu, 15 Jun 2017 14:00:33 GMT):
moving this to #fabric-crypto @nhrishi

caoyu (Fri, 16 Jun 2017 03:24:46 GMT):
Has joined the channel.

gauravgiri (Fri, 16 Jun 2017 05:05:24 GMT):
Has joined the channel.

nhrishi (Fri, 16 Jun 2017 06:50:03 GMT):
thanks @mastersingh24 @dhwang @smithbk

outis (Fri, 16 Jun 2017 08:33:16 GMT):
Has joined the channel.

hangyuliu (Fri, 16 Jun 2017 09:55:14 GMT):
Error: POST failure [Post http://0.0.0.0:7054/enroll: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"]; not sending use https://..............

hangyuliu (Fri, 16 Jun 2017 09:56:26 GMT):
Using HTTPS can solve this problem

jtclark (Fri, 16 Jun 2017 14:57:53 GMT):
Has joined the channel.

jtclark (Fri, 16 Jun 2017 15:14:42 GMT):
hi all. I'm currently prepping the patch in fabric-ca for https://jira.hyperledger.org/browse/FAB-1446. As I'm not familiar with the fabric-ca codebase, can someone here help me to identify all of the packages within the codebase using SQL?

smithbk (Fri, 16 Jun 2017 15:43:43 GMT):
@jtclark Two packages: lib and lib/dbutil

jtclark (Fri, 16 Jun 2017 15:44:04 GMT):
@smithbk thx

snowy13 (Sat, 17 Jun 2017 05:26:39 GMT):
Has joined the channel.

VickyWang (Mon, 19 Jun 2017 05:29:46 GMT):
Has joined the channel.

sfukazu (Mon, 19 Jun 2017 06:33:00 GMT):
Has joined the channel.

alexliu (Mon, 19 Jun 2017 07:30:14 GMT):
Has joined the channel.

jsong1230 (Mon, 19 Jun 2017 09:05:07 GMT):
expiration

akdj (Mon, 19 Jun 2017 10:10:02 GMT):
Hello, can I use the fabric-ca image directly, or do I need to create some config.yaml inside its container before using it? I read in the document that by setting env variables when running the fabric-ca container, it will automatically create some config.yaml files.

akdj (Mon, 19 Jun 2017 10:11:39 GMT):
but if I run hyperledger fabric on multimachine with swarm and keep the default example.com certificates, may I edit and modify the config yaml files?

bmatsuo (Mon, 19 Jun 2017 16:52:55 GMT):
Is there a process for rotating the root CA certificate? I haven't found any docs regarding it. I found Jira ticket FAB-3734. But it wasn't clear that rotation of the CA cert was within the scope of that ticket.

bmatsuo (Mon, 19 Jun 2017 16:55:44 GMT):
I tried to do the same for fabric v0.6 when the generated certificate expired and it proved to be.. difficult

smithbk (Mon, 19 Jun 2017 18:46:00 GMT):
@akdj You just need to set env variables or use command line options on the "fabric-ca-server start" command to override default values. It will automatically create the fabric-ca-server-config.yaml for you with the default values plus any overrides specified. Or if you prefer, you can manually edit the config file of course. If you have a more specific question about what you want to set, I will be glad to answer more specifically.

smithbk (Mon, 19 Jun 2017 19:20:54 GMT):
@bmatsuo There is no doc for that yet but the process will be similar to the following. I hope to make this more automated post v1. (1) Use "fabric-ca-server init" to generate a new root CA cert, doing it in another directory so as not to overwrite the existing one. (2) Push the new root CA cert to fabric so that fabric trusts the new and the old equally for some period of time. (3) Restart the root CA with the new root CA cert. (4) Enroll intermediate CAs with the new root CA. (5) Enroll orderers, peers, and clients as needed with the intermediate CA. (6) Update fabric to forget the old root CA.

bmatsuo (Mon, 19 Jun 2017 19:26:13 GMT):
@smithbk Thanks for the info. Glad the workflow exists even if not automated.

j3ffyang (Tue, 20 Jun 2017 02:28:49 GMT):
Has joined the channel.

dongqi (Tue, 20 Jun 2017 08:33:43 GMT):
Has joined the channel.

akdj (Tue, 20 Jun 2017 10:03:05 GMT):
@smithbk thank you :)

tomveugelers (Tue, 20 Jun 2017 15:15:29 GMT):
Has joined the channel.

LeoKotschenreuther (Tue, 20 Jun 2017 21:39:08 GMT):
@smithbk Yes, it is working now, at least as long as I use the fully qualified domain name the certificates were created for. If I use the IP address of the CA, I get the following output:
```
root@aa0476e5be87:/etc/hyperledger/fabric-ca-server# fabric-ca-client enroll -u https://$ADMIN_USER:$ADMIN_SECRET@0.0.0.0:7054
2017/06/20 21:38:54 [INFO] User provided config file: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2017/06/20 21:38:54 [INFO] generating key: &{A:ecdsa S:256}
2017/06/20 21:38:54 [INFO] encoded CSR
2017/06/20 21:38:54 [INFO] TLS Enabled
Error: POST failure [Post https://0.0.0.0:7054/enroll: x509: cannot validate certificate for 0.0.0.0 because it doesn't contain any IP SANs]; not sending
POST https://0.0.0.0:7054/enroll
Authorization: Basic WnBmWURweWJYTDoyZm1kOTd6OGxW
{"hosts":["9bd2ca3df64b"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBRzCB7gIBADBiMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxEzARBgNV\nBAMTClpwZllEcHliWEwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ5nFHSlzwf\nRwM6yLnxHaogBGgDpmMyNedeogiCuSnY5v0VmVpsMRqTU64+oidZ6dz1mGgzlixr\nh1GvcOVjQKqooCowKAYJKoZIhvcNAQkOMRswGTAXBgNVHREEEDAOggw5YmQyY2Ez\nZGY2NGIwCgYIKoZIzj0EAwIDSAAwRQIhAIyyZPySPlYsZER69rJKT9o2EVmifPNu\nmyQ8+rd8wO5DAiAW4vAL5KEPUbPAlnKzwL3/MYA5uIgAmMZ3BGiJ5gYdIg==\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","CAName":""}
```
Is there any way to make it also work with just the IP address (pretty much to skip the verification whether the certificate is for the destination)?

smithbk (Tue, 20 Jun 2017 22:06:49 GMT):
@LeoKotschenreuther You should be able to add multiple entries with the "--csr.hosts" option. `--csr.hosts stringSlice   A list of comma-separated host names in a certificate signing request`

smithbk (Tue, 20 Jun 2017 22:07:38 GMT):
It says "host names" but ip addresses should also work

LeoKotschenreuther (Tue, 20 Jun 2017 22:19:29 GMT):
@smithbk Thanks a lot! Yes, IP addresses do also work.

LeoKotschenreuther (Tue, 20 Jun 2017 23:32:51 GMT):
@smithbk I have to take back what I said. Adding `--csr.hosts 0.0.0.0` doesn't change the behavior at all for my local setup.

tinywell (Wed, 21 Jun 2017 01:43:13 GMT):
Has joined the channel.

yyyyyyy9 (Wed, 21 Jun 2017 02:07:54 GMT):
Has joined the channel.

arner (Wed, 21 Jun 2017 07:56:07 GMT):
Hi, I'm trying to work with certificates generated by the `configtxgen`. Creating and joining channels works fine, but when I try to instantiate a chaincode on a channel, the chaincode exits with the following message:
```
2017-06-20 14:46:58.440 UTC [bccsp] initBCCSP -> DEBU 001 Initialize BCCSP [SW]
2017-06-20 14:46:58.462 UTC [shim] userChaincodeStreamGetter -> ERRO 002 Error trying to connect to local peer: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.myorg.example.com")
Error starting Simple chaincode: Error trying to connect to local peer: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.myorg.example.com")
```
The peer is using the tls certificates from the `tls` directory. Should I check the ca, orderer or peer config? Thanks..

smithbk (Wed, 21 Jun 2017 11:48:11 GMT):
@arner This would be a problem in the peer config I assume. Murali @muralisr would be the best to answer more specifically.

smithbk (Wed, 21 Jun 2017 11:56:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ksaK6FuYKkN5gEgcX) @LeoKotschenreuther 0.0.0.0 is only a meaningful wildcard address for the listening side of a connection and would not match localhost or 127.0.0.1. Try "--csr.hosts localhost,127.0.0.1,`hostname`" which should put 3 hosts/addresses in the certificate.

praveennagpal (Wed, 21 Jun 2017 12:15:23 GMT):
@smithbk I have set up my own organisation in a lab environment. Currently I have used cryptoconfig to generate certificates and it's all working OK on the network. If I have to do dynamic user enrollment, I am intending to use fabric-ca for it. However, I am unable to enrol as the affiliations for my organisation don't exist inside the fabric-ca image by default. What is the best way to add affiliations? Is there a way available using the fabric node CA client?

praveennagpal (Wed, 21 Jun 2017 12:16:09 GMT):
I have created and started a CA service per organisation.

smithbk (Wed, 21 Jun 2017 12:37:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=96tGXGH3pw7aqvb9d) @praveennagpal I just pushed the following changeset yesterday: https://gerrit.hyperledger.org/r/#/c/10871/. It contains a fabric-ca-cryptogen.sh script which uses fabric-ca (server and client) instead of using cryptogen for the e2e_cli example. Hopefully this helps. Regarding affiliations, there is currently no way to set via args or env variables, so you'll need to provide your own config file and pass in a volume ... i.e. the docker run -v option.

arner (Wed, 21 Jun 2017 13:30:21 GMT):
Thanks @smithbk. @muralisr, could it have something to do with the CORE_PEER_TLS_ROOTCERT_FILE that gets copied to the chaincode container? I noticed that it's not the same as the ones in the tls directory of the peer but I'm not sure where it should be coming from.

LeoKotschenreuther (Wed, 21 Jun 2017 15:46:57 GMT):
@smithbk The enroll command still gives me the same output. This is what I execute:
```
root@ac54e703bb83:/etc/hyperledger/fabric-ca-server# fabric-ca-client enroll -u https://admin:adminpw@0.0.0.0:7054 --csr.hosts localhost,127.0.0.1,ca.org1.example.com
```
I still get the error message that says `Error: POST failure [Post https://0.0.0.0:7054/enroll: x509: cannot validate certificate for 0.0.0.0 because it doesn't contain any IP SANs]; not sending`.

smithbk (Wed, 21 Jun 2017 16:58:36 GMT):
@LeoKotschenreuther Where exactly do you see that error message?

LeoKotschenreuther (Wed, 21 Jun 2017 16:59:45 GMT):
@smithbk It's part of the output I get when calling the fabric-ca-client enroll command:
```
root@ac54e703bb83:/etc/hyperledger/fabric-ca-server# fabric-ca-client enroll -u https://admin:adminpw@0.0.0.0:7054 --csr.hosts localhost,127.0.0.1,ca.org1.example.com
2017/06/21 15:47:26 [INFO] User provided config file: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2017/06/21 15:47:26 [INFO] generating key: &{A:ecdsa S:256}
2017/06/21 15:47:26 [INFO] encoded CSR
2017/06/21 15:47:26 [INFO] TLS Enabled
Error: POST failure [Post https://0.0.0.0:7054/enroll: x509: cannot validate certificate for 0.0.0.0 because it doesn't contain any IP SANs]; not sending
POST https://0.0.0.0:7054/enroll
Authorization: Basic WnBmWURweWJYTDoyZm1kOTd6OGxW
{"hosts":["localhost","127.0.0.1","ca.org1.sap.com"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBXDCCAQICAQAwYjELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9s\naW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRMwEQYD\nVQQDEwpacGZZRHB5YlhMMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDNRHCXun\n0gTVczHDmVdXRn5Y+I/8V7zsmd9vCSBiHzlmi3fy1AU+oFX2MRmg54LfnTqrWFts\ns5R3UvMJ9Mo9QKA+MDwGCSqGSIb3DQEJDjEvMC0wKwYDVR0RBCQwIoIJbG9jYWxo\nb3N0gg9jYS5vcmcxLnNhcC5jb22HBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIhAIKm\nWaX+v8o5UIRtxYC+L3WXCHx7++zJa1a6NTUenAwUAiA3Q0Mosn+t/3DQOhXKm2JH\n7aQ0MozX+oSb5gqt0pF6Jw==\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","CAName":""}
```

smithbk (Wed, 21 Jun 2017 17:01:14 GMT):
oh ... so adding --csr.hosts to the enroll command isn't going to help because this is happening when the client tries to open the TLS connection to the server. This means that the TLS server that the server was started with is wrong.

smithbk (Wed, 21 Jun 2017 17:01:14 GMT):
oh ... so adding --csr.hosts to the enroll command isn't going to help because this is happening when the client tries to open the TLS connection to the server. This means that the TLS certificate that the server was started with is wrong.

smithbk (Wed, 21 Jun 2017 17:02:13 GMT):
How did you generate the server's TLS cert?

LeoKotschenreuther (Wed, 21 Jun 2017 17:09:56 GMT):
I generated them with the cryptogen tool from the Hyperledger Fabric Repo.

smithbk (Wed, 21 Jun 2017 17:13:16 GMT):
The URL should be https://admin:adminpw@localhost:7054, not 0.0.0.0

LeoKotschenreuther (Wed, 21 Jun 2017 17:13:17 GMT):
The enroll command works just fine if I use the fully qualified domain name instead of the IP (so ca.org1.example.com instead of 0.0.0.0) in the enroll url

smithbk (Wed, 21 Jun 2017 17:13:39 GMT):
0.0.0.0 is not a valid IP addr

smithbk (Wed, 21 Jun 2017 17:14:38 GMT):
The only time that can be used is on the server, when you want to say "I want to listen on any of the network interfaces on my machine" ... it is a wildcard for the listening IP addr and can't be used on the client side.

LeoKotschenreuther (Wed, 21 Jun 2017 17:15:49 GMT):
If I use 127.0.0.1 I get the exact same output

LeoKotschenreuther (Wed, 21 Jun 2017 17:16:08 GMT):
If I use localhost, I get `Error: POST failure [Post https://127.0.0.1:7054/enroll: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs]; not sending`

LeoKotschenreuther (Wed, 21 Jun 2017 17:16:08 GMT):
If I use localhost, I get `Error: POST failure [Post https://localhost:7054/enroll: x509: certificate is valid for ca.org1.example.com, not localhost]; not sending`

smithbk (Wed, 21 Jun 2017 17:16:43 GMT):
pls print your server's TLS cert using openssl

smithbk (Wed, 21 Jun 2017 17:17:07 GMT):
openssl x509 -in $1 -text -noout

smithbk (Wed, 21 Jun 2017 17:17:13 GMT):
where $1 is the file name

LeoKotschenreuther (Wed, 21 Jun 2017 17:19:27 GMT):
Here we go:
```
root@c0f1215514ee:/etc/hyperledger/fabric-ca-server# openssl x509 -in ../fabric-ca-server-config/ca.org1.example.com-cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b2:2c:45:49:f7:be:50:98:7b:dc:7c:99:1a:c5:48:39
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1.example.com
        Validity
            Not Before: Jun 20 21:03:07 2017 GMT
            Not After : Jun 18 21:03:07 2027 GMT
        Subject: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:99:73:04:28:4e:9a:5c:a0:74:53:43:f8:59:92:
                    d0:51:25:f1:85:fa:91:0b:af:bf:9b:53:0e:51:59:
                    bf:99:9d:9f:18:17:64:3b:d0:52:9d:99:83:a4:0c:
                    bd:8b:14:55:b3:02:76:fb:d9:17:58:56:a5:87:4c:
                    d2:7e:a2:67:4d
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                Any Extended Key Usage, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                F1:C2:EA:5C:74:DF:8E:76:63:59:DF:6B:8B:83:2C:5B:A8:71:29:2B:C2:0A:C6:D7:46:F0:F8:C7:61:98:2E:C8
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:fb:68:c6:10:8e:9d:8b:f8:41:bc:bb:e7:4a:
         11:13:b5:45:0e:47:4a:55:13:2d:b2:1d:58:f6:66:a6:5b:ad:
         f3:02:20:34:be:08:a0:f1:a5:8d:ea:15:f3:08:60:5a:e6:34:
         0a:bb:d9:65:74:5e:cd:fc:af:9b:28:29:6e:53:9a:3d:17
```

smithbk (Wed, 21 Jun 2017 17:20:52 GMT):
The CN value is the hostname

smithbk (Wed, 21 Jun 2017 17:21:36 GMT):
In order to allow multiple hostnames or IP addrs to be used, an additional X509v3 extension must be added

smithbk (Wed, 21 Jun 2017 17:21:48 GMT):
hold on a sec and I'll print one

smithbk (Wed, 21 Jun 2017 17:24:00 GMT):
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            36:83:ee:e4:02:a9:e7:2b:0c:6f:70:28:cf:07:69:08:7b:88:44:ff
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=admin
        Validity
            Not Before: Jun 21 17:18:00 2017 GMT
            Not After : Jun 21 17:18:00 2018 GMT
        Subject: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=admin
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    04:d5:13:34:15:6d:c9:05:4c:c3:05:04:d7:6c:23:
                    c5:1d:e7:0b:69:f5:6e:a3:88:b4:81:1e:ab:ce:62:
                    95:d8:07:48:5d:db:4d:93:e6:a4:c7:38:d6:a3:85:
                    a7:44:2a:df:52:0e:dc:84:19:c5:68:78:82:a4:d5:
                    a0:54:0c:d6:4b
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                5A:37:2D:62:CD:89:97:60:81:C4:11:19:D9:17:2C:3A:90:FD:1F:4D
            X509v3 Subject Alternative Name:
                DNS:intermediate
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:d3:9a:fb:6b:9e:7c:a1:01:15:7e:c3:a6:9f:
         0c:aa:a1:43:33:f7:2e:af:de:da:ec:07:00:ab:2c:5b:b5:d1:
         dd:02:20:6d:2d:e3:e3:68:20:b1:3e:57:be:79:1a:f0:2b:66:
         73:7d:fc:24:5a:05:c9:d9:91:fc:f6:bc:1d:31:9c:00:3b
```

smithbk (Wed, 21 Jun 2017 17:26:14 GMT):
Note the "Subject Alternative Name" extension. It can have multiple names, being DNS and/or IP address.

smithbk (Wed, 21 Jun 2017 17:31:02 GMT):
So you can either use openssl to generate one with the SAN entries that you want, or you can use fabric-ca-enroll to do it for you

smithbk (Wed, 21 Jun 2017 17:31:13 GMT):
See https://gerrit.hyperledger.org/r/#/c/10871/

smithbk (Wed, 21 Jun 2017 17:31:47 GMT):
There is a fabric-ca-cryptogen.sh script which uses fabric CA to do what cryptogen does for the e2e_cli example

smithbk (Wed, 21 Jun 2017 17:32:02 GMT):
In that script, see the tlsEnroll function

smithbk (Wed, 21 Jun 2017 17:48:54 GMT):
Just to be clear, if you want to use fabric-ca-client enroll to generate a TLS cert for the fabric-ca-server, you must first start it with TLS disabled, do the enroll on the same machine like the tlsEnroll function in fabric-ca-cryptogen.sh does, and then you can restart the fabric-ca-server with TLS enabled

LeoKotschenreuther (Wed, 21 Jun 2017 18:05:01 GMT):
Thanks a lot for the help. I will check out both openssl and fabric-ca-client enroll and see what suits me best.

s.narayanan (Wed, 21 Jun 2017 19:10:27 GMT):
If we use LDAP for authentication, I have a few questions:
1. Is the bootstrap user the user used in the configuration of LDAP within the fabric-ca configuration file?
2. If the answer to the above question is yes, do we need to set up the user with appropriate attributes in LDAP (for instance, the bootstrap user is set up with hf.Registrar.Roles: "client, user, peer …")?
3. The bootstrap user must be enrolled through fabric-ca to be able to then enroll other users.
4. Now when it comes to a new identity, we use the bootstrap user's identity to register a new user. This would return a one-time password.
5. Enroll the new user with the enrollment ID and secret (i.e. the password from #4).
Do we need to do #4? Can we not just do #5, since the user must have credentials set up in LDAP?

rcyrus (Wed, 21 Jun 2017 19:13:02 GMT):
Has joined the channel.

dinesh.rivankar (Thu, 22 Jun 2017 05:38:37 GMT):
Has joined the channel.

PushpalathaHiremath (Thu, 22 Jun 2017 07:48:57 GMT):

Message Attachments

arner (Thu, 22 Jun 2017 09:21:56 GMT):
Does anyone have a suggestion for resources to learn about all this crypto stuff?

smithbk (Thu, 22 Jun 2017 12:31:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ToWzRhNeYDh5kYGW3) @s.narayanan If LDAP is enabled, this disables registration completely and means that the "registry" section of the config is ignored because LDAP is used as the registry. Registration is disabled because it is expected that you register users using the LDAP APIs rather than "fabric-ca-client register"; in other words, registration goes directly to LDAP rather than through the fabric-ca-server. There is really no need for a "bootstrap user" when LDAP is enabled. You just need to make sure that the correct identities have the "hf.Revoker" and "hf.IntermediateCA" attributes in LDAP to authorize them as needed for these non-registration operations. The "hf.Registrar.*" attributes don't apply because registration is disabled. A couple of other notes ... 1) the fabric-ca-server only needs read access to LDAP, not write access 2) max_enrollments are not enforced when LDAP is enabled.

smithbk (Thu, 22 Jun 2017 12:39:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QvBWS8CPMJktW5f5g) @PushpalathaHiremath I'm not sure what the client is in this case, but it looks like it is attempting to handshake with SSLv3, but fabric and fabric-ca require version TLS v1.2 or above for security reasons.

vinitesh (Thu, 22 Jun 2017 13:11:15 GMT):
Has joined the channel.

smithbk (Thu, 22 Jun 2017 13:12:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wFeuqP4wpEHsKYMs3) @arner I think it depends on which level you want to understand. I tend to think of the following levels from the bottom up:
1) At the lowest level is the crypto which signs and checks digital signatures. BCCSP (BlockChain Crypto Service Provider) is both an API and a default implementation which does this.
2) Above that is the crypto which uses digital signatures to build an identity layer. This is the MSP (Membership Service Provider) layer, which is also both an API and a default implementation. The default implementation of MSP uses standard X509 certificates to perform membership operations. Good terms to google are "X509 certificates" and "PKIX" (short for "Public Key Infrastructure Exchange").
3.1) Above that would be a policy layer, or you could think of it as the authorization layer. For example, at this layer are the policies which specify who can install chaincode, create channels, etc.
3.2) And then there is Fabric CA, which is the default Certificate Authority to issue and revoke X509 certificates. That is, Fabric CA issues (and revokes) X509 certificates which are used in fabric as mentioned above.

smithbk (Thu, 22 Jun 2017 13:29:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qBjkwQzDprQS9qKuJ) @smithbk @nickgaski Nick, any other pointers to our doc?

nickgaski (Thu, 22 Jun 2017 13:32:13 GMT):
The MSP piece is a useful resource - http://hyperledger-fabric.readthedocs.io/en/latest/msp.html

nickgaski (Thu, 22 Jun 2017 13:32:24 GMT):
as is this synopsis from Gari

nickgaski (Thu, 22 Jun 2017 13:32:43 GMT):
1. MSP (membership service provider) - this is a concept which allows for 2 things:
- ability to use different types of membership providers. The default (and only one currently implemented) is an X509 provider
- it allows for "identities" to be issued by different providers (e.g. if you have multiple companies participating in the blockchain, each company could manage/provide their own certificate authority for issuing certificates)
2. Based on 1), fabric peers / ordering nodes are not required to obtain their X509 material from fabric-ca, but of course we provide fabric-ca for people with their own CAs to use
3. MSPs are used in 2 ways (and I admit this is confusing)
- "LocalMSP" - think of local MSPs as "structures" which hold the cryptographic identity information for clients, peers and ordering nodes. They will contain the root CA which issued the identity as well as the signing certificate key pair for the client, peer, orderer. For example, when a peer starts up, it will populate its localMSP from the file artifacts referenced in core.yaml and will use this information to actually sign endorsements (among other things)
- "VerifyingMSPs" - similar to a "localMSP" except they DO NOT contain a signing identity (i.e. no reference to a private key for a signing keypair). (You'll note that one of the fields of an MSP is actually a revocation list, and in the case of X509 providers this will be an X509 CRL.)
4. When channels are created, you actually specify which organizations are allowed to participate in that channel. Each organization will be associated with an MSP (and it would be a "verifying" MSP). When the genesis / config block for a channel is created, it will contain the list of organizations (each of which has its MSP info)
5. When a peer joins a channel, you give it the genesis / config block for the channel. The peer will parse that information and will have a map of channels, with one of the properties of each channel being the list of MSPs for the channel
6. So let's say we have a channel (call it channelA) which has 3 orgs - Org1, Org2, Org3. Let's say that chaincode gets deployed with a policy that requires signatures from 2 out of the 3 orgs
7. So a client submits an endorsement proposal to peers from at least 2 out of the 3 orgs, gets the proposal responses back, creates a transaction and submits it to the ordering service. A couple of things happened along the way:
- each peer has the list of per-channel MSPs and will actually check to make sure that the client who submitted the proposal is allowed to do so by verifying the signature of the proposal (the client signed it using its local MSP) and making sure that the client's certificate was issued by an MSP that's associated with the channel (there's more detail to how this works, but this should be good enough for now)
- when the client submits the transaction to the orderer, the same basic thing happens - the signature is checked and the orderer node checks to make sure that the certificate is valid / issued by one of the MSPs for the channel
8. Let's say a Peer is connected to channelA and receives a block of transactions. Let's say it got a block which had the transaction submitted in step 7) above. The peer now needs to make sure that the endorsement policy for the transaction has been met (the endorsement policy is associated with the chaincode against which endorsement was requested). From step 6), we said that this requires signatures from 2 out of the 3 orgs, and from step 5) the peer knows which orgs (and MSPs) are part of the channel. So the peer can make sure that there are enough valid signatures which meet the policy
9. OK - so finally - let's say that a peer (we'll call it org1Peer1) from Org1 was compromised. For simplicity, let's say that Org1 is only part of channelA. So we need to be able to tell all peers which have joined channelA that the certificate for org1Peer1 has been revoked. All peers need to receive and process this information at the same time (this is to ensure that the committing logic is deterministic). So we need to update the MSP for Org1 and propagate that information to all peers connected to channelA. Recall that one of the fields for an MSP structure is a revocation list, so what needs to happen is that an update transaction is submitted to the ordering service for channelA which updates Org1's MSP to now have a CRL containing the certificate for org1Peer1

s.narayanan (Thu, 22 Jun 2017 14:02:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kdchaPRbF3qZ3uBpQ) @smithbk Thanks. To summarize then: 1) Since LDAP is the registry, there is no need to register users 2) We need to define a specific identity in LDAP with the hf.Revoker attribute; this identity needs to be enrolled (i.e. must have an Ecert issued) and then can be used for any cert revocation operation 3) For all other users, as long as they exist in LDAP (i.e. one can authenticate through LDAP), the users can self-enroll.

smithbk (Thu, 22 Jun 2017 14:45:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZNqLfuJoJES8ECKZt) @s.narayanan Correct

s.narayanan (Thu, 22 Jun 2017 14:45:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=W5b88LFpKZtqQG7g9) @smithbk Thanks

vinitesh (Thu, 22 Jun 2017 16:23:24 GMT):
@here Hello, any idea how the CA server will add user attributes (like roles) to the enrollment certificate? These attributes will be required in chaincode to perform role-based authorization checks for the invoking user.

smithbk (Thu, 22 Jun 2017 18:05:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Z9YPmt57rAh7Q8oie) @vinitesh It doesn't add attributes to ecerts currently and will not in v1. It would have been done as part of https://jira.hyperledger.org/browse/FAB-3752 but was held until post-v1

jmcnevin (Thu, 22 Jun 2017 18:40:47 GMT):
Has joined the channel.

jmcnevin (Thu, 22 Jun 2017 19:26:21 GMT):
So, say I revoke an identity with fabric-ca-client. Does anyone have a list of example commands that would be necessary to actually update the CRL on peers and orderers?

smithbk (Thu, 22 Jun 2017 19:40:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PfsCkvktNwK9ies39) @jmcnevin @aso @jyellick @jimthematrix Ale, Jason, Jim, do any of you have commands or code which updates the CRL?

jyellick (Thu, 22 Jun 2017 19:40:08 GMT):
Has joined the channel.

jyellick (Thu, 22 Jun 2017 19:40:50 GMT):
@smithbk Updating the CRL is done exactly the same way as any other config update

jyellick (Thu, 22 Jun 2017 19:41:06 GMT):
Let me get the document link

jyellick (Thu, 22 Jun 2017 19:41:25 GMT):
https://github.com/hyperledger/fabric/tree/master/examples/configtxupdate

jyellick (Thu, 22 Jun 2017 19:42:31 GMT):
The rough process is:
1. Get the current config
2. Turn it into a human readable form via `configtxlator`
3. Modify a copy of the human readable form as desired
4. Give the original and updated configs to `configtxlator` and it will give back the computed config update
5. Submit the update for ordering

jyellick (Thu, 22 Jun 2017 19:43:54 GMT):
If you are using go, you could bind directly into the `configtxlator` code, or, it is available as a REST API. There is currently no CLI, so the example uses `curl` to access the REST interface

jyellick (Thu, 22 Jun 2017 19:45:40 GMT):
For the CRL, there is a field named `revocation_list` in the MSP config. (alongside `name`, `root_certs`, `admins` etc.). By default this field is not populated so does not appear in the config output, but you may create it.

jyellick (Thu, 22 Jun 2017 19:46:12 GMT):
The field is to be set to an array of revocation list bytes:
```
// Identity revocation list
repeated bytes revocation_list = 5;
```

jyellick (Thu, 22 Jun 2017 19:46:12 GMT):
The field is to be set to an array of revocation list bytes as defined in `fabric/protos/msp/msp_config.proto`:
```
// Identity revocation list
repeated bytes revocation_list = 5;
```

jyellick (Thu, 22 Jun 2017 19:46:41 GMT):
My understanding is that this is a standard X.509 CRL representation, but you can check with the crypto team for confirmation

jmcnevin (Thu, 22 Jun 2017 19:50:52 GMT):
@jyellick What would be the easiest way to get the list of revoked certs out of fabric-ca? Would I need to query the backend database directly?

jyellick (Thu, 22 Jun 2017 19:52:54 GMT):
@jmcnevin I'll have to defer to @smithbk on this. I can only speak to what happens to the CRL as managed by a channel's config

smithbk (Thu, 22 Jun 2017 20:03:02 GMT):
Currently it is assumed that the same client that revokes in fabric-ca will revoke in fabric as there is no fabric-ca API to get the list ... though this is something I know we need. @jmcnevin I'd welcome you to open a jira item for this so you can track

chaae (Fri, 23 Jun 2017 00:13:49 GMT):
Has joined the channel.

chaae (Fri, 23 Jun 2017 00:29:57 GMT):
Hi, anyone know how to fix this issue? -> https://developer.ibm.com/answers/questions/371902/hyperledger-node-sdk-enroll-failure-v10-alpha-cert.html I am using the beta version, and did get SDK to run with original network configurations. After adding a channel, and replacing some artifacts (regenerated with new configtx profiles), I run into the above error.

chaae (Fri, 23 Jun 2017 00:29:57 GMT):
Hi, anyone know how to fix this issue? (when enrolling admin) -> https://developer.ibm.com/answers/questions/371902/hyperledger-node-sdk-enroll-failure-v10-alpha-cert.html I am using the beta version, and did get SDK to run with original network configurations. After adding a channel, and replacing some artifacts (regenerated with new configtx profiles), I run into the above error.

terrypst (Fri, 23 Jun 2017 08:58:14 GMT):
Has joined the channel.

Dpkkmr (Fri, 23 Jun 2017 08:58:40 GMT):

Message Attachments

Dpkkmr (Fri, 23 Jun 2017 08:59:34 GMT):
Hi All, I'm trying to enroll a user but it is failing each time. Any help in resolving this is appreciated. Thanks.

Dpkkmr (Fri, 23 Jun 2017 08:59:34 GMT):
Hi All, I'm trying to enroll a user using node SDK but it is failing. Any help in resolving is appreciated. Thanks.

Dpkkmr (Fri, 23 Jun 2017 08:59:34 GMT):
Hi All, I'm trying to enroll a user using node SDK but it is failing. Any help in resolving this is appreciated. Thanks.

terrypst (Fri, 23 Jun 2017 09:01:22 GMT):
Hi guys, I didn't find the documentation that can help me to understand what the different roles in *hf.Registrar.Roles: "client,user,peer,validator,auditor"* are. Could you explain the function of each one? Thanks a lot!

terrypst (Fri, 23 Jun 2017 09:02:04 GMT):
Which ones can make a transaction? Which ones can't?

vinitesh (Fri, 23 Jun 2017 09:26:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mhD3jN9X5QGtziMGP) Thanks @smithbk

smithbk (Fri, 23 Jun 2017 12:20:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=53TNGQerR7EbGjT5b) @terrypst Roles

smithbk (Fri, 23 Jun 2017 12:20:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=53TNGQerR7EbGjT5b) @terrypst The role is currently only used by fabric-ca-server and is not used within fabric, so any of them can make a transaction.

smithbk (Fri, 23 Jun 2017 12:27:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DkqfTn5rvxwp66fCz) @Dpkkmr The error you pasted is for a "register" request, not an "enroll" request. Was there another error in logs for enroll?

smithbk (Fri, 23 Jun 2017 12:37:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=L2Tc8xgoqSqJPJ7Gz) @chaae @jimthematrix Apparently the node TLS client expects the fabric-ca-server's TLS cert to have a "Certificate Sign" key usage. For example, here is a snippet from a server TLS cert with this usage as printed by openssl:
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Certificate Sign
```

smithbk (Fri, 23 Jun 2017 12:37:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=L2Tc8xgoqSqJPJ7Gz) @chaae @jimthematrix Apparently the node TLS client expects the fabric-ca-server's TLS cert to have a "Certificate Sign" key usage. For example, here is a snippet from a server TLS cert with this usage as printed by openssl:
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Certificate Sign
```

smithbk (Fri, 23 Jun 2017 12:37:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=L2Tc8xgoqSqJPJ7Gz) @chaae @jimthematrix Apparently the node TLS client expects the fabric-ca-server's TLS cert to have a "Certificate Sign" key usage. For example, here is a snippet from a server TLS cert with this usage as printed by openssl:
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Certificate Sign
```
So you need to regen the server's TLS cert with this usage. See the "tlsEnroll" function in the "examples/e2e_cli/fabric-ca-cryptogen.sh" script at https://gerrit.hyperledger.org/r/#/c/10871/ for an example of how to use fabric-ca-client to generate a TLS cert for the fabric-ca-server itself ... that may be helpful.

terrypst (Fri, 23 Jun 2017 12:39:58 GMT):
@smithbk Oh ok, so I can't manage for now which users are authorized or not to make an invoke or a query inside an organization?

smithbk (Fri, 23 Jun 2017 12:44:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pqGnTxhH9Jzbe9RTe) @terrypst IIRC, there is a "channelWriters" policy for the channel ... not sure the name is exactly that. If you don't see it, let me know and I'll track it down

smithbk (Fri, 23 Jun 2017 12:44:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pqGnTxhH9Jzbe9RTe) @terrypst IIRC, there is a "channelWriters" policy for the channel ... yes, search for "channelWriters" in https://docs.google.com/document/d/1Qg7ZEccOIsrShSHSNl4kBHOFvLYRhQ3903srJ6c_AZE

saism (Fri, 23 Jun 2017 20:45:32 GMT):
So does the -m option on fabric-ca-client give us TLS certs? The CA cert is identical with or without it; how is tlsEnroll different?

ThePleasurable (Sat, 24 Jun 2017 12:23:14 GMT):
Has joined the channel.

smithbk (Sat, 24 Jun 2017 16:32:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3swCAQN3ey8zAzA6f) @saism The CA cert is the root cert used to issue TLS certs and enrollment certs and does not need to have the hostname extensions. The advantage is that a client only needs to have a single CA cert in its TLS trust store but can then connect over TLS to any endpoint that has a TLS cert issued by the CA (e.g. using fabric-ca-client with the -m option). The alternative, if self-signed certs are used on the server side of a TLS connection, is that every client must have the server's cert in its trust store for each server to which it connects.

bh4rtp (Mon, 26 Jun 2017 01:03:12 GMT):
How to configure the mysql datasource? There is an error when doing tests at the end of making.
```
--- FAIL: TestNewUserRegistryMySQL (0.31s)
        Error Trace:    server_test.go:1264
        Error:          "Failed to connect to MySQL database: Error 1045: Access denied for user ''@'localhost' (using password: NO)" does not contain "permission denied"
FAIL
```

bh4rtp (Mon, 26 Jun 2017 01:03:12 GMT):
How to configure the mysql datasource? There is an error when running all tests at the end of making.
```
--- FAIL: TestNewUserRegistryMySQL (0.31s)
        Error Trace:    server_test.go:1264
        Error:          "Failed to connect to MySQL database: Error 1045: Access denied for user ''@'localhost' (using password: NO)" does not contain "permission denied"
FAIL
```

jaguarg (Mon, 26 Jun 2017 09:58:28 GMT):
Hi, i am now up and running with composer and composer REST server. But I am looking for a way to auth the API calls. Right now the API is using the account that I specified when starting `composer-rest-server -p hlfv1 -n my-network -i admin -s adminpw -N always`

jaguarg (Mon, 26 Jun 2017 09:59:34 GMT):
I am adding participants and identities, but how do I then authenticate these users against the API?

aambati (Mon, 26 Jun 2017 14:16:14 GMT):
@bh4rtp I don't think you need to do any configuration to run the unit tests... they need to pass out of the box. On what operating system did you run the tests?

bh4rtp (Mon, 26 Jun 2017 15:26:36 GMT):
@aambati Ubuntu 16.04. Does the mysql unit test run in the container and have nothing to do with the host Ubuntu mysql settings?

bh4rtp (Mon, 26 Jun 2017 15:26:36 GMT):
@aambati ubuntu 16.04. does the mysql unit test run in the container and have nothing to do with the host ubuntu mysql settings?

skarim (Mon, 26 Jun 2017 18:16:23 GMT):
@bh4rtp If you are running make unit-tests on your host machine then it will interact with any mysql settings you have. But this error seems to be happening because the test case is trying to change the permission on a file to not have read permissions. Then when it tries to read the file it is expecting "permission denied" but that doesn't seem to be happening. So I wonder if there is something on your system that is preventing the test case from changing file permission.

jmcnevin (Mon, 26 Jun 2017 20:35:12 GMT):
CC'ing this from another channel, forgive my spam: I'm trying to understand how one would bootstrap a production network with a fabric-ca server... I've enrolled an identity in fabric-ca and have stored the ecerts in a msp directory, but running configtxgen to generate an orderer genesis block, there's no admincerts directory... where would I get the certs for that directory?

bh4rtp (Tue, 27 Jun 2017 00:27:34 GMT):
@skarim that's strange because i did `make` fabric-ca using root user and reported this error. notice that the error message shows with empty user ''.

bh4rtp (Tue, 27 Jun 2017 00:33:19 GMT):
i think it is caused by accessing mysql with no password, while i set the root password.

n-someya (Tue, 27 Jun 2017 07:04:11 GMT):
Has joined the channel.

AlexanderEx123 (Tue, 27 Jun 2017 07:58:11 GMT):
Has joined the channel.

ShermanHLee (Tue, 27 Jun 2017 16:38:43 GMT):
Has joined the channel.

pschnap (Tue, 27 Jun 2017 18:21:44 GMT):
Has joined the channel.

pschnap (Tue, 27 Jun 2017 18:22:13 GMT):
is there something special I need to do to hook up a CA to a network of peers/orderer?

pschnap (Tue, 27 Jun 2017 18:24:19 GMT):
I'm trying to run a modified version of one of the first-network examples and I have the CA, peers, and orderer running but my Java SDK doesn't seem to be able to connect to the peers after enrolling with the CA -- it may just be bad config on my part but I wanted to check everything else too

webdaford (Tue, 27 Jun 2017 18:47:35 GMT):
Has joined the channel.

aambati (Tue, 27 Jun 2017 19:23:40 GMT):
@pschnap what error do you see when trying to connect java sdk to peer? What identity are you trying to enroll using the Java SDK? Specifically what example are you running? it will also help if you can tell us what modification you made to the example.

aambati (Tue, 27 Jun 2017 19:28:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FbHPZoEx5x7FgZge6) @bh4rtp Can you please run that particular unit test ( `go test -run TestNewUserRegistryMySQL` ) and check if the file permissions were changed? `ls -ltr testdata/root.pem` should show all dashes. Before you run, you need to comment out lines 1258 to 1269, assuming you got the latest code

pschnap (Tue, 27 Jun 2017 21:04:20 GMT):
@aambati I had gotten it to connect to the CA to enroll using a custom docker setup for the containers but it would complain about a bad transaction constructing the SDK client after that. I've since switched to using the e2e docker-compose-e2e-template.yaml docker-compose file and it's not able to enroll w/ the CA now. I'll check my settings again tomorrow, I might have the wrong cert configured

bh4rtp (Wed, 28 Jun 2017 00:14:24 GMT):
@aambati ok. let me try the unit test.

rezamt (Wed, 28 Jun 2017 07:07:35 GMT):
Has joined the channel.

Gerard9494 (Wed, 28 Jun 2017 07:38:31 GMT):
Has joined the channel.

Gerard9494 (Wed, 28 Jun 2017 07:39:25 GMT):
How can I give a specific fabric-ca-server-config.yaml when I run the server using docker-compose? This is what I do right now, but it doesn't work:
```yaml
ca.org1.example.com:
  image: hyperledger/fabric-ca:x86_64-1.0.0-rc1
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
    - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/28fac2ea7fc90b5eaf5d4d4260fb2e019729a50d1ae0e3c8889f1ef472d617ca_sk
    #fabric-sdk-node/examples/balance-transfer/artifacts/channel/crypto-config/peerOrganizations/org1.example.com/ca
    - FABRIC_CA_SERVER_TLS_ENABLED=true
    - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
    - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/28fac2ea7fc90b5eaf5d4d4260fb2e019729a50d1ae0e3c8889f1ef472d617ca_sk
  ports:
    - "7054:7054"
  command: sh -c 'fabric-ca-server start -b admin:adminpw -d --config fabric-ca-server-config2.yaml'
  volumes:
    - ./channel/crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
  container_name: ca_peerOrg1
```
Thanks!

xinpei8 (Wed, 28 Jun 2017 14:51:36 GMT):
Has joined the channel.

rohitbordia (Wed, 28 Jun 2017 14:59:01 GMT):
@aambati & @pvrbharg : why your key works in alpha1 and not in alpha2 - everything else the same

rohitbordia (Wed, 28 Jun 2017 14:59:43 GMT):
i mean our keys

pvrbharg (Wed, 28 Jun 2017 15:05:58 GMT):
thanks Rohit and I would let Anil respond to us

rohitbordia (Wed, 28 Jun 2017 15:06:54 GMT):
@aambati : could it be the pkcs was changed and our key is in the older pkcs?

5igm4 (Wed, 28 Jun 2017 15:07:42 GMT):
Has joined the channel.

aambati (Wed, 28 Jun 2017 15:09:28 GMT):
@rohitbordia fabric-ca always had code to handle rsa keys and in alpha1 it did support rsa keys..but starting alpha2, fabric-ca started using bccsp (crypto layer that abstracts where the keys are stored hsm or file system)...bccsp (blockchain crypto service provider) does not support rsa keys..as a result, fabric-ca stopped supporting rsa keys

rohitbordia (Wed, 28 Jun 2017 15:10:26 GMT):
you mean to say , : openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout ca-key.pem this is not the correct way?

aambati (Wed, 28 Jun 2017 15:11:36 GMT):
yeah, i suggest using ecdsa keys

aambati (Wed, 28 Jun 2017 15:12:19 GMT):
i have heard talk that bccsp will support rsa keys post 1.0 (not official statement though, just what i heard)

rohitbordia (Wed, 28 Jun 2017 15:12:27 GMT):
ok

rohitbordia (Wed, 28 Jun 2017 15:15:19 GMT):
@aambati : do you have example command to generate ecdsa key using openssl

aambati (Wed, 28 Jun 2017 15:18:32 GMT):
@rohitbordia https://superuser.com/questions/1103401/generate-an-ecdsa-key-and-csr-with-openssl has a good example

rohitbordia (Wed, 28 Jun 2017 15:19:20 GMT):
@aambati : thanks

aambati (Wed, 28 Jun 2017 15:27:58 GMT):
np

rohitbordia (Wed, 28 Jun 2017 16:06:11 GMT):
@aambati , question for you

rohitbordia (Wed, 28 Jun 2017 16:06:52 GMT):
our internal cert authority can take only: Public Key Algorithm must be RSA. Public Key Size must be at least 2048 bit.

aambati (Wed, 28 Jun 2017 16:07:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cijkXYrx5gSD3Bcbw) @jmcnevin cryptogen is the tool that the examples use to generate the certs needed to set up a network...it consumes a configuration file called crypto-config.yaml that is used to specify org name, number of users, etc., please see crypto-config.yaml in examples/e2e_cli. It creates crypto material for an admin user (Admin@) and puts it in the admincerts folder of the msp directory of the peer.

rohitbordia (Wed, 28 Jun 2017 16:07:11 GMT):
which means, I cannot do ecdsa

aambati (Wed, 28 Jun 2017 16:10:51 GMT):
@rohitbordia Bobbie and I had a brief discussion on the way forward for your pilot , since your tool does not support ECDSA keys...she is going to send a note

rohitbordia (Wed, 28 Jun 2017 16:11:22 GMT):
ok thanks

skarim (Wed, 28 Jun 2017 16:28:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KxDLjsHDKC4obdkgc) @Gerard9494 If you want to use fabric-ca-server-config2.yaml, you need to make sure that is located in the home directory you specified using the environment variable, which is FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server

Gerard9494 (Thu, 29 Jun 2017 07:23:00 GMT):
Hello @skarim, thanks for your answer!

AlexanderEx123 (Thu, 29 Jun 2017 08:17:02 GMT):
someone can tell me how to save account ROLE permanent in CA?

rolo (Thu, 29 Jun 2017 08:49:37 GMT):
Has joined the channel.

rolo (Thu, 29 Jun 2017 08:59:42 GMT):
good morning people! I'm posting this here because there is no membersrvc chat. I'm using Fabric for a new project and I had to change the membersrvc.yaml file to remove test users. Since the change I'm unable to enroll the admin user, I get `Error: Identity lookup error: sql: no rows in result set`. Has anyone had this issue before? Can you guys please help me debug, point me to the right direction? Thanks!

warm3snow (Thu, 29 Jun 2017 09:00:32 GMT):
Hi, we all know digital certificate has a expiry date. In fabric, the certificate is bound to digital asset. How can I transfer my asset if my Ecert or Tcert is expired? I think the signature will not pass the verification.

reubent 1 (Thu, 29 Jun 2017 12:59:42 GMT):
@rolo have you got the three tables in your SQL schema?

reubent 1 (Thu, 29 Jun 2017 12:59:57 GMT):
If you do, you'll need to insert the bootstrap identity

rolo (Thu, 29 Jun 2017 13:00:33 GMT):
hi @reubent 1 to be honest I have never touched anything inside membersrvc and I don't know how to check the db. do you have any suggestions?

reubent 1 (Thu, 29 Jun 2017 13:02:09 GMT):
What I mean is that you need the first identity to be in the table to be able to add others through the CA

reubent 1 (Thu, 29 Jun 2017 13:04:12 GMT):
If you do something like `INSERT INTO users (id, token, type, affiliation, attributes, state, max_enrollments) VALUES ("admin", "adminpassword", "client", "name of your Org", '[{"name":"hf.Revoker","value":"1"},{"name":"hf.IntermediateCA","value":"0"},{"name":"hf.Registrar.Roles","value":"client,user,peer,validator,auditor"},{"name":"hf.Registrar.DelegateRoles","value":"client,user,validator,auditor"}]', 4, -1)` that should give you an ID to bootstrap the others

rolo (Thu, 29 Jun 2017 13:05:09 GMT):
yes but I thought that automatically done when I provide the membersrvc.yaml file with affiliations and users pre-defined

rolo (Thu, 29 Jun 2017 13:05:21 GMT):
https://github.com/hyperledger-archives/fabric/blob/master/membersrvc/membersrvc.yaml

reubent 1 (Thu, 29 Jun 2017 13:05:45 GMT):
in my experience it's happened successfully when we've used sqlite but not with mysql - i presume that you're right it's meant to work either way

rolo (Thu, 29 Jun 2017 13:05:47 GMT):
it works with this yaml file, no problem. admin enrolls. I have my custom yaml file though which doesn't work

reubent 1 (Thu, 29 Jun 2017 13:06:04 GMT):
are you running 0.6?

rolo (Thu, 29 Jun 2017 13:06:23 GMT):
yes, 0.6. I'm wondering if the affiliations should have a specific tree structure.

reubent 1 (Thu, 29 Jun 2017 13:07:09 GMT):
shame my colleague @nickmelis isn't in today - he's much more familiar with 0.6 than I am. I've been working with the CA service in 1.0

rolo (Thu, 29 Jun 2017 13:08:21 GMT):
I see. Thanks anyway. I'll try to rebuild my membersrvc docker image and play with the yaml file

pschnap (Thu, 29 Jun 2017 13:49:00 GMT):
how do I register peers w/ the CA? If I already have certificates for peers/orgs, do I have to register? (I would be searching the documentation but for some reason I can't access readthedocs.io, it says the server is down)

rolo (Thu, 29 Jun 2017 13:52:39 GMT):
if you already have peers registered you only need to enroll them

pschnap (Thu, 29 Jun 2017 13:53:14 GMT):
ok; how is that done?

pschnap (Thu, 29 Jun 2017 13:53:38 GMT):
through the CA's REST interface?

pschnap (Thu, 29 Jun 2017 13:53:56 GMT):
or is there a command-line option? (<-- preferred)

rolo (Thu, 29 Jun 2017 13:56:30 GMT):
don't know without the docs :D sorry

rolo (Thu, 29 Jun 2017 13:56:53 GMT):
I only used the javascript HFC to enroll peers

pschnap (Thu, 29 Jun 2017 13:58:31 GMT):
ah

pschnap (Thu, 29 Jun 2017 13:58:35 GMT):
thx for the input!

pschnap (Thu, 29 Jun 2017 13:58:47 GMT):
@rolo ^

skarim (Thu, 29 Jun 2017 14:16:44 GMT):
@pschnap If you already have certificates to use for your peers, you don't need to register with fabric-ca. The purpose of registering and enrolling with the fabric-ca is to get a certificate. But if you already have ones you'd like to use, then you need to place those certificates in the Peer in the MSP directory. Then configure your core.yaml to point to this MSP directory. http://hyperledger-fabric.readthedocs.io/en/latest/msp.html - this section in the docs guides you on how to do that. Let me know if you can't access it, I can ping you the instructions directly.

svergara (Thu, 29 Jun 2017 17:55:33 GMT):
Has joined the channel.

svergara (Thu, 29 Jun 2017 17:55:48 GMT):
Hi, is there a way to change the certification authority in hyperledger? I was thinking of using the national certification authority (which gives each citizen an id) within a blockchain. Is this possible?

ashutosh_kumar (Thu, 29 Jun 2017 18:28:58 GMT):
@svergara , you can use your own certificate in fabric.

svergara (Thu, 29 Jun 2017 18:30:39 GMT):
@ashutosh_kumar I did not mean certificate, I meant CA.

svergara (Thu, 29 Jun 2017 18:30:39 GMT):
@ashutosh_kumar I did not mean certificate, I meant CA. May I use my own CA?

ashutosh_kumar (Thu, 29 Jun 2017 18:32:54 GMT):
I do not understand. You'll have CA Cert and Cert issued by CA. You can use these 2 in Fabric in MSP.

skarim (Thu, 29 Jun 2017 19:10:04 GMT):
@svergara You can use your own CA to issue certificates, these certificates must be properly configured in the MSP directory for them to be used in the fabric. See http://hyperledger-fabric.readthedocs.io/en/latest/msp.html

pschnap (Thu, 29 Jun 2017 19:33:01 GMT):
Thanks @skarim , I'm able to access the documentation now, so I'll take a look!

Gerard9494 (Fri, 30 Jun 2017 09:19:23 GMT):
Hello, How can i add a new department at one organization without having to delete the whole BD and initialise a new one? Thanks !

skarim (Fri, 30 Jun 2017 13:58:30 GMT):
@Gerard9494 Currently, the database gets bootstrapped when the DB gets created for the first time. So, unfortunately at the moment you will have to add the department in the server configuration yaml, delete the DB, and restart the server again. This will create a new DB that will have the new department. Going forward post v1, we would like to dynamically support adding new affiliations. Another option would be to directly modify the affiliations table in DB to add a department.

Gerard9494 (Fri, 30 Jun 2017 14:03:40 GMT):
Ok, @skarim! Thanks for your answer

rolo (Fri, 30 Jun 2017 14:18:42 GMT):
Hi guys, I'm using the official fabric membershipsrvc image and when I try to register a new peer I get `Invalid affiliation group: ` it seems to be empty. Do you have any ideas?

Sandeep (Fri, 30 Jun 2017 14:35:20 GMT):
Has joined the channel.

sandp125 (Fri, 30 Jun 2017 14:38:27 GMT):
Has joined the channel.

ariannagolf (Fri, 30 Jun 2017 20:34:38 GMT):
Has joined the channel.

awa (Sun, 02 Jul 2017 10:52:51 GMT):
Has joined the channel.

lancelot186 (Sun, 02 Jul 2017 12:04:34 GMT):
Has joined the channel.

pandabcai (Mon, 03 Jul 2017 00:15:29 GMT):
Has joined the channel.

smithbk (Mon, 03 Jul 2017 14:00:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dGs8dfgPnEZEzb8zA) @rolo fabric-ca replaces fabric membershipsrvc for v1. See http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html

smithbk (Mon, 03 Jul 2017 14:02:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=i6AYGyzuvNRPxna4r) @Gerard9494 I'd also suggest that you open a jira item to track dynamically adding affiliations

pschnap (Mon, 03 Jul 2017 15:31:13 GMT):
I've been working on a modified version of the `first-network` example, trying to add CAs to the mix. I got things to come up using docker(-compose), but when I'm trying to instantiate chaincode I get errors from the gossip service saying `Don't have certificate for membership: ...` or `Alive message isn't authentic, someone must be spoofing membership: ...` and it times out. Does anyone have any idea what might be going on?

yacovm (Mon, 03 Jul 2017 15:38:08 GMT):
These are not errors

yacovm (Mon, 03 Jul 2017 15:38:13 GMT):
they are in DEBUG

yacovm (Mon, 03 Jul 2017 15:38:18 GMT):
@pschnap

pschnap (Mon, 03 Jul 2017 15:40:56 GMT):
@yacovm sorry, used the wrong term.

pschnap (Mon, 03 Jul 2017 15:41:20 GMT):
My issue still stands, though, the chaincode won't instantiate; any help would be very much appreciated!

yacovm (Mon, 03 Jul 2017 15:44:00 GMT):
This has nothing to do with the chaincode

yacovm (Mon, 03 Jul 2017 15:44:16 GMT):
rest assured no one hacked into your demo network (as far as I know)

yacovm (Mon, 03 Jul 2017 15:44:48 GMT):
These messages have nothing to do with instantiate

yacovm (Mon, 03 Jul 2017 15:44:58 GMT):
if the instantiation fails it tells you why it failed

yacovm (Mon, 03 Jul 2017 15:45:07 GMT):
did it tell anything?

pschnap (Mon, 03 Jul 2017 15:51:57 GMT):
it was a timeout expiration during instantiation

pschnap (Mon, 03 Jul 2017 15:52:36 GMT):
my guess is the certificates and/or CA are incorrectly configured and so the gossip not behaving correctly is causing the timeout

pschnap (Mon, 03 Jul 2017 15:53:49 GMT):
here's the message it prints: > Error endorsing chaincode: rpc error: code = Unknown desc = Timeout expired while starting chaincode mycc:1.0 ....

yacovm (Mon, 03 Jul 2017 15:54:24 GMT):
nope, gossip not behaving correctly can't fail an instantiate transaction

pschnap (Mon, 03 Jul 2017 15:54:38 GMT):
hm

yacovm (Mon, 03 Jul 2017 15:54:43 GMT):
now for your problem

yacovm (Mon, 03 Jul 2017 15:54:45 GMT):
do `docker ps -a`

yacovm (Mon, 03 Jul 2017 15:54:50 GMT):
do you see the container?

yacovm (Mon, 03 Jul 2017 15:54:57 GMT):
the chaincode container I mean

pschnap (Mon, 03 Jul 2017 15:56:09 GMT):
I have four peers, two CAs, one orderer, one cli

pschnap (Mon, 03 Jul 2017 15:56:20 GMT):
no chaincode container

yacovm (Mon, 03 Jul 2017 15:56:36 GMT):
I think it got removed when the instantiate failed

yacovm (Mon, 03 Jul 2017 15:56:43 GMT):
try again to instantiate and quickly do `docker ps -a`

yacovm (Mon, 03 Jul 2017 15:56:51 GMT):
and try to see the container starting up

pschnap (Mon, 03 Jul 2017 15:56:53 GMT):
ok, one moment

yacovm (Mon, 03 Jul 2017 15:57:00 GMT):
it will either not be able to start up

yacovm (Mon, 03 Jul 2017 15:57:03 GMT):
or will start up and fail

yacovm (Mon, 03 Jul 2017 15:57:08 GMT):
when it fails do quickly `docker logs`

yacovm (Mon, 03 Jul 2017 15:57:11 GMT):
to see its output

yacovm (Mon, 03 Jul 2017 15:57:43 GMT):
we really need to add docker logs output to fabric so it will be shown in the logs @muralisr :/

pschnap (Mon, 03 Jul 2017 15:59:13 GMT):
ah, yes, it quits after one second

pschnap (Mon, 03 Jul 2017 16:00:17 GMT):
the error it gives is `Error trying to connect to local peer: x509: certificate signed by unknown authority....`

awattez (Mon, 03 Jul 2017 16:00:53 GMT):
Has joined the channel.

pschnap (Mon, 03 Jul 2017 16:01:19 GMT):
I can redo my crypto if you think that'd help

pschnap (Mon, 03 Jul 2017 16:03:19 GMT):
I think I'll do that, let me rebuild my config and the network, shouldn't be more than a minute

pschnap (Mon, 03 Jul 2017 16:06:42 GMT):
the chaincode container has the same error even with fresh config & crypto

pschnap (Mon, 03 Jul 2017 16:12:06 GMT):
looks like the identity it's trying to validate and can't is that of the CA, which is what I'm trying to add

pschnap (Mon, 03 Jul 2017 17:47:45 GMT):
@yacovm thanks for your help! I'll keep digging

zaishengming (Tue, 04 Jul 2017 07:00:23 GMT):
Has joined the channel.

sandroku63 (Tue, 04 Jul 2017 08:26:16 GMT):
I have a question, how to leverage an OpenLDAP backend, but proxy the requests to Active Directory for authentication?

reubent 1 (Tue, 04 Jul 2017 08:51:02 GMT):
@sandroku63 https://blogs.msdn.microsoft.com/alextch/2012/04/25/configuring-openldap-pass-through-authentication-to-active-directory/

sandroku63 (Tue, 04 Jul 2017 09:00:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AvuBdeLTX2ynALooW) @reubent 1 Thank you, I have read this document, so I can not use ldap proxy for authentication?

reubent 1 (Tue, 04 Jul 2017 09:06:21 GMT):
You'd probably have to make some changes to the encryption AD accepts which might not be a great idea. I think MS still do a "services for UNIX" addon which sorts some of this stuff out. MSDN is generally the best reference point.

sandroku63 (Tue, 04 Jul 2017 09:09:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rzMuFvkq9T55c94Fs) @reubent 1 OK, thank you for your suggestion.

baoyangc (Tue, 04 Jul 2017 10:53:40 GMT):
Has joined the channel.

dinesh.rivankar (Tue, 04 Jul 2017 12:04:34 GMT):
We have 2 endorsing peers, each running their own CA. Do all these CAs share their enrollment details with the others in the network?

trygvevang (Tue, 04 Jul 2017 12:45:45 GMT):
Has joined the channel.

rolo (Tue, 04 Jul 2017 15:43:29 GMT):
hi guys, using fabric 0.6 I'm trying to enroll a new peer to the network, it registers successfully but enrollment gives a weird error `13:26:30.844 [crypto] Errorf -> ERRO 030 [validator.111111121] Failed unmarshalling enrollment chain key [id=111111121]: [Failed to parse private key]` has anyone seen this before?

absingh0 (Tue, 04 Jul 2017 16:08:41 GMT):
Has joined the channel.

Xie.YZ (Wed, 05 Jul 2017 09:32:50 GMT):
Has joined the channel.

Xie.YZ (Wed, 05 Jul 2017 09:33:57 GMT):
hi all, can anybody explain how fabric-ca works and how it works with msp?

Xie.YZ (Wed, 05 Jul 2017 12:57:06 GMT):
ok

Xie.YZ (Wed, 05 Jul 2017 12:57:19 GMT):
I now know its mechanism

smithbk (Wed, 05 Jul 2017 13:04:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2mZK6KrDZNthADMbZ) @Xie.YZ I guess this means that you know how fabric-ca and MSP relate to each other, but for the benefit of others, I'll answer anyway ... the fabric-ca-client is able to create an MSP directory structure which is used as the local MSP for a peer or orderer.

Xie.YZ (Wed, 05 Jul 2017 13:04:51 GMT):
@smithbk yes, you're right

Xie.YZ (Wed, 05 Jul 2017 13:05:06 GMT):
you're really kind hearted

Xie.YZ (Wed, 05 Jul 2017 13:05:10 GMT):
thanks

smithbk (Wed, 05 Jul 2017 13:05:18 GMT):
np

smithbk (Wed, 05 Jul 2017 13:17:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=u6WCo5HwJNQFo6mwz) @rolo Hi, let me ask first if you could use v1? That has been our focus and has been a while since looking at v0.6. That said, if v0.6 is a requirement, pls enable verbose trace preceding the error above and will be glad to investigate.

smithbk (Wed, 05 Jul 2017 13:28:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=P9uuzYAhRMzv7SPSL) @dinesh.rivankar The two CAs do not need to communicate with or trust or share enrollment details with one another directly. The root certificates (and intermediate certs if any) of the two CAs must be associated with any channel which is used to transact between identities associated with the two CAs. If this doesn't answer specifically enough, perhaps you can ask the question more specifically.

baoyangc (Wed, 05 Jul 2017 15:45:55 GMT):
how can I set loglevel for composer-rest-server

baoyangc (Wed, 05 Jul 2017 15:46:30 GMT):
sorry wrong message

absingh0 (Thu, 06 Jul 2017 08:41:08 GMT):
Hi All, Do anyone know how to solve this issue? ```Error: Failed to store certificate: open /etc/hyperledger/fabric-ca-server-config/ca.org2.example.com-cert.pem: read-only file system```

absingh0 (Thu, 06 Jul 2017 08:41:51 GMT):
While trying to run container for fabric-ca, I am getting the above error.

absingh0 (Thu, 06 Jul 2017 08:42:21 GMT):
Thanks in advance :)

smithbk (Thu, 06 Jul 2017 13:53:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AGihouZKm7DgteWWK) @absingh0 I believe that means you either mounted that file system as read-only with docker or the underlying file system is read only on the native host. Pls give more context such as your docker file and start command.

absingh0 (Thu, 06 Jul 2017 15:53:31 GMT):

Message Attachments

absingh0 (Thu, 06 Jul 2017 15:54:10 GMT):
@smithbk I have attached the docker-compose.yaml file which I am using to run the containers. ^^^

jmcnevin (Thu, 06 Jul 2017 19:54:09 GMT):
So, we're planning on using fabric-ca for our MSP, but I'm a little unclear as to whether cryptogen is still necessary to stand up a network under that scenario. If we just bootstrap a fabric-ca server, I'm not sure how to: * create admin users for the org using fabric-ca * create TLS certs * create the orderer genesis block... do I need to pull the root cert out of fabric-ca to do this?

smithbk (Thu, 06 Jul 2017 21:25:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=G3ksmbSRT4pumdari) @jmcnevin See the fabric-ca-cryptogen.sh script at https://gerrit.hyperledger.org/r/#/c/10871/ ... It worked a little over a week ago but not sure that it does now with recent changes to MSP wrt TLS certs, but it still should give you the basic idea.

SasagawaHiroshi (Fri, 07 Jul 2017 02:09:33 GMT):
Has joined the channel.

baoyangc (Fri, 07 Jul 2017 09:37:59 GMT):
is there a way to change enrollmentSecret ?

smithbk (Fri, 07 Jul 2017 11:28:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GqAxNN7jgHghfRfpr) @baoyangc No, not currently, though I certainly agree that it is needed along with adding/removing attributes, etc. See https://jira.hyperledger.org/browse/FAB-5203

jmcnevin (Fri, 07 Jul 2017 12:46:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XsjuJo8HEG9WF7tk5) @smithbk Thanks :)

paul.sitoh (Sat, 08 Jul 2017 18:35:40 GMT):
Has joined the channel.

mavericklam (Mon, 10 Jul 2017 03:43:14 GMT):
Has joined the channel.

mavericklam (Mon, 10 Jul 2017 03:44:56 GMT):
hey all, I use the cryptogen tool to generate the cert, but when I am using the nodejs sdk to read the cert and test the api it shows this error, any hint?
```
Enroll User admin failed with error Error: Calling enrollment endpoint failed with error [Error: write EPROTO 140737235354560:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:../deps/openssl/openssl/ssl/ssl_lib.c:2512: 140737235354560:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:../deps/openssl/openssl/ssl/s3_clnt.c:3544:
```

mavericklam (Mon, 10 Jul 2017 03:45:28 GMT):
this error keeps happening when I try to enroll the user

smithbk (Mon, 10 Jul 2017 11:59:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=75TswyozpAw2GWLPm) @mavericklam So you started fabric-ca-server with TLS enabled and using certificates generated by cryptogen. Is this correct? If yes, then the problem seems to be that the server's TLS certificate doesn't have a correct key usage. What TLS certificate are you using? Can you print that cert using the "openssl x509 -in -text -noout" command and paste the results here?

Gaurav_Impro (Mon, 10 Jul 2017 14:34:23 GMT):
Has joined the channel.

dushyant (Tue, 11 Jul 2017 07:05:37 GMT):
Has joined the channel.

mavericklam (Tue, 11 Jul 2017 08:07:47 GMT):
thanks [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EGFpGNfjnFJwP7zHA) @smithbk

mavericklam (Tue, 11 Jul 2017 08:08:04 GMT):
problem solved. Thanks for your hint! :)[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EGFpGNfjnFJwP7zHA) @smithbk

dushyant (Tue, 11 Jul 2017 08:28:39 GMT):
Hi all, I have a question on the role of fabric-ca, Is fabric-ca just an implementation of fabric MSP or is it supposed to be an abstraction over other MSP implementations (e.g. Identity Mixer)?

smithbk (Tue, 11 Jul 2017 11:57:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MyuoSFfdhr9uyDGhk) @dushyant fabric-ca does not include Identity Mixer (which is not x509-based). fabric-ca is a CA (Certificate Authority) which issues, renews, and revokes *x509 certificates* that can be used/consumed by MSP in fabric.

anik (Tue, 11 Jul 2017 13:06:04 GMT):
Has joined the channel.

dushyant (Tue, 11 Jul 2017 14:37:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kcQN6uBiHgKbsDuM7) @smithbk i see thanks

VamsiKrishnak (Tue, 11 Jul 2017 15:11:16 GMT):
@smithbk @here hi, how to check fabric-ca server version

aambati (Tue, 11 Jul 2017 15:13:32 GMT):
@VamsiKrishnak CHANGELOG.md in the fabric-ca root should have version information

VamsiKrishnak (Tue, 11 Jul 2017 15:24:48 GMT):
@aambati is there any specific command like fabric has?

smithbk (Tue, 11 Jul 2017 15:25:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rpTRQY4GekvTcH3Ck) @VamsiKrishnak No, not currently ... needs to be added

VamsiKrishnak (Tue, 11 Jul 2017 15:26:18 GMT):
@smithbk @aambati thanks

smithbk (Tue, 11 Jul 2017 15:40:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zhikcQ5oQue2zn8Y6) @VamsiKrishnak You can subscribe to https://jira.hyperledger.org/browse/FAB-5250 if you want to follow when this goes in

rajeev20 (Tue, 11 Jul 2017 15:47:42 GMT):
Has joined the channel.

JiuZhuYou (Wed, 12 Jul 2017 06:34:29 GMT):
Has joined the channel.

JoostZ (Wed, 12 Jul 2017 09:29:48 GMT):
Has joined the channel.

zhasni (Wed, 12 Jul 2017 09:47:28 GMT):
Hi I still got weird error with custom configuration using post v1.0.0-beta version (rc1 and the finall 1.0.0...) I used to launch in a docker container cli ``` peer chaincode instantiate -o orderer.chainorchestra.net:7050 --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA -C $CHANNEL_NAME -n ex02cc -v 1.0 -p github.com/hyperledger/fabric/examples/chaincode/go/chaincode_example02 -c '{"Args":["init","a", "100", "b","200"]}' -P "OR ('ChainOrchestraInternalMSP.member')" ``` But in post v1.0.0-beta version (rc1 and the finall 1.0.0...) I got this Error MSG ``` Error: unknown shorthand flag: 'p' in -p ``` Since this option is not implemented anymore I launch the same without the -p option ``` peer chaincode instantiate -o orderer.chainorchestra.net:7050 --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA -C $CHANNEL_NAME -n ex02cc -v 1.0 -c '{"Args":["init","a", "100", "b","200"]}' -P "OR ('ChainOrchestraInternalMSP.member')" ``` This result to spawned a new docker image and the corresponding container : ``` dev-peer0.co_internal.chainorchestra.net-ex02cc-1.0 latest 0b781ef1ec30 24 hours ago 173MB ... 28cbee31245a dev-peer0.co_internal.chainorchestra.net-ex02cc-1.0 "chaincode -peer.a..." 24 hours ago Up 24 hours dev-peer0.co_internal.ch ainorchestra.net-ex02cc-1.0 ``` But when I try to interact with this chaincode for example : ``` peer chaincode query -C $CHANNEL_NAME -n ex02cc -c '{"Args":["query","a"]}' ``` I got this error : ``` Error: Error endorsing query: rpc error: code = Unknown desc = could not find chaincode with name 'ex02cc' - make sure the chaincode ex02cc has been successfully instantiated and try again - ``` Same thing for invoque... I haven't try with another chaincode The same procedure/commands works fine with fabric/example/e2e_cli Any Idea what's the cause of this behaviour ? Thx

zhasni (Wed, 12 Jul 2017 09:47:28 GMT):
Hi, I still get a weird error with a custom configuration using the post v1.0.0-beta versions (rc1 and the final 1.0.0...). I used to launch, in a docker container cli:
```
peer chaincode instantiate -o orderer.chainorchestra.net:7050 --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA -C $CHANNEL_NAME -n ex02cc -v 1.0 -p github.com/hyperledger/fabric/examples/chaincode/go/chaincode_example02 -c '{"Args":["init","a", "100", "b","200"]}' -P "OR ('ChainOrchestraInternalMSP.member')"
```
But in the post v1.0.0-beta versions (rc1 and the final 1.0.0...) I get this error message:
```
Error: unknown shorthand flag: 'p' in -p
```
Since this option is not implemented anymore, I launch the same CMD without the -p option:
```
peer chaincode instantiate -o orderer.chainorchestra.net:7050 --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA -C $CHANNEL_NAME -n ex02cc -v 1.0 -c '{"Args":["init","a", "100", "b","200"]}' -P "OR ('ChainOrchestraInternalMSP.member')"
```
This results in a new docker image being spawned, with the corresponding container:
```
dev-peer0.co_internal.chainorchestra.net-ex02cc-1.0 latest 0b781ef1ec30 24 hours ago 173MB
...
28cbee31245a dev-peer0.co_internal.chainorchestra.net-ex02cc-1.0 "chaincode -peer.a..." 24 hours ago Up 24 hours dev-peer0.co_internal.chainorchestra.net-ex02cc-1.0
```
But when I try to interact with this chaincode, for example:
```
peer chaincode query -C $CHANNEL_NAME -n ex02cc -c '{"Args":["query","a"]}'
```
I get this error:
```
Error: Error endorsing query: rpc error: code = Unknown desc = could not find chaincode with name 'ex02cc' - make sure the chaincode ex02cc has been successfully instantiated and try again -
```
Same thing for invoke... I haven't tried with another chaincode. The same procedure/commands work fine with fabric/example/e2e_cli. Any idea what's the cause of this behaviour? Thx

ssaddem (Wed, 12 Jul 2017 17:01:48 GMT):
guys, no new videos on your youtube channel tutorial on how fabric-ca works with peers? architecture, rules, schema ..... now that 1.0 is released

ssaddem (Wed, 12 Jul 2017 17:01:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aTdyAG6XtANXkaqat) @smithbk

smithbk (Wed, 12 Jul 2017 20:57:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=a3RLCpcairCHamSvu) @ssaddem Can you elaborate on what you mean by "architecture rules schema"?

jtsiros (Wed, 12 Jul 2017 22:31:49 GMT):
Has joined the channel.

jtsiros (Wed, 12 Jul 2017 22:35:43 GMT):
hey guys, quick question regarding Fabric CA certificates. Is it possible to use the transaction certs for other purposes such as signing arbitrary pieces of text and having a third party validate that signature (basically a Digital Signature verification and request)

smithbk (Thu, 13 Jul 2017 00:19:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dy3WbbifRzEoJfghv) @jtsiros Yes, that would be possible, but we postponed transaction certificate support until post v1 so that we could revisit the implementation. There are a couple under consideration. But it would be helpful to know more about your use case. Could you elaborate? Are anonymity and unlinkability requirements?

sandroku63 (Thu, 13 Jul 2017 04:04:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kdchaPRbF3qZ3uBpQ) @smithbk hi, I have a problem. I have successfully enrolled an AD account (leveraging an OpenLDAP backend, but proxying the requests to Active Directory), but how do I add the "hf.Revoker" and "hf.IntermediateCA" attributes to the AD account? many thanks

ssaddem (Thu, 13 Jul 2017 08:08:12 GMT):
i meant architecture, rules *and* schema [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aTdyAG6XtANXkaqat) @smithbk

smithbk (Thu, 13 Jul 2017 08:11:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=so5rgbCcG4EZrTNCQ) @ssaddem No youtube, but see https://docs.google.com/document/d/1x7bbSkLt3VLexNMECJXbOYJ3xX8Ck9Q6O6W1dmnVaRQ/edit#heading=h.7c6wruwg6m95 ... Is this the type of content you're looking for?

ssaddem (Thu, 13 Jul 2017 08:18:56 GMT):
thx, I'm gonna read it but (TL;DR) :sweat: a video would be welcome :D

smithbk (Thu, 13 Jul 2017 11:38:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Eb8uTf3kbvBaowcbG) @sandroku63 This would currently require a custom schema for AD. See https://jira.hyperledger.org/browse/FAB-3416 for discussion on this.

jmcnevin (Thu, 13 Jul 2017 14:06:05 GMT):
Quick question... I'm currently thinking about how we could deploy new chaincode across organizations if you need to have peer admin rights to install chaincode on a peer... Is there currently any way that you would be able to create a peer admincert that would be recognized across CAs? Would using intermediate CAs allow for this?

ssaddem (Thu, 13 Jul 2017 14:07:16 GMT):
guys, how can I retrieve, from chaincode, the roles and attributes of the user who sent the request?

ssaddem (Thu, 13 Jul 2017 14:07:26 GMT):
like member srvc

passkit (Thu, 13 Jul 2017 14:12:08 GMT):
```
2017/07/13 21:58:57 [DEBUG] TLS is enabled
2017/07/13 21:58:57 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: CSP:500 - Failed getting key for SKI [[23 66 145 200 134 231 142 136 76 125 59 123 100 249 106 135 238 126 75 234 228 185 33 140 70 43 238 127 168 113 73 128]]
/Users/Nick/Documents/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw/impl.go:257 github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw.(*impl).GetKey
/Users/Nick/Documents/go/src/github.com/hyperledger/fabric-ca/util/csp.go:218 github.com/hyperledger/fabric-ca/util.GetSignerFromCert
/Users/Nick/Documents/go/src/github.com/hyperledger/fabric-ca/util/csp.go:340 github.com/hyperledger/fabric-ca/util.LoadX509KeyPair
/Users/Nick/Documents/go/src/github.com/hyperledger/fabric-ca/lib/server.go:424 github.com/hyperledger/fabric-ca/lib.(*Server).listenAndServe
/Users/Nick/Documents/go/src/github.com/hyperledger/fabric-ca/lib/server.go:124 github.com/hyperledger/fabric-ca/lib.(*Server).Start
/Users/Nick/Documents/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/start.go:41 main.runStart
/Users/Nick/Documents/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute
/Users/Nick/Documents/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC
/Users/Nick/Documents/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute
/Users/Nick/Documents/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:95 main.RunMain
/Users/Nick/Documents/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:82 main.main
/usr/local/go/src/runtime/proc.go:194 runtime.main
/usr/local/go/src/runtime/asm_amd64.s:2198 runtime.goexit
Caused by: Key type not recognized
2017/07/13 21:58:57 [DEBUG] Attempting fallback with certfile /Users/Nick/Downloads/fabric-ca 3/server.full-chain.cert.pem and keyfile /Users/Nick/Downloads/fabric-ca 3/server.key.pem
2017/07/13 21:58:57 [DEBUG] Client authentication type requested: noclientcert
2017/07/13 21:58:57 [INFO] Listening on https://0.0.0.0:7054
```

passkit (Thu, 13 Jul 2017 14:12:34 GMT):
Seeing the above errors when launching fabric-ca v1.0.0

passkit (Thu, 13 Jul 2017 14:14:00 GMT):
From the error message, it seems like BCCSP is searching the keystore folder first, rather than taking the 'certfile' and 'keyfile' provided in the yaml file

passkit (Thu, 13 Jul 2017 14:15:49 GMT):
Is this behaviour expected? I cannot see anything in the documentation

smithbk (Thu, 13 Jul 2017 14:21:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DYPinMXrjMwd6fAeA) @jmcnevin admincerts just does a byte comparison, so I think you could just use the same admincert across multiple orgs. That said, take care that you aren't creating a central point of trust in using a single "root" like user across orgs. I guess it depends on exactly what the use case is.

smithbk (Thu, 13 Jul 2017 14:25:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Euo49rb4qgt6DWXju) @ssaddem This isn't possible in v1 but certainly important for post v1. This was part of transaction certificate support which didn't make v1. See https://jira.hyperledger.org/browse/FAB-3752 for a related issue. I hope to work on that soon which involves putting attributes in enrollment certificates which would give you what you want.

jmcnevin (Thu, 13 Jul 2017 14:26:44 GMT):
Thanks again, @smithbk

aambati (Thu, 13 Jul 2017 14:27:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WBozNMtNzGATuz6WA) @passkit i will look into it...can you provide your yaml file?

aambati (Thu, 13 Jul 2017 14:28:19 GMT):
@passkit sorry, on second look, it seems that message is innocuous

aambati (Thu, 13 Jul 2017 14:28:23 GMT):
it is a debug message

aambati (Thu, 13 Jul 2017 14:28:33 GMT):
i think there is no error

passkit (Thu, 13 Jul 2017 14:29:14 GMT):
Yes - seems benign and then falls back to the keys provided

aambati (Thu, 13 Jul 2017 14:29:19 GMT):
yes

smithbk (Thu, 13 Jul 2017 14:30:10 GMT):
Yes, it tries to find the key in keystore 1st and if it doesn't find it, can import it ... so yes, just a debug message

smithbk (Thu, 13 Jul 2017 14:31:12 GMT):
but will be fixed to not log stack trace

passkit (Thu, 13 Jul 2017 14:31:54 GMT):
That would help - the stack trace made me think it was something more serious.

smithbk (Thu, 13 Jul 2017 14:35:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FvDpQ6uD2QPM6atXD) @aambati @vpaprots Vlad, can you take a look?

ssaddem (Thu, 13 Jul 2017 14:40:43 GMT):
@smithbk thx, but when should it be implemented, or at least knowing the admin?

smithbk (Thu, 13 Jul 2017 14:43:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rMQDvdxAQwZBfd3v5) @ssaddem The admincerts are already implemented ... not sure I understand

passkit (Thu, 13 Jul 2017 14:53:30 GMT):
One more quick question - how to get a CRL from fabric-ca. Cannot see anything in the documentation or swagger file.

smithbk (Thu, 13 Jul 2017 15:04:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NagosSruqMMGoW6GQ) @passkit We currently assume that the same client that revokes a certificate will add to the CRL of fabric, in which case you don't need to get a CRL; this assumption will be removed in the future though. See https://jira.hyperledger.org/browse/FAB-5300

passkit (Thu, 13 Jul 2017 15:08:22 GMT):
Yes, that's a pretty big assumption. There is a big difference in implementing an api command and compiling and signing a CRL file.

smithbk (Thu, 13 Jul 2017 15:09:44 GMT):
How will you use the CRL?

passkit (Thu, 13 Jul 2017 15:19:25 GMT):
We are building a B to C application. If users stop subscribing, then they will lose their rights to access the chain. We will revoke their certificate. Volumes will be large and will require automation. We therefore wish to automate the generation of a CRL and applying it to the chain.

smithbk (Thu, 13 Jul 2017 15:21:09 GMT):
ok, thanks ... could you add that use case to https://jira.hyperledger.org/browse/FAB-5300 ... would be helpful to prioritize

ssaddem (Thu, 13 Jul 2017 15:29:15 GMT):
@smithbk I mean, in chaincode I want to implement RBAC, so I have to implement the user list in my ledger and only allow the admin to manage this list

smithbk (Thu, 13 Jul 2017 15:34:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HjtYEoNZnn7QX3eo2) @ssaddem I plan to start on https://jira.hyperledger.org/browse/FAB-3752 (which will include general RBAC for ecerts) by early next week. I'll try to keep it updated with status so you can monitor it. Not sure at this point how long it will take.

ssaddem (Thu, 13 Jul 2017 15:37:55 GMT):
@smithbk thx a lot

smithbk (Thu, 13 Jul 2017 15:38:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=igux9h6BCZctpvKc8) @ssaddem np ... thanks for the input

passkit (Thu, 13 Jul 2017 15:46:12 GMT):
@smithbk have updated the issue. I think currently it is impossible to generate a CRL without manual queries against the fabric database, since items like serial numbers are not readily available via the API. Manually generating CRL files with openssl requires the maintenance of an openssl certificate database file - the need to manage 2 separate databases conflicts with the objectives of fabric-ca.

smithbk (Thu, 13 Jul 2017 15:47:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4f9MeMpbXjbNDYRDG) @passkit Totally agree ... definitely needed

passkit (Thu, 13 Jul 2017 15:49:23 GMT):
I see that cloudflare have already implemented an API, so it may not be too much work. If the issue drags on, then I may look at it myself, but now I have little capacity to do so.

smithbk (Thu, 13 Jul 2017 15:50:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ReGo9uTyNnKiQ25Wz) @passkit Yeh, I don't think it will be very difficult ... any help is welcomed if we don't get to it before you free up

skarim (Thu, 13 Jul 2017 17:47:12 GMT):
Please see proposal on handling fabric-ca attributes with LDAP configured. https://jira.hyperledger.org/browse/FAB-3416?focusedCommentId=28332&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-28332

vpaprots (Thu, 13 Jul 2017 17:54:36 GMT):
@passkit Did that error actually kill the executable? [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=km4Qk4CH65XMJSsju)

passkit (Thu, 13 Jul 2017 17:54:51 GMT):
No, not at all

vpaprots (Thu, 13 Jul 2017 17:54:53 GMT):
looks to me like an excessively loud debug message that I put in..

vpaprots (Thu, 13 Jul 2017 17:54:59 GMT):
(sorry about that)

vpaprots (Thu, 13 Jul 2017 17:55:19 GMT):
the key point there is the `Attempting fallback with certfile...`

vpaprots (Thu, 13 Jul 2017 17:55:24 GMT):
and it looks like that worked..

vpaprots (Thu, 13 Jul 2017 17:56:25 GMT):
you could shut it up if you copy your tls keyfile into your bccsp keystore

vpaprots (Thu, 13 Jul 2017 17:56:51 GMT):
(look for a folder `keystore`)

vpaprots (Thu, 13 Jul 2017 17:58:56 GMT):
its probably configured in your config file, where the keystore directory is..

vpaprots (Thu, 13 Jul 2017 17:59:05 GMT):
(under the bccsp stanza)

passkit (Thu, 13 Jul 2017 17:59:44 GMT):
Yeah, it's not a problem really. Calculating the SKI for the filename is too much trouble.

vpaprots (Thu, 13 Jul 2017 18:00:05 GMT):
oh, you don't have to

vpaprots (Thu, 13 Jul 2017 18:00:09 GMT):
just move it there..

vpaprots (Thu, 13 Jul 2017 18:00:35 GMT):
if at first it can't find the SKI by name.. it will open the files there and match the SKI to what it opened

vpaprots (Thu, 13 Jul 2017 18:01:43 GMT):
(just don't go pointing your keystore to `/tmp` or some such! that's a lot of files it will try to open. Need to put some defensive checks there. Though, not something you have to worry about with the default config)

passkit (Thu, 13 Jul 2017 18:04:36 GMT):
For my setup, I run in a container and then pull the crypto materials from s3 using IAM roles - I was caching keys for the CAs but then it would crash because it expected a full MSP setup and could not find a CA folder.

passkit (Thu, 13 Jul 2017 18:05:46 GMT):
Feels a bit convoluted. Either accept the file paths OR go with MSP and Keystore. Now it tries to do both, but I can see little benefit in the keystore search seeing that the file has to be specified and present in the config file

vpaprots (Thu, 13 Jul 2017 18:06:37 GMT):
ah.. we started with specifying files only..

vpaprots (Thu, 13 Jul 2017 18:08:07 GMT):
but that only lets you specify software keys.. we also need to be able to store keys elsewhere (concrete example, a crypto card, but not limited to that.. curiously you could probably modify BCCSP to teach it about S3.. interesting)

vpaprots (Thu, 13 Jul 2017 18:09:09 GMT):
I don't think that you need to specify the keyfile in the config, do you? just the cert

passkit (Thu, 13 Jul 2017 18:09:39 GMT):
Not sure - to be honest I hadn't tried and the docs make no mention of a keystore.

agunde (Thu, 13 Jul 2017 19:36:31 GMT):
Has joined the channel.

ShermanHLee (Thu, 13 Jul 2017 20:36:48 GMT):
Hi all, would anyone know if inside fabric-ca there is a private key that I may use to arbitrarily generate a digital signature for users, and if so what kind of algorithm would that key be using? I am trying to write a utility tool for this purpose

smithbk (Thu, 13 Jul 2017 20:58:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Hwrs6AjWA3GqBuMar) @ShermanHLee Is this tool for interacting with the blockchain? If yes, the node or java SDK would be the way to go

ShermanHLee (Thu, 13 Jul 2017 21:14:11 GMT):
To be more specific, I am trying to create a public key from some ecdsa private key, and then expect to produce a signature that can be used for validation. What would your suggestion be in that case?

smithbk (Thu, 13 Jul 2017 23:40:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XqotAZ5dLHDkG7FGs) @ShermanHLee Do you have a language preference? If using golang, you could use the fabric/bccsp abstraction or if you want to use the ecdsa classes directly, see fabric/bccsp/sw/ecdsa.go and how they make use of this package: https://golang.org/pkg/crypto/ecdsa/

smithbk (Thu, 13 Jul 2017 23:41:52 GMT):
Note the Public function on the PrivateKey class to get the public key from the private key: https://golang.org/pkg/crypto/ecdsa/#PrivateKey

ShermanHLee (Thu, 13 Jul 2017 23:54:04 GMT):
I am using golang indeed; I made some progress using the ecdsa package earlier. Thank you for pointing me to the bccsp package. My follow-up question is this: are there existing ecdsa private keys stored on the user side of the network that I can use as input for the validation logic?

smithbk (Thu, 13 Jul 2017 23:55:35 GMT):
1st, you're going to use the private key to sign and public key to verify

smithbk (Thu, 13 Jul 2017 23:56:23 GMT):
The location of the private key depends on where the key pair is generated

smithbk (Thu, 13 Jul 2017 23:56:33 GMT):
and stored

ShermanHLee (Thu, 13 Jul 2017 23:57:34 GMT):
@smithbk Just to be clear, I cannot use any of the certificates generated by member services?

ShermanHLee (Thu, 13 Jul 2017 23:58:22 GMT):
I'm trying to avoid generating new key pairs and want to reuse the certificates that are already there

smithbk (Thu, 13 Jul 2017 23:59:03 GMT):
Yes, you could ... if you want to get certs issued from fabric ca, I'd recommend using the fabric-ca/lib/Client APIs as are used by fabric-ca/cmd/fabric-ca-client

smithbk (Thu, 13 Jul 2017 23:59:47 GMT):
When using the lib/Client class, you call Enroll and it returns an Identity object

smithbk (Fri, 14 Jul 2017 00:00:47 GMT):
That has a GetECert function

ShermanHLee (Fri, 14 Jul 2017 00:01:27 GMT):
I have already accomplished this; what about the msp directory? Are there keys inside that I will be able to use?

smithbk (Fri, 14 Jul 2017 00:01:55 GMT):
Yes, the msp/keystore contains the private keys

ShermanHLee (Fri, 14 Jul 2017 00:02:24 GMT):
So can I parse that as a ecdsa private key?

smithbk (Fri, 14 Jul 2017 00:02:29 GMT):
yes

smithbk (Fri, 14 Jul 2017 00:03:13 GMT):
though you could also just use GetECert().Key() and drill down from there also

smithbk (Fri, 14 Jul 2017 00:03:24 GMT):
up to you

ShermanHLee (Fri, 14 Jul 2017 00:03:37 GMT):
Awesome that has cleared things up a bit

ShermanHLee (Fri, 14 Jul 2017 00:04:19 GMT):
What format would I need to parse the private key in go?

ShermanHLee (Fri, 14 Jul 2017 00:04:58 GMT):
I have been running into some errors on that, for example:
```
x509: failed to parse EC private key: asn1: structure error: tags don't match (4 vs {class:0 tag:16 length:19 isCompound:true}) {optional:false explicit:false application:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false} @5
```

smithbk (Fri, 14 Jul 2017 00:05:53 GMT):
The file is a PEM-encoded file if that's what you mean

smithbk (Fri, 14 Jul 2017 00:06:35 GMT):
Actually, one benefit of using the lib classes rather than trying to do this yourself is that it would also work if there is an HSM involved

smithbk (Fri, 14 Jul 2017 00:07:01 GMT):
If you try to load files directly out of keystore, it will not support HSMs

ShermanHLee (Fri, 14 Jul 2017 00:08:03 GMT):
I think currently there is only lib support for Java and Node

smithbk (Fri, 14 Jul 2017 00:08:23 GMT):
I mean the fabric-ca/lib classes

smithbk (Fri, 14 Jul 2017 00:08:31 GMT):
in go

smithbk (Fri, 14 Jul 2017 00:09:14 GMT):
We should probably take this off this channel and do direct

ShermanHLee (Fri, 14 Jul 2017 00:09:15 GMT):
What if you want to do it on a mobile device instead?

sandroku63 (Fri, 14 Jul 2017 02:02:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4P236wrnmReJMXaZi) @smithbk OK, Thank you for your reply.

zhangmenghang (Fri, 14 Jul 2017 08:25:58 GMT):
Has joined the channel.

jtclark (Fri, 14 Jul 2017 13:42:22 GMT):
hi all

skarim (Fri, 14 Jul 2017 13:42:48 GMT):
@channel Please see proposal on handling fabric-ca attributes with LDAP configured. If any objections to the approach outlined please let us know. Thanks. https://jira.hyperledger.org/browse/FAB-3416?focusedCommentId=28332&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-28332

jtclark (Fri, 14 Jul 2017 13:43:40 GMT):
need some help with something... trying to get safesql running locally against the lib/ and lib/dbutil packages

jtclark (Fri, 14 Jul 2017 13:43:48 GMT):
I'm having an issue with getting the packages to load

jtclark (Fri, 14 Jul 2017 13:44:18 GMT):
eventually, this will be added to our daily test suite

jtclark (Fri, 14 Jul 2017 13:45:02 GMT):
so, I'd like to get it working locally in order to figure out how to script the automation around the jenkins job that will run safesql on a daily basis

jtclark (Fri, 14 Jul 2017 13:45:18 GMT):
when I run it, I see the following error:

jtclark (Fri, 14 Jul 2017 13:45:25 GMT):
`go/src/fabric-ca/vendor/github.com/miekg/pkcs11/pkcs11.go:29:10: fatal error: 'ltdl.h' file not found`

jtclark (Fri, 14 Jul 2017 13:46:26 GMT):
not sure if this is an environment variable, or path issue.....

yacovm (Fri, 14 Jul 2017 14:18:58 GMT):
`sudo apt-get install libltdl-dev`

jtclark (Fri, 14 Jul 2017 17:08:25 GMT):
@yacovm +1

jtclark (Fri, 14 Jul 2017 17:08:43 GMT):
qq... would anyone object to adding a vagrantfile to fabric-ca?

jtclark (Fri, 14 Jul 2017 17:09:25 GMT):
just to have an isolated linux env to test in....

smithbk (Fri, 14 Jul 2017 19:16:06 GMT):
np with adding vagrantfile from my perspective, but you could also use docker, right? I thought we were trying to move away from vagrant in general

jtclark (Fri, 14 Jul 2017 19:34:40 GMT):
true.

jtclark (Fri, 14 Jul 2017 19:34:52 GMT):
perhaps a dockerfile is a better choice.

smithbk (Fri, 14 Jul 2017 19:36:42 GMT):
We already build an FVT docker image to which you could add any dependencies for CI which are not also dependencies for the normal runtime

smithbk (Fri, 14 Jul 2017 19:38:39 GMT):
Here is my little script which builds the image and "logs me in" to the image which you could start with

smithbk (Fri, 14 Jul 2017 19:38:50 GMT):
```
cd $GOPATH/src/github.com/hyperledger/fabric-ca
make docker-clean
make docker-fvt
docker run -v $PWD:/opt/gopath/src/github.com/hyperledger/fabric-ca -ti hyperledger/fabric-ca-fvt bash
```

smithbk (Fri, 14 Jul 2017 19:40:26 GMT):
And the docker file (or what it is built from) is at fabric-ca/images/fabric-ca-fvt/Dockerfile.in

jtclark (Fri, 14 Jul 2017 20:20:26 GMT):
:thumbsup:

smithbk (Fri, 14 Jul 2017 20:30:39 GMT):
oh, and you can just add a script to the fabric-ca/scripts/fvt directory to run safesql and it will automatically be run as part of CI. If it exits with non-zero, CI will fail

smithbk (Fri, 14 Jul 2017 20:31:30 GMT):
@rennman is the FVT guru and can help with that if needed

sileicheng (Mon, 17 Jul 2017 01:08:26 GMT):
Has joined the channel.

dushyantbehl (Mon, 17 Jul 2017 07:56:03 GMT):
Has joined the channel.

FollowingGhosts (Mon, 17 Jul 2017 09:38:28 GMT):
Has joined the channel.

linyuadam (Mon, 17 Jul 2017 10:11:45 GMT):
Hi all, I have a question about how the SDK talks to the CA when TLS is enabled, because I cannot see any TLS cert that needs to be used in the SDK.

Vadim (Mon, 17 Jul 2017 10:50:01 GMT):
@linyuadam I suppose you ask about the node-sdk? It looks like it's disabled in tests, but I guess you can just enable it and provide your trusted roots: https://github.com/hyperledger/fabric-sdk-node/blob/release/test/integration/fabric-ca-services-tests.js#L55

jtclark (Mon, 17 Jul 2017 13:21:28 GMT):
@smithbk :point_up: I'm going to look into this

jtclark (Mon, 17 Jul 2017 13:21:53 GMT):
i.e adding the script to fabric-ca/scripts/fvt

smithbk (Mon, 17 Jul 2017 13:22:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=X97JppzSa8yp2HsNg) @jtclark sounds good

jtclark (Mon, 17 Jul 2017 13:26:44 GMT):
@smithbk what do you think the best practice is (inside this project) to load the safesql go package prior to running it in the script?

smithbk (Mon, 17 Jul 2017 13:30:19 GMT):
@jtclark Add an apt-get entry to fabric-ca/images/fabric-ca-fvt/Dockerfile.in to install safesql

jtclark (Mon, 17 Jul 2017 13:30:32 GMT):
ah

jtclark (Mon, 17 Jul 2017 13:30:32 GMT):
ok

jtclark (Mon, 17 Jul 2017 13:30:50 GMT):
go get or apt-get?

jtclark (Mon, 17 Jul 2017 13:30:57 GMT):
not sure it's a deb pkg

smithbk (Mon, 17 Jul 2017 13:31:03 GMT):
either

jtclark (Mon, 17 Jul 2017 13:31:36 GMT):
:thumbsup:

jtclark (Mon, 17 Jul 2017 13:33:09 GMT):
ah yes....I see where you've added the go deps....

jtclark (Mon, 17 Jul 2017 15:08:17 GMT):
@smithbk the output generated from safesql... currently, I'm redirecting that output to a file called `safesql_report.log`. I'd like that report to be viewable via CI (so the devs can correct any sql injections found, etc.)

jtclark (Mon, 17 Jul 2017 15:08:55 GMT):
from the fabric-ca project, I assume there's a best practice for exposing this file up to the CI (i.e. publisher in JJB)

jtclark (Mon, 17 Jul 2017 15:08:57 GMT):
?

jtclark (Mon, 17 Jul 2017 15:10:09 GMT):
well, lemme prep the patch, and you can see exactly what's going on here...

jtclark (Mon, 17 Jul 2017 15:13:23 GMT):
@smithbk https://gerrit.hyperledger.org/r/#/c/11687/

smithbk (Mon, 17 Jul 2017 15:41:09 GMT):
@rennman Allen is the FVT guru. Allen can you help @jtclark ? Thanks

jtclark (Mon, 17 Jul 2017 15:47:15 GMT):
@smithbk thx

rameshthoomu (Mon, 17 Jul 2017 16:10:23 GMT):
@jtclark yes, we can keep this as an artifact on each fabric-ca job.. But if we print this log in the docker container then we have to use the `docker cp` command to copy the .log file to the local file system

jtclark (Mon, 17 Jul 2017 16:11:08 GMT):
I see. I should add that step at the end of the script

rameshthoomu (Mon, 17 Jul 2017 16:13:12 GMT):
yes

rameshthoomu (Mon, 17 Jul 2017 16:14:00 GMT):
Did you test this patch? https://gerrit.hyperledger.org/r/#/c/11687/

jtclark (Mon, 17 Jul 2017 16:17:37 GMT):
@rameshthoomu about to test it locally, if i can

rameshthoomu (Mon, 17 Jul 2017 16:18:03 GMT):
ok.. Before submitting the next patch, please test this locally..

smithbk (Mon, 17 Jul 2017 18:36:33 GMT):
I'm beginning work on RBAC (Role-Based Access Control) for enrollment certificates. See https://jira.hyperledger.org/browse/FAB-5346 ... comments welcome

lehors (Mon, 17 Jul 2017 22:34:22 GMT):
@smithbk I'm facing some issues with the unit-tests on vagrant and would like some explanation, who should I ask about the server API?

smithbk (Mon, 17 Jul 2017 22:37:19 GMT):
@lehors What issues?

lehors (Mon, 17 Jul 2017 22:38:00 GMT):
essentially there are tests that fail because the temp data isn't cleaned before the test starts

lehors (Mon, 17 Jul 2017 22:39:05 GMT):
there are a bunch of os.RemoveAll calls in the code but the error code isn't tested, and while it evidently works fine on other platforms it fails on Windows with a "text file busy"

lehors (Mon, 17 Jul 2017 22:39:49 GMT):
I'm trying to find the source of the problem - but I can't seem to find why the file is still open

lehors (Mon, 17 Jul 2017 22:40:33 GMT):
I've addressed some such problems, and submitted a CR last week but I'm now facing some that I can't seem to crack

smithbk (Mon, 17 Jul 2017 22:40:58 GMT):
Yeh, I'd have to find a windows machine to reproduce. If you can put some data in jira, I'll be glad to investigate

lehors (Mon, 17 Jul 2017 22:41:44 GMT):
nah, I'm not asking you to solve it (yet ;-), I just need to understand how the API is meant to be used

lehors (Mon, 17 Jul 2017 22:42:22 GMT):
for one thing, what is the point of the renew parameter in server.Init(renew) ?

smithbk (Mon, 17 Jul 2017 22:43:11 GMT):
If true, it will recreate the signing key crypto material even if it already exists

lehors (Mon, 17 Jul 2017 22:43:23 GMT):
ah ok

lehors (Mon, 17 Jul 2017 22:44:32 GMT):
can you please walk with me through lib/server_test.go:TestServerInit() ?

lehors (Mon, 17 Jul 2017 22:44:41 GMT):
it calls Init twice with false

lehors (Mon, 17 Jul 2017 22:44:46 GMT):
then once with true

smithbk (Mon, 17 Jul 2017 22:45:58 GMT):
Each test is as follows

smithbk (Mon, 17 Jul 2017 22:47:01 GMT):
1) make sure it creates cert with renew false and doesn't exist

smithbk (Mon, 17 Jul 2017 22:47:37 GMT):
2) doesn't create cert and does exist (because it was created in step 1)

smithbk (Mon, 17 Jul 2017 22:47:56 GMT):
3) make sure it creates cert with renew true and does exist (again from step 1)

lehors (Mon, 17 Jul 2017 22:48:16 GMT):
ok

smithbk (Mon, 17 Jul 2017 22:48:17 GMT):
those are the 3 cases to get test coverage

lehors (Mon, 17 Jul 2017 22:48:36 GMT):
in all this it only creates one db, right?

lehors (Mon, 17 Jul 2017 22:48:42 GMT):
the default ca

smithbk (Mon, 17 Jul 2017 22:49:09 GMT):
there are tests for multiple CAs also, but in this test case, yes

smithbk (Mon, 17 Jul 2017 22:49:13 GMT):
only default CA

smithbk (Mon, 17 Jul 2017 22:49:27 GMT):
i have to run to dinner ... will check back later

lehors (Mon, 17 Jul 2017 22:49:33 GMT):
sure, thanks

linyuadam (Tue, 18 Jul 2017 03:30:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RRdQiqxAALjjpEr7a) @Vadim Got it. Thank you.

rohitrocket (Tue, 18 Jul 2017 09:41:27 GMT):
Has joined the channel.

rohitrocket (Tue, 18 Jul 2017 10:06:36 GMT):
Does anyone have a Google doc made by users within this community on MSP and fabric-ca?

smithbk (Tue, 18 Jul 2017 11:11:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=exo3pbk3bwPzwEsPL) @rohitrocket Not sure exactly what you're looking for (made by users?), but here is the one on MSP: https://docs.google.com/document/d/1Qg7ZEccOIsrShSHSNl4kBHOFvLYRhQ3903srJ6c_AZE/edit#heading=h.2rmho7iqstbu and the one on fabric CA security: https://docs.google.com/document/d/1x7bbSkLt3VLexNMECJXbOYJ3xX8Ck9Q6O6W1dmnVaRQ/edit#heading=h.7c6wruwg6m95 and fabric CA user's guide: http://hyperledgerdocs.readthedocs.io/en/latest/Setup/ca-setup.html

rohitrocket (Tue, 18 Jul 2017 11:14:43 GMT):
Okay thanks. No I saw the older messages here and someone was writing a doc based on the issues and concepts of MSP and CA.

rohitrocket (Tue, 18 Jul 2017 11:15:05 GMT):
that's why I asked here... anyways I will look into it. thanks again :)

narayanprusty (Tue, 18 Jul 2017 11:49:37 GMT):
Has joined the channel.

narayanprusty (Tue, 18 Jul 2017 11:50:02 GMT):
I wanted to know a bit about membership. When I generate crypto files from the cryptogen tool I don't see that all of the crypto files are generated from a root CA. They are all just pub/priv keys of different orgs which are put in the genesis block. So how does authentication for adding/removing organisations from the network work? Can any organisation that is part of the network add/remove any other organisation?

smithbk (Tue, 18 Jul 2017 15:06:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LbQWiaFSzAGhgGqvE) @narayanprusty See section 3 entitled "Channel Access Control" of https://docs.google.com/document/d/1Qg7ZEccOIsrShSHSNl4kBHOFvLYRhQ3903srJ6c_AZE and note the following paragraph:

smithbk (Tue, 18 Jul 2017 15:07:29 GMT):
The admins of the channel or “channelAdmins”, i.e., the policy to authenticate any request associated to reconfiguration of specific channel parameters. Admins may determine the identities or groups of identities (MSPPrincipals, and the way to combine them) that have admin access to the chain configuration. Such policies specify the (combination of) MSPPrincipals that should sign chain-specific reconfigurations for the reconfiguration to be applied.

smithbk (Tue, 18 Jul 2017 15:08:43 GMT):
The policy for who is required to approve addition or removal of an organization is configurable and can require signatures from all organizations if that is what you want

lehors (Tue, 18 Jul 2017 16:10:01 GMT):
@smithbk hi, following up on last night's discussion, I have found that unless the CA DB is closed between two calls to server.Init I end up with a failure trying to remove the DB file (fabric-ca-server.db): "text file busy"

lehors (Tue, 18 Jul 2017 16:11:43 GMT):
I've been digging into the code and one thing I don't quite understand is why a new DB is created every time

lehors (Tue, 18 Jul 2017 16:12:21 GMT):
there is code to check that the db already exists, if it does it skips the whole initialization process but it then still opens a sqlx.DB

lehors (Tue, 18 Jul 2017 16:12:29 GMT):
that seems to be the source of the problem

lehors (Tue, 18 Jul 2017 16:13:43 GMT):
do you know the logic behind this?

lehors (Tue, 18 Jul 2017 16:18:55 GMT):
I added to TestServerInit code to close the DB between calls to server.Init and the problem goes away

lehors (Tue, 18 Jul 2017 16:19:27 GMT):
so it seems that for every open we need a close or the file will remain locked and the delete fails

lehors (Tue, 18 Jul 2017 16:20:31 GMT):
just closing it once after the multiple Inits doesn't suffice

smithbk (Tue, 18 Jul 2017 16:37:41 GMT):
good catch ... sounds like the correct fix would be to add to server.Stop to close the DB for all CAs and then add a call to Stop in the test case after each Init

lehors (Tue, 18 Jul 2017 16:38:25 GMT):
yeah, it's a bit more tricky actually because the server isn't started in this case

lehors (Tue, 18 Jul 2017 16:38:38 GMT):
but ok, you're confirming that I'm on the right track

lehors (Tue, 18 Jul 2017 16:39:03 GMT):
I will keep working on my CR :)

smithbk (Tue, 18 Jul 2017 16:39:48 GMT):
yeh, or could create a server.Clean that is the opposite of server.Init ... and then Clean is also called from Stop ... just a thought

lehors (Tue, 18 Jul 2017 16:40:12 GMT):
very good, this is exactly what I'm doing :-)

smithbk (Tue, 18 Jul 2017 16:40:22 GMT):
cool .. thanks

yeyc.linuxf (Wed, 19 Jul 2017 06:32:02 GMT):
Has joined the channel.

AmitDubey (Wed, 19 Jul 2017 10:09:33 GMT):
Has joined the channel.

AmitDubey (Wed, 19 Jul 2017 10:10:50 GMT):
Hi All, is anyone facing issues with fabric-ca npm install in the fabric-samples repo?

AmitDubey (Wed, 19 Jul 2017 10:11:21 GMT):
for fabcar, to be specific

smithbk (Wed, 19 Jul 2017 13:33:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZhrjDeNSfc2Qpjvf6) @AmitDubey Try asking on the fabric-sdk-node channel

jtclark (Wed, 19 Jul 2017 13:44:57 GMT):
GM

jtclark (Wed, 19 Jul 2017 13:45:40 GMT):
@smithbk, @rennman still working on adding safesql to the fvt tests.... at the point where I'm seeing "cannot import absolute path" when the script runs

jtclark (Wed, 19 Jul 2017 13:46:52 GMT):
not a golang wiz, but apparently there's an issue with providing the abs path to the pkgs that I want to inspect for SQL injections

pvrbharg (Wed, 19 Jul 2017 15:27:18 GMT):
@smithbk @bkvellanki @mastersingh24 @muralisr @aambati @skarim Team - I want to make sure the following are possible CA options for our customers and I did not miss anything or stating anything incorrectly. I did have this question from multiple customers. Thanks.

pvrbharg (Wed, 19 Jul 2017 15:27:21 GMT):
Customer CA options
+++++++++++++++++++
Option 1: Use the Hyperledger Fabric CA as a Certificate Authority (CA) for Hyperledger Fabric (both client and server components). Use HSM capability for private key protection.
Option 2: Have your fabric-CA-Server work with Root and Intermediate CA providers such as DigiCert and VeriSign - work with your in-house processes to set the Hyperledger Fabric CA to work with commercial CA providers.
Option 3: Not use Hyperledger Fabric CA as a Certificate Authority (CA) for Hyperledger Fabric at all and get the commercial CA providers to work with your needs.
Option 4: Use the cryptogen tool - for sandbox, dev and other testing purposes - IBM self-signed certificate provisioning tool.
+++++++++++++++++++

aambati (Wed, 19 Jul 2017 15:29:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iEYeRFwmN5dB5ethW) @jtclark I can work with you , can you please ping me the error message

aambati (Wed, 19 Jul 2017 15:32:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NNb8AG5FdTFmikdfT) @pvrbharg i think those are the possible options

pvrbharg (Wed, 19 Jul 2017 15:36:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=McR96SsXGF5FannRq) @aambati Thank you, and I have not missed anything else, correct? (When I say commercial CA providers, I also consider multiple of them if relevant, and one or more intermediate CAs (chain of certs all the way up to root).) Please let me know and I will get back to our customers. Thanks.

smithbk (Wed, 19 Jul 2017 15:45:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZpJzjDb5fsmZCizda) @pvrbharg Yes, those are the options, but I should clarify what the following means: "work with your in-house processes to set the Hyperledger Fabric CA work with commercial CA providers". In particular, it means that fabric-ca-server can use a CA signing certificate which is issued by another CA (e.g. DigiCert, VeriSign, in-house, etc). A "CA signing certificate" is one that has the X509v3 Basic Constraints CA bit set to true. It does not mean that the fabric-ca-server process communicates with another type of CA via some API or REST calls, because no such standard APIs exist across all CAs.

agunde (Wed, 19 Jul 2017 15:46:35 GMT):
Has left the channel.

pvrbharg (Wed, 19 Jul 2017 15:53:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9unB4qgQ994AGYNGi) @smithbk I gratefully thank you, Keith - makes the point very very clear - "Have CA signing certificate with X509v3 Basic Constraints CA bit set to true provisioned by means other than API or REST calls - to use with fabric-ca-server". This is what I would revise and make it more clear. THANK YOU

baoyangc (Wed, 19 Jul 2017 17:01:39 GMT):
```
017/07/19 16:55:50 [DEBUG] Received request POST /api/v1/register Authorization: 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.MEUCIQDnisX6NRuBRpuezKfxzcjphUWRijHOoI1AFItTgCnJMQIgajiGG9Bfs+2yE22miFp/PRA+es211Kny23vN10lZ6tg= {"id":"chai22","type":"client","affiliation":"org1","max_enrollments":0,"attrs":[],"caName":"ca.org1.sdchoi.com"}
2017/07/19 16:55:50 [DEBUG] Directing traffic to CA ca.org1.sdchoi.com
2017/07/19 16:55:50 [DEBUG] Checking for revocation/expiration of certificate owned by 'Admin@org1.sdchoi.com'
2017/07/19 16:55:50 [DEBUG] DB: Get certificate by serial (2f11aaba06f60e382d5ad137b640eb15) and aki (26f2873d1e7dae3be807a5788c17d50e188bcd2719acfbb103847744af33d01f)
2017/07/19 16:55:50 [ERROR] No certificates found for provided serial and aki
root@k8s3:~#
```
when I execute `composer identity import -p org1 -u Org1Admin -c crypto-config/peerOrganizations/org1.sdchoi.com/users/Admin@org1.sdchoi.com/msp/signcerts/Admin@org1.sdchoi.com-cert.pem -k crypto-config/peerOrganizations/org1.sdchoi.com/users/Adm

baoyangc (Wed, 19 Jul 2017 17:02:02 GMT):
what does this error mean?

smithbk (Wed, 19 Jul 2017 17:17:15 GMT):
It means the certificate that was used to sign the register request could not be found in the fabric-ca's DB. Is it possible that the server's DB was deleted and recreated when restarting the fabric-ca-server?

baoyangc (Wed, 19 Jul 2017 18:01:57 GMT):
yes restarted

baoyangc (Wed, 19 Jul 2017 18:02:02 GMT):
thanks

baoyangc (Wed, 19 Jul 2017 18:02:53 GMT):
but why can I add a participant with the same certificate?

baoyangc (Wed, 19 Jul 2017 18:03:25 GMT):
```
DEBUG=* composer participant add -p org1 -n 'banquanjia' -i Org1Admin -s adminpw -d '{"$class":"cn.bqj.copyright.BanquanjiaUser","userId":"chai24","createTime":"2017-06-29T07:11:44z","email":"sdfas@gmail.com"}'
ibm-concerto Factory.newResource created chai24 +0ms
Participant was added to participant registry.
Command succeeded
```

RezwanKabir (Wed, 19 Jul 2017 18:10:48 GMT):
Has joined the channel.

smithbk (Wed, 19 Jul 2017 18:50:54 GMT):
@baoyangc I'm not sure what composer is doing there. What is it calling in fabric ca?

gauthampamu (Thu, 20 Jul 2017 00:17:29 GMT):
Has joined the channel.

gauthampamu (Thu, 20 Jul 2017 00:22:05 GMT):
In the fabric-samples, the first-network sample does not start a CA, but cryptogen creates a few users. Is it possible to use these credentials to connect to the network with Node.js? If you look at the Node.js application invoke.js in fabcar, it provides the wallet path that contains three files (pub, priv and a file with PeerAdmin). The cryptogen tool generates two folders, Admin@org1.example.com and User1@org1.example.com, in the first-network sample, so how should we use the files in the msp and tls folders under this directory in the Node.js application to connect? Thanks in advance.

gauthampamu (Thu, 20 Jul 2017 00:25:06 GMT):
The documentation explains that the application will need to connect to the CA to enroll new users, but it does not explain how the network (peer or orderer) is authenticating the request before processing it.

rohitrocket (Thu, 20 Jul 2017 08:36:12 GMT):
hi all

chifalcon (Thu, 20 Jul 2017 09:12:25 GMT):
Has joined the channel.

chifalcon (Thu, 20 Jul 2017 09:12:30 GMT):
Dear all, I am developing on Fabric 1.0. As I know, each transaction requires a TCert, to make the transaction only visible inside a channel. This is done by encrypting the Tx data using each channel member's vkeys (TCerts). For example: channel 1 has members A, B, C, D, and A and B conducted a Tx1. This Tx data will be encrypted by A's private key VkeyA and B's private key VkeyB before updating the channel ledger. Since C and D in this same channel are supposed to be able to see the Tx content, this Tx will also be encrypted by C's VkeyC and D's VkeyD. Therefore, if the member count for a channel is big, the key management will be super heavy. Can you please tell me if my understanding is correct, or not? If it is really like this, I guess it is questionable that transaction throughput can be high because of the heavy encryption before committing and the TCert issuing workload. -- thanks. -Eric

chifalcon (Thu, 20 Jul 2017 09:43:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6XPKgiCSF4iy26oQj) @rohitrocket try removing the double quotation marks. Otherwise, ensure that the username and pw are the same ones you used when running fabric-ca-server init -b username:pw

Sujeeban (Thu, 20 Jul 2017 09:43:45 GMT):
Has joined the channel.

smithbk (Thu, 20 Jul 2017 12:20:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6XPKgiCSF4iy26oQj) @rohitrocket Hmm ... I've never seen this. What version of fabric-ca are you using? What OS are you on? What steps did you take to reproduce? Perhaps try "export FABRIC_CA_CLIENT_HOME=/tmp/client" first and try again to make it recreate the config file.

rohitrocket (Thu, 20 Jul 2017 12:21:05 GMT):
sure @smithbk

smithbk (Thu, 20 Jul 2017 12:29:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8h3A8Ht8KD2dArWNf) @gauthampamu The admin and users created by cryptogen can't be imported into fabric-ca. For how to get the node SDK to read the cryptogen identity info from disk, you could ask @jimthematrix or post on the fabric-sdk-node channel. But if you are talking about registering and enrolling, then that requires using fabric-ca in which case you can't use the admin and users as generated by cryptogen. You might look at the fabric-ca-cryptogen.sh script on the change set at https://gerrit.hyperledger.org/r/#/c/10871/ to see how to create a crypto-config with identities using fabric-ca

gauthampamu (Thu, 20 Jul 2017 12:35:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TyRKdy8p3pgmTM4rW) @smithbk Thanks for answering my question. I have the fabric v1.0 code and I don't see the fabric-ca-cryptogen.sh tool. Is that new, and will it work with v1.0?

smithbk (Thu, 20 Jul 2017 13:11:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FEtpaSNawFh8Qpawo) @gauthampamu Yes, the fabric-ca-cryptogen.sh tool is new and has not been merged. It was working until they changed MSP just before v1 shipped. Though I think it is mostly correct now, I have not had time to debug a hang in the e2e_cli test when using fabric-ca-cryptogen.sh with v1.0.0, but hopefully soon

gauthampamu (Thu, 20 Jul 2017 13:50:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=o2YkaiHyS3wAhDdmZ) @smithbk So to try fabric-ca-cryptogen.sh I just need to check out the three files listed in the change set and try the script to run the e2e cli test with the docker-compose-e2e-fabric-ca.yaml file. Do we need to make any changes to any scripts? Let me know when you fix the issue with the hang. Also, just to be clear, if we are setting up a blockchain network for a pilot or production, we should not use the cryptogen tool because we cannot import those into fabric-ca. If we use fabric-ca in the network, then until fabric-ca-cryptogen.sh is merged, what is the option to create all the certificates? Should we use the fabric-ca-client command line tool to generate and populate the msp directory structure as documented in http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enrolling-a-peer-identity

smithbk (Thu, 20 Jul 2017 14:02:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8jE5RRWdytJsrLM92) @gauthampamu Yes, you just need those 3 files and to "export USE_FABRIC_CA_CRYPTOGEN=true" before running it as mentioned in the change set comments. No changes to other scripts other than those. Yes, you can follow the progress of the change set to know when the hang is resolved and it is merged. BTW, the fabric-ca-cryptogen.sh script uses fabric-ca-client to populate the msp directories under crypto-config

gauthampamu (Thu, 20 Jul 2017 16:15:12 GMT):
@smithbk If the fabric CA is not configured with persistence (mysql), and we stop the container for the CA, do I have to remove the keystore files and enroll the user again to download the credentials?

smithbk (Thu, 20 Jul 2017 16:25:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=K5PpG8DZ2brP2AmJ6) @gauthampamu fabric CA is always persistent, but the default sqlite is an embedded DB which can't be clustered across multiple processes as it just writes to the local "fabric-ca-server.db" file (by default). Of course if the file system goes away, then the persistence to that file goes away. And other files are created also, like the signing key and certificate, unless you "bring your own".

baoyangc (Thu, 20 Jul 2017 17:06:31 GMT):
there is an env var CORE_PEER_LOCALMSPID=Org1MSP; after we set up the CA server, does the peer still need this env var?

n91 (Thu, 20 Jul 2017 21:11:28 GMT):
Has joined the channel.

n91 (Thu, 20 Jul 2017 21:11:41 GMT):
How can I use a different user name other than User1 ?

gauthampamu (Thu, 20 Jul 2017 21:53:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6dHLjzRWJS8bAxKxR) @smithbk Is it possible to provide an external volume even with sqlite, or do we have to use mysql to persist data even when you stop and start the containers?

smithbk (Thu, 20 Jul 2017 21:54:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oKcPXHeHPsoRAqAsi) @gauthampamu Yes, you can use an external volume with sqlite. That is a docker thing.

gauthampamu (Thu, 20 Jul 2017 21:57:16 GMT):
I have a question on how to configure a separate CA for each organization. For example, if I have a network with two CAs, one CA for each organization, what is the requirement for having a separate CA for each organisation? Do they all need to use a single third-party CA? It would be nice if the diagram in the documentation showed the CAs of different organizations.

duwenhui (Fri, 21 Jul 2017 09:00:39 GMT):
Has joined the channel.

duwenhui (Fri, 21 Jul 2017 09:01:21 GMT):
```
root@master:first-network# ./fabric-ca-server start -b admin:adminpw -p 3050 --db.type mysql --db.tls.certfiles ApsaraDB-CA-Chain.pem --tls.enabled --db.datasource ****:****@tcp\(rm-2ze81ji2iw67g5j74.mysql.rds.aliyuncs.com:3306\)/fabric_ca_org1?parseTime=true&tls=custom
[1] 18294
root@master:first-network# 2017/07/21 16:59:48 [INFO] Configuration file location: /nfs-share/fabric-samples/first-network/fabric-ca-server-config.yaml
2017/07/21 16:59:48 [INFO] Starting server in home directory: /nfs-share/fabric-samples/first-network
2017/07/21 16:59:48 [INFO] The CA key and certificate already exist
2017/07/21 16:59:48 [INFO] The key is stored by BCCSP provider 'SW'
2017/07/21 16:59:48 [INFO] The certificate is at: /nfs-share/fabric-samples/first-network/ca-cert.pem
Error: Failed to connect to MySQL database: Error 1044: Access denied for user 'blockchain'@'%' to database '1'
```

duwenhui (Fri, 21 Jul 2017 09:01:31 GMT):
What problem is this?

duwenhui (Fri, 21 Jul 2017 09:01:48 GMT):
what's the problem?

indirajith (Fri, 21 Jul 2017 10:20:17 GMT):
Has joined the channel.

smithbk (Fri, 21 Jul 2017 11:38:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4S3y6JKmkhsWtLTig) @gauthampamu No, the two CAs do not need to use a single 3rd party CA. They can be totally unrelated with different roots of trust.

smithbk (Fri, 21 Jul 2017 11:45:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dTQitvbbGcBmka2F5) @duwenhui It looks to me that the value of the "--db.datasource" arg has invalid characters. Is there a new line or stray characters? It is hard to read so am not sure.

duwenhui (Fri, 21 Jul 2017 11:49:33 GMT):
I have solved this problem. I modified the database name fabric_ca_org1 to fabric_ca_one.

gbolo (Fri, 21 Jul 2017 14:28:59 GMT):
hey folks

gbolo (Fri, 21 Jul 2017 14:29:02 GMT):
question

gbolo (Fri, 21 Jul 2017 14:29:32 GMT):
when I run the fabric-ca-client to enroll an admin user (the bootstrap user), how do I force the CA client to create the admincerts directory?

gbolo (Fri, 21 Jul 2017 14:29:41 GMT):
currently I just copy signcerts to admincerts

smithbk (Fri, 21 Jul 2017 15:14:34 GMT):
There is no way for fabric-ca-client to know which certs should go into the admincerts folder because it is up to you which identities are administrators, so you will have to populate the admincerts folder yourself. We hope to make this easier in the future with https://jira.hyperledger.org/browse/FAB-3752

gbolo (Fri, 21 Jul 2017 15:28:04 GMT):
@smithbk I see, thanks

ptone (Sun, 23 Jul 2017 05:06:42 GMT):
Has joined the channel.

noyonthe1 (Sun, 23 Jul 2017 13:55:14 GMT):
Can anybody tell me how to deploy fabric-ca on a physical machine? Is there any instruction out there for a full physical-machine deployment of a Hyperledger network with at least 2 peers, 1 CA, 1 orderer and 1 CouchDB?

ptone (Sun, 23 Jul 2017 16:40:38 GMT):
is the idea that each member (MSP) has their own fabric-ca scoped to their roots, or that there is only one fabric-ca for a given network, with each MSP admin having some scoped access?

ptone (Sun, 23 Jul 2017 17:07:27 GMT):
Somewhat answering my own question - but given Fabric-CA is tied 1:1 with an LDAP server, and given that MSP are ideally 1:1 with a corp or organization - that means more likely that each MSP would run its own Fabric-CA server

vdods (Sun, 23 Jul 2017 21:22:50 GMT):
@smithbk So just confirming what you said (which seems to be consistent with what I'm seeing) -- cryptogen, say as in the hyperledger/fabric-tools:x86_64-1.0.0 docker image, does not produce crypto materials usable by fabric-ca ?

vdods (Sun, 23 Jul 2017 21:23:04 GMT):
And if not, then what is the deficiency?

vdods (Sun, 23 Jul 2017 21:43:13 GMT):
Peripherally related questions; I'm looking at generating all the crypto material myself because of 1) the lack of a tool that does this currently, and 2) I want total control over it, including being able to provide my own CA certs instead of having fabric-ca generate them (which I'm having a lot of trouble with at the moment). My questions are 1) what crypto materials does each entity (peer, orderer, ca, [web]server) need to function? and 2) can those materials be retrieved exclusively by using fabric-ca-client?

vdods (Sun, 23 Jul 2017 22:09:52 GMT):
As a test, I ran a `fabric-ca-server` instance locally, and then with two separate FABRIC_CA_CLIENT_HOME directories (to represent say two different machines), ran `fabric-ca-client enroll` on the same user (admin) -- but got different certs, which is sort of confusing. Is this the intended functionality?

vdods (Sun, 23 Jul 2017 22:10:56 GMT):
Alternatively, is this ok? This is partly an attempt to retrieve the certs for various members from the CA and place them on the various peers/orderers/etc

ptone (Sun, 23 Jul 2017 23:04:53 GMT):
I think the client behavior you describe is as intended. The friction point I hit was that when enabling TLS - you need to preconfigure each different client_home dir with both config file and server crt

vdods (Sun, 23 Jul 2017 23:30:36 GMT):
Also, I'm trying to figure out how to get the right certs in the right places (duplicating the functionality of cryptogen). For example, each peer msp has a single cert/key pair (for itself presumably, which I'm assuming could be obtained via `fabric-ca-client enroll`), but also has certs for the CA and the admin. Can those be retrieved via `fabric-ca-client`, or do they have to be communicated via some other band?

ptone (Sun, 23 Jul 2017 23:54:46 GMT):
@vdods I'm puzzling through some of that same stuff - this post describes the step using just raw cfssl tool https://github.com/ChoiSD/how-to-Hyperledger-Fabric/blob/master/Docs/Add-Peer-On-Existing-Org.md

smithbk (Mon, 24 Jul 2017 01:02:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ChdjX7GYECXLdBdHB) @ptone Yes, you are correct.

smithbk (Mon, 24 Jul 2017 01:08:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ikXhZrgx5ifk7s3GB) @vdods fabric-ca-server maintains identities and certificates that it issues in a DB. When cryptogen generates certificates, they are not in the DB which is why they can't be used.

smithbk (Mon, 24 Jul 2017 01:10:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hromWQ8kdyR7beDu5) @vdods What trouble are you having with fabric-ca? I'll be glad to help

smithbk (Mon, 24 Jul 2017 01:13:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9mYxdPw9ASQjD88NC) @vdods Yes, it is intended behavior. Every time you enroll, you will get a different certificate. Even with a single client directory, a "fabric-ca-client reenroll" will get different cert. This is the way it is supposed to work.

smithbk (Mon, 24 Jul 2017 01:24:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oBfmKPmzpAWMPbQYH) @ptone @vdods Have you looked at the fabric-ca-cryptogen.sh script at https://gerrit.hyperledger.org/r/#/c/10871/5/examples/e2e_cli/fabric-ca-cryptogen.sh to see how to use fabric-ca to layout the MSP directory? The fabric-ca-client enroll command can't populate the admincerts part of the MSP directories because it doesn't know which identities are administrators.

ptone (Mon, 24 Jul 2017 02:00:42 GMT):
@smithbk thanks - will take a look at that - I'm guessing that will answer the TLS part as well. An area I'm a bit confused about is why a peer even needs an admin cert?

jaswanth (Mon, 24 Jul 2017 04:14:19 GMT):
hi all, I am running the balance transfer example (rc1 version). When I provide a fabric-ca-server-config.yaml file to the CA, the enrollment fails; it worked fine for the alpha version. Can anyone suggest how to provide users in the CA?

liuwenliang0632 (Mon, 24 Jul 2017 05:53:30 GMT):
Has joined the channel.

duwenhui (Mon, 24 Jul 2017 06:59:30 GMT):
my CA config file for deploy:

duwenhui (Mon, 24 Jul 2017 06:59:33 GMT):
```
version: "3"
networks:
  hyperledger-ov:
    external:
      name: hyperledger-ov
services:
  ca0:
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
    hostname: ca.org1.sdchoi.com
    image: hyperledger/fabric-ca:x86_64-1.0.0
    networks:
      hyperledger-ov:
        aliases:
          - ca.org1.sdchoi.com
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=ca.org1.sdchoi.com
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.sdchoi.com-cert.pem
      - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/5214ed04bfb6d30934ef6d9981f1efe733cf62f0c5f6160a3e43f013f80518b2_sk
    ports:
      - 7054:7054
    command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.sdchoi.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/5214ed04bfb6d30934ef6d9981f1efe733cf62f0c5f6160a3e43f013f80518b2_sk -b admin:adminpw --db.type mysql --db.datasource blockchain:YW346abB2017_cQaz@tcp(rm-2ze81ji2iw67g5j74.mysql.rds.aliyuncs.com:3306)/fabric_ca_one?parseTime=true&tls=custom -d'
    volumes:
      - ./crypto-config/peerOrganizations/org1.sdchoi.com/ca/:/etc/hyperledger/fabric-ca-server-config
```

duwenhui (Mon, 24 Jul 2017 07:02:30 GMT):
but I can't deploy this docker container. I can't find the reason, but when I test the case on the host: `./fabric-ca-server start -b admin:adminpw -p 3050 --db.type mysql --db.datasource blockchain:YW346abB2017_cQaz@tcp\(rm-2ze81ji2iw67g5j74.mysql.rds.aliyuncs.com:3306\)/fabric_ca_one?parseTime=true&tls=custom` it succeeds.

duwenhui (Mon, 24 Jul 2017 07:03:17 GMT):
the error message in docker is:
```
3fb30611a43 hyperledger/fabric-ca@sha256:b7094644bcbf6c28948fcdd0c38ffe65f98889a57da0e1bf23bd18731ef44800 "sh -c 'fabric-ca-..." 7 minutes ago Exited (2) 7 minutes ago hyperledger-ca_ca0.1.8bhyewqtlwyxcyn8soxnta4w0
ea0670e6272c hyperledger/fabric-ca@sha256:b7094644bcbf6c28948fcdd0c38ffe65f98889a57da0e1bf23bd18731ef44800 "sh -c 'fabric-ca-..." 7 minutes ago Exited (2) 7 minutes ago hyperledger-ca_ca0.1.ul0jp6z2ewr9egnlf42eedrvm
3e2e9ee1b6c7 hyperledger/fabric-ca@sha256:b7094644bcbf6c28948fcdd0c38ffe65f98889a57da0e1bf23bd18731ef44800 "sh -c 'fabric-ca-..." 7 minutes ago Exited (2) 7 minutes ago hyperledger-ca_ca0.1.wldvyuyuumj8k3izn2ifh36qr
372d51e6a4a4 hyperledger/fabric-ca@sha256:b7094644bcbf6c28948fcdd0c38ffe65f98889a57da0e1bf23bd18731ef44800 "sh -c 'fabric-ca-..." 7 minutes ago Exited (2) 7 minutes ago hyperledger-ca_ca0.1.5bv4lt7wtxft8eqsvb1luica1
```

Vadim (Mon, 24 Jul 2017 07:10:48 GMT):
@duwenhui try `docker logs 3fb30611a43 `

JanRzepecki (Mon, 24 Jul 2017 07:23:21 GMT):
Has joined the channel.

duwenhui (Mon, 24 Jul 2017 07:23:38 GMT):
@Vadim
```
docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6d54a7d8c66b hyperledger/fabric-ca@sha256:b7094644bcbf6c28948fcdd0c38ffe65f98889a57da0e1bf23bd18731ef44800 "sh -c 'fabric-ca-..." 3 seconds ago Exited (0) 2 seconds ago hyperledger-ca_ca0.1.7drc1teibh4ehexl67qqxk9ju
root@swarm1:/nfs-share/fabric-samples/first-network# docker logs 6d54a7d8c66b
```

duwenhui (Mon, 24 Jul 2017 07:23:42 GMT):
no logs

duwenhui (Mon, 24 Jul 2017 07:26:00 GMT):
I deleted the parameter "-d"

Vadim (Mon, 24 Jul 2017 07:26:01 GMT):
you run it in a swarm? perhaps then `docker service ps --no-trunc`

duwenhui (Mon, 24 Jul 2017 07:27:42 GMT):
@Vadim
```
root@master:first-network# docker service ls
ID NAME MODE REPLICAS IMAGE
atmq9o9tuj3o hyperledger-ca_ca1 replicated 1/1 hyperledger/fabric-ca:x86_64-1.0.0
m2juflydfssd hyperledger-ca_ca0 replicated 0/1 hyperledger/fabric-ca:x86_64-1.0.0
root@master:first-network# docker service ps m2juflydfssd --no-trunc
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
7drc1teibh4ehexl67qqxk9ju hyperledger-ca_ca0.1 hyperledger/fabric-ca:x86_64-1.0.0@sha256:b7094644bcbf6c28948fcdd0c38ffe65f98889a57da0e1bf23bd18731ef44800 iZ2zeghxqa1c7ounw13byzZ Shutdown Complete 4 minutes ago
```

kleniu (Mon, 24 Jul 2017 09:06:27 GMT):
Has joined the channel.

liuwenliang0632 (Mon, 24 Jul 2017 10:25:06 GMT):
@smithbk there is no ca.crt at dir crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls

liuwenliang0632 (Mon, 24 Jul 2017 10:28:59 GMT):
when I use fabric-ca-cryptogen.sh

smithbk (Mon, 24 Jul 2017 11:25:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=j6BpMgGgLPZXbsBxy) @ptone The peer needs an admincert to identify who is able to install chaincode on the peer.

smithbk (Mon, 24 Jul 2017 11:31:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9nhFBcr22GYYvj5yb) @liuwenliang0632 Hmm ... I'll look into this in a couple of hours when I get into office, but looking at my directory after running fabric-ca-cryptogen.sh, the ca.crt file exists ... but will try again to make sure nothing has changed

Ismail-Boukili (Mon, 24 Jul 2017 11:57:32 GMT):
Has joined the channel.

mastersingh24 (Mon, 24 Jul 2017 13:19:46 GMT):
@smithbk @skarim - You guys need to pull down https://gerrit.hyperledger.org/r/#/c/11847/ and rebase your CRs

mastersingh24 (Mon, 24 Jul 2017 13:20:09 GMT):
@aambati ^^^^

ankursam (Mon, 24 Jul 2017 13:27:50 GMT):
Has joined the channel.

smithbk (Mon, 24 Jul 2017 13:57:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mxLWq76z5Tvbnheyk) @mastersingh24 Thanks ... I've rebased https://gerrit.hyperledger.org/r/#/c/10953/ which is another one needed to make CI pass reliably, so the others will be rebased on top of the latest patch set of 10953. I just did that for https://gerrit.hyperledger.org/r/#/c/10717/

aambati (Mon, 24 Jul 2017 14:16:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=e4evnK8FrKLPsDLsM) @mastersingh24 ok

joshhw (Mon, 24 Jul 2017 15:15:37 GMT):
Has joined the channel.

joshhw (Mon, 24 Jul 2017 15:20:53 GMT):
@smithbk You seem to have a grasp on this tech, so I have some questions in regards to the certificate authority and MSP. Does the fabric-ca handle generating and managing the MSP? or do I need to configure the MSP separate of the CA? Is the MSP outside of the CA or is it a part of it?

joshhw (Mon, 24 Jul 2017 15:20:53 GMT):
@smithbk I feel like there is a large gap of information regarding what goes into a standard development environment for using fabric and what each piece does. How did you gain this insight, because the tutorials seem to overlook many details and I've been reading through the shell scripts but, I still dont know what components are needed for a dev environment and what each component does in regards to its role in the system.@smithbk You seem to have a grasp on this tech, so I have some questions in regards to the certificate authority and MSP. Does the fabric-ca handle generating and managing the MSP? or do I need to configure the MSP separate of the CA? Is the MSP outside of the CA or is it a part of it?

smithbk (Mon, 24 Jul 2017 16:12:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gsmTSR6LvDe5zd4QN) @joshhw The MSP is outside the CA. The "fabric-ca-client enroll" command creates most of the MSP directory which can then be used by the MSP code inside a peer or orderer. The enroll command does not create the "admincerts" subdirectory as mentioned earlier because it doesn't know which identities should be administrators for the peer or orderer. However, the "fabric-ca-cryptogen.sh" script mentioned above does create an admin identity for peer and orderer and so is able to populate the admincerts folder also.

joshhw (Mon, 24 Jul 2017 16:43:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TiMEBwJFWJpgdQRdZ) @smithbk I feel like there is a large gap of information regarding what goes into a standard development environment for using fabric and what each piece does. How did you gain this insight, because the tutorials seem to overlook many details and I've been reading through the shell scripts but, I still dont know what components are needed for a dev environment and what each component does in regards to its role in the system.

smithbk (Mon, 24 Jul 2017 16:52:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2SZ5yZJdnAj38hGd7) @joshhw @nickgaski From a high level, the starting point would be http://hyperledger-fabric-docs.readthedocs.io/en/latest/arch-deep-dive.html ... you've mentioned two components (MSP and fabric CA), but are there other pieces that you feel there are gaps? Nick, any comments from a doc perspective?

lehors (Mon, 24 Jul 2017 18:35:35 GMT):
@here sorry for being clueless but what are the fvt-tests about?

Juan.Arias (Mon, 24 Jul 2017 20:28:55 GMT):
Has joined the channel.

smithbk (Mon, 24 Jul 2017 21:04:57 GMT):
They test the fabric-ca-server with other dependencies like an LDAP server, mysql-server, and postgres

smithbk (Mon, 24 Jul 2017 21:05:17 GMT):
and haproxy for clustering

howardhou (Tue, 25 Jul 2017 01:27:23 GMT):
Has joined the channel.

liuwenliang0632 (Tue, 25 Jul 2017 06:32:14 GMT):
@smithbk i am sorry to ask again. about ca.crt missing. the log show [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TqGFiDJi9khwQbo59)

liuwenliang0632 (Tue, 25 Jul 2017 06:32:14 GMT):
@smithbk i am sorry to ask again. about ca.crt missing. the log show cp: cannot stat ‘crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/msp/tlscacerts/*’: No such file or directory cp: cannot stat ‘crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/msp/tlscacerts/*’: No such file or directory[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TqGFiDJi9khwQbo59)

liuwenliang0632 (Tue, 25 Jul 2017 06:32:14 GMT):
@smithbk i am sorry to ask again. about ca.crt missing. the log show ------------------------------cp: cannot stat ‘crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/msp/tlscacerts/*’: No such file or directory cp: cannot stat ‘crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/msp/tlscacerts/*’: No such file or directory[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TqGFiDJi9khwQbo59)

liuwenliang0632 (Tue, 25 Jul 2017 08:50:09 GMT):
How can I enable TLS when using fabric-ca-cryptogen.sh?

RobHekkelman (Tue, 25 Jul 2017 12:52:51 GMT):
Has joined the channel.

smithbk (Tue, 25 Jul 2017 13:30:32 GMT):
@liuwenliang0632 Try pulling down https://gerrit.hyperledger.org/r/#/c/11103/ into your fabric-ca repo. I am working on trying to get it working with the e2e_cli example. It is currently failing at the "Querying chaincode on org1/peer0" step because peer0 is unable to connect over TLS to the orderer. I'll post here when I get it working.

smithbk (Tue, 25 Jul 2017 17:50:49 GMT):
@liuwenliang0632 OK, fabric-ca-cryptogen.sh is now working for fabric/examples/e2e_cli, though to use it you have to pull from some change sets that aren't yet merged. See https://gerrit.hyperledger.org/r/#/c/10871/ and follow the instructions in the change set comment.

vdods (Tue, 25 Jul 2017 19:14:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=icrzXcSDshy7aXpci) @smithbk I did glance at it earlier, but I'll take a deeper look now. Is there an estimate for when this CR will be merged? Am I correct in understanding that there's currently no straightforward way (e.g. cryptogen) to generate crypto materials for use in a Fabric 1.0 app (including everything, CA, orderer(s), peer(s), client app)

vdods (Tue, 25 Jul 2017 19:22:57 GMT):
Looking at fabric-ca-cryptogen.sh, it looks like the `admin` account (with password `adminpw`, ostensibly created during `fabric-ca-server --init`) is distinct from the `Admin@orgname` account that's registered during the bash function `setupOrg`. Are these admins distinct? And if so, what is the function and role of each?

vdods (Tue, 25 Jul 2017 20:03:04 GMT):
Also, this always confused me -- in fabric-ca-server-config.yaml, there is `ca.keyfile: ca-key.pem`, but no file named `ca-key.pem` exists anywhere I can find. There is `ca-cert.pem` which is the corresponding cert specified in the config file by `ca.certfile: ca-cert.pem`.

mastersingh24 (Tue, 25 Jul 2017 20:20:55 GMT):
@vdods - We probably overload the use of "admin / Admin" although to be fair, you are not required to use fabric-ca with fabric. Within fabric, you'll notice that MSPs have admincerts - these are explicit certificates which are used to represent admin users in terms of organizations across fabric. (https://chat.hyperledger.org/channel/fabric-ca?msg=MjWjsDnhHKK66NdQ2) @vdods

mastersingh24 (Tue, 25 Jul 2017 20:20:55 GMT):
@vdods - We probably overload the use of "admin / Admin" although to be fair, you are not required to use fabric-ca with fabric. Within fabric, you'll notice that MSPs have admincerts - these are explicit certificates which are used to represent admin users in terms of organizations across fabric. At the same time, fabric-ca also has an admin user as the initial bootstrap identity for fabric-ca. Of course it's possible that you could add the fabric-ca admin certificate to the admincerts of an MSP (https://chat.hyperledger.org/channel/fabric-ca?msg=MjWjsDnhHKK66NdQ2) @vdods

vdods (Tue, 25 Jul 2017 20:22:11 GMT):
@mastersingh24 So there is a distinction between the CA's `admin` account, and the `Admin@orgname` accounts that are registered and appear with users?

mastersingh24 (Tue, 25 Jul 2017 20:24:10 GMT):
The `Admin@orgname` came from `cryptogen` originally and cryptogen did not require the use of fabric-ca. However cryptogen did provide the root CA key pair in case you wanted to later add a fabric-ca in order to create additional members for an organization. But `Admin@orgname` was generated without enrolling with fabric-ca - it was just a cert that was created and signed by cryptogen

mastersingh24 (Tue, 25 Jul 2017 20:24:40 GMT):
And yeah - generally speaking the CA's admin account would not be the same as the admins for an org in terms of an MSP

mastersingh24 (Tue, 25 Jul 2017 20:25:06 GMT):
(separation of duties and all)

mastersingh24 (Tue, 25 Jul 2017 20:25:45 GMT):
When I originally wrote `cryptogen`, I was just trying to make it easy for people to figure out which user was an admin

vdods (Tue, 25 Jul 2017 20:27:02 GMT):
Ok -- so does this scenario sound correct? The CA's admin account is used to create a 'WebAppAdmin' account to be used for a specific web app that drives a peer network, and that account is able to create other user accounts (but not other admins). Then the CA admin's duty is done, and the rest of the work is done by WebAppAdmin?

mastersingh24 (Tue, 25 Jul 2017 20:28:37 GMT):
Yeah - that definitely makes sense

vdods (Tue, 25 Jul 2017 20:29:13 GMT):
Ok -- how about the discrepancy with the ca-key.pem not existing?

vdods (Tue, 25 Jul 2017 20:29:48 GMT):
This doesn't seem like a problem for now, but I eventually want to provide my own key/cert for the CA's `init` run

mastersingh24 (Tue, 25 Jul 2017 20:30:56 GMT):
fabric-ca actually uses bccsp when it starts up and generates key(s). You'll actually find the private key that is used in the msp/keystore directory

mastersingh24 (Tue, 25 Jul 2017 20:30:56 GMT):
fabric-ca actually uses bccsp when it starts up and generates key(s). You'll actually find the private key that is used in the `msp/keystore` directory

mastersingh24 (Tue, 25 Jul 2017 20:31:31 GMT):
But, if msp/keystore does not exist, I believe it will then pick up the ca.keyfile parameter

mastersingh24 (Tue, 25 Jul 2017 20:31:31 GMT):
But, if msp/keystore does not exist, I believe it will then pick up the `ca.keyfile` parameter

mastersingh24 (Tue, 25 Jul 2017 20:33:18 GMT):
Another way to put it is that if you supply the root CA key pair, you can use the file parameters to specify the correct key material to use. But when fabric-ca generates the key pair on startup, the private key ends up in `msp/keystore`

vdods (Tue, 25 Jul 2017 20:34:06 GMT):
Ok, that makes sense. Though you may want to change the generation of fabric-ca-server-config.yaml to reflect that. It's quite misleading. If you like, I can create a Jira ticket

mastersingh24 (Tue, 25 Jul 2017 20:34:16 GMT):
Please do

mastersingh24 (Tue, 25 Jul 2017 20:34:41 GMT):
I've been meaning to do so :(

vdods (Tue, 25 Jul 2017 20:36:39 GMT):
One last question (I really appreciate your time! :) ) -- if I create a directory with fabric-ca-server-config.yaml, a cert file, a key file, and the config.yaml specifies those filenames as well as a bootstrap account and secret under registry.identities (e.g. admin and adminpw), and I run fabric-ca-server init (with no -b), it will use the specified keys and bootstrap account, instead of generating a new config file and keys, correct?

vdods (Tue, 25 Jul 2017 20:37:53 GMT):
And I suppose same for the TLS key and cert

vdods (Tue, 25 Jul 2017 20:49:49 GMT):
@mastersingh24 Ok, ticket created. I assigned it to you.

smithbk (Tue, 25 Jul 2017 21:05:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MjWjsDnhHKK66NdQ2) @vdods The admin/adminpw identity is the administrator of the organization's CA used to register other identities. The Admin@orgname is the administrator for a peer or orderer.

smithbk (Tue, 25 Jul 2017 21:14:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rX3BtCgbDsXZMEmxQ) @vdods Yes, if the config file and/or keys already exist, it will use them ... and the -b option is only needed if there is no config file. If the -b option is used and the config file already exists, it is ignored.

smithbk (Tue, 25 Jul 2017 21:14:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rX3BtCgbDsXZMEmxQ) @vdods Yes, if the config file and/or keys already exist, it will use them ... and the -b option is only needed if there is no config file. If the -b option is used and the config file already exists, the -b option is ignored.

vdods (Tue, 25 Jul 2017 21:21:14 GMT):
@smithbk which one is ignored? The -b or the config?

smithbk (Tue, 25 Jul 2017 21:22:16 GMT):
-b

vdods (Tue, 25 Jul 2017 21:22:52 GMT):
Ok, sweet. Thanks!

linyuadam (Wed, 26 Jul 2017 03:17:06 GMT):
Hi, all, sometimes I encountered a problem: after I instantiate the chaincode and the chaincode container successfully appear; but when I invoke, it said cannot find corresponding chaincode. I run my network in Docker Swarm with service name like peer0, peer1. The certs name are like 'peer0.example.com'. So I have DNS map peer0.example.com to the host ip. Then when I create channel and install, instantiate chaincode using sth like peer0.example.com:7051, on and off it has such a problem. But if I use sth like peer0:7051, it seldom has such a problem. Is there anyone having some idea on that? Many thanks in advance.

linyuadam (Wed, 26 Jul 2017 03:17:55 GMT):
This problem is not always happening. Just sometimes.

benjamin_J_sb (Wed, 26 Jul 2017 08:18:58 GMT):
Has joined the channel.

Rohit-Thukral (Wed, 26 Jul 2017 08:33:49 GMT):
Has joined the channel.

howardhou (Wed, 26 Jul 2017 09:00:48 GMT):
Has left the channel.

kmohanar (Wed, 26 Jul 2017 11:59:12 GMT):
Has joined the channel.

noyonthe1 (Wed, 26 Jul 2017 13:54:20 GMT):
I want to deploy 2 fabric-peer, one fabric-orderer and one fabric-ca in separate physical Linux machine. Is there any physical machine deployment guideline with fabric-ca not with cryptogen? Anybody can help me on that?

aambati (Wed, 26 Jul 2017 14:03:20 GMT):
@noyonthe1 you would need to build the fabric ca server executable.. for that : 1. Get golang 2. Set GOPATH env variable 3. get the code from github repository (go get https://github.com/hyperledger/fabric-ca/...), put it under $GOPATH 4. cd to $GOPATH/src/github.com/hyperledger/fabric-ca and build fabric-ca-server (make fabric-ca-server) 5. Once you have the executable in the $GOPATH/src/github.com/hyperledger/fabric-ca/bin directory, you can refer to the https://hyperledger-fabric-ca.readthedocs.io/en/latest/ to use fabric-ca

aambati (Wed, 26 Jul 2017 14:03:20 GMT):
@noyonthe1 you would need to build the fabric ca server executable.. for that : 1. Get golang 2. Set GOPATH env variable 3. get the code from github repository (go get https://github.com/hyperledger/fabric-ca/...) 4. cd to $GOPATH/src/github.com/hyperledger/fabric-ca and build fabric-ca-server (make fabric-ca-server) 5. Once you have the executable in the $GOPATH/src/github.com/hyperledger/fabric-ca/bin directory, you can refer to the https://hyperledger-fabric-ca.readthedocs.io/en/latest/ to use fabric-ca

aambati (Wed, 26 Jul 2017 14:03:20 GMT):
@noyonthe1 you would need to build the fabric ca server executable.. for that : 1. Get golang 2. Set GOPATH env variable 3. get the code from github repository (go get https://github.com/hyperledger/fabric-ca/...) 4. cd to $GOPATH/src/github.com/hyperledger/fabric-ca and build fabric-ca-server (make fabric-ca-server) 5. Once you have the executable in the $GOPATH/src/github.com/hyperledger/fabric-ca/bin directory, you can refer to the https://hyperledger-fabric-ca.readthedocs.io/en/latest/ on how to use fabric-ca server

aambati (Wed, 26 Jul 2017 14:05:51 GMT):
actually, getting started section https://hyperledger-fabric-ca.readthedocs.io/en/latest/ has the steps i outlined as well

aambati (Wed, 26 Jul 2017 14:05:51 GMT):
actually, getting started section in https://hyperledger-fabric-ca.readthedocs.io/en/latest/ has the steps i outlined as well

noyonthe1 (Wed, 26 Jul 2017 16:49:17 GMT):
@aambati this will make a docker fabric-ca image right?

noyonthe1 (Wed, 26 Jul 2017 16:49:17 GMT):
@aambati this will make a docker fabric-ca image right? I have successfully build fabric-ca and used it with docker-compose network setup but actually, I want to deploy it on a physical machine. How can I run it as a service, Is there any documentation for that? BTW, thanks for the link. Let me go through it. :)

smithbk (Wed, 26 Jul 2017 17:14:06 GMT):
@noyonthe1 To install fabric-ca-server: ```go get github.com/hyperledger/fabric-ca/cmd/fabric-ca-server```

smithbk (Wed, 26 Jul 2017 17:14:32 GMT):
To install fabric-ca-client: ```go get github.com/hyperledger/fabric-ca/cmd/fabric-ca-client```

smithbk (Wed, 26 Jul 2017 17:16:34 GMT):
Or install both as described at http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#install

smithbk (Wed, 26 Jul 2017 17:18:12 GMT):
To start it as a service will depend on the OS of your physical machine

noyonthe1 (Wed, 26 Jul 2017 17:41:06 GMT):
@smithbk thanks for your help. I'll try that out.

jtsiros (Wed, 26 Jul 2017 23:19:43 GMT):
Hey team. I'm attempting to use the fabric_ca container in my own example with the following volume mount:
```
volumes:
  - ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
```
I'm pointing the CA server to the certs generated by the crypto tool. For some reason, when I attempt to register a new user, I'm getting the following error in the Java SDK:
```
2017-07-26 16:13:12.408 ERROR 10006 --- [nio-8080-exec-2] o.hyperledger.fabric_ca.sdk.HFCAClient : POST request to http://localhost:7054/api/v1/register failed request body {"id":"794fb76c-69ef-4ed8-967c-463cf7292b0f","type":"user","max_enrollments":0,"affiliation":"Org1","attrs":[]} with status code: 400. Response: {"success":false,"result":null,"errors":[{"code":400,"message":"Authorization failure"}],"messages":[]}
```
Here are the logs from the CA server:
```
2017/07/26 23:13:12 [DEBUG] Received request POST /api/v1/register Authorization: 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.MEUCIQCQpbuKlNyi0Ig22VxWFlafc4zA8MgbeHDHJ05+ed0UdwIgYrM9ACaGvfENWek5ouQNfkKf6PmEYAlehWVxl37pTKU= {"id":"794fb76c-69ef-4ed8-967c-463cf7292b0f","type":"user","max_enrollments":0,"affiliation":"Org1","attrs":[]}
2017/07/26 23:13:12 [DEBUG] Directing traffic to default CA
2017/07/26 23:13:12 [DEBUG] Checking for revocation/expiration of certificate owned by 'User1@org1.example.com'
2017/07/26 23:13:12 [DEBUG] DB: Get certificate by serial (d7cd102be893d0ba853e7c5c967f9490) and aki (e729224e8b3f31784c8a93c5b8ef6f4c1c91d9e6e577c45c33163609fe40011)
2017/07/26 23:13:12 [ERROR] No certificates found for provided serial and aki
```
Any ideas what might be wrong?

jtsiros (Wed, 26 Jul 2017 23:20:48 GMT):
I've assigned User1 as the user for my app to interact with fabric and the CA server

jtsiros (Wed, 26 Jul 2017 23:25:11 GMT):
here is my docker-compose ca service:
```
ca.org1.example.com:
  image: hyperledger/fabric-ca:x86_64-1.0.0
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
    - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/0e729224e8b3f31784c8a93c5b8ef6f4c1c91d9e6e577c45c33163609fe40011_sk
    - FABRIC_CA_SERVER_TLS_ENABLED=false
    - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
    - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/0e729224e8b3f31784c8a93c5b8ef6f4c1c91d9e6e577c45c33163609fe40011_sk
  ports:
    - "7054:7054"
  command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
  volumes:
    - ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
  container_name: ca_peerOrg1
```

aambati (Wed, 26 Jul 2017 23:27:25 GMT):
@jtsiros Looks like User1@org1.example.com is trying to register 794fb76c-69ef-4ed8-967c-463cf7292b0f, but User1@org1.example.com is not known to fabric-ca ...what do you mean by "I'm pointing the CA server to the certs generated by the crypto tool."

jtsiros (Wed, 26 Jul 2017 23:31:16 GMT):
@aambati in fabric-examples, the crypto-config folders have User1 certs generated: ``` peerOrganizations/org1.example.com/users ls Admin@org1.example.com User1@org1.example.com ```

jtsiros (Wed, 26 Jul 2017 23:31:31 GMT):
how do I get fabric_ca to recognize those users?

jtsiros (Wed, 26 Jul 2017 23:38:21 GMT):
is the `fabric-ca-client` the only way?

aambati (Wed, 26 Jul 2017 23:52:47 GMT):
you can use fabric-ca-client or the rest api ...either way you need to register these users with fabric-ca-server first..they need to have hf.Registrar.Roles and hf.Revoker attributes so they can register and revoke other users...you can use admin user to register these users

aambati (Wed, 26 Jul 2017 23:53:31 GMT):
more info on hf.Registrar.Roles and hf.Revoker can be found at https://hyperledger-fabric-ca.readthedocs.io/en/latest

jtsiros (Wed, 26 Jul 2017 23:55:48 GMT):
@aambati last question, where can I find what the default affiliation is set to?

jtsiros (Wed, 26 Jul 2017 23:55:54 GMT):
where e*

aambati (Wed, 26 Jul 2017 23:56:18 GMT):
admin:adminpw is the bootstrap user for the fabric-ca server per your docker compose file

aambati (Wed, 26 Jul 2017 23:56:18 GMT):
admin (with pass: adminpw) is the bootstrap user for the fabric-ca server per your docker compose file

aambati (Thu, 27 Jul 2017 00:00:48 GMT):
default affiliation for an identity is "", which is the root of the affiliation tree

smithbk (Thu, 27 Jul 2017 01:03:26 GMT):
@jtsiros You can't register users generated from cryptogen into fabric-ca. The correct way is to use fabric-ca to generate the crypto material. See https://gerrit.hyperledger.org/r/#/c/10871/ and follow the instructions in the change set comment.

smithbk (Thu, 27 Jul 2017 01:03:26 GMT):
@jtsiros You can't register users generated from cryptogen into fabric-ca since the certificates will not be in the fabric-ca-server's database. The correct way is to use fabric-ca to generate the crypto material from the beginning. See https://gerrit.hyperledger.org/r/#/c/10871/ and follow the instructions in the change set comment.

snehalpansare (Thu, 27 Jul 2017 07:08:25 GMT):
Has joined the channel.

n-horiguchi (Thu, 27 Jul 2017 09:47:19 GMT):
Has joined the channel.

duwenhui (Thu, 27 Jul 2017 10:28:06 GMT):
```
cat enroll.log
2017/07/27 18:17:54 [INFO] User provided config file: crypto-config/ordererOrganizations/example.com/ca/intermediate/tls/fabric-ca-client-config.yaml
2017/07/27 18:17:54 [INFO] Created a default configuration file at /home/dwh/gocode/src/github.com/hyperledger/fabric/examples/e2e_cli/crypto-config/ordererOrganizations/example.com/ca/intermediate/tls/fabric-ca-client-config.yaml
2017/07/27 18:17:54 [DEBUG] Client configuration settings: &{Debug:true URL:http://admin:adminpw@localhost:7055 MSPDir:msp TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{Name: Secret: Profile:tls Label: CSR: CAName:} CSR:{CN:admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[intermediate intermediate] KeyRequest: CA: SerialNumber:} ID:{Name: Type: Secret: MaxEnrollments:-1 Affiliation: Attributes:[{Name: Value:}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName:} CAInfo:{CAName:} CAName: CSP:0xc420198f00}
2017/07/27 18:17:54 [DEBUG] Entered runEnroll
2017/07/27 18:17:54 [DEBUG] Enrolling &{Name:admin Secret:adminpw Profile:tls Label: CSR:0xc420090c00 CAName:}
2017/07/27 18:17:54 [DEBUG] Initializing client with config: &{Debug:true URL:http://localhost:7055 MSPDir:msp TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{Name:admin Secret:adminpw Profile:tls Label: CSR:0xc420090c00 CAName:} CSR:{CN:admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[intermediate intermediate] KeyRequest: CA: SerialNumber:} ID:{Name: Type: Secret: MaxEnrollments:-1 Affiliation: Attributes:[{Name: Value:}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName:} CAInfo:{CAName:} CAName: CSP:0xc420198f00}
2017/07/27 18:17:54 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc420181da0 Pkcs11Opts:}
2017/07/27 18:17:54 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc42019bfe0 DummyKeystore:}
2017/07/27 18:17:54 [DEBUG] GenCSR &{CN:admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[intermediate intermediate] KeyRequest: CA: SerialNumber:}
2017/07/27 18:17:54 [INFO] generating key: &{A:ecdsa S:256}
2017/07/27 18:17:54 [DEBUG] generate key from request: algo=ecdsa, size=256
2017/07/27 18:17:54 [INFO] encoded CSR
2017/07/27 18:17:54 [DEBUG] Sending request POST http://localhost:7055/enroll Authorization: Basic YWRtaW46YWRtaW5wdw== {"hosts":["intermediate","intermediate"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBUDCB9wIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERuzYvWLCTsloGeGA\nLDDVrsShOzt8Yp1iFjI3QOazbILn4GXTwrMvdV6xBeNCtvluZAH9OPaoKf/p5oxX\niqf84aA4MDYGCSqGSIb3DQEJDjEpMCcwJQYDVR0RBB4wHIIMaW50ZXJtZWRpYXRl\nggxpbnRlcm1lZGlhdGUwCgYIKoZIzj0EAwIDSAAwRQIhALlPH9yw2r3Jg1kmHxVH\n9BOB6B8wjm0ojMvhHKs8ifckAiAx9sK1bxIKzEUhTpmjCOrcCxlKzb++b2654EQ9\n8+4kzA==\n-----END CERTIFICATE REQUEST-----\n","profile":"tls","crl_override":"","label":"","CAName":""}
Error: POST failure [Post http://localhost:7055/enroll: dial tcp [::1]:7055: getsockopt: connection refused]; not sending POST http://localhost:7055/enroll Authorization: Basic YWRtaW46YWRtaW5wdw== {"hosts":["intermediate","intermediate"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBUDCB9wIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERuzYvWLCTsloGeGA\nLDDVrsShOzt8Yp1iFjI3QOazbILn4GXTwrMvdV6xBeNCtvluZAH9OPaoKf/p5oxX\niqf84aA4MDYGCSqGSIb3DQEJDjEpMCcwJQYDVR0RBB4wHIIMaW50ZXJtZWRpYXRl\nggxpbnRlcm1lZGlhdGUwCgYIKoZIzj0EAwIDSAAwRQIhALlPH9yw2r3Jg1kmHxVH\n9BOB6B8wjm0ojMvhHKs8ifckAiAx9sK1bxIKzEUhTpmjCOrcCxlKzb++b2654EQ9\n8+4kzA==\n-----END CERTIFICATE REQUEST-----\n","profile":"tls","crl_override":"","label":"","CAName":""}
```
How to solve this problem?

dinesh.rivankar (Thu, 27 Jul 2017 11:06:43 GMT):
Why do we have constrains on minimum 4 Kafka nodes.

smithbk (Thu, 27 Jul 2017 12:09:20 GMT):
@duwenhui For some reason, the fabric-ca-server failed to start on port 7055. There must be an earlier error message indicating why. ```Error: POST failure [Post http://localhost:7055/enroll: dial tcp [::1]:7055: getsockopt: connection refused]; not sending```

smithbk (Thu, 27 Jul 2017 12:11:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mWXhZeNDK5wh3YZcd) @dinesh.rivankar You could try this on the #fabric-consensus channel (@kostas)

magg (Thu, 27 Jul 2017 12:12:40 GMT):
Has joined the channel.

Ashish (Thu, 27 Jul 2017 12:20:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=H8hkok8ZCsTtrY5d3) @aambati I went through the Fabric client part. But you have mentioned about a rest API as well. Where do I find the details of this REST API ?

Vadim (Thu, 27 Jul 2017 12:22:04 GMT):
@Ashish https://github.com/hyperledger/fabric-ca/blob/release/swagger/swagger-fabric-ca.json

Ashish (Thu, 27 Jul 2017 12:25:48 GMT):
Thanks @Vadim. This is good. This means Fabric-CA exposes REST endpoints, which can be used to enroll, register etc., right?

Vadim (Thu, 27 Jul 2017 12:27:41 GMT):
yes

smithbk (Thu, 27 Jul 2017 13:14:38 GMT):
@Ashish And I'll add that depending on which language you are using, it would be easier to use an SDK/library. The creation of the authorization header for all except the enroll and info endpoints requires some work that is already done by fabric-ca/lib/Client for go and by the node and java SDKs. I'm less clear on the status of the go and python SDKs.

Ashish (Thu, 27 Jul 2017 13:17:19 GMT):
Thank you @smithbk, I was sweeping through the Java SDK code E2EIT example and I could find some code which indicates what you mentioned.

vdods (Thu, 27 Jul 2017 17:26:03 GMT):
Has left the channel.

vdods (Thu, 27 Jul 2017 17:27:06 GMT):
Has joined the channel.

vdods (Thu, 27 Jul 2017 17:27:13 GMT):
Is there a way, say as the admin account, to query fabric-ca for data on the registered accounts? E.g. user name, role, affiliation, what enrollment certs are currently active for them, etc.

vdods (Thu, 27 Jul 2017 17:27:53 GMT):
Or is it more appropriate to configure fabric-ca to use LDAP and then use all the existing tools for LDAP to do that?

vdods (Thu, 27 Jul 2017 17:40:23 GMT):
@smithbk In fabric-ca-cryptogen.sh, how does the registration process determine if an admin account is being created or not? Presumably it's not tied to the name `Admin`, and more than one admin account could be created.

vdods (Thu, 27 Jul 2017 17:42:08 GMT):
The shell commands used to create admin and user accounts are otherwise identical

aambati (Thu, 27 Jul 2017 17:45:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hmMuFaRPXN9cqSKmd) @vdods fabric-ca does not have a way to list registered identities...i think configuring fabric-ca to use LDAP is the way to go

vdods (Thu, 27 Jul 2017 17:45:33 GMT):
@aambati Thanks

vdods (Thu, 27 Jul 2017 17:56:14 GMT):
@smithbk Ah whoops, it's specified by the admincerts dir in the peer's MSP. Though how would one add an admin at runtime, without pre-loading an admin cert into the peer's MSP dir?

smithbk (Thu, 27 Jul 2017 17:58:45 GMT):
@vdods You have to manually populate the admincerts directory, but see https://jira.hyperledger.org/browse/FAB-3752 for future work to remove this requirement

vdods (Thu, 27 Jul 2017 18:01:16 GMT):
@smithbk Ok, thanks!

baoyangc (Thu, 27 Jul 2017 18:25:36 GMT):
the fabric-ca always prints this: `http: TLS handshake error from 10.255.0.3:51641: read tcp 10.255.0.27:7054->10.255.0.3:51641: read: connection reset by peer`

baoyangc (Thu, 27 Jul 2017 18:25:50 GMT):
how to deal with this

jtsiros (Thu, 27 Jul 2017 19:38:50 GMT):
@smithbk thanks! I'm using `fabric-samples`, how would I go about getting that to work with those examples?

smithbk (Thu, 27 Jul 2017 19:47:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SQ47WBSt4ZTzxgC4y) @jtsiros Do you mean how do you get fabric-ca-cryptogen.sh to work with fabric-samples?

jtsiros (Thu, 27 Jul 2017 19:51:45 GMT):
@smithbk yes

smithbk (Thu, 27 Jul 2017 19:58:03 GMT):
How many orderers and peers does the sample you're working on have?

smithbk (Thu, 27 Jul 2017 19:59:37 GMT):
The "ORGS" variable at the top of fabric-ca-cryptogen.sh can be modified if one of the samples is expecting a different number. But if the naming pattern is different from e2e_cli, then it may take more work. Which sample are you talking about?

jtsiros (Thu, 27 Jul 2017 20:02:25 GMT):
just one orderer and two peers, same org

smithbk (Thu, 27 Jul 2017 20:04:22 GMT):
Try modifying the "ORGS" variable according to the comment at the top of fabric-ca-cryptogen.sh. Let me know if something isn't clear there

smithbk (Thu, 27 Jul 2017 20:06:43 GMT):
Try the following for 1 orderer and 2 peers in one org, though you may need to change the name of the org:
```
ORGS="\
   orderer:example.com:7054:7055:1 \
   peer:org1.example.com:7056:7057:2 \
"
```

jtsiros (Thu, 27 Jul 2017 20:15:31 GMT):
ok I'll try it, thanks!

jtsiros (Thu, 27 Jul 2017 20:33:26 GMT):
@smithbk I'm getting some errors when running it in the network folder:
```
▲ fabric-samples/network-01/network ./fabric-ca-cryptogen.sh
#################################################################
#######   Generating crypto material using Fabric CA   ##########
#################################################################
Checking executables ...
Cleaning up ...
Stopping CA server in crypto-config/ordererOrganizations/example.com/ca/root with PID 47712 ...
Setting up organizations ...
Starting CA server in crypto-config/ordererOrganizations/example.com/ca/root on port 7054 ...
./fabric-ca-cryptogen.sh: line 160: 47930 Killed: 9   $SERVER start -p $port -b admin:adminpw $DEBUG > $homeDir/server.log 2>&1
FATAL: CA server is not running at crypto-config/ordererOrganizations/example.com/ca/root; see logs at crypto-config/ordererOrganizations/example.com/ca/root/server.log
```
Here is how my docker-compose file is setting up the CA server:
```
ca.org1.example.com:
  image: hyperledger/fabric-ca:x86_64-1.0.0
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
    - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/0e729224e8b3f31784c8a93c5b8ef6f4c1c91d9e6e577c45c33163609fe40011_sk
    - FABRIC_CA_SERVER_TLS_ENABLED=false
    - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
    - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/0e729224e8b3f31784c8a93c5b8ef6f4c1c91d9e6e577c45c33163609fe40011_sk
  ports:
    - "7054:7054"
  command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
  volumes:
    - ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
  container_name: ca_peerOrg1
```
Here is my ORGS config:

jtsiros (Thu, 27 Jul 2017 20:33:33 GMT):
```
ORGS="\
   orderer:example.com:7054:7054:1 \
   peer:org1.example.com:7050:7050:1 \
"
```

asamk (Thu, 27 Jul 2017 20:53:33 GMT):
Has joined the channel.

jtsiros (Thu, 27 Jul 2017 21:39:40 GMT):
@smithbk OK, it seems I need to run this before I start everything up.

jtsiros (Thu, 27 Jul 2017 21:39:46 GMT):
thanks for the help!

howardhou (Fri, 28 Jul 2017 01:27:04 GMT):
Has joined the channel.

duwenhui (Fri, 28 Jul 2017 06:45:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SZft7z9cbkL35ZmMZ) @smithbk I searched for the previous reply and still couldn't find the answer. I tried `./fabric-ca-client enroll -u http://admin:adminpw@localhost:7055`, which executed successfully. Can you give a clearer solution?

duwenhui (Fri, 28 Jul 2017 07:01:06 GMT):
@smithbk I tried this commit, https://gerrit.hyperledger.org/r/#/c/10871/ but it always failed.
```
dwh@dwh-ThinkPad-E470:~/gocode/src/github.com/hyperledger/fabric-0adb26c/examples/e2e_cli$ ./network_setup.sh up
setting to default channel 'mychannel'
mychannel
#################################################################
#######   Generating crypto material using Fabric CA   ##########
#################################################################
Checking executables ...
Setting up organizations ...
Starting CA server in crypto-config/ordererOrganizations/example.com/ca/root on port 7054 ...
CA server is started in crypto-config/ordererOrganizations/example.com/ca/root and listening on port 7054
FATAL: Failed to enroll crypto-config/ordererOrganizations/example.com/ca/root/tls with CA at http://admin:adminpw@localhost:7054; see crypto-config/ordererOrganizations/example.com/ca/root/tls/enroll.log
dwh@dwh-ThinkPad-E470:~/gocode/src/github.com/hyperledger/fabric-0adb26c/examples/e2e_cli$
dwh@dwh-ThinkPad-E470:~/gocode/src/github.com/hyperledger/fabric-0adb26c/examples/e2e_cli$ cat crypto-config/ordererOrganizations/example.com/ca/root/tls/enroll.log
2017/07/28 14:57:21 [INFO] User provided config file: crypto-config/ordererOrganizations/example.com/ca/root/tls/fabric-ca-client-config.yaml
2017/07/28 14:57:21 [INFO] Created a default configuration file at /home/dwh/gocode/src/github.com/hyperledger/fabric-0adb26c/examples/e2e_cli/crypto-config/ordererOrganizations/example.com/ca/root/tls/fabric-ca-client-config.yaml
2017/07/28 14:57:21 [DEBUG] Client configuration settings: &{Debug:true URL:http://admin:adminpw@localhost:7054 MSPDir:msp TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{Name: Secret: Profile:tls Label: CSR: CAName:} CSR:{CN:admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[root root] KeyRequest: CA: SerialNumber:} ID:{Name: Type: Secret: MaxEnrollments:-1 Affiliation: Attributes:[{Name: Value:}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName:} CAInfo:{CAName:} CAName: CSP:0xc420198840}
2017/07/28 14:57:21 [DEBUG] Entered runEnroll
2017/07/28 14:57:21 [DEBUG] Enrolling &{Name:admin Secret:adminpw Profile:tls Label: CSR:0xc420090c00 CAName:}
2017/07/28 14:57:21 [DEBUG] Initializing client with config: &{Debug:true URL:http://localhost:7054 MSPDir:msp TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{Name:admin Secret:adminpw Profile:tls Label: CSR:0xc420090c00 CAName:} CSR:{CN:admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[root root] KeyRequest: CA: SerialNumber:} ID:{Name: Type: Secret: MaxEnrollments:-1 Affiliation: Attributes:[{Name: Value:}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName:} CAInfo:{CAName:} CAName: CSP:0xc420198840}
2017/07/28 14:57:21 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc420181ce0 Pkcs11Opts:}
2017/07/28 14:57:21 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc42019b4d0 DummyKeystore:}
2017/07/28 14:57:21 [DEBUG] GenCSR &{CN:admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[root root] KeyRequest: CA: SerialNumber:}
2017/07/28 14:57:21 [INFO] generating key: &{A:ecdsa S:256}
2017/07/28 14:57:21 [DEBUG] generate key from request: algo=ecdsa, size=256
2017/07/28 14:57:21 [INFO] encoded CSR
2017/07/28 14:57:21 [DEBUG] Sending request
POST http://localhost:7054/enroll
Authorization: Basic YWRtaW46YWRtaW5wdw==
{"hosts":["root","root"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBPzCB5wIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzbsQZnltvuIDFxsM\nEFXkaO9LcLUOyP8VTngPGZxsABrUBSW90e5NpzQRqUnBp9ZCEAe/aj8K/XU7cCpX\naQTeoKAoMCYGCSqGSIb3DQEJDjEZMBcwFQYDVR0RBA4wDIIEcm9vdIIEcm9vdDAK\nBggqhkjOPQQDAgNHADBEAiBXfDROz8cnEUVYnes9RW7o0VtKBMccU6roVVzJW0Q2\n1QIgDA+0jAzizKWq1SMEdG8Ndk0Z09G5nxuS+XpSHlzICuw=\n-----END CERTIFICATE REQUEST-----\n","profile":"tls","crl_override":"","label":"","CAName":""}
2017/07/28 14:57:22 [DEBUG] Received response
statusCode=400 (400 Bad Request)
Error: Error response from server was: Authorization failure
dwh@dwh-ThinkPad-E470:~/gocode/src/github.com/hyperledger/fabric-0adb26c/examples/e2e_cli$
```
That's why I asked the question before?

baoyangc (Fri, 28 Jul 2017 09:27:33 GMT):
do we have a tool to create the database tables for fabric-ca?

Ashish (Fri, 28 Jul 2017 11:15:10 GMT):
I went through the Fabric CA Server API - swagger.json and thought I would check the endpoints with Postman. First off, I saw that I have to enroll as an Admin, who can create users in the CA. In the enroll, I populated the Basic Authentication header with admin and adminpw. Then I realized that I do not have "A PEM-encoded string containing the CSR (Certificate Signing Request) based on PKCS #10." required in the *request*. So I went and checked in the *crypto-config* directory and under "peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp", I found two folders, "keystore" and "signcerts". I checked and found that they are the keypairs for Admin@org1.example.com. Then I created the CSR and then I had to convert the CSR to a PEM-encoded CSR, which I managed with `awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' mycsr.pem`. But when I fired the request, it said invalid.

Vadim (Fri, 28 Jul 2017 11:19:49 GMT):
@Ashish is there any reason you don't use SDKs? They handle that for you.

Ashish (Fri, 28 Jul 2017 11:21:57 GMT):
@Vadim I just realized that it's better to use the SDK, :)

Ashish (Fri, 28 Jul 2017 11:23:33 GMT):
But @Vadim , I am going through the E2EIT.java and there they are expecting an admin to be present all the time

Ashish (Fri, 28 Jul 2017 11:23:46 GMT):
is this admin same as Admin@org1.example.com ?

Ashish (Fri, 28 Jul 2017 11:24:01 GMT):
or is this the admin which we bootstrap the fabric ca?

Vadim (Fri, 28 Jul 2017 11:26:38 GMT):
@Ashish I don't know, I need to check the code

Ashish (Fri, 28 Jul 2017 11:29:23 GMT):
```
HFCAClient ca = sampleOrg.getCAClient();
final String orgName = sampleOrg.getName();
final String mspid = sampleOrg.getMSPID();
ca.setCryptoSuite(CryptoSuite.Factory.getCryptoSuite());
SampleUser admin = sampleStore.getMember(TEST_ADMIN_NAME, orgName);
if (!admin.isEnrolled()) { //Preregistered admin only needs to be enrolled with Fabric caClient.
    admin.setEnrollment(ca.enroll(admin.getName(), "adminpw"));
    admin.setMspId(mspid);
}
sampleOrg.setAdmin(admin); // The admin of this org
```

Ashish (Fri, 28 Jul 2017 11:30:00 GMT):
I think they are.

Ashish (Fri, 28 Jul 2017 11:30:47 GMT):
let me try executing this snippet alone..

Ashish (Fri, 28 Jul 2017 11:31:59 GMT):
@Vadim I have decided to follow your advice in this matter anyway. It's better to use the SDK.

Vadim (Fri, 28 Jul 2017 11:36:10 GMT):
@Ashish that's CA admin, not admin@org.example

Ashish (Fri, 28 Jul 2017 11:49:46 GMT):
Hmm, Yes. So this is the admin which we bootstrap the CA instance with. Okay.

baoyangc (Fri, 28 Jul 2017 12:14:20 GMT):
do we have a tool to do `fabric-ca-server init` only

baoyangc (Fri, 28 Jul 2017 12:14:24 GMT):
?

Ashish (Fri, 28 Jul 2017 12:17:24 GMT):
if you are using the fabric-ca-cryptogen.sh, then you could create an altered version of the startCA(), say initCA(), to call init instead of start.

smallX (Fri, 28 Jul 2017 12:31:37 GMT):
Has joined the channel.

smallX (Fri, 28 Jul 2017 12:33:39 GMT):
please check `http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#table-of-contents`, MySQL: 5.17.16 or later

duwenhui (Fri, 28 Jul 2017 13:45:34 GMT):
@smithbk
```
2017/07/28 13:41:50 http: TLS handshake error from 10.255.0.2:64728: read tcp 10.255.0.25:7054->10.255.0.2:64728: read: connection reset by peer
2017/07/28 13:41:50 http: TLS handshake error from 10.255.0.2:8363: read tcp 10.255.0.25:7054->10.255.0.2:8363: read: connection reset by peer
2017/07/28 13:41:51 http: TLS handshake error from 10.255.0.3:38377: read tcp 10.255.0.25:7054->10.255.0.3:38377: read: connection reset by peer
2017/07/28 13:41:51 http: TLS handshake error from 10.255.0.2:45541: read tcp 10.255.0.25:7054->10.255.0.2:45541: read: connection reset by peer
2017/07/28 13:41:51 http: TLS handshake error from 10.255.0.3:55336: read tcp 10.255.0.25:7054->10.255.0.3:55336: read: connection reset by peer
2017/07/28 13:41:51 http: TLS handshake error from 10.255.0.2:10042: read tcp 10.255.0.25:7054->10.255.0.2:10042: read: connection reset by peer
2017/07/28 13:41:51 http: TLS handshake error from 10.255.0.3:60263: read tcp 10.255.0.25:7054->10.255.0.3:60263: read: connection reset by peer
2017/07/28 13:41:51 http: TLS handshake error from 10.255.0.2:43964: read tcp 10.255.0.25:7054->10.255.0.2:43964: read: connection reset by peer
2017/07/28 13:41:52 http: TLS handshake error from 10.255.0.3:21472: read tcp 10.255.0.25:7054->10.255.0.3:21472: read: connection reset by peer
2017/07/28 13:41:52 http: TLS handshake error from 10.255.0.2:24066: read tcp 10.255.0.25:7054->10.255.0.2:24066: read: connection reset by peer
2017/07/28 13:41:52 http: TLS handshake error from 10.255.0.3:24437: read tcp 10.255.0.25:7054->10.255.0.3:24437: read: connection reset by peer
2017/07/28 13:41:52 http: TLS handshake error from 10.255.0.2:56061: read tcp 10.255.0.25:7054->10.255.0.2:56061: read: connection reset by peer
2017/07/28 13:41:52 http: TLS handshake error from 10.255.0.3:13923: read tcp 10.255.0.25:7054->10.255.0.3:13923: read: connection reset by peer
2017/07/28 13:41:52 http: TLS handshake error from 10.255.0.3:47385: read tcp 10.255.0.25:7054->10.255.0.3:47385: read: connection reset by peer
2017/07/28 13:41:52 http: TLS handshake error from 10.255.0.3:56826: read tcp 10.255.0.25:7054->10.255.0.3:56826: read: connection reset by peer
```
When I started a fabric-ca service, I enabled TLS, and there was this error. How to solve this problem?

smithbk (Fri, 28 Jul 2017 14:11:25 GMT):
@duwenhui Are you using "http" or "https" on the client? Looks like "http" but should be "https"

jmcnevin (Fri, 28 Jul 2017 15:22:11 GMT):
Could someone clarify what I need to do to create an identity in the admin role for a CA?

jmcnevin (Fri, 28 Jul 2017 15:23:25 GMT):
Using fabric-ca-client specifically

jmcnevin (Fri, 28 Jul 2017 15:46:31 GMT):
nvm, I think I understand what's happening

PranavBurnwal (Fri, 28 Jul 2017 19:25:17 GMT):
Has joined the channel.

vdods (Sat, 29 Jul 2017 02:44:16 GMT):
Has configtxgen changed since the change-over to fabric-ca-cryptogen.sh? I'm getting `2017-07-28 08:01:27.660 UTC [configvalues/msp] TemplateGroupMSPWithAdminRolePrincipal -> CRIT 002 Setting up the MSP manager failed, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority` when I try to run configtxgen, though it doesn't indicate which org or which files are involved

vdods (Sat, 29 Jul 2017 02:46:42 GMT):
this is for the command `configtxgen -profile TwoOrgsOrdererGenesis -outputBlock /generated-artifacts/orderer.genesis.block`

sampath06 (Sat, 29 Jul 2017 02:47:14 GMT):
Has joined the channel.

vdods (Sat, 29 Jul 2017 02:47:23 GMT):
But `configtxgen -profile TwoOrgsChannel -outputCreateChannelTx /generated-artifacts/mychannel.tx -channelID mychannel` works fine.

vdods (Sat, 29 Jul 2017 02:48:50 GMT):
Additionally, this is with the intermediate CA generation enabled. Perhaps it's because configtxgen is somehow not seeing the root CA's cert?

vdods (Sat, 29 Jul 2017 03:04:33 GMT):
Hmm.. looks like it's because there are probably missing files in the expected MSP directory structure: http://hyperledger-fabric.readthedocs.io/en/latest/msp.html#msp-setup-on-the-peer-orderer-side -- in particular, the `intermediatecerts` subdir of `msp`. But it looks like the intermediate CA's cert is being copied into the `cacerts` dir, which is meant for the root CA's cert.

vdods (Sat, 29 Jul 2017 03:32:48 GMT):
Changing `INTERMEDIATE_CA` to `false` in `fabric-ca-cryptogen.sh` fixed the configtxgen problem (for that case, obviously the case where intermediate CAs are used is still not functioning)

duwenhui (Sat, 29 Jul 2017 03:58:27 GMT):
@smithbk [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KxfW4968AM4MyjPwm) @smithbk It seems to have no client connection to it at all. As soon as the CA service is running, it immediately reports the error.

duwenhui (Sat, 29 Jul 2017 04:39:54 GMT):
@smithbk
```
2017/07/29 04:37:24 http: TLS handshake error from 10.255.0.3:62811: read tcp 10.255.0.27:7054->10.255.0.3:62811: read: connection reset by peer
2017/07/29 04:37:25 http: TLS handshake error from 10.255.0.2:20900: read tcp 10.255.0.27:7054->10.255.0.2:20900: read: connection reset by peer
2017/07/29 04:37:25 http: TLS handshake error from 10.255.0.3:21621: read tcp 10.255.0.27:7054->10.255.0.3:21621: read: connection reset by peer
2017/07/29 04:37:25 http: TLS handshake error from 10.255.0.2:35641: read tcp 10.255.0.27:7054->10.255.0.2:35641: read: connection reset by peer
2017/07/29 04:37:25 http: TLS handshake error from 10.255.0.3:26055: read tcp 10.255.0.27:7054->10.255.0.3:26055: read: connection reset by peer
2017/07/29 04:37:25 http: TLS handshake error from 10.255.0.3:34424: read tcp 10.255.0.27:7054->10.255.0.3:34424: read: connection reset by peer
```
The IPs 10.255.0.3:34424 and 10.255.0.2 are from the docker swarm ingress network; I think it is a bug of Docker swarm. It automatically requests the CA server in the other swarm network of the CA server by http.

sampath06 (Sat, 29 Jul 2017 05:23:21 GMT):
Hello, How do I bring up a peer/orderer node and connect it to a fabric-ca node that is running on another physical server? Most of the examples I see have the CA and the nodes being started in the same docker-compose file. I would like to start them on different nodes and not really sure how to do it. Any pointers would be great. Thanks.

vdods (Sat, 29 Jul 2017 05:59:46 GMT):
@sampath06 docker-compose is just providing a hostname abstraction for each container, i.e. each container is treated as a separate host. Thus you just specify the URL of the other machine to have it talk to that one

vdods (Sat, 29 Jul 2017 06:00:08 GMT):
So nothing special needs to be done -- just use the correct URLs in the correct place

sampath06 (Sat, 29 Jul 2017 06:09:51 GMT):
@vdods Sorry for the basic questions. Where do I specify the hostname of the CA for the peer to connect to? In the docker-compose files, I don't see a hostname field.

vdods (Sat, 29 Jul 2017 06:10:23 GMT):
@sampath06 You're working with fabric v1.0.0, correct?

sampath06 (Sat, 29 Jul 2017 06:10:52 GMT):
yes. thats right

vdods (Sat, 29 Jul 2017 06:12:47 GMT):
So as far as I know, for now there's no automatic login of the peer into the CA (like there was in v0.6, IIRC). The peer has a member services provider (a `msp` subdir) which contains certs and keys of various kinds (described here http://hyperledger-fabric.readthedocs.io/en/latest/msp.html#msp-setup-on-the-peer-orderer-side ).

vdods (Sat, 29 Jul 2017 06:13:25 GMT):
The files in the `msp` subdir are obtained through connecting to the CA, but that's done out of band for now it seems.

vdods (Sat, 29 Jul 2017 06:14:46 GMT):
Currently, the way that's done is through this `fabric-ca-cryptogen.sh` script that's been mentioned several times in the recent chat history of this channel. It's a little ad-hoc and there seem to be some gaps (that e.g. I'm having to fill in myself on my project). For example, putting all the right materials on the right servers

sampath06 (Sat, 29 Jul 2017 06:14:48 GMT):
so basically, I generate the certificates and keys on the CA, copy them to the correct directory structure on the servers where the peers are to be started and then start them without referring to the CA itself?

vdods (Sat, 29 Jul 2017 06:15:23 GMT):
Yes, for now. I'd imagine that in the future, there would be a way to do it more automatically/intuitively

vdods (Sat, 29 Jul 2017 06:15:47 GMT):
Disclaimer: I'm also still figuring this out, so my understanding may not be perfect

sampath06 (Sat, 29 Jul 2017 06:20:26 GMT):
Great.. I am in the same boat and the information looks really fragmented. So any pointers helps. Thanks

vdods (Sat, 29 Jul 2017 06:25:43 GMT):
Yeah, it's not nearly in a seamless setup state

MeenakshiSingh (Sat, 29 Jul 2017 18:01:46 GMT):
Has joined the channel.

MeenakshiSingh (Sat, 29 Jul 2017 18:12:03 GMT):
Is MSP setup required at each node running a role, i.e., at peers, orderers, etc.? How exactly does MSP work with the CA authority?

vdods (Sun, 30 Jul 2017 00:25:44 GMT):
@MeenakshiSingh Yes to your first question. For the second question, the MSP is independent from the CA (in that you can use whatever CA you want). The MSP just keeps track of the certs/keys for the participating users, admins, etc.

liuwenliang0632 (Mon, 31 Jul 2017 02:03:59 GMT):
@smithbk will this be merged into 1.0.1? https://gerrit.hyperledger.org/r/#/c/10871/5

kitakei8 (Mon, 31 Jul 2017 05:25:23 GMT):
Has joined the channel.

kitakei8 (Mon, 31 Jul 2017 05:27:46 GMT):
Hello Team, I tried running "Writing Your First Application", http://hyperledger-fabric.readthedocs.io/en/latest/write_first_app.html

kitakei8 (Mon, 31 Jul 2017 05:32:36 GMT):
It ran successfully, but I have a question... According to basic-network/docker-compose.yml, ca.example.com container execute "fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/a22daf356b2aab5792ea53e35f66fccef1d7f1aa2b3a2b92dbfbf96a448ea26a_sk -b admin:adminpw -d", but the keyfile "a22daf356b2aab5792ea53e35f66fccef1d7f1aa2b3a2b92dbfbf96a448ea26a_sk" doesn't exist anywhere. Instead, the file "0e729224e8b3f31784c8a93c5b8ef6f4c1c91d9e6e577c45c33163609fe40011_sk" exists in basic-network/crypto-config/peerOrganizations/org1.example.com/ca/ directory. Why does it run ?

MeenakshiSingh (Mon, 31 Jul 2017 10:01:39 GMT):
@vdods Thanks. I have a node with CA setup. I have registered and enrolled peer0 with the CA which generated the cacert, signcert and keystore. Now, I am launching the docker-compose.yaml file from the fabric-samples/basic-network directory. I removed the fabric-ca section from here and updated the location from where the crypto material for peer0 is to be copied into the docker-container. Below is my docker-compose.yml file

MeenakshiSingh (Mon, 31 Jul 2017 10:01:47 GMT):
```
networks:
  basic:

services:
  orderer.example.com:
    container_name: orderer.example.com
    image: hyperledger/fabric-orderer:x86_64-1.0.0
    environment:
      - ORDERER_GENERAL_LOGLEVEL=debug
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/msp/orderer/msp
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/orderer
    command: orderer
    ports:
      - 7050:7050
    volumes:
      - ./config/:/etc/hyperledger/configtx
      - ./crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/:/etc/hyperledger/msp/orderer
      - ./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/:/etc/hyperledger/msp/peerOrg1
    networks:
      - basic

  peer0.org1.example.com:
    container_name: peer0.org1.example.com
    image: hyperledger/fabric-peer:x86_64-1.0.0
    environment:
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_PEER_ID=peer0.org1.example.com
      - CORE_LOGGING_PEER=debug
      - CORE_CHAINCODE_LOGGING_LEVEL=DEBUG
      - CORE_PEER_LOCALMSPID=Org1MSP
      - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/peer/
      #- CORE_PEER_MSPCONFIGPATH=/home/ubuntu/fabric-ca/client/peer0/msp
      - CORE_PEER_ADDRESS=peer0.org1.example.com:7051
      # # the following setting starts chaincode containers on the same
      # # bridge network as the peers
      # # https://docs.docker.com/compose/networking/
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_basic
      - CORE_LEDGER_STATE_STATEDATABASE=CouchDB
      - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb:5984
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric
    command: peer node start
    # command: peer node start --peer-chaincodedev=true
    ports:
      - 7051:7051
      - 7053:7053
    volumes:
      - /var/run/:/host/var/run/
      #- ./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/msp/peer
      #- ./crypto-config/peerOrganizations/org1.example.com/users:/etc/hyperledger/msp/users
      #- ./config:/etc/hyperledger/configtx
      - /home/ubuntu/fabric-ca/client/peer0/msp:/etc/hyperledger/msp/peer
      #- ./crypto-config/peerOrganizations/org1.example.com/users:/etc/hyperledger/msp/users
      - ./config:/etc/hyperledger/configtx
    depends_on:
      - orderer.example.com
    networks:
      - basic

  couchdb:
    container_name: couchdb
    image: hyperledger/fabric-couchdb:x86_64-1.0.0
    ports:
      - 5984:5984
    environment:
      DB_URL: http://localhost:5984/member_db
    networks:
      - basic

  cli:
    container_name: cli
    image: hyperledger/fabric-tools:x86_64-1.0.0
    tty: true
    environment:
      - GOPATH=/opt/gopath
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_LOGGING_LEVEL=DEBUG
      - CORE_PEER_ID=cli
      - CORE_PEER_ADDRESS=peer0.org1.example.com:7051
      - CORE_PEER_LOCALMSPID=Org1MSP
      - CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
      - CORE_CHAINCODE_KEEPALIVE=10
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
    command: /bin/bash
    volumes:
      - /var/run/:/host/var/run/
      - ./../chaincode/:/opt/gopath/src/github.com/
      - ./crypto-config:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/
    networks:
      - basic
    #depends_on:
    #  - orderer.example.com
    #  - peer0.org1.example.com
    #  - couchdb
```

MeenakshiSingh (Mon, 31 Jul 2017 10:02:36 GMT):
I am getting the following error:

MeenakshiSingh (Mon, 31 Jul 2017 10:02:48 GMT):
```
peer0.org1.example.com | 2017-07-31 06:55:57.074 UTC [main] main -> ERRO 001 Cannot run peer because error when setting up MSP from directory /etc/hyperledger/msp/peer/: err Could not load a valid admin certificate from directory /etc/hyperledger/msp/peer/admincerts, err stat /etc/hyperledger/msp/peer/admincerts: no such file or directory
peer0.org1.example.com exited with code 1
ERROR: An HTTP request took too long to complete. Retry with --verbose to obtain debug information. If you encounter this issue regularly because of slow network conditions, consider setting COMPOSE_HTTP_TIMEOUT to a higher value (current value: 60).
```

prempatidar (Mon, 31 Jul 2017 10:04:13 GMT):
Has joined the channel.

vikas_hada (Mon, 31 Jul 2017 12:32:45 GMT):
Has joined the channel.

GeneralResearch (Mon, 31 Jul 2017 12:35:06 GMT):
Has joined the channel.

aambati (Mon, 31 Jul 2017 14:17:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fAPHmupTScKGYJip8) @sampath06 You can use either fabric-ca-client to generate the cert and key and put them in the msp directory structure, or you can use the fabric SDK to do the same.

jtclark (Mon, 31 Jul 2017 14:18:14 GMT):
@smithbk, @rennman - when either of you have a moment, I'd like to chat with you about https://gerrit.hyperledger.org/r/#/c/11687

aambati (Mon, 31 Jul 2017 14:18:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2uMJB64BGDbRAhkpj) @liuwenliang0632 I think he was shooting for it to go in 1.1

aambati (Mon, 31 Jul 2017 14:49:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4wiXsHrwj3QsLL4ue) @kitakei8 fabric-ca-server uses bccsp as the crypto provider (as do all other fabric components). BCCSP first looks in its keystore (by default a file-based keystore) for the key; if it is not found there, it will load it from the specified file. So, check the bccsp section in the fabric-ca-server config file to see the path to bccsp's keystore. Also, in the docker-compose file, notice that the host directory `./crypto-config/peerOrganizations/org1.example.com/ca/` is mapped to the container dir `/etc/hyperledger/fabric-ca-server-config`.

aambati (Mon, 31 Jul 2017 15:00:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dYwSvDkfuPk2TExiB) @MeenakshiSingh seems like the msp that fabric-ca-client creates is not complete, as it does not have an admincerts directory. What happens if you create the admincerts directory and restart?

htyagi90 (Mon, 31 Jul 2017 16:56:39 GMT):
Has joined the channel.

vdods (Mon, 31 Jul 2017 17:43:01 GMT):
@MeenakshiSingh I think you'll also need to make sure the correct cert is in the admincerts dir, because that's how you indicate to the MSP that a particular user is an admin (it's not via some yaml configuration or anything)

jtsiros (Mon, 31 Jul 2017 18:26:03 GMT):
I ended up following @smithbk 's suggestion using `fabric-ca-cryptogen.sh` with a small sample network with one orderer and one peer, however `startFabric.sh` is complaining when I run it after the network is started with:
```
2017-07-31 18:17:59.281 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing local MSP
2017-07-31 18:17:59.281 UTC [msp] GetDefaultSigningIdentity -> DEBU 002 Obtaining default signing identity
2017-07-31 18:17:59.282 UTC [channelCmd] InitCmdFactory -> INFO 003 Endorser and orderer connections initialized
2017-07-31 18:17:59.285 UTC [msp] GetLocalMSP -> DEBU 004 Returning existing local MSP
2017-07-31 18:17:59.285 UTC [msp] GetDefaultSigningIdentity -> DEBU 005 Obtaining default signing identity
2017-07-31 18:17:59.285 UTC [msp] GetLocalMSP -> DEBU 006 Returning existing local MSP
2017-07-31 18:17:59.285 UTC [msp] GetDefaultSigningIdentity -> DEBU 007 Obtaining default signing identity
2017-07-31 18:17:59.285 UTC [msp/identity] Sign -> DEBU 008 Sign: plaintext: 0AC5060A074F7267314D535012B9062D...53616D706C65436F6E736F727469756D
2017-07-31 18:17:59.285 UTC [msp/identity] Sign -> DEBU 009 Sign: digest: 2DBB998E9245B1F17AA73C73D9C82FF329CE4A082BBAF2E69D0CFBC341E5B834
2017-07-31 18:17:59.285 UTC [msp] GetLocalMSP -> DEBU 00a Returning existing local MSP
2017-07-31 18:17:59.285 UTC [msp] GetDefaultSigningIdentity -> DEBU 00b Obtaining default signing identity
2017-07-31 18:17:59.286 UTC [msp] GetLocalMSP -> DEBU 00c Returning existing local MSP
2017-07-31 18:17:59.286 UTC [msp] GetDefaultSigningIdentity -> DEBU 00d Obtaining default signing identity
2017-07-31 18:17:59.286 UTC [msp/identity] Sign -> DEBU 00e Sign: plaintext: 0AFC060A1508021A0608D7E8FDCB0522...049672E64C3BF9519AEDA91F12612962
2017-07-31 18:17:59.286 UTC [msp/identity] Sign -> DEBU 00f Sign: digest: 7F5321FD9CE6B5117D7CB8F27FA4B126217219F6009FC2E2810BBE44F961138C
Error: Got unexpected status: BAD_REQUEST

Usage:
  peer channel create [flags]

Flags:
  -c, --channelID string   In case of a newChain command, the channel ID to create.
  -f, --file string        Configuration transaction file generated by a tool such as configtxgen for submitting to orderer
  -t, --timeout int        Channel creation timeout (default 5)

Global Flags:
      --cafile string              Path to file containing PEM-encoded trusted certificate(s) for the ordering endpoint
      --logging-level string       Default logging level and overrides, see core.yaml for full syntax
  -o, --orderer string             Ordering service endpoint
      --test.coverprofile string   Done (default "coverage.cov")
      --tls                        Use TLS when communicating with the orderer endpoint
  -v, --version                    Display current version of fabric peer server
```
Seems like it is failing on the very first command to create a channel:
```
docker exec -e "CORE_PEER_LOCALMSPID=Org1MSP" -e "CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin@org1.example.com/msp" peer0.org1.example.com peer channel create -o orderer.example.com:7050 -c mychannel -f /etc/hyperledger/configtx/mychannel.tx
```
Any helpful suggestions on what might be going on?

kly4 (Mon, 31 Jul 2017 18:47:35 GMT):
Has joined the channel.

jmcnevin (Mon, 31 Jul 2017 19:08:28 GMT):
How would I send affiliation setups to fabric-ca-server through an ENV variable?

rjones (Mon, 31 Jul 2017 19:11:11 GMT):
Has joined the channel.

rjones (Mon, 31 Jul 2017 19:11:43 GMT):
@mastersingh24 : I see this error on the `z` builds for `fabric-ca`: ```java.nio.file.InvalidPathException: Malformed input or input contains unmappable characters: /w/workspace/fabric-ca-verify-s390x/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/cloudflare/cfssl/vendor/github.com/cloudflare/cfssl_trust/intermediate_ca/?????????_2003-3-3_SHA1WithRSA.crt```

rjones (Mon, 31 Jul 2017 19:11:49 GMT):
they all fail right at the top.

rjones (Mon, 31 Jul 2017 20:10:09 GMT):
@rennman see above

rjones (Mon, 31 Jul 2017 20:10:36 GMT):
@mastersingh24 https://logs.hyperledger.org/production/vex-yul-hyp-jenkins-1/fabric-ca-verify-s390x/1484/console.log.gz

aambati (Mon, 31 Jul 2017 20:16:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=N5hwHcQbD8CXgiFC8) @jmcnevin You can only specify affiliations in the server configuration file.

mastersingh24 (Mon, 31 Jul 2017 20:19:58 GMT):
@rjones - those files have not changed though - they have been part of the repo for a long time and the patch does not modify them.

aambati (Mon, 31 Jul 2017 20:20:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PAgrzvGftdXqvyuAF) @jtsiros Quick question: are you using the latest patch set https://gerrit.hyperledger.org/r/#/c/10871/ ?

jtsiros (Mon, 31 Jul 2017 20:20:48 GMT):
@aambati I'm running v1.0.0 tag.

aambati (Mon, 31 Jul 2017 20:26:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hvNYzmk3ebphrugXs) @rjones it is complaining about this file `行政院_2003-3-3_SHA1WithRSA.crt`

aambati (Mon, 31 Jul 2017 20:27:29 GMT):
there are two files with double byte characters: https://github.com/hyperledger/fabric-ca/tree/release/vendor/github.com/cloudflare/cfssl/vendor/github.com/cloudflare/cfssl_trust/intermediate_ca

aambati (Mon, 31 Jul 2017 20:29:40 GMT):
Gari is right that those two files exist in 1.0.0 as well

rjones (Tue, 01 Aug 2017 01:47:56 GMT):
@mastersingh24 @aambati I manually logged on to all of the Z builders and removed /w/workspace/* . builds now work on those machines.

saifulislamsaaif (Tue, 01 Aug 2017 02:26:09 GMT):
Has joined the channel.

saifulislamsaaif (Tue, 01 Aug 2017 02:28:23 GMT):
Fabric build fails due to the test case TestNewUserRegistryMySQL failing.

saifulislamsaaif (Tue, 01 Aug 2017 02:28:36 GMT):
Getting error "Failed to connect to MySQL database: dial tcp 127.0.0.1:3306: getsockopt: connection refused" does not contain "permission denied"

saifulislamsaaif (Tue, 01 Aug 2017 02:57:44 GMT):
Similar issue also reported on jira (https://jira.hyperledger.org/browse/FAB-5427)

gauthampamu (Tue, 01 Aug 2017 03:20:48 GMT):
I have a few questions about fabric-ca and LDAP server. I wanted to understand what the recommended configuration for fabric-ca is. Is there any advantage to using LDAP? Is it the recommended configuration for a production deployment? http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#fabric-ca-server The documentation says that when the SDK sends the enrollment request, you have to send the request with a basic authorization header, but does it mean we don't need the register request because the user is already present in the LDAP system? When Fabric CA is configured with a database, it stores the id and secret and also attributes, state and max enrollment in the database. So when you configure the CA with LDAP, does it still store the information on max enrollment and other attributes in the LDAP server?

liuwenliang0632 (Tue, 01 Aug 2017 03:59:31 GMT):
@vdods why is the key I make shorter than it should be when I use "Adding one peer on an existing organization"?

paapighoda (Tue, 01 Aug 2017 05:44:34 GMT):
Has joined the channel.

Ashish (Tue, 01 Aug 2017 06:18:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5ob6sPp5Jvs2aykTh) @vdods Can I add multiple admins by adding Admin1@org1.example.com-cert.pem, Admin2@org1.example-cert.pem, etc.?

paapighoda (Tue, 01 Aug 2017 06:20:35 GMT):
Has left the channel.

Ashish (Tue, 01 Aug 2017 06:39:38 GMT):
If we use the Fabric-CA to register a new user, it becomes associated with that CA instance, right?

Ashish (Tue, 01 Aug 2017 06:39:55 GMT):
How are we linking the CA instance to an Org ?

Ashish (Tue, 01 Aug 2017 06:42:27 GMT):
If we do not link a CA instance to an Org or any peers within that Org, then how does the addition of a user get reflected on the Org ( ie amongst the peers in that Org ) ?

Ashish (Tue, 01 Aug 2017 07:06:30 GMT):
If I am using the Java SDK, how can we add a user to an org (the peers of an org) which is up and running?

Ashish (Tue, 01 Aug 2017 07:57:22 GMT):

Message Attachments

Ashish (Tue, 01 Aug 2017 07:58:36 GMT):
The node SDK document mentions that the users which are created by SDK would be of MEMBER role, who won't be able to perform the following : create/update channel; install/instantiate chaincode; query installed/instantiated chaincodes

Ashish (Tue, 01 Aug 2017 07:58:48 GMT):
So what is the point of creating these users ?

mastersingh24 (Tue, 01 Aug 2017 09:16:37 GMT):
@Ashish - So this area is a bit tricky as we are dealing with the classic "chicken and egg" problem when it comes to populating the admins for peers. The current issue is that the admin(s) for a peer are specified by explicitly including their certificate(s) in each peer's local MSP ( http://hyperledger-fabric.readthedocs.io/en/latest/msp.html#msp-setup-on-the-peer-orderer-side). What this means is that you will need to enroll any user(s) you want to act as admins for your peer(s) and then add their public certificates to the local MSP(s) of your peer(s). (only peer admins can perform the roles outlined above)

Ashish (Tue, 01 Aug 2017 09:31:00 GMT):
@mastersingh24, thank you Gari. Just wondering, if I manually add the public certs to the local MSP(s) while they are up and running, will they still work? I mean, do we have to restart the peer node to accept a new Admin? My idea is to start them with "default Admin / No admins", then later, once we get an actual Administrator on-boarded, make him the active admin user.

mastersingh24 (Tue, 01 Aug 2017 09:48:09 GMT):
Unfortunately you will need to restart the peers - the local MSP is only updated at startup

Ashish (Tue, 01 Aug 2017 10:16:22 GMT):
Ohkay , :(

MeenakshiSingh (Tue, 01 Aug 2017 12:10:02 GMT):
@aambati and @vdods How do I generate the admincerts? After starting the fabric-ca server, I initialized it and enrolled the admin using the fabric-ca client. Still it didn't generate any admincerts.

ancythomas (Tue, 01 Aug 2017 12:21:06 GMT):
Has joined the channel.

ancythomas (Tue, 01 Aug 2017 12:26:21 GMT):
Hi, in the fabric-ca documentation I have seen that a peer identity can be registered; what about organizations? How can they be registered/enrolled?

ancythomas (Tue, 01 Aug 2017 12:38:54 GMT):
Also, among the files generated in the crypto-config folder, the keystore folder in: crypto-config\peerOrganizations\org1.example.com\msp\ is empty, but the keystore folder in : crypto-config\peerOrganizations\org1.example.com\peers\peer0.org1.example.com\msp\ contains a key. Could anyone please explain the reason?

aambati (Tue, 01 Aug 2017 14:13:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GfLg3q2933aDTLmHe) @MeenakshiSingh You should register and enroll a user with fabric-ca and place the user's cert in the admincerts msp folder. By doing that you are indicating to the peer that the user is an admin.

aambati (Tue, 01 Aug 2017 15:12:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=unDBhDa29CNk2GfPw) @gauthampamu Using LDAP, there is no need to register users; users just need to enroll to get their certificates. Fabric CA server will not store attributes in the LDAP, it just reads user info from LDAP. Currently, LDAP users can enroll an unlimited number of times. Whether to use LDAP with Fabric CA server really depends on whether you want to use your existing user registry and not have to register the users again. Obviously, that means max enrollments is not enforced.

gauthampamu (Tue, 01 Aug 2017 15:44:26 GMT):
@aambati Thanks for the response. If max enrollment is not enforced, what is the impact of that ?

gauthampamu (Tue, 01 Aug 2017 15:47:40 GMT):
Does it mean you can create multiple signing identities with the same LDAP userid and password? When you enroll, you get the signer identity? Can you explain what is stored in the signing identity and where it is validated and verified by the peer.
```
{
  "name": "Jim",
  "mspid": "Org1MSP",
  "roles": null,
  "affiliation": "",
  "enrollmentSecret": "KIxDSRGFGnoF",
  "enrollment": {
    "signingIdentity": "b142dca7d05c8647fc38ac79ceecc0702c425e02267c038aeddac456aa6bacb9",
    "identity": {
      "certificate": "-----BEGIN CERTIFICATE-----\nMIIB7zCCAZWgAwIBAgIUAgMWzQsu45Af34rAJg07wPWRcscwCgYIKoZIzj0EAwIw\nczELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh\nbiBGcmFuY2lzY28xGTAXBgNVBAoTEG9yZzEuZXhhbXBsZS5jb20xHDAaBgNVBAMT\nE2NhLm9yZzEuZXhhbXBsZS5jb20wHhcNMTcwNzMxMTY1ODAwWhcNMTgwNzMxMTY1\nODAwWjAOMQwwCgYDVQQDEwNKaW0wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR7\n8r1DOu85TxPOAMxVjvyeNV0wntNAGQBzKM6kDZ0KTJhlPGDLhu7kPfw/asLpT7IQ\ngbfI6sd5WMdLb8DfhId0o2wwajAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIw\nADAdBgNVHQ4EFgQUF1UbrEYfHteEJ1/hwAhdzVWgX14wKwYDVR0jBCQwIoAgDnKS\nJOiz8xeEyKk8W4729MHJHZ5uV3xFwzFjYJ/kABEwCgYIKoZIzj0EAwIDSAAwRQIh\nAJg7gFnbAOxH8YCram6imFK0ZLt5VYoLhxVsOTvj1O5pAiA0GdN/gGzZAayDGuYd\nYMIQjZT4UjagG1DlNElF2rTrdw==\n-----END CERTIFICATE-----\n"
    }
  }
}
```

aambati (Tue, 01 Aug 2017 18:02:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kjuXhbQMGmcRz8N2i) @ancythomas Why do you need to register an organization? As far as fabric-ca is concerned, you can register any identity. It does not really care whether the identity is a user, client, peer, orderer or organization. But what is the need to have an identity for an org?

aambati (Tue, 01 Aug 2017 18:04:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=L59S2X8MqeFYSZ243) @gauthampamu a user will be able to reenroll an unlimited number of times.

aambati (Tue, 01 Aug 2017 18:30:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sW4NTiXLNDgNePizX) @gauthampamu When you enroll an identity with a Fabric CA, you get a certificate (aka ECert, enrollment certificate) for the identity. This certificate is signed by the Fabric CA's root cert. For example, if the enrolled identity needs to be an admin for the peer, the cert must be in the admincerts folder of the peer's local MSP.

vdods (Tue, 01 Aug 2017 18:34:40 GMT):
@liuwenliang0632 I'm not sure I understand your question

gauthampamu (Tue, 01 Aug 2017 18:34:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AMmCsSvYDfaSuFNsL) @aambati Thanks for the response. What is the significance of the signing identity in the keystore file, "signingIdentity":"b142dca7d05c8647fc38ac79ceecc0702c425e02267c038aeddac456aa6bacb9"? I am assuming the "identity:" is the eCert.

vdods (Tue, 01 Aug 2017 18:36:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5eLedkAbNFyEg24EP) @Ashish Yes I believe so -- just put the users' certs in the admincerts directory under the msp dir of the peer or orderer. They don't have to be named "admin", it's only the presence of their certs in the admincerts subdir that makes them an admin.

vdods (Tue, 01 Aug 2017 18:39:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=L6g4GYpNSHznvFiSq) @Ashish Yes -- using fabric-ca to register new users indeed associates that user with the CA and the org that CA belongs to. As far as I understand (@mastersingh24 can correct me if I'm wrong), an active CA isn't strictly needed -- just the correct certs/keys in the MSP dir signed by the correct authorities. A CA could just be used to create certs/keys one time for a fixed number of users, and then the CA is shutdown and the peers/orderers just keep functioning using the materials in the MSP dir (at least until the certs expire)

mastersingh24 (Tue, 01 Aug 2017 18:40:34 GMT):
@vdods - Correct yet again!

mastersingh24 (Tue, 01 Aug 2017 18:41:15 GMT):
fabric-ca is not required in the runtime path for the peer or orderer nodes and once clients have enrolled it is out of their path as well

vdods (Tue, 01 Aug 2017 19:15:15 GMT):
Thanks

Asara (Tue, 01 Aug 2017 19:27:51 GMT):
Not sure why, but when the CA comes up it is overwriting the cacert that I am passing it

Asara (Tue, 01 Aug 2017 19:39:11 GMT):
Anyone else have this issue?

Asara (Tue, 01 Aug 2017 19:39:50 GMT):
The docker-compose process seems to replace my ca.org1.example.com cert with something that points to
```
Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=fabric-ca-server
```

aambati (Tue, 01 Aug 2017 19:40:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DruPrvGCipJnPdAHB) @Asara how are you running the fabric ca server? can u ping fabric-ca section of the docker compose file

Asara (Tue, 01 Aug 2017 19:41:16 GMT):
Not sure what you mean @aambati

Asara (Tue, 01 Aug 2017 19:41:22 GMT):
I am running it via docker compose

Asara (Tue, 01 Aug 2017 19:41:57 GMT):
I am using ansible to template out yaml files for docker

Asara (Tue, 01 Aug 2017 19:42:21 GMT):
The yaml file ends up looking like this:
```
services:
  ca0:
    image: hyperledger/fabric-ca
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=ca.org1.example.com
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
      - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/org1-keystore_sk
    ports:
      - "7054:7054"
    command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/org1-keystore_sk -b admin:adminpw -d'
    volumes:
      - /etc/hosts/:/etc/hosts
      - ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
    container_name: ca_peerOrg1
```

Asara (Tue, 01 Aug 2017 19:43:59 GMT):
I think i figured it out. Ignore me :)

aambati (Tue, 01 Aug 2017 19:45:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cAvcBXKFsMgH8N3zD) @Asara can you share what the problem was for the benefit of others

Asara (Tue, 01 Aug 2017 19:46:11 GMT):
Passing the wrong private key, which i assume made it regenerate a config

liuwenliang0632 (Wed, 02 Aug 2017 02:10:11 GMT):
How can I create a peer msp and tls?

someoneapp (Wed, 02 Aug 2017 03:43:10 GMT):
Has joined the channel.

ancythomas (Wed, 02 Aug 2017 04:54:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZBbM9ADrbcoJad8JT) @aambati oh, okay, thanks

MeenakshiSingh (Wed, 02 Aug 2017 06:54:14 GMT):
@aambati So, first I should initialize and start the fabric-ca server, then enroll the admin using `fabric-ca-client enroll -u http://admin:adminpw@localhost:7054`. Now this admin can be used for enrolling users and peers. So to register and enroll a user, I should do `export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin`, `fabric-ca-client register --id.name user1 --id.type user --id.affiliation org1.department1 --id.secret user1pw --id.attrs 'hf.Revoker=true,foo=bar'`, `export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/user1`, `fabric-ca-client enroll -u http://user1:user1pw@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/msp`. Now the certificates generated in the msp directory are to be copied into the admincerts?

chenshiok (Wed, 02 Aug 2017 08:54:38 GMT):
Has joined the channel.

ancythomas (Wed, 02 Aug 2017 10:36:22 GMT):
Are the attrs that are specified during user registration stored anywhere? If yes, where can we find them?

ngeorge (Wed, 02 Aug 2017 11:22:04 GMT):
Has joined the channel.

bitnut (Wed, 02 Aug 2017 12:39:52 GMT):
Has joined the channel.

aambati (Wed, 02 Aug 2017 13:54:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TfsZPRLWNSaBjgees) @ancythomas They are stored in the user's table of fabric ca database

aambati (Wed, 02 Aug 2017 14:00:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RzT2LS8hZLaBRNHuk) @MeenakshiSingh That is correct. assuming that $HOME/fabric-ca/clients/admin/msp/signcerts has ECert for admin

MohammadObaid (Wed, 02 Aug 2017 14:36:53 GMT):
Has joined the channel.

MohammadObaid (Wed, 02 Aug 2017 14:51:48 GMT):
Hey all. I am working on fabric-sdk-node and I want to add organizations to it so that a user can enroll in my new organization and invoke transactions on the blockchain. To achieve this I first added affiliations in my custom-fabric-ca.yaml file and passed that to the fabric-ca server in my docker-compose file. However it doesn't work out for me. Is there a way I can create my custom fabric-ca image which contains the added affiliation and all other things so that a new user can enroll in the added organizations?

amod (Wed, 02 Aug 2017 15:00:43 GMT):
Has joined the channel.

Eric.Bui (Wed, 02 Aug 2017 15:31:48 GMT):
Has joined the channel.

Eric.Bui (Wed, 02 Aug 2017 15:41:19 GMT):

Message Attachments

Eric.Bui (Wed, 02 Aug 2017 15:53:17 GMT):
and I have a chaincode X with an endorsing policy that must be endorsed by EP1 and EP2. What happens if the CA of EP2 is revoked? Can users still execute the chaincode X properly?

MeenakshiSingh (Wed, 02 Aug 2017 18:37:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=eo5a3MngqQoLgoXwK) @aambati These commands generated the cacerts, signcerts and keystore for each of the roles, i.e., admin, user and peer. None of these were with the name Admin1@org1.example-cert.pem. How should I generate these admincerts? Can you please clarify what certificates are to be kept in cacerts and signcerts, as all the roles (admin, user and peer) have certificates with the same name in their respective directories. Also, do I need to copy the keystore contents of all, i.e., admin, user and peer, to the keystore directory of the mspconfig folder?

aambati (Wed, 02 Aug 2017 19:29:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KANDYEhh6ug7aWw3a) @Eric.Bui do these peers belong to one organization or two organizations? Each organization can use its own CA or the same CA. The key is that each organization has its own CA signing certificate. Each org can have one or more peers that are members of multiple channels. I think currently these channels should belong to one network. But maybe in the future these channels can belong to multiple networks (as your picture indicates).

aambati (Wed, 02 Aug 2017 19:30:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qpTuDgYbEZD9Wjrrq) @Eric.Bui I don't understand what you meant by "CA of EP2 is revoked". Can you please elaborate.

aambati (Wed, 02 Aug 2017 20:54:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PpaHy6aEGPukoQtbh) @MeenakshiSingh If you want user1 to be an admin of your peer, then place the user's cert (from the `$HOME/fabric-ca/clients/user1/msp/signcerts` directory) in the `admincerts` folder of the peer's msp. Also, place the corresponding private key (from the `$HOME/fabric-ca/clients/user1/msp/keystore` directory) into the keystore of the peer's msp. Similarly, copy the peer's cert and key into the signcerts and keystore folders of the peer's msp, respectively. Then copy the CA cert (either from `$HOME/fabric-ca/clients/user1/msp/cacerts` or `$HOME/fabric-ca/clients/admin/msp/keystore`) to the cacerts folder of the peer's msp.

gauthampamu (Wed, 02 Aug 2017 21:13:18 GMT):
I have a question on TCerts. I have heard from everyone that we don't support TCerts in v1.0. The Fabric CA documentation says it supports TCerts. 1) So does the CA support TCerts? 2) If it does, does it mean that it supports them but the fabric SDK does not use them when submitting the transaction proposals? Also, do we sign the transactions with ECerts? Does it mean we link identity with the transactions? http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html ..."issuance of Transaction Certificates (TCerts), providing both anonymity and unlinkability when transacting on a Hyperledger Fabric blockchain"

gauthampamu (Wed, 02 Aug 2017 21:19:03 GMT):
If you have a network with more than one organization, I was told that you could have a separate fabric ca for each organization. So let's say you register and enroll a member with fabric CA1 and you have eCerts. Now when you submit the transaction proposal to both peer0 of Org1 and peer0 of Org2, will the request to peer0 of Org2 check the identity of the application/user that submitted the transaction?

vdods (Thu, 03 Aug 2017 00:09:46 GMT):
Hi all and @smithbk , what's the status of https://gerrit.hyperledger.org/r/#/c/10871/ ? This is the `fabric-sh-cryptogen.sh` script.

Eric.Bui (Thu, 03 Aug 2017 02:17:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7bBpcPhpLeME3JGL4) @aambati 1. In our network topology, these channels belong to multiple networks. 2. In our network topology, bank A belongs to the network and bank A owns an intermediate self-certificate (iCA); bank A then has an Endorsing Peer A1. Similarly, bank B has an Endorsing Peer B1. My channel has chaincode X which must be endorsed by Endorsing Peer A1 and Endorsing Peer B1. Suppose bank A withdraws from my channel and the intermediate self-certificate (iCA) is revoked by our admin; as a result, the certificate of Endorsing Peer A1 (which was issued by Bank A's iCA) will be revoked too. So what happens when my end-user invokes the chaincode X which must be endorsed by Endorsing Peer A1?

ArnabChatterjee (Thu, 03 Aug 2017 04:58:36 GMT):
Has joined the channel.

MeenakshiSingh (Thu, 03 Aug 2017 06:55:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ttQ6S2HRt6vSZkNBe) @aambati Thanks a lot. I was able to generate the certificates and start a peer. If I have to start multiple peers/users in the same organization, then what should the directory structure of the mspconfig folder be? (The signcerts generated for both peers have the name cert.pem.)

Madhavi Elamandyam (Thu, 03 Aug 2017 07:05:44 GMT):
Has joined the channel.

sklump (Thu, 03 Aug 2017 11:35:44 GMT):
Has joined the channel.

aambati (Thu, 03 Aug 2017 12:44:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HTAGXYk5crx75XmLu) @MeenakshiSingh They could use the same MSP or different MSPs. You can rename cert.pem to peer1cert.pem or peer2cert.pem... the file name does not matter.

gauthampamu (Thu, 03 Aug 2017 13:05:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YGaiseJHquYsp6LB3) @aambati Since we don't store attributes with LDAP, can we say that we cannot have users with different types and affiliations, like peer or app or user, as mentioned in https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#registering-a-new-identity? So it is a limitation of using LDAP.

MeenakshiSingh (Thu, 03 Aug 2017 13:06:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dMHCuWSmK9v3gPdxs) @aambati ok, got it, but both peers will try to use the same ports, 7051 and 7053, due to which I am getting a "port already in use" exception.

aambati (Thu, 03 Aug 2017 14:53:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hisJG3Xq4q7h3ejoe) @gauthampamu TCert function is in Fabric CA but not used by the Fabric components including SDK. I think Ecerts are being used to sign the transactions today.

aambati (Thu, 03 Aug 2017 15:16:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fPBbqzNKXSh8Dw5tr) @gauthampamu When a transaction proposal is submitted to a peer, you also specify which channel it is submitted against. Each channel config block has information on all the peers that are members of the channel. Peer information includes the org MSP name and the signing certs associated with the org. Using this channel config information, a peer can determine that the user submitting the transaction is signed by one of the signing certs that are in the channel config, and can check whether the user satisfies the channel policies.

aambati (Thu, 03 Aug 2017 15:20:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GxtFxZs9yf7aqJ7sG) @vdods It is in review, but the script itself can be used with 1.0.0 or above versions. Once committers accept the change it will be put into the next patch release or the next minor release, 1.1.

Eric.Bui (Thu, 03 Aug 2017 15:29:01 GMT):
Hi all, may I know how we can recover/reset the password for an end-user?

Eric.Bui (Thu, 03 Aug 2017 15:29:18 GMT):
if he forgot his password

gauthampamu (Thu, 03 Aug 2017 15:44:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ik5ZX5DG6bZGgrp9H) @aambati Thanks for the response. Is the TCert user details (group, etc) still on track for 1.1? Is there an ETA on 1.1?

aambati (Thu, 03 Aug 2017 16:05:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RC8NbRFfGokSxkj9q) @gauthampamu It is a limitation currently. There is a JIRA item for this issue: https://jira.hyperledger.org/browse/FAB-3416. It seems affiliations and maxenrollments will not be supported for LDAP users according to the JIRA item, but the plan is to support user attributes.

aambati (Thu, 03 Aug 2017 16:12:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Z5RfEPb48XZ3jS9mF) @MohammadObaid Can you please explain what you meant by "However it dosent work out for me . "? If you have specified affiliations in the config file, they will be read by the fabric ca server.

aambati (Thu, 03 Aug 2017 16:19:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=b629i4c9Dmz4rLL32) @Eric.Bui I am not an expert in the area of your question. But I would think that when Bank A withdraws from the channel, the channel endorsement policy is also updated, so when a transaction is submitted, it needs to be endorsed by Peer B1 only. @muralisr do you know what happens in this scenario? Also, try asking this question in the fabric-peer-endorser-committer channel.

aambati (Thu, 03 Aug 2017 16:20:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WEjZama9E5BmYA2wk) @gauthampamu I am not sure. @mastersingh24 do you know the answer to this question?

aambati (Thu, 03 Aug 2017 16:23:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DxA7BxuoqMMvfJnEu) @Eric.Bui There is no need for a password as long as the user has a valid enrollment certificate. The only way to get a password again is to re-register the user with Fabric CA.

Eric.Bui (Thu, 03 Aug 2017 16:27:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jxiNHBif37YoQ86NH) @aambati many thanks :thumbsup:

sklump (Thu, 03 Aug 2017 16:33:32 GMT):
Hello. I have one simple* baby step toward evolving a fabric network topology. Starting with the byfn sample included in v1.0.0, I would like to swap out the default CA with one I set up with my own openssl.cnf. What is a good approach to this end?

sklump (Thu, 03 Aug 2017 16:34:31 GMT):
i.e., have our own CA issue the certificates instead of L=San Francisco, C=CA

sklump (Thu, 03 Aug 2017 16:34:35 GMT):
dammit ST=CA

Eric.Bui (Thu, 03 Aug 2017 16:54:55 GMT):
Hi, we are trying to design a decentralised CA network topology. Here is our proposal: 1. Each bank will be issued an iCA by the root CA, with the configuration that their iCA can't be revoked by the root CA and can only be revoked by themselves. So it makes the system more decentralised, as the root CA can't control them. 2. After that, each bank can issue multiple CAs/iCAs for their peers and clients. But we see that the root CA is still a centralised system. The system will fail at a single point if the root CA is malicious: the root CA can reset the bank's iCA password by himself, and the root CA can refuse to verify membership of the bank's iCA. Is there anything wrong with our design?

vdods (Thu, 03 Aug 2017 17:03:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fxW6o3CZA34BXxFmk) @aambati I am using a modified version of it, though I'm getting `The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority` errors from the peer upon channel join, and I'm finding it rather difficult to debug, since it doesn't indicate which identity it has or which one it expects.

aambati (Thu, 03 Aug 2017 17:14:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FCMXsJxnTCoMDMt7H) @vdods I know that was a problem with the initial patch set, but Keith corrected that problem in the later patch set. So, pls make sure you are using the latest patch set of that change set.

rjones (Thu, 03 Aug 2017 17:43:35 GMT):
Has left the channel.

aambati (Thu, 03 Aug 2017 19:28:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=acS5eTTABSeSTcpRJ) @sklump Once the blockchain network is set up, the CA is not really involved in the operation of the network. Just make sure your CA root signing cert is in all organizations' MSPs. What are your specific concerns?

MohammadObaid (Thu, 03 Aug 2017 19:39:00 GMT):
@aambati That's the problem I am facing. Although the affiliations are added, which I can see in my docker logs, when I try to enroll new users in my custom organizations I get the following error in the docker logs: `Chain file does not exist at /etc/hyperledger/fabric-ca-server/ca-chain.pem`

sklump (Thu, 03 Aug 2017 19:40:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4sntSjWbvNEtAeCSn) @aambati We want to be able to tie down node membership with our existing certificate policies. E.g., the private keys signing the node membership approval must be X strong, stored on Y-approved hardware, with Z configuration. Additionally, as it stands, any inspection of certificates anywhere along the network will show stuff that is definitely not our preferred branding. At the moment I'm looking for any kind of win where I can say we can customize the network beyond byfn. I'm sure it's possible, but at present I see nothing but magic.

aambati (Thu, 03 Aug 2017 19:47:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rK7zwxdkEtkPwbSop) @MohammadObaid That error has nothing to do with affiliations, imo. Error is obvious, it is not able to find ca-chain.pem. Is it there at a different location? Can you pls ping fabric-ca section of your docker compose file.

MohammadObaid (Thu, 03 Aug 2017 19:49:22 GMT):
@aambati Here is my docker-compose file https://gist.github.com/mohammadobaid1/49694dfe782e690e0a46b0983bf60ad0

sklump (Thu, 03 Aug 2017 19:50:03 GMT):
If I change out all the certificates and keys in the various sub-directories of crypto-config/ after generation (via byfn.sh -m generate), will the docker container pick up those changes and run with them (possibly after a restart)? This may be a dumb question. I am sure it won't be my dumbest. Thanks for being here and humouring a noob and doing this.

aambati (Thu, 03 Aug 2017 20:01:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YyzC5D9oY5tpne8LZ) @Eric.Bui "After that, each bank can issue multi CAs, iCAs for their peer, clients." - did you mean each bank's iCA will issue certificates to their peers and clients? Why do peers/clients need their own intermediate ca certs? I don't see anything wrong with your design, but I do not understand the concern though. Particularly, your statement : "Root CA can reset the bank's iCA password by himself and Root CA can refuse to verify membership of bank iCA."

vdods (Thu, 03 Aug 2017 22:43:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EtK3JRp5LzGRsNoYD) @aambati Unfortunately, even after updating, I'm still getting the same error. This doesn't have to do with TLS though; it occurs when the peer is invited to join the channel.

vdods (Thu, 03 Aug 2017 22:44:51 GMT):
I think I might just try to debug this myself -- the error messages aren't particularly useful, so I'm not sure which cert is the problem.

vdods (Thu, 03 Aug 2017 22:59:17 GMT):
One thing though is I'm trying all of this with TLS *disabled* -- I want to get that working before I try to add TLS. Even though they're theoretically independent concerns, could that possibly be causing the problem? I had this working pre-1.0.0 release using the old cryptogen

jtsiros (Thu, 03 Aug 2017 23:32:37 GMT):
Hey guys, I'm following the fabcar tutorial on v1.0.0 (http://hyperledger-fabric.readthedocs.io/en/latest/write_first_app.html) and, for example's sake, I'm on the command line of the CA server (through `docker exec`) that gets set up as part of the network. The `fabric-ca-client` is using the provided config file:
```
2017/08/03 23:19:07 [INFO] User provided config file: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
```
When I attempt to register a new user, I seem to get an authorization failure:
```
root@645290165cdc:/# fabric-ca-client register -u "http://localhost:7054" --id.name "User2" --id.secret "123" --id.type "user" --id.affiliation "org1.department1"
2017/08/03 23:19:07 [INFO] User provided config file: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort
root@645290165cdc:/# fabric-ca-client enroll -u http://user2:123@localhost:7054
2017/08/03 23:20:25 [INFO] User provided config file: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2017/08/03 23:20:25 [INFO] Created a default configuration file at /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2017/08/03 23:20:25 [INFO] generating key: &{A:ecdsa S:256}
2017/08/03 23:20:25 [INFO] encoded CSR
Error: Error response from server was: Authorization failure
root@645290165cdc:/# fabric-ca-client enroll -u http://user2:123@localhost:7054 -d
2017/08/03 23:21:56 [INFO] User provided config file: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2017/08/03 23:21:56 [DEBUG] Client configuration settings: &{Debug:true URL:http://user2:123@localhost:7054 MSPDir:msp TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{Name: Secret: Profile: Label: CSR: CAName:} CSR:{CN:user2 Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[645290165cdc] KeyRequest: CA: SerialNumber:} ID:{Name: Type: Secret: MaxEnrollments:-1 Affiliation: Attributes:[{Name: Value:}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName:} CAInfo:{CAName:} CAName: CSP:0xc4201ba100}
2017/08/03 23:21:56 [DEBUG] Entered runEnroll
2017/08/03 23:21:56 [DEBUG] Enrolling &{Name:user2 Secret:ida Profile: Label: CSR:0xc4200952c0 CAName:}
2017/08/03 23:21:56 [DEBUG] Initializing client with config: &{Debug:true URL:http://localhost:7054 MSPDir:msp TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{Name:user2 Secret:123 Profile: Label: CSR:0xc4200952c0 CAName:} CSR:{CN:user2 Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[645290165cdc] KeyRequest: CA: SerialNumber:} ID:{Name: Type: Secret: MaxEnrollments:-1 Affiliation: Attributes:[{Name: Value:}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName:} CAInfo:{CAName:} CAName: CSP:0xc4201ba100}
2017/08/03 23:21:56 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc4201a7980 Pkcs11Opts:}
2017/08/03 23:21:56 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc4201b7520 DummyKeystore:}
2017/08/03 23:21:56 [DEBUG] GenCSR &{CN:user2 Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[645290165cdc] KeyRequest: CA: SerialNumber:}
2017/08/03 23:21:56 [INFO] generating key: &{A:ecdsa S:256}
2017/08/03 23:21:56 [DEBUG] generate key from request: algo=ecdsa, size=256
2017/08/03 23:21:56 [INFO] encoded CSR
2017/08/03 23:21:56 [DEBUG] Sending request POST http://localhost:7054/enroll Authorization: Basic dXNlcjI6aWRh {"hosts":["645290165cdc"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBQjCB6QIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBXVzZXIyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqbi6tXhvmwB9pRNY\nDt5SXcEHjY+ZzuBWJmeXpG7QTjoZdHpmda/hL1p7NsrGE/3kVzAdPAvYDZf0Xus9\ngqk6aKAqMCgGCSqGSIb3DQEJDjEbMBkwFwYDVR0RBBAwDoIMNjQ1MjkwMTY1Y2Rj\nMAoGCCqGSM49BAMCA0gAMEUCIQC2FwOPqrTEm3c72sxBPPFuhwQYzJ+/mZEZsz10\nQbNPqgIgCbKKFFxVwWTqBRN9AQvuLSH8fx3Qy87e0rQ/u0kIPlY=\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","CAName":""}
2017/08/03 23:21:56 [DEBUG] Received response statusCode=400 (400 Bad Request)
Error: Error response from server was: Authorization failure
```
Any ideas why?

jtsiros (Thu, 03 Aug 2017 23:32:59 GMT):
It seems there is an Admin user already configured.

jtsiros (Thu, 03 Aug 2017 23:45:04 GMT):
I'm using the latest commit from the fabric-samples repo:
```
commit ca8fad315128a528dc8f3eab2395105723d5f95b (HEAD -> release, origin/release, origin/HEAD)
Author: Jim Zhang
Date:   Tue Jul 11 16:02:23 2017 -0400
```

vdods (Fri, 04 Aug 2017 01:25:41 GMT):
Ok, I think I know the problem, but not the solution: Somehow the cert from `fabric-ca/testdata/ecTest.der` (search for "Internet Widgets") made it into the MSP of the peer -- BUT that cert (and the text "Internet Widgets") is not found in the MSP materials I'm providing to the peer, so it must be getting it from somewhere else.

vdods (Fri, 04 Aug 2017 01:26:49 GMT):
Ignore the "HIPPO"s, they're just the thing I can easily grep for in my logs..
```
2017-08-04 01:17:04.865 UTC [msp] getUniqueValidationChain -> DEBU 20f HIPPO bccspmsp.getUniqueValidationChain; *opts.Roots = {map[gB=���?���[Ùѵ�H:[0]] map[01 0 UUS10U San Francisco10U Internet Widgets, Inc.1 0 U WWW10U example.com:[0]] [0xc420283200]}
2017-08-04 01:17:04.865 UTC [msp] getUniqueValidationChain -> DEBU 210 HIPPO bccspmsp.getUniqueValidationChain; opts.Roots.Subjects(): [
2017-08-04 01:17:04.865 UTC [msp] getUniqueValidationChain -> DEBU 211 HIPPO "01 0 UUS10U San Francisco10U Internet Widgets, Inc.1 0 U WWW10U example.com"
2017-08-04 01:17:04.865 UTC [msp] getUniqueValidationChain -> DEBU 212 HIPPO ]
2017-08-04 01:17:05.127 UTC [nodeCmd] func3 -> DEBU 213 sig: terminated
```

vdods (Fri, 04 Aug 2017 01:27:00 GMT):
This is the peer's log.

vdods (Fri, 04 Aug 2017 01:28:33 GMT):
On the other hand, the orderer functions normally for channel creation, having the right root and intermediate certs:
```
2017-08-04 01:17:04.700 UTC [msp] getUniqueValidationChain -> DEBU 173c HIPPO bccspmsp.getUniqueValidationChain; opts.Intermediates.Subjects(): [
2017-08-04 01:17:04.700 UTC [msp] getUniqueValidationChain -> DEBU 173d HIPPO "0]1 0 UUS10North Carolina10U Uyperledger10 Fabric10 Uadmin"
2017-08-04 01:17:04.700 UTC [msp] getUniqueValidationChain -> DEBU 173e HIPPO ]
2017-08-04 01:17:04.700 UTC [msp] getUniqueValidationChain -> DEBU 1740 HIPPO bccspmsp.getUniqueValidationChain; opts.Roots.Subjects(): [
2017-08-04 01:17:04.700 UTC [cauthdsl] func2 -> DEBU 1741 0xc42002c000 principal evaluation succeeds for identity 0
2017-08-04 01:17:04.700 UTC [msp] getUniqueValidationChain -> DEBU 1742 HIPPO "0h1 0 UUS10North Carolina10U Uyperledger10 Fabric10Ufabric-ca-server"
2017-08-04 01:17:04.700 UTC [cauthdsl] func1 -> DEBU 1743 0xc42002c000 gate 1501809424697162511 evaluation succeeds
```

Eric.Bui (Fri, 04 Aug 2017 04:11:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XniMbvarhJaxptsow) @aambati you are right, bank's client & peer don't need iCA. But each bank will be able to issue certificates for their own peers & clients. This makes the system more decentralized and private, as the bank can add peers into the network anywhere and anytime. In order to decentralize the CA topology, we are going to create multiple levels of iCA like this:
1. Our company owns the Root CA and uses the Root CA to issue 3 unrevoked iCAs, hosted on 3 iCA servers at level 1.
2. Next, we use each iCA at level 1 to issue the banks unrevoked iCAs; then banks can issue CA for their peers & clients. And banks will have their own iCA server as well.
My concerns are:
1. If someone can get my Root CA, then reset the password for all unrevoked iCAs at level 1, and after that he does a self-revoke. Because all of the iCAs at level 1 are revoked, then all bank iCAs will be revoked too, and the whole system goes down. Is it correct?
2. Is there any way to set an endorsing policy so that if the Root CA wants to reset the password for an iCA at level 1, it needs to get endorsed by other iCAs at level 1 too?
Another question: how do CA servers of the cluster maintain the same database?

gauthampamu (Fri, 04 Aug 2017 05:33:17 GMT):
For a production environment, what is the recommended approach to generate MSP certificates and their signing keys? I would assume we should not use the cryptogen tool. Can we say that you should use it purely for development and not for a real production network setup? Is the fabric-ca-client the recommended way to generate the key and enroll the userid to get the signed certs? If the customer is interested in leveraging their own CA, do they still need the fabric CA server? Is there a way to configure Fabric CA with an existing CA?

dnzdlklc (Fri, 04 Aug 2017 10:16:35 GMT):
Has joined the channel.

mastersingh24 (Fri, 04 Aug 2017 10:21:12 GMT):
[What exactly are you trying to do? ](https://chat.hyperledger.org/channel/general?msg=ZbCJF8YtDHcesvCtx) @dnzdlklc

mastersingh24 (Fri, 04 Aug 2017 10:21:35 GMT):
Technically you don't need the fabric-ca for development

mastersingh24 (Fri, 04 Aug 2017 10:22:09 GMT):
Have you taken a look at the fabric-samples which bring up some simple networks to get you started?

dnzdlklc (Fri, 04 Aug 2017 10:23:45 GMT):
Yes, I thought that too...but what I'm trying to achieve is to start a 2-peer block (2 organisations, 1 node for each) and create some sort of NodeJS app to allow chaincode deployment onto this dev blockchain...rather than manual installation of chaincode via CLI. Looking around, it seems that to allow a NodeJS application to achieve such a task, the application needs to be enrolled as a "user".

dnzdlklc (Fri, 04 Aug 2017 10:24:00 GMT):
BTW thank you for getting back :)

dnzdlklc (Fri, 04 Aug 2017 10:24:23 GMT):
I already got the blockchain network with 2 peers up and running

dnzdlklc (Fri, 04 Aug 2017 10:25:07 GMT):
I can install chaincode and instantiate in a channel and make queries etc...however I'd like to achieve that through some sort of NodeJS REST app if possible at all

mastersingh24 (Fri, 04 Aug 2017 10:26:48 GMT):
@gauthampamu - Have you read though http://hyperledger-fabric.readthedocs.io/en/latest/msp.html ? It describes how to construct / setup MSPs and the crypto material that is required. Fabric CA is provided as an option for managing / generating the crypto material and the fabric-ca-client has an option to store the enrollment material in an MSP compatible folder structure. If you want to use an external CA, that's fine as well but you'll have to structure the crypto material in the MSP folder structure yourself. Fabric CA does not communicate with other 3rd party CAs (https://chat.hyperledger.org/channel/fabric-ca?msg=Z9AxvD6vv85nTHeBe)

mastersingh24 (Fri, 04 Aug 2017 10:31:34 GMT):
@dnzdlklc - You can actually use the same crypto material that the peer CLI uses within your Node app to do the same thing (since install and instantiate actually require an admin identity)

MeenakshiSingh (Fri, 04 Aug 2017 10:32:33 GMT):
Hi, while starting the peers I got the following error:
```
peer1.org1.example.com | 2017-08-04 10:30:50.768 UTC [gossip/discovery] handleAliveMessage -> ERRO 1be Bad configuration detected: Received AliveMessage from a peer with the same PKI-ID as myself:
```

MeenakshiSingh (Fri, 04 Aug 2017 10:33:14 GMT):
I have generated the required certificates and kept in mspconfig folder. My docker-compose contents are as follows:

MeenakshiSingh (Fri, 04 Aug 2017 10:34:24 GMT):
```
peer1.org1.example.com:
  container_name: peer1.org1.example.com
  image: hyperledger/fabric-peer:x86_64-1.0.0
  environment:
    - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
    - CORE_PEER_ID=peer1.org1.example.com
    - CORE_PEER_ADDRESSAUTODETECT=false
    - CORE_PEER_ENDORSER_ENABLED=true
    - CORE_PEER_TLS_ENABLED=false
    - CORE_PEER_GOSSIP_ORGLEADER=false
    - CORE_PEER_GOSSIP_USELEADERELECTION=true
    - CORE_PEER_PROFILE_ENABLED=true
    - CORE_PEER_GOSSIP_EXTERNALENDPOINT=X.X.X.223:7051
    - CORE_LOGGING_PEER=debug
    - CORE_CHAINCODE_LOGGING_LEVEL=DEBUG
    - CORE_PEER_LOCALMSPID=Org1MSP
    - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/peer/
    - CORE_PEER_ADDRESS=X.X.X.223:7051
    # # the following setting starts chaincode containers on the same
    # # bridge network as the peers
    # # https://docs.docker.com/compose/networking/
    - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_basic
    - CORE_LEDGER_STATE_STATEDATABASE=CouchDB
    - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb1:5984
  working_dir: /opt/gopath/src/github.com/hyperledger/fabric
  command: peer node start
  # command: peer node start --peer-chaincodedev=true
  ports:
    - 7051:7051
    - 7053:7053
  volumes:
    #- /var/run/:/host/var/run/
    #- ./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/msp/peer
    - /home/ubuntu/mspconfig:/etc/hyperledger/msp/peer
    #- ./crypto-config/peerOrganizations/org1.example.com/users:/etc/hyperledger/msp/users
    #- ./config:/etc/hyperledger/configtx
  depends_on:
    #- orderer.example.com
    - couchdb1
  networks:
    - basic

peer2.org1.example.com:
  container_name: peer2.org1.example.com
  image: hyperledger/fabric-peer:x86_64-1.0.0
  environment:
    - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
    - CORE_PEER_ID=peer2.org1.example.com
    - CORE_PEER_ADDRESSAUTODETECT=false
    - CORE_PEER_ENDORSER_ENABLED=true
    - CORE_PEER_TLS_ENABLED=false
    - CORE_PEER_GOSSIP_ORGLEADER=false
    - CORE_PEER_GOSSIP_USELEADERELECTION=true
    - CORE_PEER_PROFILE_ENABLED=true
    - CORE_LOGGING_PEER=debug
    - CORE_CHAINCODE_LOGGING_LEVEL=DEBUG
    - CORE_PEER_LOCALMSPID=Org1MSP
    - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/peer/
    - CORE_PEER_ADDRESS=X.X.X.223:8051
    - CORE_PEER_GOSSIP_BOOTSTRAP=X.X.X..223:7051
    # # the following setting starts chaincode containers on the same
    # # bridge network as the peers
    # # https://docs.docker.com/compose/networking/
    - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_basic
    - CORE_LEDGER_STATE_STATEDATABASE=CouchDB
    - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb2:5984
  working_dir: /opt/gopath/src/github.com/hyperledger/fabric
  command: peer node start
  # command: peer node start --peer-chaincodedev=true
  ports:
    - 8051:8051
    - 8053:8053
  volumes:
    #- /var/run/:/host/var/run/
    #- ./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/msp/peer
    - /home/ubuntu/mspconfig:/etc/hyperledger/msp/peer
    #- ./crypto-config/peerOrganizations/org1.example.com/users:/etc/hyperledger/msp/users
    #- ./config:/etc/hyperledger/configtx
  depends_on:
    #- orderer.example.com
    - couchdb2
  networks:
    - basic
```

mastersingh24 (Fri, 04 Aug 2017 11:13:39 GMT):
@MeenakshiSingh - You are using the same MSP crypto material for both peers, as you've mounted the same host path on both peers: `- /home/ubuntu/mspconfig:/etc/hyperledger/msp/peer`. This results in both of the peers using the same MSP and hence the `Received AliveMessage from a peer with the same PKI-ID as myself`.

MeenakshiSingh (Fri, 04 Aug 2017 11:54:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2AehGEQS88e7LLMg6) @mastersingh24 Yes, I have kept the crypto material for both the peers (renaming signcerts as peer1cert.pem and peer2cert.pem) in the mspconfig folder. Does this mean that I have to keep certificates for each peer separately, i.e., have two MSP configurations within the same node? I read somewhere that MSPs can be shared. Also, are signcerts the ECerts?

dnzdlklc (Fri, 04 Aug 2017 12:44:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XfKTudhtgwNi4vTgT) @mastersingh24 can you elaborate on how to go about with this?

randytorres (Fri, 04 Aug 2017 13:22:09 GMT):
Has joined the channel.

mastersingh24 (Fri, 04 Aug 2017 13:53:54 GMT):
You'll want to use separate crypto material (e.g. unique certificates) for each peer and you'll need to use separate MSP folders for each. Technically you can use the same MSP for multiple peers but then they will not be able to communicate via gossip (which is the error you were getting) (https://chat.hyperledger.org/channel/fabric-ca?msg=v5cmYA2pCN3FpWs4z) @MeenakshiSingh

jtclark (Fri, 04 Aug 2017 14:28:36 GMT):
good morning

jtclark (Fri, 04 Aug 2017 14:40:50 GMT):
need some assistance with https://gerrit.hyperledger.org/r/#/c/11687/

jtclark (Fri, 04 Aug 2017 14:41:36 GMT):
I'd like to get this merged today, but I need some help understanding what we can do now that we know the safesql tool looks for main() functions in the go pkgs that it scans for sql injection vulnerabilities

jmcnevin (Fri, 04 Aug 2017 14:45:41 GMT):
Quick question, but is it _recommended_ that a typical network member would have at least one intermediate CA? Are there any benefits to that over having a single, root CA per member?

Vadim (Fri, 04 Aug 2017 14:49:01 GMT):
@jmcnevin for security reasons, you probably don't want your root ca running all the time

jmcnevin (Fri, 04 Aug 2017 15:03:47 GMT):
Just curious, but I notice that the fabric-ca docker image has a ca-cert.pem and ca-key.pem baked in.. are those supposed to be there?

jtclark (Fri, 04 Aug 2017 15:56:13 GMT):
@mastersingh24 :point_up_2_tone1: is this something you can help with?

aambati (Fri, 04 Aug 2017 15:57:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YtzHSA2a6oX83RRZc) @vdods not sure how ecTest.der got in to peer's msp...that file is in https://github.com/hyperledger/fabric-ca/tree/release/testdata ...I will investigate

mastersingh24 (Fri, 04 Aug 2017 16:04:48 GMT):
They were originally built into the fabric-ca container to make it easier to work with the default / sample MSP which ships with the peer. You'll notice that all of our sample configs override them via environment variables ( https://github.com/hyperledger/fabric-samples/blob/release/balance-transfer/artifacts/docker-compose.yaml#L14 ) (https://chat.hyperledger.org/channel/fabric-ca?msg=QuSjDa3e5EpJ7j7Ff) @jmcnevin

mastersingh24 (Fri, 04 Aug 2017 16:05:25 GMT):
But @jmcnevin you might want to file a JIRA and we can remove them in the future

DrissB (Fri, 04 Aug 2017 16:21:37 GMT):
Has joined the channel.

aambati (Fri, 04 Aug 2017 18:43:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HaGBhhNsjPGMHpSqS) @MohammadObaid I don't see any problems in the docker-compose file...The `Chain file does not exist at /etc/hyperledger/fabric-ca-server/ca-chain.pem` is thrown by the getCAChain function (https://github.com/hyperledger/fabric-ca/blob/release/lib/ca.go#L347) if the ca-chain.pem file is not present for intermediate CAs..but your docker-compose file suggests that you are running fabric-ca as a root CA...can you send me the logs of the fabric-ca server?

eacoeytaux (Fri, 04 Aug 2017 19:52:52 GMT):
Has joined the channel.

MeenakshiSingh (Sat, 05 Aug 2017 03:15:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TLLFE3vZSmEQwopka) @mastersingh24 Ok. Got it..Thanks a lot

MeenakshiSingh (Sat, 05 Aug 2017 03:24:34 GMT):
I have a couple of doubts:
1. What exactly does the environment variable `CORE_PEER_GOSSIP_BOOTSTRAP` do? Does it enable gossip only between peers belonging to the same organization, and if so, if there are 4 peers within the same org, does each have to have a comma-separated IP address list of all other peers in `CORE_PEER_GOSSIP_BOOTSTRAP`? A link/reference to documentation with all the env variables for 1.0 with explanation would be helpful.
2. What are anchor peers and what are their roles? Does `CORE_PEER_GOSSIP_ORGLEADER` set the anchor peer?

Selvam_Annamalai (Sat, 05 Aug 2017 04:50:00 GMT):
Has joined the channel.

Selvam_Annamalai (Sat, 05 Aug 2017 04:50:27 GMT):
Hi, I am trying to execute the first-network tutorial. I am getting the below error when I execute the `./byfn.sh -m up` command. Can you tell me how to resolve this issue?
```
Build your first network (BYFN) end-to-end test
Channel name : mychannel
Creating channel...
CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
CORE_PEER_LOCALMSPID=Org1MSP
CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
CORE_PEER_TLS_ENABLED=true
CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
CORE_PEER_ID=cli
CORE_LOGGING_LEVEL=DEBUG
CORE_PEER_ADDRESS=peer0.org1.example.com:7051
2017-08-05 03:27:29.240 UTC [main] main -> ERRO 001 Cannot run peer because error when setting up MSP from directory /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp: err CA Certificate is not valid, (SN: 23928727680478186216358925795005272960) [Could not obtain certification chain, err The supplied identity is not valid, Verify() returned x509: certificate has expired or is not yet valid]
!!!!!!!!!!!!!!! Channel creation failed !!!!!!!!!!!!!!!!
========= ERROR !!! FAILED to execute End-2-End Scenario ===========
```

MeenakshiSingh (Sun, 06 Aug 2017 04:49:36 GMT):
Hi... I am setting up a kafka ordering service on an aws node. How do I use the CA to generate the required crypto materials for orderers (couldn't find anything in the documentation)? My peers are running in different nodes. Do I have to copy their public/private keys to the orderer node? The directory structure here https://github.com/yeasy/docker-compose-files/tree/master/hyperledger/1.0/kafka seems different from the one defined for MSPs. Can anybody please guide me on how to achieve this?

kumar (Sun, 06 Aug 2017 04:52:27 GMT):
Has joined the channel.

kumar (Sun, 06 Aug 2017 04:54:02 GMT):
Hi, is there any sample example which demonstrates fabric-ca with adding new peers to the network/channel and deploy new chaincode. Please share any url if there is one

y204990 (Sun, 06 Aug 2017 16:24:54 GMT):
Has joined the channel.

smithbk (Mon, 07 Aug 2017 13:33:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ba7p9pFrixRcy7G2x) @MeenakshiSingh See the fabric-ca-cryptogen.sh script at https://gerrit.hyperledger.org/r/#/c/10871/ and read the commit comment for how to use it. As far as I can tell, the directory structure under https://github.com/yeasy/docker-compose-files/tree/master/hyperledger/1.0/kafka/crypto-config is the same as (or very similar to) that generated by fabric-ca-cryptogen.sh. What differences do you see?

smithbk (Mon, 07 Aug 2017 14:02:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=S4TPLbPJzHq3Rm5v9) @kumar I assume you mean you want to just add another peer to an existing org. In this case, you simply need to register and enroll a new identity for the peer. The peer identity type can be "peer" of course and does not need any attributes. There is currently no documentation specific to this task since it is the same as for other identities, but if you would like to open a jira item, I'll be glad to add to the doc.

aambati (Mon, 07 Aug 2017 15:17:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LvwKqSo4Tv9W4o5rc) @Selvam_Annamalai Is this reproducible? I mean if you try `byfn.sh -m up` again, are you seeing same error? Which platform are you trying this on?

ShermanHLee (Mon, 07 Aug 2017 17:22:36 GMT):
@smithbk @kumar when trying to register a new peer, have you encountered a problem where this error occurs? `Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort` My understanding is that you need to register first before enrolling?

smithbk (Mon, 07 Aug 2017 17:25:28 GMT):
@ShermanHLee Yes, it is true that you must register before enrolling an identity, but the registration of an identity must be performed by another identity (call it the "registrar identity"). That is what the error message is referring to.

smithbk (Mon, 07 Aug 2017 17:27:34 GMT):
When you start the fabric-ca-server, there must be at least one bootstrap identity which is effectively "pre-registered". You can then enroll as that identity which has the appropriate attributes to allow you to register/enroll other identities. Make sense?

htyagi90 (Mon, 07 Aug 2017 20:56:34 GMT):
I'm following the Fabric-ca getting started tutorial. I've started the server using the docker container

htyagi90 (Mon, 07 Aug 2017 20:56:57 GMT):
but in the container I cannot find any fabric-ca-client configuration file.

htyagi90 (Mon, 07 Aug 2017 20:57:11 GMT):
any suggestions on if I've missed something ?

aambati (Mon, 07 Aug 2017 21:14:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FXMKby2KizBWeBaSW) @htyagi90 There will not be a fabric-ca-client configuration file

mescoba1 (Mon, 07 Aug 2017 21:42:00 GMT):
Has joined the channel.

mavstronaut (Tue, 08 Aug 2017 04:04:13 GMT):
Has joined the channel.

ArigelaSatyanarayana (Tue, 08 Aug 2017 04:10:10 GMT):
Has joined the channel.

DarshanBc (Tue, 08 Aug 2017 08:47:11 GMT):
Has joined the channel.

MeenakshiSingh (Tue, 08 Aug 2017 10:19:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sybGqSySCWKPj93Yw) @smithbk I used the pre-generated certificates for the orderer, for now. However, when I tried to register and enroll the orderer, I got the `admin may not register the type orderer` error. I am unsure whether my approach is correct or not. Can you please clarify the following points:
1. I manually copied the various certificates of the peers to the orderer node and the channel.tx artifact to the peer nodes. So, if a new peer joins the network, does that mean that I have to bring down the network, copy its certificates and then restart?
2. The directory structure at this link https://github.com/yeasy/docker-compose-files/tree/master/hyperledger/1.0/kafka has 2 MSP folders, viz. `crypto-config/peerOrganizations/org1.example.com/msp` and `crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/`. So, can you guide me on what certificates to keep where?
3. Additionally, how do I mention the orderers in the ca-certs generated for the organization?

Selvam_Annamalai (Tue, 08 Aug 2017 10:23:47 GMT):
I want to setup one org with 2 peers in one computer(One IP Address) and another org with 2 peers in another computer(Different IP address). I also want both the orgs to be in the same network. Can you please tell me the steps to be followed and the changes that I have to make in yaml files? Thanks in advance.

smithbk (Tue, 08 Aug 2017 11:00:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FXMKby2KizBWeBaSW) @htyagi90 The client config file is generated automatically when you enroll ... after issuing, for example:
```
fabric-ca-client enroll -u http://username:password@localhost:7054
```

smithbk (Tue, 08 Aug 2017 11:11:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Qbv5Gmin4tMHNzYHK) @MeenakshiSingh When registering a new identity as the bootstrap admin identity, it uses the hf.Registrar.Roles attribute value (see below) to determine the valid identity types.
```
registry:
  # Maximum number of times a password/secret can be reused for enrollment
  # (default: -1, which means there is no limit)
  maxenrollments: -1

  # Contains identity information which is used when LDAP is disabled
  identities:
    - name: admin
      pass: adminpw
      type: client
      affiliation: ""
      maxenrollments: -1
      attrs:
        hf.Registrar.Roles: "client,user,peer,validator,auditor"
        hf.Registrar.DelegateRoles: "client,user,validator,auditor"
        hf.Revoker: true
        hf.IntermediateCA: true
```
We really should have 'orderer' listed there by default, but since the type of the identity is not used by fabric today, it really does not matter what type you use. You can specify any of those values, so just use "peer" instead of "orderer" for now.

smithbk (Tue, 08 Aug 2017 11:11:46 GMT):
To clarify the other points:

smithbk (Tue, 08 Aug 2017 11:12:24 GMT):
1) When a new peer joins the network, you do not need to restart any other processes

smithbk (Tue, 08 Aug 2017 11:23:15 GMT):
2) The 1st msp directory at `crypto-config/peerOrganizations/org1.example.com/msp` contains the public key material for the org1.example.com CA. And the msp directory at `config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/` contains the public and private key material for peer 0 of org1.

smithbk (Tue, 08 Aug 2017 11:26:57 GMT):
3) The orderers' CA key material is under the ordererOrganizations directory, and configtxgen uses that to put it into the appropriate place of the genesis block.

htyagi90 (Tue, 08 Aug 2017 12:26:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QDXf2NAKCTyxGaLgk) @smithbk I've a network of 4 peers in 2 organisations already setup on my machine, I wanted to enroll them to the fabric-ca server.

htyagi90 (Tue, 08 Aug 2017 12:27:24 GMT):
What should I provide as username and password field, coz apparently they are docker containers.

smithbk (Tue, 08 Aug 2017 12:47:24 GMT):
@htyagi90 You need to register an identity and provide the username and password that will be used on the enroll command.

smithbk (Tue, 08 Aug 2017 12:48:11 GMT):
You can see how to register and enroll in the user's guide info

pd93 (Tue, 08 Aug 2017 13:10:10 GMT):
Getting `unsupported certificate purpose` back from the CA. Anyone know what causes this?

smithbk (Tue, 08 Aug 2017 13:11:49 GMT):
When does this occur? Can you give the context? How to reproduce?

pd93 (Tue, 08 Aug 2017 13:15:09 GMT):
@smithbk Hey, I'm using the node sdk and the e2e network

pd93 (Tue, 08 Aug 2017 13:15:22 GMT):
I'm trying to enroll an admin user with `ca_client.enroll`

smithbk (Tue, 08 Aug 2017 13:17:35 GMT):
@pd93 Could you start the fabric-ca-server with "-d" option (if not already) and then paste the server logs for handling this request

smithbk (Tue, 08 Aug 2017 13:19:43 GMT):
Is it possible that you started the fabric-ca-server with a signing certificate which does not have the CA bit set?

pd93 (Tue, 08 Aug 2017 13:20:14 GMT):
I assume you mean in the docker-compose. The `-d` option is already there and there is nothing in my CA logs :/ Which makes me think it's a connection issue maybe?

pd93 (Tue, 08 Aug 2017 13:20:29 GMT):
by "the CA bit" do you mean the long hash ... _sk thing?

smithbk (Tue, 08 Aug 2017 13:21:15 GMT):
oh, so maybe the error is not coming from the server at all, if you aren't seeing anything in the logs. You should probably ask on the fabric-sdk-node channel

pd93 (Tue, 08 Aug 2017 13:21:40 GMT):
Hmm okay. Will do. Thanks

htyagi90 (Tue, 08 Aug 2017 13:44:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7W2CYd8dQN3KPKP2T) @smithbk I've been following that. But there it says that the client configuration file must exist in the client home. And I can't see any. Do I have to create one by myself?

htyagi90 (Tue, 08 Aug 2017 13:51:52 GMT):
somehow, the client configuration file is not being created

smithbk (Tue, 08 Aug 2017 13:53:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zqr3EbHGfAbcSud9D) @htyagi90 The client config must already exist for all commands except for the enroll command. You can think of "enroll" as "login" which creates the config file and certificate to be used to issue other commands for a specific identity. If this isn't clear and you give me more info on what you are trying to accomplish, I'll try to help.

htyagi90 (Tue, 08 Aug 2017 13:57:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=du3XqAETDW4tZNK2Y) @smithbk I have a ca-server running on a docker instance on my local machine. I can exec into the bash of the same, and the 'fabric-ca-server' and 'fabric-ca-client' commands can run from the container.

htyagi90 (Tue, 08 Aug 2017 13:57:53 GMT):
now I've two questions:
1. How to enroll other peer container (on same local machine) to this CA server.
2. From where do I run my client cli commands. From inside the ca server?

smithbk (Tue, 08 Aug 2017 13:58:47 GMT):
1) To enroll other peer, you must perform 3 steps as follows:

smithbk (Tue, 08 Aug 2017 13:59:28 GMT):
a) enroll the bootstrap admin identity that was used to start the server ... likely admin:adminpw by default

smithbk (Tue, 08 Aug 2017 14:00:18 GMT):
```
FABRIC_CA_CLIENT_HOME=`pwd`/admin fabric-ca-client enroll -u http://admin:adminpw@host:7054
```

smithbk (Tue, 08 Aug 2017 14:00:47 GMT):
b) register a peer identity as the bootstrap identity

smithbk (Tue, 08 Aug 2017 14:01:25 GMT):
```
FABRIC_CA_CLIENT_HOME=`pwd`/admin fabric-ca-client register --id.name peer1 --id.type peer --id.affiliation org1
```

smithbk (Tue, 08 Aug 2017 14:01:28 GMT):
for example

smithbk (Tue, 08 Aug 2017 14:01:46 GMT):
c) enroll the peer identity using a different home directory

smithbk (Tue, 08 Aug 2017 14:02:38 GMT):
```
FABRIC_CA_CLIENT_HOME=`pwd`/peer1 fabric-ca-client enroll -u http://peer1:password-from-b@host:7054
```

smithbk (Tue, 08 Aug 2017 14:03:50 GMT):
2) You can run the client commands from inside the container or from outside. It depends on where you want the home directory for the admin and peer1 to be

htyagi90 (Tue, 08 Aug 2017 15:15:10 GMT):
So, I cloned the fabric-ca repo again, and ran the make command from inside the repo. I got the following error:

mescoba1 (Tue, 08 Aug 2017 16:10:39 GMT):
When building a network, where are the CA ports declared (i.e. the CA url / endpoint)?

smithbk (Tue, 08 Aug 2017 17:05:40 GMT):
You mean when starting the server? The "-p" option

mescoba1 (Tue, 08 Aug 2017 17:23:35 GMT):
Is a CA server needed when creating an instance of fabric? @smithbk

smithbk (Tue, 08 Aug 2017 17:26:08 GMT):
x509 certificates are required to run fabric, and fabric-ca is one way of creating those certificates

smithbk (Tue, 08 Aug 2017 17:26:19 GMT):
it is not the only way

mescoba1 (Tue, 08 Aug 2017 17:32:45 GMT):
Oh okay, I am currently using a composer script to get a network running

mescoba1 (Tue, 08 Aug 2017 17:33:57 GMT):
At what step would you use the fabric-ca to get your certificates? When creating the genesis block? Starting the network? Or Creating a channel?

smithbk (Tue, 08 Aug 2017 17:36:29 GMT):
before all of those ... the 1st step is to create crypto material for the various identities which must communicate, so it is the very first step. If you look at the network_setup.sh script in the fabric/examples/e2e_cli example, it creates the crypto-config directory first with all of the certificates. It is this step.

mescoba1 (Tue, 08 Aug 2017 18:02:30 GMT):
It uses cryptogen when generatingCerts from network_setup.sh

mescoba1 (Tue, 08 Aug 2017 18:03:38 GMT):
The CA appears to be in the docker-compose-e2e.yaml file

mescoba1 (Tue, 08 Aug 2017 18:03:48 GMT):
```COMPOSE_FILE=docker-compose-cli.yaml COMPOSE_FILE_COUCH=docker-compose-couch.yaml #COMPOSE_FILE=docker-compose-e2e.yaml```

mescoba1 (Tue, 08 Aug 2017 18:04:10 GMT):
But in the network script it looks commented out

smithbk (Tue, 08 Aug 2017 18:34:53 GMT):
Yes, you can use cryptogen to generate certs, and it is the preferred method if you are just trying to get things working quickly. However, if you were trying to do this in the real world so that no one person or piece of software has access to all of the private keys for all organizations, then you would use fabric-ca.

smithbk (Tue, 08 Aug 2017 18:37:57 GMT):
No matter which method is used, once the certificates are generated, you do not need to communicate with a CA from that point forward in order to use those certificates to transact on the blockchain.

mescoba1 (Tue, 08 Aug 2017 18:45:50 GMT):
I am trying to create users dynamically for clients with the node sdk

mescoba1 (Tue, 08 Aug 2017 18:46:19 GMT):
Each user needs its own certs and keys

mescoba1 (Tue, 08 Aug 2017 18:48:02 GMT):
My previous networks I played around with relied on cryptogen

smithbk (Tue, 08 Aug 2017 19:15:04 GMT):
ok, then you'll need to use fabric-ca. Now that we know that, what issue are you hitting?

gauthampamu (Tue, 08 Aug 2017 20:29:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ttQ6S2HRt6vSZkNBe) @aambati Can you explain why you need to copy the private key (from the `$HOME/fabric-ca/clients/user1/msp/keystore` directory) into the keystore of the peer's msp? I thought you just need to enroll the id for the peer and it will copy that key to the keystore, but I just want to understand why you will need the private key of the user. Similarly, if you have multiple application ids, do we have to copy the private key of all the application ids to the keystore file on the peer?

mescoba1 (Tue, 08 Aug 2017 20:31:04 GMT):
At this point, I'm trying to spawn a fabric-ca server in a docker container and use the port to interface with SDK. I found example code that does that with `docker-compose.yaml` file, it lists a ca as a service

mescoba1 (Tue, 08 Aug 2017 20:31:27 GMT):
Going to see if I can use that to build my network

mescoba1 (Tue, 08 Aug 2017 20:31:39 GMT):
And try to interface with sdk

jtclark (Tue, 08 Aug 2017 21:24:59 GMT):
@smithbk, @rennman - made some comments on https://jira.hyperledger.org/browse/FAB-1446. Need some guidance on what you think the next move is.

smithbk (Tue, 08 Aug 2017 21:47:29 GMT):
@jtclark I just responded in jira

dongqi (Wed, 09 Aug 2017 03:14:12 GMT):
I changed 'example.com' to 'xitest.com'; when I start the orderer, I get this error: The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority

dongqi (Wed, 09 Aug 2017 03:14:21 GMT):

Message Attachments

dongqi (Wed, 09 Aug 2017 03:15:24 GMT):
How can I solve it?

mescoba1 (Wed, 09 Aug 2017 03:53:54 GMT):

Message Attachments

mescoba1 (Wed, 09 Aug 2017 03:54:17 GMT):
I'm getting this error when trying to connect to the corresponding port. Any ideas?

smithbk (Wed, 09 Aug 2017 03:57:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=whhHqZ4WE7hCfDwWQ) @mescoba1 Looks like the CA server does not have TLS enabled but you're trying to connect over https rather than http

smithbk (Wed, 09 Aug 2017 04:05:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XxKTrj8mcqPFnCYim) @dongqi Not sure where you changed to 'xitest.com' but my guess is that you didn't change the name in all of the appropriate places (e.g. configtx yaml file) or didn't regen crypto material, genesis block, etc

dongqi (Wed, 09 Aug 2017 04:14:57 GMT):
@smithbk thank you, I solved it just now. I just redid it, but I still don't know where I was wrong; maybe I forgot to change the name in the configuration files.

MeenakshiSingh (Wed, 09 Aug 2017 06:01:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HBQHJSSEwPqhQ8JGg) @smithbk Ok.. so if a new peer joins the network, we can place its certificates at the orderer and it will be able to recognize it without a restart? The configtxgen tool generates the channel.tx artifact, which still needs to be copied to the peers, right? Also, how are the peers made aware of the orderer node?

DarshanBc (Wed, 09 Aug 2017 09:02:45 GMT):
Hi, while installing chaincode I am getting this error:
```
2017-08-09 08:56:24.495 UTC [msp/identity] Sign -> DEBU 00d Sign: plaintext: 0A8A070A5C08031A0C08B89CABCC0510...077FFE2F0000FFFFB684B535002E0000
2017-08-09 08:56:24.495 UTC [msp/identity] Sign -> DEBU 00e Sign: digest: 3209C6DDB1AEF8C14154ABA6FF7B0449E9716AC0BC11E28F8A12A430E7E2F159
2017-08-09 08:56:24.497 UTC [chaincodeCmd] install -> DEBU 00f Installed remotely response:
2017-08-09 08:56:24.497 UTC [main] main -> INFO 010 Exiting.....
2017-08-09 08:56:24.609 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing local MSP
2017-08-09 08:56:24.609 UTC [msp] GetDefaultSigningIdentity -> DEBU 002 Obtaining default signing identity
2017-08-09 08:56:24.609 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 003 Using default escc
2017-08-09 08:56:24.609 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 004 Using default vscc
2017-08-09 08:56:24.610 UTC [msp/identity] Sign -> DEBU 005 Sign: plaintext: 0A95070A6708031A0C08B89CABCC0510...324D53500A04657363630A0476736363
2017-08-09 08:56:24.610 UTC [msp/identity] Sign -> DEBU 006 Sign: digest: 0C9810D77E2FC4EE3B0E1917FD94CDB2D453BA76C7E758282C7FAD45F34E7C8F
2017-08-09 08:56:38.294 UTC [msp/identity] Sign -> DEBU 007 Sign: plaintext: 0A95070A6708031A0C08B89CABCC0510...053A78FC7316ED5C63D48A1B58C3068B
2017-08-09 08:56:38.294 UTC [msp/identity] Sign -> DEBU 008 Sign: digest: 2EDA73AEB2D7FF7167301154CEB7B83A7FA0248F047E01703D6DB64494EA4CC8
2017-08-09 08:56:38.296 UTC [main] main -> INFO 009 Exiting.....
2017-08-09 08:56:48.382 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing local MSP
2017-08-09 08:56:48.382 UTC [msp] GetDefaultSigningIdentity -> DEBU 002 Obtaining default signing identity
2017-08-09 08:56:48.382 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 003 Using default escc
2017-08-09 08:56:48.382 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 004 Using default vscc
2017-08-09 08:56:48.383 UTC [msp/identity] Sign -> DEBU 005 Sign: plaintext: 0A97070A6908031A0C08D09CABCC0510...1A0E0A0A696E69744C65646765720A00
2017-08-09 08:56:48.383 UTC [msp/identity] Sign -> DEBU 006 Sign: digest: 733A4D71FED33B153CF8B0335BF79B2B8E5B31B383D389CC6A8E1A5FF74DA0C7
Error: Error endorsing invoke: rpc error: code = Unknown desc = Error executing chaincode: Failed to execute transaction (Timeout expired while executing transaction) -
```

henryhs (Wed, 09 Aug 2017 09:06:00 GMT):
Has joined the channel.

MeenakshiSingh (Wed, 09 Aug 2017 12:09:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pWXbvbGbDAeo6Kyua) @smithbk Ok..Thanks for the detailed explanation. I have a few more doubts however. So the fabric-ca used to register the orderer role, needs a user to be admin. What should be the id.affiliation for the user here considering the orderer will provide service to all the organizations.

aambati (Wed, 09 Aug 2017 12:40:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=J7L9wWmKdDXNHQCoE) @gauthampamu When you enroll the peer identity using fabric-ca-client, you can run it with -M option to point to the peer's MSP dir...then fabric-ca-client will put the peer's cert and private key in the signcerts, keystore folder of the peer's msp respectively. And for user certs, the only ones that would go into peer's msp are the admin certs, afaik. So, you enroll a user that would be a peer admin, copy the user cert to the admincerts folder of the peer's msp and private key to the peer's msp. Private key of the admin will be used to sign payload of any transactions (like, update chaincode) submitted by the admin. I don't think application certs and keys would need to be in peer msp.

smithbk (Wed, 09 Aug 2017 13:25:21 GMT):
@gauthampamu @aambati You should not copy a private key. Only user1's certificate is copied to the admincerts directory of the peer.

BhavishaDawda (Wed, 09 Aug 2017 13:53:11 GMT):
Has joined the channel.

smithbk (Wed, 09 Aug 2017 15:14:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7fjihW3c4LPaNe4uG) @MeenakshiSingh See https://jira.hyperledger.org/browse/FAB-5679

jtclark (Wed, 09 Aug 2017 16:01:20 GMT):
@smithbk hi there. saw your response. while I agree that we should resolve the issues, the 'skipping' part is what I have to wrap my head around, since safesql doesn't have a skip param, AFAIK

smithbk (Wed, 09 Aug 2017 16:32:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BvJKAyp4WWDKwK9KH) @jtclark I was thinking of writing a script (or grep with appropriate patterns) to filter out the output from safesql that you want to ignore/skip. There would be no changes to safesql.

jtclark (Wed, 09 Aug 2017 16:41:21 GMT):
@smithbk I could perhaps try something like this

jtclark (Wed, 09 Aug 2017 16:41:22 GMT):
thx

jtclark (Wed, 09 Aug 2017 16:42:05 GMT):
@smithbk perhaps it's a good idea to add the issue to the stripe/safesql repo

jtclark (Wed, 09 Aug 2017 16:42:33 GMT):
issue meaning feature request to allow for a "skip" option

smithbk (Wed, 09 Aug 2017 16:43:21 GMT):
yes, that would certainly be easier if they supported

mescoba1 (Wed, 09 Aug 2017 17:18:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=B8Kd3Hmux2NELtz4v) @smithbk Changing to http fixed the error, thank you!

RezwanKabir (Wed, 09 Aug 2017 19:41:25 GMT):
Can anyone provide me the `fabric-ca-server-config.yaml` for balance transfer project ? I wanted to override my yaml for fabric-ca-client CLI commands

smithbk (Wed, 09 Aug 2017 19:46:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wTtoYrSWo99Z7jcsY) @RezwanKabir I'm not aware of one and don't know who is working on that project

vdods (Wed, 09 Aug 2017 19:53:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JM2Fh9SZitgFWjCMY) @mastersingh24 @aambati I eventually found these files that were baked into the docker image. I'd recommend taking them out, as well as the default config. For all hyperledger/fabric-* images (peer, orderer, ca). This will force people to face the configuration explicitly, as well as provide their own cert/key material. Otherwise some percentage of people will not do this, and there will be a security hole where an adversary has the CA cert/key

C0rWin (Wed, 09 Aug 2017 20:03:05 GMT):
Has joined the channel.

mescoba1 (Wed, 09 Aug 2017 23:59:27 GMT):

Message Attachments

MeenakshiSingh (Thu, 10 Aug 2017 02:43:07 GMT):
@smithbk Ok.. so if a new peer joins the network, we can place its certificates at the orderer and it will be able to recognize it without a restart? The configtxgen tool generates the channel.tx artifact, which still needs to be copied to the peers, right? Also, how are the peers made aware of the orderer node?

sampath06 (Thu, 10 Aug 2017 08:35:30 GMT):
Building fabric-ca on mac, I am getting the following error:

sampath06 (Thu, 10 Aug 2017 08:37:07 GMT):
Error processing tar file(bzip2 data invalid: bad magic value in continuation file): make: *** [build/image/fabric-ca/.dummy-x86_64-1.0.1-snapshot-a21585d] Error 1

sampath06 (Thu, 10 Aug 2017 08:37:24 GMT):
Any clues on what the problem could be?

sampath06 (Thu, 10 Aug 2017 08:48:48 GMT):
Found the solution here.. https://stackoverflow.com/questions/41465720/error-building-peer-bzip2-data-invalid-in-goshim-tar-bz2

sampath06 (Thu, 10 Aug 2017 09:15:21 GMT):
I was looking at fabric-ca-cryptogen.sh. In that, each organization starts its own root CA. For the peers and orderers to talk to each other, don't we need a common root CA?

Selvam_Annamalai (Thu, 10 Aug 2017 10:03:46 GMT):
I have modified the first network:
• Generated certificates and channel artifacts in the first machine with configtx and crypto-config yaml files (which contain both the org details, the 4 nodes & one Orderer) by running the command ./byfn.sh -m generate
• Updated docker-compose-cli, docker-compose-couch, docker-compose-e2e-template and docker-compose-base yaml files to contain first org, 2 peer nodes and 1 Orderer.
• Started the network (First Org with 2 nodes and Orderer) in the first machine by running the command ./byfn.sh -m up
• Copied the generated certificates and the channel artifacts into the second machine
• Updated docker-compose-cli, docker-compose-couch, docker-compose-e2e-template and docker-compose-base yaml files to contain second org, 2 peer nodes and without Orderer.
• Did not call CreateChannel function in script.sh file. Commented out.
• Started the network (Second Org with 2 nodes without Orderer) in the second machine by running the command ./byfn.sh -m up
• Got the exception "Error: genesis block file not found open mychannel.block: no such file or directory" during Channel Join Operation.
Can you please tell me how to resolve this issue?

DarshanBc (Thu, 10 Aug 2017 10:04:38 GMT):
Hi, how do I give access to a particular user over a particular channel?

smithbk (Thu, 10 Aug 2017 11:40:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yHDHFETccNrTR9TLp) @mescoba1 Probably stating the obvious, but that means that the client certificate being used was not issued by one of the cacerts of the MSP associated with the MSP ID of that identity. The "Authority Key Identifier" in the client certificate must match the "Subject Key Identifier" of the issuer. You can see both of those fields by printing the cert with openssl.

smithbk (Thu, 10 Aug 2017 11:44:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uGuKmkYCrWnjXmaFx) @sampath06 No, in fact the power of this model is that there is no single trusted root and therefore no SPoT (Single Point of Trust). Each channel has multiple MSPs associated with it and policies which control the number of signatures and from which orgs are acceptable to do things like make a configuration change.

smithbk (Thu, 10 Aug 2017 12:08:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fYkFNQmri4QuYDBwe) @Selvam_Annamalai Looks like you didn't copy the genesis block file (mychannel.block) over to the 2nd machine. That said, I don't see how this will work since the hostname of the 2nd machine would not be in the genesis block. I'm sure some folks in system test have done this or something similar and may have a process down that would be helpful. @bmos299 Barry, could you help?

bmos299 (Thu, 10 Aug 2017 12:08:35 GMT):
Has joined the channel.

ancythomas (Thu, 10 Aug 2017 12:53:18 GMT):
Hi, can someone please tell me if an external JSON config file can be accessed from a chaincode program? If yes, how? I have already tried using os.Open() and io/ioutil.ReadFile(), but both are getting the error that no such file exists.

Vadim (Thu, 10 Aug 2017 13:04:13 GMT):
@ancythomas which SDK do you use? E.g. node-sdk removes everything which is not *.go, so your file will not be included into the chaincode package. I also think that it would be more handy to pass that JSON into the Init function and save it in the chaincode state.

gauthampamu (Thu, 10 Aug 2017 13:29:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2sPjWurF28JzjacAZ) @smithbk Thanks for correcting.

gauthampamu (Thu, 10 Aug 2017 13:33:37 GMT):
I am having problem enrolling admin user using fabric-ca-client with TLS. I copied the certfile.pem of the CA to the FABRIC_CA_CLIENT_HOME folder and also specified the TLS configuration in the client.yaml file.

gauthampamu (Thu, 10 Aug 2017 13:33:39 GMT):
```
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
Gauthams-MBP-2:admin gauthampamu$ fabric-ca-client enroll -u https://admin:adminpw@localhost:7054
2017/08/10 08:31:36 [INFO] User provided config file: /Users/gauthampamu/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2017/08/10 08:31:36 [INFO] generating key: &{A:ecdsa S:256}
2017/08/10 08:31:36 [INFO] encoded CSR
2017/08/10 08:31:36 [INFO] TLS Enabled
Error: POST failure [Post https://localhost:7054/enroll: x509: certificate is valid for ca.org1.example.com, not localhost]; not sending
POST https://localhost:7054/enroll
Authorization: Basic YWRtaW46YWRtaW5wdw==
{"hosts":["Gauthams-MBP-2"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBQzCB6wIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsldWLTGPou/e3Nl1\nkMbIgKhq464iulx0EAOYrzHyLMb4Pz8o8Cnx/9S5VgkDKTOQYoz8L6q1JAdZJ/de\np0VqEKAsMCoGCSqGSIb3DQEJDjEdMBswGQYDVR0RBBIwEIIOR2F1dGhhbXMtTUJQ\nLTIwCgYIKoZIzj0EAwIDRwAwRAIgfr5j/c8HbPVrt3V7tir64EJPdX+MA3NDXesK\ngD2XQgkCICc1/eb5S7AGwN+cOo8g0XSWuowTDjEmRYonb3xJ2HJu\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","CAName":""}
```

gauthampamu (Thu, 10 Aug 2017 13:34:30 GMT):
```
# URL of the Fabric-ca-server (default: http://localhost:7054)
url: https://localhost:7054

tls:
  enabled: true
  # TLS section for secure socket connection
  certfiles:
    - certfile.pem
  client:
    certfile:
    keyfile:
```

Vadim (Thu, 10 Aug 2017 13:35:14 GMT):
@ancythomas the client fails to validate the server, because the server is expected to be available at ca.org1.example.com (as its cert suggests), but you access it over localhost

gauthampamu (Thu, 10 Aug 2017 13:38:15 GMT):
I am using the balance-transfer sample and it already has the certificates that are generated, so how should I connect from my Mac? The same configuration is working when you enroll from the Nodejs REST application. If you look in the networkconfig.json file of balance transfer, it connects using localhost.

gauthampamu (Thu, 10 Aug 2017 13:38:16 GMT):
```
{
  "network-config": {
    "orderer": {
      "url": "grpcs://localhost:7050",
      "server-hostname": "orderer.example.com",
      "tls_cacerts": "../artifacts/channel/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt"
    },
    "org1": {
      "name": "peerOrg1",
      "mspid": "Org1MSP",
      "ca": "https://localhost:7054",
      "peer1": {
```

gauthampamu (Thu, 10 Aug 2017 13:38:33 GMT):
So why is it not working when you use the fabric-ca-client tool?

Vadim (Thu, 10 Aug 2017 13:39:41 GMT):
@gauthampamu you should use ca.org1.example.com as a connection address, or disable TLS or generate a certificate for localhost

Vadim (Thu, 10 Aug 2017 13:40:21 GMT):
perhaps it is possible to disable certificate check at the client, but I don't know for sure

gauthampamu (Thu, 10 Aug 2017 13:42:31 GMT):
I have already disabled TLS and it is working without TLS but I wanted to get it working with TLS. Right now I am using the configuration that comes with the fabric sample. In the actual project, I will generate the certificates and when I generate them I will generate them using the VM hostname instead of the container name.

gauthampamu (Thu, 10 Aug 2017 13:43:16 GMT):
It would be helpful to find out how to disable certificate check at the client for the fabric-ca-client tool because the same configuration is working for the Nodejs application.

Vadim (Thu, 10 Aug 2017 13:43:33 GMT):
because nodejs uses ssl-hostname-override

Vadim (Thu, 10 Aug 2017 13:44:02 GMT):
you probably need to run fabric-ca-client from within the docker network, i.e. it should be in the container

Vadim (Thu, 10 Aug 2017 13:44:11 GMT):
never used it really, so don't know

smithbk (Thu, 10 Aug 2017 13:48:33 GMT):
ssl-hostname-override is only for development and shouldn't be used in a real scenario because it would be a security issue

smithbk (Thu, 10 Aug 2017 13:49:42 GMT):
It is possible to create a cert with both the real hostname and localhost so that either is accepted and I can show how to do this, though there seem to be mixed opinions on whether this is good or not from a security perspective

smithbk (Thu, 10 Aug 2017 13:50:15 GMT):
But the simplest thing if possible is to use the real hostname

gauthampamu (Thu, 10 Aug 2017 13:50:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hXPMtBZw89shxJZRy) @smithbk I will definitely generate the certificates in the real network setup with the real hostname but we should have ability to try the fabric sample with TLS.

smithbk (Thu, 10 Aug 2017 13:52:52 GMT):
@gauthampamu So you are using fabric-ca-cryptogen.sh? Is this correct?

gauthampamu (Thu, 10 Aug 2017 13:53:49 GMT):
In the case of balance-transfer sample in fabric-samples, it is already generated..it is not generating them when you run the application.

smithbk (Thu, 10 Aug 2017 13:55:07 GMT):
If you used the default cryptogen to generate crypto-config, then you will not be able to use fabric-ca-client (or server)

smithbk (Thu, 10 Aug 2017 14:00:31 GMT):
@gauthampamu Have you seen https://jira.hyperledger.org/browse/FAB-5310? This shows how to run the fabric/examples/e2e_cli using fabric-ca

smithbk (Thu, 10 Aug 2017 14:00:31 GMT):
@gauthampamu Have you seen https://gerrit.hyperledger.org/r/#/c/10871/? This shows how to run the fabric/examples/e2e_cli using fabric-ca

torresjeff (Thu, 10 Aug 2017 14:39:57 GMT):
Has joined the channel.

eetti (Thu, 10 Aug 2017 14:54:04 GMT):
Has joined the channel.

sampath06 (Thu, 10 Aug 2017 15:37:16 GMT):
I generated the certificates using fabric-ca-cryptogen.sh. Then when I try to start the orderer, I am getting an error |>orderer.myorg.com | 2017-08-10 15:35:07.368 UTC [orderer/main] initializeLocalMsp -> CRIT 016 Failed to initialize local MSP: The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority

sampath06 (Thu, 10 Aug 2017 15:37:29 GMT):
Any ideas?

htyagi90 (Thu, 10 Aug 2017 15:47:35 GMT):
I'm running the getting started steps for fabric-ca-server. I'm trying to enroll admin for a Org using fabric-ca-client tool, but get the following error

htyagi90 (Thu, 10 Aug 2017 15:47:45 GMT):
```
himanshus-mbp:bin himanshutyagi$ ./fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --tls.client.keyfile /Users/himanshutyagi/.fabric-ca-client/msp/keystore/110b96876d26422aa8d4001a85c9e8a5674503b7dd48c6637bc584306800896c_sk
2017/08/10 11:46:23 [INFO] User provided config file: /Users/himanshutyagi/.fabric-ca-client/fabric-ca-client-config.yaml
2017/08/10 11:46:23 [INFO] generating key: &{A:ecdsa S:256}
2017/08/10 11:46:23 [INFO] encoded CSR
2017/08/10 11:46:23 [INFO] TLS Enabled
Error: Failed to get client TLS config: No TLS certificate files were provided
```

smithbk (Thu, 10 Aug 2017 15:50:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ztkTxn59MrTxwgsfc) @sampath06 Did you generate the genesis block / transaction after running fabric-ca-cryptogen.sh? And is this for fabric/examples/e2e_cli?

smithbk (Thu, 10 Aug 2017 15:51:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SGBRBtmMA8TZPusyZ) @htyagi90 You need "--tls.certfiles" rather than "--tls.client.keyfile"

eetti (Thu, 10 Aug 2017 15:51:16 GMT):
@smithbk Please which branch can I find the fabric-ca-cryptogen.sh script? Thanks

smithbk (Thu, 10 Aug 2017 15:52:34 GMT):
https://gerrit.hyperledger.org/r/#/c/10871/ ... see the commit comments ... it is not yet merged. You can follow the status of https://jira.hyperledger.org/browse/FAB-5310 for that

eetti (Thu, 10 Aug 2017 15:57:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kBnmWP9Dz26szMKLt) @smithbk Thanks

htyagi90 (Thu, 10 Aug 2017 16:09:22 GMT):
When we enroll with the CA server, two certificates are generated in the .fabric-ca-client msp directory as follows:
`.fabric-ca-client/msp/signcerts/` - client cert
`.fabric-ca-client/msp/cacerts/` - root cert

htyagi90 (Thu, 10 Aug 2017 16:09:27 GMT):
what is the difference between the two

mastersingh24 (Thu, 10 Aug 2017 17:08:31 GMT):
`cacerts` contains the public certificate of the CA (e.g. the root certificate used to sign the certificate issued to the client who enrolled); `signcerts` actually contains the issued / signed certificate

berserkr (Thu, 10 Aug 2017 18:02:42 GMT):
Is there a good example showing how to use the fabric-ca to generate certificates for the msps, integrate them, launch the containers, then at the same time, being able to generate certs for clients, and use them to transact? So far I've been able to get everything to work with static certs/certs generated through cryptogen, but once the fabric-ca is involved we are all running into issues left and right :)

smithbk (Thu, 10 Aug 2017 18:37:21 GMT):
@berserkr Have you looked at the fabric-ca-cryptogen.sh script at https://gerrit.hyperledger.org/r/#/c/10871 ?

smithbk (Thu, 10 Aug 2017 18:39:02 GMT):
It shows how fabric-ca is used for the fabric/examples/e2e_cli

rennman (Thu, 10 Aug 2017 18:40:16 GMT):
I was working on it some last week when I got tapped to do this other bccsp work ... right, I had a branch that I was trying to get working ... however, along the way the person with whom I was working who was the AMEX contact was able to get it to work

rennman (Thu, 10 Aug 2017 18:41:12 GMT):
I think I have some code that was working for me, but I'll have to go back and try it again

rennman (Thu, 10 Aug 2017 18:42:13 GMT):
btw, if you have a few minutes, I'd like to run the latest results by you before the 3pm scrum

Vrai1127 (Thu, 10 Aug 2017 18:49:40 GMT):
Has joined the channel.

Vrai1127 (Thu, 10 Aug 2017 18:53:22 GMT):
Could someone help list down pros/cons of using Cryptogen tool versus Fabric CA for production network? Even if Fabric CA is preferred, would it be a good choice to start with Cryptogen for first production release (time to market) and later move to FABRIC CA. But what would be the implications of doing so i.e. changes to be done once decision is done to move from Cryptogen to FabricCA

htyagi90 (Thu, 10 Aug 2017 19:05:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZfRuaHPhj5mM3GSHe) @smithbk the link doesn't work. Also, I had a question, in the e2e_cli example, it is said that the `docker-compose-e2e` provides an example for end-to-end implementation of a network with ca server, and peers. But in the compose file, the ca server `ca-cert.pem` and the key are already created. My question is, given a already running network of peers, how to embed ca server and enroll these peers ?

Vrai1127 (Thu, 10 Aug 2017 19:45:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gpn798juSgd4QXhDj) @Vrai1127 @smithbk if you could please help with my questions

smithbk (Thu, 10 Aug 2017 19:47:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gpn798juSgd4QXhDj) @Vrai1127 cryptogen was never intended for production use because all of the private keys could be copied by whoever runs the tool. It was always intended for development. In terms of transitioning from cryptogen to fabric CA, you would need to enroll each identity at some later time with fabric CA; in other words, it is not possible to have cryptogen generate a certificate and then use that certificate to talk to fabric CA.

smithbk (Thu, 10 Aug 2017 19:48:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=H7foD6YrFZX6kP3DP) @htyagi90 This link works for me https://gerrit.hyperledger.org/r/#/c/10871/ ... not for you?

smithbk (Thu, 10 Aug 2017 19:50:12 GMT):
Given an already running network of peers, as mentioned above, you would need to enroll the peers with the CA server, stop and restart the peer with the new certificate from fabric CA.

torresjeff (Thu, 10 Aug 2017 19:56:42 GMT):
Hi, I was just reading about Fabric CA at http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html and it says that one of the features that the Fabric CA offers is: `issuance of Transaction Certificates (TCerts), providing both anonymity and unlinkability when transacting on a Hyperledger Fabric blockchain`

torresjeff (Thu, 10 Aug 2017 19:57:03 GMT):
but doesn't this defeat the purpose of HLF? aren't we supposed to know who does what in the network? unlike bitcoin for example, where it is completely anonymous

torresjeff (Thu, 10 Aug 2017 19:57:10 GMT):
@here can someone help me understand this better? Thanks!

smithbk (Thu, 10 Aug 2017 20:02:35 GMT):
1st as an aside, even though fabric CA supports issuance of TCerts, the client SDK code to make those tcerts usable for transactions is not done, so we should probably remove this statement about TCerts to avoid confusion. That said, tcerts would still be usable to make sure someone is authorized to transact because you know that the tcert was issued by a CA that is trusted, but you just don't know anything else.

torresjeff (Thu, 10 Aug 2017 20:13:08 GMT):
so, what's the point of providing anonymity? Does this mean that we can't know who invoked certain transaction in the blockchain?

torresjeff (Thu, 10 Aug 2017 20:15:22 GMT):
what if as an auditor, I want to know what company A did in the blockchain? I would be unable to do it because of anonymity?

smithbk (Thu, 10 Aug 2017 20:15:27 GMT):
It would be possible to allow the chaincode to know the identity (through an attribute for example with a separate key) but then not write that identity to the ledger for others to see.

smithbk (Thu, 10 Aug 2017 20:18:27 GMT):
Auditors could be given a key to see the identity ... I'm speaking of what is future, not currently implemented

smithbk (Thu, 10 Aug 2017 20:19:33 GMT):
Today, we are only using ECerts which has the identity in the clear

torresjeff (Thu, 10 Aug 2017 20:20:19 GMT):
alright, thanks!

smithbk (Thu, 10 Aug 2017 20:20:27 GMT):
np

eetti (Thu, 10 Aug 2017 21:13:56 GMT):
What would be the most suitable curve (prime256v1, secp384r1, secp521r1) to use when creating ECDSA keys for a PROD environment

gauthampamu (Thu, 10 Aug 2017 21:30:00 GMT):
@smithbk What is the recommended value for key and what is the security/performance implication with using 256v1. Is secp521r1 more secure than 256v1 ?

smithbk (Thu, 10 Aug 2017 21:44:27 GMT):
Considerations are security, compatibility, and performance. I think all of the ones you've listed are secure but will leave it to the cryptographers to say definitively. Elli @elli-androulaki, can you comment? I would stay with our default prime256v1. For example, see the following at https://security.stackexchange.com/questions/78621/which-elliptic-curve-should-i-use: ```"Interoperability" means that you would probably prefer it if SSL clients can actually connect to your server; otherwise, having a SSL server would be rather pointless. This simplifies the question a lot: in practice, average clients only support two curves, the ones which are designated in so-called NSA Suite B: these are NIST curves P-256 and P-384 (in OpenSSL, they are designated as, respectively, "prime256v1" and "secp384r1"). If you use any other curve, then some widespread Web browsers (e.g. Internet Explorer, Firefox...) will be unable to talk to your server. Use P-256 to minimize trouble. If you feel that your manhood is threatened by using a 256-bit curve where a 384-bit curve is available, then use P-384: it will increase your computational and network costs (a factor of about 3 for CPU, a few extra dozen bytes on the network) but this is likely to be negligible in practice (in a SSL-powered Web server, the heavy cost is in "Web", not "SSL").```

mescoba1 (Thu, 10 Aug 2017 22:46:09 GMT):
Is _fabric-ca-cryptogen.sh_ meant to consume a file?

mescoba1 (Thu, 10 Aug 2017 22:46:36 GMT):
I'm not sure where or how the root and intermediate ports are chosen

mescoba1 (Thu, 10 Aug 2017 22:48:09 GMT):
Or the order in which the scripts are run, _fabric-ca-cryptogen.sh_ then network-setup.sh (minus the generateArtifacts.sh)?

aambati (Fri, 11 Aug 2017 02:34:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Ai7gR8v569pZXbzsu) @mescoba1 I don't think it consumes a file. The topology is hardcoded in the script in the ORGS variable

aambati (Fri, 11 Aug 2017 02:34:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Ai7gR8v569pZXbzsu) @mescoba1 I don't think it consumes a file. The topology is hardcoded in the script in the ORGS variable

mescoba1 (Fri, 11 Aug 2017 03:49:34 GMT):
Would the docker-compose.yml file have to reflect the topology as well? @aambati

sampath06 (Fri, 11 Aug 2017 04:34:07 GMT):
I was trying out the docker-compose-e2e setup. I setup the private keys and started and all the instances started up. Now, I am trying to bring up the cli to create channels and proceed. The command I run is ```root@ff61c6eff471:/opt/gopath/src/github.com/hyperledger/fabric/peer# export CHANNEL_NAME=mychannel root@ff61c6eff471:/opt/gopath/src/github.com/hyperledger/fabric/peer# peer channel create -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls $CORE_PEER_TLS_ENABLED --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem ```

sampath06 (Fri, 11 Aug 2017 04:34:55 GMT):
But I am getting an error ``` orderer.example.com | 2017-08-11 04:30:04.824 UTC [cauthdsl] func2 -> ERRO 1bf Principal deserialization failure (The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority) for identity 0a074f7267314d53501290062d2d2d2d2d424547494e202d2d2d2d2d0a4d4949434a544343416379674177494241674952414e677a4b714b78447455524d44704645716d722f753077436759494b6f5a497a6a304541774977667a454c0a4d416b474131554542684d4356564d78457a415242674e5642416754436b4e6862476c6d62334a7561574578466a415542674e564241635444564e68626942470a636d467559326c7a593238784754415842674e5642416f54454739795a7a45755a586868625842735a53356a623230784b44416d42674e5642414d5448324e680a4c573131636d3131636d4630615739754c6d39795a7a45755a586868625842735a53356a623230774868634e4d5463774e7a49334d5459314e7a4d315768634e0a4d6a63774e7a49314d5459314e7a4d31576a42624d517377435159445651514745774a56557a45544d4245474131554543424d4b5132467361575a76636d35700a595445574d4251474131554542784d4e5532467549455a795957356a61584e6a627a45664d4230474131554541777757515752746157354162334a6e4d53356c0a654746746347786c4c6d4e766254425a4d424d4742797147534d34394167454743437147534d34394177454841304941424a756862616f6f7864434e76474a6d0a374f57567466662b6e58777a71563051375463537234354a505a5447596c556b576232556c435670556536775938542f2f7a436236525258434d564a507738770a5649764f42576d6a5454424c4d41344741315564447745422f775145417749486744414d42674e5648524d4241663845416a41414d437347413155644977516b0a4d434b41494f5931766b5a67714d5056514a796257767238496e667366685875486e424a6777585a71425465453554474d416f4743437147534d343942414d430a413063414d455143494559624842694a36517731647a5a37447763646d66506b3332635636364d334d74346b6c4b39514b675444416941347265637a6237746a0a56323543795272496751686c784a5a416248694a735a4755752b4c364b32455961673d3d0a2d2d2d2d2d454e44202d2d2d2d2d0a orderer.example.com | 2017-08-11 04:30:04.824 UTC [cauthdsl] func2 -> DEBU 1c0 0xc42010e590 principal evaluation fails orderer.example.com | 
2017-08-11 04:30:04.826 UTC [cauthdsl] func1 -> DEBU 1c1 0xc42010e590 gate 1502425804824210657 evaluation fails orderer.example.com | 2017-08-11 04:30:04.826 UTC [orderer/common/broadcast] Handle -> WARN 1c2 Rejecting CONFIG_UPDATE because: Error authorizing update: Error validating DeltaSet: Policy for [Groups] /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining ``` How do I setup the CLI instance correctly?

sampath06 (Fri, 11 Aug 2017 05:10:36 GMT):
I tried connecting to the peer and running the channel create command.. Even that failed with authentication error ```peer channel create -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls $CORE_PEER_TLS_ENABLED --cafile /etc/hyperledger/fabric/msp/tlscacerts/tlsca.org1.example.com-cert.pem 2017-08-11 04:49:01.452 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing local MSP 2017-08-11 04:49:01.452 UTC [msp] GetDefaultSigningIdentity -> DEBU 002 Obtaining default signing identity 2017-08-11 04:49:01.458 UTC [grpc] Printf -> DEBU 003 Failed to dial orderer.example.com:7050: connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority"; please retry. Error: Error connecting due to rpc error: code = Internal desc = connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority" ```

DarshanBc (Fri, 11 Aug 2017 09:40:50 GMT):
I am working on the fabric example; the server was started with this command ``` command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/CA1_PRIVATE_KEY -b admin:adminpw -d ``` I am trying to register a user with this command ```fabric-ca-client register --id.name user0 --id.type user --id.affiliation org1.example.com --id.attrs 'hf.Revoke=true' ``` I am getting this error `Failed getting affiliation 'org1.example.com': sql: no rows in result set`

DarshanBc (Fri, 11 Aug 2017 09:40:50 GMT):
I am working on the fabric example; the server was started with this command ``` command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/CA1_PRIVATE_KEY -b admin:adminpw -d ``` I am trying to register a user with this command ```fabric-ca-client register --id.name user0 --id.type user --id.affiliation org1.example.com --id.attrs 'hf.Revoke=true' ``` I am getting this error `Failed getting affiliation 'org1.example.com': sql: no rows in result set`

DarshanBc (Fri, 11 Aug 2017 09:40:50 GMT):
I am working on the fabric example; the server was started with this command ``` command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/CA1_PRIVATE_KEY -b admin:adminpw -d ``` I am trying to register a user with this command `fabric-ca-client register --id.name user0 --id.type user --id.affiliation org1.example.com --id.attrs 'hf.Revoke=true' ` I am getting this error `Failed getting affiliation 'org1.example.com': sql: no rows in result set`

sampath06 (Fri, 11 Aug 2017 10:15:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MasPv7mYvpoFFC2v2) @sampath06 I loaded up the correct file and am now getting the following error ``` (The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com")) ``` Any clues on what is going wrong here?

DarshanBc (Fri, 11 Aug 2017 10:22:05 GMT):
I registered a user and generated a password now is there a way to change it

rwadhwa (Fri, 11 Aug 2017 11:01:58 GMT):
Has joined the channel.

DarshanBc (Fri, 11 Aug 2017 11:14:35 GMT):
How to enroll a user for a particular channel

smithbk (Fri, 11 Aug 2017 13:05:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cCDJcWXB4PrkLgbdk) @aambati The fabric-ca-cryptogen.sh script was originally intended to work with only fabric/examples/e2e_cli and to function as a visible example of what fabric-ca-server and fabric-ca-client commands to use in order to set up a network. The ORGS variable at the top of the script would also allow you to change the topology easily, though not with the same degree of control as provided by crypto-config.yaml. Now we are looking to take it to the next step and provide a solution which will also read crypto-config.yaml, though we're still evaluating the best way to accomplish this. You can monitor the status of https://jira.hyperledger.org/browse/FAB-5310 and feel free to add comments there as well

smithbk (Fri, 11 Aug 2017 13:05:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cCDJcWXB4PrkLgbdk) @mescoba1 The fabric-ca-cryptogen.sh script was originally intended to work with only fabric/examples/e2e_cli and to function as a visible example of what fabric-ca-server and fabric-ca-client commands to use in order to set up a network. The ORGS variable at the top of the script would also allow you to change the topology easily, though not with the same degree of control as provided by crypto-config.yaml. Now we are looking to take it to the next step and provide a solution which will also read crypto-config.yaml, though we're still evaluating the best way to accomplish this. You can monitor the status of https://jira.hyperledger.org/browse/FAB-5310 and feel free to add comments there as well

smithbk (Fri, 11 Aug 2017 13:05:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cCDJcWXB4PrkLgbdk) @mescoba1 The fabric-ca-cryptogen.sh script was originally intended to work with only fabric/examples/e2e_cli and to function as a visible example of what fabric-ca-server and fabric-ca-client commands to use in order to set up a network. The ORGS variable at the top of the script would also allow you to change the topology easily, though not with the same degree of control as provided by crypto-config.yaml. Now we are looking to take it to the next step and provide a solution which will also read crypto-config.yaml, though we're still evaluating the best way to accomplish this. You can monitor the status of https://jira.hyperledger.org/browse/FAB-5310 and feel free to add comments there as well

smithbk (Fri, 11 Aug 2017 13:07:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gtGhaedDFg6xqWDra) @mescoba1 Yes, it would reflect the topology

smithbk (Fri, 11 Aug 2017 13:15:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wniuFaSL75zzwjuan) @DarshanBc Try with an affiliation of "org1", or "org1.department1". It must be one of the affiliations that are listed in the "affiliation" section of the fabric-ca-server-config.yaml file. See the "Affiliation" section of this doc for a description of affiliations: https://docs.google.com/document/d/1x7bbSkLt3VLexNMECJXbOYJ3xX8Ck9Q6O6W1dmnVaRQ/edit#heading=h.clxlfzdu60es

smithbk (Fri, 11 Aug 2017 13:24:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5C2Y5XgutHdsEspZ3) @DarshanBc Users are not directly registered with a channel. Each channel has multiple MSPs. An MSP typically contains the root CA certificate in its msp/cacerts directory. So if a CA associated with one of the channel's MSPs issues a certificate to a user, that user can perform non-admin type transactions on that channel. There are admin type actions such as installing chaincode on a channel which would require that the user's certificate be stored in the msp/admincerts directory of the peer. See https://jira.hyperledger.org/browse/FAB-3752 for ongoing work to make it easier to grant admin access without having to update the MSP.

gauthampamu (Fri, 11 Aug 2017 13:25:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bJJ6zSYvMEj3TLsDn) @smithbk Thanks

smithbk (Fri, 11 Aug 2017 13:27:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=43KyjLHBPSznQEyp6) @DarshanBc We don't support modifying a password currently, but you can make a password a "one time password" by setting max_enrollments to 1. This means you exchange your username and password for a certificate and from that point forward, you use the private key associated with the issued certificate to authenticate yourself. You can also use "fabric-ca-client reenroll" which authenticates using your private key and generates a new certificate.

smithbk (Fri, 11 Aug 2017 13:27:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=43KyjLHBPSznQEyp6) @DarshanBc We don't support modifying a password currently, but you can make a password a "one time password" by setting max_enrollments to 1. This means you exchange your username and password for a certificate and from that point forward, you use the private key associated with the issued certificate to authenticate yourself. You can also use "fabric-ca-client reenroll" which authenticates using your private key and generates a new certificate ... and of course a new private key also.

sampath06 (Fri, 11 Aug 2017 13:46:33 GMT):
Does anyone have some documentation of running the e2e docker script. I am not able to configure using the CA

DarshanBc (Fri, 11 Aug 2017 13:51:17 GMT):
How to get a certificate for the user from Channel msp

DarshanBc (Fri, 11 Aug 2017 13:51:17 GMT):
How to get a certificate for the user from CA associated with Channel msp

DarshanBc (Fri, 11 Aug 2017 13:51:17 GMT):
How to get a certificate for the user from CA associated with Channel MSP

jmcnevin (Fri, 11 Aug 2017 15:09:19 GMT):
Starting fabric-ca-server with the `--config` parameter seems to set the CA home directory to the same directory as the config file, even though I've set the FABRIC_CA_SERVER_HOME env... is that proper behavior?

jmcnevin (Fri, 11 Aug 2017 15:25:02 GMT):
Also, question about the docs here: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enabling-tls : This seems to imply that we should be using the CA server's root cert for TLS communication, but is that really recommended?

Vadim (Fri, 11 Aug 2017 16:12:15 GMT):
@jmcnevin not exactly, it means that the server cert is expected to be signed by this root cert

smithbk (Fri, 11 Aug 2017 17:13:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uFkCBPDHMKgLRAbdh) @jmcnevin Yes, that is correct. We currently assume the config file will always be in the home directory, and in fact, we are trying to get away from that option altogether as it has caused problems. See https://jira.hyperledger.org/browse/FAB-2840

sampath06 (Sat, 12 Aug 2017 04:55:48 GMT):
I brought up a network using the byfn script and the docker-compose-e2e.yaml file. Now I am trying to bring up another organisation/peers on a different server. I changed the config files to create an Org3 organisation and copied the mychannel.block from the original server. The instances came up and the peer join command seems to work. But, I am getting the following error on the orderer ``` Principal deserialization failure (MSP Org3MSP is unknown) ``` So how do I setup the orderer to recognise the new peers? Do I need to copy over some files on to the orderer for it to recognise peers from Org3?

DarshanBc (Sat, 12 Aug 2017 07:29:28 GMT):
how to add the user's certificate to the channel config block

DarshanBc (Sat, 12 Aug 2017 07:29:28 GMT):
@here how to add the user's certificate(which I get after enrolling a user) to the channel config block so that I authorize my user to transact over that channel

yoyokeen (Sat, 12 Aug 2017 08:14:01 GMT):
Has joined the channel.

DarshanBc (Sat, 12 Aug 2017 09:44:42 GMT):
What do you mean by max enrollment 1

silverkrypt (Sat, 12 Aug 2017 14:19:02 GMT):
Has joined the channel.

silverkrypt (Sat, 12 Aug 2017 14:22:06 GMT):
What is the enroll method supported by the fabric-ca? Can I point the SDK to an external EST server?

acosta_rodrigo (Sat, 12 Aug 2017 17:03:29 GMT):
Has joined the channel.

sampath06 (Sat, 12 Aug 2017 19:35:42 GMT):
I was trying out the balance-transfer samples. It works perfectly as it is. But when I tried regenerating the crypto files using cryptogen, the add channel command started failing. I did change the KEYS in the docker-compose.yaml file to use the private keys from crypto-config/peerOrganizations/org1.example.com/ca. What else should I change for this to work? The error from the orderer logs ``` 2017-08-12 19:34:10.598 UTC [cauthdsl] func2 -> ERRO 1b4 Principal deserialization failure (The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com")) for identity 0a074f72 ```

ydk210999 (Sun, 13 Aug 2017 07:22:52 GMT):
Has joined the channel.

mastersingh24 (Sun, 13 Aug 2017 08:26:37 GMT):
@sampath06 - if you change the crypto material, you will also need to regenerate the orderer / channel config as well

mastersingh24 (Sun, 13 Aug 2017 08:27:00 GMT):
(basically you'll need to run configtxgen again)

sampath06 (Sun, 13 Aug 2017 09:56:42 GMT):
@mastersingh24 I did run configtxgen also.. Even that didn't help

jworthington (Sun, 13 Aug 2017 12:37:24 GMT):
trying to set up ca server. using postgres on a different server. init -b claims to have completed successfully, but does not create tables or insert admin, aff, and certs. Connects to db fine. tried creating db and tables manually, no luck. dropped tables, no luck, dropped db, says no db. How to get init -b to create and insert admin? Works fine if I use local sqlite, but not remote postgres.

smithbk (Sun, 13 Aug 2017 15:35:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wBAgDcZYZTJDzDrKs) @jworthington I suggest starting the server with "-d" (if not already) and looking carefully to see if there were any warnings or errors when trying to communicate with the postgres server. You may also want to look at fabric-ca/scripts/fvt/fabric-ca_setup.sh to see if you see any differences between how you are initializing postgres and how the test cases do so. If that doesn't reveal anything, pls open a jira item with logs and details on how to reproduce and will be glad to help. Attention Saad @skarim

jworthington (Sun, 13 Aug 2017 15:37:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CBipi9ENyjLkqMzoT) @smithbk thx. will do.

wy (Sun, 13 Aug 2017 15:39:11 GMT):
Has joined the channel.

smithbk (Sun, 13 Aug 2017 15:40:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ijp2D85WnTq2mMgGh) @DarshanBc See the "maxenrollments" settings in fabric-ca-server-config.yaml. This is a way of limiting the number of times that the user password (AKA "enrollment secret") can be used to get an enrollment certificate. By default, there is no limit by setting to -1. You can set it for the entire CA or on a per-user basis. The effective max value used is the minimum of the register.maxenrollments setting (the per CA one) and the per-user/identity one

smithbk (Sun, 13 Aug 2017 15:48:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WcHWuG59v2AmzpABQ) @DarshanBc By default, an ACL policy grants access to ".Member", which means any user with a certificate issued by the CA corresponding to the org will have access. If the policy is ".Admin", then the user's specific certificate must be in the appropriate msp/admincerts directory.

smithbk (Sun, 13 Aug 2017 15:56:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NRPr7Am36Xo7q2gXN) @silverkrypt You would either use fabric-ca or EST, not both. No, you can't point the SDK to an external EST server, but you can use any protocol you want from an SDK to get a certificate and then use that certificate via the SDK APIs to transact on the blockchain. This assumes that the EST server's root CA cert is trusted for the channel.

DarshanBc (Mon, 14 Aug 2017 04:35:15 GMT):
In Balance transfer example when a user is registered and enrolled via API call a token is returned; what exactly is it?

DarshanBc (Mon, 14 Aug 2017 04:35:15 GMT):
In Balance transfer example when a user is registered and enrolled via REST API call a token is returned; what exactly is it?

sampath06 (Mon, 14 Aug 2017 04:53:54 GMT):
@DarshanBc It is used by the node app for authorizing the users. You can check the testApi.sh script to see how it is being used

silverkrypt (Mon, 14 Aug 2017 05:06:42 GMT):
What is the affiliation path in the register request? what does it signify?

DarshanBc (Mon, 14 Aug 2017 05:10:00 GMT):
@sampath06 yes, that I got to know, but what exactly is it, a public key or what? Because when I registered and enrolled a user using the CLI I did not get any token like that

silverkrypt (Mon, 14 Aug 2017 06:28:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QP6jm3cABJqqaXWyY) @smithbk Got it. Thanks!

silverkrypt (Mon, 14 Aug 2017 06:42:02 GMT):
When I revoke somebody using the /revoke method the crl is updated

silverkrypt (Mon, 14 Aug 2017 06:42:02 GMT):
When I revoke somebody using the /revoke method the crl is updated. Does this need to be manually configured in each node's MSP?

silverkrypt (Mon, 14 Aug 2017 06:42:02 GMT):
When I revoke somebody using the /revoke method the crl is updated. Does this crl need to be manually put in each node's MSP?

C0rWin (Mon, 14 Aug 2017 07:19:23 GMT):
Has left the channel.

sampath06 (Mon, 14 Aug 2017 07:27:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mdG4xiKdpHCPnptLC) @DarshanBc This is not related to hyperchain but is the bearer token used by the node app. Have a look at https://www.npmjs.com/package/express-bearer-token

DarshanBc (Mon, 14 Aug 2017 07:42:21 GMT):
@sampath06 Thank you I got It

DarshanBc (Mon, 14 Aug 2017 09:11:26 GMT):
I am very new to the field of crypto. Can anybody explain, or post some link describing, what crypto artifacts (certs and keys) are generated and stored in the crypto-config directory with respect to the basic network example?

smithbk (Mon, 14 Aug 2017 18:45:20 GMT):
First, here is a description of the MSP sub-directories:

smithbk (Mon, 14 Aug 2017 18:45:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fFeH9Qzb8kN3dbixa) @DarshanBc To further describe what is under the crypto-config directory structure, there are two types of MSP directories: those with a private key (in the keystore directory) and those without. Those with a private key correspond to the private credentials of a particular identity used to digitally sign on behalf of that identity. For example, crypto-config/ordererOrganizations/example.com/users/Admin@example.com/msp is the private directory for the orderer's administrator. Those without a private key represent the public crypto material needed in order to validate an identity. For example, ./crypto-config/peerOrganizations/org1.example.com/msp contains all you need in order to validate that something was signed by a member of the org1 organization.

smithbk (Mon, 14 Aug 2017 18:45:40 GMT):
1) admincerts are the certificates of admin identities

smithbk (Mon, 14 Aug 2017 18:46:27 GMT):
2) cacerts contains the root certificate(s) of one or more CAs

smithbk (Mon, 14 Aug 2017 18:46:58 GMT):
3) keystore contains the private keys associated with certificates in signcerts

smithbk (Mon, 14 Aug 2017 18:47:36 GMT):
4) signcerts contains the certificate(s) associated with an identity that can digitally sign

smithbk (Mon, 14 Aug 2017 18:48:26 GMT):
5) tlscacerts contains the TLS certificate(s) which an identity will trust when connecting over TLS/SSL

smithbk (Mon, 14 Aug 2017 18:48:58 GMT):
6) intermediatecacerts - optional directory containing the intermediate CA certificates

smithbk (Mon, 14 Aug 2017 18:49:27 GMT):
7) intermediatetlscacerts - optional directory containing the intermediate TLS certificates

berserkr (Mon, 14 Aug 2017 18:50:24 GMT):
@smithbk To get it working with the sdk, and the fabric-ca-server we need to get new certs from the ca right, then use the client to generate certs for all msps in the network?

berserkr (Mon, 14 Aug 2017 18:50:46 GMT):
basically, replacing all certs in the network with certs generated by the fabric-ca-client?

berserkr (Mon, 14 Aug 2017 18:51:10 GMT):
this is done while the network is running, then we will need to restart the network

berserkr (Mon, 14 Aug 2017 18:51:21 GMT):
is this right right way of going about it?

smithbk (Mon, 14 Aug 2017 18:53:30 GMT):
@berserkr To use the fabric-ca-server, it is easiest to use it to generate the crypto material from the beginning, prior to running configtxgen

berserkr (Mon, 14 Aug 2017 18:54:04 GMT):
mmm, ok, so generate the crypto material, then place the certs in the msp sub directories?

smithbk (Mon, 14 Aug 2017 18:55:48 GMT):
You can use the fabric-ca-cryptogen.sh which generates the crypto-config directory for you as expected for fabric/examples/e2e_cli. See https://gerrit.hyperledger.org/r/#/c/10871/

smithbk (Mon, 14 Aug 2017 18:55:48 GMT):
You can use the fabric-ca-cryptogen.sh script which generates the crypto-config directory for you as expected for fabric/examples/e2e_cli. See https://gerrit.hyperledger.org/r/#/c/10871/

smithbk (Mon, 14 Aug 2017 18:57:59 GMT):
I encourage you to look at what the fabric-ca-cryptogen.sh script does. It is intended to show you how to use the fabric ca commands in a real world scenario

berserkr (Mon, 14 Aug 2017 19:04:36 GMT):
yeah that is what i was planning on doing

berserkr (Mon, 14 Aug 2017 19:04:38 GMT):
thank you!

torresjeff (Mon, 14 Aug 2017 21:35:19 GMT):
@smithbk difference between MSP and CA?

smithbk (Mon, 14 Aug 2017 22:13:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dMbnuELTPgBe2koLt) @torresjeff MSP is what the fabric uses to answer questions like: "Is this transaction signed by someone I should allow to transact on this channel?" or "Is this signed by someone I should allow to install chaincode?", etc. A CA is something that issues certificates.

smithbk (Mon, 14 Aug 2017 22:13:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dMbnuELTPgBe2koLt) @torresjeff MSP is what the fabric uses to answer questions like: "Is this transaction signed by someone I should allow to transact on this channel?" or "Is this signed by someone I should allow to install chaincode?", etc. A CA is something that manages certificates (issues, renews, revokes).

torresjeff (Mon, 14 Aug 2017 23:13:45 GMT):
@smithbk thanks!

qsmen (Tue, 15 Aug 2017 02:37:06 GMT):
Has joined the channel.

qsmen (Tue, 15 Aug 2017 05:21:40 GMT):
Hi, how does a peer, say A, verify the certificate of another peer, say B? If the two peers are in the same org, it is easy, just read the local CA to verify. If they are not in the same org, how to? Know the name of the CA from B's signature and then get the CA of B's org from the genesis block? Thank you.

DarshanBc (Tue, 15 Aug 2017 06:52:59 GMT):
@smithbk Thanks and Thanks a lot

smithbk (Tue, 15 Aug 2017 07:01:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kBRRWCDHNCQ6BWG3p) @qsmen Yes, from the genesis block, or more accurately, from the most recent config block. The genesis block is the 1st config block of a channel's ledger, but as operations such as "add org", "remove org", or "renew org's CA cert" occur, a config update would write a new config block to the ledger.

qsmen (Tue, 15 Aug 2017 07:11:57 GMT):
@smithbk , Thanks. I see. Would you kindly tell me the corresponding source code?

qsmen (Tue, 15 Aug 2017 07:13:00 GMT):
@smithbk , Thanks. I see. would you kindly tell me the corresponding source code?

qsmen (Tue, 15 Aug 2017 07:14:22 GMT):
in fabric project

qsmen (Tue, 15 Aug 2017 07:35:18 GMT):
VSCC

qsmen (Tue, 15 Aug 2017 07:35:32 GMT):
VSCC?

smithbk (Tue, 15 Aug 2017 13:12:27 GMT):
VSCC is for validating prior to commit. The low level call to validate is at fabric/msp/mspimpl.go, the Validate function. You can see where that is called from. Or starting higher up, you could for example look at fabric/core/common/validation/msgvalidation.go to see how messages are validated and eventually call MSP's Validate function.

Jonny (Tue, 15 Aug 2017 14:10:17 GMT):
Has joined the channel.

eetti (Tue, 15 Aug 2017 18:33:07 GMT):
If the user certs are created _externally_ without using fabric-ca or cryptogen is there a need for MSP ? And if not, how do I configure it to work without an MSP. Thanks

eetti (Tue, 15 Aug 2017 18:33:07 GMT):
If the user certs are created _externally_ without using fabric-ca or cryptogen is there a need for MSP ? And if not, how do I configure it to work without an MSP. Thanks

smithbk (Tue, 15 Aug 2017 18:45:25 GMT):
MSP is always used. It is the API that fabric uses to check membership. If you create certs externally, then the thing that differs is that you must manually initialize MSP.

smithbk (Tue, 15 Aug 2017 18:45:25 GMT):
MSP is always used. It is the API that fabric uses to check membership and make access control decisions. If you create certs externally, then the thing that differs is that you must manually initialize MSP.

eetti (Tue, 15 Aug 2017 18:49:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GXs45cF6WLTbAWnjD) @smithbk Thank you. So in that case I have to create my msp folder and include all the subfolders {admincerts,cacerts,keystore,signcerts} and copy the certs into that folder?

smithbk (Tue, 15 Aug 2017 18:55:58 GMT):
correct

vdods (Tue, 15 Aug 2017 19:27:24 GMT):
Hi all, when I'm connecting via grpcs to an orderer, peer, etc, which cert do I need to provide to TLS? In particular, can I provide the root CA cert which presumably has a cert chain down to the server's TLS cert? I'm using fabric-ca-cryptogen.sh

smithbk (Tue, 15 Aug 2017 19:29:19 GMT):
yes, you can ... in fact that is preferable because by using the root CA cert, if the server's TLS cert is renewed due to expiration, you don't have to change the client

vdods (Tue, 15 Aug 2017 19:45:12 GMT):
Awesome, that's what I was hoping

berserkr (Tue, 15 Aug 2017 21:11:56 GMT):
@smithbk thank you for your help! the fabric-ca is now working :) Now one question, if the network is down and we do ./network_start.sh up, will it generate new certs?

Vrai1127 (Tue, 15 Aug 2017 21:16:52 GMT):
@berserkr it will be great if you could list down broader steps on getting fabric-ca working. Also any key issues faced

berserkr (Tue, 15 Aug 2017 21:20:32 GMT):
``` fabric @ FAB-5652 Prepare fabric for 1.0.2 release, fabric-ca @ FAB-5653 Prepare fabric-ca for v1.0.2 release ```

berserkr (Tue, 15 Aug 2017 21:20:45 GMT):
Those are the levels I am using

berserkr (Tue, 15 Aug 2017 21:22:03 GMT):
then, build the fabric (make clean; make release; make docker), then download and apply patches from https://gerrit.hyperledger.org/r/#/c/10871/ - make sure to set env var, then run `./network_setup.sh restart`

berserkr (Tue, 15 Aug 2017 21:22:41 GMT):
with that you will have an e2e network using the fabric-ca instead of cryptogen, you can now use the fabric-ca client to enroll new users

Eman0 (Wed, 16 Aug 2017 00:08:35 GMT):
Has joined the channel.

zhuxubin01 (Wed, 16 Aug 2017 02:23:04 GMT):
Has joined the channel.

leminhy89 (Wed, 16 Aug 2017 03:43:55 GMT):
Has joined the channel.

DarshanBc (Wed, 16 Aug 2017 04:50:27 GMT):
What is so special about this user `admin:adminpw` because I see in helper.js of balance transfer he is directly enrolled not registered and this user's object is used to register other users(yes, as per the documentation only enrolled user can register new user ). There must be something because this user starts the CA server

DarshanBc (Wed, 16 Aug 2017 06:43:29 GMT):
can anybody explain when to use fabricCAclient and fabricCAService Class in node sdk

spipes (Wed, 16 Aug 2017 08:22:17 GMT):
Has joined the channel.

zws (Wed, 16 Aug 2017 09:09:31 GMT):
Has joined the channel.

qsmen (Wed, 16 Aug 2017 09:11:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BRPprCYEM6PSfJKAv) @smithbk Thank you very much. In msgvalidation.go, there is
```
func checkSignatureFromCreator(creatorBytes []byte, sig []byte, msg []byte, ChainID string) error {
	// obtain the MSP object from the chainID; it should contain the CA, key point to analyse
	mspObj := mspmgmt.GetIdentityDeserializer(ChainID)
	// get the identity of the creator
	creator, err := mspObj.DeserializeIdentity(creatorBytes)
	if err != nil {
		return err
	}
	// ensure that creator is a valid certificate
	if err = creator.Validate(); err != nil {
		return err
	}
	// validate the signature
	if err = creator.Verify(msg, sig); err != nil {
		return err
	}
	return nil
}
```

qsmen (Wed, 16 Aug 2017 09:16:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BRPprCYEM6PSfJKAv) @smithbk Thank you. One more question:
```
func checkSignatureFromCreator(creatorBytes []byte, sig []byte, msg []byte, ChainID string) error {
	mspObj := mspmgmt.GetIdentityDeserializer(ChainID)
	creator, err := mspObj.DeserializeIdentity(creatorBytes)
	err = creator.Validate()
}
```

qsmen (Wed, 16 Aug 2017 09:17:53 GMT):
for mspObj := mspmgmt.GetIdentityDeserializer(ChainID), from ChainID, we get the genesis block? and from the block we get the root cert or CA and put it in mspObj?

qsmen (Wed, 16 Aug 2017 09:18:51 GMT):
for err = creator.Validate(), do we use CA to validate the certificate?

qsmen (Wed, 16 Aug 2017 09:23:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BRPprCYEM6PSfJKAv) @smithbk Thank you very much. One more question: in
```
func checkSignatureFromCreator(creatorBytes []byte, sig []byte, msg []byte, ChainID string) error {
	mspObj := mspmgmt.GetIdentityDeserializer(ChainID)
	creator, err := mspObj.DeserializeIdentity(creatorBytes)
	err = creator.Validate()
}
```
for the `mspObj := mspmgmt.GetIdentityDeserializer(ChainID)`, from ChainID, we get the genesis block? And from the block we get the root cert or CA and put it in mspObj? For `err = creator.Validate()`, we use the CA to validate the certificate?

qsmen (Wed, 16 Aug 2017 09:27:45 GMT):
What does VSCC validate? I think mspimpl.go aims to implement the MSP, while msgvalidation first gets the genesis block from the chainID, gets the CA, validates the sign cert with the CA and uses the sign cert to verify the signature. Am I right?

qsmen (Wed, 16 Aug 2017 09:44:10 GMT):
in transaction flow, it is said "The transactions within the block are validated to ensure endorsement policy is fulfilled and to ensure that there have been no changes to ledger state for read set variables since the read set was generated by the transaction execution". So the vscc should check endorsement policy and ledger state. To check endorsement policy, should we need the CA to validate the endorser's sign cert?

Subramanyam (Wed, 16 Aug 2017 10:28:55 GMT):
Has joined the channel.

sklump (Wed, 16 Aug 2017 11:54:25 GMT):
Just a quick line to note that release 1.0.1 of the hyperledger components breaks the first-network samples. The initial docker error is that there is no 'latest' tag; explicitly specifying :x86_64-1.0.1 on all images and running byfn.sh:
```
Creating peer0.org1.example.com
Creating orderer.example.com
Creating peer1.org2.example.com
Creating peer0.org2.example.com
Creating peer1.org1.example.com
Creating cli
Build your first network (BYFN) end-to-end test
Channel name : mychannel
Creating channel...
CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
CORE_PEER_LOCALMSPID=Org1MSP
CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
CORE_PEER_TLS_ENABLED=true
CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
CORE_PEER_ID=cli
CORE_LOGGING_LEVEL=DEBUG
CORE_PEER_ADDRESS=peer0.org1.example.com:7051
2017-08-16 11:28:45.317 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing local MSP
2017-08-16 11:28:45.317 UTC [msp] GetDefaultSigningIdentity -> DEBU 002 Obtaining default signing identity
2017-08-16 11:28:45.320 UTC [channelCmd] InitCmdFactory -> INFO 003 Endorser and orderer connections initialized
2017-08-16 11:28:45.321 UTC [msp] GetLocalMSP -> DEBU 004 Returning existing local MSP
2017-08-16 11:28:45.321 UTC [msp] GetDefaultSigningIdentity -> DEBU 005 Obtaining default signing identity
2017-08-16 11:28:45.321 UTC [msp] GetLocalMSP -> DEBU 006 Returning existing local MSP
2017-08-16 11:28:45.321 UTC [msp] GetDefaultSigningIdentity -> DEBU 007 Obtaining default signing identity
2017-08-16 11:28:45.321 UTC [msp/identity] Sign -> DEBU 008 Sign: plaintext: 0A88060A074F7267314D535012FC052D...53616D706C65436F6E736F727469756D
2017-08-16 11:28:45.321 UTC [msp/identity] Sign -> DEBU 009 Sign: digest: FE0BE684056EB549F2CBEA2D2982527DB4BF9BE3918B9F2D0CF34E4008632A85
2017-08-16 11:28:45.321 UTC [msp] GetLocalMSP -> DEBU 00a Returning existing local MSP
2017-08-16 11:28:45.321 UTC [msp] GetDefaultSigningIdentity -> DEBU 00b Obtaining default signing identity
2017-08-16 11:28:45.321 UTC [msp] GetLocalMSP -> DEBU 00c Returning existing local MSP
2017-08-16 11:28:45.321 UTC [msp] GetDefaultSigningIdentity -> DEBU 00d Obtaining default signing identity
2017-08-16 11:28:45.322 UTC [msp/identity] Sign -> DEBU 00e Sign: plaintext: 0ABF060A1508021A0608EDD8D0CC0522...5B25704609856307789AC6510BE574CC
2017-08-16 11:28:45.322 UTC [msp/identity] Sign -> DEBU 00f Sign: digest: 5C4817BA0F16948EB282C8EC0BEEA8380B63F47BE2F08172EE5441538373354C
Error: Got unexpected status: BAD_REQUEST
Usage:
  peer channel create [flags]

Flags:
  -c, --channelID string   In case of a newChain command, the channel ID to create.
  -f, --file string        Configuration transaction file generated by a tool such as configtxgen for submitting to orderer
  -t, --timeout int        Channel creation timeout (default 5)

Global Flags:
      --cafile string              Path to file containing PEM-encoded trusted certificate(s) for the ordering endpoint
      --logging-level string       Default logging level and overrides, see core.yaml for full syntax
  -o, --orderer string             Ordering service endpoint
      --test.coverprofile string   Done (default "coverage.cov")
      --tls                        Use TLS when communicating with the orderer endpoint
  -v, --version                    Display current version of fabric peer server

!!!!!!!!!!!!!!! Channel creation failed !!!!!!!!!!!!!!!!
========= ERROR !!! FAILED to execute End-2-End Scenario ===========
```

sklump (Wed, 16 Aug 2017 11:55:54 GMT):
Explicitly specifying tag :x86_64-1.0.0 restores expected operation.

Vadim (Wed, 16 Aug 2017 11:56:45 GMT):
@sklump check the orderer logs

smithbk (Wed, 16 Aug 2017 12:57:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SDab4pqgv6KMPid7Q) @qsmen Communication with the CA is not required nor desired during any stage of transaction processing. Signature checking in order to ensure the endorsement policy was satisfied is done locally using the crypto material that is in the most recent config block for each channel, or the genesis block if no config changes have occurred for the channel.

mescoba1 (Wed, 16 Aug 2017 18:18:28 GMT):
I was looking at `fabric-ca-cryptogen.sh` and the file stops the CAs at the end. It looks like it doesn't use a docker container to launch the servers. If I wanted CAs to run on a docker container where should I launch the docker-compose? I need the CA's to be running after the `generateArtifacts.sh` so I can enroll new users

mescoba1 (Wed, 16 Aug 2017 18:20:27 GMT):
When I run docker-compose on the `docker-compose-e2e.yml` after the network script, it wants to relaunch my peers and orderers

LeoKotschenreuther (Wed, 16 Aug 2017 18:22:43 GMT):
Has left the channel.

smithbk (Wed, 16 Aug 2017 18:40:36 GMT):
Did you try with "--no-recreate" option of docker-compose up?

mescoba1 (Wed, 16 Aug 2017 18:50:14 GMT):
The CA containers didn't show up

smithbk (Wed, 16 Aug 2017 19:00:45 GMT):
Does your compose file look like this? https://gerrit.hyperledger.org/r/#/c/10871/6/examples/e2e_cli/docker-compose-e2e-fabric-ca.yaml

mescoba1 (Wed, 16 Aug 2017 19:01:33 GMT):
Yes

mescoba1 (Wed, 16 Aug 2017 19:03:37 GMT):
When I comment out stopAllCAs it leaves port 7054 open for me to register users

mescoba1 (Wed, 16 Aug 2017 19:04:27 GMT):
The Ca isn't running on a container however

smithbk (Wed, 16 Aug 2017 19:06:53 GMT):
Right ... if it is failing when you start the container, then you'll need to do "docker logs " to see why it failed

smithbk (Wed, 16 Aug 2017 19:08:22 GMT):
If the container goes away too fast, then you may be able to append something to the "command" line to make the container stay around

smithbk (Wed, 16 Aug 2017 19:08:31 GMT):
haven't done that personally though

RezwanKabir (Wed, 16 Aug 2017 19:18:06 GMT):
@smithbk I got the same result. and in ca log I got the error `Error: open /etc/hyperledger/fabric-ca-server-config/tls-cert.pem: no such file or directory`

smithbk (Wed, 16 Aug 2017 19:20:11 GMT):
```
volumes:
  - ./crypto-config/peerOrganizations/org1.example.com/ca/intermediate:/etc/hyperledger/fabric-ca-server-config
```

smithbk (Wed, 16 Aug 2017 19:20:45 GMT):
are you in the e2e_cli directory when you issue docker-compose up?

smithbk (Wed, 16 Aug 2017 19:21:20 GMT):
oh, you set intermediate CA to false

smithbk (Wed, 16 Aug 2017 19:21:41 GMT):
so you'll need to change the volume mount to "ca/root"

smithbk (Wed, 16 Aug 2017 19:21:53 GMT):
not "ca/intermediate"

RezwanKabir (Wed, 16 Aug 2017 19:24:18 GMT):
this time I made intermediate = true and volume mapped to `./crypto-config/peerOrganizations/org1.example.com/ca/intermediate:/etc/hyperledger/fabric-ca-server-config` and I am in e2e_cli directory now. :)

RezwanKabir (Wed, 16 Aug 2017 19:28:07 GMT):
actually in my `crypto-config/peerOrganizations/org1.example.com/ca/intermediate` directory I have ca-cert.pem file but no tls-cert.pem

RezwanKabir (Wed, 16 Aug 2017 20:51:17 GMT):
Tried with TLS disabled. Up to instantiation it is done and the chaincode container is created. But when I call invoke it shows `Failed to verify certificate: Failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "fabric-ca-server"`

farhan3 (Wed, 16 Aug 2017 22:16:20 GMT):
Hi - when I'm using the fabric-ca-client executable to enrol users, it calls `POST /enroll`, however, when I'm using the Nodejs fabric-ca-client package, it calls `POST /api/v1/enroll`. Why is this different, is one more correct than the other?

berserkr (Wed, 16 Aug 2017 23:30:30 GMT):
@smithbk have you seen this before:
```
################################################################
#######    Generating crypto material using Fabric CA    ##########
#################################################################
Checking executables ...
Setting up organizations ...
Starting CA server in crypto-config/ordererOrganizations/example.com/ca/root on port 7054 ...
./fabric-ca-cryptogen.sh: line 161: 61678 Killed: 9               $SERVER start -p $port -b admin:adminpw $DEBUG > $homeDir/server.log 2>&1
FATAL: CA server is not running at crypto-config/ordererOrganizations/example.com/ca/root; see logs at crypto-config/ordererOrganizations/example.com/ca/root/server.log
```

berserkr (Wed, 16 Aug 2017 23:30:42 GMT):
ca will not start

berserkr (Wed, 16 Aug 2017 23:31:10 GMT):
log is empty - mac os x

berserkr (Wed, 16 Aug 2017 23:31:33 GMT):
on release for both fabric and fabric-ca

smithbk (Thu, 17 Aug 2017 00:09:02 GMT):
Yes, it is a mac issue. The easiest work around is:

smithbk (Thu, 17 Aug 2017 00:09:11 GMT):
`sudo ln -s /usr/bin/true /usr/local/bin/dsymutil` See https://github.com/golang/go/issues/19734 for details on the problem

berserkr (Thu, 17 Aug 2017 00:55:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5cqDJHuz9QKCwQeyq) worked like a charm, just needed to re-compile the binaries :)

qsmen (Thu, 17 Aug 2017 00:56:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4WX8vo7rNJKXqyRz4) @smithbk, thank you. I see that the root cert is obtained from the configuration block and is used to validate the sign cert, which in turn is used to check the signature. The configuration block is stored locally and indexed by chainID.

qsmen (Thu, 17 Aug 2017 00:58:21 GMT):
For example, in msgvalidation.go, the function
```
func checkSignatureFromCreator(creatorBytes []byte, sig []byte, msg []byte, ChainID string) error {
	mspObj := mspmgmt.GetIdentityDeserializer(ChainID)
	creator, err := mspObj.DeserializeIdentity(creatorBytes)
	err = creator.Validate()
}
```
contains `mspObj := mspmgmt.GetIdentityDeserializer(ChainID)`; here, from ChainID, we get the configuration block and from the block we get the root cert and put it in mspObj? For `err = creator.Validate()`, we use the root cert to validate the certificate?

qsmen (Thu, 17 Aug 2017 00:58:30 GMT):
is this the right understanding?

smithbk (Thu, 17 Aug 2017 01:18:18 GMT):
yes, sounds correct

qsmen (Thu, 17 Aug 2017 02:01:02 GMT):
@smithbk , thank you very much.

YashGanthe (Thu, 17 Aug 2017 05:47:35 GMT):
Has joined the channel.

rock_martin (Thu, 17 Aug 2017 05:53:23 GMT):
There needs to be a way to connect a chaincode container to a network. In the case where a user runs a peer on one machine, but wants to run that peers chaincode on a different machine, they may need to have additional control over what network the chaincode container connects to. An example of such a scenario would be wanting the peer to communicate with the chaincode container over a docker overlay network.

YashGanthe (Thu, 17 Aug 2017 06:10:50 GMT):
I am able to revoke a certificate using fabric-ca-client revoke. If I have to publish the revocation so that the orderer is aware of the revocation, I need a CRL file. How do I obtain the CRL file after running the fabric-ca-client?

Vadim (Thu, 17 Aug 2017 07:32:50 GMT):
@rock_martin you can specify the overlay network name over the "CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE" parameter

Vadim (Thu, 17 Aug 2017 07:33:13 GMT):
then the peer will attach the chaincode container to the docker network with that name

rock_martin (Thu, 17 Aug 2017 07:38:17 GMT):
@Vadim Are you saying as "CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE"= host

Vadim (Thu, 17 Aug 2017 07:38:50 GMT):
I say that you set CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=

rock_martin (Thu, 17 Aug 2017 07:39:20 GMT):
@Vadim Thanks

smithbk (Thu, 17 Aug 2017 08:38:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=z7ctATRc5YR3jdfaS) @YashGanthe Not currently supported but is a future. See https://jira.hyperledger.org/browse/FAB-5300. Feel free to add a comment wrt priority

YashGanthe (Thu, 17 Aug 2017 08:49:07 GMT):
@smithbk the comment in the JIRA says: Add support for getting a CRL from the fabric-ca-server. We currently assume that the same client that revokes a certificate in fabric-ca-server will also add to the CRL of the appropriate channels in fabric, but this is not a good long-term assumption. There may be other reasons to need to retrieve the CRL also.

YashGanthe (Thu, 17 Aug 2017 08:49:36 GMT):
How does the client add to the CRL? And what does it add?

smithbk (Thu, 17 Aug 2017 08:50:16 GMT):
yes, totally agree that it is not a good long term assumption

smithbk (Thu, 17 Aug 2017 08:50:29 GMT):
it is just work that has not been done yet

smithbk (Thu, 17 Aug 2017 08:51:49 GMT):
The client would need to submit a config update to the appropriate channel with the new CRL

YashGanthe (Thu, 17 Aug 2017 08:52:02 GMT):
I mean currently, what is the mechanism for sending a config update to the channel?

smithbk (Thu, 17 Aug 2017 08:52:37 GMT):
Using the configtxlator ... just a sec and will get link ... but doesn't show specific example of CRL

YashGanthe (Thu, 17 Aug 2017 08:53:07 GMT):
Is it enough to take the public key bytes from the revoked cert and stick it in the config update?

smithbk (Thu, 17 Aug 2017 08:54:02 GMT):
No, it is not the entire certificate. Just the AKI and serial. Let me try to find a couple of links to point to.

smithbk (Thu, 17 Aug 2017 08:54:27 GMT):
For configtxlator, see http://hyperledger-fabric.readthedocs.io/en/latest/configtxlator.html?highlight=configtxlator

Vadim (Thu, 17 Aug 2017 08:56:48 GMT):
@smithbk does it not need the actual CRL to be in the config update?

YashGanthe (Thu, 17 Aug 2017 08:57:18 GMT):
I am able to run configtxlator. But I am not sure what I need to put in the revocation_list tag of the config object

smithbk (Thu, 17 Aug 2017 08:57:47 GMT):
Yes, but each entry of a CRL consists of a 2-tuple:

Vadim (Thu, 17 Aug 2017 08:58:54 GMT):
ah, ok

YashGanthe (Thu, 17 Aug 2017 08:59:53 GMT):
The proto file indicates that the revocation list is a collection of bytestreams

YashGanthe (Thu, 17 Aug 2017 08:59:55 GMT):
`repeated bytes revocation_list = 5;`

YashGanthe (Thu, 17 Aug 2017 09:00:06 GMT):
Not a tuple

Vadim (Thu, 17 Aug 2017 09:02:53 GMT):
I think @smithbk meant that within a CRL there is a tuple, but into the revocation_list you need to put the actual CRL

smithbk (Thu, 17 Aug 2017 09:03:55 GMT):
@elli-androulaki Elli, can you give details here? At one point, each CRL entry was to consist of an tuple, but am trying to find the definition. I assume the serialized []byte is of some struct. Is there an example or test case that you could point to?

Vadim (Thu, 17 Aug 2017 09:05:40 GMT):
I've also found this: https://github.com/hyperledger/fabric/blob/d9c320297bd2a4eff2eb253ce84dc431ef860972/msp/mspimpl.go#L775

Vadim (Thu, 17 Aug 2017 09:06:16 GMT):
i.e. seems that revocation_list contains PEM-encoded CRLs

smithbk (Thu, 17 Aug 2017 09:09:13 GMT):
Yeh, I think the 2-tuple may be ... Authority Key ID and Subject Key ID ... rather than serial

smita0709 (Thu, 17 Aug 2017 09:34:42 GMT):
Has joined the channel.

YashGanthe (Thu, 17 Aug 2017 09:42:16 GMT):
I tried sending the PEM-encoded byte stream found between the BEGIN and END lines. Fabric did not complain. So I believe it is a PEM encoded CRL that it expects and not a 2-tuple

DarshanBc (Thu, 17 Aug 2017 12:38:42 GMT):
How to query all transactions done by particular user and transactions done on a particular state

jmcnevin (Thu, 17 Aug 2017 12:58:07 GMT):
I've been using the multi-ca functionality of fabric-ca to use one ca for msp certs, and another for tls certs... is there anything else I would need to do during network setup to make sure those certificates work for that purpose? I found this commit detailing some profile changes: https://gerrit.hyperledger.org/r/#/c/11103/11/cmd/fabric-ca-server/config.go

smithbk (Thu, 17 Aug 2017 14:50:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qA2G6BtMJiTCLDusj) @jmcnevin I think it is easier to use the tls profile since it has the key usage set appropriately for TLS by default; otherwise, I assume you set the key usage for the default profile of your TLS CA appropriately.

jmcnevin (Thu, 17 Aug 2017 14:55:06 GMT):
I put that tls profile into my server config, and have been generating certs using `--caname "CA2" --enrollment.profile tls` and that seems to be working. I can get a channel created, and I can join peers to the channel. My only problem is that when it comes time for my peers to talk to the orderers, something just doesn't seem to be working correctly.

jmcnevin (Thu, 17 Aug 2017 14:56:06 GMT):
Detailing my issues here: https://stackoverflow.com/questions/45736954/setting-up-tls-communication-between-orderers-and-peers?noredirect=1#comment78432402_45736954

tskzh (Thu, 17 Aug 2017 15:24:36 GMT):
Has joined the channel.

mescoba1 (Thu, 17 Aug 2017 16:57:30 GMT):
@smithbk when looking at the logs for trying to bring up the CA compose file with the --no-recreate flag I get
```
[DEBUG] No key found in BCCSP keystore, attempting fallback
Error: Could not find the private key in BCCSP keystore nor in keyfile /etc/hyperledger/fabric-ca-server-config/ca-key.pem: open /etc/hyperledger/fabric-ca-server-config/ca-key.pem: no such file or directory
```

mescoba1 (Thu, 17 Aug 2017 16:58:20 GMT):
That is log for ca_peerOrg1

smithbk (Thu, 17 Aug 2017 17:23:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=K9W2TotEgQzmjLHQ5) @mescoba1 The private key should have been in the msp/keystore directory as generated by the script. I assume you checked that directory.

mescoba1 (Thu, 17 Aug 2017 17:34:17 GMT):
I can't see inside the container as it stopped

smithbk (Thu, 17 Aug 2017 17:35:05 GMT):
You can look on your host file system, to the directory the volume is mounted

mescoba1 (Thu, 17 Aug 2017 17:39:11 GMT):
I see `ca-cert.pem` and `ca-chain.pem` but not `tls-cert.pem` (ca_peerOrg1) or `ca-key.pem` (ca_peerOrg2)

smithbk (Thu, 17 Aug 2017 17:39:42 GMT):
what is in the msp directory?

smithbk (Thu, 17 Aug 2017 17:43:50 GMT):
And org1's intermediate CA is the one failing to start?

smithbk (Thu, 17 Aug 2017 17:45:42 GMT):
cd to peerOrganizations/org1.example.com/ca/intermediate and try to issue "fabric-ca-server start" on your host machine. Of course you'll need to use the full path to fabric-ca-server executable

mescoba1 (Thu, 17 Aug 2017 17:55:37 GMT):
Okay the server is running

Eman0 (Thu, 17 Aug 2017 18:04:21 GMT):
How do peers discover each other's addresses in the network? Does the signed "alive" message contain the peer address?

smithbk (Thu, 17 Aug 2017 18:32:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=odvht2zDNbTZ3jMFd) @mescoba1 Did you get it started in docker? If it runs in the host but not the container, it must be that the volume mapping is wrong or not in the correct directory when starting docker.

smithbk (Thu, 17 Aug 2017 18:34:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9QxEeDxB9GtMxQiN4) @Eman0 The orderer and anchor peer addresses are in the genesis block (or subsequent config block).

mescoba1 (Thu, 17 Aug 2017 18:34:10 GMT):
It runs on host @smithbk

mescoba1 (Thu, 17 Aug 2017 18:34:46 GMT):
`./crypto-config/peerOrganizations/org1.example.com/ca/intermediate:/etc/hyperledger/fabric-ca-server-config`

smithbk (Thu, 17 Aug 2017 18:36:49 GMT):
so if you're in the fabric/examples/e2e_cli directory when you invoke docker-compose, does it start successfully? assuming you don't have anything else running on that port

mescoba1 (Thu, 17 Aug 2017 18:41:02 GMT):
I get the same thing

mescoba1 (Thu, 17 Aug 2017 18:41:03 GMT):
`Error: open /etc/hyperledger/fabric-ca-server-config/tls-cert.pem: no such file or directory`

mescoba1 (Thu, 17 Aug 2017 18:42:02 GMT):
When I run docker-compose-e2e-fabric.yaml by itself

mescoba1 (Thu, 17 Aug 2017 18:43:11 GMT):
```peer0.org2.example.com | 2017-08-17 18:42:39.838 UTC [main] main -> ERRO 001 Cannot run peer because error when setting up MSP from directory /etc/hyperledger/fabric/msp: err Could not load a valid signer certificate from directory /etc/hyperledger/fabric/msp/signcerts, err stat /etc/hyperledger/fabric/msp/signcerts: no such file or directory```

smithbk (Thu, 17 Aug 2017 19:06:50 GMT):
Let's take this off this channel. I'll ping direct

farhan3 (Thu, 17 Aug 2017 19:53:38 GMT):
Hi - when enrolling new users with fabric-ca via the Nodejs SDK (https://fabric-sdk-node.github.io/FabricCAClient.html#register__anchor_), there is a field to set attributes via the attrs field. Does anyone know how these attributes can then be accessed in the chaincode?

farhan3 (Thu, 17 Aug 2017 19:54:53 GMT):
I tried using the GetCreator method in the chaincode (https://github.com/hyperledger/fabric/blob/release/core/chaincode/shim/interfaces.go#L169), but it only returns the cert, not any of the attributes

smithbk (Thu, 17 Aug 2017 20:09:41 GMT):
In order to retrieve attributes from chaincode, the attributes must be added to the certificate used for the transaction.

smithbk (Thu, 17 Aug 2017 20:09:55 GMT):
That is what I have just been working on

smithbk (Thu, 17 Aug 2017 20:10:05 GMT):
See https://gerrit.hyperledger.org/r/#/c/12519/ as the 4th change set

smithbk (Thu, 17 Aug 2017 20:11:00 GMT):
For a description of how it works, see https://gerrit.hyperledger.org/r/#/c/12519/2/docs/source/users-guide.rst and scroll down to see the big block of green (new text) discussing this

smithbk (Thu, 17 Aug 2017 20:14:15 GMT):
Also see https://jira.hyperledger.org/browse/FAB-5825 for work to be done in SDKs to enable requesting ECerts with attributes via the SDK enroll call

smithbk (Thu, 17 Aug 2017 20:14:55 GMT):
Until that is done, the only way would be by using the "fabric-ca-client register" command to register attributes, which should by default be placed in the ECert

farhan3 (Thu, 17 Aug 2017 20:40:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vcYM7PDcJzyqYohLj) @smithbk I see. Guess I need to wait a bit longer. For now, I'll use the transient field in transactions to pass the attribute info. Thank you!

sampath06 (Fri, 18 Aug 2017 03:15:35 GMT):
@smithbk Can we find users with specific attributes set?

qsmen (Fri, 18 Aug 2017 05:53:35 GMT):
Hello, what's the relationship between the cert used in TLS and the sign cert in MSP? Thank you.

qsmen (Fri, 18 Aug 2017 06:06:17 GMT):
why not use the sign cert in msp to establish TLS?

qsmen (Fri, 18 Aug 2017 06:06:52 GMT):
Fabric is already complex enough

Vadim (Fri, 18 Aug 2017 06:07:17 GMT):
@qsmen for security reasons, better to have each cert serving its purpose only, i.e. signcert for signing transactions and tlscert for TLS connection

qsmen (Fri, 18 Aug 2017 06:10:13 GMT):
Thank you, Vadim. If we use one cert for the two scenarios, must it lead to a security problem, or is it just a possibility?

Vadim (Fri, 18 Aug 2017 06:11:40 GMT):
if it gets compromised, then since it's used for two purposes both will be compromised too, while using two certs limits the damage when one cert gets compromised

qsmen (Fri, 18 Aug 2017 06:12:22 GMT):
ok, I see. Thank you.

ranjan008 (Fri, 18 Aug 2017 07:32:50 GMT):
I have created a new user using fabric-sdk-go and am trying to access the chaincode methods, but it's giving the error "signed by unknown authority". Also, when creating users separately, will it generate all the relevant user certificates required for interaction itself, or will I have to do it separately?

rikmoedt (Fri, 18 Aug 2017 07:58:27 GMT):
Has joined the channel.

kutenglaoshu (Fri, 18 Aug 2017 10:07:44 GMT):
Has joined the channel.

smithbk (Fri, 18 Aug 2017 10:57:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2NgAsPzuKWGErjpbG) @sampath06 There are no fabric-ca-server REST APIs to search for users. Of course you could query directly against the 'users' table of the DB using sql.

smithbk (Fri, 18 Aug 2017 10:58:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5Ep3pXxmWjj8prLn9) @ranjan008 This is a question for the fabric-sdk-go channel

Ashish (Fri, 18 Aug 2017 11:04:09 GMT):
@Vadim One doubt Vadim, if I am creating the certificates using Cryptogen, where I am specifying as below
```
OrdererOrgs:
  - Name: Orderer
    Domain: Orderer
    Specs:
      - Hostname: orderer
```

Ashish (Fri, 18 Aug 2017 11:04:47 GMT):
and I have brought up my network,

Ashish (Fri, 18 Aug 2017 11:05:15 GMT):
but when I try to create a channel., i get the tls handshake error

Ashish (Fri, 18 Aug 2017 11:05:49 GMT):
"certificate validation failed, and it says does not contain any IP SANs"

Ashish (Fri, 18 Aug 2017 11:07:57 GMT):
`peer channel create -o <*IPADDRESS*>:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA`

Ashish (Fri, 18 Aug 2017 11:08:18 GMT):
because i am specifying the ipaddress of the orderer..

dsanchezseco (Fri, 18 Aug 2017 11:22:32 GMT):
@Ashish I had the same problem; you have to do something like
```
Specs:
  - Hostname: orderer
    SANS:
      - 172.31.13.225
```

dsanchezseco (Fri, 18 Aug 2017 11:23:22 GMT):
but i cannot make it work on a distributed env yet

dsanchezseco (Fri, 18 Aug 2017 11:23:32 GMT):
i'm missing something somewhere

Ashish (Fri, 18 Aug 2017 11:24:05 GMT):
thank you @dsanchezseco ,will try that now.

Ashish (Fri, 18 Aug 2017 11:24:25 GMT):
when you mentioned distributed environment, what did you mean by that?

dsanchezseco (Fri, 18 Aug 2017 11:25:46 GMT):
have the peers on different machines

Ashish (Fri, 18 Aug 2017 11:30:49 GMT):
ohkay,

eetti (Fri, 18 Aug 2017 19:46:16 GMT):
I got this error when trying to generate the orderer genesis block
```
Setting up the MSP manager failed, err getIdentityFromBytes error: failed to parse x509 cert, err asn1: structure error: tags don't match (6 vs {class:0 tag:16 length:224 isCompound:true}) {optional:false explicit:false application:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false} ObjectIdentifier @3
Failed to generate orderer genesis block...
```
The certs I am using were generated with openssl/internal CA team. I don't understand what the error means. Can anyone help? Thanks.

eetti (Fri, 18 Aug 2017 19:46:16 GMT):
I got this error when trying to generate the orderer genesis block:
```
Setting up the MSP manager failed, err getIdentityFromBytes error: failed to parse x509 cert, err asn1: structure error: tags don't match (6 vs {class:0 tag:16 length:224 isCompound:true}) {optional:false explicit:false application:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false} ObjectIdentifier @3
Failed to generate orderer genesis block...
```
The certs I am using were generated with openssl. I don't understand what the error means. Can anyone help? Thanks.

GeneralResearch (Fri, 18 Aug 2017 19:53:07 GMT):
Death to dockers

Eric.Bui (Sat, 19 Aug 2017 09:29:37 GMT):
Hi all, could I know how to generate the public key & private key for admin?

mastersingh24 (Sat, 19 Aug 2017 10:40:58 GMT):
@eetti - Could you provide a few more details on exactly what you were doing here? And can you share the openssl command you used to generate the certificates? (https://chat.hyperledger.org/channel/fabric-ca?msg=stPoegXzS9mB6PSKB)

mastersingh24 (Sat, 19 Aug 2017 10:42:04 GMT):
[moved this to #fabric-crypto ](https://chat.hyperledger.org/channel/fabric-ca?msg=stPoegXzS9mB6PSKB) @eetti

Hangyu (Mon, 21 Aug 2017 01:51:28 GMT):
@RezwanKabir Actually I encountered the same error when I tried to invoke via the Java SDK. But when I use the certificate of User1 generated by fabric-ca-cryptogen.sh, it went successfully. I am guessing that when a user is enrolled via an intermediate CA, it needs the root CA running at the same time? Haven't tried it yet though. Could you give me an update on how you are doing with this error?

Claude-ZHENG (Mon, 21 Aug 2017 02:41:37 GMT):
Has joined the channel.

Claude-ZHENG (Mon, 21 Aug 2017 02:57:28 GMT):
Hi everybody. Could anyone instruct me on generating a TLS cert for the client? I'm a little confused by the ca-client docs in the part *Enabling TLS*, where it is written: "The following sections may be configured in the fabric-ca-client-config.yaml."
```yaml
tls:
  # Enable TLS (default: false)
  enabled: true
  certfiles:
    - root.pem
  client:
    certfile: tls_client-cert.pem
    keyfile: tls_client-key.pem
```
But I found there is no *tls.enabled* field in the fabric-ca-client-config.yaml. Will it work if I add it manually? And for the server I started by this command, `fabric-ca-server start -b admin:adminpw`, should I enable TLS on the server by adding --tls.enabled when starting it?

Claude-ZHENG (Mon, 21 Aug 2017 03:05:47 GMT):
And I'm trying to enroll by `fabric-ca-client enroll -u http://admin:adminpw@localhost:7054 -d --tls.certfiles ../../server/ca-cert.pem`. It's OK without error. But I found no TLS cert in the client/admin folder. Thanks in advance for any suggestions.

Claude-ZHENG (Mon, 21 Aug 2017 03:05:47 GMT):
More specifically for the environment, `FABRIC_CA_HOME=$HOME/fabric-ca/server` and `FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/client/admin`, and I'm trying to enroll by `fabric-ca-client enroll -u http://admin:adminpw@localhost:7054 -d --tls.certfiles ../../server/ca-cert.pem`. It's OK without error. But I found no TLS cert in the client/admin folder. Thanks in advance for any suggestions.

Hangyu (Mon, 21 Aug 2017 07:30:11 GMT):
@Hangyu I used the fabric-ca container to register users using the SDK. After successfully running network.sh, I ran docker-compose-e2e.yaml and then used the Java SDK to register new users and then tried to invoke, but I keep getting the following error. Could you take a look at it and tell me where I went wrong? Thanks very much @smithbk

Claude-ZHENG (Mon, 21 Aug 2017 07:36:18 GMT):
@Hangyu Do you use the Node.js SDK? I succeeded in registering a user and invoking the cc by that user. Maybe I can help you figure out your problem.

Hangyu (Mon, 21 Aug 2017 07:41:36 GMT):
@Claude-ZHENG Thanks for your reply. I used Java-sdk and kept getting that error. Does it have something to do with the SDK? I used Java-sdk to register user and went well. But when I followed https://gerrit.hyperledger.org/r/#/c/10871/ It did not go well. I tried both cases of intermediate CA on and off, but got the same error.

Claude-ZHENG (Mon, 21 Aug 2017 07:57:45 GMT):
I know that script, which tries to generate all the cryptos by fabric-ca instead of the cryptogen tool. And I got an error about the TLS cert: no TLS cert was created. So according to what you said, you also got problems with that script. And what's the relevance to the Java SDK?

Hangyu (Mon, 21 Aug 2017 08:04:34 GMT):
Yes, about TLS, I also got the error you mentioned. But I turned TLS off and then ran the network.sh script successfully. And I used the SDK to register a user and invoke, but it didn't work. However, when I used the certificate which fabric-ca-cryptogen.sh generated, such as User1, I can invoke from the SDK. This problem has been bothering me for two days... By the way, when you said you did it by the Node SDK, do you mean in the case of fabric-ca-cryptogen.sh? @Claude-ZHENG

Claude-ZHENG (Mon, 21 Aug 2017 08:15:40 GMT):
No. I used the cryptos generated by the tool. I understand your matter. That is, you will start the network with certs and keys generated by fabric-ca-cryptogen.sh, and could use an already registered user, User1, to invoke cc via the Java SDK, but failed on a user registered by the Java SDK after the network had already been launched. So have you succeeded in the register/enroll operations on a network based on the cryptogen tool?

Claude-ZHENG (Mon, 21 Aug 2017 08:16:32 GMT):
@Hangyu

Hangyu (Mon, 21 Aug 2017 08:19:23 GMT):
@Claude-ZHENG Yes, it went well when using cryptogen. I am trying to see how an intermediate CA works...

Claude-ZHENG (Mon, 21 Aug 2017 08:25:21 GMT):
OK, I'm afraid we're in the same case. The Node SDK goes well with cryptogen in register/enroll and even invoke operations. And nowadays I'm trying to use the CA instead of the tool. And I found that script, so I'm trying to figure out the TLS problems, but not like you, to use it with TLS enabled and test it with the SDK. Good luck. Sorry for not helping you.

Claude-ZHENG (Mon, 21 Aug 2017 08:25:43 GMT):
@Hangyu

Hangyu (Mon, 21 Aug 2017 08:29:55 GMT):
@Claude-ZHENG It's all right. I'll let you know if there are updates on my case. I think the TLS error is within fabric-ca, as it failed to generate in the proper folder. I suggest you turn it off and see how it goes. Anyway, please keep me updated :)

Claude-ZHENG (Mon, 21 Aug 2017 08:34:36 GMT):
@Hangyu no problem.

smithbk (Mon, 21 Aug 2017 10:59:32 GMT):
@Claude-ZHENG Yes, you can manually add the "enabled: true", but I recommend removing the "client" section unless you require TLS client authentication, which I doubt is the case

smithbk (Mon, 21 Aug 2017 10:59:32 GMT):
@Claude-ZHENG Yes, you can manually add the "enabled: true", but I recommend removing the "client" section unless you require TLS client authentication, which I doubt is the case. This should be equivalent to using "--tls.enabled true --tls.certfiles root.pem" on the command line.

smithbk (Mon, 21 Aug 2017 11:07:09 GMT):
@Hangyu @Claude-ZHENG With regard to the following error:
```
Failed to verify certificate: Failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "fabric-ca-server"
```
Which log files are you seeing this in? I need to know who the client and who the server is when this error occurs.

smithbk (Mon, 21 Aug 2017 11:07:09 GMT):
@Hangyu @Claude-ZHENG With regard to the following error:
```
Failed to verify certificate: Failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "fabric-ca-server"
```
Which log files are you seeing this in? I need to know who the client and who the server is when this error occurs. I'm assuming this is in the fabric-ca-server's logs when trying to use the fabric-ca-client to communicate with it. If yes, I assume you are trying to use "fabric-ca-client register" or some command which requires token authentication. This error means that you are trying to authenticate with an enrollment certificate which was not issued by the CA to which you are sending the request. My guess is that you are using an old enrollment certificate and the root CA's certificate was deleted and recreated. I suggest that you issue the "fabric-ca-client enroll -u ..." command again to get an enrollment certificate that is issued by the current CA with its current root certificate.

smithbk (Mon, 21 Aug 2017 11:07:09 GMT):
Otherwise, if you will give me more details on how to recreate this error, then I can help.

smithbk (Mon, 21 Aug 2017 11:31:03 GMT):
@Claude-ZHENG @Hangyu With regard to the error
```
Failed to verify certificate: Failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "fabric-ca-server"
```
I assume you are seeing this in the fabric-ca-server's logs when trying to use one of the fabric-ca-client commands which require token authentication (register, revoke, or reenroll). This error means that the enrollment certificate which is being used by the fabric-ca-client was not issued by the CA to which it is being sent. My guess is that the CA's signing certificate has been deleted and recreated, or you are somehow using an old enrollment certificate. Try to issue the "fabric-ca-client enroll -u ..." command again to issue an enrollment certificate by the current CA's signing certificate.

smithbk (Mon, 21 Aug 2017 11:31:50 GMT):
If this is an accurate description of what you are seeing, then please provide more details on how to reproduce the problem so I can help.

DarshanBc (Mon, 21 Aug 2017 11:34:28 GMT):
If I have a consortium of 2 companies and I have 2 chaincodes, can I restrict company 1 to access chaincode 1 and company 2 to access chaincode 1 and 2?

DarshanBc (Mon, 21 Aug 2017 11:34:28 GMT):
If I have a consortium of 2 companies and I have 2 chaincodes, can I restrict access of company 1 to chaincode 1 and company 2 to chaincode 1 and 2?

smithbk (Mon, 21 Aug 2017 11:38:59 GMT):
Do the two chaincodes call one another? Any reason they wouldn't be on separate channels otherwise?

smithbk (Mon, 21 Aug 2017 11:38:59 GMT):
@DarshanBc Do the two chaincodes call one another? Any reason they wouldn't be on separate channels otherwise?

DarshanBc (Mon, 21 Aug 2017 11:49:43 GMT):
No, they don't

DarshanBc (Mon, 21 Aug 2017 11:49:43 GMT):
@smithbk No, they don't

DarshanBc (Mon, 21 Aug 2017 11:49:43 GMT):
@smithbk No, they don't call one another. The reason I can't put them on separate channels is that the operations done by these chaincodes are on the same key in a single channel.

smithbk (Mon, 21 Aug 2017 13:18:53 GMT):
@DarshanBc Not exactly sure what the "same key" refers to here, but seems you could use the same client's key across multiple channels. Having more info about the use case at a higher level may also be helpful. But I would also suggest asking it on a different channel such as fabric-peer-endorser-committer

DarshanBc (Mon, 21 Aug 2017 13:41:34 GMT):
@smithbk It's like this: I have a switch. A person from one group must be able only to switch it on; a person from the other group should be able only to switch it off.

gauthampamu (Mon, 21 Aug 2017 14:04:27 GMT):
I have a question on adding fabric-ca. If you start the fabric using certs generated manually using an external CA used by the client, is it possible to add fabric-ca after you start the network in the future? We are generating the CSR using the openssl tool. I wanted to find out if there are any instructions on how we should generate the CSR for ECDSA and TLS certs. Any special parameters we should use for the CSR?

ashutosh_kumar (Mon, 21 Aug 2017 16:48:11 GMT):
@gauthampamu , IMO it'll not be possible as you need to bring external CA's Private Key to your setup. You can use the cert for MSP.

ashutosh_kumar (Mon, 21 Aug 2017 16:48:11 GMT):
@gauthampamu , IMO it'll not be possible as you need to bring external CA's Private Key to your setup. You can use the cert for MSP config.

gauthampamu (Mon, 21 Aug 2017 16:50:09 GMT):
Just want to clarify... for example... if I use the external CAs to sign the certs and set up the network, and a year from now, is it possible to start the fabric CA server and use the certs signed by the fabric CA for adding new peers to an existing organization etc.?

ashutosh_kumar (Mon, 21 Aug 2017 16:52:03 GMT):
you need to recycle certs.

smithbk (Mon, 21 Aug 2017 17:07:09 GMT):
@DarshanBc Could you rephrase? I'm having difficulty parsing this

Hangyu (Tue, 22 Aug 2017 01:08:03 GMT):
@smithbk thank you very much. This time I commented out **stopAllCAs** after running network.sh, repeated what I did before, and it went successfully. I am guessing the signing certificate got recreated when I tried to start the fabric-ca container by docker-compose-e2e.yaml. I noticed that it says **FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/ca-key.pem**, but actually there is no ca-key.pem in the intermediate folder; maybe that is the reason? Below is what I did and failed before:
1. Run network.sh, and it worked well.
2. Turn off TLS of fabric-ca in docker-compose-e2e.yaml (because there is always this error of not being able to find tls-cert.pem).
3. `docker-compose -f docker-compose-e2e.yaml up --no-recreate`
4. Register & enroll a new user using the SDK.
5. Invoke with the new user, and here comes the error:
```
Failed to verify certificate: Failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "fabric-ca-server
```
So what should I do to restart the intermediate CA in the form of a fabric-ca container? Thanks for your help.

DarshanBc (Tue, 22 Aug 2017 04:14:35 GMT):
@smithbk I have data on the ledger; say its current status is "0000". Only a person from organisation 1 should be able to alter it to "1111", and a person from org2 should not change its status from "1111". The same way, only a person from org2 must be able to make it "0000". Hence I have made 2 functions on 2 different chaincodes, so that if permissions are given accordingly to access the respective code, then my problem would be solved.

sampath06 (Tue, 22 Aug 2017 05:03:13 GMT):
@DarshanBc I have a similar use case. Was wondering if the chaincode could check if the person belongs to the correct organisation before making the change?

DarshanBc (Tue, 22 Aug 2017 05:23:59 GMT):
According to my understanding of the document, authentication and authorization in fabric is at the channel level. Need to know if something can be done at the level of chaincode.

DarshanBc (Tue, 22 Aug 2017 05:23:59 GMT):
@sampath06 According to my understanding of the document, authentication and authorization in fabric is at the channel level. Need to know if something can be done at the level of chaincode.

Vadim (Tue, 22 Aug 2017 07:02:55 GMT):
@DarshanBc you can execute stub.GetCreator() in the chaincode and that will return to you the MSP name and the creator of the transaction

Vadim (Tue, 22 Aug 2017 07:03:16 GMT):
based upon that, you can program any logic you like in your chaincode

DarshanBc (Tue, 22 Aug 2017 07:35:03 GMT):
oh ok Thank you @Vadim

MoulaliMvg (Tue, 22 Aug 2017 08:14:05 GMT):
Has joined the channel.

YashGanthe (Tue, 22 Aug 2017 09:26:16 GMT):
The following documentation suggests openssl as one of the ways of generating the certificates for configuring an MSP: http://hyperledger-fabric.readthedocs.io/en/latest/msp.html#how-to-generate-msp-certificates-and-their-signing-keys I have tried the cryptogen and fabric-ca-client tools and was successful in generating the MSP certificates. I am looking for a ready-to-use script that uses openssl to generate the certificates. I prefer using openssl as it lets me generate a CRL file after revoking a certificate. The other two alternatives do not seem to have the feature yet. If anyone has managed to generate certificates using openssl in the folder structure expected by MSP, please let me know.

Subramanyam (Tue, 22 Aug 2017 11:43:54 GMT):
Can anyone assist me with how to implement the smart contract integration on data validation (consensus with validating peers) example in the Hyperledger Fabric Node.js SDK?

sklump (Tue, 22 Aug 2017 11:50:55 GMT):
Has left the channel.

Vadim (Tue, 22 Aug 2017 11:56:25 GMT):
@Subramanyam have you seen https://github.com/hyperledger/fabric-samples/blob/release/balance-transfer/app.js?

Subramanyam (Tue, 22 Aug 2017 11:57:39 GMT):
Ha, I already went through this example, but I didn't get relevant data on smart contract implementation in Node.js

Subramanyam (Tue, 22 Aug 2017 11:57:51 GMT):
@Vadim

Vadim (Tue, 22 Aug 2017 11:58:03 GMT):
smart contract is not implemented in nodejs

Vadim (Tue, 22 Aug 2017 11:59:35 GMT):
@Subramanyam it's a golang smart contract which is in https://github.com/hyperledger/fabric-samples/tree/release/balance-transfer/artifacts/src/github.com/example_cc

Vadim (Tue, 22 Aug 2017 11:59:59 GMT):
if you want to develop your contracts in js, you should probably go with fabric-composer

Subramanyam (Tue, 22 Aug 2017 12:05:11 GMT):
@Vadim In the Hyperledger Fabric Node.js SDK, I have to develop the contracts. Can you assist with any example by your colleagues?

Vadim (Tue, 22 Aug 2017 12:06:03 GMT):
I don't really understand your question, you are supposed to write smart contracts in golang, not in nodejs

Vadim (Tue, 22 Aug 2017 12:06:53 GMT):
the examples of integration with a smart contract are in https://github.com/hyperledger/fabric-samples, so if you have concrete questions about that, I can try to answer them.

Subramanyam (Tue, 22 Aug 2017 12:15:28 GMT):
@Vadim In the above link provided by you for implementing the smart contract in Go, how do I identify the validating peers?

Vadim (Tue, 22 Aug 2017 12:15:55 GMT):
currently, you should know it beforehand

Vadim (Tue, 22 Aug 2017 12:17:44 GMT):
@Subramanyam also, perhaps it's better to discuss this in #fabric-sdk-node

Subramanyam (Tue, 22 Aug 2017 12:19:00 GMT):
@Vadim thank you, and I'll raise it in fabric-sdk-node

samdeir (Tue, 22 Aug 2017 16:39:04 GMT):
@aambati @eric.biu did you find a way to re-register the user? ATM, when we register a user we can't revoke its identity and reuse the same name again... any thoughts? Cheers

samdeir (Tue, 22 Aug 2017 16:43:30 GMT):
G'day! Is there a proper way to delete a user's registration and re-use the same identity again? Example:
1. Successfully register user SATOSHI.
2. Revoke user SATOSHI.
3. Try registering SATOSHI again (it fails ATM with an 'Already registered' message).
Any piece of advice would be really helpful. Cheers!

skarim (Tue, 22 Aug 2017 17:00:11 GMT):
@samdeir Currently there is no way to re-register a user directly from the client. If you would like to re-register the user, the user will need to be deleted from the users table in the fabric-ca database. Now if you register again using the same id, you will not get the already registered message.

smithbk (Tue, 22 Aug 2017 18:26:20 GMT):
@samdeir Can you give more details for your use case on exactly why you need to delete and recreate the user? I assume a registration update function is what you really need, not to delete the user?

smithbk (Tue, 22 Aug 2017 23:46:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TfEoM7hGHCmPGFYpz) @DarshanBc I think someone mentioned earlier that you could get the MSPID of the caller and make authorization decisions based on that. For example, the following code snippet should get the mspid: ``` serializedID, err := stub.GetCreator() if err != nil { return nil, fmt.Errorf("Failed to get creator: %s", err) } // Deserialize the identity id, err := msp.DeserializeIdentity(serializedID) if err != nil { return nil, fmt.Errorf("Failed to deserialize identity: %s", err) } mspid := id.GetMSPIdentier()```

smithbk (Tue, 22 Aug 2017 23:46:14 GMT):
@DarshanBc I think someone mentioned earlier that you could get the MSPID of the caller and make authorization decisions based on that. For example, the following code snippet should get the mspid:
```go
serializedID, err := stub.GetCreator()
if err != nil {
    return nil, fmt.Errorf("Failed to get creator: %s", err)
}
// Deserialize the identity
id, err := msp.DeserializeIdentity(serializedID)
if err != nil {
    return nil, fmt.Errorf("Failed to deserialize identity: %s", err)
}
mspid := id.GetMSPIdentifier()
```

luckydogchina (Wed, 23 Aug 2017 02:54:57 GMT):
Hi everyone! Now there is a problem confusing me: `whether the endorser can only make a proposal for the same organization's client`

DarshanBc (Wed, 23 Aug 2017 03:13:03 GMT):
@smithbk Thank you

Subramanyam (Wed, 23 Aug 2017 05:31:02 GMT):
@Vadim I am supposed to create smart contracts in Go. Can you assist with an example of consensus with validating peers in the smart contract chaincode?

Hai-XuCheng (Wed, 23 Aug 2017 08:41:42 GMT):
Has joined the channel.

falix (Wed, 23 Aug 2017 09:06:04 GMT):
Has joined the channel.

samdeir (Wed, 23 Aug 2017 12:44:30 GMT):
@smithbk I just wanted to update the user password, so yes, I'm looking for a registration update function. Is there any?

smithbk (Wed, 23 Aug 2017 12:49:58 GMT):
@samdeir No, not currently, but I wanted to make sure I understand the requirements

smithbk (Wed, 23 Aug 2017 12:49:58 GMT):
@samdeir No, not currently, but I wanted to make sure I understand the requirements. Opening a JIRA item for that would be helpful.

LaurenceBonney (Wed, 23 Aug 2017 13:17:02 GMT):
Has joined the channel.

LaurenceBonney (Wed, 23 Aug 2017 13:20:41 GMT):
Hi there, I'm facing some issues authorising a Java SDK app using the fabcar fabric-samples demo; it's getting a certificate from the preconfigured CA container. The provided certificate seems to be not authorised (certificate signed by unknown authority) when we try to connect to the peer/orderer containers. The packaged node.js samples (query.js/invoke.js) do work for me, but they use a pregenerated certificate rather than requesting one from the CA. I've not modified any of the existing certificate configuration of the fabcar/basic-network demos, so I'm using the certificates provided out of the box. The node.js precanned certificate is issued by:
Issuer: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1.example.com
The certificate we are given from the CA is issued by:
Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=fabric-ca-server
When I use the CA-issued certificate with the node.js query.js sample it fails in the same way. Any ideas?

Vadim (Wed, 23 Aug 2017 13:22:38 GMT):
@LaurenceBonney which certificates did you use to start your CA?

Vadim (Wed, 23 Aug 2017 13:25:52 GMT):
I'm also not sure, but perhaps might need to adapt this: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#initializing-the-server

Vadim (Wed, 23 Aug 2017 13:26:05 GMT):
namely, the CSR section of the config file

LaurenceBonney (Wed, 23 Aug 2017 13:26:45 GMT):
@Vadim I'm using the stock configuration, so in basic-network/docker-compose.yml:
```yaml
ca.example.com:
  image: hyperledger/fabric-ca:x86_64-1.0.0
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_CA_NAME=ca.example.com
  ports:
    - "7054:7054"
  command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/a22daf356b2aab5792ea53e35f66fccef1d7f1aa2b3a2b92dbfbf96a448ea26a_sk -b admin:adminpw -d'
  volumes:
    - ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
  container_name: ca.example.com
  networks:
    - basic
```

LaurenceBonney (Wed, 23 Aug 2017 13:27:25 GMT):
@Vadim I'll take a look at that link, thanks

Vadim (Wed, 23 Aug 2017 13:27:28 GMT):
then you need either to edit that yaml file

Vadim (Wed, 23 Aug 2017 13:27:48 GMT):
or provide the same values over the command line arguments when you start fabric-ca-server

Vadim (Wed, 23 Aug 2017 13:28:02 GMT):
check which over `fabric-ca-server -h`

LaurenceBonney (Wed, 23 Aug 2017 13:36:30 GMT):
Okay, so it's a configuration issue; that's fine. I wanted to make sure we weren't just misunderstanding how we should obtain a certificate from the CA. I'll have a play with the configuration and see how it goes.

LaurenceBonney (Wed, 23 Aug 2017 14:22:45 GMT):
@Vadim I regenerated my certs using the generate.sh script provided and tweaked the docker-compose.yml script. Everything seems to have lined up, my certs are matching now, and I can invoke the sample chaincode. Thank you for your help!

MohammadObaid (Wed, 23 Aug 2017 18:45:07 GMT):
Hey @Vadim, I am deploying the fabric architecture on real systems. I have a case study to implement on it. Now for that I need to add organizations in my fabric-ca. The default docker image for fabric-ca consists of only two organizations. Is it possible that I can create my custom fabric-ca docker image? Second thing I want to know: does the fabric-ca docker image need to be downloaded on every peer's computer or only on one system? How would fabric-ca work in real distributed systems?

ksachdeva (Thu, 24 Aug 2017 01:37:26 GMT):
Has joined the channel.

qsmen (Thu, 24 Aug 2017 02:08:39 GMT):
Hello, are transaction certs used in fabric 1.0? Can we know who signed a transaction just from the signature signed by the transaction cert? Thank you.

smithbk (Thu, 24 Aug 2017 02:29:40 GMT):
@MohammadObaid In a real world scenario, you would typically have a different fabric-ca-server for each organization, each having a different root of trust. Yes, you can create your own custom fabric-ca-server docker image. Every peer would have a fabric-ca-client (not a fabric-ca-server) in order to enroll the peer. You could easily make an image with both peer and fabric-ca-client.

smithbk (Thu, 24 Aug 2017 02:30:47 GMT):
@qsmen No, transaction certs aren't supported in fabric v1, but will come in the future (not too distant).

smithbk (Thu, 24 Aug 2017 02:30:47 GMT):
@qsmen No, transaction certs aren't supported in fabric v1, but will come in the future, not too distant but no firm date yet.

qsmen (Thu, 24 Aug 2017 03:04:28 GMT):
Thank you Smithbk.

asadhayat (Thu, 24 Aug 2017 09:44:04 GMT):
Has joined the channel.

OlufAndrews (Thu, 24 Aug 2017 16:42:17 GMT):
Has left the channel.

MohammadObaid (Thu, 24 Aug 2017 18:03:49 GMT):
@smithbk Do you mean each organization has its own fabric-ca server, which generates the intermediate certificate and other cryptographic material for its peers, right?

MohammadObaid (Thu, 24 Aug 2017 18:03:49 GMT):
@smithbk Do you mean each organization has its own fabric-ca server, which generates the intermediate certificate and other cryptographic material for its peers, right? If yes, then what is the purpose of the `affiliations` section in the fabric-ca-server configuration file, in which we mention a number of organizations?

MohammadObaid (Thu, 24 Aug 2017 18:45:20 GMT):
@smithbk If I am using fabric-ca-server and fabric-ca-client for generating certificates and public keys and private keys, then do I need to use MSP? What is the difference between fabric-ca and MSP?

smithbk (Thu, 24 Aug 2017 18:51:37 GMT):
@MohammadObaid You have to obtain a certificate before you can transact on the fabric's blockchain. The fabric CA allows you to obtain and manage certificates. You then use those certificates to transact, and it is MSP's job within fabric to validate and sign transactions using those certificates that were obtained from fabric CA.

smithbk (Thu, 24 Aug 2017 18:51:37 GMT):
@MohammadObaid You have to obtain a certificate before you can transact on the fabric's blockchain. The fabric CA allows you to obtain and manage certificates. You then use those certificates to transact, and it is MSP's job within fabric to validate and sign transactions using those certificates that were obtained from fabric CA, or from another CA.

MohammadObaid (Thu, 24 Aug 2017 19:08:24 GMT):
@smithbk OK, thanks :) Just one more question. In the demo application, the cryptogen tool is used to generate those certificates from fabric-ca automatically, right? In the real world, every peer should get a certificate from fabric-ca-server using the commands mentioned in the fabric-ca doc, right?

smithbk (Thu, 24 Aug 2017 19:10:37 GMT):
Yes, that is correct about using fabric CA in the real world, or using another CA. But actually, cryptogen generates the certificates itself. It does not call fabric-ca-server to do this.

MohammadObaid (Thu, 24 Aug 2017 19:12:02 GMT):
ok

gauthampamu (Fri, 25 Aug 2017 02:16:48 GMT):
For the fabric-ca server CA cert, can we use an RSA-based certificate? I noticed when you generate the self-signed CA cert, it creates an ECDSA cert with ecdsa-sha256, but can we use an RSA-based cert for the CA cert?

gauthampamu (Fri, 25 Aug 2017 02:27:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TvMB9i9zMjSizvpss) @smithbk In the real world, I am assuming we should not use the self-signed CA cert, the one that is generated by the `fabric-ca-server init -b` command. I would imagine you have to specify the CA file that you get from the certificate management division in the organization. I have a question related to it. I have posted it above.

smithbk (Fri, 25 Aug 2017 11:13:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sxaGYGFNWs2Ae4g9P) @gauthampamu The fabric does not officially support RSA, last I heard. You can confirm by asking on the fabric-crypto channel. Regarding whether you use the CA cert generated by fabric-ca-server or not, yes, generally speaking you would probably want to use a CA signing certificate that was issued by your organization, but that really depends upon the PKI requirements of an organization. There is not anything insecure about fabric-ca-server generating its own self-signed certificate.

DarshanBc (Fri, 25 Aug 2017 11:17:00 GMT):
How exactly do encryption and decryption, along with public/private keys, work in Hyperledger?

smithbk (Fri, 25 Aug 2017 11:30:47 GMT):
There is currently no encryption done by the fabric itself. The design is to use channels so that data goes only where it is supposed to go (i.e. to the orgs involved in the channel). For finer-grained privacy within orgs, the application needs to perform encryption/decryption.

AuHuR (Fri, 25 Aug 2017 12:03:55 GMT):
Has joined the channel.

gauthampamu (Fri, 25 Aug 2017 12:17:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LMoxWFjptCbGv6Eug) @smithbk I understand that we don't support RSA and we have to use ECDSA certs for the peers and members, but can we configure the Fabric CA server CA cert with RSA and can it issue ECDSA certs? Will it be able to issue ECDSA certs when its CA cert is configured with RSA?

mastersingh24 (Fri, 25 Aug 2017 13:18:16 GMT):
Just use EC crypto

DarshanBc (Fri, 25 Aug 2017 15:44:23 GMT):
@smithbk OK, let me put it this way: what role does the private/public key play with respect to a channel?

smithbk (Fri, 25 Aug 2017 15:57:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nbtFyjj3Px7Y3umQR) @DarshanBc I don't understand the question ... it is normal PKI stuff.

DarshanBc (Fri, 25 Aug 2017 16:30:14 GMT):
If I invoke a transaction, how are the user's public/private keys used?

mastersingh24 (Fri, 25 Aug 2017 17:09:40 GMT):
@DarshanBc - Have you taken a look at http://hyperledger-fabric.readthedocs.io/en/latest/txflow.html and http://hyperledger-fabric.readthedocs.io/en/latest/msp.html ?

chrism28 (Fri, 25 Aug 2017 23:03:50 GMT):
Has joined the channel.

flycoderRuan (Sat, 26 Aug 2017 02:59:09 GMT):
Has joined the channel.

Vrai1127 (Sat, 26 Aug 2017 19:07:37 GMT):
My question is pretty fundamental. Q is: who hosts the network? Does one of the organizations host the network to get it started and others join the network through peers? Again, these peers are running in the network hosted by one organization. So doesn't that mean one of the organizations has a little more control than the others? Actually I'm fine with it if that's how it has to be. I just want to be clear that the network is hosted/originated by 1 org, and others join the network through proper credentials. But all the components like ledger, couchdb, chaincode etc. for each peer are all within that hosted network, not in each organization's own infrastructure.

fintanmcelroy (Sun, 27 Aug 2017 08:07:49 GMT):
Has joined the channel.

qiang0723 (Sun, 27 Aug 2017 10:46:18 GMT):
Has joined the channel.

smithbk (Sun, 27 Aug 2017 11:36:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Xhqg7NEiKfNvCs7p3) @Vrai1127 No one organization has to host the network. For example, each organization could have peers running on hosts that they control completely. One organization need not have more control than other organizations.

Vrai1127 (Sun, 27 Aug 2017 16:18:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6CwPt5HP2HbskiisX) @smithbk Then my question is how does the bootstrapping of the network happen? Who is running the ordering service/orderers? Who creates the channel? Someone has to create a genesis block in the first place, isn't it? All the examples I have seen so far are like bootstrapping the docker services on one VM. Is there a good way/example to really understand the distributed nature of blockchain? Please help.

bgaisford (Sun, 27 Aug 2017 19:25:30 GMT):
Has joined the channel.

Vrai1127 (Mon, 28 Aug 2017 03:05:45 GMT):
A few questions: 1) Does the fabric-ca server play any role during actual transactions, i.e. generating TCerts etc.? Or is its role done once users are enrolled? Does Fabric v1.0 even have TCerts? 2) Also, is there a recommendation around each organization having its own CA, or could we have one for the entire network? Any guidelines? 3) Is the relation between CA and MSP one-to-one or one-to-many? 4) Are there sample config files for both server and client available?

harik (Mon, 28 Aug 2017 08:02:06 GMT):
Has joined the channel.

harik (Mon, 28 Aug 2017 08:04:51 GMT):
I have set up my fabric-ca-server with postgres. Initialization was successful, and the server also started successfully. I got the error "error response from server was : Authorization failure" while enrolling the client. Any help would be appreciated!

harik (Mon, 28 Aug 2017 08:06:04 GMT):
The postgres log shows: could not receive data from client, connection reset by peer

hangyuliu (Mon, 28 Aug 2017 08:29:38 GMT):
Question: the enroll user log shows ```user req prikey: 12345abcdef1362 cert: keykey123 Registered User: 12345abcdef1070, Secret: keykey123 2017/08/28 15:56:29 [INFO] generating key: &{A:ecdsa S:256} 2017/08/28 15:56:29 [INFO] encoded CSR 2017/08/28 15:56:29 Error enroling user: Enroll failed: Error response from server was: CSR Decode failed``` Who has encountered this problem, and how do I solve it?

harik (Mon, 28 Aug 2017 09:03:05 GMT):
@Vrai1127 We do not have any TCerts in Fabric v1.0 as per my understanding; we will be using the same ECerts during transactions.

smithbk (Mon, 28 Aug 2017 11:29:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8sXR4e6Tr9btZSntm) @harik That is correct

smithbk (Mon, 28 Aug 2017 11:38:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2ZcGoxj3qq3XSg3mf) @Vrai1127 1) fabric does not call fabric-ca on the transaction path, so yes, it is done once enrolled. There is also reenrollment and revocation, but that is just between the client and fabric-ca and does not involve talking to a fabric peer or orderer. 2) The standard design would be to have one per organization. You don't want to have a single root of trust, so that if the root CA's private key is compromised, it would compromise the entire network. 3) It is possible to have 1-1 or 1-many between CA and MSP. In the 1-many, each MSP would have a different OU. 4) See https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#file-formats. The fabric-ca-server and fabric-ca-client can also generate their own default config files.

smithbk (Mon, 28 Aug 2017 11:44:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cA5sKRmk2gWC9pcw8) @hangyuliu If you'll provide version, debug logs, and how to reproduce, I'll take a look

smithbk (Mon, 28 Aug 2017 11:45:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=woHvAWDW8E7ciiToG) @harik What does the fabric-ca-server logs show, with "-d" for debug enabled?

harik (Mon, 28 Aug 2017 11:50:12 GMT):
@smithbk I was able to resolve the issue. If we create a database and give the same in datasource, it will not create any tables and we get the above error. I gave the database name without creating it and then started fabric-ca-server init; fabric-ca-server created the database and also all the tables, and I was able to enroll the client successfully. Thanks for responding!

smithbk (Mon, 28 Aug 2017 12:00:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bgx3ofbWQTqvaqaTi) @Vrai1127 I don't know of a long example that would provide a detailed answer, but let me try at a high level at least. For a distributed ordering service, two or more organizations would share their CA certificate and hostname(s) for one or more orderers which they will host with one another. This is done out-of-band. One of the organizations could generate the genesis block and share with all others. The config update policy (which all others would be able to see) could require signatures from an admin from all organizations (for example). Each organization would be able to verify that they agree with the config update policy (and others) before actually starting their orderer. The same type of process would be done before starting a peer.

Vrai1127 (Mon, 28 Aug 2017 12:12:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MkMD96xxRZswcBGve) @smithbk For 2), does each organization need to run its own fabric-ca server, or could it mean 1 server generating multiple CAs, each assigned to one organization? Sorry, I'm confused with the MSP-Org-CA mapping. What will be the standard and more frequently used config between the three?

smithbk (Mon, 28 Aug 2017 12:17:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aQbQrS3Np6K7co7rQ) @Vrai1127 You could have one fabric-ca-server hosting multiple CAs but you would want to make sure that each CA has different admin credentials and even a different person who would be able to configure the CA by modifying the file on the file system.

mastersingh24 (Mon, 28 Aug 2017 14:38:32 GMT):
@smithbk @anilk 9 @skarim - anything you guys think REALLY needs to be in v1.0.2 besides for https://gerrit.hyperledger.org/r/12779 ?

mastersingh24 (Mon, 28 Aug 2017 14:38:55 GMT):
Not sure it's worth backporting other stuff at this point given some of the internal changes

smithbk (Mon, 28 Aug 2017 14:44:42 GMT):
No, that's all Gari

mastersingh24 (Mon, 28 Aug 2017 15:14:37 GMT):
Excellent. Then we are pretty much done ;)

Vrai1127 (Mon, 28 Aug 2017 22:07:53 GMT):
Could anyone point me to a good read on permissions and the ACL piece? Is there a mechanism in fabric to control who accesses what asset and what they could do to that asset? (I want to understand how this is done outside of Composer.)

saurabhxtiwari (Tue, 29 Aug 2017 10:34:26 GMT):
Has joined the channel.

smithbk (Tue, 29 Aug 2017 12:32:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fPfbPGs8YC43KLtcm) @Vrai1127 The following talks about MSP's ACL mechanism: https://docs.google.com/document/d/1Qg7ZEccOIsrShSHSNl4kBHOFvLYRhQ3903srJ6c_AZE/edit#heading=h.2rmho7iqstbu

Vrai1127 (Tue, 29 Aug 2017 18:31:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xKo6PMLtmbiL88mu4) @smithbk Also, could you please advise what defines asset-level control, e.g. 1 firm has access to lease a vehicle but will not have access to scrap it? At what place is asset-level access defined? Is there an example to look at?

smithbk (Tue, 29 Aug 2017 19:34:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HmRqZFPC49jqDEZfc) @Vrai1127 So you mean ACL within chaincode. I don't know if there is a sample, but you would have to call GetCreator() on the stub which returns a []byte which is a serialized version of an MSP identity, which is a string (the MSPID) followed by a PEM-representation of the caller's x509 certificate. You could extract the MSPID string and make an authorization decision based on that.

vdods (Tue, 29 Aug 2017 22:59:27 GMT):
Does anyone know when the FABRIC_CA_LOGGING_LEVEL env var was deprecated in favor of the `-d` flag? Or presumably FABRIC_CA_DEBUG=true, though I can't seem to get this to work? It's rather inconvenient to have the different components of fabric use different conventions for logging levels.

vdods (Tue, 29 Aug 2017 23:07:58 GMT):
Also, if I'm using an intermediate CA subordinate to a root CA, when I specify the trusted roots for the TLS options for the CA (say in fabric-sdk-node), do I need to specify the cert for the root and the intermediate? Currently I'm only specifying the root CA's cert, and it's failing with `Error: Calling enrollment endpoint failed with error [Error: unable to verify the first certificate]`

mescoba1 (Tue, 29 Aug 2017 23:10:01 GMT):
Has left the channel.

vdods (Tue, 29 Aug 2017 23:25:55 GMT):
Adding the intermediate CA's cert (as a second cert in the list of trusted roots) produces a different error: `Error: Calling enrollment endpoint failed with error [Error: certificate signature failure]`

NeerajKumar (Wed, 30 Aug 2017 07:15:03 GMT):
Has joined the channel.

NeerajKumar (Wed, 30 Aug 2017 07:17:00 GMT):
Hey, I have been following 'Bring your first network' for bringing my first network up. Is it also starting the fabric-ca-server? If yes, how am I able to use fabric-ca-server to add a user to it?

DarshanBc (Wed, 30 Aug 2017 10:41:37 GMT):
Hi, after generating crypto artifacts again I am trying to run balance-transfer and it is giving this error: ```using the store: {"opts":{"path":"/tmp/fabric-client-kvs_peerOrg2"}} [2017-08-30 16:10:04.235] [DEBUG] Helper - [FileKeyValueStore.js]: FileKeyValueStore.js - constructor [2017-08-30 16:10:04.236] [DEBUG] Helper - [utils.CryptoKeyStore]: _getKeyStore returning ks [2017-08-30 16:10:04.236] [DEBUG] Helper - [crypto_ecdsa_aes]: generateKey, store.setValue [2017-08-30 16:10:04.237] [DEBUG] Helper - [ecdsa/key.js]: ECDSA curve param X: 51fd4a6a4b13a238e62ed66ee9a9b515bde84453f6cc863b3fb9d8ef5ad661bb [2017-08-30 16:10:04.237] [DEBUG] Helper - [ecdsa/key.js]: ECDSA curve param Y: 61520973daaf7d9dd54ad5606c125b735041c64363e66d4f0a1ce9d0badd89c5 [2017-08-30 16:10:04.242] [DEBUG] Helper - [FileKeyValueStore.js]: FileKeyValueStore -- setValue [2017-08-30 16:10:04.312] [ERROR] Helper - Error: Calling enrollment endpoint failed with error [Error: write EPROTO 140004699469632:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:../deps/openssl/openssl/ssl/ssl_lib.c:2512: 140004699469632:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:../deps/openssl/openssl/ssl/s3_clnt.c:3544: ] at ClientRequest. (/home/.../go/src/github.com/hyperledger/fabric-samples/balance-transfer/node_modules/fabric-ca-client/lib/FabricCAClientImpl.js:712:12) at emitOne (events.js:96:13) at ClientRequest.emit (events.js:188:7) at TLSSocket.socketErrorListener (_http_client.js:310:9) at emitOne (events.js:96:13) at TLSSocket.emit (events.js:188:7) at onwriteError (_stream_writable.js:346:10) at onwrite (_stream_writable.js:364:5) at WritableState.onwrite (_stream_writable.js:90:5) at fireErrorCallbacks (net.js:468:13) [2017-08-30 16:10:04.313] [DEBUG] Helper - Darsh001 failed to register [2017-08-30 16:10:04.313] [ERROR] Helper - Darsh001 enrollment failed ```

anishman (Wed, 30 Aug 2017 11:47:04 GMT):
Has joined the channel.

smithbk (Wed, 30 Aug 2017 12:30:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bkB3RpmRnrh3akR6Q) @vdods It has been this way since the beginning of v1. The env variable prefix is FABRIC_CA_SERVER, so FABRIC_CA_SERVER_DEBUG should work. The original reason for using a different logger is because it is built on top of cfssl and we used the same logger as cfssl. Yes, we should change to use the same logger as fabric. Feel free to open a jira item to track.

smithbk (Wed, 30 Aug 2017 12:34:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hneL4beGGDJ5c2DCd) @vdods Not sure on the node SDK ... best to ask on the fabric-sdk-node channel

smithbk (Wed, 30 Aug 2017 12:38:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SARLLT8P4tpu8Ckny) @NeerajKumar Yes it starts fabric-ca-servers ... grep for fabric-ca in docker-compose-e2e-template.yaml. To register and enroll users, see https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#fabric-ca-client

smithbk (Wed, 30 Aug 2017 12:41:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cgEFbBHiGpeTEfKCN) @DarshanBc Not sure. You could try printing the cert with openssl if you haven't already. And could ask on the fabric-crypto channel.

Vrai1127 (Wed, 30 Aug 2017 15:49:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BKLDShuNeFYGvQqK3) @smithbk Thanks for your prompt response. Another related question: what is your advice if we have to control access at the user level, e.g. User 1 (under the MSPId of Org1) should not be able to update or read transactions on the blockchain from other users (from the same MSP or a different one)? Is there a good way to control that except looking at the user id & checking that against some sort of permissions list stored on the blockchain? Please advise.

smithbk (Wed, 30 Aug 2017 15:55:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XW2pvxFYCZRaFhLv5) @Vrai1127 That's it currently, but the following is targeted for v1.1: https://jira.hyperledger.org/browse/FAB-5346

Vrai1127 (Wed, 30 Aug 2017 19:35:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3oRAEbZ9fZQeFEeQR) @smithbk So FAB-5346 will control a user at the SDK level itself? Now all these options are to control user/MSP access at the chaincode/SDK level. But my understanding is all peers could read each other's transactions as long as they are on the same channel, i.e. they don't need chaincode to read. Is there a way to protect user1 (role as investor) from User 2 (same role as investor) accessing its data (maintain true privacy)? It is a distributed ledger, so everyone has the exact same copy of the ledger at their corresponding peers.

smithbk (Wed, 30 Aug 2017 19:58:21 GMT):
@Vrai1127 We don't support any privacy features within a channel. It sounds to me like you may need to do this at the application level, but would need more details on the scenario. What do you want user 2 to be able to do in this case?

vdods (Wed, 30 Aug 2017 20:03:47 GMT):
@smithbk Thanks!

greg.haskins (Wed, 30 Aug 2017 20:14:09 GMT):
Has left the channel.

Vrai1127 (Wed, 30 Aug 2017 20:14:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mk8WyxpJroh6rELcs) @smithbk Let's take a scenario: both users are investors (two different organizations, ORG1 and ORG2) in the same venture/fund/other financial arrangement (another organization, ORG3). The promised return on the investment could be different for each investor (even if the invested amount is the same). Ideally, as the firm launching that venture (ORG3), I don't want the investors to have the ability to see each other's data, especially data like amount invested, return on investment etc. Now, as we discussed earlier, I could control this on the application side either at the SDK/chaincode/MSP level, but given the fact that each peer will have its own copy of the full ledger & state db, there is always a risk that participants could find a back channel to read others' data?

smithbk (Wed, 30 Aug 2017 21:05:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rquSiKKsRvDLi9xYk) @Vrai1127 If an ORG1 user is investing and ORG3 is the fund manager and you don't want an ORG2 user to see any of the data, you would not allow ORG2 to be on the channel. More generally stated, there are two cases: 1) You don't want another org member to see ANY data. In this case, you create separate channels so the data never flows to ORGs that shouldn't see it. 2) You need to share some data between orgs but not all data. In this case, you would need a feature called "side DB" which is coming in v1.1. In this model, you can create collections containing a subset of the channel's ORGs and instead of doing a PutState, you would make another call to put the state to a particular collection, which means the data only goes to the orgs in that collection

Vrai1127 (Wed, 30 Aug 2017 21:11:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jaL3qWi7e7obN573S) @smithbk For 2) in your response, is there a gerrit item I could refer to? That definitely seems to be the more probable scenario. Also, I appreciate your response. These are very helpful! Kudos to you!

smithbk (Wed, 30 Aug 2017 22:07:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=e5RJMo3ntKjhxpmkz) @Vrai1127 See https://jira.hyperledger.org/browse/FAB-1151

vdods (Thu, 31 Aug 2017 01:18:31 GMT):
Is there any way to not just revoke a user's enrollment, but to do that AND delete a user's registration? I.e. delete their presence from the CA? Example use case: deleting a user's account in such a way where a different user can, at a later time, make an unrelated account with the same name?

vdods (Thu, 31 Aug 2017 01:19:50 GMT):
And other related things like querying (without registering or enrolling) if a user with the given name is registered (or enrolled) with a CA?

smithbk (Thu, 31 Aug 2017 01:45:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ztqezcZBvdPdamdaS) @vdods 1) No, it is not possible to delete an account. The current thinking is that this would be a problem with some audit capabilities, though we don't have all audit requirements yet. 2) We plan to add an endpoint to return the certificates associated with an enrollment ID.

ArnabChatterjee (Thu, 31 Aug 2017 01:52:16 GMT):
Hi All, I was going through the link: https://hyperledger-fabric.readthedocs.io/en/latest/msp.html#msp-setup-on-the-peer-orderer-side and really having a hard time understanding the role of each type of certificates that are used in here. Can anyone provide any simpler explanation about MSP and certificates?

ArnabChatterjee (Thu, 31 Aug 2017 01:52:49 GMT):
@smithbk Could you please help me? :)

ArnabChatterjee (Thu, 31 Aug 2017 01:58:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9QjDTqm7jBjdspRGR) @smithbk I am not really sure of this. But isn't peer supposed to use TLS? https://github.com/hyperledger/fabric/blob/release/examples/e2e_cli/base/peer-base.yaml#L18

ArnabChatterjee (Thu, 31 Aug 2017 01:59:29 GMT):
And doesn't TLS use TCERTS? Please correct me if I am wrong.

ArnabChatterjee (Thu, 31 Aug 2017 02:26:35 GMT):
And also if TCERTS are not working how does stub.GetCreator() work in CC? I thought that TCERTS are supposed to carry information about the user who is invoking CC.

Vadim (Thu, 31 Aug 2017 06:33:25 GMT):
@ArnabChatterjee stub.GetCreator() returns an ECert (more precisely, any cert that was used to sign the proposal)

rwadhwa (Thu, 31 Aug 2017 06:48:29 GMT):
Hi All, I have a question. Let's say that I have a network already up, for example Bring Your First Network. Is it already bringing the Fabric CA server up by default with it? I think not. Can you tell me how I do it? How do I connect a network with a CA?

Vadim (Thu, 31 Aug 2017 10:52:37 GMT):
@rwadhwa check the balance-transfer, it has CA and uses it to enroll users

rwadhwa (Thu, 31 Aug 2017 11:56:41 GMT):
@Vadim Okay. Let me check. However, what I'm trying to achieve is, I'm bringing the standalone server and using Hyperledger Composer .bna file to deploy the chaincode in the already up network.

smithbk (Thu, 31 Aug 2017 12:10:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YBsppahaefR5dHpqB) @ArnabChatterjee Suppose you have an MSP for ORG1 and a client certificate CLIENT which you need to validate. These directories are used to evaluate policies as follows.
1) ORG1.MEMBER is true if all of the following are true:
   a) We can build a trust chain between the root CAs in "cacerts" and CLIENT using "intermediatecerts". For example, if CLIENT was issued by I1 in "intermediatecerts" and I1 was issued by R1 in "cacerts", we can build a trust chain.
   b) If OUs are listed in config.yaml, CLIENT must additionally contain the specified OUs.
   c) CLIENT is not in "crls".
2) ORG1.ADMIN is true if all of the following are true:
   a) CLIENT equals exactly one of the certificates in "admincerts".
   b) CLIENT is not in "crls".
When connecting over TLS to an endpoint that claims to be in ORG1, the TLS client trusts "tlscacerts" and "tlsintermediatecerts" to make sure it is indeed connecting to an endpoint in ORG1.

lehors (Thu, 31 Aug 2017 15:59:23 GMT):
@smithbk following up on our discussion the other day and your statement that init shouldn't leave the DB open https://chat.hyperledger.org/channel/fabric-pr-review?msg=CiELHAAL53ZFSA5Tv

lehors (Thu, 31 Aug 2017 15:59:55 GMT):
I tried to add a close at the end of Init but then every operation after that fails because they try to access the db which is closed

lehors (Thu, 31 Aug 2017 16:00:13 GMT):
so it seems that the db is expected to be left open

lehors (Thu, 31 Aug 2017 16:01:32 GMT):
GetUser for example just accesses the db and will fail if Init closes it

lehors (Thu, 31 Aug 2017 16:02:31 GMT):
where is the db supposed to be opened before GetUser is called if not Init?

lehors (Thu, 31 Aug 2017 16:14:46 GMT):
I think it's easier to leave the code as is (i.e. Init opens and leaves the db open) and make closeDB public so it can be called when needed

lehors (Thu, 31 Aug 2017 16:15:12 GMT):
but I'll wait to hear from you to push any more changes

DarshanBc (Thu, 31 Aug 2017 18:34:00 GMT):
How do I get the mspid from a tx_id inside chaincode?

Vrai1127 (Thu, 31 Aug 2017 19:58:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7tJFdtnSimmZgnFw7) @smithbk Is it not recommended to use SQLite with Fabric CA? Is SQLITE option only for test?

Vrai1127 (Thu, 31 Aug 2017 21:20:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HmRqZFPC49jqDEZfc) @smithbk I read through the link https://docs.google.com/document/d/1Qg7ZEccOIsrShSHSNl4kBHOFvLYRhQ3903srJ6c_AZE/edit#heading=h.2rmho7iqstbu Regarding Section 3 Channel Access Control, could you please confirm that currently only the default policies apply in Fabric i.e. for readers & writers ALL the members of the MSP have read & write access. So currently there is no mechanism to override these?

mastersingh24 (Fri, 01 Sep 2017 08:42:00 GMT):
@Vrai1127 - `Is it not recommended to use SQLite with Fabric CA? Is SQLITE option only for test?` - if you only wish to run a single instance of the fabric-ca, then SQLITE is fine. You would not be able to provide a "highly available" solution as you'd only have a single instance of the fabric-ca process and SQLITE is not a shared database. (Of course you could play tricks with shared filesystem, etc but probably not worth doing that given that the other database options all have fault tolerant deployment options)

mastersingh24 (Fri, 01 Sep 2017 08:44:42 GMT):
@Vrai1127 - ``` could you please confirm that currently only the default policies apply in Fabric i.e. for readers & writers ALL the members of the MSP have read & write access. So currently there is no mechanism to override these? ``` You are correct on the defaults and using the `configtxgen` tool you can't override these. However, you should take a look at http://hyperledger-fabric.readthedocs.io/en/latest/configtx.html# , especially the section on the `configtxlator` tool which will allow you to reconfigure / set different policies

eetti (Fri, 01 Sep 2017 11:19:23 GMT):
I got this error when trying to create a channel ``` Rejecting CONFIG_UPDATE because: Proposed configuration has no application group members, but consortium contains members. ``` I have peer1.aaa.aaa.com as the address of the anchor peer. And in the cli container, I set the CORE_PEER_ADDRESS to the IP address of the peer. Could this be the reason? Or is there something else that I am missing?

Vrai1127 (Fri, 01 Sep 2017 11:27:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pdBmtysXj6ygx7eNg) @mastersingh24 using configtxlator could I really restrict a specific member of MSP to have read only access?

rwadhwa (Fri, 01 Sep 2017 13:26:46 GMT):
Hi, While deploying the network, I'm getting Handshaker factory creation failed with TSI_INVALID_ARGUMENT

rwadhwa (Fri, 01 Sep 2017 13:26:56 GMT):
Any idea what's the reason for this?

ascatox (Fri, 01 Sep 2017 13:51:04 GMT):
Has joined the channel.

mastersingh24 (Fri, 01 Sep 2017 22:34:10 GMT):
Sorry @Vrai1127 - Got caught up in a few things and missed this. You would basically need to add the "writers" explicitly to the ChannelWriters and ChannelReaders groups and then only add the read-only member(s) to the ChannelReaders group

rwadhwa (Sat, 02 Sep 2017 12:14:13 GMT):
Hi, Can someone tell me where exactly root certificates are present where I will bring up any fabric network?

glenlau (Sat, 02 Sep 2017 13:09:49 GMT):
Has joined the channel.

smithbk (Sat, 02 Sep 2017 16:51:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=T4nLLSqb7qQKapreN) @rwadhwa For each MSPDir in the configtx.yaml file, a root certificate must be in that MSP directory's "cacerts" subdirectory

rwadhwa (Sat, 02 Sep 2017 16:52:03 GMT):
Hi @smithbk , Let me check.

rwadhwa (Sat, 02 Sep 2017 16:54:42 GMT):
There is a ca directory...not cacerts?...Is that what you are referring to?

smithbk (Sat, 02 Sep 2017 17:11:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=khpf2vFxDdzQSEYDA) @rwadhwa No, there should be a "cacerts" directory in each MSP directory as described in https://hyperledger-fabric.readthedocs.io/en/latest/msp.html#msp-setup-on-the-peer-orderer-side

rwadhwa (Sat, 02 Sep 2017 17:17:58 GMT):
@smithbk Okay, I'm using the Balance Transfer Test Application. There were no folders created like this. Do I need to change something to create those folders?

Vrai1127 (Sat, 02 Sep 2017 17:20:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QTmpFAhCwvPHpBB7S) @mastersingh24 How do and where do I explicitly do this? Is it possible to do this at bootstrapping and afterwards through node sdk?

smithbk (Sat, 02 Sep 2017 17:25:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9pzrpcr3wZad23TyC) @rwadhwa If you look at the 3 MSPDir directories referenced in fabric-samples/balance-transfer/artifacts/channel/configtx.yaml, you will see a "cacerts" directory in each of those. For example, see fabric-samples/balance-transfer/artifacts/channel/crypto-config/peerOrganizations/org1.example.com/msp/cacerts

rwadhwa (Sat, 02 Sep 2017 17:27:00 GMT):
@smithbk Correct. Thanks for pointing it out.

rwadhwa (Sat, 02 Sep 2017 17:28:28 GMT):
Now, the issue is, I'm trying to deploy the network via .bna file from Hyperledger composer, which uses a connection profile (a connection.json file), in which if we use TLS, we need to provide root certificate in the "cacert" field in json file.

rwadhwa (Sat, 02 Sep 2017 17:29:08 GMT):
I was getting confused about which values I should use, and I tried all possible ways. Still it didn't work. I will try once again.

rwadhwa (Sat, 02 Sep 2017 17:29:11 GMT):
Thanks

smithbk (Sat, 02 Sep 2017 17:29:58 GMT):
np, good luck

Vrai1127 (Sun, 03 Sep 2017 17:19:18 GMT):
How do I decide on number of peers for each Organisation. Is there a rule based on # of users to be enrolled?

Vrai1127 (Sun, 03 Sep 2017 17:19:18 GMT):
1) How do I decide on number of peers for each Organisation. Is there a rule based on # of users to be enrolled? 2) On MSP documentation link http://hyperledger-fabric.readthedocs.io/en/latest/msp.html under best practices scenario :"Multiple organizations using a single MSP". This corresponds to a case of a consortium of organisations that are governed by similar membership architecture. One needs to know here that peers would propagate organization-scoped messages to the peers that have an identity under the same MSP regardless of whether they belong to the same actual organization. What does it mean? Anyways on the same channel there is nothing private?

Vrai1127 (Sun, 03 Sep 2017 17:19:18 GMT):
1) How do I decide on number of peers for each Organisation. Is there a rule based on # of users to be enrolled? 2) On MSP documentation link http://hyperledger-fabric.readthedocs.io/en/latest/msp.html under best practices scenario :"Multiple organizations using a single MSP". This corresponds to a case of a consortium of organisations that are governed by similar membership architecture. *One needs to know here that peers would propagate organization-scoped messages to the peers that have an identity under the same MSP regardless of whether they belong to the same actual organization.* What does it mean? Anyways on the same channel there is nothing private? If these peers (Organisations) are on different channels but under same MSP would they still receive each other messages?

qq597332855 (Mon, 04 Sep 2017 07:40:39 GMT):
Has joined the channel.

qq597332855 (Mon, 04 Sep 2017 07:42:48 GMT):
I tried to run the E2E example: `org.hyperledger.fabric_ca.sdk.exception.EnrollmentException: Url:http://10.60.248.32:7054, Failed to enroll user admin` `Caused by: org.apache.http.NoHttpResponseException: 10.60.248.32:7054 failed to respond`

qq597332855 (Mon, 04 Sep 2017 07:53:44 GMT):
Please send it to me by e-mail,597332855@qq.com

Smithatv (Mon, 04 Sep 2017 08:58:14 GMT):
Has joined the channel.

Smithatv (Mon, 04 Sep 2017 09:01:27 GMT):
Hello, i am getting "Error: Error response from server was: Failed getting affiliation 'peerorgs.1A':sql: no rows in result set" . I checked in the fabric-ca-server.db and the entry is found in the db

Smithatv (Mon, 04 Sep 2017 09:02:03 GMT):
can someone help me understand why am i getting this error?

Smithatv (Mon, 04 Sep 2017 09:14:51 GMT):
The command i executed is: fabric-ca-client register --id.name <> --id.type peer --id.affiliation peerorgs.1A

aambati (Mon, 04 Sep 2017 14:17:47 GMT):
@Smithatv Can you post relevant logs from the server side?

Smithatv (Mon, 04 Sep 2017 16:21:47 GMT):
@aambati , please take a look

skarim (Tue, 05 Sep 2017 00:06:54 GMT):
@Smithatv The screenshot you posted is from client side, can you provide server side logs?

Smithatv (Tue, 05 Sep 2017 02:59:37 GMT):
I am using the CLI. Can you please tell me how to collect the logs? I used the -d option for both server init and start.

AlexAlper (Tue, 05 Sep 2017 04:52:54 GMT):
Has joined the channel.

Smithatv (Tue, 05 Sep 2017 08:44:06 GMT):
Please help

mastersingh24 (Tue, 05 Sep 2017 10:01:58 GMT):
@Smithatv - what version of the fabric-ca are you using? I've also asked the same over in stackoverflow

mastersingh24 (Tue, 05 Sep 2017 10:02:10 GMT):
Can you also share your fabric-ca-server config file?

Smithatv (Tue, 05 Sep 2017 10:35:27 GMT):
I am using hyperledger/fabric-ca:x86_64-1.0.0

DarshanBc (Tue, 05 Sep 2017 10:44:33 GMT):
Hi, I am trying to create a system with 3 Orgs. In the logs I can see that while creating the CA, the default org1, org2 affiliations are taken from the fabric-ca-server-config file. How do I edit it?

DarshanBc (Tue, 05 Sep 2017 10:44:33 GMT):
Hi, I am trying to create a system with 3 Orgs inside a docker. In the logs I can see that while creating the CA, the default org1, org2 affiliations are taken from the fabric-ca-server-config file. How do I edit it?

Smithatv (Tue, 05 Sep 2017 10:49:49 GMT):
@mastersingh24 , please take a look

DarshanBc (Tue, 05 Sep 2017 10:58:13 GMT):
```ca_peerMfg | 2017/09/05 10:37:21 [DEBUG] Init CA with home /etc/hyperledger/fabric-ca-server and config {CA:{Name: Keyfile:/etc/hyperledger/fabric-ca-server-config/CA1_PRIVATE_KEY Certfile:/etc/hyperledger/fabric-ca-server-config/ca.mfg.example.com-cert.pem Chainfile:ca-chain.pem} Signing:0xc4202a4280 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[ac91091f5cb6 localhost] KeyRequest: CA:0xc4202a3560 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{Name:admin Pass:adminpw Type:client Affiliation: MaxEnrollments:-1 Attrs:map[hf.Revoker:1 hf.IntermediateCA:1 hf.Registrar.Roles:client,user,peer,validator,auditor hf.Registrar.DelegateRoles:client,user,validator,auditor]}]} Affiliations:map[org1:[department1 department2] org2:[department1]] LDAP:{Enabled:false URL:ldap://:@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) TLS:{Enabled:false CertFiles:[ldap-server-cert.pem] Client:{KeyFile:ldap-client-key.pem CertFile:ldap-client-cert.pem}}} DB:{Type:sqlite3 Datasource:fabric-ca-server.db TLS:{Enabled:false CertFiles:[db-server-cert.pem] Client:{KeyFile:db-client-key.pem CertFile:db-client-cert.pem}}} CSP:0xc4202a2f00 Client: Intermediate:{ParentServer:{URL: CAName:} TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{Name: Secret: Profile: Label: CSR: CAName:}}}``` My org1 name is mfg but I can see `Affiliations:map[org1:[department1 department2] org2:[department1]]` How do I change it

mastersingh24 (Tue, 05 Sep 2017 10:58:38 GMT):
@Smithatv - So you are running the fabric-ca-server as a Docker container? How are you passing in your config file?

Smithatv (Tue, 05 Sep 2017 11:00:00 GMT):

Message Attachments

Smithatv (Tue, 05 Sep 2017 11:00:23 GMT):
this is how i run it using docker-compose up

DarshanBc (Tue, 05 Sep 2017 11:02:15 GMT):
@mastersingh24 I am running fabric-ca-server as a Docker container. How do I pass the config file?

Smithatv (Tue, 05 Sep 2017 11:02:50 GMT):
docker-compose -f up

Smithatv (Tue, 05 Sep 2017 11:08:20 GMT):
@mastersingh24 please help

mastersingh24 (Tue, 05 Sep 2017 11:59:36 GMT):
So if you use a docker-compose.yaml that looks like the following:
```
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
fabric-ca-server:
  image: hyperledger/fabric-ca
  container_name: fabric-ca-server
  ports:
    - "7054:7054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_DEBUG=true
  volumes:
    - "./fabric-ca-server:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'
```

mastersingh24 (Tue, 05 Sep 2017 12:02:19 GMT):
Then in the same directory as this `docker-compose.yaml` file you need to create a directory named `fabric-ca-server` Then copy your config file (make sure it is named `fabric-ca-server-config.yaml` ) into the `fabric-ca-server` directory

mastersingh24 (Tue, 05 Sep 2017 12:03:55 GMT):
You can then run `docker-compose up` and in the logs (which are now in debug) you should see that your affiliations have been created

paul.sitoh (Tue, 05 Sep 2017 12:05:40 GMT):
Is the volume `./fabric-ca-server` where you hold member certs and keys?

lehors (Tue, 05 Sep 2017 12:09:49 GMT):
hi there

lehors (Tue, 05 Sep 2017 12:10:30 GMT):
after the latest git pull I don't see any debugging trace when running the unit tests and I can't seem to figure out how to turn them on

lehors (Tue, 05 Sep 2017 12:10:47 GMT):
could anyone tell me please?

mastersingh24 (Tue, 05 Sep 2017 12:13:45 GMT):
@paul.sitoh - it's being used as the `FABRIC_CA_HOME`, which is where the fabric-ca-server finds / creates the various artifacts. By default these include a config file named `fabric-ca-server-config.yaml`, an `msp` directory to hold the signing key, the DB file for sqlite, etc.

mastersingh24 (Tue, 05 Sep 2017 12:14:27 GMT):
@Smithatv - https://stackoverflow.com/a/46054669/6160507 as well

smithbk (Tue, 05 Sep 2017 12:15:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XChR6Pspgb7LggdwK) @lehors You mean when running "make unit-tests"? You should see debug when running "go test" in any package. Are you not seeing that?

lehors (Tue, 05 Sep 2017 12:18:08 GMT):
go test

lehors (Tue, 05 Sep 2017 12:18:58 GMT):
no log

smithbk (Tue, 05 Sep 2017 12:24:50 GMT):
will look into it

mastersingh24 (Tue, 05 Sep 2017 12:25:20 GMT):
(https://chat.hyperledger.org/channel/fabric-crypto?msg=sAsYZCbq48PacPfoN) @DarshanBc

DarshanBc (Tue, 05 Sep 2017 12:26:01 GMT):
I have 3 CA servers; obviously they have 3 different ports, so what should I mention in the CA server config file in ports: ___

DarshanBc (Tue, 05 Sep 2017 12:26:01 GMT):
@mastersingh24 I have 3 CA servers; obviously they have 3 different ports, so what should I mention in the CA server config file in ports: ___

DarshanBc (Tue, 05 Sep 2017 12:26:01 GMT):
@mastersingh24 I have 3 CA servers; obviously they have 3 different listening ports, so what should I mention in the CA server config file in ports: ___

smithbk (Tue, 05 Sep 2017 12:29:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dbwRWiva7Hwgt369o) @DarshanBc You specify the port with "-p" option or in config file at
```
# Server's listening port (default: 7054)
port: 7054
```

rwadhwa (Tue, 05 Sep 2017 12:30:18 GMT):
Hi All, Generally in every example, I see that fabric-ca server which is used , is being picked from an already existing image. Where do we mention the configuration for that so that it can be picked accordingly by the ca server? And What's the use of CA Client when CA Server is handling all the things?

DarshanBc (Tue, 05 Sep 2017 12:30:35 GMT):
oh ok Thank you @smithbk

lehors (Tue, 05 Sep 2017 12:32:16 GMT):
@smithbk welcome back, did you see my message from last week regarding the closing of the db?

DarshanBc (Tue, 05 Sep 2017 12:32:23 GMT):
In the first-network example the CA key is given as CA1_PRIVATE_KEY, but in the balance-transfer example it's hard-coded. What's the difference between them?

smithbk (Tue, 05 Sep 2017 12:32:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5xMsBrXXkxsR7A3Fn) @DarshanBc You can generate a config file with the `fabric-ca-client enroll` command and even though the command fails, you can edit the default config file generated and run again. We will be adding an option to generate the config file only but doesn't exist yet

lehors (Tue, 05 Sep 2017 12:32:56 GMT):
I've been chasing more cases where the db is left open btw

rwadhwa (Tue, 05 Sep 2017 12:33:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dLr7HF6573s3XxJmH) @DarshanBc CA_PRIVATE_KEY is replaced with the key at network startup.

smithbk (Tue, 05 Sep 2017 12:34:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Fe3vcopuivommhnbg) @lehors Not yet ... just trying to find unanswered questions here now

smithbk (Tue, 05 Sep 2017 12:38:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xvCr8r3RjttADNWrh) @rwadhwa The config for the fabric-ca-server in the examples is generally via env vars and command line options. The CA client is a CLI which can be used in an orderer or peer container to enroll the orderer or peer. In fact, I'll be checking in a change to the fabric-ca Makefile soon to build images with the and soon and am working on a sample which uses these.

smithbk (Tue, 05 Sep 2017 12:38:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xvCr8r3RjttADNWrh) @rwadhwa The config for the fabric-ca-server in the examples is generally via env vars and command line options. The CA client is a CLI which can be used in an orderer or peer container to enroll the orderer or peer. In fact, I'll be checking in a change to the fabric-ca Makefile to build images with the and soon and am working on a sample which uses these.

smithbk (Tue, 05 Sep 2017 12:39:33 GMT):
@rwadhwa If you have more specific questions, will be glad to answer

rwadhwa (Tue, 05 Sep 2017 12:45:23 GMT):
@smithbk Thanks for the info. Yes, I have many questions. ;) Once you are done with the changes, Please do share it with us. I will check and will ask other questions later on. Thanks a lot. :)

DarshanBc (Tue, 05 Sep 2017 13:23:48 GMT):
this is my content of docker-compose.yaml file for CA
```
ca.mfg.example.com:
  image: hyperledger/fabric-ca:x86_64-1.0.0
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.mfg.example.com-cert.pem
    - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/CA1_PRIVATE_KEY
    - FABRIC_CA_SERVER_TLS_ENABLED=true
    - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.mfg.example.com-cert.pem
    - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/CA1_PRIVATE_KEY
  ports:
    - "7054:7054"
  command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
  volumes:
    - ./channel/crypto-config/peerOrganizations/mfg.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
    - ./fabric-ca-server:/etc/hyperledger/fabric-ca-server
  container_name: ca_peerMfg
```

DarshanBc (Tue, 05 Sep 2017 13:24:13 GMT):
with this I am not able to bring up my CA server

DarshanBc (Tue, 05 Sep 2017 13:25:56 GMT):
I have only mentioned the affiliations in my fabric-ca-server-config.yaml

DarshanBc (Tue, 05 Sep 2017 13:25:59 GMT):
```
affiliations:
  mfg:
    - department1
    - department2
  seller:
    - department1
    -department2
  service:
    - department1
    - department2
```

smithbk (Tue, 05 Sep 2017 13:29:17 GMT):
@DarshanBc we can debug directly and can report results back here for others

DarshanBc (Tue, 05 Sep 2017 13:52:14 GMT):
Error is resolved fabric-ca-server-config.yaml had indentation problem

DarshanBc (Tue, 05 Sep 2017 13:52:14 GMT):
@smithbk Error is resolved fabric-ca-server-config.yaml had indentation problem

DarshanBc (Tue, 05 Sep 2017 13:53:25 GMT):
when I tried to register a user I am getting this error
```
[2017-09-05 19:20:48.863] [DEBUG] SampleWebApp - End point : /users
[2017-09-05 19:20:48.864] [DEBUG] SampleWebApp - User name : Jim
[2017-09-05 19:20:48.864] [DEBUG] SampleWebApp - Org name : mfg
[2017-09-05 19:20:48.868] [DEBUG] Helper - [FileKeyValueStore.js]: FileKeyValueStore.js - constructor
[2017-09-05 19:20:48.871] [ERROR] Helper - Failed to get registered user: Jim, error: TypeError: Cannot read property 'setStateStore' of undefined
    at hfc.newDefaultKeyValueStore.then (/home/rtcin/go/src/github.com/hyperledger/fabric-samples/CustomApp/app/helper.js:235:9)
```

DarshanBc (Tue, 05 Sep 2017 13:53:25 GMT):
when I tried to register a user I am getting this error
```
[2017-09-05 19:20:48.863] [DEBUG] SampleWebApp - End point : /users
[2017-09-05 19:20:48.864] [DEBUG] SampleWebApp - User name : Jim
[2017-09-05 19:20:48.864] [DEBUG] SampleWebApp - Org name : mfg
[2017-09-05 19:20:48.868] [DEBUG] Helper - [FileKeyValueStore.js]: FileKeyValueStore.js - constructor
[2017-09-05 19:20:48.871] [ERROR] Helper - Failed to get registered user: Jim, error: TypeError: Cannot read property 'setStateStore' of undefined
    at hfc.newDefaultKeyValueStore.then (/home/.../go/src/github.com/hyperledger/fabric-samples/CustomApp/app/helper.js:235:9)
```

DarshanBc (Tue, 05 Sep 2017 13:54:42 GMT):
this is my config.json
```
{
  "host": "localhost",
  "port": "4000",
  "jwt_expiretime": "36000",
  "channelName": "mychannel",
  "GOPATH": "../artifacts",
  "keyValueStore": "/tmp/fabric-client-kvs",
  "eventWaitTime": "30000",
  "orderer": "grpcs://localhost:7050",
  "users": [
    {
      "username": "admin",
      "secret": "adminpw"
    }
  ]
}
```

DarshanBc (Tue, 05 Sep 2017 13:59:10 GMT):
I had put a logger.debug(store) I got this `[2017-09-05 19:28:10.108] [DEBUG] Helper - FileKeyValueStore { _dir: '/tmp/fabric-client-kvs_peerMfg' } `

DarshanBc (Tue, 05 Sep 2017 13:59:10 GMT):
I had put a logger.debug(store) I got this ```[2017-09-05 19:28:10.108] [DEBUG] Helper - FileKeyValueStore { _dir: '/tmp/fabric-client-kvs_peerMfg' } ```

skarim (Tue, 05 Sep 2017 14:02:35 GMT):
@DarshanBc Did you enroll the bootstrap user before trying to register a user? From the config file it seems the bootstrap user is admin. You need to have an ecert before you can register users; you get an ecert by enrolling.

skarim (Tue, 05 Sep 2017 14:02:35 GMT):
@DarshanBc Did you enroll the bootstrap user before trying to register a user? From the config file it seems the bootstrap user is admin. You need to have ecert before you can register users, you get an ecert by enrolling.

skarim (Tue, 05 Sep 2017 14:03:17 GMT):
Also, the error seems to be coming from the node SDK, might try their channel to see if they have any ideas as well

Vrai1127 (Tue, 05 Sep 2017 14:51:54 GMT):
@mastersingh24 @smithbk could you please advice on below. 1) How do I decide on number of peers for each Organisation. Is there a rule based on # of users to be enrolled? 2) On MSP documentation link http://hyperledger-fabric.readthedocs.io/en/latest/msp.html under best practices scenario :"Multiple organizations using a single MSP". This corresponds to a case of a consortium of organisations that are governed by similar membership architecture. * One needs to know here that peers would propagate organization-scoped messages to the peers that have an identity under the same MSP regardless of whether they belong to the same actual organization. * What does it mean? Anyways on the same channel there is nothing private? If these peers (Organisations) are on different channels but under same MSP would they still receive each other messages?

smithbk (Tue, 05 Sep 2017 15:06:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nF6Ns33Qrjw8rcHih) @Vrai1127 1) The number of peers per org really depends primarily on network topology and performance requirements, so can't give any general guidelines ... well, other than to say that two are recommended in different geo locations to avoid a SPoF (Single Point of Failure) for the org

smithbk (Tue, 05 Sep 2017 15:08:52 GMT):
@Vrai1127 2) Yes, it is simply saying that message propagation is scoped by MSP, so if you want a message to go to one peer but not another, then they need to be on different MSPs

lehors (Tue, 05 Sep 2017 15:09:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nBAu6hEx7A6ErxNTA) @smithbk ok, found the source of the change, the new benchmarking tests by default discard log output server_benchmarks_test.go:TestMain()

smithbk (Tue, 05 Sep 2017 15:10:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HR7quK8ifWCyjQQ8K) @lehors Thanks for tracking down ... I obviously got side-tracked. We'll take care of fixing this.

smithbk (Tue, 05 Sep 2017 15:10:37 GMT):
or @aambati will :-)

lehors (Tue, 05 Sep 2017 15:11:31 GMT):
now, more importantly I'm interested in having a chat on server.Init() and closeDB() when you have a moment

lehors (Tue, 05 Sep 2017 15:13:17 GMT):
I'm referring to this: https://chat.hyperledger.org/channel/fabric-ca?msg=n7B6bm2aB2PWBpw4C

DarshanBc (Tue, 05 Sep 2017 15:51:11 GMT):
@skarim error triggered when registering bootstrap user

Vrai1127 (Tue, 05 Sep 2017 16:28:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3oRAEbZ9fZQeFEeQR) @smithbk In GetCreator(), I could find MSPid(which is essentially Organisation) but how about if I would like to control access for particular user from that organization. Could I get client user id? Say for Org1 I have users setup as admin1, Bob, Pat and I want to control access for Bob. Could I identify if the transaction is submitted by Bob and then take action accordingly?

skarim (Tue, 05 Sep 2017 16:33:33 GMT):
@DarshanBc If registering is the first action you are doing after bringing up the fabric-ca server then the register will fail. This is because only an enrolled identity can register a user. However, since you want this user to be a bootstrap user. I would suggest modifying your config file to include this user, as it currently includes the admin user. I would take a look at the readthedocs for the flow for registering a user and enrolling a bootstrap user. https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enrolling-the-bootstrap-identity

smithbk (Tue, 05 Sep 2017 16:46:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=outAzXFrup2eyavgx) @Vrai1127 In v1.1 this should be easier, but if you need to do this now, you just need to know that the byte buffer returned by GetCreator() is the serialization of MSPID and PEM-encoded x509 certificate. Here is a snippet to convert the PEM part of the byte buffer to a certificate.
```
import (
	"crypto/x509"
	"encoding/pem"

	"github.com/pkg/errors"
)

// GetX509CertificateFromPEM gets an X509 certificate from bytes in PEM format
func GetX509CertificateFromPEM(cert []byte) (*x509.Certificate, error) {
	// Decode the first PEM block; anything that is not PEM is rejected
	block, _ := pem.Decode(cert)
	if block == nil {
		return nil, errors.New("Failed to PEM decode certificate")
	}
	// Parse the DER bytes of the block into an X509 certificate
	x509Cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, errors.Wrap(err, "Error parsing certificate")
	}
	return x509Cert, nil
}
```
You could then get the common name from the cert to identify the enrollment ID

smithbk (Tue, 05 Sep 2017 16:46:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=outAzXFrup2eyavgx) @Vrai1127 In v1.1 this should be easier, but if you need to do this now, you just need to know that the byte buffer returned by GetCreator() is the serialization of MSPID and PEM-encoded x509 certificate. Here is a snippet to convert the PEM part of the byte buffer to a certificate.
```
import (
	"crypto/x509"
	"encoding/pem"

	"github.com/pkg/errors"
)

// GetX509CertificateFromPEM gets an X509 certificate from bytes in PEM format
func GetX509CertificateFromPEM(cert []byte) (*x509.Certificate, error) {
	// Decode the first PEM block; anything that is not PEM is rejected
	block, _ := pem.Decode(cert)
	if block == nil {
		return nil, errors.New("Failed to PEM decode certificate")
	}
	// Parse the DER bytes of the block into an X509 certificate
	x509Cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, errors.Wrap(err, "Error parsing certificate")
	}
	return x509Cert, nil
}
```
You could then get the common name from the cert which is the same as the enrollment ID

Vrai1127 (Tue, 05 Sep 2017 16:56:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DaKxz3EGkuywfH3xY) @smithbk thank you so much. How would it be easier in V1.1. Also when will 1.1 be out and is there a place to look at all the changes coming into 1.1

glotov (Tue, 05 Sep 2017 17:03:28 GMT):
Has joined the channel.

smithbk (Tue, 05 Sep 2017 17:44:42 GMT):
@Vrai1127 See https://jira.hyperledger.org/secure/Dashboard.jspa?selectPageId=10701 for v1.1 and what I was just referring to will be a change set under https://jira.hyperledger.org/browse/FAB-5346

gauthampamu (Tue, 05 Sep 2017 18:25:43 GMT):
certificate expiration

gauthampamu (Tue, 05 Sep 2017 18:28:17 GMT):
I would like to understand the steps we have to perform when the certificate expires. Are these the current steps to update the certs ?

gauthampamu (Tue, 05 Sep 2017 18:28:25 GMT):
1) Stop the Peer

gauthampamu (Tue, 05 Sep 2017 18:28:25 GMT):
1) Stop the Peer (Do we have to stop the peer ?)

gauthampamu (Tue, 05 Sep 2017 18:28:31 GMT):
2) Update the certs in the Peer

gauthampamu (Tue, 05 Sep 2017 18:29:01 GMT):
3) Update the channel configuration in the Orderer.

gauthampamu (Tue, 05 Sep 2017 18:29:09 GMT):
4) Restart the Peer

Vrai1127 (Tue, 05 Sep 2017 18:30:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iapdWgHe3aeCYoQfL) @smithbk could you please advise on this

Vrai1127 (Tue, 05 Sep 2017 18:30:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iapdWgHe3aeCYoQfL) @smithbk @mastersingh24 could you please advise on this

gauthampamu (Tue, 05 Sep 2017 18:58:26 GMT):
Do we need to update the channel configuration when the cert expires ?

mastersingh24 (Tue, 05 Sep 2017 19:04:06 GMT):
No

mastersingh24 (Tue, 05 Sep 2017 19:04:13 GMT):
We don't deal with expired certs today

gauthampamu (Tue, 05 Sep 2017 19:29:42 GMT):
@mastersingh24 Lets assume we keep track on the expiration of certs outside using some other mechanism. I wanted to know the steps to renew the certs..

mastersingh24 (Tue, 05 Sep 2017 19:32:14 GMT):
I meant we don't actually enforce any expiration at all within Fabric at this point. If you need to renew root / intermediate certificates used within Org MSPs then yes - you would need to do issue channel config update transactions on every channel to which the Org(s) belong

mastersingh24 (Tue, 05 Sep 2017 19:32:35 GMT):
I would hope that you are using long term root certificates

gauthampamu (Tue, 05 Sep 2017 21:17:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dbhShsochamKHAj6B) @mastersingh24 Is that a problem that Fabric does not enforce expiration? Do we support certificate revocation? For example, if we want to revoke a certificate issued to a member, can we update the CRL on the peer, and will it enforce the CRL?

gauthampamu (Tue, 05 Sep 2017 21:17:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dbhShsochamKHAj6B) @mastersingh24 Isn't that a problem, that Fabric does not enforce expiration? Do we support certificate revocation? For example, if we want to revoke a certificate issued to a member, can we update the CRL on the peer, and will it enforce the CRL?

smithbk (Tue, 05 Sep 2017 22:00:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=n4bMJ2Wm7CkZYfkog) @gauthampamu Yes, CRLs in MSPs are enforced today and you would need to update the CRL via a config update tx. The issue with checking expiration is that it is non-deterministic since it is dependent upon the clock on a peer. We can't tolerate non-determinism at commit time, but I thought it was going to be added for endorsement. @mastersingh24 Is that planned or is there a problem with doing that?

gauthampamu (Tue, 05 Sep 2017 22:04:54 GMT):
So to update the CRL, you have to update it via a config update TX? Where can I find the code for it? Is it not possible to update the CRL on the peer servers directly!!

smithbk (Tue, 05 Sep 2017 22:07:35 GMT):
For the local MSP, yes, but that is used for chaincode install ... for other operations such as create channel, it is going to use the CRL in a config block

AbhishekSeth (Wed, 06 Sep 2017 05:28:36 GMT):
hey, I want to use a `new user` for my channel creation, installing chaincodes etc instead of `admin`. First I enrolled `admin`, then I tried registering the new user using `register` api of fabric-ca-client using enrolled admin. But it gives me this error: `Error: fabric-ca request register failed with errors [[{"code":400,"message":"Authorization failure"}]]` Any help would be appreciated.

rwadhwa (Wed, 06 Sep 2017 06:21:17 GMT):
Hi

rwadhwa (Wed, 06 Sep 2017 06:21:44 GMT):
While creating a channel for a peer, I'm getting the below error: Principal deserialization failure (The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.scriptdrop.com"))

rwadhwa (Wed, 06 Sep 2017 06:21:51 GMT):
Any idea about this?

rwadhwa (Wed, 06 Sep 2017 06:22:26 GMT):
Principal deserialization failure (The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com"))

rwadhwa (Wed, 06 Sep 2017 06:22:49 GMT):
I'm getting this above error while creating the channel

rwadhwa (Wed, 06 Sep 2017 06:28:02 GMT):
Below that: Policy for [Groups] /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining

Katiyman (Wed, 06 Sep 2017 07:09:19 GMT):
Has joined the channel.

Katiyman (Wed, 06 Sep 2017 07:10:17 GMT):
Hello All .. One help needed. Can someone please point me to some link explaining the node SDK interaction with the fabric-ca .. TIA

VictorKuriashkin (Wed, 06 Sep 2017 10:36:34 GMT):
Has joined the channel.

mastersingh24 (Wed, 06 Sep 2017 11:00:37 GMT):
@Katiyman - https://github.com/hyperledger/fabric-sdk-node/blob/release/test/integration/fabric-ca-services-tests.js#L66

Othman.Darwish (Wed, 06 Sep 2017 12:11:39 GMT):
Has joined the channel.

skarim (Wed, 06 Sep 2017 13:48:48 GMT):
@AbhishekSeth Do you have the server side logs for when that error occurred?

DarshanBc (Wed, 06 Sep 2017 14:11:21 GMT):
I have endorsement policy AND('Org1.member', 'Org2.member'). My question is: when I invoke a transaction on a chaincode, on what basis does a transaction get a signature from org1.member and org2.member?

mastersingh24 (Wed, 06 Sep 2017 14:20:10 GMT):
@DarshanBc - probably better to ask these types of questions in #fabric-peer-endorser-committer , but the quick answer is that you would invoke the chaincode on at least one peer from Org1 and at least one peer from Org2

mastersingh24 (Wed, 06 Sep 2017 14:21:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=c8ZtG8SejPb2LrZoP) @skarim I'd suggest looking at https://github.com/hyperledger/fabric-sdk-node/blob/release/test/integration/fabric-ca-services-tests.js#L75 to make sure that you are actually using the enrolled admin ID when making the register call

Smithatv (Wed, 06 Sep 2017 17:28:36 GMT):
Functionally, what is the difference between the roles: Users, Validator, peer, auditor, client (--id.attrs '"hf.Registrar.Roles=peer,user,validator,auditor,client"')?

Smithatv (Wed, 06 Sep 2017 17:31:36 GMT):
What I am looking for is this: there must be something which a user is allowed to perform and a peer is not, and a validator can perform and a peer cannot .. etc etc

smithbk (Wed, 06 Sep 2017 17:37:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Ax2BY5REZ2D2y39GJ) @Smithatv The identity types are not currently used by fabric. The only differentiation made by MSP in fabric are those that are admins and those that are not (via the msp/admincerts directory)

Smithatv (Wed, 06 Sep 2017 17:41:47 GMT):
@smithbk, sorry, I did not understand ... I am asking about the roles .. if the type is peer and the role is Auditor .. what does it mean?

Smithatv (Wed, 06 Sep 2017 17:44:18 GMT):

Message Attachments

smithbk (Wed, 06 Sep 2017 17:44:22 GMT):
Unfortunate naming ... type is one of the roles

smithbk (Wed, 06 Sep 2017 17:44:32 GMT):
so think of them as the same

Smithatv (Wed, 06 Sep 2017 17:45:34 GMT):
If I define them like the above ... how are they different from each other in terms of ACL?

smithbk (Wed, 06 Sep 2017 17:49:35 GMT):
See the "POST /api/v1/register" section of https://docs.google.com/document/d/1x7bbSkLt3VLexNMECJXbOYJ3xX8Ck9Q6O6W1dmnVaRQ ... in particular, the following:
```
Let registrar refer to the identity of the invoker of this endpoint, and registree refer to the identity which is being registered as found in the body of the POST request. Three authorization checks are made as follows:
The registrar must have the "hf.Registrar.Roles" attribute with a comma-separated list of values where one of the values equals the type of the registree. This is a way of limiting the types of identities that a specific registrar is allowed to register. For example, if the registrar has the "hf.Registrar.Roles" attribute with a value of "peer,app,user", the registrar can register identities of type peer, app, and user, but not orderer.
```

Smithatv (Wed, 06 Sep 2017 17:51:48 GMT):

Message Attachments

Smithatv (Wed, 06 Sep 2017 17:52:07 GMT):
I would like to achieve something like the above

Smithatv (Wed, 06 Sep 2017 18:03:14 GMT):

Message Attachments

Smithatv (Wed, 06 Sep 2017 18:03:39 GMT):
How do I specify read/write access at the system (genesis) level?

Smithatv (Wed, 06 Sep 2017 18:05:24 GMT):
Is it even possible :-)

Smithatv (Wed, 06 Sep 2017 18:05:36 GMT):
Sorry, if my question is not valid

Smithatv (Wed, 06 Sep 2017 18:17:08 GMT):
Kindly help, I need to implement access control like the above

smithbk (Wed, 06 Sep 2017 18:46:18 GMT):
Just back at my desk ... this really doesn't relate to fabric-ca, at least not currently. The ACL in fabric is not very fine-grained today, though @muralisr has been working on making it more so and I think you may need that. I suggest you check with him.

guoger (Thu, 07 Sep 2017 02:30:15 GMT):
Has joined the channel.

codestone (Thu, 07 Sep 2017 02:34:34 GMT):
Has joined the channel.

codestone (Thu, 07 Sep 2017 02:35:12 GMT):
Hello, everyone. I'm not good at CA, and please forgive me for my poor English.

codestone (Thu, 07 Sep 2017 02:35:52 GMT):
I want to know how I can create a root certificate with fabric-ca-server.

codestone (Thu, 07 Sep 2017 02:40:10 GMT):
And when I use fabric-ca-server and fabric-ca-client to create an admin user, and use it to create a channel, it does not work.

codestone (Thu, 07 Sep 2017 02:42:12 GMT):
Does anybody have documents about the CA? If convenient, please share them with me. Thanks and best wishes.

Smithatv (Thu, 07 Sep 2017 02:51:38 GMT):
@muralisr, please help

DarshanBc (Thu, 07 Sep 2017 03:13:54 GMT):
Can a signature to a transaction proposal be made conditional?

ygnr (Thu, 07 Sep 2017 03:33:32 GMT):
Has joined the channel.

smithbk (Thu, 07 Sep 2017 03:51:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zHWzTqonczuFom9oJ) @codestone See https://hyperledger-fabric-ca.readthedocs.io/en/latest/ and https://docs.google.com/document/d/1x7bbSkLt3VLexNMECJXbOYJ3xX8Ck9Q6O6W1dmnVaRQ ... the fabric-ca-server will automatically create its own root cert when you start it

codestone (Thu, 07 Sep 2017 03:54:05 GMT):
@smithbk

codestone (Thu, 07 Sep 2017 03:57:53 GMT):
@smithbk The cryptogen tool makes ca-cert.pem; I opened it with openssl, and it shows as below:
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
    X509v3 Extended Key Usage:
        Any Extended Key Usage
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Subject Key Identifier:
        76:F9:AD:BE:CF:C5:5F:41:E4:67:33:EB:32:95:EC:9B:3B:32:F0:54:9C:A3:85:69:F4:69:65:F4:AB:E6:41:CE
```
while the root cert I make with ca-server outputs as below:
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Certificate Sign, CRL Sign
    X509v3 Basic Constraints: critical
        CA:TRUE, pathlen:1
    X509v3 Subject Key Identifier:
        5A:93:6A:9B:56:FB:2F:1E:D1:BF:F3:B5:4E:FE:DE:F5:C4:42:C3:61
```
You can see the difference between them: the X509v3 Key Usage (critical) extension. Does it matter when I use it for fabric?

codestone (Thu, 07 Sep 2017 03:59:08 GMT):
And when I create a root cert, must the Issuer's CN be the fabric server's domain?

jethdg (Thu, 07 Sep 2017 04:16:48 GMT):
Has joined the channel.

Katiyman (Thu, 07 Sep 2017 04:56:36 GMT):
One query: what is the difference between fabric-membersrvc and fabric-ca?

Lavanya5896 (Thu, 07 Sep 2017 05:28:01 GMT):
Has joined the channel.

Lavanya5896 (Thu, 07 Sep 2017 05:54:10 GMT):
Hi, I am working with the balance transfer example. In that example I created one more organization named org3, I created membership services for that organization, and I am trying to enroll the user in that organization (org3) with the following curl command. The command is working fine for enrolling in org1 and org2: `curl -s -X POST http://localhost:4000/users -H "content-type: application/x-www-form-urlencoded" -d 'username=Jim&orgName=org3'` I am getting the below issue

Lavanya5896 (Thu, 07 Sep 2017 05:54:32 GMT):

Message Attachments

lehors (Thu, 07 Sep 2017 07:45:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zS5LqoHvPJEhWeAdR) @Katiyman there is no difference, fabric-ca is basically the new name

Katiyman (Thu, 07 Sep 2017 07:55:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6723i55FGvunoKdsv) @lehors Thanks

kkado (Thu, 07 Sep 2017 08:44:48 GMT):
Has joined the channel.

boliang (Thu, 07 Sep 2017 08:47:26 GMT):
Has joined the channel.

codestone (Thu, 07 Sep 2017 11:28:42 GMT):
Hello, who can tell me how to make a root cert with fabric-ca-server? When I use fabric-ca-client enroll with admin, it returns me a cachain; is that the root CA cert?

smithbk (Thu, 07 Sep 2017 12:11:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KaYkeDTpgouCykFPB) @codestone To get the root cert from a server, use `fabric-ca-client getcacert -M $MSPDIR -u http://localhost:7054` and the root cert will be placed in the $MSPDIR/cacerts directory

smithbk (Thu, 07 Sep 2017 12:18:33 GMT):
@codestone Though the enroll command also downloads the root CA cert ... note the last log message below which tells you where it stores it.
```
$ fabric-ca-client enroll -u http://a:b@localhost:7054
2017/09/07 08:17:19 [INFO] User provided config file: /Users/keith/.fabric-ca-client/fabric-ca-client-config.yaml
2017/09/07 08:17:19 [INFO] generating key: &{A:ecdsa S:256}
2017/09/07 08:17:19 [INFO] encoded CSR
2017/09/07 08:17:19 [INFO] Stored client certificate at /Users/keith/.fabric-ca-client/msp/signcerts/cert.pem
2017/09/07 08:17:19 [INFO] Stored CA root certificate at /Users/keith/.fabric-ca-client/msp/cacerts/localhost-7054.pem
```

smithbk (Thu, 07 Sep 2017 12:20:27 GMT):
Note that enroll requires a username and password but getcacert does not

Katiyman (Thu, 07 Sep 2017 12:32:31 GMT):
Hello All... while working with fabric-CA I noticed that in the certificates table in the DB I see multiple certificates for admin. What is the significance of that?

muralisr (Thu, 07 Sep 2017 12:33:55 GMT):
@Smithatv can you specify what exactly you are looking for wrt ACL please ?

smithbk (Thu, 07 Sep 2017 13:12:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SLeN6PXfbG2EaqWxT) @Katiyman A single identity can have multiple certificates. For example, consider a) logging in from multiple devices b) key rotation prior to expiration

andyz (Fri, 08 Sep 2017 03:18:12 GMT):
Has joined the channel.

codestone (Fri, 08 Sep 2017 03:55:51 GMT):
@smithbk Thank you very much. I used openssl to look at localhost-7054.pem's content, and the extensions have:
```
X509v3 Key Usage: critical
    Certificate Sign, CRL Sign
```
while the root cert generated by fabric's cryptogen has:
```
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
```
The fabric-ca-server's root CA cert doesn't have "Digital Signature" or "Key Encipherment". Does it have an effect when the ca-server is used in place of cryptogen? I used the ca-server to create the peer's cert, the admin cert and the orderer's cert. However, it cannot create a channel.

Smithatv (Fri, 08 Sep 2017 06:00:17 GMT):
While registering and enrolling an entity, is it possible to specify and make sure who is a validating node and who is not?

Smithatv (Fri, 08 Sep 2017 06:00:41 GMT):
Basically, "access control based on attributes on certificates": how does it work?

rwadhwa (Fri, 08 Sep 2017 07:09:19 GMT):
In any network, am I supposed to modify the fabric-ca-server-config.yaml manually?

sushantdm (Fri, 08 Sep 2017 07:59:00 GMT):
Has joined the channel.

Smithatv (Fri, 08 Sep 2017 08:51:22 GMT):
@smithbk, while registering and enrolling an entity, is it possible to specify and make sure who is going to be a validating node and who is not? Basically, "access control based on attributes on certificates": how does it work?

Smithatv (Fri, 08 Sep 2017 08:51:27 GMT):
Please help ..

7sigma (Fri, 08 Sep 2017 08:58:33 GMT):
Has joined the channel.

7sigma (Fri, 08 Sep 2017 09:00:43 GMT):
Hi, the fabric ca always generates a new CA; however, the ca cert and key file are provided. Now if we register and enroll a new user, the user certificate is issued using the new CA. The complication is that this won't allow me to perform an invoke or query transaction, as the channel is configured with the predefined CA. Please guide me

7sigma (Fri, 08 Sep 2017 09:01:23 GMT):
Is it possible to issue certificates from the CA defined in the ca and key file?

tsrb (Fri, 08 Sep 2017 09:32:47 GMT):
Has joined the channel.

rwadhwa (Fri, 08 Sep 2017 09:43:42 GMT):
@7sigma I haven't done that myself, but you need to update the channel with peer channel update command, passing the new channel tx file.

7sigma (Fri, 08 Sep 2017 10:09:14 GMT):
Thanks @rwadhwa. Does it mean updating the channel with the CA cert file enables the users to transact in the channel?

sai_ganesh (Fri, 08 Sep 2017 10:13:29 GMT):
Has joined the channel.

Smithatv (Fri, 08 Sep 2017 11:25:00 GMT):
@rwadhwa, while generating the certificates, is there a way to define the roles by which we can control the level of access to the channel and chaincode?

sai_ganesh (Fri, 08 Sep 2017 12:00:47 GMT):
Hi all. We are trying to create users and get them enrolled using the fabric-ca module of the SDK, but are unable to use the new users in the chaincode that we install and instantiate. Only users generated by the cryptogen tool are available in the network. How do we enable the newly created users to participate in the network as well?

rwadhwa (Fri, 08 Sep 2017 12:28:58 GMT):
@Smithatv I don't think so. Roles can be set separately in the fabric-ca-server-config.yaml

SethiSaab (Fri, 08 Sep 2017 12:31:52 GMT):
Has joined the channel.

SethiSaab (Fri, 08 Sep 2017 12:32:01 GMT):
hi team

SethiSaab (Fri, 08 Sep 2017 12:32:33 GMT):
When I am trying to run this command, I am not able to see the repository in the Go folder and not able to start the server: `go get -u github.com/hyperledger/fabric-ca/cmd/...`

SethiSaab (Fri, 08 Sep 2017 12:32:43 GMT):
Please help me how to fix this

smithbk (Fri, 08 Sep 2017 13:29:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MZsJkuKXRcWx4BLux) @Smithatv It is not currently possible to distinguish between a peer, orderer, or end user certificate based on some attribute in the cert. There is work on-going for this purpose but things need to be worked out. See https://jira.hyperledger.org/browse/FAB-5668

smithbk (Fri, 08 Sep 2017 13:31:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=J2kmMDN6c7YY3QAhn) @rwadhwa Yes, you may customize the fabric-ca-server-config.yaml manually if you need to, but for most cases you should be able to use command line args or env variables. One example where you must provide your own config file today is to define your own affiliation hierarchy.

smithbk (Fri, 08 Sep 2017 13:33:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=v2H3tHFZskdG3gYEA) @7sigma If you provide your own CA signing certificate and key, fabric-ca-server will use it and not generate its own when it starts. Perhaps you did not place them in the correct location?

smithbk (Fri, 08 Sep 2017 13:38:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zB352kbnkjTZq8KFP) @sai_ganesh If you started off with cryptogen, you need to start fabric-ca-server with the CA signing certificate that cryptogen created. This will enable fabric-ca-server to issue certificates that are signed by the certificate that is already trusted by the blockchain network and so could then transact on the blockchain.

smithbk (Fri, 08 Sep 2017 13:43:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5hFRCSzd828vyfoxE) @Smithatv The only way to restrict access to a channel to a subset of CA members is to use the "org1.admin" rather than "org1.member" policy. org1.member allows anyone in, but org1.admin allows only the specific certificates found in the msp/admincerts directory

smithbk (Fri, 08 Sep 2017 13:45:02 GMT):
There is also ongoing work to support ABAC (Attribute-Based Access Control) which would require making changes to the chaincode. You can follow the status of that by following https://jira.hyperledger.org/browse/FAB-5346

7sigma (Fri, 08 Sep 2017 13:56:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Tb44QAvyS9NTRCWMy) @smithbk Thanks, I did that; will check the details again and get back.

SethiSaab (Fri, 08 Sep 2017 14:16:26 GMT):
Hi Team, I am facing an issue while running this command " fabric-ca-server ": it is saying command not found

SethiSaab (Fri, 08 Sep 2017 14:16:40 GMT):
i have followed everything properly as mentioned in docs

SethiSaab (Fri, 08 Sep 2017 14:17:19 GMT):
somebody please guide me as i am new to hyperledger

skarim (Fri, 08 Sep 2017 14:24:24 GMT):
@SethiSaab Is your GOPATH properly set? In the fabric-ca folder, do you see a bin folder? If so, do you see the binary for the fabric-ca-server inside? I would also make sure that your PATH environment variable is set correctly so that it can find this bin folder.

SethiSaab (Fri, 08 Sep 2017 14:30:18 GMT):
@skarim Yes, I have set the gopath to /public/goprojects and goroot = /home/usr/local. I can see the bin folder, but there is no binary inside.

SethiSaab (Fri, 08 Sep 2017 14:31:15 GMT):
fabric-ca-server is present in golang/bin

SethiSaab (Fri, 08 Sep 2017 14:31:30 GMT):
not in hyperledger/fabric-ca/bin

SethiSaab (Fri, 08 Sep 2017 14:31:42 GMT):
can you please help me to fix this

SethiSaab (Fri, 08 Sep 2017 14:31:44 GMT):
?

paul.sitoh (Fri, 08 Sep 2017 15:48:32 GMT):
Folks, is the Fabric CA server's configuration file baked into the docker image?

paul.sitoh (Fri, 08 Sep 2017 15:49:43 GMT):
I looked at the e2e example:
```
ca0:
  image: hyperledger/fabric-ca
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_CA_NAME=ca-org1
    - FABRIC_CA_SERVER_TLS_ENABLED=true
    - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
    - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/CA1_PRIVATE_KEY
  ports:
    - "7054:7054"
  command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/CA1_PRIVATE_KEY -b admin:adminpw -d'
  volumes:
    - ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
  container_name: ca_peerOrg1
```

paul.sitoh (Fri, 08 Sep 2017 15:50:30 GMT):
I can't see where the CA server file is

SethiSaab (Fri, 08 Sep 2017 17:54:17 GMT):
@skarim thanks bro it worked for me

skarim (Fri, 08 Sep 2017 17:58:08 GMT):
glad to hear

kostas (Fri, 08 Sep 2017 20:17:44 GMT):
Has left the channel.

SethiSaab (Sun, 10 Sep 2017 13:14:33 GMT):
Hi Team, I am getting an error while running this command: fabric-ca-client enroll -u http://admin:adminpw@localhost:7054. It is saying Authorization failure ... I have checked in fabric-ca-server-config.yaml and the credentials are correct

rwadhwa (Sun, 10 Sep 2017 17:47:54 GMT):
@7sigma Thanks for the details. :)

skarim (Sun, 10 Sep 2017 17:53:10 GMT):
@SethiSaab Please provide the server side logs when that error occurs

smithbk (Sun, 10 Sep 2017 18:22:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zXKLQJgcdM53qcS5y) @SethiSaab What do the server logs say? They should give a more specific error.

CodeReaper (Sun, 10 Sep 2017 19:59:14 GMT):
Has joined the channel.

Katiyman (Mon, 11 Sep 2017 06:08:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GeZGR4WQbY6WX5T8B) @SethiSaab what are the credentials that you are passing when starting the server?

Katiyman (Mon, 11 Sep 2017 06:12:39 GMT):
Hello all, if i am using the fabric-CA do i still need to generate crypto artifacts using cryptogen? how do i relate these two? TIA

bh4rtp (Mon, 11 Sep 2017 06:34:59 GMT):
is there any documentation about how to add organizations dynamically?

aambati (Mon, 11 Sep 2017 13:51:44 GMT):
@bh4rtp when you say organizations, do you mean affiliations? if so, currently they can only be added and removed via configuration file.

Smithatv (Tue, 12 Sep 2017 05:06:05 GMT):
At the chaincode level, or at the fabric-ca-client CLI, is it possible to get the id details (roles and affiliations) based on the id name?

Smithatv (Tue, 12 Sep 2017 06:24:28 GMT):
admincerts folder is getting generated when I register the entity .. any idea why?

Smithatv (Tue, 12 Sep 2017 06:34:23 GMT):
Sorry, I meant the admincerts folder is not getting generated when I register the entity .. please help

codestone (Tue, 12 Sep 2017 08:54:50 GMT):
In the CA system, after a user executes a reenroll operation, can the old cert still be used?

codestone (Tue, 12 Sep 2017 08:55:33 GMT):
Hello brothers, can anyone help?

kustrun (Tue, 12 Sep 2017 10:11:16 GMT):
Has joined the channel.

Smithatv (Tue, 12 Sep 2017 10:26:30 GMT):
@smithbk, how do I generate admincerts? I am using fabric-ca-client for registering and enrolling the entities

vpetryk (Tue, 12 Sep 2017 11:08:02 GMT):
Has joined the channel.

smithbk (Tue, 12 Sep 2017 12:34:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BKWkHNHFFNQTpD6xW) @Smithatv You just register and enroll a client as normal and then copy the resulting certificate from the /signcerts/* into the organization's msp/admincerts directory. Obviously this must be done before creating the genesis block or other artifacts.

smithbk (Tue, 12 Sep 2017 12:37:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NejtMbAnidMc2oCvK) @codestone Yes, the old cert can still be used. If you want to prevent it from being used, it must be added to the appropriate CRLs of the local MSPs and channel MSPs

smithbk (Tue, 12 Sep 2017 12:39:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=R3QkTffjobHAkifnk) @Smithatv No, the roles and affiliations are not placed in the enrollment certificate so there is no way to get them from chaincode. We are working on allowing custom attributes to be added, but it is not yet complete. See https://jira.hyperledger.org/browse/FAB-5346

Smithatv (Tue, 12 Sep 2017 19:06:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QJiCfgLqw2Behkv3E) @smithbk Thanks smithbk

Smithatv (Tue, 12 Sep 2017 19:07:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wqZv9LsMRgv9C5r37) @smithbk , then what is the difference between tool cryptogen and fabric-ca-server/client ?

vdods (Wed, 13 Sep 2017 01:45:14 GMT):
Hi all, I'm learning about CA administration, and have come across a choice between CRLs (the legacy option) and OCSP (which is allegedly the newer, preferred option). Can anyone comment on this? Does fabric-ca and the fabric peer/orderer MSPs support OCSP, or do they only support CRLs?

DarshanBc (Wed, 13 Sep 2017 08:53:53 GMT):
Can anybody explain these lines: `var ORGS = hfc.getConfigSetting('network-config');` `var channel = hfc.getConfigSetting('channelName');`? I read the document but couldn't understand from where the values of network-config and channelName are assigned

smithbk (Wed, 13 Sep 2017 10:04:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=G9tawiHibrFkTe6DH) @vdods Short answer is no, OCSP is not supported. Since it requires making a network call to an OCSP responder, it would introduce non-determinism. Since the CRL is in the config block which is part of the ledger, each peer can deterministically evaluate the CRL

kustrun (Wed, 13 Sep 2017 10:06:07 GMT):
Hi! While I am trying to connect with Heroku PostgreSQL database I get the following error. Anyone had the same problem?
```
2017/09/13 09:52:34 [FATAL] Initialization failure: Failed to connect to Postgres database: pq: database "uqrvxrepgopmvf" does not exist
```
Datasource setup:
```
db:
  type: postgres
  datasource: host=ec2-54-247-175-255.eu-west-1.compute.amazonaws.com port=5432 user=uqrvxrepgopmvf password=fc4cc1e762e00b5cfaea6eb9dc7a23e27811fd36696a70a3c012ff42f3e19308 dbname=d7a35mlll407ki sslmode=require
  tls:
    enabled: false
    certfiles:
      - db-server-cert.pem
    client:
      certfile: db-client-cert.pem
      keyfile: db-client-key.pem
```

smithbk (Wed, 13 Sep 2017 10:07:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=m6wj35CGLCzFnXRaz) @DarshanBc Try the fabric-sdk-node channel, but the app is going to need to specify the channel name

smithbk (Wed, 13 Sep 2017 10:46:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mXz2eeKHNQBrg8ktf) @kustrun Haven't seen this, but could you try replacing "dbname" with "DBName" in the datasource and tell me what behavior you see? The fabric-ca-server strips the dbname out of the datasource to do the initial ping test and it is this that is failing. Apparently for heroku it does more than just connect to the database and is trying to find the specific dbname, and assumes it to be the same as "user" if "dbname" is not found. By changing the case, it will prevent fabric-ca-server from removing it from the datasource before using it to do the ping test, and if heroku treats "dbname" as case-insensitive, then changing the case of "dbname" could be a workaround.

DarshanBc (Wed, 13 Sep 2017 11:35:28 GMT):
Hi, I am renaming orgs and bringing up a multi-organizational network, and I am getting this error:
```
[2017-09-13 17:03:31.919] [ERROR] Helper - Error: Calling enrollment endpoint failed with error [Error: write EPROTO 139797101311808:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:../deps/openssl/openssl/ssl/ssl_lib.c:2512:
139797101311808:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:../deps/openssl/openssl/ssl/s3_clnt.c:3544:
]
    at ClientRequest. (/home/.../go/src/github.com/hyperledger/fabric-samples/CustomApp/node_modules/fabric-ca-client/lib/FabricCAClientImpl.js:712:12)
    at emitOne (events.js:96:13)
    at ClientRequest.emit (events.js:188:7)
    at TLSSocket.socketErrorListener (_http_client.js:310:9)
    at emitOne (events.js:96:13)
    at TLSSocket.emit (events.js:188:7)
    at onwriteError (_stream_writable.js:346:10)
    at onwrite (_stream_writable.js:364:5)
    at WritableState.onwrite (_stream_writable.js:90:5)
    at fireErrorCallbacks (net.js:468:13)
[2017-09-13 17:03:31.919] [DEBUG] Helper - Jim failed to register
[2017-09-13 17:03:31.919] [ERROR] Helper - Jim enrollment failed
(node:18399) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 1): Error: Cannot save null userContext.
(node:18399) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 2): TypeError: Cannot read property '_enrollmentSecret' of null
```
Can someone help?

smithbk (Wed, 13 Sep 2017 12:45:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AgYifafxMyL7unw3A) @DarshanBc The "not for signing" implies that the issued certificate did not have the proper "usage". Anyway, I recommend asking on the fabric-sdk-node channel since this is using the node SDK

s.narayanan (Wed, 13 Sep 2017 15:35:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qjZNdrhy3hsDQtw3W) @smithbk To clarify this further, my understanding is that renew/revoke of root/intermediate certs are handled through channel config update transaction. However, how to handle the following two scenarios: expiration/revocation of certs managed at the Node SDK layer (e.g. user enrollment certs), expiration/revocation of peer or orderer certs. Presume for either one could update the local MSP CRL directly in peer or orderer (which would be pain to do across all servers)? I presume this would prevent user with expired/revoked cert from requesting endorsement and peer with expired/revoked cert from delivering blocks or accepting blocks from orderer whose cert is no longer valid.

smithbk (Wed, 13 Sep 2017 15:48:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ATiK7yDLQorPwrj44) @s.narayanan The local MSP is only used to sign and for access control of peer admin functions (e.g. install chaincode). For operations that are channel specific (e.g. endorsement), the channel's MSP is used for access control, so the CRL would have to be updated via a config block update for these, not the local MSP.

s.narayanan (Wed, 13 Sep 2017 15:52:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jrvTnTWxXCnW33Tgc) @smithbk thanks. Does this mean for the two scenarios I outlined (certs managed at the Node SDK layer, and peer/orderer certs) we need to update the CRL through the config block update? Appreciate it if you could point me to any documentation or examples of the config block update transaction.

smithbk (Wed, 13 Sep 2017 15:54:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=c7oNuMMLmuS5iMxGq) @s.narayanan Yes, you need to update CRL thru config block update. Unfortunately we don't have an API to update the local MSP today, so that would be manual. @aambati is working on a sample for CRL update using configtxlator

s.narayanan (Wed, 13 Sep 2017 16:00:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zKBYr2JYYQawmS5HJ) @smithbk Thanks.

CallMain (Thu, 14 Sep 2017 06:41:25 GMT):
Has joined the channel.

kustrun (Thu, 14 Sep 2017 07:27:58 GMT):
@smithbk I still get the same error, even if I capitalize DBName. [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZiCTf5yjpMB4CSKWe)

shubhamvrkr (Thu, 14 Sep 2017 07:46:20 GMT):
Hi, while registering a new user I am getting the following error on fabric-ca-server:
```
DB: Get certificate by serial (cbb41968d1e52277ef33d0c20533b6f) and aki (f1448187ca5e8c5480e216eb8e0d87ad07e44dadb9791d379a077a8177983a62)
2017/09/14 06:41:53 [ERROR] No certificates found for provided serial and aki
```

WatserAanDeHand (Thu, 14 Sep 2017 07:55:42 GMT):
Has joined the channel.

skarim (Thu, 14 Sep 2017 13:51:29 GMT):
@shubhamvrkr The aki does not seem correct, it looks to be too long. Do you have the complete server logs?

acloudfan (Thu, 14 Sep 2017 16:21:43 GMT):
Has joined the channel.

tongli (Thu, 14 Sep 2017 16:59:15 GMT):
Has joined the channel.

tongli (Thu, 14 Sep 2017 16:59:55 GMT):
@here trying to set up fabric-ca. I got the following from the fabric-ca container log. Not sure if it is ok or not; can someone shed a bit of light?

tongli (Thu, 14 Sep 2017 16:59:55 GMT):
wonder if this msg "Could not load TLS certificate with BCCSP: Could not find matching private key for SKI" is ok or not ok.

tongli (Thu, 14 Sep 2017 17:00:37 GMT):
```
2017/09/14 13:33:30 [DEBUG] CA initialization successful
2017/09/14 13:33:30 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server
2017/09/14 13:33:30 [DEBUG] 1 CA instance(s) running on server
2017/09/14 13:33:30 [DEBUG] TLS is enabled
2017/09/14 13:33:30 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: CSP:500 - Failed getting key for SKI [[69 115 104 148 145 139 19 111 35 165 118 91 210 242 240 104 14 140 115 154 170 243 20 250 63 166 109 90 212 248 91 58]]
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw/impl.go:257 github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw.(*impl).GetKey
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:218 github.com/hyperledger/fabric-ca/util.GetSignerFromCert
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:340 github.com/hyperledger/fabric-ca/util.LoadX509KeyPair
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:450 github.com/hyperledger/fabric-ca/lib.(*Server).listenAndServe
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:127 github.com/hyperledger/fabric-ca/lib.(*Server).Start
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/start.go:41 main.runStart
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:95 main.RunMain
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:82 main.main
/opt/go/src/runtime/proc.go:192 runtime.main
/opt/go/src/runtime/asm_amd64.s:2087 runtime.goexit
Caused by: Key type not recognized
2017/09/14 13:33:30 [DEBUG] Attempting fallback with certfile /etc/hyperledger/fabric-ca-server-config/tlsca/tlsca.orga-cert.pem and keyfile /etc/hyperledger/fabric-ca-server-config/tlsca/45736894918b136f23a5765bd2f2f0680e8c739aaaf314fa3fa66d5ad4f85b3a_sk
2017/09/14 13:33:30 [DEBUG] Client authentication type requested: noclientcert
2017/09/14 13:33:30 [INFO] Listening on %!s(int=7054)%!(EXTRA string=https://0.0.0.0:7054)
```

tongli (Thu, 14 Sep 2017 17:03:01 GMT):
wonder if this msg "Could not load TLS certificate with BCCSP: Could not find matching private key for SKI" is ok or not ok

gbolo (Thu, 14 Sep 2017 17:09:51 GMT):
@tongli I believe that this means that bccsp could not find the matching private key for the x509 cert

tongli (Thu, 14 Sep 2017 17:11:38 GMT):
@gbolo for which certificate? I have both FABRIC_CA_SERVER_CA_KEYFILE and FABRIC_CA_SERVER_CA_CERTFILE setup and they loaded correctly.

tongli (Thu, 14 Sep 2017 17:11:59 GMT):
do not know what other private key is needed.

gbolo (Thu, 14 Sep 2017 17:12:49 GMT):
those are the signing keys. what about your tls key/cert?

gbolo (Thu, 14 Sep 2017 17:13:20 GMT):
looks like your ca server is falling back to using the signing key and cert for tls

tongli (Thu, 14 Sep 2017 17:13:58 GMT):
when FABRIC_CA_SERVER_TLS_ENABLED is true, I also setup FABRIC_CA_SERVER_TLS_KEYFILE and FABRIC_CA_SERVER_TLS_CERTFILE

gbolo (Thu, 14 Sep 2017 17:14:19 GMT):
this section:
```
tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile: ca-cert.pem
  keyfile: ca-key.pem
```

tongli (Thu, 14 Sep 2017 17:14:34 GMT):
these are the certs created by cryptogen

tongli (Thu, 14 Sep 2017 17:14:49 GMT):
hmmm, even if the enabled to be false, you still need to setup keys?

gbolo (Thu, 14 Sep 2017 17:15:17 GMT):
if tls is set to false, then 7054 is plain http and the certs/key in this section are not needed

gbolo (Thu, 14 Sep 2017 17:16:26 GMT):
@tongli I have a sample deployment here which also bootstraps the fabric: https://github.com/gbolo/dockerfiles/tree/master/hyperledger-fabric/softhsm/compose

gbolo (Thu, 14 Sep 2017 17:17:27 GMT):
instructions to test this is available here: https://linuxctl.com/2017/08/bootstrapping-hyperledger-fabric-1.0/#testing-out-the-bootstrapping

tongli (Thu, 14 Sep 2017 17:17:45 GMT):
in my deployment, I create these certs by using cryptogen, then start ca by using the certs and private keys generated by cryptogen.

tongli (Thu, 14 Sep 2017 17:18:22 GMT):
when ca starts up, I see that log (above), it also says that the ca key loaded successfully.

gbolo (Thu, 14 Sep 2017 17:18:40 GMT):
show me your deployment

gbolo (Thu, 14 Sep 2017 17:19:40 GMT):
for my deployment, I do not use cryptogen, and instead create my own keys for tls and define them here:
```
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_TLS_CERTFILE=/data/tls/server_wild_fabric.linuxctl.com.pem
- FABRIC_CA_SERVER_TLS_KEYFILE=/data/tls/server_wild_fabric.linuxctl.com-key.pem
```

tongli (Thu, 14 Sep 2017 17:19:58 GMT):
give me few minutes, I just destroyed the env.

tongli (Thu, 14 Sep 2017 17:20:06 GMT):
let me get it backup.

tongli (Thu, 14 Sep 2017 17:20:24 GMT):
yeah, similar

gbolo (Thu, 14 Sep 2017 17:21:22 GMT):
you can verify if your tls certs are different by running: `openssl s_client -connect FQDN_OF_CA_SERVER:7054`

tongli (Thu, 14 Sep 2017 17:21:26 GMT):
do you also see the affiliations get setup always as org1 department 1?

tongli (Thu, 14 Sep 2017 17:21:50 GMT):
seems to me these things are hard coded, no matter what I set, it always shows up as org1 department 1 and few others.

gbolo (Thu, 14 Sep 2017 17:22:07 GMT):
in a production deployment, your tls certs should be different than your signing keys (the ca key which is used to sign enrollment certs for members in the fabric)

tongli (Thu, 14 Sep 2017 17:31:35 GMT):
ca key and ca cert are from ca directory

tongli (Thu, 14 Sep 2017 17:31:48 GMT):
tls key and tls cert are from tlsca directory

tongli (Thu, 14 Sep 2017 17:31:52 GMT):
they are different.

gbolo (Thu, 14 Sep 2017 17:35:13 GMT):
did you confirm that they get correctly loaded using the above openssl command?

tongli (Thu, 14 Sep 2017 17:41:16 GMT):
I just tried it with tls enabled false, no errors.

tongli (Thu, 14 Sep 2017 17:41:24 GMT):
trying when tls enabled to true, now.

gbolo (Thu, 14 Sep 2017 17:44:12 GMT):
when tls is enabled, run the above `openssl` command and confirm that it's the correct cert

tongli (Thu, 14 Sep 2017 17:46:25 GMT):
Here is the results when tls is enabled.

tongli (Thu, 14 Sep 2017 17:46:33 GMT):
```
ibmadmin@fabric001:~$ openssl s_client -connect 172.15.212.10:7054
CONNECTED(00000003)
depth=0 C = US, ST = California, L = San Francisco, O = orga, CN = tlsca.orga
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = orga, CN = tlsca.orga
verify error:num=26:unsupported certificate purpose
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = orga, CN = tlsca.orga
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=orga/CN=tlsca.orga
   i:/C=US/ST=California/L=San Francisco/O=orga/CN=tlsca.orga
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICGjCCAcCgAwIBAgIRAPWpCCYpntbacHRJzqMtDsowCgYIKoZIzj0EAwIwXjEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG
cmFuY2lzY28xDTALBgNVBAoTBG9yZ2ExEzARBgNVBAMTCnRsc2NhLm9yZ2EwHhcN
MTcwOTE0MTc0MjA3WhcNMjcwOTEyMTc0MjA3WjBeMQswCQYDVQQGEwJVUzETMBEG
A1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzENMAsGA1UE
ChMEb3JnYTETMBEGA1UEAxMKdGxzY2Eub3JnYTBZMBMGByqGSM49AgEGCCqGSM49
AwEHA0IABHKfxBxksUECxgnre+ySEPiBSLqtbXnkUVdV7Qc65eRiHa58bcw22bpS
7ktmtHnKHnogaLYFYle8LrkbFwnX9gGjXzBdMA4GA1UdDwEB/wQEAwIBpjAPBgNV
HSUECDAGBgRVHSUAMA8GA1UdEwEB/wQFMAMBAf8wKQYDVR0OBCIEIMsZdBYdBnWR
DzbelL4C96cuRUQr2t2GQrqQltxpslMFMAoGCCqGSM49BAMCA0gAMEUCIQDTHfX3
SGBYVyLhyQT6PLt5rds/fxYQfn7lgeSBam6EmAIgci7P1ZAyBgmidCkr/YwXYoPk
KqVUxo4oIz8m/53d4vE=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Francisco/O=orga/CN=tlsca.orga
issuer=/C=US/ST=California/L=San Francisco/O=orga/CN=tlsca.orga
---
No client certificate CA names sent
Peer signing digest: SHA384
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 963 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: 70DF7ED31393C90A53982120FDAF100120B59867699B1EFD320B77739ED8B789
    Session-ID-ctx:
    Master-Key: D0D0914B877A04F2FC15DA3ED4A6C82940BD29FDADF79342467D43E6D58595FBCFF73BB81048907CECDDB8E5ABE82694
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    0000 - 50 19 50 cd 56 ad 99 fd-1e e8 a9 ff fb 29 43 ee   P.P.V........)C.
    0010 - a1 e4 75 7d d0 db f2 26-80 f5 f6 32 f2 52 c5 68   ..u}...&...2.R.h
    0020 - 3a b8 90 8a d2 9c 36 99-07 8e 70 ca 95 06 36 26   :.....6...p...6&
    0030 - 4d e4 ca e4 35 5d 86 90-07 62 3e e7 7d 15 87 03   M...5]...b>.}...
    0040 - fe 6a 84 aa 17 41 39 83-a8 6d 16 68 9b a9 a9 8d   .j...A9..m.h....
    0050 - ec 88 dd a3 49 99 76 49-6e d3 17 5e 9c 56 0e a4   ....I.vIn..^.V..
    0060 - 54 c7 14 80 2c fa 89 ab-21 b8 7e 1a cd b7 54 a7   T...,...!.~...T.
    0070 - 57 cb e2 5a ae 92 28 5b-                          W..Z..([

    Start Time: 1505411159
    Timeout   : 300 (sec)
    Verify return code: 26 (unsupported certificate purpose)
---
```

tongli (Thu, 14 Sep 2017 17:47:39 GMT):
here is the container log.

gbolo (Thu, 14 Sep 2017 17:48:43 GMT):
looks like it's the right cert then?

tongli (Thu, 14 Sep 2017 17:49:03 GMT):
I am pretty sure they are fine since peers and orderers all working.

tongli (Thu, 14 Sep 2017 17:49:15 GMT):
what puzzled me is the error from the ca container log.

tongli (Thu, 14 Sep 2017 17:49:32 GMT):
```
2017/09/14 17:43:09 [DEBUG] TLS is enabled
2017/09/14 17:43:09 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: CSP:500 - Failed getting key for SKI [[203 25 116 22 29 6 117 145 15 54 222 148 190 2 247 167 46 69 68 43 218 221 134 66 186 144 150 220 105 178 83 5]]
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw/impl.go:257 github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw.(*impl).GetKey
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:218 github.com/hyperledger/fabric-ca/util.GetSignerFromCert
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:340 github.com/hyperledger/fabric-ca/util.LoadX509KeyPair
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:450 github.com/hyperledger/fabric-ca/lib.(*Server).listenAndServe
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:127 github.com/hyperledger/fabric-ca/lib.(*Server).Start
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/start.go:41 main.runStart
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:95 main.RunMain
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:82 main.main
/opt/go/src/runtime/proc.go:192 runtime.main
/opt/go/src/runtime/asm_amd64.s:2087 runtime.goexit
Caused by: Key type not recognized
2017/09/14 17:43:09 [DEBUG] Attempting fallback with certfile /etc/hyperledger/fabric-ca-server-config/tlsca/tlsca.orga-cert.pem and keyfile /etc/hyperledger/fabric-ca-server-config/tlsca/cb1974161d0675910f36de94be02f7a72e45442bdadd8642ba9096dc69b25305_sk
2017/09/14 17:43:09 [DEBUG] Client authentication type requested: noclientcert
2017/09/14 17:43:09 [INFO] Listening on %!s(int=7054)%!(EXTRA string=https://0.0.0.0:7054)
```

gbolo (Thu, 14 Sep 2017 17:50:46 GMT):
perhaps BCCSP has support (or plans to have support) for loading tls cert from msp directory

gbolo (Thu, 14 Sep 2017 17:51:27 GMT):
i know msp has tlscacerts directory

gbolo (Thu, 14 Sep 2017 17:51:45 GMT):
from my understanding, it's used to populate the truststore

aambati (Thu, 14 Sep 2017 17:51:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QDbgujZ3xsuuck8yL) @tongli That is a debug message, so it is innocuous. In later versions this message is not being logged.

tongli (Thu, 14 Sep 2017 17:52:34 GMT):
@aambati oh. ok.

gbolo (Thu, 14 Sep 2017 17:52:45 GMT):
@aambati why is bccsp trying to load a tls cert and key that's defined in the config file?

tongli (Thu, 14 Sep 2017 17:53:05 GMT):
@gbolo exactly.

aambati (Thu, 14 Sep 2017 17:53:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AfzKYnztHdRK4vjPQ) @tongli they are loaded from the configuration file...default configuration file has org1.dept1, org1.dept2 and org2

tongli (Thu, 14 Sep 2017 17:54:18 GMT):
another issue is about affiliations

tongli (Thu, 14 Sep 2017 17:54:31 GMT):
I always see things like this in the ca logs

tongli (Thu, 14 Sep 2017 17:54:35 GMT):
```
2017/09/14 17:43:09 [DEBUG] Loading affiliations table
2017/09/14 17:43:09 [DEBUG] Adding affiliation org1
2017/09/14 17:43:09 [DEBUG] DB: Add affiliation org1
2017/09/14 17:43:09 [DEBUG] Adding affiliation org1.department1
2017/09/14 17:43:09 [DEBUG] DB: Add affiliation org1.department1
2017/09/14 17:43:09 [DEBUG] Adding affiliation org1.department2
2017/09/14 17:43:09 [DEBUG] DB: Add affiliation org1.department2
2017/09/14 17:43:09 [DEBUG] Adding affiliation org2
2017/09/14 17:43:09 [DEBUG] DB: Add affiliation org2
2017/09/14 17:43:09 [DEBUG] Adding affiliation org2.department1
2017/09/14 17:43:09 [DEBUG] DB: Add affiliation org2.department1
```

tongli (Thu, 14 Sep 2017 17:54:51 GMT):
regardless what I do with the settings

tongli (Thu, 14 Sep 2017 17:54:57 GMT):
seems to me this is hard coded.

tongli (Thu, 14 Sep 2017 17:55:29 GMT):
@aambati @gbolo how do I get rid of these things?

aambati (Thu, 14 Sep 2017 17:55:50 GMT):
@tongli affiliations are loaded from the server configuration file

gbolo (Thu, 14 Sep 2017 17:55:51 GMT):
@tongli these are the defaults:
```
#############################################################################
# Affiliation section
#############################################################################
affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1
```

gbolo (Thu, 14 Sep 2017 17:55:59 GMT):
they can be changed

gbolo (Thu, 14 Sep 2017 17:56:09 GMT):
they are in config file

tongli (Thu, 14 Sep 2017 17:56:11 GMT):
@gbolo yes, I tried to use env to get rid of it.

tongli (Thu, 14 Sep 2017 17:56:15 GMT):
I can not do it.

gbolo (Thu, 14 Sep 2017 17:56:28 GMT):
paste your env var here

tongli (Thu, 14 Sep 2017 17:56:41 GMT):
for example, FABRIC_CA_SERVER_AFFILIATIONS=""

tongli (Thu, 14 Sep 2017 17:56:48 GMT):
would not do anything about it.

tongli (Thu, 14 Sep 2017 17:57:04 GMT):
org1, org2 still shows up in the log.

gbolo (Thu, 14 Sep 2017 17:57:27 GMT):
yea, I think that they cannot be overridden by env, because it's a more complicated data structure

gbolo (Thu, 14 Sep 2017 17:57:43 GMT):
it's a map with arrays

tongli (Thu, 14 Sep 2017 17:57:55 GMT):
:sob:

gbolo (Thu, 14 Sep 2017 17:58:00 GMT):
try changing config file directly

tongli (Thu, 14 Sep 2017 17:58:21 GMT):
so I could have a configuration file like this

tongli (Thu, 14 Sep 2017 17:58:32 GMT):
```affiliations:```

tongli (Thu, 14 Sep 2017 17:58:49 GMT):
I will give it a try, but I do not know how it will work.

gbolo (Thu, 14 Sep 2017 17:59:09 GMT):
see this sample config: https://github.com/gbolo/dockerfiles/blob/master/hyperledger-fabric/softhsm/compose/files/config/ca-server-1.0.0-pkcs11.yaml

tongli (Thu, 14 Sep 2017 17:59:10 GMT):
any how, thanks for helping and confirming these things.

gbolo (Thu, 14 Sep 2017 17:59:19 GMT):
remove the pkcs11 stuff

tongli (Thu, 14 Sep 2017 17:59:39 GMT):
k.

tongli (Thu, 14 Sep 2017 17:59:45 GMT):
will give it a try.

gbolo (Thu, 14 Sep 2017 17:59:49 GMT):
make sure database is gone first

tongli (Thu, 14 Sep 2017 18:01:16 GMT):
sure.

tongli (Thu, 14 Sep 2017 18:01:24 GMT):
Thanks @gbolo

gbolo (Thu, 14 Sep 2017 18:01:30 GMT):
np

tongli (Thu, 14 Sep 2017 19:28:09 GMT):
@gbolo @aambati I tried to add a very simple ca configuration file and set affiliations to empty. it worked.

tongli (Thu, 14 Sep 2017 19:28:46 GMT):
however the env variable such as FABRIC_CA_SERVER_AFFILIATIONS has no effect whatsoever.

tongli (Thu, 14 Sep 2017 19:29:00 GMT):
just a FYI.

smithbk (Thu, 14 Sep 2017 19:31:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aXTatr2xGrR26QQkc) @kustrun That is strange that a "ping" call to the DB checks for the name of the DB. It must be either a config setting on the server or just different behavior for Heroku PostgreSQL. If you don't see anything in the config doc for this, then pls open a jira item and we'll need to do something special for Heroku.

smithbk (Thu, 14 Sep 2017 19:38:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=obNwEwJp7Jv8TghFA) @tongli Yeh, the only thing you can configure thru env variables are leaves of the config tree. We are starting to work on allowing you to manage identities and affiliations via fabric-ca-client w/o server restart. See https://docs.google.com/document/d/1AblDQGXOBvMLyn_VTNqoMrjshgUoHP-MhjfZTe3hjtI ... comments welcome

tongli (Thu, 14 Sep 2017 19:39:00 GMT):
@smithbk thanks for your clarification.

smithbk (Thu, 14 Sep 2017 19:39:26 GMT):
@tongli For now, you'll need to provide your own custom config file to define your own affiliations

tongli (Thu, 14 Sep 2017 19:40:24 GMT):
yes. I used the latest code and verified that with a simple configuration file, I can get rid of the affiliations

SethiSaab (Thu, 14 Sep 2017 21:28:59 GMT):
anyone online ?

SethiSaab (Thu, 14 Sep 2017 21:29:08 GMT):
i need help regarding cli server client setup

simoneromani (Fri, 15 Sep 2017 07:24:39 GMT):
Has joined the channel.

simoneromani (Fri, 15 Sep 2017 08:28:21 GMT):
hello, I am having issues assigning a new identity to a participant. This is the error I'm getting back from the CA:
```
root@07469f02a697:/bna# composer identity issue -p defaultProfile -n network -i admin -s passw0rd -u ad -a namespace.Banker#pers1
Error: fabric-ca request register failed with errors [[{"code":400,"message":"Authorization failure"}]]
Command failed
```

simoneromani (Fri, 15 Sep 2017 08:29:26 GMT):
is there a way to enable debug logging level on the CA container so that I can see more details? the CA should also be TLS enabled but I don't see any log confirming that

AuHuR (Fri, 15 Sep 2017 08:51:57 GMT):
Has left the channel.

smithbk (Fri, 15 Sep 2017 13:00:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FQpKZ8CPDQZGsXXre) @simoneromani I think the default info level logging on the server should give more of a reason than on the client (for security reasons), but you can also enable debug level by starting it with the "-d" option

smithbk (Fri, 15 Sep 2017 13:00:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=w7HeurPCdXuWLLPdT) @SethiSaab Do you still need help?

simoneromani (Fri, 15 Sep 2017 13:01:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AW9rMeqomPpizwLm4) @smithbk thank you, I enabled debugging with the flag `--debug`, currently trying to understand what's going on

gauthampamu (Fri, 15 Sep 2017 13:57:07 GMT):
@smithbk Currently the CA certificate and key for the Fabric CA server have to be unencrypted: "If you want the Fabric CA server to use a CA signing certificate and key file which you provide, you must place your files in the location referenced by ca.certfile and ca.keyfile respectively. Both files must be PEM-encoded and must not be encrypted. More specifically, the contents of the CA certificate file must begin with -----BEGIN CERTIFICATE----- and the contents of the key file must begin with -----BEGIN PRIVATE KEY----- and not -----BEGIN ENCRYPTED PRIVATE KEY-----." Are there any plans to fix this issue in a future version, or is there a feature to use the keys from an HSM in future versions?

ashutosh_kumar (Fri, 15 Sep 2017 15:16:15 GMT):
@gauthampamu , what do you mean by encrypted key ?

ashutosh_kumar (Fri, 15 Sep 2017 15:17:31 GMT):
do you mean PKCS#8 ?

ashutosh_kumar (Fri, 15 Sep 2017 15:18:03 GMT):
AFAIK , golang does not support PKCS#8 out of the box.

smithbk (Fri, 15 Sep 2017 15:34:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JQpQBfvwbTkRZFtxS) @gauthampamu It already supports HSM. @ashutosh_kumar Yes that statement in the doc is referring to PKCS#8. I see little reason to support that given that we support HSM via PKCS#11

gauthampamu (Fri, 15 Sep 2017 15:43:22 GMT):
@smithbk Thanks for the response. Is this supported in v1.0 or v1.0.1? Just looked at the command usage:
```
fabric-ca-server --help | grep label
      --intermediate.enrollment.label string   Label to use in HSM operations
```
I have not seen any documentation for it. Where can we find information on how to configure it when you use an HSM? Let's say we are using an HSM for the keys; do we just need to specify the label and skip the other parameters such as:
```
      --ca.certfile string    PEM-encoded CA certificate file (default "ca-cert.pem")
      --ca.chainfile string   PEM-encoded CA chain file (default "ca-chain.pem")
      --ca.keyfile string     PEM-encoded CA key file (default "ca-key.pem")
```

smithbk (Fri, 15 Sep 2017 17:04:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NiazMBHen5m2GnMyu) @gauthampamu See the "Key Store" section of https://docs.google.com/document/d/1x7bbSkLt3VLexNMECJXbOYJ3xX8Ck9Q6O6W1dmnVaRQ ... I'll have this added to the user's guide as it should really be there

gauthampamu (Fri, 15 Sep 2017 20:15:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZubMZyQWHftKfG4RY) @smithbk Thanks

Arindam (Fri, 15 Sep 2017 20:18:58 GMT):
Has joined the channel.

Arindam (Fri, 15 Sep 2017 20:19:21 GMT):
Hi All, I am able to deploy the BNA file to one of the peers. The other peer is able to join the channel, but I cannot deploy on the 2nd peer. It is giving an error like: `Error: Error trying install chaincode. Error: Failed to deserialize creator identity, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority`. I am using the CA server; no TLS is used.

Arindam (Fri, 15 Sep 2017 20:21:18 GMT):
```
#fetch the block in another peer environment
docker exec -e "CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin@org2.example.com/msp" peer0.org2.example.com peer channel fetch config -o orderer.example.com:7050 -c composerchannelnew1 composerchannelnew1.block
2017-09-15 20:14:25.388 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing local MSP
2017-09-15 20:14:25.389 UTC [msp] GetDefaultSigningIdentity -> DEBU 002 Obtaining default signing identity
2017-09-15 20:14:25.394 UTC [channelCmd] InitCmdFactory -> INFO 003 Endorser and orderer connections initialized
2017-09-15 20:14:25.394 UTC [msp] GetLocalMSP -> DEBU 004 Returning existing local MSP
2017-09-15 20:14:25.394 UTC [msp] GetDefaultSigningIdentity -> DEBU 005 Obtaining default signing identity
2017-09-15 20:14:25.395 UTC [msp] GetLocalMSP -> DEBU 006 Returning existing local MSP
2017-09-15 20:14:25.396 UTC [msp] GetDefaultSigningIdentity -> DEBU 007 Obtaining default signing identity
2017-09-15 20:14:25.396 UTC [msp/identity] Sign -> DEBU 008 Sign: plaintext: 0AC9060A1F08021A0608A1E9F0CD0522...02E2B841FA6612080A020A0012020A00
2017-09-15 20:14:25.397 UTC [msp/identity] Sign -> DEBU 009 Sign: digest: 8A77558F134286B76566312842533B07DD984A7D0A52864AEF0D208F022C1580
2017-09-15 20:14:25.402 UTC [channelCmd] readBlock -> DEBU 00a Received block: 0
2017-09-15 20:14:25.402 UTC [msp] GetLocalMSP -> DEBU 00b Returning existing local MSP
2017-09-15 20:14:25.402 UTC [msp] GetDefaultSigningIdentity -> DEBU 00c Obtaining default signing identity
2017-09-15 20:14:25.402 UTC [msp] GetLocalMSP -> DEBU 00d Returning existing local MSP
2017-09-15 20:14:25.402 UTC [msp] GetDefaultSigningIdentity -> DEBU 00e Obtaining default signing identity
2017-09-15 20:14:25.402 UTC [msp/identity] Sign -> DEBU 00f Sign: plaintext: 0AC9060A1F08021A0608A1E9F0CD0522...A0F3D75A96BF12080A021A0012021A00
2017-09-15 20:14:25.402 UTC [msp/identity] Sign -> DEBU 010 Sign: digest: 5F19FEC4A254CC4B3E5503EF7DAACE09AD3055EDDDE503D04248B029D34E92FC
2017-09-15 20:14:25.421 UTC [channelCmd] readBlock -> DEBU 011 Received block: 0
2017-09-15 20:14:25.422 UTC [main] main -> INFO 012 Exiting.....
# Join peer0.org2.example.com to the channel.
docker exec -e "CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin@org2.example.com/msp" peer0.org2.example.com peer channel join -b composerchannelnew1.block
2017-09-15 20:14:25.744 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing local MSP
2017-09-15 20:14:25.744 UTC [msp] GetDefaultSigningIdentity -> DEBU 002 Obtaining default signing identity
2017-09-15 20:14:25.747 UTC [channelCmd] InitCmdFactory -> INFO 003 Endorser and orderer connections initialized
2017-09-15 20:14:25.750 UTC [msp/identity] Sign -> DEBU 004 Sign: plaintext: 0A86070A5C08011A0C08A1E9F0CD0510...174B916918F91A080A000A000A000A00
2017-09-15 20:14:25.750 UTC [msp/identity] Sign -> DEBU 005 Sign: digest: 08A7A7E8D654D696334DF0A5CC511D07744EB8E2ADCCED8477648FF99D2A44B4
2017-09-15 20:14:25.938 UTC [channelCmd] executeJoin -> INFO 006 Peer joined the channel!
2017-09-15 20:14:25.938 UTC [main] main -> INFO 007 Exiting.....
cd ../..
ubuntu@ubuntu-xenial:~/fabric-tools$ composer network deploy -p hlfv1 -a membervaluetrading.bna -i NewAdminOrg2 -s newadmin2
Deploying business network from archive: membervaluetrading.bna
Business network definition:
	Identifier: membervaluetrading@0.1
	Description: undefined
✖ Deploying business network definition. This may take a minute...
Error: Error trying deploy. Error: Error trying install chaincode. Error: Failed to deserialize creator identity, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority
```

Arindam (Fri, 15 Sep 2017 20:23:59 GMT):
New AdminOrg2 was created using composer identity import -p hlfv1 -u NewAdminOrg2 -c ./peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/signcerts/Admin@org2.example.com-cert.pem -k ./peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/96a5b6300c1dd4cca655e68646e67a3d25f2be0bc4dcb0b80cdda00fefd8d981_sk

Arindam (Fri, 15 Sep 2017 20:24:27 GMT):
NewAdminOrg1 can deploy the BNA in peer0

Arindam (Fri, 15 Sep 2017 20:24:48 GMT):
composer identity import -p hlfv1 -u NewAdminOrg1 -c ./peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/signcerts/Admin@org1.example.com-cert.pem -k ./peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/c94536f9574fe83a8cb96397d1588cde04ee3a3eb675d1e12e339ecf12f4c8a3_sk

Arindam (Fri, 15 Sep 2017 20:27:10 GMT):
```
ubuntu@ubuntu-xenial:~/fabric-tools/fabric-scripts/hlfv1/composer/crypto-config$ docker ps
CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
2a32c8a7887c   dev-peer0.org1.example.com-membervaluetrading-0.12.0-0634b814bde1b29cc7b99bf38f4a71abd2178cd96ff81e23059f5d19a6034c6f   "chaincode -peer.a..."   11 minutes ago   Up 10 minutes   dev-peer0.org1.example.com-membervaluetrading-0.12.0
169c5410df2d   hyperledger/fabric-peer:x86_64-1.0.1   "peer node start -..."   28 minutes ago   Up 28 minutes   0.0.0.0:7051->7051/tcp, 0.0.0.0:7053->7053/tcp   peer0.org1.example.com
18e39c9567a3   hyperledger/fabric-peer:x86_64-1.0.1   "peer node start -..."   28 minutes ago   Up 28 minutes   0.0.0.0:7056->7051/tcp, 0.0.0.0:7058->7053/tcp   peer0.org2.example.com
47f60b365699   hyperledger/fabric-couchdb:x86_64-1.0.1   "tini -- /docker-e..."   28 minutes ago   Up 28 minutes   4369/tcp, 9100/tcp, 0.0.0.0:5984->5984/tcp   couchdb1
0972b8a83d13   hyperledger/fabric-couchdb:x86_64-1.0.1   "tini -- /docker-e..."   28 minutes ago   Up 28 minutes   4369/tcp, 9100/tcp, 0.0.0.0:6984->5984/tcp   couchdb2
eea290f6eec9   hyperledger/fabric-orderer:x86_64-1.0.1   "orderer"   28 minutes ago   Up 28 minutes   0.0.0.0:7050->7050/tcp   orderer.example.com
96e64f786de3   hyperledger/fabric-ca:x86_64-1.0.1   "sh -c 'fabric-ca-..."   28 minutes ago   Up
```

Arindam (Fri, 15 Sep 2017 20:27:40 GMT):
I cannot deploy in peer2

Arindam (Fri, 15 Sep 2017 20:27:52 GMT):
only able to deploy in peer1

Arindam (Fri, 15 Sep 2017 20:28:32 GMT):
I mean able to deploy in Org1 but can not deploy in Org2 but Org2 joined the channel

gauthampamu (Fri, 15 Sep 2017 21:29:36 GMT):
@smithbk Can we configure fabric ca server without any attributes and affiliations?

gauthampamu (Fri, 15 Sep 2017 22:20:49 GMT):
I have fabric ca docker container that is running with TLS enabled. I am getting this error when I try to connect to the server using TLS

gauthampamu (Fri, 15 Sep 2017 22:20:50 GMT):
```
fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --tls.certfiles /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
2017/09/15 22:18:19 [INFO] User provided config file: /root/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2017/09/15 22:18:19 [INFO] generating key: &{A:ecdsa S:256}
2017/09/15 22:18:19 [INFO] encoded CSR
2017/09/15 22:18:19 [INFO] TLS Enabled
Error: POST failure [Post https://localhost:7054/enroll: x509: certificate is valid for ca.org1.example.com, not localhost]; not sending
POST https://localhost:7054/enroll
Authorization: Basic YWRtaW46YWRtaW5wdw==
{"hosts":["07acc6662fbc"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBQTCB6QIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESN+LcLPLLxtS3S6t\n7ZeB9x1hOkXZwWxTa1MSpxdMx1bjrRB4WxozwrM6b2vgvmyT/etRorOx5D1pnLOk\nBtB0o6AqMCgGCSqGSIb3DQEJDjEbMBkwFwYDVR0RBBAwDoIMMDdhY2M2NjYyZmJj\nMAoGCCqGSM49BAMCA0cAMEQCIDhan566Idhi5DuRjnaMKU34AbjifimNyVQitMKj\n3SVdAiBv39QRLG3btiQxHg9zeo4Ze+GVuQ4fJnqJg1O92T514w==\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","CAName":""}
```

gauthampamu (Sat, 16 Sep 2017 02:54:18 GMT):
You can ignore the above message, it was resolved when I updated the /etc/host file

gauthampamu (Sat, 16 Sep 2017 02:56:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZubMZyQWHftKfG4RY) @smithbk "By default, the Fabric CA server and client store private keys in a PEM-encoded file" In the case of the Fabric CA Server, is it talking about the CA certificate? Also, when you specify HSM in BCCSP, can we skip the CA file names?

smithbk (Sat, 16 Sep 2017 02:56:57 GMT):
yes ... another way to resolve is to use the "--csr.hosts localhost,$HOSTNAME" option when you start the server for the first time (or call "init")

gauthampamu (Sat, 16 Sep 2017 02:57:09 GMT):
ok

smithbk (Sat, 16 Sep 2017 02:57:36 GMT):
fabric-ca-server start -b a:b --tls.enabled --csr.hosts localhost,$HOSTNAME

gauthampamu (Sat, 16 Sep 2017 02:57:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dymNhnFSE2w7hEzTs) @smithbk Thanks

smithbk (Sat, 16 Sep 2017 02:58:09 GMT):
np

gauthampamu (Sat, 16 Sep 2017 03:00:40 GMT):
@smithbk I have additional questions about the HSM configuration. When you configure with HSM, do we still need to specify the TLS key and cert file, and similarly do we need to specify the ca.keyfile and ca.cert file in the server config or even environment variables?

gauthampamu (Sat, 16 Sep 2017 03:02:05 GMT):
Also what is the environment variable to override the properties?

gauthampamu (Sat, 16 Sep 2017 03:02:06 GMT):
```
tls:
  # Enable TLS (default: false)
  enabled: true
  # TLS for the server's listening port
  certfile: ca-cert.pem
  keyfile: ca-key.pem
  clientauth:
    type: noclientcert
    certfiles:
```

smithbk (Sat, 16 Sep 2017 03:02:08 GMT):
If you allow the server to generate its own, you don't need to ... but if you want it to import a key into the HSM, then you would need to specify it the 1st time

smithbk (Sat, 16 Sep 2017 03:03:04 GMT):
All env variables are prefixed with FABRIC_CA_SERVER_ and then use the path to the variable. For example, FABRIC_CA_SERVER_TLS_ENABLED=true

gauthampamu (Sat, 16 Sep 2017 03:03:05 GMT):
If I am using a Docker container for the ca, how do I specify it?

gauthampamu (Sat, 16 Sep 2017 03:04:28 GMT):
Sorry, I was referring to the HSM configuration.

gauthampamu (Sat, 16 Sep 2017 03:04:51 GMT):
So FABRIC_CA_SERVER_BCCSP_DEFAULT=PKCS11

smithbk (Sat, 16 Sep 2017 03:05:03 GMT):
Yes

gauthampamu (Sat, 16 Sep 2017 03:05:06 GMT):
Thanks

smithbk (Sat, 16 Sep 2017 03:05:14 GMT):
np

smithbk (Sat, 16 Sep 2017 03:05:51 GMT):
btw, see the comments at the top of the config file ... that describes this

gauthampamu (Sat, 16 Sep 2017 03:06:27 GMT):
Thanks

gauthampamu (Sat, 16 Sep 2017 03:07:46 GMT):
I have not used HSM, so when you use HSM, is it possible to reference a key in the HSM? Does the label refer to a specific key in the HSM?

gauthampamu (Sat, 16 Sep 2017 03:10:00 GMT):
In the documentation, for HSM they have filekeystore? Why do we have to specify the filekeystore, does it not store the key in the HSM? What is the purpose of the filekeystore?

gauthampamu (Sat, 16 Sep 2017 03:16:05 GMT):
@smithbk Fabric CA server with LDAP does not support the attributes and affiliations. So I wanted to find out whether we can configure fabric ca server without any attributes and affiliations?

gauthampamu (Sat, 16 Sep 2017 03:16:23 GMT):
So I wanted to find out whether we can configure fabric ca server without any attributes and affiliations even when you use a database

smithbk (Sat, 16 Sep 2017 03:18:22 GMT):
You would need someone with attributes to dynamically register other identities or to revoke ... if you don't need those capabilities, then yes

smithbk (Sat, 16 Sep 2017 03:18:45 GMT):
hf.Registrar.Roles, hf.Revoker, for example

smithbk (Sat, 16 Sep 2017 03:19:40 GMT):
Are you wanting to use LDAP?

gauthampamu (Sat, 16 Sep 2017 04:10:49 GMT):
Right now I am not planning to use LDAP

davidoevans (Sat, 16 Sep 2017 12:27:28 GMT):
anyone know why my `fabric-ca-server` or `fabric-ca-client` returns with `Killed: 9` immediately? My dependencies seem fine...libtools installed and `go version go1.7.6 darwin/amd64`. thanks.

smithbk (Sat, 16 Sep 2017 12:42:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LZ7Aw4cvcLhQAzN3c) @davidoevans There is a long thread on this at https://github.com/golang/go/issues/19734 but the short answer is to work around, you can run the following command: # sudo ln -s /usr/bin/true /usr/local/bin/dsymutil

wanghhao (Sat, 16 Sep 2017 16:19:21 GMT):
Has joined the channel.

davidoevans (Sun, 17 Sep 2017 00:05:05 GMT):
thanks for the direction @smithbk - in my case I (needed?) to install Xcode...but it was finally upgrading go to v1.8.3 that fixed it.

Smithatv (Sun, 17 Sep 2017 15:07:37 GMT):
@smithbk, is transaction not possible without tcerts ?

Smithatv (Sun, 17 Sep 2017 15:07:51 GMT):
and how do we generate tcerts ?

smithbk (Sun, 17 Sep 2017 15:28:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cP6EyGcSDDMnZygoZ) @Smithatv TCerts are not supported by the SDKs yet, but you can transact with an ECert. This simply means that transactions are not anonymous or unlinkable to someone who has access to read the ledger

gauthampamu (Sun, 17 Sep 2017 20:34:22 GMT):
cryptogen

shubhamvrkr (Mon, 18 Sep 2017 05:05:24 GMT):
@skarim
```
2017/09/14 10:34:17 [DEBUG] TLS is enabled
2017/09/14 10:34:17 [DEBUG] Client authentication type requested: noclientcert
2017/09/14 10:34:17 [INFO] Listening on https://0.0.0.0:7054
2017/09/14 10:36:09 [DEBUG] Received request
POST /api/v1/register
Authorization: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNHVENDQWNDZ0F3SUJBZ0lSQU14MnovN1l6S09JaTdyMWVBT0VyelV3Q2dZSUtvWkl6ajBFQXdJd2N6RUwKTUFrR0ExVUVCaE1DVlZNeEV6QVJCZ05WQkFnVENrTmhiR2xtYjNKdWFXRXhGakFVQmdOVkJBY1REVk5oYmlCRwpjbUZ1WTJselkyOHhHVEFYQmdOVkJBb1RFRzl5WnpFdVpYaGhiWEJzWlM1amIyMHhIREFhQmdOVkJBTVRFMk5oCkxtOXlaekV1WlhoaGJYQnNaUzVqYjIwd0hoY05NVGN3T0RBNU1Ea3pOekU1V2hjTk1qY3dPREEzTURrek56RTUKV2pCYk1Rc3dDUVlEVlFRR0V3SlZVekVUTUJFR0ExVUVDQk1LUTJGc2FXWnZjbTVwWVRFV01CUUdBMVVFQnhNTgpVMkZ1SUVaeVlXNWphWE5qYnpFZk1CMEdBMVVFQXd3V1FXUnRhVzVBYjNKbk1TNWxlR0Z0Y0d4bExtTnZiVEJaCk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkxLaGM2QkN6T1hVWiszdk8vbEtBZHljTktzamdyRW0KYmJ4NjQzaGJhTjlOMnVjQjM3My9PY0E3Y3Z6N3JZTS9TRGVoVDRlQmhsOTcvU2dVUFNNc0NkeWpUVEJMTUE0RwpBMVVkRHdFQi93UUVBd0lIZ0RBTUJnTlZIUk1CQWY4RUFqQUFNQ3NHQTFVZEl3UWtNQ0tBSUlYQVZOZ2pld05xCndXV0FORTJXaTVnUXhUczJkcHFCN0pkUXorQlpadC9uTUFvR0NDcUdTTTQ5QkFNQ0EwY0FNRVFDSUdaVUNCRTIKQ1BEWG5TSUdqT3JvbWxRV1MxOVNsN1NnQTdvS2ZpUlVpZ2RZQWlCTm5lNkpEU2RIVk5Icjdmd1lEMFdkNWEzcQpWenZ2SUVINkhLTklkU2hBYlE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==.MEUCIQCck4dMHna4jBObHIItth13mbU+3h/3EllUCWoFh4sC4gIgEzV0XMxgZlbVslUCcBTJNLO+DpY5cRz7sQ3sK6aL1RI=
{"id":"shubham","type":"client","affiliation":"Org1MSP.department1","max_enrollments":1,"caName":"ca-org1"}
2017/09/14 10:36:09 [DEBUG] Directing traffic to CA ca-org1
2017/09/14 10:36:09 [DEBUG] Checking for revocation/expiration of certificate owned by 'Admin@org1.example.com'
2017/09/14 10:36:09 [DEBUG] DB: Get certificate by serial (cc76cffed8cca3888bbaf5780384af35) and aki (85c054d8237b036ac16580344d968b9810c53b36769a81ec9750cfe05966dfe7)
2017/09/14 10:36:09 [ERROR] No certificates found for provided serial and aki
```

AbhishekSeth (Mon, 18 Sep 2017 05:23:56 GMT):
@shubhamvrkr, who is the registrar for u? admin with adminpw is the one who has the right to register a new user !!!!

AbhishekSeth (Mon, 18 Sep 2017 05:25:13 GMT):
hey.... What does revoke() API do? once I do revoke, it does not allow me to enroll the same user again, but isEnrolled() says that user is already enrolled. Why is it so??

AbhishekSeth (Mon, 18 Sep 2017 05:26:38 GMT):
Further, what is the way to login to and logout from the network?? if `revoke` ~ logout, then how to login back to the network???

AbhishekSeth (Mon, 18 Sep 2017 05:27:29 GMT):
@muralisr, sir.. any clarifications u can provide??

yoyokeen (Mon, 18 Sep 2017 08:54:33 GMT):
@here. CA tls problem.

yoyokeen (Mon, 18 Sep 2017 08:54:48 GMT):
crypto-config.yaml

yoyokeen (Mon, 18 Sep 2017 08:55:04 GMT):
```
tls:
  # Enable TLS (default: false)
  enabled: true
  certfiles:
    - root.pem
  client:
    certfile: tls_client-cert.pem
    keyfile: tls_client-key.pem
```

yoyokeen (Mon, 18 Sep 2017 08:55:25 GMT):
and run command: 'cryptogen generate --config=./crypto-config.yaml'

yoyokeen (Mon, 18 Sep 2017 08:55:49 GMT):
but it hasn't generated the tls folder.

yoyokeen (Mon, 18 Sep 2017 08:56:09 GMT):
and also no error came out.

simoneromani (Mon, 18 Sep 2017 11:15:54 GMT):
hello, question regarding the CA signing the certificate of one organization's admin and most importantly with TLS enabled. I see that the CN is ca.organization bla bla.. but is it possible to change it into tlsca.organization bla bla? because when I try to issue an identity, Admin doesn't recognize the tlsca as the correct CA but searches for the ca.

muralisr (Mon, 18 Sep 2017 11:35:46 GMT):
@AbhishekSeth let me refer you to @smithbk please

smithbk (Mon, 18 Sep 2017 13:25:17 GMT):
@AbhishekSeth The revoke API can revoke a specific certificate or an entire account (i.e. enrollment ID). You typically revoke one of your own certificates when you think the private key associated with that certificate may have been compromised. You revoke another user's account when you think that user is misbehaving. Of course revoking an account requires special privileges. Comparing this to a web-based login/logout model doesn't track 1-1. In a webapp when you logout, it simply deletes a session cookie that your browser caches and which was granted as a result of logging in with user/pass. In our model, enroll exchanges a user/pass for a signed certificate, so the closest thing to logout in our model would mean simply deleting the private key and certificate from your client's home directory.

smithbk (Mon, 18 Sep 2017 13:26:55 GMT):
If you revoke your own account, then you will not be able to do anything with that account again.

smithbk (Mon, 18 Sep 2017 13:28:17 GMT):
We don't currently have a way to unrevoke an account but are just beginning work on dynamically managing identities and affiliations, so it would be part of that

skarim (Mon, 18 Sep 2017 13:49:02 GMT):
@shubhamvrkr How are you registering? Are you using some SDK or the fabric-ca-client?

smithbk (Mon, 18 Sep 2017 15:11:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=trLwSBv4W9QPP9rPZ) @simoneromani Can you elaborate on what you mean by "Admin doesn't recognize the tlsca as the correct CA but searches for the ca". Yes, it is possible to change the CN of a signing certificate by using the "--csr.cn" option but not sure I understand why you need this

StephHuynh (Mon, 18 Sep 2017 21:23:37 GMT):
Has joined the channel.

blockcloud (Tue, 19 Sep 2017 02:29:29 GMT):
@here hello, how do I configure it when I want to enable TLS? Could someone tell me which certfile to configure and what each certfile is for?

vdods (Tue, 19 Sep 2017 04:03:35 GMT):
@blockcloud Take a look at the example app at https://github.com/LedgerDomain/FabricWebApp -- in particular, the file FabricWebApp/docker/ca-base.yaml.

Smithatv (Tue, 19 Sep 2017 04:56:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kXEQquLWuBPMQQguy) @smithbk does this mean i have to copy Ecert as Tcert in case if i want to enable TLS ?

CodeReaper (Tue, 19 Sep 2017 06:00:27 GMT):
Hi there, I want to make a mobile app as front-end, followed by APIs in nodejs to interact with my smart-contracts. I was wondering how I can save my mobile app itself and not on the default key-value store in config.json of nodejs such as in balance-transfer example. And then I would like my transactions to be signed in that application with keys present inside. I do feel this is the wrong approach but I also can't have N number of Nodejs instances for every user. Any directions?

sampath06 (Tue, 19 Sep 2017 10:27:02 GMT):
Hello, I am trying to verify the credentials of the Creator in the chaincode. I can get the Common Name from the certificate but not able to get the Organisation name. How do I check the Organisation of the invoker in the chain code?

smithbk (Tue, 19 Sep 2017 11:46:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HsBsPdNpuapNPf5mo) @blockcloud All you have to do to enable TLS for the server is start it with the "--tls.enabled" option. That will cause the server to generate its own certfile and keyfile that it uses in the section below:
```
#############################################################################
#  TLS section for the server's listening port
#
#  The following types are supported for client authentication: NoClientCert,
#  RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
#  and RequireAndVerifyClientCert.
#
#  Certfiles is a list of root certificate authorities that the server uses
#  when verifying client certificates.
#############################################################################
tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile: tls-cert.pem
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:
```
I assume you don't need to enable client authentication though, but see the comments above if you did.

smithbk (Tue, 19 Sep 2017 11:53:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ELgQRJeJPuvuE5K4n) @Smithatv Enabling TLS doesn't have anything to do with whether it is an ECert ... or later when supported, a TCert. To enable TLS, just start the server with "--tls.enabled". And if using the fabric-ca-client, you would set the FABRIC_CA_CLIENT_TLS_CERTFILES environment variable to point to the root CA's signing certificate (*ca-cert.pem*) or the intermediate CA's signing certificate chain (*ca-chain.pem*). You would need to copy one of those from the server to the client.

smithbk (Tue, 19 Sep 2017 11:59:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zrc6CQSQsEa9LzjNi) @CodeReaper The #fabric-sdk-node channel is the best place to ask this, or to @jimthematrix ... but it sounds like you want your mobile app to store the private key used to sign blockchain transactions. Is that correct?

CodeReaper (Tue, 19 Sep 2017 12:03:29 GMT):
Nevermind @smithbk. It's not possible to sign outside an application that cannot implement fabric-client/fabric-ca-client

smithbk (Tue, 19 Sep 2017 12:05:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NEHQYXipE8zhrEBjZ) @sampath06 We are working on a chaincode library currently which would allow you to easily get the MSP ID, but the change set is not yet merged. If you need this immediately, you can see how it is done here: https://gerrit.hyperledger.org/r/#/c/13265/13/core/chaincode/lib/cid/cid.go If you really want instead to get the O value from the certificate instead of the MSP ID, then you can also see from that code how to get the *x509.Certificate from the bytes returned by GetCreator and you then have access to anything in the certificate, including the O value.

smithbk (Tue, 19 Sep 2017 12:07:38 GMT):
@sampath06 Could you give info on your use case? why do you need the organization?

SimonOberzan (Tue, 19 Sep 2017 12:12:25 GMT):
Has joined the channel.

sampath06 (Tue, 19 Sep 2017 12:43:56 GMT):
@smithbk I have a use case for endorsement of documents. This endorsement should be done only by a certain organisation. I need to verify this. I couldn't find any way other than to check the Creator in the chaincode invocation. I did read the certificate but only the Common Name was set and the Organisation was not set in the certificate. This is through the node SDK. I could find the Organisation in the Issuer certificate details. I guess this is from the CA details. Not sure if this can be used reliably for my use case.

sampath06 (Tue, 19 Sep 2017 13:11:37 GMT):
@smithbk Does this approach make sense or is there some better way to achieve this?

mastersingh24 (Tue, 19 Sep 2017 13:55:11 GMT):
@sampath06 - assuming you maintain a 1 to 1 mapping of MSPIDs to organizations, then you should simply be able to use the MSPID (which you get as part of the GetCreator() api) to check that the right org actually endorsed

sampath06 (Tue, 19 Sep 2017 13:59:37 GMT):
@mastersingh24 How do I get the MSPID from GetCreator() api. I could get the certificate and extract the details but did not find the MSPID. The code that I am using is
```
creator, err := stub.GetCreator()
if err != nil {
	logger.Debug("Error received on GetCreator", err)
	return shim.Error("Failed to get creator")
}
// Locate the PEM header inside the serialized creator. bytes.Index matches the
// whole header string; bytes.IndexAny (used originally) matches the first byte
// from the set and therefore stops too early.
certStart := bytes.Index(creator, []byte("-----BEGIN CERTIFICATE-----"))
if certStart == -1 {
	logger.Debug("No certificate found")
	return shim.Error("Begin of certificate")
}
certText := creator[certStart:]
block, _ := pem.Decode(certText)
if block == nil {
	logger.Debug("Error received on pem.Decode of certificate", certText)
	return shim.Error("Decode")
}
ucert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
	logger.Debug("Error received on ParseCertificate", err)
	return shim.Error("parseCertificate")
}
```

sampath06 (Tue, 19 Sep 2017 14:00:42 GMT):
The certificate json I got was ``` {"Raw":"MIIB7zCCAZWgAwIBAgIUDnu1iH9Cj/V5Cv3tQze7ea0FPyMwCgYIKoZIzj0EAwIwczELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xGTAXBgNVBAoTEG9yZzEuZXhhbXBsZS5jb20xHDAaBgNVBAMTE2NhLm9yZzEuZXhhbXBsZS5jb20wHhcNMTcwOTE5MDc0MzAwWhcNMTgwOTE5MDc0MzAwWjAOMQwwCgYDVQQDEwNKaW0wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASdC7RaaXwFNwEs8te5CFrtxILim/hUghi0fnzk1OjIg3z9SfgxudRkk82h5FsG+IMxGVcG21CMG08wGZn5c8h7o2wwajAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzQLD07agUCtwPFBZtJ3LNebzurowKwYDVR0jBCQwIoAgDnKSJOiz8xeEyKk8W4729MHJHZ5uV3xFwzFjYJ/kABEwCgYIKoZIzj0EAwIDSAAwRQIhALmlPhhcsNKimf8oE849j7+aGs/sqW9bMb1WvGPpSiaSAiAaVC7xCi918SsV9aQsWaZzMmk9nZ7C9wZo26NXJkmIHA==","RawTBSCertificate":"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","RawSubjectPublicKeyInfo":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnQu0Wml8BTcBLPLXuQha7cSC4pv4VIIYtH585NToyIN8/Un4MbnUZJPNoeRbBviDMRlXBttQjBtPMBmZ+XPIew==","RawSubject":"MA4xDDAKBgNVBAMTA0ppbQ==","RawIssuer":"MHMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBvcmcxLmV4YW1wbGUuY29tMRwwGgYDVQQDExNjYS5vcmcxLmV4YW1wbGUuY29t","Signature":"MEUCIQC5pT4YXLDSopn/KBPOPY+/mhrP7KlvWzG9Vrxj6UomkgIgGlQu8QovdfErFfWkLFmmczJpPZ2ewvcGaNujVyZJiBw=","SignatureAlgorithm":10,"PublicKeyAlgorithm":3,"PublicKey":{"Curve":{"P":115792089210356248762697446949407573530086143415290314195533631308867097853951,"N":115792089210356248762697446949407573529996955224135760342422259061068512044369,"B":41058363725152142129326129780047268409114441015993725554835256314039467401291,"Gx":48439561293906451759052585252797914202762949526041747995844080717082404635286,"Gy":36134250956749795798585127919587881956611106672985015071877198253568414405109,"BitSize":256,"Name":"P-256"},"X":71033797297131817193711733079881010446297886807255797807837336861417549645955,"Y":56534316050500800737927011500350439466296501563628725904613912410006870018171},"Version":3,"SerialNumber":82684676222266136728228704829384846675903069987,"Issuer":{"Country":["US"],"Organization":["org1.example.com"],"OrganizationalUnit":null,"Locality":["San Francisco"],"Province":["California"],"StreetAddress":null,"PostalCode":null,"SerialNumber":"","CommonName":"ca.org1.example.com","Names":[{"Type":[2,5,4,6],"Value":"US"},{"Type":[2,5,4,8],"Value":"California"},{"Type":[2,5,4,7],"Value":"San Francisco"},{"Type":[2,5,4,10],"Value":"org1.example.com"},{"Type":[2,5,4,3],"Value":"ca.org1.example.com"}],"ExtraNames":null},"Subject":{"Country":null,"Organization":null,"OrganizationalUnit":null,"Locality":null,"Province":null,"StreetAddress":null,"PostalCode":null,"SerialNumber":"","CommonName":"Jim","Names":[{"Type":[2,5,4,3],"Value":"Jim"}],"ExtraNames":null},"NotBefore":"2017-09-19T07:43:00Z","NotAfter":"2018-09-19T07:43:00Z","KeyUsage":1,"Extensions":[{"Id":[2,5,29,15],"Critical":true,"Value":"AwIHgA=="},{"Id":[2,5,29,19],"Critical":true,"Value":"MAA="},{"Id":[2,5,29,14],"Critical":false,"Value":"BBTNAsPTtqBQK3A8UFm0ncs15vO6ug=="},{"Id":[2,5,29,35],"Critical":false,"Value":"MCKAIA5ykiTos/MXhMipPFuO9vTByR2ebld8RcMxY2Cf5AAR"}],"ExtraExtensions":null,"UnhandledCriticalExtensions":null,"ExtKeyUsage":null,"UnknownExtKeyUsage":null,"BasicConstraintsValid":true,"IsCA":false,"MaxPathLen":-1,"MaxPathLenZero":false,"SubjectKeyId":"zQLD07agUCtwPFBZtJ3LNebzuro=","AuthorityKeyId":"DnKSJOiz8xeEyKk8W4729MHJHZ5uV3xFwzFjYJ/kABE=","OCSPServer":null,"IssuingCertificateURL":null,"DNSNames":null,"EmailAddresses":null,"IPAddresses":null,"PermittedDNSDomainsCritical":false,"PermittedDNSDomains":null,"CRLDistributionPoints":null,"PolicyIdentifiers":null} ```

kesavannb (Tue, 19 Sep 2017 14:54:28 GMT):
Hi Folks, I have created a blog for Emerging Technology for Beginners , Also i added the setting up for Hyperledger fabric V 0.6 and V 1.0 on that. Kindly review and let me know your queries. Blog name : kesavannb.wordpress.com

smithbk (Tue, 19 Sep 2017 15:50:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=roJhxfg2Ed9kXuLca) @sampath06 The bytes before the "-----BEGIN CERTIFICATE----" is the MSPID

vdods (Tue, 19 Sep 2017 18:22:47 GMT):
Hi all, is there any way in fabric-ca-server to configure the tls.Config CipherSuites used to connect to an LDAP server? I've set up my LDAP server to use SSF (security strength factor) 256 (which works with tls.Config CipherSuites value of `[]uint16{tls.TLS_RSA_WITH_AES_256_CBC_SHA},`) but the fabric-ca server connects to it with a SSF of 128

smithbk (Tue, 19 Sep 2017 19:30:56 GMT):
@vdods It uses https://godoc.org/crypto/tls#Config ... we don't allow you to specify the cipher suites but the doc there says
```
// CipherSuites is a list of supported cipher suites. If CipherSuites
// is nil, TLS uses a list of suites supported by the implementation.
CipherSuites []uint16
```

vdods (Tue, 19 Sep 2017 19:32:09 GMT):
Thanks

vdods (Tue, 19 Sep 2017 19:41:30 GMT):
What is the correct syntax for `fabric-ca-client enroll` for an LDAP-connected fabric-ca-server? My root user in LDAP is "cn=jimbob, dc=localhost"

vdods (Tue, 19 Sep 2017 19:41:50 GMT):
Trying different things, I'm getting LDAP Result Code 49 "Invalid Credentials"

vdods (Tue, 19 Sep 2017 19:42:04 GMT):
fabric-ca-client enroll --url http://cn=jimbob,dc=localhost:xxx@localhost:7054

vdods (Tue, 19 Sep 2017 19:42:08 GMT):
xxx being the password

smithbk (Tue, 19 Sep 2017 19:49:25 GMT):
By default it uses an LDAP filter of "(uid=%s)" when mapping the enrollment ID to a DN ... so you need to enter the value of the uid attribute

smithbk (Tue, 19 Sep 2017 19:49:35 GMT):
You can change the filter if needed

smithbk (Tue, 19 Sep 2017 19:51:55 GMT):
See the following in the fabric-ca-server usage output: ``` --ldap.userfilter string The LDAP user filter to use when searching for users (default "(uid=%s)")```

vdods (Tue, 19 Sep 2017 22:09:25 GMT):
@smithbk Ok, so it would be something like (uid=%s,dc=localhost) ?

smithbk (Tue, 19 Sep 2017 23:26:17 GMT):
I'm not sure why you'd need the additional "dc=localhost", and looks like that wouldn't match your "dc=localhost:xxx@localhost:7054" entry above. Assuming your LDAP schema is an inetOrgPerson (see https://www.ietf.org/rfc/rfc2798.txt) then it MAY have a "uid" attribute as shown with this example in the RFC:
```
version: 1
dn: cn=Barbara Jensen,ou=Product Development,dc=siroe,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Barbara Jensen
cn: Babs Jensen
displayName: Babs Jensen
sn: Jensen
givenName: Barbara
initials: BJJ
title: manager, product development
uid: bjensen
mail: bjensen@siroe.com
telephoneNumber: +1 408 555 1862
facsimileTelephoneNumber: +1 408 555 1992
mobile: +1 408 555 1941
roomNumber: 0209
carLicense: 6ABC246
o: Siroe
ou: Product Development
departmentNumber: 2604
employeeNumber: 42
employeeType: full time
preferredLanguage: fr, en-gb;q=0.8, en;q=0.7
labeledURI: http://www.siroe.com/users/bjensen My Home Page
```

smithbk (Tue, 19 Sep 2017 23:29:17 GMT):
Of course you could change the filter to another field such as "(cn=%s)", in which case given this example they would have to enter "Barbara Jensen". I think logging in with a uid (bjenson in this example) is more user-friendly, but whatever field is used, it should be unique. Another example would be employeeNumber. It really depends on how you want to set it up.

sampath06 (Wed, 20 Sep 2017 02:25:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XGdsSGtnvjKtBTd7R) @smithbk Thanks for the suggestion. I am trying to use https://gerrit.hyperledger.org/r/#/c/13265/13/core/chaincode/lib/cid/cid.go. I am getting some missing libraries. Installed most of them but couldn't find "github.com/hyperledger/fabric/common/attrmgr". How can I install this?

sampath06 (Wed, 20 Sep 2017 02:26:02 GMT):
@smithbk The commons directory that I have does not have the attrmgr module. Is it some version incompatibility?

Jacky_Sheng (Wed, 20 Sep 2017 03:19:54 GMT):
Has joined the channel.

sampath06 (Wed, 20 Sep 2017 03:51:20 GMT):
I found those files in the master branch. Will try it out with that.

yasu (Wed, 20 Sep 2017 05:42:15 GMT):
Has joined the channel.

AbhishekSeth (Wed, 20 Sep 2017 06:12:10 GMT):
Hey @smithbk, Is there any way to completely remove the identity of a user from the network so that the same user can be freshly registered again?? I mean any way to deregister the user from the network??

indira.kalagara (Wed, 20 Sep 2017 09:29:19 GMT):
Has joined the channel.

kustrun (Wed, 20 Sep 2017 11:02:26 GMT):
@smithbk Are there any guidelines how to report problem over Jira? At the beginning I am not able to create an account. [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EHLpQPytuHAZLrPSQ)

Colonel_HLE (Wed, 20 Sep 2017 12:18:35 GMT):
Has joined the channel.

smithbk (Wed, 20 Sep 2017 12:36:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kaRfqCW53KiKZPEPt) @AbhishekSeth Not currently but work is currently in progress to support this ... but I'm also curious why you can't revoke that user and then use a different enrollment ID. Can you expound on the use case that requires reuse of a revoked identity?

smithbk (Wed, 20 Sep 2017 12:40:45 GMT):
@kustrun Did you create a linux foundation ID at https://identity.linuxfoundation.org/ ?

SimonOberzan (Wed, 20 Sep 2017 12:52:19 GMT):
Hi. I'm trying to add a peer to an exsisting network. I ran: ``` fabric-ca-client enroll -u http://admin:adminpw@localhost:7054 fabric-ca-client register --id.name peer2 --id.type peer --id.affiliation org2.department1 --id.secret peer2pw --enrollment.profile org2.example.com fabric-ca-client enroll -u http://peer2:peer2pw@localhost:7054 -M /etc/hyperledger/fabric-ca-msp```, then I ran the new peer with the generated singcerts, cacerts, keycerts and added admincerts from exsisting peer. Docker logs then gave me the following error: ```[gossip/comm] authenticateRemotePeer -> WARN 1ac Identity store rejected 172.20.0.7:7051 : Peer Identity [0a 07 4f ...] cannot be validated. No MSP found able to do that. [gossip/comm] Handshake -> WARN 1ad Authentication failed: Peer Identity [0a 07 4f...] cannot be validated. No MSP found able to do that. [gossip/discovery] func1 -> WARN 1ae Could not connect to {peer0.org2.example.com:7051 [] [] peer0.org2.example.com:7051} : Peer Identity [0a 07 4f...] cannot be validated. No MSP found able to do that.``` Did I miss any step? Also any tip on how to debug such an error would be welcome. Any help much appreciated!

SimonOberzan (Wed, 20 Sep 2017 12:52:19 GMT):
Hi. I'm trying to add a peer to an exsisting network. I ran: ``` fabric-ca-client enroll -u http://admin:adminpw@localhost:7054 fabric-ca-client register --id.name peer2 --id.type peer --id.affiliation org2.department1 --id.secret peer2pw --enrollment.profile org2.example.com fabric-ca-client enroll -u http://peer2:peer2pw@localhost:7054 -M /etc/hyperledger/fabric-ca-msp```, then I ran the new peer with the generated singcerts, cacerts, keycerts and added admincerts from exsisting peer. Docker logs then gave me the following error: ```[gossip/comm] authenticateRemotePeer -> WARN 1ac Identity store rejected 172.20.0.7:7051 : Peer Identity [0a 07 4f ...] cannot be validated. No MSP found able to do that. [gossip/comm] Handshake -> WARN 1ad Authentication failed: Peer Identity [0a 07 4f...] cannot be validated. No MSP found able to do that. [gossip/discovery] func1 -> WARN 1ae Could not connect to {peer0.org2.example.com:7051 [] [] peer0.org2.example.com:7051} : Peer Identity [0a 07 4f...] cannot be validated. No MSP found able to do that.```And on GOSSIP_BOOTSTRAP peer: ```[gossip/comm] authenticateRemotePeer -> WARN 52f Identity store rejected 172.20.0.11:39542 : Peer Identity [0a 07 6f...] cannot be validated. No MSP found able to do that.``` Did I miss any step? Also any tip on how to debug such an error would be welcome. Any help much appreciated!

SimonOberzan (Wed, 20 Sep 2017 12:52:19 GMT):
Hi. I'm trying to add a peer to an existing network. I ran:
```
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
fabric-ca-client register --id.name peer2 --id.type peer --id.affiliation org2.department1 --id.secret peer2pw --enrollment.profile org2.example.com
fabric-ca-client enroll -u http://peer2:peer2pw@localhost:7054 -M /etc/hyperledger/fabric-ca-msp
```
Then I ran the new peer with the generated signcerts, cacerts, keycerts and added admincerts from an existing peer. Docker logs then gave me the following error:
```
[gossip/comm] authenticateRemotePeer -> WARN 1ac Identity store rejected 172.20.0.7:7051 : Peer Identity [0a 07 4f ...] cannot be validated. No MSP found able to do that.
[gossip/comm] Handshake -> WARN 1ad Authentication failed: Peer Identity [0a 07 4f...] cannot be validated. No MSP found able to do that.
[gossip/discovery] func1 -> WARN 1ae Could not connect to {peer0.org2.example.com:7051 [] [] peer0.org2.example.com:7051} : Peer Identity [0a 07 4f...] cannot be validated. No MSP found able to do that.
```
And on the GOSSIP_BOOTSTRAP peer:
```
[gossip/comm] authenticateRemotePeer -> WARN 52f Identity store rejected 172.20.0.11:39542 : Peer Identity [0a 07 6f...] cannot be validated. No MSP found able to do that.
```
Did I miss any step? Also, any tip on how to debug such an error would be welcome. Any help much appreciated!

smithbk (Wed, 20 Sep 2017 13:05:13 GMT):
@SimonOberzan Is this a new peer for an existing CA? Or are you starting a new CA also?

SimonOberzan (Wed, 20 Sep 2017 13:05:36 GMT):
@smithbk Existing one

SimonOberzan (Wed, 20 Sep 2017 13:07:09 GMT):
@smithbk I have set the following variables on the CA:
```
- FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
- FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/2776d45c4e6c24b16169158a4d5f0e5a2ea346c13a0e02a283eb7ab5fc4b6efe_sk
```

SimonOberzan (Wed, 20 Sep 2017 13:09:38 GMT):
@smithbk Also, the generated cacert has the name localhost-7054.pem and is not the same as the one in the existing MSP, which I guess is not OK.

smithbk (Wed, 20 Sep 2017 13:11:38 GMT):
Hmm ... it should not be generating a cacert if you set those env vars and the files already exist

SimonOberzan (Wed, 20 Sep 2017 13:12:37 GMT):
This is the output of the commands posted above:
```
2017/09/20 13:03:45 [INFO] User provided config file: /etc/hyperledger/fabric-ca-client/fabric-ca-client-config.yaml
2017/09/20 13:03:45 [INFO] Created a default configuration file at /etc/hyperledger/fabric-ca-client/fabric-ca-client-config.yaml
2017/09/20 13:03:45 [INFO] generating key: &{A:ecdsa S:256}
2017/09/20 13:03:45 [INFO] encoded CSR
2017/09/20 13:03:45 [INFO] Stored client certificate at /etc/hyperledger/fabric-ca-client/msp/signcerts/cert.pem
2017/09/20 13:03:45 [INFO] Stored CA root certificate at /etc/hyperledger/fabric-ca-client/msp/cacerts/localhost-7054.pem
Register a peer
2017/09/20 13:03:45 [INFO] User provided config file: /etc/hyperledger/fabric-ca-client/fabric-ca-client-config.yaml
2017/09/20 13:03:45 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-client/fabric-ca-client-config.yaml
Password: peer2pw
Enroll peer
2017/09/20 13:03:45 [INFO] User provided config file: /etc/hyperledger/fabric-ca-client/fabric-ca-client-config.yaml
2017/09/20 13:03:45 [INFO] generating key: &{A:ecdsa S:256}
2017/09/20 13:03:45 [INFO] encoded CSR
2017/09/20 13:03:46 [INFO] Stored client certificate at /msp/signcerts/cert.pem
2017/09/20 13:03:46 [INFO] Stored CA root certificate at /msp/cacerts/localhost-7054.pem
```

SimonOberzan (Wed, 20 Sep 2017 13:13:23 GMT):
I then used the /msp folder for the new peer, with an added admincerts

smithbk (Wed, 20 Sep 2017 13:14:32 GMT):
Did you set those env vars before running fabric-ca-server or fabric-ca-client?

SimonOberzan (Wed, 20 Sep 2017 13:15:24 GMT):
$FABRIC_CA_HOME and $FABRIC_CA_CLIENT_HOME?

smithbk (Wed, 20 Sep 2017 13:15:50 GMT):
```
- FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
- FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/2776d45c4e6c24b16169158a4d5f0e5a2ea346c13a0e02a283eb7ab5fc4b6efe_sk
```

smithbk (Wed, 20 Sep 2017 13:16:07 GMT):
looks like that's in your docker-compose file

SimonOberzan (Wed, 20 Sep 2017 13:16:20 GMT):
I provided those with a volume

SimonOberzan (Wed, 20 Sep 2017 13:16:37 GMT):
```
volumes:
  - ${COMPOSE_PROJECT_PATH}/crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
```

smithbk (Wed, 20 Sep 2017 13:17:53 GMT):
Can you paste the beginning of the server logs where it shows what key and certfile it uses?

SimonOberzan (Wed, 20 Sep 2017 13:19:32 GMT):
```
2017/09/20 13:02:42 [INFO] Created default configuration file at /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
2017/09/20 13:02:42 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
2017/09/20 13:02:42 [INFO] The CA key and certificate files already exist
2017/09/20 13:02:42 [INFO] Key file location: /etc/hyperledger/fabric-ca-server-config/3ce82e384406c943fde5603bb446ecd6b3453d04c336d966208554e896b8a971_sk
2017/09/20 13:02:42 [INFO] Certificate file location: /etc/hyperledger/fabric-ca-server-config/ca.org2.example.com-cert.pem
```

SimonOberzan (Wed, 20 Sep 2017 13:20:23 GMT):
I previously posted wrong env settings (copied from CA1 instead of CA2)

SimonOberzan (Wed, 20 Sep 2017 13:20:52 GMT):
These are the ones I use:
```
- FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org2.example.com-cert.pem
- FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/3ce82e384406c943fde5603bb446ecd6b3453d04c336d966208554e896b8a971_sk
```

smithbk (Wed, 20 Sep 2017 13:24:58 GMT):
ok, so at this point I would start checking the SKI and AKI values of certs to see if they are really what I expect them to be. In particular, I would check with openssl to see if the AKI of the issued certificate equals the SKI of the certificate in the cacerts folder of the correct MSP. Do you know what I mean?

smithbk (Wed, 20 Sep 2017 13:26:37 GMT):
since this is happening when trying to connect to the bootstrap peer, it should be in the same MSP

SimonOberzan (Wed, 20 Sep 2017 13:28:18 GMT):
I am not really familiar with how to check that; I'll look into it.

smithbk (Wed, 20 Sep 2017 13:28:22 GMT):
Looking at the code below where the error message comes from, it should return successfully for the local MSP case, but it is not, so the local MSP must not be matching and it goes on to try the remote MSPs:
```
func (s *mspMessageCryptoService) getValidatedIdentity(peerIdentity api.PeerIdentityType) (msp.Identity, common.ChainID, error) {
	// Validate arguments
	if len(peerIdentity) == 0 {
		return nil, nil, errors.New("Invalid Peer Identity. It must be different from nil.")
	}

	// Notice that peerIdentity is assumed to be the serialization of an identity.
	// So, first step is the identity deserialization and then verify it.

	// First check against the local MSP.
	// If the peerIdentity is in the same organization of this node then
	// the local MSP is required to take the final decision on the validity
	// of the signature.
	identity, err := s.deserializer.GetLocalDeserializer().DeserializeIdentity([]byte(peerIdentity))
	if err == nil {
		// No error means that the local MSP successfully deserialized the identity.
		// We now check additional properties.

		// TODO: The following check will be replaced by a check on the organizational units
		// when we allow the gossip network to have organization unit (MSP subdivisions)
		// scoped messages.
		// The following check is consistent with the SecurityAdvisor#OrgByPeerIdentity
		// implementation.
		// TODO: Notice that the following check saves us from the fact
		// that DeserializeIdentity does not yet enforce MSP-IDs consistency.
		// This check can be removed once DeserializeIdentity will be fixed.
		if identity.GetMSPIdentifier() == s.deserializer.GetLocalMSPIdentifier() {
			// Check identity validity

			// Notice that at this stage we don't have to check the identity
			// against any channel's policies.
			// This will be done by the caller function, if needed.
			return identity, nil, identity.Validate()
		}
	}

	// Check against managers
	for chainID, mspManager := range s.deserializer.GetChannelDeserializers() {
		// Deserialize identity
		identity, err := mspManager.DeserializeIdentity([]byte(peerIdentity))
		if err != nil {
			mcsLogger.Debugf("Failed deserialization identity [% x] on [%s]: [%s]", peerIdentity, chainID, err)
			continue
		}

		// Check identity validity
		// Notice that at this stage we don't have to check the identity
		// against any channel's policies.
		// This will be done by the caller function, if needed.

		if err := identity.Validate(); err != nil {
			mcsLogger.Debugf("Failed validating identity [% x] on [%s]: [%s]", peerIdentity, chainID, err)
			continue
		}

		mcsLogger.Debugf("Validation succeeded [% x] on [%s]", peerIdentity, chainID)

		return identity, common.ChainID(chainID), nil
	}

	return nil, nil, fmt.Errorf("Peer Identity [% x] cannot be validated. No MSP found able to do that.", peerIdentity)
}
```

zemtsov (Wed, 20 Sep 2017 13:34:00 GMT):
Has joined the channel.

smithbk (Wed, 20 Sep 2017 13:34:14 GMT):
Here is how I do it. The following is me printing the ca-cert.pem from the server, but this would be the same for a file in the MSP cacerts directory. Note the final field is the SKI (Subject Key Identifier):
```
$ openssl x509 -in ca-cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            31:74:7e:8a:ed:52:83:45:ce:bf:93:2a:72:bf:d4:9a:58:3c:1f:bd
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=fabric-ca-server
        Validity
            Not Before: Sep 19 18:50:00 2017 GMT
            Not After : Sep 15 18:50:00 2032 GMT
        Subject: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=fabric-ca-server
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                EC Public Key:
                    pub:
                        04:fe:8a:96:87:61:60:4e:82:77:3a:4c:ee:74:2e:
                        ae:87:c4:ff:c5:c2:6a:60:d7:fa:2c:c6:1f:81:05:
                        49:b3:be:58:a0:13:60:f3:62:17:50:8b:40:70:f1:
                        2f:f9:55:57:a3:a4:2b:27:ff:ce:55:c9:6e:36:6d:
                        ad:3e:b1:44:75
                    ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier:
                C6:09:BE:02:BB:B2:02:EF:BD:63:00:F0:9C:E5:37:07:D5:8F:76:C2
```

SimonOberzan (Wed, 20 Sep 2017 13:36:52 GMT):
@smithbk Generated signcert:
```
X509v3 Subject Key Identifier:
    9F:F7:02:35:58:B7:EF:8C:1E:C3:63:5C:CF:2C:B1:CB:10:05:51:CA
X509v3 Authority Key Identifier:
    keyid:3C:E8:2E:38:44:06:C9:43:FD:E5:60:3B:B4:46:EC:D6:B3:45:3D:04:C3:36:D9:66:20:85:54:E8:96:B8:A9:71
```
peer0.org2 signcert:
```
X509v3 Authority Key Identifier:
    keyid:3C:E8:2E:38:44:06:C9:43:FD:E5:60:3B:B4:46:EC:D6:B3:45:3D:04:C3:36:D9:66:20:85:54:E8:96:B8:A9:71
```

SimonOberzan (Wed, 20 Sep 2017 13:37:36 GMT):
That should be OK, right?

smithbk (Wed, 20 Sep 2017 13:37:53 GMT):
And this is an ecert from a client enroll command. Note that the Authority Key Identifier from this equals the SKI from the other:
```
$ openssl x509 -in cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2a:ba:df:5b:66:03:13:b7:42:6c:9e:de:12:39:7c:f7:ff:2d:c1:35
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=fabric-ca-server
        Validity
            Not Before: Sep 20 13:31:00 2017 GMT
            Not After : Sep 20 13:31:00 2018 GMT
        Subject: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=a
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                EC Public Key:
                    pub:
                        04:6b:b5:9e:04:86:0b:fe:13:cd:c3:2f:4e:31:2b:
                        68:c7:92:bf:92:74:95:74:74:76:19:9b:cb:e0:c2:
                        d1:d5:9e:74:49:42:0b:7c:d9:42:4e:4e:0c:9d:c0:
                        fa:29:63:3d:1b:89:92:06:8b:1d:d5:e2:4c:5c:bc:
                        1f:e3:f1:9d:0d
                    ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                58:88:32:E6:4F:A6:A1:C8:92:0C:B7:29:8E:AD:19:96:95:66:7C:EB
            X509v3 Authority Key Identifier:
                keyid:C6:09:BE:02:BB:B2:02:EF:BD:63:00:F0:9C:E5:37:07:D5:8F:76:C2
            X509v3 Subject Alternative Name:
                DNS:keiths-mbp.raleigh.ibm.com
```

smithbk (Wed, 20 Sep 2017 13:39:44 GMT):
On the peer that is issuing the error message, print the cert in the local MSP's cacerts folder

SimonOberzan (Wed, 20 Sep 2017 13:41:47 GMT):
```
root@peer2:/etc/hyperledger/fabric/msp/cacerts# openssl x509 -in localhost-7054.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            76:8a:f7:93:65:d9:d9:90:fb:4e:71:52:31:30:5d:c0
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=California, L=San Francisco, O=org2.example.com, CN=ca.org2.example.com
        Validity
            Not Before: Sep 20 08:54:52 2017 GMT
            Not After : Sep 18 08:54:52 2027 GMT
        Subject: C=US, ST=California, L=San Francisco, O=org2.example.com, CN=ca.org2.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:bd:9d:1e:1c:7c:5c:63:00:16:fa:79:cc:e9:f6:
                    08:5a:f9:77:a1:54:13:86:74:e9:b7:83:6b:2d:f2:
                    46:89:2c:9b:b3:61:fc:a7:a3:7b:b7:da:3a:4c:18:
                    71:40:34:05:2a:b5:09:0e:99:66:66:8a:76:50:94:
                    8e:bc:85:5f:a3
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                Any Extended Key Usage
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                3C:E8:2E:38:44:06:C9:43:FD:E5:60:3B:B4:46:EC:D6:B3:45:3D:04:C3:36:D9:66:20:85:54:E8:96:B8:A9:71
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:ad:b6:97:bb:47:52:3a:13:14:22:57:13:aa:
         c4:ea:9d:d2:1d:67:df:02:7f:a6:12:14:61:e3:8b:b6:e9:ec:
         11:02:20:44:ff:36:e8:e9:c9:63:14:9c:8c:35:7a:fb:be:3a:
         ba:af:56:14:ce:cf:21:c4:00:d9:0d:c6:e6:0e:9a:c6:fd
```

smithbk (Wed, 20 Sep 2017 13:43:38 GMT):
Are you sure that the MSPID of the new peer is set correctly?

SimonOberzan (Wed, 20 Sep 2017 13:45:42 GMT):
Oh my

SimonOberzan (Wed, 20 Sep 2017 13:46:05 GMT):
I set it on org2MSP instead of Org2MSP...

SimonOberzan (Wed, 20 Sep 2017 13:48:58 GMT):
Got new errors now, but thank you a lot

smithbk (Wed, 20 Sep 2017 13:52:23 GMT):
np

eetti (Wed, 20 Sep 2017 18:54:11 GMT):
@mastersingh24 Please how can I use Fabric-ca to generate TLS certs

gauthampamu (Wed, 20 Sep 2017 19:27:48 GMT):
@eetti You cannot use Fabric CA to generate TLS certs. You can use the default root CA to generate the TLS certs.

eetti (Wed, 20 Sep 2017 19:28:49 GMT):
@gauthampamu Okay, thanks.

mastersingh24 (Wed, 20 Sep 2017 21:09:08 GMT):
@eetti - you can modify the `signing` section of your fabric-ca-server-config.yaml:
```
signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 0
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - client auth
        - key agreement
      expiry: 8760h
```
And then when using the fabric-ca-client, you can pass in `--enrollment.profile tls` and you'll get back a signed X509 cert which can be used for TLS communication

eetti (Wed, 20 Sep 2017 21:49:39 GMT):
@mastersingh24 I made all the changes but the fabric-ca-client still prints an error.
```
fabric-ca-client enroll -u https://admin:adminpw@ca.xyz:7054 -M ${MAP_DIR}/msp -c ${MAP_DIR}/fabric-ca-client-config.yaml --enrollment.profile tls
2017/09/20 21:46:52 [INFO] User provided config file: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2017/09/20 21:46:52 [INFO] generating key: &{A:ecdsa S:256}
2017/09/20 21:46:52 [INFO] encoded CSR
2017/09/20 21:46:52 [INFO] TLS Enabled
Error: Failed to get client TLS config: No TLS certificate files were provided
```

eetti (Wed, 20 Sep 2017 21:49:39 GMT):
@mastersingh24 I made all the changes but I didn't get a TLS cert returned.
```
fabric-ca-client enroll -u https://admin:adminpw@ca.xyz:7054 -M ${MAP_DIR}/msp --tls.certfiles ./ca-cert.pem --enrollment.profile tls
```

vdods (Wed, 20 Sep 2017 22:16:01 GMT):
Hi all, I'm trying to get fabric-ca-server up and running using a cert/key pair that I've generated myself via openssl. However, I get the following error: ```Error: Validation of certificate and key failed: Invalid certificate and/or key in files '/fabric-ca-server/ca.cert.pem' and '/fabric-ca-server/ca.key.pem': Failed parsing EC private key: asn1: structure error: tags don't match (16 vs {class:0 tag:6 length:8 isCompound:false}) {optional:false explicit:false application:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false} pkcs8```

vdods (Wed, 20 Sep 2017 22:16:21 GMT):
I can show the exact commands I used to create the key/cert pair

vdods (Wed, 20 Sep 2017 22:16:51 GMT):
This happens when I use my root CA's self-signed cert and when I use an intermediate CA whose cert was signed by the root CA

vdods (Wed, 20 Sep 2017 22:17:06 GMT):
It also happens whether or not I specify a ca-chain file.

vdods (Wed, 20 Sep 2017 22:39:48 GMT):
Never mind -- the problem was that I had a `-----BEGIN EC PARAMETERS-----` section at the beginning of my key. I remember reading somewhere that it must begin with something like "BEGIN PRIVATE KEY". Deleting this section allows the server to boot.

qingsongGuo (Thu, 21 Sep 2017 04:56:05 GMT):
Has joined the channel.

smithbk (Thu, 21 Sep 2017 13:11:59 GMT):
@eetti See https://gerrit.hyperledger.org/r/#/c/13213/18/fabric-ca/scripts/start-peer.sh for how to get a TLS cert and ecert for the peer

SimonOberzan (Thu, 21 Sep 2017 13:18:48 GMT):
@smithbk Hi. After we have solved yesterday's problem, I got another one. Now peer0 and peer1 of org2 (the org of the new peer) don't display any errors, but there are errors on peer0.org1 and peer1.org1. They are the following:
```
[gossip/comm] func1 -> WARN 490 peer2.org2.example.com:7051, PKIid:[72 126 38 46 227 64 227 123 167 189 213 77 113 92 32 12 16 209 206 157 93 166 4 30 240 80 13 109 231 102 174 58] isn't responsive: EOF
[gossip/discovery] expireDeadMembers -> WARN 491 Entering [[72 126 38 46 227 64 227 123 167 189 213 77 113 92 32 12 16 209 206 157 93 166 4 30 240 80 13 109 231 102 174 58]]
[gossip/discovery] expireDeadMembers -> WARN 492 Closing connection to Endpoint: peer2.org2.example.com:7051, InternalEndpoint: , PKI-ID: [72 126 38 46 227 64 227 123 167 189 213 77 113 92 32 12 16 209 206 157 93 166 4 30 240 80 13 109 231 102 174 58], Metadata: []
[gossip/discovery] expireDeadMembers -> WARN 493 Exiting
```
And logs of the new peer:
```
[gossip/comm] authenticateRemotePeer -> WARN 1c8 Identity store rejected 172.20.0.3:43412 : Peer Identity [0a 07 4f...] cannot be validated. No MSP found able to do that.
[gossip/comm] GossipStream -> ERRO 1c9 Authentication failed: Peer Identity [0a 07 4f...] cannot be validated. No MSP found able to do that.
[gossip/gossip] handleMessage -> WARN 1cc Message GossipMessage: tag:EMPTY alive_msg: timestamp: > , Envelope: 83 bytes, Signature: 71 bytes isn't valid
```
How can I make the peers of Org1 "accept" the new peer? Or should I disable the external gossip endpoint, and what would be the advantages/disadvantages of that? Thanks for the help.

smithbk (Thu, 21 Sep 2017 13:33:02 GMT):
@SimonOberzan No, you wouldn't disable the external endpoint. Not sure off the top of my head but guess some env var is missing or wrong. Here are the ones I have for a byfn-like network that works correctly ... no gossip errors:
```
- CORE_PEER_ID=peer1-org1
- CORE_PEER_ADDRESS=peer1-org1:7051
- CORE_PEER_LOCALMSPID=org1MSP
- CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/msp
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=net_fabric-ca
- CORE_LOGGING_LEVEL=DEBUG
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_PROFILE_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/data/org1-ca-chain.pem
- CORE_PEER_GOSSIP_USELEADERELECTION=true
- CORE_PEER_GOSSIP_ORGLEADER=false
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1-org1:7051
- CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
```

smithbk (Thu, 21 Sep 2017 13:33:28 GMT):
You could compare and also maybe @yacovm knows off the top of his head

SimonOberzan (Thu, 21 Sep 2017 13:34:11 GMT):
@smithbk Ok, thanks, will look if anything differs

smithbk (Thu, 21 Sep 2017 13:36:05 GMT):
And my peer2-org1 additionally has its bootstrap pointing to peer1-org1:
```
- CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org1:7051
```

SimonOberzan (Thu, 21 Sep 2017 14:01:13 GMT):
@smithbk Which peer is the new one here? peer2-org1?

smithbk (Thu, 21 Sep 2017 14:01:51 GMT):
in my case, they were both part of starting the network

SimonOberzan (Thu, 21 Sep 2017 14:03:43 GMT):
I don't think I understand. You didn't add a new peer by registering and enrolling it with the CA?

smithbk (Thu, 21 Sep 2017 14:05:13 GMT):
All of my peers register and enroll, but I was saying that I did that before generating the genesis block

smithbk (Thu, 21 Sep 2017 14:07:03 GMT):
fyi, the full sample is at https://gerrit.hyperledger.org/r/#/c/13213/ ... obviously not merged yet

SimonOberzan (Thu, 21 Sep 2017 14:07:26 GMT):
so you haven't generated any peers with cryptogen, but added them by registering and enrolling them and then generating the genesis block?

smithbk (Thu, 21 Sep 2017 14:08:52 GMT):
no, but the only difference should be that fabric-ca-server uses an existing signing cert and key rather than generating its own

SimonOberzan (Thu, 21 Sep 2017 14:12:08 GMT):
I see. I will try the sample you provided to see if I missed anything.

smithbk (Thu, 21 Sep 2017 14:13:35 GMT):
from the error message, it still looks like there is a reference to an invalid MSPID somewhere, but @yacovm would probably know better

subbu165 (Thu, 21 Sep 2017 14:14:09 GMT):
Hi, I'm using the getCreator() API to decipher the certificate to get the details, what is the field that gives me 1. Which user that currently invoked the Transaction

subbu165 (Thu, 21 Sep 2017 14:14:28 GMT):
2. Which Org the user belongs to? I'm trying to do this in the Chaincode

smithbk (Thu, 21 Sep 2017 14:15:15 GMT):
@SimonOberzan Let me give you the prereqs to run that sample, since not all is merged

yacovm (Thu, 21 Sep 2017 14:15:51 GMT):
@SimonOberzan just pingme in private chat. I'm out of home but will try to help from the phone

smithbk (Thu, 21 Sep 2017 14:18:11 GMT):
@SimonOberzan you need the following change sets to run that sample:
```
fabric repository: https://gerrit.hyperledger.org/r/#/c/13265/
fabric-ca repository: https://gerrit.hyperledger.org/r/#/c/13195/
```

SimonOberzan (Thu, 21 Sep 2017 14:18:34 GMT):
@smithbk Ok, thank you

smithbk (Thu, 21 Sep 2017 14:23:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9KmWT2r5hZXj9fywm) @subbu165 Once https://gerrit.hyperledger.org/r/#/c/13265/ is merged, you will have an easy way of getting the MSPID and doing access control based on attributes. See https://gerrit.hyperledger.org/r/#/c/13265/14/core/chaincode/lib/cid/README.md .... that said, the []byte that GetCreator() returns is a serialization of the MSPID as a string followed by the PEM-encoded certificate. Assuming a 1-1 mapping of MSP to org, the MSPID should be enough

subbu165 (Thu, 21 Sep 2017 14:27:29 GMT):
Yeah, got that. Can you please let me know when the merge might happen?

subbu165 (Thu, 21 Sep 2017 14:29:46 GMT):
@smithbk With the current code, I have the enrollment ID from "cert.Subject.CommonName" and the mspid from creator.GetMspid(). So the enrollment ID is where I have to extract the user? The value comes as "Admin@peerOrg1"

subbu165 (Thu, 21 Sep 2017 14:30:22 GMT):
and I'm invoking the txn as Admin user only

smithbk (Thu, 21 Sep 2017 14:34:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GoS8wjgLWkdHXCMv6) @subbu165 Reviews are backed up, so hard to say. I would hope by Monday but that is a guess

smithbk (Thu, 21 Sep 2017 14:35:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=e6rk8LG4q3ay9o4Rf) @subbu165 Yes, the enrollment ID is the common name which is the user's unique ID within a particular fabric-ca-server. Not sure that answers what you're asking

subbu165 (Thu, 21 Sep 2017 14:41:33 GMT):
@smithbk Yes, I was asking about that only. Thanks for clarifying, and 1. is there a way to extract which organization this user belongs to? Is it nothing but the MSP ID? 2. After we bootstrapped Fabric CA with the admin user and afterwards, using the Node SDK APIs with the admin user, I register new users, where will this user information be stored?

smithbk (Thu, 21 Sep 2017 15:00:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=quyBzfgtB6YvtT2J5) @subbu165 1) Yes, you can just get the MSPID. You could name your MSP's the same as the org though, so it would be the same, again assuming a 1-1 mapping between orgs and MSPs. 2) The registered user info is kept in the fabric-ca-server's database.

subbu165 (Thu, 21 Sep 2017 15:53:01 GMT):
@smithbk ok got it. Thank You.

eetti (Thu, 21 Sep 2017 20:29:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tpfvFhhJBcxZBdK4Y) @smithbk Thank you, I followed the steps, I have one last hurdle to cross. I don't want to use the root CA cert to sign the TLS certs. Do I need an intermediate CA, or is there a parameter/env variable that can be used to change the issuer of the TLS certs? Thanks in advance.

smithbk (Thu, 21 Sep 2017 20:33:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2e7F7iesgKixzNZk6) @eetti If you don't want any root CA to issue TLS certs, then yes, you would need to start an intermediate CA.

eetti (Thu, 21 Sep 2017 21:04:49 GMT):
@smithbk My ca-cert.pem file and ca-chain.pem have the CN as admin but I want it to be TLSCA. How do I change that? I followed similar steps to the change set you have on gerrit.

eetti (Thu, 21 Sep 2017 21:09:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bSTiFBDGCJuvHdNqR) @eetti @smithbk I have noticed my mistake, the enrollmentID should be the CN candidate that I desire.

smithbk (Thu, 21 Sep 2017 21:22:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bSTiFBDGCJuvHdNqR) @eetti The simplest way is to start the root CA with "-b TLSCA:password" the 1st time and when starting the intermediate CA for the first time, use "-u http://TLSCA:password@host:port". You could also register a TLSCA identity separately, but if you do, you need to make sure that it has the proper authority to enroll as an intermediate CA, which means it must have the "hf.IntermediateCA=true" attribute

nickyng (Fri, 22 Sep 2017 03:16:18 GMT):
Has joined the channel.

harik (Fri, 22 Sep 2017 08:17:50 GMT):
Hi, I have the following configuration: fabric-ca-server1 on the 1st machine, fabric-ca-server2 on the 2nd machine, haproxy on the 3rd machine. I ran the command fabric-ca-client enroll -u "http://admin:password@haproxyIP:haproxyBINDPORT", which was successful; it got redirected to the 1st machine and the client yaml was created, which contained the url of haproxy. When I run the cmd to register a peer I am getting "authorization failure". Can someone help me resolve this?

paul.sitoh (Fri, 22 Sep 2017 09:14:50 GMT):
When you register a user/peer on fabric ca, where is this credential stored in the out-of-the-box version? It does not appear to be anywhere in FABRIC_CA_SERVER home directory.

smithbk (Fri, 22 Sep 2017 11:33:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HMXtHtB2KBq5mHE4y) @harik Did you also set up mysql or postgres as the database? If you are using the default sqlite, that is the reason because sqlite is embedded in each process and does not support sharing between fabric-ca-server1 and fabric-ca-server2

SimonOberzan (Fri, 22 Sep 2017 12:19:04 GMT):
@smithbk Hi. I think my problem has something to do with wrong certificates. I have CA1 and CA2, but their certificates seem self-signed (same issuer as subject and no authority key). Isn't that the reason why the peers of one org don't accept the new peer of another org? Shouldn't the cacerts of both CAs have the same root cert?

vanhumbeecka (Fri, 22 Sep 2017 12:42:45 GMT):
Has joined the channel.

vanhumbeecka (Fri, 22 Sep 2017 12:45:19 GMT):
I have the same problem as described above. I followed the docs to the letter. I can enroll the admin, but I can't register the 'admin2'. I'm getting an 'Authorization failure'. I stuck to the default config, so something is off with these defaults..

vanhumbeecka (Fri, 22 Sep 2017 12:46:10 GMT):
so response is 'Authorization failure' on the client side. On the server side, the logs say '[ERROR] No certificates found for provided serial and aki'

eetti (Fri, 22 Sep 2017 12:47:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cWaWnXEEzamNHyXzG) @vanhumbeecka Check the password of the CA admin i.e the one used to start the fabric CA, it could be different from the one you are using to register.

vanhumbeecka (Fri, 22 Sep 2017 12:56:51 GMT):
@eetti double checked the 'admin' user and 'adminpw' password. No luck so far

paul.sitoh (Fri, 22 Sep 2017 13:30:33 GMT):
Folks, why does npm fabric-ca-client not also pull down fabric-client, since the former is dependent on the other for GRPC module? What would be the point of having fabric-ca-client as an independent module if you still need to have fabric-client?

smithbk (Fri, 22 Sep 2017 13:53:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ERuQfSiZoagLZFTgn) @SimonOberzan No, the cacerts of both CAs would not have the same root cert. The cacerts will contain self-signed certs, and for 2 different CAs they will and should be different

smithbk (Fri, 22 Sep 2017 13:54:22 GMT):
@SimonOberzan I'll ping direct

smithbk (Fri, 22 Sep 2017 14:22:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cWaWnXEEzamNHyXzG) @vanhumbeecka Hi, can you point me to the docs that you followed ... and which steps in them?

smithbk (Fri, 22 Sep 2017 14:22:25 GMT):
@vanhumbeecka It sounds like the fabric-ca-server database was deleted and recreated after you enrolled, so when you try to register it can't find that certificate in its DB. If you perform the enroll again, I believe the register will then succeed.

smithbk (Fri, 22 Sep 2017 14:26:56 GMT):
@vanhumbeecka If the docs led you down that path, we need to fix

eetti (Fri, 22 Sep 2017 18:40:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zfNo6GCXgC5jwKkWc) @vanhumbeecka You may need to restart your server. Before you do that, delete the sqlite file fabric-ca-server.db and the msp folder if you are sharing the fabric-ca-server (FABRIC_CA_SERVER_HOME) folder volume with your host machine.

tlsdmstn56 (Sat, 23 Sep 2017 00:10:59 GMT):
Has joined the channel.

danconway (Sat, 23 Sep 2017 18:51:48 GMT):
Has joined the channel.

aambati (Sat, 23 Sep 2017 21:08:33 GMT):
Anyone seen this error... I am getting this error after rebasing one of my change sets... I get the error with both go1.8.1 and go1.9 when making fabric-ca-client or fabric-ca-server:
```
/usr/local/Cellar/go/1.9/libexec/pkg/tool/darwin_amd64/link: running clang failed: exit status 1
duplicate symbol _FetchPEMRootsCTX509 in:
    /var/folders/r1/jplnn1z139x5d6jqj_62dn0h0000gn/T/go-link-829893036/000006.o
    /var/folders/r1/jplnn1z139x5d6jqj_62dn0h0000gn/T/go-link-829893036/000007.o
duplicate symbol _FetchPEMRootsCTX509_MountainLion in:
    /var/folders/r1/jplnn1z139x5d6jqj_62dn0h0000gn/T/go-link-829893036/000006.o
    /var/folders/r1/jplnn1z139x5d6jqj_62dn0h0000gn/T/go-link-829893036/000007.o
duplicate symbol __cgo_d1bc793333c2_Cfunc_CFDataGetBytePtr in:
    /var/folders/r1/jplnn1z139x5d6jqj_62dn0h0000gn/T/go-link-829893036/000006.o
    /var/folders/r1/jplnn1z139x5d6jqj_62dn0h0000gn/T/go-link-829893036/000007.o
duplicate symbol __cgo_d1bc793333c2_Cfunc_CFDataGetLength in:
    /var/folders/r1/jplnn1z139x5d6jqj_62dn0h0000gn/T/go-link-829893036/000006.o
    /var/folders/r1/jplnn1z139x5d6jqj_62dn0h0000gn/T/go-link-829893036/000007.o
duplicate symbol __cgo_d1bc793333c2_Cfunc_CFRelease in:
    /var/folders/r1/jplnn1z139x5d6jqj_62dn0h0000gn/T/go-link-829893036/000006.o
    /var/folders/r1/jplnn1z139x5d6jqj_62dn0h0000gn/T/go-link-829893036/000007.o
duplicate symbol __cgo_d1bc793333c2_Cfunc_FetchPEMRootsCTX509 in:
    /var/folders/r1/jplnn1z139x5d6jqj_62dn0h0000gn/T/go-link-829893036/000006.o
    /var/folders/r1/jplnn1z139x5d6jqj_62dn0h0000gn/T/go-link-829893036/000007.o
duplicate symbol _useOldCodeCTX509 in:
    /var/folders/r1/jplnn1z139x5d6jqj_62dn0h0000gn/T/go-link-829893036/000006.o
    /var/folders/r1/jplnn1z139x5d6jqj_62dn0h0000gn/T/go-link-829893036/000007.o
ld: 7 duplicate symbols for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
```

gentios (Sun, 24 Sep 2017 09:26:18 GMT):
Has joined the channel.

gentios (Sun, 24 Sep 2017 09:26:26 GMT):
Hi Guys

gentios (Sun, 24 Sep 2017 09:26:45 GMT):
can someone explain to me how to generate the /creds folder

gentios (Sun, 24 Sep 2017 09:27:00 GMT):
for example:

gentios (Sun, 24 Sep 2017 09:27:02 GMT):
```
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgNmsvQQm4nwrxOKFX
UNfLPgjNm+FtYu3vb6OZ9q/5GbChRANCAAQKZvNQOjMissqOnc4DMi1IbubsWXDv
qtPxU7wTqi2ULDEq0FGQ+lkvueisLc2yPITff0nk7ilcKqEgClDJFGxG
-----END PRIVATE KEY-----
```

gentios (Sun, 24 Sep 2017 09:27:08 GMT):
```
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECmbzUDozIrLKjp3OAzItSG7m7Flw
76rT8VO8E6otlCwxKtBRkPpZL7norC3NsjyE339J5O4pXCqhIApQyRRsRg==
-----END PUBLIC KEY-----
```

gentios (Sun, 24 Sep 2017 09:27:16 GMT):
```
{"name":"PeerAdmin","mspid":"Org1MSP","roles":null,"affiliation":"","enrollmentSecret":"","enrollment":{"signingIdentity":"5890f0061619c06fb29dea8cb304edecc020fe63f41a6db109f1e227cc1cb2a8","identity":{"certificate":"-----BEGIN CERTIFICATE-----\nMIICGTCCAb+gAwIBAgIQKKKdQSzsDoUYn/LPAuRWGTAKBggqhkjOPQQDAjBzMQsw\nCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy\nYW5jaXNjbzEZMBcGA1UEChMQb3JnMS5leGFtcGxlLmNvbTEcMBoGA1UEAxMTY2Eu\nb3JnMS5leGFtcGxlLmNvbTAeFw0xNzA2MjMxMjMzMTlaFw0yNzA2MjExMjMzMTla\nMFsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMR8wHQYDVQQDDBZBZG1pbkBvcmcxLmV4YW1wbGUuY29tMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECmbzUDozIrLKjp3OAzItSG7m7Flw76rT\n8VO8E6otlCwxKtBRkPpZL7norC3NsjyE339J5O4pXCqhIApQyRRsRqNNMEswDgYD\nVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwKwYDVR0jBCQwIoAgDnKSJOiz8xeE\nyKk8W4729MHJHZ5uV3xFwzFjYJ/kABEwCgYIKoZIzj0EAwIDSAAwRQIhALT02pc/\nyfE/4wUJfUBQ32GifUEh8JktAXzL/73S0rjYAiACNSp6zAQBX9SBxTOGMk4cGGAy\nCKqf8052NVUs2CvPzA==\n-----END CERTIFICATE-----\n"}}}
```

SethiSaab (Sun, 24 Sep 2017 14:14:49 GMT):
Hi Team, I am getting an error while registering a user... when I run this command fabric-ca-client register --id.name admin2 --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,admin=true:ecert' I get the following error:
```
2017/09/24 07:12:46 [DEBUG] Directing traffic to default CA
2017/09/24 07:12:46 [DEBUG] Checking for revocation/expiration of certificate owned by 'admin'
2017/09/24 07:12:46 [DEBUG] DB: Get certificate by serial (8247494153b0aec633674b90a34d97e066ba3bb) and aki (1e94125663d537fb926ba373a2ab9ba321c2ec34)
2017/09/24 07:12:46 [ERROR] No certificates found for provided serial and aki
```

smithbk (Sun, 24 Sep 2017 15:23:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hCKdSnu6Xa876Qfbe) @gentios The /creds folder of what? Is that a node or java SDK folder? If yes, I suggest asking on the fabric-sdk-node/java channel. If not, pls explain where you see this folder.

smithbk (Sun, 24 Sep 2017 15:26:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EMem93J5Hc7CMhAMP) @SethiSaab This typically means that the server's DB was deleted and recreated after you enrolled. You will need to enroll again to get a new registrar's ecert.

gentios (Sun, 24 Sep 2017 16:29:20 GMT):
@smithbk in fabric-samples/fabcar there is a folder /creds with which you make requests to the ledger

gentios (Sun, 24 Sep 2017 16:29:41 GMT):
```
let options = {
    wallet_path: path.join(__dirname, "../creds"),
    user_id: "PeerAdmin",
    channel_id: "mychannel",
    chaincode_id: "fabcar",
    peer_url: "grpc://localhost:7051",
    event_url: "grpc://localhost:7053",
    orderer_url: "grpc://localhost:7050"
};
```

gentios (Sun, 24 Sep 2017 16:31:31 GMT):
so this is the wallet path, which gets the /creds folder and in the /creds folder there is the code which I pasted above

gentios (Sun, 24 Sep 2017 16:37:08 GMT):
so my question is how to generate the /creds folder, or how to create a wallet_path

gentios (Sun, 24 Sep 2017 16:37:16 GMT):
because I have setup a custom network

aambati (Sun, 24 Sep 2017 19:13:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2r36QK8pKqwfw7vNH) @aambati I figured out my problem... I had different versions of cfssl in the gopath and vendor folder after I rebased. Once I fixed the versions to be the same, it worked

smithbk (Sun, 24 Sep 2017 20:12:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xahSkJkgj75w3fs3A) @gentios Ah, so this is the default file-based key value store created by the node SDK. I would think the easiest way is to start off with an empty creds folder and then use the node SDK API to enroll the peer admin user, using its enrollment ID and secret. This should populate the creds folder. It looks like the getAdminUser function in fabric-samples/balance-transfer/app/helper.js shows you how to do this. @jimthematrix. Jim, is this correct or is there an easier way? Does the fabcar sample assume you've run the balance-transfer sample?

Smithatv (Mon, 25 Sep 2017 06:28:08 GMT):

Message Attachments

Smithatv (Mon, 25 Sep 2017 06:28:08 GMT):
@smithbk, I ran

Smithatv (Mon, 25 Sep 2017 06:28:36 GMT):
I ran the above fabric-ca-client command and I am getting the server error below

Smithatv (Mon, 25 Sep 2017 06:29:17 GMT):

Message Attachments

Smithatv (Mon, 25 Sep 2017 06:29:52 GMT):
could you please help me understand the problem and also how to solve this issue

Smithatv (Mon, 25 Sep 2017 06:46:14 GMT):
and what is the difference between "noclientcert","RequestClientCert", "RequestAnyClientCert", "VerifyClientCertIfGiven" etc etc

Smithatv (Mon, 25 Sep 2017 06:46:36 GMT):
will these help in controlling who can access chaincode?

gentios (Mon, 25 Sep 2017 09:13:59 GMT):
@smithbk can you elaborate it more, on how to achieve it ?

smithbk (Mon, 25 Sep 2017 11:18:00 GMT):
@Smithatv The server is listening with TLS enabled. This means that the client must connect to it using https instead of http, and also means that you must either use the --tls.certfiles option or set the env variable as follows:
```
export FABRIC_CA_CLIENT_TLS_CERTFILES=ca-cert.pem
```
where ca-cert.pem is the root CA cert from the server.

gentios (Mon, 25 Sep 2017 11:28:02 GMT):
@smithbk, can you elaborate a little bit more on how to generate the /creds folder

gentios (Mon, 25 Sep 2017 11:30:24 GMT):
@smithbk I cannot find the function where it writes /creds folder

toriaezunama (Mon, 25 Sep 2017 12:12:36 GMT):
Has joined the channel.

DarshanBc (Mon, 25 Sep 2017 13:09:53 GMT):
Hi, my requirement is similar to balance transfer. Now I need to send asset x from Jim to Barry. I will decode who is sending through getCreator(); similarly, can I retrieve the recipient's enrollment ID through certs?

smithbk (Mon, 25 Sep 2017 13:18:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RHMRn78cfJm2TeZ9Q) @gentios @jimthematrix Jim, can you help with creating the creds folder?

smithbk (Mon, 25 Sep 2017 13:21:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gaWJ68QAp2Yxw7jJR) @DarshanBc We really need to get the library merged to make this easier. Once that is done, see https://gerrit.hyperledger.org/r/#/c/13265/14/core/chaincode/lib/cid/README.md for how to associate an arbitrary attribute with the cert and to access it from chaincode.

jimthematrix (Mon, 25 Sep 2017 16:30:43 GMT):
@gentios the creds folder is backing both the `stateStore` (for managing the User objects) and `cryptoKeyStore` (for persisting private keys) objects in the node.js SDK. If you want to generate the artifacts in the folder from your own tool, it'll involve the following steps:
- generate an ECDSA key pair (making sure the EC params like curve match what the code expects)
- calculate the key pair's Subject Key Index based on the algo here: https://github.com/hyperledger/fabric-sdk-node/blob/release/fabric-client/lib/impl/ecdsa/key.js#L64
- save the private key in a file under the name in PEM encoding
- save the user object in a file under the name by using the existing user file as a reference

jimthematrix (Mon, 25 Sep 2017 16:31:27 GMT):
or you can write a small program with node SDK to do the above steps

JonathanTan (Mon, 25 Sep 2017 17:09:06 GMT):
any help on this would be greatly appreciated: https://stackoverflow.com/questions/46410592/unable-to-revoke-a-certificate-or-enrollment-id-with-fabric-node-sdk

smithbk (Mon, 25 Sep 2017 19:13:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=r2uyMgZ3bpeq3Bppv) @JonathanTan I just posted a response

smithbk (Mon, 25 Sep 2017 19:22:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qf2HSZajTevKxcydg) @Smithatv These are directly from https://golang.org/pkg/crypto/tls/#ClientAuthType which also doesn't document what they are :-) ... but here goes.
1) noclientcert means TLS client auth is disabled (which is typical)
2) RequestClientCert means the client's cert is requested but not validated ... this is useful for performing app-level checks
3) RequestAnyClientCert - not really sure, but think this accepts any cert signed by the server's trusted root/intermediate certs
4) VerifyClientCertIfGiven - assuming one or more specific client certs are provided, make sure it is one of those
5) RequireAndVerifyClientCert - requires that it be one of the specific certs provided

JonathanTan (Tue, 26 Sep 2017 02:29:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6E57Ai2A5LCtJxCdv) @smithbk thanks let me take a look

zemtsov (Tue, 26 Sep 2017 06:12:35 GMT):
Hi, I have some questions about certificates. What if my certificate was compromised? Should it be revoked and re-issued? Will I be able to read my old transactions with the new certificate?

yushan (Tue, 26 Sep 2017 09:16:06 GMT):
Has joined the channel.

smithbk (Tue, 26 Sep 2017 11:44:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=79jWRzbTaaFS5ZgEY) @zemtsov Yes, it should be revoked and re-issued. Yes, you can read old transactions with new certificate.

zemtsov (Tue, 26 Sep 2017 11:46:10 GMT):
@smithbk Thank you!

gentios (Wed, 27 Sep 2017 06:22:41 GMT):
@jimthematrix do you have any node SDK example on how to achieve this ?

gentios (Wed, 27 Sep 2017 06:44:17 GMT):
I am trying to enroll a user and populate the /creds folder, but I keep getting

gentios (Wed, 27 Sep 2017 06:44:23 GMT):
*Cannot read property 'isEnrolled' of null*

gentios (Wed, 27 Sep 2017 06:44:56 GMT):
when deploying the network in docker I used this command

gentios (Wed, 27 Sep 2017 06:44:59 GMT):
* command: sh -c 'fabric-ca-server start -b admin:adminpw -d'*

gentios (Wed, 27 Sep 2017 06:45:43 GMT):
and now in the Node SDK I am trying to enroll like this:

gentios (Wed, 27 Sep 2017 06:45:44 GMT):
```
return caClient.enroll({
    enrollmentID: username,
    enrollmentSecret: password
});
```

gentios (Wed, 27 Sep 2017 06:45:58 GMT):
but I keep getting that error

paul.sitoh (Wed, 27 Sep 2017 09:29:58 GMT):
Folks, I am trying to understand the relationship between fabric ca and peers. On a development network, all the certs you need for peers originate from cryptogen rather than Fabric CA, whereas if you use fabric-node-sdk you get certs from Fabric CA. In which case, how would the fabric-node-sdk and peer exchange public keys, when the certs from both parties are from different roots?

Vadim (Wed, 27 Sep 2017 09:38:45 GMT):
@paul.sitoh the fabric CA must sign certs it issues with certs which are trusted by the peers (i.e. they should be e.g. one of the MSP org certs which are configured in the genesis block and the channel)

Vadim (Wed, 27 Sep 2017 09:39:27 GMT):
you can also issue peer certs using fabric CA, the cryptogen tool just makes it easier

paul.sitoh (Wed, 27 Sep 2017 09:39:55 GMT):
I understand the peer does not interact with the CA, so how does it get any signed certs?

paul.sitoh (Wed, 27 Sep 2017 09:40:13 GMT):
I am referring to development model of course

Vadim (Wed, 27 Sep 2017 09:40:41 GMT):
it has trusted roots in the genesis block; when it gets a cert with a transaction, it checks that the trust chain terminates at one of the certs in the trusted roots

Vadim (Wed, 27 Sep 2017 09:41:38 GMT):
kinda the same as how your browser trusts the google website even though it might never have seen the google cert before

paul.sitoh (Wed, 27 Sep 2017 09:42:26 GMT):
But if the fabric ca is the root cert, does cryptogen produce the same one?

Vadim (Wed, 27 Sep 2017 09:43:02 GMT):
you just configure fabric ca to use the root cert from cryptogen

Vadim (Wed, 27 Sep 2017 09:43:24 GMT):
otherwise, the fabric ca will generate its own cert and peers won't trust it

paul.sitoh (Wed, 27 Sep 2017 09:43:41 GMT):
How will you do that?

paul.sitoh (Wed, 27 Sep 2017 09:44:13 GMT):
Get the CA to use the cryptogen's root cert

Vadim (Wed, 27 Sep 2017 09:45:31 GMT):
you specify it in fabric-ca-server-config.yaml or over the command line

Vadim (Wed, 27 Sep 2017 09:46:24 GMT):
I think you also need to edit the CSR part of the config file to match the cryptogen cert

paul.sitoh (Wed, 27 Sep 2017 09:47:17 GMT):
All I got is this doc for CA http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html. No mention of "synchronising" with cryptogen.

Katiyman (Wed, 27 Sep 2017 09:48:06 GMT):
Hello, I wanted to understand all about the certificates involved in hyperledger fabric. Can anyone please point me in the right direction for understanding it?

MeenakshiSingh (Wed, 27 Sep 2017 09:57:33 GMT):
Hi.. I am trying to enable TLS on my fabric network. While enrolling a peer, I got the following error. Can anybody please help?

MeenakshiSingh (Wed, 27 Sep 2017 09:57:48 GMT):

Message Attachments

paul.sitoh (Wed, 27 Sep 2017 09:58:53 GMT):
Cryptogen uses crypto-config.yaml whereas Fabric CA uses ca.certfile and ca.keyfile. How do I reconcile the two?

Vadim (Wed, 27 Sep 2017 10:37:05 GMT):
@paul.sitoh run `fabric-ca-server --help`; it will output all options, and among them the ones that allow you to specify existing root certs

paul.sitoh (Wed, 27 Sep 2017 10:45:01 GMT):

Message Attachments

paul.sitoh (Wed, 27 Sep 2017 10:45:49 GMT):
Like this?

Vadim (Wed, 27 Sep 2017 10:46:42 GMT):
@paul.sitoh yes

paul.sitoh (Wed, 27 Sep 2017 10:46:51 GMT):
@Vadim thanks

paul.sitoh (Wed, 27 Sep 2017 10:53:08 GMT):
Looks like the doc needs to be updated

gentios (Wed, 27 Sep 2017 11:15:47 GMT):
@Vadim, I have successfully enrolled a user; how do I write that user object into the creds folder?

Vadim (Wed, 27 Sep 2017 11:16:54 GMT):
@gentios it's written to your state store folder, check the logs of your js script to find out where it is

Vadim (Wed, 27 Sep 2017 11:17:44 GMT):
most likely it's in ~/.hfc-key-store

gentios (Wed, 27 Sep 2017 11:21:38 GMT):
@Vadim I am in that folder and I do not see the creds

gentios (Wed, 27 Sep 2017 11:21:45 GMT):
but the script ran just fine

gentios (Wed, 27 Sep 2017 12:11:49 GMT):
@Vadim thank you very much for the help and support I really appreciate it

smithbk (Wed, 27 Sep 2017 13:53:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qsfzLHqSxEkgXWSNu) @paul.sitoh Let me try to clarify the relationship between cryptogen and fabric CA. In a nutshell, cryptogen is a dev only tool and should not be used in a real deployment, whereas fabric CA can be used in a real deployment. The reason cryptogen is not appropriate for a real deployment is because it generates the private keys all on one host. In a multi-host topology, you would then have to copy the private keys. This is bad from a security perspective because the private key should never leave the host where it was generated. So yes, it is possible to generate keys with cryptogen and fabric CA server and client can then use those keys, but this is not recommended since it still requires copying the private keys. So it really depends on what you want to accomplish as to which tool to use and how/when to generate the keys.

paul.sitoh (Wed, 27 Sep 2017 13:55:39 GMT):
@smithbk fully agree with you that cryptogen is purely for development

paul.sitoh (Wed, 27 Sep 2017 13:56:58 GMT):
But I think the doc certainly lacks use cases that could enable the reader to understand the implications

smithbk (Wed, 27 Sep 2017 13:57:26 GMT):
You mean doc on cryptogen?

paul.sitoh (Wed, 27 Sep 2017 13:57:33 GMT):
The doc

paul.sitoh (Wed, 27 Sep 2017 13:57:42 GMT):
Well cryptogen too

paul.sitoh (Wed, 27 Sep 2017 13:57:50 GMT):
what it is intended for

Asara (Wed, 27 Sep 2017 13:57:59 GMT):
So what would a production deployment process look like? How would new instances (peers/orderers) get their crypto materials?

Asara (Wed, 27 Sep 2017 13:58:31 GMT):
I assumed you bootstrap your environment with cryptogen (for the orderers/peers), and then use the sdk to get the rest of the credentials using the AdminID of the organization

smithbk (Wed, 27 Sep 2017 13:59:12 GMT):
See https://gerrit.hyperledger.org/r/#/c/13213/ ... am trying to get this sample merged

smithbk (Wed, 27 Sep 2017 14:00:12 GMT):
In particular, see https://gerrit.hyperledger.org/r/#/c/13213/24/fabric-ca/scripts/start-orderer.sh for how the orderer gets crypto material and https://gerrit.hyperledger.org/r/#/c/13213/24/fabric-ca/scripts/start-peer.sh for how the peer gets its crypto material

smithbk (Wed, 27 Sep 2017 14:01:03 GMT):
And see https://gerrit.hyperledger.org/r/#/c/13213/24/fabric-ca/README.md for an overview of how the sample works

smithbk (Wed, 27 Sep 2017 14:04:10 GMT):
One other caution: the part of that sample which demonstrates ABAC (Attribute Based Access Control) will not work until https://gerrit.hyperledger.org/r/#/c/13265/ is merged

smithbk (Wed, 27 Sep 2017 14:06:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ktAYXAbeh4pw8Dv3S) @gentios If you're still having trouble with this, I'd suggest asking on the #fabric-sdk-node channel

gentios (Wed, 27 Sep 2017 14:19:27 GMT):
@smithbk no I have already fixed that, thank you for the support

lehors (Wed, 27 Sep 2017 17:02:21 GMT):
@smithbk I just realized that a few test files in the lib dir are said to be in package lib_test while all the others (including some tests) are in package lib, is that intentional?

lehors (Wed, 27 Sep 2017 17:11:56 GMT):
ok I think I get it

smithbk (Wed, 27 Sep 2017 17:12:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=o8QSvQmvo7fdzX6Eb) @lehors I can't claim all of them are correct but in general, yes there are both black box tests (lib_test) and white box tests (lib)

lehors (Wed, 27 Sep 2017 17:12:25 GMT):
right, that's what I just realized!

lehors (Wed, 27 Sep 2017 17:12:52 GMT):
I was wondering what the name client_whitebox was about :)

lehors (Wed, 27 Sep 2017 17:13:01 GMT):
I just figured it out. duh!

Amjadnz (Wed, 27 Sep 2017 19:18:01 GMT):
@smithbk - if I have 4 orgs and want them to connect to the same ORDERER, I am not able to achieve that configuration. If you can guide me that would be great.
```
TLS:
    Enabled: true
    PrivateKey: /msp/keystore/private_key_sk
    Certificate: /orderers/orderer.uae-bc-network.org/msp/signcerts/orderer.uae-bc-network.org-cert.pem
    #RootCAs:
    #  - /tts/official/src/github.com/hyperledger/fabric/build/bin/crypto-config/ordererOrganizations/uae-bc-network.org/orderers/orderer.uae-bc-network.org/msp/cacerts/ca.uae-bc-network.org-cert.pem
    ClientAuthEnabled: true
    ClientRootCAs:
      - /ca/ca.org1-cert.pem
      - /ca/ca.org2-cert.pem
      - /ca/ca.org3-cert.pem
      - /ca/ca.org4-cert.pem
```

Amjadnz (Wed, 27 Sep 2017 19:19:54 GMT):
This extract is from the orderer.yaml

jcbombardelli (Wed, 27 Sep 2017 20:25:10 GMT):
Has joined the channel.

Asara (Wed, 27 Sep 2017 20:42:13 GMT):
@smithbk Thanks for the links!

smithbk (Wed, 27 Sep 2017 20:58:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zdJQFRncqrDMXXJv8) @Amjadnz The PrivateKey path doesn't look right to me unless it was copied there explicitly. Is there a file in the /orderers/orderer.uae-bc-network.org/msp/keystore directory? It seems it should be there. What is the error message saying on both the client and server side?

Amjadnz (Wed, 27 Sep 2017 21:24:52 GMT):
@smithbk - re-configuring with a smaller number of nodes and peers, just to get to the bottom of it. I will reply back shortly once that area is clean.

jcbombardelli (Wed, 27 Sep 2017 21:45:34 GMT):
Hi, I'm an enthusiast of Hyperledger technology and I'm digging into 'fabric-ca'. I'm following the documentation available in http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#overview and I'm having trouble starting 'fabric-ca-client': some Go compile errors appear and I'm not expert enough to solve them. The errors are below and the files are 'Config.go' and 'Main.go'. Image hosted at: https://drive.google.com/file/d/0Bxx3i5g3ZkD3U0puX3l0a1h1aEU/view?usp=sharing
```
Config.go error 1:
cannot use pflags (type *"github.com/spf13/pflag".FlagSet) as type *"github.com/hyperledger/fabric-ca/vendor/github.com/spf13/pflag".FlagSet in argument to util.FlagString
import (util "github.com/hyperledger/fabric-ca/util")

Config.go error 2:
cannot use pflags (type *"github.com/spf13/pflag".FlagSet) as type *"github.com/hyperledger/fabric-ca/vendor/github.com/spf13/pflag".FlagSet in argument to util.RegisterFlags

Main.go:
cannot use "github.com/spf13/viper".GetViper() (type *"github.com/spf13/viper".Viper) as type *"github.com/hyperledger/fabric-ca/vendor/github.com/spf13/viper".Viper in argument to util.ViperUnmarshal
```

Amjadnz (Wed, 27 Sep 2017 21:51:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7FBCsWoy6PJGFSN5Q) @smithbk - Hello there.
```
CORE_PEER_MSPCONFIGPATH=/tts/official/src/github.com/hyperledger/fabric/build/bin/crypto-config/peerOrganizations/adx.ubn.org/users/Admin@adx.ubn.org/msp \
CORE_PEER_ADDRESS=peer0.adx.ubn.org:7051 \
CORE_PEER_LOCALMSPID="ADXOrg" \
CORE_PEER_TLS_ROOTCERT_FILE=/tts/official/src/github.com/hyperledger/fabric/build/bin/crypto-config/peerOrganizations/adx.ubn.org/peers/peer0.adx.ubn.org/tls/ca.crt \
./peer channel create -o ca.ubn.org:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls true --cafile /tts/official/src/github.com/hyperledger/fabric/build/bin/crypto-config/ordererOrganizations/ubn.org/orderers/orderer.ubn.org/msp/tlscacerts/tlsca.ubn.org-cert.pem
```

Amjadnz (Wed, 27 Sep 2017 21:52:06 GMT):
On running the above command I get the following error message

Amjadnz (Wed, 27 Sep 2017 21:52:30 GMT):
```Error: Error connecting due to rpc error: code = Internal desc = connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority" Usage: peer channel create [flags]```

Amjadnz (Wed, 27 Sep 2017 21:54:18 GMT):
I'm using the following structure:
ubn.org -> Orderer
adx.ubn.org -> Node 1 -> has 2 peers -> peer0 and peer1
sca.ubn.org -> Node 2 -> has 2 peers -> peer0 and peer1

Amjadnz (Wed, 27 Sep 2017 21:56:52 GMT):
On the orderer side - I have this message
```
2017-09-28 01:48:55.934 GST [grpc] Printf -> DEBU 2a6 grpc: Server.Serve failed to complete security handshake from "127.0.0.1:56650": remote error: tls: bad certificate
2017-09-28 01:49:54.091 GST [grpc] Printf -> DEBU 2a7 grpc: Server.Serve failed to complete security handshake from "127.0.0.1:56657": remote error: tls: bad certificate
```

Amjadnz (Wed, 27 Sep 2017 21:57:29 GMT):
So obviously something is not right with my certs configuration - that is missing my attention.

Amjadnz (Wed, 27 Sep 2017 21:58:49 GMT):
```
TLS:
    Enabled: true
    PrivateKey: crypto-config/ordererOrganizations/ubn.org/ca/22cd19ead0f58a8bd9ab654601b4425c276d77a437a60082289d375311ee3c55_sk
    Certificate: crypto-config/ordererOrganizations/ubn.org/ca/ca.ubn.org-cert.pem
    RootCAs:
      - /tts/official/src/github.com/hyperledger/fabric/build/bin/crypto-config/ordererOrganizations/ubn.org/orderers/orderer.ubn.org/msp/tlscacerts/tlsca.ubn.org-cert.pem
    ClientAuthEnabled: false
    ClientRootCAs:
```

Amjadnz (Wed, 27 Sep 2017 21:58:49 GMT):
```
TLS:
    Enabled: true
    PrivateKey: crypto-config/ordererOrganizations/ubn.org/orderers/orderer.ubn.org/msp/keystore/f858f72812c25c857719f18a2f17bd721cd080e31524b8311ee4947bec609b72_sk
    Certificate: crypto-config/ordererOrganizations/ubn.org/orderers/orderer.ubn.org/msp/signcerts/orderer.ubn.org-cert.pem
    RootCAs:
      - crypto-config/ordererOrganizations/ubn.org/orderers/orderer.ubn.org/msp/tlscacerts/tlsca.ubn.org-cert.pem
    ClientAuthEnabled: false
    ClientRootCAs:
```

Amjadnz (Wed, 27 Sep 2017 21:59:02 GMT):
configuration at orderer.yaml

vdods (Wed, 27 Sep 2017 22:20:40 GMT):
Say I've got a cert hierarchy like: RootCA -> IntermediateCA -> peer. The peer uses RootCA's cert as the trusted cert, but the cert chain must be supplied (e.g. to `openssl verify`) in order to verify that the peer's cert was signed on behalf of RootCA. What should the format of the cert chain be?

vdods (Wed, 27 Sep 2017 22:21:03 GMT):
Perhaps I'm just asking which certs need to be in the cert chain and in what order?

vdods (Wed, 27 Sep 2017 23:02:40 GMT):
For reference, I may have found an answer for `openssl verify` here: https://mail.python.org/pipermail/cryptography-dev/2016-August/000676.html but I'm still curious if it works the same way in fabric-ca

vdods (Wed, 27 Sep 2017 23:59:05 GMT):
Hmm.. perhaps the order doesn't matter to `openssl verify` but it definitely matters to fabric-ca -- the signers come first, subordinates later, so each cert is the issuer for the next

vdods (Thu, 28 Sep 2017 00:27:14 GMT):
It looks like the TLS RFC specifies that certificate chains are supposed to come host-first, and each successive cert must be the signer of the previous. See page 47/48 under "certificate_list" at http://www.rfc-base.org/txt/rfc-5246.txt

vdods (Thu, 28 Sep 2017 00:32:52 GMT):
Golang http package also expects cert chains to be host-first

scott_xu (Thu, 28 Sep 2017 03:21:46 GMT):
Has joined the channel.

Katiyman (Thu, 28 Sep 2017 04:06:45 GMT):
Hello, I wanted to understand all about the certificates involved in Hyperledger Fabric. Can anyone please point me to the documentation related to it.

mastersingh24 (Thu, 28 Sep 2017 10:25:59 GMT):
@Katiyman - http://hyperledger-fabric.readthedocs.io/en/latest/msp.html

Katiyman (Thu, 28 Sep 2017 10:43:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=n77KvQdQ9kmTq9RjA) @mastersingh24 Thanks will go through it

paul.sitoh (Thu, 28 Sep 2017 11:04:46 GMT):
Is there any way of retrieving the password of a registered user via the fabric-ca-client? I am using this for smoke testing.

Vadim (Thu, 28 Sep 2017 11:06:42 GMT):
@paul.sitoh seems that it would be a security issue for me

paul.sitoh (Thu, 28 Sep 2017 11:07:29 GMT):
@Vadim So no way of retrieving via fabric-ca-client?

Vadim (Thu, 28 Sep 2017 11:08:19 GMT):
I would find it strange if it were possible. E.g. anybody would be able to retrieve a password of some user

paul.sitoh (Thu, 28 Sep 2017 11:09:07 GMT):
Ok no worries. It is only a development instance I am using.

Vadim (Thu, 28 Sep 2017 11:09:30 GMT):
I usually just save the passwords in some db

paul.sitoh (Thu, 28 Sep 2017 11:09:56 GMT):
When you register for the first time, it returns a password

paul.sitoh (Thu, 28 Sep 2017 11:10:15 GMT):
I was hoping there would be a function.

paul.sitoh (Thu, 28 Sep 2017 11:10:37 GMT):
I can access via sqlite3 but it is encrypted there

paul.sitoh (Thu, 28 Sep 2017 11:11:00 GMT):
which makes sense

paul.sitoh (Thu, 28 Sep 2017 13:34:07 GMT):
Folks, I have been using `fabric-ca-client` to interact with `fabric-ca-server` and tried to 'smoke' test the revoke operation. But the cert does not appear to be revoked. Here is the result of my 'smoke' test.

paul.sitoh (Thu, 28 Sep 2017 14:00:11 GMT):
Is something wrong with fabric-ca-server not sending out a revoked certificate?

paul.sitoh (Thu, 28 Sep 2017 14:01:16 GMT):
Or have I understood the feature wrongly.

skarim (Thu, 28 Sep 2017 14:03:52 GMT):
@paul.sitoh There is nothing in the certificate itself that indicates that it is revoked. When you revoke a user, in the fabric-ca database the user and its associated certificates get marked as revoked.

paul.sitoh (Thu, 28 Sep 2017 14:05:01 GMT):
@skarim does it not re-issue a certificate?

paul.sitoh (Thu, 28 Sep 2017 14:06:09 GMT):
A cert that says it has expired?

skarim (Thu, 28 Sep 2017 14:07:12 GMT):
I'm not sure if I understand the question. Once your certificate is revoked, you won't be able to reenroll but if you have not exceeded your max enrollment allotment you can enroll again using the username and password.

skarim (Thu, 28 Sep 2017 14:07:45 GMT):
If a cert is expired, you should get back an authorization error

paul.sitoh (Thu, 28 Sep 2017 14:15:42 GMT):
But this applies only when you interact with the CA

paul.sitoh (Thu, 28 Sep 2017 14:15:53 GMT):
how about when you interact with peer?

paul.sitoh (Thu, 28 Sep 2017 14:16:02 GMT):
When you sign transactions with it

paul.sitoh (Thu, 28 Sep 2017 14:16:24 GMT):
The peer doesn't validate against the CA, right?

paul.sitoh (Thu, 28 Sep 2017 14:16:43 GMT):
I mean the peer is going to say hey cert is valid?

paul.sitoh (Thu, 28 Sep 2017 14:18:05 GMT):
Or have I got it wrong?

skarim (Thu, 28 Sep 2017 14:19:20 GMT):
The MSP on the peer must contain a CRL that lists all the certificates that have been revoked. It uses this CRL to determine which certificates are not valid.

skarim (Thu, 28 Sep 2017 14:20:08 GMT):
There is currently work on the fabric-ca side to help generate this CRL that can then be placed in the MSP in the Peer

paul.sitoh (Thu, 28 Sep 2017 14:25:03 GMT):
What is the CRL?

aambati (Thu, 28 Sep 2017 14:25:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hFGmhoYr7TX5G6rLJ) @skarim if an identity is not revoked, it should be able to reenroll to get a new ecert. So, an identity can have multiple ecerts..you can revoke a ecert owned by an identity, but the identity should be able to use other ecert(s) that it owns

aambati (Thu, 28 Sep 2017 14:26:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HExgbSEvcSFNqE6P4) @paul.sitoh Certificate revocation list..it is a pem encoded file that contains unexpired revoked certificates

skarim (Thu, 28 Sep 2017 14:27:03 GMT):
@aambati Right, but if you revoke an identity then all its certs get revoked

aambati (Thu, 28 Sep 2017 14:27:35 GMT):
yes

aambati (Thu, 28 Sep 2017 14:28:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FBtccuHGfziYyYgHZ) @skarim https://jira.hyperledger.org/browse/FAB-5300

paul.sitoh (Thu, 28 Sep 2017 14:30:01 GMT):
On the client side

Vadim (Thu, 28 Sep 2017 14:30:24 GMT):
@paul.sitoh it needs to be in the config block of the channel

aambati (Thu, 28 Sep 2017 14:31:16 GMT):
the crl file should be placed in the crls folder of the msp (local or channel)

aambati (Thu, 28 Sep 2017 14:31:56 GMT):
pls take a look at this change set, it has an example on how to update crl in the channel msp

aambati (Thu, 28 Sep 2017 14:31:57 GMT):
https://gerrit.hyperledger.org/r/c/13687/

Vadim (Thu, 28 Sep 2017 14:32:18 GMT):
@aambati it gives 404

aambati (Thu, 28 Sep 2017 14:32:36 GMT):
https://gerrit.hyperledger.org/r/#/c/13687/

aambati (Thu, 28 Sep 2017 14:32:40 GMT):
that was new ui URL

paul.sitoh (Thu, 28 Sep 2017 14:33:11 GMT):
@Vadim ok how does the crl get placed in the channel when the peer or orderer don't interact with the CA

Vadim (Thu, 28 Sep 2017 14:33:32 GMT):
@paul.sitoh check that link that @aambati posted

aambati (Thu, 28 Sep 2017 14:36:12 GMT):
Note that gencrl support is still in review...you can take a look at the change set: https://gerrit.hyperledger.org/r/c/13583/

paul.sitoh (Thu, 28 Sep 2017 14:36:47 GMT):
I got no access

Vadim (Thu, 28 Sep 2017 14:37:18 GMT):
https://gerrit.hyperledger.org/r/#/c/13583/

paul.sitoh (Thu, 28 Sep 2017 14:57:28 GMT):
I am guessing the command to --gencrl is not yet implemented

rock_martin (Thu, 28 Sep 2017 15:28:46 GMT):
Can anyone let me know some links for using Hyperledger Fabric in a production environment set up on multiple hosts with Docker Swarm or Kubernetes? Thanks in advance

smithbk (Thu, 28 Sep 2017 17:01:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=n7v3X3pxS2LX9yW5S) @paul.sitoh Getting close, but still under review. See https://gerrit.hyperledger.org/r/#/c/13583/

smithbk (Thu, 28 Sep 2017 17:05:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=L2XaTYdTCckhoGeNh) @rock_martin The closest is currently https://gerrit.hyperledger.org/r/#/c/13213/ which is a sample for fabric-ca with docker-compose (not yet merged). But wouldn't be hard to adapt to swarm or kubernetes

toddinpal (Thu, 28 Sep 2017 17:34:15 GMT):
Do peers need their own identity or can multiple peers share an identity? In other words, can two different peers use the same identity to obtain enrollment certs?

smithbk (Thu, 28 Sep 2017 17:50:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dwcHqiq2bMfmXoiku) @toddinpal Yes, there is nothing that prevents you from using the same enrollment ID and secret to enroll multiple peers.

toddinpal (Thu, 28 Sep 2017 17:51:14 GMT):
@smithbk Thanks!

smithbk (Thu, 28 Sep 2017 17:51:26 GMT):
np

vdods (Thu, 28 Sep 2017 18:00:11 GMT):
@skarim Hi Saad, I've assigned a Jira ticket to you regarding fabric-ca cert chain ordering

skarim (Thu, 28 Sep 2017 18:02:20 GMT):
okay, I will take a look

paul.sitoh (Thu, 28 Sep 2017 20:42:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3DMhSEbr5wvo2Aesq) @smithbk ok. Not a big problem as long as this is only confined to fabric-ca-client. It will be a problem with SDK. Otherwise we could end up signing transactions with expired certs.

ujjwalmishra (Thu, 28 Sep 2017 22:06:57 GMT):
Has joined the channel.

ujjwalmishra (Thu, 28 Sep 2017 22:07:55 GMT):
When generating fabric-ca root certificate using config file, is there a way to control key usages printed on the certificate?

wy (Fri, 29 Sep 2017 02:43:56 GMT):
Does anyone know how we can make use of the certs defined for the fabric network to verify signatures in my chaincode? 1) Are there any built-in chaincode functions which I can use to pull the cert/public keys of a particular org/identity? 2) If so, how can I use them for verification?

CodeReaper (Fri, 29 Sep 2017 04:41:50 GMT):
Hey, I've been registering and enrolling a user in my demo app. What I noticed is that every time I enroll him, the public key I extracted from the user certificate in the chaincode was different. I basically removed the check for whether the user is enrolled already and enrolled him anyway. Why does it send me a different public key? I want to map all users based on the hash of the public key my chaincode is getting. Real dilemma, any help appreciated.

CodeReaper (Fri, 29 Sep 2017 04:54:56 GMT):
Hey there, I was working with registering and enrolling of users. What I noticed is that if I enroll a user who was already enrolled, I get a different private-public key pair (this was based on the conclusion that I got a different public key from the certificate I got at the chaincode every time I enrolled a user who's already enrolled). What I want to know is why are register and enrollment kept different from each other then?

Katiyman (Fri, 29 Sep 2017 06:11:32 GMT):
Requesting someone to throw some light on the below paragraph from the Fabric documentation: "In addition to verification related parameters, for the MSP to enable the node on which it is instantiated to sign or authenticate, one needs to specify: The signing key used for signing by the node (currently only ECDSA keys are supported), and The node's X.509 certificate, that is a valid identity under the verification parameters of this MSP." TIA

ianyan (Fri, 29 Sep 2017 09:29:39 GMT):
Has joined the channel.

smithbk (Fri, 29 Sep 2017 12:03:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=epYm6AX395fMfXsqf) @ujjwalmishra It does not appear to be configurable. We use CFSSL directly for generating the root CA's signing cert and at 1st glance doesn't appear to be configurable, but I'll look more closely in a few minutes

smithbk (Fri, 29 Sep 2017 12:07:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5gaDDD7hBW8Q2BgB5) @wy The MSP definitions containing the CA certificates is not currently available to chaincode. But it would be helpful to know exactly what you would like to accomplish. You may want to look at CR https://gerrit.hyperledger.org/r/#/c/13265/ (note the README.md) which adds a chaincode API for attribute-based access control. Of course this assumes that you are using fabric CA to generate your certificates.

wy (Fri, 29 Sep 2017 12:08:03 GMT):
@smithbk ill pm you

smithbk (Fri, 29 Sep 2017 12:12:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bFah48JkxpiKpnr2W) @CodeReaper Yes, that is working as designed. Every time you enroll, you are getting a new certificate and are using the enrollment ID and secret to authenticate. Of course you can limit the number of times an enrollment ID and secret can be used. But I don't see how this relates to your question about why register/enroll are different. Registration is like inviting someone to the party, and enrollment is like accepting the invitation. We always need to keep these separate.

CodeReaper (Fri, 29 Sep 2017 12:15:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BsDuirtY6z2u4YZa4) @smithbk I've been using the public key out of the certificate and making a hash of it, so that every time a user invokes some functionality I get to know which account (I've tokenized users and stored them with chaincode) is doing that particular transaction.

smithbk (Fri, 29 Sep 2017 12:17:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uDLTt7hQQvj4GEAuz) @Katiyman Think of a peer needing to provide an endorsement. It needs to provide a signature, which means it needs not just a certificate but also the corresponding private key for that certificate. Or said another way, an MSP could just have the certificate in the cacerts folder and you could use that MSP to verify signatures, but in order to create a signature, the MSP must contain a matching private key (in keystore) and certificate (in signcerts)

smithbk (Fri, 29 Sep 2017 12:21:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FvtJmwmuyED2CYi2L) @CodeReaper Right, a single user/identity can have multiple certificates, so using the public key to identify a user will not work.

CodeReaper (Fri, 29 Sep 2017 12:21:50 GMT):
Any other sort of mapping you can advise?

CodeReaper (Fri, 29 Sep 2017 12:22:08 GMT):
Certificates looked pretty solid way to go till now

smithbk (Fri, 29 Sep 2017 12:23:47 GMT):
The subject DN + issuer DN?

CodeReaper (Fri, 29 Sep 2017 12:37:57 GMT):
@smithbk If I'm trying to write a user entity in the state database, I would want the key-value mapping to be done in such a way that I don't need to store the key externally in any database. The user invoking a transaction should be enough to verify the user there itself. By DN you mean distinguished name? The only way out I can think of is maybe just combining the username and secret of the user and hashing it to create the mapping; is there any other standard way to do this? And I also wonder what purpose accessing the certificate of the invoker can serve at the chaincode level?

smithbk (Fri, 29 Sep 2017 12:43:12 GMT):
Yes, DN = Distinguished Name and is the standard x509 way of uniquely identifying an entity

gentios (Fri, 29 Sep 2017 13:15:45 GMT):
guys, from where does it get the --cafile when creating a channel?

ashutosh_kumar (Fri, 29 Sep 2017 13:18:10 GMT):
@CodeReaper, usually you should map your schema to the enterprise user management system and then customize your solution based on that, assuming you have an enterprise use case. There is no standard as such for such a broad topic.

loooog (Sat, 30 Sep 2017 06:46:36 GMT):
Has joined the channel.

loooog (Sat, 30 Sep 2017 06:52:53 GMT):
hi, I got an ERROR when running the client (register command) natively: Authorization failure

loooog (Sat, 30 Sep 2017 06:53:05 GMT):
The server side said:

loooog (Sat, 30 Sep 2017 06:53:32 GMT):
no certificates found for the seial and aki

mastersingh24 (Sat, 30 Sep 2017 19:50:06 GMT):
@loooog - can you post the commands you are trying to run? and can you post the command you used to enroll the admin (or whichever user you are using to register other users)?

loooog (Sun, 01 Oct 2017 02:56:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uNQy8PLpHuxExCjFz) @mastersingh24 Hi, thank you, I solved it myself. The cause is that go1.9 is not compatible with the AKI stuff; I went back to go1.8 and then all was good

mastersingh24 (Sun, 01 Oct 2017 10:46:32 GMT):
Good to hear @loooog BTW - the code in the master branch of fabric-ca does support Go 1.9 (this will be for fabric-ca v1.1) But the code in the release branch (v1.0.x) only supports Go 1.7

BernardLin (Sun, 01 Oct 2017 18:27:07 GMT):
Has joined the channel.

livespotty (Sun, 01 Oct 2017 23:55:50 GMT):
Has joined the channel.

loooog (Mon, 02 Oct 2017 01:48:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=s7KiMfb8ShAhvW6H8) @mastersingh24 Hmm, even when I only installed the native cmd files (fabric-ca-server && fabric-ca-client) with go 1.9 without checking out the source code, it did not work either. Actually the go get command will check out the fabric-ca source itself (v1.0.x).

mastersingh24 (Mon, 02 Oct 2017 10:01:27 GMT):
The default branch for all the repos is the "release" branch - which is currently the v1.0.x code

jarvis26 (Mon, 02 Oct 2017 15:37:45 GMT):
Has joined the channel.

falix (Tue, 03 Oct 2017 04:03:06 GMT):
Hi guys, I am using fabric-ca with mysql for its DB. It is using the below connection string example to connect to mysql. My question is, is there any way to hide the mysql connection string password by product default?
```
db:
  type: mysql
  datasource: hlfabricuser:password123@tcp(localhost:3306)/fabric_ca?parseTime=true&tls=false
```

Katiyman (Tue, 03 Oct 2017 05:33:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NyXiitQRvKSkmchME) @smithbk Thanks

Katiyman (Tue, 03 Oct 2017 06:54:55 GMT):
In the balance transfer sample, `curl -s -X POST http://localhost:4000/users -H "content-type: application/x-www-form-urlencoded" -d 'username=Jim&orgName=org1'` works if I pass any name at all... how is the authentication taking place here?

smithbk (Tue, 03 Oct 2017 10:53:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CTK3qGpwL3kWwRQjx) @falix fabric-ca-server does mask out passwords before logging. But the only way of not having the password in fabric-ca-server-config.yaml in the clear is to use some disk encryption software.

smithbk (Tue, 03 Oct 2017 11:01:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Ya3sW6SyTWwT64G7N) @Katiyman I'm not familiar with that sample. Looks like a node app listening on port 4000 and name Jim in the sample, so I'm guessing @jimthematrix would know ... or you can try on the #fabric-sdk-node channel

falix (Wed, 04 Oct 2017 01:23:22 GMT):
@smithbk thanks alot!!

cqyhm (Wed, 04 Oct 2017 01:42:10 GMT):
Has joined the channel.

jimthematrix (Wed, 04 Oct 2017 03:38:51 GMT):
@Katiyman if you inspect the code here https://github.com/hyperledger/fabric-samples/blob/release/balance-transfer/app.js#L123 you'll see that there's no authentication (this is by design to simplify the sample), basically the app issues a JWT token based on the user name passed into the calls to the `POST /users` endpoint

Katiyman (Wed, 04 Oct 2017 03:47:50 GMT):
@jimthematrix Thanks. Is there any sample (or guide doc) where the proper implementation of fabric-ca has been given?

AlekNS (Wed, 04 Oct 2017 05:14:07 GMT):
Has joined the channel.

rock_martin (Wed, 04 Oct 2017 06:01:33 GMT):
Hi, can we access the transaction id of the parent invocation of the transaction in chaincode?

Katiyman (Wed, 04 Oct 2017 09:54:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DjmiY25xtaMKgiFMk) @jimthematrix Is it just creating the certificate and returning success

KevinLeyssens (Wed, 04 Oct 2017 10:47:39 GMT):
Has joined the channel.

mastersingh24 (Wed, 04 Oct 2017 11:03:03 GMT):
@rock_martin What exactly do you mean by "parent invocation"? (https://chat.hyperledger.org/channel/fabric-ca?msg=mHFeibCAmBaPxezCQ)

rock_martin (Wed, 04 Oct 2017 11:44:18 GMT):
@mastersingh24 sorry, it's the current invocation, not the parent invocation.

mastersingh24 (Wed, 04 Oct 2017 13:47:25 GMT):
@rock_martin :
https://github.com/hyperledger/fabric/blob/release/core/chaincode/shim/interfaces.go#L64 - this will give you the transaction ID
https://github.com/hyperledger/fabric/blob/release/core/chaincode/shim/interfaces.go#L169 - this will give you the creator of the transaction
https://github.com/hyperledger/fabric/blob/release/core/chaincode/shim/interfaces.go#L184 - this will actually give you access to the full proposal request

jamesgua (Wed, 04 Oct 2017 15:21:26 GMT):
Has joined the channel.

rock_martin (Thu, 05 Oct 2017 04:55:10 GMT):
@mastersingh24 Thanks a lot :)

KevinLeyssens (Thu, 05 Oct 2017 10:54:54 GMT):
@smithbk, when I use this API library, I get the following error: `Error: Error getting chaincode code chaincode: Error getting chaincode package bytes: Error obtaining dependencies for github.com/hyperledger/fabric/core/chaincode/lib/cid: : failed with error: "exit status 1"` It cannot find the package, although the package is on this path. Any idea?
> @wy The MSP definitions containing the CA certificates is not currently available to chaincode. But it would be helpful to know exactly what you would like to accomplish. You may want to look at CR https://gerrit.hyperledger.org/r/#/c/13265 (note the README.md) which adds a chaincode API for attribute-based access control. Of course this assumes that you are using fabric CA to generate your certificates.

DarshanBc (Thu, 05 Oct 2017 11:28:47 GMT):
transient

Menniti (Thu, 05 Oct 2017 12:31:58 GMT):
Has joined the channel.

smithbk (Thu, 05 Oct 2017 13:04:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nqki5QQEGCk6ALhux) @KevinLeyssens Do you have the master branch of fabric locally on your machine? And up-to-date? It is not yet part of the release branch. That will happen when v1.1 release is out.

Smithatv (Thu, 05 Oct 2017 13:36:20 GMT):
Hello @smithbk, is there a way to know the resource consumption (e.g. memory usage, traffic monitoring, etc.) in case of a multi-channel setup?

KevinLeyssens (Thu, 05 Oct 2017 14:24:49 GMT):
@smithbk Fixed it with the 'govendor tool'. Now facing some other errors: "unexpected PEM block found. Expected a certificate but found a block of type:" :-/

smithbk (Thu, 05 Oct 2017 14:27:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iJnaCyivqK4eMihXQ) @KevinLeyssens Yeh, it doesn't currently work with v1.0 but https://gerrit.hyperledger.org/r/#/c/14223/ fixes that ... not yet merged. So you can either pull in that change set or use against current master peer

smithbk (Thu, 05 Oct 2017 14:33:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bJvTmyx2yzd2JJrEr) @Smithatv There is no specific monitoring support built into fabric. You would either need to build your own ... or the Bluemix offering provides monitoring support

KevinLeyssens (Thu, 05 Oct 2017 14:34:36 GMT):
@smithbk , thank you very much, it works now!

smithbk (Thu, 05 Oct 2017 14:35:03 GMT):
cool ... you're welcome

Smithatv (Fri, 06 Oct 2017 06:01:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uh2oajcKaFysvjCpy) @smithbk , thank you

Smithatv (Fri, 06 Oct 2017 06:02:10 GMT):
@smithbk, can you please help me understand what is happening in the below error

Smithatv (Fri, 06 Oct 2017 06:02:23 GMT):

Message Attachments

smithbk (Fri, 06 Oct 2017 11:19:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CmSQoeN8LckghYgkh) @Smithatv Looks like chaincode returned an error. I assume you looked at the logs in the chaincode container?

SimonOberzan (Fri, 06 Oct 2017 13:39:39 GMT):
Hi. I have generated orderer and CA certificates using cryptogen. I have then run the orderer and CAs in a docker container and registered and enrolled new peers. But when I run those peers I get only the following output:
```
[main] main -> ERRO 001 Cannot run peer because error when setting up MSP from directory /etc/hyperledger/fabric/msp: err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com")
```
How does Verify() "know" authorities? It's really hard for me to debug such an error as there is so little output. Peer signcert:
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            52:06:ef:5e:fb:38:58:19:d6:d6:ac:00:90:99:bb:09:bd:31:f4:aa
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1.example.com
        Validity
            Not Before: Oct  6 13:17:00 2017 GMT
            Not After : Oct  6 13:17:00 2018 GMT
        Subject: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=peer0
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:be:66:93:21:cf:79:1c:94:e3:01:2c:98:1b:f0:
                    74:94:46:2a:2e:7d:91:58:b1:85:89:b7:f2:ea:24:
                    3b:36:8a:89:5c:06:50:4c:ea:b4:db:f3:91:7c:5b:
                    6a:0d:e9:a2:95:5b:05:a4:38:51:7b:1f:e2:3b:92:
                    56:77:1a:61:3e
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                56:10:39:FC:84:E0:D1:B2:25:60:46:88:6C:3F:34:F7:35:A3:27:BE
            X509v3 Authority Key Identifier:
                keyid:4D:1E:18:A9:46:BA:3F:5C:F0:C9:52:3A:D4:D9:EB:DE:EB:31:8F:58:22:B1:3C:0C:49:7A:D5:47:E8:44:5B:3F
            X509v3 Subject Alternative Name:
                DNS:449053cf28b5
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:d9:1d:60:48:d6:d7:e7:95:17:d3:eb:d5:d9:
         4a:e9:27:ca:94:c7:9f:bd:2e:03:04:3f:21:a3:0d:ec:4d:12:
         0e:02:20:21:81:b0:a2:b0:59:0c:f3:ab:13:f7:bb:2f:08:d1:
         be:e0:09:e8:8e:89:51:e6:13:88:c7:46:6a:e4:c2:0b:f3
-----BEGIN CERTIFICATE-----
MIICWTCCAf+gAwIBA....
-----END CERTIFICATE-----
```

smithbk (Fri, 06 Oct 2017 13:56:56 GMT):
That means the certificate in the msp/signcerts (or possibly msp/admincerts) was not issued by a CA certificate in msp/cacerts (or an intermediate in msp/intermediatecerts if that exists)

SimonOberzan (Fri, 06 Oct 2017 13:57:47 GMT):
@smithbk Thank you, will look into it

smithbk (Fri, 06 Oct 2017 13:58:11 GMT):
sure

SimonOberzan (Fri, 06 Oct 2017 16:00:00 GMT):
@smithbk You were right, it was a problem related to msp/admincerts. Thanks

xuzhao103389 (Sat, 07 Oct 2017 14:29:32 GMT):
I want to set up 2 CAs for 2 orgs, e.g. CA01 is for peers within ORG01 and CA02 is for peers within ORG02. Who can help me with how to write the configs?

xuzhao103389 (Sat, 07 Oct 2017 14:30:09 GMT):
Is there any sample docker-compose.yaml file?

smithbk (Sat, 07 Oct 2017 18:52:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Zn4RSaPnsjkZSg8Sa) @xuzhao103389 See https://gerrit.hyperledger.org/r/#/c/13213/ ... it is not yet merged but you can pull it now and all dependencies are merged to fabric and fabric-ca repositories. The fabric-samples/fabric-ca/makeDocker.sh builds the docker-compose.yml for 3 CAs: one for the orderer and 2 for orgs with peers. See the fabric-samples/fabric-ca/README.md for an overview of the sample.

xuzhao103389 (Sun, 08 Oct 2017 16:20:52 GMT):
thanks @smithbk

niteshsolanki (Mon, 09 Oct 2017 10:30:40 GMT):
Has joined the channel.

niteshsolanki (Mon, 09 Oct 2017 11:20:54 GMT):
Hi. What is the expiration period of Ecerts in v1.0? And can this be set optionally during the registration process?

smithbk (Mon, 09 Oct 2017 13:32:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NTtrxBzNThE6CHore) @niteshsolanki The default is 1 year but is configurable on a per-profile basis. By default, there are only two profiles, one for ecerts and one for TLS certificates, but you can create additional profiles. No, you may not specify the expiry during registration ... at least not currently. This is the 1st request for this that I've heard. Can you explain the use case?

niteshsolanki (Mon, 09 Oct 2017 13:39:58 GMT):
thanks @smithbk. I tried to check the expiry date of a user certificate using an openssl command. It gave me a 10 year expiry duration. Is this the right command: `openssl x509 -enddate -noout -in file.pem`?

lehors (Mon, 09 Oct 2017 14:40:41 GMT):
@smithbk hi, the new unit-tests fail on vagrant/windows and looking into it I see that it is yet again a problem of DB not being closed

lehors (Mon, 09 Oct 2017 14:41:03 GMT):
the new tests call NewCA which leaves the db open

lehors (Mon, 09 Oct 2017 14:41:59 GMT):
I can simply fix the tests by adding a call to closeDB but it makes me wonder what this means from a public API point of view

lehors (Mon, 09 Oct 2017 14:42:36 GMT):
should NewCA really be public?

lehors (Mon, 09 Oct 2017 14:43:01 GMT):
does anybody else other than the server use this?

lehors (Mon, 09 Oct 2017 14:43:20 GMT):
shouldn't it be newCA instead?

rickr (Mon, 09 Oct 2017 14:57:16 GMT):
@aambati @smithbk Looking at the swagger for https://gerrit.hyperledger.org/r/#/c/13583/ there's no indication of what date format is acceptable; "string" could mean "yesterday"?

rickr (Mon, 09 Oct 2017 14:57:26 GMT):
Can we have some examples in there ?

rickr (Mon, 09 Oct 2017 14:58:03 GMT):
Found the description

julian (Mon, 09 Oct 2017 17:12:29 GMT):
Has joined the channel.

aambati (Mon, 09 Oct 2017 17:41:11 GMT):
```
-----BEGIN X509 CRL-----
MIIBVDCB/AIBATAKBggqhkjOPQQDAjBzMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQb3JnMS5leGFtcGxlLmNvbTEcMBoGA1UEAxMTY2Eub3JnMS5leGFtcGxlLmNvbRcNMTcwOTE4MjI1MDQ3WhcNMTcxMjE4MjI1MDQ3WjAnMCUCFBRsodDSNnyeIcUUfESL8/OW3BZbFw0xNzA5MTIxODE2NDNaoC8wLTArBgNVHSMEJDAigCAILc807QwTozcchKNumCx5O1Lqn+kIlrbnC44qj2sIuzAKBggqhkjOPQQDAgNHADBEAiA/zyIZg6ACmxsP9X+6rLr6xnYxx0VaxzXWpukWJbpLrAIgaVWL6aENnX7Sg52XNr1kiFjI2zbpzaamG68fi6VogHk=
-----END X509 CRL-----
```

aambati (Mon, 09 Oct 2017 17:42:24 GMT):
In go, you can use this: https://golang.org/pkg/crypto/x509/#ParseDERCRL

aambati (Mon, 09 Oct 2017 17:43:00 GMT):
to parse the CRL you get from the api

smithbk (Mon, 09 Oct 2017 18:04:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7jcRuiEz7z7Kmoa3m) @niteshsolanki yes, that gives you the notAfter field of the cert. By default, ecerts generated by fabric CA have a 1 year expiry, not 10 years as is done by cryptogen. The fabric CA root CA default expiration is 15 years and an intermediate CA is 5 years.

smithbk (Mon, 09 Oct 2017 18:05:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5HT3MYLKAHtysHg7o) @lehors yes, NewCA should be newCA. I doubt it would ever need to be public. Are you going to fix, or want me to?

niteshsolanki (Mon, 09 Oct 2017 18:05:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JoPYPdvLBYiLC9NRA) @smithbk thanks for the response

lehors (Mon, 09 Oct 2017 18:20:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NNEuxcRuQ2GddiKn2) @smithbk I'll fix it, just wanted to make sure I wasn't missing something. Thanks.

yoyokeen (Tue, 10 Oct 2017 06:47:13 GMT):
@here, should the domain be used in TLS mode?

DarshanBc (Tue, 10 Oct 2017 06:55:15 GMT):
I am trying to bring up a 4 org system using the method followed in balance transfer. All the containers are up, including 4 ca_Peers, but while registering users I am getting the following error:
```
[2017-10-10 11:57:11.245] [DEBUG] SampleWebApp - End point : /users
[2017-10-10 11:57:11.245] [DEBUG] SampleWebApp - User name : Barry
[2017-10-10 11:57:11.245] [DEBUG] SampleWebApp - Org name : org2
[2017-10-10 11:57:11.249] [DEBUG] Helper - ORGS[org].name :org2
[2017-10-10 11:57:11.249] [DEBUG] Helper - [FileKeyValueStore.js]: FileKeyValueStore.js - constructor
[2017-10-10 11:57:11.251] [DEBUG] Helper - [FileKeyValueStore.js]: FileKeyValueStore -- getValue
[2017-10-10 11:57:11.252] [DEBUG] Helper - ORGS[org].name :org2
[2017-10-10 11:57:11.252] [DEBUG] Helper - [FileKeyValueStore.js]: FileKeyValueStore.js - constructor
[2017-10-10 11:57:11.253] [DEBUG] Helper - [FileKeyValueStore.js]: FileKeyValueStore -- getValue
[2017-10-10 11:57:11.303] [DEBUG] Helper - [utils.CryptoKeyStore]: This class requires a CryptoKeyStore to save keys, using the store: {"opts":{"path":"/tmp/fabric-client-kvs_peerOrg2"}}
[2017-10-10 11:57:11.304] [DEBUG] Helper - [FileKeyValueStore.js]: FileKeyValueStore.js - constructor
[2017-10-10 11:57:11.304] [DEBUG] Helper - [utils.CryptoKeyStore]: _getKeyStore returning ks
[2017-10-10 11:57:11.304] [DEBUG] Helper - [crypto_ecdsa_aes]: generateKey, store.setValue
[2017-10-10 11:57:11.305] [DEBUG] Helper - [ecdsa/key.js]: ECDSA curve param X: 10e7408518fe34d480431c4d8c0abe2776b1a14ec3cb58a6824d7898f1a5a80f
[2017-10-10 11:57:11.305] [DEBUG] Helper - [ecdsa/key.js]: ECDSA curve param Y: 1516697123fea2c0e4763b32b0fe4344a758c3bd35c42e886efff70f799689fc
[2017-10-10 11:57:11.310] [DEBUG] Helper - [FileKeyValueStore.js]: FileKeyValueStore -- setValue
[2017-10-10 11:57:11.488] [ERROR] Helper - Error: Calling enrollment endpoint failed with error [Error: write EPROTO 140583861933888:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:../deps/openssl/openssl/ssl/ssl_lib.c:2512:
140583861933888:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:../deps/openssl/openssl/ssl/s3_clnt.c:3544:
]
    at ClientRequest. (/home/rtcin/go/src/github.com/hyperledger/fabric-samples/D-Twin-4org/node_modules/fabric-ca-client/lib/FabricCAClientImpl.js:711:12)
    at emitOne (events.js:96:13)
    at ClientRequest.emit (events.js:188:7)
    at TLSSocket.socketErrorListener (_http_client.js:310:9)
    at emitOne (events.js:96:13)
    at TLSSocket.emit (events.js:188:7)
    at onwriteError (_stream_writable.js:346:10)
    at onwrite (_stream_writable.js:364:5)
    at WritableState.onwrite (_stream_writable.js:90:5)
    at fireErrorCallbacks (net.js:468:13)
[2017-10-10 11:57:11.488] [DEBUG] Helper - Barry failed to register
[2017-10-10 11:57:11.488] [ERROR] Helper - Barry enrollment failed
(node:9578) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 1): Error: Cannot save null userContext.
(node:9578) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 2): TypeError: Cannot read property '_enrollmentSecret' of null
```

Amitchandra (Tue, 10 Oct 2017 06:57:30 GMT):
Has joined the channel.

username343 (Tue, 10 Oct 2017 08:13:00 GMT):
Has joined the channel.

username343 (Tue, 10 Oct 2017 08:13:51 GMT):
After getting the certificate and keys from the fabric-ca, how do I put them in the orderer and peer msp folders?

username343 (Tue, 10 Oct 2017 08:18:20 GMT):
Can anybody please explain to me how the fabric-ca, peers and orderer interact with each other? By now I've figured out that I have to obtain keys and a certificate from the fabric-ca after enrolling the user using fabric-ca-client. I've created a new user, and using that user's certificate and private key I'm trying to use the invoke.js and query.js scripts of the fabcar folder, but I'm getting the error `verify error certificate signed by unknown authority`. Do you know what is causing it?

Smithatv (Tue, 10 Oct 2017 08:48:27 GMT):
@smithbk, is it possible to add organizations to the channel on the fly, meaning while the network is up and running?

DarshanBc (Tue, 10 Oct 2017 08:52:22 GMT):
Hi, I am trying to bring up a similar 4 org system with the node sdk. When I am trying to register a new user I am getting this error in the docker logs of ca_Peer:
```
2017/10/10 08:44:00 [DEBUG] Received request POST /api/v1/register
Authorization: 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.MEQCIBvfkrVrJolnlhcH9Om+cb/y6z1J2y2cRSJvkqww+p6WAiAGBQu6XC/w0qnIyH/KmAAL5Vsy+O/uaQZKnQCEanYCqQ==
{"id":"Alie","type":"client","affiliation":"org3.department1","max_enrollments":1,"caName":""}
2017/10/10 08:44:00 [DEBUG] Directing traffic to default CA
2017/10/10 08:44:00 [DEBUG] Checking for revocation/expiration of certificate owned by 'admin'
2017/10/10 08:44:00 [DEBUG] DB: Get certificate by serial (5c7f7c9b78638df2a096c1a05f5e674fd31b5034) and aki (b6e626b3a90277c2c304961dde59fd5aab4a49f3dbb243d64903f2470710ae6d)
2017/10/10 08:44:00 [DEBUG] Successful authentication of 'admin'
2017/10/10 08:44:00 [DEBUG] Register request received
2017/10/10 08:44:00 [DEBUG] Received registration request from admin: &{RegistrationRequest:{Name:Alie Type:client Secret:<> MaxEnrollments:1 Affiliation:org3.department1 Attributes:[] CAName:}}
2017/10/10 08:44:00 [DEBUG] canRegister - Check to see if user admin can register
2017/10/10 08:44:00 [DEBUG] DB: Getting identity admin
2017/10/10 08:44:00 [DEBUG] Validate ID
2017/10/10 08:44:00 [DEBUG] An affiliation is required for identity type client
2017/10/10 08:44:00 [DEBUG] Validating affiliation: org3.department1
2017/10/10 08:44:00 [DEBUG] DB: Get affiliation org3.department1
2017/10/10 08:44:00 [DEBUG] Registration of 'Alie' failed: Failed getting affiliation 'org3.department1': sql: no rows in result set
2017/10/10 08:44:00 [INFO] 172.19.0.1:44238 - "POST /api/v1/register" 0
```

DarshanBc (Tue, 10 Oct 2017 08:55:09 GMT):
It says failed getting affiliation org3.department1, but I have uploaded this while starting the ca_server:
```
affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1
    - department2
  org3:
    - department1
    - department2
  org4:
    - department1
    - department2
```

Smithatv (Tue, 10 Oct 2017 11:24:13 GMT):
@smithbk can you please help me resolve the below issue?

Smithatv (Tue, 10 Oct 2017 11:24:23 GMT):

Message Attachments

smithbk (Tue, 10 Oct 2017 11:30:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Af2iqjd5SLq9kYjhr) @yoyokeen Can you elaborate what you mean? Do you mean using a domain rather than a hostname?

smithbk (Tue, 10 Oct 2017 11:40:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5hQqCwXJPMf2pm4PD) @DarshanBc Did you edit the affiliations table in fabric-ca-server-config.yaml after the DB was created, i.e. after running `fabric-ca-server init` or `fabric-ca-server start` for the 1st time? The affiliations are read from fabric-ca-server-config.yaml the 1st time you start the server and then added to the DB. The next time you start the server when the DB already exists, the affiliations are taken from the DB and not from fabric-ca-server-config.yaml. There is a work in progress now that will change the behavior and support dynamically updating the affiliation table (see https://jira.hyperledger.org/browse/FAB-5726).

smithbk (Tue, 10 Oct 2017 11:44:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=x36BtLT5Lk2gy9yAR) @Smithatv Try deleting the 'true' after '--tls' ... the presence of the option indicates true

DarshanBc (Tue, 10 Oct 2017 11:46:03 GMT):
@smithbk I had put this file in a fabric-ca-server directory located where docker-compose.yaml is placed as told in https://stackoverflow.com/questions/46034246/hyperledger-fabric-ca-v1-fabric-ca-client-error/46054669#46054669

smithbk (Tue, 10 Oct 2017 11:49:33 GMT):
The answer in stackoverflow is correct, but so is what I said above. To fix, you will need to delete your DB in the ./fabric-ca-server directory on your host and restart the container

DarshanBc (Tue, 10 Oct 2017 11:50:17 GMT):
ok

DarshanBc (Tue, 10 Oct 2017 11:52:44 GMT):
Can I have an affiliation for peers, and have an endorsement policy accordingly?

smithbk (Tue, 10 Oct 2017 12:04:00 GMT):
The peer identity can have an affiliation but no, it can't be checked as part of an endorsement policy. Can you describe at a high-level the use case? Maybe there is another way to accomplish this. (BTW, I'll be off line for an hour but will respond when back)

JeroenDePrest (Tue, 10 Oct 2017 13:19:25 GMT):
Has joined the channel.

JeroenDePrest (Tue, 10 Oct 2017 13:23:07 GMT):
I am trying to run the start.sh from the fabric-ca sample (https://gerrit.hyperledger.org/r/#/c/13213/), but I keep getting `ERROR: pull access denied for hyperledger/fabric-ca-tools, repository does not exist or may require 'docker login'`. I can't seem to find the correct repo.

DarshanBc (Tue, 10 Oct 2017 13:34:36 GMT):
@smithbk inside an org I have peers belonging to a few other departments. Users belonging to those departments have created some data, and I have a function which edits these values. They can only be edited if these peers are up, so I thought of having an AND endorsement policy on them.

ericmvaughn (Tue, 10 Oct 2017 13:48:54 GMT):
TWDis1ofMyFavorites!

ericmvaughn (Tue, 10 Oct 2017 13:49:24 GMT):
Sorry, ignore that

smithbk (Tue, 10 Oct 2017 14:23:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rJ7MhMwAiSditwYFM) @JeroenDePrest I haven't seen that docker error before. I did some googling and they suggest a firewall issue or as the message says, trying 'docker login' 1st. Anyway, until v1.1 is published, I suggest just making sure that your fabric and fabric-ca repositories are on the master branch and up-to-date on your machine. Then just run the "build-images.sh" script in the sample. It will take a while to build. Then you should be able to run `start.sh` successfully.

lmars (Tue, 10 Oct 2017 16:35:08 GMT):
Has joined the channel.

vdods (Tue, 10 Oct 2017 20:57:15 GMT):
What is the most basic example use-case that motivates affiliations? Having multiple apps' users being provisioned by the same CA? What would the affiliation structure look like in that case?

mastersingh24 (Tue, 10 Oct 2017 21:05:48 GMT):
@vdods - IMHO, at the current time, there is really no great use case for affiliations. They were actually meant to be used with TCerts such that you could have a hierarchical / tree structure for determining who would be able to "re-link" transactions. So if you are at the top of the tree, you'd be able to re-link transactions for the whole tree, if you are on a leaf you could do the entire leaf, etc.

vdods (Tue, 10 Oct 2017 21:06:08 GMT):
Ah that's right

mastersingh24 (Tue, 10 Oct 2017 21:06:11 GMT):
And BTW - re-link is a loose term.

mastersingh24 (Tue, 10 Oct 2017 21:06:13 GMT):
;)

vdods (Tue, 10 Oct 2017 21:08:20 GMT):
What's described in the docs makes it seem that affiliations could at least be used to create a hierarchy of admins/users for apps within an org. Say org0 was running a single CA to support 3 apps, app0, app1, and app2; then it could create admins for each of those apps whose affiliation would be org0.app0, org0.app1, and org0.app2 respectively, and those admins could register users -- only for those apps -- without bothering the "main" admin.

vdods (Tue, 10 Oct 2017 21:09:22 GMT):
Are the ecert attribute values passed into chaincode yet by the SDKs?

smithbk (Tue, 10 Oct 2017 22:56:41 GMT):
the attribute name and values are inside the certificate, so the SDKs just pass the certificate as they do today. The additional work for the SDKs is to request attributes by name when they enroll ... or to specify which attributes should be added by default at registration time if no specific attributes are requested at enroll time. This has been merged for node and java SDKs: https://jira.hyperledger.org/browse/FAB-5825

smithbk (Tue, 10 Oct 2017 23:01:57 GMT):
Regarding a use-case for affiliation, once https://gerrit.hyperledger.org/r/#/c/14241/ is merged, the affiliation could be added as an attribute to an ecert and be used to make ACL decisions. And I'm sure you're aware of how it is used to govern who can register whom. So it would provide a way to make hierarchical ACL decisions. For example, having admins on a per-department basis who can register users, and then making chaincode decisions based on those departments.

vdods (Tue, 10 Oct 2017 23:51:22 GMT):
Gotcha, thanks

vdods (Wed, 11 Oct 2017 00:19:03 GMT):
Is there any way to change a user's password, or a workflow that has an equivalent result?

Hangyu (Wed, 11 Oct 2017 01:56:02 GMT):
I recently found the jira ticket about integrating Identity Mixer into the fabric MSP, https://jira.hyperledger.org/browse/FAB-2005. I was wondering if you could give me some insight on the relationship between fabric-ca and this Identity Mixer? My understanding is that fabric-ca issues ECerts and Identity Mixer issues TCerts based on the ECert it receives. Sort of like the TCA of fabric 0.6? Very much appreciate it. @smithbk @mastersingh24

Smithatv (Wed, 11 Oct 2017 04:20:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Dn7HNz7RhNgbNHonH) @smithbk Excellent !!! .. Thanks a lot

amolpednekar (Wed, 11 Oct 2017 05:16:18 GMT):
Has joined the channel.

yoheiueda (Wed, 11 Oct 2017 05:27:38 GMT):
Has joined the channel.

UtkarshSingh (Wed, 11 Oct 2017 06:38:58 GMT):
Has joined the channel.

JeroenDePrest (Wed, 11 Oct 2017 08:10:12 GMT):
@smithbk any idea when v1.1 will be released?

DarshanBc (Wed, 11 Oct 2017 09:22:39 GMT):
Hi, I am getting this error while registering a new user:
```
2017/10/11 07:53:11 [DEBUG] Received request POST /api/v1/enroll Authorization: Basic YWRtaW46YWRtaW5wdw== {"caName":"","certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\r\nMIHMMHICAQAwEDEOMAwGA1UEAwwFYWRtaW4wWTATBgcqhkjOPQIBBggqhkjOPQMB\r\nBwNCAASUWo/5gS9H/PSvsiNK2iGsWw0nv7tsVnGG+ZY3cWFJ3ANz6cNmd+lRLZS3\r\nBhHYD/FZhhqwBucMHFE1sB9SqqEnoAAwDAYIKoZIzj0EAwIFAANIADBFAiEAiHjk\r\ncyM3gzqYbLAFVz8kHahVXtAjEOb82q7jiP35Tm4CIAHQsotf2301RCBVQ6i5hb9i\r\nByHhofDyhEFbch7gJVVF\r\n-----END CERTIFICATE REQUEST-----\r\n"}
2017/10/11 07:53:11 [DEBUG] Directing traffic to default CA
2017/10/11 07:53:11 [DEBUG] DB: Getting identity admin
2017/10/11 07:53:11 [DEBUG] Failed to get identity 'admin': sql: no rows in result set
```
I have my own fabric-ca-server-config.yaml file:
```
identities:
  - name: admin
    pass: adminpw
    type: client
    affiliation: ""
    maxenrollments: -1
    attrs:
      hf.Registrar.Roles: "client,user,peer,validator,auditor"
      hf.Registrar.DelegateRoles: "client,user,validator,auditor"
      hf.Revoker: true
      hf.IntermediateCA: true
      hf.GenCRL: true
affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1
    - department2
  org3:
    - department1
    - department2
  org4:
    - department1
    - department2
```
I browsed the .db file; I didn't find any data in any of the tables.

DarshanBc (Wed, 11 Oct 2017 11:59:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BmcQ63526QWoSBAZF) Issue got resolved: deleted fabric-ca-server.db and cleared the keystore in /tmp/..., restarted ca_peers. Thanks to @smithbk

vdods (Wed, 11 Oct 2017 19:02:13 GMT):
What is the correct signal to send to fabric-ca to stop it such that it is guaranteed to shut itself down safely? SIGHUP?

vdods (Wed, 11 Oct 2017 19:02:53 GMT):
maybe SIGQUIT?

vdods (Wed, 11 Oct 2017 19:07:47 GMT):
SIGQUIT causes fabric-ca-server to print stuff to the log, including a stack trace of all threads, but it's not clear that that means it cleans up correctly

htyagi90 (Wed, 11 Oct 2017 20:06:58 GMT):

Message Attachments

htyagi90 (Wed, 11 Oct 2017 20:07:05 GMT):
Hi all, I'm using the git commit level as per this gerrit `https://gerrit.hyperledger.org/r/#/c/13213/`. I haven't updated any of the files, just running the `start.sh`, but it fails on creating artifacts (supposed to be created by the setup container) with the following error:

htyagi90 (Wed, 11 Oct 2017 20:07:23 GMT):
the setup logs are as follows:
```
2017/10/11 20:05:03 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc42025d230 Pkcs11Opts:}
2017/10/11 20:05:03 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc42026dcf0 DummyKeystore:}
2017/10/11 20:05:03 [INFO] TLS Enabled
2017/10/11 20:05:03 [DEBUG] CA Files: [/data/org0-ca-chain.pem]
2017/10/11 20:05:03 [DEBUG] Client Cert File:
2017/10/11 20:05:03 [DEBUG] Client Key File:
2017/10/11 20:05:03 [DEBUG] Client TLS certificate and/or key file not provided
2017/10/11 20:05:03 [DEBUG] Loading identity: keyFile=%s, certFile=%s/root/cas/ica-org0/msp/keystore/key.pem/root/cas/ica-org0/msp/signcerts/cert.pem
2017/10/11 20:05:03 [DEBUG] Register { Name:admin-org0 Type:user Secret:**** MaxEnrollments:-1 Affiliation:org1 Attributes:[{hf.admin true true}] CAName: }
2017/10/11 20:05:03 [DEBUG] adding token-based authorization header
2017/10/11 20:05:03 [DEBUG] Sending request POST https://ica-org0:7054/register {"id":"admin-org0","type":"user","secret":"admin-org0pw","max_enrollments":-1,"affiliation":"org1","attrs":[{"name":"hf.admin","value":"true","ecert":true}]}
2017/10/11 20:05:03 [DEBUG] Received response statusCode=401 (401 Unauthorized)
Error: Response from server: Error Code: 43 - Registrar does not have any values for 'hf.Registrar.Attributes' thus can't register any attributes
```

htyagi90 (Wed, 11 Oct 2017 20:09:28 GMT):
@smithbk

skarim (Wed, 11 Oct 2017 20:09:37 GMT):
@htyagi90 this is a known issue, there is a fix in progress that should address this. see: https://gerrit.hyperledger.org/r/#/c/14427/

htyagi90 (Wed, 11 Oct 2017 20:11:29 GMT):
@skarim thanks for the reply

htyagi90 (Wed, 11 Oct 2017 20:12:01 GMT):
Any quick fix so that the above test can pass?

skarim (Wed, 11 Oct 2017 20:15:13 GMT):
I'm not very familiar with the way that script works; I can take a look and see if there is a workaround.

vdods (Wed, 11 Oct 2017 21:17:59 GMT):
It appears that fabric-ca-client writes to msp/signcerts/cert.pem for both enroll and TLS enroll -- this seems wrong because the certs are different, and there are apparently two distinct keys that show up in msp/keystore

vdods (Wed, 11 Oct 2017 21:18:21 GMT):
Is there some convention I'm missing?

jimthematrix (Wed, 11 Oct 2017 23:36:50 GMT):
@smithbk @skarim any idea why this is failing in the latest node SDK end2end test?
```
Error: fabric-ca request register failed with errors [[{"code":43,"message":"Registrar does not have any values for 'hf.Registrar.Attributes' thus can't register any attributes"}]]
```

skarim (Wed, 11 Oct 2017 23:46:55 GMT):
@jimthematrix This is a known issue, there is a fix out there. See: https://gerrit.hyperledger.org/r/#/c/14427/ However, there is an issue with CI on z that Ramesh is looking into so it has not been able to get merged yet.

smithbk (Thu, 12 Oct 2017 00:03:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=obaZTqMf2tiKLgDkE) @vdods Yes, they are stored the same but note that the certs have different usages. Why does this seem wrong? Can you elaborate?

vdods (Thu, 12 Oct 2017 00:03:37 GMT):
@smithbk Because tls enroll overwrites the cert retrieved by the ordinary enroll

vdods (Thu, 12 Oct 2017 00:03:51 GMT):
I'd assume it should show up as a separate file

vdods (Thu, 12 Oct 2017 00:04:25 GMT):
I think this does not present as a bug because the same certs are being used for TLS and CAs

vdods (Thu, 12 Oct 2017 00:04:33 GMT):
or something to that effect

vdods (Thu, 12 Oct 2017 00:06:54 GMT):
I suppose because both are using `fabric-ca-client enroll`, it's not unreasonable to have it write to the same filename. but when tls enrollment happens, other certs appear in tlscacerts and other dirs

vdods (Thu, 12 Oct 2017 00:07:06 GMT):
both certs are written to msp/signcerts/cert.pem during normal and tls enrollment

smithbk (Thu, 12 Oct 2017 00:07:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9ycD7EEgKsh56QNDJ) @vdods Graceful shutdown isn't currently supported, but we will be providing it in the near future (post v1.1) since we have now moved up to a version of golang which supports it.

vdods (Thu, 12 Oct 2017 00:34:38 GMT):
@smithbk Is there a risk that the CA DB will be corrupted if it's shut down via SIGINT or SIGQUIT?

DarshanBc (Thu, 12 Oct 2017 06:13:14 GMT):
Is node-sdk supported for the attribute-based access control module?

mastersingh24 (Thu, 12 Oct 2017 11:53:50 GMT):
@DarshanBc - there's nothing special needed in order to enroll clients and obtain certificates with attributes when using fabric-node-sdk (this would assume that you configure fabric-ca to populate eCerts with a set of attributes)

mastersingh24 (Thu, 12 Oct 2017 11:54:38 GMT):
If you use one of the 1.1-snapshot releases of fabric-client with fabric-ca built from master, you can register users with attributes and request attributes during enrollment

DarshanBc (Thu, 12 Oct 2017 12:02:59 GMT):
@mastersingh24 @smithbk OK, with the cid module in chaincode for ABAC I can see that only the attributes of the invoker can be extracted. Is there any way I can give the certificate of the invoker of some transaction x as an input and get his attributes?

KevinLeyssens (Thu, 12 Oct 2017 12:09:59 GMT):
Is it possible to specify at transaction level which endorser can verify this transaction? E.g.: 10 companies, there is a trade/transaction between company 1 and 3. So only the endorsers of company 1 and 3 will be valid. The rest can validate it by default, but it will have no value. I know it is possible to set the endorsement policy at chaincode level, but is there a way or an alternative to do this at transaction level?

DarshanBc (Thu, 12 Oct 2017 12:13:47 GMT):
@KevinLeyssens I think you can use AND(company1.member,company3.member) endorsement policy for that chaincode

KevinLeyssens (Thu, 12 Oct 2017 12:17:52 GMT):
@DarshanBc, if you specify this at chaincode level then all invokes on that chaincode will be endorsed by company 1 and 3. But this is not what we are looking for. Is there a way to do this dynamically? So the invoker's and receiver's endorsers will validate this?

KevinLeyssens (Thu, 12 Oct 2017 12:19:07 GMT):
Because all 10 companies invoke that smart contract, but only the sender's and receiver's company endorsers need to endorse this.

KevinLeyssens (Thu, 12 Oct 2017 12:19:34 GMT):
I hope you get the question; it's rather a difficult / tricky one.

DarshanBc (Thu, 12 Oct 2017 12:49:01 GMT):
As of now the endorsement policy can be specified while instantiating the chaincode. Probably what you can do is take all possible combinations and put OR(AND(org1,org2), AND(org1,org3), ....)

DarshanBc (Thu, 12 Oct 2017 12:53:36 GMT):
What is the purpose of having roles and affiliation for the user being registered and enrolled? What may be the basic use case for it?

KevinLeyssens (Thu, 12 Oct 2017 13:30:20 GMT):
With the OR command, when the first (org1 and org2) are OK with the transaction, it will be endorsed. But what if org7 and org9 make a transaction, so we only want the org7 and org9 endorsers to verify? In the OR example you provide, won't it be the case that org1 and org2 validate this transaction and it will be OK, without org7 and org9 validating it?

rjones (Thu, 12 Oct 2017 14:27:53 GMT):
Has joined the channel.

rjones (Thu, 12 Oct 2017 14:30:06 GMT):
@mastersingh24 WRT your comment here: https://gerrit.hyperledger.org/r/#/c/14445/1/MAINTAINERS.md for both projects the branch displayed on github is release. I suppose that change 14445 should be on release, so that it gets shown by default on github, pointing to master in fabric.

rjones (Thu, 12 Oct 2017 14:30:38 GMT):
@mastersingh24 should I put 14445 on the release branch of fabric-ca?

aambati (Thu, 12 Oct 2017 14:41:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=eJSc2TZcf3xqrZAAY) @vdods I think we should write the TLS cert to some other file name (tlscert.pem) ... the question is, should the TLS enroll cert be written to the msp/signcerts folder? Because the MSP doc says this: `a folder signcerts to include a PEM file with the node's X.509 certificate`, so I'm not sure what the consequence is if the signcerts folder has multiple PEM files.

aambati (Thu, 12 Oct 2017 14:49:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BbBryTCnxanfyiXza) @vdods currently the fabric-ca server request handlers write/update one table row for each request. I think this will not cause DB corruption. There are change sets out there that do multiple updates in a transaction; I think we are covered there as well as far as DB corruption.

louismyu (Thu, 12 Oct 2017 16:34:57 GMT):
Has joined the channel.

louismyu (Thu, 12 Oct 2017 16:35:55 GMT):
can fabric's CA auth against ADFS or does that even make any sense?

ashutosh_kumar (Thu, 12 Oct 2017 16:50:02 GMT):
Fabric CA's job is to provide you an enrollment cert. It does not do authentication, hence ADFS is out of the question. It might change in future.

Asara (Thu, 12 Oct 2017 17:55:42 GMT):
Curious, is it currently possible to set up a fabric network without using cryptogen? As in use the fabric-ca to handle registration of orderers/peers as well as sdk clients?

htyagi90 (Thu, 12 Oct 2017 18:45:58 GMT):
I'm working with the fabric-ca sample (https://gerrit.hyperledger.org/r/#/c/13213/). Both my fabric and fabric-ca repos are on the master branch. I built the images by running `build-images.sh` in the fabric sample, but on running start.sh my orderer and peer containers are not started; however, all the CA(s) started perfectly. I get the following error message:
```
##### 2017-10-12 18:34:52 Waiting for the 'setup' container to finish registering identities, creating the genesis block and other artifacts .............
##### 2017-10-12 18:35:03 FATAL: Failed waiting for the 'setup' container to finish registering identities, creating the genesis block and other artifacts (/data/logs/setup.successful not found); see data/logs/setup.log
```
Following is the output of `setup.log`:
```
POST https://ica-org0:7054/enroll {"hosts":["fa2e553fb24b"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBSjCB8gIBADBmMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxFzAVBgNV\nBAMTDmljYS1vcmcwLWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECHRV\niUEj5nqtN5txVJJIH3UVmEShOqiICtgGur1ZqL4kIZp54nsziXUyPH1jE2F4htQx\ndeWtdg2O7EXkfA/i/qAqMCgGCSqGSIb3DQEJDjEbMBkwFwYDVR0RBBAwDoIMZmEy\nZTU1M2ZiMjRiMAoGCCqGSM49BAMCA0cAMEQCIEXBd8v6z0D+q9iu/LIRw++xaaeu\nmxGpuHV5KVmRvp2GAiBeLLBvYdOfQHWLy4BH+2rJ56yZ4YXdH6uopg9/NoWsig==\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}
Error: POST failure of request: POST https://ica-org0:7054/enroll {"hosts":["fa2e553fb24b"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBSjCB8gIBADBmMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxFzAVBgNV\nBAMTDmljYS1vcmcwLWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECHRV\niUEj5nqtN5txVJJIH3UVmEShOqiICtgGur1ZqL4kIZp54nsziXUyPH1jE2F4htQx\ndeWtdg2O7EXkfA/i/qAqMCgGCSqGSIb3DQEJDjEbMBkwFwYDVR0RBBAwDoIMZmEy\nZTU1M2ZiMjRiMAoGCCqGSM49BAMCA0cAMEQCIEXBd8v6z0D+q9iu/LIRw++xaaeu\nmxGpuHV5KVmRvp2GAiBeLLBvYdOfQHWLy4BH+2rJ56yZ4YXdH6uopg9/NoWsig==\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post https://ica-org0:7054/enroll: dial tcp 172.18.0.7:7054: getsockopt: connection refused
```

jworthington (Thu, 12 Oct 2017 19:43:59 GMT):
Go 1.9 is in the docs. I was building CA servers a couple of weeks ago with 1.9 fine. Building a new one today and getting the "no certificates found for the serial and aki" error. Saw the note and rebuilt using Go 1.8 and all is well. Just FYI.

jworthington (Thu, 12 Oct 2017 19:48:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RGWJjHkiAmoqQfB77) @Asara Yes

Asara (Thu, 12 Oct 2017 19:52:29 GMT):
What I'm refereing to is the crypto materials that get generated,but that process seems to be documented here: http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#registering-a-new-identity so I'm looking through this now

Asara (Thu, 12 Oct 2017 19:52:29 GMT):
What I'm referring to is the crypto materials that get generated, and that process seems to be documented here: http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#registering-a-new-identity so I'm looking through this now.

vdods (Thu, 12 Oct 2017 19:58:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uQKNePKy3xvrhWGkA) @aambati Agreed. I think enrollment certs/keys and tls certs/keys should be kept separate and very clearly labeled.

vdods (Thu, 12 Oct 2017 19:59:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mXDMWs7HsxtaZeqwc) @aambati Ah ok, so it's likely the shutdown-safety of the DB would protect it. Though I guess the CA still does write to the msp/keystore dir, so it's possible it could fail in some manner while writing a key.

rajasekharpippalla (Fri, 13 Oct 2017 06:05:33 GMT):
Has joined the channel.

rajasekharpippalla (Fri, 13 Oct 2017 06:05:38 GMT):
How can we implement self-sovereign identity in Hyperledger Fabric?

DarshanBc (Fri, 13 Oct 2017 12:19:15 GMT):
Hi, I am trying ABAC and I am using the SDK. I hardcoded attributes and tried to retrieve them from chaincode, but I am not able to retrieve them. This is my code in the SDK (modified balance-transfer):
```
var attr_req = [];
var attr1_req = { name: "hf.Registrar.Roles", required: true };
attr_req.push(attr1_req);
var reg_attr = [];
var attr_reg = { name: "hf.Registrar.Roles", value: "this is roles" };
reg_attr.push(attr_reg);
return hfc.newDefaultKeyValueStore({
    path: getKeyStoreForOrg(getOrgName(userOrg))
}).then((store) => {
    client.setStateStore(store);
    // clearing the user context before switching
    client._userContext = null;
    return client.getUserContext(username, true).then((user) => {
        logger.debug("User :" + user);
        if (user && user.isEnrolled()) {
            logger.info('Successfully loaded member from persistence');
            return user;
        } else {
            let caClient = caClients[userOrg];
            logger.debug("Ca client: " + caClient);
            return getAdminUser(userOrg).then(function(adminUserObj) {
                member = adminUserObj;
                logger.debug("reached line 279 member username" + username + "userOrg " + userOrg);
                return caClient.register({
                    enrollmentID: username,
                    affiliation: userOrg + '.department1',
                    attrs: reg_attr
                }, member);
            }).then((secret) => {
                enrollmentSecret = secret;
                logger.debug(username + ' registered successfully');
                return caClient.enroll({
                    enrollmentID: username,
                    enrollmentSecret: secret,
                    attr_reqs: attr_req
                });
```
This is the code of the chaincode:
```
attrvalue, status, _ := cid.GetAttributeValue(stub, "hf.Registrar.Roles")
fmt.Printf("attr Value: %s status : %t", attrvalue, status)
```
I am getting attrvalue: "" and status: false.

smithbk (Fri, 13 Oct 2017 14:05:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WfgdNvT4TsJeSXG7X) @louismyu fabric CA can act as an LDAP client to authenticate users for enrollment. Is the ADFS using LDAP?

smithbk (Fri, 13 Oct 2017 14:07:24 GMT):
@DarshanBc Pls try on the #fabric-sdk-node channel. My guess is to change the "attr_reqs" at the end to "attrreqs", but I'm not sure what the node SDK calls those fields. I seem to remember that (maybe).

smithbk (Fri, 13 Oct 2017 14:08:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RGWJjHkiAmoqQfB77) @Asara Yes, it is. Pls see https://gerrit.hyperledger.org/r/#/c/13213/

smithbk (Fri, 13 Oct 2017 15:42:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Du8ZPTMdRjHCtunik) @vdods Yes, I agree that we should default to using a different cert file name in signcerts if the tls profile is used (e.g. tls-cert.pem). However, currently MSP doesn't support multiple signcerts though the design is there to support it. See https://gerrit.hyperledger.org/r/#/c/13213/29/fabric-ca/scripts/start-peer.sh for how the sample does this for now. We will go ahead and add the profile prefix name to the cert file ... though again MSP in fabric will not handle multiple signcerts currently. In the future, I "think" fabric will want to support reading the peer and orderer's TLS certs from MSP in order to support the private key for TLS certs in an HSM. But currently, we just specify a separate MSP directory and copy the cert and key to the appropriate locations as the sample does.

jaswanth (Mon, 16 Oct 2017 05:31:05 GMT):
Can I get roles from the enrolled user? Like, I registered a user with `hf.role = manager`; when I enroll a user, only the manager can do some specific operations, but when I looked into the enrolled user I didn't find any `role = manager` value. Is there a way of getting it in my nodejs? Any help here.

waterlord (Mon, 16 Oct 2017 06:22:33 GMT):
Has joined the channel.

daijianw (Mon, 16 Oct 2017 06:59:57 GMT):
I'm following http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#setting-up-a-cluster. In the "Setting up multiple CAs" part, it mentions using "cacount" or cafiles to start multiple CA instances. My observation is that only port 7054 was being listened on. Then I assume the multiple instances started this way will share the same endpoint of :. If we start multiple CA instances this way in a container, then they are still in one container. Then how can haproxy balance load among these CA instances in one container? Thanks for the clarification.

outis (Mon, 16 Oct 2017 07:51:07 GMT):
How can I revoke an enrolled user by serial and aki? Is there any way to get serial/aki of the certificate via sdk?

username343 (Mon, 16 Oct 2017 08:44:16 GMT):
Can anybody direct me towards any resource on how the fabric-ca generated material works, where the admincerts are obtained from and how the peer admin certs get added to the peer nodes?

username343 (Mon, 16 Oct 2017 09:24:37 GMT):

Fabric-CA certificate Tree.png

username343 (Mon, 16 Oct 2017 09:24:40 GMT):
I found this question on stackoverflow.com - https://stackoverflow.com/questions/46465298/understanding-various-certificates-in-hyperledger-fabric. I want to understand the tree structure made by the poster of this question.

skarim (Mon, 16 Oct 2017 14:33:00 GMT):
@outis You can use the `fabric-ca-client revoke --revoke.serial --revoke.aki ` to revoke certificate by serial and aki. I am not sure if the SDKs provide a way to get the serial/aki, you might want to ask in the respective sdk channel. However, you can use openssl to get serial and aki. Example: `openssl x509 -in cert.pem -noout -text`

skarim (Mon, 16 Oct 2017 14:36:23 GMT):
@daijianw Multiple CAs in one server should not be used for clustering. In a cluster setup, you will need to have multiple CA servers that should have different hostnames/ports and not just multiple CAs in a single server.

smithbk (Mon, 16 Oct 2017 16:02:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sdBr3Fzy9MXvyLx3P) @jaswanth See https://github.com/hyperledger/fabric/tree/master/core/chaincode/lib/cid ... you can use https://github.com/hyperledger/fabric/tree/master/core/chaincode/lib/cid#asserting-an-attribute-value for this

smithbk (Mon, 16 Oct 2017 16:06:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KFSLzqMz8sDdphAGG) @daijianw HA proxy load balances to a specific fabric-ca-server instance, but each fabric-ca-server instance manages multiple CAs. The CA which handles the request depends on the name of the CA in the body of the request. It goes to the default CA if there is none.

smithbk (Mon, 16 Oct 2017 16:11:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=J9KuwprYtDkm7jTSq) @username343 The admin certs must be manually distributed to the local MSPs of the peer. There is no magic here. We will be making this easier in the future by providing a way to recognize an admin cert based on other criteria, but this is not yet done

outis (Tue, 17 Oct 2017 01:43:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BcexFAcdanoRTi3RP) @skarim thanks

daijianw (Tue, 17 Oct 2017 01:56:33 GMT):
@skarim @smithbk Thanks for your reply. Then can I understand there are two layers of load balancing? One is at HAProxy, which balances load among multiple fabric-ca-server instances. The other is at each fabric-ca-server instance itself, which can balance load among multiple CA instances depending on the CA name specified in the request body. My further question is, what's the best practice to use the 2nd layer of load balancing at each fabric-ca-server instance? It seems it needs the fabric ca client to know the different CA names on the fabric-ca-server instance and manage the load balancing among the CA instances.

outis (Tue, 17 Oct 2017 07:23:12 GMT):
How can I use fabric-ca-client command to revoke existing users? I tried the following: 1. start the balance-transfer example 2. connect to the fabric-ca docker image 3. run `fabric-ca-client -a -s ` where aki/serial are those of generated `crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/signcerts/peer0.org1.example.com-cert.pem `. But I get the message `Error: Enrollment information does not exist. Please execute enroll command first.` I already run the createchannel-install-instantiate-invoke process, so all the peers should be enrolled. Am I wrong about this or revoking a wrong cert?

DarshanBc (Tue, 17 Oct 2017 07:35:04 GMT):
Hi I am trying to enroll a user and I am getting this error
```
{"id":"Jacky","affiliation":"org1.department1","max_enrollments":1,"attrs":[{"name":"hf.Registrar.Roles","value":"admin"}],"caName":""}
2017/10/17 07:30:20 [DEBUG] Directing traffic to default CA
2017/10/17 07:30:20 [DEBUG] Checking for revocation/expiration of certificate owned by 'admin'
2017/10/17 07:30:20 [DEBUG] DB: Get certificate by serial (b7c4948af2b88e852ee01d76500cbc4bf733104) and aki (d71819749f1ae8d67095c17f04c96200187ff16ff815a2beb406b95cc8fbcb37)
2017/10/17 07:30:20 [DEBUG] Successful authentication of 'admin'
2017/10/17 07:30:20 [DEBUG] Register request received
2017/10/17 07:30:20 [DEBUG] Received registration request from admin: &{RegistrationRequest:{Name:Jacky Type: Secret:<> MaxEnrollments:1 Affiliation:org1.department1 Attributes:[{Name:hf.Registrar.Roles Value:admin}] CAName:}}
2017/10/17 07:30:20 [DEBUG] canRegister - Check to see if user admin can register
2017/10/17 07:30:20 [DEBUG] DB: Getting identity admin
2017/10/17 07:30:20 [DEBUG] Registration of 'Jacky' failed: No identity type provided. Please provide identity type
2017/10/17 07:30:20 [INFO] 172.19.0.1:36880 - "POST /api/v1/register" 0
```

DarshanBc (Tue, 17 Oct 2017 07:38:34 GMT):
How do I specify user type?

DarshanBc (Tue, 17 Oct 2017 07:38:41 GMT):
I am using node sdk

smithbk (Tue, 17 Oct 2017 10:25:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bPk43qWB5qFESf3CE) @daijianw Directing a request to the appropriate CA in a fabric-ca-server instance is not load balancing. It is not based on load. Think of the ability of the fabric-ca-server to host multiple CAs as if they are logically different servers; in fact, they are using different signing certificates, different database tables, etc, so they function as different servers. So this is simply a way to host multiple CAs while only having to manage a single physical server or cluster. And yes, the client must explicitly know the name of the CA, just as the client must know the host/port of the CA. So the "address" of the CA is .

smithbk (Tue, 17 Oct 2017 10:45:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zZNeh5snCdm7AgyYn) @outis First, there is a difference between revoking a certificate in fabric CA and in fabric. Revoking a certificate in fabric CA marks that certificate as being revoked in the fabric CA's database so that all future operations received by the fabric-ca-server which are associated with that certificate will be rejected (e.g. fabric-ca-client register/reenroll/revoke). Revoking a certificate in fabric requires updating a CRL in an MSP (either a local MSP or an MSP in a channel configuration). Next, regarding your steps above, you have used cryptogen in the balance-transfer example to generate a certificate and then tried to revoke that certificate in fabric-ca-server's database. It does not exist in fabric-ca-server's DB since you used cryptogen, so it will not work. If you used fabric CA from the beginning as shown in this sample https://gerrit.hyperledger.org/r/#/c/13213/, then you would be able to revoke it, but it would still not automatically revoke the certificate in fabric. To do this, you could see https://gerrit.hyperledger.org/r/#/c/13687. Neither of these change sets are merged yet, but hopefully will be soon. One other thing to mention is that if you want to continue to use cryptogen, you can still follow part of what the run-fabric.sh script does in https://gerrit.hyperledger.org/r/#/c/13687. In particular, see the following:
```
# Revoke the user and generate CRL using admin's credentials
revokeFabricUser
generateCRL
# Fetch config block
fetchConfigBlock
# Create config update envelope with CRL and update the config block of the channel
createConfigUpdatePayloadWithCRL
updateConfigBlock
```
The 1st part calling "revokeFabricUser" and "generateCRL" calls fabric CA to revoke the certificate and then get an updated CRL from fabric CA. This is the fabric CA specific part of course. The remainder is how to interact with the fabric to push a CRL to an MSP in a config change block.

smithbk (Tue, 17 Oct 2017 10:52:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sXMjG7ondwJcXgeLM) @DarshanBc Try adding *"type": "user"* to your request as follows: ```{"id":"Jacky","type":"user","affiliation":"org1.department1","max_enrollments":1,"attrs":[{"name":"hf.Registrar.Roles","value":"admin"}],"caName":""}```

DarshanBc (Tue, 17 Oct 2017 10:53:51 GMT):
yep it got resolved by adding `role:user`

utiMan (Tue, 17 Oct 2017 14:06:33 GMT):
Has joined the channel.

utiMan (Tue, 17 Oct 2017 14:09:42 GMT):
Hi, I am trying to connect a hardware HSM to the CA with pkcs#11. Sadly I get the error `Could not find default 'PKCS11' BCCSP`. I supplied the information with env variables. Can anyone point me into the right direction of resolving this?

utiMan (Tue, 17 Oct 2017 14:17:02 GMT):
Okay, apparently you need to supply the config section nonetheless ^^'. This leads me to `[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x0]`

utiMan (Tue, 17 Oct 2017 15:20:02 GMT):
Hi all, I am trying to use a hardware HSM via pkcs11 as the BCCSP. I set up everything with docker 17.09. When I start the ca container it stops immediately. docker logs shows `[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x0]` plus this trace https://pastebin.com/Sq8YPYhb What is going wrong here?

smithbk (Tue, 17 Oct 2017 15:44:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=H8i8Qsv7hwBcTRJpZ) @utiMan I assume you followed the instructions at http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#hsm. @vpaprots Vlad may be able to help off the top of his head; otherwise, we're going to need to know how to reproduce.

utiMan (Tue, 17 Oct 2017 15:47:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cv6JnZ8e7c4g63QtW) @smithbk Yes, I used this to start. I have found this jira https://jira.hyperledger.org/browse/FAB-6161?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel which suggests that this is an issue with the docker image. While this is not what I would expect from an official image, I will try to run the ca from my host tomorrow and see if the error persists. If yes, I will check back here.

Asara (Tue, 17 Oct 2017 17:34:38 GMT):
When allowing the CA to make its own self signed certs, does it not ever write the private key?

Asara (Tue, 17 Oct 2017 17:35:02 GMT):
It seems to generate and write the public key, but when I restart the service (running it natively) it tells me that the private key doesn't match the public key

Asara (Tue, 17 Oct 2017 17:38:43 GMT):
Oh... unless what ends up generated in the msp directory is the privkey

harsha (Tue, 17 Oct 2017 18:11:27 GMT):
Hi, would be interested to read/understand the need/requirement to have `fabric-ca-peer, fabric-ca-orderer, and fabric-ca-tools` docker images as opposed to bundling them together into single fabric-ca docker image.

vdods (Tue, 17 Oct 2017 19:35:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uxfoANR8tqPSsYwFw) @smithbk Ah ok, so currently it's as if the TLS enrollment is just an entirely different identity. The definition of the MSP dir in the docs says that signcerts should have 1 cert, so it would seem like adding a cert to that dir isn't the way to go. When the TLS enrollment happens, a new dir tlscacert shows up, so perhaps the tls enrollment key and cert could show up in tlscerts and tlskeystore (or something otherwise having a separate namespace)?

smithbk (Tue, 17 Oct 2017 20:18:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BQj8hhiAPAjzEw3FQ) @vdods The TLS enrollment doesn't have to be a different identity, but best security practice is that they are different certs. In the future, I think MSP may allow multiple signcerts, but until then you just specify a different directory for the client to place the cert as is done by the start-peer.sh script

vdods (Tue, 17 Oct 2017 20:19:21 GMT):
Thanks

smithbk (Tue, 17 Oct 2017 20:21:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2p4kNrgZWXHQoq7Jr) @Asara Yes, the private key is in the msp/keystore directory

smithbk (Tue, 17 Oct 2017 20:24:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jdhWmNeDDBS4PvaDM) @harsha The fabric-samples/fabric-ca sample uses them in a similar way that the fabric-peer, fabric-orderer, and fabric-tools images are used. The only difference is that the fabric-ca-xxxx version of each of these images adds in a fabric-ca-client so that we can register and enroll as needed for the peer, orderer, admins, and end users. This creates the minimal images and demonstrates how they are really intended to be used.

VoR0220 (Tue, 17 Oct 2017 20:56:09 GMT):
Has joined the channel.

rjones (Tue, 17 Oct 2017 21:17:33 GMT):
@smithbk should this be merged or abandoned? https://gerrit.hyperledger.org/r/#/c/14445/

rjones (Tue, 17 Oct 2017 21:17:43 GMT):
if you could merge it, that would be great

smithbk (Tue, 17 Oct 2017 21:27:01 GMT):
merged

vdods (Tue, 17 Oct 2017 23:33:55 GMT):
@smithbk On https://jira.hyperledger.org/browse/FAB-4617 you mentioned some way to configure the "not before" time for a cert on a per-profile basis -- I'm having a problem with the built-in 5 minute backdating. How do I go about changing this?

smithbk (Wed, 18 Oct 2017 00:11:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yEtq3ipEY5byWtbyo) @vdods See the additional backdate directives below
```
signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
    backdate: 24h
  profiles:
    ca:
      usage:
        - cert sign
      expiry: 43800h
      backdate: 24h
      caconstraint:
        isca: true
        maxpathlen: 0
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - client auth
        - key agreement
      expiry: 8760h
      backdate: 24h
```

vdods (Wed, 18 Oct 2017 00:12:04 GMT):
Thanks!

vdods (Wed, 18 Oct 2017 00:14:14 GMT):
So backdating of zero is not possible? It looks like 0 is the sentinel value that triggers the default of 5 minutes

outis (Wed, 18 Oct 2017 01:07:34 GMT):
@smithbk thanks for the detailed explanation. I will follow up if I have further questions.

daijianw (Wed, 18 Oct 2017 02:11:32 GMT):
@smithbk Thanks for your clarification

DarshanBc (Wed, 18 Oct 2017 05:34:51 GMT):
In Balance transfer the admin who registers other users doesn't have any attributes. How do I add an attribute for him?

KristofSajdak (Wed, 18 Oct 2017 09:58:25 GMT):
Has joined the channel.

smithbk (Wed, 18 Oct 2017 11:34:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Gox2QM9jFkcxo5SXZ) @vdods yes, looks like cfssl does use 0 as sentinel which defaults to 5 minutes. You could use "1ns" which is 1 nano-second as smallest non-zero duration.

aambati (Wed, 18 Oct 2017 13:49:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jdhWmNeDDBS4PvaDM) @harsha fabric-ca-peer and fabric-ca-orderer extends fabric-peer and fabric-orderer images by adding fabric-ca-client...as names indicate, one is for peer and other is for orderer...why do you want them bundled into one image? what use case you have in mind?

DarshanBc (Wed, 18 Oct 2017 13:52:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GJ5sFHFqsNPpjBCHZ) Issue resolved

VoR0220 (Wed, 18 Oct 2017 15:39:51 GMT):
how do I add users to an LDAP server through the Fabric CA client after the LDAP server has been connected to the Fabric CA server?

smithbk (Wed, 18 Oct 2017 17:28:03 GMT):
You can't do it through fabric-ca-client. You have to use some LDAP client or UI for updating the LDAP server.

vdods (Wed, 18 Oct 2017 19:39:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZPpG7eiZW9foy8ptS) @smithbk I changed my openssl-based cert signing to accommodate the backdating done by fabric-ca, since I figure it's there for a reason. If this is useful to anyone, here's how I did it -- it was rather nontrivial to provide a backdated, ASN1 GeneralizedTime formatted value:
```
local BACKDATE_SECONDS=600
local STARTDATE=$(python3 -c "import datetime as dt; d = dt.datetime.fromtimestamp(dt.datetime.now(dt.timezone.utc).timestamp() - $BACKDATE_SECONDS, dt.timezone.utc); print(d.strftime('%Y%m%d%H%M%SZ'))")
openssl ca -config $OPENSSL_CONF_PATH -extensions $EXTENSIONS -days $DAYS -notext -md sha256 -in $CSR_PATH -startdate $STARTDATE
```

Asara (Wed, 18 Oct 2017 20:11:13 GMT):
I'm a little confused as to what I'm doing wrong. I am trying to follow http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html, while also enabling TLS

Asara (Wed, 18 Oct 2017 20:11:48 GMT):
For some reason, when specifying the `--tls.certfiles` option on the enrolling, the command goes through, but when trying to register a new user, I get `Error: Error response from server was: Authorization failure`

Asara (Wed, 18 Oct 2017 20:12:12 GMT):
Using the same ca.crt as specified in the enroll command...

Asara (Wed, 18 Oct 2017 20:17:06 GMT):
I am also a little confused about `The client option is required only if mutual TLS is configured on the server.`

Asara (Wed, 18 Oct 2017 20:17:18 GMT):
What is the difference between enabling TLS and 'mutual TLS'?

rennman (Wed, 18 Oct 2017 20:17:26 GMT):
@Asara are you logging debug messages on the server? does the server log give any additional info?

rennman (Wed, 18 Oct 2017 20:19:02 GMT):
as far as TLS, the common practice is to only verify the server's identity (serverauth) with the use of the server's TLS cert .. so only the server is required to have a TLS cert/key pair

rennman (Wed, 18 Oct 2017 20:19:47 GMT):
In 'mutual AUTH' the server verifies the client's identity with the client's TLS cert, so the client has to have a TLS cert/key pair also

rennman (Wed, 18 Oct 2017 20:20:26 GMT):
the ca.crt in the config is the CA that signed the TLS cert (if self-signed, it is one and the same)

Asara (Wed, 18 Oct 2017 20:20:29 GMT):
If that is the case, I currently have clientauth set to noclientcert

rennman (Wed, 18 Oct 2017 20:20:37 GMT):
which should be fine

rennman (Wed, 18 Oct 2017 20:21:34 GMT):
the auth error may be due to an enrollment problem with the registrar ... is the client's home DIR set appropriately (where the enrollment cert resides)?

rennman (Wed, 18 Oct 2017 20:22:14 GMT):
and has the DB ever been deleted after a re-start? or does the client have an old cert from a previous enroll?

rennman (Wed, 18 Oct 2017 20:23:09 GMT):
the server's log may point you to the root of the problem

Asara (Wed, 18 Oct 2017 20:23:10 GMT):
```
[root@ip-172-30-2-43 ~]# export FABRIC_CA_CLIENT_HOME=$HOME
[root@ip-172-30-2-43 ~]# fabric-ca-client enroll -u https://admin:adminpw@ca.org1.domain.com:7054 --tls.certfiles /opt/ssl_certs/ca.crt
2017/10/18 20:22:04 [INFO] User provided config file: /root/fabric-ca-client-config.yaml
2017/10/18 20:22:04 [INFO] generating key: &{A:ecdsa S:256}
2017/10/18 20:22:04 [INFO] encoded CSR
2017/10/18 20:22:04 [INFO] TLS Enabled
2017/10/18 20:22:04 [INFO] Stored client certificate at /root/msp/signcerts/cert.pem
2017/10/18 20:22:04 [INFO] Stored CA root certificate at /root/msp/cacerts/ca-org1-monetago-com-7054.pem
[root@ip-172-30-2-43 ~]# fabric-ca-client register --id.name admin2 --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,admin=true:ecert' --tls.certfiles /opt/ssl_certs/ca.crt
2017/10/18 20:22:23 [INFO] User provided config file: /root/fabric-ca-client-config.yaml
2017/10/18 20:22:23 [INFO] Configuration file location: /root/fabric-ca-client-config.yaml
2017/10/18 20:22:23 [INFO] TLS Enabled
Error: Error response from server was: Authorization failure
```

Asara (Wed, 18 Oct 2017 20:24:01 GMT):
I am seeing no logs on the server side

Asara (Wed, 18 Oct 2017 20:24:03 GMT):
though I see this error

Asara (Wed, 18 Oct 2017 20:24:16 GMT):
```
2017/10/18 20:19:09 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: CSP:500 - Failed getting key
/root/Go/src/github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw/impl.go:257 github.com/hyperledger/fabric-ca/vendor/
/root/Go/src/github.com/hyperledger/fabric-ca/util/csp.go:218 github.com/hyperledger/fabric-ca/util.GetSignerFromCert
/root/Go/src/github.com/hyperledger/fabric-ca/util/csp.go:340 github.com/hyperledger/fabric-ca/util.LoadX509KeyPair
/root/Go/src/github.com/hyperledger/fabric-ca/lib/server.go:450 github.com/hyperledger/fabric-ca/lib.(*Server).listenAndServe
/root/Go/src/github.com/hyperledger/fabric-ca/lib/server.go:127 github.com/hyperledger/fabric-ca/lib.(*Server).Start
/root/Go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/start.go:41 main.runStart
/root/Go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 github.com/hyperledger/fabric-ca/vendor/github.com/sp
/root/Go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 github.com/hyperledger/fabric-ca/vendor/github.com/sp
/root/Go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 github.com/hyperledger/fabric-ca/vendor/github.com/sp
/root/Go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:95 main.RunMain
/root/Go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:82 main.main
/usr/lib/golang/src/runtime/proc.go:194 runtime.main
/usr/lib/golang/src/runtime/asm_amd64.s:2338 runtime.goexit
Caused by: Key type not recognized
2017/10/18 20:19:09 [DEBUG] Attempting fallback with certfile /opt/fabric-ca/tls-cert.pem and keyfile /opt/fabric-ca/tls-key.pem
2017/10/18 20:19:09 [DEBUG] Client authentication type requested: noclientcert
2017/10/18 20:19:09 [INFO] Listening on %!s(int=7054)%!(EXTRA string=https://0.0.0.0:7054)
```

rennman (Wed, 18 Oct 2017 20:24:24 GMT):
hmmm ... --debug may help, but mostly in the server log

rennman (Wed, 18 Oct 2017 20:25:18 GMT):
did you provide a URL for the register? I don't see one

Asara (Wed, 18 Oct 2017 20:25:36 GMT):
It wouldn't grab it from the config?

Asara (Wed, 18 Oct 2017 20:25:57 GMT):
It is in the configuration that gets created after enrollment

rennman (Wed, 18 Oct 2017 20:26:21 GMT):
ah ok, right I am usually pretty explicit

Asara (Wed, 18 Oct 2017 20:26:28 GMT):
and including it with -u I still get the same error

rennman (Wed, 18 Oct 2017 20:27:05 GMT):
the reason I asked is that I don't see any new messages in the server log after the 'INFO' listening

rennman (Wed, 18 Oct 2017 20:27:26 GMT):
I would have expected an indication of some incoming request

smithbk (Wed, 18 Oct 2017 20:32:22 GMT):
The server logs will give more details on the reason for the authorization failure. For security reasons, the client error message is not specific.

Asara (Wed, 18 Oct 2017 20:38:19 GMT):
```
2017/10/18 20:37:51 [DEBUG] Directing traffic to default CA
2017/10/18 20:37:51 [DEBUG] Checking for revocation/expiration of certificate owned by 'admin'
2017/10/18 20:37:51 [DEBUG] DB: Get certificate by serial (38319b2a9309e26938b9cfa099cfb69b0f79842) and aki (465a282cec379aa1e945fc340cb3d5c9ad070c18)
2017/10/18 20:37:51 [ERROR] No certificates found for provided serial and aki
```

Asara (Wed, 18 Oct 2017 20:39:29 GMT):
And again, I'm pointing to the same ```--tls.certfiles``` if that could be causing this

Asara (Wed, 18 Oct 2017 20:39:31 GMT):
not sure....

rennman (Wed, 18 Oct 2017 20:41:07 GMT):
run the client cmd with the --debug ... would like to see 'Configuration file location:'

rennman (Wed, 18 Oct 2017 20:42:24 GMT):
fyi, the config file that is generated when I tried the cmd (enroll.yaml) did not include the value that was passed in with the -u option, but rather was the default: url: https://localhost:7054

rennman (Wed, 18 Oct 2017 20:42:56 GMT):
ok, I take it back ... not the default ... the 's' is there

Asara (Wed, 18 Oct 2017 20:43:30 GMT):
provided config file: /root/fabric-ca-client-config.yaml

Asara (Wed, 18 Oct 2017 20:43:33 GMT):
which is the correct file

Asara (Wed, 18 Oct 2017 20:48:37 GMT):
I do see this:
```
2017/10/18 20:47:18 [DEBUG] Saved serial number as hex 48d0e5aa83d3598141ef95f92ea3ae6d97b75879
2017/10/18 20:47:18 [DEBUG] saved certificate with serial number 415705897237317822474515338706102011649773230201
2017/10/18 20:47:18 [INFO] 172.30.2.234:38930 - "POST /enroll" 200
2017/10/18 20:47:54 [DEBUG] Received request POST /register
```
and further down after trying to register a new user: `2017/10/18 20:47:54 [DEBUG] DB: Get certificate by serial (48d0e5aa83d3598141ef95f92ea3ae6d97b75879) and aki (ce01bee8beb5ef67b2d16fe1263cda0b1f22ca56)`

Asara (Wed, 18 Oct 2017 20:50:28 GMT):
If that is of any use...

rennman (Wed, 18 Oct 2017 20:59:54 GMT):
so you can confirm that you have the right enrollment cert (or at least is consistent with the one that got logged when you enrolled) if you look at the serial number: openssl x509 -in /root/msp/signcerts/cert.pem -serial -noout

Asara (Wed, 18 Oct 2017 21:06:21 GMT):
It is the same as the one provided in the output of the fabric-ca-server logs yes.

rennman (Wed, 18 Oct 2017 21:07:45 GMT):
hmmm .. i replayed your exact sequence and it worked ... which DB are you using ?

Asara (Wed, 18 Oct 2017 21:07:53 GMT):
for the CA? sqlite

Asara (Wed, 18 Oct 2017 21:08:13 GMT):
Hm... it is possible the CSR isn't being created properly for the client?

Asara (Wed, 18 Oct 2017 21:08:23 GMT):
I will pick this up tomorrow, thanks for the assistance thus far @rennman

rennman (Wed, 18 Oct 2017 21:10:25 GMT):
sure, last thing before you/I go ... stash this for in depth DB debugging: sqlite3 "select * from certificates"

Asara (Wed, 18 Oct 2017 21:13:07 GMT):
```
admin|3bca5a0f8501d888cb77525e3b0b743425277262|||good|0|2018-10-18 21:07:00+00:00|0001-01-01 00:00:00+00:00|-----BEGIN CERTIFICATE-----
```

Asara (Wed, 18 Oct 2017 21:13:22 GMT):
```
[root@ip-172-30-2-157 fabric-ca]# openssl x509 -in /root/msp/signcerts/cert.pem -serial -noout
serial=3BCA5A0F8501D888CB77525E3B0B743425277262
```

rennman (Wed, 18 Oct 2017 21:18:53 GMT):
if in fact, that SN and AKI is consistent with the server's message "No certificates found for provided serial and aki" that would seem to be a problem

vdods (Wed, 18 Oct 2017 23:26:27 GMT):
@smithbk I'm doing some work involving configtxgen, and some of the parts of configtx.yaml involve specifying the MSP dir for each organization defined within. I noticed that fabric-ca-cryptogen.sh generates MSP dirs with different content for the orderer org and for the orderer itself. What exactly is the MSP dir that is specified in configtx.yaml for an organization? What does it need to contain? The docs at https://hyperledger-fabric.readthedocs.io/en/latest/msp.html#channel-msp-setup aren't really clear which certs/keys are needed

smithbk (Thu, 19 Oct 2017 00:07:58 GMT):
The MSP dirs referenced in configtx.yaml are used to build the genesis block, etc. and do not contain any private keys. They contain cacerts, optionally intermediatecerts, admincerts, tlscacerts, and optionally tlsintermediatecerts. This is the MSP info that goes into a channel config block and is used for a) connecting over TLS as a client and b) validating signatures. Only the local MSP of a peer or orderer will have private keys, which are used for signing as the peer or orderer identity.

vdods (Thu, 19 Oct 2017 00:10:33 GMT):
For example, the contents of the org's MSP dirs admincerts, cacerts, and intermediatecerts are identical to those in that org's orderer's MSP dir, but the signcerts and tlscacerts have different contents (i think only the names of the files in tlscacerts are different)

vdods (Thu, 19 Oct 2017 00:20:08 GMT):
which admin certs should go into an org's MSP for the channel? I guess I could phrase that as "admin in which context?"

smithbk (Thu, 19 Oct 2017 01:10:15 GMT):
Yes, there is a lot of duplication in the MSP directories. I think it will make more sense if you think of two types of MSP directories: 1) those at the top level, which contain no private keys and which are referenced in the configtx.yaml file and used for building the genesis block, and 2) the MSP directories at lower levels in the directory hierarchy, all of which correspond to and are owned by a single identity in the blockchain network. Those identities of type 2 are either an orderer, a peer (2 peers in each org), an org administrator, or an org end user. Since these correspond to an identity that must sign (not just validate), these MSP directories contain a signcert and corresponding private key in the keystore directory.

alain2sf (Thu, 19 Oct 2017 06:03:35 GMT):
Has joined the channel.

outis (Thu, 19 Oct 2017 07:31:52 GMT):
@smithbk I am looking at runFabric.sh, a little confused. Where is it supposed to run? I see peer command and fabric-ca-client - how does it switch docker image?

vdods (Thu, 19 Oct 2017 08:02:45 GMT):
@smithbk Ok, so for the type 1 MSP dirs (which I believe is what you'd supply in configtx.yaml for channel tx creation), whose cert goes in the admincerts dir, and whose cert goes in the signcerts dir? The choices I'm seeing for admincerts are 1) CA cert, 2) CA admin, 3) application admin. The choices I'm seeing for signcerts are 1) CA cert, 2) CA admin.

vdods (Thu, 19 Oct 2017 08:03:11 GMT):
@smithbk Perhaps it would be good to formalize the distinction between these MSP types in the documentation

smithbk (Thu, 19 Oct 2017 08:40:34 GMT):
In type 1 MSP dirs, there are no signcerts. The admincerts would contain the application admin, or more fully, the identity or identities who should be allowed to install chaincode on a peer and possibly create channels for its org.

smithbk (Thu, 19 Oct 2017 08:42:08 GMT):
@nickgaski Could you help with formalizing this difference in the doc that @vdods refers to above?

DarshanBc (Thu, 19 Oct 2017 09:38:38 GMT):
I have a requirement: I need to create an asset for which 3 users with different roles of a single org have to agree. How do I do it?

fredbi (Thu, 19 Oct 2017 11:53:14 GMT):
Has joined the channel.

smithbk (Thu, 19 Oct 2017 12:01:47 GMT):
You could do this with a combination of ABAC (Attribute-Based Access Control) and logic in your chaincode. Basically you use ABAC to determine the org/MSPID and role of the invoker with certain args in your chaincode. You just keep track of the IDs of those that have "signed" by invoking the chaincode with those args and when you have 3, you create the asset.

Asara (Thu, 19 Oct 2017 13:12:22 GMT):
What exactly is the AKI?

Asara (Thu, 19 Oct 2017 13:13:29 GMT):
And how can I validate it matches what is in the CA?

Asara (Thu, 19 Oct 2017 13:19:25 GMT):
Also can anyone expand on this error a bit?
```
2017/10/19 13:16:08 [DEBUG] 1 CA instance(s) running on server
2017/10/19 13:16:08 [DEBUG] TLS is enabled
2017/10/19 13:16:08 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: CSP:500 - Failed getting key for SKI: CSP:500 - Failed getting key for SKI [[234 248 169 148 185 154....
/root/Go/src/github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw/impl.go:257 github.com/hyperledger/fabric-ca/vendor
/root/Go/src/github.com/hyperledger/fabric-ca/util/csp.go:218 github.com/hyperledger/fabric-ca/util.GetSignerFromCert
/root/Go/src/github.com/hyperledger/fabric-ca/util/csp.go:340 github.com/hyperledger/fabric-ca/util.LoadX509KeyPair
/root/Go/src/github.com/hyperledger/fabric-ca/lib/server.go:450 github.com/hyperledger/fabric-ca/lib.(*Server).listenAndServe
/root/Go/src/github.com/hyperledger/fabric-ca/lib/server.go:127 github.com/hyperledger/fabric-ca/lib.(*Server).Start
/root/Go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/start.go:41 main.runStart
/root/Go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 github.com/hyperledger/fabric-ca/vendor/github.com/s
/root/Go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 github.com/hyperledger/fabric-ca/vendor/github.com/s
/root/Go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 github.com/hyperledger/fabric-ca/vendor/github.com/s
/root/Go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:95 main.RunMain
/root/Go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:82 main.main
/usr/lib/golang/src/runtime/proc.go:194 runtime.main
/usr/lib/golang/src/runtime/asm_amd64.s:2338 runtime.goexit
Caused by: Key type not recognized
2017/10/19 13:16:08 [DEBUG] Attempting fallback with certfile /opt/fabric-ca/tls-cert.pem and keyfile /opt/fabric-ca/tls-key.pem
2017/10/19 13:16:08 [DEBUG] Client authentication type requested: noclientcert
2017/10/19 13:16:08 [INFO] Listening on %!s(int=7054)%!(EXTRA string=https://0.0.0.0:7054)
```

Asara (Thu, 19 Oct 2017 13:20:00 GMT):
In my settings I am specifically pointing to `/opt/fabric-ca/tls-cert.pem` and `/opt/fabric-ca/tls-key.pem`

Asara (Thu, 19 Oct 2017 13:20:08 GMT):
So I'm not sure what TLS certs it is trying to load there

wy (Thu, 19 Oct 2017 13:58:02 GMT):
hi guys, does anyone know how i can add a new org into a network? will this require any downtime in the network?

skarim (Thu, 19 Oct 2017 14:10:30 GMT):
@Asara AKI stands for Authority Key Identifier; this identifies what CA signed this certificate. You can inspect both the CA cert and the issued cert using OpenSSL to see if the issued cert has the proper AKI. The command would look like `openssl x509 -noout -text -in ca-cert.pem`. The AKI of the issued cert should match the SKI (Subject Key Identifier) of the CA cert. BCCSP expects the key to be stored in the MSP; however, if you provide a custom path to your TLS key file it will throw that error, but as you can see it will fall back to using the TLS key that you specified. `2017/10/19 13:16:08 [DEBUG] Attempting fallback with certfile /opt/fabric-ca/tls-cert.pem and keyfile /opt/fabric-ca/tls-key.pem`

Asara (Thu, 19 Oct 2017 14:11:57 GMT):
Ah that makes sense

Asara (Thu, 19 Oct 2017 14:12:00 GMT):
Thanks @skarim

Asara (Thu, 19 Oct 2017 14:13:00 GMT):
Actually wait, what do you mean by provide a custom path?

Asara (Thu, 19 Oct 2017 14:13:11 GMT):
The only place I am specifying the path is in the config

skarim (Thu, 19 Oct 2017 14:16:06 GMT):
@Asara If you specify a path that is outside of the MSP. In the config file there is a place where the keystore is set, `keystore: msp/keystore`. This is where BCCSP expects the key to be by default, but if the key is stored elsewhere it will throw that error and fall back to what you specified in the config.

Asara (Thu, 19 Oct 2017 14:27:44 GMT):
Okay I'm just trying to make sure, is this where it pulls ca.keyfile from?

Vadim (Thu, 19 Oct 2017 14:29:13 GMT):
@Asara could it be that the actual error message is `Caused by: Key type not recognized`?

Asara (Thu, 19 Oct 2017 14:30:56 GMT):
@Vadim Possibly but I'm not sure why

Asara (Thu, 19 Oct 2017 14:31:02 GMT):
Let me give an overview of what I'm doing

Vadim (Thu, 19 Oct 2017 14:31:57 GMT):
ok, but then it seems to fall back to using your tls files

Vadim (Thu, 19 Oct 2017 14:32:39 GMT):
so have you tried to communicate with the CA? Do you have any problems with it?

Vadim (Thu, 19 Oct 2017 14:32:56 GMT):
or you just trying to understand the log output?

Asara (Thu, 19 Oct 2017 14:32:58 GMT):
I mentioned yesterday, I am able to enroll users, but not register them using the same TLS CAs

Asara (Thu, 19 Oct 2017 14:33:04 GMT):
```
tls:
  enabled: true
  certfile: /opt/fabric-ca/tls-cert.pem
  keyfile: /opt/fabric-ca/tls-key.pem
  clientauth:
    type: noclientcert
    certfiles:
ca:
  name: ca-org1
  keyfile: /opt/fabric-ca/msp/keystore/02788bf5e9bcf1cec23bd3c6baae36e1e1d2aaef9a67bbe49370d15749c35f5d_sk
  certfile: /opt/fabric-ca/ca-cert.pem
  chainfile: ca-chain.pem
```

Asara (Thu, 19 Oct 2017 14:33:25 GMT):
`keyfile: /opt/fabric-ca/msp/keystore/02788bf5e9bcf1cec23bd3c6baae36e1e1d2aaef9a67bbe49370d15749c35f5d_sk` I fill in dynamically after it is created using the init command.

Vadim (Thu, 19 Oct 2017 14:33:41 GMT):
could you explain the registration problem?

Asara (Thu, 19 Oct 2017 14:33:54 GMT):
```
[root@ip-172-30-2-43 ~]# export FABRIC_CA_CLIENT_HOME=$HOME
[root@ip-172-30-2-43 ~]# fabric-ca-client enroll -u https://admin:adminpw@ca.org1.domain.com:7054 --tls.certfiles /opt/ssl_certs/ca.crt
2017/10/18 20:22:04 [INFO] User provided config file: /root/fabric-ca-client-config.yaml
2017/10/18 20:22:04 [INFO] generating key: &{A:ecdsa S:256}
2017/10/18 20:22:04 [INFO] encoded CSR
2017/10/18 20:22:04 [INFO] TLS Enabled
2017/10/18 20:22:04 [INFO] Stored client certificate at /root/msp/signcerts/cert.pem
2017/10/18 20:22:04 [INFO] Stored CA root certificate at /root/msp/cacerts/ca-org1-domain-com-7054.pem
[root@ip-172-30-2-43 ~]# fabric-ca-client register --id.name admin2 --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,admin=true:ecert' --tls.certfiles /opt/ssl_certs/ca.crt
2017/10/18 20:22:23 [INFO] User provided config file: /root/fabric-ca-client-config.yaml
2017/10/18 20:22:23 [INFO] Configuration file location: /root/fabric-ca-client-config.yaml
2017/10/18 20:22:23 [INFO] TLS Enabled
Error: Error response from server was: Authorization failure
```

Vadim (Thu, 19 Oct 2017 14:33:57 GMT):
and what does it have to do with TLS CA?

Asara (Thu, 19 Oct 2017 14:34:11 GMT):
I am not exactly sure what is causing this error here

Asara (Thu, 19 Oct 2017 14:34:49 GMT):
So enrollment goes through with this setup, but it fails on registering new users

Vadim (Thu, 19 Oct 2017 14:36:26 GMT):
have you done this correctly? https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enrolling-the-bootstrap-identity

Asara (Thu, 19 Oct 2017 14:37:46 GMT):
Let me go through that process again and make sure :)

Vadim (Thu, 19 Oct 2017 14:38:16 GMT):
because that error happens after TLS handshake and it's not the problem

aambati (Thu, 19 Oct 2017 14:52:05 GMT):
@Asara pls use -d flag on both server and client commands , that should give additional info on the failure...

Asara (Thu, 19 Oct 2017 15:37:49 GMT):
@Vadim @aambati so I'm running both the client and server with -d

Asara (Thu, 19 Oct 2017 15:38:00 GMT):
I did indeed enroll the bootstrap identity correctly (I think)

Asara (Thu, 19 Oct 2017 15:38:52 GMT):
```
2017/10/19 15:36:54 [DEBUG] Directing traffic to default CA
2017/10/19 15:36:54 [DEBUG] Checking for revocation/expiration of certificate owned by 'admin'
2017/10/19 15:36:54 [DEBUG] DB: Get certificate by serial (703eda5ce5fba10a37e77f961a2c8ffe914a6496) and aki (d4fdcf7e7632229cc3ccdabf6d82656f12e68cf0)
2017/10/19 15:36:54 [ERROR] No certificates found for provided serial and aki
```

Asara (Thu, 19 Oct 2017 15:39:39 GMT):
On the client side:
```
2017/10/19 15:39:18 [DEBUG] CA Files: [/opt/ssl_certs/ca.crt]
2017/10/19 15:39:18 [DEBUG] Client Cert File:
2017/10/19 15:39:18 [DEBUG] Client Key File:
2017/10/19 15:39:18 [DEBUG] Client TLS certificate and/or key file not provided
2017/10/19 15:39:18 [DEBUG] Received response statusCode=400 (400 Bad Request)
Error: Error response from server was: Authorization failure
```

Asara (Thu, 19 Oct 2017 15:54:08 GMT):
Is there any other logs/information I can give you guys? Kinda stuck here

aambati (Thu, 19 Oct 2017 16:01:44 GMT):
what version of Fabric CA are you using?

aambati (Thu, 19 Oct 2017 16:01:51 GMT):
and go version?

aambati (Thu, 19 Oct 2017 16:02:05 GMT):
if you are using the latest code from master branch, use go 1.9

aambati (Thu, 19 Oct 2017 16:02:20 GMT):
if you are using code from release branch, then use go 1.7

aambati (Thu, 19 Oct 2017 16:02:37 GMT):
i think i have seen this error when running release branch code with go 1.9

Asara (Thu, 19 Oct 2017 16:13:52 GMT):
I am just running go get using 1.9

Asara (Thu, 19 Oct 2017 16:13:55 GMT):
so I assume that pulls master?

aambati (Thu, 19 Oct 2017 16:21:59 GMT):
i think it will pull release

aambati (Thu, 19 Oct 2017 16:22:03 GMT):
try using 1.7

aambati (Thu, 19 Oct 2017 16:22:03 GMT):
try using go 1.7

Asara (Thu, 19 Oct 2017 16:36:18 GMT):
Ah you are right, it pulls the default branch, which for fabric-ca is the release branch

Asara (Thu, 19 Oct 2017 16:36:22 GMT):
thanks for the insight @aambati

Asara (Thu, 19 Oct 2017 16:49:05 GMT):
Ah man, thanks so much. Banging my head against this for the past two days now.

mastersingh24 (Thu, 19 Oct 2017 17:03:50 GMT):
@aambati @Asara - https://jira.hyperledger.org/browse/FAB-6003?focusedCommentId=30719&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-30719

mastersingh24 (Thu, 19 Oct 2017 17:04:37 GMT):
The release branch supports Go 1.7.5; the master branch supports Go 1.9. git clone will pull the default branch, which is the "release" branch.

Asara (Thu, 19 Oct 2017 18:09:29 GMT):
Does the orderer get registered with a type of peer as well?

Asara (Thu, 19 Oct 2017 18:10:37 GMT):
```
[ca@ip-172-30-2-173 ~]$ fabric-ca-client register --id.name orderer.domain.com --id.type orderer --id.affiliation org1 --id.secret orderer
2017/10/19 18:08:46 [INFO] User provided config file: /home/ca/fabric-ca-client-config.yaml
2017/10/19 18:08:46 [INFO] Configuration file location: /home/ca/fabric-ca-client-config.yaml
2017/10/19 18:08:46 [INFO] TLS Enabled
Error: Error response from server was: Identity 'admin' may not register type 'orderer'
[ca@ip-172-30-2-173 ~]$ fabric-ca-client register --id.name orderer.domain.com --id.type peer --id.affiliation org1 --id.secret orderer
2017/10/19 18:08:58 [INFO] User provided config file: /home/ca/fabric-ca-client-config.yaml
2017/10/19 18:08:58 [INFO] Configuration file location: /home/ca/fabric-ca-client-config.yaml
2017/10/19 18:08:58 [INFO] TLS Enabled
Password: orderer
```

vdods (Thu, 19 Oct 2017 18:19:14 GMT):
@smithbk Thanks for the clarification -- one last question: do the admincerts need to be exact copies of the enrollment certs for the actual admins, or can they be separate enrollments of the same user accounts? I.e. do I need to copy the original e-cert for the app admin into the configtx channel MSP dir, or can I use `fabric-ca-client enroll` to produce a new e-cert and use that?

mastersingh24 (Thu, 19 Oct 2017 18:24:58 GMT):
@vdods - from the Fabric perspective, you'd be ok enrolling twice and using the second eCert as the admin cert in the MSP

vdods (Thu, 19 Oct 2017 18:25:43 GMT):
@mastersingh24 Great, thank you. Is there another perspective from which that would be a bad idea? Perhaps having 2 ecerts out for the same account is more annoying if you have to revoke them?

aambati (Thu, 19 Oct 2017 18:29:04 GMT):
@Asara Make sure admin's "hf.Registrar.Roles" attribute value has "orderer" in the list

Asara (Thu, 19 Oct 2017 18:29:39 GMT):
I am using the bootstrap admin though

aambati (Thu, 19 Oct 2017 18:29:43 GMT):
you can use peer type for orderer, right now identity types are only used by fabric-ca

Asara (Thu, 19 Oct 2017 18:29:55 GMT):
Ah

Asara (Thu, 19 Oct 2017 18:29:56 GMT):
alright

wy (Fri, 20 Oct 2017 04:10:44 GMT):
hello, anyone knows how i can suspend an organisation from a running fabric network?

outis (Fri, 20 Oct 2017 05:04:17 GMT):
@smithbk I am looking at runFabric.sh, a little confused. Where is it supposed to run? I see peer command and fabric-ca-client - how does it switch docker image?

glotov (Fri, 20 Oct 2017 11:10:45 GMT):
Hi! How can I get the key and signcert of the new user I just successfully registered with `fabric-ca-client register --id.name user1 ...`?

mastersingh24 (Fri, 20 Oct 2017 11:22:02 GMT):
@glotov - if you used the -M option to specify an MSP directory, you'll find the material there (keystore folder will hold the private key and signcerts folder will hold the public key). If you did not use the -M option, you'll find the material in the FABRIC_CA_CLIENT_HOME/msp directory, which by default would be $HOME/.fabric-ca-client/msp

glotov (Fri, 20 Oct 2017 11:58:48 GMT):
@mastersingh24 I retried now, I can see 'msp' directory created when I _enroll_. But after I _register_, nothing new gets there.

glotov (Fri, 20 Oct 2017 12:02:28 GMT):
I am using `hyperledger/fabric-ca:x86_64-1.0.1` docker image and run 'fabric-ca-client' that is inside.

simoneromani (Fri, 20 Oct 2017 12:06:08 GMT):
hello, I am trying to issue a new identity to a participant (composer 0.14.1 and fabric-ca 1.0.3), but everytime composer tries to connect to the CA returns this error `Error: Calling register endpoint failed with error [Error: connect ECONNREFUSED 34.251.123.28:7054]`. Anyone knows why or has already faced this issue?

mastersingh24 (Fri, 20 Oct 2017 12:30:47 GMT):
Oops - silly me - did not properly read your post

mastersingh24 (Fri, 20 Oct 2017 12:31:06 GMT):
After you register, you'll need to enroll that new user in order to get their crypto material

mastersingh24 (Fri, 20 Oct 2017 12:31:37 GMT):
registration just creates an entry in the users database. When you register, you get back the secret the user will use during enrollment

simoneromani (Fri, 20 Oct 2017 12:33:02 GMT):
hello, I am trying to issue a new identity to a participant (composer 0.14.1 and fabric-ca-server 1.0.3, TLS enabled) but I get this error back `Error: Calling register endpoint failed with error [Error: unsupported certificate purpose]`. Anyone can help or has already faced this issue?

mastersingh24 (Fri, 20 Oct 2017 12:49:47 GMT):
@simoneromani - As I recall, this issue is due to an issue with the TLS certs which are automatically generated by fabric-ca (they don't have the proper key usage set). Either disable TLS for now or use something like openssl to generate new TLS certificates

smithbk (Fri, 20 Oct 2017 12:54:27 GMT):
@mastersingh24 Gari, what is the missing key usage for TLS certs as generated by fabric CA? I had not seen this error, but should be an easy fix

smithbk (Fri, 20 Oct 2017 13:00:59 GMT):
@outis The run-fabric.sh script runs in the fabric-ca-tools image which contains the peer and fabric-ca-client commands. The fabric-ca-tools is just an extension of the fabric-tools image with fabric-ca-client added in

mastersingh24 (Fri, 20 Oct 2017 13:06:09 GMT):
@smithbk @simoneromani - Let me clarify. If you enable TLS for fabric-ca (e.g. FABRIC_CA_SERVER_TLS_ENABLED=true) and do not set/specify the TLS key pair, then by default fabric-ca-server will actually use the CA root key pair (which does not have the proper key usage for TLS, and openssl - used by NodeJS - does not like this)

mastersingh24 (Fri, 20 Oct 2017 13:06:31 GMT):
This is no longer the case in v1.1

simoneromani (Fri, 20 Oct 2017 13:09:03 GMT):
@mastersingh24 I specified also the TLS_CERTFILE and TLS_KEYFILE, they are matched with my `crypto-config/peerOrganizations/${ORG_DOMAIN}/ca/` directory (generated with cryptogen tool). Should I match instead the `crypto-config/peerOrganizations/${ORG_DOMAIN}/tlsca/` directory?

mastersingh24 (Fri, 20 Oct 2017 13:12:22 GMT):
@simoneromani - those certs will not work either - those are also root CA signing certs. cryptogen does not actually generate TLS certs for the fabric-ca's

glotov (Fri, 20 Oct 2017 14:00:08 GMT):
@mastersingh24 is there a bug tracking this? Do you know is it being fixed?

VoR0220 (Fri, 20 Oct 2017 21:31:37 GMT):
Hi there, does anyone know a good way to create an LDAP with some users and then test the fabric-ca-enroll against it? I'm new to LDAP but have gotten the general gist of it from multiple sources, but I'm not sure how the schemas 'translate'. Side question: why can I not seem to connect to CouchDB from the CA server configurations? (Or am I reading that wrong?)

smithbk (Sat, 21 Oct 2017 01:25:05 GMT):
For setting up an LDAP server with users, see fabric-ca/images/fabric-ca-fvt/payload/slapd_setup.sh ... and for configuring the fabric-ca-server to talk to LDAP, see fabric-ca/scripts/fvt/ldap_test.sh.

smithbk (Sat, 21 Oct 2017 01:25:05 GMT):
fabric-ca-server doesn't support couch DB as a database

mastersingh24 (Sat, 21 Oct 2017 10:48:10 GMT):
Bug tracking for which issue? @glotov

glotov (Sat, 21 Oct 2017 10:51:26 GMT):
@mastersingh24 I meant this issue. Is there any tracking for it?

mastersingh24 (Sat, 21 Oct 2017 11:27:39 GMT):
We actually fixed the issue in v1.1. We were not planning to backport any change as the workaround is to simply generate / supply your own TLS key pair for fabric-ca

mogamboizer (Sat, 21 Oct 2017 15:10:28 GMT):
Has joined the channel.

VoR0220 (Sat, 21 Oct 2017 16:25:24 GMT):
@smithbk but isn't couchDB the blockchain and so isn't the CA server somehow communicating with it? Or am I totally misunderstanding the architecture here?

smithbk (Sat, 21 Oct 2017 16:42:16 GMT):
@VoR0220 No, fabric CA's DB is separate. Fabric accesses key material that is either part of the local MSP or the MSPs that are in the config block of the ledger. It is intentionally a loose coupling between fabric and fabric CA to allow 3rd party CAs to be used.

VoR0220 (Sat, 21 Oct 2017 18:55:08 GMT):
I also appear to be unable to create the docker image. Am getting this error:
```
Step 8/10 : ADD payload/fabric-ca.tar.bz2 $FABRIC_CA_HOME
failed to copy files: Error processing tar file(bzip2 data invalid: bad magic value in continuation file):
make: *** [build/image/fabric-ca/.dummy-x86_64-1.1.0-snapshot-7acc35a] Error 1
```

VoR0220 (Sat, 21 Oct 2017 18:57:07 GMT):
and this is affecting me running the tests. I'm on OS X and am using Docker For Mac 17.09.0-ce-mac35, Go 1.9. Anybody know a workaround here?

mastersingh24 (Sat, 21 Oct 2017 22:00:11 GMT):
@VoR0220 - http://hyperledger-fabric.readthedocs.io/en/latest/dev-setup/devenv.html#prerequisites - look at the brew install gnu-tar (https://chat.hyperledger.org/channel/fabric-ca?msg=aWNCAw78PpQyN2vzS)

glotov (Sun, 22 Oct 2017 06:39:42 GMT):
Looks like my CA server is still listening its port with HTTP protocol, not HTTPS. Although I followed [balance transfer setup](https://github.com/hyperledger/fabric-samples/blob/release/balance-transfer/artifacts/docker-compose.yaml#L10) example literally. How can I help it?

glotov (Sun, 22 Oct 2017 07:19:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GB7mfeWcm3thxyxvQ) @mastersingh24 sorry, what is 1.1?

mastersingh24 (Sun, 22 Oct 2017 11:08:37 GMT):
@glotov - Sorry - the current release version of Hyperledger Fabric is v1.0.3. Work is currently underway on version 1.1 and that is where we fixed this issue. We were not planning on fixing / making a change in the current v1.0.X release stream

agiledeveloper (Sun, 22 Oct 2017 16:57:17 GMT):
Has joined the channel.

agiledeveloper (Sun, 22 Oct 2017 17:03:06 GMT):
I am unable to generate the crypto material using the crypto.sh

agiledeveloper (Sun, 22 Oct 2017 17:09:55 GMT):
I am trying to use the crypto.sh to generate the right material for CA,but I am getting an error ```Failed to register Admin@pcxchg.com with CA as crypto-config/ordererOrganizations/pcxchg.com/users/rootAdmin;```

agiledeveloper (Sun, 22 Oct 2017 17:12:15 GMT):

crypto.txt

agiledeveloper (Sun, 22 Oct 2017 17:14:08 GMT):

crypto-config.txt

agiledeveloper (Sun, 22 Oct 2017 17:14:57 GMT):

register.log

smithbk (Mon, 23 Oct 2017 00:56:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=thhiv7qefYsnaYWnk) @agiledeveloper I see the following in register.log
```
2017/10/22 20:55:12 [DEBUG] Sending request
POST http://localhost:7100/register
Authorization: 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.MEUCIQDZU7JXeo3/GQ57O55cLRPPoaXJfJ77tzR73NEbY8XpTwIgSWAeYlEYlnQKpavIHZHCTCnpNSWKSD970Pbw3w0c4HI=
{"id":"Admin@pcxchg.com","type":"user","secret":"secret","max_enrollments":-1,"affiliation":"org1","attrs":[{"name":"","value":""}]}
2017/10/22 20:55:12 [DEBUG] Received response
statusCode=400 (400 Bad Request)
Error: Error response from server was: Authorization failure
```
In order to see the reason for the authorization failure, you'll need to find the rejection error message in the server logs.

agiledeveloper (Mon, 23 Oct 2017 05:13:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CJsSmTL3yX75qeSM5) @smithbk Thanks ; resolved now, I recompiled the binaries (fabric ca) using GO 1.8.3. then the bash script worked

raduciobanu (Mon, 23 Oct 2017 08:07:10 GMT):
Has joined the channel.

Jonny (Mon, 23 Oct 2017 08:44:02 GMT):
Hi, I'm just running the sample marbles example, but trying to understand how fabric-ca works. So, instead of using the prebaked material, I want to generate my own private key and signed certificate. I started the docker image fabric-ca, but I'm having difficulty finding a guide on how to generate it. Could someone please help me with this.

movee2005 (Mon, 23 Oct 2017 11:37:18 GMT):
Has joined the channel.

movee2005 (Mon, 23 Oct 2017 11:42:46 GMT):
@smithbk I am trying to figure how to use the client's own CA instead of Fabric-CA. Can you point me to the steps to do this. We are working with a prospective client and one of their requirements is to use their X.509 certificates and RSA keys

smithbk (Mon, 23 Oct 2017 11:49:18 GMT):
@movee2005 There are 3 modes of operation: a) use fabric CA with its own self-signed certificate b) use fabric CA with a signing certificate issued by the client's CA but ecerts issue by fabric CA or c) do not use fabric CA at all and use ecerts issued by client's CA. Are you sure you want "c" rather than "b"?

smithbk (Mon, 23 Oct 2017 11:52:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oPZCZm4ocd2ETYrNg) @Jonny Have you seen https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca/? This is the best end-to-end example using fabric CA

movee2005 (Mon, 23 Oct 2017 12:07:22 GMT):
@smithbk. I will take a look

movee2005 (Mon, 23 Oct 2017 12:08:56 GMT):
@smithbk thanks for the response. we are trying to see if we could hook to LetsEncrypt as an example.

movee2005 (Mon, 23 Oct 2017 12:12:55 GMT):
@smithbk yes we want to use C as this was explicitly requested as they already use a .CA. This is one of the possible deal makers for us/IBM

Jonny (Mon, 23 Oct 2017 12:38:26 GMT):
thanks @smithbk I'm looking at that sample now. Really helpful for me

smithbk (Mon, 23 Oct 2017 12:50:35 GMT):
@movee2005 @bhargav18 was writing up an article which may be helpful. I was working with Bhargav on this but am not sure of its current state. It would also not be too hard to take one of the samples and replace calls to cryptogen or fabric-ca-server with certbot calls to LetsEncrypt. If you have a particular sample that is preferred, I could help. Although we would need to make sure the certs generated by LetsEncrypt which are for TLS will also have appropriate key usage required by fabric (i.e. digital signature)

bhargav18 (Mon, 23 Oct 2017 12:50:35 GMT):
Has joined the channel.

movee2005 (Mon, 23 Oct 2017 13:49:48 GMT):
@smithbk @bhargav18 I would like to see the article if ok. I am happy to work with you to try and test this out; @ratnakar and someone else from my team can help here

DarshanBc (Mon, 23 Oct 2017 14:15:39 GMT):
Hi how to restrict all users from installing chaincode?

DarshanBc (Mon, 23 Oct 2017 14:16:08 GMT):
Only admin users should be able to upgrade or install chaincode

Vadim (Mon, 23 Oct 2017 14:26:11 GMT):
@DarshanBc by default, only peer admin is allowed to install a chaincode

DarshanBc (Mon, 23 Oct 2017 14:28:42 GMT):
@Vadim but with respect to balance transfer, anyone registered and enrolled is able to install!!!

Vadim (Mon, 23 Oct 2017 14:30:21 GMT):
@DarshanBc it's the app designed like this, whenever you call install, it retrieves peer admin and does it on his behalf: https://github.com/hyperledger/fabric-samples/blob/release/balance-transfer/app/install-chaincode.js#L33

Asara (Mon, 23 Oct 2017 15:40:05 GMT):
Hey all, following this: http://hyperledger-fabric-ca.readthedocs.io/en/stable/users-guide.html#enrolling-a-peer-identity, upon starting the orderer I get the error `Failed to initialize local MSP: Could not load a valid admin certificate from directory /etc/fabric/msp/admincerts`

Asara (Mon, 23 Oct 2017 15:40:16 GMT):
The enrollment/registration process doesn't seem to make admincerts on the server

Asara (Mon, 23 Oct 2017 15:40:24 GMT):
What am I supposed to be providing there?

Asara (Mon, 23 Oct 2017 15:40:34 GMT):
(on the client side, orderer in my case here)

mastersingh24 (Mon, 23 Oct 2017 15:40:50 GMT):
@Asara - You are correct. It does not. You need to enroll an admin separately and then add it to the MSP for a peer and orderer

Asara (Mon, 23 Oct 2017 15:41:14 GMT):
So the orderer/peer both need their own user, as well as an admin user?

Asara (Mon, 23 Oct 2017 15:41:44 GMT):
Or could one admin user alone suffice?

Asara (Mon, 23 Oct 2017 15:41:52 GMT):
and thanks for the info @mastersingh24

Asara (Mon, 23 Oct 2017 16:52:46 GMT):
So I'm trying to create a new admin user using the bootstrap admin and I receive this error: `Identity 'admin' may not register type 'admin'`

mastersingh24 (Mon, 23 Oct 2017 17:21:53 GMT):
The admin for the peer needs to be issued by the MSP / CA for the peer and the same for the orderer. If you choose to use the same CA for both the orderer and the peer, then one admin will suffice

VoR0220 (Mon, 23 Oct 2017 17:51:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zxJMu5Z2qgyoo2LYp) @mastersingh24 Tried that, still getting the same error.

mastersingh24 (Mon, 23 Oct 2017 17:57:18 GMT):
what's the output of `tar --version` ?

VoR0220 (Mon, 23 Oct 2017 18:01:53 GMT):
``` bsdtar 2.8.3 - libarchive 2.8.3 ```

VoR0220 (Mon, 23 Oct 2017 18:03:19 GMT):
...not sure how to change to gnutar

Asara (Mon, 23 Oct 2017 18:17:36 GMT):
@mastersingh24 sorry I was unclear with my question. What I'm trying to ask is, do the peer/orderers need an admin as well as a 'peer' user?

mastersingh24 (Mon, 23 Oct 2017 18:46:00 GMT):
@asara - the peer/orderers don't need any "special" type of user - you can just register the peer/orderer admin(s) as user type "client" (although it really does not matter)

Asara (Mon, 23 Oct 2017 19:01:21 GMT):
http://hyperledger-fabric.readthedocs.io/en/latest/msp.html#msp-setup-on-the-peer-orderer-side Is what I'm reading right now. When using fabric-ca-client, signcerts gets created

VipinB (Mon, 23 Oct 2017 19:01:33 GMT):
Hi guys, any more documentation in fabric-ca that we can use as inputs into Identity WG docs. Particularly useful would be 1. Interface to legacy systems/x.5xx systems 2. Revocation 3. Anything on generic pki.

Asara (Mon, 23 Oct 2017 19:01:36 GMT):
admincerts does not. Can I use the same cert (if it is registered as an admin?)

smithbk (Mon, 23 Oct 2017 19:17:03 GMT):
@Asara Technically speaking, yes, when you enroll with fabric-ca-client, you could copy the cert from signcerts into the admincerts folder. You are effectively saying that the identity that you just enrolled IS the identity that should function as the MSPs admin user. If you haven't looked at the fabric-samples/fabric-ca sample, I'd suggest looking. See https://github.com/hyperledger/fabric-samples/blob/master/fabric-ca/scripts/start-peer.sh which calls the copyAdminCert function in https://github.com/hyperledger/fabric-samples/blob/master/fabric-ca/scripts/env.sh

Asara (Mon, 23 Oct 2017 19:18:16 GMT):
Just for a more functional knowledge, why exactly does it need a signcert (its own ID) and an adminID?

Asara (Mon, 23 Oct 2017 19:19:14 GMT):
Is there a reason for them to be different? Why does the orderer/peer need both?

Asara (Mon, 23 Oct 2017 19:19:22 GMT):
and thanks for the links @smithbk

smithbk (Mon, 23 Oct 2017 19:23:32 GMT):
A peer's signcerts of the local MSP is used to sign a message the peer sends (e.g. when signing a proposal). The admincerts of the local MSP on a peer is used to validate who can install chaincode. Only an admin cert can.

Asara (Mon, 23 Oct 2017 19:24:16 GMT):
Ah that makes sense. Thanks a lot :)

smithbk (Mon, 23 Oct 2017 19:24:24 GMT):
np

smithbk (Mon, 23 Oct 2017 19:35:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nNvNPsebZqCDNgo3B) @VipinB 1. If you mean interfaces to pre-v1.0 Hyperledger, there are no interfaces. 2. For revocation, a couple of links regarding revoking a certificate http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#revoking-a-certificate-or-identity and generating a CRL http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#generating-a-crl-certificate-revocation-list And here is a not-yet-merged sample to demonstrate how revocation works end-to-end between fabric CA and fabric: https://gerrit.hyperledger.org/r/#/c/13687/ 3. No, we assume folks are able to learn basic PKI on their own.

VipinB (Mon, 23 Oct 2017 21:01:37 GMT):
Hi, @smithbk legacy systems does not mean pre-v1.0 HL in my question; it means existing Enterprise Identity systems. Thanks for the rest of the answers. We need references to PKI that you would recommend, so that we can insert them in our paper with a short description. Thanks again,

laoqui (Mon, 23 Oct 2017 23:15:32 GMT):
Has joined the channel.

outis (Tue, 24 Oct 2017 01:24:24 GMT):
I'm running the balance-transfer example, and wondering what type of the certificate is used there. I see certificates under /tmp/fabric-client-kvs_peerOrg1/, but cannot figure out how to obtain aki/serial of the -priv certificates there. `openssl x509 ...` gives me 'failed to load certificate'.

aambati (Tue, 24 Oct 2017 02:57:43 GMT):
@outis all the examples use x509 certs. `openssl x509 -in -text` should display the cert contents in text form

outis (Tue, 24 Oct 2017 03:16:47 GMT):
The following is the message I got:
```
openssl x509 -in /tmp/fabric-client-kvs_peerOrg1/16acea8d9e1e0e27afcf3507ede6fadb9105bb7200ce08b16749c00eb2690601-priv -text
unable to load certificate
15114:error:0906D06C:PEM routines:PEM_read_bio:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE
```
The (supposed) pem file is:
```
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgRykoeXfEdiOSElUP
Ry4d0UsuE21NWtkO6juuc5Uw4NahRANCAATsF8ffRVs3eXHHTXn0D/6nQ+uEchmW
Vcb+TxUpmaK3Rj7FkrtPGUMQLWusDBBTBQcnVRMzKBLpzILpIY956qSr
-----END PRIVATE KEY-----
```

outis (Tue, 24 Oct 2017 03:17:33 GMT):
The demo app itself runs fine.

smithbk (Tue, 24 Oct 2017 05:43:49 GMT):
@outis "openssl x509" is for printing a PEM-encoded certificate that has "-----BEGIN CERTIFICATE-----". Looks like this is an EC private key, so use "openssl ec -in -text" to print.

outis (Tue, 24 Oct 2017 05:51:03 GMT):
@smithbk thank you. You are right, at least I was able to parse the key. Is it possible to convert the EC key to PEM format?

jaswanth (Tue, 24 Oct 2017 05:51:53 GMT):
I am trying to do some access control based on the invoker of the tx. Imported "github.com/hyperledger/fabric/core/chaincode/lib/cid" in my chaincode, but got this error:
```
error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: Error starting container: Failed to generate platform-specific docker build: Error returned from build: 1 "chaincode/input/src/github.com/example_cc/example_cc.go:25:2: cannot find package "github.com/hyperledger/fabric/core/chaincode/lib/cid" in any of:
	/opt/go/src/github.com/hyperledger/fabric/core/chaincode/lib/cid (from $GOROOT)
	/chaincode/input/src/github.com/hyperledger/fabric/core/chaincode/lib/cid (from $GOPATH)
	/opt/gopath/src/github.com/hyperledger/fabric/core/chaincode/lib/cid
"
```

jaswanth (Tue, 24 Oct 2017 06:09:09 GMT):
i dont have fabric folder in my local `GOPATH` ..but it can find `shim `package but cannot find `cid`.. am i missing something here

smithbk (Tue, 24 Oct 2017 06:10:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WBsjLAWTmBcAdfftr) @jaswanth Are you on the master branch or a release branch? It is only on master branch currently.

jaswanth (Tue, 24 Oct 2017 06:11:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4bhah33PwLsr4xGGG) @smithbk i cloned the master branch in my local .

smithbk (Tue, 24 Oct 2017 06:19:40 GMT):
@jaswanth See https://github.com/hyperledger/fabric/tree/master/core/chaincode/lib/cid

smithbk (Tue, 24 Oct 2017 06:21:07 GMT):
@VipinB For connecting to an LDAP server, see http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#configuring-ldap WRT PKI, the wikipedia is OK at https://en.wikipedia.org/wiki/Public_key_infrastructure, but if the goal is to state how PKI is used by fabric, that would not present a complete story. In a nutshell, you would need to know that fabric assumes no central root of trust. Each org on a channel/chain will have their own root of trust, but a channel has multiple orgs, where each org has its own root of trust. In fact, each org on a channel/chain may use different types of identity systems altogether, such as: fabric CA, external CA, identity mixer, or custom.

jaswanth (Tue, 24 Oct 2017 06:34:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SrHs8M7cBz3TvAwf6) @smithbk i am running the `balance-tranfer` example .. when i modified the chain code to import the `cid ` iam getting the error .. i don't have any `fabric` folder in my local ( removed it now ).. but the chaincode is able to get the `shim package `..can you tell me from where its getting that shim package

username343 (Tue, 24 Oct 2017 07:58:24 GMT):
Hi everyone, can anybody please tell me what are the certificates in fabric-ca-server and fabric-ca-server-config? What is the private key in the msp folder in the fabric-ca-server folder in fabric ca?

shivann (Tue, 24 Oct 2017 12:12:36 GMT):
Has joined the channel.

smithbk (Tue, 24 Oct 2017 12:43:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cttpkdDiWN36GqpYC) @username343 If you start it without TLS enabled, there is a single cert and key which are fabric-ca-server's CA signing key and cert, referred to as the root CA key and cert. If you start it with TLS enabled, then it also automatically generates a TLS key and certificate, where the certificate is signed by the root CA key.

username343 (Tue, 24 Oct 2017 12:46:01 GMT):
thanks @smithbk , i guess the certificate and key in the fabric-ca-server are the root ca cert and key, if yes, then who does the private in the keystore in the msp folder belong to?

username343 (Tue, 24 Oct 2017 12:46:17 GMT):
*the private key in the msp folder

smithbk (Tue, 24 Oct 2017 12:48:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QYcS98EaQp7uCB8Np) @jaswanth It is getting it from the published release images, which do not have the lib/cid folder. In order to use cid, you must use have the master branch of fabric on your local system.

smithbk (Tue, 24 Oct 2017 12:50:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=e6BJueB54K2Ppdf8P) @username343 That is the private key of the self-signed root CA certificate

username343 (Tue, 24 Oct 2017 13:00:29 GMT):
@smithbk where would one require that private key, and I saw that the certificates in the fabric-ca-server-config folder are present in the peer msp folders, so what are those certificates?

pchandra (Tue, 24 Oct 2017 13:11:34 GMT):
Has joined the channel.

smithbk (Tue, 24 Oct 2017 13:24:38 GMT):
@username343 That private key is owned by and used by the fabric-ca-server to sign and issue enrollment certificates for an orderer, peer, or end user. The certificates in the peer msp folder are issued by the fabric-ca-server. I recommend printing these certs with openssl and looking at the issuer. You'll see that fabric-ca-server's is self-signed but a peer's certificate issuer is the fabric-ca-server

rexxie (Tue, 24 Oct 2017 14:52:14 GMT):
Has joined the channel.

rexxie (Tue, 24 Oct 2017 14:55:28 GMT):
This is my ca0 server config:
```
environment:
  - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
  - FABRIC_CA_SERVER_CA_NAME=ca-org1
  - FABRIC_CA_SERVER_TLS_ENABLED=false
```
I use the following commands:
```
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
fabric-ca-client register --id.name peer3 --id.type peer --id.affiliation org1.department1 --id.secret peer3pw
fabric-ca-client enroll -u http://peer3:peer3pw@localhost:7054 -M /opt/fabricinstall/rexcode/crypto-config/peerOrganizations/org1.example.com/peers/peer3.org1.example.com/msp
```
but this doesn't create the tls folder and files, so I copied tls from peer1.org1.example.com and get this error:
```
Caused by: x509: certificate is valid for peer1.org1.example.com, peer1, not peer3.org1.example.com
```
Please help me understand how to use fabric-ca-client to create the MSP and TLS files, thanks.

Menniti (Tue, 24 Oct 2017 16:20:37 GMT):
Hey guys, Maybe someone is interested Hyperledger Course in EdX https://www.edx.org/course/blockchain-business-introduction-linuxfoundationx-lfs171x

smithbk (Tue, 24 Oct 2017 16:54:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Y4JApTW3fD66tzBq2) @rexxie See the following. The 1st enrollment generates TLS certs and the 2nd the enrollment certificate

rexxie (Tue, 24 Oct 2017 17:17:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=686mzWsfPPag43eJm) @smithbk 1st? where?

smithbk (Tue, 24 Oct 2017 17:43:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ts58W7FfHGYQ47k9u) @rexxie Oops, sorry, see https://github.com/hyperledger/fabric-samples/blob/master/fabric-ca/scripts/start-peer.sh

anyone (Tue, 24 Oct 2017 18:57:50 GMT):
Has joined the channel.

anyone (Tue, 24 Oct 2017 18:58:09 GMT):
Hi guys, I have deployed the example "first network" from the blockchain demo. When I run the `./byfn.sh -m up` script, it performs without errors. While docker is still up and running, I try to run `peer query -C mychannel -n mycc -c '{"Args":["query","a"]}'` and I receive an error "failed to deserialize identity, err MSP DEFAULT is unknown". I did some research but found no help. Anyone have an idea? Sorry, I hope I am right here in this channel. Thanks a lot in advance! The query is copied from script.sh, which is called by `./byfn.sh -m up`. Somehow it does not work if I run it directly.

rexxie (Wed, 25 Oct 2017 03:05:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hDWB9Xyv8TMcnjsix) @smithbk sorry, I followed your proposal step by step; peer3 is running and can create a new channel, but `peer channel join -b mychannel.block` gives the error `Caused by: x509: certificate signed by unknown authority`, so I downloaded your sample code "https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca" and ran `start.sh`; the error is 'ERROR: manifest for hyperledger/fabric-ca-tools:latest not found'. Could you tell me how to get these images, thanks.

jaswanth (Wed, 25 Oct 2017 04:05:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xigNZLacwJ8vcPiky) @smithbk I cloned the master branch of fabric from git and ran `sudo make clean` and `sudo make docker`, but I got an error: ```find: ‘/src/github.com/hyperledger/fabric/core/chaincode/shim’: No such file or directory```. I have my GOPATH set and placed fabric under `$GOPATH/src/github.com/hyperledger`. Any idea on this?

username343 (Wed, 25 Oct 2017 04:12:26 GMT):
thanks @smithbk

smithbk (Wed, 25 Oct 2017 05:01:37 GMT):
@anyone Hi anyone :-) The first network creates mychannel with MSPs that are named 'org1MSP' and 'org2MSP' IIRC, so in order to query that channel, you'll need to do so with an MSP as used by the byfn.sh script. That is the difference and why invoking directly doesn't work, because it is using the default MSP.

smithbk (Wed, 25 Oct 2017 05:07:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nRJMfEuSwFxNgeEiK) @rexxie See #1 at https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca#running-this-sample about building the images using the build-images.sh script

smithbk (Wed, 25 Oct 2017 05:15:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CmsbnxWMqWAAReKic) @jaswanth And if you manually check, does the fabric/core/chaincode/shim directory exist? I assume that it does exist but the find command is being issued for some reason w/o the proper path prefix due to some env variable not being set. But I'm not sure where the "find" command is being issued from the output you posted. Is there more output? Maybe run `sudo make --debug docker`?

jaswanth (Wed, 25 Oct 2017 05:26:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=25t5g47HfwRAxmcda) @smithbk here is the total output that i got

jaswanth (Wed, 25 Oct 2017 05:26:34 GMT):

fabricError.png

jaswanth (Wed, 25 Oct 2017 05:26:56 GMT):

fabricError2.png

pchandra (Wed, 25 Oct 2017 06:55:55 GMT):
I am using the balance-transfer app and enrolling users, I can only enroll 'Jim' for org1 and 'Barry' for org2, using the HFC client I cannot enroll any other users, wondering where and how Jim and Barry are configured, is there a configuration file which has this details?

smithbk (Wed, 25 Oct 2017 11:19:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=k59dhgaSwFyTRqcLh) @pchandra See this section in balance-transfer/testAPIs.sh. Did you try adding others similarly?
```
echo "POST request Enroll on Org1 ..."
echo
ORG1_TOKEN=$(curl -s -X POST \
  http://localhost:4000/users \
  -H "content-type: application/x-www-form-urlencoded" \
  -d 'username=Jim&orgName=org1')
echo $ORG1_TOKEN
ORG1_TOKEN=$(echo $ORG1_TOKEN | jq ".token" | sed "s/\"//g")
echo
echo "ORG1 token is $ORG1_TOKEN"
echo
echo "POST request Enroll on Org2 ..."
echo
ORG2_TOKEN=$(curl -s -X POST \
  http://localhost:4000/users \
  -H "content-type: application/x-www-form-urlencoded" \
  -d 'username=Barry&orgName=org2')
```

smithbk (Wed, 25 Oct 2017 11:57:51 GMT):
@jaswanth I generally don't use sudo when making. If you need to use sudo for some reason, then use "sudo -E" to preserve your $GOPATH env variable (and others)

anyone (Wed, 25 Oct 2017 12:59:31 GMT):
Sorry, problem is solved. You need to make sure that you are logged in to the peer or cli container and have a bash there. Docker exec cli...

anyone (Wed, 25 Oct 2017 13:13:16 GMT):
But now I have the next problem: curl is not working when I want to use the REST API to call my chaincode. I checked the IP of my peers via docker inspect. The docker yaml file mentions the port of the peer. If I enter `curl ip:port/chain`, I get the error "connection reset by peer". Any idea maybe???

pchandra (Wed, 25 Oct 2017 13:13:18 GMT):
@smithbk You are correct, I tried to use the script and tried to register myself but it throws an error, which made me believe that Jim and Barry are already in the system and only those 2 users can be enrolled

smithbk (Wed, 25 Oct 2017 13:23:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=piDj28vqRo3aa47xf) @pchandra I'd recommend asking on the #fabric-sdk-node channel since it is using the node REST API

smithbk (Wed, 25 Oct 2017 13:24:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5DXSezLv4vvf7q8tE) @anyone You can only connect to the peer with GRPC, not REST. You can use the peer's CLI to act as a GRPC client to the peer process.

anyone (Wed, 25 Oct 2017 14:33:32 GMT):
In that case, how can an external web app communicate with the blockchain. Can grpc be called remotely? Thanks!

Vadim (Wed, 25 Oct 2017 14:34:55 GMT):
@anyone there are several SDKs available, e.g. nodejs or java

anyone (Wed, 25 Oct 2017 14:43:04 GMT):
Sorry for that stupid questions and thanks a lot guys!

smithbk (Wed, 25 Oct 2017 15:22:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xpj58FsrZtPStfwkd) @anyone A web app should use one of the SDKs (node, java, golang, or python) to interact with a peer and orderer. These SDKs use GRPC to connect.

vdods (Wed, 25 Oct 2017 19:43:58 GMT):
Is there any way, short of using LDAP behind fabric-ca, for fabric-ca-server-config.yaml to not store the admin's password in plaintext?

anyone (Wed, 25 Oct 2017 20:47:36 GMT):
Sorry guys, 2 more stupid questions: when I execute docker inspect, I can see the IP addresses of my containers / peers. They are changing slightly whenever I build my network again. Where are the IP addresses defined? 2. I understand that GRPC is to be used, but my blockchain network / peers have to provide an endpoint that can be called via GRPC, e.g. to make an invoke operation. How can I find out that endpoint?

Asara (Wed, 25 Oct 2017 20:50:14 GMT):
@anyone it is using hostnames instead of IPs.

anyone (Wed, 25 Oct 2017 20:50:58 GMT):
but when I look at docker inspect, I do see IP addresses...

anyone (Wed, 25 Oct 2017 20:51:12 GMT):
for every container

Asara (Wed, 25 Oct 2017 20:51:55 GMT):
Yes but in the containers themselves, gRPC is resolving hostnames to those IPs, which is why when they change the services are still able to communicate with each other

anyone (Wed, 25 Oct 2017 20:55:02 GMT):
but again, when I run the network via docker compose, somehow IPs are defined. they are not random I assume

anyone (Wed, 25 Oct 2017 20:55:39 GMT):
additionally, let us assume I have a peer with hostname peer.example.com - what would be the endpoint to make an invoke operation

anyone (Wed, 25 Oct 2017 20:56:47 GMT):
I ask myself if I install the java sdk....somehow I need to tell my web app to call my peer.....but what is the exact endpoint

Asara (Wed, 25 Oct 2017 20:59:59 GMT):
So you mentioned byfn earlier

Asara (Wed, 25 Oct 2017 21:00:01 GMT):
`https://github.com/hyperledger/fabric-samples/blob/release/first-network/base/docker-compose-base.yaml`

Asara (Wed, 25 Oct 2017 21:00:15 GMT):
You can see the container names

Asara (Wed, 25 Oct 2017 21:00:30 GMT):
for example ` container_name: peer0.org1.example.com`

Asara (Wed, 25 Oct 2017 21:00:52 GMT):
The IPs that get assigned via docker are random; the hosts look up the containers based on the container_names, which they are able to resolve

anyone (Wed, 25 Oct 2017 21:15:43 GMT):
ok, what about the endpoint? can you give me an example?

jaswanth (Thu, 26 Oct 2017 05:35:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YMAtYvyikAWZF4AbY) @smithbk thanks it worked .. but I got stuck at the same error as before while instantiating chaincode .. got error as
```
error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: error starting container: Failed to generate platform-specific docker build: Error returned from build: 1 "chaincode/input/src/github.com/example_cc/example_cc.go:25:2: cannot find package "github.com/hyperledger/fabric/core/chaincode/lib/cid" in any of:
	/opt/go/src/github.com/hyperledger/fabric/core/chaincode/lib/cid (from $GOROOT)
	/chaincode/input/src/github.com/hyperledger/fabric/core/chaincode/lib/cid (from $GOPATH)
	/opt/gopath/src/github.com/hyperledger/fabric/core/chaincode/lib/cid
"
```
I cloned fabric from github and ran `git checkout master`; now I can see `lib/cid` under `fabric/core/chaincode` ... am I doing all this correctly?

ahmadzafar (Thu, 26 Oct 2017 07:46:07 GMT):
Has joined the channel.

smithbk (Thu, 26 Oct 2017 12:15:18 GMT):
@jaswanth Pls paste the final portion for the 'run' container from your docker-compose.yml file. For example, mine is as follows:
```
run:
  container_name: run
  image: hyperledger/fabric-ca-tools
  environment:
    - GOPATH=/opt/gopath
  command: /bin/bash -c 'sleep 3;/scripts/run-fabric.sh 2>&1 | tee /data/logs/run.log; sleep 99999'
  volumes:
    - ./scripts:/scripts
    - ./data:/data
    - /Users/keith/go/src/github.com/hyperledger/fabric-samples:/opt/gopath/src/github.com/hyperledger/fabric-samples
    - /Users/keith/go/src/github.com/hyperledger/fabric:/opt/gopath/src/github.com/hyperledger/fabric
  networks:
    - fabric-ca
  depends_on:
    - orderer1-org0
    - peer1-org1
    - peer2-org1
    - peer1-org2
    - peer2-org2
```

agiledeveloper (Thu, 26 Oct 2017 18:01:35 GMT):
using the docker-compose file below, I am not able to enrol ca1 into ca, any advice is appreciated
```
version: '2'
networks:
  multicanetwork:
services:
  fabriccarootserver:
    image: hyperledger/fabric-ca
    container_name: fabriccarootserver
    ports:
      - 7054:7054
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    volumes:
      - ./fabric-ca-server:/etc/hyperledger/fabric-ca-server
    command: sh -c 'fabric-ca-server start -b admin:adminpw --cacount 2'
    networks:
      - multicanetwork
  fabricca1server:
    image: hyperledger/fabric-ca
    container_name: fabricca1server
    ports:
      - 8054:7054
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    volumes:
      - ./fabric-ca-server/ca/ca1:/etc/hyperledger/fabric-ca-server
    command: sh -c 'fabric-ca-server start -b admin:adminpw -u http://admin:adminpw@localhost:7054'
    networks:
      - multicanetwork
    depends_on:
      - fabriccarootserver
  fabricca-client:
    tty: true
    image: hyperledger/fabric-ca
    container_name: fabricca-client
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-client
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
    volumes:
      - ./fabric-ca-client/ca/:/etc/hyperledger/fabric-ca-client
    depends_on:
      - fabriccarootserver
    command: sh -c 'sleep 5;fabric-ca-client enroll -u http://admin:adminpw@fabriccarootserver:7054;sleep 10000'
    networks:
      - multicanetwork
  fabricca1-client:
    tty: true
    image: hyperledger/fabric-ca
    container_name: fabricca1-client
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-client
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
    volumes:
      - ./fabric-ca-client/ca1/:/etc/hyperledger/fabric-ca-client
    depends_on:
      - fabricca1server
    command: sh -c 'sleep 5;fabric-ca-client enroll -u http://admin:adminpw@fabricca1server:8054;sleep 10000'
    networks:
      - multicanetwork
```

agiledeveloper (Thu, 26 Oct 2017 18:04:33 GMT):

output.txt

agiledeveloper (Thu, 26 Oct 2017 18:05:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=M9EHKK7KJZ9xqh7LF) `fabricca1server | 2017/10/26 17:35:18 [ERROR] Enrollment failure: Chain file does not exist at /etc/hyperledger/fabric-ca-server/ca-chain.pem`

smithbk (Thu, 26 Oct 2017 19:42:17 GMT):
In the fabricca1server section, try replacing ```command: sh -c 'fabric-ca-server start -b admin:adminpw -u http://admin:adminpw@localhost:7054'``` with ```command: sh -c 'fabric-ca-server start -b admin:adminpw -u http://admin:adminpw@fabriccarootserver:7054'``` ... you're trying to connect to localhost and are failing because it is running in a different container. Keep in mind that it may still fail because of a timing issue. The docker container hosting the root CA doesn't know when it is actually up and listening on its port, so you may need to add a sleep before trying to start the intermediate CA server.

agiledeveloper (Thu, 26 Oct 2017 20:06:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2b4tD5z36ipYApEnm) @smithbk thanks for the tip I have adjusted the command, here is the output file

agiledeveloper (Thu, 26 Oct 2017 20:07:56 GMT):

output.txt

agiledeveloper (Thu, 26 Oct 2017 20:10:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZwxC7vWgXJRYhRG68) from the bash of client ca1, when I execute `fabric-ca-client enroll -u http://admin:adminpw@fabricca1server:7054` I get the error `2017/10/26 20:04:26 [ERROR] Enrollment failure: Chain file does not exist at /etc/hyperledger/fabric-ca-server/ca-chain.pem`. Also I have added the `depends_on` key to make sure the containers execute in the expected sequence

smithbk (Thu, 26 Oct 2017 20:28:10 GMT):
Error: POST failure [Post http://fabricca1server:8054/enroll: dial tcp 172.18.0.4:8054: get sockopt: connection refused

smithbk (Thu, 26 Oct 2017 20:28:26 GMT):
Looks like you're trying to connect to 8054, not 7054

agiledeveloper (Thu, 26 Oct 2017 20:39:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=f8C79WjfD8nZdcMJ9) @smithbk because the ca1server is mapped to external port 8054 , but even I tried with 7054

agiledeveloper (Thu, 26 Oct 2017 20:39:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=f8C79WjfD8nZdcMJ9) @smithbk
```
root@79140b49f6cc:/# fabric-ca-client enroll -u http://admin:adminpw@fabricca1server:8054
2017/10/26 20:39:04 [INFO] User provided config file: /etc/hyperledger/fabric-ca-client/fabric-ca-client-config.yaml
2017/10/26 20:39:04 [INFO] generating key: &{A:ecdsa S:256}
2017/10/26 20:39:04 [INFO] encoded CSR
Error: POST failure [Post http://fabricca1server:8054/enroll: dial tcp 172.18.0.4:8054: getsockopt: connection refused]; not sending
POST http://fabricca1server:8054/enroll
Authorization: Basic YWRtaW46YWRtaW5wdw==
{"hosts":["e05bab70505d"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBQjCB6QIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFAeKPRaVMIj79thh\nAanyeLeAOnRw1ioZXGiG0QZXcp3oWuUDVDwU3BKwX7eTadN3NHRcmtTQ68SALE7a\n9dDRw6AqMCgGCSqGSIb3DQEJDjEbMBkwFwYDVR0RBBAwDoIMZTA1YmFiNzA1MDVk\nMAoGCCqGSM49BAMCA0gAMEUCIQDom86Xh4WXOBAUc55f9hkbe9ymd5/JUKhTxr7T\nvYBCfwIgSs3DK7VIG90/8kCtdykpw4a0qMsvfCQnecN58f4b4UQ=\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","CAName":""}
root@79140b49f6cc:/#
```

agiledeveloper (Thu, 26 Oct 2017 20:40:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=p24PDcEjcvwnsS5LF)
```
root@79140b49f6cc:/# fabric-ca-client enroll -u http://admin:adminpw@fabricca1server:7054
2017/10/26 20:40:20 [INFO] User provided config file: /etc/hyperledger/fabric-ca-client/fabric-ca-client-config.yaml
2017/10/26 20:40:20 [INFO] generating key: &{A:ecdsa S:256}
2017/10/26 20:40:20 [INFO] encoded CSR
Error: Error response from server was: Chain file does not exist at /etc/hyperledger/fabric-ca-server/ca-chain.pem
root@79140b49f6cc:/#
```

smithbk (Thu, 26 Oct 2017 20:42:10 GMT):
The external port is the port from your host, but when referencing a port from one container to another, it is the internal port

agiledeveloper (Thu, 26 Oct 2017 20:43:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hxNKNcTZ4uce3XswD) @smithbk got it, then it is about the missing chain file

smithbk (Thu, 26 Oct 2017 20:43:23 GMT):
the missing chain file is happening because of the connection failure

smithbk (Thu, 26 Oct 2017 20:44:25 GMT):
i think it is happening because of the timing issue i mentioned earlier

smithbk (Thu, 26 Oct 2017 20:45:13 GMT):
you could add a sleep before connecting from ca1

agiledeveloper (Thu, 26 Oct 2017 20:45:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YtPEa4RsGzBz4ibgX) @smithbk okay, I will delete all the content and add a sleep of 10, rerun the docker from scratch

smithbk (Thu, 26 Oct 2017 20:45:51 GMT):
did you look at the fabric-ca sample?

smithbk (Thu, 26 Oct 2017 20:46:05 GMT):
you can just follow that model since it does the same thing

agiledeveloper (Thu, 26 Oct 2017 20:46:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Aofe8mHxrKFeimg6C) @smithbk i didn't, I will look for it

smithbk (Thu, 26 Oct 2017 20:47:17 GMT):
https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca/

asuchit (Fri, 27 Oct 2017 04:05:56 GMT):
Has joined the channel.

asuchit (Fri, 27 Oct 2017 04:21:08 GMT):
What is the use of Fabric-CA, and is there any tutorial for fabric-CA?

clauz (Fri, 27 Oct 2017 08:16:07 GMT):
Has joined the channel.

clauz (Fri, 27 Oct 2017 08:18:21 GMT):
Hi, there! We are trying to replicate something like the fabric-samples/first-network example but using fabric-ca instead of cryptogen

clauz (Fri, 27 Oct 2017 08:21:14 GMT):
It is not clear to us how to define/create an organization using fabric-ca, and also which is the relation between the admin user and the MSP of an organization (i.e. how to replicate something like the crypto-config/peerOrganizations/org1.example.com/msp/admincerts/ folder)

clauz (Fri, 27 Oct 2017 08:22:00 GMT):
If you can help, thank you in advance!

agiledeveloper (Fri, 27 Oct 2017 08:30:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aciYyjeMzyw7aeurp) @smithbk Thanks alot, it works now

DannyWong (Fri, 27 Oct 2017 09:39:38 GMT):
http://hyperledger-fabric.readthedocs.io/en/latest/msp.html Best Practice no. 4 `It is important to set MSP admin certificates to be different than any of the certificates considered by the MSP for root of trust, or intermediate CAs.` Can anyone further explain this to me?... (already run and studied the fabric-samples/fabric-ca)

DannyWong (Fri, 27 Oct 2017 09:40:46 GMT):
MSP admin cert --> I understand. What do they mean by `any of the certificates considered by the MSP for root of trust`?

Vadim (Fri, 27 Oct 2017 09:47:40 GMT):
@DannyWong I read it as "don't set admin certs to be the same as root certs"

DannyWong (Fri, 27 Oct 2017 09:52:22 GMT):
i see!

ascatox (Fri, 27 Oct 2017 10:28:34 GMT):
Can someone point me to a good tutorial, different from the official documentation, for starting to configure a fabric env with a CA server and different users? Thanks in advance!

ascatox (Fri, 27 Oct 2017 10:37:13 GMT):
Hi All! I don't understand the relation between the cryptogen tool and a fabric-ca server. Can someone try to explain this to me? Thanks in advance!

mastersingh24 (Fri, 27 Oct 2017 11:29:17 GMT):
@ascatox - They are not really related, although it's possible to start with cryptogen and move to fabric-ca. cryptogen was created as a simple tool to bootstrap development networks without requiring standing up instances of fabric-ca. But the idea was that if you wanted to add additional clients, peers, orderers for any given organization, you could spin up an instance of fabric-ca for any organization created by cryptogen. The per-organization artifacts created by cryptogen include a `ca` folder which has the root keypair used to sign all of the crypto material for an organization. fabric-ca allows you to specify an existing root keypair to use when it starts up. If you do that, then any additional certificates issued by that instance of fabric-ca will also be part of the organization created by cryptogen. The one thing to note is that none of the crypto material created by cryptogen is included in fabric-ca - for example, the users created by cryptogen do not exist in fabric-ca, so you can't use them to register new users, etc.

ascatox (Fri, 27 Oct 2017 12:08:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rLqRBH7dXPerZBr3p) @mastersingh24 Thank you very much for the exhaustive answer!

clauz (Fri, 27 Oct 2017 12:30:18 GMT):
Thanks!

gauthampamu (Fri, 27 Oct 2017 12:33:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zKBYr2JYYQawmS5HJ) @aambati Do you have sample code for the CRL update using configtxlator.

gauthampamu (Fri, 27 Oct 2017 12:35:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jrvTnTWxXCnW33Tgc) @smithbk You mentioned local MSP is used to sign and for the access control of peer and admin functions. So when the certs expire for the peers, before they expire do we need to manually update the MSP folder with renewed certs and restart the peers.

smithbk (Fri, 27 Oct 2017 13:40:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JXYFo5KAYqa6JhmyT) @gauthampamu Yes, that is the current requirement

smithbk (Fri, 27 Oct 2017 13:41:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=T73MK8KGmT9uD49nL) @gauthampamu See https://gerrit.hyperledger.org/r/#/c/13687/

Jonny (Sun, 29 Oct 2017 06:25:46 GMT):
hi, for the `cryptogen` tool, is it possible to generate peer artifacts with a prefix that has a leading 0 for peers 0-9, e.g. `peer01.domain.com` `peer02.domain.com`

Jonny (Sun, 29 Oct 2017 06:25:49 GMT):
`# Hostname: {{.Prefix}}{{.Index}} # default`

kenmazsyma (Sun, 29 Oct 2017 11:06:16 GMT):
Has joined the channel.

luxus (Mon, 30 Oct 2017 01:03:33 GMT):
Has joined the channel.

rexxie (Mon, 30 Oct 2017 06:16:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dqk5D7zZFF9icvB2g) @smithbk this err is: `FATAL: You must switch to the master branch in /opt/gopath/src/github.com/hyperledger/fabric-ca`

jaswanth (Mon, 30 Oct 2017 06:31:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9acwMiRzxu9GeRcJf) @smithbk thanks for that, but it didn't work. Any other suggestion? Also tried with `govendor` but got this error:
```
govendor init
Error: Package "/home/jaswanth/goProjects/src/github.com/Dev_setup_v1/artifacts/src/github.com/example_cc" not a go package or not in GOPATH
```
but when I run `go list` it shows `_/home/jaswanth/goProjects/src/github.com/Dev_setup_v1/artifacts/src/github.com/example_cc`, and `echo $GOPATH` prints `/home/jaswanth/goProjects/`

anna (Mon, 30 Oct 2017 11:11:01 GMT):
Has joined the channel.

ascatox (Mon, 30 Oct 2017 11:37:11 GMT):
Hi All! When I register a user using the CA server

ascatox (Mon, 30 Oct 2017 11:37:53 GMT):
How can I get the certificates to use in my applications for the user just registered?

ascatox (Mon, 30 Oct 2017 11:38:01 GMT):
Thanks for the help!

asadhayat (Mon, 30 Oct 2017 12:06:39 GMT):
When we generate a certificate for a user, a lot of folders are generated in the `msp` folder, like `admincerts`, `cacerts`, `keystore`, `signcerts`, `tlscerts`.

asadhayat (Mon, 30 Oct 2017 12:07:52 GMT):
Can anyone please help me understand what these different files are and their usage?

smithbk (Mon, 30 Oct 2017 13:05:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nCMWbaqcZs7YsJh6y) @Jonny No, [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mD2LQdioRPTgAaNc6) @rexxie You probably know this by now, but you need to do a "git checkout master" from your fabric-ca directory on your host

smithbk (Mon, 30 Oct 2017 13:07:29 GMT):
@jaswanth Pls paste the final portion for the 'run' container from your docker-compose.yml file. I don't see where you ever did that as I asked earlier.

smithbk (Mon, 30 Oct 2017 13:12:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Q7AE62ATo6f3tPRyp) @ascatox If you are using one of the SDKs (node, java, go, or python), there is an enroll API which is used to get a certificate which depends on which SDK you are using. To enroll from the CLI, see https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enrolling-a-peer-identity

ascatox (Mon, 30 Oct 2017 13:14:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FZXJxhnaW6jsarM5m) @smithbk Thank you

smithbk (Mon, 30 Oct 2017 13:14:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=a8nxtcXZQoGEQXaNy) @asadhayat See http://hyperledger-fabric.readthedocs.io/en/release/msp.html?highlight=MSP#msp-setup-on-the-peer-orderer-side

MarkPruitt (Mon, 30 Oct 2017 20:24:37 GMT):
Has joined the channel.

MarkPruitt (Mon, 30 Oct 2017 20:24:46 GMT):
Greetings all. iOS developer and very much a noob in the Hyperledger world. With Kitura and Vapor now becoming mature, has anyone started any type of project working with those instead of NodeJS as the communication path with Hyperledger?

smithbk (Mon, 30 Oct 2017 20:49:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mzSsQ3jmubwzxL5NR) @MarkPruitt Not that I'm aware of but @jimthematrix is the best one to answer that

rjones (Mon, 30 Oct 2017 23:15:28 GMT):
Has left the channel.

rahulhegde (Tue, 31 Oct 2017 01:44:24 GMT):
Has joined the channel.

jaswanth (Tue, 31 Oct 2017 04:40:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KBJLzg3bWgiJ2EGHE) @smithbk here is my `run` container
```
run:
  container_name: run
  image: hyperledger/fabric-ca-tools
  environment:
    - GOPATH=/opt/gopath
  command: /bin/bash -c 'sleep 3;/scripts/run-fabric.sh 2>&1 | tee /data/logs/run.log; sleep 99999'
  volumes:
    - ./scripts:/scripts
    - ./data:/data
    - ~/goProjects/src/github.com/Dev_setup_v1:/opt/gopath/src/github.com/hyperledger/fabric-samples
    - ~/goProjects/src/github.com/hyperledger/fabric:/opt/gopath/src/github.com/hyperledger/fabric
  depends_on:
    - orderer.example.com
    - peer0.org1.example.com
    - peer1.org1.example.com
    - peer0.org2.example.com
    - peer1.org2.example.com
```

Katiyman (Tue, 31 Oct 2017 06:33:38 GMT):
Hi, one question... the way we specify the MSP dir is `ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp`; within the msp folder we have many different folders like admincerts, signcerts etc. My question is: once we specify the msp dir, is the code internally looking for directories with exactly the same names to find the certs? Or is it possible to change the names of the dirs, or put all the certs in one or two folders inside the msp dir? TIA

Katiyman (Tue, 31 Oct 2017 07:43:21 GMT):
Hello All, one question. I read the blog below for msp config http://www.blogsaays.com/configure-msp-hyperledger-fabric-blockchain/ and it says _An MSP involves two key aspects for its proper functioning. The rules by which Membership identities are governed (Identity validation). Membership authentication (Signature generation and verification)._ I think membership authentication is governed by the signcerts, if I am right. What I want to ask is how the rules for membership identities are laid out. Is it referring to the YAML file that has to be included in the msp folder, or is what I am thinking totally wrong? TIA

NakaoK (Tue, 31 Oct 2017 09:36:42 GMT):
Has joined the channel.

baoyangc (Tue, 31 Oct 2017 09:42:03 GMT):
does anyone generate the crypto-config directory with fabric-ca?

smithbk (Tue, 31 Oct 2017 11:43:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=puMZoH4SqCgHprgHe) @Katiyman The "signcerts" and "keystore" folders are used by a client to sign a message. Everything else in an MSP is used to verify that the client is a member of the MSP, and if so, is the client also an MSP administrator. You may also find this helpful: https://www.ibm.com/developerworks/cloud/library/cl-build-blockchain-network-with-custom-cryptographic-material-from-your-certificate-authority/index.html. See section 2 which describes MSP as well.

smithbk (Tue, 31 Oct 2017 11:53:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kyeqjQ5DhpBumku2y) @baoyangc The sample at https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca/ builds the organizational MSPs that are used by configtxgen, which I assume is what you really want. It intentionally does not build the entire crypto-config directory as is done by cryptogen, because in a real-world scenario, you would not have all of the private keys on one host. See in particular https://github.com/hyperledger/fabric-samples/blob/master/fabric-ca/scripts/setup-fabric.sh for how the genesis block is built. It builds the MSPs used by configtxgen which contain only public key material.

baoyangc (Tue, 31 Oct 2017 12:23:33 GMT):
what I want is to generate organizational MSPs with fabric-ca, not configtxgen

smithbk (Tue, 31 Oct 2017 13:05:38 GMT):
That sample uses fabric-ca to generate the MSP which is then consumed by configtxgen

smithbk (Tue, 31 Oct 2017 13:05:38 GMT):
configtxgen only consumes, doesn't generate MSPs

baoyangc (Tue, 31 Oct 2017 15:15:48 GMT):
thanks

Jonny (Tue, 31 Oct 2017 15:36:43 GMT):
Hi guys. Any hint where I can check? I keep on getting `error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: The creator's signature over the proposal is not valid, err The signature is invalid`. For your information, I'm running the marbles example with my custom network with TLS

Jonny (Tue, 31 Oct 2017 15:37:16 GMT):
```
error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: The creator's signature over the proposal is not valid, err The signature is invalid
    at /application/hyperledger/marbles/node_modules/grpc/src/node/src/client.js:554:15
error: [fcw] Failed to obtain endorsement for transaction. code=2,
error: [fcw] Error in install catch block object code=2,
---------------------------------------
info: Install done. Errors:
parsed=Blockchain network error - The creator's signature over the proposal is not valid, err The signature is invalid, raw=[code=2, ]
---------------------------------------
```

baoyangc (Tue, 31 Oct 2017 15:40:07 GMT):
do we have a way to use fabric-ca as an intermediate CA but without a parent CA server, as the root CA is offline?

smithbk (Tue, 31 Oct 2017 16:28:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qFjJAbqk5SahCgCg3) @baoyangc Yes, there are 2 possibilities. You can either: 1) start the root fabric-ca-server, initialize the intermediate fabric-ca-server, stop the root fabric-ca-server, and start the intermediate fabric-ca-server (so the root CA is off-line), or 2) just start a fabric-ca-server with an intermediate CA signing certificate which was issued by some external CA.

baoyangc (Tue, 31 Oct 2017 16:29:51 GMT):
in the 2nd case, do we need to show the root CA's cert to the end user?

baoyangc (Tue, 31 Oct 2017 16:30:53 GMT):
in the intermediate CA's configuration, is there a place to show the root CA's cert?

smithbk (Tue, 31 Oct 2017 16:33:08 GMT):
Yes, in the config file as the ca.chainfile

smithbk (Tue, 31 Oct 2017 16:34:26 GMT):
You would put the external CA's root certificate 1st in this file

baoyangc (Tue, 31 Oct 2017 16:35:08 GMT):
thanks

smithbk (Tue, 31 Oct 2017 16:35:21 GMT):
np

smithbk (Tue, 31 Oct 2017 16:54:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AKwTTYCTtGD6yDqsT) @Jonny Most likely, the root CA cert that issued the client's ecert to your node.js client is not the same cert in the MSP's cacerts folder. I would start with looking at the peer logs to see if the message is more specific.

Jonny (Tue, 31 Oct 2017 16:55:39 GMT):
@smithbk. Sorry for the late update. I'm able to find the correct key and cert for that. But I'm getting another error

Jonny (Tue, 31 Oct 2017 16:56:10 GMT):
`sendPeersProposal - Promise is rejected: Error: Failed to deserialize creator identity, err MSP PrimaryMSP is unknown`

Jonny (Tue, 31 Oct 2017 16:56:18 GMT):
Do you have any idea for this?

smithbk (Tue, 31 Oct 2017 16:57:26 GMT):
The MSP ID you are using in your client does not match the MSP ID of the peer

Jonny (Tue, 31 Oct 2017 16:58:00 GMT):
I can confirm that MSP ID in peer is `- CORE_PEER_LOCALMSPID=PrimaryMSP`

Jonny (Tue, 31 Oct 2017 17:00:15 GMT):
this is my marbles configuration
```
"organizations": {
  "PrimaryMSP": {
    "mspid": "PrimaryMSP",
    "peers": [
      "peer0.primary.domain.com"
    ],
    "certificateAuthorities": [
      "ca.primary.winapp.my"
    ],
    "adminPrivateKey": {
      "path": "./crypto/privateKey.pem"
    },
    "signedCert": {
      "path": "./crypto/signedCert.pem"
    }
  }
}
```

smithbk (Tue, 31 Oct 2017 17:22:14 GMT):
Two thoughts ... 1) You changed the MSPID that was in the sample, but you also need to change it every place that ID occurs. You probably missed some place. 2) I think this error occurs if the peer has not joined the channel associated with the proposal you are sending. Anyway, I'd suggest starting from scratch and making sure you update all locations appropriately.

Jonny (Tue, 31 Oct 2017 17:42:56 GMT):
thanks @smithbk will work on it

RezwanKabir (Tue, 31 Oct 2017 19:28:02 GMT):
hi guys I want to create more channels. I can generate channel1 by:
# generate channel configuration transaction
`configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./config/orion.tx -channelID channel1`
# generate anchor peer transaction
`configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./config/Org1MSPanchors.tx -channelID channel1 -asOrg Org1MSP`
now I want to generate channel2. first step could be:
`configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./config/orion.tx -channelID channel2`
what would be the second step?
`configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./config/Org1MSPanchors.tx -channelID channel1 ,channel2 -asOrg Org1MSP` ?
can I define more channels for Org1MSP ?

RezwanKabir (Tue, 31 Oct 2017 19:41:12 GMT):
In short can I define the anchor peer for Org1 for many channels

niteshsolanki (Wed, 01 Nov 2017 14:20:42 GMT):
Hi, is identity mix considered as alternative to normal x509 PKI?

smithbk (Wed, 01 Nov 2017 15:17:52 GMT):
yes, though it is only tech preview in v1.1 time frame.

t_stephens67 (Wed, 01 Nov 2017 15:38:58 GMT):
Has joined the channel.

t_stephens67 (Wed, 01 Nov 2017 15:39:08 GMT):
hello all any reason I would get this error?

t_stephens67 (Wed, 01 Nov 2017 15:39:11 GMT):
[ERROR] No certificates found for provided serial and aki

t_stephens67 (Wed, 01 Nov 2017 15:54:10 GMT):
I am making the call through composer-rest-server and have tried the command line command as well

kayadhami (Wed, 01 Nov 2017 16:00:49 GMT):
Has joined the channel.

smithbk (Wed, 01 Nov 2017 17:02:07 GMT):
@t_stephens67 See #2 under https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#troubleshooting

t_stephens67 (Wed, 01 Nov 2017 17:04:16 GMT):
@smithbk yea I read that

smithbk (Wed, 01 Nov 2017 17:09:55 GMT):
@t_stephens67 I believe the composer-rest-server is built on top of the node SDK using its local keystore. My guess is that it has some ecerts which were issued by fabric-ca-server, but the fabric-ca-server's DB was deleted and recreated, thus losing its copy of the ecert.

t_stephens67 (Wed, 01 Nov 2017 17:27:56 GMT):
Even if I try issuing the identity before the rest server is even started it does not work

t_stephens67 (Wed, 01 Nov 2017 17:34:59 GMT):
I went into the container and ran "fabric-ca-client enroll -u http://admin:adminpw@localhost:7054" and the logs gave no errors and everything seemed fine but then I tried to enroll a participant and it got the same no certificate found for serial and aki

t_stephens67 (Wed, 01 Nov 2017 18:35:43 GMT):
got it

t_stephens67 (Wed, 01 Nov 2017 18:37:56 GMT):
first you have to POST /wallets/{id}/identities with admin adminpw then use POST /wallets/{id}/identities/{fk}/setDefault with that ID and FK. then you will be able to use POST /system/identities/issue to issue identities to the participants then just use POST /wallets/{id}/identities/{fk}/setDefault to swap between participants to make calls to the rest server so the ACL rules work

Asara (Wed, 01 Nov 2017 18:49:53 GMT):
Hey all, is there an example of a config.tx for a multi-orderer environment?

Asara (Wed, 01 Nov 2017 18:50:18 GMT):
I have two organizations, both of them have 1 peer and 1 orderer, not sure how to make my config.tx look though

Asara (Wed, 01 Nov 2017 18:51:21 GMT):
My real question comes from the `Organizations:` section of the configtx

Asara (Wed, 01 Nov 2017 18:52:07 GMT):
Does each 'org' get an organization for their orderer and another one for their peer group? And just have an organization for each of those things? I am really trying to understand this in terms of the MSPDir

baoyangc (Wed, 01 Nov 2017 19:04:43 GMT):
what's the meaning of "X509v3 Extended Key Usage: 2.5.29.37.0"? I generated a CA cert with fabric-ca. Compared with the cert generated by the cryptogen tool, only this attribute is absent

baoyangc (Wed, 01 Nov 2017 19:04:56 GMT):
does this matter

baoyangc (Wed, 01 Nov 2017 19:56:23 GMT):
can anyone explain the meaning of `hf.Registrar.Roles: "client,user,peer,validator,auditor"`

baoyangc (Wed, 01 Nov 2017 19:56:53 GMT):
is there any difference between them

smithbk (Wed, 01 Nov 2017 20:04:49 GMT):
@Asara Each org has one entry in the organization section ... not one 1 for peer and 1 for orderer

Asara (Wed, 01 Nov 2017 20:05:59 GMT):
So for example, in the first-network sample configtx.yaml, there is an agnostic OrdererOrg

Asara (Wed, 01 Nov 2017 20:06:09 GMT):
How about orderers that belong to an Organization?

smithbk (Wed, 01 Nov 2017 20:11:15 GMT):
@baoyangc Are you saying that extension is in a cert generated by cryptogen? What version of cryptogen?

smithbk (Wed, 01 Nov 2017 20:14:04 GMT):
@Asara That is just a sample in which there is a separate org for all orderers (of which there is just 1 in that sample). But you can have an org that provides both orderer nodes and peer nodes in general.

Asara (Wed, 01 Nov 2017 20:14:41 GMT):
@smithbk Alright, so what MSPDir would I use? What info is being pulled from there?

smithbk (Wed, 01 Nov 2017 20:16:09 GMT):
You have an MSPDir for each organization, that's all. Not sure I understand the question. Can you clarify?

Asara (Wed, 01 Nov 2017 20:18:01 GMT):
What exactly is being used from the MSPDir?

Asara (Wed, 01 Nov 2017 20:18:35 GMT):
I'm just trying to wrap my head around this. I am currently using fabric-ca to create all MSP related materials on the host machines themselves. So each service (orderers and peers) have their own MSP data

Asara (Wed, 01 Nov 2017 20:18:44 GMT):
And I'm trying to create the channel manually

smithbk (Wed, 01 Nov 2017 20:21:50 GMT):
@Asara I suggest reading section 2 of this article: https://www.ibm.com/developerworks/cloud/library/cl-build-blockchain-network-with-custom-cryptographic-material-from-your-certificate-authority/index.html. I think that will help.

Asara (Wed, 01 Nov 2017 20:22:16 GMT):
I'll give it a read thanks

Asara (Wed, 01 Nov 2017 20:28:01 GMT):
@smithbk Alright this clears some stuff up. Now if I'm using fabric-ca where are the org MSPs located?

Asara (Wed, 01 Nov 2017 20:28:02 GMT):
on the CA itself?

Asara (Wed, 01 Nov 2017 20:28:55 GMT):
Or rather, what is the way to create the org MSP information using fabric-ca-client?

smithbk (Wed, 01 Nov 2017 20:39:06 GMT):
@Asara See the fabric-ca sample at https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca for an end-to-end flow. The https://github.com/hyperledger/fabric-samples/blob/master/fabric-ca/scripts/setup-fabric.sh script does this. In a nutshell, to create an org MSP, you call `fabric-ca-client getcacert -u ` which populates everything except the admincerts directory. You will have to manually populate that. Oh, and you'll need to populate tlscacerts and tlsintermediatecerts separately, but assuming you use fabric CA to issue TLS certs also, they will be the same as the cacerts and intermediatecerts, respectively.

Asara (Wed, 01 Nov 2017 21:11:57 GMT):
@smithbk So a mix of https://github.com/hyperledger/fabric-samples/blob/master/fabric-ca/scripts/setup-fabric.sh#L78 and https://github.com/hyperledger/fabric-samples/blob/master/fabric-ca/scripts/env.sh#L261

Asara (Wed, 01 Nov 2017 21:12:03 GMT):
Thanks man, I'll give it a go tonight

smithbk (Wed, 01 Nov 2017 21:13:03 GMT):
yes, np

AshCapy (Thu, 02 Nov 2017 07:20:12 GMT):
Has joined the channel.

AshCapy (Thu, 02 Nov 2017 07:22:34 GMT):
Hello! I have a question on the `role` and `attribute` when I register an identity. What is the difference between these 2 fields? From what I understand, there is a key-value store that I can put into the attribute field according to the pre-set role in the `fabric-ca-server` configuration, but what is the difference between setting it in the `role` and `attrs` field?

JoshuaBarker (Thu, 02 Nov 2017 08:08:31 GMT):
Has joined the channel.

glotov (Thu, 02 Nov 2017 11:59:23 GMT):
Hi! Am I right that users, who are registered dynamically with ca server, have certs only during their session (between _enroll_ and ca-server restart)? In contrast to users, initially generated by cryptogen tool (`Users.Count: N`). What is the idea behind this difference?

Vadim (Thu, 02 Nov 2017 12:05:38 GMT):
@glotov as soon as they enroll, they have their certs regardless of whether ca is running or not

smithbk (Thu, 02 Nov 2017 12:14:49 GMT):
When an identity is registered, you must have a single role (or type) such as "peer", "orderer", "client", etc. That is required. Attributes (as you said) are just name/value pairs and are optional.

UtkarshSingh (Thu, 02 Nov 2017 12:21:54 GMT):
Does Fabric-CA eliminate the concept of Organisations ? (peers are independent of Organisations, and MSP will be provided by CA server)

smithbk (Thu, 02 Nov 2017 12:29:15 GMT):
No, generally there would be a 1-1 mapping between a fabric-ca-server and an organization. Peers are a member of an MSP

UtkarshSingh (Thu, 02 Nov 2017 13:03:10 GMT):
@smithbk Why should we use Fabric-ca then, as Organisations' MSP is used by the peers & peers can generate their own certificates using openssl ?

UtkarshSingh (Thu, 02 Nov 2017 13:03:44 GMT):
How is a private blockchain useful, as it has the properties of centralised systems? So, what's the use of using a Private Blockchain? In Hyperledger Fabric, we are using PKI (Public Key Infra) kind of settings; here we have a Root of Trust and Intermediate CAs. Blockchain came to eliminate the concept of a Trusted Third Party, but Private Blockchain is violating this. (We need to trust entities; what if the Root of Trust gets compromised or cheats?)

UtkarshSingh (Thu, 02 Nov 2017 13:04:05 GMT):
@Vadim

Vadim (Thu, 02 Nov 2017 13:04:47 GMT):
@UtkarshSingh each org has its own root of trust, there is no centralization

UtkarshSingh (Thu, 02 Nov 2017 13:21:04 GMT):
We are using PKI kind of settings, which is somewhat a centralisation

Vadim (Thu, 02 Nov 2017 13:26:49 GMT):
well this is a consortium blockchain, you have to enforce access control somehow

Vadim (Thu, 02 Nov 2017 13:27:27 GMT):
I guess you could develop other implementations of identity providers which would not rely on PKI, as the MSP concept is pluggable

UtkarshSingh (Thu, 02 Nov 2017 14:00:51 GMT):
As, In centralised system, there is a single point of failure. In Consortium Blockchain, there would be k-point of failure(more secure than centralised system) And, Public Blockchain is more secure than the above two. Why didn't we use that in Hyperledger Fabric?

Vadim (Thu, 02 Nov 2017 14:03:27 GMT):
@UtkarshSingh because public blockchains 1) have no access control 2) have no privacy (all data is public) 3) pseudonymous identities make it hard to audit

Vadim (Thu, 02 Nov 2017 14:05:14 GMT):
and perhaps also 4) have low tx throughput

gauthampamu (Thu, 02 Nov 2017 14:54:44 GMT):
http://hyperledger-fabric.readthedocs.io/en/latest/releases.html @smithbk Noticed the Fabric team added attribute-based access control. Is that only feasible when you use fabric ca server, or is it feasible to add attributes when you use custom certs issued by an external CA server like Entrust or Verisign CA?

smithbk (Thu, 02 Nov 2017 15:15:31 GMT):
@UtkarshSingh Keep in mind that all security checks have been abstracted behind the MSP API. The default implementation of this API is x509-based and there is another in progress called idemix (short for "Identity Mixer") which provides zero-knowledge proofs. Each channel/ledger has multiple MSPs. With the default MSP being x509 PKI based, yes, there are N roots of trust, where N is the number of MSPs for the channel/ledger. Theoretically speaking, there is no limit to N. That said, more important is the fact that other MSP implementations can (and I believe will) be developed with different qualities of service as needed. But having an x509-based MSP certainly fits a model for company-to-company interactions, where these companies already have their own PKI infrastructure, and has a separation of trust between companies.

smithbk (Thu, 02 Nov 2017 15:29:31 GMT):
@gauthampamu It can be used with external CAs also to get the MSPID and x509 certificate, but in order for the APIs to retrieve attributes to work, you would need to get the external CA to issue certificates with the custom extension, which I don't think they would ever do. And even if they did, there would have to be some governance around who was able to get which attributes with what values, or if you're performing ACL based on OUs, there would need to be governance by the CA around who can get certificates with which OUs. For now, assuming there is some governance around OUs from your external CA, I would suggest using the cid library to get the x509.Certificate and get the OUs to make access control decisions. In the future, we hope to provide a higher level of abstraction to separate the duties of a developer and deployer. See https://gerrit.hyperledger.org/r/#/c/14653/ and https://jira.hyperledger.org/browse/FAB-6674

Asara (Thu, 02 Nov 2017 17:18:31 GMT):
Hey all, I am trying to create my own channel using configtxgen, and the only response I get from the application is `[common/configtx/tool] main -> INFO 001 Loading configuration`

Asara (Thu, 02 Nov 2017 17:18:42 GMT):
While running `/usr/local/bin/configtxgen -profile profileName`

Asara (Thu, 02 Nov 2017 17:19:55 GMT):
Is there anything I can do to get more information out of this?

Asara (Thu, 02 Nov 2017 17:19:58 GMT):
Not sure what I'm doing wrong

mastersingh24 (Thu, 02 Nov 2017 17:51:16 GMT):
@Asara - you need to set `FABRIC_CFG_PATH` to the directory your configtx.yaml is in

mastersingh24 (Thu, 02 Nov 2017 17:51:29 GMT):
well that's my best guess

Asara (Thu, 02 Nov 2017 17:51:40 GMT):
@mastersingh24 figured it out with the help of @jyellick

Asara (Thu, 02 Nov 2017 17:51:56 GMT):
Running the command with -outputBlock works, but without it it apparently just reads the config?

mastersingh24 (Thu, 02 Nov 2017 17:51:58 GMT):
what was the issue?

mastersingh24 (Thu, 02 Nov 2017 17:52:04 GMT):
ah

Asara (Thu, 02 Nov 2017 17:52:23 GMT):
Which implies that the instructions (http://hyperledger-fabric.readthedocs.io/en/latest/configtxgen.html#bootstrapping-the-orderer) aren't correct?

knagware9 (Thu, 02 Nov 2017 18:56:08 GMT):
Has joined the channel.

natchapon.pa (Fri, 03 Nov 2017 02:48:16 GMT):
Has joined the channel.

Luke_Chen (Fri, 03 Nov 2017 05:41:31 GMT):
Has joined the channel.

Luke_Chen (Fri, 03 Nov 2017 05:47:12 GMT):
Hey guys, when I enroll an identity with the "fabric-ca-client enroll" command, it only returns a msp folder. My question is how could I get the tlsca folder, should I generate it by myself ?

Amitchandra (Fri, 03 Nov 2017 07:23:50 GMT):
cryptogen tool creates the tlsca folder along with the msp

Luke_Chen (Fri, 03 Nov 2017 07:33:35 GMT):
@Amitchandra so no way to request such a folder from fabric-ca ?

Luke_Chen (Fri, 03 Nov 2017 07:42:11 GMT):
using cryptogen tool is not a good idea, especially when the Fabric network is running

UtkarshSingh (Fri, 03 Nov 2017 10:55:39 GMT):
@smithbk I have gone through many blogs, but I have an understanding issue with private permissioned blockchains. Is their motto just to provide privacy over the Blockchains? Why are we using the term "blockchain" in private blockchain, as we are keeping the system the same, using PKI - a central authority, and just adding a hash-based database technology & keeping replicas with each peer? The difference between the previous private centralised systems & private blockchain is (as per my understanding): hash-based database (chaining property) + replicas of the database with each peer (no decentralisation property). The main & concrete property of Blockchain, "Decentralisation of the Network", is violated here in private blockchain after introducing central authorities inside the network.

Vadim (Fri, 03 Nov 2017 11:05:06 GMT):
@UtkarshSingh I'd say it's decentralized in a sense that not a single org can impose any rules on how the blockchain network should work without agreeing it with other participating orgs

UtkarshSingh (Fri, 03 Nov 2017 11:09:08 GMT):
You Mean to say, if we talk about Organisation level, it is decentralised. But in terms of peers, it is not

Vadim (Fri, 03 Nov 2017 11:09:48 GMT):
these are the peers that belong to org anyway, there cannot be any other peers. So this is IMO not a problem.

Vadim (Fri, 03 Nov 2017 11:10:50 GMT):
to add to that, if a single peer gets compromised, it cannot corrupt the shared blockchain state

Vadim (Fri, 03 Nov 2017 11:11:22 GMT):
problem is when CA gets compromised, so probably you have to take a great care protecting it

UtkarshSingh (Fri, 03 Nov 2017 11:11:33 GMT):
What about the scenario, in which 51% of the peers in a channel are malicious(cheating ones) ?

Vadim (Fri, 03 Nov 2017 11:12:35 GMT):
this is defined by the endorsement policy and it's quite flexible. I find it hard to believe that 51% of peers across different orgs will get simultaneously compromised.

Vadim (Fri, 03 Nov 2017 11:12:52 GMT):
also, in public blockchains you have the same problem

UtkarshSingh (Fri, 03 Nov 2017 11:13:04 GMT):
@Vadim Yes, again a problem of "Single point of failure", that a Blockchain is assumed to solve.

Vadim (Fri, 03 Nov 2017 11:13:48 GMT):
The CA is only needed for an initial provisioning, then you can just turn it off and the network will function without problems without it

UtkarshSingh (Fri, 03 Nov 2017 11:15:56 GMT):
@Vadim Security is governed by the Consensus Algorithm, in Proof of Work & Proof of Stake, in which solving a hard problem makes the trust. Here we are not doing anything like that

Vadim (Fri, 03 Nov 2017 11:16:51 GMT):
so you think that if all nodes switch to mining, the problem will go away?

Vadim (Fri, 03 Nov 2017 11:17:22 GMT):
Vadim (Fri, 03 Nov 2017 11:17:22 GMT):
this is a private chain, you have limited number of resources and nodes and it will be very easy to make a 51% attack

UtkarshSingh (Fri, 03 Nov 2017 11:18:14 GMT):
@Vadim Why does any peer involve itself in the endorsing process? It's not getting any advantage. In bitcoin, the incentives associated with the mining process drag the peers to keep on validating the blocks, which keeps the network on

Vadim (Fri, 03 Nov 2017 11:18:46 GMT):
@UtkarshSingh Because this is a private chain, organizations own the peers and they want to run it, because they apply it for their use cases

Vadim (Fri, 03 Nov 2017 11:19:03 GMT):
this is very different from public chains

UtkarshSingh (Fri, 03 Nov 2017 11:19:45 GMT):
All peers will work fine, it is pre-assumed?

Vadim (Fri, 03 Nov 2017 11:20:18 GMT):
no, you have an endorsement policy which enforces how many peers should agree between each other for the tx to be valid

Jonny (Fri, 03 Nov 2017 11:21:40 GMT):
any idea why my ca always gets an error while getting `DB: Get affiliation `

Jonny (Fri, 03 Nov 2017 11:22:29 GMT):
at this line : https://github.com/hyperledger/fabric-ca/blob/a21585dcc589e16cfb764acb5bee14293354cb4a/lib/dbaccessor.go#L306-L321

UtkarshSingh (Fri, 03 Nov 2017 11:24:43 GMT):
@Vadim for example, in a channel there are 10 peers, 7 of them are lazy (they won't use their processing in endorsement) & 4 endorsements are needed by the endorsing policy. Then, what reason will make the lazy peers do endorsements ?

Vadim (Fri, 03 Nov 2017 11:26:33 GMT):
I don't understand your terminology, peers are machines and I don't see why they will be lazy. They might, however, be unreachable (e.g. power outage), so in your case, you won't be able to get a valid tx because not enough peers signed the results.

UtkarshSingh (Fri, 03 Nov 2017 11:27:40 GMT):
I just tried to keep things simple, for a better understanding:sweat_smile:

UtkarshSingh (Fri, 03 Nov 2017 11:31:43 GMT):
@Vadim One more question.... Does Hyperledger Fabric eliminate Malicious Insiders' Attacks ? (peers inside the channel, who will not follow the protocol & always try to attack the system)

Vadim (Fri, 03 Nov 2017 11:32:33 GMT):
if he attacks by providing wrong results, then you will see it immediately

Vadim (Fri, 03 Nov 2017 11:32:47 GMT):
because his results will differ from another peer

Jonny (Fri, 03 Nov 2017 11:33:19 GMT):
@Vadim, do you have any idea why I'm not able to get affiliation of org1.department1 in database. keep getting `sql: no rows in result set`

Jonny (Fri, 03 Nov 2017 11:34:33 GMT):
Is there any default affiliation in that ca ?

UtkarshSingh (Fri, 03 Nov 2017 11:34:58 GMT):
@Vadim Due to the "auditing" property of private blockchain ?

UtkarshSingh (Fri, 03 Nov 2017 11:37:31 GMT):
@Vadim Any peer can violate the protocol in 2 ways: 1. giving wrong results 2. not performing any computation [in this case, it will somehow affect the performance of the system (if cheating peers are in large numbers)]

Vadim (Fri, 03 Nov 2017 11:44:05 GMT):
the client needs to ask peers for results. If the results are not equal, he will detect that. This happens before the data is submitted to the blockchain.

Vadim (Fri, 03 Nov 2017 11:45:13 GMT):
the client will get a timeout on that peer then, the overall performance will not be affected as that peer e.g. can be excluded from endorsement the next call.

agiledeveloper (Fri, 03 Nov 2017 18:02:31 GMT):
hi guys, can you advise on where to check? I am not able to instantiate the chaincode from peers, below is the log from the chaincode container
```
2017-11-03 17:56:27.076 UTC [shim] userChaincodeStreamGetter -> ERRO 001 Error trying to connect to local peer: x509: cannot validate certificate for 172.18.0.3 because it doesn't contain any IP SANs
2017-11-03 17:56:27.076 UTC [artmanager] Errorf -> ERRO 002 error starting chaincode: Error trying to connect to local peer: x509: cannot validate certificate for 172.18.0.3 because it doesn't contain any IP SANs
```

agiledeveloper (Fri, 03 Nov 2017 18:03:32 GMT):
error from client
```
root@991dbf7c759d:/opt/gopath/src/github.com/hyperledger/fabric/peer/channels# peer chaincode instantiate orderer.art.ifar.org:7050 -C mainchannel -n artmanager -v 0 -c '{"Args":[""]}' --tls $CORE_PEER_TLS_ENABLE-cafile $ORDERER_CA
2017-11-03 17:56:26.414 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing local MSP
2017-11-03 17:56:26.414 UTC [msp] GetDefaultSigningIdentity -> DEBU 002 Obtaining default signing identity
2017-11-03 17:56:26.418 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 003 Using default escc
2017-11-03 17:56:26.418 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 004 Using default vscc
2017-11-03 17:56:26.419 UTC [msp/identity] Sign -> DEBU 005 Sign: plaintext: 0AD1070A6908031A0C08CADBF2CF0...0A000A000A04657363630A0476736363
2017-11-03 17:56:26.419 UTC [msp/identity] Sign -> DEBU 006 Sign: digest: D0A96A11EEF74713723803BCFDDE78D85D8484641AFBF8D2613B06823D13D
Error: Error endorsing chaincode: rpc error: code = Unknown desc = Timeout expired while starting chaincodpeerid:peer0.louvre.fr,tx:d7125ed0e897b93f29f956b4243f43577a7e1471fe9a992ebe8af3dc582b077f)
Usage:
  peer chaincode instantiate [flags]

Flags:
  -C, --channelID string   The channel on which this command should be executed (default "testchainid")
  -c, --ctor string        Constructor message for the chaincode in JSON format (default "{}")
  -E, --escc string        The name of the endorsement system chaincode to be used for this chaincode
  -l, --lang string        Language the chaincode is written in (default "golang")
  -n, --name string        Name of the chaincode
  -P, --policy string      The endorsement policy associated to this chaincode
  -v, --version string     Version of the chaincode specified in install/instantiate/upgrade commands
  -V, --vscc string        The name of the verification system chaincode to be used for this chaincode

Global Flags:
      --cafile string              Path to file containing PEM-encoded trusted certificate(s) for the orde
      --logging-level string       Default logging level and overrides, see core.yaml for full syntax
  -o, --orderer string             Ordering service endpoint
      --test.coverprofile string   Done (default "coverage.cov")
      --tls                        Use TLS when communicating with the orderer endpoint
```

agiledeveloper (Fri, 03 Nov 2017 18:14:15 GMT):
```
-> DEBU 56b container lock deleted(dev-peer0.louvre.fr-artmanager-0)
peer0.louvre.fr | 2017-11-03 18:01:27.084 UTC [chaincode] Launch -> ERRO 56c launchAndWaitForRegister failed Timeout expired while starting chaincode artmanager:0(networkid:dev,peerid:peer0.louvre.fr,tx:d7125ed0e897b93f29f956b4243f43577a7e1471fe9a992ebe8af3dc582b077f)
peer0.louvre.fr | 2017-11-03 18:01:27.084 UTC [endorser] callChaincode -> DEBU 56d Exit
peer0.louvre.fr | 2017-11-03 18:01:27.084 UTC [endorser] simulateProposal -> ERRO 56e failed to invoke chaincode name:"lscc" on transaction d7125ed0e897b93f29f956b4243f43577a7e1471fe9a992ebe8af3dc582b077f, error: Timeout expired while starting chaincode artmanager:0(networkid:dev,peerid:peer0.louvre.fr,tx:d7125ed0e897b93f29f956b4243f43577a7e1471fe9a992ebe8af3dc582b077f)
peer0.louvre.fr | 2017-11-03 18:01:27.084 UTC [endorser] simulateProposal -> DEBU 56f Exit
peer0.louvre.fr | 2017-11-03 18:01:27.084 UTC [lockbasedtxmgr] Done -> DEBU 570 Done with transaction simulation / query execution [832147a9-0061-49bf-8793-5e8779f4f494]
peer0.louvre.fr | 2017-11-03 18:01:27.084 UTC [endorser] ProcessProposal -> DEBU 571 Exit
orderer.art.ifar.org | 2017-11-03 18:01:27.085 UTC [orderer/common/broadcast] Handle -> WARN 1373 Error reading from stream: rpc error: code = Canceled desc = context canceled
orderer.art.ifar.org | 2017-11-03 18:01:27.086 UTC [orderer/main] func1 -> DEBU 1374 Closing Broadcast stream
```

mastersingh24 (Fri, 03 Nov 2017 19:14:57 GMT):
@agiledeveloper (I like that screen name BTW) -
```
2017-11-03 17:56:27.076 UTC [shim] userChaincodeStreamGetter -> ERRO 001 Error trying to connect to local peer: x509: cannot validate certificate for 172.18.0.3 because it doesn't contain any IP SANs
```
You are passing an IP address to the chaincode and trying to use TLS. Assuming the TLS certs came from cryptogen, you'll likely need to change the value of `CORE_PEER_ADDRESS` to the name of the container itself

agiledeveloper (Fri, 03 Nov 2017 19:21:38 GMT):
the crypto-materials were generated using this script ```https://gerrit.hyperledger.org/r/#/c/10871/6/examples/e2e_cli/fabric-ca-cryptogen.sh```

agiledeveloper (Fri, 03 Nov 2017 19:22:55 GMT):
I had it set like `CORE_PEER_ADDRESS=peer0.egyptianmuseum.org:7051` which is the name of the container

agiledeveloper (Fri, 03 Nov 2017 19:25:07 GMT):
I found these similar issues 'I guess' but I don't understand the solution, maybe you can elaborate more ```https://jira.hyperledger.org/browse/FAB-5352?jql=text%20~%20%22it%20doesn%27t%20contain%20any%20IP%20SANs%22```

mastersingh24 (Fri, 03 Nov 2017 19:45:58 GMT):
So somehow in your config the peer is passing `172.18.0.3:7051` to the chaincode container. When the chaincode container connects to `172.18.0.3:7051`, the TLS certificate being returned by the peer does not have the IP address `172.18.0.3` in its Subject Alternative Names field so the TLS connection fails and the chaincode container "crashes" and therefore you get the timeout

agiledeveloper (Fri, 03 Nov 2017 19:56:19 GMT):
I have `- CORE_PEER_ADDRESSAUTODETECT=true`

agiledeveloper (Fri, 03 Nov 2017 19:58:02 GMT):
where do you propose I check?

mastersingh24 (Fri, 03 Nov 2017 20:05:59 GMT):
set that to false

mastersingh24 (Fri, 03 Nov 2017 20:06:34 GMT):
`CORE_PEER_ADDRESSAUTODETECT=false` that is ;)

muralisr (Fri, 03 Nov 2017 20:29:19 GMT):
one thing @agiledeveloper @mastersingh24 ... is this latest master?

muralisr (Fri, 03 Nov 2017 20:29:40 GMT):
7051 instead of 7052 makes me think CORE_PEER_CHAINCODELISTENADDRESS is not being set

agiledeveloper (Sat, 04 Nov 2017 08:44:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QjqfffYu6fRcYMv6h) @muralisr I am using v1.0

agiledeveloper (Sat, 04 Nov 2017 08:45:03 GMT):
it works now, thank you both

hhimanshu (Sat, 04 Nov 2017 22:55:33 GMT):
Has joined the channel.

MeenakshiSingh (Sun, 05 Nov 2017 16:41:56 GMT):
Hi...I am trying to implement a sample on access control with ABAC. My current fabric setup runs on v1.0.1, which doesn't have the `/chaincode/cid` library. So do I need to get new version of `fabric-ca-server` and `fabric-ca-client` for `fabric 1.1.0-preview` branch? Also what would be the underlying compatible `go version` to use?

smithbk (Sun, 05 Nov 2017 21:08:59 GMT):
@MeenakshiSingh Yes, you should use 1.1.0-preview of fabric (chaincode/cid library), fabric-ca, and fabric-samples (fabric-samples/fabric-ca) ... and use go 1.9.

asuchit (Mon, 06 Nov 2017 04:21:41 GMT):
Is there any example of fabric-ca usage from which I can understand how to set up a network (similar to "build first network") using fabric-ca and adding peers/orderers?

Katiyman (Mon, 06 Nov 2017 06:32:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=d2rK7CoufEiYB2tWp) @smithbk Thank you so much Smith, that was really helpful

Lucifer (Mon, 06 Nov 2017 07:08:33 GMT):
Has joined the channel.

terryfernz (Mon, 06 Nov 2017 07:20:44 GMT):
Has joined the channel.

asuchit (Mon, 06 Nov 2017 09:28:43 GMT):
I am getting this error for fabric-ca-client:
```
fabric-ca-client enroll -u "http://admin:adminpw@localhost:7054"
2017/11/06 09:25:51 [INFO] generating key: &{A:ecdsa S:256}
2017/11/06 09:25:51 [INFO] encoded CSR
Error: Response from server: Error Code: 20 - Authorization failure
```
It was working on Friday. Let me know if I need to clear something.

Asara (Mon, 06 Nov 2017 20:55:30 GMT):
Hey all, trying to use fabric-ca and when I go to create a channel, my orderer logs say `identity 0 does not satisfy principal: This identity is not an admin`, but I am using fabric-ca-client in order to get those msp certs, using the bootstrap admin account

Asara (Mon, 06 Nov 2017 20:55:34 GMT):
Not sure what I am doing wrong here

aambati (Mon, 06 Nov 2017 21:29:57 GMT):
@Asara you need to add the certificate to the admin folder of the peer msp, then generate channel configuration transaction file using configtxgen. Specify the generated channel configuration transaction file to peer channel create command using -f option.

smithbk (Mon, 06 Nov 2017 21:34:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NPzWtJoP89c2mWqHs) @asuchit There are lots of reasons for getting an authorization failure. The fabric-ca-server logs should give a more specific reason for the authorization failure. What does it say?

zdmob (Tue, 07 Nov 2017 01:51:23 GMT):
Has joined the channel.

asuchit (Tue, 07 Nov 2017 02:53:26 GMT):
@smithbk
```
/usr/local/go/src/runtime/asm_amd64.s:2197
2017/11/06 09:34:25 [INFO] 127.0.0.1:48568 POST /enroll 401 23 "Failed to get user: User not found"
2017/11/06 11:05:04 [DEBUG] Received request for /enroll
2017/11/06 11:05:04 [DEBUG] ca.Config: &{CA:{Name: Keyfile:/home/suchit/hyperledger/fabric-ca/docker/server/ca-key.pem Certfile:/home/suchit/hyperledger/fabric-ca/docker/server/ca-cert.pem Chainfile:/home/suchit/hyperledger/fabric-ca/docker/server/ca-chain.pem} Signing:0xc4202b49b0 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[a.suchit-ubuntu localhost] KeyRequest: CA:0xc4202bcfc0 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:-1 Attrs:map[hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.Registrar.Roles:client,user,peer,validator,auditor hf.Registrar.DelegateRoles:client,user,validator,auditor hf.Revoker:1] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) TLS:{false [/home/suchit/hyperledger/fabric-ca/docker/server/ldap-server-cert.pem] {/home/suchit/hyperledger/fabric-ca/docker/server/ldap-client-key.pem /home/suchit/hyperledger/fabric-ca/docker/server/ldap-client-cert.pem}} } DB:{ Type:sqlite3 Datasource:/home/suchit/hyperledger/fabric-ca/docker/server/fabric-ca-server.db TLS:{false [/home/suchit/hyperledger/fabric-ca/docker/server/db-server-cert.pem] {/home/suchit/hyperledger/fabric-ca/docker/server/db-client-key.pem /home/suchit/hyperledger/fabric-ca/docker/server/db-client-cert.pem}} } CSP:0xc4202bd500 Client: Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** Profile: Label: CSR: CAName: AttrReqs:[] }} CRL:{Expiry:24h0m0s}}
2017/11/06 11:05:04 [DEBUG] DB: Getting identity admin
2017/11/06 11:05:04 [DEBUG] Sent error for /enroll: scode: 401, local code: 23, local msg: Failed to get user: User not found, remote code: 20, remote msg: Authorization failure
github.com/hyperledger/fabric-ca/lib.newAuthErr
	/usr/local/go/src/github.com/hyperledger/fabric-ca/lib/servererror.go:145
github.com/hyperledger/fabric-ca/lib.(*serverRequestContext).BasicAuthentication
	/usr/local/go/src/github.com/hyperledger/fabric-ca/lib/serverrequestcontext.go:93
github.com/hyperledger/fabric-ca/lib.enrollHandler
	/usr/local/go/src/github.com/hyperledger/fabric-ca/lib/serverenroll.go:82
github.com/hyperledger/fabric-ca/lib.(*serverEndpoint).ServeHTTP
	/usr/local/go/src/github.com/hyperledger/fabric-ca/lib/serverendpoint.go:44
net/http.(*ServeMux).ServeHTTP
	/usr/local/go/src/net/http/server.go:2238
net/http.serverHandler.ServeHTTP
	/usr/local/go/src/net/http/server.go:2568
net/http.(*conn).serve
	/usr/local/go/src/net/http/server.go:1825
runtime.goexit
	/usr/local/go/src/runtime/asm_amd64.s:2197
2017/11/06 11:05:04 [INFO] 127.0.0.1:36541 POST /enroll 401 23 "Failed to get user: User not found"
```

asaningmaxchain (Tue, 07 Nov 2017 06:45:39 GMT):
Has joined the channel.

asaningmaxchain (Tue, 07 Nov 2017 06:46:14 GMT):
@asuchit i got the same error

asaningmaxchain (Tue, 07 Nov 2017 06:46:50 GMT):
```
github.com/hyperledger/fabric-ca/lib.newAuthErr
	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/servererror.go:145
github.com/hyperledger/fabric-ca/lib.(*serverRequestContext).TokenAuthentication
	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/serverrequestcontext.go:157
github.com/hyperledger/fabric-ca/lib.registerHandler
	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/serverregister.go:49
github.com/hyperledger/fabric-ca/lib.(*serverEndpoint).ServeHTTP
	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/serverendpoint.go:44
net/http.(*ServeMux).ServeHTTP
	/opt/go/src/net/http/server.go:2254
net/http.serverHandler.ServeHTTP
	/opt/go/src/net/http/server.go:2619
net/http.(*conn).serve
	/opt/go/src/net/http/server.go:1801
runtime.goexit
	/opt/go/src/runtime/asm_amd64.s:2337
2017/11/07 06:41:35 [INFO] 172.16.10.12:39400 POST /api/v1/register 401 30 "Certificate not found with AKI '9ea83cf0b0892b4c9faf7858f2b237ae5bf03f53c4e601d325f9812b68f235e1' and serial '7e9c3cccd94a170dc873aa869409df56d556aaee'"
```

Ryo (Tue, 07 Nov 2017 06:52:47 GMT):
Has joined the channel.

levinkwong (Tue, 07 Nov 2017 07:55:26 GMT):
Hi all, may I know if I can specify the attribute value for O (organisation name) using the register and enrol mechanism in fabric-ca?

levinkwong (Tue, 07 Nov 2017 07:56:12 GMT):
From my understanding, adding the CSR to the enrol API will do the job?

asuchit (Tue, 07 Nov 2017 09:48:13 GMT):
@asaningmaxchain were you able to solve the error?

smithbk (Tue, 07 Nov 2017 12:15:58 GMT):
@asuchit The following
```
2017/11/06 11:05:04 [DEBUG] DB: Getting identity admin
2017/11/06 11:05:04 [DEBUG] Sent error for /enroll: scode: 401, local code: 23, local msg: Failed to get user: User not found, remote code: 20, remote msg: Authorization failure
```
means that the `admin` user was not found in the users table of the database. Is the `admin` user in your fabric-ca-server-config.yaml file in the registry.identities section? If it was working earlier, it must mean that the database or table or at least that entry was deleted from the database. The fabric-ca-server doesn't do this, so I'm not sure how it could have been deleted. If you are using the default DB, sqlite, then you could check with the following commands: `sqlite3 fabric-ca-server.db` and then `select * from users;` to print the users table.

smithbk (Tue, 07 Nov 2017 12:18:45 GMT):
@asaningmaxchain Although you also got the authorization failure on your client, it was for a different reason: ```2017/11/07 06:41:35 [INFO] 172.16.10.12:39400 POST /api/v1/register 401 30 "Certificate not found with AKI ``` See #2 under http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#troubleshooting

aambati (Tue, 07 Nov 2017 15:08:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7RkWKY5iZawat8xta) @asaningmaxchain This error can also happen if you are running with incorrect go version. v1.0.x code (release branch) must be run with go 1.7 and the code from master branch must be run with go 1.9

Umar12 (Wed, 08 Nov 2017 08:37:13 GMT):
Has joined the channel.

awattez (Wed, 08 Nov 2017 11:45:24 GMT):
Hi all, is it possible to know if the CA is compatible with Oracle SQL? Is it planned?

ranjan008 (Wed, 08 Nov 2017 12:06:15 GMT):
Hi, I am trying to add a user to the CA but am getting the below error: ```Failed to verify certificate: Failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com")```

ranjan008 (Wed, 08 Nov 2017 12:06:40 GMT):
Anything on what the error could be?

smithbk (Wed, 08 Nov 2017 12:19:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6cEBkaRXJXsM9Cobr) @awattez No, this is the 1st request for Oracle SQL that I've heard, but would welcome you to contribute to the product for this. I'd be glad to help. Or even if you can't, to open a jira feature request for this.

smithbk (Wed, 08 Nov 2017 12:23:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=w72949G7fxSDutTFq) @ranjan008 It sounds like you may be using an old ECert and that the server's database was deleted and recreated since that ECert was created. You should execute `fabric-ca-client enroll -u ` again to get a new ECert.

ranjan008 (Wed, 08 Nov 2017 12:58:04 GMT):
I am trying to interact with the chaincode but am getting the below error from the peer: ```2017-11-08 12:52:27.775 UTC [eventhub_producer] Chat -> ERRO 466 Error handling message: event message must be properly signed by an identity from the same organization as the peer: [failed deserializing event creator: [The supplied identity is not valid, Verify() returned x509: certificate has expired or is not yet valid]]```

ranjan008 (Wed, 08 Nov 2017 12:58:39 GMT):
@smithbk what can be the issue?

smithbk (Wed, 08 Nov 2017 13:20:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mtmZHKXcEZaQm2WeH) @ranjan008 When trying to verify a certificate, it checks the current time to make sure that it is between the `NotBefore` and `NotAfter` timestamps in the certificate. Given a PEM file, you can view the certificate's timestamps with `openssl x509 -in -noout -dates`. You should check both the MSP's root certificate in the cacerts folder and the client's enrollment certificate that was used when this error occurred. (Well, if you are using intermediate certificates, you also need to check the files in the MSP's intermediatecerts folder.) Check these against the current time on the peer which produced the errors.

mastersingh24 (Wed, 08 Nov 2017 13:21:43 GMT):
@ranjan008 - Only members of the peer's org can connect to the eventhub. This check uses the peer's local MSP (configured in core.yaml or via environment variables) in order to check this

MaximP (Wed, 08 Nov 2017 15:43:37 GMT):
Has joined the channel.

laoqui (Wed, 08 Nov 2017 19:43:55 GMT):
Hi everyone, I have a question regarding the `fabric-ca-client` configuration file. What do the `csr.ca.*` fields represent? What values should I use for them?

sukritVisa (Wed, 08 Nov 2017 21:42:05 GMT):
Has joined the channel.

smithbk (Wed, 08 Nov 2017 21:52:38 GMT):
@laoqui Just leave them blank. They really only apply to an intermediate CA when acting as a client to the root CA. They will be removed from the client's config.

laoqui (Wed, 08 Nov 2017 21:59:53 GMT):
cool, thanks @smithbk !

danielleekc (Thu, 09 Nov 2017 00:57:13 GMT):
Has joined the channel.

danielleekc (Thu, 09 Nov 2017 01:15:35 GMT):
Hi everyone, I have a problem with certificates issued by Fabric CA Server. In my case, I generate a root CA cert (CA) and an intermediate CA cert (INTERMEDIATE CA) with the openssl command. I started a Fabric CA Server and assigned INTERMEDIATE CA to the server. When I enroll a new user for MSP certificates, I found that the "Not Before" date of the issued certificate is 5 minutes before the issuing time. Say the time of the CA, the system time of the host machine and the system time of the container is 10:00; the "Not Before" time of the issued certificates is 09:55. And then when I go to use the "configtxgen" command to generate the genesis block, the certificate verification in setting up the MSP modules fails, giving me the errors below:
```
2017-11-08 08:15:53.692 GMT [common/configtx/tool] main -> INFO 001 Loading configuration
2017-11-08 08:16:00.908 GMT [configvalues/msp] TemplateGroupMSPWithAdminRolePrincipal -> CRIT 002 Setting up the MSP manager failed, err The supplied identity is not valid, Verify() returned x509: certificate has expired or is not yet valid
```
Anyone have an idea on the above issue?

ranjan008 (Thu, 09 Nov 2017 05:59:58 GMT):
@mastersingh24 I am running a configuration of 4 peers all under a single organization still am getting this error.

username343 (Thu, 09 Nov 2017 06:02:41 GMT):
Hi everyone, how can I create an admin identity for a peer using fabric-ca-client?

Vadim (Thu, 09 Nov 2017 08:30:02 GMT):
@username343 peer admin can be any org user whose cert is located in admincerts directory of the peer local msp

username343 (Thu, 09 Nov 2017 08:30:50 GMT):
thanks @Vadim

username343 (Thu, 09 Nov 2017 08:43:47 GMT):
I have one more question @Vadim: when I register an identity with fabric-ca, what should my --id.type be in order to be able to use that identity as an admin for a peer of an organization?

Vadim (Thu, 09 Nov 2017 08:52:02 GMT):
@username343 `--id.type user`

username343 (Thu, 09 Nov 2017 08:56:21 GMT):
thanks @Vadim

Katiyman (Thu, 09 Nov 2017 09:28:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yNGNKtg7jJRNdmy9w) @smithbk Hello, following the below mentioned link I created the certificates from a 3rd party CA and then did other config related changes as well. Now when I am trying to generate the genesis block I get this issue: ```Failed reading file /root/hyperledger/fabric-samples/first-network/crypto-config/ordererOrganizations/aexp.com/msp/cacerts/ca.crt: no pem content for file /root/hyperledger/fabric-samples/first-network/crypto-config/ordererOrganizations/aexp.com/msp/cacerts/ca.crt``` Can you please suggest?

asuchit (Thu, 09 Nov 2017 11:33:02 GMT):
fabric-ca provides the public and private keys of peers. How do I generate the server.crt and server.key when TLS is enabled?

asuchit (Thu, 09 Nov 2017 11:44:03 GMT):
Do these server keys have any relation to the organization's tlsca keys?

shiyj93 (Thu, 09 Nov 2017 12:02:00 GMT):
Has joined the channel.

smithbk (Thu, 09 Nov 2017 13:09:00 GMT):
@katiyman What is in your file `/root/hyperledger/fabric-samples/first-network/crypto-config/ordererOrganizations/aexp.com/msp/cacerts/ca.crt`? Apparently it isn't valid PEM? It should contain the root certificate from your external CA

smithbk (Thu, 09 Nov 2017 13:12:08 GMT):
@asuchit See https://github.com/hyperledger/fabric-samples/blob/v1.1.0-preview/fabric-ca/scripts/start-peer.sh#L17

UtkarshSingh (Fri, 10 Nov 2017 07:06:46 GMT):
When I run start.sh inside fabric-samples/fabric-ca, it gives this error:
```
##### 2017-11-10 12:13:46 Cleaning up the data directory from previous run at ./data
##### 2017-11-10 12:13:46 Created docker-compose.yml
##### 2017-11-10 12:13:46 Creating docker containers ...
Pulling setup (hyperledger/fabric-ca-tools:latest)...
ERROR: manifest for hyperledger/fabric-ca-tools:latest not found
```

username343 (Fri, 10 Nov 2017 07:34:14 GMT):
There is a scripts folder in the fabric-samples folder; inside that there is a script named fabric-reload.sh. Try to run that.

Katiyman (Fri, 10 Nov 2017 08:04:38 GMT):
Hello, requesting someone to help me with my query: https://stackoverflow.com/questions/47218176/unable-to-start-the-peer-in-hyperledger-fabric-first-network-sample-using-custo

Katiyman (Fri, 10 Nov 2017 08:08:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2SbxJJq8TWccD6roM) @smithbk Yes, this particular issue was resolved by adding BEGIN certificate and END certificate to the ca.crt. But now I am getting the same error on starting the orderer container, although the signer.crt it is referring to already has the BEGIN certificate and END certificate in the file. I have provided details in the below link. Thanks https://stackoverflow.com/questions/47218176/unable-to-start-the-peer-in-hyperledger-fabric-first-network-sample-using-custo

UtkarshSingh (Fri, 10 Nov 2017 08:10:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vHE8hLETzvZTTPMNF) @username343 Not working, the same error is coming.

UtkarshSingh (Fri, 10 Nov 2017 08:12:40 GMT):
That script doesn't contain fabric-ca-tools, so I added ca-tools, but couldn't download that.

username343 (Fri, 10 Nov 2017 08:41:00 GMT):
I've not had that issue, so unfortunately I can't understand the reason that you're getting that error. Maybe somebody else can help you. One drastic / last step solution I can tell you is to remove all the images and start from scratch, but that means downloading all the images again. See if somebody else can answer your query.

agiledeveloper (Fri, 10 Nov 2017 10:21:49 GMT):
Hi guys, can you suggest the reason for this error? If I disable TLS, instantiate chaincode is working.
```
agiledeveloper@UbuntuServer:~$ docker logs dev-peer0.egyptianmuseum.org-artmanager-0
2017-11-10 09:48:52.070 UTC [shim] userChaincodeStreamGetter -> ERRO 001 Error trying to connect to local peer: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "fabric-ca-server")
```

smithbk (Fri, 10 Nov 2017 12:05:23 GMT):
@UtkarshSingh You can follow the instructions on #1 at https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca#running-this-sample which will build the fabric-ca-tools and other images and tag them as latest on your system

smithbk (Fri, 10 Nov 2017 12:20:15 GMT):
@Katiyman I just posted to https://stackoverflow.com/questions/47218176/unable-to-start-the-peer-in-hyperledger-fabric-first-network-sample-using-custo

Katiyman (Fri, 10 Nov 2017 12:44:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gec8dY7pDvpL9mzao) @smithbk Thanks Smith. The `---end certificate---` is now on a new line at the end, but the same issue is still there. I will check for other validities.

smithbk (Fri, 10 Nov 2017 13:00:39 GMT):
@Katiyman I am able to print the cert with openssl when making it ```-----BEGIN CERTIFICATE----- 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 -----END CERTIFICATE----- ``` and here is the output of openssl ```Certificate: Data: Version: 3 (0x2) Serial Number: 01:5f:9a:d8:ce:40:b6:a8:8f:88:9f:d4:6d:e4:cf Signature Algorithm: sha256WithRSAEncryption Issuer: C=PL, O=Nokia, CN=REST CA1 Validity Not Before: Nov 8 08:27:00 2017 GMT Not After : Jul 31 12:58:35 2018 GMT Subject: C=US, ST=Alabama, L=Phoenix, O=Advanced Exploration Inc, OU=TEST Blockchain Hub, CN=test-blockchainHub-orderer.aexp.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey EC Public Key: pub: 04:50:d2:42:93:02:30:7e:3d:f9:b6:a9:33:e3:e4: 0c:91:c3:c4:94:f0:23:b8:df:54:5d:9e:61:85:c1: f2:d1:51:81:7e:a7:a5:2c:92:53:55:11:06:ef:ea: e1:91:28:e2:e6:3d:51:dd:dd:b6:38:f9:65:a1:7f: 59:a5:98:91:ea ASN1 OID: prime256v1 X509v3 extensions: X509v3 Authority Key Identifier: keyid:38:C0:31:59:41:D5:80:89:34:EF:9A:1B:DC:B6:78:E0:F7:AB:77:37 X509v3 Subject Key Identifier: 00:AA:CA:13:E9:DE:5F:C7:33:11:22:E1:1B:43:B6:1F:67:BE:ED:31 Signature Algorithm: sha256WithRSAEncryption 44:e4:4e:94:da:a5:8e:8f:7b:88:04:08:13:19:01:6f:60:6e: 74:a7:a1:f4:7e:78:a0:5c:db:8b:ba:66:99:37:2a:21:a1:7d: b5:37:9a:c2:a2:67:96:1b:5e:15:24:15:dc:bd:7b:56:27:20: 0a:d2:6b:2a:d2:6a:76:cb:3b:5a:6c:1b:1d:33:23:44:84:20: 27:c5:27:48:8f:69:96:15:35:5d:f8:5f:35:fa:eb:e9:e5:b0: e1:2a:ed:6a:e1:c4:7c:21:aa:5a:d5:e6:51:6a:0a:3e:62:9b: 00:bb:11:34:53:12:b6:25:ff:ea:9b:94:67:e7:11:34:68:20: 44:0c:3f:05:87:98:a0:7a:39:c7:65:b5:aa:09:c5:61:fa:b1: c2:cc:11:fb:c5:51:34:42:a1:50:e7:30:60:c1:dd:ec:ff:f1: 1b:1c:0e:d8:a3:f3:f0:11:5c:02:51:3e:62:48:0a:db:34:9d: 08:57:42:88:95:06:a6:a8:95:f4:cf:7b:63:c6:0b:c6:16:a0: da:11:c5:7a:7d:9a:f6:33:d9:b8:3b:bc:ce:2e:ab:a1:29:77: bc:13:ac:d4:e0:ba:0b:2a:89:a3:8d:c2:d6:1d:26:df:b3:f4: 10:46:8d:d7:8a:65:11:1f:8f:dd:da:07:52:f2:63:8d:70:7e: da:63:2a:5e ```

smithbk (Fri, 10 Nov 2017 13:00:39 GMT):
@Katiyman I am able to print the cert with openssl when making it ```-----BEGIN CERTIFICATE----- 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 -----END CERTIFICATE----- ``` and here is the output of openssl ```Certificate: Data: Version: 3 (0x2) Serial Number: 01:5f:9a:d8:ce:40:b6:a8:8f:88:9f:d4:6d:e4:cf Signature Algorithm: sha256WithRSAEncryption Issuer: C=PL, O=Nokia, CN=REST CA1 Validity Not Before: Nov 8 08:27:00 2017 GMT Not After : Jul 31 12:58:35 2018 GMT Subject: C=US, ST=Alabama, L=Phoenix, O=Advanced Exploration Inc, OU=TEST Blockchain Hub, CN=test-blockchainHub-orderer.aexp.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey EC Public Key: pub: 04:50:d2:42:93:02:30:7e:3d:f9:b6:a9:33:e3:e4: 0c:91:c3:c4:94:f0:23:b8:df:54:5d:9e:61:85:c1: f2:d1:51:81:7e:a7:a5:2c:92:53:55:11:06:ef:ea: e1:91:28:e2:e6:3d:51:dd:dd:b6:38:f9:65:a1:7f: 59:a5:98:91:ea ASN1 OID: prime256v1 X509v3 extensions: X509v3 Authority Key Identifier: keyid:38:C0:31:59:41:D5:80:89:34:EF:9A:1B:DC:B6:78:E0:F7:AB:77:37 X509v3 Subject Key Identifier: 00:AA:CA:13:E9:DE:5F:C7:33:11:22:E1:1B:43:B6:1F:67:BE:ED:31 Signature Algorithm: sha256WithRSAEncryption ```

smithbk (Fri, 10 Nov 2017 13:00:39 GMT):
@Katiyman I am able to print the cert with openssl when making it
```
-----BEGIN CERTIFICATE-----
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
-----END CERTIFICATE-----
```
and here is the output of openssl

smithbk (Fri, 10 Nov 2017 13:02:27 GMT):
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:5f:9a:d8:ce:40:b6:a8:8f:88:9f:d4:6d:e4:cf
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=PL, O=Nokia, CN=REST CA1
        Validity
            Not Before: Nov  8 08:27:00 2017 GMT
            Not After : Jul 31 12:58:35 2018 GMT
        Subject: C=US, ST=Alabama, L=Phoenix, O=Advanced Exploration Inc, OU=TEST Blockchain Hub, CN=test-blockchainHub-orderer.aexp.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                EC Public Key:
                    pub:
                        04:50:d2:42:93:02:30:7e:3d:f9:b6:a9:33:e3:e4:
                        0c:91:c3:c4:94:f0:23:b8:df:54:5d:9e:61:85:c1:
                        f2:d1:51:81:7e:a7:a5:2c:92:53:55:11:06:ef:ea:
                        e1:91:28:e2:e6:3d:51:dd:dd:b6:38:f9:65:a1:7f:
                        59:a5:98:91:ea
                    ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:38:C0:31:59:41:D5:80:89:34:EF:9A:1B:DC:B6:78:E0:F7:AB:77:37
            X509v3 Subject Key Identifier:
                00:AA:CA:13:E9:DE:5F:C7:33:11:22:E1:1B:43:B6:1F:67:BE:ED:31
    Signature Algorithm: sha256WithRSAEncryption
```

Katiyman (Fri, 10 Nov 2017 13:25:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cchibfgAJAH5BkKKF) @smithbk That means the certificate is fine i suppose.

jmcnevin (Fri, 10 Nov 2017 19:35:38 GMT):
I am running fabric-ca in multi-root mode with a postgres backend... looking at the database tables, I'm a little unclear as to whether I can have two identities with the same name in two different CAs

jmcnevin (Fri, 10 Nov 2017 19:40:56 GMT):
at least with 1.0.4, using fabric-ca-client register with the same id.name with two different canames seems to fail on the second one

skarim (Fri, 10 Nov 2017 20:42:00 GMT):
@jmcnevin You should be able to register an identity with the same name on different CAs. Could you provide server logs from the failing instance, might help to troubleshoot.

DeepaR (Sat, 11 Nov 2017 06:08:20 GMT):
Has joined the channel.

thiago-moreira (Sun, 12 Nov 2017 01:25:05 GMT):
Has joined the channel.

auxillium (Sun, 12 Nov 2017 03:33:21 GMT):
Has joined the channel.

hhimanshu (Sun, 12 Nov 2017 16:41:14 GMT):
Has left the channel.

Katiyman (Mon, 13 Nov 2017 04:49:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cchibfgAJAH5BkKKF) @smithbk Thanks Smith, now I am not getting the PEM issue, but *KeyMaterial not found in SigningIdentityInfo* is still coming in all the peers and the orderer node, and they are not starting

Katiyman (Mon, 13 Nov 2017 08:27:06 GMT):
Hello, I am unable to create a channel using the custom cryptographic material. I have mentioned details at https://stackoverflow.com/questions/47259234/unable-to-create-channel-in-hyperledger-fabric-using-custom-crypto-graphic-mater Kindly help

asuchit (Mon, 13 Nov 2017 10:31:56 GMT):
```
fabric-ca-client register -c client/config.yaml --id.name "intca" --id.type "ca" --id.affiliation "org1" --id.attrs "name=hf.IntermediateCA,value=true"
2017/11/13 10:28:45 [INFO] Configuration file location: /home/suchit/hyperledger/fabric-ca/bin/client/config.yaml
Error: Response from server: Error Code: 0 - Identity 'admin' may not register type 'ca
```
Can someone help me with what the issue would be?

smithbk (Mon, 13 Nov 2017 10:51:12 GMT):
@asuchit Try with `--id.type client`. It doesn't matter which ID type is used, but must be one of the ones in the registrar's hf.Registrar.Roles value.

asuchit (Mon, 13 Nov 2017 10:52:21 GMT):
If I use client, then would it work as an intermediate server?

asuchit (Mon, 13 Nov 2017 10:53:44 GMT):
@smithbk client is working, but would it work as an intermediate CA?

smithbk (Mon, 13 Nov 2017 11:02:04 GMT):
Yes, it will work. The hf.IntermediateCA attribute is what authorizes the identity to function as an intermediate CA.

asuchit (Mon, 13 Nov 2017 11:02:12 GMT):
@smithbk I am getting the following error while initializing the intermediate server
```
fabric-ca-client register -c client/config.yaml --id.name "intca" --id.type "ca" --id.affiliation "org1" --id.attrs "name=hf.IntermediateCA,value=true"
2017/11/13 10:28:45 [INFO] Configuration file location: /home/suchit/hyperledger/fabric-ca/bin/client/config.yaml
Error: Response from server: Error Code: 0 - Identity 'admin' may not register type 'ca'
```

asuchit (Mon, 13 Nov 2017 11:03:15 GMT):
Is the below command right?
```
fabric-ca-client register -c client/config.yaml --id.name "intca" --id.type "client" --id.affiliation "org1" --id.attrs "name=hf.IntermediateCA,value=true"
```

smithbk (Mon, 13 Nov 2017 11:03:59 GMT):
Yes, and you are registering that identity with the root CA, right?

asuchit (Mon, 13 Nov 2017 11:04:18 GMT):
yes

asuchit (Mon, 13 Nov 2017 11:06:05 GMT):
@smithbk sorry, now getting the below error
```
fabric-ca-server init -c server/intca/config.yaml -b admin:adminpw -u http://intca:rfJifSAoaWEh@107.108.218.34:7054
2017/11/13 10:58:18 [INFO] Created default configuration file at /home/suchit/hyperledger/fabric-ca/bin/server/intca/config.yaml
2017/11/13 10:58:18 [INFO] generating key: &{A:ecdsa S:256}
2017/11/13 10:58:18 [INFO] encoded CSR
2017/11/13 10:58:18 [FATAL] Initialization failure: Response from server: Error Code: 0 - Identity 'intca' does not have attribute 'hf.IntermediateCA'
```

smithbk (Mon, 13 Nov 2017 11:08:41 GMT):
When registering, use `--id.attrs "hf.IntermediateCA=true"`

smithbk (Mon, 13 Nov 2017 11:14:22 GMT):
@Katiyman The `*KeyMaterial not found in SigningIdentityInfo*` error means your `keystore` directories did not contain the appropriate private keys that you created when you created the CSR. Each one must contain the private key that corresponds to the certificate in the `signcerts` folder.

smithbk (Mon, 13 Nov 2017 11:25:59 GMT):
@Katiyman WRT https://stackoverflow.com/questions/47259234/unable-to-create-channel-in-hyperledger-fabric-using-custom-crypto-graphic-mater, it compares to the certificate in the genesis block which was extracted from the `crypto-config/peerOrganizations/org1.aexp.com/msp/admincerts` directory. Are you sure that you generated the genesis block after you placed the certificate there?

asuchit (Mon, 13 Nov 2017 11:26:11 GMT):
@smithbk It is working, thanks. Can we use JSON in place of `--id.name "intca" --id.type "client" --id.affiliation "org1" --id.attrs "hf.IntermediateCA=true"`?

smithbk (Mon, 13 Nov 2017 11:27:54 GMT):
@asuchit There is a change set that is not yet merged which will allow you to add a new identity and specify a json arg

smithbk (Mon, 13 Nov 2017 11:28:40 GMT):
This new change set will allow you to add, modify, delete, list identities

smithbk (Mon, 13 Nov 2017 11:28:52 GMT):
without restarting server

asuchit (Mon, 13 Nov 2017 11:29:49 GMT):
hmm ok

Katiyman (Mon, 13 Nov 2017 11:40:43 GMT):
@smithbk Yes, but I am not sure which certificates it will match. Should the orderer Admin certs and peer0 admin certs be the same?

smithbk (Mon, 13 Nov 2017 11:48:17 GMT):
@Katiyman They are different. Did you see table 1 in the dev works article? It shows the directories which contain both the signcerts and keystore for each of these. For orderer admin: `ordererOrganizations/example.com/users/Admin@example.com/msp` and for org1 admin: `peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp`

smithbk (Mon, 13 Nov 2017 11:49:44 GMT):
Those are the `identity MSP` directories, but you also need to populate the `org MSP` directories which are referenced by configtx.yaml, where the admincerts folder of the org MSPs at the top level of the cryptoconfig must be populated appropriately

bh4rtp (Mon, 13 Nov 2017 11:51:39 GMT):
hi, what are the differences between organization admin and ca admin?

smithbk (Mon, 13 Nov 2017 11:52:38 GMT):
An organization admin is used to administer the peer and is allowed to install chaincode, etc

smithbk (Mon, 13 Nov 2017 11:53:22 GMT):
A CA admin is allowed to administer the fabric-ca-server

smithbk (Mon, 13 Nov 2017 11:53:47 GMT):
They could be the same identity, but aren't required to be

Katiyman (Mon, 13 Nov 2017 11:55:50 GMT):
@smithbk Yes Smith, I populated both types of dir and provided the paths like below in configtx.yaml:
```
- &OrdererOrg
  Name: OrdererOrg
  ID: OrdererMSP
  MSPDir: crypto-config/ordererOrganizations/aexp.com/msp
- &Org1
  Name: Org1MSP
  ID: Org1MSP
  MSPDir: crypto-config/peerOrganizations/org1.aexp.com/msp
  AnchorPeers:
    - Host: test-blockchainHub-peer0-org1.aexp.com
      Port: 7051
- &Org2
  Name: Org2MSP
  ID: Org2MSP
  MSPDir: crypto-config/peerOrganizations/org2.aexp.com/msp
  AnchorPeers:
    - Host: test-blockchainHub-peer0-org2.aexp.com
      Port: 7051
```
Also, I double-checked the existence of the certificates and paths before running the configtxgen commands.

asuchit (Mon, 13 Nov 2017 11:57:41 GMT):
@smithbk How can we enroll the orderer? Is it the same as for a peer, with just the difference of id.type being "orderer"?

smithbk (Mon, 13 Nov 2017 12:03:08 GMT):
@asuchit Yes, but depending on which version of fabric-ca-server, orderer may not be listed as a type in hf.Registrar.Roles and so you'd get an error when trying to register. You can check your fabric-ca-server-config.yaml file to see if it is listed or not.

smithbk (Mon, 13 Nov 2017 12:03:25 GMT):
You may also be interested in this change set, fyi: https://gerrit.hyperledger.org/r/#/c/15139/

smithbk (Mon, 13 Nov 2017 12:04:23 GMT):
@Katiyman Let's take this off this channel and can report back once resolved

bh4rtp (Mon, 13 Nov 2017 12:07:16 GMT):
@smithbk if the org admin and ca admin are the same identity, should the docker-compose.yaml file be configured with the same key pair for ca and org admin?

smithbk (Mon, 13 Nov 2017 12:13:40 GMT):
Which docker-compose.yaml are you referring to? From the fabric-ca sample?

smithbk (Mon, 13 Nov 2017 12:15:10 GMT):
Anyway, yes, if they are the same identity, they would have the same key pair

bh4rtp (Mon, 13 Nov 2017 12:23:55 GMT):
@smithbk I mean the docker-compose.yaml file as for the e2e_cli example.

bh4rtp (Mon, 13 Nov 2017 12:25:17 GMT):
thanks. i understand these concepts now.

suryalanka (Mon, 13 Nov 2017 21:04:25 GMT):
Has joined the channel.

rajasekharpippalla (Tue, 14 Nov 2017 05:53:53 GMT):
Oracle ---->>> verification module
JPMorgan ---->>> verification module
1. Oracle as well as JPMorgan has done transactions with the verification module.
2. Now the verification module can have information for both Oracle and JPMorgan.
3. Oracle should not have access to JPMorgan data and vice versa.
How can we implement this kind of requirement? Can we implement this by using channels, and if so, how?

ahmadzafar (Tue, 14 Nov 2017 07:02:06 GMT):
1) What is the meaning of these lines in fabric-ca-server-config? When and how are they used?
```
# The following types are supported for client authentication: NoClientCert,
# RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
# and RequireAndVerifyClientCert.
clientauth:
  type: noclientcert
  certfiles:
```

ahmadzafar (Tue, 14 Nov 2017 07:03:11 GMT):
2) In fabric-ca-server-config, what is `type: client` in registry.identities, and what is maxenrollments in registry.identities.maxenrollments?
```
identities:
  - name: admin
    pass: adminpw
    type: client
    affiliation: ""
    maxenrollments: -1
```

brankoterzic (Tue, 14 Nov 2017 10:31:45 GMT):
Has joined the channel.

brankoterzic (Tue, 14 Nov 2017 10:34:11 GMT):
Hi guys, one general question: when we say that there is no central authority for the CA, how is that true, since every organization in the network has its own CA which decides which participants can contribute? Can someone explain this in more detail?

Vadim (Tue, 14 Nov 2017 10:38:41 GMT):
@brankoterzic so which CA among several orgs in your scenario are the central authority?

brankoterzic (Tue, 14 Nov 2017 10:39:44 GMT):
@Vadim for org1 I have one CA, for org2 I have the other one. So both of them are central authority for their orgs, right?

Vadim (Tue, 14 Nov 2017 10:40:20 GMT):
yes, but there is no central authority for the network as a whole

brankoterzic (Tue, 14 Nov 2017 10:41:57 GMT):
@Vadim Yes, but let me ask in a different way. Who can guarantee that, on the organization level, I as the one issuing the certificate am not malicious? Or issuing multiple JWTs using the nodejs SDK

brankoterzic (Tue, 14 Nov 2017 10:42:03 GMT):
or similar things

Vadim (Tue, 14 Nov 2017 10:42:54 GMT):
you mean how the org ensures that the CA is not malicious?

brankoterzic (Tue, 14 Nov 2017 10:44:31 GMT):
No, on the org level we have an admin for CA issuing, right? So if I try to issue a cert for my app, I will contact the admin and I will get the cert, right? So the admin is the one who decides who can get the cert?

Vadim (Tue, 14 Nov 2017 10:45:09 GMT):
can be several admins

Vadim (Tue, 14 Nov 2017 10:46:07 GMT):
you should think of a fabric as an inter-org blockchain, and what's inside the org belongs to it and the org defines how it issues the certs to itself

brankoterzic (Tue, 14 Nov 2017 10:47:39 GMT):
yes, ok.

Vadim (Tue, 14 Nov 2017 10:48:13 GMT):
so if you want to control yourself how you issue certs to your users, maybe you should be an org

Vadim (Tue, 14 Nov 2017 10:48:38 GMT):
or at least be an admin of the ca of another org

brankoterzic (Tue, 14 Nov 2017 10:49:17 GMT):
so the admin decides who can get access to the part of the network controlled by a certain org?

Vadim (Tue, 14 Nov 2017 10:49:54 GMT):
admin can register new users

brankoterzic (Tue, 14 Nov 2017 10:50:13 GMT):
ok

brankoterzic (Tue, 14 Nov 2017 10:50:14 GMT):
tnx

simcan (Tue, 14 Nov 2017 14:46:06 GMT):
Has joined the channel.

Marshalll (Wed, 15 Nov 2017 03:51:01 GMT):
Has joined the channel.

flyq (Wed, 15 Nov 2017 04:40:33 GMT):
Has joined the channel.

jaswanth (Wed, 15 Nov 2017 06:11:13 GMT):
Hi all. How can I restrict all users except admin from deploying the chaincode? Like in the balance-transfer example, everyone who enrolls into the network can deploy the chaincode, which I don't want to happen. Any suggestions?

UtkarshSingh (Wed, 15 Nov 2017 06:57:23 GMT):
@Vadim What's the use of "Users" in the users folder, where the Admin folder resides?

ahmadzafar (Wed, 15 Nov 2017 07:02:10 GMT):
Anyone, please answer these questions

zhoujunshan (Wed, 15 Nov 2017 07:53:10 GMT):
Has joined the channel.

zhoujunshan (Wed, 15 Nov 2017 07:53:16 GMT):
Can peers be added dynamically through chaincode? Hello, I want to ask how to use Fabric CA to achieve dynamic joining of peers, and whether you can dynamically add peers through chaincode?

zhoujunshan (Wed, 15 Nov 2017 07:53:59 GMT):
Hello, I want to ask how to use Fabric CA to achieve dynamic joining of peers, and whether you can dynamically add peers through chaincode?

ajksharma (Wed, 15 Nov 2017 08:05:03 GMT):
Has joined the channel.

Vadim (Wed, 15 Nov 2017 08:11:49 GMT):
@zhoujunshan you can use fabric-ca to generate peer's msp: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enrolling-a-peer-identity; the second part of your question I did not understand

Vadim (Wed, 15 Nov 2017 08:13:32 GMT):
@ahmadzafar this is for mutual auth during tls handshake, i.e. when the server needs to authenticate to the client and when client needs to authenticate to server. noclientcert means that client does not need to authenticate to the server.

zhoujunshan (Wed, 15 Nov 2017 08:41:19 GMT):
@Vadim ok,Thank you!

gvammer (Wed, 15 Nov 2017 09:43:45 GMT):
Has joined the channel.

ascatox (Wed, 15 Nov 2017 10:01:40 GMT):
Hi All! I have a simple question! I have to register a lot of users using a CA server; after they are registered and correctly enrolled, where are *the files to give to the users* so they can access the fabric system with applications? Thanks for the help!

Vadim (Wed, 15 Nov 2017 10:02:54 GMT):
@ascatox if you register users, you only give them username and secret, the rest (enrolling and obtaining the cert) they should do themselves

ahmadzafar (Wed, 15 Nov 2017 10:04:40 GMT):
@Vadim 2) In fabric-ca-server-config, what is `type: client` in registry.identities, and what is maxenrollments in registry.identities.maxenrollments?
```
identities:
  - name: admin
    pass: adminpw
    type: client
    affiliation: ""
    maxenrollments: -1
```

ascatox (Wed, 15 Nov 2017 10:04:46 GMT):
I didn't understand very well the process!

ascatox (Wed, 15 Nov 2017 10:05:11 GMT):
I'm the admin of a Fabric system

ascatox (Wed, 15 Nov 2017 10:05:34 GMT):
I register the users

ascatox (Wed, 15 Nov 2017 10:05:34 GMT):
I have to register only the users

Vadim (Wed, 15 Nov 2017 10:05:50 GMT):
@ahmadzafar client - type of the cert, afaik, currently not used; maxenrollments - how many times users can call enroll on CA with the same username and secret

ascatox (Wed, 15 Nov 2017 10:07:12 GMT):
@Vadim If they are using an application developed with the node-sdk, for example, the application should enroll them! Is this correct?

ahmadzafar (Wed, 15 Nov 2017 10:07:24 GMT):
@Vadim Thanks.. I have some more questions:
3) What is the difference between db.tls.certfiles and db.tls.client.certfile?
```
db:
  type: sqlite3
  datasource: fabric-ca-server.db
  tls:
    enabled: false
    certfiles:
      - db-server-cert.pem
    client:
      certfile: db-client-cert.pem
      keyfile: db-client-key.pem
```
4) What is bccsp.sw.filekeystore?
5) What are intermediate.enrollment.profile and .label?
```
intermediate:
  parentserver:
    url:
    caname:
  enrollment:
    hosts:
    profile:
    label:
```

ascatox (Wed, 15 Nov 2017 10:07:34 GMT):
the application should enroll them

ascatox (Wed, 15 Nov 2017 10:08:31 GMT):
is this correct?

Vadim (Wed, 15 Nov 2017 10:08:57 GMT):
@ascatox depends on the use case, ideally, they should enroll themselves

OlliKasari (Wed, 15 Nov 2017 10:09:51 GMT):
Has joined the channel.

ascatox (Wed, 15 Nov 2017 10:10:34 GMT):
I thought the enrollment was part of the registration and the admin should give the generated certificates to the users

ascatox (Wed, 15 Nov 2017 10:10:45 GMT):
I was wrong

ascatox (Wed, 15 Nov 2017 10:10:45 GMT):
I was wrong!

smithbk (Wed, 15 Nov 2017 10:11:51 GMT):
@ascatox If you have a web app which needs to transact on the blockchain on behalf of a user who is already authenticated to the web app, yes, the web app would both register and enroll on behalf of that user. In that case, the private key and certificate are kept in a pluggable KeyStore by the SDK

ascatox (Wed, 15 Nov 2017 10:13:08 GMT):
@smithbk ok, but is the private key given after the enrollment procedure, directly by the CA server?

Vadim (Wed, 15 Nov 2017 10:14:28 GMT):
@ascatox it's generated by sdk along with signing request which CA signs

ascatox (Wed, 15 Nov 2017 10:15:40 GMT):
Thank you now everything is clear

smithbk (Wed, 15 Nov 2017 10:15:49 GMT):
In that model, the web app is always holding onto the private key and is the middle man between the end user and the blockchain. This is similar to a web app talking via JDBC to a database. The end user never transacts directly with the blockchain and never has access to the private key. It is a different trust model and you MUST trust the web app to securely authenticate the end user and securely manage the storing of the private key, so no one can masquerade as the end user

ascatox (Wed, 15 Nov 2017 10:17:21 GMT):
Thanks for your answer!

smithbk (Wed, 15 Nov 2017 10:25:36 GMT):
@Vadim BTW, there is an in-progress change set for fabric which will use OUs to distinguish between 3 types of users from a single MSP: orderer, peer, and client (where client is anything that isn't an orderer or peer). In conjunction with that, the fabric CA server will always issue certificates with the identity type and affiliation encoded as OUs (see https://gerrit.hyperledger.org/r/#/c/15139/). So in the near future, this means that both identity type and/or affiliation may be used for access control within fabric to distinguish orderer, peer, and client. And you may also use the cid (client identity) chaincode library to make access control decisions in chaincode based on identity type and/or affiliation.

Vadim (Wed, 15 Nov 2017 10:26:33 GMT):
@smithbk thanks, looking forward to that and cid I'm already using

smithbk (Wed, 15 Nov 2017 10:27:02 GMT):
cool

smithbk (Wed, 15 Nov 2017 10:31:49 GMT):
@ahmadzafar 3) db.tls.certfiles is for server-side TLS and is required when TLS is enabled to the DB, while db.tls.client.certfile is the client's TLS certificate if/when client authentication is enabled for the DB server

smithbk (Wed, 15 Nov 2017 10:33:35 GMT):
4) bccsp.sw.filekeystore - is the local filesystem directory used to store private keys for the software version of BCCSP ... sort-of like a software version of an HSM

smithbk (Wed, 15 Nov 2017 10:36:12 GMT):
5) intermediate.enrollment.profile is the profile with which to enroll. For example, you would use the "tls" profile when enrolling to get a TLS certificate. The "label" is not really used today. It is specific to CFSSL and would relate to use of a remote HSM.

ascatox (Wed, 15 Nov 2017 10:43:28 GMT):
Someone has encountered this error in their own experiences : `UNKNOWN: Failed to deserialize creator identity, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority`?

smithbk (Wed, 15 Nov 2017 10:47:43 GMT):
That means the issuer of the certificate did not match any of the certificates in the `cacerts` folder (or `intermediatecerts` folder) of the MSP

ascatox (Wed, 15 Nov 2017 10:49:35 GMT):
@smithbk :thumbsup:

ascatox (Wed, 15 Nov 2017 11:25:13 GMT):
I've registered a user and enrolled, but when I try to execute an invoke method with this user, the error arises! I don't know how to solve it!

smithbk (Wed, 15 Nov 2017 12:40:01 GMT):
@ascatox 1st question: Are you using root and intermediate CA, or just root CA?

ascatox (Wed, 15 Nov 2017 13:29:47 GMT):
just root CA

smithbk (Wed, 15 Nov 2017 13:51:49 GMT):
So that error would occur if you deleted and recreated the root CA certificate and key after creating the genesis block. Did you do that? Anyway, the real check to make if you are failing to install chaincode on a peer is to compare the `X509v3 Authority Key Identifier` field of the client's certificate to the `X509v3 Subject Key Identifier` field of the certificate in the MSP `cacerts` directory on the peer. They must be the same, but in your case I believe they are different which means a different signing key/certificate was used to issue the client's certificate.

ascatox (Wed, 15 Nov 2017 13:52:47 GMT):
I generated all the certificates using the cryptogen tool

ascatox (Wed, 15 Nov 2017 13:52:56 GMT):
could this be the problem?

smithbk (Wed, 15 Nov 2017 13:53:05 GMT):
Ah :-) yes, that is the problem

smithbk (Wed, 15 Nov 2017 13:53:50 GMT):
You would have to start the fabric-ca-server with the root CA key and cert

smithbk (Wed, 15 Nov 2017 13:54:01 GMT):
and then reissue your client's ecert

smithbk (Wed, 15 Nov 2017 13:54:54 GMT):
I think the root CA key and cert was under crypto-config/peerOrganizations//ca IIRC

ascatox (Wed, 15 Nov 2017 13:57:47 GMT):
What do you mean for 'reissue your client's ecert'?

smithbk (Wed, 15 Nov 2017 13:58:01 GMT):
enroll again

ascatox (Wed, 15 Nov 2017 13:58:29 GMT):
:thumbsup:

ascatox (Wed, 15 Nov 2017 13:59:03 GMT):
Thank you very much, your help is really precious!

smithbk (Wed, 15 Nov 2017 13:59:27 GMT):
np

gvammer (Wed, 15 Nov 2017 19:41:34 GMT):
Hello! Does someone have an implementation of the GetAttributesFromCert function for attrmgr?

berserkr (Wed, 15 Nov 2017 21:26:10 GMT):
@smithbk can you please point me to the patch we need for the fabric to use the fabric ca instead of cryptogen in the e2e cli example?

berserkr (Wed, 15 Nov 2017 21:26:21 GMT):
I cannot find it

berserkr (Wed, 15 Nov 2017 21:45:06 GMT):
nm, found it, now, the question is, how do I leave the ca up and running so that I can connect to it through the java sdk?

smithbk (Wed, 15 Nov 2017 21:57:14 GMT):
@berserkr I assume you are talking about the old fabric-ca-cryptogen.sh script. You can of course continue to use that, but the fabric-samples/fabric-ca sample is the replacement for that. Regarding leaving the fabric-ca-server up, you could comment out the call to `stopAllCAs` in that script as shown below:
```
# Main fabric CA crypto config function
function main {
   echo "#################################################################"
   echo "#######    Generating crypto material using Fabric CA  ##########"
   echo "#################################################################"
   echo "Checking executables ..."
   checkExecutables
   if [ -d $CDIR ]; then
      echo "Cleaning up ..."
      stopAllCAs
      rm -rf $CDIR
   fi
   echo "Setting up organizations ..."
   setupOrgs
   echo "Finishing ..."
   #stopAllCAs
   echo "Complete"
}
```

berserkr (Wed, 15 Nov 2017 21:58:29 GMT):
yes, the old one; I figured that, but for some reason I am not able to register to it

berserkr (Wed, 15 Nov 2017 21:58:35 GMT):
could be my port forwarding is messed up

berserkr (Wed, 15 Nov 2017 21:58:37 GMT):
thank you

smithbk (Wed, 15 Nov 2017 22:00:02 GMT):
oh, actually in v1.1 fabric code they have changed the peer's port from 7051 to 7052 IIRC

jeroiraz (Thu, 16 Nov 2017 00:19:19 GMT):
Has joined the channel.

zhoujunshan (Thu, 16 Nov 2017 02:26:42 GMT):
Hello everyone, my Fabric CA Server is running in Docker. I need to enable TLS and specify the csr.cn file.

zhoujunshan (Thu, 16 Nov 2017 02:29:33 GMT):
Hello everyone, my Fabric CA Server is running in Docker. I need to enable TLS and specify the csr.cn file

TinVo 1 (Thu, 16 Nov 2017 02:37:50 GMT):
Has joined the channel.

TinVo 1 (Thu, 16 Nov 2017 02:46:30 GMT):
Hi everyone,

TinVo 1 (Thu, 16 Nov 2017 02:46:33 GMT):
I'm researching the SDK for writing node.js applications to interact with Hyperledger Fabric CA.
- version: hyperledger/fabric-ca:x86_64-1.1.0-preview
- downloaded the fabric-ca-client package
Currently, I can call the server, but I get an issue when I enroll a user. The response I got when I sent a request to the server:
```
2017/11/14 05:30:07 [DEBUG] DB: Getting identity admin
2017/11/14 05:30:07 [DEBUG] DB: Login user admin with max enrollments of -1 and state of 0
2017/11/14 05:30:07 [DEBUG] DB: identity admin successfully logged in
2017/11/14 05:30:07 [DEBUG] Sent error for /api/v1/enroll: {"code":9002,"message":"CSR Decode failed"}
```

TinVo 1 (Thu, 16 Nov 2017 02:47:46 GMT):
Does anyone face this issue and have a resolution for this? Thanks in advance.

JayJong (Thu, 16 Nov 2017 03:52:49 GMT):
Has joined the channel.

seiferjp (Thu, 16 Nov 2017 04:04:09 GMT):
Has joined the channel.

asuchit (Thu, 16 Nov 2017 06:05:17 GMT):
How do I enroll the root CA admin if TLS is enabled on the root CA?

asuchit (Thu, 16 Nov 2017 06:09:30 GMT):
POST request is failing:
```
bric-ca-client enroll -c clienttls/rootadmin/config.yaml -u http://rootadmin:rootadminpw@107.108.218.34:7054
2017/11/16 06:02:30 [INFO] Created a default configuration file at /home/suchit/hyperledger/fabric-ca/bin/clienttls/rootadmin/config.yaml
2017/11/16 06:02:30 [INFO] generating key: &{A:ecdsa S:256}
2017/11/16 06:02:31 [INFO] encoded CSR
Error: POST failure of request: POST http://107.108.218.34:7054/enroll {"hosts":["a.suchit-ubuntu"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBSDCB8AIBADBhMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxEjAQBgNV\nBAMTCXJvb3RhZG1pbjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAmu2CPMEv2I\nucT5w4SWnSHzjlz7+jXKyr452/4ufsFV/ctpXJfxOcaHvR7p7S1M+Q9EJmQT4s/Y\nSBcQg6o9VEKgLTArBgkqhkiG9w0BCQ4xHjAcMBoGA1UdEQQTMBGCD2Euc3VjaGl0\nLXVidW50dTAKBggqhkjOPQQDAgNHADBEAiBESpisOLK5/LvwmVKraRTsslCu0yvQ\nKCQUJpaDrvNpxwIgMFiQjW0o1A64qgHiBakPoX/saPo2bTYrpFPloijeMz4=\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post http://107.108.218.34:7054/enroll: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"
```

Tin_Vo (Thu, 16 Nov 2017 06:18:28 GMT):
Has joined the channel.

lcj (Thu, 16 Nov 2017 06:41:11 GMT):
Has joined the channel.

lcj (Thu, 16 Nov 2017 06:42:41 GMT):
Hello, everyone. :champagne_glass: Are the contents of hf.Registrar.Roles in fabric-ca-server-config.yaml arbitrary definitions? For example, could one define a "cooker"?

smithbk (Thu, 16 Nov 2017 11:06:56 GMT):
@zhoujunshan To enable TLS, use `--tls.enabled` ... and optionally `--tls.certfile` and `--tls.keyfile` if you want to bring-your-own-TLS cert and key file; otherwise, it will generate its own using its CA signing cert and the `tls` profile. I am not sure what you mean by the "csr.cn file".

smithbk (Thu, 16 Nov 2017 11:11:56 GMT):
@TinVo 1 Bret @bretharrison is the node.js SDK expert, but will need to know what version of SDK and fabric-ca-server is being used and see a code snippet.

bretharrison (Thu, 16 Nov 2017 11:11:56 GMT):
Has joined the channel.

smithbk (Thu, 16 Nov 2017 11:15:49 GMT):
@asuchit 1) Must use "https" instead of "http" and 2) See http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enabling-tls

smithbk (Thu, 16 Nov 2017 11:17:46 GMT):
@asuchit Or from the command line only, use "https" instead of "http" and also use the `--tls.certfiles` fabric-ca-client option

smithbk (Thu, 16 Nov 2017 11:25:18 GMT):
@lcj Yes, the fabric-ca-server allows the value of `hf.Registrar.Roles` to be any values. The default values for the bootstrap admin include "client", "peer", and "orderer" which match the types of entities which fabric will distinguish between in v1.1 (i.e. client, peer, and orderer). But there is no need for fabric-ca-server to restrict those values.

smithbk (Thu, 16 Nov 2017 11:28:12 GMT):
So yes, it would be possible to add a "cooker" type of identity, to have one or more registrars of cookers whose job it is to give that type of identity to only select people, and then use ABAC (Attribute-Based Access Control) to allow only cookers to perform some action

lcj (Thu, 16 Nov 2017 11:41:01 GMT):
@smithbk Thank you for your reply:wine_glass:

asuchit (Thu, 16 Nov 2017 12:02:21 GMT):
@smithbk Thanks, I will try it out...

ascatox (Thu, 16 Nov 2017 13:39:24 GMT):
Hi All! I'm trying to add another peer to the *fabcar* network. I tried to regenerate the crypto material using the cryptogen tool and added the new peer to the docker-compose file, but now this error arises: `Cannot run peer because error when setting up MSP from directory /etc/hyperledger/msp/peer/: err CA Certificate is not valid, (SN: 256558962280820800448360877319586742204) [Could not obtain certification chain, err The supplied identity is not valid, Verify() returned x509: certificate has expired or is not yet valid]` Can someone help me solve this? Thanks in advance!

smithbk (Thu, 16 Nov 2017 14:06:19 GMT):
Compare the current time on the peer with the `NotBefore` and `NotAfter` times of the certificate in the `msp/cacerts` folder on the peer. It is saying the current time is not between `NotBefore` and `NotAfter`. This could happen if the clocks aren't in sync between the host where you ran cryptogen and your peer host

jeroiraz (Thu, 16 Nov 2017 16:24:22 GMT):
I've experienced the same issue, running cryptogen in the same machine I'm running the containers

jeroiraz (Thu, 16 Nov 2017 16:25:24 GMT):
from the CLI the certificates seem to be ok, but when using the node sdk it throws the error "x509: certificate has expired or is not yet valid" when joining a peer to a channel, while it's ok when creating the channel

harsha (Thu, 16 Nov 2017 16:44:42 GMT):
https://chat.hyperledger.org/channel/fabric-ci?msg=Hbc6f2zY4zD5Xm7ey

nileshyjadhav (Thu, 16 Nov 2017 16:55:21 GMT):
Has joined the channel.

rennman (Thu, 16 Nov 2017 17:02:04 GMT):
@harsha @rameshthoomu @skarim is working on a fix

rameshthoomu (Thu, 16 Nov 2017 17:02:36 GMT):
nice.. Thanks @rennman

skarim (Thu, 16 Nov 2017 19:40:34 GMT):
@harsha @rameshthoomu @rennman This should fix the issue: https://gerrit.hyperledger.org/r/#/c/15533/

TinVo 1 (Fri, 17 Nov 2017 04:06:10 GMT):
@smithbk: Thanks for your help.
- version of SDK: v6.11.4
- fabric-ca-server: hyperledger/fabric-ca:x86_64-1.1.0-preview
- code snippet:
```javascript
var hfcAdmin = require('fabric-ca-client');
var chain, user, chaincodeID;
// connection options for the fabric-ca-server
var connect_opts = {
  protocol: 'http',
  hostname: '192.168.99.100',
  port: 7054,
  caname: 'ca.log.test.com'
};
var enrollRequest = {
  enrollmentID: 'admin',
  enrollmentSecret: 'admin123',
  csr: null
};
console.log(hfcAdmin);
var ca_client = new hfcAdmin.FabricCAClient(connect_opts);
// enroll the bootstrap admin with its enrollment ID and secret
ca_client.enroll("admin", "admin123", null, null).then((admin) => {
  console.log(admin);
}).catch((err) => {
  console.log("ERROR: failed to enroll %s: %s", "admin", err);
  process.exit(1);
});
```

jaswanth (Fri, 17 Nov 2017 05:05:06 GMT):
Hi all, I'm able to get the attribute (`position`) in the certificate. In chaincode, I'm getting `mspid` as `Org1msp` as I wanted, but it says `The client identity does not possess the attribute` for the attribute. Any help?

jaswanth (Fri, 17 Nov 2017 05:06:26 GMT):
i got info in enrollment certificate as `cert extensions[......] {"attrs":{"position":"admin"}}`

jaswanth (Fri, 17 Nov 2017 05:06:51 GMT):
my chaincode where i used `cid` is
```go
package main

import (
	"fmt"

	"github.com/hyperledger/fabric/core/chaincode/lib/cid"
	"github.com/hyperledger/fabric/core/chaincode/shim"
	pb "github.com/hyperledger/fabric/protos/peer"
)

type StudentChainCode struct{}

func (t *StudentChainCode) Init(stub shim.ChaincodeStubInterface) pb.Response {
	fmt.Println("Student's chaincode is starting up")
	fmt.Println(" - ready for action")
	// identity of the client that submitted the proposal
	id, err := cid.GetID(stub)
	fmt.Printf("id obtained %v\n", id)
	mspid, err := cid.GetMSPID(stub)
	fmt.Printf("mspid obtained %v\n", mspid)
	// look up the "position" attribute in the client's enrollment certificate
	val, ok, err := cid.GetAttributeValue(stub, "position")
	if err != nil {
		fmt.Println("There was an error trying to retrieve the attribute")
	} else if !ok {
		fmt.Println("The client identity does not possess the attribute")
	} else {
		fmt.Printf("value obtained %v\n", val)
	}
	return shim.Success(nil)
}
```

asuchit (Fri, 17 Nov 2017 05:39:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jyBbjytEKJQxQz4X3) @smithbk I used https and --tls.certfiles but I was getting the same error. Fabric-ca-server is running on the local machine only. So I tried with localhost in place of the IP address and it worked. But I did not understand the difference; why is it not working with the IP address?

doraemon7 (Fri, 17 Nov 2017 06:50:52 GMT):
Has joined the channel.

Vadim (Fri, 17 Nov 2017 08:01:56 GMT):
@jaswanth read your cert with openssl and check whether attr is really there (I guess not)

jaswanth (Fri, 17 Nov 2017 09:48:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2gv7BQ7FJQpgLAvkL) @Vadim got it. When I use `cid` in Init it's not working, but in `Invoke` I'm getting the attr. Don't know why; any idea?

asuchit (Fri, 17 Nov 2017 10:15:04 GMT):
@smithbk
1. Start a root CA
2. Start an intermediate CA for Org1
3. Start an intermediate CA for Org2
4. Enroll 1 peer for each Org/InterCA
But I have the confusion here. I am not finding how to generate peer/tls/server.crt and peer/tls/server.key.

ascatox (Fri, 17 Nov 2017 10:40:33 GMT):
Hi All! I've a simple question! If I create all the crypto material for my users using the cryptogen tool, can I then register and enroll new users using the CA server?

Vadim (Fri, 17 Nov 2017 10:42:30 GMT):
@ascatox you can enroll new users using the CA server

ascatox (Fri, 17 Nov 2017 10:42:57 GMT):
ok but I want to register new users too

Vadim (Fri, 17 Nov 2017 10:43:54 GMT):
you can enroll and register

ascatox (Fri, 17 Nov 2017 10:43:57 GMT):
The cryptogen tool usage is only for the fabric installation, or am I wrong?

Vadim (Fri, 17 Nov 2017 10:44:15 GMT):
it's only for development to simplify certs generation

ascatox (Fri, 17 Nov 2017 10:44:39 GMT):
Thanks

brankoterzic (Fri, 17 Nov 2017 13:02:05 GMT):
Hi guys, one question. I have created my business network, having one org, 5 peers, a solo orderer and 1 CA. I want to develop a Node.js SDK app as a CA client. My question is, what additional settings on the CA server docker container do I need to make in order to make it authorize my Node.js app? I have added the container definition and generated the required crypto materials.

smithbk (Fri, 17 Nov 2017 13:14:38 GMT):
@brankoterzic You just have to know the bootstrap user/pass in order to enroll the bootstrap admin, who can then register an identity (call it `appID`) to give to your node.js app. When the node.js app starts, it can enroll itself using the user/pass of `appID`. When appID is registered by the bootstrap administrator, it could be registered with sufficient privileges to allow it to register other identities for the end users which authenticate to the node.js app. That said, a business network would generally have multiple CAs, one for each company or organization transacting on the blockchain in order to prevent having a single point of trust (i.e. the CA).

smithbk (Fri, 17 Nov 2017 13:18:46 GMT):
@asuchit See how the TLS key/cert is obtained from fabric-ca here https://github.com/hyperledger/fabric-samples/blob/v1.1.0-preview/fabric-ca/scripts/start-peer.sh#L15

smithbk (Fri, 17 Nov 2017 13:33:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5ApxwHP74WFbCCsTH) @asuchit If the only difference is the hostname vs IP address, then I would have expected a different error regarding the hostname or SAN (Subject Alternative Name). Anyway, the way TLS works on the client is that it gets the certificate from the server and verifies that the hostname or IP address to which you connected (whichever was used) is either equal to the CN (Common Name) of the certificate or one of the Subject Alternative Names (SAN) entries in the extension section of the certificate. If it doesn't match, then the client will fail the connection, because it thinks the server is masquerading as the hostname or IP address. The fix is to make sure that when you generate the TLS certificate for a server, you put multiple SAN entries in the certificate, one for each of the following: localhost, 127.0.0.1, and one or more hostnames by which the server is known. To add multiple SAN entries, provide a comma-separated list for the value of the `csr.hosts` option on the enroll command when getting the TLS certificate using the TLS profile. See https://github.com/hyperledger/fabric-samples/blob/v1.1.0-preview/fabric-ca/scripts/start-peer.sh#L15 and replace $PEER_HOST with something like `localhost,127.0.0.1,myrealhostname`

smithbk (Fri, 17 Nov 2017 13:40:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Rvh9bEjoz8A6Td2bJ) @jaswanth The only reason I can see for this is if you're somehow using the wrong certificate when instantiating the chaincode. You could use the cid.GetX509Certificate call and print the serial number or other fields to see if they are different between init and invoke

brankoterzic (Fri, 17 Nov 2017 13:57:14 GMT):
@smithbk I keep getting tls handshake error EOF on CA for admin user, so it fails to authorize the admin:adminpw user. Any ideas?

brankoterzic (Fri, 17 Nov 2017 14:05:10 GMT):

Screen Shot 2017-11-17 at 15.04.04.png

smithbk (Fri, 17 Nov 2017 15:12:29 GMT):
@brankoterzic Is your node client trusting the issuer of the fabric-ca-server's TLS cert, which would be the ca-cert.pem by default?

brankoterzic (Fri, 17 Nov 2017 15:25:19 GMT):
@smithbk Not sure I understand your question. I followed the https://github.com/hyperledger/fabric-samples/tree/release/balance-transfer balance transfer example. I added everything to configtx.yaml, crypto-config.yaml and docker-compose-base.yaml to point to the CA crypto material. I thought that I need extra setup of the CA docker compose in /etc/hyperledger/fabric-ca-server? Or am I wrong?

brankoterzic (Fri, 17 Nov 2017 15:26:37 GMT):
Or should I add ca-cert.pem in some config file on the Node.js side?

smithbk (Fri, 17 Nov 2017 15:40:08 GMT):
@bretharrison Bret is the node SDK expert. I'm taking a look at the sample now but haven't looked at it before really

smithbk (Fri, 17 Nov 2017 16:15:39 GMT):
So the cert that the node SDK is supposed to be trusting is specified in the artifacts/network-config.yaml file as follows:
```yaml
certificateAuthorities:
  ca-org1:
    url: https://localhost:7054
    # the properties specified under this object are passed to the 'http' client verbatim when
    # making the request to the Fabric-CA server
    httpOptions:
      verify: false
    tlsCACerts:
      path: artifacts/channel/crypto-config/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem
```

bretharrison (Fri, 17 Nov 2017 16:15:57 GMT):
@brankoterzic How are you building the Node side CA client that is making the request to the Fabric-CA ?

brankoterzic (Fri, 17 Nov 2017 16:46:45 GMT):
@bretharrison I build it like Node.js REST app, following the https://github.com/hyperledger/fabric-samples/tree/release/balance-transfer

bretharrison (Fri, 17 Nov 2017 16:49:27 GMT):
@brankoterzic Can you show me the code where you instantiate the fabric-ca client ?

smithbk (Fri, 17 Nov 2017 17:04:02 GMT):
Or maybe you could just give us steps to reproduce, assuming you are just trying to run the sample pretty much as is?

brankoterzic (Fri, 17 Nov 2017 18:31:32 GMT):
@smithbk @bretharrison yes, this is the same code as in https://github.com/hyperledger/fabric-samples/tree/release/balance-transfer, just a sec, I will give you a snippet in a sec

bretharrison (Fri, 17 Nov 2017 18:32:38 GMT):
@brankoterzic I just pulled the latest `fabric-samples` and ran the balance-transfer, following the instructions in the `README.md` and using the `./testAPIs.sh -l node` command to use node chaincode and it all works.

brankoterzic (Fri, 17 Nov 2017 18:33:22 GMT):
@bretharrison yes it works in that example, but what I am trying to do is to apply it on my project

brankoterzic (Fri, 17 Nov 2017 18:33:34 GMT):
I have one org, 5 peers, one CA and solo orderer

brankoterzic (Fri, 17 Nov 2017 18:33:47 GMT):
I have added all configuration and crypto materials

brankoterzic (Fri, 17 Nov 2017 18:34:17 GMT):
And I am trying to authenticate user on my CA

brankoterzic (Fri, 17 Nov 2017 18:34:33 GMT):
https://chat.hyperledger.org/channel/fabric-ca?msg=auZ2SALXRiNu4nYPG

brankoterzic (Fri, 17 Nov 2017 18:34:40 GMT):
and get this error

brankoterzic (Fri, 17 Nov 2017 18:36:41 GMT):

Screen Shot 2017-11-17 at 19.35.31.png

brankoterzic (Fri, 17 Nov 2017 18:36:49 GMT):
here is Node.js code

brankoterzic (Fri, 17 Nov 2017 18:37:34 GMT):
I have logger.debug my ca client in this code sample

berserkr (Fri, 17 Nov 2017 18:38:25 GMT):
@here, is the process for creating a new user/cert, getting it registered/signed by the ca, then using that user to interact via any of the sdks documented somewhere?

brankoterzic (Fri, 17 Nov 2017 18:39:04 GMT):
@berserkr you have an example here https://github.com/hyperledger/fabric-samples/tree/release/balance-transfer

berserkr (Fri, 17 Nov 2017 18:41:30 GMT):
@brankoterzic thank you, that will work, everything is done via tokens then

brankoterzic (Fri, 17 Nov 2017 18:41:58 GMT):
@berserkr Yes the ca generates JWT

berserkr (Fri, 17 Nov 2017 18:44:05 GMT):
@brankoterzic if I want to create a new channel, do I need to create a new channel.tx?

berserkr (Fri, 17 Nov 2017 18:44:40 GMT):
For instance, I see a lot of this in the examples, where a channel is being created, but the channel.tx file is already present

berserkr (Fri, 17 Nov 2017 18:44:44 GMT):
```bash
curl -s -X POST \
  http://localhost:4000/channels \
  -H "authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0OTQ4NjU1OTEsInVzZXJuYW1lIjoiSmltIiwib3JnTmFtZSI6Im9yZzEiLCJpYXQiOjE0OTQ4NjE5OTF9.yWaJhFDuTvMQRaZIqg20Is5t-JJ_1BP58yrNLOKxtNI" \
  -H "content-type: application/json" \
  -d '{
	"channelName":"mychannel",
	"channelConfigPath":"../artifacts/channel/mychannel.tx"
}'
```

berserkr (Fri, 17 Nov 2017 18:45:14 GMT):
I know, this is not really ca related, but that is one of the things I am having issues with

brankoterzic (Fri, 17 Nov 2017 19:02:27 GMT):
You need to generate channel.tx for each new channel

brankoterzic (Fri, 17 Nov 2017 19:04:02 GMT):
see https://hyperledger-fabric.readthedocs.io/en/release/build_network.html

bretharrison (Fri, 17 Nov 2017 19:46:55 GMT):
@brankoterzic I do not see where you create the fabric-ca client in the code sample. You may wish to use `verify:false` in your `tlsOptions` when you create the fabric-ca-client. Then you will not need to provide the `trustedRoots` https://fabric-sdk-node.github.io/FabricCAClient.html

slender (Sat, 18 Nov 2017 03:59:03 GMT):
time

vdods (Sun, 19 Nov 2017 01:27:28 GMT):
Is there any way to retrieve an existing enrollment cert, analogous to the enroll action? I.e. provide username and password to get a/the "currently active" cert? Because the MSP dir in the peer or orderer is so inflexible, there's no easy way to put a new cert in as say the peer admin, and so from the perspective of the app+SDK, you have to make sure you have a copy of the cert that's in the admincerts dir, instead of being able to get it via this hypothetical "get existing enrollment" action.

zhoujunshan (Mon, 20 Nov 2017 06:21:54 GMT):
Hello, using Fabric CA I can generate the peer files in the MSP, but the generation of a peer also requires TLS certificates. Now, I need to generate three files in TLS: ca.crt, server.crt and server.key. Is there any way for Fabric CA to get TLS certificates?

zhoujunshan (Mon, 20 Nov 2017 06:22:25 GMT):

Clipboard - 2017年11月20日下午2点22分

ahmadzafar (Mon, 20 Nov 2017 06:40:47 GMT):
Hello, I am receiving the error `Error: unknown flag: --gencrl` while executing the `fabric-ca-client revoke -e peer1 --gencrl` command... is there any issue in the command?

ahmadzafar (Mon, 20 Nov 2017 06:41:07 GMT):
without --gencrl it is working

ahmadzafar (Mon, 20 Nov 2017 06:59:42 GMT):
Query 2: After starting the fabric-ca server locally on port 7054 I run these commands:
```
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client register -d --id.name admin2 --id.type user --id.affiliation org1.department1 --id.attrs '"hf.Registrar.Roles=peer,user,client,validator,auditor",hf.Revoker=true'
```
For admin2 the affiliation is only org1.department1. After successful registration fabric-ca-server gives me the password ZggPwayDRtfV.
```
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/user
fabric-ca-client enroll -u http://admin2:ZggPwayDRtfV@localhost:7054
```
Now, using admin2's certificate, I register another user with a different affiliation, org2.department1:
```
fabric-ca-client register -d --id.name user --id.type user --id.affiliation org2.department1 --id.attrs '"hf.Registrar.Roles=user",hf.Revoker=true'
```
But it is registering successfully. Why is its affiliation different from admin2's? Can anyone explain what I am doing wrong?

HandsomeRoger (Mon, 20 Nov 2017 07:56:13 GMT):
Has joined the channel.

asuchit (Mon, 20 Nov 2017 09:11:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2JjY8SKhCMcaWZd2o) @smithbk It seems to be working but TLS certificates are not generated.
```
fabric-ca-client enroll --enrollment.profile tls -u https://rootCA:rootCApw@107.108.218.34:7054 -M ~/hyperledger/fabric-ca/bin/tls/client/rootCAadmintls --csr.hosts "localhost 127.0.0.1 107.108.218.34"
2017/11/20 07:25:58 [INFO] TLS Enabled
Error: Failed to get client TLS config: No TLS certificate files were provided
```

asuchit (Mon, 20 Nov 2017 09:15:24 GMT):
it is working now, I forgot to pass "--tls.certfiles ~/hyperledger/fabric-ca/bin/tls/server/rootCA/tls-cert.pem"

asuchit (Mon, 20 Nov 2017 10:23:24 GMT):
I have started the root-CA (TLS enabled) on a host. Now I want to start the intermediate-CA on another host, and for that I need to generate the root-CA administrator, and for generating the root-CA administrator I need the TLS certificate of the root-CA (which would be passed in --tls.certfiles). Is there any provision so that I can fetch it from the root-CA host machine?

jesus.diaz.vico (Mon, 20 Nov 2017 11:33:12 GMT):
Has joined the channel.

smithbk (Mon, 20 Nov 2017 12:02:25 GMT):
@asuchit You have to manually copy the root CA's TLS cert to the intermediate CA. It would not be secure if we provided a way to automatically download it because of the possibility of a man-in-the-middle attack.

smithbk (Mon, 20 Nov 2017 12:15:09 GMT):
@zhoujunshan The ca.crt file must be manually downloaded. You should copy the fabric-ca-server's ca-cert.pem file. For the server.crt and server.key files, see https://github.com/hyperledger/fabric-samples/blob/v1.1.0-preview/fabric-ca/scripts/start-peer.sh#L15

smithbk (Mon, 20 Nov 2017 12:19:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=C2YAx4SZpiW6EhsiP) @ahmadzafar Which version of fabric-ca-client and fabric-ca-server are you using? `fabric-ca-client version` and `fabric-ca-server version` Try with 1.1.0-preview if not using that

smithbk (Mon, 20 Nov 2017 12:40:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Lg4wEthXQC3PxdCcZ) @vdods No. The way I'd like to do this is to allow an identity with an `hf.Admin=true` attribute to be recognized by fabric as an admin, thus not requiring the `admincerts` MSP folder to be populated

mrshah-ibm (Mon, 20 Nov 2017 14:06:06 GMT):
Has joined the channel.

mrshah-ibm (Mon, 20 Nov 2017 14:06:57 GMT):
Hey, I am using fabric-ca 1.0.4.. Where can I find the list of attributes that can be passed when we register a new user?

mrshah-ibm (Mon, 20 Nov 2017 14:08:18 GMT):
I am trying to register a new admin user that can register other more users

smithbk (Mon, 20 Nov 2017 15:38:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gfCaZbFigivDQo3Ja) @mrshah-ibm In v1.0.4, to register identity admin2 who can register other identities, register admin2 with the `hf.Registrar.Roles` attribute with a value equal to the types of identities that you want admin2 to be able to register. For example, `hf.Registrar.Roles=client,peer` would allow admin2 to register client and peer identities. In v1.1.0, with the addition of ABAC (Attribute-Based Access Control), you will need to also register admin2 with the `hf.Registrar.Attributes` attribute with a value or pattern indicating the attributes that admin2 is able to give to an identity when it registers them.

mrshah-ibm (Mon, 20 Nov 2017 15:40:29 GMT):
perfect.. thank you.. I will give it a try

zhoujunshan (Tue, 21 Nov 2017 02:53:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=F5EHXTeA5y8zBun24) @smithbk THX. After reading your reply, I solved the problem.

MadhavaReddy (Tue, 21 Nov 2017 04:54:16 GMT):
Hi All, I am trying to run balance transfer and while enrolling a user I am getting the error below. Can you please help me fix the issue?
```
[2017-11-21 04:45:38.829] [ERROR] Helper - Failed to get registered user: Jim with error: Error: Network configuration is missing this client's organization and certificate authority
[2017-11-21 04:45:38.829] [DEBUG] SampleWebApp - Successfully returned from registering the username Jim for organization Org1
```

smithbk (Tue, 21 Nov 2017 06:21:04 GMT):
@MadhavaReddy That error is coming from the node SDK. I would guess that the CA associated with user Jim is not in the artifacts/network-config.yaml file. Recommend asking on the #fabric-sdk-node channel.

MadhavaReddy (Tue, 21 Nov 2017 06:21:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=quDN98HSGZrQnJRZt) @smithbk Thank you

ahmadzafar (Tue, 21 Nov 2017 07:02:48 GMT):
Hello Everyone, I want to generate the whole crypto-config file structure for the peer organization and orderer organization using fabric-ca-server and fabric-ca-client, not with cryptogen generate. Any helping material....

smithbk (Tue, 21 Nov 2017 07:34:14 GMT):
@ahmadzafar Have you seen https://github.com/hyperledger/fabric-samples/tree/v1.1.0-preview/fabric-ca?

ahmadzafar (Tue, 21 Nov 2017 07:45:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SrXsR5EWP3SyKhEY5) @smithbk Thanks it will help me..

HubertYoung (Tue, 21 Nov 2017 08:40:49 GMT):
i want to register a peer using fabric-ca but get an error.

HubertYoung (Tue, 21 Nov 2017 08:41:04 GMT):
```
# fabric-ca-client register --id.name peer1 --id.type peer --id.affiliation org1.department1 --id.secret peer1pw
2017/11/21 16:36:41 [INFO] User provided config file: /root/fabric-ca/clients/peer1/fabric-ca-client-config.yaml
2017/11/21 16:36:41 [INFO] Configuration file location: /root/fabric-ca/clients/peer1/fabric-ca-client-config.yaml
Error: Error response from server was: Authorization failure
```

HubertYoung (Tue, 21 Nov 2017 08:49:40 GMT):

Clipboard - 2017年11月21日下午4点49分

HubertYoung (Tue, 21 Nov 2017 08:51:35 GMT):
I don't understand how to deal with it. I have enrolled fabric-client and the certificates are generated.

smithbk (Tue, 21 Nov 2017 11:11:55 GMT):
@HubertYoung See #2 under https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#troubleshooting

asuchit (Tue, 21 Nov 2017 11:41:26 GMT):
I have started the root-CA (TLS enabled) on host1. Generated TLS certificates for the root-CA-administrator on host2. Generated the root-CA-administrator on host2. While registering the intermediate-CA:
1. Connection refused, because it is trying to connect to the root-CA on port 443. I need to edit the root-CA-administrator's config file for the root-CA port.
2. After adding the port to the root-CA-administrator's config file, it is not accepting the root-CA-administrator's TLS certificate, while it works with the root-CA TLS certificate.
My questions are:
1. Should the root-CA-administrator's config file be generated with the root-CA listening port?
2. Why is it not accepting the root-CA-administrator's TLS file?
I also found some issues with starting the root-CA:
1. When passing --tls.enabled on the command line and it generates its config file, TLS enabled is not set as true?
2. I did not find the command line option for setting csr.hosts?

asuchit (Tue, 21 Nov 2017 11:46:09 GMT):
2. I did not find the command line option for setting csr.hosts ? ohh, I found the command line for it

paul.sitoh (Tue, 21 Nov 2017 15:49:37 GMT):
Could someone advise me on how to enable fabric-ca-client to enroll identities to a tls enabled fabric-ca-server?

smithbk (Tue, 21 Nov 2017 18:08:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oNMYzoLgKuZEZ8B2X) @paul.sitoh Recommend reading through the sample at https://github.com/hyperledger/fabric-samples/tree/v1.1.0-preview/fabric-ca. Just look in the scripts directory and grep for fabric-ca-client

smithbk (Tue, 21 Nov 2017 18:11:33 GMT):
@asuchit Can you provide the exact commands you're using? I recommend going ahead and opening a jira and putting steps to reproduce there.

oujunketu (Wed, 22 Nov 2017 02:00:05 GMT):
Has joined the channel.

HubertYoung (Wed, 22 Nov 2017 02:51:25 GMT):
@smithbk Thanks. But I didn't restart my fabric server.

HubertYoung (Wed, 22 Nov 2017 02:51:36 GMT):

Clipboard - November 22, 2017 10:51 AM

HubertYoung (Wed, 22 Nov 2017 02:53:03 GMT):

Clipboard - November 22, 2017 10:52 AM

HubertYoung (Wed, 22 Nov 2017 03:34:02 GMT):
I configured it to use mysql to save data. Is the ecert stored in the certificates table? I still get the same error.

asuchit (Wed, 22 Nov 2017 05:22:55 GMT):
@smithbk filed a jira : https://jira.hyperledger.org/browse/FAB-7082

iamdm (Wed, 22 Nov 2017 08:32:36 GMT):
Has joined the channel.

paul.sitoh (Wed, 22 Nov 2017 13:18:06 GMT):
Folks, I am getting this error when starting the `fabric-ca-server`:
```
2017/11/22 13:11:19 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: CSP:500 - Failed getting key for SKI [[209 18 192 139 45 89 39 210 219 91 74 100 70 233 222 189 255 43 57 33 185 25 10 79 96 80 75 65 29 69 8 106]]
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw/impl.go:257 github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw.(*impl).GetKey
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:218 github.com/hyperledger/fabric-ca/util.GetSignerFromCert
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:340 github.com/hyperledger/fabric-ca/util.LoadX509KeyPair
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:450 github.com/hyperledger/fabric-ca/lib.(*Server).listenAndServe
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:127 github.com/hyperledger/fabric-ca/lib.(*Server).Start
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/start.go:41 main.runStart
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:95 main.RunMain
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:82 main.main
/opt/go/src/runtime/proc.go:192 runtime.main
/opt/go/src/runtime/asm_amd64.s:2087 runtime.goexit
Caused by: Key type not recognized
```

paul.sitoh (Wed, 22 Nov 2017 13:19:25 GMT):
Is there a bug in the `sw` package?

paul.sitoh (Wed, 22 Nov 2017 13:20:59 GMT):
The problem is solved by preloading a cert. However, if no cert is found it defaults to BCCSP to generate a key, and it is this that seemed to crash

paul.sitoh (Wed, 22 Nov 2017 13:21:59 GMT):
Do we need to also separately `go get` fabric-ca?

paul.sitoh (Wed, 22 Nov 2017 13:28:15 GMT):
I thought fabric-ca already vendor-ed the BCCSP implementation?

paul.sitoh (Wed, 22 Nov 2017 14:01:39 GMT):
I ran this `fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/3378b49f90bacc656b9ce11acfc7c499d0c3af6bf9383a219283324fe93bf930_sk -b admin:adminpw -d` but I got this error:
```
2017/11/22 13:54:56 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: CSP:500 - Failed getting key for SKI [[127 237 229 85 120 167 201 107 191 101 210 193 115 138 172 166 238 5 46 219 110 14 26 250 31 29 69 161 218 10 91 81]]
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw/impl.go:257 github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw.(*impl).GetKey
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:218 github.com/hyperledger/fabric-ca/util.GetSignerFromCert
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:340 github.com/hyperledger/fabric-ca/util.LoadX509KeyPair
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:450 github.com/hyperledger/fabric-ca/lib.(*Server).listenAndServe
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:127 github.com/hyperledger/fabric-ca/lib.(*Server).Start
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/start.go:41 main.runStart
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:95 main.RunMain
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:82 main.main
/opt/go/src/runtime/proc.go:192 runtime.main
/opt/go/src/runtime/asm_amd64.s:2087 runtime.goexit
Caused by: Key type not recognized
2017/11/22 13:54:56 [DEBUG] Attempting fallback with certfile /etc/hyperledger/fabric-ca-server-config/tlsca/tlsca.org1.example.com-cert.pem and keyfile /etc/hyperledger/fabric-ca-server-config/tlsca/7fede55578a7c96bbf65d2c1738aaca6ee052edb6e0e1afa1f1d45a1da0a5b51_sk
```

paul.sitoh (Wed, 22 Nov 2017 14:02:59 GMT):
I guess it is not an error in the sense that the server did not crash when the CA cert and key are provided (--ca.certfile & --ca.keyfile). Note: TLS cert and key have also been provided. It seemed to be coming from the default `fabric-ca-server-config.yaml` autogenerated by the CLI that has BCCSP set to `sw`. I can see the private key generated in the specified MSP location. So why is the implementation complaining?

paul.sitoh (Wed, 22 Nov 2017 14:03:15 GMT):
however, if ca key and cert are not provided it will crash

mastersingh24 (Wed, 22 Nov 2017 14:48:54 GMT):
@paul.sitoh - You do have debug logging turned on and the error returned from the GetKey function actually returns the entire callstack. So you simply see that printed out because it's part of the error returned

mastersingh24 (Wed, 22 Nov 2017 14:49:12 GMT):
https://github.com/hyperledger/fabric-ca/blob/release/vendor/github.com/hyperledger/fabric/bccsp/sw/impl.go#L257

paul.sitoh (Wed, 22 Nov 2017 15:01:38 GMT):
ok but I have already provided a TLS private key and cert generated by cryptogen. Just wondered why BCCSP is complaining that a matching private key is not found? I presumed cryptogen uses `sw` to generate certs and keys, right?

paul.sitoh (Wed, 22 Nov 2017 15:02:12 GMT):
Or is it trying to get keys before it is loaded?

mastersingh24 (Wed, 22 Nov 2017 16:37:28 GMT):
bccsp looks for files using the msp folder structure

mastersingh24 (Wed, 22 Nov 2017 16:38:08 GMT):
else fabric-ca falls back to loading files directly

MohammadObaid (Wed, 22 Nov 2017 18:05:28 GMT):
hey @mastersingh24 @smithbk when I try to enroll a user I am getting this error
```
Error: Enrollment failed with errors [[{"code":400,"message":"Authorization failure"}]] at IncomingMessage. (/home/ubuntu/fabric-sdk-node/fabric-samples/balance-transfer/node_modules/fabric-ca-client/lib/FabricCAClientImpl.js:698:22)
```
I am unable to diagnose the cause of this error. From the peer container I am able to invoke queries or fetch results, but when I integrate the node sdk with it and try to enroll a user it is throwing this error. Here are the ca logs

paul.sitoh (Wed, 22 Nov 2017 18:19:57 GMT):
Just a suggestion to anyone doing the documentation for fabric-ca (server and client) it would be good to have a section showing mapping between environmental variables and cli flags (i.e. for those who are planning to start everything from Docker via environmental variables).

smithbk (Thu, 23 Nov 2017 00:37:36 GMT):
@paul.sitoh Not sure if you saw the following that is in the comments at the top of the config file, but we can add it to the readthedocs as well:
```
#############################################################################
# This is a configuration file for the fabric-ca-server command.
#
# COMMAND LINE ARGUMENTS AND ENVIRONMENT VARIABLES
# ------------------------------------------------
# Each configuration element can be overridden via command line
# arguments or environment variables. The precedence for determining
# the value of each element is as follows:
# 1) command line argument
# Examples:
# a) --port 443
# To set the listening port
# b) --ca-keyfile ../mykey.pem
# To set the "keyfile" element in the "ca" section below;
# note the '-' separator character.
# 2) environment variable
# Examples:
# a) FABRIC_CA_SERVER_PORT=443
# To set the listening port
# b) FABRIC_CA_SERVER_CA_KEYFILE="../mykey.pem"
# To set the "keyfile" element in the "ca" section below;
# note the '_' separator character.
# 3) configuration file
# 4) default value (if there is one)
# All default values are shown beside each element below.
```

smithbk (Thu, 23 Nov 2017 00:48:52 GMT):
@MohammadObaid It isn't finding "admin" in the users table of the database. This could happen if you used a different name with the "-b" option when you started the server for the 1st time. I'd suggest looking at the database with the following commands:
```
$ sqlite3 fabric-ca-server.db
SQLite version 3.16.0 2016-11-04 19:09:39
Enter ".help" for usage hints.
sqlite> select * from users;
a|$2a$10$FXiPNeX13JxZoJM/.vjHDuytySN.Ovj6.puiNdFP9cV/tE1HaYCk2|client||[{"name":"hf.Registrar.Attributes","value":"*"},{"name":"hf.Registrar.Roles","value":"client,user,peer,validator,auditor"},{"name":"hf.Registrar.DelegateRoles","value":"client,user,validator,auditor"},{"name":"hf.Revoker","value":"1"},{"name":"hf.IntermediateCA","value":"1"},{"name":"hf.GenCRL","value":"1"}]|0|-1|1
sqlite> ^D
```

smithbk (Thu, 23 Nov 2017 00:52:23 GMT):
It is hard to read, but what I've displayed above has a single line of the table where each column is separated by "|", and the 1st column is the user's name. In my case, it is simply "a" because I started fabric-ca-server with a `-b a:b` for bootstrap user.

baoyangc (Thu, 23 Nov 2017 01:14:31 GMT):
does `fabric-ca-client` support registering a user with an intermediate CA server?

baoyangc (Thu, 23 Nov 2017 01:22:31 GMT):
I tried to register a user with an intermediate CA server with the command `fabric-ca-client register --id.name User${i}@${DOMAIN} --id.secret admin123 --id.type user -u https://admin:adminpw@ca.${DOMAIN}:7054 --id.affiliation org1.department1 --tls.certfiles /crypto-config/peerOrganizations/${DOMAIN}/ca/ca.${DOMAIN}-cert.pem,/rca/${ROOTCA}-cert.pem`, but it failed with the error: `Failed to verify certificate: Failed to verify certificate: x509: certificate signed by unknown authority`

HubertYoung (Thu, 23 Nov 2017 02:12:27 GMT):
I cannot register a peer with the ca client. Can someone help me, please!

chandrairawan (Thu, 23 Nov 2017 02:18:43 GMT):
Has joined the channel.

baoyangc (Thu, 23 Nov 2017 05:00:38 GMT):
where are you?

ahmadzafar (Thu, 23 Nov 2017 05:05:44 GMT):
could someone please tell me when and why id.affiliation is used in fabric-ca?

MohammadObaid (Thu, 23 Nov 2017 05:11:38 GMT):
@smithbk when I execute the sqlite command I get nothing, probably showing an empty table

smithbk (Thu, 23 Nov 2017 05:12:32 GMT):
@baoyangc My guess is that you enrolled with the root CA and are trying to use that certificate to register with the intermediate. You need to enroll with the intermediate CA as the bootstrap user and then register

smithbk (Thu, 23 Nov 2017 05:13:45 GMT):
@MohammadObaid So I'd recommend stopping the server, deleting the fabric-ca-server.db file, restarting the server, and trying to enroll again

MohammadObaid (Thu, 23 Nov 2017 05:15:52 GMT):
@smithbk so that means I should kill the fabric ca server, then start the fabric ca server again with admin:admin, right?

smithbk (Thu, 23 Nov 2017 05:16:54 GMT):
@MohammadObaid Yes, kill it, delete the db file, and restart it

smithbk (Thu, 23 Nov 2017 05:18:03 GMT):
Just to be safe, you should also delete the fabric-ca-server-config.yaml file so it is regenerated

smithbk (Thu, 23 Nov 2017 05:22:41 GMT):
@ahmadzafar Every identity has exactly one affiliation. An affiliation allows identities to be grouped in a hierarchical way. For example, the "a.b.c" affiliation's parent is "a.b". Parents can access child affiliations but not siblings. For example, an identity in affiliation a.b can access identities in affiliation a.b.c but not in a.c.

smithbk (Thu, 23 Nov 2017 05:24:39 GMT):
@HubertYoung What command are you issuing and what error do you get?

ahmadzafar (Thu, 23 Nov 2017 05:25:09 GMT):
@smithbk Is affiliation used inside one organization, i.e. it is not related to any other organization?

smithbk (Thu, 23 Nov 2017 05:26:18 GMT):
It is inside the CA. So assuming a 1-1 mapping between CAs and organizations, it would be inside the organization.

baoyangc (Thu, 23 Nov 2017 05:35:47 GMT):
@smithbk

baoyangc (Thu, 23 Nov 2017 05:37:27 GMT):
1) start rootCA
2) register intermediate CA user to the rootCA
3) enroll intermediate CA user
4) start intermediate CA server
5) register user to the intermediate CA

baoyangc (Thu, 23 Nov 2017 05:37:30 GMT):
@smithbk

baoyangc (Thu, 23 Nov 2017 05:38:54 GMT):
in step 5, I get an error:
```
2017/11/23 05:11:15 [INFO] User provided config file: /root/bqjadmin/fabric-ca-client-config.yaml
2017/11/23 05:11:15 [INFO] Configuration file location: /root/bqjadmin/fabric-ca-client-config.yaml
2017/11/23 05:11:15 [INFO] TLS Enabled
Error: Error response from server was: Authorization failure
```

baoyangc (Thu, 23 Nov 2017 05:39:19 GMT):
in the intermediate CA server:
```
2017/11/23 05:11:15 [DEBUG] Received request POST /register
Authorization: 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.MEQCIFhdd+SeyS6WAc0CAAaRamoMknWVffWFgmHDjlu5mq//AiAJcURebpbXbeclA93avtZrkGbRJnfIrsfZI5hYAuLm0A==
{"id":"Admin@xxx.xxx.cn","type":"user","secret":"admin123","max_enrollments":-1,"affiliation":"org1.department1","attrs":[{"name":"","value":""}]}
2017/11/23 05:11:15 [DEBUG] Directing traffic to default CA
2017/11/23 05:11:15 [DEBUG] Failed to verify certificate: Failed to verify certificate: x509: certificate signed by unknown authority
```

HubertYoung (Thu, 23 Nov 2017 05:41:32 GMT):
@smithbk I met the same error yesterday: "Error: Error response from server was: Authorization failure"

smithbk (Thu, 23 Nov 2017 05:41:58 GMT):
When you started the intermediate CA, you specified a "-b admin:adminpw" or similar argument?

smithbk (Thu, 23 Nov 2017 05:42:28 GMT):
Before step 5, you need to enroll with that user/pass

HubertYoung (Thu, 23 Nov 2017 05:43:28 GMT):
I deleted the db file, restarted, enrolled again, but get the same error.

baoyangc (Thu, 23 Nov 2017 05:44:32 GMT):
yes, before step 5, I enrolled the admin of the intermediate CA

smithbk (Thu, 23 Nov 2017 05:47:03 GMT):
@baoyangc Then as long as you have FABRIC_CA_CLIENT_HOME set to the same directory that it was set to when you enrolled admin with the intermediate CA, the register should use the correct certificate and would not see that error

baoyangc (Thu, 23 Nov 2017 05:47:07 GMT):
HubertYoung, are you Chinese?

HubertYoung (Thu, 23 Nov 2017 05:47:22 GMT):
yes

baoyangc (Thu, 23 Nov 2017 05:48:39 GMT):
@smithbk, yes, I'm sure I set FABRIC_CA_CLIENT_HOME, but it reports the same error

smithbk (Thu, 23 Nov 2017 05:49:51 GMT):
@baoyangc If you will give me exact commands to reproduce, I can help

baoyangc (Thu, 23 Nov 2017 05:51:52 GMT):
@smithbk ,what's your email address?

baoyangc (Thu, 23 Nov 2017 05:52:14 GMT):
I will send you a mail in about half an hour

smithbk (Thu, 23 Nov 2017 05:52:29 GMT):
bksmith@us.ibm.com

smithbk (Thu, 23 Nov 2017 05:52:59 GMT):
ok, but it is 1 AM here now and tomorrow is a holiday. I'll try to look as soon as I can

smithbk (Thu, 23 Nov 2017 05:53:23 GMT):
or today is a holiday :-)

baoyangc (Thu, 23 Nov 2017 05:53:48 GMT):
ok, wait 10 min

MohammadObaid (Thu, 23 Nov 2017 05:55:25 GMT):
@smithbk So I tried to start the fabric ca server natively and it returns an org token but not any secret token. The output I got is
```
{"success":true,"secret":"","message":"Jim enrolled Successfully","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTE0NTIzODQsInVzZXJuYW1lIjoiSmltIiwib3JnTmFtZSI6Im9yZ2IiLCJpYXQiOjE1MTE0MTYzODR9.Aa_5xGQBSuYbVI4zGej07_jAllJYXqEWm-F_nxOIc8k"}
```
To get the secret token, which file do I need to modify? I just cloned the fabric-ca directory and started the server natively

smithbk (Thu, 23 Nov 2017 05:57:43 GMT):
@MohammadObaid Are you using fabric-ca-client?

MohammadObaid (Thu, 23 Nov 2017 05:58:12 GMT):
I think I need to edit this file `/opt/gopath/bin\fabric-ca-server-config.yaml`. No, I am using fabric ca server

MohammadObaid (Thu, 23 Nov 2017 05:58:42 GMT):
Actually I have orga, orgb while default file contains org1,org2

smithbk (Thu, 23 Nov 2017 05:59:35 GMT):
What exactly are you trying to do?

MohammadObaid (Thu, 23 Nov 2017 06:01:02 GMT):
I set up a fabric network on aws using the ansible script https://github.com/hyperledger/cello/tree/master/src/agent/ansible . It sets up core hyperledger fabric. I was able to invoke queries using peer terminals. Now I am trying to integrate the node sdk with the existing network

smithbk (Thu, 23 Nov 2017 06:02:29 GMT):
And how does that relate to fabric-ca-server?

smithbk (Thu, 23 Nov 2017 06:02:29 GMT):
And what do the fabric-ca-server logs say?

MohammadObaid (Thu, 23 Nov 2017 06:03:52 GMT):
When I try to enroll a user using the node sdk, the fabric ca server doesn't return me any tokens, although the fabric ca container is running

smithbk (Thu, 23 Nov 2017 06:07:21 GMT):
This does not look like a response from fabric-ca-server ```{"success":true,"secret":"","message":"Jim enrolled Successfully","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTE0NTIzODQsInVzZXJuYW1lIjoiSmltIiwib3JnTmFtZSI6Im9yZ2IiLCJpYXQiOjE1MTE0MTYzODR9.Aa_5xGQBSuYbVI4zGej07_jAllJYXqEWm-F_nxOIc8k"}```

smithbk (Thu, 23 Nov 2017 06:08:16 GMT):
Not sure what it is from ... maybe the node SDK REST service?

baoyangc (Thu, 23 Nov 2017 06:23:11 GMT):
@smithbk sending mail to you

baoyangc (Thu, 23 Nov 2017 06:27:05 GMT):
@HubertYoung I've sent you a private message

ahmadzafar (Thu, 23 Nov 2017 07:12:06 GMT):
what is the difference between the fabric-ca-orderer and fabric-orderer docker images? Please give me a description of fabric-ca-orderer.

MohammadObaid (Thu, 23 Nov 2017 07:14:03 GMT):
@smithbk yeah from sdk rest service

bobsummerwill (Thu, 23 Nov 2017 08:15:40 GMT):
Has left the channel.

paul.sitoh (Thu, 23 Nov 2017 11:00:35 GMT):
I am using fabric-ca-client to access the cert of a registrar in a fabric-ca-server. In the client I ran this command:
```
fabric-ca-client enroll -u https://admin1:admin1pw@fabric-ca-server:7054 --tls.client.certfile /opt/wd/tlsca/tlsca.org1.example.com-cert.pem --tls.client.keyfile /opt/wd/tlsca/924bf692b725891588e7ea61df3f503aca7f1afaea08e6fd765ce4a7604c927d_sk -d
```
The client sends a default `csr`:
```
2017/11/23 10:51:49 [DEBUG] Sending request
POST https://fabric-ca-server:7054/enroll
Authorization: Basic YWRtaW4xOmFkbWluMXB3
{"hosts":["e71e0deae89c"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBQjCB6gIBADBeMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDzANBgNV\nBAMTBmFkbWluMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNr1swbM8PmSf6F5\nguZtIu4IiQrvfBiXEPvAe83SSJ9XSCpxfq6/q6ApBZOjX0m8Q+bAxym3jfM7SDIB\nW/TVAimgKjAoBgkqhkiG9w0BCQ4xGzAZMBcGA1UdEQQQMA6CDGU3MWUwZGVhZTg5\nYzAKBggqhkjOPQQDAgNHADBEAiBHqq2sFwuqsaKD2xCWfl0TV4GyRP6PTW9DP3FQ\nnlNqzwIgEXZR6K7fdKTpF4Ix+xWO6Sw4jnvYy+xG6/mELi1yRvM=\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","CAName":""}
```
The client and server are both TLS enabled and share the same TLS cert and keys, generated from cryptogen.
But I am getting this error:
```
2017/11/23 10:51:49 [INFO] TLS Enabled
2017/11/23 10:51:49 [DEBUG] CA Files: []
2017/11/23 10:51:49 [DEBUG] Client Cert File: /opt/wd/tlsca/tlsca.org1.example.com-cert.pem
2017/11/23 10:51:49 [DEBUG] Client Key File: /opt/wd/tlsca/924bf692b725891588e7ea61df3f503aca7f1afaea08e6fd765ce4a7604c927d_sk
2017/11/23 10:51:49 [DEBUG] Check client TLS certificate for valid dates
2017/11/23 10:51:49 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: CSP:500 - Failed getting key for SKI [[146 75 246 146 183 37 137 21 136 231 234 97 223 63 80 58 202 127 26 250 234 8 230 253 118 92 228 167 96 76 146 125]]
/opt/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw/impl.go:257 github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw.(*impl).GetKey
/opt/go/src/github.com/hyperledger/fabric-ca/util/csp.go:218 github.com/hyperledger/fabric-ca/util.GetSignerFromCert
/opt/go/src/github.com/hyperledger/fabric-ca/util/csp.go:340 github.com/hyperledger/fabric-ca/util.LoadX509KeyPair
/opt/go/src/github.com/hyperledger/fabric-ca/lib/tls/tls.go:78 github.com/hyperledger/fabric-ca/lib/tls.GetClientTLSConfig
/opt/go/src/github.com/hyperledger/fabric-ca/lib/client.go:403 github.com/hyperledger/fabric-ca/lib.(*Client).SendReq
/opt/go/src/github.com/hyperledger/fabric-ca/lib/client.go:193 github.com/hyperledger/fabric-ca/lib.(*Client).Enroll
/opt/go/src/github.com/hyperledger/fabric-ca/lib/clientconfig.go:71 github.com/hyperledger/fabric-ca/lib.(*ClientConfig).Enroll
/opt/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-client/enroll.go:78 main.runEnroll
/opt/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-client/enroll.go:62 main.glob..func2
/opt/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute
/opt/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC
/opt/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute
/opt/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-client/main.go:115 main.RunMain
/opt/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-client/main.go:103 main.main
/usr/lib/go-1.7/src/runtime/proc.go:192 runtime.main
/usr/lib/go-1.7/src/runtime/asm_amd64.s:2087 runtime.goexit
Caused by: Key type not recognized
2017/11/23 10:51:49 [DEBUG] Attempting fallback with certfile /opt/wd/tlsca/tlsca.org1.example.com-cert.pem and keyfile /opt/wd/tlsca/924bf692b725891588e7ea61df3f503aca7f1afaea08e6fd765ce4a7604c927d_sk
Error: Failed to get client TLS config: No TLS certificate files were provided
```
This would suggest that TLS is not working. I ran the same command without the TLS settings and it works. Is there a bug in the fabric-ca-client when running with TLS enabled? With the SDK, I presumed it uses gRPC authentication, so not using https?

Vadim (Thu, 23 Nov 2017 12:07:47 GMT):
@paul.sitoh can you make sure that the TLS cert at `/opt/wd/tlsca/tlsca.org1.example.com-cert.pem` matches the key `/opt/wd/tlsca/924bf692b725891588e7ea61df3f503aca7f1afaea08e6fd765ce4a7604c927d_sk`?

Vadim (Thu, 23 Nov 2017 12:08:01 GMT):
some tutorial I found on how to do it: https://kb.wisc.edu/middleware/page.php?id=4064

MadhavaReddy (Thu, 23 Nov 2017 12:39:26 GMT):
Hi All, when I try to register a user I am getting the below error. Can you please help me fix the issue? I am using the node sdk here.
```
2017/11/23 12:34:40 [DEBUG] Registration of 'Jim' failed: No identity type provided. Please provide identity type
2017/11/23 12:34:40 [INFO] 172.18.0.1:51626 - "POST /api/v1/register" 0
[2017-11-23 12:34:40.549] [ERROR] Helper - Failed to get registered user: Jim with error: Error: fabric-ca request register failed with errors [[{"code":0,"message":"No identity type provided. Please provide identity type"}]]
```

paul.sitoh (Thu, 23 Nov 2017 13:10:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RJfndxMo8synARZCv) @Vadim The cert and keys were generated by cryptogen, so I would assume they match. The same certs and keys are also set up on the server side.

Vadim (Thu, 23 Nov 2017 13:11:41 GMT):
@paul.sitoh I'd still check if I were you

paul.sitoh (Thu, 23 Nov 2017 13:17:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=o6G6bhP9tSSt3e6dc) @Vadim Ok, I'll check. In the meantime, could you confirm that TLS (or HTTPS) works as I understand it, which is as follows: I presumed that, like normal HTTPS or TLS, the first stage is for the server and client to confirm that the (TLS) certificates on both sides are valid (probably exchanging public keys). After that a symmetric key is exchanged between server and client. Is my understanding correct as it applies to fabric-ca?

Vadim (Thu, 23 Nov 2017 13:18:06 GMT):
yes, but afaik ca-server does not verify client identity (over tls)

Vadim (Thu, 23 Nov 2017 13:18:23 GMT):
you can enable it somewhere, but by default it's disabled

smithbk (Thu, 23 Nov 2017 15:03:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9R2Ko9vhHqGxkawiP) @ahmadzafar fabric-ca-orderer = fabric-orderer + fabric-ca-client where the fabric-ca-client is used to enroll the orderer in order to get its enrollment certificate

smithbk (Thu, 23 Nov 2017 15:11:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yoJZf4QiAWppApaM9) @MadhavaReddy IIRC, the node SDK API calls the identity type a "role", which means you aren't specifying the role when registering Jim

MadhavaReddy (Thu, 23 Nov 2017 15:45:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MutqdnZvNxdNMxzzv) @smithbk Thank you

MadhavaReddy (Thu, 23 Nov 2017 15:46:03 GMT):
Hi All, I am trying to run fabric explorer using the balance transfer crypto files and getting the below error. Please suggest what the issue is here.
```
[2017-11-23 15:40:59.781] [ERROR] Helper - Error: Calling enrollment endpoint failed with error [Error: Parse Error]
    at ClientRequest. (/home/ubuntu/work/src/github.com/hyperledger/explorer/fabric-explorer/node_modules/fabric-ca-client/lib/FabricCAClientImpl.js:711:12)
    at emitOne (events.js:115:13)
    at ClientRequest.emit (events.js:210:7)
    at Socket.socketOnData (_http_client.js:459:9)
    at emitOne (events.js:115:13)
    at Socket.emit (events.js:210:7)
    at addChunk (_stream_readable.js:266:12)
    at readableAddChunk (_stream_readable.js:253:11)
    at Socket.Readable.push (_stream_readable.js:211:10)
    at TCP.onread (net.js:585:20)
[2017-11-23 15:40:59.781] [ERROR] Helper - admin enrollment failed
[2017-11-23 15:40:59.781] [ERROR] Query - Error: Missing userContext parameter
    at new TransactionID (/home/ubuntu/work/src/github.com/hyperledger/explorer/fabric-explorer/node_modules/fabric-client/lib/TransactionID.js:43:10)
    at Channel.queryInfo (/home/ubuntu/work/src/github.com/hyperledger/explorer/fabric-explorer/node_modules/fabric-client/lib/Channel.js:765:14)
    at helper.getRegisteredUsers.then (/home/ubuntu/work/src/github.com/hyperledger/explorer/fabric-explorer/app/query.js:175:18)
    at 
    at process._tickCallback (internal/process/next_tick.js:188:7)
```

MadhavaReddy (Thu, 23 Nov 2017 15:47:23 GMT):
Also, the below msg keeps repeating in the CA docker logs:

MadhavaReddy (Thu, 23 Nov 2017 15:47:24 GMT):
```
2017/11/23 15:40:55 http: TLS handshake error from 172.18.0.1:56294: tls: oversized record received with length 21536
2017/11/23 15:40:56 http: TLS handshake error from 172.18.0.1:56304: tls: oversized record received with length 21536
2017/11/23 15:40:57 http: TLS handshake error from 172.18.0.1:56308: tls: oversized record received with length 21536
```

paul.sitoh (Thu, 23 Nov 2017 16:45:26 GMT):
paul.sitoh (Thu, 23 Nov 2017 16:45:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RJfndxMo8synARZCv) @Vadim One more question: is the flag `--tls.client.keyfile` a reference to a "public" or "private" key file?

MadhavaReddy (Thu, 23 Nov 2017 19:10:02 GMT):
Hi All, I am trying to use the latest fabric ca images and facing the below issue when trying to enroll a user through the node sdk. Can you please help me fix the issue?
```
[2017-11-23 19:06:48.337] [DEBUG] Helper - [crypto_ecdsa_aes]: ecdsa signature: Signature { r: , s: , recoveryParam: 0 }
[2017-11-23 19:06:48.345] [ERROR] Helper - Failed to get registered user: Jim with error: Error: fabric-ca request register failed with errors [[{"code":0,"message":"No identity type provided. Please provide identity type"}]]
```

MadhavaReddy (Thu, 23 Nov 2017 19:12:05 GMT):
In the CA docker log I see the below msg:
```
2017/11/23 19:06:48 [DEBUG] Directing traffic to CA ca-org1
2017/11/23 19:06:48 [DEBUG] Checking for revocation/expiration of certificate owned by 'admin'
2017/11/23 19:06:48 [DEBUG] DB: Get certificate by serial (746d7641db5837dafe297daeae66165c4e1d433) and aki (e729224e8b3f31784c8a93c5b8ef6f4c1c91d9e6e577c45c33163609fe40011)
2017/11/23 19:06:48 [DEBUG] Successful authentication of 'admin'
2017/11/23 19:06:48 [DEBUG] Register request received
2017/11/23 19:06:48 [DEBUG] Received registration request from admin: &{RegistrationRequest:{Name:Jim Type: Secret:<> MaxEnrollments:1 Affiliation:org1.department1 Attributes:[] CAName:ca-org1}}
2017/11/23 19:06:48 [DEBUG] canRegister - Check to see if user admin can register
2017/11/23 19:06:48 [DEBUG] DB: Getting identity admin
2017/11/23 19:06:48 [DEBUG] Registration of 'Jim' failed: No identity type provided. Please provide identity type
2017/11/23 19:06:48 [INFO] 172.18.0.1:58786 - "POST /api/v1/register" 0
```

jackeyliliang (Fri, 24 Nov 2017 02:55:29 GMT):
Has joined the channel.

baoyangc (Fri, 24 Nov 2017 04:13:17 GMT):
fabric-ca 1.1.0-preview, met this error while enrolling: `2017/11/24 04:05:18 [ERROR] local signer policy disallows issuing CA certificate`

baoyangc (Fri, 24 Nov 2017 04:14:35 GMT):
Who knows where to set the local signer policy?

MohammadObaid (Fri, 24 Nov 2017 05:09:11 GMT):
Hey, I want to know: when we use the fabric-ca docker image to create a fabric-ca container, what configuration file is used? And how can we change that?

MohitYadav2317 (Fri, 24 Nov 2017 07:10:01 GMT):
Has joined the channel.

asuchit (Fri, 24 Nov 2017 09:52:47 GMT):
```
fabric-ca-client register -c org2CaAdmin/config.yaml --id.name "org2Orderer" --id.type "orderer" --id.affiliation "org2Orderer" --tls.certfilesca-cert.pem
2017/11/24 06:26:25 [INFO] Configuration file location: /home/suchit/hyperledger/fabric-ca/bin/client/org2CaAdmin/config.yaml
2017/11/24 06:26:25 [INFO] TLS Enabled
2017/11/24 06:26:25 [INFO] TLS Enabled
Error: Response from server: Error Code: 0 - Identity 'org2Ca' may not register type 'orderer'
```
Can someone help me with why this error occurs for orderer? It is working for peer.

PetrVlasekCA (Fri, 24 Nov 2017 10:52:42 GMT):
Has joined the channel.

mastersingh24 (Fri, 24 Nov 2017 11:39:28 GMT):
@asuchit - I assume you are using v1.0.X of fabric-ca? If so, looks like "orderer" is not included in the default set of roles for the CA admin therefore it cannot register identities with the "orderer" role.

asuchit (Fri, 24 Nov 2017 11:54:13 GMT):
@mastersingh24 I am using the master branch of Fabric-CA and Fabric...

paul.sitoh (Fri, 24 Nov 2017 11:55:08 GMT):
Folks, this is the structure of the assets created by `cryptogen`.

paul.sitoh (Fri, 24 Nov 2017 11:55:46 GMT):

Screen Shot 2017-11-24 at 11.52.56.png

paul.sitoh (Fri, 24 Nov 2017 11:57:09 GMT):
Can someone advise on which crypto stuff (i.e. keys and certs) to be mounted to the fabric-ca-server and fabric-ca-client to enable TLS comms?

paul.sitoh (Fri, 24 Nov 2017 11:58:41 GMT):
I am guessing the tlsca cert is for TLS for the fabric-ca-server under org1.example.com, and the ca cert is the fabric-ca-server root cert?

Vadim (Fri, 24 Nov 2017 12:01:46 GMT):
yes

Vadim (Fri, 24 Nov 2017 12:02:15 GMT):
how do you set TLS CA files to CA?

paul.sitoh (Fri, 24 Nov 2017 12:02:52 GMT):
For development fabric I just mount it

Vadim (Fri, 24 Nov 2017 12:03:05 GMT):
how do you tell CA which files to use?

paul.sitoh (Fri, 24 Nov 2017 12:03:35 GMT):
Like this

paul.sitoh (Fri, 24 Nov 2017 12:03:41 GMT):
```yaml
fabric-ca-server:
  container_name: fabric-ca-server
  image: hyperledger/fabric-ca:x86_64-1.0.2
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    # CA cert and key file
    - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca/ca.org1.example.com-cert.pem
    - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/ca/CA_PRIVATE_KEY
    # TLS settings
    - FABRIC_CA_SERVER_TLS_ENABLED=true
    - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/tlsca/tlsca.org1.example.com-cert.pem
    - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/tlsca/CA_TLS_KEY
```

paul.sitoh (Fri, 24 Nov 2017 12:03:52 GMT):
via docker compose
```yaml
- ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config/ca
- ./crypto-config/peerOrganizations/org1.example.com/tlsca/:/etc/hyperledger/fabric-ca-server-config/tlsca
```

paul.sitoh (Fri, 24 Nov 2017 12:04:00 GMT):
yaml

Vadim (Fri, 24 Nov 2017 12:04:02 GMT):
seems correct

paul.sitoh (Fri, 24 Nov 2017 12:04:06 GMT):
this is only development

paul.sitoh (Fri, 24 Nov 2017 12:05:13 GMT):
But somehow fabric-ca-client still can't connect when tls is enabled

paul.sitoh (Fri, 24 Nov 2017 12:05:33 GMT):
Cert and key seem to match based on https://kb.wisc.edu/middleware/page.php?id=4064

Vadim (Fri, 24 Nov 2017 12:06:49 GMT):
try to set FABRIC_CA_SERVER_TLS_CERTFILE and FABRIC_CA_SERVER_TLS_KEYFILE to the same cert and key as the root cert, does that work?

Vadim (Fri, 24 Nov 2017 12:07:09 GMT):
you also need to tell your client to use a different cert for tls verification

paul.sitoh (Fri, 24 Nov 2017 12:08:39 GMT):
So TLS same as CA cert and key on server?

paul.sitoh (Fri, 24 Nov 2017 12:09:11 GMT):
How do I tell the client to use a different cert for tls verification?

Vadim (Fri, 24 Nov 2017 12:09:49 GMT):
well you need to specify to the client the TLS cert

paul.sitoh (Fri, 24 Nov 2017 12:10:34 GMT):
--tls.client.certfile flag?

Vadim (Fri, 24 Nov 2017 12:11:47 GMT):
I guess so

paul.sitoh (Fri, 24 Nov 2017 12:12:13 GMT):
ok let me try again. I might have to give up on this if it does not work

Vadim (Fri, 24 Nov 2017 12:12:37 GMT):
I'm not sure it's that parameter, it seems like it's client tls cert for mutual tls

Vadim (Fri, 24 Nov 2017 12:14:26 GMT):
http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enabling-tls that's right, it's for mutual tls

Vadim (Fri, 24 Nov 2017 12:14:37 GMT):
you need root.cert

Vadim (Fri, 24 Nov 2017 12:14:37 GMT):
you need to change tls.certfiles.root.cert

paul.sitoh (Fri, 24 Nov 2017 12:16:48 GMT):
ok thanks. let me try. BTW using this to check cert key match https://www.sslshopper.com/certificate-key-matcher.html

MadhavaReddy (Fri, 24 Nov 2017 12:49:55 GMT):
Hi All, when I try to run balance transfer after generating the crypto files, the CA containers stop with the below error. Please suggest how to fix the issue.
```
Error: Validation of certificate and key failed: Invalid certificate and/or key in files '/etc/hyperledger/fabric-ca-server-config/ca.org2.example.com-cert.pem' and '/etc/hyperledger/fabric-ca-server-config/7f6f33e55aa256c666b8829ac13e30c92c69390701c9684551592d101f0b24f7_sk': Public key and private key do not match
```

MadhavaReddy (Fri, 24 Nov 2017 13:31:04 GMT):
Hi All, can you please help me with enrolling identities using a .yaml file? It seems all the certificates for balance transfer are generated using the CA.

MadhavaReddy (Fri, 24 Nov 2017 14:42:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Qi7mG5E6ZNg9MFfgN) Thanks @Vadim for helping on this

MadhavaReddy (Fri, 24 Nov 2017 16:05:57 GMT):
Hi All, I ran "fabric-samples/fabric-ca" with three peers in each org and was expecting this tool to generate three peer folders under each peer org; however, it only generated a single folder. Can someone please clarify why it has not created separate identities for each peer?

sasiedu (Sun, 26 Nov 2017 09:51:42 GMT):
Has joined the channel.

sasiedu (Sun, 26 Nov 2017 09:52:24 GMT):
Morning, I'm new to fabric-ca and would like to know where I can find the fabric-ca env variables.

smithbk (Sun, 26 Nov 2017 17:01:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qEv3A5T9r6TskSj3S) @sasiedu See http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#configuration-settings. Also see the leading comments in the fabric-ca-server-config.yaml (or http://hyperledger-fabric-ca.readthedocs.io/en/latest/serverconfig.html) and fabric-ca-client-config.yaml (or http://hyperledger-fabric-ca.readthedocs.io/en/latest/clientconfig.html).

smithbk (Sun, 26 Nov 2017 17:04:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tghdTWvxKcYZQGckE) @MadhavaReddy Where are you expecting it to create 3 folders? It actually does create the identities for each peer by registering them in the scripts/setup-fabric.sh script, and then each peer enrolls itself using the user/pass associated with the peer in the scripts/start-peer.sh script. There is no need to have a folder per peer like cryptogen does, if that is what you are referring to.

MadhavaReddy (Sun, 26 Nov 2017 17:27:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7fyDF6TBSJCb4a4fA) @smithbk Thank you for the clarification

DarshanBc (Mon, 27 Nov 2017 04:55:26 GMT):
How long are the private keys and certs generated while registering new users valid?

ShefaliMittal (Mon, 27 Nov 2017 06:49:20 GMT):
Has joined the channel.

ShefaliMittal (Mon, 27 Nov 2017 06:49:43 GMT):
Hi, Can I have one MSP and CA for two orgs?

himani.arora (Mon, 27 Nov 2017 11:38:51 GMT):
Has joined the channel.

smithbk (Mon, 27 Nov 2017 12:06:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BefrzDbZ5aFadtKpc) @DarshanBc The default is 1 year, but it is configurable.

smithbk (Mon, 27 Nov 2017 12:14:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hCqeLCtpZj5MM69Hd) @ShefaliMittal You can have one CA which issues certs for multiple OUs (Organization Units) ... and each OU is a different MSP. But am not sure what you mean by "1 MSP and CA and 2 orgs". Can you elaborate on what you are trying to accomplish? In order to prevent someone in 1 org from masquerading as someone in another org, they would need to be in different MSPs.

DarshanBc (Mon, 27 Nov 2017 12:32:32 GMT):
@smithbk Thank you

asuchit (Mon, 27 Nov 2017 13:19:19 GMT):
`http: TLS handshake error from 107.109.107.54:48932: tls: oversized record received with length 21536` Please help me, what is this error?

asuchit (Mon, 27 Nov 2017 13:25:38 GMT):
It is working now, missed https

smithbk (Mon, 27 Nov 2017 14:13:48 GMT):
@paul.sitoh Did you get TLS working?

paul.sitoh (Mon, 27 Nov 2017 14:15:13 GMT):
I am afraid not for fabric-ca-client "talking" to fabric-ca-server.

MohammadObaid (Mon, 27 Nov 2017 16:22:02 GMT):
What is the role of the affiliations section in the fabric-ca-server config file? Let's say this is the affiliations section:
```yaml
affiliations:
  orga:
    - department1
    - department2
  orgb:
    - department1
```
What does department1 mean?

Asara (Mon, 27 Nov 2017 16:33:06 GMT):
It is not a role, but rather the 'group' that exists under that specific organization

Asara (Mon, 27 Nov 2017 16:34:02 GMT):
This allows you to specify users that belong to orga.department1, and orga.department2

Asara (Mon, 27 Nov 2017 16:34:04 GMT):
etc.

MohammadObaid (Mon, 27 Nov 2017 16:39:07 GMT):
Hey @Asara, thanks. Just one more thing: if we don't define a department, where will the user be enrolled then? How many departments should we define?

Asara (Mon, 27 Nov 2017 16:40:24 GMT):
Can't comment on not defining departments, haven't done that personally. As for how many you should define, it all depends on your application/organization structure

smithbk (Mon, 27 Nov 2017 17:14:34 GMT):
If you don't define the affiliation when registering an identity, it inherits the affiliation of the registrar. The same is true of the identity type.

Asara (Mon, 27 Nov 2017 17:30:28 GMT):
@smithbk what happens if you don't include any subaffiliations? Will it just take on the organization as its affiliation?

MohammadObaid (Mon, 27 Nov 2017 17:54:20 GMT):
@smithbk I have ca docker running. Is it possible to enroll user without any client like node sdk etc?

sasiedu (Mon, 27 Nov 2017 21:21:59 GMT):
hi, the fabric-ca-client I have does not have `gencrl gencsr identity`, any idea why or what version has it?

smithbk (Mon, 27 Nov 2017 21:24:11 GMT):
@Asara Not sure what you mean by not including any subaffiliations. When you register, you either specify an affiliation or you don't. If you don't specify one, it uses the registrar's affiliation. If you specify an affiliation when you register, it must be either equal to the registrar's affiliation or a subaffiliation of the registrar's affiliation.

Asara (Mon, 27 Nov 2017 21:24:38 GMT):
Just going off of @MohammadObaid's example, orga vs orga.department1

smithbk (Mon, 27 Nov 2017 21:27:39 GMT):
ok, if you don't define any subaffiliations but only have "orga" and "orgb", then it simply means you have only two affiliations to choose from ... well, actually 3 since the empty string is the root affiliation

smithbk (Mon, 27 Nov 2017 21:27:39 GMT):
@sasiedu The gencsr command is in v1.1.0-preview. You can do as follows:
```
cd $GOPATH/src/github.com/hyperledger/fabric-ca
git checkout v1.1.0-preview
rm $GOPATH/bin/fabric-ca*
go install github.com/hyperledger/fabric-ca/cmd/...
$GOPATH/bin/fabric-ca-server version
$GOPATH/bin/fabric-ca-client version
```

smithbk (Mon, 27 Nov 2017 21:27:39 GMT):
@sasiedu The gencsr command is in v1.1.0-preview. You can do as follows:
```
cd $GOPATH/src/github.com/hyperledger/fabric-ca
git checkout v1.1.0-preview
rm $GOPATH/bin/fabric-ca*
go install github.com/hyperledger/fabric-ca/cmd/...
```
and then try again

sasiedu (Mon, 27 Nov 2017 21:49:56 GMT):
@smithbk okay, thanks a lot

rickr (Mon, 27 Nov 2017 23:50:18 GMT):
https://ctrlv.it/id/65557/1246210393 swagger for revoke on the types like for id
```json
"id": {
  "type": [
    "string",
    "null"
  ],
  "description": "The enrollment ID of the identity whose certificates are to be revoked, including both enrollment certificates and transaction certificates. \nAll future enrollment attempts for this identity will be rejected. \nIf this field is specified, the *serial* and *aki* fields are ignored."
```

rickr (Mon, 27 Nov 2017 23:50:47 GMT):
does the null mean that's the default value? For id, can it really be null?

rickr (Mon, 27 Nov 2017 23:51:30 GMT):
```json
"id": {
  "type": [
    "string",
    "null"
  ],
  "description": "The enrollment ID of the identity whose certificates are to be revoked, including both enrollment certificates and transaction certificates. \nAll future enrollment attempts for this identity will be rejected. \nIf this field is specified, the *serial* and *aki* fields are ignored."
```

rickr (Mon, 27 Nov 2017 23:51:57 GMT):
```json
"gencrl": {
  "type": [
    "boolean",
    "null"
  ],
  "description": "When this request results in revoking one or more certificates, this boolean indicates whether to generate a CRL and return it in the response"
}
```

rickr (Mon, 27 Nov 2017 23:52:52 GMT):
is that really part of revoke? Not seeing that mentioned in the response, and is null > to be false?

rickr (Mon, 27 Nov 2017 23:54:17 GMT):
For the string types where null is given, does that mean it would just be missing in the body of the request? Or the actual string value of just "null"?

prabhat.kashyap (Tue, 28 Nov 2017 05:56:22 GMT):
Has joined the channel.

sasiedu (Tue, 28 Nov 2017 06:48:40 GMT):
Morning all, is there any way the fabric-client can get CSR from the fabric-server?

CodeReaper (Tue, 28 Nov 2017 11:32:20 GMT):
Hey, I'm trying to register a new peer through the command line inside a fabric-ca container and I'm getting this error:

CodeReaper (Tue, 28 Nov 2017 11:32:28 GMT):

Clipboard - November 28, 2017 5:02 PM

sasiedu (Tue, 28 Nov 2017 11:36:31 GMT):
@CodeReaper did you enroll the current client yet?

smithbk (Tue, 28 Nov 2017 11:40:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kYyWTdyqrR9EBRDRx) @rickr It means that id can be omitted, but the serial and AKI must be provided if it is omitted

CodeReaper (Tue, 28 Nov 2017 11:41:38 GMT):
@sasiedu When I try to enroll admin it gives me this error:

CodeReaper (Tue, 28 Nov 2017 11:41:47 GMT):

Clipboard - November 28, 2017 5:11 PM

smithbk (Tue, 28 Nov 2017 11:46:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KCHzTgvpvKh8XrX96) @rickr Yes, it is part of a revoke request and says that if any certificates are actually revoked, then a new CRL will be generated and returned in the response. But you're right, it looks like the response was not updated to reflect that in the swagger doc. @aambati

smithbk (Tue, 28 Nov 2017 11:47:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9wFeu5Ror2EEvDeHP) @rickr It means it could just be missing

sasiedu (Tue, 28 Nov 2017 11:47:24 GMT):
@CodeReaper can you post the server logs

CodeReaper (Tue, 28 Nov 2017 11:50:23 GMT):

Clipboard - November 28, 2017 5:20 PM

smithbk (Tue, 28 Nov 2017 11:51:16 GMT):
@CodeReaper You are using "http" on your client but the server is listening on "https"

CodeReaper (Tue, 28 Nov 2017 11:51:50 GMT):
gives a different error at that, let me get screenshot

smithbk (Tue, 28 Nov 2017 11:53:00 GMT):
You also need to use the `--tls.certfiles ` option on the client where is the cert of issuer of TLS cert used by the server

CodeReaper (Tue, 28 Nov 2017 11:54:47 GMT):
@smithbk this certfile is supposed to be that of the person who's trying to enroll, admin in this case??

smithbk (Tue, 28 Nov 2017 11:56:08 GMT):
no, it is the cert used by the server for TLS. Did you paste the start of the server logs above? Or the command line?

CodeReaper (Tue, 28 Nov 2017 11:57:15 GMT):
Is there any document available on this?

CodeReaper (Tue, 28 Nov 2017 11:58:29 GMT):
I don't have any other logs other than trying to register a new peer identity and enrolling an existing user

sasiedu (Tue, 28 Nov 2017 11:58:52 GMT):
@CodeReaper http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html

smithbk (Tue, 28 Nov 2017 12:00:49 GMT):
https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enabling-tls

smithbk (Tue, 28 Nov 2017 12:06:22 GMT):
But the you should specify on the client depends on the certificate which is specified in the "tls.certfile" option on the server. By default, in the v1.1 version of fabric-ca-server if you use the `--tls.enabled` option, it will automatically issue a TLS certificate for you and use that on the server. If that is the case, then the on your client should be the server's `ca-cert.pem` file. If that is not the case, then on the client can just be the same as the `tls.certfile` of the server

CodeReaper (Tue, 28 Nov 2017 12:09:35 GMT):
Where can I find my tls.certfile in the container @smithbk ?

smithbk (Tue, 28 Nov 2017 12:11:50 GMT):
If you didn't bring your own tls.certfile for the server (which I'm guessing you didn't), then it must have generated its own. So that means you should use the ca-cert.pem in the home directory of the server.

CodeReaper (Tue, 28 Nov 2017 12:14:47 GMT):
home directory seems to be empty

smithbk (Tue, 28 Nov 2017 12:16:03 GMT):
Is $FABRIC_CA_SERVER_HOME env variable set?

CodeReaper (Tue, 28 Nov 2017 12:17:03 GMT):
No, it's not.

CodeReaper (Tue, 28 Nov 2017 12:17:15 GMT):
Did I miss something?

smithbk (Tue, 28 Nov 2017 12:17:18 GMT):
How did you start the container?

smithbk (Tue, 28 Nov 2017 12:17:39 GMT):
Is there a docker-compose.yaml file?

CodeReaper (Tue, 28 Nov 2017 12:18:38 GMT):
FABRIC_CA_HOME is set in yaml file but not FABRIC_CA_SERVER_HOME

CodeReaper (Tue, 28 Nov 2017 12:18:44 GMT):

Clipboard - November 28, 2017 5:48 PM

smithbk (Tue, 28 Nov 2017 12:19:04 GMT):
ok, so look in that directory of the container for ca-cert.pem

CodeReaper (Tue, 28 Nov 2017 12:20:35 GMT):
Yes, found a ca-cert.pem

smithbk (Tue, 28 Nov 2017 12:20:56 GMT):
oh wait ... you need to use the same file as the TLS_CERTFILE, not the ca-cert.pem

smithbk (Tue, 28 Nov 2017 12:21:06 GMT):
now that I see your env vars

CodeReaper (Tue, 28 Nov 2017 12:22:58 GMT):
So I'm having to send a TLS certificate with my fabric-ca-client's operation because the fabric-ca-server and fabric-ca-client are both present in the same container?

smithbk (Tue, 28 Nov 2017 12:23:47 GMT):
No, it is because you are connecting to the server over TLS

smithbk (Tue, 28 Nov 2017 12:24:06 GMT):
being in the same or different container doesn't matter

CodeReaper (Tue, 28 Nov 2017 12:24:19 GMT):
And the request, whether coming from within the container or outside, is verified over TLS either way

smithbk (Tue, 28 Nov 2017 12:24:29 GMT):
yes

CodeReaper (Tue, 28 Nov 2017 12:24:59 GMT):
Ok, makes sense. I'll redo it

smithbk (Tue, 28 Nov 2017 12:25:39 GMT):
So just to be clear, the cert that you need on your client is the issuer of the certificate in the "ca.org1.example.com-cert.pem" file

smithbk (Tue, 28 Nov 2017 12:33:48 GMT):
@CodeReaper Now I see that you are using the TLS certificate generated by cryptogen. The issuer of that is the org's TLSCA, so it means the certificate that you should use on the client for is `crypto-config/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem`

username343 (Tue, 28 Nov 2017 12:35:17 GMT):
Why is there an admincerts folder in Admin@org1.example.com folder inside the users folder in peerOrganizations folder?

username343 (Tue, 28 Nov 2017 12:36:41 GMT):
Does adding the user's certificates to the admincerts in the peer's msp folder make that user the admin of that peer?

username343 (Tue, 28 Nov 2017 12:40:00 GMT):
It makes sense that a peer's msp folder has an admincerts folder, but why does the Admin@org1.example.com folder in users have the admincerts folder?

smithbk (Tue, 28 Nov 2017 12:40:10 GMT):
@username343 The `crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/admincerts` folder is not needed or used because this is the MSP folder for the admin user itself. That `admincerts` folder is only needed in a local MSP of a peer for guarding who can install chaincode and in the channel MSPs for guarding channel operations

smithbk (Tue, 28 Nov 2017 12:41:06 GMT):
You are right. I'm guessing that it was generated just out of some pattern by cryptogen, but it is not needed or used

username343 (Tue, 28 Nov 2017 12:42:42 GMT):
Thanks for responding @smithbk. Another thing that I want to ask is: if I register a user with fabric-ca and the user obtains their certificate with the enrollment command, then can that user directly interact with the network using those certificates, or is an admin required to add those certificates to the users folder for each peer, or does fabric-ca do that by itself?

smithbk (Tue, 28 Nov 2017 12:45:22 GMT):
The assumption is that the CA signing certificate used by fabric CA is one of the cacerts or intermediatecerts of one of the MSPs. In this case, the issued certificates can be used directly

CodeReaper (Tue, 28 Nov 2017 12:46:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KM4ALjELyEjERZqfm) @smithbk I'm not even sending the tlsca folder's content to the CA. I think it'll be your first advice to use ca.org1.example.com-cert.pem

username343 (Tue, 28 Nov 2017 12:46:04 GMT):
So does that mean that the peer verifies users' ecerts against the CA's certs?

smithbk (Tue, 28 Nov 2017 12:46:53 GMT):
Yes, it is the same verification logic and is done locally only. It does not require talking to the fabric-ca-server

username343 (Tue, 28 Nov 2017 12:47:17 GMT):
ok got it. Thanks @smithbk

smithbk (Tue, 28 Nov 2017 12:48:25 GMT):
np

CodeReaper (Tue, 28 Nov 2017 12:57:51 GMT):
@smithbk getting this error-

CodeReaper (Tue, 28 Nov 2017 12:58:06 GMT):

Clipboard - November 28, 2017 6:27 PM

CodeReaper (Tue, 28 Nov 2017 12:58:34 GMT):
"not valid for localhost"

smithbk (Tue, 28 Nov 2017 13:28:04 GMT):
It means the server certificate that you are using doesn't have a SAN (Subject Alternative Name) which includes "localhost". You can connect to it from outside the container using the hostname "ca.org1.example.com"

username343 (Tue, 28 Nov 2017 13:50:52 GMT):
@smithbk can you please tell me about the certificates ca.crt, server.crt and server.key files in the tls folder for peer0.org1.example.com in the first-network example, and how it is different from the tlsca folder in the msp folder for the peer?

CodeReaper (Tue, 28 Nov 2017 14:20:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8CgFtNiETkjDZxSFF) @smithbk How can I add SAN?? I see that we can add it in cryptogen.yaml when using the tool, any other way??

CodeReaper (Tue, 28 Nov 2017 14:32:44 GMT):
Also where can I download fabric-ca-client and fabric-ca-server binaries from??

smithbk (Tue, 28 Nov 2017 14:34:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5W7sJHB6q5kdnxSCy) @username343 The tls folder is used by the server-side of TLS and the tlsca folder is used by the client-side of TLS

smithbk (Tue, 28 Nov 2017 14:38:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=K8CgobAF9nPvnEYMP) @CodeReaper In v1.1 of fabric-ca-server, it can generate its own TLS certificate, in which case it will add 2 SANs by default: one for the hostname and one for localhost. It really just depends on what you use to generate your TLS certs. The fabric-samples/fabric-ca sample demonstrates how to use fabric-ca to issue both TLS and enrollment certificates

smithbk (Tue, 28 Nov 2017 14:47:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oDDbuwYqJN7PrZN2C) @CodeReaper They aren't yet published, but you can use `go get github.com/hyperledger/fabric-ca/cmd/...` to download, build, and install locally ... though that is going to be v1.0.x. To install v1.1.0-preview, you can additionally do the following:
```
cd $GOPATH/src/github.com/hyperledger/fabric-ca
git checkout v1.1.0-preview
rm $GOPATH/bin/fabric-ca*
go install github.com/hyperledger/fabric-ca/cmd/...
```

sasiedu (Tue, 28 Nov 2017 16:42:51 GMT):
@smithbk Is fabric-ca-client identity implemented yet?

smithbk (Tue, 28 Nov 2017 17:19:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=b9g4RcqvLf8WKnxqZ) @sasiedu It isn't merged yet ... see https://gerrit.hyperledger.org/r/#/c/15283/ and the dependent change sets. Only the 1st one has been merged.

sarifuddin (Tue, 28 Nov 2017 17:23:52 GMT):
Has joined the channel.

sarifuddin (Tue, 28 Nov 2017 17:24:19 GMT):
Hi, I am trying to build a fabric network using 1 orderer, 2 peer nodes and 1 fabric ca server. They are on separate physical machines, and I am able to set those up. I would like to register my peer and orderer with my Fabric CA server. How can I register the peers and orderer with the fabric ca server? Do I need to install fabric-ca-client on my peer and orderer nodes and then run the fabric-ca-client register/enroll commands? Please help, I have been struggling for a couple of days.

sasiedu (Tue, 28 Nov 2017 17:25:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Lon9yvWYW789brSBr) @smithbk thanks

antoniovassell (Tue, 28 Nov 2017 18:38:34 GMT):
Hey, I am trying to test softhsm2 with hyperledger fabric. I have followed the HSM section located at http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#configuring-fabric-ca-server-to-use-softhsm2 and I am using version 1.0.4 images (I have tried using images from 1.0.0 to 1.0.4 with the same result). Upon attempting to start the fabric-ca-server with the config file it errors out saying that pkcs11.go cannot instantiate it. I have tested that softhsm2 is installed and that the parameters are correct (path to .so file, password and label); I tested by pulling the pkcs11 git repo into the container and writing a simple script that communicates with it. I am uploading an image below showing the error. Can any advice be given as to what I may be doing wrong, or something I am overlooking? Thanks in advance.

antoniovassell (Tue, 28 Nov 2017 18:38:49 GMT):

unexpected-signal.png

RohanMalcolm (Tue, 28 Nov 2017 18:41:02 GMT):
Has joined the channel.

sk (Tue, 28 Nov 2017 18:45:07 GMT):
Has joined the channel.

smithbk (Tue, 28 Nov 2017 20:40:21 GMT):
@antoniovassell What OS are you on and how did you install softhsm? Here is a script to follow: https://github.com/hyperledger/fabric/blob/release/images/testenv/install-softhsm2.sh

RohanMalcolm (Tue, 28 Nov 2017 21:42:56 GMT):
@smithbk softhsm was installed via the instructions found here (https://github.com/opendnssec/SoftHSMv2) and the OS is ubuntu. Will installing via just apt-get install be any different from building from source?

smithbk (Tue, 28 Nov 2017 21:50:57 GMT):
@RohanMalcolm I'm not sure but I just installed on my mac using brew and validated it again. I think it is worth trying since it should be easy. If it doesn't work, then we can look more closely but assuming your config is the same as in those instructions, there shouldn't be any issue with that

RohanMalcolm (Tue, 28 Nov 2017 21:52:06 GMT):
@smithbk I will try doing it that way and let you know, thanks for the speedy response

linyuadam (Wed, 29 Nov 2017 04:43:00 GMT):
Hi all, how can I enroll a user with attributes if I use fabric ca with LDAP?

netwalker2000 (Wed, 29 Nov 2017 06:12:08 GMT):
Has joined the channel.

CodeReaper (Wed, 29 Nov 2017 06:22:28 GMT):
@smithbk still no luck. I'm trying to run this outside the container after getting the fabric-ca-client binary. The container named ca.org1.example.com is running on the correct port, with the same container name as the service name, but it still cannot look up ca.org1.example.com

CodeReaper (Wed, 29 Nov 2017 06:22:36 GMT):

Clipboard - November 29, 2017 11:52 AM

linyuadam (Wed, 29 Nov 2017 07:12:58 GMT):
@smithbk how can I enroll a user with attributes if I use fabric ca with LDAP? Should I set up the attributes in LDAP, or?

username343 (Wed, 29 Nov 2017 07:50:52 GMT):
How can I set up crypto material using the fabric-ca? I am trying to create certificates for the orderer msp but I am not able to register an identity of type orderer. I'm getting two errors. The first one is: Error: Error response from server was: Failed getting affiliation : sql: no rows in result set, and the other error is identity of type admin can not register identity orderer

smithbk (Wed, 29 Nov 2017 13:13:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cvaDEWr7WRvhp6Hju) @linyuadam This is not currently possible but there is a change set to allow this at https://gerrit.hyperledger.org/r/#/c/14279/

linyuadam (Wed, 29 Nov 2017 13:15:04 GMT):
@smithbk Got it. Thanks very much

smithbk (Wed, 29 Nov 2017 13:24:14 GMT):
@CodeReaper You need to do 2 things, which are standard for docker to connect from the host. 1) Make sure the container exports the listening port to the host with a section similar to the following

smithbk (Wed, 29 Nov 2017 13:24:25 GMT):
```
ports:
  - 7054:7054
```

smithbk (Wed, 29 Nov 2017 13:26:21 GMT):
And 2) add the following entry to your /etc/hosts file on your host: ```127.0.0.1 ca.org1.example.com```

CodeReaper (Wed, 29 Nov 2017 13:56:13 GMT):
@smithbk Both are already in place

CodeReaper (Wed, 29 Nov 2017 14:01:21 GMT):
service name seems to be all good as well, take a look at container ca.org1.example.com-

CodeReaper (Wed, 29 Nov 2017 14:01:29 GMT):

Clipboard - November 29, 2017 7:31 PM

CodeReaper (Wed, 29 Nov 2017 14:02:17 GMT):
This is mind boggling

smithbk (Wed, 29 Nov 2017 14:12:14 GMT):
@CodeReaper Paste the output of `ping ca.org1.example.com` from your host

subbu165 (Wed, 29 Nov 2017 14:33:14 GMT):
Hi, how can I get the list of registered users?

subbu165 (Wed, 29 Nov 2017 14:33:31 GMT):
is there any api?

RohanMalcolm (Wed, 29 Nov 2017 14:42:43 GMT):
@smithbk I tried installing via the package manager and got the exact same result. I am using the latest hyperledger fabric-ca and the following is my BCCSP in the config
```
bccsp:
    default: PKCS11
    pkcs11:
        Library: /etc/softhsm/libsofthsm2.so
        Pin: 98765432
        Label: ForFabric
        hash: SHA2
        security: 256
        filekeystore:
            # The directory used for the software file-based keystore
            keystore: msp/keystore
```
I have also tried with the library address being /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so. Those are the only two paths where libsofthsm2.so is found on the system after install. The error still states that the failure occurred at initializing with PKCS11.

smithbk (Wed, 29 Nov 2017 14:44:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=g9vioFamwcqeJ7jRi) @subbu165 There is a change set currently in review to support this

smithbk (Wed, 29 Nov 2017 14:45:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GsLQxhPFAmJ3CNxpJ) @RohanMalcolm @vpaprots Vlad, can you take a look at this?

subbu165 (Wed, 29 Nov 2017 14:49:18 GMT):
@smithbk as of now with V1.0.4, how can I get this information?

smithbk (Wed, 29 Nov 2017 14:51:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yo3tdNraE2htDar8D) @subbu165 It is not supported in v1.0.4 through a REST API. You would have to look at the users table in the DB

subbu165 (Wed, 29 Nov 2017 14:51:41 GMT):
@smithbk even if its manually also or I have to write my own API also its fine. I will do it.

subbu165 (Wed, 29 Nov 2017 14:52:23 GMT):
ohh ok.

vpaprots (Wed, 29 Nov 2017 14:52:26 GMT):
@RohanMalcolm having trouble finding the original error message, can you paste again? what distro/arch you are using? never seen softhsm getting installed under `/etc`

vpaprots (Wed, 29 Nov 2017 14:53:01 GMT):
@RohanMalcolm also, did you initialize the token?

RohanMalcolm (Wed, 29 Nov 2017 14:53:03 GMT):
I also found one at /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so

RohanMalcolm (Wed, 29 Nov 2017 14:53:06 GMT):
Yes with this command

RohanMalcolm (Wed, 29 Nov 2017 14:53:11 GMT):
```softhsm2-util --init-token --slot 0 --label "ForFabric" --so-pin 1234 --pin 98765432```

vpaprots (Wed, 29 Nov 2017 14:53:41 GMT):
looks correct..

RohanMalcolm (Wed, 29 Nov 2017 14:53:58 GMT):

Selection_074.png

RohanMalcolm (Wed, 29 Nov 2017 14:54:42 GMT):
I also installed from source and it was placed in the path ```/usr/local/lib/softhsm/libsofthsm2.so```

RohanMalcolm (Wed, 29 Nov 2017 14:54:50 GMT):
That also gave the same error

vpaprots (Wed, 29 Nov 2017 14:55:17 GMT):
what distro? looks like linux..

RohanMalcolm (Wed, 29 Nov 2017 14:55:34 GMT):
Yes

RohanMalcolm (Wed, 29 Nov 2017 14:55:38 GMT):
Specifically ubuntu

vpaprots (Wed, 29 Nov 2017 14:55:54 GMT):
odd.. if softhsm util runs fine, that's typically enough to verify the installation..

vpaprots (Wed, 29 Nov 2017 14:56:09 GMT):
`softhsm2-util --show-slots` ?

RohanMalcolm (Wed, 29 Nov 2017 14:56:51 GMT):

Selection_075.png

RohanMalcolm (Wed, 29 Nov 2017 14:57:31 GMT):

Selection_076.png

vpaprots (Wed, 29 Nov 2017 14:57:58 GMT):
guessing this is running inside docker..

RohanMalcolm (Wed, 29 Nov 2017 14:58:08 GMT):
Yes in the container

RohanMalcolm (Wed, 29 Nov 2017 14:58:18 GMT):
I installed everything inside the container

vpaprots (Wed, 29 Nov 2017 14:58:26 GMT):
testenv docker container does this all the time..

RohanMalcolm (Wed, 29 Nov 2017 14:58:58 GMT):
@vpaprots What do you mean?

vpaprots (Wed, 29 Nov 2017 14:59:29 GMT):
we know that softhsm works inside docker.. that's how I run unit tests on pkcs11 bccsp..

vpaprots (Wed, 29 Nov 2017 14:59:44 GMT):
there is a fabric-testenv docker container, that gets softhsm installed..

RohanMalcolm (Wed, 29 Nov 2017 15:00:11 GMT):
Just to be certain I brought down the instance, and restarted and ran the scripts and got back the slots again

vpaprots (Wed, 29 Nov 2017 15:00:17 GMT):
https://github.com/hyperledger/fabric/tree/release/images/testenv

vpaprots (Wed, 29 Nov 2017 15:01:25 GMT):
Not sure if this is an issue here.. @smithbk do we build fabric with `-nopkcs11` tag? the fabric-peer does by default..

RohanMalcolm (Wed, 29 Nov 2017 15:01:29 GMT):

Selection_077.png

RohanMalcolm (Wed, 29 Nov 2017 15:02:01 GMT):
I had copied the contents from ```https://github.com/hyperledger/fabric/blob/release/images/testenv/install-softhsm2.sh``` created my own file locally, mounted it and executed the commands.

vpaprots (Wed, 29 Nov 2017 15:02:18 GMT):
ah.. @RohanMalcolm can you find the fabric-ca executable, run `ldd` on it?

vpaprots (Wed, 29 Nov 2017 15:02:45 GMT):
I have a sneaking suspicion that the binary was built with `-static` flag

vpaprots (Wed, 29 Nov 2017 15:03:25 GMT):
if the output of `ldd` is empty.. we got a problem..

RohanMalcolm (Wed, 29 Nov 2017 15:03:35 GMT):
@vpaprots just checking you want me to find fabric-ca and not fabric-ca-server or fabric-ca-client

vpaprots (Wed, 29 Nov 2017 15:03:44 GMT):
fabric-ca-server

vpaprots (Wed, 29 Nov 2017 15:03:52 GMT):
but check on both please

vpaprots (Wed, 29 Nov 2017 15:04:22 GMT):
(whichever you were having crash above)

RohanMalcolm (Wed, 29 Nov 2017 15:04:33 GMT):

Selection_078.png

RohanMalcolm (Wed, 29 Nov 2017 15:04:40 GMT):
I ran on both

vpaprots (Wed, 29 Nov 2017 15:04:50 GMT):
yeah.. thats the problem..

vpaprots (Wed, 29 Nov 2017 15:05:32 GMT):
somewhere in the makefiles, there is a `-static` flag.. unfortunately, you won't be able to load the pkcs11 shared library like this now..

vpaprots (Wed, 29 Nov 2017 15:05:56 GMT):
if you can rebuild fabric-ca without it, that's how you solve it

RohanMalcolm (Wed, 29 Nov 2017 15:06:11 GMT):
Ok, thanks will try that

vpaprots (Wed, 29 Nov 2017 15:10:27 GMT):
( @smithbk this is probably going to be a common complaint with the default fabric-ca builds. didn't know you had that flag too now.. https://jira.hyperledger.org/browse/FAB-3196 https://jira.hyperledger.org/browse/FAB-6161 )

RohanMalcolm (Wed, 29 Nov 2017 17:53:43 GMT):
@vpaprots Thanks for the help again, I was able to build without the static flag and was able to run with softhsm locally on the container.

creativemonk (Thu, 30 Nov 2017 02:03:19 GMT):
Has joined the channel.

CodeReaper (Thu, 30 Nov 2017 13:32:32 GMT):
Hey, what is the tlsca folder used for?

smithbk (Thu, 30 Nov 2017 14:13:04 GMT):
That is the directory that cryptogen uses to store the CA signing key and cert which it uses to issue TLS certs.

ashablyg (Thu, 30 Nov 2017 15:49:25 GMT):
Has joined the channel.

C0rnelius (Thu, 30 Nov 2017 16:44:51 GMT):
Has joined the channel.

C0rnelius (Thu, 30 Nov 2017 16:45:06 GMT):
Hi guys, I am relatively new to Hyperledger and currently looking into access management on Fabric. To my understanding, access to channels is granted through the scope of organizations, where each organization represents one company. User access is then granted by a single peer run by the company. Therefore, user access is handled on the peer and off-chain. Did I get this right? Is it possible to run multiple peers within one company and have them store access information on the chain to further decentralize my network?

MuhammadSalah (Thu, 30 Nov 2017 18:05:12 GMT):
Has joined the channel.

MuhammadSalah (Thu, 30 Nov 2017 18:05:37 GMT):
Hello, has anybody tried the 1.1.0-preview containers? I was very interested in trying out the Attribute Based Access Control, and I pulled the image, but I couldn't locate the new lib in the chaincode env image. Therefore I was not able to follow the trail of the video Keith presented here (https://www.youtube.com/watch?v=KZ5HThNjaeI).

iamprem (Thu, 30 Nov 2017 21:54:59 GMT):
Has joined the channel.

smithbk (Thu, 30 Nov 2017 22:17:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wT2SaFFPbeTCaCeDW) @C0rnelius There is one chain/ledger per channel. Access information is stored on the ledger so it is available to all peers who have joined a channel. You can control access on a per-identity basis by using the .ADMIN policy which checks to see if the client is in the list of admins for that org, so it is finer grained than per org. And then for decentralization across orgs, you can require that transactions have signatures from multiple orgs ... so it could be required to be signed by an admin from all orgs associated with the channel

smithbk (Thu, 30 Nov 2017 22:21:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tw9METgHFfsgcYxEG) @MuhammadSalah Did you try the fabric-samples/fabric-ca/build-images.sh script?

srongzhe (Fri, 01 Dec 2017 01:36:28 GMT):
Has joined the channel.

byron1st (Fri, 01 Dec 2017 03:30:23 GMT):
Has joined the channel.

CodeReaper (Fri, 01 Dec 2017 07:30:45 GMT):
How can I add the SANS field for the CA in the cryptogen.yaml file? Any file format which I can refer to?

ankitkamra (Fri, 01 Dec 2017 08:20:08 GMT):
Has joined the channel.

ArnabChatterjee (Fri, 01 Dec 2017 08:20:37 GMT):
Hello All, I wish to change the state and country in the subject of the certificates so that all certificates issued by the CA and cryptogen contain this information. I am enrolling users via the node sdk and generating crypto artifacts using cryptogen. Any ideas? Thanks :)

wanghaihui (Fri, 01 Dec 2017 08:48:18 GMT):
Has joined the channel.

Subramanyam (Fri, 01 Dec 2017 10:12:28 GMT):
Hi all, I want to know what HSM is and how we are using it in Hyperledger Fabric CA. What APIs are implemented for HSM in Hyperledger Fabric?

Subramanyam (Fri, 01 Dec 2017 10:13:55 GMT):
X.509 certificate functionality and how it handles everything in Hyperledger Fabric

Subramanyam (Fri, 01 Dec 2017 10:17:18 GMT):
@Vadim @jimthematrix In MSP, I want to know the key differences. Fabric CA is the default implementation of the authority, but I want to know whether all the organisations can be maintained by someone. Who will maintain that data in hyperledger fabric? And also I want to get a clear idea of the difference between a network admin and a normal user in hyperledger fabric.

subbu165 (Fri, 01 Dec 2017 12:53:05 GMT):
Hi, when I get into the fabric-ca container and run the sqlite3 command, it says command not found. How can I run sqlite3 within the container

subbu165 (Fri, 01 Dec 2017 12:54:54 GMT):
? However, if I run sqlite3 outside of the container from my mac, that works

Vadim (Fri, 01 Dec 2017 12:56:23 GMT):
you need to install sqlite3 inside your container

subbu165 (Fri, 01 Dec 2017 12:59:44 GMT):
you mean npm install sqlite3 inside fabric ca container?

Vadim (Fri, 01 Dec 2017 13:00:20 GMT):
I don't think npm can install sqlite3

Vadim (Fri, 01 Dec 2017 13:00:49 GMT):
try `apt-get update && apt-get install sqlite3`

subbu165 (Fri, 01 Dec 2017 13:01:39 GMT):
ok thanks

ArnabChatterjee (Fri, 01 Dec 2017 13:58:55 GMT):
Hi, how can I modify balance-transfer so as to make both org1 and org2 use a common CA server? Can anyone suggest the settings to me?

smithbk (Fri, 01 Dec 2017 15:44:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gK8sdZB8N7QgbXocK) @ArnabChatterjee So you're using cryptogen and not fabric-ca-server?

smithbk (Fri, 01 Dec 2017 15:47:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BrRSGTpFg7Ttgx5i7) @Subramanyam We are using PKCS11 APIs so anything adhering to that is supported. Testing with Gemalto, etc

smithbk (Fri, 01 Dec 2017 15:49:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YTggjR4BZTZxL3cJm) @Subramanyam If you're looking for an overview, that's more than can be answered via chat. More specific questions?

smithbk (Fri, 01 Dec 2017 15:53:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=v9DoFuuRRcDk2TGhq) @Subramanyam Question isn't really clear to me, though I will say that there is a loose coupling between fabric and fabric CA in that fabric simply does normal PKI cert checking and fabric CA or another CA can generate those certs. Each channel has multiple MSPs (typically a 1-1 between MSP and org) and each MSP has its own set of admins. Policies can reference admin or normal user for access control, but is configurable

Vadim (Fri, 01 Dec 2017 15:55:08 GMT):
@nabilchaabane 1) admin registers a user and gives him username/password 2) user generates a private key and a certificate signing request (CSR) and sends CSR to the CA using the username/password he got from the admin. CA signs the CSR and sends it back to a user[ ](https://chat.hyperledger.org/channel/general?msg=vaACexAFkopfAy7iJ)

nabilchaabane (Fri, 01 Dec 2017 15:55:08 GMT):
Has joined the channel.

nabilchaabane (Fri, 01 Dec 2017 16:01:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jNRC2ouDpZ96JpSAG) @Vadim Thanks for your answer! Does that mean that the user can connect from different machines (i.e. their computers and their phones)? They only need to re-generate a private key and a CSR on each machine they'd like to use?

Vadim (Fri, 01 Dec 2017 16:07:39 GMT):
@nabilchaabane depends on your use case, you can either do that or you can store the user's private key encrypted on a backend thus enabling sharing across devices or you can store everything and do enrollment from your backend on behalf of a user and then have user authenticated using conventional methods in web (username/password, sso, etc.)

nabilchaabane (Fri, 01 Dec 2017 16:10:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qvbij7q7uPkigid6N) @Vadim Thanks a lot. This has been very helpful.

RohanMalcolm (Fri, 01 Dec 2017 20:48:32 GMT):
Hey, I am trying to get fabric-ca to work with a physical HSM (I have gotten it to work with SoftHSM) via PKCS11. I have configured it to use the HSM via PKCS11 but keep getting invalid CKR_MECHANISMS. I believe that the problem exists on the hardware provider's side based on their support (they state all the mechanisms are supported), but I'm just picking someone's brain to see if they had tried it before and, if so, what the result was.

MuhammadSalah (Fri, 01 Dec 2017 23:19:08 GMT):
@smithbk I have been able to run the whole thing, but the thing is I have no idea why the libs were not on the ccenv image yet; for some reason they are just not there, so I took the dirty workaround and vendored the libs.

ArnabChatterjee (Sat, 02 Dec 2017 03:45:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vWDcc42rTzFiGaq2D) @smithbk - I am using cryptogen for generation of initial certs and will be using CA via node SDK

MohitYadav2317 (Sat, 02 Dec 2017 08:08:54 GMT):
Can anyone tell me what the affiliation field is when calling fabric_ca_client.register? I am getting this error: Failed getting affiliation 'customOrg.department1': sql: no rows in result set' when I call node registerUser.js in the fabcar example

mastersingh24 (Sat, 02 Dec 2017 10:56:01 GMT):
@MohitYadav2317 - fabcar uses the basic network sample which in turn just runs the default fabric-ca config. The affiliations are here: https://github.com/hyperledger/fabric-ca/blob/release/cmd/fabric-ca-server/config.go#L209

vdods (Sun, 03 Dec 2017 03:24:39 GMT):
Say a certificate is revoked by a CA, and that certificate is used somewhere in a channel (used by an intermediate CA, a peer, or a client, etc). Can the certificate revocation be put into a configuration update transaction for the affected channel? Or do CRLs have to be updated manually (by updating the relevant MSP dirs and restarting the relevant servers)?

vdods (Sun, 03 Dec 2017 03:25:28 GMT):
Also, is password changing or password recovery currently available in fabric-ca (or is it a planned feature)?

bizhenchao1201 (Sun, 03 Dec 2017 09:25:45 GMT):
Has joined the channel.

mastersingh24 (Sun, 03 Dec 2017 15:49:46 GMT):
@vdods - As a matter of fact, the only way to update CRLs is on a per channel basis and it is indeed done via a config update transaction for the relevant channel(s)

smithbk (Sun, 03 Dec 2017 16:31:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TmankfFKpKNXSge6Z) @vdods Support for changing password is provided by current change sets in review

MohammadObaid (Sun, 03 Dec 2017 16:33:18 GMT):
@smithbk when a user enrolls via fabric ca, I got two types of responses. 1 - JSON Web Token (JWT) with enrollment secret 2 - JSON Web Token (JWT) without enrollment secret. What is the difference between these two tokens generated?

smithbk (Sun, 03 Dec 2017 16:38:11 GMT):
@MohammadObaid fabric-ca-server doesn't return a token with the enrollment secret

MohammadObaid (Sun, 03 Dec 2017 17:40:04 GMT):

secrettoken.png

MohammadObaid (Sun, 03 Dec 2017 17:42:47 GMT):
@smithbk I was talking about this `secret` token. You were right, fabric-ca only returns the `Authorization` token, but then I am not sure what the purpose of this secret token is if it is not returned from the ca.

smithbk (Sun, 03 Dec 2017 18:05:24 GMT):
@MohammadObaid That looks like an automatically generated password which the fabric-ca-server generates when an identity is registered. It returns this from register but not from enroll, since the client must provide the secret/password in the enroll request. I assume you are showing the response from the REST service which is performing both a registration and enrollment to fabric-ca-server and returns both the secret and the token

MohammadObaid (Sun, 03 Dec 2017 18:21:34 GMT):
@smithbk Oh yeah, both register and enroll are called from the REST service. If the identity is already registered then we can only call enroll, right?

smithbk (Sun, 03 Dec 2017 18:31:58 GMT):
@MohammadObaid Correct, if already registered it would return an error if it tried to register again with the same enrollment ID

MohammadObaid (Sun, 03 Dec 2017 18:41:05 GMT):
Hmm.

ArnabChatterjee (Mon, 04 Dec 2017 02:45:08 GMT):
Hello people, can anyone tell me how I can modify balance-transfer example to use a single CA server for both organizations, one as the root and one as intermediate (root should belong to org1 and intermediate should belong to org2)?

ArnabChatterjee (Mon, 04 Dec 2017 04:21:12 GMT):
Any ideas @Vadim @smithbk ?

Subramanyam (Mon, 04 Dec 2017 08:47:08 GMT):
@jimthematrix @ArnabChatterjee @Vadim could you please differentiate who will be the network admin to access all server data? I mean every server has organisation data, and that data should be maintained by someone. Here, who is the key role that maintains all the users' data? Who is that person?

ArnabChatterjee (Mon, 04 Dec 2017 08:50:43 GMT):
@Subramanyam - I don't think there is any distinction between users at the data level. Users of the same channel can see all data. I think you have to develop your chaincode logic to implement data access control using the chaincode invoker's identity.

Subramanyam (Mon, 04 Dec 2017 09:07:04 GMT):
@ArnabChatterjee I mean, for example, we have different examples like fabric-ca, fabric-balance transfer, fabric-sample, etc.. Each and every one has different organisations maintained by someone; like that, for all organisations, who will maintain the data?

smithbk (Mon, 04 Dec 2017 10:20:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zZLCX5Y7KkrWbrDAm) @ArnabChatterjee You would modify the crypto-config folder so that both org1 and org2 contain the same self-signed root CA cert in their cacerts folders. The intermediatecacerts folder of org1 is empty and the intermediatecacerts folder of org2 has a CA cert issued by the cert in the corresponding cacerts folder. Or, if you were using fabric CA, for org1 you just enroll against the root CA and for org2 you enroll against the intermediate CA.

smithbk (Mon, 04 Dec 2017 10:26:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JoCHw2dErW359sLme) @Subramanyam Can you clarify what type of data you are referring to when you ask "who will maintain the data"? Perhaps give an example.

lcj (Mon, 04 Dec 2017 10:29:33 GMT):
Hello everyone, I would like to ask a question: I re-enrolled to get a new certificate for peer0, but how do I configure peer0 to use this new certificate?

Subramanyam (Mon, 04 Dec 2017 10:29:39 GMT):
@smithbk I am asking this for a real-world scenario: if you maintain an organisation, I maintain an organisation, and so on, then many organisations will exist and all of them should be maintained on a server. For that, who will provide access credentials to us, and who will maintain our credentials and data?

lcj (Mon, 04 Dec 2017 10:34:59 GMT):
I restarted peer0, but got an error:

lcj (Mon, 04 Dec 2017 10:35:37 GMT):
```
2017-12-04 05:07:45.858 UTC [flogging] setModuleLevel -> DEBU 36c Module 'grpc' logger enabled for log level 'ERROR'
2017-12-04 05:07:45.860 UTC [gossip/gossip] func1 -> WARN 36d Deep probe of peer0.org2.example.com:7051 failed: x509: certificate signed by unknown authority
2017-12-04 05:07:45.860 UTC [gossip/discovery] func1 -> WARN 36e Could not connect to {peer0.org2.example.com:7051 [] [] peer0.org2.example.com:7051} : x509: certificate signed by unknown authority
2017-12-04 05:07:47.845 UTC [gossip/comm] authenticateRemotePeer -> WARN 36f Failed reading messge from 10.0.0.18:53144, reason: Timed out waiting for connection message from 10.0.0.18:53144
2017-12-04 05:07:47.845 UTC [gossip/comm] GossipStream -> ERRO 370 Authentication failed: Timed out waiting for connection message from 10.0.0.18:53144
2017-12-04 05:07:51.854 UTC [deliveryClient] StartDeliverForChannel -> DEBU 371 This peer will pass blocks from orderer service to other peers for channel mychannel
2017-12-04 05:07:51.857 UTC [deliveryClient] connect -> DEBU 372 Connected to orderer1.example.com:7050
2017-12-04 05:07:51.857 UTC [deliveryClient] connect -> DEBU 373 Establishing gRPC stream with orderer1.example.com:7050 ...
2017-12-04 05:07:51.857 UTC [deliveryClient] afterConnect -> DEBU 374 Entering
2017-12-04 05:07:51.858 UTC [deliveryClient] RequestBlocks -> DEBU 375 Starting deliver with block [5] for channel mychannel
2017-12-04 05:07:51.858 UTC [deliveryClient] afterConnect -> DEBU 376 Exiting
2017-12-04 05:08:35.824 UTC [gossip/comm] createConnection -> WARN 377 Remote endpoint claims to be a different peer, expected [60 80 56 7 212 124 166 173 15 102 168 4 46 210 1 202 205 18 74 130 132 228 122 186 166 169 218 249 88 255 88 90] but got [94 90 164 175 163 39 196 66 203 21 219 56 53 166 41 5 185 5 60 25 254 8 55 90 208 21 172 207 28 147 231 166]
2017-12-04 05:08:35.824 UTC [gossip/comm] sendToEndpoint -> WARN 378 Failed obtaining connection for peer0.org1.example.com:7051, PKIid:[60 80 56 7 212 124 166 173 15 102 168 4 46 210 1 202 205 18 74 130 132 228 122 186 166 169 218 249 88 255 88 90] reason: Authentication failure
2017-12-04 05:09:00.829 UTC [gossip/comm] createConnection -> WARN 379 Remote endpoint claims to be a different peer, expected [60 80 56 7 212 124 166 173 15 102 168 4 46 210 1 202 205 18 74 130 132 228 122 186 166 169 218 249 88 255 88 90] but got [94 90 164 175 163 39 196 66 203 21 219 56 53 166 41 5 185 5 60 25 254 8 55 90 208 21 172 207 28 147 231 166]
2017-12-04 05:09:00.829 UTC [gossip/comm] sendToEndpoint -> WARN 37a Failed obtaining connection for peer0.org1.example.com:7051, PKIid:[60 80 56 7 212 124 166 173 15 102 168 4 46 210 1 202 205 18 74 130 132 228 122 186 166 169 218 249 88 255 88 90] reason: Authentication failure
2017-12-04 05:09:25.844 UTC [gossip/comm] createConnection -> WARN 37b Remote endpoint claims to be a different peer, expected [60 80 56 7 212 124 166 173 15 102 168 4 46 210 1 202 205 18 74 130 132 228 122 186 166 169 218 249 88 255 88 90] but got [94 90 164 175 163 39 196 66 203 21 219 56 53 166 41 5 185 5 60 25 254 8 55 90 208 21 172 207 28 147 231 166]
2017-12-04 05:09:25.844 UTC [gossip/comm] sendToEndpoint -> WARN 37c Failed obtaining connection for peer0.org1.example.com:7051, PKIid:[60 80 56 7 212 124 166 173 15 102 168 4 46 210 1 202 205 18 74 130 132 228 122 186 166 169 218 249 88 255 88 90] reason: Authentication failure
```

mp (Mon, 04 Dec 2017 12:37:19 GMT):
Has joined the channel.

bsteinfeld (Mon, 04 Dec 2017 14:35:34 GMT):
Has joined the channel.

bsteinfeld (Mon, 04 Dec 2017 14:39:02 GMT):
Does anyone know if there is a way to set `hostnameOverride` for the ca server (in the composer connection profile)? I'm getting the following error when trying to create identities (TLS error): ```Error: failed to request identity. Error trying to enroll user and return certificates. Error: Calling enrollment endpoint failed with error [Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: localhost. is not cert's CN: tlsca.my.domain] ```

jworthington (Mon, 04 Dec 2017 16:08:54 GMT):
I need the Organization crypto for genesis block and channel creation. Should I use the root from the CA Server? Or register a 'user' with the CA? Do any names need to match the Org name in the genesis and channel config names?

ashablyg (Mon, 04 Dec 2017 16:27:33 GMT):
hey guys, has anyone seen this error while trying to enroll a new user? ```[2017-12-04 11:23:37.505] [ERROR] Helper - Failed to get registered user: Jim with error: Error: Calling register endpoint failed with error [Error: write EPROTO 140737122890688:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:../deps/openssl/openssl/ssl/ssl_lib.c:2520: 140737122890688:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:../deps/openssl/openssl/ssl/s3_clnt.c:3550: ]```

jworthington (Mon, 04 Dec 2017 16:38:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LWdzdu5miYKuyCYmd) @ashablyg Is the user registered?

ashablyg (Mon, 04 Dec 2017 16:44:51 GMT):
@jworthington so I'm trying to register the user using the node SDK through the CA server?

ashablyg (Mon, 04 Dec 2017 16:45:10 GMT):
idk if that's the right way to do it though

ashablyg (Mon, 04 Dec 2017 16:48:06 GMT):
I guess the more appropriate question would be - where do I declare my affiliation for the ca server?

ashablyg (Mon, 04 Dec 2017 16:48:28 GMT):
Like department and all. I've never seen department being mentioned anywhere

jworthington (Mon, 04 Dec 2017 16:48:59 GMT):
The SDK works fine. You're not getting the 'right' crypto. Either you are not getting any crypto at all, or you are using a user that does not have --id.attrs '"hf.Registrar.Roles=peer,user".

ashablyg (Mon, 04 Dec 2017 16:50:50 GMT):
Just to be clear the FABRIC_CA_SERVER_CA_KEYFILE should be copied from crypto-config/peerOrganization/org/ca?

ashablyg (Mon, 04 Dec 2017 16:51:31 GMT):
where can I check hf.Registrar.Roles?

jworthington (Mon, 04 Dec 2017 16:53:11 GMT):
if you are using the CA admin then it is set on bootstrap in fabric-ca-server-config.yaml

jworthington (Mon, 04 Dec 2017 16:54:40 GMT):
if you are using another user then you have to set it during its registration. I use postgres so I can query it to see.

jworthington (Mon, 04 Dec 2017 16:56:09 GMT):
In the SDK, you can use FabricClient or FabricCAClient. require('fabric-client'); or require('fabric-ca-client/lib/FabricCAClientImpl.js');

ashablyg (Mon, 04 Dec 2017 16:57:42 GMT):
so I'm working with balance-transfer and I don't see fabric-ca-server-config.yaml

ashablyg (Mon, 04 Dec 2017 16:57:59 GMT):
I think my docker-compose.yaml boots up the CA server

jworthington (Mon, 04 Dec 2017 16:59:15 GMT):
yeah, I found it hard to understand the docker configs until I did it all without. I haven't done balance-transfer, but I am confident the CA admin has registrar rights.

ashablyg (Mon, 04 Dec 2017 17:00:09 GMT):
So maybe I should give it the Admin certs?

jworthington (Mon, 04 Dec 2017 17:00:16 GMT):
You just need to make sure you reference the correct crypto. When you call register from the client or ca-client, you have to send all the info.

jworthington (Mon, 04 Dec 2017 17:00:20 GMT):
yes.

jworthington (Mon, 04 Dec 2017 17:00:37 GMT):
The admin account will have registrar rights.

jworthington (Mon, 04 Dec 2017 17:01:54 GMT):
I use the CLI to create a user that has registrar rights, and then use that in my Node app to register new users.

ashablyg (Mon, 04 Dec 2017 17:03:29 GMT):
Yeah, balance-transfer doesn't even have a CLI container

smithbk (Mon, 04 Dec 2017 19:06:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yGiXDzfm95692EgoW) @lcj The `x509: certificate signed by unknown authority` error must mean that the issuer of the certificate before you reenrolled must be different from the issuer after the reenrollment. Did you compare the two AKI values? If it worked before but not after reenrollment, then the AKI must be different. How did you reenroll? Was it using `fabric-ca-client reenroll`?

smithbk (Mon, 04 Dec 2017 19:10:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tGHMtiDeHzyQiAMXt) @bsteinfeld The hostnameOverride is a client-side thing, so that is a question for the composer folks. Or you could also issue TLS certs with localhost added as a SAN (Subject Alternative Name) and not have to change the client.

deekshasharma (Mon, 04 Dec 2017 21:44:15 GMT):
Has joined the channel.

deekshasharma (Mon, 04 Dec 2017 21:46:01 GMT):
Hi, I am doing the Hyperledger course on edX -> chapter 7 -> Installing and running the first-network example. When I run this command to generate certificates and keys, it gives me the error shown below. Can anyone please help? `./byfn.sh -m generate`
```
Cannot run peer because error when setting up MSP from directory /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp: err CA Certificate is not valid, (SN: 51548574792226553138381936845633986282) [Could not obtain certification chain, err The supplied identity is not valid, Verify() returned x509: certificate has expired or is not yet valid] !!!!!!!!!!!!!!! Channel creation failed !!!!!!!!!!!!!!!!
```

gauthampamu (Tue, 05 Dec 2017 00:47:20 GMT):
@smithbk Let's say we have two participants/members on the network and each member has a fabric CA. Let's say you have a user certificate signed by the Fabric CA of member 1; can you use the key and signed user certificate to connect to the peer of member 2 to submit transactions?

lcj (Tue, 05 Dec 2017 01:16:51 GMT):
@smithbk Thank you for your reply :handshake: The first time, I generated a peer0 certificate with org1's admin user, and then I re-enrolled peer0's certificate with org1's admin user. In fact, what I want to do is: for a node, if the certificate has changed, e.g. it is expiring soon, the node will get a new certificate issued. At that point, how should the new certificate be configured in the fabric system?

Subramanyam (Tue, 05 Dec 2017 05:58:29 GMT):
Hi all, I want to know: what is an HSM and how is it used in Hyperledger Fabric CA? Which APIs are implemented for HSM in the Hyperledger Fabric X.509 certificate functionality, and how does it handle everything in Hyperledger Fabric?

username343 (Tue, 05 Dec 2017 07:45:14 GMT):
Hi everyone, I'm using fabric-ca 1.1.0-preview images to register users, but I am getting the error `POST /register 401 43 "Registrar does not have any values for 'hf.Registrar.Attributes' thus can't register any attributes"`

JOYELIN (Tue, 05 Dec 2017 07:57:50 GMT):
Has joined the channel.

AJAJ (Tue, 05 Dec 2017 08:02:04 GMT):
Has joined the channel.

C0rnelius (Tue, 05 Dec 2017 09:50:40 GMT):
Hi guys, I am trying to set up a network to use RBAC. What is the best approach to do so? Is it possible to take the basic-network sample, run the ABAC chaincode on it, and use identity-attributes as user-roles? Can I run this with v1.0.4 images or should I use the 1.1.0-previews? Did someone do this already and can provide some best-practice?

Vadim (Tue, 05 Dec 2017 09:55:03 GMT):
@C0rnelius the best is to go with https://github.com/hyperledger/fabric/tree/master/core/chaincode/lib/cid which is available in 1.1-preview

DarshanBc (Tue, 05 Dec 2017 10:51:11 GMT):
can the keys and values in the world state be shared between 2 channels?

ashablyg (Tue, 05 Dec 2017 15:33:16 GMT):
Hey guys, did anyone get the fabric-ca sample working? When I follow the instructions, I get `Error: TLS is enabled but no TLS certificate provided`

aambati (Tue, 05 Dec 2017 15:59:23 GMT):
@ashablyg can you provide more details. At what stage do you see this error

ashablyg (Tue, 05 Dec 2017 16:01:41 GMT):
Sure thing. So I got the fabric-ca sample from 1.1 master. I follow the instructions, and when I try to run start.sh, it looks like the root CA certs aren't created

ashablyg (Tue, 05 Dec 2017 16:01:56 GMT):
Here's a part of the rca log
```
2017/12/04 21:05:32 [DEBUG] DB: Add affiliation org1
2017/12/04 21:05:32 [DEBUG] Affiliation 'org1' already exists
2017/12/04 21:05:32 [DEBUG] DB: Add affiliation org1.department1
2017/12/04 21:05:32 [DEBUG] Affiliation 'org1.department1' already exists
2017/12/04 21:05:32 [DEBUG] DB: Add affiliation org1.department2
2017/12/04 21:05:32 [DEBUG] Affiliation 'org1.department2' already exists
2017/12/04 21:05:32 [DEBUG] Successfully loaded affiliations table
2017/12/04 21:05:32 [INFO] Initialized sqlite3 database at /etc/hyperledger/fabric-ca/fabric-ca-server.db
2017/12/04 21:05:32 [DEBUG] Initializing enrollment signer
2017/12/04 21:05:33 [DEBUG] validating configuration
2017/12/04 21:05:33 [DEBUG] validate local profile
2017/12/04 21:05:33 [DEBUG] profile is valid
2017/12/04 21:05:33 [DEBUG] validate local profile
2017/12/04 21:05:33 [DEBUG] profile is valid
2017/12/04 21:05:33 [DEBUG] validate local profile
2017/12/04 21:05:33 [DEBUG] profile is valid
2017/12/04 21:05:33 [DEBUG] CA initialization successful
2017/12/04 21:05:33 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca
2017/12/04 21:05:33 [DEBUG] 1 CA instance(s) running on server
2017/12/04 21:05:33 [DEBUG] TLS is enabled
2017/12/04 21:05:33 [DEBUG] Closing server DBs
Error: TLS is enabled but no TLS certificate provided
```

skarim (Tue, 05 Dec 2017 18:49:53 GMT):
@username343 A new attribute 'hf.Registrar.Attributes' was introduced that controls what attributes a user can register. So unfortunately, if you already had registrars in your database, they will not have that attribute. You can register a new registrar with 'hf.Registrar.Attributes' and this new registrar should then be able to register users with attributes. There is currently a fix in progress that will resolve this backwards compatibility issue.

rickr (Tue, 05 Dec 2017 20:20:28 GMT):
@skarim @smithbk Would it be reasonable for the CA in v1.1 to add a version field to the response of the cainfo endpoint, so that the SDK client could inspect it to determine which options the server supports?

rickr (Tue, 05 Dec 2017 20:22:03 GMT):
I think now it just returns CAName and CAChain

rickr (Tue, 05 Dec 2017 20:35:29 GMT):
I'll open a JIRA if this seems reasonable

toddinpal (Wed, 06 Dec 2017 01:08:35 GMT):
Can v1.0.x fabric-ca create a CRL?

aambati (Wed, 06 Dec 2017 02:57:08 GMT):
@toddinpal no

aambati (Wed, 06 Dec 2017 03:57:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nmWjPgkgQGnx5i5xk) @ashablyg i am able to reproduce the problem...I think changes made in https://gerrit.hyperledger.org/r/c/15373/ caused this problem, but not sure...investigating

username343 (Wed, 06 Dec 2017 05:23:38 GMT):
thanks @skarim

aambati (Wed, 06 Dec 2017 05:53:10 GMT):
@ashablyg I think I know the problem and have a solution. I will open a JIRA for this and submit a CR. I had to make the following changes in case you want to get going: ```git diff diff --git a/fabric-ca/makeDocker.sh b/fabric-ca/makeDocker.sh index 8324409..726e8ad 100755 --- a/fabric-ca/makeDocker.sh +++ b/fabric-ca/makeDocker.sh @@ -128,6 +128,7 @@ function writeRootCA { environment: - FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca - FABRIC_CA_SERVER_TLS_ENABLED=true + - FABRIC_CA_SERVER_TLS_CERTFILE=tls-cert.pem - FABRIC_CA_SERVER_CSR_CN=$ROOT_CA_NAME - FABRIC_CA_SERVER_CSR_HOSTS=$ROOT_CA_HOST - FABRIC_CA_SERVER_DEBUG=true @@ -152,6 +153,7 @@ function writeIntermediateCA { - FABRIC_CA_SERVER_INTERMEDIATE_TLS_CERTFILES=$ROOT_CA_CERTFILE - FABRIC_CA_SERVER_CSR_HOSTS=$INT_CA_HOST - FABRIC_CA_SERVER_TLS_ENABLED=true + - FABRIC_CA_SERVER_TLS_CERTFILE=tls-cert.pem - FABRIC_CA_SERVER_DEBUG=true - BOOTSTRAP_USER_PASS=$INT_CA_ADMIN_USER_PASS - PARENT_URL=https://$ROOT_CA_ADMIN_USER_PASS@$ROOT_CA_HOST:7054```
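Review bot: the same `- FABRIC_CA_SERVER_TLS_CERTFILE=tls-cert.pem` line is added verbatim to both writeRootCA and writeIntermediateCA, and because it is a relative path its meaning depends on the server home directory, which the writeRootCA hunk pins with `FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca` while the writeIntermediateCA hunk shows no such setting. Consider driving both lines from one shared variable so the two CA definitions cannot drift, and confirm that the intermediate CA's home is the directory where its `tls-cert.pem` is generated; a one-line comment above each addition saying why the explicit cert file is now required (the server otherwise fails with `TLS is enabled but no TLS certificate provided`, per the log posted earlier in this thread) would also help the next reader.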

aambati (Wed, 06 Dec 2017 05:54:58 GMT):
```git diff lib/ca.go diff --git a/lib/ca.go b/lib/ca.go index b660b712d..7aca63bbc 100644 --- a/lib/ca.go +++ b/lib/ca.go @@ -401,6 +401,7 @@ func (ca *CA) getCAChain() (chain []byte, err error) { return nil, errors.New("The server has no configuration") } certAuth := &ca.Config.CA + // If the chain file exists, we always return the chain from here if util.FileExists(certAuth.Chainfile) { return util.ReadFile(certAuth.Chainfile) @@ -437,6 +438,9 @@ func (ca *CA) initConfig() (err error) { if cfg.CA.Keyfile == "" { cfg.CA.Keyfile = "ca-key.pem" } + if cfg.CA.Chainfile == "" { + cfg.CA.Chainfile = "ca-chain.pem" + } if cfg.CSR.CA == nil { cfg.CSR.CA = &cfcsr.CAConfig{} }```
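Review bot: the new default `cfg.CA.Chainfile = "ca-chain.pem"` in initConfig changes getCAChain's result for any server that already has a stale `ca-chain.pem` in its home directory, because the first hunk's added comment confirms that when the chain file exists it is returned unconditionally and the cert file is never consulted. The default should be documented next to the existing `ca-cert.pem` and `ca-key.pem` defaults, and the comment in getCAChain would be clearer if it stated the precedence explicitly ("the chain file, when present, takes precedence over certfile") so that readers know which file to remove when a CA is re-initialized.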

aambati (Wed, 06 Dec 2017 05:58:34 GMT):
after making the changes, I did the following:
```
cd $GOPATH/src/github.com/hyperledger/fabric-samples/fabric-ca
stop.sh
cd $GOPATH/src/github.com/hyperledger/fabric-ca
make docker-clean
make docker
cd $GOPATH/src/github.com/hyperledger/fabric-samples/fabric-ca
start.sh
```

Subramanyam (Wed, 06 Dec 2017 12:48:19 GMT):
Hi all, I want to know: 1) What is an HSM and how is it used in Hyperledger Fabric CA? Which APIs are implemented for HSM in Hyperledger Fabric? 2) How does the X.509 certificate functionality work and how does it handle everything in Hyperledger Fabric? 3) In the MSP, I want to know the key differences: Fabric CA is the default implementation of the authority, but all the organisations can have admins and users. Who will maintain that data in Hyperledger Fabric? I would also like a clear idea of the difference between a network admin and a normal user in Hyperledger Fabric.

Vadim (Wed, 06 Dec 2017 12:51:12 GMT):
@Subramanyam https://docs.google.com/document/d/1Qg7ZEccOIsrShSHSNl4kBHOFvLYRhQ3903srJ6c_AZE/edit#heading=h.2rmho7iqstbu

Subramanyam (Wed, 06 Dec 2017 13:28:03 GMT):
@Vadim thanks for the info regarding MSP

smithbk (Wed, 06 Dec 2017 14:23:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zvN2MaDYuwTf5Y7HH) @rickr We can add it, but two comments: 1) we may want a /info endpoint to return per-server info rather than per-CA info, and 2) I think returning a list of currently enabled capabilities is more usable for this use case, since for example the CRL endpoint may be disabled if the signing cert doesn't have CRL signing as a usage. Anyway, yes, if you'll open a JIRA, we can go from there.

smithbk (Wed, 06 Dec 2017 14:31:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=coBXpxBEDkADs6RJh) @C0rnelius You can use any chaincode as long as you add calls to `cid` such as `cid.AssertAttributeValue`. You definitely need to use the 1.1.0-preview image of fabric-ca, and it is probably simplest to use 1.1.0-preview of fabric also, which contains the cid library, but the cid library should also be compatible with v1.0.4 of chaincode if necessary.

C0rnelius (Wed, 06 Dec 2017 14:37:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sBgMmtZaGKooXS7WX) @smithbk thank you for your reply. I will use fabric preview-1.1.0 including the cid library of 1.1.0. It seems to work just as fine as 1.0.4 :)

ashablyg (Wed, 06 Dec 2017 15:29:00 GMT):
@aambati wow, thank you! I'll give it a try.

vudathasaiomkar (Thu, 07 Dec 2017 07:04:52 GMT):
Has joined the channel.

asuchit (Thu, 07 Dec 2017 09:58:45 GMT):
@smithbk I am starting the root CA with TLS enabled. When I inspect tls-cert.pem using openssl, the CN value in the Subject section is the computer name. I cannot find how to set this CN value. I tried it another way: this time I started the root CA without TLS enabled and then generated the TLS certificates for the root CA, but in this case the CN value in the Subject section is registry.identities.name. What does the Subject section's CN value depend on, and how is it set?

vieiramanoel (Thu, 07 Dec 2017 16:53:06 GMT):
Has joined the channel.

vieiramanoel (Thu, 07 Dec 2017 16:54:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LEYhb2LD3Pmj7tuLp) @asuchit when you use https which tls cert do you use in fabric-ca-client?

vieiramanoel (Thu, 07 Dec 2017 16:57:21 GMT):
in fact I have TLS enabled, and I want to add a new peer, which wasn't generated at blockchain creation, to my network

vieiramanoel (Thu, 07 Dec 2017 16:57:43 GMT):
I need certificates for it, and the CA must provide me those

vieiramanoel (Thu, 07 Dec 2017 16:57:45 GMT):
BUT

vieiramanoel (Thu, 07 Dec 2017 16:58:45 GMT):
I've been working two days in that and still can't figure out how to do that

vieiramanoel (Thu, 07 Dec 2017 16:59:57 GMT):
when I try to enroll my new peer (peer2) I get a TLS error (using https) and can't find out which cert file I must pass as an argument to the enroll function

aambati (Thu, 07 Dec 2017 17:21:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sKfsjcM88Kg8W6fsj) @asuchit server uses hostname for CN. @see https://github.com/hyperledger/fabric-ca/blob/d365e506186e6291f2a0b0512360462bad4bc4b0/lib/server.go#L749 ...why do you need to specify the CN?

naveenv (Fri, 08 Dec 2017 05:09:15 GMT):
Has joined the channel.

asuchit (Fri, 08 Dec 2017 07:08:03 GMT):
@vieiramanoel You can use the CA TLS cert OR the CA cert OR both. You can also use the certs/TLS certs of all CA servers in the hierarchy.

MohammadObaid (Fri, 08 Dec 2017 07:17:56 GMT):
Hi all. I am having a hard time understanding the difference between the fabric-ca and cryptogen tools. I have seen in the balance-transfer example that both fabric-ca and cryptogen are used. What are the specific roles of each?

Vadim (Fri, 08 Dec 2017 07:20:08 GMT):
@MohammadObaid cryptogen is for dev only and used to quickly generate many certificates

MohammadObaid (Fri, 08 Dec 2017 07:21:17 GMT):
And for production environment we should use fabric-ca for generating all sort of certificates and crypto-material right ?

Vadim (Fri, 08 Dec 2017 07:21:27 GMT):
right

Vadim (Fri, 08 Dec 2017 07:22:20 GMT):
or any other CA or openssl... the point is that you don't want somebody to have access to all private keys of all orgs, as is the case with cryptogen

asuchit (Fri, 08 Dec 2017 08:05:35 GMT):
hf.Registrar.Attributes: "*" is set on the Root CA and I am not able to register for org1: `Registrar does not have authority to request 'org1' affiliation`. Can anyone help me with it?

oralzb (Fri, 08 Dec 2017 15:36:14 GMT):
Has joined the channel.

smithbk (Fri, 08 Dec 2017 16:36:59 GMT):
@asuchit What is the affiliation of the registrar (i.e. the identity you used when trying to register)?

smithbk (Fri, 08 Dec 2017 16:37:59 GMT):
This is indicating that its affiliation was not the empty string or "org1"

smithbk (Fri, 08 Dec 2017 16:38:53 GMT):
If you enable debug logging on the server, it will indicate the registrar's affiliation

vieiramanoel (Fri, 08 Dec 2017 16:54:52 GMT):
@asuchit the command I'm trying: ```fabric-ca-client enroll -u "https://peer0:peer0pw@ca.org1.example.com:7054" --tls.client.certfile `pwd`/ca.org1.example.com-cert.pem --tls.client.keyfile private key```

vieiramanoel (Fri, 08 Dec 2017 16:55:21 GMT):
the error I get: `Error: Failed to get client TLS config: No TLS certificate files were provided`

gdinhof (Fri, 08 Dec 2017 17:03:13 GMT):
Has joined the channel.

MohammadObaid (Fri, 08 Dec 2017 18:28:43 GMT):
@Vadim Alright, thanks :) I will look into it. The only tutorial I found for this is https://www.ibm.com/developerworks/cloud/library/cl-build-blockchain-network-with-custom-cryptographic-material-from-your-certificate-authority/index.html . If you know any better, please let me know.

steveruckdashel (Fri, 08 Dec 2017 20:56:06 GMT):
Has joined the channel.

steveruckdashel (Fri, 08 Dec 2017 21:00:32 GMT):
btw, aki is not getting set if you compile with go 1.9. Found FAB-6003, but has that fix not shipped yet?

smithbk (Fri, 08 Dec 2017 21:13:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uJzxQR4u6yYtFfQLk) @vieiramanoel You need to use the --tls.certfiles option. That is the only option needed unless the server is configured to require TLS client authentication

smithbk (Fri, 08 Dec 2017 21:17:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3yHLRaWtsLJw8yZSn) @MohammadObaid Have you seen the fabric-ca sample at https://github.com/hyperledger/fabric-samples/tree/v1.1.0-preview/fabric-ca#hyperledger-fabric-ca-sample

smithbk (Fri, 08 Dec 2017 21:42:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Pjvxqq7vZSTmTebWS) @steveruckdashel Not in the v1.0.x release stream, but it is in the v1.1.0-preview tag of master.

steveruckdashel (Fri, 08 Dec 2017 21:44:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=24v5N8Ei5vJ2RpHZo) @smithbk target release date on that?

smithbk (Fri, 08 Dec 2017 21:46:18 GMT):
@steveruckdashel alpha coming soon but don't know exact date

smithbk (Fri, 08 Dec 2017 21:46:29 GMT):
you have to use go 1.9?

steveruckdashel (Fri, 08 Dec 2017 21:49:27 GMT):
I default to current versions.

smithbk (Fri, 08 Dec 2017 22:17:26 GMT):
@steveruckdashel submitted https://gerrit.hyperledger.org/r/16063

eclairamb (Fri, 08 Dec 2017 22:23:31 GMT):
Has joined the channel.

httran88 (Sat, 09 Dec 2017 22:07:15 GMT):
Has joined the channel.

httran88 (Sat, 09 Dec 2017 22:07:19 GMT):
howdy!

httran88 (Sat, 09 Dec 2017 22:12:02 GMT):
@here For the Fabric CA User guide at `https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html` section Attribute-based access control, the links `https://github.com/hyperledger/fabric-samples/tree/release/fabric-ca/README.md` and `https://github.com/hyperledger/fabric/tree/release/core/chaincode/lib/cid/README.md` are missing. Any idea if it has been removed or moved somewhere else? I would really like to read these information. Thank you community!

nehirakdag (Sun, 10 Dec 2017 04:55:30 GMT):
Has joined the channel.

dave.enyeart (Sun, 10 Dec 2017 06:15:55 GMT):
@httran88 if you replace 'release' with 'master' in those links they will work. Once 1.1 is released the 'release' links will also work. We'll need to figure out how to manage the doc links going forward so that they work both prior and after release.

alvaradojl (Sun, 10 Dec 2017 11:19:04 GMT):
Has joined the channel.

httran88 (Mon, 11 Dec 2017 01:03:45 GMT):
thank you @dave.enyeart

vieiramanoel (Mon, 11 Dec 2017 01:49:59 GMT):
@smithbk thanks, man. I got a CA working on my PC. So I generated cryptogen files, started the CA, and got my networking working. Now I have to find out how to add a new peer to this network

asuchit (Mon, 11 Dec 2017 10:57:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iaSLw6dHiv4eMW2pz) @smithbk Later I tried like below and worked for me : hf.Registrar.Attributes: "org1,org2,orgOrderer1,hf.IntermediateCA"

smithbk (Mon, 11 Dec 2017 12:51:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=trsZ8W8ECAv7eDNS5) @vieiramanoel If the peer is for a new org, you must first add the new org as described at https://hyperledger-fabric.readthedocs.io/en/master/channel_update.html. You can then register an identity for a peer using `fabric-ca-client register` and enroll the peer using `fabric-ca-client enroll` as is done in the fabric-ca sample at https://github.com/hyperledger/fabric-samples/tree/v1.1.0-preview/fabric-ca

vieiramanoel (Mon, 11 Dec 2017 12:53:26 GMT):
@smithbk In that case where my new peer is from same org I just follow the steps from register on, right?

smithbk (Mon, 11 Dec 2017 12:54:00 GMT):
yes, correct

vieiramanoel (Mon, 11 Dec 2017 12:54:15 GMT):
Right, I'll try, thanks

vu3mmg (Mon, 11 Dec 2017 15:25:24 GMT):
Has joined the channel.

vu3mmg (Mon, 11 Dec 2017 15:26:17 GMT):
Dear experts, could you please help me configure fabric-ca to serve ECerts from well-known CAs, or to act as an intermediate CA of well-known CAs?

vu3mmg (Mon, 11 Dec 2017 15:39:25 GMT):
Also, one query about ABAC: is the feature available in 1.1 preview? I got a compilation error in the peer container while trying to use the function. I had to copy the dependencies manually.

aambati (Mon, 11 Dec 2017 15:57:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XX5TywHFFL2RRsFH5) @vu3mmg i believe it is available in 1.1 preview

aambati (Mon, 11 Dec 2017 16:00:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GfmZk8sgqn8dxXLEo) @vu3mmg have you looked at https://developer.ibm.com/code/patterns/build-your-first-blockchain-application/

aambati (Mon, 11 Dec 2017 16:00:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GfmZk8sgqn8dxXLEo) @vu3mmg have you looked at https://www.ibm.com/developerworks/cloud/library/cl-build-blockchain-network-with-custom-cryptographic-material-from-your-certificate-authority/index.html

vieiramanoel (Mon, 11 Dec 2017 16:13:01 GMT):
@smithbk when I try `fabric-ca-client enroll -u "https://admin:adminpw@ca.org1.example.com:7054" --tls.certfiles msp/cacerts/ca.org1.example.com-cert.pem` I get this error:
```
2017/12/11 14:12:35 [INFO] TLS Enabled
2017/12/11 14:12:35 [INFO] generating key: &{A:ecdsa S:256}
2017/12/11 14:12:35 [INFO] encoded CSR
Error: Response from server: Error Code: 0 - Certificate signing failure: {"code":5300,"message":"Policy violation request"}
```

vieiramanoel (Mon, 11 Dec 2017 16:13:57 GMT):
which policy does it refer to?

vieiramanoel (Mon, 11 Dec 2017 16:17:29 GMT):
I didn't find any in fabric-ca-server-config

vieiramanoel (Mon, 11 Dec 2017 16:45:24 GMT):
misconfiguration in the client file, ignore that

mohdhafeezaj (Mon, 11 Dec 2017 21:51:35 GMT):
Has joined the channel.

mohdhafeezaj (Mon, 11 Dec 2017 21:51:56 GMT):
If I have to create an application which is public and has users registered in the web application, should I issue a certificate for each registered user, or can I have one certificate which has internal access? What is the best practice?

httran88 (Mon, 11 Dec 2017 23:45:30 GMT):
Hi, can someone tell me the difference between crypto-config/peerOrganizations/peer.example.com/ca and crypto-config/peerOrganizations/peer.example.com/tlsca? When is each one used? Thank you

handasontam (Tue, 12 Dec 2017 01:43:11 GMT):
Has joined the channel.

aambati (Tue, 12 Dec 2017 04:39:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7tLqXqx73fpkN5ThE) @httran88 both are used. The tlsca folder contains the root CA cert that issued the certs used in TLS communication, whereas the ca folder contains the root CA cert

guolidong (Tue, 12 Dec 2017 05:57:08 GMT):
Has joined the channel.

asuchit (Tue, 12 Dec 2017 13:46:46 GMT):
When I initialise the root CA (fabric-ca-server init), it generates only RootCaCert, even if I pass --tls-enabled. Then I need to open config.yaml, set tls-enabled to true and start the server. After that it generates the RootCaTlsCert. This is also fine for me, but the problem is that the issuer of RootCaTlsCert is RootCaCert. How can I generate these 2 certificates independently?

5igm4 (Tue, 12 Dec 2017 14:19:31 GMT):
Quick question about ldap DN and affiliate path. Correct me if I'm wrong, but if I want to enroll a user, let's call him `user1`, who is affiliated with `org1`, `department1`--should the DN look something like this: `uid=user1,ou=department1,ou=org1,ou=user,dc=my-domain,dc=com` ?

fch22 (Tue, 12 Dec 2017 16:11:55 GMT):
Has joined the channel.

aambati (Tue, 12 Dec 2017 16:14:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fXNendEncMTb6MEtx) @asuchit You want the fabric-ca server's TLS cert signed by another CA certificate, not the server's CA cert? If so, currently it is not possible. Can you please explain your use case, i.e. why you need the server's TLS cert to have a different root?

httran88 (Wed, 13 Dec 2017 01:41:47 GMT):
@aambati thank you for the reply. So if I am getting this correctly, if I set TLS to enabled, I would use the tlsca directory?

asuchit (Wed, 13 Dec 2017 05:04:54 GMT):
@aambati I am creating a root CA server. Is it common/right behavior that the root CA TLS certificate is signed by its root CA certificate? As per my understanding, the root CA cert and the root CA TLS cert should both be self-signed.

JayJong (Wed, 13 Dec 2017 06:32:53 GMT):
Does anyone know how to git clone the fabric-ca in the fabric-samples? When I git clone fabric-samples, fabric-ca is not inside

Norberthu (Wed, 13 Dec 2017 09:55:50 GMT):
Has joined the channel.

DarshanBc (Wed, 13 Dec 2017 10:52:14 GMT):
Since working with the cli container is not recommended in a production environment, how do I add an org dynamically without using the CLI container?

Vadim (Wed, 13 Dec 2017 10:53:25 GMT):
use sdk

DarshanBc (Wed, 13 Dec 2017 11:35:04 GMT):
How? Any example?

fch22 (Wed, 13 Dec 2017 13:42:37 GMT):
Hi all, I have a fresh installation of fabric-samples using the 1.1.0-preview version, and then I tried to start the fabcar channel. In the 1st scenario I just used the `./startFabric.sh` command but got some failure. Then I ran `./generate.sh` from basic-network before getting the network up and running. Then I successfully executed `node enrollAdmin.js` and `node registerUser.js`. The problem appeared when trying to execute the query:
```
[root@nkoin-dev-2 fabcar]# node query.js
Store path:/home/chaume1/fabric-samples/fabcar/hfc-key-store
Successfully loaded user1 from persistence
error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: Failed to deserialize creator identity, err the supplied identity is not valid: x509: certificate signed by unknown authority
    at /home/chaume1/fabric-samples/fabcar/node_modules/grpc/src/client.js:554:15
Query has completed, checking results
error from query = { Error: Failed to deserialize creator identity, err the supplied identity is not valid: x509: certificate signed by unknown authority
    at /home/chaume1/fabric-samples/fabcar/node_modules/grpc/src/client.js:554:15
  code: 2,
  metadata: Metadata { _internal_repr: {} } }
```
I guess it is a well-known problem; if someone can help I would be glad

fch22 (Wed, 13 Dec 2017 13:54:48 GMT):
forget my message, sent in the wrong channel

indirajith (Wed, 13 Dec 2017 14:01:48 GMT):
Hi all, I am looking for the chaincode example mentioned in the fabric-ca sample: "See the chaincode at fabric-samples/chaincode/abac/abac.go". It seems to have been removed. Any pointers? Thanks in advance!

Vadim (Wed, 13 Dec 2017 14:02:28 GMT):
@indirajith this one? https://github.com/hyperledger/fabric-samples/tree/master/chaincode/abac

indirajith (Wed, 13 Dec 2017 14:03:38 GMT):
@Vadim Oh, yes. Thank you very much!

indirajith (Wed, 13 Dec 2017 14:04:41 GMT):
I was searching in the release branch, my bad.

Khaled.MH (Wed, 13 Dec 2017 14:41:13 GMT):
Has joined the channel.

Sahar (Wed, 13 Dec 2017 14:42:36 GMT):
Has joined the channel.

smithbk (Wed, 13 Dec 2017 18:21:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2EZucFQptWMc2K9hC) @DarshanBc There is nothing wrong with using a CLI container ... well, unless you use it to generate all of the key pairs and so it has access to all private keys. You of course wouldn't do this in production. But there is nothing inherently wrong with using a CLI container.

smithbk (Wed, 13 Dec 2017 18:30:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rTRLHckJoYmmbv49r) @5igm4 The format of the DN of an LDAP user is defined by the LDAP server. The affiliation of an LDAP user is "calculated" from whatever OUs are returned for the user from the LDAP server.

smithbk (Wed, 13 Dec 2017 18:35:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HJ6xMsdw3awsJtzGJ) @mohdhafeezaj It is best to get a certificate for each user so that each transaction on the ledger will have per-user signatures

songsx (Thu, 14 Dec 2017 03:51:27 GMT):
Has joined the channel.

jaswanth (Thu, 14 Dec 2017 05:57:46 GMT):
@smita0709 I am trying to build my own containers. I created some orgs like `university` and `mainorg` and generated the certificates with the cryptogen tools. When I enroll the admin I get the error `[Error: connect ECONNREFUSED 127.0.0.1:8054]`. In the fabric-ca logs:
```
2017/12/14 05:49:54 [INFO] Key file location: /etc/hyperledger/fabric-ca-server-config/bb8fc6c5f9791a268807887e92cf61f1334a9dc7823b75541cb63bf0be338dc6_sk
2017/12/14 05:49:54 [INFO] Certificate file location: /etc/hyperledger/fabric-ca-server-config/ca.getinfo.example.com-cert.pem
2017/12/14 05:49:54 [DEBUG] Validating the CA certificate and key
2017/12/14 05:49:54 [DEBUG] Check CA certificate for valid dates
2017/12/14 05:49:54 [DEBUG] Check CA certificate for valid usages
2017/12/14 05:49:54 [DEBUG] Check CA certificate for valid IsCA value
2017/12/14 05:49:54 [DEBUG] Check that key type is supported
2017/12/14 05:49:54 [DEBUG] Check that key size is of appropriate length
2017/12/14 05:49:54 [DEBUG] Check that public key and private key match
2017/12/14 05:49:54 [DEBUG] Closing server DBs
Error: Validation of certificate and key failed: Invalid certificate and/or key in files '/etc/hyperledger/fabric-ca-server-config/ca.getinfo.example.com-cert.pem' and '/etc/hyperledger/fabric-ca-server-config/bb8fc6c5f9791a268807887e92cf61f1334a9dc7823b75541cb63bf0be338dc6_sk': Public key and private key do not match
```
I checked the keys with an online tool and it says they match. Any HELP?

jaswanth (Thu, 14 Dec 2017 06:23:33 GMT):
@smithbk I am trying to generate my own containers. I am able to enroll into the network, but when I do register (`Affiliation:employers` -> is this correct?), in fabric-ca I got:
```
Received registration request from : { Name:arcAdmin Type:user Secret:**** MaxEnrollments:1 Affiliation:employers Attributes:[{id arcadmin true} {accountType employer true} {worksin arc true} {studyingIn arc true} {position admin true} {isAdmin true true}] CAName: }
2017/12/14 06:19:15 [DEBUG] Sent error for /api/v1/register: scode: 401, local code: 30, local msg: Certificate not found with AKI 'bad5294aaa6641a80e7d6a8f55083292b1d14d129701c50c98c19462691f06f0' and serial '33928cbe5e3be8d324bc9a4ad434791ac5a1c018', remote code: 20, remote msg: Authorization failure
github.com/hyperledger/fabric-ca/lib.newAuthErr
	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/servererror.go:145
github.com/hyperledger/fabric-ca/lib.(*serverRequestContext).TokenAuthentication
	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/serverrequestcontext.go:157
github.com/hyperledger/fabric-ca/lib.registerHandler
	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/serverregister.go:49
github.com/hyperledger/fabric-ca/lib.(*serverEndpoint).ServeHTTP
	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/serverendpoint.go:44
net/http.(*ServeMux).ServeHTTP
	/opt/go/src/net/http/server.go:2254
net/http.serverHandler.ServeHTTP
	/opt/go/src/net/http/server.go:2619
net/http.(*conn).serve
	/opt/go/src/net/http/server.go:1801
runtime.goexit
	/opt/go/src/runtime/asm_amd64.s:2337
2017/12/14 06:19:15 [INFO] 172.18.0.1:47514 POST /api/v1/register 401 30 "Certificate not found with AKI 'bad5294aaa6641a80e7d6a8f55083292b1d14d129701c50c98c19462691f06f0' and serial '33928cbe5e3be8d324bc9a4ad434791ac5a1c018'"
```

mp (Thu, 14 Dec 2017 09:12:43 GMT):
Hello, what is the recommended way of organizing CA servers for issuing ECerts and TLS certs for fabric participants? A single CA with different profiles (tls, ecert) or separate CAs? And in the second case, should the root CA for ECerts self-issue its TLS cert or get it from the TLS CA?

mychewcents (Thu, 14 Dec 2017 09:16:25 GMT):
Has left the channel.

smithbk (Thu, 14 Dec 2017 12:54:40 GMT):
@jaswanth That error should only occur if the ecert of the registrar was not obtained from the same fabric-ca-server. How are you getting the registrar's identity?

smithbk (Thu, 14 Dec 2017 12:56:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xubYfP9BmBZh3L5dx) @mp A single CA with different profiles as is done by fabric-samples/fabric-ca

rsherwood (Thu, 14 Dec 2017 16:01:08 GMT):
Has joined the channel.

tfuanig (Thu, 14 Dec 2017 16:15:22 GMT):
Has joined the channel.

pmcosta1 (Thu, 14 Dec 2017 17:05:01 GMT):
Hi, I've set up a CA to use LDAP. I have registered peers on LDAP and can use the Fabric CA Client to enrol them. My question is related to having an actual peer enrol, i.e. where in the peer do I configure the CA and the matching record info created on LDAP? Thanks in advance

RohanMalcolm (Thu, 14 Dec 2017 19:06:09 GMT):
Hey, does anyone know if fabric-ca version 1.1.0 preview has HSM support? I tried with 1.0.4 and it worked (had to build without the static flag). Now I am trying with 1.1.0 and it is throwing a segmentation error, and I see that under the user-guide docs there is no option to view the docs for 1.1.0. On a brand new computer I also get:
```
fabric-ca-server | fabric-ca-server: error while loading shared libraries: libltdl.so.7: cannot open shared object file: No such file or directory
```
https://jira.hyperledger.org/browse/FAB-6179?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel

Rapture (Thu, 14 Dec 2017 19:11:42 GMT):
Has joined the channel.

Rapture (Thu, 14 Dec 2017 19:14:18 GMT):
Can anyone tell me how to use the CA to generate new peer certificates on a network that is already up and running?

RohanMalcolm (Thu, 14 Dec 2017 19:31:50 GMT):
@Rapture you should be able to use the cryptogen executable to create the certs and use the cli to update the peer chaincode. Has multiple flags that can be used.

smithbk (Thu, 14 Dec 2017 20:43:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Lg8ux7d2tM8adZADC) @RohanMalcolm Yes, it is supported in v1.1.0-preview and should be the same as in v1.0.4. Pls open a jira with instructions on how to reproduce.

smithbk (Thu, 14 Dec 2017 20:46:35 GMT):
@Rapture See https://github.com/hyperledger/fabric-samples/blob/v1.1.0-preview/fabric-ca/scripts/start-peer.sh for how to use fabric-ca-client to dynamically get a new peer cert

Rapture (Fri, 15 Dec 2017 00:09:04 GMT):
@smithbk thanks, but I need to understand how to do it manually myself and I can't really deduce it from the script, unfortunately. It seems to work differently from the way I built my network using the Hyperledger Fabric docs

smithbk (Fri, 15 Dec 2017 00:15:25 GMT):
@Rapture So I assume you are using fabric-ca-server, but not sure what you mean by "manually". Do you mean you're using one of the SDKs rather than the fabric-ca-client CLI?

blw (Fri, 15 Dec 2017 01:05:53 GMT):
Has joined the channel.

Rapture (Fri, 15 Dec 2017 02:37:18 GMT):
@smithbk Oh no, I was using the user guide for the fabric-ca

Rapture (Fri, 15 Dec 2017 02:37:45 GMT):
But I've run into some trouble there, I wanted to run through the link you sent me, but I can't find the images that are required

Rapture (Fri, 15 Dec 2017 04:43:23 GMT):
When I run the ./start.sh in fabric-ca in fabric-samples it says that I have tls enabled but I provide no certificate, anyone know how to fix this? I'd like to have TLS enabled

lcj (Fri, 15 Dec 2017 08:18:57 GMT):
Hello everyone, I would like to ask a question. Are the tlsca certificate and private key made through the CA server, or through openssl?

lcj (Fri, 15 Dec 2017 08:20:36 GMT):
:cry:

kayadhami (Fri, 15 Dec 2017 11:50:01 GMT):
Error: POST failure [Post http://localhost:7054/enroll: dial tcp 127.0.0.1:7054: getsockopt: connection refused]; not sending POST http://localhost:7054/enroll

kayadhami (Fri, 15 Dec 2017 11:50:07 GMT):
Any idea what error is this?

Vadim (Fri, 15 Dec 2017 11:51:11 GMT):
@kayadhami CA is not running

kayadhami (Fri, 15 Dec 2017 11:52:40 GMT):
Thanks. Got it working. My bad.

kayadhami (Fri, 15 Dec 2017 12:13:46 GMT):
Error: Failed to create default configuration file: mkdir /Fabric: permission denied

kayadhami (Fri, 15 Dec 2017 12:14:38 GMT):
Whenever I'm trying to start fabric server this error comes up. `fabric-ca-server start -b “admin:adminpw”`

smithbk (Fri, 15 Dec 2017 12:44:21 GMT):
@kayadhami Apparently you have FABRIC_CA_SERVER_HOME=/Fabric but you don't have permission to create that directory. Either run as root or change to another directory to which you can write.

smithbk (Fri, 15 Dec 2017 12:55:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=P6H6v5sM8zz6MhF7i) @lcj fabric-ca-server has a single CA signing key and cert for each CA that it hosts, which it uses for all profiles (e.g. the default profile which is used to issue ecerts and the "tls" profile which is used to issue TLS certs). You can provide your own CA signing key and cert (e.g. created using openssl) to fabric-ca-server, or fabric-ca-server can create its own. It is simpler to just let it create its own. But one use case where you would want to provide your own is if some external CA issued a CA signing cert to you; then the fabric-ca-server could use that to function as an intermediate CA for that external CA.

smithbk (Fri, 15 Dec 2017 13:07:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=k3m2jxhS4vDZAX9Ji) @Rapture I know what the error is saying but haven't seen this happen with the sample. Can you provide the exact steps you took to reproduce this error? It would be best to open a jira for this. Or if you want to talk through it, feel free to ping me directly here on rocket chat

antoniovassell (Fri, 15 Dec 2017 16:03:44 GMT):
Hi @smithbk

antoniovassell (Fri, 15 Dec 2017 16:04:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Lg8ux7d2tM8adZADC) @RohanMalcolm

antoniovassell (Fri, 15 Dec 2017 16:04:24 GMT):
Following up on the above ^

antoniovassell (Fri, 15 Dec 2017 16:04:31 GMT):
We created a ticket here https://jira.hyperledger.org/browse/FAB-7471?orderby=created+DESC%2C+assignee+ASC%2C+priority+ASC%2C+updated+DESC

antoniovassell (Fri, 15 Dec 2017 16:06:05 GMT):
Please let us know if you have any thoughts or ideas as it relates to this issue.

Vadim (Fri, 15 Dec 2017 16:13:36 GMT):
@antoniovassell `sudo apt-get install libltdl-dev`?

RohanMalcolm (Fri, 15 Dec 2017 16:14:23 GMT):
@Vadim Should that be run in the container? Because as soon as we run docker-compose up, it errors out and crashes. We could add that to the docker-compose commands and try again

sasiedu (Sun, 17 Dec 2017 09:40:22 GMT):
hi guys, does fabric-ca use SECP256k1 for encoding Private Keys as PEMs?

bruteforced (Sun, 17 Dec 2017 15:01:59 GMT):
Has joined the channel.

daijianw (Mon, 18 Dec 2017 05:15:39 GMT):
Hi guys, how do I overwrite the affiliations defined in the default fabric-ca-server-config.yaml? When starting the fabric ca server without providing a server config yaml, it will generate a default fabric-ca-server-config.yaml. In it, the affiliations are as below:
```
#############################################################################
#  Affiliation section
#############################################################################
affiliations:
   org1:
      - department1
      - department2
   org2:
      - department1
```
My question is, if I want to overwrite the affiliations section by environment variables, how can I do it? For example, I have set up three orgs in the network; then how can I add an affiliation such as `org3.department1`? I tried to set an environment variable like `FABRIC_CA_SERVER_AFFILIATIONS_ORG3` (with value `department1`), but it seems it doesn't work.

Santhosh_S (Mon, 18 Dec 2017 06:08:59 GMT):
Has joined the channel.

wanghhao (Mon, 18 Dec 2017 10:06:19 GMT):
Has left the channel.

smithbk (Mon, 18 Dec 2017 13:38:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JLHx2CbAGebLjZjy2) @sasiedu No, it uses prime256v1 which is equivalent to secp256r1

smithbk (Mon, 18 Dec 2017 13:41:42 GMT):
@daijianw You will have to provide your own config file in order to customize affiliations. In v1.1, there will be a way thru APIs and the fabric-ca-client CLI to list, add, and remove affiliations

smithbk (Mon, 18 Dec 2017 13:46:28 GMT):
@sasiedu To be more complete, it supports 4 key lengths: p224, p256, p384, p521

AndreaBorzi (Mon, 18 Dec 2017 14:58:05 GMT):
Has joined the channel.

AndreaBorzi (Mon, 18 Dec 2017 14:58:33 GMT):
hi guys I have a question, is there a way to install fabric-ca-server on a machine with no internet connection?

AndreaBorzi (Mon, 18 Dec 2017 14:59:07 GMT):
as building it outside the machine, then copying it into the machine via scp?

smithbk (Mon, 18 Dec 2017 15:59:08 GMT):
@AndreaBorzi as long as your build and target machine are compatible, yes

vieiramanoel (Mon, 18 Dec 2017 15:59:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RQM47mHvey7EdTDHo) @AndreaBorzi clone the fabric-ca github repo to a local folder, pass it through scp to the dst machine, then via ssh call `make fabric-ca-client fabric-ca-server`

vieiramanoel (Mon, 18 Dec 2017 16:00:19 GMT):
the build process from source and env configuration are explained in these two tutorials

vieiramanoel (Mon, 18 Dec 2017 16:00:35 GMT):
[set server](https://mlgblockchain.com/setup-hyperledger-fabric.html)

vieiramanoel (Mon, 18 Dec 2017 16:00:49 GMT):
[set client](http://mlgblockchain.com/setup-hyperledger-client.html)

AndreaBorzi (Mon, 18 Dec 2017 16:00:51 GMT):
I see some files are importing github.com/repo

AndreaBorzi (Mon, 18 Dec 2017 16:01:05 GMT):
isn't it going to cause problems since the dst machine can't connect to internet?

vieiramanoel (Mon, 18 Dec 2017 16:01:30 GMT):
i think this is the folder structure needed to build

vieiramanoel (Mon, 18 Dec 2017 16:01:49 GMT):
follow these tutorial links and see if you face some issue

AndreaBorzi (Mon, 18 Dec 2017 16:04:14 GMT):
ok I'll follow right away and let you know

AndreaBorzi (Mon, 18 Dec 2017 16:04:16 GMT):
thanks a lot :)

vieiramanoel (Mon, 18 Dec 2017 16:04:52 GMT):
you're welcome

AndreaBorzi (Mon, 18 Dec 2017 16:10:08 GMT):
```
github.com/hyperledger/fabric-ca/vendor/github.com/miekg/pkcs11
vendor/github.com/miekg/pkcs11/pkcs11.go:29:18: fatal error: ltdl.h: No such file or directory
 #include <ltdl.h>
                  ^
compilation terminated.
make: *** [bin/fabric-ca-server] Error 2
```

AndreaBorzi (Mon, 18 Dec 2017 16:10:18 GMT):
sorry to bother you..

vieiramanoel (Mon, 18 Dec 2017 16:11:58 GMT):
it's ok

vieiramanoel (Mon, 18 Dec 2017 16:14:09 GMT):
@AndreaBorzi http://ftpmirror.gnu.org/libtool/libtool-2.4.6.tar.gz here is the latest version of ltdl download it and install on dst machine

vieiramanoel (Mon, 18 Dec 2017 16:14:30 GMT):
same thing: scp the .tar.gz, extract it, install via make

AndreaBorzi (Mon, 18 Dec 2017 16:15:37 GMT):
oh thanks

vieiramanoel (Mon, 18 Dec 2017 16:16:43 GMT):
inside tar.gz there's a file named `INSTALL` which contains installation instructions if you need it

AndreaBorzi (Mon, 18 Dec 2017 16:18:25 GMT):
it is saying that I need to run configure, however I can't run custom scripts on this machine unfortunately

AndreaBorzi (Mon, 18 Dec 2017 16:18:33 GMT):
so ./configure gives permission denied

AndreaBorzi (Mon, 18 Dec 2017 16:18:41 GMT):
is there a way around this?

AndreaBorzi (Mon, 18 Dec 2017 16:20:31 GMT):
in fact even "scripts/rename-repo" is giving me permission denied

AndreaBorzi (Mon, 18 Dec 2017 16:20:36 GMT):
when calling make on fabric-ca

vieiramanoel (Mon, 18 Dec 2017 16:21:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bADwbcYysiiKcFFij) @smithbk i've enrolled my peer with register i can do `peer node start` but at cli when I try `peer channel join` to this new peer (all address variables set) I get ` "JoinChain" request failed authorization check for channel [mychannel]: [Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins}: [This identity is not an admin]])`

vieiramanoel (Mon, 18 Dec 2017 16:22:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2W72mGcmSF6BzrcFB) @AndreaBorzi try to do `chmod 777 configure` via ssh

AndreaBorzi (Mon, 18 Dec 2017 16:22:51 GMT):
it already has 777 permissions

vieiramanoel (Mon, 18 Dec 2017 16:22:56 GMT):
oh

vieiramanoel (Mon, 18 Dec 2017 16:24:31 GMT):
you got me haha Idk how to fix this

AndreaBorzi (Mon, 18 Dec 2017 16:25:15 GMT):
I am running in a company's environment, that's why it has its own protections

AndreaBorzi (Mon, 18 Dec 2017 16:25:21 GMT):
such as not allowing the execution of scripts

AndreaBorzi (Mon, 18 Dec 2017 16:26:01 GMT):
thanks btw you really helped me a lot

vieiramanoel (Mon, 18 Dec 2017 16:28:25 GMT):
this is a really bad thing haha, can't you get authorization for you to run scripts?

smithbk (Mon, 18 Dec 2017 16:42:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LA3gRaTbgeykkY5NK) @vieiramanoel You need to run `peer channel join` from a host with the local MSP that is an admin (i.e. that has the private key of the admin). This command is part of the peer's client CLI and so can be run remotely from the target peer.

AndreaBorzi (Mon, 18 Dec 2017 16:42:39 GMT):
@vieiramanoel I'll ask right away, hoping it will help

vieiramanoel (Mon, 18 Dec 2017 16:45:05 GMT):
@smithbk when I run cli, the local msp is the org admin, and in fact the first peer (generated with cryptogen) can join the channel. When I register and enroll a new user using the fabric-ca cli, it is already set with that org admin, so why can't it make the peer join the channel?

smithbk (Mon, 18 Dec 2017 16:46:43 GMT):
@vieiramanoel Because the new user's cert is not one of the certs in the msp/admincerts folder of the channel config

MohitYadav2317 (Mon, 18 Dec 2017 16:47:11 GMT):
The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority

MohitYadav2317 (Mon, 18 Dec 2017 16:47:34 GMT):
can anybody help debug this error?

vieiramanoel (Mon, 18 Dec 2017 16:48:31 GMT):
@MohitYadav2317 describe it better, there are a lot of ways to get this error haha. What are you trying to do and when did you get this error?

vieiramanoel (Mon, 18 Dec 2017 16:49:22 GMT):
@smithbk I need then to register a new admin user for this new peer and put this cert at msp/admincerts at cli?

vieiramanoel (Mon, 18 Dec 2017 16:49:39 GMT):
sorry I'm kinda lost on this, I thought it would be easier haha

MohitYadav2317 (Mon, 18 Dec 2017 16:52:23 GMT):
@vieiramanoel I am trying to customize the fabric network by using custom organizations A and B, and I have a network with 2 peers for both org A and B. Now when I run the network, after enrolling admin as intermediate CA and registering a new client X (which generates credentials for this client X), and in the SDK I use the user context of this client X, then I get this error in the sendPeerProposal method

smithbk (Mon, 18 Dec 2017 16:53:02 GMT):
@vieiramanoel You could just go to the peer where you successfully issued the join command and invoke `peer join channel` again with the same CORE_PEER_LOCALMSPID setting as before but different CORE_PEER_ADDRESS and CORE_PEER_ID settings which point to the new peer. I "think" those are the only env variables to change but not totally sure.

vieiramanoel (Mon, 18 Dec 2017 16:54:01 GMT):
To enter in a channel I need the channel block file, don't I?

smithbk (Mon, 18 Dec 2017 16:54:20 GMT):
yes ... use the same as before

MohitYadav2317 (Mon, 18 Dec 2017 16:54:49 GMT):
@vieiramanoel any suggestions for my issue? did you get the clear picture of it?

vieiramanoel (Mon, 18 Dec 2017 16:58:50 GMT):
@MohitYadav2317 I didn't get what the new client is, is it a new peer or a new user?

MohitYadav2317 (Mon, 18 Dec 2017 17:32:28 GMT):
it is a new user

MohitYadav2317 (Mon, 18 Dec 2017 17:32:34 GMT):
@vieiramanoel

vieiramanoel (Mon, 18 Dec 2017 19:01:15 GMT):
@MohitYadav2317 at what point do you get the error? I mean, running what command?

vieiramanoel (Mon, 18 Dec 2017 19:01:45 GMT):
@smithbk it worked, was a simple thing in fact, just my CORE_PEER_MSPCONFIGPATH wasn't unset at new peer

vieiramanoel (Mon, 18 Dec 2017 19:05:52 GMT):
thanks a lot

daijianw (Tue, 19 Dec 2017 00:38:16 GMT):
@smithbk thanks. I will try to do that by providing a customized config file.

MohitYadav2317 (Tue, 19 Dec 2017 03:34:28 GMT):
while running node registeruser.js from sdk in fabcar example

MohitYadav2317 (Tue, 19 Dec 2017 03:35:04 GMT):
@vieiramanoel

MohitYadav2317 (Tue, 19 Dec 2017 06:25:22 GMT):
Error: Failed to deserialize creator identity, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority

zhishui (Tue, 19 Dec 2017 08:08:53 GMT):
Has joined the channel.

Amber.Zhang (Tue, 19 Dec 2017 08:39:04 GMT):
Has joined the channel.

MohitYadav2317 (Tue, 19 Dec 2017 08:49:40 GMT):
@vieiramanoel maybe it is possible that this has something to do with endorsement policy? i was calling querybychaincode method from sdk

kayadhami (Tue, 19 Dec 2017 09:57:36 GMT):
@Vadim @smithbk what else do I need to generate if I'm using fabric CA instead of cryptogen?

Vadim (Tue, 19 Dec 2017 10:02:23 GMT):
@kayadhami have you seen this? https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca

kayadhami (Tue, 19 Dec 2017 10:03:05 GMT):
not yet, I will study this and get back to you if I run into some problem.

kayadhami (Tue, 19 Dec 2017 10:03:06 GMT):
Thanks

kayadhami (Tue, 19 Dec 2017 11:34:28 GMT):
@Vadim `ERROR: manifest for hyperledger/fabric-ca-tools:latest not found`

kayadhami (Tue, 19 Dec 2017 11:34:40 GMT):
Couldn't find the image on docker.hub

AndreaBorzi (Tue, 19 Dec 2017 13:33:11 GMT):
hi guys, a question:
- I have set up a machine with fabric-ca-server running and configured
- I have registered an entity and enrolled with it on another machine which I'll call "client machine"
How do I convert the cert.pem file inside the msp/signcerts directory into a pkcs12 file? If I try to run this command I get "Expecting ANY PRIVATE KEY":
```
openssl pkcs12 -export -out cert.pkcs12 -in cert.pem
```
What I'm trying to achieve in the end is a Java keystore file (.jks), if that helps

AndreaBorzi (Tue, 19 Dec 2017 13:33:20 GMT):
Thanks a lot for your support!

smithbk (Tue, 19 Dec 2017 13:50:14 GMT):
@kayadhami You can use the build-images.sh script to build locally which tags them latest

AndreaBorzi (Tue, 19 Dec 2017 14:49:12 GMT):
guys where can I find the list of supported --id.type(s) ?

smithbk (Tue, 19 Dec 2017 15:14:39 GMT):
@AndreaBorzi The default list is "peer,orderer,client,user" but fabric-ca-server allows you to change them by modifying the values of registry.identities.attrs hf.Registrar.Roles and hf.Registrar.DelegateRoles

AndreaBorzi (Tue, 19 Dec 2017 15:39:23 GMT):
thanks a lot smith

RobertMiroballi (Tue, 19 Dec 2017 17:12:25 GMT):
Has joined the channel.

AgnesaHa (Tue, 19 Dec 2017 17:24:18 GMT):
Has joined the channel.

AgnesaHa (Tue, 19 Dec 2017 17:26:46 GMT):
Hi guys.. We are trying to add attributes to our users, but it won't work.. we have this implemented:
```
fabric_ca_client.register({enrollmentID: 'user1', role:'client', affiliation: 'org1.department1', attr: [{name:"attr1",value:"Test:ecert"}]}, admin_user);
```
but it still won't save the attributes in the certificate.. can somebody help me?

yacovm (Tue, 19 Dec 2017 18:38:10 GMT):
Hey @smithbk , @aambati @rickr @skarim @mastersingh24 @jimthematrix does anyone have a clue about this CI failure? https://jenkins.hyperledger.org/job/fabric-verify-end-2-end-x86_64/11332/console https://jenkins.hyperledger.org/job/fabric-verify-end-2-end-x86_64/11334/consoleFull https://jenkins.hyperledger.org/job/fabric-verify-end-2-end-x86_64/11323/console
```
18:05:42 Tests run: 21, Failures: 3, Errors: 0, Skipped: 2, Time elapsed: 283.229 sec <<< FAILURE! - in org.hyperledger.fabric.sdkintegration.IntegrationSuite
18:05:42 testUserRevoke(org.hyperledger.fabric_ca.sdkintegration.HFCAClientIT)  Time elapsed: 1.053 sec  <<< FAILURE!
18:05:42 java.lang.AssertionError:
18:05:42
18:05:42 Expected: (an instance of org.hyperledger.fabric_ca.sdk.exception.EnrollmentException and exception with message a string containing "Failed to re-enroll user")
18:05:42      but: an instance of org.hyperledger.fabric_ca.sdk.exception.EnrollmentException is a java.io.IOException
18:05:42 Stacktrace was: java.io.IOException: unknown tag 13 encountered
18:05:42 	at org.bouncycastle.asn1.ASN1InputStream.buildObject(Unknown Source)
```

yacovm (Tue, 19 Dec 2017 18:38:26 GMT):
It appeared in 3 different unrelated change sets...

yacovm (Tue, 19 Dec 2017 18:38:33 GMT):
could it be that something is broken?

mastersingh24 (Tue, 19 Dec 2017 18:56:30 GMT):
Sh*t. Yes. I know the issue. Ugh

mastersingh24 (Tue, 19 Dec 2017 18:57:32 GMT):
Well I think I know the issue

yacovm (Tue, 19 Dec 2017 18:57:55 GMT):
unknown tag sounds to me like protobuf

yacovm (Tue, 19 Dec 2017 18:58:34 GMT):
but the stack trace above points at ASN1

yacovm (Tue, 19 Dec 2017 18:59:27 GMT):
my best guess is someone updated vendor folder in fabric-CA

yacovm (Tue, 19 Dec 2017 18:59:35 GMT):
and not in the fabric-ca-client

yacovm (Tue, 19 Dec 2017 18:59:45 GMT):
and a CSR format has changed

yacovm (Tue, 19 Dec 2017 18:59:52 GMT):
(but most likely I am wrong)

mastersingh24 (Tue, 19 Dec 2017 19:00:56 GMT):
My guess is that it is this change: https://gerrit.hyperledger.org/r/16167

mastersingh24 (Tue, 19 Dec 2017 19:01:02 GMT):
Let me see if I can debug

rickr (Tue, 19 Dec 2017 19:05:10 GMT):
We try to decode the CRLs and that has been working. I saw this before it was merged and asked @skarim to test it as it had me worried.

rickr (Tue, 19 Dec 2017 19:07:21 GMT):
We use bouncycastle's library that uses ASN1 to decode it. It's been working till now, so if I had to bet I would put my money on the PEM CRL really not being valid. :)

rickr (Tue, 19 Dec 2017 19:44:30 GMT):
Are we not running the SDK's IT tests before merging fabric code ?

yacovm (Tue, 19 Dec 2017 20:01:37 GMT):
of course we are

yacovm (Tue, 19 Dec 2017 20:01:44 GMT):
that's why I'm complaining ;)

yacovm (Tue, 19 Dec 2017 20:02:18 GMT):
but the problem is we don't run in fabric-CA

vieiramanoel (Tue, 19 Dec 2017 20:28:44 GMT):
guys, at `peer node start` does the peer consult fabric-ca to check that its certs are ok?

vieiramanoel (Tue, 19 Dec 2017 20:30:09 GMT):
i've started my peer and joined it to my channel, but fabric-ca didn't log about any request/consult in these steps

mastersingh24 (Tue, 19 Dec 2017 20:33:00 GMT):
@rickr - so I have a fix (forgot to ask if you were working on one?)

rickr (Tue, 19 Dec 2017 20:43:40 GMT):
no -- I'm officially _off the clock_

rickr (Tue, 19 Dec 2017 20:43:52 GMT):
Is this an SDK fix ?

mastersingh24 (Tue, 19 Dec 2017 20:44:03 GMT):
Actually just a modification to the test

mastersingh24 (Tue, 19 Dec 2017 20:44:08 GMT):
SDK test

mastersingh24 (Tue, 19 Dec 2017 20:44:13 GMT):
simple change

rickr (Tue, 19 Dec 2017 20:44:23 GMT):
put a patch

mastersingh24 (Tue, 19 Dec 2017 20:44:29 GMT):
will do

rickr (Tue, 19 Dec 2017 20:44:38 GMT):
AFAIK we just called the library

mastersingh24 (Tue, 19 Dec 2017 20:45:04 GMT):
I'll explain what happened in the CR and JIRA entry so you can see ;)

rickr (Tue, 19 Dec 2017 20:45:11 GMT):
k

mastersingh24 (Tue, 19 Dec 2017 20:56:03 GMT):
https://gerrit.hyperledger.org/r/16327

rickr (Tue, 19 Dec 2017 21:32:08 GMT):
merged and thanks

antoniovassell (Tue, 19 Dec 2017 22:12:14 GMT):
Hey guys

antoniovassell (Tue, 19 Dec 2017 22:13:27 GMT):
if HSM is enabled on a fabric-ca server, are there any configuration changes required in the node sdk?

antoniovassell (Tue, 19 Dec 2017 22:14:56 GMT):
Currently when I am trying to enroll a user, the sdk gives this error:

antoniovassell (Tue, 19 Dec 2017 22:15:02 GMT):
```
error: [Client.js]: Error: Calling enrollment endpoint failed with error [Error: write EPROTO 140601276032832:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../deps/openssl/openssl/ssl/s3_pkt.c:1500:SSL alert number 40
web_1  | 140601276032832:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:../deps/openssl/openssl/ssl/s23_lib.c:177:
web_1  | ]
web_1  |     at ClientRequest.<anonymous> (/usr/src/app/node_modules/fabric-ca-client/lib/FabricCAClientImpl.js:809:12)
web_1  |     at emitOne (events.js:116:13)
web_1  |     at ClientRequest.emit (events.js:211:7)
web_1  |     at TLSSocket.socketErrorListener (_http_client.js:387:9)
web_1  |     at emitOne (events.js:116:13)
web_1  |     at TLSSocket.emit (events.js:211:7)
web_1  |     at onwriteError (_stream_writable.js:408:12)
web_1  |     at onwrite (_stream_writable.js:430:5)
web_1  |     at _destroy (internal/streams/destroy.js:39:7)
web_1  |     at TLSSocket.Socket._destroy (net.js:561:3)
web_1  |     at TLSSocket.destroy (internal/streams/destroy.js:32:8)
web_1  |     at WriteWrap.afterWrite [as oncomplete] (net.js:869:10)
```

antoniovassell (Tue, 19 Dec 2017 22:15:50 GMT):
While the logs for the fabric-ca shows this output:

antoniovassell (Tue, 19 Dec 2017 22:15:55 GMT):
```
2017/12/19 21:05:04 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
2017/12/19 21:05:04 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
2017/12/19 21:05:04 [INFO] Server Version: 1.1.0-alpha-snapshot-f5af79b
2017/12/19 21:05:04 [INFO] Server Levels: &{Identity:1 Affiliation:0 Certificate:0}
2017/12/19 21:05:06 [INFO] The CA key and certificate already exist
2017/12/19 21:05:06 [INFO] The key is stored by BCCSP provider 'PKCS11'
2017/12/19 21:05:06 [INFO] The certificate is at: /etc/hyperledger/fabric-ca-server/ca-cert.pem
2017/12/19 21:05:06 [INFO] Initialized sqlite3 database at /etc/hyperledger/fabric-ca-server/fabric-ca-server.db
2017/12/19 21:05:06 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server
2017/12/19 21:05:06 [INFO] Listening on https://0.0.0.0:7054
2017/12/19 21:05:57 http: TLS handshake error from 172.20.0.20:57794: tls: failed to sign ECDHE parameters: CSP:404 - Unsupported 'SignKey' provided [&{[237 8 193 7 146 17 154 244 196 115 53 125 171 228 43 181 103 186 160 174 24 107 63 97 39 6 161 237 249 128 193 94] 0xc42035ad60}]
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw/impl.go:321 github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw.(*impl).Sign
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/pkcs11/impl.go:467 github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/pkcs11.(*impl).Sign
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/signer/signer.go:88 github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/signer.(*bccspCryptoSigner).Sign
/opt/go/src/crypto/tls/key_agreement.go:276 crypto/tls.(*ecdheKeyAgreement).generateServerKeyExchange
/opt/go/src/crypto/tls/handshake_server.go:400 crypto/tls.(*serverHandshakeState).doFullHandshake
/opt/go/src/crypto/tls/handshake_server.go:85 crypto/tls.(*Conn).serverHandshake
/opt/go/src/crypto/tls/conn.go:1309 crypto/tls.(*Conn).Handshake
/opt/go/src/net/http/server.go:1713 net/http.(*conn).serve
/opt/go/src/runtime/asm_amd64.s:2338 runtime.goexit
```

yacovm (Tue, 19 Dec 2017 22:17:20 GMT):
@antoniovassell did you... somehow make TLS use HSM? edit - I didn't know we had that support in fabric-ca

antoniovassell (Tue, 19 Dec 2017 22:19:36 GMT):
uhmmm, not sure, I am currently using fabric 1.1 sample files without much changes

antoniovassell (Tue, 19 Dec 2017 22:20:28 GMT):
for the fabric-ca config i added this for bccsp

antoniovassell (Tue, 19 Dec 2017 22:20:34 GMT):
```
bccsp:
  default: PKCS11
  pkcs11:
    Library: /opt/nfast/toolkits/pkcs11/libcknfast.so
    PIN: 1234
    label: local
    hash: SHA2
    security: 256
    filekeystore:
      # The directory used for the software file-based keystore
      keystore:
```

antoniovassell (Tue, 19 Dec 2017 22:23:14 GMT):
you can see full config of the ca here if you like: https://gist.github.com/antoniovassell/2fee62065478b09cd092041c2bdbed34

antoniovassell (Tue, 19 Dec 2017 22:26:20 GMT):
any ideas of why I would be getting that error `Unsupported 'SignKey' provided` when hsm is enabled?

yacovm (Tue, 19 Dec 2017 23:04:37 GMT):
haha I knew it

yacovm (Tue, 19 Dec 2017 23:05:20 GMT):
so, the reason you're getting this is because fabric-ca loads the TLS certificates via bccsp

yacovm (Tue, 19 Dec 2017 23:06:34 GMT):
@vpa

yacovm (Tue, 19 Dec 2017 23:06:47 GMT):
@vpaprots ;) ^

yacovm (Tue, 19 Dec 2017 23:09:41 GMT):
@mastersingh24 @smithbk I might be missing something, but looking at the code - there is no way to make fabric-CA TLS not use BCCSP

yacovm (Tue, 19 Dec 2017 23:09:46 GMT):
is that by design?

Amber.Zhang (Wed, 20 Dec 2017 01:15:33 GMT):
@hellothere When I build the latest fabric-ca code, I got this error:
```
Removing intermediate container bb7bd45b27c9
Successfully built c619a8415e6d
Successfully tagged hyperledger/fabric-ca:latest
docker tag hyperledger/fabric-ca hyperledger/fabric-ca:x86_64-1.0.6-snapshot-cd93c3c
Checking Go files for license headers ...
All go files have license headers
Running go vet ...
YOU MUST FIX THE FOLLOWING GO VET PROBLEMS:
lib/dbutil/dbutil.go:100: arg root for printf verb %s of wrong type: byte
make: *** [vet] Error 1
```
Any idea on how to fix it?

hellothere (Wed, 20 Dec 2017 01:15:33 GMT):
Has joined the channel.

Amber.Zhang (Wed, 20 Dec 2017 01:19:33 GMT):
my go version is "go version go1.9.2 darwin/amd64"

mastersingh24 (Wed, 20 Dec 2017 03:31:40 GMT):
looks like you are building the release branch which only supports Go 1.7.5

Amber.Zhang (Wed, 20 Dec 2017 07:39:32 GMT):
@mastersingh24 Yeah, the release branch was compiled successfully with go v1.7.3 on Ubuntu. Thank you!

Amber.Zhang (Wed, 20 Dec 2017 08:20:24 GMT):
@mastersingh24 I have one more question about fabric compiling. I got the following error when I tried to compile the release branch. My go version is "go1.7.3 linux/amd64".

Amber.Zhang (Wed, 20 Dec 2017 08:20:58 GMT):
```
Removing intermediate container 8a76f0853b34
Successfully built d04a85be0d4c
Successfully tagged hyperledger/fabric-tools:latest
docker tag hyperledger/fabric-tools hyperledger/fabric-tools:x86_64-1.0.5
Checking committed files for SPDX-License-Identifier headers ...
The following files are missing SPDX-License-Identifier headers:
(standard input)
Please replace the Apache license header comment text with:
SPDX-License-Identifier: Apache-2.0
Makefile:111: recipe for target 'license' failed
make: *** [license] Error 1
```

antoniovassell (Wed, 20 Dec 2017 13:54:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3z28pddXRBsf5iG7w) @yacovm Hey, in the config tls is disabled.

antoniovassell (Wed, 20 Dec 2017 13:54:24 GMT):
would it still try to do that?

yacovm (Wed, 20 Dec 2017 13:54:53 GMT):
TLS is disabled?!

yacovm (Wed, 20 Dec 2017 13:55:07 GMT):
how is it disabled

yacovm (Wed, 20 Dec 2017 13:55:23 GMT):
are you 100% sure?

antoniovassell (Wed, 20 Dec 2017 13:56:23 GMT):
sorry, false alarm, it's disabled in the ca-config file but overwritten in the docker compose file to be enabled

antoniovassell (Wed, 20 Dec 2017 13:59:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3z28pddXRBsf5iG7w) @yacovm weird question, does that mean that the tls keys would need to be on the hsm then?

antoniovassell (Wed, 20 Dec 2017 14:16:04 GMT):
so with tls disabled, I was able to enroll a user

antoniovassell (Wed, 20 Dec 2017 14:16:18 GMT):
on fabric ca

antoniovassell (Wed, 20 Dec 2017 14:16:25 GMT):
that went through okay

smithbk (Wed, 20 Dec 2017 14:53:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6Rknivdct4pNkpMzk) @yacovm yes, it is by design that when HSM is enabled, it is used for TLS.

smithbk (Wed, 20 Dec 2017 14:54:34 GMT):
@antoniovassell When you enabled HSM, did you provide a TLS cert/key not generated via HSM?

yacovm (Wed, 20 Dec 2017 14:55:27 GMT):
If you provide your own key, which is not provided by HSM - can it even be used by BCCSP ?

smithbk (Wed, 20 Dec 2017 14:56:07 GMT):
There used to be code to import a key into an HSM which worked

yacovm (Wed, 20 Dec 2017 14:56:30 GMT):
you mean export to HSM?

yacovm (Wed, 20 Dec 2017 14:56:54 GMT):
if you export the key, I guess you need to do it off-band, and then destroy the key from outside the HSM no?

smithbk (Wed, 20 Dec 2017 14:57:07 GMT):
i mean a key generated outside an HSM to be loaded into the HSM

smithbk (Wed, 20 Dec 2017 14:57:56 GMT):
obviously what you really want is to allow the HSM to generate the key

smithbk (Wed, 20 Dec 2017 14:58:36 GMT):
so what I'm guessing happened here is that it tried to find a key in the HSM which matched a cert not generated via the HSM

smithbk (Wed, 20 Dec 2017 15:00:11 GMT):
If this debug message was printed when starting the fabric-ca-server, then that is what happened: `logger.Debugf("Private key not found [%s] for SKI [%s], looking for Public key", err, hex.EncodeToString(ski))`

smithbk (Wed, 20 Dec 2017 15:03:01 GMT):
bccsp needs some improved error messages in this case. It would have been more obvious if it printed the type rather than the bytes in that error message `Unsupported 'SignKey' provided`. I think I'll submit a change set for that

smithbk (Wed, 20 Dec 2017 15:04:49 GMT):
Anyway, I'd be interested in knowing what happens if you remove the TLS and CA cert and key and let fabric-ca-server generate its own when it starts

antoniovassell (Wed, 20 Dec 2017 15:06:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NMFHsuYZHxddQ7GXL) @smithbk Yes I did, I am now trying to generate/import tls certs on the hsm

antoniovassell (Wed, 20 Dec 2017 15:09:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dryPLFW2BiiiaMxa6) @smithbk Haven't seen this as yet

smithbk (Wed, 20 Dec 2017 15:10:22 GMT):
Did you use "-d" option when starting fabric-ca-server? It may also be the case that the logger in fabric isn't enabled by that

antoniovassell (Wed, 20 Dec 2017 15:10:59 GMT):
yes, i can restart /recreate the container without it

smithbk (Wed, 20 Dec 2017 15:11:36 GMT):
you will also want to delete the ca-cert.pem file if there was one

antoniovassell (Wed, 20 Dec 2017 15:11:43 GMT):
sure

mastersingh24 (Wed, 20 Dec 2017 15:59:06 GMT):
@smithbk @antoniovassell - If you use PKCS11 and allow fabric-ca to generate CA and TLS certs, everything works

mastersingh24 (Wed, 20 Dec 2017 15:59:11 GMT):
I've tested several times

mastersingh24 (Wed, 20 Dec 2017 15:59:24 GMT):
I found the actual issue and have a fix I believe

mastersingh24 (Wed, 20 Dec 2017 15:59:37 GMT):
There's some logic issues in processing

mastersingh24 (Wed, 20 Dec 2017 16:00:14 GMT):
If you use PKCS11 and attempt to configure TLS cert and key with files that exist, TLS will not work

smithbk (Wed, 20 Dec 2017 16:09:10 GMT):
@mastersingh24 Just to be clear, the fix you have fixes when "you use PKCS11 and attempt to configure TLS cert and key with files that exist"?

smithbk (Wed, 20 Dec 2017 16:09:28 GMT):
so it fixes the import case?

smithbk (Wed, 20 Dec 2017 16:13:14 GMT):
A couple of error message/checking improvements in the meantime:

smithbk (Wed, 20 Dec 2017 16:13:16 GMT):
https://gerrit.hyperledger.org/r/#/c/16345/

smithbk (Wed, 20 Dec 2017 16:13:30 GMT):
https://gerrit.hyperledger.org/r/#/c/16347/

mastersingh24 (Wed, 20 Dec 2017 16:14:12 GMT):
I'll write it up, but it fixes the following things: 1) Fallback to TLS key/cert file when configured and using PKCS11 2) Server should fail when using PKCS11, public CA cert exists but can't find private key. I think this is a bug. Let's say you are using PKCS11 and autogenerate the root CA key pair. This of course creates the CA public key on the filesystem. You reboot fabric-ca and for some reason it can no longer find the private key in the HSM. Right now the behavior is that it actually just generates a new signing key pair. That should not be the case

smithbk (Wed, 20 Dec 2017 16:15:18 GMT):
For #2 see https://gerrit.hyperledger.org/r/#/c/16347

mastersingh24 (Wed, 20 Dec 2017 16:16:11 GMT):
ah - I did not see this because I was looking for bugs

mastersingh24 (Wed, 20 Dec 2017 16:16:16 GMT):
This is a bug

mastersingh24 (Wed, 20 Dec 2017 16:16:18 GMT):
same fix

mastersingh24 (Wed, 20 Dec 2017 16:16:26 GMT):
But there's another piece

mastersingh24 (Wed, 20 Dec 2017 16:16:32 GMT):
The server needs to fail as well

mastersingh24 (Wed, 20 Dec 2017 16:16:43 GMT):
It doesn't right now

mastersingh24 (Wed, 20 Dec 2017 16:17:29 GMT):
https://github.com/hyperledger/fabric-ca/blob/master/lib/ca.go#L241

smithbk (Wed, 20 Dec 2017 16:17:30 GMT):
hmm ... i thought https://gerrit.hyperledger.org/r/#/c/16347 would cause the server to fail to start ... no?

smithbk (Wed, 20 Dec 2017 16:17:33 GMT):
checking

mastersingh24 (Wed, 20 Dec 2017 16:17:39 GMT):
If there is an error it should fail here

mastersingh24 (Wed, 20 Dec 2017 16:17:51 GMT):
Right now it will generate a new key pair

mastersingh24 (Wed, 20 Dec 2017 16:18:03 GMT):
(I thought the same as you BTW) ;)

smithbk (Wed, 20 Dec 2017 16:20:01 GMT):
yes, I see it now

smithbk (Wed, 20 Dec 2017 16:20:30 GMT):
ok, if you have another fix, I can abandon mine

mastersingh24 (Wed, 20 Dec 2017 16:23:21 GMT):
I think you can just adjust yours

mastersingh24 (Wed, 20 Dec 2017 16:23:50 GMT):
and we can merge

smithbk (Wed, 20 Dec 2017 16:23:50 GMT):
ok ... i'll handle #2 ... do you want me to also do #1 or are you doing that?

mastersingh24 (Wed, 20 Dec 2017 16:24:27 GMT):
I think #2 actually fixes #1

mastersingh24 (Wed, 20 Dec 2017 16:24:31 GMT):
let me check

mastersingh24 (Wed, 20 Dec 2017 16:24:37 GMT):
because of the fallthrough logic

mastersingh24 (Wed, 20 Dec 2017 16:24:47 GMT):
or fallbackcerts logic

smithbk (Wed, 20 Dec 2017 16:25:57 GMT):
ok, to do #2 in addition to what I already did, I will change the following logic to return an error rather than falling thru
```
// If key file does not exist but certFile does, key file is probably
// stored by BCCSP, so check for that now.
if certFileExists {
	_, _, _, err = util.GetSignerFromCertFile(certFile, ca.csp)
	if err == nil {
		// Yes, it is stored by BCCSP
		log.Info("The CA key and certificate already exist")
		log.Infof("The key is stored by BCCSP provider '%s'", ca.Config.CSP.ProviderName)
		log.Infof("The certificate is at: %s", certFile)
		// Load CN from existing enrollment information and set CSR accordingly
		// CN needs to be set, having a multi CA setup requires a unique CN and can't
		// be left blank
		ca.Config.CSR.CN, err = ca.loadCNFromEnrollmentInfo(certFile)
		if err != nil {
			return err
		}
		return nil
	}
}
```

smithbk (Wed, 20 Dec 2017 16:26:06 GMT):
Is that what you're thinking?

mastersingh24 (Wed, 20 Dec 2017 16:28:57 GMT):
yeah

mastersingh24 (Wed, 20 Dec 2017 16:29:18 GMT):
```
if certFileExists {
	_, _, _, err = util.GetSignerFromCertFile(certFile, ca.csp)
	if err == nil {
		// Yes, it is stored by BCCSP
		log.Info("The CA key and certificate already exist")
		log.Infof("The key is stored by BCCSP provider '%s'", ca.Config.CSP.ProviderName)
		log.Infof("The certificate is at: %s", certFile)
		// Load CN from existing enrollment information and set CSR accordingly
		// CN needs to be set, having a multi CA setup requires a unique CN and can't
		// be left blank
		ca.Config.CSR.CN, err = ca.loadCNFromEnrollmentInfo(certFile)
		if err != nil {
			return err
		}
		return nil
	} else {
		log.Fatalf("Cannot start server due to fatal error [%s]", err)
	}
}
```

mastersingh24 (Wed, 20 Dec 2017 16:31:46 GMT):
so interesting - with the fix for #2, new error for #1: `TLS handshake error from 127.0.0.1:49445: tls: no cipher suite supported by both client and server` ;)

mastersingh24 (Wed, 20 Dec 2017 16:34:16 GMT):
oops - never mind

mastersingh24 (Wed, 20 Dec 2017 16:36:56 GMT):
@smithbk - as far as I can tell, your fix for #2 fixes #1 as well

smithbk (Wed, 20 Dec 2017 16:38:28 GMT):
ok, i had already changed as follows which is equivalent but now working on test case
```
// If key file does not exist but certFile does, key file is probably
// stored by BCCSP, so check for that now.
if certFileExists {
	_, _, _, err = util.GetSignerFromCertFile(certFile, ca.csp)
	if err != nil {
		return err
	}
	// Yes, it is stored by BCCSP
	log.Info("The CA key and certificate already exist")
	log.Infof("The key is stored by BCCSP provider '%s'", ca.Config.CSP.ProviderName)
	log.Infof("The certificate is at: %s", certFile)
	// Load CN from existing enrollment information and set CSR accordingly
	// CN needs to be set, having a multi CA setup requires a unique CN and can't
	// be left blank
	ca.Config.CSR.CN, err = ca.loadCNFromEnrollmentInfo(certFile)
	if err != nil {
		return err
	}
	return nil
}
```

mastersingh24 (Wed, 20 Dec 2017 16:42:18 GMT):
cool

mastersingh24 (Wed, 20 Dec 2017 16:42:33 GMT):
And I checked that #1 is fixed with your csp.go change

antoniovassell (Wed, 20 Dec 2017 16:46:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pKPss7pGKJHh7yPNh) @mastersingh24 Okay so what I did was delete any existing ca-cert.pem file

antoniovassell (Wed, 20 Dec 2017 16:46:53 GMT):
and allow fabric-ca to generate its own file, tls on, using pkcs11

antoniovassell (Wed, 20 Dec 2017 16:47:07 GMT):
server started okay.

antoniovassell (Wed, 20 Dec 2017 16:47:31 GMT):
I made `FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server/ca-cert.pem`

antoniovassell (Wed, 20 Dec 2017 16:48:30 GMT):
I did not define `FABRIC_CA_SERVER_TLS_KEYFILE` since the key is generated, I assume, on the HSM

antoniovassell (Wed, 20 Dec 2017 16:49:21 GMT):
you can see the debug logs here:

antoniovassell (Wed, 20 Dec 2017 16:50:13 GMT):
https://gist.github.com/antoniovassell/bc7ec0db4d91d6ec24ff97e9a0fa3e2a

antoniovassell (Wed, 20 Dec 2017 16:51:09 GMT):
using the node sdk i have also used this file as the tls cert: `/etc/hyperledger/fabric-ca-server/ca-cert.pem`

smithbk (Wed, 20 Dec 2017 16:51:42 GMT):
what's the error on the client?

antoniovassell (Wed, 20 Dec 2017 16:51:55 GMT):
the last line in the logs `16:44:22 http: TLS handshake error from 172.20.0.20:37186: EOF` happens when I tried to error a user on the fabric ca

antoniovassell (Wed, 20 Dec 2017 16:52:24 GMT):
1 sec, copying

antoniovassell (Wed, 20 Dec 2017 16:53:01 GMT):
```
Error: Calling enrollment endpoint failed with error [Error: write EPROTO 139986494089024:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:../deps/openssl/openssl/ssl/ssl_lib.c:2520:
web_1 | 139986494089024:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:../deps/openssl/openssl/ssl/s3_clnt.c:3550:
web_1 | ]
web_1 | failed Error: Calling enrollment endpoint failed with error [Error: write EPROTO 139986494089024:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:../deps/openssl/openssl/ssl/ssl_lib.c:2520:
web_1 | 139986494089024:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:../deps/openssl/openssl/ssl/s3_clnt.c:3550:
```

antoniovassell (Wed, 20 Dec 2017 16:53:36 GMT):
that's from the client node sdk

mastersingh24 (Wed, 20 Dec 2017 16:55:25 GMT):
You can't use the CA cert as the TLS cert

mastersingh24 (Wed, 20 Dec 2017 16:55:49 GMT):
NodeJS / openssl are very particular about KeyUsage

antoniovassell (Wed, 20 Dec 2017 16:55:50 GMT):
good point

mastersingh24 (Wed, 20 Dec 2017 16:56:45 GMT):
I should say you can't use the autogenerated CA cert. In general, nothing would stop you as long as the cert has the right KeyUsage

mastersingh24 (Wed, 20 Dec 2017 16:57:25 GMT):
FWIW, what I did is have fabric-ca autogenerate both the CA and TLS certs with PKCS11

ashutosh_kumar (Wed, 20 Dec 2017 16:57:50 GMT):
Microsoft is very particular about KeyUsage as well.

mastersingh24 (Wed, 20 Dec 2017 16:58:19 GMT):
Just specify the tls.certfile property and not the tls.keyfile property

ashutosh_kumar (Wed, 20 Dec 2017 16:58:35 GMT):
In mutual auth TLS , if your cert does not have KeyUsage as client authentication , it rejects.

mastersingh24 (Wed, 20 Dec 2017 16:58:38 GMT):
And make sure that the tls.certfile does not exist

antoniovassell (Wed, 20 Dec 2017 17:01:04 GMT):
okay, so @mastersingh24 how do I make fabric-ca also generate the tls certs as well? I see that it generates the ca certs but not tls certs?

ShahzebHasnain (Wed, 20 Dec 2017 17:01:34 GMT):
Has joined the channel.

antoniovassell (Wed, 20 Dec 2017 17:03:56 GMT):
never mind! @mastersingh24 ^^

antoniovassell (Wed, 20 Dec 2017 17:05:24 GMT):
@smithbk @mastersingh24 was able to enrol a user this time, no errors

antoniovassell (Wed, 20 Dec 2017 17:06:04 GMT):
thanks so far guys, will continue testing around

vieiramanoel (Wed, 20 Dec 2017 17:13:03 GMT):
how do peers communicate with fabric-ca? I don't see any env var setting the CA's address

mastersingh24 (Wed, 20 Dec 2017 17:14:01 GMT):
@vieiramanoel - neither peers nor orderers directly communicate with the fabric-ca

vieiramanoel (Wed, 20 Dec 2017 17:15:37 GMT):
@mastersingh24 so how does revoke work? In my mind (I just figured out that I'm wrong haha) we'd use revoke to "expel" a peer from the network

smithbk (Wed, 20 Dec 2017 18:06:40 GMT):
@vieiramanoel Revoking a certificate in fabric CA alone does not revoke the certificate in fabric. You must update the CRL which is part of the MSP in the channel config to revoke a certificate in fabric. See https://github.com/hyperledger/fabric-samples/blob/master/fabric-ca/scripts/run-fabric.sh#L91 for an example of revoking with fabric-ca-server, generating a CRL, and pushing that CRL into fabric

vieiramanoel (Wed, 20 Dec 2017 18:25:27 GMT):
@smithbk oh, thanks!

atian15 (Thu, 21 Dec 2017 02:13:43 GMT):
Has joined the channel.

zhai2005 (Thu, 21 Dec 2017 05:46:29 GMT):
Has joined the channel.

zhai2005 (Thu, 21 Dec 2017 06:36:11 GMT):
Can anyone help me?
```
[2017-12-21 11:03:38.015] [ERROR] Helper - Error: Calling enrollment endpoint failed with error [Error: write EPROTO 140063596390208:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:../deps/openssl/openssl/ssl/s23_clnt.c:825:
]
    at ClientRequest. (/home/jack/nodeTest/node_modules/fabric-ca-client/lib/FabricCAClientImpl.js:724:12)
    at emitOne (events.js:125:13)
    at ClientRequest.emit (events.js:221:7)
    at TLSSocket.socketErrorListener (_http_client.js:389:9)
    at emitOne (events.js:125:13)
    at TLSSocket.emit (events.js:221:7)
    at onwriteError (_stream_writable.js:409:12)
    at onwrite (_stream_writable.js:431:5)
    at _destroy (internal/streams/destroy.js:39:7)
    at TLSSocket.Socket._destroy (net.js:565:3)
[2017-12-21 11:03:38.015] [DEBUG] Helper - pony failed to register
[2017-12-21 11:03:38.015] [ERROR] Helper - pony enrollment failed
(node:3137) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 3): Error: Cannot save null userContext.
(node:3137) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 4): TypeError: Cannot read property '_enrollmentSecret' of null
```

ra_w (Thu, 21 Dec 2017 09:23:11 GMT):
Has joined the channel.

AndreaBorzi (Thu, 21 Dec 2017 10:39:31 GMT):
Cannot read property '_enrollmentSecret' of null

AndreaBorzi (Thu, 21 Dec 2017 10:39:40 GMT):
how are you trying to connect to your fabric-ca-server?

AndreaBorzi (Thu, 21 Dec 2017 10:40:17 GMT):
@zhai2005

AndreaBorzi (Thu, 21 Dec 2017 10:41:42 GMT):
btw I have a question too, is there a way to preserve certificate chain? I see that in msp/ folder there is the keystore folder containing the client's private key and in signcerts there are signed certificates by the fabric-ca-server CA I'm connecting to, however there's no trace of chain

AndreaBorzi (Thu, 21 Dec 2017 10:42:09 GMT):
in fact the Cert has a mere size of roughly 750 bytes

AndreaBorzi (Thu, 21 Dec 2017 10:46:20 GMT):
what I'm trying to achieve is this situation

AndreaBorzi (Thu, 21 Dec 2017 10:48:41 GMT):
I have a fabric-ca-server running as Root CA on machine A, fabric-ca-server running as Intermediate CA on machine B, fabric-ca-client running on machine B, connecting on machine B's server

AndreaBorzi (Thu, 21 Dec 2017 10:49:26 GMT):
I'd like the cert generated on the client to have the full chain

zhai2005 (Thu, 21 Dec 2017 10:50:47 GMT):
@AndreaBorzi thanks! I have fixed it.

AndreaBorzi (Thu, 21 Dec 2017 10:50:57 GMT):
oh I see, good for you then!

zhai2005 (Thu, 21 Dec 2017 10:52:00 GMT):
but i have another error:
```
error: [Orderer.js]: sendBroadcast - reject with BAD_REQUEST
[2017-12-21 17:23:20.445] [ERROR] Create-Channel - Error: BAD_REQUEST
    at ClientDuplexStream. (/home/jack/nodeTest/node_modules/fabric-client/lib/Orderer.js:106:21)
    at emitOne (events.js:125:13)
    at ClientDuplexStream.emit (events.js:221:7)
    at addChunk (_stream_readable.js:265:12)
    at readableAddChunk (_stream_readable.js:252:11)
    at ClientDuplexStream.Readable.push (_stream_readable.js:209:10)
    at readCallback (/home/jack/nodeTest/node_modules/grpc/src/client.js:299:14)
```

AndreaBorzi (Thu, 21 Dec 2017 11:50:15 GMT):
I have a question, is there a way to generate the keypair for a fabric-ca-client and keep the full chain ? (Root Ca -> Intermediate Ca)

AndreaBorzi (Thu, 21 Dec 2017 11:50:26 GMT):
I see that on the intermediate CA server I have a ca-chain.pem

AndreaBorzi (Thu, 21 Dec 2017 11:51:18 GMT):
but issuing openssl pkcs12 -export -in cert.pem -inkey ../keystore/<> -out keypair.p12 -chain -certfile ca-chain.pem from the signcerts folder on my client I get "unable to get local issuer certificate getting chain"

AndreaBorzi (Thu, 21 Dec 2017 11:51:29 GMT):
I'm sure the issuer's certificate is in the file though

smithbk (Thu, 21 Dec 2017 13:35:47 GMT):
@AndreaBorzi The full chain is stored in MSP format. The root cert is at msp/cacerts and one or more intermediate certs at msp/intermediatecerts.

AndreaBorzi (Thu, 21 Dec 2017 13:43:00 GMT):
so if I wanted to have a keystore containing the full chain, I'd have to first concatenate the certificates from top to bottom (i.e. root -> intermediate)

AndreaBorzi (Thu, 21 Dec 2017 13:43:13 GMT):
then use the resulting pem as CAfile

AndreaBorzi (Thu, 21 Dec 2017 13:44:07 GMT):
then I can create the .p12 by using cert.pem in signcerts as -in param, the key inside of keystore as -inkey and the chain.pem as -CAfile right?

AndreaBorzi (Thu, 21 Dec 2017 13:44:17 GMT):
not as -certfile

AndreaBorzi (Thu, 21 Dec 2017 13:44:35 GMT):
sorry if this isn't strictly pertinent to fabric ca

RasmusThorsoee (Thu, 21 Dec 2017 14:19:18 GMT):
Has joined the channel.

AndreaBorzi (Thu, 21 Dec 2017 14:43:05 GMT):
something strange happens though

AndreaBorzi (Thu, 21 Dec 2017 14:43:37 GMT):
I am generating the pkcs12 file as said above, so using root ca and intermediate ca concatenated .pems as ca-chain and cert.pem as -in parameter

AndreaBorzi (Thu, 21 Dec 2017 14:43:57 GMT):
the resulting file is 2000 bytes roughly

AndreaBorzi (Thu, 21 Dec 2017 14:44:18 GMT):
but if I visualize it using keystore tool (as the final point is importing it into a java keystore)

AndreaBorzi (Thu, 21 Dec 2017 14:44:22 GMT):
I don't have the whole certificate chain

AndreaBorzi (Thu, 21 Dec 2017 14:44:40 GMT):
so when importing, I only get the last certificate, losing all of the certificate chain

AndreaBorzi (Thu, 21 Dec 2017 14:44:58 GMT):
does anybody know why?

antoniovassell (Thu, 21 Dec 2017 15:35:36 GMT):
Hey, me again, @smithbk @mastersingh24 following on from yesterday where I was able to do an enrollment of a user with HSM enabled in fabric ca, when I do an invoke it fails with the error:

antoniovassell (Thu, 21 Dec 2017 15:35:41 GMT):
```
web_1 | [2017-12-20 20:26:35.921] [DEBUG] Helper - [NetworkConfig101.js]: getOrderer - name orderer.example.com
web_1 | error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: Failed to deserialize creator identity, err the supplied identity is not valid: x509: certificate signed by unknown authority
web_1 |     at /usr/src/app/node_modules/grpc/src/client.js:554:15
web_1 | error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: Failed to deserialize creator identity, err the supplied identity is not valid: x509: certificate signed by unknown authority
web_1 |     at /usr/src/app/node_modules/grpc/src/client.js:554:15
web_1 | [2017-12-20 20:26:35.993] [ERROR] SampleWebApp - invoke chaincode proposal was bad
web_1 | [2017-12-20 20:26:35.993] [ERROR] SampleWebApp - invoke chaincode proposal was bad
web_1 | [2017-12-20 20:26:35.993] [DEBUG] SampleWebApp - Failed to send Proposal and receive all good ProposalResponse
web_1 | (node:187) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 3): Error: Failed to invoke chaincode. cause:Failed to send Proposal and receive all good ProposalResponse
web_1 | [2017-12-20 20:26:35.993] [ERROR] SampleWebApp - Failed to invoke chaincode. cause:Failed to send Proposal and receive all good ProposalResponse
```

antoniovassell (Thu, 21 Dec 2017 15:39:13 GMT):
The only output from the other nodes are the peers :

antoniovassell (Thu, 21 Dec 2017 15:39:17 GMT):
```
eer0.org2.example.com | 2017-12-20 20:26:35.990 UTC [endorser] ProcessProposal -> DEBU 632 Entering: Got request from 172.20.0.20:54154
peer0.org2.example.com | 2017-12-20 20:26:35.990 UTC [protoutils] ValidateProposalMessage -> DEBU 633 ValidateProposalMessage starts for signed proposal 0xc422503f20
peer0.org2.example.com | 2017-12-20 20:26:35.990 UTC [protoutils] validateChannelHeader -> DEBU 634 validateChannelHeader info: header type 3
peer0.org2.example.com | 2017-12-20 20:26:35.990 UTC [protoutils] checkSignatureFromCreator -> DEBU 635 checkSignatureFromCreator starts
peer0.org2.example.com | 2017-12-20 20:26:35.991 UTC [endorser] ProcessProposal -> DEBU 636 Exit: request from%!(EXTRA string=172.20.0.20:54154)
peer0.org1.example.com | 2017-12-20 20:26:35.990 UTC [protoutils] checkSignatureFromCreator -> DEBU 685 checkSignatureFromCreator starts
peer0.org1.example.com | 2017-12-20 20:26:35.991 UTC [endorser] ProcessProposal -> DEBU 686 Exit: request from%!(EXTRA string=172.20.0.20:55112)
```

antoniovassell (Thu, 21 Dec 2017 15:42:29 GMT):
questions. #1 should the tls cert generated by the fabric-ca be the same one used for all the other tls certs on the crypto-config folder? eg:

antoniovassell (Thu, 21 Dec 2017 15:45:13 GMT):
i understand there isn't any direct communication from the peers to the fabric-ca, but would the peers need any different certs apart from the ones generated by the cryptogen tool?

ashutosh_kumar (Thu, 21 Dec 2017 16:35:08 GMT):
@AndreaBorzi concatenated pem is not parsed by openssl AFAIK , or at least I have not done that before. Also , your command does not seem right. Thirdly , your question is not pertinent to Fabric CA.

RasmusThorsoee (Thu, 21 Dec 2017 18:40:34 GMT):
How is it defined which user the fabric-ca-client uses for registering new users? I have a ca-client instance where I enrolled 2 users, admin and admin2. From what I see it seems it uses the user that was last enrolled on the ca-client, is that correct? But is the ca-client not stateless, simply reading from config files and the keystore whatever information it needs?

keerthiGiridhari (Fri, 22 Dec 2017 07:49:47 GMT):
Has joined the channel.

RasmusThorsoee (Fri, 22 Dec 2017 08:54:41 GMT):
I figured it out, it was the cert.pem file.

AndreaBorzi (Fri, 22 Dec 2017 08:56:17 GMT):
hi guys, is there a way to tell fabric-ca-client when enrolling to not put the CN in the certificate being generated by the server?

skarim (Fri, 22 Dec 2017 21:31:54 GMT):
@AndreaBorzi That is currently not allowed, the CN will always be the enrollment ID

tsrb (Mon, 25 Dec 2017 07:32:07 GMT):
tls_client-cert

Ann (Mon, 25 Dec 2017 10:43:36 GMT):
Has joined the channel.

Cavan2477 (Tue, 26 Dec 2017 01:57:01 GMT):
Has joined the channel.

iamdm (Tue, 26 Dec 2017 07:07:14 GMT):
Hello everyone, I would like to ask a question

iamdm (Tue, 26 Dec 2017 07:07:31 GMT):
I'm trying to install chaincodes with users enrolled by Fabric CA

iamdm (Tue, 26 Dec 2017 07:08:08 GMT):
And then I got this error

iamdm (Tue, 26 Dec 2017 07:08:18 GMT):
```
peer0.org1.example.com | 2017-12-26 07:04:31.013 UTC [endorser] ProcessProposal -> ERRO 5f5 simulateProposal() resulted in chaincode response status 500 for txid: 5987488afb85bca53b332129af849b6c73dfd3857d254e3783fb317e5ad294d2
peer0.org1.example.com | 2017-12-26 07:04:31.013 UTC [endorser] ProcessProposal -> DEBU 5f6 Exit
peer0.org1.example.com | 2017-12-26 07:04:31.015 UTC [eventhub_producer] Chat -> ERRO 5f7 error during Chat, stopping handler: rpc error: code = Canceled desc = context canceled
peer0.org1.example.com | 2017-12-26 07:04:31.016 UTC [eventhub_producer] deRegisterHandler -> DEBU 5f8 deregistering event type: BLOCK
```

artessan (Tue, 26 Dec 2017 17:32:35 GMT):
Has joined the channel.

jnichols181912 (Tue, 26 Dec 2017 20:31:51 GMT):
Has joined the channel.

vieiramanoel (Tue, 26 Dec 2017 20:45:58 GMT):
how do I enable tls on fabric-ca-server at init?

peter.li (Wed, 27 Dec 2017 06:29:14 GMT):
Has joined the channel.

vieiramanoel (Wed, 27 Dec 2017 15:10:30 GMT):
anyone?

smithbk (Wed, 27 Dec 2017 15:43:41 GMT):
@vieiramanoel Easiest is to set the following env variables when starting fabric-ca-server: `FABRIC_CA_SERVER_TLS_ENABLED=true` and `FABRIC_CA_SERVER_TLS_CERTFILE=tls-cert.pem` and it will automatically generate the tls-cert.pem file

smithbk (Wed, 27 Dec 2017 15:47:01 GMT):
@iamdm What do the chaincode container logs say?

vieiramanoel (Wed, 27 Dec 2017 19:48:43 GMT):
thanks, @smithbk . I'm using your solution, maybe setting tls at server init should be good, I'll check if there's any discussion about it at github

vieiramanoel (Wed, 27 Dec 2017 19:50:24 GMT):
There's another thing that I didn't understand, at [this line](https://github.com/hyperledger/fabric-samples/blob/733ce9fbd7593a85da2b8b0bc9edbb6a615187d5/fabric-ca/scripts/setup-fabric.sh#L49) when registering a new orderer identity, why not use `--id.attrs '"hf.Registrar.Roles=orderer"'`

vieiramanoel (Wed, 27 Dec 2017 19:59:24 GMT):
asking better, what says that this new identity is an orderer or a peer or something else

smithbk (Thu, 28 Dec 2017 22:28:46 GMT):
@vieiramanoel the identity type is added as an OU (org unit) to the cert which MSP uses (or will use) to distinguish between orderer, peer, and client identities

JeanDias (Fri, 29 Dec 2017 01:19:21 GMT):
Has joined the channel.

RohanMalcolm (Fri, 29 Dec 2017 18:26:45 GMT):
Hey, when PKCS11 is enabled on the fabric-ca does that mean that the keys that are generated for the users are also done via PKCS11 (stored on an HSM)? I can see several files being created during network setup but when I register and enroll a user I do not see any keys created on the HSM but I see local public and private key files. Is there some other configuration?

smithbk (Fri, 29 Dec 2017 18:59:01 GMT):
@RohanMalcolm If you are using fabric-ca-client to enroll the user, then you would enable the HSM in the fabric-ca-client's config file. If you are using an SDK, then HSM must be enabled for the SDK. The fabric-ca-server intentionally never sees the private key of the users that enroll.

RohanMalcolm (Fri, 29 Dec 2017 19:00:19 GMT):
@smithbk thanks, we had tried enabling HSM in the sdk, but then the sdk started throwing errors that seems to be linked to some hardcoded values, and if bypassed had CKR_TEMPLATE_INCONSISTENT errors.

elias_p (Sat, 30 Dec 2017 10:32:22 GMT):
Has joined the channel.

erdiD (Sun, 31 Dec 2017 12:03:50 GMT):
Has joined the channel.

Randyshu2018 (Tue, 02 Jan 2018 02:28:27 GMT):
Has joined the channel.

ws8634 (Tue, 02 Jan 2018 10:18:34 GMT):
Has joined the channel.

RohanMalcolm (Tue, 02 Jan 2018 13:42:50 GMT):
@smithbk Just following up on the above

smithbk (Tue, 02 Jan 2018 14:09:35 GMT):
@RohanMalcolm Pls provide more info on how to reproduce and the full error message

davidkel (Tue, 02 Jan 2018 15:36:38 GMT):
Has joined the channel.

vieiramanoel (Tue, 02 Jan 2018 17:25:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wq6qrbCCgTFho9Ndf) @smithbk What's the difference between OU and id.type?

vieiramanoel (Tue, 02 Jan 2018 17:25:33 GMT):
```
$ fabric-ca-client identity list
2018/01/02 15:25:13 [INFO] Configuration file location: /home/vieira/goledger-samples/sample_5_deploy_network_fabric-ca/ministerio/fabric-ca-client-config.yaml
2018/01/02 15:25:13 [INFO] TLS Enabled
2018/01/02 15:25:13 [INFO] TLS Enabled
Error: Failed to parse response: 404 page not found
: invalid character 'p' after top-level value
```
anyone has got this error?

smithbk (Tue, 02 Jan 2018 17:30:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ko2AcxPrFM3JHGY56) @vieiramanoel OU is just more general, but fabric-ca-server stuffs the id.type into the cert as an OU so that MSP in fabric which can look at OUs will effectively be checking the identity type

vieiramanoel (Tue, 02 Jan 2018 17:30:50 GMT):
thanks!

skarim (Tue, 02 Jan 2018 17:37:41 GMT):
@vieiramanoel the identity command code has not completely been merged yet. As of right now, the command is available on the client side but the corresponding server code is not there as of right now. Once all code has been merged you should no longer get that message.

vieiramanoel (Tue, 02 Jan 2018 20:31:37 GMT):
I created a new user named 'admin.ministerio.org'. I need this new user to be one of my org admins; what do I need to do to achieve this?

vieiramanoel (Tue, 02 Jan 2018 20:31:55 GMT):
In fact, its certificate has: `{"attrs":{"hf.admin":"true"}}` when decoded

vieiramanoel (Tue, 02 Jan 2018 20:32:14 GMT):
and I registered with `fabric-ca-client register -d --id.name admin.ministerio.org --id.secret adminpwd --id.attrs "hf.admin=true:ecert"`

vieiramanoel (Tue, 02 Jan 2018 20:32:36 GMT):
what did I do wrong? :(

vieiramanoel (Tue, 02 Jan 2018 20:33:26 GMT):
when I try to create a new channel using this new identity I get ` 0xc42000e9f8 identity 0 does not satisfy principal: This identity is not an admin` from the orderer

vieiramanoel (Tue, 02 Jan 2018 21:42:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wtzusQEczXFMgzGLT) @skarim thanks a lot, this explains haha

mohdhafeezaj (Tue, 02 Jan 2018 22:06:21 GMT):
Hi.. Can we store web user app credentials in fabric-ca? And if I have multiple organizations and each organization can access some aspects of a private channel, how should the credentials or authorization be done? While enrolling the user, can we associate it with multiple organizations?

vdods (Tue, 02 Jan 2018 22:15:05 GMT):
@smithbk Hi there, was there any resolution for https://jira.hyperledger.org/browse/FAB-6003 for v1.0.x ? Apart from creating my own fork of fabric-ca v1.0.5 with the re-vendored cloudfare lib, or downgrading to go 1.8, both of which present devops problems, I'm blocked by this bug

vdods (Tue, 02 Jan 2018 22:15:50 GMT):
This bug has a known fix, and is a rather serious bug (I can't register via fabric-ca-client), so it would warrant merging the fix and releasing a v1.0.6

vieiramanoel (Tue, 02 Jan 2018 23:51:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uDX4pAbiPZPDCLkbe) @mohdhafeezaj I'm not sure about network design, but I think there'll be at least one CA for each organization, so in case you have the same user for multiple orgs you need this person registered in each CA

smithbk (Wed, 03 Jan 2018 02:59:17 GMT):
@vdods sorry, but v1.0.x isn't supported on go 1.9, so you just have to downgrade go to 1.8

vdods (Wed, 03 Jan 2018 02:59:41 GMT):
@smithbk Ok, thanks

smithbk (Wed, 03 Jan 2018 03:01:22 GMT):
@vieiramanoel Yes, the design is that an identity is associated with a single org

mohdhafeezaj (Wed, 03 Jan 2018 03:53:25 GMT):
@vieiramanoel : we are planning to have one CA, but will have multiple divisions in it to create private channels. Do you think that is a good design? If we follow this design can we restrict the access of channels to certain users?

vieiramanoel (Wed, 03 Jan 2018 03:57:27 GMT):
I don't think I'm the best person to answer that, since I've been working only at the structural level (I didn't write any chaincode yet haha), but I'll try. Keep in mind that a channel is formed between peers, not between users. The fabric-CA config file provides a field where you can set departments for each user that you are registering/enrolling. Given those departments, _I guess_ you can make restriction policies for each department at the REST or chaincode level (I'm not sure about which one)

vieiramanoel (Wed, 03 Jan 2018 03:59:31 GMT):
anyone please be welcome to point any errors

ishwaryak (Wed, 03 Jan 2018 05:02:08 GMT):
Has joined the channel.

ishwaryak (Wed, 03 Jan 2018 05:05:15 GMT):

host.png

ishwaryak (Wed, 03 Jan 2018 05:06:27 GMT):
can anyone solve this error?

ishwaryak (Wed, 03 Jan 2018 05:36:16 GMT):
`export PATH=$PWD/bin:$PATH` what is the meaning of this line?

vieiramanoel (Wed, 03 Jan 2018 06:27:00 GMT):
@ishwaryak take a look at these two tutorials, it will help you

vieiramanoel (Wed, 03 Jan 2018 06:27:06 GMT):
mlgblockchain.com/setup-hyperledger-fabric.html

vieiramanoel (Wed, 03 Jan 2018 06:27:14 GMT):
https://mlgblockchain.com/setup-hyperledger-client.html

vieiramanoel (Wed, 03 Jan 2018 06:27:31 GMT):
this error is caused because your fabric-ca-server is not running

ishwaryak (Wed, 03 Jan 2018 06:27:44 GMT):
I am following this tutorial only ...

vieiramanoel (Wed, 03 Jan 2018 06:28:21 GMT):
you need then

vieiramanoel (Wed, 03 Jan 2018 06:28:25 GMT):
`fabric-ca-server start -b "admin:adminpw"`

vieiramanoel (Wed, 03 Jan 2018 06:28:29 GMT):
in one terminal

vieiramanoel (Wed, 03 Jan 2018 06:28:33 GMT):
leave it running

vieiramanoel (Wed, 03 Jan 2018 06:28:44 GMT):
open another terminal and do client operations

vieiramanoel (Wed, 03 Jan 2018 06:29:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EovNFfStPiwFN23eD) @ishwaryak about path variable take a look at linux docs http://www.linfo.org/path_env_var.html

vieiramanoel (Wed, 03 Jan 2018 06:30:39 GMT):
basically it says where your binaries are, so that you don't have to write `/bin/shutdown` every time you need to shut down your computer from the terminal, for example. Instead you just type `shutdown`

vieiramanoel (Wed, 03 Jan 2018 06:31:27 GMT):
because your system knows through the PATH var where to search for this binary

vieiramanoel (Wed, 03 Jan 2018 06:35:22 GMT):
this line specifically adds to your PATH variable the new binaries that you just compiled: fabric-ca-server and fabric-ca-client

vieiramanoel (Wed, 03 Jan 2018 06:35:51 GMT):
was it helpful?

ishwaryak (Wed, 03 Jan 2018 06:38:06 GMT):
yup, helpful.. still have doubts... what does pwd mean? `export PATH=$PWD/bin:$PATH` is this command something I need to execute in sudo nano bash? @vieiramanoel

vieiramanoel (Wed, 03 Jan 2018 06:39:17 GMT):
pwd means "print working directory"; it just gives you your current directory in one variable

ishwaryak (Wed, 03 Jan 2018 06:40:12 GMT):

sudo.png

ishwaryak (Wed, 03 Jan 2018 06:40:54 GMT):
The go path I need to give? The fabric sample path I need to give?

vieiramanoel (Wed, 03 Jan 2018 06:40:56 GMT):
these are linux questions, message me in private and then I can answer your questions about it

vieiramanoel (Wed, 03 Jan 2018 06:41:21 GMT):
let's keep the channel focused on fabric-ca questions

smithbk (Wed, 03 Jan 2018 12:59:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pnwT2AEYtMbzXJxy2) @mohdhafeezaj 2 possibilities here: 1) A single fabric-ca-server can host multiple CAs. So if your concern is having to run a server for each org, it is possible to run a single fabric-ca-server (or cluster for HA) which hosts a CA for each org. Each CA has its own signing key in this case. 2) It is possible to divide up a single CA hierarchically using affiliations. Instead of having a single bootstrap user, you would have an administrator for each top-level branch in the affiliation tree, thus limiting what a single administrator can do.

smithbk (Wed, 03 Jan 2018 13:05:15 GMT):
#1 is much simpler of course

rsherwood (Wed, 03 Jan 2018 14:55:51 GMT):
Hi, I'm new to the CA. Can you tell me, can the CA produce any reports, such as the certificates produced by the CA that will expire in the next X days, so that the service management organisation can manage key renewal? I can't see any mention in the read-the-docs. If the answer is "write your own", then is the SQL schema of the CA backing store published, and would it contain any confidential info such as secrets that should not be exposed in any way?

aambati (Wed, 03 Jan 2018 16:51:39 GMT):
i don't think we have such function currently. But there is a JIRA https://jira.hyperledger.org/browse/FAB-7238 to implement such function

aambati (Wed, 03 Jan 2018 17:00:24 GMT):
you can see SQL schema at https://github.com/hyperledger/fabric-ca/blob/ae82824942708c8d435e1a48deab13a454c1ba2c/lib/dbutil/dbutil.go#L75 ...you need to query certificates table...btw, secrets are one way hashed and there is no secret stored in certificate table

gurel (Wed, 03 Jan 2018 17:42:28 GMT):
Has joined the channel.

akashsethi24 (Thu, 04 Jan 2018 05:15:01 GMT):
Has joined the channel.

ishwaryak (Thu, 04 Jan 2018 06:15:06 GMT):

client failure.png

ishwaryak (Thu, 04 Jan 2018 06:17:50 GMT):
`fabric-ca-client enroll -u "http://admin:adminpw@localhost:7054"`

ishwaryak (Thu, 04 Jan 2018 06:18:05 GMT):
can anyone solve this error?

Subramanyam (Thu, 04 Jan 2018 06:49:16 GMT):
Hi all, I want to know how to encrypt and decrypt a text file in Hyperledger Fabric, with an example.

mohdhafeezaj (Thu, 04 Jan 2018 07:03:20 GMT):
@smithbk : Thanks

vdods (Thu, 04 Jan 2018 08:20:00 GMT):
Is there any way to run `fabric-ca-client enroll` without specifying the password in the commandline? It shows right up in the process list and is visible by any user.

ishwaryak (Thu, 04 Jan 2018 10:38:52 GMT):
@vdods for me it's not working

vdods (Thu, 04 Jan 2018 10:43:03 GMT):
@ishwaryak What method is it?

ishwaryak (Thu, 04 Jan 2018 10:44:48 GMT):

client failure.png

allonblocks21 (Thu, 04 Jan 2018 11:05:12 GMT):
Has joined the channel.

smithbk (Thu, 04 Jan 2018 13:20:02 GMT):
@vdods Looks like it isn't currently but will open a jira to support env var and config file for that also. It is a short-lived command at least

smithbk (Thu, 04 Jan 2018 13:55:23 GMT):
@vdods See https://jira.hyperledger.org/browse/FAB-7596

smithbk (Thu, 04 Jan 2018 14:02:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LxomAdpysbndzaGzQ) @Subramanyam See https://github.com/hyperledger/fabric/blob/v1.1.0-preview/core/chaincode/shim/ext/entities/interfaces.go#L41 ... note that it is in the master branch. BTW, the folks on the fabric-crypto channel wrote this encryption library so that is a better place to ask further questions

smithbk (Thu, 04 Jan 2018 14:04:30 GMT):
@ishwaryak Did you solve your enroll failure? Anytime you get an authorization failure on the client, you can look at the server logs to get a more specific description of what failed. Of course the wrong username or password would cause this

rahulhegde (Thu, 04 Jan 2018 14:56:10 GMT):
How do I specify the CSR names as part of the fabric-ca client environment variable `FABRIC_CA_CLIENT_CSR_NAMES`? It gives the message `source data must be array or slice, passed string`. How should this be passed for v1.0.4 using an environment variable? Thanks.

voutasaurus (Thu, 04 Jan 2018 16:35:27 GMT):
Has joined the channel.

skarim (Thu, 04 Jan 2018 17:48:41 GMT):
@rahulhegde Seems like there might be a bug here with environment variables. I am looking further into it. But, I think your best bet right now would be to use the configuration file for CSR names.

vdods (Thu, 04 Jan 2018 19:20:51 GMT):
@smithbk Thanks!

rahulhegde (Thu, 04 Jan 2018 19:33:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iL9atEqNsjgJu9XbN) @skarim I can update CSR information using fabric-ca client configuration file however I was not able to update CN even using the configuration approach. Do you know how this should be done?

skarim (Thu, 04 Jan 2018 19:34:26 GMT):
@rahulhegde The CN is always going to be your enrollment ID, we do not allow setting the CN to a value that is not your enrollment ID

rahulhegde (Thu, 04 Jan 2018 19:42:04 GMT):
As per my understanding, the Enrollment Id is the credential used for authorizing use of the CA by a client. And the CN would be a common/distinguished name for the subject. Now, there could be multiple end-entity certificates to be issued by the same CA, which would translate to assigning the same common name to every issued certificate.

krabradosty (Thu, 04 Jan 2018 20:17:19 GMT):
Has joined the channel.

krabradosty (Thu, 04 Jan 2018 20:20:18 GMT):
Hi folks! How can user retrieve his certificate and private key from CA after he has been enrolled?

skarim (Thu, 04 Jan 2018 20:45:22 GMT):
@rahulhegde You would need to register multiple identities with the fabric CA, and then enroll using different Enrollment IDs to get certificates with different CNs

skarim (Thu, 04 Jan 2018 21:41:04 GMT):
@krabradosty The private key exists where it was created by the user and should never really be shared, and thus is not tracked by the CA. There is currently no way to request a certificate for a specific identity from the Fabric CA, but this is something that can be supported in the future. There is a work item to track this effort. https://jira.hyperledger.org/browse/FAB-7238

rahulhegde (Thu, 04 Jan 2018 23:21:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=J6qTX9dRnLGxXZftg) @skarim I agree - every organization gets segregated by their enrollment id. But this would be too much to ask, mandating that an organization use a separate enrollment id in order to achieve a unique common name for the subject. Today `cn` is not being used for any validation by fabric for 1.0.4, but considering best practice, is it something to be thought about for fabric-ca? Thanks.

Taffies (Fri, 05 Jan 2018 03:07:49 GMT):
Has joined the channel.

ShefaliMittal (Fri, 05 Jan 2018 04:47:53 GMT):
Hi, I have set up my network using docker swarm. Below are my setup details:
- Two organisations having one peer each and one orderer
- Orderer and org1 peer are on one machine
- org2 peer is on a second machine
I am able to create and join a channel from both peers. But when I try to install chaincode from my peer, I get the below error:
```
2018-01-05 04:41:13.962 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing local MSP
2018-01-05 04:41:13.962 UTC [msp] GetDefaultSigningIdentity -> DEBU 002 Obtaining default signing identity
2018-01-05 04:41:13.962 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 003 Using default escc
2018-01-05 04:41:13.962 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 004 Using default vscc
Error: Error getting chaincode code chaincode: : failed with error: "exec: not started"
Usage:
  peer chaincode install [flags]
```

vieiramanoel (Fri, 05 Jan 2018 04:51:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bHkYsWEm6xHDB6QAz) @ShefaliMittal hello! This occurs because you need to use the cli to do chaincode operations; the peer image doesn't have a Go compiler anymore since 1.0's alpha version

vieiramanoel (Fri, 05 Jan 2018 04:51:55 GMT):
I came into this error yesterday

vieiramanoel (Fri, 05 Jan 2018 04:54:51 GMT):
[check this Jira thread](https://jira.hyperledger.org/browse/FAB-2493?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&showAll=true)

ShefaliMittal (Fri, 05 Jan 2018 04:55:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Qe9GNWiYseHWrx665) @vieiramanoel When I use the CLI, it does install on both peers. It also instantiates on one peer, but when I invoke chaincode on the second peer, it says chaincode not found.

vieiramanoel (Fri, 05 Jan 2018 04:56:02 GMT):
you need to query from second peer

vieiramanoel (Fri, 05 Jan 2018 04:56:37 GMT):
I didn't understand exactly why, @yacovm has explained at #fabric-questions channel, i guess.

vieiramanoel (Fri, 05 Jan 2018 04:56:55 GMT):
(but I didn't get why this is needed haha)

ShefaliMittal (Fri, 05 Jan 2018 04:57:29 GMT):
You mean invoke can be done from one machine which has CLI?

nagarajants (Fri, 05 Jan 2018 14:19:43 GMT):
Has joined the channel.

knagware9 (Fri, 05 Jan 2018 17:09:13 GMT):
Hi..can you please help me to understand

knagware9 (Fri, 05 Jan 2018 17:09:19 GMT):
A user does not have a certificate, but they can still interact with the blockchain network through one of the existing network members. How?

knagware9 (Fri, 05 Jan 2018 17:11:16 GMT):
While there may be hundreds of members in a blockchain network, there may be thousands of users. A user is a participant in a blockchain network that has indirect access to the ledger through a “trust relationship” to an existing member. For example, it is common for some mobile applications to employ their own user authentication and authorization scheme (OAuth, OpenID) and map those credential to one or more credentialed members in a blockchain network. A proxy or gateway service is typically created to perform this mapping function, thereby mapping the outside world to the blockchain world.

lucasdf (Fri, 05 Jan 2018 17:27:34 GMT):
Has joined the channel.

smithbk (Fri, 05 Jan 2018 17:54:40 GMT):
@knagware9 One possible flow is user1 logs into a web app in company 1 using some authentication framework specific to that company. Let's say the company uses 2-factor authentication for example. The user clicks on something that requires interaction with the blockchain, so the web app registers and enrolls an identity on behalf of user1 which creates a certificate for user1, and then uses that certificate to transact on the blockchain for user1.

sukesannn (Sun, 07 Jan 2018 01:28:14 GMT):
Has joined the channel.

rahulhegde (Sun, 07 Jan 2018 15:24:46 GMT):
Reference: http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enrolling-a-peer-identity
I have a question on the Enrollment Definition in Fabric CA Server. Once an identity is registered, does enrollment of the identity mean:
1. Using the registered enrollment identity, I can now enroll multiple identities. Like in the reference link, the registered identity is Peer1. And hence now I am eligible to run the `enroll` command maxenrollment times for enrolling and thus creating multiple MSP folders for each entity to be used in my Fabric Network. Example: Say I have 5 Peers running in my Organization and hence I would be running the `enroll` command 5 times to create 5 MSP folders using the registered Enrollment Id Peer1.
OR
2. Each Registered Enrollment Id must be allowed to be Enrolled only once. This means, once the same identity is enrolled, a corresponding MSP folder is created for it. This flow looks more like: the `admin` of the Fabric CA Server will perform the Registration of the Requested Identity by the Organization and then the credential received will be securely passed to that identity of the organization. This identity will be running the `enroll` command in their organization (which would create keys) and hence will receive an issued/signed certificate from the fabric-ca-server. Example: Say I have 5 Peers running in my Organization and hence I would be running the [`register` + `enroll`] commands 5 times (peer[1-5]) to create Enrollment ID = MSP folder per Identity.

smithbk (Sun, 07 Jan 2018 16:30:44 GMT):
@rahulhegde #2 is the best practice, not #1. You want each peer to have a different identity. There is a 1-1 mapping between enrollment ID and identity. BTW, it is certainly more secure to have max_enrollments set to 1, which means the enrollment secret is a 1-time password. The only real reason that I can think of for having max_enrollments > 1 in the real world is if you have a cluster of servers where each server should by definition be an exact copy of the other and so you want them to have the same identity. You would then set max_enrollments equal to the number of servers in the cluster. In a dev environment, you might also want to have max_enrollments > 1 just so you can easily recover when you delete your ECert. In any case, I would not recommend #1.

rahulhegde (Sun, 07 Jan 2018 22:43:07 GMT):
@smithbk Looks to me like #1 can be the recommended approach for an offline CA that does not have connectivity to the Participant Organizations. The CSR can be directly sent to the CA Organization and, using the RestAPI support ( `/enroll` ) of fabric-ca-server, the certificate can be issued. In this case the same enrollment identity can be used multiple times. Will approach #1 cause any implications for further certificate management (like Revoke/Renewal of that certificate etc.) from the Fabric CA Server perspective?

rahulhegde (Sun, 07 Jan 2018 22:57:18 GMT):
@smithbk I feel the documentation of fabric-ca-server is more aligned towards the #2 process. The #1 came to mind with the statement `Revoking an identity will revoke all the certificates owned by the identity and will also prevent the identity from getting any new certificates`. Reference: http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#revoking-a-certificate-or-identity How can a single enrollment identity own multiple certificates? Is it like a scenario where an `admin` registers `org.admin`, which in turn registers enrollment Ids `peer[1-5]`? A revoke on enrollment id = `org.admin` would then trigger a revoke of the certificates of `org.admin` + `peer[1-5]`.

naveen_saravanan (Mon, 08 Jan 2018 06:26:21 GMT):
Has joined the channel.

naveen_saravanan (Mon, 08 Jan 2018 08:54:05 GMT):
Does anyone know how to add a new peer/org dynamically using the fabric-CA?

smithbk (Mon, 08 Jan 2018 13:36:16 GMT):
@naveen_saravanan If adding a new org, then create a new fabric CA to represent that org, which has a new root of trust. See https://www.ibm.com/developerworks/cloud/library/cl-add-an-organization-to-your-hyperledger-fabric-blockchain/index.html for how to add that root of trust to an existing channel

smithbk (Mon, 08 Jan 2018 13:42:31 GMT):
@rahulhegde No, a revoke of enrollment ID org.admin would only revoke org.admin's certificates, not certificates of identities that org.admin registered

smithbk (Mon, 08 Jan 2018 13:47:40 GMT):
@rahulhegde You really need peers to have different enrollment IDs IMO. It is just better from a security perspective to do so. You would also not be able to distinguish between signatures from one peer to another as would be required for some endorsement policies unless peers have different enrollment IDs.

KathyXu (Mon, 08 Jan 2018 19:30:17 GMT):
Has joined the channel.

naveen_saravanan (Tue, 09 Jan 2018 07:03:45 GMT):
@smithbk Thank you for your reply.

naveen_saravanan (Tue, 09 Jan 2018 07:06:21 GMT):
Do you know how the fabric-CA-client's commands can be deployed to register and enroll a new member into the server?

naveen_saravanan (Tue, 09 Jan 2018 07:07:30 GMT):
And could you also specify the commands that are used for this?

aceyin (Tue, 09 Jan 2018 10:04:34 GMT):
Has joined the channel.

aceyin (Tue, 09 Jan 2018 10:06:13 GMT):
What's the difference between *HFCAClient.register(RegistrationRequest request, User registrar)* and *HFCAClient.enroll(String user, String secret)* ?

italycappuccino (Tue, 09 Jan 2018 10:51:48 GMT):
Has joined the channel.

YashGanthe (Tue, 09 Jan 2018 13:08:17 GMT):
When Peer connects to Orderer over TLS, it validates the TLS cert of the orderer. Is it possible to disable the validation so that even if the certificate is not valid, the connection will be established?

jmcnevin (Tue, 09 Jan 2018 14:05:04 GMT):
Hey all, I was attempting to get 1.0.5 talking to a postgres 9.6 RDS instance last night, and kept hitting this with "sslmode=require": https://gist.github.com/jmcnevin/07cfdc4717f74f87c258b07e9f63409e

jmcnevin (Tue, 09 Jan 2018 14:05:19 GMT):
Anyone else experienced this with the 1.0.5 docker container?

jmcnevin (Tue, 09 Jan 2018 14:05:55 GMT):
Server started fine with "sslmode=disable"

smithbk (Tue, 09 Jan 2018 14:20:33 GMT):
@naveen_saravanan See http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#registering-a-new-identity and http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enrolling-a-peer-identity

smithbk (Tue, 09 Jan 2018 14:23:10 GMT):
@aceyin Registering a user adds a new enrollment ID, password, attributes, etc to the CA database and is done by a registrar. Enrolling that user uses the enrollment ID and password to get the CA to issue an enrollment certificate (ECert) for that user.

smithbk (Tue, 09 Jan 2018 14:29:29 GMT):
@YashGanthe The TLS client always validates the certificate. Some clients allow you to disable the hostname validation part though it is not really secure. Is that the failure you are getting?

YashGanthe (Tue, 09 Jan 2018 14:30:51 GMT):
Yes. I am getting hostname validation error and I want to disable that just for some testing

smithbk (Tue, 09 Jan 2018 14:43:22 GMT):
Look for the `ordererTLSHostnameOverride` flag on the command such as the following:
```
$ peer channel -h
Operate a channel: create|fetch|join|list|update|signconfigtx|getinfo.

Usage:
  peer channel [command]

Available Commands:
  create        Create a channel
  fetch         Fetch a block
  getinfo       get blockchain information of a specified channel.
  join          Joins the peer to a channel.
  list          List of channels peer has joined.
  signconfigtx  Signs a configtx update.
  update        Send a configtx update.

Flags:
      --cafile string                      Path to file containing PEM-encoded trusted certificate(s) for the ordering endpoint
  -o, --orderer string                     Ordering service endpoint
      --ordererTLSHostnameOverride string  The hostname override to use when validating the TLS connection to the orderer.
      --tls                                Use TLS when communicating with the orderer endpoint

Global Flags:
      --logging-level string   Default logging level and overrides, see core.yaml for full syntax
  -v, --version                Display current version of fabric peer server
```

smithbk (Tue, 09 Jan 2018 14:54:09 GMT):
@jmcnevin See https://jira.hyperledger.org/browse/FAB-2919 ... you can build images w/o --static as follows: `FABRIC_CA_DYNAMIC_LINK=true make docker`

smithbk (Tue, 09 Jan 2018 14:58:59 GMT):
@jmcnevin Also see https://jira.hyperledger.org/browse/FAB-7471 and https://gerrit.hyperledger.org/r/#/c/16691/ which is not yet merged

rahulhegde (Tue, 09 Jan 2018 17:37:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ewZovMaBgdXLR6BvC) Thanks Keith, could you please pass your viewpoint on this part.

rahulhegde (Tue, 09 Jan 2018 17:37:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ewZovMaBgdXLR6BvC) Thanks Keith on your previous responses, could you please pass your viewpoint on this part.

smithbk (Tue, 09 Jan 2018 18:57:52 GMT):
@rahulhegde Afraid I don't follow. You said an "offline CA" but are sending enroll requests to its REST API. Can you elaborate?

cchalc (Tue, 09 Jan 2018 20:44:42 GMT):
Has joined the channel.

aceyin (Wed, 10 Jan 2018 00:52:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7LA2uieAvG2sHW4GS) @smithbk that's great explanation, thank you

javrevasandeep (Wed, 10 Jan 2018 07:08:07 GMT):
Has joined the channel.

javrevasandeep (Wed, 10 Jan 2018 07:11:40 GMT):
Can someone help me with adding a new peer dynamically? I have tried a lot and couldn't get it working. I am able to start the new peer container but I get this error:
```
sendToEndpoint -> WARN Failed obtaining connection for peer3.org1.example.com:7051, PKIid:[147 183 148 145 207 91 110 56 176 50 130 248 85 201 254 71 243 222 64 195 34 145 56 207 114 3 38 39 135 60 67 44] reason: x509: certificate signed by unknown authority
```
I am following the steps below. First I logged into the container ca_peerOrg1 and then ran these commands:
```
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client enroll -d -u https://admin:adminpw@ca.org1.example.com:7054 -M $FABRIC_CA_CLIENT_HOME --csr.hosts ca.org1.example.com --tls.certfiles /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client register -d -u https://admin:adminpw@ca.org1.example.com:7054 -M $FABRIC_CA_CLIENT_HOME --id.name peer3 --id.type peer --id.affiliation org1.department1 --tls.certfiles /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
```
password - yIjaZmkoyiQO
```
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer3
fabric-ca-client enroll -u https://peer3:yIjaZmkoyiQO@ca.org1.example.com:7054 -M $FABRIC_CA_CLIENT_HOME/msp --tls.certfiles /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
fabric-ca-client enroll -d --enrollment.profile tls -u https://peer3:yIjaZmkoyiQO@ca.org1.example.com:7054 -M /tmp/tls --csr.hosts peer3.org1.example.com --tls.certfiles /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
```
I copied the certificates to ../crypto-config..../../../peer3.org1.example.com and started the peer3 container through docker compose with orderer as a dependency.

naveen_saravanan (Wed, 10 Jan 2018 09:26:30 GMT):
Can anyone please tell me the steps to install and run fabric-ca-client on ubuntu?

lkolisko (Wed, 10 Jan 2018 09:44:20 GMT):
Has joined the channel.

naveen_saravanan (Wed, 10 Jan 2018 11:26:58 GMT):
What does "GOPATH environment variable is set correctly" mean in this URL: http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#getting-started?

vieiramanoel (Wed, 10 Jan 2018 11:41:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rroR5B7eANKuJTtKN) @naveen_saravanan You can run it via docker or compile the binaries, for second case, here's a tutorial: [server](mlgblockchain.com/setup-hyperledger-fabric.html) [client](https://mlgblockchain.com/setup-hyperledger-client.html)

vieiramanoel (Wed, 10 Jan 2018 11:41:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rroR5B7eANKuJTtKN) @naveen_saravanan You can run it via docker or compile the binaries, for second case, here's a tutorial: [server](https://mlgblockchain.com/setup-hyperledger-fabric.html) [client](https://mlgblockchain.com/setup-hyperledger-client.html)

vieiramanoel (Wed, 10 Jan 2018 11:42:47 GMT):
I would recommend following these tutorials before using a docker environment

vieiramanoel (Wed, 10 Jan 2018 11:42:47 GMT):
Follow these tutorials before using a docker environment

vieiramanoel (Wed, 10 Jan 2018 11:45:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tNH2taxuibCNPgt7Y) @javrevasandeep here's a test I would recommend: https://www.sslshopper.com/certificate-decoder.html use this decoder to decode the certificates of both peers: the already existing peer and the new peer. See the differences: whether they're from the same org, whether the issuer is the same, etc.

vieiramanoel (Wed, 10 Jan 2018 12:23:51 GMT):
(the signcerts one)

YashGanthe (Wed, 10 Jan 2018 14:44:30 GMT):
The Orderer has been issued a TLS cert with CN=*.myorg. The Peer is refusing the certificate, and asking for a cert named orderer.myorg. Fundamentally, a wildcard cert should be acceptable to the Peer. Is there a setting we can do in the Peer to accept wildcard certs?

sk (Wed, 10 Jan 2018 15:07:44 GMT):
Referring to the ABAC example, I am trying to add
```
aClient.register({
    enrollmentID: username,
    affiliation: userOrg,
    attrs: [{"name":"appAdmin","value":"true:ecert"}]
});
```
But when I run the chaincode I get the error: `Attribute 'appAdmin' was not found`. And in the CA log I see: `Registrar does not have any values for 'hf.Registrar.Attributes' thus can't register any attributes`. Anyone faced a similar error? Any clue?

gbolo (Wed, 10 Jan 2018 17:12:37 GMT):
User User_1 added by gbolo.

smithbk (Wed, 10 Jan 2018 17:12:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tNH2taxuibCNPgt7Y) @javrevasandeep Did you follow instructions at https://www.ibm.com/developerworks/cloud/library/cl-add-an-organization-to-your-hyperledger-fabric-blockchain/index.html ?

smithbk (Wed, 10 Jan 2018 17:17:36 GMT):
@sk What identity did you use to call register? If you were using the default bootstrap user, then it should have that "hf.Registrar.Attributes" attribute with a value of "*" which means it can register any attribute

smithbk (Wed, 10 Jan 2018 17:17:36 GMT):
@sk What identity did you use to call register? If you were using the default bootstrap user, then it should have that "hf.Registrar.Attributes" attribute with a value of "*" which means it can register any attribute. It is possible that you are using an older version of fabric-ca-server. The current version should automatically handle that for you. So if you're using the latest version, I'd be interested in knowing how to reproduce.

smithbk (Wed, 10 Jan 2018 17:25:12 GMT):
@YashGanthe Did you try the `--ordererTLSHostnameOverride` option on peer?

toddinpal (Wed, 10 Jan 2018 18:15:42 GMT):
Does fabric-ca support OCSP?

sk (Wed, 10 Jan 2018 18:35:50 GMT):

hf.Registrar.Attributes: "*"

sk (Wed, 10 Jan 2018 18:35:50 GMT):
@smithbk I am using "hyperledger/fabric-ca x86_64-1.1.0-preview " is this the latest one? Also I tried setting hf.Registrar.Attributes: "*" into "fabric-ca-server-config.yaml" Refer attached screen shot

sk (Wed, 10 Jan 2018 18:35:50 GMT):
@smithbk I am using "hyperledger/fabric-ca x86_64-1.1.0-preview " is this the latest one? Also I tried setting hf.Registrar.Attributes: "*" into "fabric-ca-server-config.yaml" Refer above screen shot

sk (Wed, 10 Jan 2018 18:35:50 GMT):
@smithbk I am using "hyperledger/fabric-ca x86_64-1.1.0-preview " is this the latest one? Also I tried setting hf.Registrar.Attributes: "*" into "fabric-ca-server-config.yaml" Refer above screen shot. And I am using bootstrap user "admin" to register the new identity

smithbk (Wed, 10 Jan 2018 18:47:49 GMT):
@sk Yes, the preview is the latest release and did not include the migration code. To fix, in addition to the change to fabric-ca-server-config.yaml, you need to stop server, delete the fabric-ca-server.db file (assuming you're using the default sqlite), and restart

toddinpal (Wed, 10 Jan 2018 18:48:39 GMT):
A clarification on my question, does fabric-ca provide an OCSP responder?

smithbk (Wed, 10 Jan 2018 18:48:40 GMT):
@toddinpal No, not yet, but would welcome a jira item for that

toddinpal (Wed, 10 Jan 2018 18:48:51 GMT):
ok, will do.

vieiramanoel (Wed, 10 Jan 2018 18:50:59 GMT):
`Error: Registration request does not have an affiliation` wasn't it fixed in older versions?

vieiramanoel (Wed, 10 Jan 2018 18:50:59 GMT):
`Error: Registration request does not have an affiliation` wasn't it fixed in older versions?

smithbk (Wed, 10 Jan 2018 18:53:38 GMT):
It should not be required, but should default to the affiliation of the registrar. What version are you using? CLI or SDK?

toddinpal (Wed, 10 Jan 2018 18:55:05 GMT):
FAB-7687

vieiramanoel (Wed, 10 Jan 2018 18:57:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MtZGCfXxy65p4WsbT) @smithbk I'm using the client via binary

vieiramanoel (Wed, 10 Jan 2018 18:57:25 GMT):
I compiled it from this release branch https://github.com/hyperledger/fabric-ca

vieiramanoel (Wed, 10 Jan 2018 18:57:51 GMT):
while fabric-ca-server is inside a docker at latest version

smithbk (Wed, 10 Jan 2018 18:59:01 GMT):
@vieiramanoel ok, so you can just use the "--affiliation" flag ... but that will no longer be required in v1.1.0-alpha which will be the next release

vieiramanoel (Wed, 10 Jan 2018 19:00:36 GMT):
This flag isn't available, I'm confused because this used to work on another machine :s

smithbk (Wed, 10 Jan 2018 19:02:44 GMT):
sorry, use `--id.affiliation ` flag

smithbk (Wed, 10 Jan 2018 19:03:10 GMT):
you'll also need `--id.type `

smithbk (Wed, 10 Jan 2018 19:06:13 GMT):
See examples at http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#registering-a-new-identity

vieiramanoel (Wed, 10 Jan 2018 19:14:35 GMT):
inside fabric-ca-server-config.yaml:
```
affiliations:
  Goledger:
    - estagiarios
    - department2
```

vieiramanoel (Wed, 10 Jan 2018 19:15:01 GMT):
thanks

vieiramanoel (Wed, 10 Jan 2018 19:15:04 GMT):
it worked

rahulhegde (Thu, 11 Jan 2018 01:56:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2f2zFNEfDErCBrSKK) @smithbk `offline CA` meant running it in an isolated environment, not available for the `fabric-ca-client` to call directly, say using the command `enroll` with the `-u` option. This means a `CSR` would be created at the participant site (for example) and then transferred through a secure process to the `CA` hosting organization. Now using the REST API support available with `fabric-ca-server` @ `https://github.com/hyperledger/fabric-ca/blob/release/swagger/swagger-fabric-ca.json#L128` (the REST specification is not up to date though), you can request issuance of a certificate by using the `curl` utility to send a `CSR` pem to fabric-ca-server, however using the same `enrollment id`.

rahulhegde (Thu, 11 Jan 2018 01:56:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2f2zFNEfDErCBrSKK) @smithbk `offline CA` meant running it in an isolated environment, not available for the `fabric-ca-client` to call directly, say using the command `enroll` with the `-u` option. This means a `CSR` would be created at the participant site (for example) and then transferred through a secure process to the `CA` hosting organization. Now using the REST API support available with `fabric-ca-server` @ https://github.com/hyperledger/fabric-ca/blob/release/swagger/swagger-fabric-ca.json#L128 (the REST specification is not up to date though), you can request issuance of a certificate by using the `curl` utility to send a CSR pem to fabric-ca-server, however using the same `enrollment id`.

smithbk (Thu, 11 Jan 2018 02:14:56 GMT):
(https://chat.hyperledger.org/channel/fabric-ca?msg=s5EGFwv4XcGqnMkhu) @rahulhegde Yes, that is a valid case for setting max_enrollments > 1. That is needed because you will need to use /enroll multiple times rather than /enroll once and /reenroll for renewal. But that isn't really #1 because you are using the same enrollment ID each time.

rahulhegde (Thu, 11 Jan 2018 03:15:42 GMT):
> But that isn't really #1 because you are using the same enrollment ID each time.

Do you see a problem with certificate management when the enrollment ID is reused each time, from the perspective of fabric-ca-server?

smithbk (Thu, 11 Jan 2018 05:01:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DwNzC3sarpwvXiej4) @rahulhegde No

naveen_saravanan (Thu, 11 Jan 2018 06:55:11 GMT):
I have installed fabric-ca-client

naveen_saravanan (Thu, 11 Jan 2018 06:56:27 GMT):
and when I try to enroll I get the error as follows,

naveen_saravanan (Thu, 11 Jan 2018 06:56:30 GMT):
```
root@hibiz-Aspire-E5-575:/usr/local/go/src/github.com/hyperledger/fabric-ca# fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
2018/01/11 12:23:44 [INFO] User provided config file: /root/Documents/Fabric-CA/client/fabric-ca-client-config.yaml
2018/01/11 12:23:44 [INFO] generating key: &{A:ecdsa S:256}
2018/01/11 12:23:44 [INFO] encoded CSR
Error: POST failure [Post http://localhost:7054/enroll: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"]; not sending
POST http://localhost:7054/enroll
Authorization: Basic YWRtaW46YWRtaW5wdw==
{"hosts":["hibiz-Aspire-E5-575"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBSTCB8AIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwptAb4w2Sc9EoJ++\nVQ4i092PHKyFsQWIeGZlFn8C6oSEMz1/U3Yu2zKqwrPPsHxjU//5WPxTLtPSmXZK\nC+PVT6AxMC8GCSqGSIb3DQEJDjEiMCAwHgYDVR0RBBcwFYITaGliaXotQXNwaXJl\nLUU1LTU3NTAKBggqhkjOPQQDAgNIADBFAiEApfdKIqTTEzaaYEaqE/XcHc5FRawp\nyP2J7Am0jLgWmTsCIBHb5O9BlKTjRLQKJLO28rSnoDqplHIYIHOsAFoI0ZoZ\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","CAName":""}
root@hibiz-Aspire-E5-575:/usr/local/go/src/github.com/hyperledger/fabric-ca#
```

naveen_saravanan (Thu, 11 Jan 2018 06:57:44 GMT):
what should I be doing?

lijwww (Thu, 11 Jan 2018 07:18:32 GMT):
Has joined the channel.

ascatox (Thu, 11 Jan 2018 11:15:52 GMT):
Hi All!!! I have a simple question to ask! How can I create a PeerAdmin user in fabric-ca server? Does someone have the right command to accomplish this? Thanks in advance!

aambati (Thu, 11 Jan 2018 14:19:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ePmJH5R9vy78mjSyo) @naveen_saravanan If TLS is enabled on the server, make sure to use the https protocol on the client side and specify the server CA cert using the --tls.certfiles option

aambati (Thu, 11 Jan 2018 14:23:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iAYDcQ7PuAvQGSHNx) @ascatox You can use the `fabric-ca-client register` command to create an identity for the peer admin and then use the returned credentials to get an enrollment cert by calling the `fabric-ca-client enroll` command... you can see how these commands are used in the fabric-ca sample: https://github.com/hyperledger/fabric-samples/blob/master/fabric-ca/scripts/setup-fabric.sh

vieiramanoel (Thu, 11 Jan 2018 17:44:28 GMT):
Hey guys, I can just enroll my admin, any other enroll command fails with error 400, anyone had the same problem?

vieiramanoel (Thu, 11 Jan 2018 17:44:48 GMT):
(yesterday I was able to enroll all my users using same script)

vieiramanoel (Thu, 11 Jan 2018 18:01:57 GMT):
idk exactly what it was but things are working again

vieiramanoel (Thu, 11 Jan 2018 18:02:10 GMT):
haha, just ignore above messages

vieiramanoel (Thu, 11 Jan 2018 18:02:10 GMT):
haha, ignore above messages

smithbk (Thu, 11 Jan 2018 18:18:33 GMT):
must have been that 15 min 404 timer in the code :-)

smithbk (Thu, 11 Jan 2018 18:18:33 GMT):
must have been that 15 min 400 timer in the code :-)

vieiramanoel (Thu, 11 Jan 2018 20:12:23 GMT):
@smithbk what's the right way to enroll a org admin?

vieiramanoel (Thu, 11 Jan 2018 20:14:46 GMT):
I've registered it with `fabric-ca-client register -d --id.name admin.ministerio.org --id.secret adminpwd --id.attrs 'hf.Revoker=true,admin=true:ecert' --id.attrs '"hf.Registrar.Roles=peer,user,user"' --id.attrs 'Ministerio.Admins=true:ecert' --id.affiliation ministerio.center --id.type "user"`

vieiramanoel (Thu, 11 Jan 2018 20:14:58 GMT):
and enrolled it

vieiramanoel (Thu, 11 Jan 2018 20:15:07 GMT):
when I try to create a channel

vieiramanoel (Thu, 11 Jan 2018 20:15:12 GMT):
I got this from the orderer

vieiramanoel (Thu, 11 Jan 2018 20:15:30 GMT):
```
2018-01-11 19:47:05.318 UTC [msp] SatisfiesPrincipal -> DEBU 170 Checking if identity satisfies ADMIN role for MinisterioMSP
orderer.goledger.com | 2018-01-11 19:47:05.318 UTC [cauthdsl] func2 -> DEBU 171 0xc420025188 identity 0 does not satisfy principal: This identity is not an admin
orderer.goledger.com | 2018-01-11 19:47:05.318 UTC [cauthdsl] func2 -> DEBU 172 0xc420025188 principal evaluation fails
orderer.goledger.com | 2018-01-11 19:47:05.318 UTC [cauthdsl] func1 -> DEBU 173 0xc420025188 gate 1515700025316614980 evaluation fails
orderer.goledger.com | 2018-01-11 19:47:05.318 UTC [orderer/common/broadcast] Handle -> WARN 174 Rejecting CONFIG_UPDATE because: Error authorizing update: Error validating DeltaSet: Policy for [Groups] /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
```

vieiramanoel (Thu, 11 Jan 2018 20:31:52 GMT):
In fact there is no attribute in this signed certificate, while on my machine (also using latest fabric-ca) the certificate is signed with the attributes

smithbk (Thu, 11 Jan 2018 20:33:15 GMT):
The only way to currently satisfy the ADMIN role in fabric is to 1) generate an ecert and then 2) put that specific ecert in the msp/admincerts folder of the MSP

smithbk (Thu, 11 Jan 2018 20:33:39 GMT):
There is no way to recognize an ADMIN role by an attribute in the certificate

smithbk (Thu, 11 Jan 2018 20:34:25 GMT):
The fabric-ca sample shows how to populate the admincerts folder

smithbk (Thu, 11 Jan 2018 20:34:43 GMT):
prior to building the genesis block

vieiramanoel (Thu, 11 Jan 2018 20:36:19 GMT):
the certificate is the same for this admin.ministerio.org and for org's msp/admincerts

vieiramanoel (Thu, 11 Jan 2018 20:37:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GjqTXkxig8cpS6YSx) @smithbk I'm using it as a reference

vieiramanoel (Thu, 11 Jan 2018 20:38:49 GMT):
but your statement gives me a clue about what's going on

vieiramanoel (Thu, 11 Jan 2018 20:39:54 GMT):
thanks!

KristofSajdak (Fri, 12 Jan 2018 10:17:41 GMT):
Does anyone here have experience using AWS CloudHSM as a PKCS11 backend for Fabric? I used the work done by @gbolo in https://github.com/gbolo/dockerfiles/tree/master/hyperledger-fabric/softhsm as a starting point. However after changing the PKCS11 parameters to target AWS CloudHSM I get the following output "error: PKCS11 function C_Initialize failed: rv = CKR_GENERAL_ERROR (0x5) Aborting. Failed to connect socket".

KristofSajdak (Fri, 12 Jan 2018 10:19:20 GMT):
I can see a similar kind of message when I run a command with pkcs11-tool from inside of the Docker, which leads me to think that this probably is a CloudHSM/Docker issue. The same pkcs11-tool command runs fine on the host

KristofSajdak (Fri, 12 Jan 2018 10:21:08 GMT):
will try to get help from AWS support, but that could take a while so any insights would be appreciated

Kristof_Sajdak (Fri, 12 Jan 2018 11:00:22 GMT):
Has joined the channel.

Kristof_Sajdak (Fri, 12 Jan 2018 11:02:04 GMT):
update: I ran the fabric-ca-server from the host this time, with a similar config to the docker one. Getting the following error: Failed generating ECDSA P256 key [Failed Unmarshaling Public Key]

Kristof_Sajdak (Fri, 12 Jan 2018 11:03:32 GMT):
Here is the full debug output:
```
ubuntu@ip-10-0-0-187:~$ fabric-ca-server start -b admin:adminpw
2018/01/12 10:57:49 [INFO] Configuration file location: /home/ubuntu/fabric-ca-server-config.yaml
2018/01/12 10:57:49 [INFO] Starting server in home directory: /home/ubuntu
2018/01/12 10:57:49 [DEBUG] CA Home Directory: /home/ubuntu
2018/01/12 10:57:49 [DEBUG] Making server filenames absolute
2018/01/12 10:57:49 [DEBUG] Initializing default CA in directory /home/ubuntu
2018/01/12 10:57:49 [DEBUG] Init CA with home /home/ubuntu and config {CA:{Name: Keyfile:ca-key.pem Certfile:ca-cert.pem Chainfile:ca-chain.pem} Signing:0xc4202c7150 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[ip-10-0-0-187 localhost] KeyRequest: CA:0xc4202d4680 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Registrar.DelegateRoles:client,user,validator,auditor hf.Revoker:1 hf.IntermediateCA:1 hf.Registrar.Roles:client,user,peer,validator,auditor] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) TLS:{false [ldap-server-cert.pem] {ldap-client-key.pem ldap-client-cert.pem}} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [db-server-cert.pem] {db-client-key.pem db-client-cert.pem}} } CSP:0xc4202b7fa0 Client: Intermediate:{ParentServer:{URL: CAName:} TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{Name: Secret: Profile: Label: CSR: CAName:}}}
2018/01/12 10:57:49 [DEBUG] CA Home Directory: /home/ubuntu
2018/01/12 10:57:49 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:0xc4202bee70 Pkcs11Opts:0xc4202d0ee0}
2018/01/12 10:57:49 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore: DummyKeystore:}
2018/01/12 10:57:49 [DEBUG] Initializing BCCSP with PKCS11 options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc4202d2770 DummyKeystore: Library:/opt/cloudhsm/lib/libcloudhsm_pkcs11.so Label:cavium Pin:example_user:houseful-initial-quantify Sensitive:true SoftVerify:true}
SDK Version: 2.03
2018/01/12 10:57:49 [DEBUG] Initialize key material
2018/01/12 10:57:49 [DEBUG] Making CA filenames absolute
2018/01/12 10:57:49 [DEBUG] Getting CA cert; parent server URL is ''
2018/01/12 10:57:49 [DEBUG] Root CA certificate request: {CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[ip-10-0-0-187 localhost] KeyRequest:0xc42030c1c0 CA:0xc4202d4680 SerialNumber:}
2018/01/12 10:57:49 [INFO] generating key: &{A:ecdsa S:256}
2018/01/12 10:57:49 [DEBUG] generate key from request: algo=ecdsa, size=256
unknown key type or mechanism type 3
unknown key type or mechanism type 3
2018-01-12 10:57:50.229 UTC [bccsp_p11] generateECKey -> INFO 001 Generated new P11 key, SKI 8618e5864fe94bf935a03801a63c6cd7bdb7bf2b1a49e1081923cffee64beebd
Invalid req_id 1073741864 actual 1073741865 in Message Header: Ignoring the Message
Invalid req_id 1073741865 actual 1073741866 in Message Header: Ignoring the Message
Invalid req_id 1073741866 actual 1073741867 in Message Header: Ignoring the Message
Error: Failed generating ECDSA P256 key [Failed Unmarshaling Public Key]
```

Kristof_Sajdak (Fri, 12 Jan 2018 11:05:09 GMT):
I can probably get the CloudHSM/Docker issue sorted with the help of AWS support later down the line, but not really sure though how to proceed with this Fabric-CA/CloudHSM interface error

Apurv29 (Fri, 12 Jan 2018 11:56:40 GMT):
Has joined the channel.

mogamboizer (Fri, 12 Jan 2018 14:17:51 GMT):
When to use Fabric-CA-Client component and when to use the Fabric-CA-Client SDK?

mogamboizer (Fri, 12 Jan 2018 14:17:51 GMT):
When to use the *Fabric-CA-Client* component, and what are its high-level use-cases?

smithbk (Fri, 12 Jan 2018 20:07:34 GMT):
You want to
1) add a user
2) add/modify/delete a user's attribute which changes the user's permissions
3) get an enrollment certificate to use in transacting on the blockchain
4) remove a user and revoke all of the user's certificates
5) revoke a specific certificate perhaps because it was compromised or any other reason
6) renew your enrollment certificate because it is about to expire or was compromised or other
7) get the CA's signing certificate which is a root of trust
8) get a CRL (Certificate Revocation List)
9) etc

mogamboizer (Fri, 12 Jan 2018 20:11:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7Lvos8H2ZLgNnmqdQ) @smithbk Why not send the request to the Fabric-CA-Server?

mogamboizer (Fri, 12 Jan 2018 20:11:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7Lvos8H2ZLgNnmqdQ) @smithbk Why not send the request to the Fabric-CA-Server directly?

mogamboizer (Fri, 12 Jan 2018 20:11:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7Lvos8H2ZLgNnmqdQ) @smithbk Why not send the request to the *Fabric-CA-Server* directly?

smithbk (Fri, 12 Jan 2018 21:26:03 GMT):
If you want a CLI to talk to fabric-ca-server, use fabric-ca-client. If you want to programmatically talk to fabric-ca-server, use one of the SDKs. All of these talk directly to the fabric-ca-server via the REST APIs.

smithbk (Fri, 12 Jan 2018 21:26:52 GMT):
If you want to use the REST APIs yourself, you can but the CLI and SDKs have already done a lot of work for you.

smithbk (Fri, 12 Jan 2018 21:26:52 GMT):
If you want to use the REST APIs yourself, you can but the CLI and SDKs have already done a lot of work for you, so not sure why you would want to do that

mogamboizer (Fri, 12 Jan 2018 21:53:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rnasNRT2MqKZatuJd) @smithbk Thanks. Would it be correct to say that the Fabric-CA-Client would be mostly suitable for use by administrators and/or CLI/shell scripts, while production-level applications would talk to the Fabric-CA-Server via an SDK?

smithbk (Fri, 12 Jan 2018 22:00:57 GMT):
Yes, though I would remove "production level" ... that is, fabric-ca-client and SDKs are OK in production and/or non-prod ... it just depends on if you want to do something from a CLI or programmatically

smithbk (Fri, 12 Jan 2018 22:00:57 GMT):
Yes, though I would remove "production level" ... that is, fabric-ca-client and SDKs are OK in production and/or non-prod ... it just depends on if you want to do something from a CLI or programmatically from an application

mogamboizer (Fri, 12 Jan 2018 22:08:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QwRJhTXJZAaHtXL37) @smithbk Thank you that makes it clear now :ghost:

vdods (Fri, 12 Jan 2018 22:30:50 GMT):
Is there any way to enroll an identity in a fabric-ca-server such that the server isn't privy to that identity's secrets? Like the identity provides a CSR that the fabric-ca-server will sign, but the fabric-ca-server doesn't have the identity's private key. Same scenario as in ordinary CA cert-signing workflow.

smithbk (Sun, 14 Jan 2018 00:13:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kAPhjYJ7WbthnX8j8) @vdods That's the way it works. The fabric-ca-client or SDKs do generate a CSR so the server never sees the private key of users

vdods (Sun, 14 Jan 2018 01:17:18 GMT):
Oh, then what's the function of registering a user with a secret?

vdods (Sun, 14 Jan 2018 01:17:18 GMT):
Oh, then what's the function of the secret in registering a user?

hammerWang (Sun, 14 Jan 2018 15:22:00 GMT):
Has joined the channel.

smithbk (Sun, 14 Jan 2018 19:22:38 GMT):
We don't want the CA to sign certificates for just anyone, so the secret returned by register is used to authenticate the user during enrollment before issuing a certificate. But the enroller is always the only one privy to the private key which is used to sign as that identity. For example, suppose I as the registrar register an identity for you named vdods, type=user, affiliation=org1, and perhaps some attributes. I then call you and tell you that I did so and give you the enrollment ID (vdods) and password. You then use `fabric-ca-client enroll` with the enrollment ID and password. This enroll call will first create a key-pair (public/private) and put the public key in the CSR which it passes to the server in the enroll request to the fabric-ca-server. The server validates the user/pass and then issues the certificate. I never see your private key.

smithbk (Sun, 14 Jan 2018 19:22:38 GMT):
We don't want the CA to sign certificates for just anyone, so the secret returned by register is used to authenticate the user during enrollment before issuing a certificate. But the enroller is always the only one privy to the private key which is used to sign as that identity. For example, suppose I as the registrar register an identity for you named vdods, type=user, affiliation=org1, and perhaps some attributes. I then call you and tell you that I did so and give you the enrollment ID (vdods) and password. You then use `fabric-ca-client enroll` with the enrollment ID and password. This enroll call will first create a key-pair (public/private) and put the public key in the CSR which it passes to the server in the enroll request to the fabric-ca-server. The server validates the user/pass and then issues the certificate. I never see your private key, nor does the server.

newlife 1 (Mon, 15 Jan 2018 06:12:52 GMT):
Has joined the channel.

yash-ibm (Mon, 15 Jan 2018 12:04:28 GMT):
Has joined the channel.

tasmiya_n (Mon, 15 Jan 2018 12:05:13 GMT):
Has joined the channel.

JaspalSingh13 (Mon, 15 Jan 2018 15:16:49 GMT):
Has joined the channel.

paul.sitoh (Mon, 15 Jan 2018 17:24:00 GMT):
Anyone know what is the format for tlsOptions_p in ```FabricCAClient(constructor(url_p, tlsOptions_p, caName_p, cryptoSuite_p)```

paul.sitoh (Mon, 15 Jan 2018 17:24:00 GMT):
Anyone know what is the data type for tlsOptions_p in ```FabricCAClient(constructor(url_p, tlsOptions_p, caName_p, cryptoSuite_p)```

paul.sitoh (Mon, 15 Jan 2018 18:33:29 GMT):
Is it ```{ pem: , 'ssl-target-name-override': }```

paul.sitoh (Mon, 15 Jan 2018 18:33:29 GMT):
Is it ```{pem: , 'ssl-target-name-override': }```

smithbk (Mon, 15 Jan 2018 19:04:59 GMT):
@paul.sitoh Try the fabric-sdk-node channel

olrraju (Tue, 16 Jan 2018 01:50:00 GMT):
Has joined the channel.

rah_acc (Wed, 17 Jan 2018 10:13:52 GMT):
Has joined the channel.

rickr (Wed, 17 Jan 2018 18:25:26 GMT):
Today the user/client for enrollments needs to specify a profile name. These can be added to the CA configuration. Is there any way for the client/user to discover these and their properties to decide which to use ? If not, in plan ?

rickr (Wed, 17 Jan 2018 18:25:26 GMT):
Today the user/client for enrollments needs to specify a profile name. These can be added to the CA configuration. Is there any way for the client/user to discover these and their properties to decide which to use ? If not, in plan (JIRA #fabric-release ?

rickr (Wed, 17 Jan 2018 18:25:26 GMT):
Today the user/client for enrollments needs to specify a profile name. These can be added to the CA configuration. Is there any way for the client/user to discover these and their properties to decide which to use ? If not, in plan (JIRA # ) ?

vieiramanoel (Wed, 17 Jan 2018 19:41:42 GMT):
@smithbk when I try to connect to fabric-ca using openssl i've got some verify errors that can't be bypassed disabling verify

vieiramanoel (Wed, 17 Jan 2018 19:42:27 GMT):
` openssl s_client -connect ca.goledger.com:7054 -servername ca.goledger.com -CAfile aws-deploy/ca-cert.pem`

vieiramanoel (Wed, 17 Jan 2018 19:42:30 GMT):
output

vieiramanoel (Wed, 17 Jan 2018 19:42:45 GMT):
```
CONNECTED(00000003)
depth=0 C = BR, ST = Distrito Federal, L = Brasilia, O = GoLedger, CN = ca.goledger.com
verify return:1
140537120720536:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:ssl_lib.c:2514:
140537120720536:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:s3_clnt.c:
...
```

vieiramanoel (Wed, 17 Jan 2018 19:42:45 GMT):
```
CONNECTED(00000003)
depth=0 C = BR, ST = Distrito Federal, L = Brasilia, O = GoLedger, CN = ca.goledger.com
verify return:1
140537120720536:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:ssl_lib.c:2514:
140537120720536:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:s3_clnt.c:
[...]
```

vieiramanoel (Wed, 17 Jan 2018 19:44:01 GMT):
this bad ecc cert error is struggling us in #fabric-sdk-py to use tls at making a request to fabric-ca. Do you know what is this and how to fix this?

smithbk (Wed, 17 Jan 2018 19:53:27 GMT):
@vieiramanoel You can't connect to fabric-ca-server using openssl. Why would you want to? Use fabric-ca-client

smithbk (Wed, 17 Jan 2018 19:54:03 GMT):
@rickr No API today, but there is a jira: see https://jira.hyperledger.org/browse/FAB-7778

vieiramanoel (Wed, 17 Jan 2018 19:54:38 GMT):
@smithbk cuz we're developing python-sdk and the requests library use openssl to connect to CA

vieiramanoel (Wed, 17 Jan 2018 19:55:30 GMT):
would you recommend to use another lib which doesn't use openssl to connect?

smithbk (Wed, 17 Jan 2018 19:56:08 GMT):
You need to use the REST APIs directly, but I thought the python SDK already supported talking to fabric-ca-server. No?

vieiramanoel (Wed, 17 Jan 2018 19:56:26 GMT):
not using TLS.

vieiramanoel (Wed, 17 Jan 2018 19:57:17 GMT):
When using TLS, the lib that is used to make requests to REST uses openssl and TLS handshake fails

smithbk (Wed, 17 Jan 2018 19:57:56 GMT):
oh, so it uses openssl for the TLS connection only?

vieiramanoel (Wed, 17 Jan 2018 20:00:11 GMT):
every request is made using openssl deep inside libraries, but it only fails when using TLS: it tries to post to the CA using openssl and passing ca-cert to verify, but it throws a BAD_ECC_CERT when trying to handshake

vieiramanoel (Wed, 17 Jan 2018 20:00:44 GMT):
If TLS is enabled in ca-server, setting verify to false doesn't work either

smithbk (Wed, 17 Jan 2018 20:01:14 GMT):
let's take this off this channel

vieiramanoel (Wed, 17 Jan 2018 20:01:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uHePqN5gMQAzRajbc) I said it wrong, it uses openssl for https connections only

vieiramanoel (Wed, 17 Jan 2018 20:01:29 GMT):
ok

naveen_saravanan (Thu, 18 Jan 2018 04:50:36 GMT):
I tried to use the fabric-ca-client to enroll a user in an already existing fabric-ca-server (in a docker container image) and met with an error about the path to the tls-cert in the command: `fabric-ca-client enroll -u "https://admin:adminpw@localhost:7054" --tls.certfiles PATH_TO_SERVER_CA_FILE`

naveen_saravanan (Thu, 18 Jan 2018 04:50:53 GMT):
The logs are:

naveen_saravanan (Thu, 18 Jan 2018 04:52:39 GMT):
```
root@hibiz-Aspire-E5-575:/home/hibiz# export PATH_TO_SERVER_CA_FILE=/etc/hyperledger/fabric-ca-server-config/ca.a.example.com-cert.pem
root@hibiz-Aspire-E5-575:/home/hibiz# fabric-ca-client enroll -u "https://admin:adminpw@localhost:7054" --tls.certfiles PATH_TO_SERVER_CA_FILE
2018/01/18 10:06:57 [INFO] User provided config file: /root/Documents/Fabric-CA/client/fabric-ca-client-config.yaml
2018/01/18 10:06:57 [INFO] generating key: &{A:ecdsa S:256}
2018/01/18 10:06:57 [INFO] encoded CSR
2018/01/18 10:06:57 [INFO] TLS Enabled
Error: Failed to get client TLS config: Failed to read '/root/Documents/Fabric-CA/client/PATH_TO_SERVER_CA_FILE': open /root/Documents/Fabric-CA/client/PATH_TO_SERVER_CA_FILE: no such file or directory
root@hibiz-Aspire-E5-575:/home/hibiz#
```

naveen_saravanan (Thu, 18 Jan 2018 04:53:32 GMT):
Could you please point out how do I set the tls-cert path to my docker image?

naveen_saravanan (Thu, 18 Jan 2018 04:53:32 GMT):
Could you please point out how do I set the tls-cert path from my docker image?

naveen_saravanan (Thu, 18 Jan 2018 04:53:45 GMT):
And thank you in advance.

vieiramanoel (Thu, 18 Jan 2018 04:54:34 GMT):
@naveen_saravanan

vieiramanoel (Thu, 18 Jan 2018 04:56:29 GMT):
```
mkdir -p /etc/hyperledger/fabric-ca-client
cd /etc/hyperledger/fabric-ca-client
export FABRIC_CA_CLIENT_HOME=$PWD
cp /etc/hyperledger/fabric-ca-server-config/ca.a.example.com-cert.pem ca.a.example.com-cert.pem
fabric-ca-client enroll -u "https://admin:adminpw@localhost:7054" --tls.certfiles ca.a.example.com-cert.pem
```

vieiramanoel (Thu, 18 Jan 2018 04:56:29 GMT):
```
mkdir -p /etc/hyperledger/fabric-ca-client
cd /etc/hyperledger/fabric-ca-client
export FABRIC_CA_CLIENT_HOME=$PWD
cp /etc/hyperledger/fabric-ca-server-config/ca.a.example.com-cert.pem ca.a.example.com-cert.pem
fabric-ca-client enroll -u "https://admin:adminpw@localhost:7054" --tls.certfiles ca.a.example.com-cert.pem
```

vieiramanoel (Thu, 18 Jan 2018 04:57:54 GMT):
The [docs](http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#fabric-ca-client) say the following:
```
The Fabric CA client's home directory is determined as follows:
  - if the --home command line option is set, use its value
  - otherwise, if the FABRIC_CA_CLIENT_HOME environment variable is set, use its value
  - otherwise, if the FABRIC_CA_HOME environment variable is set, use its value
  - otherwise, if the CA_CFG_PATH environment variable is set, use its value
  - otherwise, use $HOME/.fabric-ca-client
```

vieiramanoel (Thu, 18 Jan 2018 04:59:59 GMT):
So fabric-ca-client will search for your ca-cert.cert _beginning at_ the folder where `FABRIC_CA_CLIENT_HOME` is set to

vieiramanoel (Thu, 18 Jan 2018 04:59:59 GMT):
So fabric-ca-client will search for your ca-cert.cert _starting at_ the folder where `FABRIC_CA_CLIENT_HOME` is set to

vieiramanoel (Thu, 18 Jan 2018 04:59:59 GMT):
So fabric-ca-client will search for your ca-cert.cert _starting at_ the folder where `FABRIC_CA_CLIENT_HOME` is set to.

vieiramanoel (Thu, 18 Jan 2018 05:03:31 GMT):
So if your `FABRIC_CA_CLIENT_HOME` is set to `/etc/hyperledger/fabric-client` and you use the flag `--tls.certfiles /etc/hyperledger/fabric-client/ca.a.example.com-cert.pem`, it will try to get a certfile from path `${FABRIC_CA_CLIENT_HOME+/etc/hyperledger/fabric-client/ca.a.example.com-cert.pem}`, then try to get the cert file from `/etc/hyperledger/fabric-client/etc/hyperledger/fabric-client/ca.a.example.com-cert.pem` and will return that that folder doesn't exist

vieiramanoel (Thu, 18 Jan 2018 05:03:31 GMT):
So if your `FABRIC_CA_CLIENT_HOME` is set to `/etc/hyperledger/fabric-client` and you use the flag `--tls.certfiles /etc/hyperledger/fabric-client/ca.a.example.com-cert.pem`, it will try to get a certfile from path `${FABRIC_CA_CLIENT_HOME+/etc/hyperledger/fabric-client/ca.a.example.com-cert.pem}`, then try to get the cert file from `/etc/hyperledger/fabric-client/etc/hyperledger/fabric-client/ca.a.example.com-cert.pem` and will return that that folder doesn't exist

naveen_saravanan (Thu, 18 Jan 2018 05:16:24 GMT):
I get what you are trying to say but how do I copy the ca.a.example.com-cert.pem from my docker image?[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bFfB77v8thZ2JDhZC) @vieiramanoel

vieiramanoel (Thu, 18 Jan 2018 05:17:08 GMT):
inside the docker image where's your ca file? `/etc/hyperledger/fabric-ca-server-config/ca.a.example.com-cert.pem`?

naveen_saravanan (Thu, 18 Jan 2018 05:17:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DC4bKqCcRZQvyrrxG) @vieiramanoel yes

naveen_saravanan (Thu, 18 Jan 2018 05:18:08 GMT):
after I bash into it.

vieiramanoel (Thu, 18 Jan 2018 05:18:09 GMT):
then change the line `cp /etc/hyperledger/fabric-ca-server-config/ca.a.example.com-cert.pem ca.a.example.com-cert.pem` to `docker cp CONTAINER_NAME:/etc/hyperledger/fabric-ca-server-config/ca.a.example.com-cert.pem ./ca.a.example.com-cert.pem`

vieiramanoel (Thu, 18 Jan 2018 05:18:27 GMT):
```
mkdir -p /etc/hyperledger/fabric-ca-client
cd /etc/hyperledger/fabric-ca-client
export FABRIC_CA_CLIENT_HOME=$PWD
cp /etc/hyperledger/fabric-ca-server-config/ca.a.example.com-cert.pem ca.a.example.com-cert.pem
fabric-ca-client enroll -u "https://admin:adminpw@localhost:7054" --tls.certfiles ca.a.example.com-cert.pem
```

vieiramanoel (Thu, 18 Jan 2018 05:18:27 GMT):
```
# outside the docker container
mkdir -p fabric-ca-client
cd fabric-ca-client
export FABRIC_CA_CLIENT_HOME=$PWD
docker cp CONTAINER_NAME:/etc/hyperledger/fabric-ca-server-config/ca.a.example.com-cert.pem ./ca.a.example.com-cert.pem
fabric-ca-client enroll -u "https://admin:adminpw@localhost:7054" --tls.certfiles ca.a.example.com-cert.pem
```

vieiramanoel (Thu, 18 Jan 2018 05:18:37 GMT):
srry, let me edit message

vieiramanoel (Thu, 18 Jan 2018 05:19:34 GMT):
this should work

naveen_saravanan (Thu, 18 Jan 2018 05:36:12 GMT):
Thanks, and I got this message:
```
root@hibiz-Aspire-E5-575:/etc/hyperledger/fabric-ca-client# fabric-ca-client enroll -u "https://admin:adminpw@localhost:7054" --tls.certfiles ca.a.example.com-cert.pem
2018/01/18 10:54:58 [INFO] User provided config file: /etc/hyperledger/fabric-ca-client/fabric-ca-client-config.yaml
2018/01/18 10:54:58 [INFO] Created a default configuration file at /etc/hyperledger/fabric-ca-client/fabric-ca-client-config.yaml
2018/01/18 10:54:58 [INFO] generating key: &{A:ecdsa S:256}
2018/01/18 10:54:59 [INFO] encoded CSR
2018/01/18 10:54:59 [INFO] TLS Enabled
Error: POST failure [Post https://localhost:7054/enroll: x509: certificate is valid for ca.a.example.com, not localhost]; not sending
POST https://localhost:7054/enroll
Authorization: Basic YWRtaW46YWRtaW5wdw==
{"hosts":["hibiz-Aspire-E5-575"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBSDCB8AIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERncwSoEQpeFRP6/b\nGucwsMN91hLR5RmmeBFaAB73+bEGvp8rYgh38+p3XNjr0/jNSug6dBrpt8jpLkGT\n1PcAhKAxMC8GCSqGSIb3DQEJDjEiMCAwHgYDVR0RBBcwFYITaGliaXotQXNwaXJl\nLUU1LTU3NTAKBggqhkjOPQQDAgNHADBEAiBKJ/BLwCbpBMSkKe/e1I9jH1O/1VZB\neU6P/1jwZNhtBQIgGSoqDvz60OygW/iMtdz+NHi0ipC5uLlMrPOQLp2eEWE=\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","CAName":""}
root@hibiz-Aspire-E5-575:/etc/hyperledger/fabric-ca-client#
```
"Error: POST failure [Post https://localhost:7054/enroll: x509: certificate is valid for ca.a.example.com, not localhost]; not sending" - does this mean the tls-cert was successful (only for org-a) but it was inefficient for the whole localhost-server?

vieiramanoel (Thu, 18 Jan 2018 05:38:24 GMT):
```echo "127.0.0.1 ca.a.example.com" | sudo tee -a /etc/hosts``` should solve your problem

vieiramanoel (Thu, 18 Jan 2018 05:38:49 GMT):
your certificate is valid to a domain ca.a.example.com, not localhost

vieiramanoel (Thu, 18 Jan 2018 05:39:10 GMT):
the easier way to make it work is to add this domain to your hosts

naveen_saravanan (Thu, 18 Jan 2018 05:40:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sZckFc2Jy9c9ee5XB) @vieiramanoel ok I will try it.

naveen_saravanan (Thu, 18 Jan 2018 05:40:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sZckFc2Jy9c9ee5XB) @vieiramanoel ok I will try it.

naveen_saravanan (Thu, 18 Jan 2018 05:42:38 GMT):
I still get that post failed error:

naveen_saravanan (Thu, 18 Jan 2018 05:42:43 GMT):
```
root@hibiz-Aspire-E5-575:/etc/hyperledger/fabric-ca-client# echo "127.0.0.1 ca.a.example.com" >> /etc/hosts
root@hibiz-Aspire-E5-575:/etc/hyperledger/fabric-ca-client# fabric-ca-client enroll -u "https://admin:adminpw@localhost:7054" --tls.certfiles ca.a.example.com-cert.pem
2018/01/18 11:10:58 [INFO] User provided config file: /etc/hyperledger/fabric-ca-client/fabric-ca-client-config.yaml
2018/01/18 11:10:58 [INFO] generating key: &{A:ecdsa S:256}
2018/01/18 11:10:58 [INFO] encoded CSR
2018/01/18 11:10:58 [INFO] TLS Enabled
Error: POST failure [Post https://localhost:7054/enroll: x509: certificate is valid for ca.a.example.com, not localhost]; not sending
POST https://localhost:7054/enroll
Authorization: Basic YWRtaW46YWRtaW5wdw==
{"hosts":["hibiz-Aspire-E5-575"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBSTCB8AIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOdjyQNaYcSbp6g3s\nwpS8ONlMytXkD9WKNwYlse+j25A1wHofZpBJaS1zjIlHibHmdarhqfkCowD6RQ73\nNFEylaAxMC8GCSqGSIb3DQEJDjEiMCAwHgYDVR0RBBcwFYITaGliaXotQXNwaXJl\nLUU1LTU3NTAKBggqhkjOPQQDAgNIADBFAiEAkRo+r/GXrtYz15P9HoZSrJHYQHFI\n9UvT3glB+DGlq8sCIB/2eG8zjFk4MlfkvX4oXf5FxbSlSV/vRmSFM6ajfSxK\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","CAName":""}
root@hibiz-Aspire-E5-575:/etc/hyperledger/fabric-ca-client#
```

vieiramanoel (Thu, 18 Jan 2018 05:45:28 GMT):
`fabric-ca-client enroll -u "https://admin:adminpw@ca.a.example.com:7054" --tls.certfiles ca.a.example.com-cert.pem` the address was wrong

vieiramanoel (Thu, 18 Jan 2018 05:45:37 GMT):
try with this line

vieiramanoel (Thu, 18 Jan 2018 05:45:46 GMT):
@naveen_saravanan

naveen_saravanan (Thu, 18 Jan 2018 06:20:11 GMT):
ok @vieiramanoel

naveen_saravanan (Thu, 18 Jan 2018 06:22:38 GMT):
```
root@hibiz-Aspire-E5-575:/etc/hyperledger/fabric-ca-client# fabric-ca-client enroll -u "https://admin:adminpw@ca.a.example.com:7054" --tls.certfiles ca.a.example.com-cert.pem
2018/01/18 11:50:58 [INFO] User provided config file: /etc/hyperledger/fabric-ca-client/fabric-ca-client-config.yaml
2018/01/18 11:50:58 [INFO] generating key: &{A:ecdsa S:256}
2018/01/18 11:50:58 [INFO] encoded CSR
2018/01/18 11:50:58 [INFO] TLS Enabled
2018/01/18 11:50:59 [INFO] Stored client certificate at /etc/hyperledger/fabric-ca-client/msp/signcerts/cert.pem
2018/01/18 11:50:59 [INFO] Stored CA root certificate at /etc/hyperledger/fabric-ca-client/msp/cacerts/ca-a-example-com-7054.pem
root@hibiz-Aspire-E5-575:/etc/hyperledger/fabric-ca-client#
```

vieiramanoel (Thu, 18 Jan 2018 06:23:06 GMT):
it worked!

naveen_saravanan (Thu, 18 Jan 2018 06:23:48 GMT):
thank you.

naveen_saravanan (Thu, 18 Jan 2018 06:23:48 GMT):
thank you. @vieiramanoel

vieiramanoel (Thu, 18 Jan 2018 06:24:15 GMT):
you're welcome

jks3462 (Thu, 18 Jan 2018 11:30:15 GMT):
Has joined the channel.

naveen_saravanan (Thu, 18 Jan 2018 11:38:27 GMT):
Hi, after enrolling the admin I tried to register a new user (named user1) and got the error: " Error: POST failure [Post http://localhost:7054/register: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"]; not sending ".

naveen_saravanan (Thu, 18 Jan 2018 11:39:24 GMT):
why is this error appearing and how do I work through this?

naveen_saravanan (Thu, 18 Jan 2018 11:39:24 GMT):
why is this error appearing and how do I work through this?

Ammu (Thu, 18 Jan 2018 13:35:36 GMT):
Has joined the channel.

vieiramanoel (Thu, 18 Jan 2018 14:00:23 GMT):
Use HTTPS @naveen_saravanan change localhost for address ca.a.example.com

vieiramanoel (Thu, 18 Jan 2018 14:00:43 GMT):
Use --tls.certfiles flag

vieiramanoel (Thu, 18 Jan 2018 18:15:25 GMT):
@smithbk how do I get tlsca from CA? I didn't find it at samples

smithbk (Thu, 18 Jan 2018 18:16:33 GMT):
You mean how do you get a TLS certificate from fabric-ca-server?

vieiramanoel (Thu, 18 Jan 2018 18:16:43 GMT):
yes

smithbk (Thu, 18 Jan 2018 18:16:56 GMT):
Use the "--profile tls" option

smithbk (Thu, 18 Jan 2018 18:16:56 GMT):
Use the "--profile tls" option on the enroll command

vieiramanoel (Thu, 18 Jan 2018 18:18:53 GMT):
thanks! I was doing something really dumb on my enrollment script ahhaah

smithbk (Thu, 18 Jan 2018 18:19:04 GMT):
See https://github.com/hyperledger/fabric-samples/blob/v1.1.0-preview/fabric-ca/scripts/start-peer.sh#L15

smithbk (Thu, 18 Jan 2018 18:19:59 GMT):
And note the following lines which copy the cert and key to specific location

vieiramanoel (Thu, 18 Jan 2018 18:20:07 GMT):
instead of moving tlscacert/somecert.pem to ca.crt I was moving cacert/somecert.pem to ca.crt

vieiramanoel (Thu, 18 Jan 2018 19:27:42 GMT):
@smithbk

vieiramanoel (Thu, 18 Jan 2018 19:31:14 GMT):
@smithbk I've got a problem on this now. I enrolled my tls profile, but none of the generated certs has `tlsca.$cadomain` as common name.
```
enrollOrdererTLS(){
  fabric-ca-client enroll -d --enrollment.profile tls -u https://***:***@ca.goledger.com:7054 -M client/orderer/tls --csr.hosts orderer.goledger.com
  mkdir -p $TLSDIR
  cp client/orderer/tls/tlscacerts/tls-ca-goledger-com-7054-ca-goledger-com.pem $TLSDIR/ca.crt
  cp client/orderer/tls/keystore/* $TLSDIR/server.key
  cp client/orderer/tls/signcerts/* $TLSDIR/server.crt
  rm -rf client/orderer/tls
}
```
But if I compare client/orderer/tls/tlscacerts/tls-ca-goledger-com-7054-ca-goledger-com.pem with my root-ca.pem, they're equal

vieiramanoel (Thu, 18 Jan 2018 19:31:14 GMT):
@smithbk I've got a problem on this now. I enrolled my tls profile, but none of the generated certs has `tlsca.$cadomain` as common name.
```
enrollOrdererTLS(){
  fabric-ca-client enroll -d --enrollment.profile tls -u https://****:***@ca.goledger.com:7054 -M client/orderer/tls --csr.hosts orderer.goledger.com
  mkdir -p $TLSDIR
  cp client/orderer/tls/tlscacerts/tls-ca-goledger-com-7054-ca-goledger-com.pem $TLSDIR/ca.crt
  cp client/orderer/tls/keystore/* $TLSDIR/server.key
  cp client/orderer/tls/signcerts/* $TLSDIR/server.crt
  rm -rf client/orderer/tls
}
```
But if I compare client/orderer/tls/tlscacerts/tls-ca-goledger-com-7054-ca-goledger-com.pem with my root-ca.pem, they're equal

vieiramanoel (Thu, 18 Jan 2018 19:31:14 GMT):
@smithbk I've got a problem on this now. I enrolled my tls profile, but none of the generated certs has `tlsca.$cadomain` as common name.
```
enrollOrdererTLS(){
  fabric-ca-client enroll -d --enrollment.profile tls -u https://user:ped@ca.goledger.com:7054 -M client/orderer/tls --csr.hosts orderer.goledger.com
  mkdir -p $TLSDIR
  cp client/orderer/tls/tlscacerts/tls-ca-goledger-com-7054-ca-goledger-com.pem $TLSDIR/ca.crt
  cp client/orderer/tls/keystore/* $TLSDIR/server.key
  cp client/orderer/tls/signcerts/* $TLSDIR/server.crt
  rm -rf client/orderer/tls
}
```
But if I compare client/orderer/tls/tlscacerts/tls-ca-goledger-com-7054-ca-goledger-com.pem with my root-ca.pem, they're equal

vieiramanoel (Thu, 18 Jan 2018 19:31:14 GMT):
@smithbk I've got a problem on this now. I enrolled my tls profile, but none of the generated certs has `tlsca.$cadomain` as common name.
```
enrollOrdererTLS(){
  fabric-ca-client enroll -d --enrollment.profile tls -u "https://***:***@ca.goledger.com:7054" -M client/orderer/tls --csr.hosts orderer.goledger.com
  mkdir -p $TLSDIR
  cp client/orderer/tls/tlscacerts/tls-ca-goledger-com-7054-ca-goledger-com.pem $TLSDIR/ca.crt
  cp client/orderer/tls/keystore/* $TLSDIR/server.key
  cp client/orderer/tls/signcerts/* $TLSDIR/server.crt
  rm -rf client/orderer/tls
}
```
But if I compare client/orderer/tls/tlscacerts/tls-ca-goledger-com-7054-ca-goledger-com.pem with my root-ca.pem, they're equal

vieiramanoel (Thu, 18 Jan 2018 19:31:14 GMT):
@smithbk I've got a problem on this now. I enrolled my tls profile, but none of the generated certs has `tlsca.$cadomain` as common name.
```
enrollOrdererTLS(){
  fabric-ca-client enroll -d --enrollment.profile tls -u "https://***:***@ca.goledger.com:7054" -M client/orderer/tls --csr.hosts orderer.goledger.com
  mkdir -p $TLSDIR
  cp client/orderer/tls/tlscacerts/tls-ca-goledger-com-7054-ca-goledger-com.pem $TLSDIR/ca.crt
  # globs must stay unquoted so the shell expands them
  cp client/orderer/tls/keystore/* $TLSDIR/server.key
  cp client/orderer/tls/signcerts/* $TLSDIR/server.crt
  rm -rf client/orderer/tls
}
```
But if I compare client/orderer/tls/tlscacerts/tls-ca-goledger-com-7054-ca-goledger-com.pem with my root-ca.pem, they're equal

vieiramanoel (Thu, 18 Jan 2018 19:33:48 GMT):
I was expecting that `client/orderer/tls/tlscacerts/tls-ca-goledger-com-7054-ca-goledger-com.pem` had tlsca as prefix on common name when decoded

vieiramanoel (Thu, 18 Jan 2018 19:42:50 GMT):
I'm aiming to what cryptogen generates as ca.crt decoding this file you've CN=tlsca.org1.example.com for byfn sample

vieiramanoel (Thu, 18 Jan 2018 19:42:50 GMT):
I'm aiming to what cryptogen generates as ca.crt, decoding this file you've CN=tlsca.org1.example.com for byfn sample

smithbk (Thu, 18 Jan 2018 19:44:14 GMT):
I'm not sure why you require that to be the CN just because cryptogen does it that way, but if you want to make it the same, then you need to register an identity with fabric-ca-server with that same name. The CN when you enroll is always the enrollment ID.

vieiramanoel (Thu, 18 Jan 2018 19:47:00 GMT):
Describing the problem better: composer uses this tlsca to ping the network; the ping command enrolls a user and returns a card to make some process that I don't know much about. But trying to do that, composer throws the same error that we talked about yesterday: bad_ecc_error

vieiramanoel (Thu, 18 Jan 2018 19:47:00 GMT):
Describing the problem better: composer uses this tlsca to ping the network; the ping command enrolls a user and returns a card to make some process that I don't know much about. But trying to do that, composer throws the same error that we talked about yesterday: bad_ecc_cert

vieiramanoel (Thu, 18 Jan 2018 19:48:34 GMT):
and fabric-ca logs says `2018/01/18 19:10:11 http: TLS handshake error from 10.0.0.213:46306: EOF`

vieiramanoel (Thu, 18 Jan 2018 19:49:58 GMT):
In theory this `tlscacerts/tls-ca-goledger-com-7054-ca-goledger-com.pem` is my tlsca cert and composer could make those operations with no trouble but

vieiramanoel (Thu, 18 Jan 2018 19:50:15 GMT):
I don't even know if this is a question to this channel or #composer

vieiramanoel (Thu, 18 Jan 2018 20:43:24 GMT):
decoding both with: `openssl x509 -in ca.crt -text -noout`
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
    X509v3 Extended Key Usage:
        Any Extended Key Usage
```

vieiramanoel (Thu, 18 Jan 2018 20:43:24 GMT):
decoding both with: `openssl x509 -in ca.crt -text -noout`. The cryptogen cert has:
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
    X509v3 Extended Key Usage:
        Any Extended Key Usage
```
While the fabric-ca generated one has:
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Certificate Sign, CRL Sign
    X509v3 Basic Constraints: critical
        CA:TRUE, pathlen:1
```

vieiramanoel (Thu, 18 Jan 2018 20:43:24 GMT):
decoding both with: `openssl x509 -in ca.crt -text -noout`. The cryptogen cert has:
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
    X509v3 Extended Key Usage:
        Any Extended Key Usage
```
While the fabric-ca generated one has:
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Certificate Sign, CRL Sign
    X509v3 Basic Constraints: critical
        CA:TRUE, pathlen:1
```

vieiramanoel (Thu, 18 Jan 2018 20:45:08 GMT):
missing `Digital Signature, Key Encipherment`

vieiramanoel (Thu, 18 Jan 2018 20:45:17 GMT):
and `X509v3 Extended Key Usage:`

vieiramanoel (Thu, 18 Jan 2018 20:45:22 GMT):
could it be related?

skarim (Thu, 18 Jan 2018 20:57:47 GMT):
@vieiramanoel Are you sure you have the 'tls' profile configured on your server? It seems like the enroll request is going to the default profile, which makes me think that the 'tls' profile is not actually configured on the server with the right usages. By default, the TLS profile should be configured as follows under the signing section in the configuration file:
```
tls:
  usage:
    - signing
    - key encipherment
    - server auth
    - client auth
    - key agreement
```

skarim (Thu, 18 Jan 2018 20:57:47 GMT):
@vieiramanoel Are you sure you have the 'tls' profile configured on your server? It seems like the enroll request is going to the default profile, which makes me think that the 'tls' profile is not actually configured on the server with the right usages. By default, the TLS profile should be configured as follows under the signing section in the configuration file:
```
tls:
  usage:
    - signing
    - key encipherment
    - server auth
    - client auth
    - key agreement
```

vieiramanoel (Thu, 18 Jan 2018 21:10:58 GMT):
@smithbk hmmm I'll check it. Maybe it isn't, thanks once more

vieiramanoel (Thu, 18 Jan 2018 21:12:30 GMT):
@skarim you pointed out something that I didn't check on the server, I'll look at it! Thanks!

vieiramanoel (Thu, 18 Jan 2018 23:56:16 GMT):
@skarim only `client auth` wasn't in the profile. Nothing changed, by the way :(

vieiramanoel (Thu, 18 Jan 2018 23:56:16 GMT):
@skarim only `client auth` wasn't in the profile. Nothing changed after adding it, by the way :(

vieiramanoel (Fri, 19 Jan 2018 00:04:16 GMT):
```
signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 0
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - key agreement
        - client auth
      expiry: 8760h
```

naveen_saravanan (Fri, 19 Jan 2018 04:07:01 GMT):
@vieiramanoel Thank you again.

Katiyman (Fri, 19 Jan 2018 06:09:52 GMT):
Hello all, I raised one issue regarding creation of a channel in HLF deployed on Kubernetes with custom cryptographic material for the MSP: https://stackoverflow.com/questions/48318696/error-while-creating-channel-in-hyperledger-fabric Kindly help.

JeroenDePrest (Fri, 19 Jan 2018 09:14:00 GMT):
I have deployed the fabcar network to 4 EC2 instances. The setup is as follows: 01 has the CA, 02 has the Orderer and cli, 03 peer0 Org1 , couchDB and Chaincode and 04 has peer0 Org2, couchDB. Using the cli I can use invokes and queries but when I run one of the node scripts from fabcar from my machine I get the following error `Error: Failed to deserialize creator identity, err The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority`?

ascatox (Fri, 19 Jan 2018 09:34:25 GMT):
Hi All! Someone knows if in the fabric-ca-client node is possible to enroll an identity passing the parameter *-M* as in the cli command (fabric-ca-client enroll -u http://peer1:peer1pw@localhost:7054 *-M $FABRIC_CA_CLIENT_HOME/msp

ascatox (Fri, 19 Jan 2018 09:34:25 GMT):
Hi All! Someone knows if in the fabric-ca-client node is possible to enroll an identity passing the parameter *-M* as in the cli command (fabric-ca-client enroll -u http://peer1:peer1pw@localhost:7054 **-M $FABRIC_CA_CLIENT_HOME/msp**

naveen_saravanan (Fri, 19 Jan 2018 09:48:45 GMT):
I have registered and enrolled a new user using the fabric-ca-client's register and enroll command as given below:

naveen_saravanan (Fri, 19 Jan 2018 09:48:49 GMT):
```
root@hibiz-Aspire-E5-575:/etc/hyperledger/fabric-ca-client# fabric-ca-client register -u https://ca.a.example.com:7054 --id.name user2 --id.secret user2pwd --id.type user --id.affiliation a --id.attrs '"hf.Registrar.Roles=peer,user"' --id.attrs hf.Revoker=true --tls.certfiles ca.a.example.com-cert.pem
2018/01/19 14:30:31 [INFO] User provided config file: /etc/hyperledger/fabric-ca-client/fabric-ca-client-config.yaml
2018/01/19 14:30:31 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-client/fabric-ca-client-config.yaml
2018/01/19 14:30:31 [INFO] TLS Enabled
Password: user2pwd
root@hibiz-Aspire-E5-575:/etc/hyperledger/fabric-ca-client# fabric-ca-client enroll -u "https://user2:user2pwd@ca.a.example.com:7054" --tls.certfiles ca.a.example.com-cert.pem
2018/01/19 14:32:25 [INFO] User provided config file: /etc/hyperledger/fabric-ca-client/fabric-ca-client-config.yaml
2018/01/19 14:32:25 [INFO] generating key: &{A:ecdsa S:256}
2018/01/19 14:32:25 [INFO] encoded CSR
2018/01/19 14:32:25 [INFO] TLS Enabled
2018/01/19 14:32:25 [INFO] Stored client certificate at /etc/hyperledger/fabric-ca-client/msp/signcerts/cert.pem
2018/01/19 14:32:25 [INFO] Stored CA root certificate at /etc/hyperledger/fabric-ca-client/msp/cacerts/ca-a-example-com-7054.pem
root@hibiz-Aspire-E5-575:/etc/hyperledger/fabric-ca-client#
```

naveen_saravanan (Fri, 19 Jan 2018 09:50:23 GMT):
Now where and how do I find the new user's private and public certificates? (which will be used for further transactions)

naveen_saravanan (Fri, 19 Jan 2018 09:50:23 GMT):
Now where and how do I find the new user's private and public certificates? (which will be used for future transactions)

ascatox (Fri, 19 Jan 2018 10:40:00 GMT):
Someone has a tutorial to create a network with fabric-ca and not using cryptogen tool?

ascatox (Fri, 19 Jan 2018 10:40:00 GMT):
Someone has a tutorial to create a network with fabric-ca and without the usage of the cryptogen tool?

ascatox (Fri, 19 Jan 2018 10:40:00 GMT):
Someone has a tutorial to create a network with fabric-ca and **without the usage** of the cryptogen tool?

zhaochy (Fri, 19 Jan 2018 10:58:28 GMT):
Has joined the channel.

zhaochy (Fri, 19 Jan 2018 11:01:47 GMT):
@mastersingh24 would you please look at this ticket, https://jira.hyperledger.org/browse/FAB-7812

navdevl (Fri, 19 Jan 2018 11:44:56 GMT):
Has joined the channel.

varun-raj (Fri, 19 Jan 2018 12:08:30 GMT):
Has joined the channel.

vieiramanoel (Fri, 19 Jan 2018 13:09:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dwyTYtDCBYuW7TSMZ) @JeroenDePrest check if you're using the SAME cert as cli

vieiramanoel (Fri, 19 Jan 2018 13:10:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Nfnce4pnZAwhrjJ2f) @ascatox https://github.com/hyperledger/fabric-samples/blob/v1.1.0-preview/fabric-ca/ check fabric-ca samples

vieiramanoel (Fri, 19 Jan 2018 13:11:48 GMT):
@smithbk If I'm right, being able to enroll an ECC cert would solve the problems I'm stuck at. Is that a possible operation?

vieiramanoel (Fri, 19 Jan 2018 13:12:22 GMT):
sorry i'm kinda lost with this bad ecc error showing up in two different situations hahaha

vieiramanoel (Fri, 19 Jan 2018 13:14:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DHEzPGX9wemjW4PB6) @naveen_saravanan use --enrollment.profile tls in enroll command to generate tls private/public certs

aambati (Fri, 19 Jan 2018 15:51:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mNRn4ndfvwTPkBrKP) @zhaochy we will fix the swagger doc

aambati (Fri, 19 Jan 2018 15:52:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Nfnce4pnZAwhrjJ2f) @ascatox please look at the fabric-ca sample at: https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca . It demonstrates how to set up a network using fabric-ca.

aambati (Fri, 19 Jan 2018 15:57:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DHEzPGX9wemjW4PB6) @naveen_saravanan the enrollment cert and associated private key are in the msp folder. By default the msp folder is in `$FABRIC_CA_CLIENT_HOME/msp`. It can be changed to some other location using the `-M` option of the fabric-ca-client command.

aambati (Fri, 19 Jan 2018 16:00:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KmrAQiDyk8mJS9CfR) @ascatox yes it is possible. Please look at the test cases in https://github.com/hyperledger/fabric-ca/blob/master/cmd/fabric-ca-client/main_test.go

bh4rtp (Sat, 20 Jan 2018 03:20:31 GMT):
hi, the CA panics when starting the fabric network.
```
2018/01/20 11:14:16 [INFO] Created default configuration file at /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
2018/01/20 11:14:16 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
panic: Version is not set for fabric-ca library

goroutine 1 [running]:
github.com/hyperledger/fabric-ca/lib/metadata.GetVersion(0x1, 0xc42001e9b0)
	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/metadata/version.go:58 +0x60
github.com/hyperledger/fabric-ca/lib.(*Server).init(0xc4202a0b40, 0x0, 0xc420131c00, 0x1)
	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:112 +0x29
github.com/hyperledger/fabric-ca/lib.(*Server).Start(0xc4202a0b40, 0xc4202a0b40, 0xc420052300)
	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:145 +0xee
main.(*ServerCmd).init.func3(0xc420074fc0, 0xc420135350, 0x0, 0x3, 0x0, 0x0)
	/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/servercmd.go:121 +0xf3
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute(0xc420074fc0, 0xc4201352c0, 0x3, 0x3, 0xc420074fc0, 0xc4201352c0)
	/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 +0x3e8
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0xc420074b40, 0xa044d6, 0xc420010cd0, 0xc420010cd0)
	/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 +0x2fe
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute(0xc420074b40, 0xc4200ea3c0, 0xc420010cd0)
	/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 +0x2b
main.(*ServerCmd).Execute(0xc420010cd0, 0x5, 0x1)
	/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/servercmd.go:69 +0x2f
main.RunMain(0xc420010140, 0x5, 0x5, 0xc420131f70, 0xa05c9b)
	/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:45 +0xb0
main.main()
	/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:27 +0x45
```

bh4rtp (Sat, 20 Jan 2018 03:21:37 GMT):
i am using the latest `fabric` and `fabric-ca`, i.e. `1.1.0-alpha`.

Brucepark (Sat, 20 Jan 2018 06:13:42 GMT):
Has joined the channel.

mastersingh24 (Sat, 20 Jan 2018 10:17:26 GMT):
@bh4rtp - how did you build the fabric-ca-server? Did you use `go build` or did you run `make fabric-ca-server` ?

Ammu (Sat, 20 Jan 2018 11:54:50 GMT):

chaincode.png

Ammu (Sat, 20 Jan 2018 11:58:07 GMT):
solve this error plz

frankz (Sat, 20 Jan 2018 12:33:19 GMT):
Has joined the channel.

asaningmaxchain (Sat, 20 Jan 2018 13:52:45 GMT):
@mastersingh24 @lehors can you tell me the location of the fabric-ca config file? Like orderer.yaml for the orderer, core.yaml for the peer.

asaningmaxchain (Sat, 20 Jan 2018 13:54:13 GMT):
it just provides the `defaultCfgTemplate`, it is not exposed by a config file

smithbk (Sat, 20 Jan 2018 14:17:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GB5Yz9vXJLqpKmRyW) @aambati Actually, the code is wrong and the doc is correct here.

smithbk (Sat, 20 Jan 2018 14:25:39 GMT):
@asaningmaxchain The location of the config file is the 1st line that the fabric-ca-server logs. By default the docker image will put it at /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml

asaningmaxchain (Sat, 20 Jan 2018 14:26:41 GMT):
the fabric-ca source doesn't contain it

bh4rtp (Sat, 20 Jan 2018 14:28:37 GMT):
@mastersingh24 i just built it using make rename docker.

mastersingh24 (Sat, 20 Jan 2018 14:43:07 GMT):
@bh4rtp - I'm not seeing this error. I just updated my master branch, ran `make docker-fabric-ca` and then ran `docker run --rm hyperledger/fabric-ca` and no issues

asaningmaxchain (Sat, 20 Jan 2018 14:52:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=R4A9cy39Qx6DnjKuy) @mastersingh24 it works for me

asaningmaxchain (Sat, 20 Jan 2018 15:12:34 GMT):
@mastersingh24 @smithbk I strongly recommend exposing the config file to the user

asaningmaxchain (Sat, 20 Jan 2018 15:15:09 GMT):
and I use `fabric-ca-server` to start it. In the source code it contains the following config, `pflags.StringVarP(&s.cfgFileName, "config", "c", "", "Configuration file")`, but when I look at the `fabric-ca-server` usage it doesn't show

asaningmaxchain (Sat, 20 Jan 2018 15:16:00 GMT):
`pflags.MarkHidden("config")` hides the config option.

asaningmaxchain (Sat, 20 Jan 2018 15:16:00 GMT):
I think providing the "-c" option is enough for users

bh4rtp (Sat, 20 Jan 2018 15:43:25 GMT):
@mastersingh24 are there any new updates in the latest 5 hours? i did not find this issue yesterday.

smithbk (Sat, 20 Jan 2018 17:07:25 GMT):
@asaningmaxchain Yes, we still recognize the "-c" option but hid it because it is recommended that you use the -H option instead to specify the home directory and always name the config file fabric-ca-server-config.yaml. This avoided some usability issues and is also consistent with what some others have done (e.g. cloud foundry's cf command).

asaningmaxchain (Sun, 21 Jan 2018 02:12:02 GMT):
I think it's enough to provide the "-c" option for users

asaningmaxchain (Sun, 21 Jan 2018 02:18:45 GMT):
@smithbk I don't know how fabric-ca sets `lib/metadata/version/Version`. When I start the fabric-ca-server it always tells me `panic: Version is not set for fabric-ca library`, and I know the location where the error happens, `serverVersion := metadata.GetVersion()`, so can you tell me the location of the source code which sets the `version` var? @mastersingh24

bh4rtp (Sun, 21 Jan 2018 03:13:40 GMT):
@mastersingh24 I updated to the latest master branch, the issue remains. I changed the makefile to use the `0.4.5 baseimage`, maybe that is the cause?

bh4rtp (Sun, 21 Jan 2018 03:40:49 GMT):
@asaningmaxchain did you face the `panic: Version is not set for fabric-ca library` issue too? how do you fix it?

asaningmaxchain (Sun, 21 Jan 2018 03:41:20 GMT):
you can set the version = 1.1.0 temporarily

bh4rtp (Sun, 21 Jan 2018 03:42:38 GMT):
@asaningmaxchain how and where should i set the version?

asaningmaxchain (Sun, 21 Jan 2018 03:42:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XszDuTRZWjWTnNaxf) @bh4rtp please take a look

bh4rtp (Sun, 21 Jan 2018 03:43:25 GMT):
ok, let me try. that is interesting.

Glen (Sun, 21 Jan 2018 14:40:14 GMT):
Has joined the channel.

asaningmaxchain (Sun, 21 Jan 2018 15:48:49 GMT):
@mastersingh24 @smithbk the fabric-ca has the orderer/peer, can you give some detail about it?

rickr (Sun, 21 Jan 2018 16:34:59 GMT):
@smithbk @skarim @aambati Hi, I don't have time to investigate but JSDK just started seeing errors in the re-rolling user's test. https://jenkins.hyperledger.org/job/fabric-sdk-java-merge-x86_64/214/consoleFull This build passed earlier. We had expected an error message
```
Expected: (an instance of org.hyperledger.fabric_ca.sdk.exception.EnrollmentException and exception with message a string containing "Failed to re-enroll user")
```
Now
```
with status code: 401. Response: {"result":"","errors":[{"code":20,"message":"Authorization failure"}
```
Any ideas?

rickr (Sun, 21 Jan 2018 16:47:10 GMT):
```
19:43:58 ],"messages":[],"success":false} > is a org.hyperledger.fabric_ca.sdk.exception.RegistrationException
19:43:58 Stacktrace was: org.hyperledger.fabric_ca.sdk.exception.RegistrationException: Error while registering the user org.hyperledger.fabric.sdkintegration.SampleUser@1d3433c7 url: https://localhost:7054 POST request to https://localhost:7054/api/v1/register failed request body {"id":"user1516477431_6","type":"user","secret":"testUserRevoke","affiliation":"org1.department1","attrs":[{"name":"user.role","value":"department lead"},{"name":"hf.revoker","value":"true"}]} with status code: 401. Response: {"result":"","errors":[{"code":20,"message":"Authorization failure"}
19:43:58 ],"messages":[],"success":false}
19:43:58 	at org.hyperledger.fabric_ca.sdk.HFCAClient.register(HFCAClient.java:255)
19:43:58 	at org.hyperledger.fabric_ca.sdkintegration.HFCAClientIT.testUserRevoke(HFCAClientIT.java:319)
19:43:58 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
19:43:58 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
19:43:58 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
19:43:58 	at java.lang.reflect.Method.invoke(Method.java:498)
19:43:58 	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
19:43:58 	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
19:43:58 	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
19:43:58 	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
19:43:58 	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
19:43:58 	at org.junit.rules.ExpectedException$ExpectedExceptionStatement.evaluate(ExpectedException.java:239)
19:43:58 	at org.junit.rules.RunRules.evaluate(RunRules.java:20)
19:43:58 	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
19:43:58 	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
19:43:58 	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
19:43:58 	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
19:43:58 	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
19:43:58 	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
19:43:58 	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
19:43:58 	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
19:43:58 	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
19:43:58 	at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
19:43:58 	at org.junit.runners.Suite.runChild(Suite.java:128)
19:43:58 	at org.junit.runners.Suite.runChild(Suite.java:27)
19:43:58 	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
19:43:58 	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
19:43:58 	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
19:43:58 	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
19:43:58 	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
19:43:58 	at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
19:43:58 	at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:367)
19:43:58 	at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:274)
19:43:58 	at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:238)
19:43:58 	at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:161)
19:43:58 	at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:290)
19:43:58 	at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:242)
19:43:58 	at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:121)
19:43:58 Caused by: java.lang.Exception: POST request to https://localhost:7054/api/v1/register failed request body {"id":"user1516477431_6","type":"user","secret":"testUserRevoke","affiliation":"org1.department1","attrs":[{"name":"user.role","value":"department lead"},{"name":"hf.revoker","value":"true"}]} with status code: 401. Response: {"result":"","errors":[{"code":20,"message":"Authorization failure"}
19:43:58 ],"messages":[],"success":false}
19:43:58 	at org.hyperledger.fabric_ca.sdk.HFCAClient.httpPost(HFCAClient.java:859)
19:43:58 	at org.hyperledger.fabric_ca.sdk.HFCAClient.register(HFCAClient.java:246)
```

smithbk (Sun, 21 Jan 2018 21:54:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2JpR3zHJLZGon3MHr) @asaningmaxchain The fabric-ca Makefile has targets for building a fabric-ca-orderer which simply adds the fabric-ca-client to the fabric-orderer image. The fabric-ca-client is then used to get TLS and enrollment certificates for the orderer before starting the orderer. There is also a target for building a fabric-ca-peer images which does the same for the peer.

MarisonSouza (Sun, 21 Jan 2018 22:39:57 GMT):
Has joined the channel.

aambati (Mon, 22 Jan 2018 01:39:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=N6khpPgwvsejrHPvL) @rickr so this test started to fail with the latest changes? Can you tell at what commit level it was working? In any case I will check the latest commits. Also, can you tell what the test case is trying to do?

naveen_saravanan (Mon, 22 Jan 2018 06:21:56 GMT):
How do you check the registered/enrolled users using the fabric-ca client command? I tried the below command and got this error message:
```
root@hibiz-Aspire-E5-575:/etc/hyperledger/fabric-ca-client# fabric-ca-client identity list
Error: unknown command "identity" for "fabric-ca-client"
Run 'fabric-ca-client --help' for usage.
root@hibiz-Aspire-E5-575:/etc/hyperledger/fabric-ca-client#
```

naveen_saravanan (Mon, 22 Jan 2018 06:23:32 GMT):
From the URL: http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#getting-identity-information

naveen_saravanan (Mon, 22 Jan 2018 06:32:42 GMT):
Is there a way to list out the registered/enrolled users using the fabric-ca-client commands?

mastersingh24 (Mon, 22 Jan 2018 09:32:50 GMT):
@naveen_saravanan - Not in v1.0.x, but in the current master there is, and this will be included in the alpha release coming out very soon

naveen_saravanan (Mon, 22 Jan 2018 09:34:48 GMT):
@mastersingh24 thank you.

naveen_saravanan (Mon, 22 Jan 2018 09:36:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=psHNqDYvTrbaEqk2a) you mean V1.0 of fabric-ca?

mastersingh24 (Mon, 22 Jan 2018 09:39:28 GMT):
Sorry - yes ^^^

naveen_saravanan (Mon, 22 Jan 2018 09:50:06 GMT):
ok.

naveen_saravanan (Mon, 22 Jan 2018 09:57:33 GMT):
@mastersingh24 I have used 'git clone' command to clone the fabric-ca. So which one will I get?

naveen_saravanan (Mon, 22 Jan 2018 09:58:33 GMT):
because both branches have the same git URL : https://github.com/hyperledger/fabric-ca.git

rickr (Mon, 22 Jan 2018 10:04:57 GMT):
@smithbk @aambati @skarim We are now failing the register of a user when we specify an attribute of "hf.revoker", "true"
```
2018-01-22 09:54:53,443 main ERROR HFCAClient:861 - POST request to http://localhost:7054/api/v1/register failed request body {"id":"user1516614853_6","type":"user","secret":"testUserRevoke","affiliation":"org1.department1","attrs":[{"name":"user.role","value":"department lead"},{"name":"hf.revoker","value":"true"}]} with status code: 401. Response: {"result":"","errors":[{"code":20,"message":"Authorization failure"} ],"messages":[],"success":false}
```
Here are the fabric ca logs: https://ctrlv.it/id/83897/3324041154 This has been passing.

naveen_saravanan (Mon, 22 Jan 2018 10:10:21 GMT):
I checked the fabric-ca I got and it was not of the master version. So how do I get the master version while cloning it using the 'git clone' command?

rickr (Mon, 22 Jan 2018 10:16:12 GMT):
@mastersingh24 @smithbk It seems the attribute name has changed `hf.revoker` -> `hf.Revoker` Or it has become case sensitive. This will break any users that used the former !

rickr (Mon, 22 Jan 2018 10:35:30 GMT):
BTW ```Authorization failure``` for an unidentified attribute ? No mention which ?

newlife 1 (Mon, 22 Jan 2018 10:45:00 GMT):
I want to build fabric-ca from source, using command`make fabric-ca-server`, error shows that can not find packages in vendor dir , what should I do to use these packages in vendor ?

mastersingh24 (Mon, 22 Jan 2018 11:25:33 GMT):
@rickr - looking through the docs, we never use lower case for the built-in attributes in the fabric-ca docs, but on the other hand we don't specify that the built-in attributes are case sensitive

asaningmaxchain (Mon, 22 Jan 2018 11:28:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=T9sy9GxkJSNYt39o3) @smithbk so when the orderer/peer starts, it doesn't need to produce the channel artifacts?

SudheerKaspa (Mon, 22 Jan 2018 11:42:30 GMT):
Has joined the channel.

rickr (Mon, 22 Jan 2018 15:00:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kM4WWrtixCz2QpDxt) @mastersingh24 Regardless, this will break users as it did the SDK, and the message returned back to the client gives no indication why. IMO I would have made it case sensitive at the onset, but given that it wasn't, and the unlikelihood of the use of attributes that just differ in case, I would now have left it as is. @smithbk

C0rnelius (Mon, 22 Jan 2018 16:06:07 GMT):
hello guys, i want to use the *cid* lib. It tries to import a "plugin" package. I have no idea where to get this package. I am working with v1.1.0-preview to get lib/cid. Any ideas?

C0rnelius (Mon, 22 Jan 2018 16:07:56 GMT):
pluginfactory.go:12:2: cannot find package "plugin"

aambati (Mon, 22 Jan 2018 16:17:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BGrYabzfCXem2hiqh) @naveen_saravanan `git clone -b master https://github.com/hyperledger/fabric-ca.git`

vieiramanoel (Mon, 22 Jan 2018 17:04:09 GMT):
https://developer.ibm.com/answers/questions/371902/hyperledger-node-sdk-enroll-failure-v10-alpha-cert.html?smartspace=blockchain I'm getting the same problem as this guy; three days on that and still no clue about how to solve it. What usage must be in the tls profile to fix it?

vieiramanoel (Mon, 22 Jan 2018 17:17:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tnvwZMkKNiRoGjjk5) @skarim i'm srry to bring this up again, but i've added those to tls profile even ```caconstraint: isca: true``` in a desperate try but it didn't worked using openssl to test I get ```140421140186880:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:ssl/ssl_lib.c:2861: 140421140186880:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:ssl/statem/statem_clnt.c:2815: ``` ``` SSL handshake has read 774 bytes and written 190 bytes Verification error: unsupported certificate purpose ``` I've tried

vieiramanoel (Mon, 22 Jan 2018 17:17:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tnvwZMkKNiRoGjjk5) @skarim i'm srry to bring this up again, but i've added those to tls profile even ```caconstraint: isca: true``` in a desperate try but it didn't worked using openssl to test I get `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/tlscacerts/tls-ca-goledger-com-7054.pem --tls1_2` ```140421140186880:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:ssl/ssl_lib.c:2861: 140421140186880:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:ssl/statem/statem_clnt.c:2815: ``` ```SSL handshake has read 774 bytes and written 190 bytes Verification error: unsupported certificate purpose ``` I've tried

vieiramanoel (Mon, 22 Jan 2018 17:17:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tnvwZMkKNiRoGjjk5) @skarim i'm srry to bring this up again, but i've added those to tls profile even ```caconstraint: isca: true``` in a desperate try but it didn't worked using openssl to test I get `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/tlscacerts/tls-ca-goledger-com-7054.pem --tls1_2` or `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/signcerts/cert.pem --tls1_2` ```140421140186880:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:ssl/ssl_lib.c:2861: 140421140186880:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:ssl/statem/statem_clnt.c:2815: ``` ```SSL handshake has read 774 bytes and written 190 bytes Verification error: unsupported certificate purpose ``` I've tried

vieiramanoel (Mon, 22 Jan 2018 17:17:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tnvwZMkKNiRoGjjk5) @skarim i'm srry to bring this up again, but i've added those to tls profile even ```caconstraint: isca: true``` in a desperate try but it didn't worked using openssl to test I get `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/tlscacerts/tls-ca-goledger-com-7054.pem --tls1_2` or `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/signcerts/cert.pem --tls1_2` after `fabric-ca-client enroll --enrollment.profile tls -u "https://admin:adminpw@ca.goledger.com:7054" --tls.certfiles ca-cert.pem -H $PWD -M msp ` and I get ```140421140186880:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:ssl/ssl_lib.c:2861: 140421140186880:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:ssl/statem/statem_clnt.c:2815: ``` ```SSL handshake has read 774 bytes and written 190 bytes Verification error: unsupported certificate purpose ``` Which is the same error as composer acuses: certfile not for signing

vieiramanoel (Mon, 22 Jan 2018 17:17:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tnvwZMkKNiRoGjjk5) @skarim i'm srry to bring this up again, but i've added those to tls profile even ```caconstraint: isca: true``` in a desperate try but it didn't worked using openssl to test I get `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/tlscacerts/tls-ca-goledger-com-7054.pem --tls1_2` or `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/signcerts/cert.pem --tls1_2` after `fabric-ca-client enroll --enrollment.profile tls -u "https://admin:adminpw@ca.goledger.com:7054" --tls.certfiles ca-cert.pem -H $PWD -M msp` and I get ```140421140186880:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:ssl/ssl_lib.c:2861: 140421140186880:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:ssl/statem/statem_clnt.c:2815: ``` ```SSL handshake has read 774 bytes and written 190 bytes Verification error: unsupported certificate purpose ``` Which is the same error as composer acuses: certfile not for signing

vieiramanoel (Mon, 22 Jan 2018 17:17:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tnvwZMkKNiRoGjjk5) @skarim i'm srry to bring this up again, but i've added those to tls profile even ```caconstraint: isca: true``` in a desperate try but it didn't worked using openssl to test I get `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/tlscacerts/tls-ca-goledger-com-7054.pem --tls1_2` or `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/signcerts/cert.pem --tls1_2` after `fabric-ca-client enroll --enrollment.profile tls -u "https://admin:adminpw@ca.goledger.com:7054" --tls.certfiles ca-cert.pem -H $PWD -M msp` and I get ```140421140186880:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:ssl/ssl_lib.c:2861: 140421140186880:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:ssl/statem/statem_clnt.c:2815: ``` ```SSL handshake has read 774 bytes and written 190 bytes Verification error: unsupported certificate purpose ``` Which is the same error as composer acuses: certfile not for signing

vieiramanoel (Mon, 22 Jan 2018 17:17:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tnvwZMkKNiRoGjjk5) @skarim i'm srry to bring this up again, but i've added those to tls profile even ```caconstraint: isca: true``` in a desperate try but it didn't worked using openssl to test I get `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/tlscacerts/tls-ca-goledger-com-7054.pem --tls1_2` or `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/signcerts/cert.pem --tls1_2` after `fabric-ca-client enroll --enrollment.profile tls -u "https://admin:adminpw@ca.goledger.com:7054" --tls.certfiles ca-cert.pem -H $PWD -M msp` and I get ```140421140186880:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:ssl/ssl_lib.c:2861: 140421140186880:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:ssl/statem/statem_clnt.c:2815: ``` ```SSL handshake has read 774 bytes and written 190 bytes Verification error: unsupported certificate purpose ``` Which is the same error as composer acuses: certfile not for signing Server output also is: `2018/01/22 17:08:20 http: TLS handshake error from 186.195.37.161:41748: remote error: tls: handshake failure`

vieiramanoel (Mon, 22 Jan 2018 17:17:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tnvwZMkKNiRoGjjk5) @skarim i'm srry to bring this up again, but i've added those to tls profile even ```caconstraint: isca: true``` in a desperate try but it didn't worked. Uusing openssl to test I get `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/tlscacerts/tls-ca-goledger-com-7054.pem --tls1_2` or `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/signcerts/cert.pem --tls1_2` after `fabric-ca-client enroll --enrollment.profile tls -u "https://admin:adminpw@ca.goledger.com:7054" --tls.certfiles ca-cert.pem -H $PWD -M msp` and I get ```140421140186880:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:ssl/ssl_lib.c:2861: 140421140186880:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:ssl/statem/statem_clnt.c:2815: ``` ```SSL handshake has read 774 bytes and written 190 bytes Verification error: unsupported certificate purpose ``` Which is the same error as composer acuses: certfile not for signing Server output also is: `2018/01/22 17:08:20 http: TLS handshake error from 186.195.37.161:41748: remote error: tls: handshake failure`

vieiramanoel (Mon, 22 Jan 2018 17:17:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tnvwZMkKNiRoGjjk5) @skarim i'm srry to bring this up again, but i've added those to tls profile even ```caconstraint: isca: true``` in a desperate try but it didn't worked. Using openssl to test I get `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/tlscacerts/tls-ca-goledger-com-7054.pem --tls1_2` or `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/signcerts/cert.pem --tls1_2` after `fabric-ca-client enroll --enrollment.profile tls -u "https://admin:adminpw@ca.goledger.com:7054" --tls.certfiles ca-cert.pem -H $PWD -M msp` and I get ```140421140186880:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:ssl/ssl_lib.c:2861: 140421140186880:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:ssl/statem/statem_clnt.c:2815: ``` ```SSL handshake has read 774 bytes and written 190 bytes Verification error: unsupported certificate purpose ``` Which is the same error as composer acuses: certfile not for signing Server output also is: `2018/01/22 17:08:20 http: TLS handshake error from 186.195.37.161:41748: remote error: tls: handshake failure`

vieiramanoel (Mon, 22 Jan 2018 17:17:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tnvwZMkKNiRoGjjk5) @skarim I'm sorry to bring this up again, but I've added those to the tls profile, even
```
caconstraint:
  isca: true
```
in a desperate try, but it didn't work. Using openssl to test I get `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/tlscacerts/tls-ca-goledger-com-7054.pem --tls1_2` or `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/signcerts/cert.pem --tls1_2` after `fabric-ca-client enroll --enrollment.profile tls -u "https://admin:adminpw@ca.goledger.com:7054" --tls.certfiles ca-cert.pem -H $PWD -M msp` and I get
```
140421140186880:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:ssl/ssl_lib.c:2861:
140421140186880:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:ssl/statem/statem_clnt.c:2815:
```
```
SSL handshake has read 774 bytes and written 190 bytes
Verification error: unsupported certificate purpose
```
Which is the same error as composer accuses:
```
Error: Error trying login and get user Context. Error: Error trying to enroll user or load channel configuration. Error: Calling enrollment endpoint failed with error [Error: write EPROTO 139626353597256:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:../deps/openssl/openssl/ssl/ssl_lib.c:2520:
139626353597256:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:../deps/openssl/openssl/ssl/s3_clnt.c:3550:
```
Server output also is: `2018/01/22 17:08:20 http: TLS handshake error from 186.195.37.161:41748: remote error: tls: handshake failure`

vieiramanoel (Mon, 22 Jan 2018 17:17:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tnvwZMkKNiRoGjjk5) @skarim I'm sorry to bring this up again, but I've added those to the tls profile, even
```
caconstraint:
  isca: true
```
in a desperate try, but it didn't work. Using openssl to test I get `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/tlscacerts/tls-ca-goledger-com-7054.pem --tls1_2` or `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/signcerts/cert.pem --tls1_2` after `fabric-ca-client enroll --enrollment.profile tls -u "https://admin:adminpw@ca.goledger.com:7054" --tls.certfiles ca-cert.pem -H $PWD -M msp` and I get
```
140421140186880:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:ssl/ssl_lib.c:2861:
140421140186880:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:ssl/statem/statem_clnt.c:2815:
```
```
SSL handshake has read 774 bytes and written 190 bytes
Verification error: unsupported certificate purpose
```
Which is the same error as composer accuses when it tries to ping the business network:
```
Error: Error trying login and get user Context. Error: Error trying to enroll user or load channel configuration. Error: Calling enrollment endpoint failed with error [Error: write EPROTO 139626353597256:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:../deps/openssl/openssl/ssl/ssl_lib.c:2520:
139626353597256:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:../deps/openssl/openssl/ssl/s3_clnt.c:3550:
```
Server output also is: `2018/01/22 17:08:20 http: TLS handshake error from 186.195.37.161:41748: remote error: tls: handshake failure`

vieiramanoel (Mon, 22 Jan 2018 17:17:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tnvwZMkKNiRoGjjk5) @skarim I'm sorry to bring this up again, but I've added those to the tls profile, even
```
caconstraint:
  isca: true
```
in a desperate try, but it didn't work. Using openssl to test, `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/tlscacerts/tls-ca-goledger-com-7054.pem --tls1_2` or `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/signcerts/cert.pem --tls1_2` after `fabric-ca-client enroll --enrollment.profile tls -u "https://admin:adminpw@ca.goledger.com:7054" --tls.certfiles ca-cert.pem -H $PWD -M msp`, I get
```
140421140186880:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:ssl/ssl_lib.c:2861:
140421140186880:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:ssl/statem/statem_clnt.c:2815:
```
```
SSL handshake has read 774 bytes and written 190 bytes
Verification error: unsupported certificate purpose
```
Which is the same error as composer accuses when it tries to ping the business network:
```
Error: Error trying login and get user Context. Error: Error trying to enroll user or load channel configuration. Error: Calling enrollment endpoint failed with error [Error: write EPROTO 139626353597256:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:../deps/openssl/openssl/ssl/ssl_lib.c:2520:
139626353597256:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:../deps/openssl/openssl/ssl/s3_clnt.c:3550:
```
Server output also is: `2018/01/22 17:08:20 http: TLS handshake error from 186.195.37.161:41748: remote error: tls: handshake failure`

vieiramanoel (Mon, 22 Jan 2018 17:17:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tnvwZMkKNiRoGjjk5) @skarim I'm sorry to bring this up again, but I've added those to the tls profile, even
```
caconstraint:
  isca: true
```
in a desperate try, but it didn't work. Using openssl to test, `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/tlscacerts/tls-ca-goledger-com-7054.pem --tls1_2` or `openssl s_client -connect ca.goledger.com:7054 -CAfile msp/signcerts/cert.pem --tls1_2` after `fabric-ca-client enroll --enrollment.profile tls -u "https://admin:adminpw@ca.goledger.com:7054" --tls.certfiles ca-cert.pem -H $PWD -M msp`, I get
```
140421140186880:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:ssl/ssl_lib.c:2861:
140421140186880:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:ssl/statem/statem_clnt.c:2815:
```
```
SSL handshake has read 774 bytes and written 190 bytes
Verification error: unsupported certificate purpose
```
Which is the same error as composer accuses when it tries to ping the business network using the root ca cert:
```
Error: Error trying login and get user Context. Error: Error trying to enroll user or load channel configuration. Error: Calling enrollment endpoint failed with error [Error: write EPROTO 139626353597256:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:../deps/openssl/openssl/ssl/ssl_lib.c:2520:
139626353597256:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:../deps/openssl/openssl/ssl/s3_clnt.c:3550:
```
Server output also is: `2018/01/22 17:08:20 http: TLS handshake error from 186.195.37.161:41748: remote error: tls: handshake failure`

skarim (Mon, 22 Jan 2018 17:32:21 GMT):
@vieiramanoel Do you have the fabric-ca server logs from where you enroll using the tls profile?

vieiramanoel (Mon, 22 Jan 2018 17:32:28 GMT):
yes

skarim (Mon, 22 Jan 2018 17:33:30 GMT):
can you please share those?

vieiramanoel (Mon, 22 Jan 2018 17:33:37 GMT):
client: `fabric-ca-client enroll --enrollment.profile tls -u "https://admin:adminpw@ca.goledger.com:7054" --tls.certfiles ca-cert.pem -H $PWD -M msp`
```
2018/01/22 15:32:49 [INFO] TLS Enabled
2018/01/22 15:32:49 [INFO] generating key: &{A:ecdsa S:256}
2018/01/22 15:32:49 [INFO] encoded CSR
2018/01/22 15:32:49 [INFO] Stored client certificate at /home/vieira/ca-example/client/msp/signcerts/cert.pem
2018/01/22 15:32:49 [INFO] Stored TLS root CA certificate at /home/vieira/ca-example/client/msp/tlscacerts/tls-ca-goledger-com-7054.pem
2018/01/22 15:32:49 [INFO] Stored TLS intermediate certificates at /home/vieira/ca-example/client/msp/tlsintermediatecerts/tls-ca-goledger-com-7054.pem
```
server:
```
2018/01/22 17:32:49 [INFO] signed certificate with serial number 528758389974863205919540641177390665889044480679
2018/01/22 17:32:49 [INFO] 186.195.37.161:42170 - "POST /enroll" 200
```

vieiramanoel (Mon, 22 Jan 2018 17:50:29 GMT):
maybe I misunderstood, the server log at the openssl failure is this, right? `2018/01/22 17:08:20 http: TLS handshake error from 186.195.37.161:41748: remote error: tls: handshake failure` every time I try to use the openssl connect command

vieiramanoel (Mon, 22 Jan 2018 17:50:29 GMT):
maybe I misunderstood, the server log at the openssl failure is this, right? `2018/01/22 17:08:20 http: TLS handshake error from 186.195.37.161:41748: remote error: tls: handshake failure` every time I try to use the openssl connect command

vieiramanoel (Mon, 22 Jan 2018 17:51:26 GMT):
or ping on composer's business network

skarim (Mon, 22 Jan 2018 18:07:49 GMT):
@vieiramanoel Could you enable debug on the server and try enrolling with tls profile again? I would like to make sure that the enroll request is going to the right profile. Also, if you have your fabric-ca server config file, could you share that too please? If I understand correctly, you are trying to generate a tls cert using fabric-ca and then trying to use it with OpenSSL?

vieiramanoel (Mon, 22 Jan 2018 18:08:07 GMT):
yes

skarim (Mon, 22 Jan 2018 18:08:07 GMT):
Also, did you inspect the certificate you got back to make sure this time it had the correct usage extension?

vieiramanoel (Mon, 22 Jan 2018 18:08:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iYnrXHDQERgLye8NK) @skarim that's my bigger question, what's the right usage extension?

skarim (Mon, 22 Jan 2018 18:09:04 GMT):
if you are using the tls profile you should get back
```
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
```

vieiramanoel (Mon, 22 Jan 2018 18:12:48 GMT):
Debug
```
2018/01/22 18:11:09 [DEBUG] Received request POST /enroll
Authorization: Basic YWRtaW46YWRtaW5wdw==
{"hosts":["vieira-notebook"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBRTCB7AIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEA0zsbyVkROmV5CsN\npiTI1a25kreMOsv8GayfjTJDEMex0s/HXLVvtZ02+Lx3aWW3VU+Pq8JUxbKwL0tZ\nqXuWq6AtMCsGCSqGSIb3DQEJDjEeMBwwGgYDVR0RBBMwEYIPdmllaXJhLW5vdGVi\nb29rMAoGCCqGSM49BAMCA0gAMEUCIQD4V6fRQ5swZi4fCXxUHe+n2dossCYSr4CB\nf1BpSmMFsgIgQzDdBIPmkHpkHLkhVGYfT+kwywjg+c0zJoxGsXn8tOk=\n-----END CERTIFICATE REQUEST-----\n","profile":"tls","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}
2018/01/22 18:11:09 [DEBUG] Directing traffic to default CA
2018/01/22 18:11:09 [DEBUG] DB: Getting identity admin
2018/01/22 18:11:09 [DEBUG] DB: Login user admin with max enrollments of -1 and state of 8
2018/01/22 18:11:09 [DEBUG] Successfully incremented state for identity admin to 9
2018/01/22 18:11:09 [DEBUG] DB: identity admin successfully logged in
2018/01/22 18:11:09 [DEBUG] Identity/Pass was correct
2018/01/22 18:11:09 [DEBUG] Received request for endpoint enroll
2018/01/22 18:11:09 [DEBUG] Enrollment request: {SignRequest:{Hosts:[vieira-notebook] Request:-----BEGIN CERTIFICATE REQUEST-----
MIIBRTCB7AIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp
bmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV
BAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEA0zsbyVkROmV5CsN
piTI1a25kreMOsv8GayfjTJDEMex0s/HXLVvtZ02+Lx3aWW3VU+Pq8JUxbKwL0tZ
qXuWq6AtMCsGCSqGSIb3DQEJDjEeMBwwGgYDVR0RBBMwEYIPdmllaXJhLW5vdGVi
b29rMAoGCCqGSM49BAMCA0gAMEUCIQD4V6fRQ5swZi4fCXxUHe+n2dossCYSr4CB
f1BpSmMFsgIgQzDdBIPmkHpkHLkhVGYfT+kwywjg+c0zJoxGsXn8tOk=
-----END CERTIFICATE REQUEST-----
 Subject: Profile:tls CRLOverride: Label: Serial: Extensions:[]} CAName:}
2018/01/22 18:11:09 [DEBUG] csrAuthCheck: enrollment ID=admin, CommonName=admin, Subject=
2018/01/22 18:11:09 [DEBUG] CSR authorization check passed
2018/01/22 18:11:09 [DEBUG] Checking CSR fields to make sure that they do not exceed maximum character limits
2018/01/22 18:11:09 [INFO] signed certificate with serial number 659285177179536316206579431537284384597291724090
2018/01/22 18:11:09 [DEBUG] DB: Insert Certificate
2018/01/22 18:11:09 [DEBUG] Saved serial number as hex 737b5eab637754d2c37f936e612fd881984e6d3a
2018/01/22 18:11:09 [DEBUG] saved certificate with serial number 659285177179536316206579431537284384597291724090
2018/01/22 18:11:09 [INFO] 186.195.37.161:42580 - "POST /enroll" 200
```

vieiramanoel (Mon, 22 Jan 2018 18:13:13 GMT):
fabric-ca-server-config.yaml
```
port: 7054
debug: false
crlsizelimit: 512000
tls:
  enabled: true
  certfile: ca-cert.pem
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:
ca:
  name: ca.goledger.com
  keyfile:
  certfile: ca-cert.pem
  chainfile:
crl:
  expiry: 24h
registry:
  maxenrollments: -1
  identities:
    - name: admin
      pass: adminpw
      type: client
      affiliation: ""
      attrs:
        hf.Registrar.Roles: "peer,orderer,client,user"
        hf.Registrar.DelegateRoles: "peer,orderer,client,user"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.GenCRL: true
        hf.Registrar.Attributes: "*"
db:
  type: sqlite3
  datasource: fabric-ca-server.db
  tls:
    enabled: false
    certfiles:
    client:
      certfile:
      keyfile:
ldap:
  # Enables or disables the LDAP client (default: false)
  # If this is set to true, the "registry" section is ignored.
  enabled: false
  # The URL of the LDAP server
  url: ldap://:@:/
  tls:
    certfiles:
    client:
      certfile:
      keyfile:
affiliations:
  goledger:
    - estagiarios
signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
        - signing
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 0
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - key agreement
        - client auth
      expiry: 8760h
csr:
  cn: ca.goledger.com
  names:
    - C: BR
      ST: "Distrito Federal"
      L: "Brasilia"
      O: GoLedger
  hosts:
    - ca.goledger.com
  ca:
    expiry: 131400h
    pathlength: 1
bccsp:
  default: SW
  sw:
    hash: SHA2
    security: 256
    filekeystore:
      # The directory used for the software file-based keystore
      keystore: msp/keystore
cacount:
cafiles:
intermediate:
  parentserver:
    url:
    caname:
  enrollment:
    hosts:
    profile:
    label:
  tls:
    certfiles:
    client:
      certfile:
      keyfile:
```

vieiramanoel (Mon, 22 Jan 2018 18:32:26 GMT):
decoding signcert in tls enrollment
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment, Key Agreement
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Basic Constraints: critical
        CA:FALSE
```

skarim (Mon, 22 Jan 2018 18:41:12 GMT):
hmm...everything looks to be correct. I don't really understand the error that is coming back from openssl

skarim (Mon, 22 Jan 2018 18:43:50 GMT):
the CAfile that you pass into the openssl, is that the signing cert that is used to generate the tls cert from fabric-ca?

vieiramanoel (Mon, 22 Jan 2018 18:45:00 GMT):
After I enroll I tried MSP/tlsca, MSP/signcert and ca-root.pem

vieiramanoel (Mon, 22 Jan 2018 18:45:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=geNvanYiCGL5cgRL4) @skarim I read it wrong, yes

vieiramanoel (Mon, 22 Jan 2018 18:46:13 GMT):
All of them return the same error

skarim (Mon, 22 Jan 2018 18:46:19 GMT):
also, in your openssl command you use '--tls1_2', I am looking at the docs and they use only one dash '-tls1_2'. Not sure if this is related but you might want to try that

vieiramanoel (Mon, 22 Jan 2018 18:47:11 GMT):
I think I copied it from -help, let me try this one

vieiramanoel (Mon, 22 Jan 2018 18:47:11 GMT):
I think I copied it from -help, let me try this one

vieiramanoel (Mon, 22 Jan 2018 18:47:11 GMT):
I think I copied it from -help. let me try this one

vieiramanoel (Mon, 22 Jan 2018 18:57:29 GMT):
@skarim I wrote it here wrong haha, I'm using -tls1_2, only one dash

skarim (Mon, 22 Jan 2018 19:15:46 GMT):
@vieiramanoel Can you try cleaning out your MSP folder on your fabric ca server and start fresh. This time when you start the server, start with the flag '--tls.enabled'. This will automatically generate a TLS certificate for your server and enable TLS. Afterwards, try using openssl client with this generated TLS certificate as the -CAFiles flag. You will see the location of the tls certificate in the server logs, make sure debug is enabled.

vieiramanoel (Mon, 22 Jan 2018 19:16:17 GMT):
ok! lemme try that

vieiramanoel (Mon, 22 Jan 2018 19:24:49 GMT):
@skarim `ca.goledger.com | 2018/01/22 19:22:59 [INFO] The certificate is at: /etc/hyperledger/fabric-ca-server/ca-cert.pem` is that cert?

skarim (Mon, 22 Jan 2018 19:26:54 GMT):
no, there should be one that states it is a tls cert

skarim (Mon, 22 Jan 2018 19:26:54 GMT):
no, there should be one that states it is a tls cert

skarim (Mon, 22 Jan 2018 19:27:25 GMT):
you will need to turn debug logging on

vieiramanoel (Mon, 22 Jan 2018 19:28:45 GMT):
it is turned on `fabric-ca-server start -b "admin:admin" --tls.enabled -d`

vieiramanoel (Mon, 22 Jan 2018 19:28:45 GMT):
it is turned on `fabric-ca-server start -b "admin:adminpw" --tls.enabled -d`

skarim (Mon, 22 Jan 2018 19:29:00 GMT):
yeah, -d will enable it

vieiramanoel (Mon, 22 Jan 2018 19:31:47 GMT):
so I don't have any debug message about tls cert files, just
```
[...]
2018/01/22 19:29:38 [DEBUG] CA Home Directory: /etc/hyperledger/fabric-ca-server
2018/01/22 19:29:38 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc42025fd40 Pkcs11Opts:}
2018/01/22 19:29:38 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc420271c80 DummyKeystore:}
2018/01/22 19:29:38 [DEBUG] Initialize key material
2018/01/22 19:29:38 [DEBUG] Making CA filenames absolute
2018/01/22 19:29:38 [INFO] The CA key and certificate already exist
2018/01/22 19:29:38 [INFO] The key is stored by BCCSP provider 'SW'
2018/01/22 19:29:38 [INFO] The certificate is at: /etc/hyperledger/fabric-ca-server/ca-cert.pem
2018/01/22 19:29:38 [DEBUG] Loading CN from existing enrollment information
2018/01/22 19:29:38 [DEBUG] Using sqlite database, connect to database in home (/etc/hyperledger/fabric-ca-server/fabric-ca-server.db) directory
2018/01/22 19:29:38 [DEBUG] Database (/etc/hyperledger/fabric-ca-server/fabric-ca-server.db) exists
2018/01/22 19:29:38 [DEBUG] Successfully opened sqlite3 DB
2018/01/22 19:29:38 [DEBUG] Initializing identity registry
2018/01/22 19:29:38 [DEBUG] Initialized DB identity registry
2018/01/22 19:29:38 [INFO] Initialized sqlite3 database
2018/01/22 19:29:38 [DEBUG] Initializing enrollment signer
2018/01/22 19:29:38 [DEBUG] validating configuration
2018/01/22 19:29:38 [DEBUG] validate local profile
2018/01/22 19:29:38 [DEBUG] profile is valid
2018/01/22 19:29:38 [DEBUG] validate local profile
2018/01/22 19:29:38 [DEBUG] profile is valid
2018/01/22 19:29:38 [DEBUG] validate local profile
2018/01/22 19:29:38 [DEBUG] profile is valid
2018/01/22 19:29:38 [DEBUG] CA initialization successful
2018/01/22 19:29:38 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server
2018/01/22 19:29:38 [DEBUG] 1 CA instance(s) running on server
2018/01/22 19:29:38 [DEBUG] TLS is enabled
2018/01/22 19:29:38 [DEBUG] Client authentication type requested: noclientcert
2018/01/22 19:29:38 [INFO] Listening on https://0.0.0.0:7054
2018/01/22 19:29:38 [DEBUG] Received request
```

vieiramanoel (Mon, 22 Jan 2018 20:08:13 GMT):
@skarim I'll try another approach now, in the fabric-ca samples there's a tlsroot.pem file inside the run container at `/etc/hyperledger/fabric/msp/tlscacerts`

vieiramanoel (Mon, 22 Jan 2018 20:08:13 GMT):
@skarim I'll try another approach now, in the fabric-ca samples there's a tlsroot.pem file inside the run container at `/etc/hyperledger/fabric/msp/tlscacerts`

vieiramanoel (Mon, 22 Jan 2018 20:08:13 GMT):
@skarim I'll try another approach now, in the fabric-ca samples there's a tlsroot.pem file inside the run container at `/etc/hyperledger/fabric/msp/tlscacerts`

vieiramanoel (Mon, 22 Jan 2018 20:08:36 GMT):
I didn't find how this is generated in the scripts

vieiramanoel (Mon, 22 Jan 2018 20:09:27 GMT):
what matters is that in this tlsroot.pem there's
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
    X509v3 Extended Key Usage:
        Any Extended Key Usage
    X509v3 Basic Constraints: critical
        CA:TRUE
```

vieiramanoel (Mon, 22 Jan 2018 20:10:40 GMT):
what usage do I set in the config file to get `X509v3 Extended Key Usage: Any Extended Key Usage`

vieiramanoel (Mon, 22 Jan 2018 20:10:40 GMT):
what usage do I set in the config file to get `X509v3 Extended Key Usage: Any Extended Key Usage`

rickr (Mon, 22 Jan 2018 20:14:59 GMT):
@rameshthoomu @smithbk We really need some verify/merge test of the Fabric CA with the SDKs .. like we have for Fabric

vieiramanoel (Mon, 22 Jan 2018 20:19:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qecg6mE9DgAztNyXS) knowing where in the scripts it is generated would be enough I guess, but I can't find that either

vieiramanoel (Mon, 22 Jan 2018 20:19:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qecg6mE9DgAztNyXS) to know where in the scripts it is generated would be enough I guess, but I can't find that either

skarim (Mon, 22 Jan 2018 20:35:54 GMT):
@vieiramanoel I am surprised you don't see the TLS debug message? What commit level are you on for fabric-ca? If you are trying to use fabric-ca to generate a certificate with "Any Extended Key Usage", I think if you set 'any' as the usage for a profile in fabric-ca server config, you should get it. I have not tested this though.

vieiramanoel (Mon, 22 Jan 2018 20:39:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5MZnm8KFcYFNwyr5x) @skarim I'm using the docker latest image

rameshthoomu (Mon, 22 Jan 2018 20:57:37 GMT):
@rickr I disabled SDK e2e tests from fabric patch sets. See the JIRA request here https://jira.hyperledger.org/browse/FAB-7694

rameshthoomu (Mon, 22 Jan 2018 20:58:22 GMT):
and later it was decided that we should run only e2e cli (byfn) tests on every patch set and the SDK repos should take care of the e2e tests..

rameshthoomu (Mon, 22 Jan 2018 20:58:22 GMT):
and later it was decided that we should run only e2e cli (byfn) tests on every fabric patch set and the SDK repos should take care of the e2e tests..

rickr (Mon, 22 Jan 2018 21:02:32 GMT):
So nothing is checking so we know quickly that Fabric is breaking the SDKs ?

rameshthoomu (Mon, 22 Jan 2018 21:07:19 GMT):
yes.

Toan2211 (Mon, 22 Jan 2018 21:10:56 GMT):
Has joined the channel.

naveen_saravanan (Tue, 23 Jan 2018 03:40:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3YYBDqLmkvxuvsRYd) Thanks.

zhaochy (Tue, 23 Jan 2018 03:49:51 GMT):
@mastersingh24 would you please look at this ticket. https://jira.hyperledger.org/browse/FAB-7857

hanlsin (Tue, 23 Jan 2018 04:29:27 GMT):
Has left the channel.

AnandBanik (Tue, 23 Jan 2018 05:59:23 GMT):
Has joined the channel.

AnandBanik (Tue, 23 Jan 2018 06:00:01 GMT):
Hi team ....can anyone provide me an example of chaincode where we can get the attributes mentioned during the user registration process? Currently I am using the below chaincode to get name and org
```go
import (
	"crypto/x509"
	"encoding/pem"
	"strings"
)

// getCreator pulls the PEM certificate out of the creator bytes and returns
// the subject CN and the first label of the issuer organization.
// "logger" is the chaincode's own logger, defined elsewhere in the chaincode.
var getCreator = func(certificate []byte) (string, string) {
	// keep only the text between the first and the last "-----" marker
	data := certificate[strings.Index(string(certificate), "-----") : strings.LastIndex(string(certificate), "-----")+5]
	block, _ := pem.Decode([]byte(data))
	if block == nil {
		logger.Error("no PEM block found in creator certificate")
		return "", ""
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		logger.Error("failed to parse creator certificate: " + err.Error())
		return "", ""
	}
	organization := ""
	if len(cert.Issuer.Organization) > 0 {
		organization = cert.Issuer.Organization[0]
	}
	commonName := cert.Subject.CommonName
	logger.Debug("commonName: " + commonName + ", organization: " + organization)
	organizationShort := strings.Split(organization, ".")[0]
	return commonName, organizationShort
}
```
But I cannot find a way to get the values of the attributes I use to register the user. I am using the below Node SDK request for user registration https://fabric-sdk-node.github.io/global.html#RegisterRequest__anchor Appreciate your help with this

sibil (Tue, 23 Jan 2018 06:30:55 GMT):
Has joined the channel.

naveen_saravanan (Tue, 23 Jan 2018 06:34:06 GMT):
Is there any node.js application files available to perform the same operations (such the enrolling the admin, registering and enrolling the user, etc) that were performed using the fabric-ca-client commands?

AnandBanik (Tue, 23 Jan 2018 06:41:22 GMT):
@naveen_saravanan yes....you can either use the fabric-ca services...here is the swagger file

AnandBanik (Tue, 23 Jan 2018 06:41:40 GMT):
https://github.com/hyperledger/fabric-ca/blob/release/swagger/swagger-fabric-ca.json

AnandBanik (Tue, 23 Jan 2018 06:42:12 GMT):
or use the Node SDK https://fabric-sdk-node.github.io/global.html#RegisterRequest__anchor

naveen_saravanan (Tue, 23 Jan 2018 06:43:07 GMT):
@AnandBanik thanks and I will try it.

Brucepark (Tue, 23 Jan 2018 07:20:52 GMT):
Can I use ABAC(Attribute-Based AccessControl) on latest fabric-ca-server (v1.1)? I think because there is no connection between ca and other fabric node, it is not possible to use ABAC. Am I right?

Brucepark (Tue, 23 Jan 2018 07:51:28 GMT):
I have another question.

Brucepark (Tue, 23 Jan 2018 07:51:30 GMT):
I can’t find what is the candidate role for hf.Registrar.Roles and hf.Registrar.DelegateRoles. Can I define roles in my own way?

naveen_saravanan (Tue, 23 Jan 2018 09:04:30 GMT):
I am getting an error while trying to stop the docker container. What is the problem here?
```
root@hibiz-Aspire-E5-575:/home/hibiz/blockchain-explorer/fabric-starter-master# docker stop 24213fd1d320
Error response from daemon: cannot stop container: 24213fd1d320: Cannot kill container 24213fd1d3208baa344915598efe39cfc9733e4df80b978caf41cdf173d35a9a: connection error: desc = "transport: dial unix /var/run/docker/containerd/docker-containerd.sock: connect: connection refused": unknown
root@hibiz-Aspire-E5-575:/home/hibiz/blockchain-explorer/fabric-starter-master#
```

naveen_saravanan (Tue, 23 Jan 2018 09:04:30 GMT):
I am getting an error while trying to stop the docker container. What is the problem here?
```
root@hibiz-Aspire-E5-575:/home/hibiz/blockchain-explorer/fabric-starter-master# docker stop 24213fd1d320
Error response from daemon: cannot stop container: 24213fd1d320: Cannot kill container 24213fd1d3208baa344915598efe39cfc9733e4df80b978caf41cdf173d35a9a: connection error: desc = "transport: dial unix /var/run/docker/containerd/docker-containerd.sock: connect: connection refused": unknown
root@hibiz-Aspire-E5-575:/home/hibiz/blockchain-explorer/fabric-starter-master#
```

kapilAtrey (Tue, 23 Jan 2018 09:13:24 GMT):
Has joined the channel.

kapilAtrey (Tue, 23 Jan 2018 09:13:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-sdk-node?msg=8SgCQMhH8Hfw2vuhx) [ ](https://chat.hyperledger.org/channel/fabric-sdk-node?msg=W72yBfaLuRyMMJySa) [ ](https://chat.hyperledger.org/channel/fabric-sdk-node?msg=RmEL2PXywoYRMvSo3)

mastersingh24 (Tue, 23 Jan 2018 09:34:25 GMT):
@kapilAtrey - https://chat.hyperledger.org/channel/fabric-sdk-node?msg=BwoZmjqWsMpHguy87

aambati (Tue, 23 Jan 2018 15:42:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Tg5hmp6o83rtssksH) @AnandBanik pls check https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca

aambati (Tue, 23 Jan 2018 15:42:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Tg5hmp6o83rtssksH) @AnandBanik pls check https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca ..specifically, https://github.com/hyperledger/fabric-samples/blob/master/chaincode/abac/abac.go

aambati (Tue, 23 Jan 2018 15:48:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GTf9W5HgiWRxRipCs) @naveen_saravanan you can refer to Node SDK but they don't use fabric-ca-client commands though..It has node code that makes REST calls to Fabric CA server

aambati (Tue, 23 Jan 2018 15:48:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GTf9W5HgiWRxRipCs) @naveen_saravanan you can refer to Node SDK (https://github.com/hyperledger/fabric-sdk-node) but they don't use fabric-ca-client commands though..It has node code that makes REST calls to Fabric CA server

aambati (Tue, 23 Jan 2018 15:51:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=L8uLQsxYgcBouY2gh) @Brucepark Yes, you should be able to use ABAC in 1.1. As long as the enrollment certificate was issued by fabric CA server and attributes were requested during enrollment...the ABAC library can be used to make access control decisions in the chaincode...pls check fabric-ca sample: https://github.com/hyperledger/fabric-samples/blob/master/chaincode/abac/abac.go

aambati (Tue, 23 Jan 2018 16:03:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KRLr5piCxYcBtwor3) @Brucepark you can define any values you like but roles like peer, orderer may have significance in the fabric MSP

aambati (Tue, 23 Jan 2018 16:03:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KRLr5piCxYcBtwor3) @Brucepark you can define any values you like but roles like peer, orderer have significance in the fabric MSP

aambati (Tue, 23 Jan 2018 16:03:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KRLr5piCxYcBtwor3) @Brucepark you can define any values you like but note that roles like peer, orderer have significance in the fabric MSP

aambati (Tue, 23 Jan 2018 16:03:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KRLr5piCxYcBtwor3) @Brucepark you can define any values you like but note that roles like peer, orderer have significance in the fabric MSP

aambati (Tue, 23 Jan 2018 16:08:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CuKaPMHM7ut56M6Ks) @zhaochy @skarim is going to work on it

aambati (Tue, 23 Jan 2018 16:08:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CuKaPMHM7ut56M6Ks) @zhaochy @skarim is going to look on it

aambati (Tue, 23 Jan 2018 16:08:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CuKaPMHM7ut56M6Ks) @zhaochy @skarim is going to look into it

aambati (Tue, 23 Jan 2018 16:08:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CuKaPMHM7ut56M6Ks) @zhaochy @skarim is going to look into it

vieiramanoel (Tue, 23 Jan 2018 18:23:50 GMT):
hey guys, I'm here with the SAME problem as yesterday. When you start e2e from the byfn example, the ca-cert for the root, when decoded, is:
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b5:4c:ba:72:c9:46:4e:a5:d1:6d:97:1e:32:6b:64:da
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = California, L = San Francisco, O = org1.example.com, CN = ca.org1.example.com
        Validity
            Not Before: Jan 23 16:59:35 2018 GMT
            Not After : Jan 21 16:59:35 2028 GMT
        Subject: C = US, ST = California, L = San Francisco, O = org1.example.com, CN = ca.org1.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:06:55:f5:92:72:3d:3d:fd:50:4d:6d:41:19:61:
                    ff:51:0e:41:95:9d:7b:75:75:38:c8:60:84:72:51:
                    25:22:bc:0a:15:59:31:6c:04:f6:8b:13:2c:c8:9a:
                    27:cf:5b:7b:18:d7:e3:c9:18:e7:c0:65:14:64:ac:
                    68:d3:fe:16:aa
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                Any Extended Key Usage
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                A3:BB:9F:58:BC:59:96:4F:7D:DC:8C:A6:8B:CA:85:FD:5D:34:DB:BD:BA:F3:03:B4:60:86:33:F9:82:C9:E3:C4
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:49:23:83:77:8c:1f:41:26:77:4a:ed:5c:3b:e0:
         b9:36:4e:5f:ea:64:15:b9:b6:fa:11:0f:0b:31:70:84:d0:1a:
         02:20:19:7d:c3:24:87:bc:e8:9a:0d:ef:0c:00:10:4d:d1:55:
         42:bc:b7:82:37:91:94:49:2b:c7:8a:22:90:9e:e7:68
```

vieiramanoel (Tue, 23 Jan 2018 18:24:19 GMT):
but if you start fabric-ca-server (even with tls enabled)

vieiramanoel (Tue, 23 Jan 2018 18:24:49 GMT):
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            21:26:25:7c:34:1a:33:4b:bd:7e:37:aa:68:9c:af:21:b3:21:e8:bf
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = BR, ST = Distrito Federal, L = Brasilia, O = GoLedger, CN = ca.goledger.com
        Validity
            Not Before: Jan 23 17:58:00 2018 GMT
            Not After : Jan 19 17:58:00 2033 GMT
        Subject: C = BR, ST = Distrito Federal, L = Brasilia, O = GoLedger, CN = ca.goledger.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:37:8d:7f:06:24:af:aa:e6:e1:9e:6f:d2:a8:65:
                    fb:d2:48:5c:70:01:70:4a:dd:a4:21:bc:f5:9b:f3:
                    34:06:81:1c:21:c6:4a:3d:a3:16:a7:ab:06:05:66:
                    6c:07:66:ac:55:22:a5:8a:8b:5c:6b:11:20:19:69:
                    27:02:94:f8:55
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier:
                08:CA:55:A2:64:D0:66:95:C0:54:81:49:D7:E4:37:C3:22:60:7B:8F
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:06:bf:46:ad:da:e0:88:24:9f:94:59:4a:e5:1c:
         6d:89:37:a7:f8:b3:a1:74:7a:27:60:4d:7f:94:5b:cb:35:92:
         02:20:36:42:a3:d4:cc:dd:79:65:93:04:29:ff:db:b6:28:24:
         39:47:e6:b2:45:71:51:b8:12:fe:dc:ac:ba:7e:88:a4
```

vieiramanoel (Tue, 23 Jan 2018 18:25:06 GMT):
missing:
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
    X509v3 Extended Key Usage:
        Any Extended Key Usage
```

vieiramanoel (Tue, 23 Jan 2018 18:25:35 GMT):
we're getting a lot of problems with composer and this difference is why

vieiramanoel (Tue, 23 Jan 2018 18:26:05 GMT):
Did someone run into a similar problem and could help me?

aambati (Tue, 23 Jan 2018 18:33:56 GMT):
@vieiramanoel are you saying that the fabric-ca server generated CA cert does not have "Digital Signature and Key Encipherment" in the key usage and it is causing problems in the composer?

vieiramanoel (Tue, 23 Jan 2018 18:34:03 GMT):
yes

vieiramanoel (Tue, 23 Jan 2018 18:34:27 GMT):
another thing that is strange in our env:

vieiramanoel (Tue, 23 Jan 2018 18:34:48 GMT):
```
vieira@vieira-notebook ~/ca-example/server $ fabric-ca-server init -b admin:adminpw --tls.enabled -d
2018/01/23 16:33:15 [INFO] Configuration file location: /home/vieira/ca-example/server/fabric-ca-server-config.yaml
2018/01/23 16:33:15 [DEBUG] CA Home Directory: /home/vieira/ca-example/server
2018/01/23 16:33:15 [DEBUG] Making server filenames absolute
2018/01/23 16:33:15 [DEBUG] Initializing default CA in directory /home/vieira/ca-example/server
2018/01/23 16:33:15 [DEBUG] Init CA with home /home/vieira/ca-example/server and config {CA:{Name: Keyfile:ca-key.pem Certfile:ca-cert.pem Chainfile:} Signing:0xc4202c6e20 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[vieira-notebook localhost] KeyRequest: CA:0xc42026bec0 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Registrar.DelegateRoles:peer,orderer,client,user hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.Registrar.Roles:peer,orderer,client,user] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc42026aaa0 Client: Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** Profile: Label: CSR: CAName: AttrReqs:[] }} CRL:{Expiry:24h0m0s}}
```

vieiramanoel (Tue, 23 Jan 2018 18:35:23 GMT):
even when `--tls.enabled` at init

vieiramanoel (Tue, 23 Jan 2018 18:35:36 GMT):
you can see in the debug output that tls is set to false

vieiramanoel (Tue, 23 Jan 2018 18:35:51 GMT):
@skarim finally I found where the debug message was

vieiramanoel (Tue, 23 Jan 2018 18:36:45 GMT):
when it was supposed to create tls certs if --tls.enabled was set, as skarim had suggested

vieiramanoel (Tue, 23 Jan 2018 18:38:26 GMT):
@smithbk any clue about it?

aambati (Tue, 23 Jan 2018 18:57:02 GMT):
@vieiramanoel the tls certs are created when the server starts...command line arguments are respected for that instance of the command but are not updated in the configuration file. Since the init command does not create TLS certs, specifying --tls.enabled is a kind of no-op...So, you can edit the server configuration file to enable TLS before starting the server.

aambati (Tue, 23 Jan 2018 18:57:32 GMT):
@vieiramanoel can you pls elaborate on what kind of problems you are seeing?

vieiramanoel (Tue, 23 Jan 2018 18:58:47 GMT):
the error Composer reports when it tries to ping the business network using the root CA cert:
```
Error: Error trying login and get user Context. Error: Error trying to enroll user or load channel configuration. Error: Calling enrollment endpoint failed with error [Error: write EPROTO 139626353597256:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:../deps/openssl/openssl/ssl/ssl_lib.c:2520:
139626353597256:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:../deps/openssl/openssl/ssl/s3_clnt.c:3550:
```

vieiramanoel (Tue, 23 Jan 2018 18:59:18 GMT):
@aambati this is my config file

vieiramanoel (Tue, 23 Jan 2018 18:59:31 GMT):
it exists in the folder before init or start

aambati (Tue, 23 Jan 2018 19:13:47 GMT):
@vieiramanoel to make the fabric-ca server use your config you can use the `-H` option or `-c`

aambati (Tue, 23 Jan 2018 19:18:21 GMT):
@vieiramanoel
```
Digital Signature -- Use when the public key is used with a digital signature mechanism to support security services other than non-repudiation, certificate signing, or CRL signing. A digital signature is often used for entity authentication and data origin authentication with integrity.
Key encipherment --- Use when a certificate will be used with a protocol that encrypts keys. An example is S/MIME enveloping, where a fast (symmetric) key is encrypted with the public key from the certificate. SSL protocol also performs key encipherment.
```
I would think CA certs don't need these key usages, as they are used to issue other certificates...

vieiramanoel (Tue, 23 Jan 2018 19:19:08 GMT):
it is already being consumed @aambati

aambati (Tue, 23 Jan 2018 19:24:28 GMT):
@vieiramanoel so if you have enabled tls in the config file and the server is consuming it, then the server must be running with TLS enabled...you should see tls-cert.pem in the server home directory

vieiramanoel (Tue, 23 Jan 2018 19:24:57 GMT):
the trouble is that there isn't such a file in home :(

aambati (Tue, 23 Jan 2018 19:25:53 GMT):
can you pls tell me how you are starting the server (the command you use to start it)

vieiramanoel (Tue, 23 Jan 2018 19:30:26 GMT):
```
fabric-ca-server init -b "admin:adminpw" --tls.enabled
fabric-ca-server start -b "admin:adminpw" --tls.enabled -d
```

vieiramanoel (Tue, 23 Jan 2018 19:36:16 GMT):
@aambati unfortunately creating a new profile with these usages and enrolling a new user with this profile didn't work

aambati (Tue, 23 Jan 2018 19:38:53 GMT):
@vieiramanoel can you try `fabric-ca-server start -b admin:adminpw -d -H `

vieiramanoel (Tue, 23 Jan 2018 20:09:15 GMT):
yes, give me a minute

vieiramanoel (Tue, 23 Jan 2018 20:12:08 GMT):
@aambati with
```yaml
tls:
  enabled: true
  certfile: ca-cert.pem
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:
```
or
```yaml
tls:
  enabled: true
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:
```

aambati (Tue, 23 Jan 2018 20:13:20 GMT):
second set of options

vieiramanoel (Tue, 23 Jan 2018 20:14:06 GMT):
ok

vieiramanoel (Tue, 23 Jan 2018 20:19:52 GMT):
@aambati on my PC I can use the -H flag, on the remote server I can't. I'm using the latest version of the docker image on the remote server; which one should I use?

vieiramanoel (Tue, 23 Jan 2018 20:39:03 GMT):
I changed to 1.1.0-preview; now I can use the -H flag and tls is now generated

vieiramanoel (Tue, 23 Jan 2018 20:40:00 GMT):
I'll try to use it on composer, thanks!!

vieiramanoel (Tue, 23 Jan 2018 20:40:21 GMT):
if any trouble still comes up, I'll come back here

aambati (Tue, 23 Jan 2018 20:47:07 GMT):
@vieiramanoel :thumbsup:

vieiramanoel (Tue, 23 Jan 2018 21:09:23 GMT):
@aambati hosts is set to ca.goledger.com but it says `certificate is valid for e9fc1a74de20, not ca.goledger.com`, which is the container name

vieiramanoel (Tue, 23 Jan 2018 21:09:43 GMT):
what flag must I set at start to change the host for that tls cert?

vieiramanoel (Tue, 23 Jan 2018 21:11:41 GMT):
it's csr.cn

vieiramanoel (Tue, 23 Jan 2018 21:11:45 GMT):
sorry for the bother

aambati (Tue, 23 Jan 2018 21:11:49 GMT):
you do have ca.goledger.com in csr.hosts...is this the enrollment cert?

vieiramanoel (Tue, 23 Jan 2018 21:12:04 GMT):
yes

vieiramanoel (Tue, 23 Jan 2018 21:12:11 GMT):
my csr

vieiramanoel (Tue, 23 Jan 2018 21:12:18 GMT):
```yaml
csr:
  cn: ca.goledger.com
  names:
    - C: BR
      ST: "Distrito Federal"
      L: "Brasilia"
      O: GoLedger
  hosts:
    - ca.goledger.com
  ca:
    expiry: 131400h
    pathlength: 1
```

vieiramanoel (Tue, 23 Jan 2018 21:12:33 GMT):
what is weird is that I've set -H to consume this file

vieiramanoel (Tue, 23 Jan 2018 21:12:51 GMT):
yet it is using the docker container id as cn

vieiramanoel (Tue, 23 Jan 2018 21:13:03 GMT):
even though cn is set in the file

vieiramanoel (Tue, 23 Jan 2018 21:13:10 GMT):
:confused:

aambati (Tue, 23 Jan 2018 21:13:33 GMT):
that is from your server configuration, right?

vieiramanoel (Tue, 23 Jan 2018 21:13:37 GMT):
yes

aambati (Tue, 23 Jan 2018 21:13:47 GMT):
which is used for generating the CA cert

vieiramanoel (Tue, 23 Jan 2018 21:13:56 GMT):
yes

aambati (Tue, 23 Jan 2018 21:14:14 GMT):
you are having an issue with the enrollment cert, I thought

aambati (Tue, 23 Jan 2018 21:14:48 GMT):
then make sure you set the hosts in the enrollment request

vieiramanoel (Tue, 23 Jan 2018 21:14:57 GMT):
ca-cert.pem has cn=ca.goledger.com

vieiramanoel (Tue, 23 Jan 2018 21:15:10 GMT):
but tls-cert.pem has cn=${docker id}

vieiramanoel (Tue, 23 Jan 2018 21:17:21 GMT):
if I change the enrollment command from `fabric-ca-client enroll -u https://admin:adminpw@ca.goledger.com:7054` to `fabric-ca-client enroll -u https://admin:adminpw@e9fc1a74de20:7054` it works, but I need this TLS cert to be valid for 'ca.goledger.com'

aambati (Tue, 23 Jan 2018 21:21:49 GMT):
so, it must be the tls cert...can you paste the result of `openssl x509 -in tls-cert.pem -text`

vieiramanoel (Tue, 23 Jan 2018 21:23:02 GMT):
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            05:21:39:dc:95:39:76:a5:47:17:b7:8c:ca:c9:ab:fd:19:f5:3f:bb
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=BR, ST=Distrito Federal, L=Brasilia, O=GoLedger, CN=ca.goledger.com
        Validity
            Not Before: Jan 23 21:02:00 2018 GMT
            Not After : Jan 23 21:02:00 2019 GMT
        Subject: C=BR, ST=Distrito Federal, L=Brasilia, O=GoLedger, CN=e9fc1a74de20
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:cb:54:f9:9a:78:14:12:6f:56:0c:c1:98:48:b9:
                    64:f6:9d:82:1a:1e:aa:82:cb:8f:58:e1:50:5b:f6:
                    e8:9a:da:09:f7:c4:33:08:bf:b4:12:4f:18:c2:da:
                    56:b6:33:e7:96:7c:0a:79:66:5c:4d:29:10:2c:1c:
                    d8:ca:71:b8:52
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE
```

vieiramanoel (Tue, 23 Jan 2018 21:23:04 GMT):
oops

aambati (Tue, 23 Jan 2018 21:24:12 GMT):
`Subject: C=BR, ST=Distrito Federal, L=Brasilia, O=GoLedger, CN=e9fc1a74de20`

vieiramanoel (Tue, 23 Jan 2018 21:24:22 GMT):
yes

vieiramanoel (Tue, 23 Jan 2018 21:24:26 GMT):
this is the problem

vieiramanoel (Tue, 23 Jan 2018 21:24:42 GMT):
tls-cert.pem is generated at server start

vieiramanoel (Tue, 23 Jan 2018 21:24:51 GMT):
how can I change its cn?

aambati (Tue, 23 Jan 2018 21:30:10 GMT):
I don't know if it is configurable, let me get back to you

vieiramanoel (Tue, 23 Jan 2018 21:32:35 GMT):
ok

aambati (Tue, 23 Jan 2018 23:14:03 GMT):
@vieiramanoel So, there is no way to change the CN for the server's default tls certificate...what you can do is this:
1. start the server with tls disabled
2. use the fabric-ca-client enroll command to generate a TLS certificate with the right hostname in the csr.hosts section: `fabric-ca-client enroll --enrollment.profile tls --csr.hosts -M /tmp/msp`
3. Move the generated cert and key (from /tls/msp) to the server's home directory and /msp/keystore directory, respectively
4. Stop the server
5. Change tls.enabled to true in the server config
6. Restart the server

Brucepark (Wed, 24 Jan 2018 01:09:56 GMT):
@aambati :thumbsup: thank you. I'm checking out the sample project

StevenXu (Wed, 24 Jan 2018 01:20:13 GMT):
Has joined the channel.

jack (Wed, 24 Jan 2018 01:27:41 GMT):
Has joined the channel.

vieiramanoel (Wed, 24 Jan 2018 03:02:42 GMT):
@aambati ok, I'll do that. Is there any way to put this in the next releases?

aambati (Wed, 24 Jan 2018 03:04:44 GMT):
@vieiramanoel pls open a JIRA ticket

vieiramanoel (Wed, 24 Jan 2018 03:05:04 GMT):
Ok!

aambati (Wed, 24 Jan 2018 03:05:42 GMT):
https://jira.hyperledger.org/projects/FAB/summary

vieiramanoel (Wed, 24 Jan 2018 03:31:39 GMT):
https://jira.hyperledger.org/browse/FAB-7875

vieiramanoel (Wed, 24 Jan 2018 03:31:48 GMT):
:)

naveen_saravanan (Wed, 24 Jan 2018 07:35:37 GMT):
Hi, I revoked peer3 using the 'revoke' command, as the logs below show:
```
root@hibiz-Aspire-E5-575:/etc/hyperledger/fabric-ca-client/admin# fabric-ca-client revoke -e peer3 --tls.certfiles ca.a.example.com-cert.pem -u https://ca.a.example.com:7054
2018/01/24 11:19:20 [INFO] User provided config file: /etc/hyperledger/fabric-ca-client/admin/fabric-ca-client-config.yaml
2018/01/24 11:19:20 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-client/admin/fabric-ca-client-config.yaml
2018/01/24 11:19:20 [INFO] TLS Enabled
2018/01/24 11:19:21 [INFO] Revocation was successful
root@hibiz-Aspire-E5-575:/etc/hyperledger/fabric-ca-client/admin#
```
And I tried to reenroll it using the 'reenroll' command as given in the log below, but was faced with the '' error:
```
root@hibiz-Aspire-E5-575:/etc/hyperledger/fabric-ca-client/admin# fabric-ca-client reenroll -u "https://peer3:peer3pwd@ca.a.example.com:7054" --tls.certfiles ca.a.example.com-cert.pem
2018/01/24 12:59:43 [INFO] User provided config file: /etc/hyperledger/fabric-ca-client/peer3/fabric-ca-client-config.yaml
2018/01/24 12:59:43 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-client/peer3/fabric-ca-client-config.yaml
2018/01/24 12:59:43 [INFO] generating key: &{A:ecdsa S:256}
2018/01/24 12:59:43 [INFO] encoded CSR
2018/01/24 12:59:43 [INFO] TLS Enabled
Error: Failed to store enrollment information: Error response from server was: Authorization failure
root@hibiz-Aspire-E5-575:/etc/hyperledger/fabric-ca-client/admin#
```
What is the problem here?

bami0988 (Wed, 24 Jan 2018 07:46:30 GMT):
Has joined the channel.

smithbk (Wed, 24 Jan 2018 13:02:10 GMT):
@naveen_saravanan Using `-e` on the revoke command disables the identity altogether, which is why the reenroll fails. You want to instead:
1) make a note of the current AKI and serial number of the enrollment certificate in the msp/signcerts folder. Use `openssl x509 -in -noout -text` to print it.
2) reenroll to get the new enrollment certificate, which will overwrite the previous one
3) revoke the old certificate using `-a -s ` instead of `-e ` to revoke the old enrollment certificate

SimonOberzan (Wed, 24 Jan 2018 13:08:26 GMT):
Hi. I'm trying to enroll an admin on a CA that has tls enabled. But when I run the following command: `fabric-ca-client enroll -u https://admin:adminpw@ca1.org2:7054 --tls.client.certfile /etc/hyperledger/fabric-ca-server-config/tlsca/tlsca1.org2-cert.pem --tls.client.keyfile /etc/hyperledger/fabric-ca-server-config/tlsca/8fc3c038a51359fedb0f780bdcc1afbab5a356b25dae28a152e9e3b4ab18b343_sk -d` I get the following error: http://prntscr.com/i4wsy4 . Where did I go wrong?

smithbk (Wed, 24 Jan 2018 13:18:08 GMT):
@SimonOberzan You can delete the tls.client.certfile and tls.client.keyfile options and use instead the tls.certfiles option. This is the cert that the client trusts which is returned by the server. You can look at how the fabric-ca sample does it.

ahmedsajid (Wed, 24 Jan 2018 14:16:17 GMT):
Has joined the channel.

SimonOberzan (Wed, 24 Jan 2018 14:51:15 GMT):
@smithbk Thanks. I did what you have suggested, but now when I try to enroll using `fabric-ca-client enroll -u https://admin:adminpw@ca1.org2:7054` (TLS_CERTFILES as env variable), I get a response: `Post https://ca1.org2:7054/enroll: x509: certificate is valid for tlsca1.org2, not ca1.org2`. I believe this is because the certificate of SERVER_TLS_CERTFILE contains the tlsca1.org2 as CN of the Issuer. I have generated those certificates using cryptogen, and now I'm wondering what is the best way to proceed here.

SimonOberzan (Wed, 24 Jan 2018 14:58:40 GMT):
One of the options is setting the CLIENT_TLS_CERTIFICATES to the tls cert, adding tlsca1.org2 to /etc/hosts and calling `fabric-ca-client enroll -u https://admin:adminpw@tlsca1.org2:7054`. But I have a feeling there must be a better solution

aambati (Wed, 24 Jan 2018 15:14:57 GMT):
@SimonOberzan You can generate TLS certs using fabric-ca as well...use the `--enrollment.profile tls` option

SimonOberzan (Wed, 24 Jan 2018 15:20:09 GMT):
@aambati What I am really trying to do is call the enrollment with `fabric-ca-client enroll -u https://admin:adminpw@ca1.org2:7054`, but I don't know how to do that, as only calls with the url `https://admin:adminpw@tlsca1.org2:7054` are considered valid. Would your suggestion help me somehow? Sorry if I misunderstood you

aambati (Wed, 24 Jan 2018 15:46:15 GMT):
So, @vieiramanoel had a similar issue...I suggested this solution to him: https://chat.hyperledger.org/channel/fabric-ca?msg=Dsa8avXuPJpCuMDbh

aambati (Wed, 24 Jan 2018 15:48:32 GMT):
in his case, he was starting the server with `--tls.enabled` and letting the server generate the default tls cert and key...the problem he had was that the default tls cert's CN was set to the docker container ID instead of the host name he was using in the enroll command. He got the same error as you

indirajith (Wed, 24 Jan 2018 16:39:03 GMT):
I am facing a problem while just following the fabric-samples -> fabric CA.

indirajith (Wed, 24 Jan 2018 16:39:51 GMT):
after building the images, while I run the start.sh script, I get the error `statusCode=401 (401 Unauthorized) Error: Response from server: Error Code: 20 - Authorization failure`. Any light on where I should look?

indirajith (Wed, 24 Jan 2018 16:40:05 GMT):
Thanks in advance!

aambati (Wed, 24 Jan 2018 16:49:59 GMT):
@indirajith start with data/logs/run.log

indirajith (Wed, 24 Jan 2018 16:53:55 GMT):
@aambati Thank you, but it does not have much info. From setup.log I got the above error code info.

aambati (Wed, 24 Jan 2018 17:06:15 GMT):
@indirajith Make sure the containers are built using 1.1 fabric and fabric-ca code..pls send me the run.log...

indirajith (Wed, 24 Jan 2018 17:13:43 GMT):
@aambati Yes, the images are 1.1 version.

aambati (Wed, 24 Jan 2018 17:16:17 GMT):
@indirajith If you built with the latest and greatest 1.1 code, then I have been told that there is a problem...I am looking into it

vieiramanoel (Wed, 24 Jan 2018 18:35:12 GMT):
@aambati I'm implementing what you said to do

vieiramanoel (Wed, 24 Jan 2018 18:35:38 GMT):
enrolled ca.goledger.com user using tls profile

vieiramanoel (Wed, 24 Jan 2018 18:36:29 GMT):
```
mv tls/signcert/cert.pem tls-cert.pem
mv tls/keystore/* tls.key
```

vieiramanoel (Wed, 24 Jan 2018 18:37:00 GMT):
```
TLS_CERTFILE=publiccert/tls-cert.pem
TLS_KEYFILE=publiccert/tls.key
fabric-ca-server start -b "admin:admin" -d --tls.enabled --tls.certfile $TLS_CERTFILE --tls.keyfile=$TLS_KEYFILE
```

vieiramanoel (Wed, 24 Jan 2018 18:37:51 GMT):
Then:

vieiramanoel (Wed, 24 Jan 2018 18:37:57 GMT):
```
DEBUG] TLS Certificate: /etc/hyperledger/fabric-ca-server/publiccert/tls-cert.pem, TLS Key: /etc/hyperledger/fabric-ca-server/publiccert/tls.key
2018/01/24 18:33:09 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: CSP:500 - Failed getting key for SKI [[23 49 146 72 253 87 86 121 85 186 23 147 96 66 66 104 217 41 6 130 128 2 91 86 183 233 79 138 50 92 97 240]]
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw/impl.go:257 github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw.(*impl).GetKey
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:219 github.com/hyperledger/fabric-ca/util.GetSignerFromCert
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:341 github.com/hyperledger/fabric-ca/util.LoadX509KeyPair
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:530 github.com/hyperledger/fabric-ca/lib.(*Server).listenAndServe
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:146 github.com/hyperledger/fabric-ca/lib.(*Server).Start
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/servercmd.go:121 main.(*ServerCmd).init.func3
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/servercmd.go:69 main.(*ServerCmd).Execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:45 main.RunMain
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:27 main.main
/opt/go/src/runtime/proc.go:194 runtime.main
/opt/go/src/runtime/asm_amd64.s:2338 runtime.goexit
Caused by: Key type not recognized
2018/01/24 18:33:09 [DEBUG] Attempting fallback with certfile /etc/hyperledger/fabric-ca-server/publiccert/tls-cert.pem and keyfile /etc/hyperledger/fabric-ca-server/publiccert/tls.key
```

vieiramanoel (Wed, 24 Jan 2018 18:47:29 GMT):
although it seems there's no trouble using tls-cert.pem to do operations with fabric-ca-client (not tested on composer yet)

aambati (Wed, 24 Jan 2018 19:41:22 GMT):
@vieiramanoel :thumbsup: That debug message is expected

vieiramanoel (Wed, 24 Jan 2018 19:44:13 GMT):
really? haha

vieiramanoel (Wed, 24 Jan 2018 19:44:15 GMT):
Ok

naveen_saravanan (Wed, 24 Jan 2018 23:51:20 GMT):
@smithbk ok.

naveen_saravanan (Wed, 24 Jan 2018 23:51:31 GMT):
I will try it.

blockhash (Thu, 25 Jan 2018 05:22:30 GMT):
Has joined the channel.

Brucepark (Thu, 25 Jan 2018 06:40:48 GMT):
Hi, can I get a pair of sample fabric-ca-server-config.yaml files for a root ca server and an intermediate ca server?

naveen_saravanan (Thu, 25 Jan 2018 08:15:14 GMT):
Hi, I am trying to enroll admin for fabric-starter (which has multiple orgs with separate docker containers for each org, like ca.org1.example.com instead of ca.example.com) using the enrollAdmin.js file from Fabcar through the Node.js application (by calling 'node enroll admin'). Could anyone explain the elements used for fabric-ca-client given below?
```javascript
fabric_ca_client = new Fabric_CA_Client('http://localhost:7054', tlsOptions, 'ca.example.com', crypto_suite);
```
And also what this function and the arguments 'http://localhost:7054', tlsOptions, 'ca.example.com' and crypto_suite represent.

SimonOberzan (Thu, 25 Jan 2018 08:26:44 GMT):
@aambati Oh thanks, I missed that. So if I understand correctly, the CA's tls certs' CommonNames should be the same as the CommonNames of the CA certs, right? Because I currently generate my certificates using cryptogen, and what I get for CAs is one self-signed certificate with CN ca1.org2, and a self-signed tls certificate with CN tlsca1.org2. That doesn't seem right. What I would like would be to have a self-signed certificate named ca1.org2, and a tls certificate with name ca1.org2 signed by ca1.org2, right?

mastersingh24 (Thu, 25 Jan 2018 09:49:21 GMT):
@SimonOberzan - cryptogen generates 2 different root CA certificates for each organization:
- a CA for issuing enrollment certificates
- a CA for issuing TLS certificates
It also generates TLS certificates for each peer, orderer and user (signed by the tlsca for each organization). cryptogen DOES NOT generate TLS certificates for the fabric-ca though

SimonOberzan (Thu, 25 Jan 2018 09:51:06 GMT):
@mastersingh24 Oh, so I have to generate it manually and then set my FABRIC_CA_SERVER_TLS_CERTFILE variable to that TLS cert?

mastersingh24 (Thu, 25 Jan 2018 09:51:42 GMT):
Correct. You can use the root CA pair in the tlsca folder to sign the TLS certificates if you want

SimonOberzan (Thu, 25 Jan 2018 09:53:03 GMT):
Ok, great. Thank you

Brucepark (Thu, 25 Jan 2018 10:37:13 GMT):
*I have a problem using a TLS connection between root-ca and intermediate-ca.*
*root-ca configuration*
` - FABRIC_CA_SERVER_TLS_CLIENTAUTH_TYPE=noclientcert`
*intermediate-ca configuration*
```
intermediate:
  parentserver:
    url: https://msp1tlsca:msp1tlscapw@localhost:7054
    caname:
  enrollment:
    hosts:
    profile:
    label:
  tls:
    certfiles:
    client:
      certfile:
      keyfile:
```
*Can anybody tell me what the problem is?*
The error message is
```
2018/01/25 19:20:14 [INFO] TLS Enabled
2018/01/25 19:20:14 [DEBUG] CA Files: []
2018/01/25 19:20:14 [DEBUG] Client Cert File:
2018/01/25 19:20:14 [DEBUG] Client Key File:
2018/01/25 19:20:14 [DEBUG] Client TLS certificate and/or key file not provided
Error: Failed to get client TLS config: No TLS certificate files were provided
```

Brucepark (Thu, 25 Jan 2018 10:38:46 GMT):
I executed root ca on docker and intermediate ca on host

C0rnelius (Thu, 25 Jan 2018 11:58:39 GMT):
I pulled https://github.com/hyperledger/fabric/tree/master/core/chaincode/lib/cid but I end up with `../../github.com/hyperledger/fabric/bccsp/factory/pluginfactory.go:12:2: cannot find package "plugin"`. Shouldn't this "plugin" package also be in fabric v1.1.0-preview?

mastersingh24 (Thu, 25 Jan 2018 12:22:17 GMT):
@C0rnelius - which version of Go are you using?

mastersingh24 (Thu, 25 Jan 2018 12:22:28 GMT):
You need Go 1.9 or higher

C0rnelius (Thu, 25 Jan 2018 14:08:53 GMT):
@mastersingh24 I do use go 1.9

SimonOberzan (Thu, 25 Jan 2018 14:30:41 GMT):
@aambati When I run step 2, I get an msp that looks like this:
- cacerts (empty)
- keystore (sk of root CA cert)
- signcerts (admin cert signed by CA root certificate)
- tlscacerts (CA root certificate)
- tlstlscacerts (CA root certificate)

aambati (Thu, 25 Jan 2018 14:32:37 GMT):
@SimonOberzan ok...you are using 1.1, right...just want to make sure

SimonOberzan (Thu, 25 Jan 2018 14:32:46 GMT):
@aambati Yes. Do you know, what is causing this?

aambati (Thu, 25 Jan 2018 14:59:32 GMT):
@SimonOberzan so the tls cert will be in /tmp/msp/signcerts and the corresponding key will be in /tmp/msp/keystore ...

SimonOberzan (Thu, 25 Jan 2018 15:03:02 GMT):
@aambati I know, I got an admin cert in signcerts. What I need is to get a TLS cert which will accept calls to my CA by the url ca1.org1... And also a folder with name tlstlscacerts and an empty cacerts folder? This seems super weird to me, is it really supposed to be like that?

SimonOberzan (Thu, 25 Jan 2018 15:05:43 GMT):
None of the certs that were created are signed by TLS root cert

aambati (Thu, 25 Jan 2018 15:17:14 GMT):
same root cert is used to issue tls and enrollment certs

SimonOberzan (Thu, 25 Jan 2018 15:18:05 GMT):
But my CA enrollment cert and TLS cert are self-signed? That seems to be in line with what mastersingh has written above.

SimonOberzan (Thu, 25 Jan 2018 15:18:41 GMT):
And all the certificates that are returned to me are the admin cert and 2 CA root enrollment certificates (1 in tlscacerts and 1 in tlstlscacerts)

aambati (Thu, 25 Jan 2018 16:08:22 GMT):
@SimonOberzan the cert in tlscacerts and tlstlscacerts (the name is mangled, it needs to be tlstlscacerts, I will open a bug) are the same; as I said earlier, both tls and enrollment certs issued by fabric-ca server are signed by the same root certificate. Also, what do you mean by "And all the certificates that are returned to me are admin cert"?

ahmedsajid (Thu, 25 Jan 2018 16:31:52 GMT):
@Kristof_Sajdak were you able to resolve the issue using PKCS11 with CloudHSM?

vieiramanoel (Thu, 25 Jan 2018 16:47:02 GMT):
@SimonOberzan first register a user named ca1.org1....

vieiramanoel (Thu, 25 Jan 2018 16:47:08 GMT):
then enroll it as tls

vieiramanoel (Thu, 25 Jan 2018 16:47:16 GMT):
it was what i made

smithbk (Thu, 25 Jan 2018 16:53:27 GMT):
You can use the following option on the enroll request to cause the issued certificate to have whatever SAN (Subject Alternative Names) you want in the cert.
```
--csr.hosts stringSlice   A list of space-separated host names in a certificate signing request
```
The TLS client will accept host names as SAN entries in the certificate and they don't have to match the CN

javrevasandeep (Thu, 25 Jan 2018 17:10:01 GMT):
Hi Guys. I am using fabric-samples/fabric-ca example and as stated there I pulled latest fabric-ca images and started ./start.sh script. But I am getting the below error

javrevasandeep (Thu, 25 Jan 2018 17:10:01 GMT):
##### 2018-01-25 16:46:51 FATAL: Failed waiting for the 'setup' container to finish registering identities, creating the genesis block and other artifacts (./data/logs/setup.successful not found); see ./data/logs/setup.log

javrevasandeep (Thu, 25 Jan 2018 17:10:55 GMT):
When checked in setup logs I can see below error message

javrevasandeep (Thu, 25 Jan 2018 17:10:56 GMT):
```
Password: orderer1-org0pw
##### 2018-01-25 16:39:05 Registering admin identity with ica-org0
2018/01/25 16:39:05 [DEBUG] Home directory: /root/cas/ica-org0
2018/01/25 16:39:05 [INFO] Configuration file location: /root/cas/ica-org0/fabric-ca-client-config.yaml
2018/01/25 16:39:05 [DEBUG] Checking for enrollment
2018/01/25 16:39:05 [DEBUG] Initializing client with config: &{Debug:true URL:https://ica-org0:7054 MSPDir:msp TLS:{Enabled:true CertFiles:[/data/org0-ca-chain.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** Profile: Label: CSR: CAName: AttrReqs:[] } CSR:{CN:ica-org0-admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[a314c4c8469e] KeyRequest: CA: SerialNumber:} ID:{Name:admin-org0 Type:client Secret:admin-org0pw MaxEnrollments:-1 Affiliation:org1 Attributes:[{Name:hf.admin Value:true ECert:true}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc42018ebe0}
2018/01/25 16:39:05 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc42019eb10 Pkcs11Opts:}
2018/01/25 16:39:05 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc4201abaf0 DummyKeystore:}
2018/01/25 16:39:05 [INFO] TLS Enabled
2018/01/25 16:39:05 [DEBUG] CA Files: [/data/org0-ca-chain.pem]
2018/01/25 16:39:05 [DEBUG] Client Cert File:
2018/01/25 16:39:05 [DEBUG] Client Key File:
2018/01/25 16:39:05 [DEBUG] Client TLS certificate and/or key file not provided
2018/01/25 16:39:05 [DEBUG] Client configuration settings: &{Debug:true URL:https://ica-org0:7054 MSPDir:/root/cas/ica-org0/msp TLS:{Enabled:true CertFiles:[/data/org0-ca-chain.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** Profile: Label: CSR: CAName: AttrReqs:[] } CSR:{CN:ica-org0-admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[a314c4c8469e] KeyRequest: CA: SerialNumber:} ID:{Name:admin-org0 Type:client Secret:admin-org0pw MaxEnrollments:-1 Affiliation:org1 Attributes:[{Name:hf.admin Value:true ECert:true}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc42018ebe0}
2018/01/25 16:39:05 [DEBUG] Entered runRegister
2018/01/25 16:39:05 [DEBUG] Initializing client with config: &{Debug:true URL:https://ica-org0:7054 MSPDir:/root/cas/ica-org0/msp TLS:{Enabled:true CertFiles:[/data/org0-ca-chain.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** Profile: Label: CSR: CAName: AttrReqs:[] } CSR:{CN:ica-org0-admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[a314c4c8469e] KeyRequest: CA: SerialNumber:} ID:{Name:admin-org0 Type:client Secret:admin-org0pw MaxEnrollments:-1 Affiliation:org1 Attributes:[{Name:hf.admin Value:true ECert:true}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc42018ebe0}
2018/01/25 16:39:05 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc42019eb10 Pkcs11Opts:}
2018/01/25 16:39:05 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc4201abaf0 DummyKeystore:}
2018/01/25 16:39:05 [INFO] TLS Enabled
2018/01/25 16:39:05 [DEBUG] CA Files: [/data/org0-ca-chain.pem]
2018/01/25 16:39:05 [DEBUG] Client Cert File:
2018/01/25 16:39:05 [DEBUG] Client Key File:
2018/01/25 16:39:05 [DEBUG] Client TLS certificate and/or key file not provided
2018/01/25 16:39:05 [DEBUG] Loading identity: keyFile=/root/cas/ica-org0/msp/keystore/key.pem, certFile=/root/cas/ica-org0/msp/signcerts/cert.pem
2018/01/25 16:39:05 [DEBUG] Register { Name:admin-org0 Type:client Secret:**** MaxEnrollments:-1 Affiliation:org1 Attributes:[{hf.admin true true}] CAName: }
2018/01/25 16:39:05 [DEBUG] Adding token-based authorization header
2018/01/25 16:39:05 [DEBUG] Sending request POST https://ica-org0:7054/register
{"id":"admin-org0","type":"client","secret":"admin-org0pw","max_enrollments":-1,"affiliation":"org1","attrs":[{"name":"hf.admin","value":"true","ecert":true}]}
2018/01/25 16:39:05 [DEBUG] Received response statusCode=401 (401 Unauthorized)
Error: Response from server: Error Code: 20 - Authorization failure
```

aambati (Thu, 25 Jan 2018 17:30:21 GMT):
@javrevasandeep if you have the latest (7da97f416aa2d9fed41f34bf2e422b36786050a8 for fabric and 0eb83eb1677f9b950a9af3874f15e35090bc92aa for fabric-ca), then I suggest you do this:
1. Run `./stop.sh` in the hyperledger/fabric-samples/fabric-ca folder
2. Run `make docker-clean` in the hyperledger/fabric-ca folder
3. Run `make docker-clean docker` in the hyperledger/fabric folder
4. Run export FABRIC_TAG= image
5. Run `make docker` in the hyperledger/fabric-ca folder
6. Replace "hf.admin" with "admin" in the hyperledger/fabric-samples/fabric-ca/scripts/setup-fabric.sh
7. Run start.sh in the hyperledger/fabric-samples/fabric-ca folder
There is a change set (https://gerrit.hyperledger.org/r/c/17179/) to fix step 6

javrevasandeep (Thu, 25 Jan 2018 17:32:06 GMT):
Hmm, I even checked the logs for ica-org0. It is throwing the error "hf is reserved keyword"

javrevasandeep (Thu, 25 Jan 2018 17:38:18 GMT):
@aambati I am new to fabric. could you please tell me which CA technology is used by hyperledger fabric 1.1. Just wanted to check with my organization whether they have some other way to do it and that it could be configured with our existing projects

javrevasandeep (Thu, 25 Jan 2018 17:44:15 GMT):
@aambati Also do you have any configuration to run this fabric-samples/fabric-ca with kafka based ordering service? Or can the existing fabric-samples/fabric-ca scripts be configured to include the multiple orderers based on kafka ordering services

aambati (Thu, 25 Jan 2018 18:13:46 GMT):
@javrevasandeep currently, fabric-ca sample is not built to work with a kafka based orderer

aambati (Thu, 25 Jan 2018 18:17:23 GMT):
@javrevasandeep Not sure what you mean by "CA technology"? You can use fabric CA or another CA to generate x509 certificates and use them to set up MSPs...Fabric is CA agnostic.

george.skrbic (Thu, 25 Jan 2018 20:55:24 GMT):
Has joined the channel.

toffee.beanns (Fri, 26 Jan 2018 04:44:34 GMT):
Has joined the channel.

Brucepark (Fri, 26 Jan 2018 05:53:54 GMT):
Although my fabric-ca-server is set as *noclientcert*, enroll fails like this
```
$fabric-ca-client enroll -d --enrollment.profile tls -u https://msp1tlsca:msp1tlscapw@localhost:7054
...
2018/01/26 14:43:59 [INFO] TLS Enabled
2018/01/26 14:43:59 [DEBUG] CA Files: []
2018/01/26 14:43:59 [DEBUG] Client Cert File:
2018/01/26 14:43:59 [DEBUG] Client Key File:
2018/01/26 14:43:59 [DEBUG] Client TLS certificate and/or key file not provided
```
I think *noclientcert* should not require any certificate for tls, so why does enroll fail like that?

niyuelin (Fri, 26 Jan 2018 08:48:52 GMT):
Has joined the channel.

SimonOberzan (Fri, 26 Jan 2018 08:50:35 GMT):
@vieiramanoel @aambati @smithbk Thank you for your help. I have now registered ca1.org1 first, but when I enroll the registered ca1.org1 with the `--enrollment.profile tls` flag, the cert that I receive is not signed by the TLS root cert, but instead with the enrollment root cert: http://prntscr.com/i5sqd6 . Did I miss any important steps here? My steps were as follows:
- run ca1.org1 with TLS disabled (my fabric-ca-server-config.yaml: https://pastebin.com/4pg1j0fP and env variables: http://prntscr.com/i5t5lv )
- `fabric-ca-client enroll -u http://admin:adminpww@localhost:7054`
- `fabric-ca-client register --caname ca1.org1 --csr.cn ca1.org1 --csr.hosts ca1.org1 --enrollment.profile tls --id.name ca1.org1 --id.secret pw`
- `fabric-ca-client enroll -u http://ca1.org1:pw@localhost:7054 --enrollment.profile tls`

Brucepark (Fri, 26 Jan 2018 09:53:36 GMT):
I think I should set the *intermediate.tls.certfiles* section to communicate with https://rootcaserver, but I don't know what certfile it requires. Can somebody tell me how to make that certfile?

Brucepark (Fri, 26 Jan 2018 12:28:17 GMT):
I solved the problem. I set the root certificate in intermediate.tls.certfiles and I ran both servers on docker.

aambati (Fri, 26 Jan 2018 13:56:45 GMT):
@Brucepark I am assuming that you set noclientcert in the tls section of the server config?

aambati (Fri, 26 Jan 2018 14:01:45 GMT):
@SimonOberzan You need to specify --csr.cn, --csr.hosts, and --caname on the enroll command...csr params are not needed on the register command...btw, as I mentioned before, tls certs (when --enrollment.profile tls is used) and enrollment certs are signed by the same CA root cert...unless you are running two different CAs in the same server...it is not clear from your message. What is this address: https://pastebin.com/4pg1j0fP?

SimonOberzan (Fri, 26 Jan 2018 14:13:17 GMT):
@aambati I ran the commands that you have described and this is the signcert I got in response: http://prntscr.com/i5x6g5 . So that is OK, it doesn't have to be signed by the tlsca cert? So now I simply restart my CA with TLS enabled and FABRIC_CA_SERVER_TLS_CERTFILE pointing to it? Than what is the root TLSCA cert's task at all? Sorry that I don't get it, but I would like to understand the process here. Also the link that you have asked about is showing the content of my server-configs with which I start the fabric-ca-server.

SimonOberzan (Fri, 26 Jan 2018 14:13:17 GMT):
@aambati I ran the commands that you have described and this is the signcert I got in response: http://prntscr.com/i5x6g5 . So that is OK, it doesn't have to be signed by the tlsca cert? So now I simply restart my CA with TLS enabled and `FABRIC_CA_SERVER_TLS_CERTFILE` pointing to it? Then what is the root TLSCA cert's task at all? Sorry that I don't get it, but I would like to understand the process here. Also the link that you have asked about is showing the content of my server configs with which I start the fabric-ca-server.

bfuentes@fr.ibm.com (Fri, 26 Jan 2018 15:30:21 GMT):
@here is it possible to have multiple instances of a CA ? I mean if I need to have a worldwide application, I would like to have multiple replicated CA on different location

toddinpal (Fri, 26 Jan 2018 15:32:10 GMT):
@bfuentes@fr.ibm.com If your CA supports it, or are you asking about Fabric-CA itself?

bfuentes@fr.ibm.com (Fri, 26 Jan 2018 15:32:26 GMT):
@toddinpal Fabric-CA

aambati (Fri, 26 Jan 2018 15:33:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kt4nAxG4dToreNL2M) @bfuentes@fr.ibm.com fabric ca server can be run in a cluster fronted with a proxy ...cluster members are geographically separated then latency issues should be taken into consideration...

aambati (Fri, 26 Jan 2018 15:33:55 GMT):
@bfuentes@fr.ibm.com fabric ca server can be run in a cluster fronted with a proxy ...if cluster members are geographically separated then latency issues should be taken into consideration...

bfuentes@fr.ibm.com (Fri, 26 Jan 2018 15:35:13 GMT):
@aambati yes it is for latency purposes .... so answer is NO , right ?

bfuentes@fr.ibm.com (Fri, 26 Jan 2018 15:37:23 GMT):
I have seen that there is something like an embeede sqlite3 DB on the container, so i suppose by default it is standalone :/

bfuentes@fr.ibm.com (Fri, 26 Jan 2018 15:37:23 GMT):
I have seen that there is something like an embedded sqlite3 DB on the container, so i suppose by default it is standalone :/

aambati (Fri, 26 Jan 2018 15:37:35 GMT):
i think the key is database replication

aambati (Fri, 26 Jan 2018 15:37:54 GMT):
fabric ca supports postgres and mysql

aambati (Fri, 26 Jan 2018 15:38:13 GMT):
sqlite is meant for testing purposes

bfuentes@fr.ibm.com (Fri, 26 Jan 2018 15:38:21 GMT):
@aambati yep it seems we think the same

bfuentes@fr.ibm.com (Fri, 26 Jan 2018 15:38:38 GMT):
thanks @aambati

rake66 (Fri, 26 Jan 2018 16:21:50 GMT):
Has joined the channel.

smithbk (Fri, 26 Jan 2018 16:36:15 GMT):
@bfuentes@fr.ibm.com It depends what your functional requirements are. For example, you could have a single global root fabric CA and per-geo intermediate CAs. The intermediate CAs would not share the same DB across geos. This means that each user would be tied to a specific region when talking to its intermediate CA, but the MSP in fabric could contain the cert associated with all intermediate CAs, thus allowing users from any geo to transact.

vieiramanoel (Fri, 26 Jan 2018 18:11:08 GMT):
@SimonOberzan how are you doing there?

vieiramanoel (Fri, 26 Jan 2018 18:11:16 GMT):
after I generate certs

vieiramanoel (Fri, 26 Jan 2018 18:11:27 GMT):
when I join a peer to a channel

vieiramanoel (Fri, 26 Jan 2018 18:11:28 GMT):
I get

vieiramanoel (Fri, 26 Jan 2018 18:11:37 GMT):
```orderer.goledger.com | 2018-01-26 18:07:20.958 UTC [grpc] Printf -> DEBU 31b grpc: Server.Serve failed to complete security handshake from "172.29.0.1:53058": remote error: tls: bad certificate ```

vieiramanoel (Fri, 26 Jan 2018 18:11:43 GMT):
and

vieiramanoel (Fri, 26 Jan 2018 18:11:49 GMT):
```
peer0.ministerio.org | 2018-01-26 18:07:20.958 UTC [deliveryClient] connect -> ERRO 3ad Failed obtaining connection: Could not connect to any of the endpoints: [orderer.goledger.com:7050]
peer0.ministerio.org | 2018-01-26 18:07:20.959 UTC [deliveryClient] try -> WARN 3ae Got error: Could not connect to any of the endpoints: [orderer.goledger.com:7050] ,at 9 attempt. Retrying in 4m16s
peer0.ministerio.org | 2018-01-26 18:11:36.963 UTC [ConnProducer] NewConnection -> ERRO 3af Failed connecting to orderer.goledger.com:7050 , error: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.goledger.com")
```

vieiramanoel (Fri, 26 Jan 2018 18:12:00 GMT):
@aambati @smithbk any idea?

aambati (Fri, 26 Jan 2018 18:44:03 GMT):
@vieiramanoel how are you running `peer channel join` command

aambati (Fri, 26 Jan 2018 18:44:03 GMT):
@vieiramanoel how are you running `peer channel join` command...what options are you running with

vieiramanoel (Fri, 26 Jan 2018 18:44:21 GMT):
peer channel join -b mychannel.block

vieiramanoel (Fri, 26 Jan 2018 18:44:23 GMT):
but wait

vieiramanoel (Fri, 26 Jan 2018 18:44:33 GMT):
maybe i found out the problem

ahmedsajid (Fri, 26 Jan 2018 18:52:00 GMT):
@here Hi, does anyone know how to change the key algorithm and size used for enrollment in fabric-ca-client? Does it go under the csr section?
```
csr:
  cn: user1
  serialnumber:
  names:
    - C: US
      ST: North Carolina
      L:
      O: Hyperledger
      OU: Fabric
  hosts:
    - peer1.example.com
  ca:
    pathlen:
    pathlenzero:
    expiry:
  key:
    algo: ecdsa
    size: 384
```
Setting the above in /root/.fabric-ca-client/fabric-ca-client-config.yaml doesn't change anything.
```
2018/01/26 15:00:48 [INFO] User provided config file: /root/.fabric-ca-client/fabric-ca-client-config.yaml
2018/01/26 15:00:48 [INFO] generating key: &{A:ecdsa S:256}
2018/01/26 15:00:48 [INFO] encoded CSR
2018/01/26 15:00:48 [INFO] TLS Enabled
```

aambati (Fri, 26 Jan 2018 18:57:35 GMT):
@ahmedsajid which version? This problem was fixed in 1.1

ahmedsajid (Fri, 26 Jan 2018 18:59:32 GMT):
@aambati i'm using 1.0.2. I'll try 1.1.0. Thanks!

vieiramanoel (Fri, 26 Jan 2018 19:01:34 GMT):
@aambati ok, things got worse

vieiramanoel (Fri, 26 Jan 2018 19:01:57 GMT):
when `peer channel join -b mychannel.block` ```Error: Error getting endorser client channel: error trying to connect to local peer: x509: certificate signed by unknown authority```

vieiramanoel (Fri, 26 Jan 2018 19:02:27 GMT):
no logs on orderer or peer0

ahmedsajid (Fri, 26 Jan 2018 19:13:56 GMT):
@aambati using the hyperledger/fabric-ca-tools:x86_64-1.1.0-preview docker image, still no luck
```
# fabric-ca-client version
fabric-ca-client:
 Version: 1.1.0-preview
 Go version: go1.9
 OS/Arch: linux/amd64
```

aambati (Fri, 26 Jan 2018 19:16:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vGNLFgQbhSCkFSayg) @vieiramanoel can you tell me what environment variables you have set... I am assuming you have set:
```
CORE_PEER_TLS_ENABLED
CORE_PEER_TLS_ROOTCERT_FILE
```
?

vieiramanoel (Fri, 26 Jan 2018 19:16:59 GMT):
for peer:

vieiramanoel (Fri, 26 Jan 2018 19:17:02 GMT):
```
- CORE_PEER_ID=peer0.ministerio.org
- CORE_PEER_ADDRESS=peer0.ministerio.org:7051
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.ministerio.org:7051
- CORE_PEER_LOCALMSPID=MinisterioMSP
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=ministerio_ministerio
- CORE_LOGGING_LEVEL=DEBUG
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_GOSSIP_USELEADERELECTION=false
- CORE_PEER_GOSSIP_ORGLEADER=true
- CORE_PEER_PROFILE_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
- CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/msp
```

vieiramanoel (Fri, 26 Jan 2018 19:17:19 GMT):
for cli

vieiramanoel (Fri, 26 Jan 2018 19:17:23 GMT):
```
- GOPATH=/opt/gopath
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- CORE_LOGGING_LEVEL=DEBUG
- CORE_PEER_ID=peer0.ministerio.org
- CORE_PEER_ADDRESS=peer0.ministerio.org:7051
- CORE_PEER_LOCALMSPID=MinisterioMSP
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/crypto/ministerio/ministerio/peer0/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/crypto/crypto/ministerio/ministerio/peer0/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/crypto/ministerio/ministerio/peer0/tls/ca.crt
- CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/crypto/ministerio/ministerio/users/admin.ministerio.org/msp
```

aambati (Fri, 26 Jan 2018 19:18:55 GMT):
so, are /etc/hyperledger/fabric/tls/ca.crt and /etc/hyperledger/fabric/crypto/ministerio/ministerio/peer0/tls/ca.crt the same? also, you don't need CORE_PEER_TLS_CERT_FILE and CORE_PEER_TLS_KEY_FILE on the cli

vieiramanoel (Fri, 26 Jan 2018 19:19:30 GMT):
let me check that

aambati (Fri, 26 Jan 2018 19:20:55 GMT):
the issuer of /etc/hyperledger/fabric/tls/server.crt must be /etc/hyperledger/fabric/crypto/ministerio/ministerio/peer0/tls/ca.crt?

vieiramanoel (Fri, 26 Jan 2018 19:21:17 GMT):
same

vieiramanoel (Fri, 26 Jan 2018 19:21:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ixQEXWDrMZKaucwyP) @aambati same

vieiramanoel (Fri, 26 Jan 2018 19:22:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WxCDEGEvreQhruzhE) @aambati yes it is

aambati (Fri, 26 Jan 2018 19:25:45 GMT):
could you set CORE_LOGGING_GRPC=DEBUG on the peer node and the cli, and see if you get additional detail?

vieiramanoel (Fri, 26 Jan 2018 19:33:45 GMT):
omg

vieiramanoel (Fri, 26 Jan 2018 19:33:51 GMT):
this is driving me crazy

vieiramanoel (Fri, 26 Jan 2018 19:34:01 GMT):
now I can't create a channel again

vieiramanoel (Fri, 26 Jan 2018 19:34:08 GMT):
```Error: got unexpected status: BAD_REQUEST -- error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining ```

vieiramanoel (Fri, 26 Jan 2018 19:34:27 GMT):
```orderer.goledger.com | 2018-01-26 19:33:27.509 UTC [cauthdsl] deduplicate -> ERRO 119 Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.ministerio.org")) ```

vieiramanoel (Fri, 26 Jan 2018 19:34:51 GMT):
last time I'd solved this by adding the CAs to the docker hosts

vieiramanoel (Fri, 26 Jan 2018 19:38:03 GMT):
ok, now I can't create channel again

vieiramanoel (Fri, 26 Jan 2018 19:38:11 GMT):
orderer logs point that:

vieiramanoel (Fri, 26 Jan 2018 19:38:12 GMT):
```2018-01-26 19:37:10.836 UTC [cauthdsl] deduplicate -> ERRO 1a1 Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.ministerio.org")) ```

vieiramanoel (Fri, 26 Jan 2018 19:41:18 GMT):
I regenerated certs and channel artifacts

vieiramanoel (Fri, 26 Jan 2018 19:41:22 GMT):
it worked

vieiramanoel (Fri, 26 Jan 2018 19:41:28 GMT):
but still cant join channel

vieiramanoel (Fri, 26 Jan 2018 19:41:37 GMT):
no debug message from grpc

aambati (Fri, 26 Jan 2018 19:42:14 GMT):
on both the cli or peer node?

vieiramanoel (Fri, 26 Jan 2018 19:42:39 GMT):
wait, I forgot to debug on peer

vieiramanoel (Fri, 26 Jan 2018 19:42:57 GMT):
sorry, I'm so stressed about it

vieiramanoel (Fri, 26 Jan 2018 19:43:11 GMT):
that I'm doing a lot of dumb things in the process

vieiramanoel (Fri, 26 Jan 2018 19:43:50 GMT):
grpc debug on peer:

vieiramanoel (Fri, 26 Jan 2018 19:43:56 GMT):
```peer0.ministerio.org | 2018-01-26 19:43:35.497 UTC [grpc] Printf -> DEBU 1d9 grpc: Server.Serve failed to complete security handshake from "172.30.0.1:44512": remote error: tls: bad certificate```

scarolan-dev (Fri, 26 Jan 2018 19:46:53 GMT):
Has joined the channel.

aambati (Fri, 26 Jan 2018 19:49:49 GMT):
is this 172.30.0.1 the orderer?

vieiramanoel (Fri, 26 Jan 2018 19:52:18 GMT):
this is the gateway for network that handles cli, peer0 and couchdb0

vieiramanoel (Fri, 26 Jan 2018 19:57:00 GMT):
I don't think it is the orderer, since it doesn't log anything

vieiramanoel (Fri, 26 Jan 2018 19:57:05 GMT):
grpc log is enabled at the orderer too

aambati (Fri, 26 Jan 2018 20:01:19 GMT):
so, no grpc error on the cli?

vieiramanoel (Fri, 26 Jan 2018 20:01:28 GMT):
no

aambati (Fri, 26 Jan 2018 20:01:41 GMT):
this error happens when peer channel join is called?

vieiramanoel (Fri, 26 Jan 2018 20:01:46 GMT):
just ```Error: Error getting endorser client channel: error trying to connect to local peer: x509: certificate signed by unknown authority```

vieiramanoel (Fri, 26 Jan 2018 20:01:56 GMT):
after `peer channel join -b mychannel.block`

aambati (Fri, 26 Jan 2018 20:02:34 GMT):
i mean the error you see on the peer `Server.Serve failed to complete security handshake from "172.30.0.1:44512": remote error: tls: bad certificate` happens when you issue peer channel join command..just making sure

vieiramanoel (Fri, 26 Jan 2018 20:03:34 GMT):
yes

aambati (Fri, 26 Jan 2018 20:04:33 GMT):
since `bad certificate` is a remote error, I am trying to figure out who that remote end is... it must be 172.30.0.1, but you are saying that is some proxy in between

aambati (Fri, 26 Jan 2018 20:06:30 GMT):
ok, so the question is, why does the cli not trust the peer node's tls certificate even though you have set CORE_PEER_TLS_ROOTCERT_FILE to the file that contains the CA cert that signed the peer node's tls cert

vieiramanoel (Fri, 26 Jan 2018 20:07:02 GMT):
I think if I try to join from inside peer

vieiramanoel (Fri, 26 Jan 2018 20:07:07 GMT):
I get same error

vieiramanoel (Fri, 26 Jan 2018 20:09:53 GMT):
```
docker exec -it peer0.ministerio.org bash
peer channel fetch config -o orderer.goledger.com:7050 -c mychannel --tls --cafile ca-goledger-com-7054-ca-goledger-com.pem
peer channel join -b mychannel_config.block
```

vieiramanoel (Fri, 26 Jan 2018 20:10:12 GMT):
```
peer0.ministerio.org | 2018-01-26 20:09:32.257 UTC [grpc] Printf -> DEBU 1dc grpc: Server.Serve failed to complete security handshake from "172.30.0.4:33304": remote error: tls: bad certificate
```
now there's an error from another remote

vieiramanoel (Fri, 26 Jan 2018 20:10:39 GMT):
I'll try to find who is this remote

vieiramanoel (Fri, 26 Jan 2018 20:11:25 GMT):
it's the peer itself

vieiramanoel (Fri, 26 Jan 2018 20:11:30 GMT):
D:

aambati (Fri, 26 Jan 2018 20:24:04 GMT):
how can that be

vieiramanoel (Fri, 26 Jan 2018 20:24:40 GMT):
I don't know

vieiramanoel (Fri, 26 Jan 2018 20:24:45 GMT):
this is driving me crazy

vieiramanoel (Fri, 26 Jan 2018 20:25:05 GMT):
I'm trying another thing on CA

vieiramanoel (Fri, 26 Jan 2018 20:30:00 GMT):
same thing

vieiramanoel (Fri, 26 Jan 2018 20:30:12 GMT):
It's official: I'm lost

vieiramanoel (Fri, 26 Jan 2018 20:30:21 GMT):
hahahaha

kiranthakkar (Fri, 26 Jan 2018 20:34:32 GMT):
Has joined the channel.

vieiramanoel (Fri, 26 Jan 2018 20:36:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3HMkrr5NdAJeqDRDJ) @aambati CORE_PEER_TLS_ROOTCERT_FILE must be same tls that we enrolled on step 2, right?

aambati (Fri, 26 Jan 2018 20:38:01 GMT):
no, it is the cert of the CA that issued the cert in step 2...so it would be the ca cert of the fabric ca server to which fabric-ca-client command connected in step 2

vieiramanoel (Fri, 26 Jan 2018 20:39:39 GMT):
ok, so I must review what i've done in these steps with you

vieiramanoel (Fri, 26 Jan 2018 20:40:00 GMT):
because now I know I didn't get it, haha

vieiramanoel (Fri, 26 Jan 2018 20:40:57 GMT):
```
fabric-ca-client enroll -u "http://admin:adminpw@ca.ministerio.org:8054"
fabric-ca-client register -d --id.name ca.ministerio.org --id.secret ministeriopwd
fabric-ca-client enroll -d --enrollment.profile tls -u "http://ca.ministerio.org:ministeriopwd@ca.ministerio.org:8054" -M client/tls --csr.hosts "ca.ministerio.org"
mv client/tls/signcerts/cert.pem ../cacert/tls-cert.pem
mv client/tls/keystore/* ../cacert/tls.key
```

vieiramanoel (Fri, 26 Jan 2018 20:41:22 GMT):
the `cacert` folder is mapped into the ca-server docker

vieiramanoel (Fri, 26 Jan 2018 20:41:34 GMT):
to a folder named publiccert

vieiramanoel (Fri, 26 Jan 2018 20:41:46 GMT):
then when I restart the docker

vieiramanoel (Fri, 26 Jan 2018 20:42:00 GMT):
```
TLS_CERTFILE=publiccert/tls-cert.pem
TLS_KEYFILE=publiccert/tls.key
```

vieiramanoel (Fri, 26 Jan 2018 20:42:15 GMT):
```fabric-ca-server start -b "admin:adminpw" -d --tls.enabled --tls.certfile $TLS_CERTFILE --tls.keyfile $TLS_KEYFILE```

vieiramanoel (Fri, 26 Jan 2018 20:42:35 GMT):
are these steps wrong?

aambati (Fri, 26 Jan 2018 20:47:31 GMT):
nothing wrong, in these steps you are generating a tls cert for a fabric ca server, nothing to do with the peer or orderer

vieiramanoel (Fri, 26 Jan 2018 20:47:56 GMT):
ok, but is the ca init with tls ok?

vieiramanoel (Fri, 26 Jan 2018 20:48:00 GMT):
ok

vieiramanoel (Fri, 26 Jan 2018 20:48:04 GMT):
cool

scarolan-dev (Fri, 26 Jan 2018 20:48:12 GMT):
hi all

vieiramanoel (Fri, 26 Jan 2018 20:48:19 GMT):
@scarolan-dev hello!

scarolan-dev (Fri, 26 Jan 2018 20:49:00 GMT):
I'm playing with this for the first time and having a few, probably simple to solve, issues

vieiramanoel (Fri, 26 Jan 2018 20:51:11 GMT):
tell us

scarolan-dev (Fri, 26 Jan 2018 20:51:39 GMT):
basically took the fabcar sample, made a few simple changes to the channel name, created a new chaincode, start the network, enrollAdmin, registerUser - all good at that point - and then run query.js and get:

vieiramanoel (Fri, 26 Jan 2018 20:51:43 GMT):
@aambati so the TLS_ROOT_CERTFILE is the ca-cert first generated by CA, right?

scarolan-dev (Fri, 26 Jan 2018 20:51:46 GMT):
dol

scarolan-dev (Fri, 26 Jan 2018 20:52:05 GMT):
sendPeersProposal - Promise is rejected: Error: 2 UNKNOWN: Failed to deserialize creator identity, err the supplied identity is not valid: x509: certificate signed by unknown

scarolan-dev (Fri, 26 Jan 2018 20:53:23 GMT):
anyone see this before and have any ideas on what i have missed?

scarolan-dev (Fri, 26 Jan 2018 20:53:58 GMT):
apologies if i'm interrupting (new to RocketChat too!)

vieiramanoel (Fri, 26 Jan 2018 20:55:03 GMT):
It's ok! Welcome!

scarolan-dev (Fri, 26 Jan 2018 20:55:13 GMT):
big thx

vieiramanoel (Fri, 26 Jan 2018 20:56:02 GMT):
I don't code in .js, nor have I run fabcar; my role in the company is just the network structure, but don't worry, someone will show up soon!

scarolan-dev (Fri, 26 Jan 2018 20:56:33 GMT):
appreciate it - thx

jrosmith (Fri, 26 Jan 2018 20:58:29 GMT):
@scarolan-dev could you copy the full log output into hastebin and paste a link?

jrosmith (Fri, 26 Jan 2018 20:58:55 GMT):
there's a mismatch of credentials happening somewhere

vieiramanoel (Fri, 26 Jan 2018 21:10:47 GMT):
@aambati ca.crt in peer tls is now the same ca-cert.pem inside ca-server

vieiramanoel (Fri, 26 Jan 2018 21:10:56 GMT):
I could enter channel

vieiramanoel (Fri, 26 Jan 2018 21:10:58 GMT):
but

vieiramanoel (Fri, 26 Jan 2018 21:11:16 GMT):
I'm back to the error which brought me here hahah

vieiramanoel (Fri, 26 Jan 2018 21:11:23 GMT):
```
peer0.ministerio.org | 2018-01-26 21:09:51.453 UTC [ConnProducer] NewConnection -> ERRO 3ad Failed connecting to orderer.goledger.com:7050 , error: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.goledger.com")
peer0.ministerio.org | 2018-01-26 21:09:51.453 UTC [deliveryClient] connect -> DEBU 3ae Connected to
peer0.ministerio.org | 2018-01-26 21:09:51.453 UTC [deliveryClient] connect -> ERRO 3af Failed obtaining connection: Could not connect to any of the endpoints: [orderer.goledger.com:7050]
peer0.ministerio.org | 2018-01-26 21:09:51.453 UTC [deliveryClient] try -> WARN 3b0 Got error: Could not connect to any of the endpoints: [orderer.goledger.com:7050] ,at 5 attempt. Retrying in 16
```

vieiramanoel (Fri, 26 Jan 2018 21:12:02 GMT):
at orderer

vieiramanoel (Fri, 26 Jan 2018 21:12:05 GMT):
```orderer.goledger.com | 2018-01-26 21:11:43.472 UTC [grpc] Printf -> DEBU 2fd grpc: Server.Serve failed to complete security handshake from "172.29.0.1:57478": remote error: tls: bad certificate ```

scarolan-dev (Fri, 26 Jan 2018 21:20:01 GMT):
what or where is a "hastebin"

vieiramanoel (Fri, 26 Jan 2018 21:24:18 GMT):
@scarolan-dev https://pastebin.com

scarolan-dev (Fri, 26 Jan 2018 21:24:28 GMT):
cool - https://hastebin.com/evulubayof.tex

scarolan-dev (Fri, 26 Jan 2018 21:24:34 GMT):
I think this is it

vieiramanoel (Fri, 26 Jan 2018 21:24:59 GMT):
whoa, this is beautiful

vieiramanoel (Fri, 26 Jan 2018 21:25:01 GMT):
haha

scarolan-dev (Fri, 26 Jan 2018 21:25:19 GMT):
lol

vieiramanoel (Fri, 26 Jan 2018 21:25:54 GMT):
more than pastebin surely

scarolan-dev (Fri, 26 Jan 2018 21:26:31 GMT):
I think it's related to this:
```
- FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c_sk
```

scarolan-dev (Fri, 26 Jan 2018 21:26:44 GMT):
in the docker-compose.yml

vieiramanoel (Fri, 26 Jan 2018 21:28:32 GMT):
paste the volumes section here

vieiramanoel (Fri, 26 Jan 2018 21:28:38 GMT):
in docker-compose.yml

scarolan-dev (Fri, 26 Jan 2018 21:29:14 GMT):
```
volumes:
  - ./config/:/etc/hyperledger/configtx
  - ./crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/:/etc/hyperledger/msp/orderer
  - ./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/:/etc/hyperledger/msp/peerOrg1
networks:
```

scarolan-dev (Fri, 26 Jan 2018 21:29:38 GMT):
should be the same as fabcar

vieiramanoel (Fri, 26 Jan 2018 21:32:36 GMT):
run `docker exec -it _docker name_ ls /etc/hyperledger/fabric-ca-server-config/`

vieiramanoel (Fri, 26 Jan 2018 21:32:50 GMT):
substitute `_docker name_ `

vieiramanoel (Fri, 26 Jan 2018 21:33:37 GMT):
and see if the _sk key name is the same as `4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c_sk`

scarolan-dev (Fri, 26 Jan 2018 21:37:06 GMT):
```
scarolan@ubuntu:~/hlf/RAL03/ndamgr/hfc-key-store$ docker exec -it ca.example.com ls /etc/hyperledger/fabric-ca-server-config/
connection error: desc = "transport: dial unix /var/run/docker/containerd/docker-containerd.sock: connect: connection refused": unknown
```

scarolan-dev (Fri, 26 Jan 2018 21:38:31 GMT):
I have to run and meet my wife. Thanks for your help - I'll try again later and check back in

scarolan-dev (Fri, 26 Jan 2018 21:38:34 GMT):
thanks

aambati (Fri, 26 Jan 2018 21:43:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tbFd4qDFjS688GDRz) @vieiramanoel yes

aambati (Fri, 26 Jan 2018 21:46:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tprKAJN3NyuRoFXhk) @vieiramanoel This indicates that peer is not able to connect to orderer...peer node is not able to verify orderer tls certificate

scarolan-dev (Sat, 27 Jan 2018 00:43:40 GMT):
hey all

scarolan-dev (Sat, 27 Jan 2018 00:43:57 GMT):
anyone still around?

Ammu (Sat, 27 Jan 2018 05:15:03 GMT):
I am done with marbles, the output is also perfect. Is it possible to link my front-end application with marbles?

asaningmaxchain123 (Sun, 28 Jan 2018 06:36:44 GMT):
Has joined the channel.

asaningmaxchain123 (Sun, 28 Jan 2018 06:38:22 GMT):
Hi everyone, I use MySQL as the datasource to start fabric-ca, but I get the following error

asaningmaxchain123 (Sun, 28 Jan 2018 06:38:36 GMT):
```Error occurred initializing database: Failed to create user registry for MySQL: Failed to create MySQL tables: Error creating certificates table: Error 1067: Invalid default value for 'expiry'```

asaningmaxchain123 (Sun, 28 Jan 2018 06:40:04 GMT):
I see, I must modify the config `expiry timestamp DEFAULT 0`

asaningmaxchain123 (Sun, 28 Jan 2018 07:23:08 GMT):
Please ignore the above message, I resolved it.

SjirNijssen (Sun, 28 Jan 2018 09:39:46 GMT):
Has joined the channel.

Brucepark (Mon, 29 Jan 2018 01:46:54 GMT):
@aambati :grinning: hi

Brucepark (Mon, 29 Jan 2018 01:46:55 GMT):
There were problems with the command below.
```
$ fabric-ca-client enroll -d --enrollment.profile tls -u https://msp1tlsca:msp1tlscapw@localhost:7054
```
1. *--tls.certfiles ca_cert.pem* is necessary. ca_cert.pem is the server's cert.
2. I changed the server address to *https://msp1tlsca:msp1tlscapw@ca.ledger.xxx.com:7054*
3. *--enrollment.profile tls* is not necessary
So I changed the command to the one below and it worked well.
```
fabric-ca-client enroll --tls.certfiles ca-cert.pem -u https://msp1tlsca:msp1tlscapw@ca.ledger.xxx.com:7054
```

Brucepark (Mon, 29 Jan 2018 01:53:03 GMT):
When I set the ca-server to *noclientcert*, it does not require the client's cert but it requires the ca-server's cert. So the client should have the CA's cert to communicate with the ca-server.

naveen_saravanan (Mon, 29 Jan 2018 04:18:59 GMT):
Can anyone explain the function of "reenroll" in the fabric-ca-client commands? And can the reenroll command be used to change the revoked status of the certificates of an identity (e.g. user1) that was revoked using the revoke command?

naveen_saravanan (Mon, 29 Jan 2018 05:57:23 GMT):
Is there any way to get the serial and AKI of the certificate of a registered user via fabric-ca-client commands?

MadhavaReddy (Mon, 29 Jan 2018 06:51:06 GMT):
Hi all, when I try to run balance transfer (v1.1.0-alpha), while enrolling a user I am getting the error below; can you please help fix the issue? "Registration of 'Jim' failed: No identity type provided. Please provide identity type"

Brucepark (Mon, 29 Jan 2018 07:23:44 GMT):
When I try to enroll, I get the error message below.
```
$ fabric-ca-client enroll -u https://admin:adminpw@msp1ca:9054
…
Error: Error response from server was: Attribute 'hf.IntermediateCA' is not set to true for identity 'admin'
```
The fabric-ca-server's registry is below
```
registry:
  maxenrollments: -1
  identities:
    - name: admin
      pass: adminpw
      type: client
      affiliation: "msp1.ca"
      attrs:
        hf.Registrar.Roles: "client,user,peer,validator,auditor"
        hf.Registrar.DelegateRoles: "client,user,peer,validator,auditor"
        hf.Revoker: true
        hf.IntermediateCA: false
        hf.GenCRL: true
        hf.Registrar.Attributes: "*"
        hf.AffiliationMgr: true
```
I just want to get the admin eCert, not an intermediate CA. What is the problem? Do I have to set *hf.IntermediateCA: true*?

hyper_learner_ak (Mon, 29 Jan 2018 07:24:23 GMT):
Has joined the channel.

saya22K (Mon, 29 Jan 2018 07:33:46 GMT):
Has joined the channel.

javrevasandeep (Mon, 29 Jan 2018 08:59:32 GMT):
I am new to fabric. Can anyone please let me know what protocols and PKI tech are used by fabric-ca and cryptogen for issuing certificates for members? Are there any other alternatives if one doesn't want to use fabric-ca? And what is the difference between fabric-ca and other similar technologies?

qb (Mon, 29 Jan 2018 09:01:55 GMT):
Has joined the channel.

gdinhof (Mon, 29 Jan 2018 09:56:11 GMT):
Has left the channel.

rake66 (Mon, 29 Jan 2018 10:58:58 GMT):
@Brucepark leave out @msp1ca:9054

rake66 (Mon, 29 Jan 2018 10:59:25 GMT):
and https://

smithbk (Mon, 29 Jan 2018 13:55:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WDdWCnZLhDnmrSEqe) @naveen_saravanan No, not currently. We plan to add a way to get certificate(s) by enrollment ID but not currently possible

smithbk (Mon, 29 Jan 2018 13:57:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CDPnWtzLsw75thQsW) @naveen_saravanan The purpose of reenroll is to renew a certificate. The only difference between enroll and reenroll is in how authentication is performed. Enroll uses basic authentication (user/pass) and reenroll uses token authentication based on the private key of the cert.

smithbk (Mon, 29 Jan 2018 13:59:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=e9tu8XKPjuSkgsiQt) @Brucepark The client has the CA's cert to verify that it is communicating with the correct server so there can be no man-in-the-middle attack

smithbk (Mon, 29 Jan 2018 14:06:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8t6q7uvjueDCELzin) @MadhavaReddy I believe balance-transfer uses the node SDK, which means the node SDK register call must specify a "type" on the registration call. It doesn't really matter which type you specify. I suggest just setting the type to "client". If you don't know where this is done via the node SDK, try asking on the fabric-sdk-node channel

smithbk (Mon, 29 Jan 2018 14:14:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=J9y3pjkwqdnFL9hc7) @Brucepark It should only require the hf.IntermediateCA attribute if the profile being requested has `isca: true` like the `ca` profile below.
```
signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 0
```
Or by adding to the csr section of your fabric-ca-client-config.yaml file. If you haven't made any changes to either, then I suggest opening a jira item with details on how to reproduce.

smithbk (Mon, 29 Jan 2018 14:18:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Tu6u5S4uJYYHgEP55) @javrevasandeep fabric can work with any x509 certificate. There is intentionally a loose-coupling between fabric and fabric CA to allow use of any CA certificates. You just have to configure an MSP in fabric to have the proper trust certificate, basically like configuring a TLS trust file, and it will accept certs issued by that CA.

MadhavaReddy (Mon, 29 Jan 2018 14:35:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3545LTTQu2g9MrdzR) @smithbk Thank you

aambati (Mon, 29 Jan 2018 14:51:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NdZMa2xf3T9K6h6Zg) @Ammu I am sure you can... although the fabric or general channels may be better places to ask questions

aambati (Mon, 29 Jan 2018 14:53:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=e9tu8XKPjuSkgsiQt) @Brucepark That is correct... by default, the server needs to authenticate to the client (the server cert is sent during the tls handshake) but if client auth is enabled, the client needs to authenticate to the server as well (by sending its cert to the server)... so server and client need to trust each other's certs

aambati (Mon, 29 Jan 2018 14:55:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CDPnWtzLsw75thQsW) @naveen_saravanan the reenroll command is used to get a new certificate, for example, when the current certificate expires... revoked users cannot reenroll... but if a user's cert is revoked, then the user can reenroll and get a new certificate

niteshsolanki (Mon, 29 Jan 2018 14:59:19 GMT):
@smithbk how does the CA server authenticate a user whose keys are compromised while trying to re-enroll?

aambati (Mon, 29 Jan 2018 15:01:52 GMT):
@niteshsolanki reenroll requires user's existing cert...if user's private key is compromised then let the admin revoke the user and ask the user to register with another id and enroll

niteshsolanki (Mon, 29 Jan 2018 15:04:53 GMT):
Ok. Thanks @aambati. How do I recover from a lost private key? Other than having a backup, is there any other way I can regenerate the key from a passphrase or something?

aambati (Mon, 29 Jan 2018 15:07:42 GMT):
@niteshsolanki I don't think there is another way to regenerate a lost key

niteshsolanki (Mon, 29 Jan 2018 15:08:54 GMT):
Okay! Thanks @aambati

javrevasandeep (Mon, 29 Jan 2018 16:31:09 GMT):
Can anyone please help me with the fabric-samples/fabric-ca example? I ran this example as stated by running the start.sh script. Now I want to run invoke and query using fabric-node-sdk for the same network. What changes do I need to make in the node-sdk network-config.yaml file?

sourishkrout (Mon, 29 Jan 2018 16:58:51 GMT):
Has joined the channel.

neharprodduturi (Mon, 29 Jan 2018 18:30:14 GMT):
Has joined the channel.

Brucepark (Tue, 30 Jan 2018 02:03:13 GMT):
@smithbk :thumbsup: Thank you for your help

Brucepark (Tue, 30 Jan 2018 02:03:29 GMT):
I set `hf.IntermediateCA: true`, but I got a new problem. Below is the intermediate server error log
```
2018/01/30 01:48:58 [DEBUG] DB: Getting identity admin
2018/01/30 01:48:58 [DEBUG] getUserAttrValue identity=admin, name=hf.IntermediateCA, value=1
2018/01/30 01:48:58 [ERROR] local signer policy disallows issuing CA certificate
2018/01/30 01:48:58 [ERROR] Enrollment failure: Failed signing: {"code":5300,"message":"Policy violation request"}
```
Below are parts of my configuration.
*root-ca-server configuration file*
```
csr:
  …
  ca:
    expiry: 131400h
    pathlength: 2
signing:
  …
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 1
```
*intermediate-ca-server configuration file*
```
csr:
  …
  ca:
    expiry: 131400h
    pathlength: 1
signing:
  …
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 0
registry:
  maxenrollments: -1
  identities:
    - name: admin
      pass: adminpw
      type: client
      affiliation: "msp1.ca"
      attrs:
        hf.Registrar.Roles: "client,user,peer,validator,auditor"
        hf.Registrar.DelegateRoles: "client,user,peer,validator,auditor"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.GenCRL: true
        hf.Registrar.Attributes: "*"
        hf.AffiliationMgr: true
```
*fabric-ca-client enroll command*
```
$ fabric-ca-client enroll -u https://admin:adminpw@xxx.com:9054
```
Do you know what the problem is?

naveen_saravanan (Tue, 30 Jan 2018 06:14:14 GMT):
naveen_saravanan (Tue, 30 Jan 2018 06:14:14 GMT):
@aambati [how do we revoke the user certs instead of the user itself?](https://chat.hyperledger.org/channel/fabric-ca?msg=ExcedfdzMPDAnQMkM)

naveen_saravanan (Tue, 30 Jan 2018 07:08:00 GMT):
Is there any way to decide the admin/user should be registered in a specific org (e.g. org1 or org2) by using the enrollAdmin.js or registerUser.js file from the fabcar of fabric-samples?

Brucepark (Tue, 30 Jan 2018 10:09:44 GMT):
After issuing the certificate, I find that there is only CN information in the certificate's Subject section. `Subject: CN=user1`
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0c:c4:8c:fa:df:ec:ad:06:2c:6e:91:49:49:a1:1b:95:41:76:ee:49
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=California, L=San Francisco, O=example.com, CN=ca.example.com
        Validity
            Not Before: Jan 30 07:11:00 2018 GMT
            Not After : Jan 30 07:11:00 2019 GMT
        Subject: CN=user1
        …
```
Is it OK? Can I issue other certificates (peer, tls, orderer etc.) that way?

rake66 (Tue, 30 Jan 2018 10:21:55 GMT):
hi guys, I just found the new fabric-ca sample but I can't get it to run. the ica doesn't want to register the org admin. has anyone else run into this problem? is it not in the release branch because it doesn't work yet?

OSubachev (Tue, 30 Jan 2018 13:20:18 GMT):
Has joined the channel.

OSubachev (Tue, 30 Jan 2018 13:24:24 GMT):
I've started fabric-ca-server as described in Fabric CA User’s Guide (https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html). It is now listening on port 7054. What can I do next ? How to interact with the CA server by means of Go SDK ? Where are examples ?

aambati (Tue, 30 Jan 2018 14:51:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4vo6G6zDP8TdCL2tE) @naveen_saravanan You need the aki and serial of the cert you are trying to revoke...You can use openssl to view the aki and serial of a certificate...we have a story to implement a certificate command in fabric-ca-client that will let you do that in the future...once you get the aki and serial, you can use the `fabric-ca-client revoke --revoke.aki` and `--revoke.serial` parameters to specify aki and serial.

aambati (Tue, 30 Jan 2018 14:57:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nExrPKQKTegjD8zsf) @Brucepark user with hf.IntermediateCA=true attribute must be registered on the root server, so the identities stanza that you have in the intermediate ca server config file, must be in the root server config file...not sure what you are doing with enroll command though

aambati (Tue, 30 Jan 2018 15:17:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QFhrfHxFy2SWNAYac) @javrevasandeep i am not familiar with network-config.yaml....i suggest checking examples in node-sdk project or checking marbles app (https://github.com/IBM-Blockchain/marbles) ....or may be better to ask this question in node-sdk

aambati (Tue, 30 Jan 2018 15:32:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XsjCG5qkX4mvAy29D) @Brucepark I think you can, but it is better to have other attributes as well to distinguish enrollment certs, not just on CN, which can be restrictive if two users have the same id but are in two different organizations...I am curious how you created the cert

aambati (Tue, 30 Jan 2018 15:36:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NSXrrqcrYPGLp3dDP) @rake66 fabric-ca sample is in master branch only...There were some posts on how to get fabric-sample running successfully recently..see https://chat.hyperledger.org/channel/fabric-ca?msg=WwaRBcczTN6N9bjF2

aambati (Tue, 30 Jan 2018 15:42:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dyk6N39uJHhLfCgLs) @OSubachev u can interact with it using fabric-ca-client or via REST...https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca demonstrates how to use fabric-ca-client to generate certs...also refer to https://github.com/hyperledger/fabric-sdk-go/blob/master/api/apifabca/fabricca.go

rake66 (Tue, 30 Jan 2018 16:15:26 GMT):
@aambati thanks a lot, I'll try it out now

asaningmaxchain123 (Tue, 30 Jan 2018 16:38:36 GMT):
@aambati how to build a cluster CA server? And how to do data persistence? And when I use MySQL to store it, I can use MySQL in master-slave mode; how does fabric-ca choose it? @smithbk

rake66 (Tue, 30 Jan 2018 17:38:18 GMT):
@aambati that worked pretty well up until the end. it seems to have another error when it tries to revoke a user. it doesn't seem to have proper authority. I looked through the file and I think it needs to have hf.Registrar.Roles set but I tried that and it still didn't work. I can't figure it out

rake66 (Tue, 30 Jan 2018 17:40:24 GMT):
btw when I say setting hf.Registrar.Roles and it didn't work I mean it stopped working at registering the identities again

rake66 (Tue, 30 Jan 2018 17:40:45 GMT):
it didn't get to the revoking stage yet

rake66 (Tue, 30 Jan 2018 17:40:54 GMT):
*again

skarim (Tue, 30 Jan 2018 18:27:21 GMT):
@asaningmaxchain123 I would suggest taking a look at the following documentation, it describes how you can set up a cluster using HAproxy. But basically, you have multiple CAs using the same cert/key and they connect to the same database behind some sort of load balancer. http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#setting-up-a-cluster

skarim (Tue, 30 Jan 2018 18:27:49 GMT):
@rake66 Do you have the error that you are getting when registering or revoking users?

aambati (Tue, 30 Jan 2018 19:19:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zb9neniamWGwrHXyf) @rake66 what level of fabric-ca sample code do you have? maybe just do a git pull to get the latest ...i fixed the hf.Registrar.Roles some time ago

Brucepark (Wed, 31 Jan 2018 01:51:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6SmZvQFAaR8MZmmPt) @aambati In the ca-server configuration I posted above, I just followed https://github.com/hyperledger/fabric-samples/tree/release/fabcar example. I first enroll admin (enrollAdmin.js). Using that I registered user1 identity and enrolled and received cert (registerUser.js). The result is a certificate that shows only cn.

Brucepark (Wed, 31 Jan 2018 02:27:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YAaMSew9i6CcXWpNi) @aambati I'm thinking of three MSPs for testing (Org1MSP, ordererMSP, Org2MSP) And I will run a CA and a TLS CA on each MSP. Totally its configuration will be six intermediate ca servers + one root-ca server. In each CA, it will issue their own certificates for admin, user, peer and orderer. In each TLS CA, it will issue their own tls certificates for client and peer and orderer. For distinguishing, each peer's identity will be registered and have different CN.

Brucepark (Wed, 31 Jan 2018 02:43:09 GMT):
Now I have a doubt whether a root-ca is necessary. What about making each of the 6 intermediate CA servers a root CA server?

asaningmaxchain123 (Wed, 31 Jan 2018 06:36:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DusfX9SJNjeu95s6i) @skarim thx, I have built the CA cluster; how to do data persistence?

rake66 (Wed, 31 Jan 2018 10:29:30 GMT):
@aambati that did it, thanks a lot. I thought I had pulled quite recently but I guess not

niteshsolanki (Wed, 31 Jan 2018 11:21:00 GMT):
Hi @aambati @smithbk . Is it possible to generate client private keys using some user specified seed and then regenerate it using same seed again in SDK ?

smithbk (Wed, 31 Jan 2018 11:23:54 GMT):
@niteshsolanki No, unfortunately doing so would prevent use of an HSM ... at least in the standard way where the seed and private key never leave the HSM, thus the APIs don't allow it

niteshsolanki (Wed, 31 Jan 2018 11:26:56 GMT):
ok. it's not possible directly through the standard APIs. but can it be built by using the functionality mentioned here: https://fabric-sdk-node.github.io/module-api.CryptoSuite.html ?

smithbk (Wed, 31 Jan 2018 12:17:56 GMT):
The node SDK uses https://kjur.github.io/jsrsasign/api/symbols/KEYUTIL.html#.generateKeypair to generate a key pair. There would have to be a way to pass in a seed and I don't see such an API

niteshsolanki (Wed, 31 Jan 2018 12:30:43 GMT):
oh ok..thanks @smithbk

OSubachev (Wed, 31 Jan 2018 13:33:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZuBscLfQWMpG3HyQ4) @aambati Yes, I've successfully interacted with fabric-ca-server using fabric-ca-client as described in http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#fabric-ca-client But how to perform the same actions using REST or Go SDK ? Where is the documentation ?

javrevasandeep (Wed, 31 Jan 2018 13:48:25 GMT):
can we generate certificates for peers orderers through fabric-sdk-node

javrevasandeep (Wed, 31 Jan 2018 13:48:43 GMT):
is there any sample doing the same

aambati (Wed, 31 Jan 2018 15:30:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MnsNWu9FdaKe2nRQj) @OSubachev You can start with the swagger doc https://github.com/hyperledger/fabric-ca/blob/release/swagger/swagger-fabric-ca.json and look at how fabric-ca-client forms the requests and sends them to the server: https://github.com/hyperledger/fabric-ca/blob/release/lib/client.go and https://github.com/hyperledger/fabric-ca/blob/release/lib/identity.go ... more importantly how request authentication header is set: https://github.com/hyperledger/fabric-ca/blob/cf29205e2ae76ad2178038cc0e28471eefae9271/lib/identity.go#L199

aambati (Wed, 31 Jan 2018 15:48:07 GMT):
Go SDK is doing the same...Unfortunately, none of the examples invoke the fabric CA api...But it seems to be straightforward, just call sdk.NewFabricCAClient, which returns a FabricCA object, which has Register, Enroll, and other fabric ca related functions. Looking at the code, they have not implemented the newer API that was added to the fabric ca in 1.1

aambati (Wed, 31 Jan 2018 15:59:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jwvfDmYiGep8h8vEZ) @javrevasandeep yes, you can use register and enroll functions (https://fabric-sdk-node.github.io/FabricCAServices.html#enroll) here is one example: https://github.com/hyperledger/fabric-samples/blob/release/fabcar/registerUser.js

MadhavaReddy (Wed, 31 Jan 2018 18:10:51 GMT):
Hi All, when I try to enroll a user I am getting the below error, can you please help me fix the issue
```
curl -s -X POST \
> http://localhost:4000/users \
> -H "content-type: application/x-www-form-urlencoded" \
> -d 'username=Jim&orgName=Org1'
{"success":false,"message":"failed Error: Calling enrollment endpoint failed with error [Error: write EPROTO 140262304130880:error:1411713E:SSL routines:ssl_check_srvr_ecc_cert_and_alg:ecc cert not for signing:../deps/openssl/openssl/ssl/ssl_lib.c:2520:\n140262304130880:error:14082130:SSL routines:ssl3_check_cert_and_algorithm:bad ecc cert:../deps/openssl/openssl/ssl/s3_clnt.c:3550:\n]"}
```

skarim (Wed, 31 Jan 2018 18:30:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LxfTyAJsGP9njdc6R) @asaningmaxchain123 If you are using MySQL or Postgres, all cluster members will connect to and share one database, and so all the cluster members will be reading/writing to the same database.

aambati (Wed, 31 Jan 2018 18:33:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8YfejPcQzPBNRXuFk) @MadhavaReddy There is no /users URL endpoint in fabric CA server...what server are you sending this curl request to ?

y.yone (Thu, 01 Feb 2018 02:59:48 GMT):
Has joined the channel.

naveen_saravanan (Thu, 01 Feb 2018 04:18:15 GMT):
@aambati Thanks for your reply and I will check it out. [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ymXD9Fo3eXXFJd8bD)

naveen_saravanan (Thu, 01 Feb 2018 04:23:26 GMT):
In fabcar (from fabric-samples-master) how do I specify which org's server enrollAdmin.js or registerUser.js runs against, if there are more orgs present?

MadhavaReddy (Thu, 01 Feb 2018 06:59:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kBionS2ajcKRgHp6v) @aambati , was trying to run the Balance transfer example, its using node SDK, through node api was trying to enroll the user

aambati (Thu, 01 Feb 2018 16:07:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SkFxhhQaW8CTKsB6b) @MadhavaReddy ok...looking at the balance-transfer code, the error happens when fabric CA server's enroll endpoint was called...can you check the fabric CA server log for any info that might help...the error itself seems to say that CA cert that is being used for signing the enrollment cert does not have "Certificate Sign" usage

MasthanbeeShaik (Thu, 01 Feb 2018 18:51:05 GMT):
Has joined the channel.

MasthanbeeShaik (Thu, 01 Feb 2018 18:53:44 GMT):
Hello Everyone, trying to create a hyperledger blockchain network. When running the command "npm run create-channel" to create a channel getting the following issue. Please help me out on this.

MasthanbeeShaik (Thu, 01 Feb 2018 18:55:54 GMT):
```
root@miracle:~/hyperledger-fabric-example# npm run create-channel

> hyperledger-fabric-example@0.1.0 create-channel /root/hyperledger-fabric-example
> ts-node src/create-channel.ts

Setting up the cryptoSuite ..
Setting up the keyvalue store ..
Creating the admin user context ..
Reading the envelope from manually created channel transaction ..
Extracting the channel configuration ..
Signing the extracted channel configuration ..
Sending the request to create the channel ..
error: [Orderer.js]: sendBroadcast - reject with BAD_REQUEST
(node:13366) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 2): Error: BAD_REQUEST
root@miracle:~/hyperledger-fabric-example#
```

skarim (Thu, 01 Feb 2018 18:59:55 GMT):
@MasthanbeeShaik Looks like you are using Node SDK, you might want to ask in #fabric-sdk-node channel

MasthanbeeShaik (Thu, 01 Feb 2018 19:01:07 GMT):
Ok @skarim .. Thank you.

SreekarSudireddy (Fri, 02 Feb 2018 06:58:20 GMT):
Has joined the channel.

Taffies (Fri, 02 Feb 2018 07:59:04 GMT):
hi! are the ca-certs inside the msp library supposed to be the same for both the client and server when you first bootstrap the admin?

RocMax (Fri, 02 Feb 2018 10:31:10 GMT):
Has joined the channel.

vieiramanoel (Fri, 02 Feb 2018 12:18:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fPhL6hdSKki7HAJMD) @Taffies yes

vieiramanoel (Fri, 02 Feb 2018 14:18:01 GMT):
is anyone facing the client not consuming the config file even with `FABRIC_CA_CLIENT_HOME` set?

vieiramanoel (Fri, 02 Feb 2018 14:18:55 GMT):
it's kinda strange, I formatted my pc yesterday and compiled the 1.1-preview branch and now I got this problem

rake66 (Fri, 02 Feb 2018 14:19:26 GMT):
try 1.1.0-alpha, it all works fine for me

rake66 (Fri, 02 Feb 2018 14:19:37 GMT):
but I skipped preview

vieiramanoel (Fri, 02 Feb 2018 14:19:50 GMT):
ok, I'll try

vieiramanoel (Fri, 02 Feb 2018 15:16:17 GMT):
it worked, thnks @rake66

MadhavaReddy (Fri, 02 Feb 2018 15:31:01 GMT):
Hi All, I have generated certificates for my network using the cryptogen tool and when I start the network I am getting the below error, can you please help me with this issue
```
Error: Validation of certificate and key failed: Invalid certificate and/or key in files '/etc/hyperledger/fabric-ca-server-config/ca.org2.example.com-cert.pem' and '/etc/hyperledger/fabric-ca-server-config/c064f6e6a15782fb29de40c564e0ede81816f72fcce7324bc6a5e23bec53dff6_sk': Public key and private key do not match
```

Vadim (Fri, 02 Feb 2018 15:33:33 GMT):
@MadhavaReddy you need to regenerate the certs and make sure you provide correct filenames of certs when you start the ca

MadhavaReddy (Fri, 02 Feb 2018 15:38:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RmQ82ecjGjNpqSc2A) @Vadim I have verified the files given in the docker-compose file against the local path, and all files are present; fyi I am sharing the compose file https://hastebin.com/ehebijaraf.vbs

vieiramanoel (Fri, 02 Feb 2018 15:41:45 GMT):
@MadhavaReddy every time you regenerate you get this error? Remove your crypto-config folder and generate the certs with cryptogen again

Vadim (Fri, 02 Feb 2018 15:42:45 GMT):
@MadhavaReddy probably you specified the path once wrong, so fabric-ca generated its own root certs and now everything is mixed up

MadhavaReddy (Fri, 02 Feb 2018 15:43:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wTQPBEWZ5uiJjNH8x) @vieiramanoel, I generated once (around 30 mins back), updated the docker-compose file and started the network; when I started the network I am seeing this error

MadhavaReddy (Fri, 02 Feb 2018 15:43:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vAydW8T7SjJukrSMp) @Vadim oh ok got it let me try

vieiramanoel (Fri, 02 Feb 2018 15:43:55 GMT):
I'd really recommend you to regenerate cert files again

MadhavaReddy (Fri, 02 Feb 2018 15:44:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2Hu2iEa9Ec9W5FXfP) @vieiramanoel Thank you, sure let me try

MadhavaReddy (Fri, 02 Feb 2018 15:58:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vAydW8T7SjJukrSMp) @Vadim Thanks Vadim, the issue got resolved after regenerating certificates

MadhavaReddy (Fri, 02 Feb 2018 15:59:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2Hu2iEa9Ec9W5FXfP) @vieiramanoel Thank you, the issue got resolved after regenerating certificates

vieiramanoel (Fri, 02 Feb 2018 16:31:02 GMT):
be welcome

Rapture (Sat, 03 Feb 2018 16:53:28 GMT):
Hi guys, I have a question that I hope someone will be able to assist with: I've currently used the fabric-ca scripts in the fabric-samples to generate a network with working CAs. Now I want to enroll new peers (and users) into organizations myself, but I'm not sure how to do this. I believe there is a fabric-ca-client enroll command, however I'm not sure how to use the appropriate identity and how to make sure that these peers land in the correct organizations. Anyone have some experience/knowledge on this and can help me out? Thanks!

vieiramanoel (Sat, 03 Feb 2018 18:09:02 GMT):
@Rapture What I did was read the scripts to understand what they do

vieiramanoel (Sat, 03 Feb 2018 18:09:54 GMT):
Then repeated its steps by myself

vieiramanoel (Sat, 03 Feb 2018 18:12:40 GMT):
So the path I took was: mlg's setup and samples ( [server](https://medium.com/mlg-blockchain-consulting/fabric-ca-setup-server-8a1b14910179), [client](https://medium.com/mlg-blockchain-consulting/fabric-ca-setup-client-852136f6a63c) ), [read the docs](http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html) (I started my server and followed the docs client steps). At this point you should know how fabric-ca-client works at register/enroll users

vieiramanoel (Sat, 03 Feb 2018 18:13:30 GMT):
my last step was to read the samples and learn how to put the enrollments into msp structures and then write my own script for that

Rapture (Sun, 04 Feb 2018 07:08:35 GMT):
@vieiramanoel I tried to understand the scripts but it's just a lot to take in and I'm overwhelmed by it I think. Do you mind if I message you privately with some questions? Basically where I'm trying to get is having a network set up with CAs where I can enroll new peers into organizations using the appropriate identities (the biggest problem I have is that I don't know how to act on behalf of a certain identity). Any chance you could answer a few questions to that end? I can elaborate on the state of things on my end to help you understand my issue better

Rapture (Sun, 04 Feb 2018 07:10:19 GMT):
@Rapture I should have added, enroll them manually, with a line of code that I write myself after the network is up and running

vieiramanoel (Sun, 04 Feb 2018 13:32:40 GMT):
Sure, be welcome. [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sLSaXaXTbXapdq4Fv) @Rapture

naveen_saravanan (Mon, 05 Feb 2018 08:07:26 GMT):
Hi guys, a docker container got expired immediately after it was initialized. So I tried to start it again with the command "docker start container_name". Even after that it exited immediately. Could anyone tell me what the problem is with this container??? The container logs are given below:
```
arning: insecure environment read function 'getenv' used
[2018-02-05 06:30:59.991] [INFO] fabric-client - Use network config file: /usr/src/artifacts/network-config.json
[2018-02-05 06:31:00.855] [INFO] WebApp - ************** API SERVER 0.10.3 ******************
[2018-02-05 06:31:00.857] [INFO] WebApp - Admin : admin
[2018-02-05 06:31:00.857] [INFO] WebApp - Org name : provider
[2018-02-05 06:31:00.981] [INFO] WebApp - ************** ADMIN PARTY ENABLED ******************
[2018-02-05 06:31:00.999] [DEBUG] middleware - mounting: API request Logger => /usr/src/app/middleware-system/logger.js
[2018-02-05 06:31:01.541] [INFO] Http - ****************** SERVER STARTED ************************
[2018-02-05 06:31:01.542] [INFO] Http - ************** http://localhost:4000 ******************
[2018-02-05 06:31:01.595] [DEBUG] Helper - Msp ID : providerMSP
[2018-02-05 06:31:01.629] [DEBUG] peer-listener - Authorized as peerproviderAdmin@provider
[2018-02-05 06:31:01.630] [INFO] peer-listener - connecting to peer0.provider.example.com:7051
info: [EventHub.js]: _connect - options {"grpc.ssl_target_name_override":"peer0.provider.example.com","grpc.default_authority":"peer0.provider.example.com"}
[2018-02-05 06:31:01.748] [ERROR] peer-listener - (((((((((((( Got block error )))))))))))
[2018-02-05 06:31:01.748] [ERROR] peer-listener - { Error: event message must be properly signed by an identity from the same organization as the peer: [failed verifying the event signature: The signature is invalid]
    at ClientDuplexStream._emitStatusIfDone (/usr/src/app/node_modules/grpc/src/node/src/client.js:201:19)
    at ClientDuplexStream._receiveStatus (/usr/src/app/node_modules/grpc/src/node/src/client.js:180:8)
    at /usr/src/app/node_modules/grpc/src/node/src/client.js:649:14 code: 2, metadata: Metadata { _internal_repr: {} } }
[2018-02-05 06:31:01.765] [DEBUG] peer-listener - disconnected
/usr/src/app/lib-fabric/peer-listener.js:151
      throw e;
      ^
Error: event message must be properly signed by an identity from the same organization as the peer: [failed verifying the event signature: The signature is invalid]
    at ClientDuplexStream._emitStatusIfDone (/usr/src/app/node_modules/grpc/src/node/src/client.js:201:19)
    at ClientDuplexStream._receiveStatus (/usr/src/app/node_modules/grpc/src/node/src/client.js:180:8)
    at /usr/src/app/node_modules/grpc/src/node/src/client.js:649:14
npm info lifecycle fabric-rest@0.10.3~start: Failed to exec start script
npm ERR! Linux 4.13.0-31-generic
npm ERR! argv "/usr/local/bin/node" "/usr/local/bin/npm" "start"
npm ERR! node v6.11.2
npm ERR! npm v3.10.10
npm ERR! code ELIFECYCLE
npm ERR! fabric-rest@0.10.3 start: `node $NODE_DEBUG_OPTION index`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the fabric-rest@0.10.3 start script 'node $NODE_DEBUG_OPTION index'.
npm ERR! Make sure you have the latest version of node.js and npm installed.
npm ERR! If you do, this is most likely a problem with the fabric-rest package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR!     node $NODE_DEBUG_OPTION index
npm ERR! You can get information on how to open an issue for this project with:
npm ERR!     npm bugs fabric-rest
npm ERR! Or if that isn't available, you can get their info via:
npm ERR!     npm owner ls fabric-rest
npm ERR! There is likely additional logging output above.
npm ERR! Please include the following file with any support request:
npm ERR!     /usr/src/app/npm-debug.log
```

MohammadObaid (Mon, 05 Feb 2018 12:52:17 GMT):
Hey is there any tutorial available which guides us how to generate msp folder completely from fabric-ca instead of cryptogen

Vadim (Mon, 05 Feb 2018 12:52:54 GMT):
@MohammadObaid https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca

MohammadObaid (Mon, 05 Feb 2018 12:58:15 GMT):
Alright . I will take a look .Thanks :)

kenmazsyma (Mon, 05 Feb 2018 13:31:55 GMT):
Hi all, could anyone let me know whether it is possible to add an allowable affiliation to fabric-ca-server without restarting the server? If possible, how should I do that?

erzeghi (Mon, 05 Feb 2018 13:48:41 GMT):
Has joined the channel.

aambati (Mon, 05 Feb 2018 14:25:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9BPxAzoz58fTi3TjM) @kenmazsyma it is possible in 1.1 code (master branch)... `fabric-ca-client affiliations` command allows that

kenmazsyma (Mon, 05 Feb 2018 14:57:52 GMT):
@aambati Thank you for the information! I'll try that.

aambati (Mon, 05 Feb 2018 18:25:21 GMT):
@naveen_saravanan better ask the question in fabric-peer-endorser or fabric-sdk-node channel ... the error message is suggesting that the message that node-sdk received was signed by the wrong certificate ... is this an example that you are running?

vieiramanoel (Mon, 05 Feb 2018 18:45:50 GMT):
@aambati I've updated my image to alpha

vieiramanoel (Mon, 05 Feb 2018 18:47:12 GMT):
enrolling my user with `fabric-ca-client enroll -d --enrollment.profile tls -u "http://ca.goledger.com:****@ca.goledger.com:7054" --csr.hosts "ca.goledger.com" -M client/tls`

vieiramanoel (Mon, 05 Feb 2018 18:47:34 GMT):
the server returns: ```2018/02/05 18:41:00 [INFO] 192.168.0.232:36860 POST /enroll 500 0 "Failed to get attribute 'hf.IntermediateCA' for user 'ca.goledger.com': User does not have attribute 'hf.IntermediateCA'" ```

vieiramanoel (Mon, 05 Feb 2018 18:47:45 GMT):
??

vieiramanoel (Mon, 05 Feb 2018 18:48:18 GMT):
this attr is not set on config file too

vieiramanoel (Mon, 05 Feb 2018 19:08:28 GMT):
@smithbk any clue?

smithbk (Mon, 05 Feb 2018 20:57:34 GMT):
@vieiramanoel Can you tell me how to reproduce? It should only require that attribute if you were requesting the ca profile or the csr has the isca bit set, so not sure why it is being requested

vieiramanoel (Mon, 05 Feb 2018 22:44:33 GMT):
Yes, it is. It is set on tls generation for the ca tls-cert

vieiramanoel (Mon, 05 Feb 2018 22:46:27 GMT):
Then I restart server with isca for TLS profile disabled

smithbk (Tue, 06 Feb 2018 02:18:54 GMT):
@vieiramanoel I'll be glad to help but it is not clear how to reproduce. Can you provide steps of exactly what you did?

naveen_saravanan (Tue, 06 Feb 2018 04:14:34 GMT):
I tried to run the fabcar's query.js on similar fabric-samples (like fabric-starter). I successfully ran enrollAdmin.js and registerUser.js on it. But while I run the query.js I get the below log:
```
Store path:/home/hd/fabric-starter-patient/hfc-key-store
Successfully loaded user1 from persistence
error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: Stream removed
    at /home/hd/fabric-starter-patient/node_modules/grpc/src/client.js:554:15
Query has completed, checking results
Response is  Error: Stream removed
error from query =  { Error: Stream removed
    at /home/hd/fabric-starter-patient/node_modules/grpc/src/client.js:554:15
  code: 2,
  metadata: Metadata { _internal_repr: {} } }
```
Can anyone please point out the problem here?

javrevasandeep (Tue, 06 Feb 2018 05:31:31 GMT):
i have got a couple of questions from our business and technical team regarding the PKI tech provided by fabric-ca from a production point of view. can anyone pls help me find the right solution for these questions.

javrevasandeep (Tue, 06 Feb 2018 05:32:10 GMT):
- Authentication integration with known identity sources (on premises Active Directory, Azure AD, etc.).
  - It's possible to build your own authentication system but it's a complex piece that's better off in the hands of a mature authentication system.
  - Authorization was not discussed and should be.
- PKI has numerous questions around it which will require additional discussions.
  - How does the system as a whole deal with key compromise at all levels?
  - Root
    - Can the root be left offline until needed.
    - Should the private key of the root be stored on a USB hardware security module (HSM)?
      - This would ensure that it could be transferred in a way that we could not continue to use it afterwards.
    - How is trust in the root established?
    - What domain do we publish the CRL to that is transferable to a third party?
    - How often should the CRL be refreshed?
    - How long are the partner CA certificates going to last?
  - Partner CAs
    - Are HSMs supported?
      - Should they be required to maintain the trust of the system?
    - How often should the CRL be refreshed?
      - Probably more frequently due to always online nature.
    - CRLs hosted by partners?
    - How long are user certificates designed to last?
    - Will user certificates be revoked on termination?
  - User (Actor) Certificates
    - Certificates are stored in the Fabric CA Client Node?
      - This will probably be the easiest way to compromise commonly used certificates (RSA 2048 bit and ECC 256bit).
      - Is there a better way to manage this system?
      - How will backups be maintained and protected?

javrevasandeep (Tue, 06 Feb 2018 07:13:17 GMT):
@smithbk could you pls help me out

Vadim (Tue, 06 Feb 2018 08:04:18 GMT):
@javrevasandeep have you checked the CA documentation? I think a lot of your questions are answered there. http://hyperledger-fabric-ca.readthedocs.io/en/latest/

suhotskyi (Tue, 06 Feb 2018 11:07:28 GMT):
Has joined the channel.

smithbk (Tue, 06 Feb 2018 12:30:43 GMT):
@naveen_saravanan This is a node SDK issue so best to ask on the #fabric-sdk-node channel. That said, it looks to me to be an issue with version 1.8 of the grpc package in that the error occurs after a connection is idle for 5 minutes, but appears to throw the error once and renew the connection. See https://github.com/googleapis/nodejs-spanner/issues/76

javrevasandeep (Tue, 06 Feb 2018 12:46:55 GMT):
Hi Guys. Could you pls confirm whether fabric-ca uses private CA and if yes then which CA software package it uses to issue certificates

smithbk (Tue, 06 Feb 2018 12:52:07 GMT):
Yes, it is its own CA and uses cfssl packages to issue certs. It can of course use a signing CA certificate issued by an external CA, but the fabric CA server does not communicate with an external CA

smithbk (Tue, 06 Feb 2018 13:05:41 GMT):
See responses in caps ...
- Authentication integration with known identity sources (on premises Active Directory, Azure AD, etc.).
  - It's possible to build your own authentication system but it's a complex piece that's better off in the hands of a mature authentication system. FABRIC CA CAN TALK TO LDAP TO AUTHENTICATE AND AUTHORIZE BASED ON LDAP ATTRIBUTES
  - Authorization was not discussed and should be.
- PKI has numerous questions around it which will require additional discussions.
  - How does the system as a whole deal with key compromise at all levels?
  - Root GENERATE ANOTHER ROOT CERT
    - Can the root be left offline until needed. YES, THAT IS RECOMMENDED
    - Should the private key of the root be stored on a USB hardware security module (HSM)? YES, HSM IS SUPPORTED AND RECOMMENDED
      - This would ensure that it could be transferred in a way that we could not continue to use it afterwards.
    - How is trust in the root established? ROOT AND INTERMEDIATE CERTS ARE PUSHED TO FABRIC CONFIG AS MSP
    - What domain do we publish the CRL to that is transferable to a third party? FABRIC CA GENERATES THE CRL BASED ON WHICH CERTS HAVE BEEN REVOKED. THE CRL IS THEN PUSHED INTO A FABRIC CHANNEL CONFIG.
    - How often should the CRL be refreshed? IT SHOULD BE UPDATED IN THE CHANNEL WITH EACH REVOCATION
    - How long are the partner CA certificates going to last? NOT SURE WHAT YOU MEAN BY PARTNER SINCE FABRIC CA DOESN'T CALL OUT TO ANOTHER CA. CERT LIFETIMES ARE CONFIGURABLE. ROOT IS 15 YEARS BY DEFAULT, INTERMEDIATE IS 5 YEARS BY DEFAULT, AND END USER CERTS ARE 1 YEAR BY DEFAULT
  - Partner CAs
    - Are HSMs supported? FABRIC CA SUPPORTS HSMS
      - Should they be required to maintain the trust of the system? IT IS CERTAINLY MORE SECURE AND RECOMMENDED
    - How often should the CRL be refreshed? ALREADY ANSWERED
      - Probably more frequently due to always online nature.
    - CRLs hosted by partners? NO, FABRIC CA RETURNS CRLS
    - How long are user certificates designed to last? CONFIGURABLE, 1 YEAR BY DEFAULT
    - Will user certificates be revoked on termination? IF BY TERMINATION YOU MEAN EXPIRATION, NO
  - User (Actor) Certificates
    - Certificates are stored in the Fabric CA Client Node? YES, THE FABRIC CA CLIENT STORES CERTIFICATES LOCALLY
      - This will probably be the easiest way to compromise commonly used certificates (RSA 2048 bit and ECC 256bit). CERTIFICATES ARE PUBLIC. KEYS MAY BE STORED IN AN HSM.
      - Is there a better way to manage this system? NO
      - How will backups be maintained and protected? FABRIC CA SERVER KEEPS CERTIFICATES IN A DATABASE

javrevasandeep (Tue, 06 Feb 2018 13:21:10 GMT):
@smithbk Thanks for your support on these questions. I am new to PKI stuff and trying to learn it in parallel. It would be really great if you can provide some more insight on these responses. 1. It's possible to build your own authentication system but it's a complex piece that's better off in the hands of a mature authentication system. FABRIC CA CAN TALK TO LDAP TO AUTHENTICATE AND AUTHORIZE BASED ON LDAP ATTRIBUTES ---- *How does this really help? can you pls give one real case scenario*.

javrevasandeep (Tue, 06 Feb 2018 13:47:12 GMT):
@smithbk Few more doubts to add

javrevasandeep (Tue, 06 Feb 2018 13:47:13 GMT):
- PKI has numerous questions around it which will require additional discussions.
  - How does the system as a whole deal with key compromise at all levels?
  - Root GENERATE ANOTHER ROOT CERT --- *does this mean we should have two root certs for each organization and will the system still work if one of the root certs gets compromised*
    - Can the root be left offline until needed. YES, THAT IS RECOMMENDED --- *I am using docker containers for fabric-ca. How to make it sleep or offline once its work is done*
    - Should the private key of the root be stored on a USB hardware security module (HSM)? YES, HSM IS SUPPORTED AND RECOMMENDED --- *Is there any working example of this one and can i implement this with fabric-ca docker containers by some configuration*
      - This would ensure that it could be transferred in a way that we could not continue to use it afterwards.
    - How is trust in the root established? ROOT AND INTERMEDIATE CERTS ARE PUSHED TO FABRIC CONFIG AS MSP --- *Do you mean root and intermediate certs are pushed to fabric-ca-client to issue certificates for the members and users.*
    - What domain do we publish the CRL to that is transferable to a third party? FABRIC CA GENERATES THE CRL BASED ON WHICH CERTS HAVE BEEN REVOKED. THE CRL IS THEN PUSHED INTO A FABRIC CHANNEL CONFIG. --- *If some intermediate CA meant for an organization to issue member and user certs is compromised then what needs to be done to bring back the system to work normally. Is the CRL list pushed to fabric channel config automatically or does this need to be done manually.*
    - How often should the CRL be refreshed? IT SHOULD BE UPDATED IN THE CHANNEL WITH EACH REVOCATION --- *again the same question. Does this need to be done manually or is it taken care of automatically.*
    - How long are the partner CA certificates going to last? NOT SURE WHAT YOU MEAN BY PARTNER SINCE FABRIC CA DOESN'T CALL OUT TO ANOTHER CA. CERT LIFETIMES ARE CONFIGURABLE. ROOT IS 15 YEARS BY DEFAULT, INTERMEDIATE IS 5 YEARS BY DEFAULT, AND END USER CERTS ARE 1 YEAR BY DEFAULT
  - Partner CAs
    - Are HSMs supported? FABRIC CA SUPPORTS HSMS
      - Should they be required to maintain the trust of the system? IT IS CERTAINLY MORE SECURE AND RECOMMENDED --- *So this means they should have their own root of trust independent of other organizations. Is this correct?*
    - How often should the CRL be refreshed? ALREADY ANSWERED
      - Probably more frequently due to always online nature.
    - CRLs hosted by partners? NO, FABRIC CA RETURNS CRLS
    - How long are user certificates designed to last? CONFIGURABLE, 1 YEAR BY DEFAULT
    - Will user certificates be revoked on termination? IF BY TERMINATION YOU MEAN EXPIRATION, NO
  - User (Actor) Certificates
    - Certificates are stored in the Fabric CA Client Node? YES, THE FABRIC CA CLIENT STORES CERTIFICATES LOCALLY --- *does storing certificates locally mean storing in FileKeyValueStore manner at the host location? Is there any better way to store these certificates like some database or something. I read something like changing the persistence store for keys like couchDBKeyValueStore.js. what exactly is that. Is this something that can solve this issue?*
      - This will probably be the easiest way to compromise commonly used certificates (RSA 2048 bit and ECC 256bit). CERTIFICATES ARE PUBLIC. KEYS MAY BE STORED IN AN HSM. --- *Does this mean it can store keys for peers, orderers and users in a secured manner?*
      - Is there a better way to manage this system? NO
      - How will backups be maintained and protected? FABRIC CA SERVER KEEPS CERTIFICATES IN A DATABASE --- *By default it uses SQLite right? For production systems, we should use PostgreSQL database configuration for fabric-ca? Am I right?*

rake66 (Tue, 06 Feb 2018 14:31:37 GMT):
hi @here, quick question. I'm setting up a little demo based on the fabric-ca sample. I let start.sh do its thing and then on the same docker network i bring up a new rca, ica and a couple of peers from another organisation (org3) and I want to show that until I submit a config tx to add org3 to the blockchain, nobody from org3 has any access. My problem is that when I bring up org3, peer1-org3 doesn't get registered by the ica. I checked the logs, in setup.log the request gets posted but the response is 404. In ica-org3.log it says that it failed to get affiliation 'org3'

rake66 (Tue, 06 Feb 2018 14:32:19 GMT):
what I find weirdest about this is that it has no problem getting affiliation 'org3' earlier when it's registering the admin

wlahti (Tue, 06 Feb 2018 14:49:18 GMT):
Has joined the channel.

aambati (Tue, 06 Feb 2018 14:55:07 GMT):
@javrevasandeep
- *does this mean we should have two root certs for each organization and will the system still works if one of the root certs get compromised* One is root CA and another is intermediate CA. Root CA issues intermediate CA's cert and is usually kept offline unless another intermediate CA cert needs to be issued. Intermediate CA issues enrollment certs. If the intermediate CA is compromised, a new intermediate CA cert would have to be issued by the root CA and the old cert would need to be rotated out. We have a JIRA that outlines a proposal as to how to rotate expired/compromised CA certs.
- *I am using docker containers for fabric-ca. How to make it sleep or offline once its work is done* Just stop the container
- *Do you mean root and intermediate certs are pushed to fabric-ca-client to issue certificates for the members and users.* The CA chain that contains root and intermediate CA certs is put in the msp folder structure of the fabric-ca-client
- *If some intermediate CA meant for an organization to issue member and users certs is compromised then what needs to be done to bring back the system to work normally. does CRL lists is pushed to fabric channel config automatically or this needs to be done manually.* Manually
- *So this means they should have their own root of trust independent of other organizations. Is this correct?* Each org should have its own root of trust
- *Does this mean it can store keys for peers, orderers and users in a secured manner?* Yes
- *By default it uses SQLite right? For production systems, we should use PostGreSQL database configuration for fabric-ca? Am I right?* Yes

aambati (Tue, 06 Feb 2018 15:01:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RdCEkp5cM6sJQnzNM) @rake66 So, do the ica-org3 logs show that the org3 affiliation was added to the database? Can you send me the log of the ica-org3 container (docker log ica-org3)

rake66 (Tue, 06 Feb 2018 15:16:25 GMT):
sorry, I don't know how to put files on here. You are right though, it adds the same affiliations table as the other 2 orgs. And for some reason the admin identity already existed, that's why it had no problem with it. I was pretty sure that I changed all the vars in the scripts to org3, but I'll go through them one more time. Could you help me by letting me know where exactly the affiliation table is described? I noticed that for the initial orgs it also puts in 2 departments each and I never found anything like that in the scripts. Is it a separate file somewhere?

jtclark (Tue, 06 Feb 2018 15:24:20 GMT):
quick question: ran into this issue when running a make locally:

jtclark (Tue, 06 Feb 2018 15:24:27 GMT):
```
Step 11/13 : ADD payload/fabric-ca.tar.bz2 $FABRIC_CA_HOME
failed to copy files: Error processing tar file(bzip2 data invalid: bad magic value in continuation file):
make: *** [build/image/fabric-ca/.dummy-x86_64-1.1.0-beta-snapshot-1947fcc] Error 1
```

jtclark (Tue, 06 Feb 2018 15:25:27 GMT):
saw this, but even after I updated gnutar, I'm still seeing it: https://stackoverflow.com/questions/41465720/error-building-peer-bzip2-data-invalid-in-goshim-tar-bz2

dsanchezseco (Tue, 06 Feb 2018 15:37:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mcMcGcBF2iLSdNK2r) @rake66 @aambati i'm having the same problem with a full custom org, in this case i want to create an org with a couple of intermediate CAs, one for each subdivision, and then create the peers inside of each division, but the `fabric-ca-server-config.yaml` is created with default values when i do the init of the intermediate CA with the -u info.
```
ORG1 rootCA
 |-> iCA.divisionA
 |    |->divisionA.peer0
 |    |->divisionA.peer1        2 channels :
 |    ...                         * 1 of org1 divisions
 |-> iCA.divisionB                * 1 of org1.divisionA and org2
 |    |->divisionB.peer0
 |    |->divisionB.peer1
 |    ...
 |-> iCA.divisionC
      |->divisionC.peer0
      |->divisionC.peer1
      ...
ORG2 rootCA
 |->peer0
 |->peer1
 |
```

dsanchezseco (Tue, 06 Feb 2018 15:39:41 GMT):
the goal is to have an org with subdivisions that are connected to each other and some of those divisions may be connected to outside organizations. But i can not properly set the CAs to support the intermediate one. Also following the fabric-ca example i tested that you can register a user in org2.dept1 from ica-org1, which i doubt is the correct behaviour

dsanchezseco (Tue, 06 Feb 2018 15:39:41 GMT):
@aambati the default affiliations in `fabric-ca-server-config.yaml` are :
```
affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1
```
If i connect to the iCA labeled as from org2 i can register an identity for an org1 department, even though the CA doesn't belong to that org

vieiramanoel (Tue, 06 Feb 2018 16:14:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tdw2FZSzBQC5sKgnk) @smithbk ok, I was doing what aambati said in [this message](https://chat.hyperledger.org/channel/fabric-ca?msg=3HMkrr5NdAJeqDRDJ).

vieiramanoel (Tue, 06 Feb 2018 16:15:48 GMT):
so this is what I'm doing

vieiramanoel (Tue, 06 Feb 2018 16:17:55 GMT):
but my ca starts with [this script](https://hastebin.com/yuqiqixewu.bash), that initializes the server with tls disabled and isca = true for the tls profile if the tls cert pair is not in the folder, otherwise starts the server with tls enabled

vieiramanoel (Tue, 06 Feb 2018 16:21:48 GMT):
This is needed due to this jira https://jira.hyperledger.org/browse/FAB-7875

vieiramanoel (Tue, 06 Feb 2018 16:25:23 GMT):
And composer only worked with ca: TRUE on tls cert

aambati (Tue, 06 Feb 2018 16:25:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mcMcGcBF2iLSdNK2r) @rake66 the database file is in the server home directory... it is a sqlite database (fabric-ca-server.db)... the name of the table is `affiliations` ... initial affiliations are loaded from the server configuration file. I think you should be able to send the file as an attachment.. try sending it to me in 1x1 chat

skarim (Tue, 06 Feb 2018 16:28:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wCkH7TbWWSphTpxeP) @dsanchezseco You can modify the `fabric-ca-server-config.yaml` file after it is generated, if you want to keep the defaults affiliations and add new affiliations you can simply modify the configuration file to include the new affiliations and run `init` again and it will bootstrap the database again. If however, you want to remove the default affiliations from the database, you must delete the database after running the `init` command, remove the default affiliations from the configuration file, add your new affiliations and run `init` again and it should pick up your new affiliations.

aambati (Tue, 06 Feb 2018 16:36:53 GMT):
@dsanchezseco can u pls elaborate what you mean by this : ```i tested that you can register an user in org2.dept1 from ica-org1, which i doubt is the correct behaviour``` If i understand correctly, you have a subdivision that belongs to two different orgs? Currently, an identity is not allowed to be associated with two affiliations and an affiliation cannot be a child of two different affiliations in the affiliation tree

dsanchezseco (Tue, 06 Feb 2018 16:47:12 GMT):
@aambati the default affiliations in `fabric-ca-server-config.yaml` are :
```
affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1
```
If i connect to the iCA labeled as from org2 i can register an identity for an org1 department, even though the CA doesn't belong to that org

dsanchezseco (Tue, 06 Feb 2018 16:47:57 GMT):
i'm following https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca

rake66 (Tue, 06 Feb 2018 16:56:48 GMT):
if you look through env.sh you'll find this
```
# Affiliation is not used to limit users in this sample, so just put
# all identities in the same affiliation.
export FABRIC_CA_CLIENT_ID_AFFILIATION=org3
```

rake66 (Tue, 06 Feb 2018 16:57:10 GMT):
wait, that's in the one I modified, it was org1 initially

aambati (Tue, 06 Feb 2018 19:41:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gfz6LFEHdrsKwQKfE) @dsanchezseco All the fabric CA servers have the defaults (org1, org1.dept1, org1.dept2, org2, org2.dept1)... so you can associate an identity to any of these affiliations on all fabric CA servers... We need to fix the fabric-ca example to make it more realistic by changing the affiliations on the fabric ca server based on which org it belongs to.

smithbk (Tue, 06 Feb 2018 21:52:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EBcDMkCkEyLQxCSPh) @vieiramanoel You should not set isca to true in the tls profile. What was the composer issue which you are trying to fix?

vieiramanoel (Tue, 06 Feb 2018 22:36:02 GMT):
Bad_ecc_cert, i'll try without it. And report here, composer has updated to 1.1 too. Let's see if it'll work[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TQWT6NQM7M8DT3itk) @smithbk

vieiramanoel (Tue, 06 Feb 2018 22:37:42 GMT):
Thanks for the help

polleywong (Wed, 07 Feb 2018 03:45:51 GMT):
Has joined the channel.

tkhwang (Wed, 07 Feb 2018 06:01:20 GMT):
Has joined the channel.

lbniuqlm (Wed, 07 Feb 2018 06:52:01 GMT):
Has joined the channel.

dsanchezseco (Wed, 07 Feb 2018 08:42:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bMbqgyr5cvKyLBFzY) @aambati ok. So if i want to create the layout i put above i have to modify the yaml and leave in each intermediate CA only its affiliations. And then drop the db and restart the servers. Do I have to include also the parent url in the intermediate's yaml? because i don't see the line filled when started with -u in the intermediates

dsanchezseco (Wed, 07 Feb 2018 11:24:02 GMT):
i'm doing as i said before
```
1. root
fabric-ca-server init -b root:rootpw
fabric-ca-server init -b root:rootpw
fabric-ca-server start

2. ica
fabric-ca-server init -b ica:icapw -u https://root:rootpw@rca:7054
<remove csr.cn, leave mod affiliation>
fabric-ca-server init -b ica:icapw -u https://root:rootpw@rca:7054   # <----HERE!
fabric-ca-server start
```
and when i'm on the second init of the ica after the modification of the ica's yaml it prompts `2018/02/07 11:19:42 [FATAL] Initialization failure: CN 'ica' cannot be specified for an intermediate CA. Remove CN from CSR section for enrollment of intermediate CA to be successful` even though i removed it from the yaml.

dsanchezseco (Wed, 07 Feb 2018 11:26:12 GMT):
having a closer look at the output i see that csr.cn is being included automatically and that this call breaks also the first time so no db initialization is done
```
Init CA with home /etc/hyperledger/fabric-ca and config {Version:1.1.0-beta-snapshot-71974f5 Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name: Keyfile: Certfile:ca-cert.pem Chainfile:ca-chain.pem} Signing:0xc4202dc810 CSR:{####CN:ica#### Names:
```
Edit: this could be bypassed with the flag `--csr.cn ""`

javrevasandeep (Wed, 07 Feb 2018 13:10:40 GMT):
@aambati @smithbk. Thanks for your great help. Just a few more clarifications. Could you please help. Should the private key of the root be stored on a USB hardware security module (HSM)? YES, HSM IS SUPPORTED AND RECOMMENDED --- *Is there any working example of this one and can i implement this with fabric-ca docker containers by some configuration*

javrevasandeep (Wed, 07 Feb 2018 13:13:06 GMT):
Certificates are stored in the Fabric CA Client Node? YES, THE FABRIC CA CLIENT STORES CERTIFICATES LOCALLY --- *does storing certificates locally mean storing in FileKeyValueStore manner at the host location? Is there any better way to store these certificates like some database or something. I read something like changing the persistence store for keys like couchDBKeyValueStore.js. what exactly is that. Is this something that can solve this issue*

aambati (Wed, 07 Feb 2018 14:04:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kzXgGvvMMJL2wGe6z) @javrevasandeep i don't know of any example that uses HSM to store keys

aambati (Wed, 07 Feb 2018 14:07:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tz3uhdKF7T2Ca2NDp) @javrevasandeep fabric ca uses bccsp (crypto provider) to generate and manage private keys.. bccsp supports hsm, soft hsm and file system based storage... fabric ca saves user, enrollment cert and affiliation info in a database... it supports sqlite, mysql and postgres.. so to answer your question, keys are not stored in a db

javrevasandeep (Wed, 07 Feb 2018 14:21:00 GMT):
@aambati Thanks for your support. I found this in the node-sdk Org1.yaml file.
```
client:
  # Which organization does this application instance belong to? The value must be the name of an org
  # defined under "organizations"
  organization: Org1

  # Some SDKs support pluggable KV stores, the properties under "credentialStore"
  # are implementation specific
  credentialStore:
    # [Optional]. Specific to FileKeyValueStore.js or similar implementations in other SDKs. Can be others
    # if using an alternative impl. For instance, CouchDBKeyValueStore.js would require an object
    # here for properties like url, db name, etc.
    path: "./fabric-client-kv-org1"

    # [Optional]. Specific to the CryptoSuite implementation. Software-based implementations like
    # CryptoSuite_ECDSA_AES.js in node SDK requires a key store. PKCS#11 based implementations does
    # not.
    cryptoStore:
      # Specific to the underlying KeyValueStore that backs the crypto key store.
      path: "/tmp/fabric-client-kv-org1"
```
*As per my understanding, fabric-ca by default supports a File based Key Value store. I think node-sdk also by default supports a File based Key Value store. So finally, in terms of best practices in a production grade application, these keys should be stored in an HSM. Am I correct?*

aambati (Wed, 07 Feb 2018 15:20:36 GMT):
yes

rameshthoomu (Wed, 07 Feb 2018 18:35:11 GMT):
added the below new *comment phrases* to trigger specific failed builds in fabric-ca gerrit patch sets (triggers verify jobs on x and z platforms): `reverify-x`, `reverify-z`. Use `reverify` to trigger all the failed jobs.

rameshthoomu (Wed, 07 Feb 2018 18:35:11 GMT):
updated the existing *comment phrases* to trigger specific failed CI builds in fabric-ca gerrit patch sets (triggers verify jobs on x and z platforms): `reverify-x`, `reverify-z`. Use `reverify` to trigger all the failed jobs.

aambati (Wed, 07 Feb 2018 20:02:34 GMT):
@rameshthoomu is there a plan to run CI after each merge? We are running into a situation where a change set passes CI but fails after merge, because the change set was based on an older revision of master and it introduced a change that has functional conflicts with another change that went in after it was created.

rameshthoomu (Wed, 07 Feb 2018 20:04:22 GMT):
yes.. you can type `remerge` on a gerrit patch set to trigger the merge job..

aambati (Wed, 07 Feb 2018 20:05:21 GMT):
so, it would simulate a merge and run CI?

aambati (Wed, 07 Feb 2018 20:06:08 GMT):
I was talking about automatically running CI after each merge

rameshthoomu (Wed, 07 Feb 2018 20:07:05 GMT):
we have merge jobs configured for fabric-ca... merge job runs on the latest merged code..

rameshthoomu (Wed, 07 Feb 2018 20:08:18 GMT):
there are two ways to fix that issue: 1) you have to rebase the patch before merge; 2) from CI, we have to pull the latest code from the repo and then fetch the patch set code..

rameshthoomu (Wed, 07 Feb 2018 20:08:57 GMT):
I am working on 2nd point.. this will fix all rebase problems..

rameshthoomu (Wed, 07 Feb 2018 20:09:42 GMT):
maintainers/developers will not need to rebase manually on every patch set..

rameshthoomu (Wed, 07 Feb 2018 20:09:45 GMT):
makes sense?

aambati (Wed, 07 Feb 2018 20:12:51 GMT):
the problem is, even if you do 2), another change set that has functional conflicts can go in after a successful CI run, in which case, after the change set is merged, master has bad code

aambati (Wed, 07 Feb 2018 20:13:20 GMT):
@rameshthoomu really? How can we get notified of build failures?

rameshthoomu (Wed, 07 Feb 2018 20:15:15 GMT):
If the code is interlinked between patch sets, then a forced rebase before merge, or a `reverify` after 2) is implemented, is the only option..

rameshthoomu (Wed, 07 Feb 2018 20:17:26 GMT):
verify job failures post -1 on the gerrit patch set; this is the only way it's implemented right now.

rameshthoomu (Wed, 07 Feb 2018 20:20:04 GMT):
the other way is, after the merge job fails, we can send out an email to the code contributor and to the fabric-ca maintainers

aambati (Wed, 07 Feb 2018 20:27:47 GMT):
yeah... I think we should kick off a merge job after each merge and send a mail to the code contributor and maintainers if CI fails

rameshthoomu (Wed, 07 Feb 2018 20:32:30 GMT):
ok.. Could you please create a JIRA task under `fabric-ci` component..

sreedharn (Wed, 07 Feb 2018 20:33:12 GMT):
Has joined the channel.

aambati (Wed, 07 Feb 2018 21:24:35 GMT):
ok

aambati (Wed, 07 Feb 2018 23:38:52 GMT):
@rameshthoomu i created https://jira.hyperledger.org/browse/FAB-8126

bh4rtp (Thu, 08 Feb 2018 05:55:46 GMT):
what type of db does ca use?

nirmal1988 (Thu, 08 Feb 2018 07:20:22 GMT):
Has joined the channel.

nirmal1988 (Thu, 08 Feb 2018 07:21:29 GMT):
I am using the new version of hyperledger 1.1.0-alpha and registering and enrolling a user with the attribute "role". And when I query it from chaincode I am trying to find the attribute "role" using the following method:

```go
val, ok, err := cid.GetAttributeValue(APIstub, "role")
if err != nil {
	// There was an error trying to retrieve the attribute
	fmt.Printf("err--GETID:\n%s\n", err)
}
if !ok {
	// The client identity does not possess the attribute
	fmt.Printf("ok--GETID:\n%t\n", ok)
}
// Do something with the value of 'val'
fmt.Printf("val--GETID:\n%s\n", val)
```

I get val always blank and ok = false. However, I am able to get the MSPID using the following method: `mspid, err := cid.GetMSPID(APIstub)`. I am using the nodejs SDK for registering, enrolling and querying chaincode. Following is the code:

```javascript
var uname = "user5";
caClient.register({
    enrollmentID: uname,
    affiliation: 'org1.dept1',
    attrs: [{name: "role", value: "user", ecert: true}]
}, resp)
.then((password) => {
    console.log("user registered----" + password);
    caClient.enroll({
        enrollmentID: uname,
        enrollmentSecret: password,
        attr_reqs: [{name: "role", optional: true}]
    })
    .then((enrollment) => {
        console.log("enrolled user--------------------" + enrollment.key.toBytes());
        var channel = client.getChannel("mychannel");
        if (!channel) {
            let message = util.format('Channel %s was not defined in the connection profile', channelName);
            logger.error(message);
            throw new Error(message);
        }
        var request = {
            targets: ["peer0.org1.example.com"], // queryByChaincode allows for multiple targets
            chaincodeId: "fabcar",
            fcn: "queryAllCars",
            args: [''],
            channelId: "mychannel",
            transientMap: new Date()
        };
        channel.queryByChaincode(request, true)
        .then((resp) => {
            console.log("query res----------------" + resp);
            console.log(resp);
        });
    });
});
```

nirmal1988 (Thu, 08 Feb 2018 07:30:12 GMT):
I have modified the code of the fabcar sample using the connection profile and want to check ABAC using the CID lib here. And when I register the user, it shows the attr name and value in the logs of ca.example.com

Brucepark (Thu, 08 Feb 2018 08:44:09 GMT):
I have been googling and testing the ABAC feature, but I wonder if this is possible. 1. I cannot use the cid module in a chaincode: `can't load package: package github.com/hyperledger/fabric/core/chaincode/lib/cid` 2. The certificate generated by the following command `$ fabric-ca-client register --id.name user1 --id.secret user1pw --id.type client --id.affiliation msp1 --id.attrs 'app1Admin=true:ecert,email=user1@gmail.com'` does not contain the ecert field:

```
$ openssl x509 -text -in msp/signcerts/cert.pem
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                C0:07:F5:22:80:E6:12:6B:FE:27:B1:D4:A0:69:01:43:38:BD:8E:29
            X509v3 Authority Key Identifier:
                keyid:51:11:28:13:13:12:8C:8C:57:43:C7:1B:E4:C2:12:E6:B0:DE:D8:10
            X509v3 Subject Alternative Name:
                DNS:MacBook-Pro-3.local
```

Is the ABAC feature really missing? Or am I doing something wrong?

grapebaba (Thu, 08 Feb 2018 09:04:33 GMT):
@here https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca this sample does not work

grapebaba (Thu, 08 Feb 2018 09:08:37 GMT):

(image attachment: Clipboard - 8 February 2018, 5:09 PM)

Brucepark (Thu, 08 Feb 2018 09:12:53 GMT):
What I want to do is, when there are Org1 and Org2, I want to give write authority to Org1 and read authority to Org2. It is possible through ABAC, but if ABAC is not possible, how should I implement this?

Bchainer (Thu, 08 Feb 2018 09:34:22 GMT):
Has joined the channel.

nirmal1988 (Thu, 08 Feb 2018 09:41:07 GMT):
@Brucepark I am able to find the attr name in the cert:

```
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                C6:C6:54:DE:08:43:09:42:8A:36:91:BA:BE:85:F8:43:6B:1C:D2:6A
            X509v3 Authority Key Identifier:
                keyid:3C:1B:0F:C1:21:3E:16:C5:64:78:5B:64:C7:37:39:21:C4:58:EF:34
            1.2.3.4.5.6.7.8.1:
                {"attrs":{"role":"buyer"}}
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:4b:6d:e9:80:b3:b9:08:d3:4e:3c:a6:87:17:94:
```

nirmal1988 (Thu, 08 Feb 2018 09:42:30 GMT):
@Brucepark you can implement isolation between two orgs using the following from the CID lib: `mspid, err := cid.GetMSPID(APIstub)`

Brucepark (Thu, 08 Feb 2018 09:44:51 GMT):
How did you do that? Did you use the `fabric-ca-client register` command? @nirmal1988

Brucepark (Thu, 08 Feb 2018 09:46:09 GMT):
Did you use `$openssl x509 -text -in` command to see certificate?

nirmal1988 (Thu, 08 Feb 2018 09:47:07 GMT):
@Brucepark I registered using the nodejs SDK

Brucepark (Thu, 08 Feb 2018 09:47:45 GMT):
I also tried using nodejs SDK but I failed.

nirmal1988 (Thu, 08 Feb 2018 09:49:01 GMT):
@Brucepark fabric-ca-client register should also work... both do the same thing...

Brucepark (Thu, 08 Feb 2018 09:51:31 GMT):
```
fabric_ca_client.register({
    enrollmentID: enroll_id,
    attrs: ???,
    affiliation: affiliation
}, adminUser)
```
That is my register code using the nodejs sdk. How did you fill in the question-mark area? @nirmal1988

nirmal1988 (Thu, 08 Feb 2018 09:54:22 GMT):
@Brucepark Attrs should be in this format: `attrs: [{name: "role", value: "user", ecert: true}]`, and the fabric-ca client should be obtained like this: `let caClient = client.getCertificateAuthority();`

Brucepark (Thu, 08 Feb 2018 09:57:57 GMT):
Did you use `$ openssl x509 -text -in msp/signcerts/cert.pem` to see the certificate? @nirmal1988

nirmal1988 (Thu, 08 Feb 2018 09:59:43 GMT):
@Brucepark yes, I use openssl

Brucepark (Thu, 08 Feb 2018 10:00:23 GMT):
Thank you so much. I will try it again. @nirmal1988

naveen_saravanan (Thu, 08 Feb 2018 10:52:23 GMT):
Is there a way (using fabric-ca commands) to authenticate a user's credentials (user name and password) after registering the user in the fabric-ca-server? If anyone knows about this, please help me; thanks in advance.

landgraf.paul (Thu, 08 Feb 2018 10:54:58 GMT):
Has joined the channel.

landgraf.paul (Thu, 08 Feb 2018 10:56:32 GMT):
Hi! I found this page http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html with an example of how to add/remove affiliations: *fabric-ca-client affiliation add org1.dept1*. But *fabric-ca-client --help* shows

```
Available Commands:
  enroll      Enroll an identity
  getcacert   Get CA certificate chain
  reenroll    Reenroll an identity
  register    Register an identity
  revoke      Revoke an identity
```

veralimita (Thu, 08 Feb 2018 10:57:21 GMT):
Has joined the channel.

Brucepark (Thu, 08 Feb 2018 12:43:11 GMT):
It was a CA server version problem. I changed the server to v1.1 and it works well. Thank you. @nirmal1988

aambati (Thu, 08 Feb 2018 15:10:41 GMT):
@bh4rtp fabric-ca server supports SQLite, MySQL and Postgres

aambati (Thu, 08 Feb 2018 15:49:09 GMT):
@grapebaba this question was answered in this channel earlier.. make sure the fabric-ca images are built on top of the latest fabric images:
1. Run `./stop.sh` in the hyperledger/fabric-samples/fabric-ca folder
2. Run `make docker-clean` in the hyperledger/fabric-ca folder
3. Run `make docker-clean docker` in the hyperledger/fabric folder
4. Run `export FABRIC_TAG= image`
5. Run `make docker` in the hyperledger/fabric-ca folder

aambati (Thu, 08 Feb 2018 15:53:57 GMT):
@naveen_saravanan if you run `fabric-ca-client enroll` with user credentials, it will fail if you provide bad credentials

aambati (Thu, 08 Feb 2018 15:55:20 GMT):
@nirmal1988 did you resolve your issue with using ABAC?

grapebaba (Thu, 08 Feb 2018 15:56:43 GMT):
@aambati after I updated fabric-ca, the error disappeared

grapebaba (Thu, 08 Feb 2018 15:57:05 GMT):
However, another error is thrown

grapebaba (Thu, 08 Feb 2018 15:57:49 GMT):
org admin registration fails because of the hf. prefix

grapebaba (Thu, 08 Feb 2018 15:58:10 GMT):
any idea?

aambati (Thu, 08 Feb 2018 16:22:19 GMT):
this problem was fixed recently... make sure you have the latest fabric-ca sample code

ongar (Thu, 08 Feb 2018 20:40:06 GMT):
Has joined the channel.

ongar (Thu, 08 Feb 2018 20:40:14 GMT):
Hi folks - does anyone know how to enrol with Fabric CA by sending an existing public key? The sample scripts seem to generate the certs and keys afresh instead of asking for an existing public key. Any clues? Or how to get the CA cert from Fabric CA while using an existing public key?

aambati (Thu, 08 Feb 2018 21:14:34 GMT):
@ongar `fabric-ca-client getcacert` will store the CA cert in the cacerts folder of the MSP. You don't really need an enrollment cert to do that... we have a JIRA that will allow getting a cert for an existing key, so it is not implemented yet

ongar (Thu, 08 Feb 2018 21:19:30 GMT):
ok. My problem is, we use our own keystore (HSM) to manage our private key material and we don't want fabric-ca to generate our key pair. Instead we would like to use our existing certs (or an existing pub key to get a new cert). Do you think this is not possible right now? Is any workaround possible?

aambati (Thu, 08 Feb 2018 21:24:44 GMT):
it is not possible to get a new certificate without generating a new key pair

ongar (Thu, 08 Feb 2018 21:30:28 GMT):
I thought that a CA authority is supposed to issue a cert based on a given pub key without needing to generate a key pair. Why would a CA handle the private key of a user?

ongar (Thu, 08 Feb 2018 21:49:19 GMT):
Thanks @aambati ! Your responses were helpful!!

aambati (Thu, 08 Feb 2018 21:50:22 GMT):
@ongar fabric-ca-client enroll and reenroll generate new key pairs, but you can create a CSR based on the current key pair and invoke the fabric-ca server REST endpoint /enroll to generate a new cert

ongar (Thu, 08 Feb 2018 21:55:56 GMT):
Ok. I will explore /enroll to check whether it accepts a pubkey as input. Thanks!

ongar (Thu, 08 Feb 2018 21:58:12 GMT):
ok. That clarifies. Sorry to bother you further, but how do I issue a CSR request?

aambati (Thu, 08 Feb 2018 22:00:00 GMT):
`fabric-ca-client gencsr` creates a CSR, but it creates a new private/public key pair; you could try using openssl to create the CSR

ongar (Thu, 08 Feb 2018 22:01:52 GMT):
Yep. Thanks a lot again :slight_smile:

ongar (Thu, 08 Feb 2018 22:05:54 GMT):
oops - the docs say that --

ongar (Thu, 08 Feb 2018 22:05:58 GMT):
If you want the Fabric CA server to use a CA signing certificate and key file which you provide, you must place your files in the location referenced by ca.certfile and ca.keyfile respectively. Both files must be PEM-encoded and must not be encrypted. More specifically, the contents of the CA certificate file must begin with -----BEGIN CERTIFICATE----- and the contents of the key file must begin with -----BEGIN PRIVATE KEY----- and not -----BEGIN ENCRYPTED PRIVATE KEY-----.

ongar (Thu, 08 Feb 2018 22:06:12 GMT):
Why does it need a private key??

ongar (Thu, 08 Feb 2018 22:07:53 GMT):
ok - that is for the certificate for the CA server itself.

ongar (Thu, 08 Feb 2018 22:09:26 GMT):
I was looking for whether I can provide an existing cert or pub key for the network participant in a CSR request

grapebaba (Fri, 09 Feb 2018 03:03:31 GMT):
@aambati I followed your steps

grapebaba (Fri, 09 Feb 2018 03:03:36 GMT):
still error

grapebaba (Fri, 09 Feb 2018 03:04:43 GMT):
```
2018/02/09 03:03:56 [DEBUG] Registration of 'admin-org0' failed: : scode: 401, local code: 42, local msg: Failed to register attribute: Registering attribute 'hf.admin' using a reserved prefix 'hf.', however this not a supported reserved attribute, remote code: 20, remote msg: Authorization failure
2018/02/09 03:03:56 [INFO] 172.22.0.8:39948 POST /register 401 42 "Failed to register attribute: Registering attribute 'hf.admin' using a reserved prefix 'hf.', however this not a supported reserved attribute"
```

naveen_saravanan (Fri, 09 Feb 2018 04:01:51 GMT):
@aambati ok. But for an already enrolled user, how do we authenticate the user? Do we use `fabric-ca-client enroll`?

naveen_saravanan (Fri, 09 Feb 2018 04:48:13 GMT):
Hi @aambati, I tried the `fabric-ca-client enroll` command on an already enrolled user and a new set of private and public keys was created.

naveen_saravanan (Fri, 09 Feb 2018 04:53:21 GMT):
Is there any other way?

nirmal1988 (Fri, 09 Feb 2018 05:48:59 GMT):
@aambati No.. I am still not able to retrieve the attribute value in chaincode.

nirmal1988 (Fri, 09 Feb 2018 05:49:45 GMT):
@Brucepark Are you able to fetch attr values in chaincode???

bh4rtp (Fri, 09 Feb 2018 06:19:22 GMT):
@aambati as fabric-ca supports MySQL, does it also support Oracle with a few changes?

nirmal1988 (Fri, 09 Feb 2018 06:30:47 GMT):
Anil, after registering the user with the attribute (I can see the attribute in the certificate and the SQLite DB), I am getting an error when I use the following in chaincode: `err := cid.AssertAttributeValue(APIstub, "role", "user")` ERROR: `details: 'chaincode error (status: 500, message: Attribute \'role\' was not found)' } ]`

Brucepark (Fri, 09 Feb 2018 06:43:29 GMT):
No, I cannot use the cid module in a chaincode: `can't load package: package github.com/hyperledger/fabric/core/chaincode/lib/cid` @nirmal1988

Brucepark (Fri, 09 Feb 2018 06:44:04 GMT):
I'm thinking of using nodejs chain code instead of Go because of that problem

Vadim (Fri, 09 Feb 2018 07:59:15 GMT):
@Brucepark you need to vendor that package

Brucepark (Fri, 09 Feb 2018 08:37:32 GMT):
What vendor? Can you explain more? @Vadim

Vadim (Fri, 09 Feb 2018 08:38:10 GMT):
@Brucepark https://blog.gopheracademy.com/advent-2015/vendor-folder/

Shivshankar (Fri, 09 Feb 2018 08:41:12 GMT):
Has joined the channel.

Shivshankar (Fri, 09 Feb 2018 08:42:09 GMT):
When I am trying to register a new user using the node SDK I am getting this error: `Error: fabric-ca request register failed with errors [[{"code":63,"message":"Failed to get Affiliation: sql: no rows in result set"}]]`. Can someone help?

nirmal1988 (Fri, 09 Feb 2018 08:55:18 GMT):
@Vadim Vadim, can you help me in implementing ABAC?

Vadim (Fri, 09 Feb 2018 08:55:39 GMT):
@nirmal1988 have you checked the examples already?

nirmal1988 (Fri, 09 Feb 2018 08:58:24 GMT):
yes, I have checked the fabric-ca examples... but they do not work. Then I started modifying fabcar using the connection profile and I am able to register and enroll a user with an attribute. And the attribute is also getting stored in the certificate and the SQLite DB. But I am not able to fetch it in chaincode while querying using the nodejs SDK: `val, ok, err := cid.GetAttributeValue(APIstub, "role")` I am getting val null and ok = false

KarthikeyanS (Fri, 09 Feb 2018 10:29:46 GMT):
Has joined the channel.

KarthikeyanS (Fri, 09 Feb 2018 10:30:53 GMT):
error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: 14 UNAVAILABLE: EOF

KarthikeyanS (Fri, 09 Feb 2018 10:31:23 GMT):
I am getting this error when I try to run the fabcar sample program `node query.js`

naveen_saravanan (Fri, 09 Feb 2018 11:06:03 GMT):
Hi, I tried to run the query.js of fabcar and got the error given below:

```
root@hibiz-Aspire-E5-575:/home/hibiz/fabric-starter-patient# node query.js
Store path:/home/hibiz/fabric-starter-patient/hfc-key-store
Successfully loaded user1 from persistence
error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: Stream removed
    at /home/hibiz/fabric-starter-patient/node_modules/grpc/src/client.js:554:15
Query has completed, checking results
Response is Error: Stream removed
error from query = { Error: Stream removed
    at /home/hibiz/fabric-starter-patient/node_modules/grpc/src/client.js:554:15
  code: 2,
  metadata: Metadata { _internal_repr: {} } }
root@hibiz-Aspire-E5-575:/home/hibiz/fabric-starter-patient#
```

Does anyone know what the problem is here?

Brucepark (Fri, 09 Feb 2018 11:19:56 GMT):
Thank you so much. :thumbsup: @Vadim

rake66 (Fri, 09 Feb 2018 11:22:04 GMT):
@Shivshankar I've had this error, though I'm not using the node-sdk. The affiliations are in fabric-ca-server-config.yaml, which gets generated with a default config when you run `fabric-ca-server init`. The default affiliations are org1 with department1 and department2, and org2 with department1. If you want to use anything else as an affiliation you need to modify the file, then run `fabric-ca-server init -b blabla` again.

rake66 (Fri, 09 Feb 2018 11:23:31 GMT):
...well actually I guess run whatever function the sdk has for initialising the ca

KarthikeyanS (Fri, 09 Feb 2018 12:46:26 GMT):
`error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: 14 UNAVAILABLE: EOF` I am getting this error when I try to run the fabcar sample program `node query.js`

javrevasandeep (Fri, 09 Feb 2018 13:28:52 GMT):
can anyone please tell me the role of LDAP in fabric-ca in simple terms, with some real-world use case, and how it differs from configuring a Postgres or MySQL database in fabric-ca?

ohmeraka (Fri, 09 Feb 2018 13:57:43 GMT):
Has joined the channel.

lkolisko (Fri, 09 Feb 2018 14:05:07 GMT):
Hi All, I am trying to get a fabric-ca build from src working against a very simple fabric-sdk-java based client. The flow I am trying to get working is simple: 1/ enroll admin using id/pass 2/ enroll a peer using admin as the registrar. The client works against fabric-ca in the docker container setup from the fabric-samples basic network. However, when I try to run my code against the fabric-ca-server built locally I am running into the following issue:

fabric-ca-server log:
```
2018/02/09 14:56:42 [DEBUG] Checking for revocation/expiration of certificate owned by 'admin'
2018/02/09 14:56:42 [DEBUG] DB: Get certificate by serial (8f4eba8d79ea25690e900b675a364d4584cf590) and aki (e6358701200c28df1fd4db20e1bc0c09b289493d)
2018/02/09 14:56:42 [ERROR] No certificates found for provided serial and aki
```

client log:
```
DEBUG PoolingHttpClientConnectionManager - Connection released: [id: 2][route: {}->http://localhost:7054][total kept alive: 1; route allocated: 1 of 2; total allocated: 1 of 20]
Exception in thread "main" org.hyperledger.fabric_ca.sdk.exception.RegistrationException: Error while registering the user HLFUser{name='admin', roles=null, account='null', affiliation='null', enrollment=org.hyperledger.fabric_ca.sdk.HFCAEnrollment@4d910fd6, mspId='null'} url: http://localhost:7054 POST request to http://localhost:7054 failed request body {"id":"peer1","type":"user","affiliation":"org1.department1","attrs":[]}. Response: {"success":false,"result":null,"errors":[{"code":400,"message":"Authorization failure"}],"messages":[]}
	at org.hyperledger.fabric_ca.sdk.HFCAClient.register(HFCAClient.java:330)
	at demo.hlf.Main.registerUser(Main.java:41)
	at demo.hlf.Main.main(Main.java:32)
Caused by: org.hyperledger.fabric_ca.sdk.exception.HTTPException: POST request to http://localhost:7054 failed request body {"id":"peer1","type":"user","affiliation":"org1.department1","attrs":[]}. Response: {"success":false,"result":null,"errors":[{"code":400,"message":"Authorization failure"}],"messages":[]}
	at org.hyperledger.fabric_ca.sdk.HFCAClient.getResult(HFCAClient.java:1098)
	at org.hyperledger.fabric_ca.sdk.HFCAClient.httpPost(HFCAClient.java:1025)
	at org.hyperledger.fabric_ca.sdk.HFCAClient.register(HFCAClient.java:321)
ERROR HFCAClient - POST request to http://localhost:7054 failed request body {"id":"peer1","type":"user","affiliation":"org1.department1","attrs":[]}. Response: {"success":false,"result":null,"errors":[{"code":400,"message":"Authorization failure"}],"messages":[]}
ERROR HFCAClient - HLFUser{name='admin', roles=null, account='null', affiliation='null', enrollment=org.hyperledger.fabric_ca.sdk.HFCAEnrollment@4d910fd6, mspId='null'}
	... 2 more
```

Any hints or help more than appreciated. Regards, Lukas

javrevasandeep (Fri, 09 Feb 2018 14:24:48 GMT):
does ldap store certificates of users?

smithbk (Fri, 09 Feb 2018 14:46:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5rSqB4B9cX9bkHyHq) @javrevasandeep no, it is read-only from ldap and it uses it to authenticate users and to get user attributes

javrevasandeep (Fri, 09 Feb 2018 14:47:55 GMT):
@smithbk so to store certificates one can use postgres or mysql, right? By default it is stored in sqlite?

smithbk (Fri, 09 Feb 2018 14:50:56 GMT):
@javrevasandeep Yes, correct ... you need mysql or postgres to run in a cluster

javrevasandeep (Fri, 09 Feb 2018 14:54:28 GMT):
@smithbk that means if a user doesn't have his userid/pass in ldap registry he cannot be issued certificates by fabric-ca right?

aambati (Fri, 09 Feb 2018 15:02:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=grTheZ7twg9zHwAQa) @grapebaba hmm...if you have the latest code, hf.admin has been changed to admin...you can replace hf.admin to admin yourself in your workspace and rerun ./start.sh

grapebaba (Fri, 09 Feb 2018 15:03:11 GMT):
thanks

grapebaba (Fri, 09 Feb 2018 15:03:17 GMT):
i fixed it

aambati (Fri, 09 Feb 2018 15:04:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=eRAeSJzzxSFpYKvnP) @ongar openssl should allow you to create a CSR based on an existing key pair, I thought... as I mentioned before, fabric-ca-client gencsr does not allow you to provide your own pair though

aambati (Fri, 09 Feb 2018 15:10:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CkpKAcJnw3pDBPjN2) @naveen_saravanan `fabric-ca-client enroll` command creates new private key and cert ...I would like to understand what you are trying to do when you say "authenticate the user"? Once user is enrolled, user's key material is created in the specified MSP directory...subsequent fabric-ca-client commands that point to this msp directory will use user's key material to make the requests to fabric-ca-server

aambati (Fri, 09 Feb 2018 15:12:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=r3L4LQCBeMTH5EBFZ) @bh4rtp i think it probably needs more than little changes, imo, but it should be easy to plug it in

javrevasandeep (Fri, 09 Feb 2018 15:12:52 GMT):
@smithbk @aambati can we stop fabric-ca container after issuing certificates to user and will the same user be still able to invoke or query the network without fabric-ca

aambati (Fri, 09 Feb 2018 15:13:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gWmnsRjNtuvbMNK7P) @nirmal1988 and you made sure the attribute is in the user's certificate as well, right?

aambati (Fri, 09 Feb 2018 15:16:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6oPMLi97CWchC7k45) @nirmal1988 What error do you get when you ran fabric-ca sample?

aambati (Fri, 09 Feb 2018 15:18:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8X5orquwASPFw7zR8) @javrevasandeep yes... users need to provide id/pass to be enrolled (to be issued a certificate)

smithbk (Fri, 09 Feb 2018 15:23:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8X5orquwASPFw7zR8) @javrevasandeep correct

aambati (Fri, 09 Feb 2018 16:36:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gH5Gr6m4AerJprNHH) @lkolisko i have seen this error if you are running 1.0.0 code with go 1.8 or 1.9

lkolisko (Fri, 09 Feb 2018 16:44:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xh8Y8JSu5jFArPo5S) @aambati I am using go version go1.9.3 linux/amd64. I tried to debug fabric-ca-server and found out that the "issue" is, when enrolling the peer, the query for the admin certificate returns no result. The query is based on cert sn and aki. Checking the database, the aki column for all the certificates is empty because when the cert record is being inserted `certTBS.AuthorityKeyId` returns null. Therefore I never get a match and authorization fails.

aambati (Fri, 09 Feb 2018 17:48:08 GMT):
if you are in fact running 1.0 code, then I suggest you use go 1.7

mastersingh24 (Fri, 09 Feb 2018 17:49:39 GMT):
@lkolisko - @aambati is correct - if you cloned the fabric-ca repo, the default branch is the release branch, which is v1.0.x. If you want to stick with Go 1.9.3, you need to grab the master branch: `git clone -b master https://github.com/hyperledger/fabric-ca`

anillewis (Fri, 09 Feb 2018 19:28:26 GMT):
Has joined the channel.

anillewis (Fri, 09 Feb 2018 19:29:50 GMT):
@Brucepark I am facing the same issue where I cannot see the attributes in the certificate. I am using fabric-ca 1.0.5 image....will this work only in 1.1?

smithbk (Fri, 09 Feb 2018 22:10:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6KmaZttzvhHCbXXhC) @anillewis yes, ABAC is only supported in v1.1

Brucepark (Sat, 10 Feb 2018 03:07:31 GMT):
In the chain code, I can use the cid module to get the MSPID but there is no MSPID info in a certificate. How does cid module get MSPID? Is there a way to fake this in the participating organization's Intermediate CA?

Brucepark (Sat, 10 Feb 2018 03:07:31 GMT):
In the chain code, I can use the cid module to get the MSPID but there is no MSPID info in a certificate. How does cid module get MSPID? Is there a way to fake this in the participating organization?

grapebaba (Sat, 10 Feb 2018 03:12:31 GMT):
@here http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#dynamically-updating-affiliations

grapebaba (Sat, 10 Feb 2018 03:14:13 GMT):
is this feature in fabric-ca 1.1.0-alpha version?

smithbk (Sat, 10 Feb 2018 12:39:42 GMT):
Yes

kerokhin (Sat, 10 Feb 2018 16:46:42 GMT):
Has joined the channel.

mastersingh24 (Sun, 11 Feb 2018 11:16:23 GMT):
It extracts it from the `creator` field which is part of the proposal request sent to the peer and passed into the chaincode. Internally it uses the equivalent of the `GetCreator` function and extracts the MSPID (https://chat.hyperledger.org/channel/fabric-ca?msg=gYiX32zpPn59GuEYi) @Brucepark

javrevasandeep (Sun, 11 Feb 2018 13:10:27 GMT):
Hi Guys

javrevasandeep (Sun, 11 Feb 2018 13:22:51 GMT):
I planned to use fabric root CA and fabric intermediate CA architecture for each organization. My understanding on this is fabric root CA role is to sign and generate fabric intermediate CA certificate and then we can stop root CA container. Fabric intermediate CA will sign and generate members and users certificates and can be stopped after generating certificates. Is this understanding correct? Can we store root CA private keys in HSM and access the same while signing and generating another intermediate CA for future purpose in case the earlier intermediate CA gets compromised. Also do we need to have seperate HSMs to store root CA, intermediate CA, members and users private keys.

smithbk (Sun, 11 Feb 2018 15:13:30 GMT):
@javrevasandeep Yes, stop root CA after generating intermediate CA cert. This is a best practice. They are usually on different systems with different HSMs, or at least in a different partition of the HSM. The HSM is tied to a physical machine. HSM is not required, but is certainly more secure because the private key can not be extracted from the HSM, and if the secret to access the HSM is compromised, it will not help you on another machine. Yes, you would have separate HSMs for root CA, intermediate CA, members and users keys ... at least typically ... but note that it is possible to have an HSM for one without the other

nirmal1988 (Mon, 12 Feb 2018 04:03:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZYvYop4nMMPPR9cwg) @aambati I get this output when I run fabric-ca:
```
nirmal@nirmal-VirtualBox:~/Desktop/apps/fabric-samples/fabric-ca$ ./start.sh
##### 2018-02-12 09:24:52 Cleaning up the data directory from previous run at ./data
##### 2018-02-12 09:24:52 Created docker-compose.yml
##### 2018-02-12 09:24:52 Creating docker containers ...
Creating peer2-org2 ... done
Creating run ... done
Creating rca-org0 ...
Creating rca-org2 ...
Creating ica-org1 ...
Creating ica-org0 ...
Creating ica-org2 ...
Creating setup ...
Creating peer2-org1 ...
Creating peer1-org2 ...
Creating orderer1-org0 ...
Creating peer1-org1 ...
Creating peer2-org2 ...
Creating run ...
##### 2018-02-12 09:25:05 Waiting for the 'setup' container to finish registering identities, creating the genesis block and other artifacts .....
##### 2018-02-12 09:25:07 Waiting for the docker 'run' container to start ..............
nirmal@nirmal-VirtualBox:~/Desktop/apps/fabric-samples/fabric-ca$
```
I have attached the logs... and here is the error:
```
2018-02-08 10:07:48.544 UTC [main] main -> ERRO 001 Cannot run peer because error when setting up MSP from directory /opt/gopath/src/github.com/hyperledger/fabric/peer/msp: the supplied identity is not valid: x509: certificate signed by unknown authority
```

nirmal1988 (Mon, 12 Feb 2018 04:06:56 GMT):

logs.zip

nirmal1988 (Mon, 12 Feb 2018 04:07:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4ei4yZofafAosr9Rv)

lkolisko (Mon, 12 Feb 2018 09:13:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jYpgKjWEGaZwAWRiJ) @mastersingh24 @aambati Thanks a lot. Your suggestion resolved my problem.

Brucepark (Mon, 12 Feb 2018 09:50:39 GMT):
Thank you very much:thumbsup:[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dpqFbmh55rabrfDJ2) @mastersingh24

javrevasandeep (Mon, 12 Feb 2018 10:24:42 GMT):
any update on FabricFAB-7654 Fabric SDK Node unit tests configured with HSM are failing on master branch

naveen_saravanan (Mon, 12 Feb 2018 11:19:27 GMT):
Does anyone know how to integrate LDAP with fabric-ca-server? I tried to go through the url:'http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#configuring-ldap' but was not able to understand it and was not able to find the files 'FABRIC_CA/scripts/run-ldap-tests' & 'FABRIC_CA/cli/server/ldap/ldap_test.go'. If anyone knows the steps, please help me with this integration of LDAP with fabric-ca-server.

javrevasandeep (Mon, 12 Feb 2018 13:00:38 GMT):
@naveen_saravanan have you tried enrolling a peer through fabric-node-sdk?

smithbk (Mon, 12 Feb 2018 14:25:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iQyAE638zvnsLAqLq) @naveen_saravanan See https://github.com/hyperledger/fabric-ca/blob/v1.1.0-alpha/scripts/fvt/ldap_test.sh ... the readme has the wrong link

DmitryNovenkykh (Mon, 12 Feb 2018 14:48:14 GMT):
Has joined the channel.

DmitryNovenkykh (Mon, 12 Feb 2018 14:48:59 GMT):
Hello everyone! I'm using Attribute-based Access Control and faced a problem. Is it possible to change user attributes? I didn't find how to change it. Will be appreciative of any help =)

aambati (Mon, 12 Feb 2018 15:16:48 GMT):
@nirmal1988 I looked at the logs, I did not find any errors in the rca/ica logs... so there was no problem generating certs... no errors generating the enrollment cert for the peer and I see that it is getting the ecert from the right CA... just want to make sure that you are running the latest fabric-ca sample code and you are using the 1.1 containers... fabric-ca containers were built on fabric 1.1 containers

aambati (Mon, 12 Feb 2018 15:19:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8nyepK5omK2z8xS9T) @DmitryNovenkykh it is possible to change user attributes:
1. Using the `fabric-ca-client identity` command, change attributes or attribute values
2. Reenroll to regenerate a new cert with the new attributes
3. Revoke the user's old cert
4. Generate a CRL
5. Update the CRL in the channel configuration

kostas (Mon, 12 Feb 2018 16:18:04 GMT):
The documentation [states](http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#getting-a-ca-certificate-chain-from-another-fabric-ca-server): > By default, the Fabric CA server returns the CA chain in child-first order. This means that each CA certificate in the chain is followed by its issuer’s CA certificate. If you need the Fabric CA server to return the CA chain in the opposite order, then set the environment variable CA_CHAIN_PARENT_FIRST to true and restart the Fabric CA server. The Fabric CA client will handle either order appropriately.

kostas (Mon, 12 Feb 2018 16:18:19 GMT):
Ignorant question: why do I care about the order?

aambati (Mon, 12 Feb 2018 16:27:35 GMT):
you only care about it if you are using third party generated CA cert to seed the fabric-ca server , instead of self signed cert that fabric-ca server generates

kostas (Mon, 12 Feb 2018 16:30:17 GMT):
Anil, thanks. _Why_ would I care about the order though? How does the order affect things? Is it a matter of speeding up validation requests, or something else?

aambati (Mon, 12 Feb 2018 16:49:52 GMT):
Server needs to know how to interpret the chain file , whether child is followed by master or vice-versa, while constructing the signer

kostas (Mon, 12 Feb 2018 16:50:25 GMT):
Ah, got it. Thanks.

kostas (Mon, 12 Feb 2018 16:53:34 GMT):
[This bit](https://hastebin.com/omayidomij.coffeescript) on `crl.expiry` is also unclear to me. Why would I want a CRL to expire?

aambati (Mon, 12 Feb 2018 18:30:15 GMT):
CRLs also have expirations like certificates..not sure if Fabric is respecting the expirations...i know it does not respect cert expirations currently, so it must be doing the same for CRLs

kostas (Mon, 12 Feb 2018 18:37:34 GMT):
Anil, thanks. I'm reading [RFC 5280](http://www.ietf.org/rfc/rfc5280.txt) (section 5.1.2.5) and it seems that `crl.expiry` (i.e. `nextUpdate`) is a means with which the CA server says "make sure to check back for new CRL every `crl.expiry` hours."

kostas (Mon, 12 Feb 2018 18:39:13 GMT):
FWIW, based on my readings through the RFCs, a CRL never really expires, even though that's how browsers treat the `nextUpdate` field.

kostas (Mon, 12 Feb 2018 18:39:13 GMT):
> not sure if Fabric is respecting the expirations... FWIW, based on my readings through the RFCs, a CRL never really expires, even though that's how browsers treat the `nextUpdate` field.

kostas (Mon, 12 Feb 2018 18:55:59 GMT):
On the topic of TLS, [the documentation states](http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enabling-tls): > The certfiles option is the set of root certificates trusted by the client. This will typically just be the root Fabric CA server’s certificate found in the server’s home directory in the ca-cert.pem file.

kostas (Mon, 12 Feb 2018 18:56:45 GMT):
Q1: Shouldn't that actually be `tls-cert.pem` instead of `ca-cert.pem`?

kostas (Mon, 12 Feb 2018 19:01:07 GMT):
Q2: Shouldn't there be a default filename for the TLS key that the server uses, as you guys already do for the TLS cert?

kostas (Mon, 12 Feb 2018 19:01:10 GMT):
The help text provided by the CLI suggests that this is not the case:
> --tls.certfile string   PEM-encoded TLS certificate file for server's listening port (default "tls-cert.pem")
> --tls.keyfile string    PEM-encoded TLS key for server's listening port

kostas (Mon, 12 Feb 2018 19:01:34 GMT):
Launching the CA server with `tls.enabled` set to `true` and the `--debug` option I also get:

kostas (Mon, 12 Feb 2018 19:01:58 GMT):
> 2018/02/12 13:57:51 [DEBUG] TLS Certificate: /Users/kchrist/Go/src/github.com/hyperledger/fabric-ca/bin/server/tls-cert.pem, TLS Key:

kostas (Mon, 12 Feb 2018 19:04:43 GMT):
As best as I can tell, you are generating a (new) key and placing it under `msp/keystore` when I activate TLS. If the CA server automatically picks that up (and it should... since TLS seems to be working), shouldn't I expect to see it in the debug message? I may be operating under a wrong assumption here.

aambati (Mon, 12 Feb 2018 19:05:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=R6Hywz3Wra5Nomqcv) @kostas if you have setup the msp using fabric-ca-client, same root of trust is used for enrollment and tls certificates

kostas (Mon, 12 Feb 2018 19:07:17 GMT):
Hm, why? And as a follow-up, what would be the point of `tls-cert.pem` in that case?

aambati (Mon, 12 Feb 2018 19:10:24 GMT):
The tls cert/key used by the server can be provided by the user, or the server can generate one; --tls.certfile and --tls.keyfile are used for letting users provide one

aambati (Mon, 12 Feb 2018 19:10:49 GMT):
tls-cert.pem is the name of the file used to store the server-generated tls certificate

aambati (Mon, 12 Feb 2018 19:11:11 GMT):
which will be signed by the same root ca certificate that is used to sign enrollment certs as well

kostas (Mon, 12 Feb 2018 19:11:59 GMT):
> tls-cert.pem is the name of the file used to store the server generated tls certficate

Understood. Which is why I was suggesting that `tls-cert.pem` instead of `ca-cert.pem` makes for a saner default in the instructions.

kostas (Mon, 12 Feb 2018 19:12:10 GMT):
At any rate, you guys know best.

kostas (Mon, 12 Feb 2018 19:12:31 GMT):
I'm still unclear on Q2 however: https://chat.hyperledger.org/channel/fabric-ca?msg=baJSFuxgZbjzAyyfi

aambati (Mon, 12 Feb 2018 19:12:49 GMT):
you are talking about this sentence: "The certfiles option is the set of root certificates trusted by the client. This will typically just be the root Fabric CA server’s certificate found in the server’s home directory in the ca-cert.pem file."

kostas (Mon, 12 Feb 2018 19:12:56 GMT):
(Correct.)

aambati (Mon, 12 Feb 2018 19:13:06 GMT):
that is on the client side

kostas (Mon, 12 Feb 2018 19:13:14 GMT):
(Correct.)

aambati (Mon, 12 Feb 2018 19:13:14 GMT):
client needs to trust server tls cert

kostas (Mon, 12 Feb 2018 19:13:19 GMT):
(Correct.)

kostas (Mon, 12 Feb 2018 19:13:25 GMT):
Which is `tls-cert.pem`.

aambati (Mon, 12 Feb 2018 19:13:30 GMT):
for which it needs to have the root CA cert

aambati (Mon, 12 Feb 2018 19:13:34 GMT):
which is ca-cert.pem

aambati (Mon, 12 Feb 2018 19:13:39 GMT):
not tls-cert.pem

kostas (Mon, 12 Feb 2018 19:13:47 GMT):
Ah, I get you now.

kostas (Mon, 12 Feb 2018 19:14:14 GMT):
Wait though, `tls-cert.pem` has to be communicated somehow though right?

kostas (Mon, 12 Feb 2018 19:14:54 GMT):
i.e. in the real world you would expect `tls-cert.pem` to be communicated, or you'd just let the root CA cert do the job?

kostas (Mon, 12 Feb 2018 19:15:34 GMT):
(I know the root CA cert alone is good enough, just wondering about the actual flow.)

kostas (Mon, 12 Feb 2018 19:15:34 GMT):
(I know the root CA cert alone is good enough, just wondering about the actual flow, i.e. what is your expectation for normal usage.)

aambati (Mon, 12 Feb 2018 19:15:56 GMT):
yes, during ssl handshake server will send its cert (tls-cert.pem ) to the client, and client needs to trust it ...to make it trust the server cert, it needs to have ca-cert.pem (ca cert that was used to sign the server tls cert) in the client's root of trust

kostas (Mon, 12 Feb 2018 19:16:18 GMT):
Gotcha, that makes perfect sense.

kostas (Mon, 12 Feb 2018 19:16:37 GMT):
Let's go back to the DEBUG printout on Q2. Shouldn't I expect to see the TLS key filename printed there?

aambati (Mon, 12 Feb 2018 19:17:28 GMT):
fabric-ca uses bccsp as the crypto provider

aambati (Mon, 12 Feb 2018 19:17:32 GMT):
it manages the keys

aambati (Mon, 12 Feb 2018 19:17:57 GMT):
all the keys are in the keystore folder with some long file names (hashes probably)

kostas (Mon, 12 Feb 2018 19:18:21 GMT):
Right, see: > As best as I can tell, you are generating a (new) key and placing it under `msp/keystore` when I activate TLS.

aambati (Mon, 12 Feb 2018 19:18:29 GMT):
yes

kostas (Mon, 12 Feb 2018 19:18:48 GMT):
All I'm saying is, this debug-level printout seems incomplete?

kostas (Mon, 12 Feb 2018 19:18:57 GMT):
> 2018/02/12 13:57:51 [DEBUG] TLS Certificate: /Users/kchrist/Go/src/github.com/hyperledger/fabric-ca/bin/server/tls-cert.pem, TLS Key:

aambati (Mon, 12 Feb 2018 19:19:12 GMT):
ok, i see

aambati (Mon, 12 Feb 2018 19:19:17 GMT):
we can fix that

kostas (Mon, 12 Feb 2018 19:20:08 GMT):
Perfect, thanks. Let me know if you want me to submit this as a lowest-priority bug?

aambati (Mon, 12 Feb 2018 19:20:42 GMT):
if you don't mind, please do

kostas (Mon, 12 Feb 2018 19:26:53 GMT):
Done: https://jira.hyperledger.org/browse/FAB-8221 (lowest priority improvement so as not to inflate the component's bug count)

kostas (Mon, 12 Feb 2018 19:33:23 GMT):
(Also: https://jira.hyperledger.org/browse/FAB-8222)

anillewis (Mon, 12 Feb 2018 20:16:17 GMT):
Hi, I have a question regarding --id.attrs switch while executing fabric-ca-client in 1.0.5 (this is documented in the stable version). How does one use this in the chain code if the attributes are added in the certificate only when using fabric ca 1.1.0?

jtclark (Mon, 12 Feb 2018 20:43:01 GMT):
Can someone here take a look at https://gerrit.hyperledger.org/r/#/c/17809/ ? This change addresses FAB-1446, but prior to merging, we'd like to have someone take a look at the "61 potentially unsafe SQL statements" found in the code before merging this new FVT.

jtclark (Mon, 12 Feb 2018 20:43:24 GMT):
@smithbk, @rennman :point_up_2_tone1:

aambati (Mon, 12 Feb 2018 22:59:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RgnmMXaDL3sSCKQ5X) @anillewis in 1.0.x, attributes were only used by fabric ca , for example, to designate some one a registrar..in 1.1, we added support for adding these attributes to ecerts and shim code to access these attributes in the chaincode

aambati (Mon, 12 Feb 2018 23:00:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=B4RuWADhuWmf8fjH5) @jtclark i will take a look

aambati (Mon, 12 Feb 2018 23:01:09 GMT):
can you add me and Allen Bailey as the reviewers

aambati (Mon, 12 Feb 2018 23:02:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Bkcwvr8KjBES8Wjaa) +1ed

naveen_saravanan (Mon, 12 Feb 2018 23:13:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kGGkwWqu5Ni3nvreG) @smithbk thank you. And do you know what are the steps to be followed for integrating LDAP with fabric-ca-server? If you do, could you help me ?

naveen_saravanan (Mon, 12 Feb 2018 23:16:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hdTxm7An6S5u4koRd) @javrevasandeep I think I am enrolling users only. Could you elaborate what you are looking for?

Ryan2 (Tue, 13 Feb 2018 01:10:29 GMT):
Has joined the channel.

aambati (Tue, 13 Feb 2018 03:07:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JKoKGvhHc4ma7cmc5) @naveen_saravanan https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#configuring-ldap

Ryan2 (Tue, 13 Feb 2018 05:08:09 GMT):
@jes 278 hi

nirmal1988 (Tue, 13 Feb 2018 06:12:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8nyepK5omK2z8xS9T) @DmitryNovenkykh Were you able to fetch the attr value in chain code (assuming attr is stored while enrollment of user) using this method in go chain code: val, ok, err := cid.GetAttributeValue(APIstub, "role")

nirmal1988 (Tue, 13 Feb 2018 06:37:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=64AtQygYk8sE769NZ) @aambati Yes Anil... i am using latest fabric-ca sample and fabric container 1.1 My main aim is to achieve ABAC implemented in fabcar sample, which i have modified and added connection profile as per balance transfer sample. As of now, i am able to store the attr value in certificate when i register and enroll user using enrollUser.js(have modified as per requirement) and when i query it, i want to check the user's attr value in GO CHAIN CODE using following statement. but i never get value. val, ok, err := cid.GetAttributeValue(APIstub, "role")

naveen_saravanan (Tue, 13 Feb 2018 11:54:44 GMT):
Hi, I followed the configuring LDAP section from the url 'https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#configuring-ldap' and modified the fabric-ca-server-config.yaml file's LDAP part as given below:
```
#############################################################################
ldap:
   # Enables or disables the LDAP client (default: false)
   # If this is set to true, the "registry" section is ignored.
   enabled: true
   # The URL of the LDAP server
   url: ldap://admin:adminpw@localhost:389
   userfilter: (uid=%s)
   tls:
      certfiles:
        - ldap-server-cert.pem
      client:
         certfile: ldap-client-cert.pem
         keyfile: ldap-client-key.pem
#############################################################################
```
And also started an LDAP server with the command given below:
```
docker run --env LDAP_ORGANISATION="consumer" --env LDAP_DOMAIN="example.com" \
  --env LDAP_ADMIN_PASSWORD="adminpw" --detach osixia/openldap:1.1.11
```

naveen_saravanan (Tue, 13 Feb 2018 11:58:43 GMT):
How do I know that the fabric-ca-server and LDAP server are successfully integrated? And if they are integrated successfully, how do I register, enroll and authenticate the users through the LDAP?

smithbk (Tue, 13 Feb 2018 12:33:55 GMT):
@nirmal1988 Are you sure that the attribute is in the certificate? You can go to the appropriate msp/signcerts folder and print the cert using `openssl x509 -in -text -noout` and if the attributes are present in the certificate, they will appear as JSON in the extensions section as follows:
```
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Subject Key Identifier:
        5C:72:D0:DD:8D:CC:57:3E:20:05:B1:4C:31:9E:48:CB:B3:B4:BB:D4
    X509v3 Authority Key Identifier:
        keyid:0F:28:7D:EF:8B:98:B8:7C:15:17:85:12:97:BB:2D:F6:53:0B:8A:BE
    X509v3 Subject Alternative Name:
        DNS:Keiths-MBP.nc.rr.com
    1.2.3.4.5.6.7.8.1:
        {"attrs":{"foo1":"bar1","foo2":"bar2"}}
```

smithbk (Tue, 13 Feb 2018 12:37:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gDZann9NL6LjYPEPj) @naveen_saravanan You know they are successfully integrated by testing that you can enroll successfully. When LDAP is enabled, you no longer can register identities using `fabric-ca-client register`. Instead, you must use LDAP APIs to manage the identities, and that is going to depend upon the LDAP server you are using. When you enroll, you are authenticating the user against the password via the LDAP APIs.

javrevasandeep (Tue, 13 Feb 2018 13:23:34 GMT):
Hi Guys

javrevasandeep (Tue, 13 Feb 2018 13:24:02 GMT):
I found that there is an open issue with HSM implementation. FabricFAB-7654 Fabric SDK Node unit tests configured with HSM are failing on master branch

javrevasandeep (Tue, 13 Feb 2018 13:24:25 GMT):
Can we still use HSM with some configuration

javrevasandeep (Tue, 13 Feb 2018 13:24:53 GMT):
is there any ETA for this issue?

SuvitPatil (Tue, 13 Feb 2018 13:53:33 GMT):
Has joined the channel.

SuvitPatil (Tue, 13 Feb 2018 13:56:23 GMT):
Hi Guys, can we use external certificates and keys in hyperledger fabric instead of generating from cryptogen tool. Do we have any document for that to test.

ArvsIndrarys (Tue, 13 Feb 2018 14:43:09 GMT):
Has joined the channel.

aambati (Tue, 13 Feb 2018 14:55:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ogotkMXNCZzryLH5K) @SuvitPatil yes, you can use certs issued by another CA in fabric... there was a developerWorks article by @pvrbharg but the link is missing... it is really a matter of populating the MSP with the third party CA root cert and certs signed by the third party CA... you can find more info on MSP at https://hyperledger-fabric.readthedocs.io/en/latest/msp.html

aambati (Tue, 13 Feb 2018 15:06:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HhYv5SP29NgZLYpLZ) @javrevasandeep i posted a comment in the JIRA 7654...you could also ask this question in the SDK channel...we should find out if this is a test issue or code issue

ongar (Tue, 13 Feb 2018 16:04:29 GMT):
Hi folks - we would like to enroll as a member in to a business network, but my company policy can't allow private key to be created by fabric-ca, while generating e-cert. Is there a way to pass only public key to fabric-ca, get enrollment certificate and get enrolled into the network?

aambati (Tue, 13 Feb 2018 16:09:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=F4FtHhkqAbrzx3fa9) @ongar short answer is no...but fabric ca uses bccsp (https://godoc.org/github.com/hyperledger/fabric/bccsp, https://jira.hyperledger.org/secure/attachment/10124/BCCSP.pdf) which is an api and default implementation. So, you could implement the bccsp API

ongar (Tue, 13 Feb 2018 16:13:04 GMT):
Thanks @aambati - I see that you have replied to @SuvitPatil mentioning that external certs are fine with CA. This seems to contradict what you just said?

ongar (Tue, 13 Feb 2018 16:13:32 GMT):
I mean, using external certs is what I asked for

aambati (Tue, 13 Feb 2018 16:16:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EorPr9kiLBGsN6zMM) @ongar let me correct my answer...you can create your private and public key pair, create a CSR (which includes the public key) and send the CSR to the fabric-ca server using the REST API; the server will issue a certificate

aambati (Tue, 13 Feb 2018 16:17:47 GMT):
but yes external certs are supported by the fabric ...note that fabric-ca is not needed for operation of a fabric network...msp can be setup using third party issued certs

ongar (Tue, 13 Feb 2018 16:22:33 GMT):
Thanks for the clarification, @aambati ! Without fabric-ca, how do we get t-certs? Can MSP provide the t-certs?

ongar (Tue, 13 Feb 2018 16:24:03 GMT):
Also is fabric-ca ever contacted by peers or orderers during processing of a transaction?

aambati (Tue, 13 Feb 2018 16:33:36 GMT):
no to the second question...although fabric ca supports tcerts, they are not being used by the fabric...plan is to support identity mixer (which uses zero knowledge proof) certs in the next release, which allows generation of unlinkable tcerts without having to go to CA see https://www.zurich.ibm.com/identity_mixer/

Asara (Tue, 13 Feb 2018 16:36:20 GMT):
@aambati Is it possible to run identity mixer yourself?

aambati (Tue, 13 Feb 2018 16:39:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Nuq2s6rSwvAhoMr63) @Asara are you asking if you can run identity mixer to generate ecerts?

Asara (Tue, 13 Feb 2018 16:41:39 GMT):
As in can I self host id mixer

pvrbharg (Tue, 13 Feb 2018 16:44:01 GMT):
@SuvitPatil Hi Suvit - can you please let me know your email - so I can work with you. Thanks

ongar (Tue, 13 Feb 2018 17:00:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LQw9yKb4Sh64jHmWQ) @aambati - t-certs are not being used in the release version of fabric right now? Then how are the transactions authenticated/authorized?

aambati (Tue, 13 Feb 2018 18:32:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jLsESaLtrjZ7XSz6E) @Asara i am not 100% sure...i think you can write a lite weight CA that uses id mixer but you can as well enhance fabric CA

aambati (Tue, 13 Feb 2018 18:32:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rkRywfhnogSGtzc2F) @ongar using enrollment certs

ongar (Tue, 13 Feb 2018 21:03:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4FRtaZJZJeTuXSXWJ) @aambati - can you please provide me any links to docs or code where it indicates that enrolment certs are being used in place of t-certs for authorizing transactions?

ongar (Tue, 13 Feb 2018 21:05:37 GMT):
Also, what about attributes that used to be in t-certs? Do e-certs carry them now?

aambati (Tue, 13 Feb 2018 21:41:02 GMT):
ecerts have the attributes

aambati (Tue, 13 Feb 2018 21:43:21 GMT):
https://hyperledger-fabric.readthedocs.io/en/latest/txflow.html

aambati (Tue, 13 Feb 2018 21:44:05 GMT):
https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#attribute-based-access-control

aambati (Tue, 13 Feb 2018 21:44:56 GMT):
https://github.com/hyperledger/fabric/blob/master/core/chaincode/lib/cid/README.md

naveen_saravanan (Wed, 14 Feb 2018 04:22:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PSbEoeohkQRHktnKG) @smithbk Ok and how do I register & enroll users in the LDAP server? Is there any document or command lines related to this?

ngeorge (Wed, 14 Feb 2018 06:25:02 GMT):
Can each organisation on a network have its own Fabric CA and still perform the install, instantiate etc properly? Should we place the certificates associated with each CAs on a root CA? Or can this work without the root CA concept?

smithbk (Wed, 14 Feb 2018 09:09:42 GMT):
@naveen_saravanan When LDAP is enabled, use the APIs or CLI specific to the LDAP server to register users. For example, if using openldap, see https://github.com/hyperledger/fabric-ca/blob/v1.1.0-alpha/images/fabric-ca-fvt/payload/slapd_setup.sh#L38 which registers all identities listed in https://github.com/hyperledger/fabric-ca/blob/v1.1.0-alpha/images/fabric-ca-fvt/payload/add-users.ldif#L7 with the openldap server. To enroll, use the normal `fabric-ca-server enroll -u http://:@:` command where by default the is one of the `uid` attribute values; for example, see this one: https://github.com/hyperledger/fabric-ca/blob/v1.1.0-alpha/images/fabric-ca-fvt/payload/add-users.ldif#L67. And the associated is this value https://github.com/hyperledger/fabric-ca/blob/v1.1.0-alpha/images/fabric-ca-fvt/payload/add-users.ldif#L29. The does not have to be the LDAP `uid` attribute and could be changed by using this option when starting the fabric-ca-server: ```--ldap.userfilter string The LDAP user filter to use when searching for users (default "(uid=%s)")``` See this in the fabric-ca-server usage message.

smithbk (Wed, 14 Feb 2018 09:14:11 GMT):
@ngeorge Yes, each org on a network may have its own fabric CA server. Each org could have its own root and intermediate CA. You could use just a root CA for each org, but root and intermediate CAs are a security best practice: the root CA only needs to be online long enough to issue certificates to the intermediate CA, which reduces the possibility of a compromise of the root CA key.

ngeorge (Wed, 14 Feb 2018 09:44:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ANpAiaywbEgec4hEZ) @smithbk So how will the certificates issued by one organisation be trusted by another organisation, as they both have certificates issued by different Root/Intermediate CAs?

smithbk (Wed, 14 Feb 2018 09:50:52 GMT):
@ngeorge In fabric, a channel contains multiple MSPs (Membership Service Providers). Each MSP contains root and optionally intermediate certs. So when you bootstrap a channel (which contains a ledger), the group of MSPs associated with the channel defines who can transact on that channel. And the channel also has a policy to then change the MSPs associated with a channel. For example, to add a new org to a channel/ledger, it could require approval by an administrator from all of the current orgs on the channel. You can read more about MSPs at http://hyperledger-fabric.readthedocs.io/en/release/msp.html

ngeorge (Wed, 14 Feb 2018 09:53:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DH5NS6KwqhwDeu4cA) @smithbk Okay. Thank you.

ongar (Wed, 14 Feb 2018 11:46:53 GMT):
Any samples for using an existing HSM for an application user, for signing the transaction proposals?

smithbk (Wed, 14 Feb 2018 13:07:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pp6ZbwiCEFW4RiFoJ) @ongar For the node SDK, see https://github.com/hyperledger/fabric-sdk-node/blob/v1.1.0-alpha/test/unit/pkcs11.js

daygee (Wed, 14 Feb 2018 13:17:09 GMT):
Has joined the channel.

ongar (Wed, 14 Feb 2018 13:46:09 GMT):
Thanks @smithbk ! Will try this out.

devth (Wed, 14 Feb 2018 17:29:33 GMT):
Has joined the channel.

MokeyJoy (Thu, 15 Feb 2018 06:20:41 GMT):
Has joined the channel.

MokeyJoy (Thu, 15 Feb 2018 06:50:50 GMT):
When I generate crypto-config I get 1 default user "Admin@org1.example.com". Is this the same user as "admin:adminpw"?

naveen_saravanan (Thu, 15 Feb 2018 09:36:37 GMT):
Hi, when creating an LDAP server, will it create/register an admin user in the LDAP server?

rake66 (Thu, 15 Feb 2018 09:37:38 GMT):
well you got the cert, you don't need a pw

rake66 (Thu, 15 Feb 2018 09:38:30 GMT):
there's no CA to check your password if you had one

naveen_saravanan (Thu, 15 Feb 2018 09:43:53 GMT):
Hi, when configuring LDAP on fabric-ca-server by modifying the fabric-ca-server-config.yaml file's LDAP section as: "ldap: enabled: true url: ldap://cn=admin,dc=example,dc=com:admin@localhost:389/dc=example,dc=com userfilter: (uid=%s)" with respect to the url "https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#configuring-ldap", will it create/register an admin in the LDAP server?

naveen_saravanan (Thu, 15 Feb 2018 09:46:17 GMT):
How do I register a user in the LDAP server? And if I did register a new user, where will the registered user information be stored?

naveen_saravanan (Thu, 15 Feb 2018 09:55:01 GMT):
Is creating a server with the below given command: "docker run --name openldap-server --env LDAP_DOMAIN="example.com" \ --env LDAP_ADMIN_PASSWORD="adminpw" --detach osixia/openldap:1.1.11" appropriate for the modification done in the fabric-ca-server-config.yaml file's LDAP section as: "ldap: enabled: true url: ldap://cn=admin,dc=example,dc=com:admin@localhost:389/dc=example,dc=com userfilter: (uid=%s)" ?

ashok.pannala (Thu, 15 Feb 2018 10:08:00 GMT):
Has joined the channel.

KillerGasy (Thu, 15 Feb 2018 12:08:15 GMT):
Has joined the channel.

smithbk (Thu, 15 Feb 2018 12:11:26 GMT):
@naveen_saravanan The https://github.com/hyperledger/fabric-ca/blob/v1.1.0-alpha/images/fabric-ca-fvt/payload/slapd_setup.sh script that I referenced earlier is what installs, configures, starts, and adds users to the slapd LDAP server. We chose to use the ldif file to add multiple users at once. I'm not sure how that image is set up wrt the schema for the admin identity and use of the LDAP_ADMIN_PASSWORD thru env variable, but if that creates an entry with a uid entry equal to "admin", I suppose it should work.

ArvsIndrarys (Thu, 15 Feb 2018 13:23:23 GMT):
Hi all ! I want to integrate LDAP in my CA. But does it replace MySQL/Postgres or is it used in addition to them? Some StackOverflow answers say 'yes' and others 'no' so I'm kinda lost atmo...

skarim (Thu, 15 Feb 2018 14:48:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=byyK7BRjRFGwa3YMS) @ArvsIndrarys If using LDAP, it will be used in conjunction with MySQL/Postgres. LDAP will be used to enroll a user, but a record of the issued certificate will be stored in the database.

ArvsIndrarys (Thu, 15 Feb 2018 14:50:05 GMT):
@skarim thanks !

naveen_saravanan (Thu, 15 Feb 2018 15:58:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=p35WLSsDgKtLhcH37) @smithbk I tried the ldapadd command and got the below logs:
```
root@hibiz-Aspire-E5-575:/home/hibiz/LDAP-Folder# ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif
Enter LDAP Password:
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Groups,dc=example,dc=com"
adding new entry "cn=miners,ou=Groups,dc=example,dc=com"
adding new entry "uid=john,ou=People,dc=example,dc=com"
root@hibiz-Aspire-E5-575:/home/hibiz/LDAP-Folder#
```
In this, how do I check if a user is added? Or where do the user details get stored in LDAP?

naveen_saravanan (Thu, 15 Feb 2018 16:01:47 GMT):
Is adding a user in LDAP the same as registering a user in fabric-ca-server (similar to the "fabric-ca-client register" command)?

aambati (Thu, 15 Feb 2018 16:18:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=upcHG3uXayPYmgmRu) @naveen_saravanan yes, it is equivalent

naveen_saravanan (Fri, 16 Feb 2018 00:42:34 GMT):
@aambati Ok, and how do I check if a user is added? And where do the added user details get stored in LDAP?

naveen_saravanan (Fri, 16 Feb 2018 09:27:54 GMT):
Hi I have added the users to the ldap server and was able to view the added users using ldapsearch and also using the Jxplorer. But when I tried to enroll the user (for eg:'John') got "Failed to get identity 'John': Failed to connect to LDAP server over TCP at localhost:389: LDAP Result Code 200 "": dial tcp 127.0.0.1:389: getsockopt: connection refused" error in the fabric-ca-server logs. Why do I get this error and what should I do?

Pranoti (Fri, 16 Feb 2018 11:22:53 GMT):
Has joined the channel.

Pranoti (Fri, 16 Feb 2018 11:23:36 GMT):
Hi, currently I'm working on this tutorial https://www.skcript.com/svr/setting-up-a-blockchain-business-network-with-hyperledger-fabric-and-composer-running-in-multiple-physical-machine. After executing this command `docker exec peer0.org1.example.com peer channel create -o orderer.example.com:7050 -c channel001 -f /etc/hyperledger/configtx/composer-channel.tx` I'm getting this error:
```
2018-02-16 10:21:22.963 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing local MSP
2018-02-16 10:21:22.964 UTC [msp] GetDefaultSigningIdentity -> DEBU 002 Obtaining default signing identity
2018-02-16 10:21:22.965 UTC [channelCmd] InitCmdFactory -> INFO 003 Endorser and orderer connections initialized
2018-02-16 10:21:22.965 UTC [msp] GetLocalMSP -> DEBU 004 Returning existing local MSP
2018-02-16 10:21:22.965 UTC [msp] GetDefaultSigningIdentity -> DEBU 005 Obtaining default signing identity
2018-02-16 10:21:22.966 UTC [msp] GetLocalMSP -> DEBU 006 Returning existing local MSP
2018-02-16 10:21:22.966 UTC [msp] GetDefaultSigningIdentity -> DEBU 007 Obtaining default signing identity
2018-02-16 10:21:22.966 UTC [msp/identity] Sign -> DEBU 008 Sign: plaintext: 0A8C060A074F7267314D53501280062D...6D706F736572436F6E736F727469756D
2018-02-16 10:21:22.966 UTC [msp/identity] Sign -> DEBU 009 Sign: digest: BAF05B786F0F0F6B762A3D214949F22698D680B14C675DB9219D78930CDA90F5
2018-02-16 10:21:22.966 UTC [msp] GetLocalMSP -> DEBU 00a Returning existing local MSP
2018-02-16 10:21:22.966 UTC [msp] GetDefaultSigningIdentity -> DEBU 00b Obtaining default signing identity
2018-02-16 10:21:22.966 UTC [msp] GetLocalMSP -> DEBU 00c Returning existing local MSP
2018-02-16 10:21:22.966 UTC [msp] GetDefaultSigningIdentity -> DEBU 00d Obtaining default signing identity
2018-02-16 10:21:22.966 UTC [msp/identity] Sign -> DEBU 00e Sign: plaintext: 0AC4060A1608021A0608A2E19AD40522...B1E6F31A8B3ED86867033236EDC5720D
2018-02-16 10:21:22.966 UTC [msp/identity] Sign -> DEBU 00f Sign: digest: 7A753EB23BE56D9F5C3F7EC1D82A463B014B75E158118B5F4EEC41B6A8E4213C
Error: Got unexpected status: BAD_REQUEST

Usage:
  peer channel create [flags]

Flags:
  -c, --channelID string   In case of a newChain command, the channel ID to create.
  -f, --file string        Configuration transaction file generated by a tool such as configtxgen for submitting to orderer
  -t, --timeout int        Channel creation timeout (default 5)

Global Flags:
      --cafile string              Path to file containing PEM-encoded trusted certificate(s) for the ordering endpoint
      --logging-level string       Default logging level and overrides, see core.yaml for full syntax
  -o, --orderer string             Ordering service endpoint
      --test.coverprofile string   Done (default "coverage.cov")
      --tls                        Use TLS when communicating with the orderer endpoint
  -v, --version                    Display current version of fabric peer server
```
I tried changing the channel name twice, but it's still not working.

smithbk (Fri, 16 Feb 2018 12:55:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2kZ86T6BcxFN2NwPC) @naveen_saravanan Are you sure you're running the ldap server on the same host as the fabric-ca-server? You may need to change 127.0.0.1 to the external hostname or IP address in the fabric-ca-server-config.yaml

smithbk (Fri, 16 Feb 2018 12:58:42 GMT):
@pranoti I recommend trying the #fabric-peer-orderer-committer channel

aambati (Fri, 16 Feb 2018 13:32:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=E4dDhRTZCgsasMsh5) @Pranoti what do you see in orderer and peer logs?

Pranoti (Fri, 16 Feb 2018 13:34:10 GMT):
I got this error in the orderer log:
```
2018-02-16 10:21:13.435 UTC [orderer/multichain] newChainSupport -> DEBU 0cc [channel: testchainid] Retrieved metadata for tip of chain (blockNumber=0, lastConfig=0, lastConfigSeq=0):
2018-02-16 10:21:13.435 UTC [orderer/multichain] NewManagerImpl -> INFO 0cd Starting with system channel testchainid and orderer type solo
2018-02-16 10:21:13.435 UTC [orderer/main] main -> INFO 0ce Beginning to serve requests
2018-02-16 10:21:22.965 UTC [orderer/main] Deliver -> DEBU 0cf Starting new Deliver handler
2018-02-16 10:21:22.966 UTC [orderer/common/deliver] Handle -> DEBU 0d0 Starting new deliver loop
2018-02-16 10:21:22.966 UTC [orderer/common/deliver] Handle -> DEBU 0d1 Attempting to read seek info message
2018-02-16 10:21:22.968 UTC [orderer/main] Broadcast -> DEBU 0d2 Starting new Broadcast handler
2018-02-16 10:21:22.968 UTC [orderer/common/broadcast] Handle -> DEBU 0d3 Starting new broadcast loop
2018-02-16 10:21:22.968 UTC [orderer/common/broadcast] Handle -> DEBU 0d4 Preprocessing CONFIG_UPDATE
2018-02-16 10:21:22.968 UTC [orderer/configupdate] Process -> DEBU 0d5 Processing channel creation request for channel channel001
2018-02-16 10:21:22.968 UTC [orderer/common/broadcast] Handle -> WARN 0d6 Rejecting CONFIG_UPDATE because: Proposed configuration has no application group members, but consortium contains members
2018-02-16 10:21:22.969 UTC [orderer/main] func1 -> DEBU 0d7 Closing Broadcast stream
2018-02-16 10:21:22.971 UTC [orderer/common/deliver] Handle -> WARN 0d8 Error reading from stream: rpc error: code = Canceled desc = context canceled
2018-02-16 10:21:22.971 UTC [orderer/main] func1 -> DEBU 0d9 Closing Deliver stream
```

Pranoti (Fri, 16 Feb 2018 13:39:44 GMT):
This is the peer0 log:
```
2018-02-16 13:35:40.291 UTC [chaincode] HandleMessage -> DEBU 1b4 [267d52e0]Fabric side Handling ChaincodeMessage of type: COMPLETED in state ready
2018-02-16 13:35:40.291 UTC [chaincode] HandleMessage -> DEBU 1b5 [267d52e0-a83f-49ec-8394-4a2b1f784166]HandleMessage- COMPLETED. Notify
2018-02-16 13:35:40.291 UTC [chaincode] notify -> DEBU 1b6 notifying Txid:267d52e0-a83f-49ec-8394-4a2b1f784166
2018-02-16 13:35:40.291 UTC [chaincode] Execute -> DEBU 1b7 Exit
2018-02-16 13:35:40.291 UTC [sccapi] deploySysCC -> INFO 1b8 system chaincode qscc/(github.com/hyperledger/fabric/core/chaincode/qscc) deployed
2018-02-16 13:35:40.291 UTC [nodeCmd] initSysCCs -> INFO 1b9 Deployed system chaincodess
2018-02-16 13:35:40.291 UTC [nodeCmd] serve -> INFO 1ba Starting peer with ID=[name:"peer0.org1.example.com" ], network ID=[dev], address=[peer0.org1.example.com:7051]
2018-02-16 13:35:40.292 UTC [nodeCmd] serve -> INFO 1bb Started peer with ID=[name:"peer0.org1.example.com" ], network ID=[dev], address=[peer0.org1.example.com:7051]
2018-02-16 13:35:40.292 UTC [flogging] setModuleLevel -> DEBU 1bc Module 'msp/identity' logger enabled for log level 'WARNING'
2018-02-16 13:35:40.292 UTC [flogging] setModuleLevel -> DEBU 1bd Module 'msp' logger enabled for log level 'WARNING'
2018-02-16 13:35:40.292 UTC [flogging] setModuleLevel -> DEBU 1be Module 'configvalues/msp' logger enabled for log level 'WARNING'
2018-02-16 13:35:40.292 UTC [flogging] setModuleLevel -> DEBU 1bf Module 'gossip/state' logger enabled for log level 'WARNING'
2018-02-16 13:35:40.292 UTC [flogging] setModuleLevel -> DEBU 1c0 Module 'gossip/comm' logger enabled for log level 'WARNING'
2018-02-16 13:35:40.292 UTC [flogging] setModuleLevel -> DEBU 1c1 Module 'gossip/pull' logger enabled for log level 'WARNING'
2018-02-16 13:35:40.292 UTC [flogging] setModuleLevel -> DEBU 1c2 Module 'peer/gossip/sa' logger enabled for log level 'WARNING'
2018-02-16 13:35:40.293 UTC [flogging] setModuleLevel -> DEBU 1c3 Module 'gossip/election' logger enabled for log level 'WARNING'
2018-02-16 13:35:40.293 UTC [flogging] setModuleLevel -> DEBU 1c4 Module 'peer/gossip/mcs' logger enabled for log level 'WARNING'
2018-02-16 13:35:40.293 UTC [flogging] setModuleLevel -> DEBU 1c5 Module 'gossip/service' logger enabled for log level 'WARNING'
2018-02-16 13:35:40.293 UTC [flogging] setModuleLevel -> DEBU 1c6 Module 'gossip/discovery' logger enabled for log level 'WARNING'
2018-02-16 13:35:40.293 UTC [flogging] setModuleLevel -> DEBU 1c7 Module 'gossip/gossip' logger enabled for log level 'WARNING'
2018-02-16 13:35:40.293 UTC [flogging] setModuleLevel -> DEBU 1c8 Module 'kvledger.util' logger enabled for log level 'INFO'
2018-02-16 13:35:40.293 UTC [flogging] setModuleLevel -> DEBU 1c9 Module 'kvledger' logger enabled for log level 'INFO'
2018-02-16 13:35:40.293 UTC [flogging] setModuleLevel -> DEBU 1ca Module 'ledgermgmt' logger enabled for log level 'INFO'
2018-02-16 13:35:40.293 UTC [flogging] setModuleLevel -> DEBU 1cb Module 'cauthdsl' logger enabled for log level 'WARNING'
2018-02-16 13:35:40.293 UTC [flogging] setModuleLevel -> DEBU 1cc Module 'policies' logger enabled for log level 'WARNING'
2018-02-16 13:35:40.294 UTC [flogging] setModuleLevel -> DEBU 1cd Module 'grpc' logger enabled for log level 'ERROR'
```

naveen_saravanan (Fri, 16 Feb 2018 13:41:49 GMT):
@smithbk I am running the ldap server and fabric-ca-server in localhost of my machine. And what do you mean by "You may need to change 127.0.0.1 to the external hostname or IP address in the fabric-ca-server-config.yaml"?

ArvsIndrarys (Fri, 16 Feb 2018 13:57:06 GMT):
@naveen_saravanan 127.0.0.1 is accessible only by the machine it is on. Localhost can be accessible by any other machine on the same network. As an example, I am using docker for the ca and mysql. My CA has the `root_ca` alias and my mysql container has the `mysql_dev` alias on the same network. So if I want my `root_ca` container to connect to `mysql_dev`, I have to set up the connection to : `user:password@tcp(mysql_server:3306)/fabric_ca?parseTime=true&tls=custom` . For the ldap, it should be something like `ldap://:@:/` with host corresponding to its hostname or @IP.

5igm4 (Fri, 16 Feb 2018 20:24:53 GMT):
Quick question guys, has fabric-ca been tested against an ldap server cluster running in multi-master configurations? In my personal attempts, fabric-ca has been unable to bind successfully when running in multi-master, and successful when running a single instance. The key difference here is what I'm passing to -h when running slapd. In the single server, I can get away using the default: `ldapi:/// ldap:///` In a multimaster, I specify it as `ldapi:// ldap://{dns-name}` When specifying it as shown in the latter, each ldap cli call (ie, ldapsearch, ldapadd) requires me to specify the `-H` argument, which requires the `ldap://{dns-name}` Regardless of how I configured fabric-ca-server--and believe me, I've tried many combinations of hostnames--I was unable to get fabric-ca client to authenticate when ldap is configured in multimaster. Any help/input would be greatly appreciated!

AnandBanik (Fri, 16 Feb 2018 22:20:52 GMT):
@Pranoti ...not sure....but I got a similar error when I was trying to create a channel which already existed....were you able to reproduce this error after restarting the ordering service?

Amjadnz (Sat, 17 Feb 2018 06:52:29 GMT):
Hi all, from where does the `cryptogen` pick up the CSR (Certificate Signing Request) attributes?

Amjadnz (Sat, 17 Feb 2018 07:02:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rJyvBzLgZY959Qsmq) - never mind - it is in the cryptoconfig.yaml file itself

wbhagan (Sat, 17 Feb 2018 22:16:43 GMT):
Has joined the channel.

knagware9 (Sun, 18 Feb 2018 06:09:04 GMT):
I am following the Hyperledger Fabric sample Balance-transfer from this link. I have modified it a bit; now I have 3 Orgs with 1 peer each. All goes fine till I enroll users to Org1 and Org2, but when I try to enroll a user to my 3rd Org I get the following error

knagware9 (Sun, 18 Feb 2018 06:09:22 GMT):
Failed to get registered user: xyz with error: Error: fabric-ca request register failed with errors [[{"code":63,"message":"Failed to get Affiliation: sql: no rows in result set"}]]

mastersingh24 (Sun, 18 Feb 2018 11:24:02 GMT):
@knagware9 - I believe you asked this over in Stack Overflow as well? https://stackoverflow.com/a/48840929/6160507

knagware9 (Sun, 18 Feb 2018 11:52:02 GMT):
No, I didn't ask, but I checked that and tried to follow it, but not successfully

knagware9 (Sun, 18 Feb 2018 11:52:58 GMT):
actually I logged in to the CA container and ran those commands from there

naveen_saravanan (Sun, 18 Feb 2018 13:02:06 GMT):
@smithbk and @ArvsIndrarys Ok.

naveen_saravanan (Sun, 18 Feb 2018 13:05:19 GMT):
I have set the LDAP value in the 'fabric-ca-server-config.yaml' file in the fabric-ca-server with:
```yaml
ldap:
   # Enables or disables the LDAP client (default: false)
   # If this is set to true, the "registry" section is ignored.
   enabled: true
   # The URL of the LDAP server
   url: ldap://cn=admin,dc=example.com,dc=consumer:adminpw@localhost:636/dc=example.com,dc=consumer
   userfilter: (uid=%s)
   tls:
      certfiles:
        - ldap-server-cert.pem
      client:
         certfile: ldap-client-cert.pem
         keyfile: ldap-client-key.pem
```
Where do the pem files mentioned here (such as "ldap-server-cert.pem", "ldap-client-cert.pem" and "ldap-client-key.pem") get stored?

naveen_saravanan (Sun, 18 Feb 2018 13:10:20 GMT):
f

naveen_saravanan (Sun, 18 Feb 2018 13:20:41 GMT):
How do I add users similar to "admin" (dn: cn=admin,dc=example,dc=com) in ldap server?
```
root@hibiz-Aspire-E5-575:/home/hibiz# ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn
dn: dc=example,dc=com
dn: cn=admin,dc=example,dc=com
dn: ou=People,dc=example,dc=com
dn: ou=Groups,dc=example,dc=com
dn: cn=miners,ou=Groups,dc=example,dc=com
dn: uid=john,ou=People,dc=example,dc=com
root@hibiz-Aspire-E5-575:/home/hibiz#
```

naveen_saravanan (Sun, 18 Feb 2018 13:41:07 GMT):
Hi everyone, is there any way to add users through a Node.js application instead of the command line `ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f add-users.ldif`? And if users can be added through the Node.js application, please share any documentation or links related to it.

Pranoti (Mon, 19 Feb 2018 06:12:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kB3ouHSHuvdSY23H6) @AnandBanik It's throwing an error at the time of creating the channel.. But I tried changing the channel name too. It didn't work..

javrevasandeep (Mon, 19 Feb 2018 07:51:09 GMT):
@smithbk @aambati I am getting error
```
Error: Error getting chaincode code chaincode: Error getting chaincode package bytes: Error obtaining dependencies for github.com/hyperledger/fabric/core/chaincode/lib/cid: : failed with error: "exit status 1"
can't load package: package github.com/hyperledger/fabric/core/chaincode/lib/cid: cannot find package "github.com/hyperledger/fabric/core/chaincode/lib/cid" in any of:
	/opt/go/src/github.com/hyperledger/fabric/core/chaincode/lib/cid (from $GOROOT)
	/opt/gopath/src/github.com/hyperledger/fabric/core/chaincode/lib/cid (from $GOPATH)
```

javrevasandeep (Mon, 19 Feb 2018 07:51:32 GMT):
while trying to run fabric-samples/fabric-ca example

javrevasandeep (Mon, 19 Feb 2018 07:52:34 GMT):
I followed the steps

javrevasandeep (Mon, 19 Feb 2018 07:52:34 GMT):
1. run `./stop.sh` in the hyperledger/fabric-samples/fabric-ca folder
2. Run `make docker-clean` in the hyperledger/fabric-ca folder
3. Run `make docker-clean docker` in the hyperledger/fabric folder
4. Run export FABRIC_TAG= image
5. Run `make docker` in the hyperledger/fabric-ca folder
6. Replace "hf.admin" with "admin" in the hyperledger/fabric-samples/fabric-ca/scripts/setup-fabric.sh
7. Run start.sh in the hyperledger/fabric-samples/fabric-ca folder

gospodin.bodurov (Mon, 19 Feb 2018 08:21:32 GMT):
Has joined the channel.

nirmal1988 (Mon, 19 Feb 2018 09:10:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FMWCYXv6kXALtWhsm) @javrevasandeep Use vendor folder concept here. Browse previous chat... it is already discussed here

naveen_saravanan (Mon, 19 Feb 2018 10:40:28 GMT):
Hi, I could enroll 'admin' from OpenLDAP to fabric-ca-server, but when I try to enroll other added users I am getting the error "Failed to get identity 'Sam': sql: no rows in result set" in the fabric-ca-server logs. Why do I get this error?

javrevasandeep (Mon, 19 Feb 2018 10:57:53 GMT):
Hi Guys. I am facing some issue while running fabric-samples/fabric-ca

javrevasandeep (Mon, 19 Feb 2018 10:57:54 GMT):
```
Error: Error endorsing chaincode: rpc error: code = Unknown desc = error starting container: Failed to generate platform-specific docker build: Error returned from build: 1 "opt/gopath/src/github.com/hyperledger/fabric/bccsp/sw/impl.go:26:2: cannot find package "github.com/hyperledger/fabric/common/errors" in any of:
	/opt/gopath/src/github.com/hyperledger/fabric/vendor/github.com/hyperledger/fabric/common/errors (vendor tree)
	/opt/go/src/github.com/hyperledger/fabric/common/errors (from $GOROOT)
	/chaincode/input/src/github.com/hyperledger/fabric/common/errors (from $GOPATH)
	/opt/gopath/src/github.com/hyperledger/fabric/common/errors
"
```

vitiko (Mon, 19 Feb 2018 11:41:48 GMT):
Has joined the channel.

SudheerKaspa (Mon, 19 Feb 2018 12:37:39 GMT):

Clipboard - February 19, 2018 6:07 PM

SudheerKaspa (Mon, 19 Feb 2018 12:37:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iTQ3H7ixvwL6XhRsX) How do I resolve the following error on running the `./byfn.sh -m up` command?

javrevasandeep (Mon, 19 Feb 2018 12:59:16 GMT):
Hi Guys.

javrevasandeep (Mon, 19 Feb 2018 12:59:18 GMT):
I am running the fabric-samples/fabric-ca example and facing issues. Below are the steps I followed:
1. cloned latest fabric and fabric-ca repositories; cloned latest fabric-samples repository
2. run ./build-images.sh file in fabric-samples/fabric-ca
3. and then finally run ./start.sh file
I am getting an error. I checked in the run.log file inside /data/logs and found the below error:
```
2018-02-19 12:01:46.535 UTC [msp] GetDefaultSigningIdentity -> DEBU 002 Obtaining default signing identity
Error: failed to create deliver client: orderer client failed to connect to orderer1-org0:7050: failed to create new connection: remote error: tls: bad certificate
```
When I checked in /data/logs/orderer1-org0.log, I found the below error:
```
2018-02-19 12:10:35.614 UTC [orderer/common/server] Start -> INFO 0c3 Beginning to serve requests
2018-02-19 12:10:44.814 UTC [grpc] Printf -> DEBU 0c4 grpc: Server.Serve failed to complete security handshake from "172.18.0.14:49788": tls: client didn't provide a certificate
```

vieiramanoel (Mon, 19 Feb 2018 13:31:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iTQ3H7ixvwL6XhRsX) @SudheerKaspa you can always ask at #fabric-questions but to solve this just `./byfn.sh -m down`

javrevasandeep (Mon, 19 Feb 2018 13:37:40 GMT):
@aambati @smithbk Any update on fabric-samples/fabric-ca issue explained above. I am using fabric commit e91df49c8ad05ec5a9c9dce75e87cc29549aa690 and fabric-ca commit 8eb2b2ba42b7871837ddc566721021911cd50f7a and fabric-samples commit 24f35c14932a0ae622dd32da76ceb33afd635594

skarim (Mon, 19 Feb 2018 14:52:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7D8xQHbCpSoj9dnWL) @naveen_saravanan If you are using LDAP, you need to make sure that the user 'Sam' is present within the LDAP directory for you to be able to enroll it

aambati (Mon, 19 Feb 2018 15:55:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZZLByATjrtp7wZyDW) @5igm4 I don't know off hand, I can find out and let you know

salmanbaset (Mon, 19 Feb 2018 18:32:43 GMT):
when using LDAP as the backend, is there a way to specify in Fabric CA configuration which attributes can possibly be encoded in a cert? (related to 1.1 preview)

skarim (Mon, 19 Feb 2018 19:32:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jj7Yn4dHBvyzNJtKE) @salmanbaset Have you taken a look at https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#configuring-ldap ? Towards the end of this section it describes how LDAP attributes can be mapped to fabric ca attributes

ahmedsajid (Mon, 19 Feb 2018 20:11:38 GMT):
Hi All, has anyone experienced the following error when using MariaDB 5.5.56 with the fabric-ca:x86_64-1.1.0-alpha Docker image?
```
2018/02/19 20:07:52 [ERROR] Error occurred initializing database: Failed to create user registry for MySQL: Failed to create MySQL tables: Error creating index on affiliations table: Error 1709: Index column size too large. The maximum column size is 767 bytes.
```
I was able to fix this by running the following MySQL command manually:
```sql
alter table affiliations ROW_FORMAT=DYNAMIC;
```
It seems to be thrown by this line: https://github.com/hyperledger/fabric-ca/blob/v1.1.0-alpha/lib/dbutil/dbutil.go#L317

salmanbaset (Mon, 19 Feb 2018 21:09:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sBuYtvj4RSkXSmaeJ) @skarim I have seen that link. my question is whether only these attributes specified in LDAP section of Fabric CA config end up in an ecert (since Fabric 1.1-preview supports attributes in X.509 certs) or whether all LDAP attributes end up in ecert.

skarim (Tue, 20 Feb 2018 00:44:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GesxZj99d6Mcjpfd7) @salmanbaset Only the attributes specified in the LDAP section of Fabric CA config can be inserted into a certificate

naveen_saravanan (Tue, 20 Feb 2018 04:01:10 GMT):

Jxplorer-Screenshot

naveen_saravanan (Tue, 20 Feb 2018 04:01:44 GMT):
@skarim I already had added user 'Sam' and was able to view the user 'Sam' in Jxplorer (as shown in the screenshot).

venkateshmankena (Tue, 20 Feb 2018 04:24:00 GMT):
Has joined the channel.

jarvis26 (Tue, 20 Feb 2018 05:15:01 GMT):
Hi....I tried to clone a new repository for fabric-ca and do a `go build`, which is giving me errors. Where can I get pre-built binaries for fabric-ca-client and fabric-ca-server?

aambati (Tue, 20 Feb 2018 13:28:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vsddpdh56xwpGZyW3) @javrevasandeep discussing this issue in a separate chat, i will post the result of our investigation here [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aTyEGRTodgZ7onDEb) @jarvis26 there are no pre-built binaries...we are currently working on https://jira.hyperledger.org/browse/FAB-6673 to do just that...there is a partially working change set: https://gerrit.hyperledger.org/r/c/17951/

5igm4 (Tue, 20 Feb 2018 14:06:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NrxCuqJTK7gz5eDpz) @aambati Thank you, much appreciated!

Pranoti (Tue, 20 Feb 2018 14:13:12 GMT):
Hi, is there any document on how to integrate a customised Fabric network with Hyperledger Composer?

Asara (Tue, 20 Feb 2018 14:46:18 GMT):
@Pranoti You'll probably get a better answer in #composer

skarim (Tue, 20 Feb 2018 14:52:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bgN3cRQQzy6GtoAzr) @naveen_saravanan Do you have the full server side logs that I could look at?

TomV 5 (Tue, 20 Feb 2018 16:07:12 GMT):
Has joined the channel.

5igm4 (Tue, 20 Feb 2018 21:15:40 GMT):
@aambati Hey, just checking in to see if you have an update to my question. This is blocking development as of right now, and we are urgently looking for a fix/work-around

aambati (Tue, 20 Feb 2018 21:18:13 GMT):
Looks like we have not tested with multi-master configuration

aambati (Tue, 20 Feb 2018 21:18:35 GMT):
the problem might be in the ldap connection string parsing

aambati (Tue, 20 Feb 2018 21:19:06 GMT):
if the connection string for multi-master configuration is not in a format that is expected by the CA server

aambati (Tue, 20 Feb 2018 21:19:33 GMT):
this is my guess...i have to admit, i don't know much about multi-master configuration

aambati (Tue, 20 Feb 2018 21:19:47 GMT):
can you tell me what your connection string looks like?

5igm4 (Tue, 20 Feb 2018 21:21:27 GMT):
It is exactly as is described in the docs: ://:@:/

aambati (Tue, 20 Feb 2018 21:22:52 GMT):
can you please open a defect, we will look into it

aambati (Tue, 20 Feb 2018 21:23:08 GMT):
https://jira.hyperledger.org/browse

5igm4 (Tue, 20 Feb 2018 21:23:13 GMT):
Sounds good!

aambati (Tue, 20 Feb 2018 21:25:07 GMT):
thank you

aambati (Tue, 20 Feb 2018 21:30:12 GMT):
@5igm4 can you ping me the exact error message you are getting

5igm4 (Tue, 20 Feb 2018 21:33:43 GMT):
yes, albeit I'll have to re-create my multi-master environment. I have since been using a single-master in order to make some progress. This will take a little bit of time

5igm4 (Tue, 20 Feb 2018 21:34:20 GMT):
I'll open the ticket by tomorrow afternoon

5igm4 (Tue, 20 Feb 2018 21:34:36 GMT):
Thanks again for trying to help :)

aambati (Tue, 20 Feb 2018 22:05:12 GMT):
np

jodafm (Wed, 21 Feb 2018 06:02:19 GMT):
Has joined the channel.

naveen_saravanan (Wed, 21 Feb 2018 06:37:42 GMT):
@skarim Thank you. I was able to overcome this issue.

naveen_saravanan (Wed, 21 Feb 2018 06:45:15 GMT):
Hi, I have been working on integration of LDAP with fabric-ca-server using 'ldap://' and port 389. How do I shift to 'ldaps://' and port 636?

naveen_saravanan (Wed, 21 Feb 2018 06:47:18 GMT):
And I was able to connect to port 389 through 'telnet localhost 389' command, but was not able to connect to port 636 through 'telnet localhost 636' command. Why?

vsadriano (Wed, 21 Feb 2018 10:08:22 GMT):
Has joined the channel.

dsanchezseco (Wed, 21 Feb 2018 11:11:50 GMT):
Is there any recommended way to distribute the certs to generate the MSP for the peers/clients? Also, is it necessary that an org/orderer has in its MSP the certs of the other orgs?

smithbk (Wed, 21 Feb 2018 13:36:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=q9d6mttfbZkwraeKT) @naveen_saravanan If you couldn't connect with telnet localhost 636, it means it is not listening on localhost. How did you start the server? If starting via docker, make sure that you 1) start the ldap server in the container with TLS enabled on the appropriate port and 2) map the port in the container to port 636 on your localhost

smithbk (Wed, 21 Feb 2018 13:41:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dbRwKizvHDgwc3dMj) @dsanchezseco If using fabric CA or cryptogen, it creates the msp folder for you; but otherwise if you are creating your own certificates, it would be up to you to populate the msp folder appropriately. Orderers and peers will get the certs of other orgs from the ledger via the genesis block / config block. The local MSP directory on a peer doesn't need certs for other orgs, because you don't want other orgs to install chaincode on your peer

vsadriano (Wed, 21 Feb 2018 13:43:08 GMT):
Hi! How can I set a db, determining the value parameters with environment variables? I changed the docker-compose file as follows, but no changes were applied.
```yaml
fabric-ca-server:
  image: hyperledger/fabric-ca:x86_64-1.0.6
  container_name: fabric-ca-server
  ports:
    - "7054:7054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_DB_TYPE=postgres
    - FABRIC_CA_SERVER_DB_DATASOURCE_HOST=172.16.11.50
    - FABRIC_CA_SERVER_DB_DATASOURCE_PORT=5432
    - FABRIC_CA_SERVER_DB_DATASOURCE_USER=user
    - FABRIC_CA_SERVER_DB_DATASOURCE_PASSWORD=password
    - FABRIC_CA_SERVER_DB_DATASOURCE_DBNAME=fabric_ca
    - FABRIC_CA_SERVER_DB_DATASOURCE_SSLMODE=disable
    - FABRIC_CA_SERVER_DB_TLS_ENABLED=false
  volumes:
    - "./fabric-ca-server:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'
```

dsanchezseco (Wed, 21 Feb 2018 13:45:52 GMT):
@smithbk ok, yeah, I'm using the CA, but for example how do I get my admin cert to perform an invoke (as far as I know it's required to be in your MSP) or the CA to perform the enroll?

ashutosh_kumar (Wed, 21 Feb 2018 13:48:00 GMT):
@5igm4, in your Multi Master LDAP scenario, you configure the LDAP Cluster in Multi Master config using replication. I assume you have a Load Balancer in front which can load balance ldap and ldaps traffic. Once you have configured Multimaster, your query update string should look like ldap:/. So, in theory, from the Fabric CA perspective, the LDAP mechanism should not change.

ashutosh_kumar (Wed, 21 Feb 2018 13:50:05 GMT):
Meaning, fabric CA LDAP code should not be changed to accommodate Multi Master LDAP config, unless I am missing something.

5igm4 (Wed, 21 Feb 2018 14:10:39 GMT):
@ashutosh_kumar Yes, in theory you're right. However, in our implementation, there is no load balancer in front of LDAP. Either way, it should still be able to connect to a single server in the replication set and authenticate a user. The only real difference in the multi-master setup (from the perspective of a client) is that the CLI cannot assume that your server is running on localhost (from my experience). For example, running: `ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f base.ldif` would work for me when in a single server environment. However, in my multi master environment, this wouldn't suffice and I would have to run the command as such: `ldapadd -x -H server.itzgeek.local -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f base.ldif` Since both DNS names must be specified in the slapd config, my hypothesis as to why this happens is that the CLI is unable to determine which server in the set you're trying to target.

smithbk (Wed, 21 Feb 2018 14:19:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=y4FLaPvaB6Z66iM6F) @dsanchezseco You currently have to get the admin cert out-of-band to populate msp/admincerts. We plan on adding an API to fabric-ca-server to get the certs for a specific enrollment ID, but isn't there yet. I also had hoped we would have role-based control for the admin (e.g. anyone with OU=foo is an admin) but that isn't there.

dsanchezseco (Wed, 21 Feb 2018 14:21:10 GMT):
@smithbk thanks that was my thought too.

smithbk (Wed, 21 Feb 2018 14:21:17 GMT):
@5igm4 So what error are you seeing with the multi-master setup? The LDAP client in the fabric-ca-server certainly works when the server isn't on localhost, so I am not sure what is going wrong

ashutosh_kumar (Wed, 21 Feb 2018 14:22:05 GMT):
@5igm4, how good is your multi master config if you do not have a Load Balancer in front? In LDAP, you do more read operations than write operations.

ashutosh_kumar (Wed, 21 Feb 2018 14:25:08 GMT):
in your explanation above, it looks like you are elaborating multi master config steps or LDAP setup steps. Fabric CA has nothing to do with these. Are you looking for guidance for LDAP multi master setup? I am kind of confused now.

5igm4 (Wed, 21 Feb 2018 14:39:53 GMT):
@smithbk @ashutosh_kumar I was just stating the differences in how a client communicates with a multimaster ldap environment, and I'm thinking that Fabric isn't taking those differences in to account when it attempts to bind. I'm going to continue to experiment with my configurations (both LDAP and Fabric) and completely start from scratch to see if I can reproduce this. If so, I'll report back with some logs.

ashutosh_kumar (Wed, 21 Feb 2018 14:44:34 GMT):
sounds good @5igm4. I assume you focus primarily on bind and read operations when using Fabric CA.

skarim (Wed, 21 Feb 2018 14:52:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rF9cXF7ZPBniCgK29) @vsadriano You can't separate out the parameters, they must all be part of the FABRIC_CA_SERVER_DB_DATASOURCE environment variable

vsadriano (Wed, 21 Feb 2018 16:29:45 GMT):
@skarim I tried this:
```yaml
fabric-ca-server:
  image: hyperledger/fabric-ca:x86_64-1.0.6
  container_name: fabric-ca-server
  ports:
    - "7054:7054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_DB_TYPE=postgres
    - FABRIC_CA_SERVER_DB_DATASOURCE=host=10.139.16.11 port=5785 user=user_blockchaindb_des password=4739278fd8e843e6a0a6a22d1c73f26a dbname=dbdes_10316_blockchaindb sslmode=disable
    - FABRIC_CA_SERVER_DB_TLS_ENABLED=false
  volumes:
    - "./fabric-ca-server:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'
```
But there wasn't any change.

vsadriano (Wed, 21 Feb 2018 16:35:30 GMT):
I tried now:
```yaml
fabric-ca-server:
  image: hyperledger/fabric-ca:x86_64-1.0.6
  container_name: fabric-ca-server
  ports:
    - "7054:7054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_DB_TYPE=postgres
    - FABRIC_CA_SERVER_DB_DATASOURCE=host=10.139.16.11 port=5785 user=user_blockchaindb_des password=4739278fd8e843e6a0a6a22d1c73f26a dbname=dbdes_10316_blockchaindb sslmode=disable
    - 'FABRIC_CA_DB_DATASOURCE=host=10.139.16.11 port=5785 user=user_blockchaindb_des password=4739278fd8e843e6a0a6a22d1c73f26a dbname=dbdes_10316_blockchaindb sslmode=disable'
    - FABRIC_CA_SERVER_DB_TLS_ENABLED=false
  volumes:
    - "./fabric-ca-server:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'
```
But no changes.

skarim (Wed, 21 Feb 2018 16:39:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QePqtzofs8ofvYYFr) @vsadriano Is there an error? Or is it not picking up the environment variable? Also, try enclosing the environment variable value in quotes: FABRIC_CA_SERVER_DB_DATASOURCE="host=10.139.16.11 port=5785 user=user_blockchaindb_des password=4739278fd8e843e6a0a6a22d1c73f26a dbname=dbdes_10316_blockchaindb sslmode=disable"

vsadriano (Wed, 21 Feb 2018 16:48:27 GMT):
Well, I'm using double quotes as follows:
```yaml
fabric-ca-server:
  image: hyperledger/fabric-ca:x86_64-1.0.6
  container_name: fabric-ca-server
  ports:
    - "7054:7054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_DB_TYPE=postgres
    - "FABRIC_CA_SERVER_DB_DATASOURCE=host=10.139.16.11 dbname=dbdes_10316_blockchaindb port=5785 user=user_blockchaindb_des password=4739278fd8e843e6a0a6a22d1c73f26a sslmode=disable"
    - FABRIC_CA_SERVER_DB_TLS_ENABLED=false
  volumes:
    - "./fabric-ca-server:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'
```
I'm getting the error below:
```shell
~/fabric-ca $ docker-compose up
Creating fabric-ca-server ...
Creating fabric-ca-server ... done
Attaching to fabric-ca-server
fabric-ca-server | 2018/02/21 16:43:44 [INFO] Created default configuration file at /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
fabric-ca-server | 2018/02/21 16:43:44 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
fabric-ca-server | 2018/02/21 16:43:44 [INFO] generating key: &{A:ecdsa S:256}
fabric-ca-server | 2018/02/21 16:43:44 [INFO] encoded CSR
fabric-ca-server | 2018/02/21 16:43:44 [INFO] signed certificate with serial number 296772904673599490368295052105627641842680382383
fabric-ca-server | 2018/02/21 16:43:44 [INFO] The CA key and certificate were generated for CA
fabric-ca-server | 2018/02/21 16:43:44 [INFO] The key was stored by BCCSP provider 'SW'
fabric-ca-server | 2018/02/21 16:43:44 [INFO] The certificate is at: /etc/hyperledger/fabric-ca-server/ca-cert.pem
fabric-ca-server | 2018/02/21 16:43:44 [ERROR] Error occurred initializing database: Failed to create user registry for PostgreSQL: Failed to connect to Postgres database: pq: database "user_blockchaindb_des" does not exist
fabric-ca-server | 2018/02/21 16:43:44 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server
fabric-ca-server | 2018/02/21 16:43:44 [INFO] Listening on http://0.0.0.0:7054
```

vsadriano (Wed, 21 Feb 2018 17:02:57 GMT):
I don't understand why fabric is getting user value for dbname.

skarim (Wed, 21 Feb 2018 17:06:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oxoMn9FNTwse82MzB) @vsadriano This was a bug we fixed in v1.1, can you try using v1.1 alpha?

vsadriano (Wed, 21 Feb 2018 17:11:04 GMT):
I'll try. Is there a related issue for this bug? Can you give me the number?

skarim (Wed, 21 Feb 2018 17:14:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7i33YFeFPEnijnSA6) @vsadriano https://jira.hyperledger.org/browse/FAB-5782

vsadriano (Wed, 21 Feb 2018 17:14:50 GMT):
Thanks @skarim

vsadriano (Wed, 21 Feb 2018 17:28:09 GMT):
@skarim I don't think it's my context or I'm wrong. My database exists.

skarim (Wed, 21 Feb 2018 17:30:07 GMT):
So you already have an instance of Postgres with the database dbdes_10316_blockchaindb present?

vsadriano (Wed, 21 Feb 2018 17:31:15 GMT):
Y

skarim (Wed, 21 Feb 2018 17:31:38 GMT):
hmm ok. can you send me your docker-compose file and server logs with debug enabled?

vsadriano (Wed, 21 Feb 2018 17:32:24 GMT):
Ok. Wait a minute, please...

vsadriano (Wed, 21 Feb 2018 17:33:24 GMT):
docker-compose.yml:
```yaml
fabric-ca-server:
  image: hyperledger/fabric-ca:x86_64-1.0.6
  container_name: fabric-ca-server
  ports:
    - "7054:7054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_DB_TYPE=postgres
    - "FABRIC_CA_SERVER_DB_DATASOURCE=host=10.139.16.11 dbname=dbdes_10316_blockchaindb port=5785 user=user_blockchaindb_des password=4739278fd8e843e6a0a6a22d1c73f26a sslmode=disable"
    - FABRIC_CA_SERVER_DB_TLS_ENABLED=false
  volumes:
    - "./fabric-ca-server:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'
```

skarim (Wed, 21 Feb 2018 17:35:01 GMT):
That is the entire docker-compose? Where is the postgres container configured?

vsadriano (Wed, 21 Feb 2018 17:38:01 GMT):
I don't use a container for postgresql. I have an external database.

yetanotheruser23 (Wed, 21 Feb 2018 22:00:24 GMT):
Has joined the channel.

yetanotheruser23 (Wed, 21 Feb 2018 22:40:29 GMT):
Does anyone know how Fabric CA has been initialized in fabric-samples?

yetanotheruser23 (Thu, 22 Feb 2018 00:14:39 GMT):
What is an affiliation in Fabric-CA?

baohua (Thu, 22 Feb 2018 05:44:01 GMT):
the pkcs11 vendor lib breaks fabric-ca with golang 1.9.4. This patchset updates the version to the same one as the fabric codebase; welcome to help review, thanks! https://gerrit.hyperledger.org/r/#/c/18197/

naveen_saravanan (Thu, 22 Feb 2018 08:34:41 GMT):
@smithbk I have set up openldap by following the steps mentioned under "Installing OpenLDAP" section from url:"https://www.techrepublic.com/article/how-to-install-openldap-and-phpldapadmin-on-ubuntu-16-04/"

naveen_saravanan (Thu, 22 Feb 2018 08:39:10 GMT):
Could you share any link or document related to shifting from 'ldap' to 'ldaps'?

naveen_saravanan (Thu, 22 Feb 2018 11:48:53 GMT):
Hi all. I was able to enroll users from openldap to fabric-ca-server, but after a while, when I tried to enroll the users, I faced the errors shown below (from the fabric-ca-server logs):
```
2018/02/22 11:05:57 [DEBUG] Received request POST /api/v1/enroll
Authorization: Basic U2FzaTpzYXNpcHc=
{"caName":"","certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\r\nMIHLMHECAQAwDzENMAsGA1UEAwwEU2FzaTBZMBMGByqGSM49AgEGCCqGSM49AwEH\r\nA0IABGoDY95wmB6GasYCkt6P7LJ75+r6l+aUoWb3sBvceocj2biEevXpfjjN50SK\r\nOPCx8ROX0FmUOhLfzkHwu31knDugADAMBggqhkjOPQQDAgUAA0gAMEUCIQCSKwtt\r\nuWKCsi0vFGogZ97lNXWmcyZNfxRvW1LjqBY2QgIgFsUiSxJ62cbS8fWlGqLNbt9k\r\nYA5y7Y9MEDDVgipGSS8=\r\n-----END CERTIFICATE REQUEST-----\r\n"}
2018/02/22 11:05:57 [DEBUG] Directing traffic to default CA
2018/02/22 11:05:57 [DEBUG] Getting user 'Sasi'
2018/02/22 11:21:53 [DEBUG] Failed to get identity 'Sasi': LDAP search failure: unable to read LDAP response packet: read tcp 172.19.0.5:40464->18.216.159.239:389: read: connection timed out; search request: &{BaseDN:dc=example,dc=com Scope:2 DerefAliases:0 SizeLimit:0 TimeLimit:0 TypesOnly:false Filter:(cn=Sasi) Attributes:[] Controls:[]}
2018/02/22 11:32:41 [DEBUG] Received request POST /api/v1/enroll
Authorization: Basic U2FzaTpzYXNpcHc=
{"caName":"","certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\r\nMIHLMHECAQAwDzENMAsGA1UEAwwEU2FzaTBZMBMGByqGSM49AgEGCCqGSM49AwEH\r\nA0IABG5knoizXZHwT79pNB+XyWsEGudD7gTcO0s4LriF9lZEbQjF0VwMLBlY55fK\r\nFSn4aaUZESfGrWvWWtRrrUpQdKygADAMBggqhkjOPQQDAgUAA0gAMEUCIQDZf136\r\nhlTqqh1CQns5mIhDa0KGe65xFy06zKc0oNwA8QIgPc6Knvx8x0Hti8GSYcAy37ZG\r\nglEiP2KSYLR8EVmPl4c=\r\n-----END CERTIFICATE REQUEST-----\r\n"}
2018/02/22 11:32:41 [DEBUG] Directing traffic to default CA
2018/02/22 11:32:41 [DEBUG] Getting user 'Sasi'
2018/02/22 11:32:41 [DEBUG] Failed to get identity 'Sasi': LDAP search failure: LDAP Result Code 200 "": ldap: connection closed; search request: &{BaseDN:dc=example,dc=com Scope:2 DerefAliases:0 SizeLimit:0 TimeLimit:0 TypesOnly:false Filter:(cn=Sasi) Attributes:[] Controls:[]}
root@hibiz-Aspire-E5-575:/home/hibiz#
```
Can anyone point out why this is happening, and what I should do?

smithbk (Thu, 22 Feb 2018 12:51:23 GMT):
@naveen_saravanan Do you have an entry in LDAP with a cn attribute of "Sasi"?

ashutosh_kumar (Thu, 22 Feb 2018 13:40:08 GMT):
@naveen_saravanan , looks like connectivity issue.

naveen_saravanan (Thu, 22 Feb 2018 13:40:45 GMT):
@smithbk yes I have.

naveen_saravanan (Thu, 22 Feb 2018 13:41:38 GMT):
@ashutosh_kumar ok, how do I overcome it?

bfuentes@fr.ibm.com (Thu, 22 Feb 2018 13:46:51 GMT):
I have changed the CERTIFICATE generation of my ca-fabric-server, but when I enroll my PeerAdmin, the certificate returned does not correspond to the one of the CA. Here are examples:

bfuentes@fr.ibm.com (Thu, 22 Feb 2018 13:47:17 GMT):
```yaml
###########################################################################
# Certificate Signing Request section for generating the CA certificate
###########################################################################
csr:
  cn: ca.byomc.com
  names:
    - C: FR
      ST:
      L:
      O: byomc
      OU: france
  hosts:
    - ca.byomc.com
  ca:
    pathlen:
    pathlenzero:
    expiry:
```

bfuentes@fr.ibm.com (Thu, 22 Feb 2018 13:49:11 GMT):
-> country information is overridden

bfuentes@fr.ibm.com (Thu, 22 Feb 2018 13:49:29 GMT):
state and locality are set with other values

bfuentes@fr.ibm.com (Thu, 22 Feb 2018 13:49:52 GMT):
then, my PeerAdmin got an enrollment with these values too

bfuentes@fr.ibm.com (Thu, 22 Feb 2018 13:49:53 GMT):
oO

bfuentes@fr.ibm.com (Thu, 22 Feb 2018 13:50:50 GMT):
and this is what I get from a lambda user

bfuentes@fr.ibm.com (Thu, 22 Feb 2018 13:51:26 GMT):
no info about country, state, locality this time ...

bfuentes@fr.ibm.com (Thu, 22 Feb 2018 14:05:43 GMT):
I opened a JIRA ticket

bfuentes@fr.ibm.com (Thu, 22 Feb 2018 14:05:56 GMT):
I opened a JIRA ticket ^o^

5igm4 (Thu, 22 Feb 2018 14:09:25 GMT):
@smithbk @ashutosh_kumar Hey guys, quick update from yesterday. I started completely fresh: brand new servers, fresh installation of ldap and fabric-ca...and it worked perfectly. Sorry for the trouble, and thanks for the help!

ashutosh_kumar (Thu, 22 Feb 2018 14:11:14 GMT):
@naveen_saravanan, do typical network tests like telnet, etc. It is hard to debug from this end.

LabibFarag (Thu, 22 Feb 2018 20:47:13 GMT):
Has joined the channel.

yetanotheruser23 (Thu, 22 Feb 2018 23:16:06 GMT):
Can someone please tell me how to initialize the fabric-ca-server to use a config file. I added the CA section in my docker compose file, set FABRIC_CA_HOME and then added the following under the 'command' section. fabric-ca-server start -c -b admin:adminpw.

yetanotheruser23 (Thu, 22 Feb 2018 23:16:23 GMT):
But the certificates are not reflecting the CSR data in the config.

yetanotheruser23 (Fri, 23 Feb 2018 00:45:28 GMT):
I'm getting the following error when I try to register a new user. Failed to register Error: fabric-ca request register failed with errors [[{"code":0,"message":"Failed getting affiliation 'app': sql: no rows in result set"}]]

yetanotheruser23 (Fri, 23 Feb 2018 00:45:34 GMT):
does anyone know why?

PraveenKumar5 (Fri, 23 Feb 2018 00:46:50 GMT):
Has joined the channel.

yetanotheruser23 (Fri, 23 Feb 2018 00:48:16 GMT):
I'm using the Fabric-Node-SDK. This is my function call. fabric_ca_client.register({enrollmentID: 'user', affiliation: 'app', role: 'user', enrollmentSecret: 'ManagerUser'}, admin_user);

TreyZhong (Fri, 23 Feb 2018 00:55:11 GMT):
Has joined the channel.

TreyZhong (Fri, 23 Feb 2018 00:55:25 GMT):
I'm getting an error when I type the command below

TreyZhong (Fri, 23 Feb 2018 00:55:26 GMT):
CHANNEL_NAME=$CHANNEL_NAME TIMEOUT= docker-compose -f docker-compose-cli.yaml up -d

aambati (Fri, 23 Feb 2018 04:47:17 GMT):
@yetanotheruser23 which version? we fixed this problem in 1.1

aambati (Fri, 23 Feb 2018 04:49:09 GMT):
@yetanotheruser23 Can you check the affiliations table in the database and make sure "app" is in there...did you add affiliations to your config file?

CodeReaper (Fri, 23 Feb 2018 07:20:55 GMT):
@aambati Does it work for 1.0 version as well??

aambati (Fri, 23 Feb 2018 12:17:09 GMT):
@CodeReaper no...see https://jira.hyperledger.org/browse/FAB-8450

SuvitPatil (Fri, 23 Feb 2018 13:20:15 GMT):
Hi Team, please correct me if I am wrong and give the solution. 1) If we run the fabric-ca-server init command, it will generate ca-cert and ca-key files in the fabric ca home. If this is right, then I can only see the ca-cert file and not the key file. Please find the screenshot below. 2) If we want to use an external certificate, then we can just replace the ca-cert and ca-key files with the externally generated CSR. And if I do that, then it gives me the error "Failed to parse certificate in the CA chain: asn1: structure error: tags don't match (6 vs {class:0 tag:17 length:11 isCompound:true}) {optional:false explicit:false application:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false} ObjectIdentifier @2"

Rapture (Fri, 23 Feb 2018 14:25:44 GMT):
Hiya, I'm using the fabric-ca from fabric-samples and successfully got that running. Now I am trying to enroll an additional peer manually, but I'm running into errors from the various CAs I'm doing it from. Does anyone know from which CA I need to register/enroll a new peer, and which certificate I should grab for that?

SimonOberzan (Fri, 23 Feb 2018 14:35:40 GMT):
Hi. I have created a project, similar to the fabric-ca sample, where I generate my certificates with an intermediate CA. I have successfully created the channel and joined my peers, but I have some problems with installing the chaincode. I have 3 hosts, each with 1 peer (peer1.org1, peer2.org1, peer3.org1). When I run a fabric-tools container on the first host I can install the chaincode only on the peer hosted on that host, but I get an `Error endorsing chaincode: rpc error: code = Unknown desc = chaincode error (status: 500, message: Authorization for INSTALL has been denied (error-Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin]))` error for the other two peers. If I run the cli container on some other host, then only its peer can install chaincode successfully. The admin identity that I use here was registered as admin-org1, and then I enrolled 3 times, once for every host. So I believe that the problem here is that because I joined the peers to the channel with different admin-org1 identities, each peer now needs that particular admin-org1 to install the chaincode. Am I correct here, or what is the thing that differentiates my admin-org1 instances? If I am, is there a way to use multiple instances of admin-org1 certs on all the org's admin functions? BTW I have tried copying the admin's msp directory from a host that errors on the cc installation to the cli on another host. Then I could successfully install the chaincode on that host.

skarim (Fri, 23 Feb 2018 15:04:47 GMT):
@SuvitPatil 1. The key for the ca can be found in the msp/keystore folder in the fabric ca server home directory 2. If you want to use a certificate/key that you have generated yourself, you will need to modify the fabric-ca-server-config.yaml file; under the ca section you will need to point to the path for the certificate and key.

aambati (Fri, 23 Feb 2018 15:18:54 GMT):
@Rapture You need to register/enroll the new peer with the CA of the org to which this new peer belongs

Rapture (Fri, 23 Feb 2018 15:20:56 GMT):
I am currently doing so, but if I don't use the `--tls.certfiles` switch it gives me a response saying the connection was broken (which I think makes sense as tls is enabled), and with `--tls.certfiles ca-cert.pem` it reports that the certificate is signed by an unknown authority

Rapture (Fri, 23 Feb 2018 15:21:03 GMT):
@aambati

ArvsIndrarys (Fri, 23 Feb 2018 16:17:42 GMT):
Hi guys! Is there a way to keep the keys and/or certs in a wallet? Currently, to prevent my keys from being destroyed on each docker-compose change, I had to link them to a volume on my FS... not secure at all, or maybe the .pem files can be automatically protected with a password? (I can currently run `openssl x509 -in ca-cert.pem -text` even though I launched the container with admin:adminpw credentials)

aambati (Fri, 23 Feb 2018 18:33:28 GMT):
make sure the tls cert used by the server is signed by the ca-cert.pem that is specified to the --tls.certfiles command line argument

Jeff.Ran (Sat, 24 Feb 2018 02:43:10 GMT):
Has joined the channel.

malaxiangguo (Sat, 24 Feb 2018 05:47:14 GMT):
Has joined the channel.

BV (Sat, 24 Feb 2018 22:01:58 GMT):
Has joined the channel.

tittuvarghese (Sun, 25 Feb 2018 05:45:27 GMT):
Has joined the channel.

tittuvarghese (Sun, 25 Feb 2018 05:47:05 GMT):
I'm getting the following error with certificates: "certificate signed by unknown authority". I have generated the crypto config using the e2e test in the Fabric example.

tittuvarghese (Sun, 25 Feb 2018 05:47:30 GMT):
The issue is only with peer0.org1.example.com connection with orderer.example.com

AshishMishra 1 (Mon, 26 Feb 2018 08:40:38 GMT):
Has joined the channel.

AshishMishra 1 (Mon, 26 Feb 2018 08:42:20 GMT):
Hi guys.. how do I run a CA server cluster with a mysql database as the backend store? Does the mysql client in the CA server support multiple mysql IPs for active/passive or failover, or should I run a mysql cluster or a multi-master mysql setup and configure the virtual IP?

naveen_saravanan (Mon, 26 Feb 2018 10:04:47 GMT):
Hi everyone. Does anyone know how to create an objectClass (schema) with user-defined attributes in ldap? Or how to add new attributes to the existing objectClasses (e.g. inetOrgPerson) in the ldap? If you do, please share the required steps or related links.

SuvitPatil (Mon, 26 Feb 2018 11:12:31 GMT):
@skarim Thanks @skarim.

SuvitPatil (Mon, 26 Feb 2018 11:14:15 GMT):
I am using the HSM configuration in the fabric-ca-server-config.yaml file, and when I bring up the docker-compose it gives me this error: [Could not initialize BCCSP PKCS11 [Failed initializing PKCS11 library /usr/local/lib/softhsm/libsofthsm2.so ForFabric [Instantiate failed [/usr/local/lib/softhsm/libsofthsm2.so]]]] fabric-ca-server | Could not find default `PKCS11` BCCSP

subbu165 (Mon, 26 Feb 2018 11:14:15 GMT):
pranoti

ArvsIndrarys (Mon, 26 Feb 2018 13:40:50 GMT):
Hi guys! I have a few questions about the interconnection between `ldap` and `fabric-ca`:
- must every `fabric-client enroll` command be preceded by adding the new user/org/whatever in the ldap? (ldapadd)
- does fabric-ca have some pre-configured definitions of an orderer/peer/client for the ldap? (ldif files)
- the fabric-ca user's guide has a converters definition in the ldap configuration. In the config generated by the ca-server, there's no "attributes" part, not even commented out. Is it still necessary?
- what is the relation between configtxgen and fabric-ca (except that configtxgen is a static cert generator in place of a full CA)? The schema created by configtxgen really makes me think of some LDAP organization tree; is it just a coincidence?

gskerry (Mon, 26 Feb 2018 17:13:12 GMT):
Has joined the channel.

skarim (Mon, 26 Feb 2018 19:03:35 GMT):
@SuvitPatil Do you mind sharing your fabric-ca-server-config.yaml and docker-compose file? Also, have you downloaded and installed softhsm?

msarres (Mon, 26 Feb 2018 20:58:50 GMT):
Has joined the channel.

smithbk (Mon, 26 Feb 2018 22:18:40 GMT):
@ArvsIndrarys If you want to connect fabric-ca-server to LDAP, it is typically because you already have an LDAP server populated with identity info and want to specify which LDAP users map to peers, orderers, apps, end users, etc. But if LDAP isn't already populated, yes, you would need to do an ldapadd for each identity rather than a `fabric-ca-client register`. See `fabric-ca/images/fabric-ca-fvt/payload/add-users.ldip` for an ldif example.

smithbk (Mon, 26 Feb 2018 22:20:41 GMT):
The converters section is necessary if you want/need to convert existing ldap entries rather than change LDAP. This is most useful for existing LDAP registries, but if you're setting up your own, you can configure the schema however you want so that conversion is likely not necessary

smithbk (Mon, 26 Feb 2018 22:21:20 GMT):
configtxgen is a development tool, whereas fabric-ca is for non-dev environments

zhouskun (Tue, 27 Feb 2018 02:33:20 GMT):
Has joined the channel.

sunshinek31 (Tue, 27 Feb 2018 03:25:11 GMT):
Has joined the channel.

SuvitPatil (Tue, 27 Feb 2018 06:08:22 GMT):
@skarim That error has been resolved now. But when I use the HSM and enroll the certificates, it again stores the certificates in the file storage that we have given in the BCCSP section. That is again the same as when we generate certificates using the default settings in fabric-ca-config.yaml. As I understand it, the private keys should be stored somewhere in the softHSM and not be visible to others. But that is not what happens here.

SuvitPatil (Tue, 27 Feb 2018 06:28:42 GMT):
If I change the fabric-ca-config file, take the network down, and then bring that same network up again, it shows me that error.

zhouskun (Tue, 27 Feb 2018 08:45:41 GMT):
:grimacing:

purandam (Tue, 27 Feb 2018 09:13:33 GMT):
Has joined the channel.

Ammu (Tue, 27 Feb 2018 11:14:54 GMT):
can any1 solve this error?

ArvsIndrarys (Tue, 27 Feb 2018 11:30:15 GMT):
@smithbk thanks !

ArvsIndrarys (Tue, 27 Feb 2018 11:41:48 GMT):
Hi guys! May someone help me with that? I can't seem to give the hf.IntermediateCA attribute to one of my intermediate CAs. Root CA LDAP config:
```yaml
ldap:
  enabled: true
  url: correctLDAP
  tls:
    certfiles:
      - ldap-server-cert.pem
    client:
      certfile: ldap-client-cert.pem
      keyfile: ldap-client-key.pem
  attribute:
    names: ["uid"]
    converters:
      - name: hf.IntermediateCA
        value: attr("uid") =~ "inter*"
```
LDAP user schema:
```ldif
# intermediate_ca, dev, sunchain.fr
dn: uid=intermediate_ca,ou=dev,dc=sunchain,dc=fr
objectClass: simpleSecurityObject
objectClass: account
uid: intermediate_ca
userPassword:: ZGV2X2ludGVy
```
resulting logs:
```
cadev_root_ca.1.0h9kuzqv4lax@ec1 | 2018/02/27 11:36:45 [DEBUG] Getting user 'intermediate_ca'
cadev_root_ca.1.0h9kuzqv4lax@ec1 | 2018/02/27 11:36:45 [DEBUG] Searching for user 'intermediate_ca' using cached connection
cadev_root_ca.1.0h9kuzqv4lax@ec1 | 2018/02/27 11:36:45 [DEBUG] Successfully retrieved user '%s', DN: %sintermediate_cauid=intermediate_ca,ou=dev,dc=sunchain,dc=fr
cadev_root_ca.1.0h9kuzqv4lax@ec1 | 2018/02/27 11:36:45 [DEBUG] getUserAttrValue identity=intermediate_ca, name=hf.IntermediateCA, value=
cadev_root_ca.1.0h9kuzqv4lax@ec1 | 2018/02/27 11:36:45 [ERROR] Enrollment failure: Identity 'intermediate_ca' does not have attribute 'hf.IntermediateCA'
cadev_root_ca.1.0h9kuzqv4lax@ec1 | 2018/02/27 11:36:45 [INFO] 10.0.4.8:55714 - "POST /enroll" 0
```

ArvsIndrarys (Tue, 27 Feb 2018 11:42:48 GMT):
I tried with:
```yaml
converters:
  - name: hf.IntermediateCA
    value: attr("uid") == "intermediate_ca"
```
and with:
```yaml
converters:
  - name: hf.IntermediateCA
    value: attr("uid") =~ "*_ca"
```
without any success :/

smithbk (Tue, 27 Feb 2018 13:04:49 GMT):
@ArvsIndrarys What version of fabric-ca-server are you using? Judging from the `Successfully retrieved user '%s'` debug statement, it appears to not be what is in master. Can you try with what is in master as this may be fixed?

smithbk (Tue, 27 Feb 2018 13:06:37 GMT):
@Ammu Dave @dave.enyeart any ideas?

ArvsIndrarys (Tue, 27 Feb 2018 13:26:29 GMT):
@smithbk Trying it now; I hope the new version has no breaking changes compared to 1.0.4

ArvsIndrarys (Tue, 27 Feb 2018 13:56:57 GMT):
same results with 1.0.6

Ryan2 (Tue, 27 Feb 2018 14:27:18 GMT):
Hi, I have an issue related to CA, but have no clue how to fix it; can someone help me?
```
2018-02-27 09:49:05.728 UTC [cauthdsl] func2 -> ERRO 18c Principal deserialization failure (The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "admin")) for identity [hex-encoded identity blob omitted]
2018-02-27 09:49:05.728 UTC [cauthdsl] func2 -> DEBU 18d 0xc420030d88 principal evaluation fails
2018-02-27 09:49:05.728 UTC [cauthdsl] func1 -> DEBU 18e 0xc420030d88 gate 1519724945728006980 evaluation fails
2018-02-27 09:49:05.728 UTC [orderer/common/broadcast] Handle -> WARN 18f Rejecting CONFIG_UPDATE because: Error authorizing update: Error validating DeltaSet: Policy for [Groups] /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
```

jtclark (Tue, 27 Feb 2018 14:28:16 GMT):
@smithbk - ping

jtclark (Tue, 27 Feb 2018 14:29:06 GMT):
question for you: have you had a chance to review the 'potential SQL vulnerabilities' re: FAB-1446?

jtclark (Tue, 27 Feb 2018 14:29:59 GMT):
The patch is still in review: https://gerrit.hyperledger.org/r/#/c/17809/

smithbk (Tue, 27 Feb 2018 14:46:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gPsmDvd2oSjKvnbGW) @ArvsIndrarys converters are not supported prior to v1.1. It should not have been in the 1.0 documentation. If it was, can you point me to that?

skarim (Tue, 27 Feb 2018 14:51:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sRt9kBzb2i6zvnNqq) @Ammu Have you followed the instruction here https://hyperledger-fabric.readthedocs.io/en/release/samples.html#binaries before running the fabcar sample?

smithbk (Tue, 27 Feb 2018 14:53:58 GMT):
@Ryan2 This means that the ecert used by the client was issued by a different CA than the one that is in fabric's MSP folder. You can compare the `Authority Key Identifier` of the client's ecert to the `Subject Key Identifier` of the cert in the msp/cacerts folder. They should be equal but in your case I believe they will not be. This means you need a new ecert signed by the appropriate CA's signing cert

ArvsIndrarys (Tue, 27 Feb 2018 14:58:14 GMT):
@smithbk Thanks! I always used latest, and I agree there's no indication about converters in the 'stable' docs. But there are few indications about which images correspond to 'latest' or 'stable' either, except:
```
Change the image line to reflect the tag you found previously. The file may look like this for an x86 architecture for version beta.

fabric-ca-server:
  image: hyperledger/fabric-ca:x86_64-1.0.0-beta
```
which doesn't explicitly indicate that we have to use any 1.1.x images

ArvsIndrarys (Tue, 27 Feb 2018 15:08:08 GMT):
@smithbk I tried with 1.1.0-preview:
```
cadev_root_ca.1.qkmd1s8i8g11@ec1 | 2018/02/27 15:01:34 [DEBUG] Getting user 'intermediate_ca'
cadev_root_ca.1.qkmd1s8i8g11@ec1 | 2018/02/27 15:01:34 [DEBUG] Searching for user 'intermediate_ca' using cached connection
cadev_root_ca.1.qkmd1s8i8g11@ec1 | 2018/02/27 15:01:34 [DEBUG] Successfully retrieved user 'intermediate_ca', DN: uid=intermediate_ca,ou=dev,dc=sunchain,dc=fr
cadev_root_ca.1.qkmd1s8i8g11@ec1 | 2018/02/27 15:01:34 [DEBUG] getUserAttrValue identity=intermediate_ca, name=hf.IntermediateCA, value=
cadev_root_ca.1.qkmd1s8i8g11@ec1 | 2018/02/27 15:01:34 [DEBUG] Sent error for /enroll: Identity 'intermediate_ca' does not have attribute 'hf.IntermediateCA'
cadev_root_ca.1.qkmd1s8i8g11@ec1 | github.com/hyperledger/fabric-ca/lib.(*CA).userHasAttribute
cadev_root_ca.1.qkmd1s8i8g11@ec1 | 	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/ca.go:858
cadev_root_ca.1.qkmd1s8i8g11@ec1 | github.com/hyperledger/fabric-ca/lib.(*CA).attributeIsTrue
cadev_root_ca.1.qkmd1s8i8g11@ec1 | 	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/ca.go:867
cadev_root_ca.1.qkmd1s8i8g11@ec1 | github.com/hyperledger/fabric-ca/lib.csrAuthCheck
cadev_root_ca.1.qkmd1s8i8g11@ec1 | 	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/serverenroll.go:190
cadev_root_ca.1.qkmd1s8i8g11@ec1 | github.com/hyperledger/fabric-ca/lib.handleEnroll
cadev_root_ca.1.qkmd1s8i8g11@ec1 | 	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/serverenroll.go:121
cadev_root_ca.1.qkmd1s8i8g11@ec1 | github.com/hyperledger/fabric-ca/lib.enrollHandler
cadev_root_ca.1.qkmd1s8i8g11@ec1 | 	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/serverenroll.go:86
cadev_root_ca.1.qkmd1s8i8g11@ec1 | github.com/hyperledger/fabric-ca/lib.(*serverEndpoint).ServeHTTP
cadev_root_ca.1.qkmd1s8i8g11@ec1 | 	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/serverendpoint.go:44
cadev_root_ca.1.qkmd1s8i8g11@ec1 | net/http.(*ServeMux).ServeHTTP
cadev_root_ca.1.qkmd1s8i8g11@ec1 | 	/opt/go/src/net/http/server.go:2254
cadev_root_ca.1.qkmd1s8i8g11@ec1 | net/http.serverHandler.ServeHTTP
cadev_root_ca.1.qkmd1s8i8g11@ec1 | 	/opt/go/src/net/http/server.go:2619
cadev_root_ca.1.qkmd1s8i8g11@ec1 | net/http.(*conn).serve
cadev_root_ca.1.qkmd1s8i8g11@ec1 | 	/opt/go/src/net/http/server.go:1801
cadev_root_ca.1.qkmd1s8i8g11@ec1 | runtime.goexit
cadev_root_ca.1.qkmd1s8i8g11@ec1 | 	/opt/go/src/runtime/asm_amd64.s:2337
cadev_root_ca.1.qkmd1s8i8g11@ec1 | 2018/02/27 15:01:34 [INFO] 10.0.4.10:56764 POST /enroll 500 0 "Identity 'intermediate_ca' does not have attribute 'hf.IntermediateCA'"
```
The thing is, according to the fabric-ca github code, we have:
```
func (ca *CA) userHasAttribute(username, attrname string) (string, error) {
	val, err := ca.getUserAttrValue(username, attrname)
	if err != nil {
		return "", err
	}
	if val == "" {
		return "", fmt.Errorf("Identity '%s' does not have attribute '%s'", username, attrname)
	}
	return val, nil
}

// getUserAttrValue returns a user's value for an attribute
func (ca *CA) getUserAttrValue(username, attrname string) (string, error) {
	log.Debugf("getUserAttrValue identity=%s, attr=%s", username, attrname)
	user, err := ca.registry.GetUser(username, []string{attrname})
	if err != nil {
		return "", err
	}
	attrval := user.GetAttribute(attrname)
	log.Debugf("getUserAttrValue identity=%s, name=%s, value=%s", username, attrname, attrval)
	return attrval, nil
}
```
That never indicates the field we want to use (e.g.: uid, description, ...). I think it is searching for a `hf.IntermediateCA` field in LDAP instead of testing the content of the uid (e.g.) field to set the hf.attribute to true or false

smithbk (Tue, 27 Feb 2018 16:36:44 GMT):
@ArvsIndrarys converter support was not in `v1.1.0-preview`. It was first added in `v1.1.0-alpha`. But there may have been fixes since then as well. You can try `v1.1.0-alpha` but I would recommend `master` (which is the latest)

ArvsIndrarys (Tue, 27 Feb 2018 16:55:47 GMT):
@smithbk Thanks, it seems to work now. Just getting a policy violation error, but I don't have to create a full LDAP object class just for Hyperledger, which is nice :)

koenbuyens (Tue, 27 Feb 2018 18:13:45 GMT):
Has joined the channel.

VikasJakhar (Tue, 27 Feb 2018 20:06:14 GMT):
Has joined the channel.

parsiya (Tue, 27 Feb 2018 20:11:24 GMT):
Has joined the channel.

Foen1x (Wed, 28 Feb 2018 06:52:45 GMT):
Has joined the channel.

SuvitPatil (Wed, 28 Feb 2018 09:36:15 GMT):
Hi, I am running Fabric CA server natively with SoftHSM. When fabric-ca-server starts it takes BCCSP provider 'PKCS11' as written in the config file. But when I go to register a user through the fabric client it gives me "Error: Error response from server was: Authorization failure" on the client side and "[ERROR] No certificates found for provided serial and aki" on the server side. Enrollment completed successfully.

chandrakanthm (Wed, 28 Feb 2018 09:53:58 GMT):
Has joined the channel.

DarshanBc (Wed, 28 Feb 2018 10:11:49 GMT):
Can anyone tell me what flags I need to pass to get channel info after setting these environment variables?
```
export CORE_PEER_ID=peer1st-orga
export CORE_PEER_ADDRESS=peer1st-orga:7051
export CORE_PEER_LOCALMSPID=orga
export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/allorgs/orga/users/Admin@orga/msp
```
`peer channel getinfo ...`

pankajcheema (Wed, 28 Feb 2018 11:16:51 GMT):
Has joined the channel.

smithbk (Wed, 28 Feb 2018 13:03:33 GMT):
@DarshanBc try the #fabric-peer-endorser-committer channel

aambati (Wed, 28 Feb 2018 13:06:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hpfhTkY43BqCpp8Jk) @SuvitPatil if you are running 1.1 (master branch) code, use go 1.9

smithbk (Wed, 28 Feb 2018 13:06:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hpfhTkY43BqCpp8Jk) @SuvitPatil See #2 under http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#troubleshooting

dampuero (Wed, 28 Feb 2018 15:05:17 GMT):
Has joined the channel.

ArvsIndrarys (Wed, 28 Feb 2018 16:56:43 GMT):
Hi guys! I tried some things in CA enrollment:
```
- name: hf.Registrar.Roles=peer,orderer,client
  value: attr("uid") =~ "ca_*"
```
that gives me:
```
2018/02/28 16:53:00 [DEBUG] Evaluated expression for attribute 'hf.Registrar.Roles=peer,orderer,client'; parms: map[DN:uid=ca_intermediate,cn=ca,ou=dev,dc=sunchain,dc=fr affiliation:[]]; result: true
```
Something tells me that I have something like `"hf.Registrar.Roles=peer,orderer,client" = true`, and I would like `hf.Registrar.Roles=peer,orderer,client` only... Is there a way to get it without using the maps? I know that it is bold, but I tried! :D Or did it work? o.O

smithbk (Wed, 28 Feb 2018 17:46:53 GMT):
@ArvsIndrarys try the following:
```
- name: hf.Registrar.Roles
  value: if ( attr("uid") =~ "ca_*", "peer,orderer,client", "")
```

mrshah-ibm (Wed, 28 Feb 2018 21:06:29 GMT):
Has left the channel.

naveen_saravanan (Thu, 01 Mar 2018 00:30:59 GMT):
Hi, I tried to switch my fabric-ca-server database from SQLite to MySQL by following the instructions given in the link: http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#mysql. I modified the db section of the fabric-ca-server.db file to the content given below:
```
db:
  type: mysql
  datasource: root:rootpw@tcp(localhost:3306)/fabric_ca?parseTime=true
```
and when I restarted the fabric-starter the ca-server was exiting with the error:
```
Connection String: root:123456@tcp(localhost:3306)/?parseTime=true
Error: Failed to connect to MySQL database: dial tcp 127.0.0.1:3306: getsockopt: connection refused
```
Could anyone point me to the problem here? And if there are any other links regarding the configuration of MySQL for fabric-ca-server, could you please share them?

Ammu (Thu, 01 Mar 2018 06:55:30 GMT):

port11.png

SimonOberzan (Thu, 01 Mar 2018 09:29:29 GMT):
Hi. I have a setup similar to the fabric-ca sample (generating certs with intermediate CAs), but I use 3 hosts. On each host I run 1 peer (peer1.org1 / peer2.org1 / peer3.org1). To get the admin (admin-org1) certs on all my hosts I call a peer enroll command for that admin on each host. I then start my peers and everything works fine. I can join peers to the channel using the admin certs from their host, but not with the admin certs from the other 2 hosts. The admin-org1 certs on the first host now work only for the peers started on this host, but other peers respond with: http://prntscr.com/ilaac8 when trying to join them to the channel. Is this by design? Why wouldn't the same admin be treated equally, regardless of the instance of the cert? Any help welcome. admin-org1 cert on host1: http://prntscr.com/ilac8v admin-org1 cert on host2: http://prntscr.com/ilacnb

ArvsIndrarys (Thu, 01 Mar 2018 09:35:54 GMT):
@smithbk thanks! Trying it now

ArvsIndrarys (Thu, 01 Mar 2018 09:49:40 GMT):
Worked nicely! Thank you again

naveen_saravanan (Thu, 01 Mar 2018 11:24:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cXroKznwWQ5tWKtcP) Thanks. I have cleared this error by changing localhost to the host IP inside that container.

naveen_saravanan (Thu, 01 Mar 2018 11:28:37 GMT):
But when I try to enroll a user I get the error: "Enrollment failure: Failed signing: Failed to insert record into database: Error 1146: Table 'fabric_ca.certificates' doesn't exist". And I checked the fabric_ca database; there was no certificates table. Could anyone help me solve this problem?

ArvsIndrarys (Thu, 01 Mar 2018 12:08:24 GMT):
q

Laxminarayana (Thu, 01 Mar 2018 12:46:38 GMT):
Has joined the channel.

smithbk (Thu, 01 Mar 2018 14:59:15 GMT):
@SimonOberzan MSP's admincerts are instance based. In other words, fabric does a simple byte comparison of the certificate for admincerts. So in order to have the admin cert from all 3 hosts recognized as admins, all MSP's admincerts must contain all 3 certs. See https://jira.hyperledger.org/browse/FAB-3752 and feel free to add your comments

SimonOberzan (Thu, 01 Mar 2018 15:04:15 GMT):
@smithbk Thank you

aambati (Thu, 01 Mar 2018 15:22:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aJ6jWcoXKeXeP4KbD) @naveen_saravanan The certificates table is created at startup. Check for any errors during fabric-ca server startup for clues.

skarim (Thu, 01 Mar 2018 15:47:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wnAQd5YdiDS5KDyRe) @Ammu I would try the #fabric-sdk-node channel

AndrewRy 1 (Thu, 01 Mar 2018 16:29:26 GMT):
Has joined the channel.

SKDHANUKA (Thu, 01 Mar 2018 17:24:53 GMT):
Has joined the channel.

SethiSaab (Thu, 01 Mar 2018 19:10:21 GMT):
Hi team, I am getting an error while enrolling the admin user... When I run the command `node enrollAdmin.js` I get the following error

SethiSaab (Thu, 01 Mar 2018 19:10:25 GMT):
```
Error: connect ECONNREFUSED 127.0.0.1:7054]
    at ClientRequest. (/home/rio/Public/IBM HyperLedger Playground/HyperLedger Fbric Sample Apps/fabric-samples/fabcar/node_modules/fabric-ca-client/lib/FabricCAClientImpl.js:883:12)
    at ClientRequest.emit (events.js:127:13)
    at Socket.socketErrorListener (_http_client.js:394:9)
    at Socket.emit (events.js:127:13)
    at emitErrorNT (internal/streams/destroy.js:64:8)
    at process._tickCallback (internal/process/next_tick.js:152:19)
Failed to enroll admin: Error: Failed to enroll admin
```

pmcosta1 (Thu, 01 Mar 2018 19:18:07 GMT):
Hi

pmcosta1 (Thu, 01 Mar 2018 19:18:14 GMT):
On ca with ldap enabled

pmcosta1 (Thu, 01 Mar 2018 19:18:29 GMT):
When using an admin to register a new user

pmcosta1 (Thu, 01 Mar 2018 19:18:47 GMT):
I get

pmcosta1 (Thu, 01 Mar 2018 19:19:04 GMT):
`[DEBUG] Affilation path for DN 'mail=admin@example.com,ou=people,dc=example,dc=com' is '[]' [DEBUG] Checking to see if affiliation 'people' contains caller's affiliation ''`

pmcosta1 (Thu, 01 Mar 2018 19:20:30 GMT):
Using 1.1.0-alpha

aambati (Thu, 01 Mar 2018 19:47:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9X8KnknQsnsDZPyHX) @SethiSaab are you sure server is running at 127.0.0.1:7054?

aambati (Thu, 01 Mar 2018 19:49:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZFx8uadsJrd2423ER) @pmcosta1 what error are you seeing? Those are debug messages you posted. Also, I suggest trying code from the master branch if you don't mind building the docker images locally

Arne_K (Thu, 01 Mar 2018 23:03:09 GMT):
Has joined the channel.

naveen_saravanan (Fri, 02 Mar 2018 01:28:02 GMT):
@aambati Ok I will check it.

massiveashok2014 (Fri, 02 Mar 2018 07:22:23 GMT):
Has joined the channel.

massiveashok2014 (Fri, 02 Mar 2018 07:26:18 GMT):
Hi Team, I am getting an error when I try to init fabric-ca

massiveashok2014 (Fri, 02 Mar 2018 07:26:19 GMT):
```
fabric-ca-server init -b "admin:adminpw"
2018/03/02 12:41:05 [INFO] Configuration file location: /root/go/GO_PROJECTS/src/github.com/hyperledger/fabric-ca/server/fabric-ca-server-config.yaml
panic: Version is not set for fabric-ca library

goroutine 1 [running]:
github.com/hyperledger/fabric-ca/lib/metadata.GetVersion(0x41be17, 0xc4202a8b40)
	/root/go/src/github.com/hyperledger/fabric-ca/lib/metadata/version.go:58 +0x60
github.com/hyperledger/fabric-ca/lib.(*Server).init(0xc4202a8b40, 0xc420296d00, 0xc0ebf2, 0xc42013fbf0)
	/root/go/src/github.com/hyperledger/fabric-ca/lib/server.go:98 +0x29
github.com/hyperledger/fabric-ca/lib.(*Server).Init(0xc4202a8b40, 0xc4202a8b00, 0x0, 0xc42013fc50)
	/root/go/src/github.com/hyperledger/fabric-ca/lib/server.go:88 +0x38
main.(*ServerCmd).init.func2(0xc420080d80, 0xc4200d7f20, 0x0, 0x2, 0x0, 0x0)
	/root/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/servercmd.go:102 +0xfc
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute(0xc420080d80, 0xc4200d7d80, 0x2, 0x2, 0xc420080d80, 0xc4200d7d80)
	/root/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 +0x3e8
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0xc420080b40, 0xa11696, 0xc420078b40, 0xc420078b40)
	/root/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 +0x2fe
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute(0xc420080b40, 0xc4200f83c0, 0xc420078b40)
	/root/go/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 +0x2b
main.(*ServerCmd).Execute(0xc420078b40, 0x4, 0x1)
	/root/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/servercmd.go:69 +0x2f
main.RunMain(0xc4200100c0, 0x4, 0x4, 0xc42013ff70, 0xa12e5b)
	/root/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:45 +0xb0
main.main()
	/root/go/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:27 +0x45
```

IgorSim (Fri, 02 Mar 2018 08:49:14 GMT):
Has joined the channel.

pmcosta1 (Fri, 02 Mar 2018 11:45:10 GMT):
@aambati Hi I checked the method GetAffiliationPath

pmcosta1 (Fri, 02 Mar 2018 11:45:27 GMT):
here: https://github.com/hyperledger/fabric-ca/blob/v1.1.0-alpha/lib/ldap/client.go

pmcosta1 (Fri, 02 Mar 2018 11:45:49 GMT):
this is comparing to "OU="

pmcosta1 (Fri, 02 Mar 2018 11:46:18 GMT):
My ldap has org units as "ou="

pmcosta1 (Fri, 02 Mar 2018 11:50:18 GMT):
in master it's fixed

pmcosta1 (Fri, 02 Mar 2018 11:51:09 GMT):
Changed from "if strings.HasPrefix(p, "OU=") {" to "if strings.HasPrefix(strings.ToUpper(p), "OU=") {"

skarim (Fri, 02 Mar 2018 14:19:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=eBpncBxmehqQmQb53) @massiveashok2014 How do you build the fabric-ca-server binary? Did you do `make fabric-ca-server`? It seems like the version variable is not getting set correctly

skarim (Fri, 02 Mar 2018 14:19:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=eBpncBxmehqQmQb53) @massiveashok2014 How did you build the fabric-ca-server binary? Did you do `make fabric-ca-server`? It seems like the version variable is not getting set correctly

dolanor (Fri, 02 Mar 2018 14:59:27 GMT):
Has joined the channel.

dolanor (Fri, 02 Mar 2018 14:59:35 GMT):
Hi!

dolanor (Fri, 02 Mar 2018 15:04:30 GMT):
I have a question: Right now, the base configuration works with private key + certs to authenticate users, peers, orderer, etc… and also to let them sign, etc., and TLS private key + certs for communication. What does the CA enable/enhance in this current setup?

5igm4 (Fri, 02 Mar 2018 15:30:23 GMT):
Hey guys, so I'm trying to set up Fabric with an LDAP background. I noticed in the docs, that when using LDAP, there is no boot-strapped identity. How would we get the CA.keyfile for an LDAP backed CA?

5igm4 (Fri, 02 Mar 2018 15:30:23 GMT):
Hey guys, so I'm trying to set up Fabric with an LDAP backend. I noticed in the docs, that when using LDAP, there is no boot-strapped identity. How would we get the CA.keyfile for an LDAP backed CA?

5igm4 (Fri, 02 Mar 2018 15:30:23 GMT):
Hey guys, so I'm trying to set up Fabric with an LDAP backend. I noticed in the docs that, when using LDAP, there is no boot-strapped identity. How would we get the CA.keyfile for an LDAP backed CA?

pmcosta1 (Fri, 02 Mar 2018 16:16:23 GMT):
@5igm4 Not sure if I fully understand the question. But I think with a pre registered user on LDAP which you use when running fabric-ca-server start -b ...

pmcosta1 (Fri, 02 Mar 2018 16:17:00 GMT):
and then enroll

ArvsIndrarys (Fri, 02 Mar 2018 16:53:49 GMT):
Hi all! I have currently successfully set up a CA with Mysql and LDAP, and I am wondering how to interconnect that with my fabric setup. I mean, I can enroll peers, orderers and clients thanks to the fabric-ca client, but how do I set my peers, orderers and clients to interact with that fabric-ca client? I tried to check how that setup worked: ( https://github.com/hyperledger/fabric-samples/tree/release/basic-network ) as it has some CA in it, but without any success...

ArvsIndrarys (Fri, 02 Mar 2018 16:53:49 GMT):
Hi all! I have currently successfully set up a CA with Mysql and LDAP, and I am wondering how to interconnect that with my fabric setup. I mean, I can enroll peers, orderers and clients thanks to the fabric-ca client, but how do I set my peers, orderers and clients to interact with that fabric-ca client? I tried to check how that setup worked: ( https://github.com/hyperledger/fabric-samples/tree/release/basic-network ) as it has some CA, but without any success...

5igm4 (Fri, 02 Mar 2018 18:50:06 GMT):
@pmcosta1 thanks :)

IgorSim (Fri, 02 Mar 2018 19:35:06 GMT):
Hi everybody, I have one question: what is the difference between the 'fabric-peer' and 'fabric-ca-peer' images? I guess one difference is that the 'fabric-ca-peer' image has 'fabric-ca-client' installed. Any other difference?

IgorSim (Fri, 02 Mar 2018 19:43:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KF3QaG3XKWEiAnqbR) @ArvsIndrarys I'm not very experienced with fabric but why do you need to interact with 'fabric-ca-client'? Perhaps you mean to interact with 'fabric-ca-server' within peer, orderer etc? If that's the case then i guess you can use 'fabric-ca-peer', 'fabric-ca-orderer' images and start container(s) from them. Those containers will have 'fabric-ca-client' installed on them and you can use this client to connect to server for ex to enroll or to get TLS certificates.

christian3042 (Sat, 03 Mar 2018 21:52:33 GMT):
Has joined the channel.

naveen_saravanan (Sun, 04 Mar 2018 11:46:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=e6ab4eYrFyR8EnyTi) @aambati I checked the server logs and found this error: "Creating Tables... 2018/03/02 04:24:49 [DEBUG] Created users table 2018/03/02 04:24:50 [DEBUG] Created affiliations table Error: Failed to create MySQL database: Error creating certificates table: Error 1067: Invalid default value for 'expiry'" How do I fix this?

naveen_saravanan (Sun, 04 Mar 2018 11:46:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=e6ab4eYrFyR8EnyTi) @aambati I checked the server logs and found this error: "Creating Tables... 2018/04/02 04:24:49 [DEBUG] Created users table 2018/04/02 04:24:50 [DEBUG] Created affiliations table Error: Failed to create MySQL database: Error creating certificates table: Error 1067: Invalid default value for 'expiry'" How do I fix this?

IgorSim (Sun, 04 Mar 2018 22:31:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vY49oqwYzjCrqyxfY) @naveen_saravanan I think the problem is regarding mysql configuration option called 'sql_mode'. Please check the value of this configuration and if it contains NO_ZERO_DATE try to remove it and restart mysql afterwards.

naveen_saravanan (Mon, 05 Mar 2018 01:21:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2nzjyuQAnv4LGRZ9n) @IgorSim Thanks for your reply and I was able to fix this error by modifying the 'sql_mode' as you have mentioned.

GiorgiBlockchain (Mon, 05 Mar 2018 03:35:17 GMT):
Has joined the channel.

Ammu (Mon, 05 Mar 2018 09:42:44 GMT):

balance transfer.png

pankajcheema (Mon, 05 Mar 2018 12:05:41 GMT):
Anyone know the fix for this issue?

pankajcheema (Mon, 05 Mar 2018 12:05:51 GMT):
`./byfn.sh -m up -c channel2` fails and throws the error in the above screenshot

pankajcheema (Mon, 05 Mar 2018 12:05:59 GMT):

1.png

pankajcheema (Mon, 05 Mar 2018 12:06:37 GMT):

1.png

pankajcheema (Mon, 05 Mar 2018 12:15:14 GMT):
`Error: Error endorsing query: rpc error: code = Unknown desc = make sure the chaincode mycc has been successfully instantiated and try again: could not find chaincode with name 'mycc' - `

aambati (Mon, 05 Mar 2018 14:49:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2nzjyuQAnv4LGRZ9n) @IgorSim :ok_hand:

aambati (Mon, 05 Mar 2018 14:49:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2nzjyuQAnv4LGRZ9n) @IgorSim :ok_hand: we should document this in the troubleshooting section of the userdocs

aambati (Mon, 05 Mar 2018 14:49:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2nzjyuQAnv4LGRZ9n) @IgorSim :ok_hand: we should document this in the troubleshooting section of the userdocs...actually this is already in the userdocs..my bad

aambati (Mon, 05 Mar 2018 14:51:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tdW7mZjbPQPachwvv) @IgorSim no other differences

aambati (Mon, 05 Mar 2018 14:54:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ynbksj8y2utGka3CS) @IgorSim fabric-ca-client is used to create an identity for the peer/orderer and get an enrollment cert for it from the fabric ca server... `fabric-ca-client enroll` command can be invoked with -M to setup the msp of the peer/orderer.

lukaszhalicki (Tue, 06 Mar 2018 08:05:09 GMT):
Has joined the channel.

ArvsIndrarys (Tue, 06 Mar 2018 08:52:47 GMT):
Thanks @aambati !

ArvsIndrarys (Tue, 06 Mar 2018 08:52:47 GMT):
Thanks @aambati @IgorSim !

siyuyifang (Tue, 06 Mar 2018 10:02:22 GMT):
Has joined the channel.

magicliang (Tue, 06 Mar 2018 10:24:00 GMT):
Has joined the channel.

harsha (Tue, 06 Mar 2018 11:22:28 GMT):
Hi, any examples for setting up multi-fabric-ca cluster with mysql as datasource ?

ArvsIndrarys (Tue, 06 Mar 2018 11:41:31 GMT):
Hi guys, is it possible to change the Type of a member via the LDAP? I tried the following in my CA:
```
converters:
  - name: hf.Type
    value: map(attr("description"),"types")
maps:
  types:
    - name: peer
      value: peer
    - name: orderer
      value: orderer
    - name: client
      value: client
```
but I got this result:
```
root@fb33d6b06989:/# fabric-ca-client identity list --id peer_17612
Name: uid=peer_17612,cn=peer,ou=dev,dc=sunchain,dc=fr, Type: client, Affiliation: , Max Enrollments: 0, Attributes: [{Name:uid Value:peer_17612 ECert:false} {Name:description Value:peer ECert:false} {Name:hf.Type Value:peer ECert:false} {Name:hf.IntermediateCA Value:false ECert:false} {Name:hf.GenCRL Value:false ECert:false} {Name:hf.Revoker Value:false ECert:false} {Name:hf.AffiliationMgr Value:false ECert:false} {Name:hf.Registrar.Roles Value: ECert:false}]
```
The JSON tells `hf.Type: peer` but the fabric-ca-client sees `Type: client` and I dunno why...

ArvsIndrarys (Tue, 06 Mar 2018 11:41:31 GMT):
Hi guys, is it possible to change the Type of a member via the LDAP? I tried the following in my CA:
```
converters:
  - name: hf.Type
    value: map(attr("description"),"types")
maps:
  types:
    - name: peer
      value: peer
    - name: orderer
      value: orderer
    - name: client
      value: client
```
but I got this result:
```
root@fb33d6b06989:/# fabric-ca-client identity list --id peer_17612
Name: uid=peer_17612,cn=peer,ou=dev,dc=org,dc=fr, Type: client, Affiliation: , Max Enrollments: 0, Attributes: [{Name:uid Value:peer_17612 ECert:false} {Name:description Value:peer ECert:false} {Name:hf.Type Value:peer ECert:false} {Name:hf.IntermediateCA Value:false ECert:false} {Name:hf.GenCRL Value:false ECert:false} {Name:hf.Revoker Value:false ECert:false} {Name:hf.AffiliationMgr Value:false ECert:false} {Name:hf.Registrar.Roles Value: ECert:false}]
```
The JSON tells `hf.Type: peer` but the fabric-ca-client sees `Type: client` and I dunno why...

ArvsIndrarys (Tue, 06 Mar 2018 11:59:34 GMT):
I also tried to enroll with the --id.type flag but it stays a client :/

ArvsIndrarys (Tue, 06 Mar 2018 11:59:34 GMT):
I also tried to enroll with the `--id.type` flag but it stays a client :/

skarim (Tue, 06 Mar 2018 14:46:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FAnpJshxToiAvPphe) @harsha We don't have an example, but it should be pretty straightforward. In each of the cluster members, make sure you use the same datasource string in the configuration and they should all use the instance of mysql. Are you running into a specific issue?

skarim (Tue, 06 Mar 2018 14:46:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FAnpJshxToiAvPphe) @harsha We don't have an example, but it should be pretty straightforward. In each of the cluster members, make sure you use the same datasource string in the configuration and they should all use the same instance of mysql. Are you running into a specific issue?

aambati (Tue, 06 Mar 2018 15:00:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hbQfmws5LKmRNfyv9) @ArvsIndrarys you should have gotten an error for the `fabric-ca-client identity list` command when using LDAP as your registry, as listing identities from an LDAP is not supported

ArvsIndrarys (Tue, 06 Mar 2018 15:07:37 GMT):
@aambati indeed, that command fails :

ArvsIndrarys (Tue, 06 Mar 2018 15:07:37 GMT):
@aambati indeed, that command fails, but adding an --id works and gets the correct parameters except the type of the member

ArvsIndrarys (Tue, 06 Mar 2018 15:09:55 GMT):
Is there a way to ensure that hyperledger knows that it is a peer and not a client that `peer_17612` defines?

aambati (Tue, 06 Mar 2018 15:36:57 GMT):
@ArvsIndrarys i missed the --id part...i think this may be a bug...can you pls open a JIRA item for it

rjones (Tue, 06 Mar 2018 17:06:08 GMT):
dave.enyeart

rjones (Tue, 06 Mar 2018 17:06:17 GMT):
cbf

dave.enyeart (Tue, 06 Mar 2018 19:57:13 GMT):
smithbk

dave.enyeart (Tue, 06 Mar 2018 20:01:53 GMT):
aambati

vieiramanoel (Tue, 06 Mar 2018 21:16:02 GMT):
did someone deploy a network with kafka and fabric-ca?

vieiramanoel (Tue, 06 Mar 2018 21:17:11 GMT):
in the positive case, how did you achieve this?

vieiramanoel (Tue, 06 Mar 2018 21:17:59 GMT):
:thinking_face:

mohebz (Wed, 07 Mar 2018 07:53:26 GMT):
Has joined the channel.

vsadriano (Wed, 07 Mar 2018 09:57:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JkqTvFNPNXn7NcYui) @vieiramanoel I use Orderer with Kafka/Zookeeper and Fabric CA with PostgreSQL-9.6. Do you want to set Fabric CA persistence on the Kafka service?

anzalbeg (Wed, 07 Mar 2018 12:10:12 GMT):
Has joined the channel.

anzalbeg (Wed, 07 Mar 2018 12:13:41 GMT):
hi, can anyone help? I am configuring LDAP with Fabric-ca; I already created the LDAP server and added user identity information in an LDIF file. I configured the Fabric-ca environment variables as given ( FABRIC_CA_SERVER_LDAP_ENABLED=true - FABRIC_CA_SERVER_LDAP_URL="ldap://cn=jsmith,dc=example,dc=org:jsmithpw@localhost:10389/dc=example,dc=org" - FABRIC_CA_SERVER_LDAP_USERFILTER="uid=%s")

anzalbeg (Wed, 07 Mar 2018 12:18:01 GMT):
Now I'm a bit confused about the initialization phase of fabric-ca-server. I see that at initialization we need to pass the -b option, " fabric-ca-server init -b rca-org0-admin:rca-org0-adminpw", when LDAP is disabled, but what do I need to pass at fabric-ca-server initialization when LDAP is enabled?

aambati (Wed, 07 Mar 2018 15:14:07 GMT):
@anzalbeg -b option should not be required when LDAP is enabled...for now, specify dummy value to -b option to get around the problem...i have opened defect https://jira.hyperledger.org/browse/FAB-8692 for this problem

aambati (Wed, 07 Mar 2018 15:14:07 GMT):
@anzalbeg -b option should not be required when LDAP is enabled...this was fixed in the latest code (1.1-rc1) , i suggest moving to latest code if you are able to

aambati (Wed, 07 Mar 2018 15:14:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RmuMY8tZWavuGyj6g) @ArvsIndrarys Are you going to open a bug or should I go ahead and open one?

ArvsIndrarys (Wed, 07 Mar 2018 15:20:03 GMT):
@aambati With `hyperledger/fabric-ca:x86_64-1.1.0-alpha`, when I set up my ca cluster which has LDAP, I don't use the -b option, and all is working. You can open a bug for the `identity list --id` issue; I don't want to set up JIRA just for a non-critical bug.

aambati (Wed, 07 Mar 2018 15:32:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BBdgX9uHPX4FKKCxS) @ArvsIndrarys yes, you are right , it works in rc1...i have opened https://jira.hyperledger.org/browse/FAB-8693

aambati (Wed, 07 Mar 2018 15:32:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BBdgX9uHPX4FKKCxS) @ArvsIndrarys yes, you are right , it works in rc1...i have opened https://jira.hyperledger.org/browse/FAB-8693 for the `identity list --id` issue

ArvsIndrarys (Wed, 07 Mar 2018 15:39:17 GMT):
@aambati thanks

vieiramanoel (Wed, 07 Mar 2018 19:52:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7j76HQGt5rwQLtKne) @vsadriano I figured out that maybe idk how to configure kafka and zookeeper itself, but my first question was about the certs: does each broker have one cert, or is it the same for all brokers?

widemouthfrog (Wed, 07 Mar 2018 20:43:49 GMT):
Has joined the channel.

widemouthfrog (Wed, 07 Mar 2018 20:46:56 GMT):
How does an enduser use the CA to authenticate to hyperledger? I understand that there are register and enroll sdk function calls. I believe the peer receives enrollment and transaction certs for an enrolled user. But how does a user verify themselves when using the blockchain?

vishwasbalakrishna (Wed, 07 Mar 2018 21:33:38 GMT):
Has joined the channel.

devchaud (Thu, 08 Mar 2018 06:17:01 GMT):
Has joined the channel.

fanjianhang (Thu, 08 Mar 2018 07:49:08 GMT):
Has joined the channel.

SuvitPatil (Thu, 08 Mar 2018 08:50:21 GMT):
Hi, We are trying to implement SOFTHSM in hyperledger fabric -rc1 version. I am able to get the “successful admin enroll message”, but when I try to register a user I get the error below. “enrollment.key” has the proper value, but when it tries to convert it into bytes it is failing.

SuvitPatil (Thu, 08 Mar 2018 08:50:52 GMT):

enrollmentKey.png

aambati (Thu, 08 Mar 2018 13:05:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=F9FZfPDzgPGmDvALg) @widemouthfrog end user signs the transaction with his/her private key (that is associated with the enrollment cert) and includes the cert...peer will validate that cert was issued by the CA associated with the org to which peer belongs and then validates the signature. Currently, transactions are signed by the enrollment key. transaction certs are not used in fabric currently.

aambati (Thu, 08 Mar 2018 13:42:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3yMyHho7bnnXWao24) @SuvitPatil It seems you are using the fabcar example. It seems like it was not meant to be used with hsm (pkcs11)...the error says that toBytes is not supported by pkcs11 for the private key (if the key is allowed to be serialized to bytes, it can leave the machine, in that sense it is understandable pkcs11 does not support toBytes) and that is what fabcar is doing...

aambati (Thu, 08 Mar 2018 13:42:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3yMyHho7bnnXWao24) @SuvitPatil It seems you are using the fabcar example. It seems like it was not meant to be used with hsm (pkcs11)...the error says that toBytes is not supported by pkcs11 for the private key (if the key is allowed to be serialized to bytes, it can leave the process, in that sense it is understandable pkcs11 does not support toBytes) and that is what fabcar is doing...

JeroenDePrest (Thu, 08 Mar 2018 15:07:20 GMT):
In the fabric-ca project from the fabric samples repository it states that we use the data directory as a volume mount for all containers. This volume mount would not be needed in a real scenario, but then in reason c for why we do this it states `c) to access bootstrap certificates required by clients to connect over TLS`. How would we solve this then in a real world example? I am asking this because I would like to run this project (fabric-samples/fabric-ca) decentralized.

JeroenDePrest (Thu, 08 Mar 2018 15:07:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vyhxmmCuw8FHP3qL9) @JeroenDePrest in the real world, the orderer/bootstrap admin gets the public portions of the organization msp (cacerts, tls certs, admin certs) from all the participating orgs, creates the genesis block and creates the orderer system channel using this genesis block....admin certs contain the certs of the admins who can do channel operations...when you create a channel, its genesis block is derived from the latest configuration block of the orderer system channel

IgorSim (Thu, 08 Mar 2018 16:47:28 GMT):
Guys, has anyone executed the 'fabric-ca' example successfully but with USE_INTERMEDIATE_CA=false in env.sh? I'm using the latest 1.1-rc1 branch but I run into a problem; it looks like start-peer.sh is using the ICA URL instead of the RCA during enrollment. [DEBUG] Sending request POST https://ica-org1:7054/enroll statusCode=401 (401 Unauthorized)

aambati (Thu, 08 Mar 2018 17:19:04 GMT):
@IgorSim did you get this change set : https://gerrit.hyperledger.org/r/c/18785/

aambati (Thu, 08 Mar 2018 17:19:04 GMT):
@IgorSim did you get this change set : https://gerrit.hyperledger.org/r/c/18785/...this was merged recently, so make sure you pull the latest code

Rosan (Fri, 09 Mar 2018 02:29:19 GMT):
Has joined the channel.

SuvitPatil (Fri, 09 Mar 2018 04:41:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=P359PAKd8aFB2CdL8) @aambati So do we have any other example to test with HSM?

glendjustus (Fri, 09 Mar 2018 05:22:52 GMT):
Has joined the channel.

glendjustus (Fri, 09 Mar 2018 05:25:27 GMT):
In the Hyperledger edX course, I just ran ./byfn.sh -m up and got this error:

glendjustus (Fri, 09 Mar 2018 05:25:27 GMT):
In the Hyperledger edX course, I just ran ./byfn.sh -m up and got this error:
```
Build your first network (BYFN) end-to-end test
Channel name : mychannel
Creating channel...
CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
CORE_PEER_LOCALMSPID=Org1MSP
CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
CORE_PEER_TLS_ENABLED=true
CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
CORE_PEER_ID=cli
CORE_LOGGING_LEVEL=DEBUG
CORE_PEER_ADDRESS=peer0.org1.example.com:7051
2018-03-09 05:00:38.352 UTC [main] main -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp: CA Certificate is not valid, (SN: 205568636626078227586601627822411722395): could not obtain certification chain: the supplied identity is not valid: x509: certificate has expired or is not yet valid
!!!!!!!!!!!!!!! Channel creation failed !!!!!!!!!!!!!!!!
========= ERROR !!! FAILED to execute End-2-End Scenario ===========
```

glendjustus (Fri, 09 Mar 2018 05:25:27 GMT):
In the Hyperledger edX course, I just ran ./byfn.sh -m up and got this error:
```
Build your first network (BYFN) end-to-end test
Channel name : mychannel
Creating channel...
CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
CORE_PEER_LOCALMSPID=Org1MSP
CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
CORE_PEER_TLS_ENABLED=true
CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
CORE_PEER_ID=cli
CORE_LOGGING_LEVEL=DEBUG
CORE_PEER_ADDRESS=peer0.org1.example.com:7051
2018-03-09 05:00:38.352 UTC [main] main -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp: CA Certificate is not valid, (SN: 205568636626078227586601627822411722395): could not obtain certification chain: the supplied identity is not valid: x509: certificate has expired or is not yet valid
!!!!!!!!!!!!!!! Channel creation failed !!!!!!!!!!!!!!!!
========= ERROR !!! FAILED to execute End-2-End Scenario ===========
```
How do I resolve the "CA Certificate not valid" issue?

glendjustus (Fri, 09 Mar 2018 05:25:27 GMT):
In the Hyperledger edX course, I just ran ./byfn.sh -m up and got this error:
```
Build your first network (BYFN) end-to-end test
Channel name : mychannel
Creating channel...
CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
CORE_PEER_LOCALMSPID=Org1MSP
CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
CORE_PEER_TLS_ENABLED=true
CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
CORE_PEER_ID=cli
CORE_LOGGING_LEVEL=DEBUG
CORE_PEER_ADDRESS=peer0.org1.example.com:7051
2018-03-09 05:00:38.352 UTC [main] main -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp: CA Certificate is not valid, (SN: 205568636626078227586601627822411722395): could not obtain certification chain: the supplied identity is not valid: x509: certificate has expired or is not yet valid
!!!!!!!!!!!!!!! Channel creation failed !!!!!!!!!!!!!!!!
========= ERROR !!! FAILED to execute End-2-End Scenario ===========
```
How do I resolve the "CA Certificate not valid" issue?

glendjustus (Fri, 09 Mar 2018 05:25:27 GMT):
In the Hyperledger edX course, I just rant ./byfn.sh -m up and got this error: Build your first network (BYFN) end-to-end test Channel name : mychannel Creating channel... CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key CORE_PEER_LOCALMSPID=Org1MSP CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt CORE_PEER_TLS_ENABLED=true CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp CORE_PEER_ID=cli CORE_LOGGING_LEVEL=DEBUG CORE_PEER_ADDRESS=peer0.org1.example.com:7051 2018-03-09 05:00:38.352 UTC [main] main -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp: CA Certificate is not valid, (SN: 205568636626078227586601627822411722395): could not obtain certification chain: the supplied identity is not valid: x509: certificate has expired or is not yet valid !!!!!!!!!!!!!!! Channel creation failed !!!!!!!!!!!!!!!! ========= ERROR !!! FAILED to execute End-2-End Scenario ===========``` ``` How do I resolve the "CA Certificate not valid" issue?

glendjustus (Fri, 09 Mar 2018 05:25:27 GMT):
In the Hyperledger edX course, I just rant ./byfn.sh -m up and got this error: Build your first network (BYFN) end-to-end test Channel name : mychannel Creating channel... CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key CORE_PEER_LOCALMSPID=Org1MSP CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt CORE_PEER_TLS_ENABLED=true CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp CORE_PEER_ID=cli CORE_LOGGING_LEVEL=DEBUG CORE_PEER_ADDRESS=peer0.org1.example.com:7051 2018-03-09 05:00:38.352 UTC [main] main -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp: CA Certificate is not valid, (SN: 205568636626078227586601627822411722395): could not obtain certification chain: the supplied identity is not valid: x509: certificate has expired or is not yet valid !!!!!!!!!!!!!!! Channel creation failed !!!!!!!!!!!!!!!! ========= ERROR !!! FAILED to execute End-2-End Scenario ===========``` ``` How do I resolve the "CA Certificate not valid" issue?``` Now it is working without me making any changes. What caused/causes the problem? ```

glendjustus (Fri, 09 Mar 2018 05:25:27 GMT):
In the Hyperledger edX course, I just rant ./byfn.sh -m up and got this error: Build your first network (BYFN) end-to-end test Channel name : mychannel Creating channel... CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key CORE_PEER_LOCALMSPID=Org1MSP CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt CORE_PEER_TLS_ENABLED=true CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp CORE_PEER_ID=cli CORE_LOGGING_LEVEL=DEBUG CORE_PEER_ADDRESS=peer0.org1.example.com:7051 2018-03-09 05:00:38.352 UTC [main] main -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp: CA Certificate is not valid, (SN: 205568636626078227586601627822411722395): could not obtain certification chain: the supplied identity is not valid: x509: certificate has expired or is not yet valid !!!!!!!!!!!!!!! Channel creation failed !!!!!!!!!!!!!!!! ========= ERROR !!! FAILED to execute End-2-End Scenario ===========``` ``` How do I resolve the "CA Certificate not valid" issue?

glendjustus (Fri, 09 Mar 2018 05:25:27 GMT):
In the Hyperledger edX course, I just rant ./byfn.sh -m up and got this error: Build your first network (BYFN) end-to-end test Channel name : mychannel Creating channel... CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key CORE_PEER_LOCALMSPID=Org1MSP CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt CORE_PEER_TLS_ENABLED=true CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp CORE_PEER_ID=cli CORE_LOGGING_LEVEL=DEBUG CORE_PEER_ADDRESS=peer0.org1.example.com:7051 2018-03-09 05:00:38.352 UTC [main] main -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp: CA Certificate is not valid, (SN: 205568636626078227586601627822411722395): could not obtain certification chain: the supplied identity is not valid: x509: certificate has expired or is not yet valid !!!!!!!!!!!!!!! Channel creation failed !!!!!!!!!!!!!!!! ========= ERROR !!! FAILED to execute End-2-End Scenario ===========``` ``` How do I resolve the "CA Certificate not valid" issue?``` ``` Now it is working without me making any changes. What caused/causes the problem?

AndrewRy 1 (Fri, 09 Mar 2018 09:46:42 GMT):
Hi, I got the issue "Principal deserialization failure (The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "admin"))". How can I find out whether the identity's certificate is validly signed by the org CA chain?

ArvsIndrarys (Fri, 09 Mar 2018 10:49:32 GMT):
@AndrewRy 1 you can try `openssl verify -CAfile `

ArvsIndrarys (Fri, 09 Mar 2018 10:52:08 GMT):
it returns ` : OK` or an error

aambati (Fri, 09 Mar 2018 16:09:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Ni4ZSaiJ35MgWYcf9) @SuvitPatil i am not aware of any example that uses HSM

widemouthfrog (Fri, 09 Mar 2018 19:38:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mF7E9xKtkxGyQDLoM) @aambati So, by end user you mean the application the end user utilizes to interact with the ledger is what signs the transactions, with an eCert-associated key? But an application may serve multiple users, so then what I really need is an application-level authentication system for users to prove their identity to the application so that it uses the proper signing certs/keys? And I'm guessing this is out of scope for Hyperledger, i.e., an implementation-level detail for the specific app (OAuth, etc.)?

lvzewen (Sat, 10 Mar 2018 07:27:09 GMT):
Has joined the channel.

SethiSaab (Sat, 10 Mar 2018 08:50:52 GMT):
Hi Team, I am getting the following error while doing a channel config tx: `/......................................config update generation failure: could not parse application to application group: setting up the MSP manager failed: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com")`

DavidWalter (Sat, 10 Mar 2018 21:21:02 GMT):
Has joined the channel.

TobiasN (Mon, 12 Mar 2018 00:13:12 GMT):
Has joined the channel.

pankajcheema (Mon, 12 Mar 2018 04:48:34 GMT):
Anyone here know how to find `CORE_PEER_LOCALMSPID`?

ArvsIndrarys (Mon, 12 Mar 2018 10:34:27 GMT):
@pankajcheema in the organizations part of `configtx.yaml`:
```
Organizations:
  - &OrdererOrg
    Name: OrdererOrg
    ID: OrdererMSP
    MSPDir: /mnt/data/msp/dev/ordererMSP
  - &Org1
    Name: Org1MSP
    ID: Org1MSP
    MSPDir: /mnt/data/msp/dev/peerMSP
```
something like that

pankajcheema (Mon, 12 Mar 2018 10:44:30 GMT):
Anyone know this error?
```
orderer.example.com | 2018-03-12 10:43:28.563 UTC [orderer/commmon/multichannel] newLedgerResources -> CRIT 004 Error creating channelconfig bundle: initializing configtx manager failed: error converting config to map: Illegal characters in key: [Group]
```

ArvsIndrarys (Mon, 12 Mar 2018 10:57:46 GMT):
@pankajcheema as it says, some characters you used in the group part of the config provoke an error

pankajcheema (Mon, 12 Mar 2018 10:58:14 GMT):
What does that mean?

pankajcheema (Mon, 12 Mar 2018 11:05:25 GMT):
@ArvsIndrarys

ArvsIndrarys (Mon, 12 Mar 2018 11:10:22 GMT):
@pankajcheema https://github.com/hyperledger/fabric/blob/db26105081bc30f2ef744d064a4e5958c01364c8/common/configtx/configmap.go

ArvsIndrarys (Mon, 12 Mar 2018 11:11:29 GMT):
I don't know what the character is, but try with 'standard' characters in your configtx. Mine, for example, doesn't use anything like _, -, * or "

pankajcheema (Mon, 12 Mar 2018 11:11:40 GMT):
ok

pankajcheema (Mon, 12 Mar 2018 11:26:47 GMT):
@ArvsIndrarys I have removed _, - and all other symbols

pankajcheema (Mon, 12 Mar 2018 11:26:53 GMT):
but still it gave me same error

pankajcheema (Mon, 12 Mar 2018 11:26:58 GMT):
any other suggestion?

pankajcheema (Mon, 12 Mar 2018 11:26:59 GMT):
.?

ArvsIndrarys (Mon, 12 Mar 2018 11:27:32 GMT):
remove [ and ] characters?

pankajcheema (Mon, 12 Mar 2018 13:20:19 GMT):
done

pankajcheema (Mon, 12 Mar 2018 13:20:21 GMT):
same error

pankajcheema (Mon, 12 Mar 2018 13:20:23 GMT):
@ArvsIndrarys

ArvsIndrarys (Mon, 12 Mar 2018 14:42:35 GMT):
Hi guys! Can I revoke an identity with LDAP enabled? I tried by adapting the code of the readthedocs and I got:
```
docker exec $(docker ps -q --filter name=cadev_ca_in) bash -c 'fabric-ca-client revoke -e orderer_dev_0 -M /etc/hyperledger/msp/ca/ca_client'
2018/03/12 14:37:59 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2018/03/12 14:37:59 [INFO] TLS Enabled
2018/03/12 14:37:59 [INFO] TLS Enabled
Error: Response from server: Error Code: 13 - Failed to revoke user: Not supported
```
and logs show:
```
POST /revoke 500 13 "Failed to revoke user: Not supported"
```

skarim (Mon, 12 Mar 2018 14:59:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=74YJGrinYx2a5ac6e) @ArvsIndrarys If you are using LDAP you can't revoke the actual user, but you can revoke the certificates associated with that user by supplying the AKI and Serial Number of the certificate

ArvsIndrarys (Mon, 12 Mar 2018 15:00:30 GMT):
@skarim thanks ! trying it now

rennman (Mon, 12 Mar 2018 17:12:28 GMT):
@pankajcheema are you using only lower-case? here are the rules:
```
// 1. Contain only ASCII alphanumerics, dots '.', dashes '-'
// 2. Are shorter than 250 characters.
// 3. Are not the strings "." or "..".
```

rennman (Mon, 12 Mar 2018 17:14:38 GMT):
@pankajcheema that is for ConfigID; ChannelID also requires lower case:
```
// 1. Contain only lower case ASCII alphanumerics, dots '.', and dashes '-'
// 2. Are shorter than 250 characters.
// 3. Start with a letter
```

pichayuthk (Tue, 13 Mar 2018 04:02:41 GMT):
Has joined the channel.

pichayuthk (Tue, 13 Mar 2018 04:04:18 GMT):
Hi, how do I exchange the CA cert between orgs so that org2 will be able to connect and fetch block information from org1? I am trying to connect a new org to an existing org and was facing a problem about the CA of org1 not allowing org2 to fetch the block information from the orderer.

AshishMishra 1 (Tue, 13 Mar 2018 08:36:56 GMT):
Hi guys.. is LDAP necessary to run the CA in production? I'm not able to understand the actual use case of LDAP. Can I use MySQL for the same purpose?

dsanchezseco (Tue, 13 Mar 2018 09:11:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7LvtkqwoQLDPktJWS) @pichayuthk I've found the same problem; for now I think doing it manually is the only way (I heard there are plans to have an endpoint on the CA to get the root certs, but I cannot recall the estimated time)

ArvsIndrarys (Tue, 13 Mar 2018 09:47:59 GMT):
@AshishMishra 1 LDAP will manage identities and MySQL will store certs

AshishMishra 1 (Tue, 13 Mar 2018 09:54:06 GMT):
@ArvsIndrarys thanks for the reply. But I can see MySQL can also manage my identities in the users table with the attributes too. Then am I gaining anything extra by running the overhead of LDAP? I mean LDAP is good for authentication from a performance point of view, which is a known fact. But in terms of functionality/features/security, am I losing anything if I don't use LDAP?

ArvsIndrarys (Tue, 13 Mar 2018 10:00:57 GMT):
@AshishMishra 1 As LDAP is optimized for reading, I think it will be more scalable the bigger your organization gets, and it could give you a better view of it thanks to the O, OU, CN, ... LDAP can be more secure too, as someone who gets access to your client CA can't enroll identities that don't exist in LDAP

AshishMishra 1 (Tue, 13 Mar 2018 10:03:44 GMT):
@ArvsIndrarys , that makes sense. Since with CA I can register and enroll users if I get access to CA. But with LDAP, I need to create users in LDAP separately.

ArvsIndrarys (Tue, 13 Mar 2018 10:04:06 GMT):
yes

AshishMishra 1 (Tue, 13 Mar 2018 10:06:34 GMT):
@ArvsIndrarys , thanks, so scalability and security. I think these two points are good enough for me to vouch for the use of LDAP, though it increases the operational overhead of maintaining an LDAP cluster.

ArvsIndrarys (Tue, 13 Mar 2018 10:13:42 GMT):
Hi guys! I tried to create a CRL and I got: `Error Code: 46 - The CA does not have authority to generate a CRL. Its certificate does not have 'crl sign' key usage` but before that, the logs show: `Evaluated expression for attribute 'hf.GenCRL'; parms: map[DN:uid=ca_client,cn=ca,ou=ca,dc=myorg,dc=fr affiliation:[]]; result: true` Was there a configuration step that I missed?

AshishMishra 1 (Tue, 13 Mar 2018 11:45:12 GMT):
Hey guys, in order to run multiple CA servers for an org, does each CA need a different identity, or can I give the same identity and use the same certs for all the CA servers running behind a load balancer? Is there any risk in doing so? Also I intend to use cryptogen for generating my peer certs (it's super convenient), and with cryptogen I can't generate multiple CA certs for one org.

nolimitkun (Tue, 13 Mar 2018 12:53:58 GMT):
Has joined the channel.

jspark84 (Tue, 13 Mar 2018 13:10:35 GMT):
Has joined the channel.

antitoine (Tue, 13 Mar 2018 13:24:00 GMT):
Has left the channel.

skarim (Tue, 13 Mar 2018 13:42:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jikREguHoEyBCM8Jt) @ArvsIndrarys The 'hf.GenCRL' attribute indicates if a user is allowed to generate a CRL. But the certificate used by the CA must have the usage 'crl sign'. By default, the ca signing profile has this usage. You should inspect the CA certificate to make sure this usage is present; if not, you will need to generate a CA certificate that has this usage. Below is the default signing section in the server configuration file, take a look at the ca section:
```
signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen:
```

ArvsIndrarys (Tue, 13 Mar 2018 13:43:13 GMT):
@skarim Okay thanks! I did not see these lines in http://hyperledger-fabric-ca.readthedocs.io/en/latest/

skarim (Tue, 13 Mar 2018 13:43:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qJMbcv6nNGXYvc5St) @AshishMishra 1 If you are planning to run a cluster then that is the recommended approach, each one of the ca servers should be using the same ca certificate.

bourbonkidQ (Tue, 13 Mar 2018 14:47:57 GMT):
Has joined the channel.

smithbk (Tue, 13 Mar 2018 17:30:22 GMT):
@AshishMishra 1 Using the same enrollment ID and using the same CA certs for all cluster members are two different questions. I would not recommend having each member use the same certificate as doing so requires copying the private key which is a bad idea from a security perspective, and impossible if you are using an HSM configured appropriately. You could use the same enrollment ID and secret for all cluster members, but you have to make sure that the max_enrollments setting allows at least N enrollments where N is your cluster size. But if you want to be really secure, you would use different enrollment IDs for each cluster member with max_enrollments = 1 to prevent someone who learns the secret from being able to get their own signing certificate.

GopalPanda (Tue, 13 Mar 2018 19:55:13 GMT):
Has joined the channel.

ongar (Tue, 13 Mar 2018 22:02:20 GMT):
Question: Do I need to enroll the user with fabric-ca, if the user already has their cert and key from somewhere else?

ongar (Tue, 13 Mar 2018 22:03:17 GMT):
What's the purpose of the enroll call?

TobiasN (Wed, 14 Mar 2018 00:49:55 GMT):
@ongar the register call lets the administrator create the user in the database of the CA server, just a row in a table.

TobiasN (Wed, 14 Mar 2018 00:51:08 GMT):
@ongar on enroll, the client will create a private/public keypair and send the public key with some parameters to the CA (including a passphrase) to get a certificate.

varun-raj (Wed, 14 Mar 2018 06:20:55 GMT):
Anybody using JWT for authentication?

TobiasN (Wed, 14 Mar 2018 06:32:48 GMT):
@varun-raj you can additionally use a JWT token to identify users, doing some login-like behavior, but that would be an extra solution; in the balance transfer sample the use of JWT is demonstrated: https://github.com/hyperledger/fabric-samples/blob/release/balance-transfer/app.js

varun-raj (Wed, 14 Mar 2018 06:34:11 GMT):
Yeah, so now if I use JWT, I need to upload the private key and certificate, verify with the CA and then generate the token, right?

TobiasN (Wed, 14 Mar 2018 06:51:58 GMT):
@varun-raj just read the code of balance transfer: the private keys are created and stored at the node-js server, the certificate is created using the CA, and the certificate is stored at the CA and at the node-js server.

TobiasN (Wed, 14 Mar 2018 06:53:04 GMT):
the app uses username and password to read a user's private key & cert from the file system, then invokes whatever action on peer, orderer or CA.

TobiasN (Wed, 14 Mar 2018 06:54:04 GMT):
the JWT token contains the user identification and maps the user:
```
req.username = decoded.username;
req.orgname = decoded.orgName;
```

varun-raj (Wed, 14 Mar 2018 06:56:34 GMT):
Thanks @TobiasN That helps a lot. Is it safe to keep the private key and certificate in the nodejs server?

TobiasN (Wed, 14 Mar 2018 07:00:17 GMT):
it depends on how the trust is about to be created; right now the company could just take any key and fake that some user makes certain transactions, but the employees can probably already trust their company. But this solution can already be used to create trust between organizations, as one organization will not have the private keys of the other companies' employees.

TobiasN (Wed, 14 Mar 2018 07:00:53 GMT):
if the system is supposed to create trust between the end user and the network, the end user would need to create the private key,

TobiasN (Wed, 14 Mar 2018 07:01:30 GMT):
As far as I analysed, that would require a rewrite of the fabric-ca-client npm package.

varun-raj (Wed, 14 Mar 2018 07:04:18 GMT):
That's a great explanation.

varun-raj (Wed, 14 Mar 2018 07:05:45 GMT):
I was thinking of a different implementation where to store the keys in a temporary manner only when we use the application. Like upload the keys as a card file (Similar to composer) and place it in the store and generate the JWT for the enrollment ID and when we logout delete the keys and certificate.

varun-raj (Wed, 14 Mar 2018 07:05:49 GMT):
Do you think it is scalable?

ongar (Wed, 14 Mar 2018 07:09:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xEC3QBR5DfS5sQM8Y) @TobiasN - Thanks for the clarification. So, as a client, If I already have the key pair and a cert, I need only to register and not enroll? Or not even required to register?

TobiasN (Wed, 14 Mar 2018 07:11:30 GMT):
@varun-raj yes, that is scalable, but the problem would be the same: it would only need a change of a single line of code and the company could store the certs on separate storage. You never know if your company deleted that key. The risk could be reduced by short-lived certs, but the company could create new certs itself all the time, as it is operating the CA server itself.

TobiasN (Wed, 14 Mar 2018 07:12:39 GMT):
@ongar enrollment is the process of creating the private key, creating a CSR (cert signing request) and getting a certificate from the CA.

TobiasN (Wed, 14 Mar 2018 07:13:17 GMT):
the CA will sign the request because, before that, some trusted user has registered a user and given you a username and passphrase

TobiasN (Wed, 14 Mar 2018 07:14:08 GMT):
only cryptogen creates user certificates without having the user registered in the CA's database.

varun-raj (Wed, 14 Mar 2018 07:14:32 GMT):
Great, also is there a way to store the keys in a temporary space like RAM so that we don't have to save them at all?

ongar (Wed, 14 Mar 2018 07:16:34 GMT):
@TobiasN - sorry I didn't get what you said. Are you saying I still need to do both register and enroll even if I already have my identity crypto material with me somewhere?

TobiasN (Wed, 14 Mar 2018 07:16:46 GMT):
@varun-raj for that you need to study the fabric-client node-js module; there is an implementation of "keystore" and "cryptokeystore" classes that store the keys and certs to the filesystem. I have an implementation that stores them in Mongo, but you can also make one that stores them in memory only, or anywhere, and also implement auto delete from that store.

varun-raj (Wed, 14 Mar 2018 07:17:22 GMT):
Cool, that sounds good

TobiasN (Wed, 14 Mar 2018 07:17:54 GMT):
@ongar no, if you have that user certificate another way, you can use that. You can invoke and send transactions.

TobiasN (Wed, 14 Mar 2018 07:18:44 GMT):
but if one of the servers were to check back the user and its cert with the CA, the CA would not know it. (In fact, I think the peer and orderer never check back the certificates.)

TobiasN (Wed, 14 Mar 2018 07:19:12 GMT):
so you can invoke

AshishMishra 1 (Wed, 14 Mar 2018 07:20:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=z52F9HFdnL6ijss22) @smithbk Thanks for the detailed reply. max_enrollments makes sense. I'm not using an HSM (don't have much idea of it, not sure if the CA server is using it internally anyway), so exposing the private keys to different servers is a security concern.

TobiasN (Wed, 14 Mar 2018 07:20:51 GMT):
checking if a cert is still valid also comes into play when you want to "revoke" a certificate. Even after revoking, I was able to invoke transactions or query chaincode. So an additional check needs to be implemented against the CA server.

ongar (Wed, 14 Mar 2018 07:23:18 GMT):
Anyone can verify a certificate trivially for its validity. I'm not sure if Fabric CA is needed for it.

AshishMishra 1 (Wed, 14 Mar 2018 07:23:49 GMT):
Hi all, can I have all the certificates generated by the CA server itself and not use cryptogen at all? In that case I guess I have to export the certificates to an MSP and then copy them to the peer/orderer node. How is it different from, and more secure than, using cryptogen? And what about the TLS certificates?

ongar (Wed, 14 Mar 2018 07:25:55 GMT):
There is a whole mess of certificates and keys (dozens of them) created and stored in the file system. Is there documentation which explains what all these things are for?

TobiasN (Wed, 14 Mar 2018 07:29:57 GMT):
@ongar right, anyone can check if the certificate is valid in itself. Let's say an employee is hired and gets a cert for one year; after a 3-month probation he leaves and his cert gets revoked. Later, it should still be checked whether that cert was revoked.

TobiasN (Wed, 14 Mar 2018 07:32:00 GMT):
in the filesystem that cryptogen creates, many files are already duplicates; that is because they are already arranged into useful structures, so that you have all certs for a peer in one folder, all certs for an orderer server in one place, ... That might be confusing; just take your time, and click through and compare them.

TobiasN (Wed, 14 Mar 2018 07:33:17 GMT):
in order to analyse what all these certificates are, I implemented my own PEM-parsing module: https://www.npmjs.com/package/tder

ongar (Wed, 14 Mar 2018 07:33:43 GMT):
Ok, that explains it better. Thanks! So, a valid identity alone is not enough; the permission to participate in the network is also required. How are these permissions stored and managed?

TobiasN (Wed, 14 Mar 2018 07:34:06 GMT):
it is similar to https://www.npmjs.com/package/x509 but does not have any C compiler dependency.

TobiasN (Wed, 14 Mar 2018 07:37:22 GMT):
@ongar the management possible with the CA server is quite limited, but I think "good enough"; I think more permission management would be done in the chaincode.

ongar (Wed, 14 Mar 2018 07:40:45 GMT):
Chaincode probably only checks the roles. But these roles should be registered somewhere on the server side. So I think the register call will add these roles to the attribute server

TobiasN (Wed, 14 Mar 2018 07:52:44 GMT):
in chaincode you can do all kinds of logic; there is a prop creator that contains the user's cert, and based on that you can do all kinds of permission systems: ACL, groups, roles, hierarchical groups, ...

junhwanchoi (Wed, 14 Mar 2018 08:30:50 GMT):
Has joined the channel.

dsanchezseco (Wed, 14 Mar 2018 09:04:27 GMT):
Does a peer need to have the public certs of the rest of the peers of its org or of the other orgs for the normal consensus process? Is there any case in which it could be a 'must have'?

dsanchezseco (Wed, 14 Mar 2018 09:14:50 GMT):
btw the naming of the certs in the msp folder is incorrect: the CA cert and the intermediate CA cert have the same name although one is the root CA and the other is the intermediate. Is it just my config or is this something common?

ArvsIndrarys (Wed, 14 Mar 2018 09:33:43 GMT):
@dsanchezseco +1 for the same name in intermediatecerts and cacerts. It took me a while before doing an `openssl x509 -in ... -text` and understanding these certs weren't the same

dsanchezseco (Wed, 14 Mar 2018 09:34:43 GMT):
I know they aren't the same, that's why I think they should be named differently, not only be in different folders

dsanchezseco (Wed, 14 Mar 2018 09:37:05 GMT):
looking at the code, the name is being generated from the host URL you are querying to get the certs: the same name for all the certs, distinguished only by the folder

dsanchezseco (Wed, 14 Mar 2018 09:41:46 GMT):
```
// Store the CAChain in the CACerts folder of MSP (Membership Service Provider)
// The root cert in the chain goes into MSP 'cacerts' directory.
// The others (if any) go into the MSP 'intermediatecerts' directory.
func storeCAChain(config *lib.ClientConfig, si *lib.GetServerInfoResponse) error {
	mspDir := config.MSPDir
	// Get a unique name to use for filenames
	serverURL, err := url.Parse(config.URL)
	if err != nil {
		return err
	}
	fname := serverURL.Host //<- name generation
	if config.CAName != "" {
		fname = fmt.Sprintf("%s-%s", fname, config.CAName)
	}
	fname = strings.Replace(fname, ":", "-", -1)
	fname = strings.Replace(fname, ".", "-", -1) + ".pem"
	tlsfname := fmt.Sprintf("tls-%s", fname)
	[...]
	// Store the root certificates in the "cacerts" msp folder
	certBytes := bytes.Join(rootBlks, []byte(""))
	if config.Enrollment.Profile == "tls" {
		err := storeCert("TLS root CA certificate", tlsRootCACertsDir, tlsfname, certBytes) //<-
		[..]
	} else {
		err = storeCert("root CA certificate", rootCACertsDir, fname, certBytes) //<-
		[..]
	}
	// Store the intermediate certificates in the "intermediatecerts" msp folder
	certBytes = bytes.Join(intBlks, []byte(""))
	if config.Enrollment.Profile == "tls" {
		err = storeCert("TLS intermediate certificates", tlsIntCACertsDir, tlsfname, certBytes) //<-
		[..]
	} else {
		err = storeCert("intermediate CA certificates", intCACertsDir, fname, certBytes) //<-
		[..]
	}
	return nil
}
```

deepakvparmar (Wed, 14 Mar 2018 09:56:45 GMT):
@dsanchezseco : We are getting the following exception, "protocol_version", while registering a user on the Fabric CA Server. We are using Fabric Java SDK 1.0.1. Kindly help us if you have faced this issue before. Any pointer will be very helpful.

deepakvparmar (Wed, 14 Mar 2018 09:58:44 GMT):

Clipboard - March 14, 2018 3:28 PM

bourbonkidQ (Wed, 14 Mar 2018 10:47:59 GMT):
Hello, I need help on setting up TLS between a root CA and an intermediate CA (and, secondly, between my peers and the intermediate CA). I have already read the documentation and the process is not clear to me. Noted:
- I do not want to share certificates via scp or another "no-hyperledger" command.
- I do not use certificates provided by default. I delete them and the generators from the fabric-ca-server-config.yaml configuration file.
Each CA is on a dedicated VM and I use docker-compose to create the containers. I'm using the hyperledger/fabric-ca version 1.1.0-preview. I tried to start the CA-root with TLS enabled and then enrolled the CA-intermediary; of course I have an error in CA Intermediate because I do not provide a TLS certificate. I tried to start the CA-root with TLS disabled, enrolled the CA-Intermediate, then restarted CA-root with TLS enabled, but CA-Intermediate still cannot communicate with CA-root. What is the method to solve my problem? Thank you

dsanchezseco (Wed, 14 Mar 2018 11:18:03 GMT):
@bourbonkidQ try `fabric-ca-client getcacert -u http://localhost:7055 -M $FABRIC_CA_CLIENT_HOME/msp` https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#getting-a-ca-certificate-chain-from-another-fabric-ca-server

bourbonkidQ (Wed, 14 Mar 2018 11:30:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FGeXDE7xz6wqKekzB) @dsanchezseco if TLS is enabled on CA-Root and I try `fabric-ca-client getcacert -u http://localhost:7055 -M $FABRIC_CA_CLIENT_HOME/msp` on CA-intermediate I have an error because the server expects https

bourbonkidQ (Wed, 14 Mar 2018 11:30:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FGeXDE7xz6wqKekzB) @dsanchezseco if TLS is enabled on CA-Root and I try `fabric-ca-client getcacert -u http://CAROOT:7055 -M $FABRIC_CA_CLIENT_HOME/msp` on CA-intermediate I have an error because the server expects https

dsanchezseco (Wed, 14 Mar 2018 11:31:15 GMT):
:thinking:

Snixells (Wed, 14 Mar 2018 11:31:32 GMT):
Has joined the channel.

dsanchezseco (Wed, 14 Mar 2018 11:31:34 GMT):
and https with no tls cert?

dsanchezseco (Wed, 14 Mar 2018 11:31:44 GMT):
it doesn't work right?

dsanchezseco (Wed, 14 Mar 2018 11:31:44 GMT):
it doesn't work right? @bourbonkidQ

dsanchezseco (Wed, 14 Mar 2018 11:38:19 GMT):
@bourbonkidQ yeah, there must be a way to initially get the necessary certificates to be able to operate in a more programmatic way instead of SCPing or sharing a directory

dsanchezseco (Wed, 14 Mar 2018 11:38:56 GMT):
I'm running into the same issue on my env trying to automate the start of a network

dsanchezseco (Wed, 14 Mar 2018 11:38:56 GMT):
I'm running into the same issue on my env trying to automate the start of a network

bourbonkidQ (Wed, 14 Mar 2018 14:32:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=o6qZrwmgozyXWCda3) @dsanchezseco and if we try with https, fabric-ca-client asks for your TLS cert. I'm looking for a solution: maybe start the root-ca with TLS disabled, enroll the intermediate-ca and restart the root-ca with TLS. On the intermediate-CA, with the certificate obtained, generate a TLS cert (with openssl), but I don't know how to do that.

dsanchezseco (Wed, 14 Mar 2018 14:37:07 GMT):
@bourbonkidQ instead of generating the TLS with openssl you can try to do as you said, start w/o TLS, get the root cert and then enable TLS. As you have the root cert you should be able to call then the root with `fabric-ca-client enroll -d --enrollment.profile tls -u $ENROLLMENT_URL -M /tmp/tls --csr.hosts $PEER_HOST ` from the intermediate

dsanchezseco (Wed, 14 Mar 2018 14:37:29 GMT):
I'm guessing, but I think it's worth a try

dsanchezseco (Wed, 14 Mar 2018 14:38:46 GMT):
i'm checking the code to see if it's possible to have a function to return all the public certs registered in a CA as someone said [here](https://jira.hyperledger.org/browse/FAB-8585) https://jira.hyperledger.org/browse/FAB-8585

dsanchezseco (Wed, 14 Mar 2018 15:13:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PkigHJmFNeqwigDnx) I'm guessing it is not necessary to have the peers' certs to check the messages: as that cert has been signed by the CA, we can check its validity indirectly by having the CA cert, which we can get via `fabric-ca-client getcacert`, so this [issue](https://jira.hyperledger.org/browse/FAB-8585) is not needed, as the MSP only needs the CAs' certs, right?

dsanchezseco (Wed, 14 Mar 2018 15:18:03 GMT):
Can someone confirm this thought please?

dsanchezseco (Wed, 14 Mar 2018 15:19:12 GMT):
that way the only remaining step to avoid sharing any cert file manually is the TLS one...

dsanchezseco (Wed, 14 Mar 2018 15:24:55 GMT):
@cbf someone that can have a word on this (pleaseeee:slight_smile:)??

KGiou (Wed, 14 Mar 2018 15:37:07 GMT):
Has joined the channel.

dsanchezseco (Wed, 14 Mar 2018 15:38:38 GMT):
@mastersingh24 ??

huy.tranibm (Wed, 14 Mar 2018 17:01:19 GMT):
Has joined the channel.

huy.tranibm (Wed, 14 Mar 2018 17:01:49 GMT):
Hello friends, trying to register user with java sdk1.1, any idea what this error mean? its my first time seeing it ```POST /api/v1/register 401 30 "Certificate not found with AKI '```

mastersingh24 (Wed, 14 Mar 2018 17:22:51 GMT):
@dsanchezseco - you are correct. The endorsement policies are based on Orgs .... and the channel definition includes the MSPs for each org that is part of the channel .... these are passed to peers as configuration blocks ... and for the default MSP, we need only check the signing certs were issued by the CA/iCA associated with the Org and obtained from the config block for the channel

aambati (Wed, 14 Mar 2018 17:30:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sZw3xnFMWZX44qsJw) @huy.tranibm it means that the token used to make that call contains certificate that is not recognized by the Fabric CA server

huy.tranibm (Wed, 14 Mar 2018 17:31:18 GMT):
Thanks @aambati , just found that out, turns out i was using a kvs that wasn't deleted.

dsanchezseco (Wed, 14 Mar 2018 17:36:25 GMT):
@mastersingh24 thanks!! I'll check tomorrow for if I'm a step closer to a fault-tolerant self-healing org then:yum:

huy.tranibm (Wed, 14 Mar 2018 17:47:46 GMT):
fault-tolerant self-healing org?! sounds like a T-1000

aambati (Wed, 14 Mar 2018 18:51:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mmYeJSCBzDrZ3sTAT) @bourbonkidQ Setting up TLS on Fabric CA server with server generated TLS cert has "chicken-and-egg" problem. As you suggested, you should first start the server without TLS and get the CA certs and then enable TLS on the server

aambati (Wed, 14 Mar 2018 18:51:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mmYeJSCBzDrZ3sTAT) @bourbonkidQ Setting up TLS on Fabric CA server with server generated TLS cert has "chicken-and-egg" problem. As you suggested, you should first start the server without TLS and get the CA certs and then enable TLS on the server...you should be able to follow the same strategy for intermediate server as well

deepakvparmar (Thu, 15 Mar 2018 05:14:08 GMT):

Clipboard - March 15, 2018 10:43 AM

AshishMishra 1 (Thu, 15 Mar 2018 05:23:35 GMT):
@aambati How to generate tls certs using CA? registering and enrolling doesn't provide tls certs.

TobiasN (Thu, 15 Mar 2018 07:34:50 GMT):
@AshishMishra 1 NOT: https://github.com/hyperledger/fabric-sdk-java#tls-connection-to-orderer-and-peers

AshishMishra 1 (Thu, 15 Mar 2018 08:27:49 GMT):
@TobiasN , thanks.

dsanchezseco (Thu, 15 Mar 2018 09:13:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tzwbbjPAEtQifk5B8) @huy.tranibm at least it's based on fabric, not on bitcoin hahahahaha. Imagine a T-1000 doing an action every 10 min:joy:

AnthonyRoux (Thu, 15 Mar 2018 09:41:38 GMT):
Has joined the channel.

Ammu (Thu, 15 Mar 2018 09:42:10 GMT):

up.png

Ammu (Thu, 15 Mar 2018 09:42:14 GMT):
i am facing this error please resolve it

LinusBorg (Thu, 15 Mar 2018 09:50:30 GMT):
Has joined the channel.

AnthonyRoux (Thu, 15 Mar 2018 10:55:49 GMT):
Hi to all! I'm building a nodejs app based on what we can find in the Fabcar example in fabric-samples. I didn't change anything in the configuration of the network but it's still failing. When I check the logs of the orderer, I get the following error: `Principal deserialization failure (The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority) for identity...`. I'm not really at ease with certs but I managed to find that the cert provided in the orderer logs seems to come from a different CA. I executed a verify between the Admin@org1.example.com-cert.pem and ca.org1.example-cert.pem and it is ok. The volume mounted in my CA container is my $FABRIC_SERVER_HOME and the ca cert and ca key from my crypto-config folder generated with cryptogen. I know I probably forgot something or did something the wrong way; a clear step-by-step procedure would be great. I can provide logs if needed

AnthonyRoux (Thu, 15 Mar 2018 10:55:49 GMT):
Hi to all! I'm building a nodejs app based on what we can find in the Fabcar example in fabric-samples. I didn't change anything in the configuration of the network but it's still failing. When I check the logs of the orderer, I get the following error: `Principal deserialization failure (The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority) for identity...`. I'm not really at ease with certs but I managed to find that the cert provided in the orderer logs seems to come from a different CA. I executed a verify between the Admin@org1.example.com-cert.pem and ca.org1.example-cert.pem and it is ok. The volume mounted in my CA container is my $FABRIC_SERVER_HOME and the ca cert and ca key from my crypto-config folder generated with cryptogen. I know I probably forgot something or did something the wrong way; a clear step-by-step procedure would be great. I can provide logs if needed

vsadriano (Thu, 15 Mar 2018 12:04:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YGkcQGnbhcFernDyz) @Ammu First try `docker-compose down`. If the error persists, you can try `docker kill $(docker ps -qa) && docker system prune -a` first. There's a container with the same name.

Ammu (Thu, 15 Mar 2018 12:05:03 GMT):
thanks @vsadriano

vsadriano (Thu, 15 Mar 2018 12:05:09 GMT):
:thumbsup:

Ammu (Thu, 15 Mar 2018 12:09:17 GMT):

error2npm.png

Ammu (Thu, 15 Mar 2018 12:09:27 GMT):

error3npm.png

vsadriano (Thu, 15 Mar 2018 12:13:11 GMT):
Did you finish [prereq steps](http://hyperledger-fabric.readthedocs.io/en/release-1.0/prereqs.html)?

vsadriano (Thu, 15 Mar 2018 12:15:07 GMT):
And I don't think that you need to run `npm install` with `sudo`.

naveen_saravanan (Thu, 15 Mar 2018 23:58:16 GMT):
Hi everyone. What is the expiry time set for the jwt tokens in the hyperledger fabric-starter files at the url "https://github.com/olegabu/fabric-starter"? And how do I modify the expiry time of the jwt token in fabric-starter? Could anyone help me with this please?

pichayuthk (Fri, 16 Mar 2018 02:35:08 GMT):
@dsanchezseco Thank you for the answer, I will try other ways

Ammu (Fri, 16 Mar 2018 05:30:02 GMT):

sol.png

Ammu (Fri, 16 Mar 2018 05:40:10 GMT):
help for this issue

yopep (Fri, 16 Mar 2018 05:57:42 GMT):
Has joined the channel.

AshishMishra 1 (Fri, 16 Mar 2018 08:01:47 GMT):
Hi guys.. what's the use of cacount in the CA server? I can launch multiple CA servers using that and they create different databases in mysql, but I can't use those CA servers with the fabric n/w because of different issuers of certificates. One network can have only one CA. What I wanted is that different channels (different users) use different CAs which I spin up using cacount, but that's not working

smithbk (Fri, 16 Mar 2018 11:39:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gbLxE6YKN6XQY2f33) @Ammu Try the fabric-sdk-node channel since it is using the node SDK

smithbk (Fri, 16 Mar 2018 11:43:42 GMT):
@AshishMishra 1 The `--cacount` option is for dev only to be able to spin up multiple CAs easily for test. The `--cafiles` option gives you more control and would be used in a real situation. That said, each CA is supposed to have different issuers. One network can have multiple CAs. Pls clarify what is not working and exactly what you are trying to do and what the failure is.

AshishMishra 1 (Fri, 16 Mar 2018 12:18:00 GMT):
@smithbk the child ca servers were started without any MSP configuration and their issuer was Hyperledger instead of ca.org1.example.com. So maybe --cafiles should solve the problem, mainly the csr section.

Ammu (Fri, 16 Mar 2018 12:23:48 GMT):

eee.png

Ammu (Fri, 16 Mar 2018 12:23:49 GMT):
solve this error

bourbonkidQ (Fri, 16 Mar 2018 13:35:50 GMT):
Hi, do you know if the CA-server can generate the private key with a specific name instead of a random string of characters and numbers?

bourbonkidQ (Fri, 16 Mar 2018 14:34:42 GMT):
in the configuration file, if I put the path of a specific key that I have generated before, the fabric-ca-server does not use this one to generate the certificate, but generates another random key. How can I change that to force the fabric-ca-server to generate the certificate with a custom PK?

Mihai.A (Fri, 16 Mar 2018 14:52:56 GMT):
Has joined the channel.

sillysachin (Fri, 16 Mar 2018 17:51:33 GMT):
Has joined the channel.

huy.tranibm (Fri, 16 Mar 2018 18:14:57 GMT):
Hello, for an EnrollmentRequest, what is the purpose of the .addHost() of the req? also what can go wrong if i dont add a host to the certificate?

skarim (Fri, 16 Mar 2018 18:22:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SXecWLmLXeStiMoEW) @bourbonkidQ You can't generate a certificate by just providing the private key. You can either use the certificate/key generated by the CA or you must provide both the Cert and Key when you start up the CA. Is there any reason you can't use a key generated by the CA? There is currently no way to specify the name of a key

skarim (Fri, 16 Mar 2018 18:27:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qRnHvNoPKjCNapZtm) @huy.tranibm Hosts is usually for TLS certificates; when hostname verification is performed it is against the hosts that were defined in the CSR and are part of the Certificate. If you don't have the current hostnames in the certificate for a server, and the client does hostname verification, you will get a TLS handshake error

skarim (Fri, 16 Mar 2018 18:27:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qRnHvNoPKjCNapZtm) @huy.tranibm Hosts is usually for TLS certificates; when hostname verification is performed it is against the hosts that were defined in the CSR and are part of the Certificate. If you don't have the appropriate hostnames in the certificate for a server, and the client does hostname verification, you will get a TLS handshake error

huy.tranibm (Fri, 16 Mar 2018 18:28:43 GMT):
TY!!!!

huy.tranibm (Fri, 16 Mar 2018 18:28:45 GMT):
makes sense

bourbonkidQ (Fri, 16 Mar 2018 18:29:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KMoJYBCM86ACHWnHe) @skarim _Is there any reason you can't use a key generated by the CA?_ I was looking for a solution which allows me to have a specific name for the private key

vsadriano (Fri, 16 Mar 2018 19:20:42 GMT):
@bourbonkidQ Are you referring to the `*_sk` file?

vsadriano (Fri, 16 Mar 2018 19:29:57 GMT):
For the others you can just alter the `CommonName` directive in crypto-config.yml.

huy.tranibm (Sat, 17 Mar 2018 02:06:25 GMT):
Hello guys, when I revoke the user from the fabric-ca, the fabric-ca revokes the user but I am still able to use the user's Enrollment to query the peers. Is there a proper way to sync the revocation across the network so that the peers/orderers also void the user's certificates?

bourbonkidQ (Sat, 17 Mar 2018 11:22:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=R6ZWK3b6642kkLirh) @vsadriano yes

Levilk (Sat, 17 Mar 2018 18:28:11 GMT):
Has joined the channel.

Levilk (Sat, 17 Mar 2018 18:33:37 GMT):
Hello! I am following the Fabric CA user's Guide: http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#generating-a-crl-certificate-revocation-list. In the Fabric-ca-client section there is a command named fabric-ca-client gencrl. Unfortunately there is no command like this in my fabric-ca-client. Where can I get it?

Levilk (Sat, 17 Mar 2018 18:34:23 GMT):

Fabric-ca-client genclr command

newlife 1 (Sun, 18 Mar 2018 18:28:56 GMT):
```
➜ django-klaus git:(master) go get -u github.com/hyperledger/fabric-ca/cmd/...
# github.com/hyperledger/fabric-ca/vendor/github.com/google/certificate-transparency-go/x509
../../go/src/github.com/hyperledger/fabric-ca/vendor/github.com/google/certificate-transparency-go/x509/root_cgo_darwin.go:210: cannot use nil as type _Ctype_CFDataRef in assignment
../../go/src/github.com/hyperledger/fabric-ca/vendor/github.com/google/certificate-transparency-go/x509/root_cgo_darwin.go:211: cannot use nil as type _Ctype_CFDataRef in assignment
../../go/src/github.com/hyperledger/fabric-ca/vendor/github.com/google/certificate-transparency-go/x509/root_cgo_darwin.go:221: cannot convert nil to type _Ctype_CFDataRef
```

newlife 1 (Sun, 18 Mar 2018 18:33:47 GMT):
when I install fabric-ca using `go get -u github.com/hyperledger/fabric-ca/cmd/...`
```
➜ django-klaus git:(master) go get -u github.com/hyperledger/fabric-ca/cmd/...
# github.com/hyperledger/fabric-ca/vendor/github.com/google/certificate-transparency-go/x509
../../go/src/github.com/hyperledger/fabric-ca/vendor/github.com/google/certificate-transparency-go/x509/root_cgo_darwin.go:210: cannot use nil as type _Ctype_CFDataRef in assignment
../../go/src/github.com/hyperledger/fabric-ca/vendor/github.com/google/certificate-transparency-go/x509/root_cgo_darwin.go:211: cannot use nil as type _Ctype_CFDataRef in assignment
../../go/src/github.com/hyperledger/fabric-ca/vendor/github.com/google/certificate-transparency-go/x509/root_cgo_darwin.go:221: cannot convert nil to type _Ctype_CFDataRef
```
How should I fix this?

newlife 1 (Sun, 18 Mar 2018 18:33:47 GMT):
when I install fabric-ca using `go get -u github.com/hyperledger/fabric-ca/cmd/...`
```
➜ django-klaus git:(master) go get -u github.com/hyperledger/fabric-ca/cmd/...
# github.com/hyperledger/fabric-ca/vendor/github.com/google/certificate-transparency-go/x509
../../go/src/github.com/hyperledger/fabric-ca/vendor/github.com/google/certificate-transparency-go/x509/root_cgo_darwin.go:210: cannot use nil as type _Ctype_CFDataRef in assignment
../../go/src/github.com/hyperledger/fabric-ca/vendor/github.com/google/certificate-transparency-go/x509/root_cgo_darwin.go:211: cannot use nil as type _Ctype_CFDataRef in assignment
../../go/src/github.com/hyperledger/fabric-ca/vendor/github.com/google/certificate-transparency-go/x509/root_cgo_darwin.go:221: cannot convert nil to type _Ctype_CFDataRef
```
How should I fix this?

Unni_1994 (Mon, 19 Mar 2018 07:14:30 GMT):
Has joined the channel.

Hundredwz (Mon, 19 Mar 2018 07:18:59 GMT):
Has joined the channel.

Hundredwz (Mon, 19 Mar 2018 07:21:34 GMT):
When I try to use a user cert file generated by fabric-ca-client, there is always the error ```WARN 001 Failed reading file /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/devin/msp/intermediatecerts/localhost-7054.pem: no pem content for file /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/devin/msp/intermediatecerts/localhost-7054.pem```. Does anyone know why? When I use the default cert file, it works fine. Can anyone help me?

bh4rtp (Mon, 19 Mar 2018 07:32:53 GMT):
hi, when I start the latest fabric-ca from the master branch, it exits with an error: `libltdl.so.7` is not installed. Does anyone face it too?

Hundredwz (Mon, 19 Mar 2018 07:40:03 GMT):
@bh4rtp have you executed this command? `sudo apt install libtool libltdl-dev` (debian series)

Hundredwz (Mon, 19 Mar 2018 07:40:59 GMT):
@bh4rtp have you executed this command? `sudo apt install libtool libltdl-dev` You may need to install this library

bh4rtp (Mon, 19 Mar 2018 07:42:01 GMT):
@Hundredwz thanks.

Hundredwz (Mon, 19 Mar 2018 07:44:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=47TqR2X7u9aqN8sKc) @bh4rtp my pleasure. But I think fabric-ca is really a hard module in the whole fabric program

bh4rtp (Mon, 19 Mar 2018 07:46:12 GMT):
@Hundredwz I built the latest fabric just now. The error occurred for the first time. I don't know why; maybe some packages were not installed successfully.

bh4rtp (Mon, 19 Mar 2018 07:49:00 GMT):
@Hundredwz I remember `FABRIC_CA_DYNAMIC_LINK` is not consumed when building `fabric-ca`. Is there any exception here?

bh4rtp (Mon, 19 Mar 2018 07:49:00 GMT):
@Hundredwz I remember `FABRIC_CA_DYNAMIC_LINK is not consumed` is printed when building `fabric-ca`. Is there any exception here?

Hundredwz (Mon, 19 Mar 2018 07:52:41 GMT):
@bh4rtp sorry, I haven't tried to build fabric-ca. I just use the go get cmd:joy:

Unni_1994 (Mon, 19 Mar 2018 10:10:52 GMT):
Hello, Can a peer join multiple channels in hyperledger fabric?

dsanchezseco (Mon, 19 Mar 2018 11:23:35 GMT):
@Unni_1994 yes

smithbk (Mon, 19 Mar 2018 11:57:35 GMT):
@Hundredwz Regarding the error `localhost-7054.pem: no pem content for file`, can you paste the contents of that file?

smithbk (Mon, 19 Mar 2018 11:59:38 GMT):
@newlife 1 Regarding the error that you get when you install via `go get -u github.com/hyperledger/fabric-ca/cmd/...`, what OS are you on? I am able to install from my mac.

smithbk (Mon, 19 Mar 2018 11:59:38 GMT):
@newlife 1 Regarding the error that you get when you install via `go get -u github.com/hyperledger/fabric-ca/cmd/...`, what OS are you on? I am able to install from my mac.

smithbk (Mon, 19 Mar 2018 11:59:38 GMT):
@newlife 1 Regarding the error that you get when you install via `go get`, what OS are you on? I am able to install from my mac.

smithbk (Mon, 19 Mar 2018 12:05:42 GMT):
@Levilk The gencrl option was added in v1.1.0-alpha. It looks like you are using v1.0.x of fabric-ca-client

smithbk (Mon, 19 Mar 2018 12:11:54 GMT):
@huy.tranibm The CRL must be pushed into the MSP in fabric via a config update transaction. See an example of this at lines 92 - 99 beginning at https://github.com/hyperledger/fabric-samples/blob/release-1.1/fabric-ca/scripts/run-fabric.sh#L92.

smithbk (Mon, 19 Mar 2018 12:23:05 GMT):
@bourbonkidQ As @skarim said, you can use your own private key and certificate, but you must specify both by specifying both the `--ca.keyfile` and `--ca.certfile` options. You can also generate a CA certificate with any name that you want by filling in the names section of the csr section of the fabric-ca-server-config.yaml file as shown below:
```yaml
csr:
  cn: fabric-ca-server
  names:
    - C: US
      ST: "North Carolina"
      L:
      O: Hyperledger
      OU: Fabric
  hosts:
    - Keiths-MBP.nc.rr.com
    - localhost
  ca:
    expiry: 131400h
    pathlength: 1
```

smithbk (Mon, 19 Mar 2018 12:24:16 GMT):
Or the "cn" field which is the common name

bourbonkidQ (Mon, 19 Mar 2018 14:37:27 GMT):
Hello, I have a question: when I look in detail at the certificate provided by my CA-root to my CA-intermediate, I note that the "Subject:" is not that of the CA-intermediate but that of the CA-root. What did I miss?

bourbonkidQ (Mon, 19 Mar 2018 14:38:02 GMT):
```
openssl x509 -text -in ica-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            10:55:68:23:12:08:3f:55:24:3e:95:13:db:8d:6c:04:20:9d:a1:50
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=FR, ST=Paris, O=company, OU=division, CN=rca.division.company.com
        Validity
            Not Before: Mar 19 13:43:00 2018 GMT
            Not After : Mar 15 13:43:00 2033 GMT
        Subject: C=FR, ST=Paris, O=company, OU=division, CN=rca.division.company.com
```

bourbonkidQ (Mon, 19 Mar 2018 14:38:02 GMT):
```
openssl x509 -text -in ica-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            10:55:68:23:12:08:3f:55:24:3e:95:13:db:8d:6c:04:20:9d:a1:50
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=EN, ST=City, O=company, OU=division, CN=rca.division.company.com
        Validity
            Not Before: Mar 19 13:43:00 2018 GMT
            Not After : Mar 15 13:43:00 2033 GMT
        Subject: C=EN, ST=City, O=company, OU=division, CN=rca.division.company.com
```

aambati (Mon, 19 Mar 2018 14:51:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Z8ey8p6DEkiZuPZ2C) @bourbonkidQ that looks like a self-signed root cert... what value did u use for the -u argument when starting the intermediate server?

bourbonkidQ (Mon, 19 Mar 2018 14:53:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NoiRx9tSJ9DcHxmZj) @aambati -u https://rca.division.company.com-admin:rca.divison.company.com-adminpw@rca.divison.company.com:7054 . The rca.division.company.com-admin is the bootstrap admin that I use to start the root-ca

aambati (Mon, 19 Mar 2018 14:56:28 GMT):
and you are using 1.1?

bourbonkidQ (Mon, 19 Mar 2018 14:57:02 GMT):
1.1.0-preview

aambati (Mon, 19 Mar 2018 14:59:57 GMT):
ok...I got this for the intermediate ca server cert:
```
        Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=fabric-ca-server
        Validity
            Not Before: Mar 19 14:54:00 2018 GMT
            Not After : Mar 18 14:59:00 2023 GMT
        Subject: C=US, ST=North Carolina, O=Hyperledger, OU=client, CN=rca.division.company.com-admin
```

aambati (Mon, 19 Mar 2018 15:00:53 GMT):
do u have multiple levels of CAs? like this: root CA -> intermediate CA1 -> intermediate CA2

bourbonkidQ (Mon, 19 Mar 2018 15:04:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=irpPwBFhn7tvvtMLD) @aambati I use only 1 root CA and 2 intermediate CAs. Both Intermediate CAs must register with the Root CA. My intermediate CAs only need to provide end-user certs.

bourbonkidQ (Mon, 19 Mar 2018 15:05:48 GMT):
So RCA -> ICA -> peer/orderer

aambati (Mon, 19 Mar 2018 15:05:59 GMT):
ok...then that does not explain why an intermediate CA's cert looks like a self-signed root CA cert

aambati (Mon, 19 Mar 2018 15:08:23 GMT):
can u pls paste the csr section of the server config file

bourbonkidQ (Mon, 19 Mar 2018 15:30:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=y4o5Cz9FwBzRPFSpx) @aambati I have tested with the stable version 1.1.0. But the problem is still the same: the CN of the subject is the root CA.
```
openssl x509 -text -in ica-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            11:40:35:e0:2d:38:3d:31:85:cc:13:a1:dc:83:f4:20:f4:6b:0d:76
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=EN, ST=City, O=division, OU=company, CN=rca.company.division.com
        Validity
            Not Before: Mar 19 15:19:00 2018 GMT
            Not After : Mar 18 15:24:00 2023 GMT
        Subject: C=EN, ST=City, O=division, OU=client, OU=company, OU=division, CN=rca.company.division.com-admin
```

aambati (Mon, 19 Mar 2018 15:31:54 GMT):
CN is different in this case

aambati (Mon, 19 Mar 2018 15:32:10 GMT):
`rca.company.division.com` vs `rca.company.division.com-admin`

bourbonkidQ (Mon, 19 Mar 2018 15:32:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gxoDkbNddcGmDoz2a) @aambati for the ICA:
```yaml
csr:
  cn:
  names:
    - C: EN
      ST: City
      L:
      O: division
      OU: company
  hosts:
    - localhost
    - ica.division.company.com
  ca:
    expiry: 131400h
    pathlength: 0
```

aambati (Mon, 19 Mar 2018 15:32:45 GMT):
and other distinguished names as well

bourbonkidQ (Mon, 19 Mar 2018 15:34:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aNyvQFGeSoozdnZXC) @aambati Yes, but why is this not the CN of the container where the ICA runs, or the name of the bootstrap admin of the ICA?

aambati (Mon, 19 Mar 2018 15:36:04 GMT):
CN of the intermediate CA cert is always set to the userid that is used to enroll the intermediate CA server with Root CA server (to get CA cert for intermediate server)

bourbonkidQ (Mon, 19 Mar 2018 15:37:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZBYdkKhpPzfw627Qh) @aambati ok thanks

bh4rtp (Tue, 20 Mar 2018 03:37:33 GMT):
hi, in the `fabric-ca` Makefile, to build the docker images, it uses `--build-arg FABRIC_CA_DYNAMIC_LINK=$(FABRIC_CA_DYNAMIC_LINK)`. Do the docker build args read the env variable value of FABRIC_CA_DYNAMIC_LINK? But the Dockerfile.in defines `ARG FABRIC_CA_DYNAMIC_LINK=false`. So must I run make as `export FABRIC_CA_DYNAMIC_LINK=false && make all`?

bh4rtp (Tue, 20 Mar 2018 03:40:29 GMT):
I noticed the actual make command prints as `docker build -t hyperledger/fabric-ca-peer --build-arg FABRIC_CA_DYNAMIC_LINK= build/image/fabric-ca-peer`. The value of FABRIC_CA_DYNAMIC_LINK is null.

Hundredwz (Tue, 20 Mar 2018 07:07:29 GMT):
@smithbk that file is an empty file. Is it right for it to be an empty file?

smithbk (Tue, 20 Mar 2018 12:10:34 GMT):
@Hundredwz No, it should not be empty. I have no idea how an empty file could have been created. If you can reproduce the steps which led to this, pls let us know ... better yet, open a jira item with details. Thanks

smithbk (Tue, 20 Mar 2018 12:23:35 GMT):
@bh4rtp hmm ... what version are you using? When I do this with master, I see `docker build -t hyperledger/fabric-ca --build-arg FABRIC_CA_DYNAMIC_LINK=false build/image/fabric-ca`

Unni_1994 (Tue, 20 Mar 2018 12:24:25 GMT):
Hi all, while I am running the "fabric-ca-client" command, the identity command is missing?

aambati (Tue, 20 Mar 2018 13:11:47 GMT):
@Unni_1994 identity command was added in 1.1, make sure you are using 1.1 code...`fabric-ca-client version` displays version info

aambati (Tue, 20 Mar 2018 13:11:47 GMT):
@Unni_1994 identity command was added in 1.1, make sure you are using 1.1 code... `fabric-ca-client version` displays version info

Unni_1994 (Tue, 20 Mar 2018 13:56:22 GMT):
Thanks @aambati

Unni_1994 (Tue, 20 Mar 2018 13:57:05 GMT):
I tried `fabric-ca-client version` but I am getting this: Error: unknown command "version" for "fabric-ca-client"

Unni_1994 (Tue, 20 Mar 2018 13:57:41 GMT):
Is there any other way to check the fabric-ca-client version?

aambati (Tue, 20 Mar 2018 14:05:01 GMT):
so, you must be using an old version... I suggest getting the 1.1 code (build it locally) or getting the 1.1 container from docker hub

guillermo.correa (Tue, 20 Mar 2018 14:33:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=c9haeKFhJX3zjFneN) @massiveashok2014 this error occurs when it is not possible to get the version of golang on your system and it is set to "". Maybe you are using an old golang version. In my case, I fixed the version.go file in my local repository in order to get the right version of golang.

ahmedsajid (Tue, 20 Mar 2018 16:04:20 GMT):
@Unni_1994 if you are building fabric-ca-client yourself, you need to do the following: ``` go build -o /usr/local/bin/fabric-ca-client -ldflags "-X github.com/hyperledger/fabric-ca/lib/metadata.Version=1.1.0" ```

ahmedsajid (Tue, 20 Mar 2018 16:04:20 GMT):
@Unni_1994 if you are building fabric-ca-client yourself (i.e., not using make command), you need to do the following: ``` go build -o /usr/local/bin/fabric-ca-client -ldflags "-X github.com/hyperledger/fabric-ca/lib/metadata.Version=1.1.0" ```

ahmedsajid (Tue, 20 Mar 2018 16:04:20 GMT):
@Unni_1994 if you are building fabric-ca-client yourself (i.e., not using make fabric-ca-client), you need to do the following: ``` go build -o /usr/local/bin/fabric-ca-client -ldflags "-X github.com/hyperledger/fabric-ca/lib/metadata.Version=1.1.0" ```

smithbk (Tue, 20 Mar 2018 17:53:00 GMT):
@Unni_1994 You must be using a v1.0.x version of fabric-ca-client as identity commands are in v1.1*

dpk2877 (Tue, 20 Mar 2018 18:51:31 GMT):
Has joined the channel.

dpk2877 (Tue, 20 Mar 2018 18:52:25 GMT):
Hi everyone

dpk2877 (Tue, 20 Mar 2018 18:52:34 GMT):
I need a small help

dpk2877 (Tue, 20 Mar 2018 18:55:02 GMT):
Can anyone tell me how I can store my keys in a database instead of file storage? I am using the fabric-CA-client sdk for generating user certificates but it stores them in file-based storage and I want to store them in a database

wjzheng (Tue, 20 Mar 2018 19:04:44 GMT):
Has joined the channel.

ShikarSharma (Tue, 20 Mar 2018 22:37:07 GMT):
Has joined the channel.

bh4rtp (Wed, 21 Mar 2018 00:30:01 GMT):
@smithbk i am using the latest master version.

Hundredwz (Wed, 21 Mar 2018 01:47:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8uXWihJYB95B6Snq9) @smithbk sorry, but I don't have a jira account yet. I am following this article: ```https://www.cnblogs.com/studyzy/p/7482451.html```

tiennv (Wed, 21 Mar 2018 02:47:54 GMT):
Hi there,

tiennv (Wed, 21 Mar 2018 02:48:27 GMT):
When I build docker for fabric-ca, I get this error

tiennv (Wed, 21 Mar 2018 02:48:28 GMT):
Building build/docker/bin/fabric-ca-client docker: invalid reference format. See 'docker run --help'. Makefile:127: recipe for target 'build/docker/bin/fabric-ca-client' failed make: *** [build/docker/bin/fabric-ca-client] Error 125

tiennv (Wed, 21 Mar 2018 02:48:51 GMT):
Could you please help me on this problem?

pankajcheema (Wed, 21 Mar 2018 04:19:21 GMT):
kafka

hamza113 (Wed, 21 Mar 2018 05:29:52 GMT):
Has joined the channel.

RockBalbao (Wed, 21 Mar 2018 07:52:09 GMT):
Has joined the channel.

naveen_saravanan (Wed, 21 Mar 2018 10:47:16 GMT):
how do I edit the "body parser limit" of the fabric-rest image used in the fabric-starter-master (https://github.com/olegabu/fabric-starter)?

naveen_saravanan (Wed, 21 Mar 2018 10:47:16 GMT):
how do I edit the "body parser limit" of the fabric-rest image (https://github.com/Altoros/fabric-rest) used in the fabric-starter-master (https://github.com/olegabu/fabric-starter)?

smithbk (Wed, 21 Mar 2018 11:04:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sr5CFtoc5mxnKRcZG) @dpk2877 It supports storing in file-based and HSM only in the same way that the peer and orderers do. Can I ask why you want to store private keys in a database?

smithbk (Wed, 21 Mar 2018 11:20:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AbJnP5gbfo9o7r8bw) @bh4rtp It must have to do with your OS or make version. What OS, OS version, and make version are you using? I'm on macOS High Sierra 10.13.3 with GNU Make 3.81. You could try `make -d` but not sure if that is going to tell you anything

canerbuga (Wed, 21 Mar 2018 11:24:39 GMT):
Has joined the channel.

smithbk (Wed, 21 Mar 2018 11:28:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EiX5XnhAmEJuLS3yi) @Hundredwz I'm afraid we would need an English version of this in order to try to reproduce. Do you have one? Also, we would need to know at which step you are encountering the error with the empty file. It is very easy to get set up for jira. Just go to https://jira.hyperledger.org and follow the instructions on the bottom right to get a Linux Foundation ID and use that to login to jira at https://jira.hyperledger.org

smithbk (Wed, 21 Mar 2018 11:34:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BxWjm4eBLb6wSiwv6) @naveen_saravanan I'd suggest either contacting one of the 3 contributors to https://github.com/Altoros/fabric-rest directly or opening an issue there to ask this question. This is not the correct place.

smithbk (Wed, 21 Mar 2018 11:41:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6THwor3PMnbqDEg5B) @tiennv Pls try `make clean` first

vikramjit (Wed, 21 Mar 2018 12:08:56 GMT):
Has joined the channel.

FORFIRM (Wed, 21 Mar 2018 14:24:44 GMT):
Has joined the channel.

benitojcv (Wed, 21 Mar 2018 15:06:39 GMT):
Has joined the channel.

benitojcv (Wed, 21 Mar 2018 15:13:49 GMT):
Hi everyone! I have a conceptual doubt. I have done several proofs of concept with fabric using Fabric-CA default server. It's great! My question is: "how can I associate with an identity a certificate issued by a third-party CA (for example Verisign)?". That is, I do not want to generate the certificate, but I already have it and I want to incorporate it to, for example, validate messages signed by the user of the certificate. Thanks in advance!

dsanchezseco (Wed, 21 Mar 2018 15:17:03 GMT):
is there any plan on having a function in fabric-ca-client that, like getcacert, returns the admincert? [useful to create a channel without having to pass the certs manually](https://chat.hyperledger.org/channel/fabric-orderer?msg=xiDmTnBNnYiMtNf3v)

IgorSim (Wed, 21 Mar 2018 15:18:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rAYPYxNobNnyEeKtp) @benitojcv I believe there was an article regarding this (i believe at IBM site) but link was broken... I guess Fabric-CA in that example will behave as intermediate CA and third-party CA is the root CA..but i'm not sure about this, any help will be appreciated

benitojcv (Wed, 21 Mar 2018 15:25:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dfbLcPbAZonfAbjJj) @IgorSim Thanks! I think that I have to put the root certificate of the third-party CA in the "cacerts" directory. I understand that part, but after that I need to store the final user certificate (my personal certificate) in the CA repository and bind it with my identity. I haven't seen any api for pushing an existing certificate :(

aambati (Wed, 21 Mar 2018 15:28:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GXwkRcFNnYjXu9Fbh) @dsanchezseco Plan is to add `fabric-ca-client certificates` command in 1.2 to get certificate of a user provided the user invoking this is authorized

aambati (Wed, 21 Mar 2018 15:28:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GXwkRcFNnYjXu9Fbh) @dsanchezseco Plan is to add `fabric-ca-client certificates` command in 1.2 to get certificate of a particular user or users provided the user invoking is authorized

aambati (Wed, 21 Mar 2018 15:30:52 GMT):
https://jira.hyperledger.org/browse/FAB-7238 is the JIRA

dsanchezseco (Wed, 21 Mar 2018 15:31:29 GMT):
@aambati cool but that is intended for users of the same organization right? I was thinking of retrieving the admincert from another org (the orderer's & channel creator's)

aambati (Wed, 21 Mar 2018 15:32:41 GMT):
yeah, same org

aambati (Wed, 21 Mar 2018 15:33:16 GMT):
why do u need admincert of another org?

dsanchezseco (Wed, 21 Mar 2018 15:34:08 GMT):
they are needed to generate the genesis.block and the channel.tx of a channel by configtxgen

aambati (Wed, 21 Mar 2018 15:37:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=afXWePb47foSmxkEo) @benitojcv once you bootstrap the Fabric CA server using third party CA issued root cert, then u can use the CA to issue certs for users...if the user already has a certificate then you do not really need Fabric CA

aambati (Wed, 21 Mar 2018 15:40:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JxKLcAJ7x9s9RruXj) @dsanchezseco ok...The orderer admin would create the genesis block after he receives msp material (cacerts, intcacerts, tlscacerts, tlsintcacerts, admincerts...no private keys) from participating orgs (out of band)

dsanchezseco (Wed, 21 Mar 2018 15:43:50 GMT):
@aambati then the orderer admin would have to send out of band the channel.tx to one of the peers to perform the `peer channel create` :thinking:, because the admincerts are also needed to generate it

dsanchezseco (Wed, 21 Mar 2018 15:43:50 GMT):
@aambati then the orderer admin would have to send out of band the channel.tx to one of the peers to perform the `peer channel create`(or the sdk equivalent) :thinking:, because the admincerts are also needed to generate it

dsanchezseco (Wed, 21 Mar 2018 15:45:15 GMT):
i was trying to avoid the out-of-band exchanges

bh4rtp (Wed, 21 Mar 2018 17:18:14 GMT):
@smithbk i am using ubuntu 17.10. make 4.1 is used.

smithbk (Wed, 21 Mar 2018 18:00:27 GMT):
```
a) 1st generate a default config file as follows. This will return an error but still creates the default config file.

# fabric-ca-client gencsr
2018/03/09 15:47:32 [INFO] Created a default configuration file at /Users/keith/.fabric-ca-client/fabric-ca-client-config.yaml
Error: CSR common name not specified; use '--csr.cn' flag

b) Edit $HOME/.fabric-ca-client/fabric-ca-client-config.yaml, find the csr section and fill in the values as follows. Since you're setting the cn (common name) to the hostname, the "hosts" section isn't required, but I think it is still good. It will add the SAN (Subject Alternative Name) DNS entry with the hostname to the csr.

csr:
  cn: uat.natixis.we-trade.com
  serialnumber:
  names:
    - C: FR
      ST: Paris
      L: Paris
      O: we-trade
      OU: UAT-Natixis SA-Bank
  hosts:
    - uat.natixis.we-trade.com

c) Also fill in the bccsp section of the fabric-ca-client-config.yaml file as described at http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#configuring-fabric-ca-server-to-use-softhsm2 with values appropriate for your HSM. The server and client config are the same for HSM.

d) Run the same gencsr command again and note the path where the CSR file is stored.

# fabric-ca-client gencsr
2018/03/09 16:00:02 [INFO] generating key: &{A:ecdsa S:256}
2018/03/09 16:00:02 [INFO] encoded CSR
2018/03/09 16:00:02 [INFO] Stored CSR at /Users/keith/.fabric-ca-client/msp/signcerts/uat.natixis.we-trade.com.csr

NOTE: You can use "fabric-ca-client gencsr -H" both times if you want it to use a specific directory other than "$HOME/.fabric-ca-client". Once you have received the issued certificate in PEM format, store it at msp/signcerts/uat.natixis.we-trade.com.crt and store the issuer's CA certs in the msp/cacerts and msp/intermediatecerts folders.
```

aambati (Wed, 21 Mar 2018 18:31:17 GMT):
@bh4rtp so, when you issue `make docker`, you will see `docker build -t hyperledger/fabric-ca --build-arg FABRIC_CA_DYNAMIC_LINK= build/image/fabric-ca` because FABRIC_CA_DYNAMIC_LINK env variable is not set but Dockerfile.in defaults it to false with `ARG FABRIC_CA_DYNAMIC_LINK=false` statement

aambati (Wed, 21 Mar 2018 18:34:20 GMT):
if you call `FABRIC_CA_DYNAMIC_LINK=true make docker` then you will see `docker build -t hyperledger/fabric-ca --build-arg FABRIC_CA_DYNAMIC_LINK=true build/image/fabric-ca`

bh4rtp (Thu, 22 Mar 2018 00:27:45 GMT):
@aambati yes. i do think so. the env variable should be set when make fabric-ca. thanks.

Ryan2 (Thu, 22 Mar 2018 02:36:09 GMT):
Hi, I enroll Admin client " fabric-ca-client enroll -u http:admin:adminpw@localhost:7054" but got the issue "Error: Error response from server was: Authorization failure" , please help

bh4rtp (Thu, 22 Mar 2018 02:44:24 GMT):
@aambati why do the dockerfile.in files in the images folder set `ARG FABRIC_CA_DYNAMIC_LINK=false`? this will mask the value set by `FABRIC_CA_DYNAMIC_LINK=true`.

bh4rtp (Thu, 22 Mar 2018 02:44:24 GMT):
@aambati why do the `Dockerfile.in` files in the `images` folder set `ARG FABRIC_CA_DYNAMIC_LINK=false`? this will mask the value set by `FABRIC_CA_DYNAMIC_LINK=true`, as can be seen from https://github.com/hyperledger/fabric-ca/search?utf8=%E2%9C%93&q=FABRIC_CA_DYNAMIC_LINK&type=

aambati (Thu, 22 Mar 2018 02:44:52 GMT):
that is the default value

aambati (Thu, 22 Mar 2018 02:44:52 GMT):
that is the default value, i don't think it will mask

bh4rtp (Thu, 22 Mar 2018 02:48:02 GMT):
@aambati got it. thanks.

kelvinzhong (Thu, 22 Mar 2018 03:23:44 GMT):
@aambati @smithbk hi, the Admin user needs the attribute "hf.Registrar.Roles=user" so it can register a new user. In the java sdk I saw that the new user's attributes can be set during register, but I couldn't find where to query what attributes a user has. Is the attribute info only kept by the CA and unknown to others?

aambati (Thu, 22 Mar 2018 03:28:57 GMT):
@kelvinzhong a registrar can call `fabric-ca-client identity` command (https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#getting-identity-information) to get information of an identity that is in the same affiliation and an identity can get his/her own info as well

aambati (Thu, 22 Mar 2018 03:30:44 GMT):
it will also check if the requested identity's type is one of the types specified in the registrar's hf.Registrar.Roles attribute

kelvinzhong (Thu, 22 Mar 2018 03:31:06 GMT):
seems this attribute info isn't included in the cert, so it should only be kept in the ca? and the java sdk doesn't support this feature

danfeng (Thu, 22 Mar 2018 03:31:13 GMT):
Has joined the channel.

aambati (Thu, 22 Mar 2018 03:32:49 GMT):
you mean hf.Registrar.Roles attribute is not in the cert?

kelvinzhong (Thu, 22 Mar 2018 03:33:44 GMT):
no, i could not find the hf.Registrar.Roles attribute in the cert

kelvinzhong (Thu, 22 Mar 2018 03:34:33 GMT):
is it that I'm looking at the wrong cert?

kelvinzhong (Thu, 22 Mar 2018 03:35:50 GMT):

20180322113503.png

aambati (Thu, 22 Mar 2018 03:38:00 GMT):
only attributes that were registered with :ecert are added to certificate...or you can also request attributes to be added to the certificate when enrolling..pls read https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#attribute-based-access-control

aambati (Thu, 22 Mar 2018 03:38:00 GMT):
only attributes that were registered with :ecert are added to certificate by default...or you can also request attributes to be added to the certificate when enrolling..pls read https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#attribute-based-access-control

kelvinzhong (Thu, 22 Mar 2018 03:40:24 GMT):
but it says that only with the attribute hf.Registrar.Roles=user can it register a new user. but the cert of the admin doesn't contain this attribute and can still register a new user

kelvinzhong (Thu, 22 Mar 2018 03:40:48 GMT):
i thought this attribute info is kept in ca

kelvinzhong (Thu, 22 Mar 2018 03:43:08 GMT):
i will go through the docs first, thanks for your reply

suntoe (Thu, 22 Mar 2018 03:49:47 GMT):
Has joined the channel.

aambati (Thu, 22 Mar 2018 04:16:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8BG5m92HCyCPFGBR5) @kelvinzhong yes, Fabric CA server keeps record of all registered users and their attributes.

labcoinpoc (Thu, 22 Mar 2018 04:17:21 GMT):
Has joined the channel.

kelvinzhong (Thu, 22 Mar 2018 04:26:07 GMT):
@aambati so is it possible that the cert doesn't contain the attribute but the ca records the attribute info? and is that why the admin user in the java sdk, whose cert doesn't contain the attribute "hf.Registrar.Roles=user", can also register a new user?

naveen_saravanan (Thu, 22 Mar 2018 07:37:08 GMT):
@smithbk Thank you for your reply. I will try it.

IgorSim (Thu, 22 Mar 2018 07:41:30 GMT):
In the 'fabric-samples/fabric-ca' examples the MSPs for the peer and admin identity are created on the 'peer' machine. The 'admincerts' folder of the peer contains the admin certificate. All crypto material is shared in the /data folder. I want to try a different approach.... If the 'run' container enrolls with the admin identity (to create the MSP for the admin identity on the 'run' container), I will get a cert which is different than the cert in the 'admincerts' folder of the peer. Can I use this 'admin' identity for example to join the peer to a channel? Or will the peer not be able to verify the 'admin' identity?

benitojcv (Thu, 22 Mar 2018 08:03:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=b9uSZgHyPr2d6k6LX) @aambati Thanks for your response. I understand... but if I already have a certificate from a trusted third party, how do I bind that certificate to the hyperledger fabric identity of a user?

krishna108 (Thu, 22 Mar 2018 09:10:18 GMT):
Has joined the channel.

nicolapaoli (Thu, 22 Mar 2018 11:30:09 GMT):
Has joined the channel.

dsanchezseco (Thu, 22 Mar 2018 12:16:05 GMT):
Which are the different `hf.Type` possible values?

dsanchezseco (Thu, 22 Mar 2018 12:16:05 GMT):
Which are the different `--id.type` possible values?

dsanchezseco (Thu, 22 Mar 2018 12:28:04 GMT):
Which one is the correct one to enroll an org admin?

bzeyben (Thu, 22 Mar 2018 13:39:04 GMT):
Has joined the channel.

aambati (Thu, 22 Mar 2018 13:44:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ndAXdB47vng64foZJ) @kelvinzhong yes

aambati (Thu, 22 Mar 2018 13:44:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ndAXdB47vng64foZJ) @kelvinzhong yes and yes

aambati (Thu, 22 Mar 2018 13:47:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PNWCjNj3oQw9bxss9) @dsanchezseco user, client, peer, orderer...user would be appropriate for an admin

aambati (Thu, 22 Mar 2018 13:47:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PNWCjNj3oQw9bxss9) @dsanchezseco user, client, peer, orderer...user would be appropriate for an admin...pls look at the hf.Registrar.Roles attribute in the server config template: https://hyperledger-fabric-ca.readthedocs.io/en/latest/serverconfig.html ...since this is configurable, you can add your own types...if a registrar's hf.Registrar.Roles is set to "peer,orderer,client,user,application", then that registrar is allowed to register an identity of type "application"

aambati (Thu, 22 Mar 2018 13:49:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tLbcKT93Gi7erZwmh) @benitojcv The user should be given the certificate and associated key (which would reside in the user's wallet), and the user would use these credentials to submit transactions.

aambati (Thu, 22 Mar 2018 13:49:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tLbcKT93Gi7erZwmh) @benitojcv The user should be given the certificate and associated key (which would reside in the user's wallet), and the user would use these credentials to submit transactions. Since the user certificate was issued by the CA whose root certificate is in the MSP, a transaction submitted by the user will be allowed

aambati (Thu, 22 Mar 2018 13:49:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tLbcKT93Gi7erZwmh) @benitojcv The user should be given the certificate and associated key (which would reside in the user's wallet), and the user would use these credentials to submit transactions. Since the user certificate was issued by the CA whose root certificate is in the MSP, a transaction submitted by the user will be allowed by the peer

aambati (Thu, 22 Mar 2018 13:49:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tLbcKT93Gi7erZwmh) @benitojcv The user should be given the certificate and associated key (which would reside in the user's wallet), then the user would use these credentials to submit transactions. Since the user certificate was issued by the CA whose root certificate is in the MSP, a transaction submitted by the user will be allowed by the peer

aambati (Thu, 22 Mar 2018 13:49:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tLbcKT93Gi7erZwmh) @benitojcv The user should be given the certificate and associated key (which would reside in the user's wallet), then the user would use these credentials to submit transactions. Since the user certificate was issued by the third party CA whose root certificate is in the MSP, a transaction submitted by the user will be allowed by the peer

aambati (Thu, 22 Mar 2018 13:59:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SuYcoZ3XLSrFRGfSJ) @IgorSim The admin identity should be in the org MSP in the channel configuration, in order for it to be able to join a peer to a channel

dsanchezseco (Thu, 22 Mar 2018 14:04:35 GMT):
@aambati Ok, then my problem with the install must be a different one. I'm getting that the identity is not an admin. I'm registering the identities with the CA :thinking:

IgorSim (Thu, 22 Mar 2018 14:05:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=c7HPvg7Ftoiftx9zM) @aambati That's right, the admin identity is part of the org MSP in the channel configuration, but is it the same identity if I'm trying to enroll with admin for a second time? After enrolling a second (or third, fourth etc) time, the CA always sends back different certs. Is this cert somehow (cryptographically) related to the cert sent back from the CA when admin was enrolled for the first time and which is part of the org MSP (and in the channel configuration)?

aambati (Thu, 22 Mar 2018 14:19:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=euSJG6CZbKge4bmbk) @IgorSim every time you enroll or reenroll, you get new key pair..they are not related to old key pair...you would need to update the channel configuration with new certificate

massiveashok2014 (Thu, 22 Mar 2018 14:56:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AFTRZkpn2gToownP2) @guillermo.correa - but I set my GOROOT and GOPATH correctly I believe.

massiveashok2014 (Thu, 22 Mar 2018 14:56:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AFTRZkpn2gToownP2) @guillermo.correa - but I set my GOROOT and GOPATH correctly I believe. pwd /root/go

massiveashok2014 (Thu, 22 Mar 2018 14:56:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AFTRZkpn2gToownP2) @guillermo.correa - but I set my GOROOT and GOPATH correctly I believe.
```
>> pwd
/root/go
>> echo $GOROOT
/root/go
>> echo $GOPATH
/root/go/GO_PROJECTS
>> which go
/root/go/bin/go
```

aambati (Thu, 22 Mar 2018 15:21:19 GMT):
@massiveashok2014 the error "Version is not set for fabric-ca library" has nothing to do with the golang version...it is the fabric-ca error message...this happens if fabric-ca-server is built without `-ldflags github.com/hyperledger/fabric-ca/lib/metadata.Version=`

massiveashok2014 (Thu, 22 Mar 2018 15:22:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tyEzm7vHRzuZtSfhj) @aambati - Any fix for this?

aambati (Thu, 22 Mar 2018 15:25:16 GMT):
this should not happen, if you build the binaries with `make fabric-ca-server` ....how did u build the binary?

massiveashok2014 (Thu, 22 Mar 2018 15:27:28 GMT):
Did the same way

aambati (Thu, 22 Mar 2018 15:30:26 GMT):
hmm...and you are working with 1.1 code? if so, do `make clean; make fabric-ca-server`

massiveashok2014 (Thu, 22 Mar 2018 15:32:41 GMT):
```
/go/GO_PROJECTS/src/github.com/hyperledger/fabric-ca# make fabric-ca-server
make: *** No rule to make target 'fabric-ca-server'.  Stop.
```

massiveashok2014 (Thu, 22 Mar 2018 15:32:53 GMT):
when I tried the same, it's giving the below message

massiveashok2014 (Thu, 22 Mar 2018 15:33:00 GMT):
I believe it's already done?

aambati (Thu, 22 Mar 2018 15:51:43 GMT):
no, make does not recognize fabric-ca-server as a target for some reason...weird

aambati (Thu, 22 Mar 2018 15:55:47 GMT):
do you see this line in the Makefile: `fabric-ca-server: bin/fabric-ca-server`

massiveashok2014 (Thu, 22 Mar 2018 15:57:17 GMT):
Anil i did remove fabric-ca from /go/GO_PROJECTS/src/github.com/hyperledger path

massiveashok2014 (Thu, 22 Mar 2018 15:57:25 GMT):
and tried to clone it again

massiveashok2014 (Thu, 22 Mar 2018 15:57:39 GMT):
just to try with fresh mind

massiveashok2014 (Thu, 22 Mar 2018 15:59:21 GMT):
```
~/go/GO_PROJECTS/src/github.com/hyperledger# rm -rf fabric-ca
~/go/GO_PROJECTS/src/github.com/hyperledger# ls
~/go/GO_PROJECTS/src/github.com/hyperledger# git clone https://gerrit.hyperledger.org/r/fabric-ca.
Cloning into 'fabric-ca.'...
fatal: remote error: Git repository not found
```

massiveashok2014 (Thu, 22 Mar 2018 16:01:25 GMT):
Its moving

aambati (Thu, 22 Mar 2018 16:03:29 GMT):
you can also try: `git clone https://github.com/hyperledger/fabric-ca.git`

massiveashok2014 (Thu, 22 Mar 2018 16:04:06 GMT):
yes anil i have those stmts - `fabric-ca-client: bin/fabric-ca-client` and `fabric-ca-server: bin/fabric-ca-server`

massiveashok2014 (Thu, 22 Mar 2018 16:04:45 GMT):
present in Makefile

massiveashok2014 (Thu, 22 Mar 2018 16:05:12 GMT):
under /go/GO_PROJECTS/src/github.com/hyperledger/fabric-ca/Makefile

aambati (Thu, 22 Mar 2018 16:08:34 GMT):
what operating system are you using?

massiveashok2014 (Thu, 22 Mar 2018 16:11:12 GMT):
Unix

massiveashok2014 (Thu, 22 Mar 2018 16:11:31 GMT):
when I do `make fabric-ca-server` I am getting the below error

massiveashok2014 (Thu, 22 Mar 2018 16:11:41 GMT):
~/go/GO_PROJECTS/src/github.com/hyperledger/fabric-ca# make fabric-ca-server Building fabric-ca-server in bin directory ... # github.com/hyperledger/fabric-ca/vendor/github.com/cloudflare/cfssl/log compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/cloudflare/cfssl/errors compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/jmoiron/sqlx/reflectx compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/cloudflare/cfssl/certdb compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/kisielk/sqlstruct compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/cloudflare/cfssl/auth compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/google/certificate-transparency-go/asn1 compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/golang.org/x/crypto/ocsp compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/golang.org/x/crypto/pkcs12/internal/rc2 compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/cloudflare/cfssl/info compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/cloudflare/cfssl/ocsp/config compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/gogo/protobuf/proto compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/golang/protobuf/proto compile: version "go1.9.2" does not match go tool version 
"go1.9.4" # github.com/hyperledger/fabric-ca/vendor/golang.org/x/net/context compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/jmhodges/clock compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/gorilla/mux compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/utils compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/op/go-logging compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/google.golang.org/grpc/grpclog compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/pkg/errors

massiveashok2014 (Thu, 22 Mar 2018 16:11:44 GMT):
compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/golang.org/x/crypto/sha3 compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/mitchellh/mapstructure compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cast compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/spf13/pflag compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/golang.org/x/sys/unix compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/hashicorp/hcl/hcl/strconv compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/magiconair/properties compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/pelletier/go-toml compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/kr/fs compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/golang.org/x/crypto/curve25519 compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/golang.org/x/crypto/ed25519/internal/edwards25519 compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/spf13/afero/mem compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/golang.org/x/text/transform compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/spf13/jwalterweatherman compile: version "go1.9.2" does not match go 
tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/gopkg.in/yaml.v2 compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/davecgh/go-spew/spew compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/pmezard/go-difflib/difflib compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/go-sql-driver/mysql compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/lib/pq/oid compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/miekg/pkcs11 compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/Knetic/govaluate compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/gopkg.in/asn1-ber.v1 compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/golang.org/x/crypto/blowfish compile: version "go1.9.2" does not match go tool version "go1.9.4" # github.com/hyperledger/fabric-ca/vendor/github.com/mattn/go-sqlite3 compile: version "go1.9.2" does not match go tool version "go1.9.4" Makefile:120: recipe for target 'bin/fabric-ca-server' failed make: *** [bin/fabric-ca-server] Error 2

massiveashok2014 (Thu, 22 Mar 2018 16:12:02 GMT):
sorry, maybe too many lines

massiveashok2014 (Thu, 22 Mar 2018 16:12:52 GMT):
My go version - go version go1.9.4 linux/amd64

massiveashok2014 (Thu, 22 Mar 2018 16:33:47 GMT):
Do i need to download go 1.9.2?

aambati (Thu, 22 Mar 2018 17:12:33 GMT):
it should work with any 1.9.x version...https://stackoverflow.com/questions/46693653/compile-version-go1-9-does-not-match-go-tool-version-go1-9-1

smithbk (Thu, 22 Mar 2018 21:32:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PNWCjNj3oQw9bxss9) @dsanchezseco Use 'client' for all users including admins

krishna108 (Fri, 23 Mar 2018 05:15:15 GMT):
When a user is enrolled, we get an "enrollment secret". But where do we use the enrollment secret? If we want to get the user context, only the user id is required.

massiveashok2014 (Fri, 23 Mar 2018 07:31:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nFf4mDQECfywnWWBQ) @aambati - Might the reason for all this be that I am doing it as the root user?

aambati (Fri, 23 Mar 2018 11:40:12 GMT):
Enrollment credentials (private key and certificate) are used when submitting a transaction @krishna108 [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bEP2hSeoW7ysB4NE7)

aambati (Fri, 23 Mar 2018 11:45:14 GMT):
I don’t think so...something with the way you have your path and goroot is setup...I googled the string “does not match go tool version”, although most of hits I got were for mac, they should give a clue @massiveashok2014 [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PKMkqQbpzkZvnxfPP)

massiveashok2014 (Fri, 23 Mar 2018 12:01:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SrBEqYYSmywVLhXFuN) @aambati -
```
export GOROOT=/usr/local/go
export GOPATH=$HOME/go/GO_PROJECTS
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
export PATH=$PATH:$GOPATH/src/github.com/hyperledger/fabric-ca
export FABRIC_CA_HOME=$GOPATH/src/github.com/hyperledger/fabric-ca
export FABRIC_CA_SERVER_HOME=$FABRIC_CA_HOME/server
```

massiveashok2014 (Fri, 23 Mar 2018 12:01:42 GMT):
This is my .bashrc setup

CodeReaper (Fri, 23 Mar 2018 12:04:45 GMT):
Can anyone explain how I can override the default affiliations for orgs in fabric-ca?

aambati (Fri, 23 Mar 2018 13:08:05 GMT):
@CodeReaper You can use `fabric-ca-client affiliations` command to remove the default affiliations and add new affiliations...we have a JIRA (https://jira.hyperledger.org/browse/FAB-8574) to remove default affiliations from the server configuration template, so you won't have any affiliations to start with...you can add affiliations either using `fabric-ca-client affiliations` command or by adding them to server configuration file and restarting the server

IgorSim (Fri, 23 Mar 2018 13:24:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TKkFz7JW9CFySojSq) @aambati Thanks for the answer...so what is the reasonable alternative (if any) to bootstrap a 'fabric-ca' network w/o having a shared folder (like /data in the example) between organizations? The orderer node (where the run container is running) must have the MSP data of all organizations before the genesis block is created. I thought that I could reenroll with admin for the orgs and that way I would get the admin cert, but it turns out it's not the same as the cert from 'admincerts' of the peer MSP.

CodeReaper (Fri, 23 Mar 2018 13:47:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tfmWSYFwX52NLBTuD) @aambati where is the server configuration file in fabric-ca image's container?

aambati (Fri, 23 Mar 2018 13:48:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3WarbxNJy3wR54vxL) @CodeReaper in the home directory (/etc/hyperledger/fabric-ca-server)

CodeReaper (Fri, 23 Mar 2018 13:51:49 GMT):
thnx

mrFranklin (Fri, 23 Mar 2018 13:59:38 GMT):
Has joined the channel.

aambati (Fri, 23 Mar 2018 14:17:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TsHzuX7ab8rtPspsZ) @IgorSim I don't understand what you meant by this: `I thought that i can reenroll with admin for orgs and that way i will get admin cert, but it turns out its not the same with cert from 'admincerts' of the peer MSP.` So, rootca and intca certs, tls root ca and int ca certs, and admin certs of each org that form the consortium in order to bootstrap the orderer..these need to be obtained out of band...then the admins can create and join channels whose initial configuration is based on the orderer system channel

massiveashok2014 (Fri, 23 Mar 2018 14:23:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oQnFNnZw3an8NwJq7) - Below issue resolved with `docker pull yeasy/hyperledger-fabric-ca:1.1.0-alpha` and `docker run --rm -it yeasy/hyperledger-fabric-ca:1.1.0-alpha bash`

IgorSim (Fri, 23 Mar 2018 14:30:18 GMT):
@aambati In the 'fabric-ca' example, out-of-band is basically the 'data' folder, correct? This is the way the MSP of every org becomes available to the 'setup' container which generates the genesis.block of the orderer. Is it possible to not share any folder and use CA (re)enrollment functionality as the 'out-of-band' option to create the MSPs? Of course, there are a few things that should be known/available, like the TLS root CA cert of every CA of the orgs, admin credentials etc...but is this option possible at all? If upon second enrollment of the admin identity the cert is different (compared to the cert in 'admincerts' of the peer) then I guess it doesn't make sense..That's what I'm trying to understand.

massiveashok2014 (Fri, 23 Mar 2018 14:32:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6iFduaTMdhPhCBnxw) - Now on `make fabric-ca-client` getting error as
```
unexpected directory layout:
	import path: github.com/cloudflare/cfssl/csr
	root: /root/go/GO_PROJECTS/src
	dir: /root/go/GO_PROJECTS/src/github.com/hyperledger/fabric-ca/vendor/github.com/cloudflare/cfssl/csr
	expand root: /root/go/GO_PROJECTS/src
	expand dir: /root/go/GO_PROJECTS/src/github.com/hyperledger/fabric-ca/vendor/github.com/cloudflare/cfssl/csr
	separator: /
make: *** [bin/fabric-ca-client] Error 1
```

aambati (Fri, 23 Mar 2018 14:57:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6cDBPCeLJ6B4aLC6h) @IgorSim 1. yes 2. at the moment no...once we have `fabric-ca-client certificates` command, i think it is possible.

Bchainer (Sat, 24 Mar 2018 02:21:19 GMT):
Hello, can someone provide some guidelines on how I should link the HLF identity with a web application (angularJS)? I have defined the network with multiple organizations and each organization could have multiple users. Users should be able to log in using their username and password and then transact on the HLF network. Any pointers or examples would be very helpful.

aambati (Sat, 24 Mar 2018 14:25:32 GMT):
You could use an LDAP to manage your users...This LDAP can be accessed by your web app and the Fabric CA server...the web app will access it to validate the userid and password, and the Fabric CA server will access LDAP to authenticate the enrollment request..enrollment will provide the user with a private key and certificate (which could reside in the user's wallet)...the enrollment cert and key are used by the app to submit transactions on behalf of the user

hantzaras (Sun, 25 Mar 2018 14:20:19 GMT):
Has joined the channel.

sensahin (Sun, 25 Mar 2018 20:50:15 GMT):
Has joined the channel.

gaeshi (Mon, 26 Mar 2018 01:38:34 GMT):
Has joined the channel.

j1984 (Mon, 26 Mar 2018 08:11:09 GMT):
Has joined the channel.

shivaganesh01 (Mon, 26 Mar 2018 08:22:30 GMT):
Has joined the channel.

shivaganesh01 (Mon, 26 Mar 2018 08:26:03 GMT):
Is there any example code of using private DB( side DB)?

shivaganesh01 (Mon, 26 Mar 2018 08:39:50 GMT):
side

ArvsIndrarys (Mon, 26 Mar 2018 10:46:22 GMT):
vim @darrell.odonnell

darrell.odonnell (Mon, 26 Mar 2018 10:46:23 GMT):
Has joined the channel.

aambati (Mon, 26 Mar 2018 13:02:58 GMT):
Pls ask this question in fabric-ledger channel

amy_xu22 (Tue, 27 Mar 2018 01:54:45 GMT):
Has joined the channel.

shivaganesh01 (Tue, 27 Mar 2018 03:50:29 GMT):
Okay. Thanks

BilalAhmad (Tue, 27 Mar 2018 06:30:00 GMT):
Has joined the channel.

trilochanachary (Tue, 27 Mar 2018 07:34:58 GMT):
Has joined the channel.

ManMinster (Tue, 27 Mar 2018 08:13:22 GMT):
Has joined the channel.

zian.yusuf (Tue, 27 Mar 2018 09:42:34 GMT):
Has joined the channel.

amy_xu22 (Tue, 27 Mar 2018 10:47:24 GMT):
hi, I opened an issue with the go community but found out later that I probably should turn to this community instead. Please suggest the appropriate channel if not this one.

amy_xu22 (Tue, 27 Mar 2018 10:48:01 GMT):
Basically I was following the fabric-ca installation guide and bumped into an error in the output (https://github.com/golang/go/issues/24555). The symptom is gone with the most recent version of this file in golang, which also looks to have some other changes later on.

thoduerr (Tue, 27 Mar 2018 14:43:31 GMT):
Has joined the channel.

aambati (Tue, 27 Mar 2018 14:46:02 GMT):
@amy_xu22 we don't support Go 1.10 yet..Fabric CA 1.1 works with 1.9.x

aambati (Tue, 27 Mar 2018 14:46:02 GMT):
@amy_xu22 we don't support Go 1.10 yet..Fabric CA 1.1 works with 1.9.x ... i think we may have to update certificate-transparency-go package...I remember seeing some changes go into certificate-transparency-go recently in support of go 1.10

chadevans (Tue, 27 Mar 2018 16:24:54 GMT):
Has joined the channel.

huy.tranibm (Tue, 27 Mar 2018 21:20:34 GMT):
Hello guys, how do I find out what fabric-ca-client CLI version I am using? There's no version command?

amy_xu22 (Tue, 27 Mar 2018 21:24:15 GMT):
@aambati I see.. will try out 1.9.x. thanks!

amy_xu22 (Tue, 27 Mar 2018 21:26:17 GMT):
'fabric-ca-client version' gives me 'development build'. @huy.tranibm

huy.tranibm (Tue, 27 Mar 2018 21:29:07 GMT):
```
huys-mbp-2:msp huytranibm$ fabric-ca-client version
Error: unknown command "version" for "fabric-ca-client"
Run 'fabric-ca-client --help' for usage.
huys-mbp-2:msp huytranibm$
```

huy.tranibm (Tue, 27 Mar 2018 21:29:17 GMT):
:frowning2:

amy_xu22 (Tue, 27 Mar 2018 22:00:01 GMT):
interesting.. will `go get -u github.com/hyperledger/fabric-ca/cmd/...` do the trick? I executed this yesterday so I could look at the most updated code from the development branch, and clientcmd.go does have the code below:
```
c.rootCmd.AddCommand(&cobra.Command{
	Use:   "version",
	Short: "Prints Fabric CA Client version",
	Run: func(cmd *cobra.Command, args []string) {
		fmt.Print(metadata.GetVersionInfo(cmdName))
	},
})
```

huy.tranibm (Tue, 27 Mar 2018 22:20:52 GMT):
maybe im using an outdated version

huy.tranibm (Tue, 27 Mar 2018 22:20:57 GMT):
thanks amy!

bourbonkidQ (Wed, 28 Mar 2018 09:03:00 GMT):
Hi guys, even if I give my intermediate CA a private key and a certificate, it has already generated a [random]_sk private key in the keystore. Do you know why?

bourbonkidQ (Wed, 28 Mar 2018 09:03:00 GMT):
Hi, even if I give my intermediate CA a private key and a certificate, it has already generated a [random]_sk private key in the keystore. Do you know why?

bourbonkidQ (Wed, 28 Mar 2018 09:03:00 GMT):
Hi, even if I give my intermediate CA a private key and a certificate, it has already generated a [random]_sk private key in the keystore when I do `fabric-ca-server start`. Do you know why?

tongli (Wed, 28 Mar 2018 12:50:32 GMT):
can someone provide me a bit of help on this error?
```
The current identity, with the name 'admin' and the identifier '89cafd3d727d573b34a9e37217624cb6d680b3667bb8994bae6d014cad230dcf', must be activated (ACTIVATION_REQUIRED)
```

tongli (Wed, 28 Mar 2018 12:51:16 GMT):
this error comes from chaincode container and peer container. same error appears in two different containers.

aambati (Wed, 28 Mar 2018 13:39:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GKehQvdk9fS7eu3fT) @bourbonkidQ if you are starting intermediate server with -u option, then it will create a new pair of keys ...start without -u option

aambati (Wed, 28 Mar 2018 13:41:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=svNJhtbmTx8qZoZ2M) @tongli not sure what activation required means...seems like it may be coming from composer?

tongli (Wed, 28 Mar 2018 13:56:17 GMT):
@aambati not really sure. it came from two containers.

tongli (Wed, 28 Mar 2018 13:56:25 GMT):
the chaincode and peer container.

tongli (Wed, 28 Mar 2018 13:58:15 GMT):
I mean same error appear from both containers

Gerard9494 (Wed, 28 Mar 2018 16:19:13 GMT):
Hello, does anyone know how to solve this problem when I try to start a new network using composer?
```
peer1.org2.example.com | 2018-03-28 14:59:18.682 UTC [eventhub_producer] Chat -> ERRO 36a Error handling message: event message must be properly signed by an identity from the same organization as the peer: [failed deserializing event creator: [Expected MSP ID Org2MSP, received Org1MSP]]
```
Thanks! :)

rupa12 (Wed, 28 Mar 2018 23:03:36 GMT):
Has joined the channel.

rupa12 (Wed, 28 Mar 2018 23:11:15 GMT):
Hello, I have generated MSP and TLS certificates for my peers and orderer. Now I want them to join the channel with TLS enabled. However, when I execute the following command: `peer channel create -o orderer.example:xxxx -c $CHANNEL -f /root/config/channel.tx --tls true --cafile $ORDERER_CA` it throws the following error (obtained from the orderer logs): `ERRO 2b4 Principal deserialization failure (The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority) for identity `

rupa12 (Wed, 28 Mar 2018 23:12:08 GMT):
I am running my peers, orderer and fabric-ca-server in docker container

rupa12 (Wed, 28 Mar 2018 23:13:06 GMT):
Can someone help as to where I might be going wrong. Thanks

master-starcloud (Thu, 29 Mar 2018 11:36:25 GMT):
Has joined the channel.

aambati (Thu, 29 Mar 2018 13:10:20 GMT):
@rupa12 can u check 4th bullet in https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#troubleshooting

aambati (Thu, 29 Mar 2018 13:10:20 GMT):
@rupa12 can u check 4th bullet in https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#troubleshooting...seems like you have the same problem

paul.sitoh (Thu, 29 Mar 2018 14:10:53 GMT):
Folks, I am getting this error with Fabric CA. It worked with 1.1.0-preview but not 1.1.0. Here is the log from Docker and I can't decipher it.
```
2018/03/29 14:00:55 [INFO] Created default configuration file at /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
2018/03/29 14:00:55 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
2018/03/29 14:00:55 [INFO] Server Version: 1.1.0
2018/03/29 14:00:55 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1}
2018/03/29 14:00:55 [DEBUG] Making server filenames absolute
2018/03/29 14:00:55 [DEBUG] Initializing default CA in directory /etc/hyperledger/fabric-ca-server
2018/03/29 14:00:55 [DEBUG] Init CA with home /etc/hyperledger/fabric-ca-server and config {Version:1.1.0 Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name:ca.org2.test.com Keyfile:/etc/hyperledger/fabric-ca-server/crypto-config/ca/secret.key Certfile:/etc/hyperledger/fabric-ca-server/crypto-config/ca/ca.org2.test.com-cert.pem Chainfile:ca-chain.pem} Signing:0xc42032e2d0 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[2ebc71df78f5 localhost] KeyRequest: CA:0xc4203283e0 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1 hf.Registrar.Roles:peer,orderer,client,user hf.Registrar.DelegateRoles:peer,orderer,client,user] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc4203127b0 Client: Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** Profile: Label: CSR: CAName: AttrReqs:[] }} CRL:{Expiry:24h0m0s}}
2018/03/29 14:00:55 [DEBUG] CA Home Directory: /etc/hyperledger/fabric-ca-server
2018/03/29 14:00:55 [DEBUG] Checking configuration file version '1.1.0' against server version: '1.1.0'
2018/03/29 14:00:55 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc420312810 PluginOpts: Pkcs11Opts:}
2018/03/29 14:00:55 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc420324ca0 DummyKeystore:}
2018/03/29 14:00:55 [DEBUG] Initialize key material
2018/03/29 14:00:55 [DEBUG] Making CA filenames absolute
2018/03/29 14:00:55 [DEBUG] Closing server DBs
Error: Failed to find private key for certificate in '/etc/hyperledger/fabric-ca-server/crypto-config/ca/ca.org2.test.com-cert.pem': Could not find matching private key for SKI: Failed getting key for SKI [[253 241 137 253 74 92 223 245 232 59 10 248 141 179 149 141 211 125 103 95 130 211 219 230 171 132 208 184 16 197 27 106]]: Key with SKI fdf189fd4a5cdff5e83b0af88db3958dd37d675f82d3dbe6ab84d0b810c51b6a not found in /etc/hyperledger/fabric-ca-server/msp/keystore
```

paul.sitoh (Thu, 29 Mar 2018 14:11:33 GMT):
Is there any special setting I need to set with Fabric CA?

aambati (Thu, 29 Mar 2018 15:19:10 GMT):
@paul.sitoh you are specifying CA cert and key, so I expected the following info messages, but I don't see them in the output you provided:
```
log.Info("The CA key and certificate files already exist")
log.Infof("Key file location: %s", keyFile)
log.Infof("Certificate file location: %s", certFile)
```
let me try this in my environment

paul.sitoh (Thu, 29 Mar 2018 15:21:11 GMT):
The keys were generated from cryptogen

aambati (Thu, 29 Mar 2018 15:27:39 GMT):
@paul.sitoh make sure /etc/hyperledger/fabric-ca-server/crypto-config/ca/secret.key file exists?

aambati (Thu, 29 Mar 2018 15:27:39 GMT):
@paul.sitoh make sure `/etc/hyperledger/fabric-ca-server/crypto-config/ca/secret.key` file exists?

paul.sitoh (Thu, 29 Mar 2018 15:31:39 GMT):
@aambati No secret.key

paul.sitoh (Thu, 29 Mar 2018 15:31:47 GMT):
How is it generated?

paul.sitoh (Thu, 29 Mar 2018 15:32:42 GMT):
Do I need to set something with the cryptogen tool?

skarim (Thu, 29 Mar 2018 15:49:14 GMT):
@paul.sitoh Cryptogen should generate both the key and the certificate. Do you see two files under /etc/hyperledger/fabric-ca-server/crypto-config/ca? One should be the certificate and the other the key (it might not be called secret.key)

paul.sitoh (Thu, 29 Mar 2018 15:49:43 GMT):
ok thanks

paul.sitoh (Thu, 29 Mar 2018 15:58:07 GMT):
@skarim is it under, for example, this file structure `crypto-config/peerOrganizations/org1.test.com/peers/peer0.org1.test.com/tls/`?

paul.sitoh (Thu, 29 Mar 2018 15:58:47 GMT):
The file structure is only an example.

paul.sitoh (Thu, 29 Mar 2018 15:59:43 GMT):
I presumed it means the key for org1 client to access right?

paul.sitoh (Thu, 29 Mar 2018 15:59:43 GMT):
I presumed it means the key for org1 client to access tls right?

paul.sitoh (Thu, 29 Mar 2018 15:59:43 GMT):
I presumed it means the key for org1 client to access CA right?

bourbonkidQ (Thu, 29 Mar 2018 16:01:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xeLgCK2jKpKhbZw7w) @aambati I restarted my ICA without the -u option and with the `--chainfile $pathtomyicacert` and the ICA creates a new private key

bourbonkidQ (Thu, 29 Mar 2018 16:01:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xeLgCK2jKpKhbZw7w) @aambati I restarted my ICA without the -u option and with the `--chainfile $pathtomyicacert` and the ICA creates a new private key it should not if you have placed the private key in the /keystore directory

aambati (Thu, 29 Mar 2018 16:05:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3x2q88srwb9kBmFRB) @bourbonkidQ it should not if you have placed the private key in the /keystore directory

aambati (Thu, 29 Mar 2018 16:11:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WhMPdLHFxWDRrBRzX) @paul.sitoh tls folder will contain certs used for tls communication

aambati (Thu, 29 Mar 2018 16:11:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WhMPdLHFxWDRrBRzX) @paul.sitoh tls folder will contain cert used for tls communication

paul.sitoh (Thu, 29 Mar 2018 16:12:05 GMT):
@aambati do we need one for client as well as CA server? I mean the keys

aambati (Thu, 29 Mar 2018 16:15:18 GMT):
lets go back to your original problem... if you want to use the key pair generated by the cryptogen to bootstrap fabric ca server, then both cert/key should be specified in the server configuration...in your case, the cert file was there but the key file is not there

aambati (Thu, 29 Mar 2018 16:15:38 GMT):
what files do you see in /etc/hyperledger/fabric-ca-server/crypto-config/ca/ ?

paul.sitoh (Thu, 29 Mar 2018 16:16:01 GMT):
none

paul.sitoh (Thu, 29 Mar 2018 16:16:09 GMT):
I think it is a mapping problem

paul.sitoh (Thu, 29 Mar 2018 16:16:24 GMT):
So that part is probably resolved

paul.sitoh (Thu, 29 Mar 2018 16:16:59 GMT):
I can see there is a server.key and a client.key from the cryptogen generated folder

paul.sitoh (Thu, 29 Mar 2018 16:16:59 GMT):
I can see there is a `server.key` and a `client.key` in the cryptogen generated folder. I am guessing the server.key needs to be mapped to the FABRIC_CA_TLS_KEYFILE?

paul.sitoh (Thu, 29 Mar 2018 16:16:59 GMT):
I can see there is a `server.key` and a `client.key` in the cryptogen generated folder. I am guessing the `server.key` needs to be mapped to the FABRIC_CA_TLS_KEYFILE?

paul.sitoh (Thu, 29 Mar 2018 16:16:59 GMT):
I can see there is a `server.key` and a `client.key` in the cryptogen generated folder. I am guessing the `server.key` needs to be mapped to the FABRIC_CA_TLS_KEYFILE?

aambati (Thu, 29 Mar 2018 16:18:26 GMT):
In the first-network/crypto-config folder on my system, I see this:
```
aambati@Anils-MBP:~/Blockchain/fabric/src/github.com/hyperledger/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/ca$ls
b77de0774d5991d6f828461c322808b146ec9a2038eef475636bbcea913b5a24_sk
ca.org1.example.com-cert.pem
```

aambati (Thu, 29 Mar 2018 16:18:46 GMT):
as you can see there is a cert and a private key

bourbonkidQ (Thu, 29 Mar 2018 16:19:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Ff4sc6aeLRmaRZfNM) @aambati but I do the same with `-ca.keyfile $pathtotheicapk`, and it creates a new random pk each time :/ . And yes, I store all the pk in keystore/

paul.sitoh (Thu, 29 Mar 2018 16:20:37 GMT):
@aambati So I map the _sk file?

aambati (Thu, 29 Mar 2018 16:20:52 GMT):
@bourbonkidQ can u pls share the ica log

paul.sitoh (Thu, 29 Mar 2018 16:21:01 GMT):
To the TLS_SERVER variable?

aambati (Thu, 29 Mar 2018 16:21:36 GMT):
that is not tls cert key pair...that is CA's cert/key pair

rupa12 (Thu, 29 Mar 2018 17:38:23 GMT):
Hi @aambati thank you for your reply. I checked the 4th bullet in https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#troubleshooting/ While I checked a bit, it looks like it is having a problem creating an identity for my admin2 ID. How do I check if my admin2 has admin rights?

aambati (Thu, 29 Mar 2018 18:03:22 GMT):
@rupa12 sorry I don't understand your question...you say it is having a problem creating an identity for admin2 but you ask how do I check if admin2 has admin rights? if admin2 is not created then how can it have admin rights? in any case, if you want an id to be admin, place its cert in the admins folder of the msp

rupa12 (Thu, 29 Mar 2018 18:45:47 GMT):
Sorry for the confusion. I actually created this user named 'admin2' and got my orderer and peer registered/enrolled with it. Also I am a little confused here... all my peers and orderer have an admincerts folder in msp. So I have copied the contents of signcerts of each peer/orderer into the admincerts folder ...

rupa12 (Thu, 29 Mar 2018 18:51:31 GMT):
Also am sending this : export CORE_PEER_MSPCONFIGPATH=/crypto/admin2/msp before creating my channel ...

aambati (Thu, 29 Mar 2018 20:48:12 GMT):
@rupa12 signcerts folder should have enrollment certs for the peer and orderer ...admincerts folder should have enrollment certs of the admins ...normally, enrollment certs of users who are considered admins are put in the admincerts folder...there is a difference between msp folder that is on peer machine, which is used for local administration of the peer (like installing chaincode) and msp information that is in the orderer system channel configuration (https://hyperledger-fabric.readthedocs.io/en/latest/configtx.html#), which is used to verify if the user has privilege to create channel

aambati (Thu, 29 Mar 2018 20:50:52 GMT):
each org has an msp section in the system channel configuration, the msp section:
```
- org2
  - policies
    - Admins
    - Readers
    - Writers
  - mod_policy
  - version
  - values
    - MSP
      - mod_policy
      - value
        - config
          - name
          - crypto_config
          - admins
          - intermediate_certs
          - root_certs
          - tls_intermediate_certs
          - tls_root_certs
          - crls
```
which contains public key materials (certs)

TulioMSL (Thu, 29 Mar 2018 20:59:35 GMT):
Has joined the channel.

rupa12 (Thu, 29 Mar 2018 21:25:23 GMT):
Thanks @aambati, for that clarification. I shall put the enrollment cert of the admin in each of my peers'/orderers' admincerts folder. I had another query, I am following this document: http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html# and I created my admin2 using the command `fabric-ca-client register -d --id.name admin2 --id.affiliation org1 --id.attrs '"hf.Registrar.Roles=peer,user,orderer",hf.Revoker=true' --id.type client` . I registered my peer/orderer with this admin2. So since this admin2 is of type 'client' and not 'admin' do you think that might be the reason why I am getting this error `ERRO 2b4 Principal deserialization failure (The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority) for identity`

aambati (Thu, 29 Mar 2018 21:46:45 GMT):
@rupa12 no...i don't think so

aambati (Thu, 29 Mar 2018 21:53:33 GMT):
what is the value of CORE_PEER_MSPCONFIGPATH in the container where you issue peer channel create?

rupa12 (Thu, 29 Mar 2018 22:06:37 GMT):
it is CORE_PEER_MSPCONFIGPATH=/crypto/admin2/msp

rupa12 (Thu, 29 Mar 2018 22:20:02 GMT):
and I have these admin2, peer and orderer folders in the container from where I am issuing peer channel create command ...

rupa12 (Thu, 29 Mar 2018 23:53:36 GMT):
I also compared the AKI of the certificate in signcert of admin2 user with the SKI of the certificate in cacert of the same admin2 user. And they both are the same. So the organization name mentioned in my configtx.yaml is diff than the one I used to register my peer and orderer. Can that be the reason for this error?

aambati (Fri, 30 Mar 2018 02:37:20 GMT):
@rupa12 no

AaronHu007 (Fri, 30 Mar 2018 05:49:03 GMT):
Has joined the channel.

pmryan (Fri, 30 Mar 2018 07:38:37 GMT):
Has joined the channel.

pmryan (Fri, 30 Mar 2018 07:40:50 GMT):
@mastersingh24 or anyone, can FCA be configured to use couchDB instances like BYFN or fabcar? if so, can someone direct me to any documentation or coded examples?

pmryan (Fri, 30 Mar 2018 07:57:44 GMT):
and also examples of adding ports to everything so the chain can actually be interacted with from external devices

JeroenDePrest (Fri, 30 Mar 2018 08:46:41 GMT):
What is the use of the intermediate CA? Can't I use a root CA for everything? (I am new to the CA thing)

smithbk (Fri, 30 Mar 2018 12:19:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iebdfFoyJSWPqmNvm) @pmryan No, fabric-ca-server can use sqlite, postgres, or mysql

smithbk (Fri, 30 Mar 2018 12:22:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gNaxdfhRveju6EYqE) @pmryan I guess you're referring to adding "expose" statements to docker-compose file so you can reach the ports on your host? No, I'm not aware of any. You would just have to add yourself. If this isn't what you mean, pls elaborate.

smithbk (Fri, 30 Mar 2018 12:24:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cD9rgofK23vDNa2uu) @JeroenDePrest See https://security.stackexchange.com/questions/128779/why-is-it-more-secure-to-use-intermediate-ca-certificates/128800

ronald.petty (Fri, 30 Mar 2018 16:25:02 GMT):
Has joined the channel.

ronald.petty (Fri, 30 Mar 2018 16:25:21 GMT):
How does one report a potential bug to fabric-ca?

ronald.petty (Fri, 30 Mar 2018 16:25:21 GMT):
How does one report a potential bug to fabric-ca? (no link on GH)

ronald.petty (Fri, 30 Mar 2018 16:28:28 GMT):
Installed as: `go get -u github.com/hyperledger/fabric-ca/cmd/...` Ran as: `$(go env GOPATH)/bin/fabric-ca-server start -b admin:adminpw` Got following panic: ``` ```

ronald.petty (Fri, 30 Mar 2018 16:28:28 GMT):
Installed as: `go get -u github.com/hyperledger/fabric-ca/cmd/...` Ran as: `$(go env GOPATH)/bin/fabric-ca-server start -b admin:adminpw` Got following panic: ```

ronald.petty (Fri, 30 Mar 2018 16:28:28 GMT):
Installed as: `go get -u github.com/hyperledger/fabric-ca/cmd/...` Ran as: `$(go env GOPATH)/bin/fabric-ca-server start -b admin:adminpw` Got the following panic:
```
2018/03/29 23:05:45 [INFO] Configuration file location: /home/ubuntu/fabric-ca-server-config.yaml
2018/03/29 23:05:45 [INFO] Starting server in home directory: /home/ubuntu
panic: Version is not set for fabric-ca library
goroutine 1 [running]:
```

ronald.petty (Fri, 30 Mar 2018 16:30:09 GMT):
```
$(go env GOPATH)/bin/fabric-ca-server version
fabric-ca-server:
 Version: development build
 Go version: go1.10.1
 OS/Arch: linux/amd64
```

ronald.petty (Fri, 30 Mar 2018 16:30:54 GMT):
Any advice on what I am doing wrong? It appeared the code says the version is supplied during `make`. The `go get` is from the readthedocs instructions.

rupa12 (Fri, 30 Mar 2018 19:20:27 GMT):
@aambati : I am getting this error now:
```
Checking if identity satisfies ADMIN role for exampleMSP
identity 0 does not satisfy principal: This identity is not an admin
WARN 235 Rejecting CONFIG_UPDATE because: Error authorizing update: Error validating DeltaSet: Policy for [Groups] /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
```

rupa12 (Fri, 30 Mar 2018 19:22:17 GMT):
So basically I was using `CORE_PEER_MSPCONFIGPATH=/crypto/admin2/msp` and it is saying that admin2 is not an admin ... is there a way to assign this 'admin' role to admin2?

jorgego (Fri, 30 Mar 2018 20:52:32 GMT):
Has joined the channel.

mastersingh24 (Sat, 31 Mar 2018 10:14:51 GMT):
@rupa12 - you will need to explicitly add the public certificate for `admin2` to the `admincerts` of the MSP for the org `exampleMSP` in the channel you are trying to update. You'll need to use the original admin cert

thalisson (Sun, 01 Apr 2018 02:41:39 GMT):
Has joined the channel.

rupa12 (Sun, 01 Apr 2018 02:42:17 GMT):
@mastersingh24 : I have done the following ( acc to the doc http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#fabric-ca-client): I have enrolled an identity whose ID is admin using : `export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin` This generated a msp folder with cacerts, keystore and signcerts. I created another folder 'admincerts' and copied the contents of 'signcerts' into it. I then copied this 'admincerts' folder to all other peers and orderers msp folder. I also registered a new identity of type 'client' called 'admin2' and got my peers and orderer registered/enrolled with that. And now I tried putting `CORE_PEER_MSPCONFIGPATH=/crypto/admin/msp` but even then it is giving me the error `Checking if identity satisfies ADMIN role for exampleMSP` `identity 0 does not satisfy principal: This identity is not an admin` I also created a new genesis.block after making these changes and before using the following command to create the channel: `peer channel create -o orderer.exampleMSP:7050 -c $CHANNEL -f /root/config/channel.tx --tls true --cafile /crypto/orderer.exampleMSP/msp/tlscacerts/fabric-ca-server-7054.pem`

aambati (Sun, 01 Apr 2018 19:01:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MwrZkRoC2w5dgAeoJ) @ronald.petty you can open a bug at https://jira.hyperledger.org

aambati (Sun, 01 Apr 2018 19:42:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EXN8vzFg5MGiZ3kLq) @ronald.petty you may be right, the make target specifies the version property, so if you build with make fabric-ca-server and put the binary in your $GOPATH/bin, this problem will go away...go get does take build flags...I tried this `go get -u -ldflags github.com/hyperledger/fabri-ca/lib/metdata.Version=1.1.0 github.com/hyperledger/fabric-ca/cmd/...` but it did not work..in any case, you can open a bug

ronald.petty (Sun, 01 Apr 2018 20:47:39 GMT):
Thanks @aambati appreciate the help

m4p (Mon, 02 Apr 2018 13:57:42 GMT):
Has joined the channel.

aambati (Mon, 02 Apr 2018 15:10:13 GMT):
@ronald.petty `go get -u -ldflags "-X github.com/hyperledger/fabric-ca/lib/metadata.Version=1.1.0" github.com/hyperledger/fabric-ca/cmd/...` works

huy.tranibm (Mon, 02 Apr 2018 15:11:13 GMT):
Hello guys, what format is this from the channelConfig and how can I decode it to match the certs found in the pem file? TY ```…==```

huy.tranibm (Mon, 02 Apr 2018 15:13:53 GMT):
or convert to x509

audreyle (Mon, 02 Apr 2018 17:18:13 GMT):
Has joined the channel.

aambati (Mon, 02 Apr 2018 17:32:25 GMT):
base64decode it

coffeeplease (Mon, 02 Apr 2018 20:57:40 GMT):
Has joined the channel.

huy.tranibm (Mon, 02 Apr 2018 21:17:00 GMT):
ty @aambati

WHATISOOP (Tue, 03 Apr 2018 02:31:40 GMT):
Has joined the channel.

yghazi (Tue, 03 Apr 2018 10:24:17 GMT):
Has joined the channel.

yghazi (Tue, 03 Apr 2018 12:49:36 GMT):
Hello everyone.. I'm trying to figure out whom the CA would belong to if more than one organization could be added to a channel? For a network that would have multiple organizations, who decides on the permissions to that channel? If it is those organizations who started the channel, what would happen if there was only one organization at the time of genesis? That would mean that the original organization is the only one that might be able to add new organizations?

Exci (Tue, 03 Apr 2018 13:44:18 GMT):
Has joined the channel.

skarim (Tue, 03 Apr 2018 13:59:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dtwwSMvb29kfCeyvm) @yghazi Each organization should have its own CA. Who can interact on the channel depends on the definition of the channel MSP, this is configured during genesis and can be updated after the creation of the channel as well. Each organization that is participating on a channel would need to have their MSP in the channel. As more organizations are added to a channel, the channel MSP needs to be updated. Who can update the channel configuration depends on the policy defined but by default channel update requires both the agreement of a majority of application organization admins and orderer organization admins.

changxuejun (Tue, 03 Apr 2018 14:17:58 GMT):
Has joined the channel.

Rumeel_Hussain (Tue, 03 Apr 2018 15:00:47 GMT):
Has joined the channel.

Bchainer (Tue, 03 Apr 2018 18:13:48 GMT):
Hello, is there an example of using LDAP with CA? I would eventually want to build an application to add users to organization(s) who can transact on blockchain once they are authenticated

skarim (Tue, 03 Apr 2018 19:28:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fmh93ywjrgppnj3iT) @Bchainer I am not aware of an example that uses LDAP with Fabric CA. I would suggest looking at the LDAP section in the readthedocs that talks about configuring ldap: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#configuring-ldap

ctsouthe (Tue, 03 Apr 2018 20:18:00 GMT):
Has joined the channel.

xiao8 (Wed, 04 Apr 2018 01:17:58 GMT):
Has joined the channel.

naveen_saravanan (Wed, 04 Apr 2018 05:10:31 GMT):
Hi everyone. I have looked into "https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#configuring-ldap" for ldap configuration for fabric-starter. But how do I shift from ldap to ldaps? Is there any documentation or steps regarding this? Thanks in advance.

naveen_saravanan (Wed, 04 Apr 2018 05:13:45 GMT):
And also how do I configure the ldap to listen to port 636? ( currently the ldap only listens to port 389)

yghazi (Wed, 04 Apr 2018 06:30:41 GMT):
@skarim Thank you for the explanation! That actually makes a lot of sense. So in that respect, is it safe to say that if I started a channel with one organization and then kept adding organizations, then for every subsequent organization added, there will be more and more organizations responsible for making the decision? Also you mentioned that "the channel configuration depends on the policy", could you please tell me where said policy is configured?

yghazi (Wed, 04 Apr 2018 10:59:42 GMT):
This is it, right? http://hyperledger-fabric.readthedocs.io/en/release-1.0/configtx.html

ondar07 (Wed, 04 Apr 2018 11:48:27 GMT):
Has joined the channel.

aambati (Wed, 04 Apr 2018 13:25:08 GMT):
yes

Ammu (Wed, 04 Apr 2018 13:25:54 GMT):

fatl error.png

aambati (Wed, 04 Apr 2018 13:30:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cTAvkGXrGoSMDfAAp) @naveen_saravanan you want to use an ldap cluster? Recently someone asked about how to configure Fabric CA to use multi-master ldap... pls search for it in this channel... I believe the steps are the same for configuring fabric ca. Did you refer to the ldap documentation (not sure which ldap you are using) on how to configure it to listen on a different port?

aambati (Wed, 04 Apr 2018 13:32:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gQrynWy44LurefbAe) @Ammu have you set $FABRIC_CFG_PATH env variable...(https://stackoverflow.com/questions/49341851/error-when-reading-core-config-file-unsupported-config-type)

skarim (Wed, 04 Apr 2018 14:03:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jQ6DXTvXKD2o6M28R) @yghazi If that is what the policy is configured as then yes adding more organization will require approvals from more and more organizations. The policy is defined in the channel configuration. I think these two documents might be worth reading. http://hyperledger-fabric.readthedocs.io/en/release-1.1/config_update.html http://hyperledger-fabric.readthedocs.io/en/release-1.1/channel_update_tutorial.html

ondar07 (Wed, 04 Apr 2018 14:11:08 GMT):
Hello everyone. If I understand correctly, CA server itself generates a private key for a new identity. Can I configure CA server that it issues a certificate for a public key generated and provided by identity?

tiennv (Wed, 04 Apr 2018 14:31:10 GMT):
Hi,

tiennv (Wed, 04 Apr 2018 14:32:00 GMT):
Is it possible to sign transactions using a private key, instead of enrollment?

skarim (Wed, 04 Apr 2018 14:45:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bq5ZavbRKJSHj3NhW) @ondar07 Are you saying you have already generated a key pair, and you would like to have Fabric CA issue a certificate based on this key? Any reason you don't want the CA to generate the key?

ondar07 (Wed, 04 Apr 2018 14:58:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=x7KnJmBMGjHDjGaHg) @skarim Yes, I want Fabric CA to issue a certificate based on a key generated by the identity. I wonder if there is such an opportunity.

skarim (Wed, 04 Apr 2018 15:04:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dAhXjrwwY7DEqcF9K) @ondar07 There is not a way to pass in an already existing key to be used by Fabric CA to generate a certificate, the generation of the key is always done by the CA during enrollment time.

aambati (Wed, 04 Apr 2018 15:04:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jtFNyGFG9GJntajHu) @tiennv transactions are indeed signed using the private key..

richzhao (Wed, 04 Apr 2018 15:54:28 GMT):
Has joined the channel.

Bchainer (Wed, 04 Apr 2018 16:33:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WAuKhCvDFieowADWQ) @skarim Thanks for the link! I used the OpenLdap image (osixia/openldap)

Bchainer (Wed, 04 Apr 2018 16:40:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WAuKhCvDFieowADWQ) @skarim I used the OpenLDAP docker image (https://github.com/osixia/docker-openldap) and configured it. However, I am not sure what LDAP URL I should update in the CA server config file. The example in the document says `url: ldap://cn=admin,dc=example,dc=org:admin@localhost:10389/dc=example,dc=org`. The CA itself is running in a container, so not sure if localhost would resolve correctly? Any guidance would be helpful

skarim (Wed, 04 Apr 2018 18:38:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KnjZHin8FRTLRSYwZ) @Bchainer This would depend on how you have defined your containers. I believe you could link your Fabric CA container to the LDAP container and then replace "localhost" with the name of the LDAP container and appropriate port and you should be able to connect. @rennman Have you setup something like this?

naveen_saravanan (Thu, 05 Apr 2018 03:46:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wKeqLFP4JHQ7tDTCZ) @aambati Thank you for the reply and I am using openldap here. I will look for responses as you mentioned and please ping me if you find any.

Bchainer (Thu, 05 Apr 2018 08:18:04 GMT):
Just started to explore the Node SDK, and curious about a couple of things: 1) Reviewing the fabcar demo, we enrolled the 'admin' using fabric_ca_client and then created it as a user using fabric_client? Can someone explain why this is needed? 2) Is there a way to query all the admins/users registered on a CA?

naveen_saravanan (Thu, 05 Apr 2018 08:50:33 GMT):
Hi everyone. Does anyone know where the ldap certificates mentioned in the tls section shown below are?

naveen_saravanan (Thu, 05 Apr 2018 08:53:06 GMT):
Hi everyone. Does anyone know where the ldap certificates (.pem files) mentioned in the ldap section of the file fabric-ca-server-configtemplate.yaml are?

naveen_saravanan (Thu, 05 Apr 2018 09:02:45 GMT):
Hi everyone. Does anyone know where the ldap certificates (.pem files) mentioned in the ldap section of the file "fabric-ca-server-configtemplate.yaml" within the artifacts folder of the hyperledger fabric-starter (source url: https://github.com/olegabu/fabric-starter) are located/created, and how does this ldap section interact with these ldap cert files? Below is the ldap section from the fabric-ca-server-configtemplate.yaml file:
```
#############################################################################
#  LDAP section
#  If LDAP is enabled, the fabric-ca-server calls LDAP to:
#  1) authenticate enrollment ID and secret (i.e. username and password)
#     for enrollment requests;
#  2) To retrieve identity attributes
#############################################################################
ldap:
   # Enables or disables the LDAP client (default: false)
   # If this is set to true, the "registry" section is ignored.
   enabled: false
   # The URL of the LDAP server
   url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
   tls:
      certfiles:
        - ldap-server-cert.pem
      client:
         certfile: ldap-client-cert.pem
         keyfile: ldap-client-key.pem
#############################################################################
```
Thanks in advance.

Ammu (Thu, 05 Apr 2018 10:13:24 GMT):

peer no.png

Ammu (Thu, 05 Apr 2018 10:52:05 GMT):

chat peers .png

Levilk (Thu, 05 Apr 2018 12:30:38 GMT):
Hello! I would like to build a simple fabric network (1 root-ca, 1 orderer, and 2 peers) with fabric-ca in docker. I am looking for a tutorial or a sample network which can help me understand how to do it. I've read most of the official fabric and fabric-ca documents, I've analyzed tons of scripts from the fabric and fabric-ca samples, but I got stuck... I can't do it on my own with docker. Can anyone help me, or do you have a working network like the one I mentioned to learn from?

aambati (Thu, 05 Apr 2018 13:48:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PzyHP5gDWGw8nugZ9) @Bchainer 1. All identities (clients, peers, orderers, users) need to have a certificate to operate in a network. One way to get this certificate is by enrolling with Fabric CA to get a cert. I am not sure what "creating a user using fabric-client" means. Maybe it is adding admin credentials to the MSP. 2. Yes, in Fabric CA 1.1, there is a way to query.. pls see https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#getting-identity-information

aambati (Thu, 05 Apr 2018 13:51:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NuvbSP8ZnT7Ciduoz) @Levilk did you look at https://github.com/hyperledger/fabric-samples/tree/release-1.1/fabric-ca

pankajcheema (Thu, 05 Apr 2018 16:31:21 GMT):
Hi all. Does anyone know where the enrollmentID and enrollmentSecret are stored when we create our own network and use the SDK to specify both variables?
```
return fabric_ca_client.enroll({ enrollmentID: 'admin', enrollmentSecret: 'adminpw' })
```
If I use a wrong `enrollmentID` and `enrollmentSecret` then the CA rejects the request for enrollment. Logs of the CA:
```
ca.example.com | 2018/04/05 16:25:04 [DEBUG] Received request for /api/v1/enroll
ca.example.com | 2018/04/05 16:25:04 [DEBUG] ca.Config: &{Version:1.1.0 Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name:ca.example.com Keyfile:/etc/hyperledger/fabric-ca-server-config/2e2223dd901510904ca79e2b436ed98841644be19af8023caade89cb6447c6a0_sk Certfile:/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem Chainfile:/etc/hyperledger/fabric-ca-server/ca-chain.pem} Signing:0xc4202ebc90 CSR:{CN:ca.org1.example.com Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[e44204a437c3 localhost] KeyRequest: CA:0xc4202b6620 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1 hf.Registrar.Roles:peer,orderer,client,user hf.Registrar.DelegateRoles:peer,orderer,client,user] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:/etc/hyperledger/fabric-ca-server/fabric-ca-server.db TLS:{false [] { }} } CSP:0xc4202cb140 Client: Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** Profile: Label: CSR: CAName: AttrReqs:[] }} CRL:{Expiry:24h0m0s}}
ca.example.com | 2018/04/05 16:25:04 [DEBUG] DB: Getting identity admin1
ca.example.com | 2018/04/05 16:25:04 [INFO] 172.18.0.1:48966 POST /api/v1/enroll 401 23 "Failed to get user: : scode: 404, code: 63, msg: Failed to get User: sql: no rows in result set"
```

Bchainer (Thu, 05 Apr 2018 16:31:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NNqaEoyEoc666Xote) @aambati I was referring to the enrollAdmin.js script in the fabcar example:
```
// need to enroll it with CA server
return fabric_ca_client.enroll({
  enrollmentID: 'admin',
  enrollmentSecret: 'adminpw'
}).then((enrollment) => {
  console.log('Successfully enrolled admin user "admin"');
  return fabric_client.createUser({
    username: 'admin',
    mspid: 'Org1MSP',
    cryptoContent: {
      privateKeyPEM: enrollment.key.toBytes(),
      signedCertPEM: enrollment.certificate
    }
  });
});
```

skarim (Thu, 05 Apr 2018 16:44:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=E26nBqnYfAKP3uaBP) @pankajcheema I would try the #fabric-sdk-node channel they will probably be able to answer this better

pankajcheema (Thu, 05 Apr 2018 17:48:19 GMT):
Does anyone know what an affiliation is?
```
ca.example.com | 2018/04/05 17:46:58 [DEBUG] Validate Affiliation
ca.example.com | 2018/04/05 17:46:58 [DEBUG] Checking to see if affiliation 'org1.department1' contains caller's affiliation ''
ca.example.com | 2018/04/05 17:46:58 [DEBUG] Caller has root affiliation
ca.example.com | 2018/04/05 17:46:58 [DEBUG] Validate ID
ca.example.com | 2018/04/05 17:46:58 [DEBUG] Validating affiliation: org1.department1
ca.example.com | 2018/04/05 17:46:58 [DEBUG] DB: Get affiliation org1.department1
```

pankajcheema (Thu, 05 Apr 2018 17:58:43 GMT):
If I use any affiliation other than `org1.department`, the `CA` throws an error:
```
ca.example.com | 2018/04/05 17:54:10 [DEBUG] Received request for /api/v1/register
ca.example.com | 2018/04/05 17:54:10 [DEBUG] Checking for revocation/expiration of certificate owned by 'admin'
ca.example.com | 2018/04/05 17:54:10 [DEBUG] DB: Get certificate by serial (4676355c4b2bc7c3194e0eaa76e654a7008b1f82) and aki (2e2223dd901510904ca79e2b436ed98841644be19af8023caade89cb6447c6a0)
ca.example.com | 2018/04/05 17:54:10 [DEBUG] Successful token authentication of 'admin'
ca.example.com | 2018/04/05 17:54:10 [DEBUG] Received registration request from admin: { Name:user4 Type:client Secret:**** MaxEnrollments:1 Affiliation:org1.custom Attributes:[] CAName: }
ca.example.com | 2018/04/05 17:54:10 [DEBUG] DB: Getting identity admin
ca.example.com | 2018/04/05 17:54:10 [DEBUG] canRegister - Check to see if user 'admin' can register
ca.example.com | 2018/04/05 17:54:10 [DEBUG] Checking to see if caller 'admin' is a registrar
ca.example.com | 2018/04/05 17:54:10 [DEBUG] Validate Affiliation
ca.example.com | 2018/04/05 17:54:10 [DEBUG] Checking to see if affiliation 'org1.custom' contains caller's affiliation ''
ca.example.com | 2018/04/05 17:54:10 [DEBUG] Caller has root affiliation
ca.example.com | 2018/04/05 17:54:10 [DEBUG] Validate ID
ca.example.com | 2018/04/05 17:54:10 [DEBUG] Validating affiliation: org1.custom
ca.example.com | 2018/04/05 17:54:10 [DEBUG] DB: Get affiliation org1.custom
ca.example.com | 2018/04/05 17:54:10 [DEBUG] Registration of 'user4' failed: Registration of 'user4' to validate: Failed getting affiliation 'org1.custom': : scode: 404, code: 63, msg: Failed to get Affiliation: sql: no rows in result set
ca.example.com | 2018/04/05 17:54:10 [INFO] 172.18.0.1:49518 POST /api/v1/register 404 63 "Failed to get Affiliation: sql: no rows in result set"
```

gbolo (Thu, 05 Apr 2018 18:37:53 GMT):
any way that we can add `ecert=true` to any of the user attributes registered in the fabric-ca-server config? https://github.com/hyperledger/fabric-ca/blob/master/cmd/fabric-ca-server/config.go#L167

gbolo (Thu, 05 Apr 2018 18:40:39 GMT):
or i guess i must use fabric-ca-client to register these users

SmartContract2018 (Thu, 05 Apr 2018 19:34:46 GMT):
Has joined the channel.

skarim (Thu, 05 Apr 2018 20:51:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mwMW5QW8dDAedmebJ) @gbolo Currently you can't set `ecert=true` for identities registered through the config file. You can probably open up a JIRA work item to add support for this.

skarim (Thu, 05 Apr 2018 20:56:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uwQvS3mhFgniiDaE8) @pankajcheema Affiliations provide a way to group identities hierarchically. Affiliations are defined in the server configuration file and when the server is started it is bootstrapped with these affiliations. If you try to register an identity with an affiliation that is not in the server database it will throw an error. You can dynamically add affiliations to a server (no restart required), see: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#dynamically-updating-affiliations

feynmanyuan (Thu, 05 Apr 2018 23:45:48 GMT):
Has joined the channel.

pb (Fri, 06 Apr 2018 06:14:11 GMT):
Has joined the channel.

pb (Fri, 06 Apr 2018 06:17:28 GMT):
Hi all Can anyone of you tell me how to add multiple users in fabric dynamically when the network is up and running ? I have gone through fabric ca client documentation http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#fabric-ca-client but found it difficult to understand.

khalifa (Fri, 06 Apr 2018 12:47:43 GMT):
Has joined the channel.

Ashish (Fri, 06 Apr 2018 12:56:21 GMT):
Hi, do we have separate ca images now? For Peer, Orderer and Tools?

Ashish (Fri, 06 Apr 2018 12:57:35 GMT):

fabric-ca-example

rickr (Fri, 06 Apr 2018 13:26:20 GMT):
Possible to define more than one admin (registrar) per CA instance ?

tiennv (Fri, 06 Apr 2018 13:38:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cJtaG8peXduwxNbxH) @aambati Can we use a private key directly without enrollment secret on fabric-ca?

aambati (Fri, 06 Apr 2018 13:39:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uwQvS3mhFgniiDaE8) @pankajcheema that is because you need to define the affiliations before you associate with them...I think of affiliations as tags that are assigned to users...they are hierarchical in nature...if you are a registrar (a user with hf.Registrar attribute) and associated with affiliation org1, you can register users and associate them with org1 affiliation or any child affiliations...similarly, a revoker (a user with hf.Revoker attribute) can revoke users that are associated with revoker's affiliation or sub affiliations

aambati (Fri, 06 Apr 2018 13:40:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BWQSsZh2v4u5QTdNT) @tiennv I am not sure what you mean? Can you please elaborate?

aambati (Fri, 06 Apr 2018 13:40:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=s8YiGAfhJwpEHScjf) @rickr yes

aambati (Fri, 06 Apr 2018 13:41:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=R7W5jC6BQyaNnbsYg) @Ashish no...fabric-ca-orderer is fabric-orderer image with fabric-ca-client ...similarly, fabric-ca-peer is fabric-peer image with fabric-ca-client

tiennv (Fri, 06 Apr 2018 13:43:38 GMT):
@aambati Let's say I want that after I register/enroll a user with fabric-ca, I receive a key pair (private key/public key). Next time, I use the private key/public key to enroll with fabric-ca.

tiennv (Fri, 06 Apr 2018 13:43:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CMq8S2cE4AsEjZgYK) @tiennv So, you are asking if it is possible to enroll a user with a key pair that you already have... if so, the answer is no... May I know what use case you are trying to solve?

tiennv (Fri, 06 Apr 2018 13:43:38 GMT):
@tiennv sorry, pls see my reply... I don't know why it appears as though you replied to yourself

aambati (Fri, 06 Apr 2018 13:43:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DcAJSchqdCGoGhSdL) @pb you can use the `fabric-ca-client identity add` or `fabric-ca-client register` commands... we are looking to improve documentation... can you pls tell what was confusing?

aambati (Fri, 06 Apr 2018 13:49:26 GMT):
@tiennv

zimabry (Fri, 06 Apr 2018 13:55:05 GMT):
Has joined the channel.

alexaguileravz93 (Fri, 06 Apr 2018 14:04:42 GMT):
Has joined the channel.

tiennv (Fri, 06 Apr 2018 14:08:06 GMT):
@aambati Actually, what I understand is that after a user enrolls with fabric-ca, the user doesn't need to enroll again next time. At this moment the user just gets the user context information (client.getUserContext(username, true)) to check whether she is enrolled or not. If she enrolled before, she just sends a transaction to the fabric ledger. But I consider that someone else can get the user context information (client.getUserContext(username, true)) to send a wrong transaction. So I want the user to keep her key pair to send a transaction without getting the context information.

alexaguileravz93 (Fri, 06 Apr 2018 14:27:28 GMT):
Hi All, I have been having an issue on calling chaincode on one of my networks running on a cloud box from a java SDK on my local machine, the error seems to be a TLS connection issue. On my Java side the error I am seeing is:

alexaguileravz93 (Fri, 06 Apr 2018 14:28:41 GMT):
```
04/06/18 10:25:02 L[E]C[org.hyperledger.fabric.sdk.Channel] Channel mychannel sendDeliver failed on orderer orderer1. Reason: UNAVAILABLE: Channel closed while performing protocol negotiation
```
on the orderer side I am seeing this:
```
2018-04-06 14:12:56.626 UTC [grpc] Printf -> DEBU b8d grpc: Server.Serve failed to complete security handshake from "148.132.123.187:60848": remote error: tls: internal error
2018-04-06 14:12:56.725 UTC [grpc] Printf -> DEBU b8e grpc: Server.Serve failed to complete security handshake from "148.132.123.187:60849": remote error: tls: internal error
```

alexaguileravz93 (Fri, 06 Apr 2018 14:28:41 GMT):
@alexaguileravz93 I suggest enabling grpc debug by setting the environment variable CORE_LOGGING_GRPC=DEBUG on all nodes involved to get additional

alexaguileravz93 (Fri, 06 Apr 2018 14:30:05 GMT):
hoping someone can help me get some insight into why this error is happening, I have tried using different certs from the server which are working on the server, but when connecting to my server from local they don't seem to work

aambati (Fri, 06 Apr 2018 17:31:26 GMT):
@tiennv what is user context? Is it a programming artifact or a physical file? It seems like a programming artifact that contains the user's private key and certificate... the private key will be used to sign the transaction proposal and the certificate is included when submitting the transaction proposal... if you meant that the private key is compromised, then the user can request his certificate to be revoked and reenroll to get a new pair of keys

alexaguileravz93 (Fri, 06 Apr 2018 17:45:44 GMT):

Clipboard - April 6, 2018 1:45 PM

alexaguileravz93 (Fri, 06 Apr 2018 17:46:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gCyCWYwK22G5bPgfg) I have set the logging like above, still only seeing this line as an error:

alexaguileravz93 (Fri, 06 Apr 2018 17:46:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NhMyLQjiG38KEB57M) 2018-04-06 17:41:37.300 UTC [grpc] Printf -> DEBU b70 grpc: Server.Serve failed to complete security handshake from "148.132.123.187:59618": remote error: tls: internal error @aambati

alexaguileravz93 (Fri, 06 Apr 2018 17:57:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pP5RSW7pJRmHrXcGx) @aambati I set that level in my orderer container, and still this is the only log line I see. Is there some other way I need to view these logs? I am using the docker logs command to get that information

pankajcheema (Sat, 07 Apr 2018 08:39:21 GMT):
@alexaguileravz93 putting -f in the logs command for each and every peer and orderer will let you know about your error

pankajcheema (Sat, 07 Apr 2018 08:39:48 GMT):
for example `docker logs -f container_name_here`

Levilk (Sat, 07 Apr 2018 17:41:46 GMT):
Hello! I am curious whether there is any solution for this problem right now: I have a working network with 1 org, 1 orderer, and 2 peers. I installed and instantiated a chaincode successfully on the peers (the CC was working perfectly). I decided to add a new peer to the network. I started a new peer image and joined it to the channel. After I installed the same chaincode without any problem, I could not instantiate it (CC already exists). So I removed the CC's containers and deleted the CC's images and the CCs from the peers (/var/hyperledger/production/chaincodes/). There was no problem installing them again on all peers; on the other hand, they still existed in the channel. I was able to list them on the channel besides the system CCs. Is there any way to instantiate this CC again without a network restart? Must I restart the network if I would like to add this CC to a new peer? Thanks for the answers!

alexaguileravz93 (Sun, 08 Apr 2018 15:46:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZR2kAA76QEFaeM9Yx) @pankajcheema I did put that in the containers, really the only relevant error i am seeing is coming from the orderer: 2018-04-08 15:41:32.240 UTC [grpc] Printf -> DEBU b78 grpc: Server.Serve failed to complete security handshake from "139.49.132.56:59360": remote error: tls: internal error

pankajcheema (Mon, 09 Apr 2018 04:39:06 GMT):
@alexaguileravz93 TLS enabled?

terby (Mon, 09 Apr 2018 05:17:45 GMT):
Has joined the channel.

MaximeAubanel (Mon, 09 Apr 2018 09:58:11 GMT):
Has joined the channel.

MonnyClara (Mon, 09 Apr 2018 10:01:22 GMT):
Has joined the channel.

MaximeAubanel (Mon, 09 Apr 2018 10:04:08 GMT):
"https://localhost:7054/enroll: x509: certificate is valid for ca.org1.hf.xxx.io, not localhost" - What can I do about that? I'm trying to communicate with the FabricCA

pb (Mon, 09 Apr 2018 10:36:37 GMT):
Hi, can anyone tell me how to add multiple users using fabric-client?

pb (Mon, 09 Apr 2018 11:12:04 GMT):
Hi,

pb (Mon, 09 Apr 2018 11:14:26 GMT):
Hi, can anyone please tell me how the certificates generated for a user are used?

pb (Mon, 09 Apr 2018 11:17:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EmrLRcZ64I8PH54poi) @aambati Yeah, if so, when I enrolled a second user, the code seems to use the certificate of the first user and works fine without even generating any new certificates for the second user. How can it be so?

mozkarakoc (Mon, 09 Apr 2018 11:57:47 GMT):
Has joined the channel.

mozkarakoc (Mon, 09 Apr 2018 11:59:06 GMT):
Hi, can anyone please help? https://chat.hyperledger.org/channel/fabric-questions?msg=4nJM8GMPcZk8wD9jt

alexaguileravz93 (Mon, 09 Apr 2018 12:42:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=J9gcHEZvsa3Nh82ka) @pankajcheema Yes TLS is enabled

pankajcheema (Mon, 09 Apr 2018 12:44:47 GMT):
@alexaguileravz93 getting the error at the time of invoke?

alexaguileravz93 (Mon, 09 Apr 2018 12:50:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5WCC3hTSTfbDDSPBg) @pankajcheema Yes, the error comes when I call channel.initialize() in my Java code

pankajcheema (Mon, 09 Apr 2018 12:51:18 GMT):
@alexaguileravz93 are you able to invoke chaincode from the CLI?

pankajcheema (Mon, 09 Apr 2018 12:51:26 GMT):
without sdk

alexaguileravz93 (Mon, 09 Apr 2018 12:52:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9nbaRk2vTyj8t7Ea5) @pankajcheema Yeah, I can install and call chaincode functions from the CLI, just not from my Java client

pankajcheema (Mon, 09 Apr 2018 12:53:07 GMT):
Which docker network are you working on? @alexaguileravz93

pankajcheema (Mon, 09 Apr 2018 12:54:19 GMT):
@alexaguileravz93 I am not familiar with the Java SDK but have worked on the Node SDK.

pankajcheema (Mon, 09 Apr 2018 12:54:34 GMT):
I can help you in finding your issue.

pankajcheema (Mon, 09 Apr 2018 12:54:40 GMT):
I faced it in the Node SDK

pankajcheema (Mon, 09 Apr 2018 12:56:28 GMT):
1. First of all, check that you have put `grpcs` in place of `grpc` wherever you are able to see a URL with `grpc`

alexaguileravz93 (Mon, 09 Apr 2018 12:57:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Jiddox67WGt4igAkr) @pankajcheema Yes I am using grpcs on my urls

pankajcheema (Mon, 09 Apr 2018 12:57:55 GMT):
provided the pem and key file to the orderer

pankajcheema (Mon, 09 Apr 2018 12:58:01 GMT):
?

alexaguileravz93 (Mon, 09 Apr 2018 12:59:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Hzxb6fyYY9YaigqLP) @pankajcheema On the client side I have the pem file being added to the call for the orderer, I only provide a key to my user context while making the call

pankajcheema (Mon, 09 Apr 2018 13:00:47 GMT):
@alexaguileravz93 in my Node SDK I provided
```
var peer = fabric_client.newPeer('grpcs://localhost:7051', {
    'pem': Buffer.from(serverCert).toString(),
    'clientKey': Buffer.from(clientKey).toString(),
    'clientCert': Buffer.from(clientCert).toString(),
    'ssl-target-name-override': 'peer0.debutinfotech.com',
});
```

pankajcheema (Mon, 09 Apr 2018 13:01:11 GMT):
these keys

pankajcheema (Mon, 09 Apr 2018 13:01:17 GMT):
worked fine

pankajcheema (Mon, 09 Apr 2018 13:01:32 GMT):
before that I was getting a connection error.

pankajcheema (Mon, 09 Apr 2018 13:02:19 GMT):
@alexaguileravz93 I think this may help you.

pankajcheema (Mon, 09 Apr 2018 13:02:55 GMT):
check the core definition of the SDK function and check for the parameters.

pankajcheema (Mon, 09 Apr 2018 13:03:07 GMT):
I am sure you will get something here

pankajcheema (Mon, 09 Apr 2018 13:05:49 GMT):
The same will work for the orderer, because you are invoking, so you need to communicate with the orderer

pankajcheema (Mon, 09 Apr 2018 13:06:19 GMT):
@alexaguileravz93 Let me know if my idea worked.

alexaguileravz93 (Mon, 09 Apr 2018 13:07:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=g75XtGbHudwqejvc6) @pankajcheema Ok, let me check the node SDK definitions vs Java and see if I can find out

alexaguileravz93 (Mon, 09 Apr 2018 13:12:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=g75XtGbHudwqejvc6) @pankajcheema Actually, it looks like in the code this is the peer initialization; would you be able to show me how you are making calls to the peer/orderer?

alexaguileravz93 (Mon, 09 Apr 2018 13:12:54 GMT):
As in, I am actually calling from a different client to the peers/orderers on my channel, which are already initialized

pankajcheema (Mon, 09 Apr 2018 13:13:39 GMT):
https://fabric-sdk-node.github.io/tutorial-mutual-tls.html

pankajcheema (Mon, 09 Apr 2018 13:13:50 GMT):
```
orderer = client.newOrderer('grpcs://localhost:7050', {
    'pem': Buffer.from(serverCert).toString(),
    'clientKey': Buffer.from(clientKey).toString(),
    'clientCert': Buffer.from(clientCert).toString(),
});
```

pankajcheema (Mon, 09 Apr 2018 13:13:56 GMT):
@alexaguileravz93

alexaguileravz93 (Mon, 09 Apr 2018 13:43:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4q8s2wrRihKkT42jK) @pankajcheema I am reading through for the Java SDK and it looks like I am providing the client key/cert in my User context. I am using the same ones as what I used on my CLI, but it looks like it's still failing. I am making a call to a remote system from my local machine, and one thing I was thinking was that maybe, since the CLI I am using is running in the docker network, the cert is being signed with the hostname on the docker network and not the hostname of the server I am making the call to. Is this a possibility?

aambati (Mon, 09 Apr 2018 13:44:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7J73kMi84wFxCKmxA) @MaximeAubanel Make sure to mention localhost in the hosts property of the CSR that is used to generate the TLS certificate

aambati (Mon, 09 Apr 2018 13:45:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=piduutQNy5sBKEh59) @Levilk please ask this question in the #fabric-peer-endorser-committer channel

aambati (Mon, 09 Apr 2018 13:53:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7tt5EeBXzsZC7RcMB) @pb the certificate and key pair that you get when a user is enrolled are used to submit the transactions. The transaction is signed by the private key of the user and the certificate is sent as part of the transaction... The SDKs provide APIs for submitting transactions and more

aambati (Mon, 09 Apr 2018 13:57:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xEZWAQmTjpzmy5jGN) @pb The flow is as follows:
1. A user with registrar privileges (a user with the hf.Registrar attribute) registers another user.
2. The registrar gives the userid and the password returned by the register command to the second user.
3. The second user uses the userid and password to enroll to get a private key and certificate... if he uses the fabric-ca-client command, then the key and certificate will be stored in the MSP (in /msp or the directory specified by the -M parameter).

aambati (Mon, 09 Apr 2018 14:07:32 GMT):
@alexaguileravz93 So, in this case, the client cert has to be issued by a CA whose certificate chain is specified in the orderer (using the ORDERER_GENERAL_TLS_CLIENTROOTCAS env property), and the client should also have the CA chain of the orderer TLS cert to authenticate the orderer TLS connection

aambati (Mon, 09 Apr 2018 14:08:09 GMT):
I am assuming you have configured mutual TLS on the orderer and peer nodes?

aambati (Mon, 09 Apr 2018 14:08:30 GMT):
Also, please read this if you have not already: https://hyperledger-fabric.readthedocs.io/en/latest/enable_tls.html

alexaguileravz93 (Mon, 09 Apr 2018 14:31:36 GMT):
@aambati do you mind if I ping you in private chat?

aambati (Mon, 09 Apr 2018 14:32:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=x4frkt7iiyjz9QxY4) @alexaguileravz93 sure

ningyan325 (Mon, 09 Apr 2018 15:56:49 GMT):
Has joined the channel.

anishman (Mon, 09 Apr 2018 16:47:35 GMT):
Hello everyone, I have a question regarding the sample "balance-transfer". When I transfer the money from A to B, the console log and the docker logs of the 'ca' show the errors "[ERROR] Helper - Jim enrollment failed" and "[DEBUG] Registration of 'Jim' failed: No identity type provided. Please provide identity type" respectively. However, the transaction result is correct and there are no errors in the docker logs of the 'peer' and 'orderer' containers. Does anyone know why the transaction is succeeding despite Jim's enrollment failing every time? (I've attached the screenshot too) @ArnabChatterjee - thanks beforehand

anishman (Mon, 09 Apr 2018 16:48:46 GMT):

enrollment_error_but_txn_pass.png

mastersingh24 (Mon, 09 Apr 2018 17:01:26 GMT):
@anishman - been a while since I looked at the code, but my guess is that even though registration of user "Jim" fails, the sample continues on using the "admin" user (which is also a valid user for the org)

toddinpal (Mon, 09 Apr 2018 20:23:55 GMT):
Where would I find a description of the fabric-ca/msp support of OAuth and OAuth tokens?

aambati (Mon, 09 Apr 2018 22:11:10 GMT):
@toddinpal not sure what you mean by this... fabric-ca API endpoints (except enroll) accept oauth tokens... you can look at https://github.com/hyperledger/fabric-ca/blob/release-1.1/swagger/swagger-fabric-ca.json

aambati (Mon, 09 Apr 2018 22:11:18 GMT):
it describes the format of the oauth token

aambati (Mon, 09 Apr 2018 22:12:11 GMT):
The fabric-ca client does this for you: https://github.com/hyperledger/fabric-ca/blob/e6568899913a42ee6ac868cd0386422066e9f6bd/util/util.go#L173

anishman (Mon, 09 Apr 2018 23:34:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=c9uyeYyH28bttpN3H) @mastersingh24 thanks a lot for the reply. Appreciate it.

naveen_saravanan (Tue, 10 Apr 2018 10:12:54 GMT):
Hi everyone. I tried using StartTLS for LDAP with reference to the document at this URL: https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls . But before trying to connect to it from the blockchain, I tried to connect to it from a Node.js application (with the ldapjs package, using the ldapClient.starttls method) and was not able to connect to the LDAP server. If you know any steps or document regarding this, please share it. Thanks in advance.

ws8634 (Tue, 10 Apr 2018 11:51:44 GMT):

Clipboard - April 10, 2018 7:51 PM

ws8634 (Tue, 10 Apr 2018 11:52:33 GMT):
Can anybody tell me what's wrong? Thank you

ws8634 (Tue, 10 Apr 2018 11:54:54 GMT):
I started the fabric-ca server with the command "fabric-ca-server start -b admin:adminpw", but I got the message "panic: Version is not set for fabric-ca library". How can I set the version of the fabric server? Thank you

MaximeAubanel (Tue, 10 Apr 2018 12:41:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9XLhv6p4oDkicHmb9) @aambati Thanks, I finally made it work!

MaximeAubanel (Tue, 10 Apr 2018 12:47:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2BiTobcRDkGzYvfbf) @ws8634 Hello, check that :) https://github.com/fabric/fabric/issues/1731

toddinpal (Tue, 10 Apr 2018 12:57:17 GMT):
@aambati Right, but enroll doesn't allow passing a token as far as I know. This is required in order to support federated IDMs.

aambati (Tue, 10 Apr 2018 13:21:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2BiTobcRDkGzYvfbf) @ws8634 Did you run `go get` to get fabric-ca-server and fabric-ca-client? If so, try this: ```go get -u -ldflags "-X github.com/hyperledger/fabric-ca/lib/metadata.Version=1.1.0" github.com/hyperledger/fabric-ca/cmd/...```

aambati (Tue, 10 Apr 2018 13:21:58 GMT):
Also, you will run into this issue if you run `make docker` using `go 1.10`... there is a change set to fix this problem

aambati (Tue, 10 Apr 2018 13:25:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Gc87nC995zffHSkbH) @toddinpal Yes, that is what I mentioned: except for the enroll endpoint, all endpoints accept oauth tokens (token authentication)... enroll accepts a basic authentication header... can you pls explain what you meant by "This is required in order to support federated IDMs"

MaximeAubanel (Tue, 10 Apr 2018 13:25:47 GMT):
Hello guys, how can I change the `fabric-ca-server-config.yaml`? I can access it within my docker container, but I would like it to be in a certain way before my server-ca starts to initialize itself

aambati (Tue, 10 Apr 2018 13:42:53 GMT):
You can change the "command" property in the docker compose file to something like this: `/bin/bash -c 'fabric-ca-server start -c ...'`

MaximeAubanel (Tue, 10 Apr 2018 13:43:29 GMT):
@aambati awesome, thanks!

aambati (Tue, 10 Apr 2018 13:43:46 GMT):
You can either map the directory where fabric-ca-server-config.yaml lives or copy it to a directory in the container

MaximeAubanel (Tue, 10 Apr 2018 13:50:17 GMT):
Yeah I'm using docker-compose in order to mount the file on the docker :) I don't need to use the "-c" flag then. Thanks again :) @aambati

toddinpal (Tue, 10 Apr 2018 14:27:11 GMT):
@aambati Let's say I've modified fabric-ca to use an IDM system that supports federated identity management. I want to be able to pass an OAuth token provided by another IDM system into the enroll request. Currently the enroll request assumes the caller has an identity in the local IDM system and only supports username/password AFAIK.

XingqiangMao (Tue, 10 Apr 2018 14:30:55 GMT):
Has joined the channel.

XingqiangMao (Tue, 10 Apr 2018 14:31:11 GMT):
Hi, I have a setup question for the CA server. If I use the SDK for dev, and have peer, orderer... everything ready for one of many clients, should I set up a CA server and client for every client? Or should someone host the CA server?

aambati (Tue, 10 Apr 2018 14:37:24 GMT):
@toddinpal This OAuth token given by the federated IDM system will be the same for all requests; can it not be part of the connection string?

aambati (Tue, 10 Apr 2018 14:38:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SAJYTfL486MhFvWFx) @XingqiangMao Usually there is one fabric ca server per organization, not per client

jtclark (Tue, 10 Apr 2018 14:43:30 GMT):
GM all.

jtclark (Tue, 10 Apr 2018 14:43:53 GMT):
@cbf has asked the Fabric CI team to revisit FAB-1446

jtclark (Tue, 10 Apr 2018 14:45:46 GMT):
I'd like to see if we can get this closed out this week. I got some direction from @ashutosh_kumar regarding making a non-voting job to cover this test, since what we are seeing from the test results are false positives.

jtclark (Tue, 10 Apr 2018 14:46:07 GMT):
@smithbk is this an approach that you think we can take?

jtclark (Tue, 10 Apr 2018 15:09:21 GMT):
Also @rameshthoomu, do you have any thoughts on this approach? :point_up_tone2:

XingqiangMao (Tue, 10 Apr 2018 15:10:48 GMT):
@aambati Thank you for the reply. So one network can have multiple orgs, one org can have multiple clients, and a client can have multiple peers. Correct me if I am wrong.

XingqiangMao (Tue, 10 Apr 2018 15:11:47 GMT):
For me, I can define any number of CA servers I want, right? Even if only one org hosts one CA server.

rameshthoomu (Tue, 10 Apr 2018 15:12:11 GMT):
@jtclark that sounds good to me.. Create a weekly job and run these tests.

jtclark (Tue, 10 Apr 2018 15:12:25 GMT):
sounds good.

rameshthoomu (Tue, 10 Apr 2018 15:12:44 GMT):
You have to separate out these tests from the test suite..

rameshthoomu (Tue, 10 Apr 2018 15:13:18 GMT):
and run only this test in weekly job till we get fixes for these..

rameshthoomu (Tue, 10 Apr 2018 15:13:44 GMT):
that's my take and would like to hear from others..

jtclark (Tue, 10 Apr 2018 15:14:29 GMT):
If I understand right, I'm currently adding the safesql Go module to the fabric-ca-fvt docker image

jtclark (Tue, 10 Apr 2018 15:15:19 GMT):
and then, the script is being added in the scripts/fvt folder inside the fabric-ca repo..

jtclark (Tue, 10 Apr 2018 15:15:37 GMT):
You're saying create an entirely separate job from all the other jobs,

jtclark (Tue, 10 Apr 2018 15:15:53 GMT):
pull down fabric-ca in it, and run the script?

jtclark (Tue, 10 Apr 2018 15:15:58 GMT):
@rameshthoomu :point_up_tone2:

jtclark (Tue, 10 Apr 2018 15:16:47 GMT):
don't add it to any of the existing scripts that are out there, i.e. runDailyTestSuite.sh

jtclark (Tue, 10 Apr 2018 15:16:49 GMT):
?

rameshthoomu (Tue, 10 Apr 2018 15:26:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oAKvmtjZrtR4LmT7o) @jtclark this is related to fabric-test repo

jtclark (Tue, 10 Apr 2018 15:26:59 GMT):
sure, it was just an example.

jtclark (Tue, 10 Apr 2018 15:27:26 GMT):
I was just saying create an entirely new job, and don't add it to any existing scripts

rameshthoomu (Tue, 10 Apr 2018 15:27:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mkmCMowTyn2sve3Hw) @jtclark yes.. that way you will not break the existing builds, and keep a separate job for the vulnerable tests weekly till the build is clean

jtclark (Tue, 10 Apr 2018 15:27:50 GMT):
b/c it would run as part of other jobs that use the same script

jtclark (Tue, 10 Apr 2018 15:28:07 GMT):
I think I got it. thx, @rameshthoomu

tiennv (Tue, 10 Apr 2018 15:56:09 GMT):
Hi guys,

tiennv (Tue, 10 Apr 2018 15:57:42 GMT):
I am writing a fabric application that requires users to enroll into fabric-ca when they want to submit a transaction.

tiennv (Tue, 10 Apr 2018 15:58:19 GMT):
Once a user enrolls, the private key is changed.

tiennv (Tue, 10 Apr 2018 15:58:53 GMT):
Is it possible to keep the private key unchanged?

toddinpal (Tue, 10 Apr 2018 16:05:33 GMT):
@tiennv What do you mean the private key is changed? When you enroll, you receive a private/public key pair.

aambati (Tue, 10 Apr 2018 17:28:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cFmAjPnEdvwBdyLTe) @XingqiangMao one org can have one or more peers...every peer, orderer, user/client should have an identity to participate in the network

aambati (Tue, 10 Apr 2018 17:31:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MRjwtJZMJqS6BtR3e) @tiennv You can create a CSR using the public key associated with your private key and send a request to the /api/v1/enroll endpoint... Pls see https://github.com/hyperledger/fabric-ca/blob/e6568899913a42ee6ac868cd0386422066e9f6bd/swagger/swagger-fabric-ca.json#L217 ... What you get back is a cert signed by the Fabric CA

XingqiangMao (Tue, 10 Apr 2018 17:40:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gjcQPwhAPnCs8CXcg) @aambati I see, thank you!

kiranthakkar (Tue, 10 Apr 2018 20:20:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zEC9ErNkakoD6bSPr) @toddinpal Thanks @toddinpal for starting the discussion. In an enterprise environment, an enterprise would already have their users in some user repository on-prem or on the cloud. When they start using fabric, they would want fabric to be able to connect to their user repository. So our long-term goal should be to support the SCIM interface in MSP. It only supports LDAP or local sqlite as the user registry as of today. The second and relevant point that @toddinpal brought up is that, in such an enterprise environment, the fabric SDK or fabric application would not have access to user credentials. The user would authenticate against an Identity Provider or Authentication Provider and will pass some form of token to the fabric SDK application. The SDK application can pass the token through down to MSP, and MSP should be able to authenticate the user based on the token and enroll the user. To begin with, we should start with the most prominent token these days, and that is the OAuth token.

aambati (Tue, 10 Apr 2018 22:31:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HMkx6JJLKX8evJToT) @kiranthakkar I understand... but we don't have the ability to pass an oauth token to the enroll endpoint currently... I suggest one of you open a feature in JIRA with this detail. Just to correct a couple of things in your comment: 1. The only component that would deal with a user registry is Fabric CA, which is not essential for the working of a fabric network. All the fabric components work with MSP to authenticate transaction proposals... And the enroll request is sent to Fabric CA, not MSP

ws8634 (Wed, 11 Apr 2018 03:20:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Z25Mu4aM9cysW6RCB) @aambati Thank you for your advice. I tried but failed again.

ws8634 (Wed, 11 Apr 2018 03:20:04 GMT):

Clipboard - April 11, 2018 11:19 AM

ws8634 (Wed, 11 Apr 2018 03:24:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8yFD2oY33kWKZQjda) @MaximeAubanel I checked, and that issue is closed without a solution.

blackgeneral (Wed, 11 Apr 2018 03:53:12 GMT):
Has joined the channel.

pb (Wed, 11 Apr 2018 04:59:06 GMT):
User User_1 added by pb.

aambati (Wed, 11 Apr 2018 13:34:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GXubpi3Dio5qKMsFy) @ws8634 can u pls try `./fabric-ca-server start -b admin:admin` in the /go/bin directory

MaximeAubanel (Wed, 11 Apr 2018 13:42:15 GMT):
Why can't I see my user's attribute in my CA db when I do this:
```
var attr []msp.Attribute
attr = append(attr, msp.Attribute{Key: "isAdmin", Value: "true"})
username := "Maxime"
// Register the new user
enrollmentSecret, err := mspClient.Register(&msp.RegistrationRequest{
    Name:        username,
    Type:        "User",
    Attributes:  attr,
    Affiliation: "org1.admins",
})
```

antitoine (Wed, 11 Apr 2018 13:44:55 GMT):
Has joined the channel.

skarim (Wed, 11 Apr 2018 14:37:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BZTEitBpEkqhyKTcm) @MaximeAubanel Do you have debug logs from the server/ca when performing this registration request?

fabienpe (Wed, 11 Apr 2018 14:38:01 GMT):
Has joined the channel.

MaximeAubanel (Wed, 11 Apr 2018 14:39:07 GMT):
@skarim yes

MaximeAubanel (Wed, 11 Apr 2018 14:40:26 GMT):
@skarim here it is ---- > 2018/04/11 10:05:46 [DEBUG] Received registration request from admin: { Name:Maxime Type:User Secret:**** MaxEnrollments:0 Affiliation:org1.admins Attributes:[] CAName: }

skarim (Wed, 11 Apr 2018 14:46:28 GMT):
@MaximeAubanel Are you writing your own Fabric CA client? If so, can you print the Registration Request on the client side before it is sent across the wire over to the server. The code looks okay, not sure if it is getting lost due to some JSON marshaling/unmarshaling issue

MaximeAubanel (Wed, 11 Apr 2018 14:51:58 GMT):
@skarim I'm not writing my own CA client. However I tried many times so I doubt that it's due to some marshaling/unmarshaling random issue

fabienpe (Wed, 11 Apr 2018 14:55:26 GMT):
Is there a way for a registered user to get the public key of another one? If I query the Fabric CA, I can get a list of identities or the identity corresponding to a particular ID, but I did not find an API call which would allow me to get the public key of a given an enrolment ID.

skarim (Wed, 11 Apr 2018 15:12:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=r4pj6LFZP5dSmCkwE) @MaximeAubanel In that case do you have debug logs from the client side?

MaximeAubanel (Wed, 11 Apr 2018 15:12:27 GMT):
Yeah check this out

skarim (Wed, 11 Apr 2018 15:12:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Pjd7QPFGQtMqJMLTv) @fabienpe Not yet, but this feature is currently planned. See: https://jira.hyperledger.org/browse/FAB-7238

MaximeAubanel (Wed, 11 Apr 2018 15:12:39 GMT):
@skarim [fabsdk/fab] 2018/04/11 15:11:39 UTC - lib.(*Identity).Register -> WARN { Name:Maxime Type:User Secret:**** MaxEnrollments:0 Affiliation:org1.admins Attributes:[] CAName: }

MaximeAubanel (Wed, 11 Apr 2018 15:13:12 GMT):
I put a warning cause it's easier to see on the output, don't mind it

MaximeAubanel (Wed, 11 Apr 2018 15:14:44 GMT):
@skarim and the print is here ---->
```go
func (i *Identity) Register(req *api.RegistrationRequest) (rr *api.RegistrationResponse, err error) {
	log.Debugf("Register %+v", req)
	if req.Name == "" {
		return nil, errors.New("Register was called without a Name set")
	}
	log.Warning(req)
	reqBody, err := util.Marshal(req, "RegistrationRequest")
	if err != nil {
		return nil, err
	}
```

MaximeAubanel (Wed, 11 Apr 2018 15:15:18 GMT):
identity.go line 67

skarim (Wed, 11 Apr 2018 15:15:47 GMT):
what is msp.RegistrationRequest? is that the same thing as api.RegistrationRequest?

fabienpe (Wed, 11 Apr 2018 15:16:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9ssKogav4cJDtcRWS) @skarim Thanks! I should have asked earlier instead of spending an afternoon on it ;-)

MaximeAubanel (Wed, 11 Apr 2018 15:16:56 GMT):
@skarim https://github.com/hyperledger/fabric-sdk-go/blob/master/test/integration/msp/enrollment_test.go It's from your test tho

skarim (Wed, 11 Apr 2018 15:18:37 GMT):
ah this is the go SDK, that is a different team out side of fabric-ca. In that case, trying the #fabric-sdk-go channel might get you a better answer

MaximeAubanel (Wed, 11 Apr 2018 15:18:45 GMT):
:'(

MaximeAubanel (Wed, 11 Apr 2018 15:19:29 GMT):
@skarim thanks for your help and your time anyway :D

skarim (Wed, 11 Apr 2018 15:20:40 GMT):
@MaximeAubanel no problem, sorry couldn't be more help

tiennv (Wed, 11 Apr 2018 16:06:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EMyYiCgs8vYCAzQd4) @aambati Thanks you so much. Could you please tell me how to enroll with a CSR using fabric-sdk-node?

tiennv (Wed, 11 Apr 2018 16:06:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EMyYiCgs8vYCAzQd4) @aambati Thanks you so much.

alexvicegrab (Wed, 11 Apr 2018 16:22:14 GMT):
Has joined the channel.

toddinpal (Wed, 11 Apr 2018 17:46:54 GMT):
@aambati @kiranthakkar I've created a Jira issue. Please modify it if I haven't properly captured the issue. https://jira.hyperledger.org/browse/FAB-9467

Ashish (Wed, 11 Apr 2018 18:14:44 GMT):
Hi What do i specify as the version in the fabric-ca-server-config.yaml which gets created when i call init?

Ashish (Wed, 11 Apr 2018 18:14:55 GMT):

Clipboard - April 11, 2018 11:44 PM

Ashish (Wed, 11 Apr 2018 18:19:25 GMT):
I tried with the command *go get -u -ldflags "-X github.com/hyperledger/fabric-ca/lib/metdata.Version=1.1.0" github.com/hyperledger/fabric-ca/cmd/...*

Ashish (Wed, 11 Apr 2018 18:21:36 GMT):
And i tried running ./fabric-ca-server start -b admin:admin also

Ashish (Wed, 11 Apr 2018 18:21:41 GMT):
still the same error.

smithbk (Wed, 11 Apr 2018 18:24:05 GMT):
@Ashish Try cloning the repo and use `make fabric-ca-server`

smithbk (Wed, 11 Apr 2018 18:26:39 GMT):
I can't reproduce the problem as `go get github.com/hyperledger/fabric-ca/cmd/fabric-ca-server` works for me

smithbk (Wed, 11 Apr 2018 18:26:45 GMT):
What OS are you on?

daviorocha (Wed, 11 Apr 2018 19:29:44 GMT):
Has joined the channel.

kiranthakkar (Wed, 11 Apr 2018 20:02:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QBGkjSEf2EynBGKcx) @toddinpal Sure. I will. @toddinpal Thanks for opening Jira ticket. @aambati Thanks for the clarification.

gouthamkrishna31 (Wed, 11 Apr 2018 20:21:27 GMT):
Has joined the channel.

aambati (Wed, 11 Apr 2018 20:25:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QBGkjSEf2EynBGKcx) @toddinpal :thumbsup:

aambati (Wed, 11 Apr 2018 20:34:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=auX77sbTnjtiXmPMW) @Ashish sorry, there is a typo in the command i asked you to run..: rm fabric-ca-server and fabric-ca-client from ~/go/bin directory and rerun this command: `go get -u -ldflags "-X github.com/hyperledger/fabric-ca/lib/metadata.Version=1.1.0" github.com/hyperledger/fabric-ca/cmd/...`

ws8634 (Thu, 12 Apr 2018 06:40:29 GMT):

Clipboard - April 12, 2018 2:40 PM

ws8634 (Thu, 12 Apr 2018 06:43:15 GMT):
@aambati I run "./fabric-ca-server start -b admin:adminpw" in the ~/go/bin directory, and got same error. So sadly! I tried the command "make fabric-ca-server" in the ~/go/src/github.com/hyperledger/fabric-ca directory. After that, I run "./fabric-ca-server start -b admin:admpinpw" in the ~/go/src/github.com/hyperledger/fabric-ca/bin directory, It's working! I want to know how it works. Thank you again!

ws8634 (Thu, 12 Apr 2018 06:50:12 GMT):
@aambati I run the command " ./fabric-ca-server start -b admin:adminpw" in the ~/go/bin directory , and got same error. I run the command " make fabric-ca-server " in the ~/go/src/github.com/hyperledger/fabric-ca directory. After that, I tried running " ./bin/fabric-ca-server start -b admin:adminpw" in the ~/go/src/github.com/hyperledger/fabric-ca , it's working ! I want to know the reason why it's working! thank you again!

yuseven (Thu, 12 Apr 2018 07:31:35 GMT):
Has joined the channel.

dharuq (Thu, 12 Apr 2018 08:58:43 GMT):
Has joined the channel.

MaximeAubanel (Thu, 12 Apr 2018 10:36:35 GMT):
@ws8634 Because there is a certain path to respect when executing go projects

lclclc (Thu, 12 Apr 2018 11:14:58 GMT):
Has joined the channel.

lclclc (Thu, 12 Apr 2018 11:16:35 GMT):
What exactly the difference between enroll and register? To me, enroll is like "login", so user can act like some role according to the ECert it receives. Register is like writing a new user to the CA database waiting for enrollment. I don't know if my understanding is correct.

nirmal1988 (Thu, 12 Apr 2018 11:33:22 GMT):
i am trying to implement ABAC in Balance-transfer sample. I am registering user with "role" attribute and i have following code in chaincode.
```go
err = cid.AssertAttributeValue(stub, "role", "buyer")
if err != nil {
	return shim.Error(err.Error())
}
```
But i am getting error *sendPeersProposal - Promise is rejected: Error: transaction returned with failure: Attribute 'role' was not found*

aambati (Thu, 12 Apr 2018 11:48:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bdMKweWWQYFfkMJAj) @lclclc register registers an identity with Fabric CA (this is not required if you have configured Fabric CA to use an LDAP as its registry)...enroll gets an identity a key pair (private key and a certificate signed by the CA)...this credential is used (signs the transaction with the private key) when user submits transactions to the fabric

lclclc (Thu, 12 Apr 2018 11:50:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9RaH7Rw8c3vypCiai) @aambati Thanks. I think your answer proves my understanding is not wrong.

aambati (Thu, 12 Apr 2018 11:51:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XEzgmfGksogEuvQ8w) @nirmal1988 first thing to check if the attribute is in the user's enrollment certificate..you can use `openssl x509 -in -text` to view the cert...attributes are in the extensions section

lclclc (Thu, 12 Apr 2018 12:00:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=E4in7sXYe3gRcCXYY) @aambati Does the cert attribute have a type limit?

MonnyClara (Thu, 12 Apr 2018 12:01:09 GMT):
Has left the channel.

nirmal1988 (Thu, 12 Apr 2018 12:18:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=E4in7sXYe3gRcCXYY) @aambati Yes...the attribute is there in the certificate

nirmal1988 (Thu, 12 Apr 2018 12:18:40 GMT):
but i do not get it in chaincode

aambati (Thu, 12 Apr 2018 12:28:02 GMT):
and the name matches case? you could get the raw certificate and print all the extensions to see if the attribute is in there

link2yasar (Thu, 12 Apr 2018 12:38:42 GMT):
Has joined the channel.

davidgsmits (Thu, 12 Apr 2018 13:48:10 GMT):
Has joined the channel.

khalifa (Thu, 12 Apr 2018 14:57:38 GMT):
Hi all, is there any example showing a simple topology with one fabric-ca server and the different requests to enroll and register entities using TLS?

khalifa (Thu, 12 Apr 2018 15:15:08 GMT):

Clipboard - 12 avril 2018 17:15

jerry-zww (Thu, 12 Apr 2018 15:29:41 GMT):
Has joined the channel.

aambati (Thu, 12 Apr 2018 16:43:00 GMT):
@khalifa fabric-ca sample: https://github.com/hyperledger/fabric-samples/tree/release-1.1/fabric-ca

skarim (Thu, 12 Apr 2018 16:45:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7KJMbEud5dAFSmLhm) @khalifa I would also take a look at this doc: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enabling-tls. Your error indicates that on the client side you have not configured certfiles, this is required when using TLS and is used to validate the server's certificate.

yetanotheruser23 (Thu, 12 Apr 2018 19:00:37 GMT):
Hello, I am using the Fabric-CA-Client node sdk to create a Client Admin and User. I am getting the following error. Does anyone know why?
```
Failed to register Error: fabric-ca request register failed with errors [[{"code":0,"message":"Registration of 'user' failed in affiliation validation: : scode: 401, local code: 44, local msg: Caller does not have authority to act on affiliation 'manager.peer0', remote code: 20, remote msg: Authorization failure"}]]
```

yetanotheruser23 (Thu, 12 Apr 2018 19:01:15 GMT):
I had setup the same client users earlier and the same scripts had worked then.

khalifa (Thu, 12 Apr 2018 21:04:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xgsu9f5xCKq6WWZaE) @skarim @aambati @skarim thank you for your answers. I will follow these links

Rajen (Thu, 12 Apr 2018 21:14:00 GMT):
Has joined the channel.

lclclc (Fri, 13 Apr 2018 05:13:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PQamdYt2yyPhGfuX3) @yetanotheruser23 looks like your enrolled user does not have the privilege on this affiliation.

neharprodduturi (Fri, 13 Apr 2018 07:54:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ExcedfdzMPDAnQMkM) @aambati Hi, I have a follow up question regarding reenroll. You said "reenroll command is used to get new certificate, for example, when the current certificate expires", when does the current certificate expire? Does it have an expiration from the time of its generation?

lclclc (Fri, 13 Apr 2018 07:56:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EaZHjtNjzM9WBKc8n) @neharprodduturi there is an expiration time inside fabric ca server configuration.

neharprodduturi (Fri, 13 Apr 2018 08:06:20 GMT):

Clipboard - April 13, 2018 1:06 AM

neharprodduturi (Fri, 13 Apr 2018 08:07:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CYExFQAss9ja4o3YT) @lclclc okay. Is the below one correct?

neharprodduturi (Fri, 13 Apr 2018 08:07:18 GMT):

Clipboard - April 13, 2018 1:07 AM

bel0335 (Fri, 13 Apr 2018 08:39:30 GMT):
Has joined the channel.

neharprodduturi (Fri, 13 Apr 2018 09:01:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CYExFQAss9ja4o3YT) @lclclc Thank you. I found the config file

aambati (Fri, 13 Apr 2018 12:56:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EaZHjtNjzM9WBKc8n) @neharprodduturi Expiration time is in the certificate...you can use openssl to view the cert: `openssl x509 -in -text`

aambati (Fri, 13 Apr 2018 12:56:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=t6E9X4576QLrgozQZ) @neharprodduturi no...that is the expiration time for the CA cert...it would be in the default profile:
```yaml
signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 0
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - client auth
        - key agreement
      expiry: 8760h
```

fTrestour (Fri, 13 Apr 2018 13:04:12 GMT):
Has joined the channel.

sklymenko (Fri, 13 Apr 2018 17:50:49 GMT):
Has joined the channel.

neharprodduturi (Fri, 13 Apr 2018 20:42:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BzSgcGW2Gk8JSosfo) @aambati Thank you!

rupa12 (Fri, 13 Apr 2018 23:25:13 GMT):
Hello, I am using Fabric CA for generating the MSP/TLS certificates for the peers and orderers. I have so far successfully registered/enrolled these identities with the fabric CA server and have also been able to create a channel and make the peers join it as well as install, instantiate, query my chaincode. However, I was not able to register the orderer's certificate through 'admin' (or the bootstrap identity) so I had to create another client named 'admin2' and made my orderer register through admin2. So there are two questions:
* Is it required to get all my peers/orderers registered through the same user like either 'admin' or 'admin2', or does it not matter?
* Is there a way to register my orderer through 'admin'? The error which pops up while I try to register my orderer through admin is `Error: Error response from server was: Identity 'admin' may not register type 'orderer'`

bdu 5 (Sat, 14 Apr 2018 09:58:14 GMT):
Has joined the channel.

mastersingh24 (Sat, 14 Apr 2018 10:31:14 GMT):
@rupa12 - which version are you using? Sounds like v1.0.x ... and in that case the generated/built-in "admin" user does not have authority to register clients with type "orderer". In v1.1, the built-in admin can register users of type "orderer"

Ashish (Sun, 15 Apr 2018 15:44:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jEhzveKE2ParNsii9) @smithbk I am on *Ubuntu 17.10*. But I decided not to use the fabric-ca-server executable in the interest of time. Brought up the docker image of fabric ca. Going to interact with the fabric-ca-client executable which i downloaded alongside the release 1.1. I think it would work. I certainly hope so :)

Ashish (Sun, 15 Apr 2018 15:45:15 GMT):
Will try cloning the repo, if that doesnt work. Thanks @smithbk

aambati (Sun, 15 Apr 2018 18:18:06 GMT):
@Ashish this suggestion: https://chat.hyperledger.org/channel/fabric-ca?msg=cwXBnqCxHDL4c8EdL did not work for you?

Ashish (Mon, 16 Apr 2018 03:49:15 GMT):
@aambati Yes I had tried this also.

SaraEmily (Mon, 16 Apr 2018 09:49:26 GMT):
Has joined the channel.

markthedark (Mon, 16 Apr 2018 11:35:06 GMT):
Has joined the channel.

markthedark (Mon, 16 Apr 2018 11:36:12 GMT):
Hello! I'm trying to update the configtx.yaml configuration of the basic-network sample. I've run the generate.sh script after updating, but my CA image will not run, as it fails with the following error: `Error: Failed to find private key for certificate in '/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem` What else do I need to run and/or update to make it work?

aambati (Mon, 16 Apr 2018 14:20:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8WpaCkgBgrrfhsfvF) @markthedark What did you update in the configtx.yaml? Generally speaking, fabric CA cert will be in the / and key will be in /msp/keystore..but you can specify locations of the cert and key in the config file (fabric-ca-server-config.yaml) that is located in the ...check this section in the config file:
```yaml
ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:
```
also, check all the env variables that start with FABRIC_CA_SERVER that are used to set some config properties

aambati (Mon, 16 Apr 2018 14:27:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zrWZqvPrhKnxMFfKb) @Ashish that is strange ...i would like to understand why that is the case...this is what I did on my mac using go 1.9:
```
export GOPATH=/tmp/fabric
go get -u -ldflags "-X github.com/hyperledger/fabric-ca/lib/metadata.Version=1.1.0" github.com/hyperledger/fabric-ca/cmd/...
cd /tmp/fabric
bin/fabric-ca-server start -b admin:admin
```

khalifa (Mon, 16 Apr 2018 16:45:03 GMT):
Hi all, I am trying to understand the fabric-ca sample. That is why I am trying to reproduce the different certificates without using the proposed scripts. What I understood until now: we have firstly to start the rca-orgi, ica-orgi and the setup containers. Then, we have to register all the peers, orderers and the admin-users. Next, for each organisation, we have to enroll the admin of the organisation; at this step, we will be ready to prepare the msp directory for each organisation.
==> Here, I have a question: I could not understand how to create the tls certificates for the different clients. Do we need to enroll the same user twice, once for the ECert and another time for the TLS certificate?
Next, we have to generate the genesis block, the channel.tx and the anchors.tx. At this step, we will be ready to launch our peers. For each peer, we have then to enroll it in order to get its certificate and then create the channel, join peer, etc. I wanted to share this conclusion to validate/comment/update it. Thank you in advance for your response. Best Regards,

skarim (Mon, 16 Apr 2018 16:59:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zZKEY7298YMy5rGib) @khalifa Yes you will have to use an existing identity on Fabric CA to generate a TLS certificate. You will use the enroll command, but this time you want to use the 'tls' profile in the command and this will put the appropriate key usages in the certificate. so the command might look like:
```
export FABRIC_CA_CLIENT_HOME=/tmp/clientTLS
fabric-ca-client enroll -u http://:@serverAddr:serverPort --enrollment.profile tls
```
It is important to change the home directory of the fabric ca client before generating the tls certificate to prevent your ecert from getting overwritten.

mat0pad (Mon, 16 Apr 2018 18:06:35 GMT):
Has joined the channel.

treesong (Tue, 17 Apr 2018 04:46:43 GMT):
Has joined the channel.

rice (Tue, 17 Apr 2018 07:44:44 GMT):
Has joined the channel.

Clod16 (Tue, 17 Apr 2018 09:47:53 GMT):
Has joined the channel.

Ammu (Tue, 17 Apr 2018 10:25:29 GMT):
if hackers taking information illegally from bank(AXIS bank), if the project into fabrics. if the data is taken from 1 peer how the owner of the bank get notification that our bank information has been stolen? in blockchain/fabrics

kpkrish (Tue, 17 Apr 2018 11:45:48 GMT):
Has joined the channel.

SaraEmily (Tue, 17 Apr 2018 12:13:08 GMT):
Hi everyone! I have installed and started (using docker on windows) a fabric-ca server. I want to modify the simple byfn-scripts to use this server, what do I need to change in the yaml-files? Or where can I find information on what to change? Thanks!

aambati (Tue, 17 Apr 2018 13:52:13 GMT):
@SaraEmily better you look at https://github.com/hyperledger/fabric-samples/tree/release-1.1/fabric-ca...byfn uses cryptogen to generate needed key-pairs to bootstrap the network

SaraEmily (Tue, 17 Apr 2018 13:57:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=soQrNx2oGAss5pRae) @aambati Okay, thank you! So if I only want to build a simple chain on one machine for testing, it is sufficient to use cryptogen over fabric-ca?

aambati (Tue, 17 Apr 2018 14:00:31 GMT):
cryptogen is a tool that allows you to quickly generate crypto material (key pairs for peers, orderers, admins)...most of the samples use this tool...but realistically, one would use a CA (like Fabric CA) to issue credentials (key pair) for all the identities participating in the network (that includes peers, orderers, admin, users, clients)...Fabric-ca sample demonstrates how to use fabric-ca instead of cryptogen

SaraEmily (Tue, 17 Apr 2018 14:01:45 GMT):
Okay, great, thanks for the explanation!

MortezaieMohsen (Tue, 17 Apr 2018 14:50:08 GMT):
Has joined the channel.

MortezaieMohsen (Tue, 17 Apr 2018 14:50:52 GMT):
Hi , how can i bootstraping a network with multiple channel MSP?

smithbk (Tue, 17 Apr 2018 17:22:28 GMT):
@SaraEmily See https://github.com/hyperledger/fabric-samples/tree/release-1.1/fabric-ca ... it is basically the byfn sample but using fabric-ca ... with a couple of other things added

kkermanizadeh (Tue, 17 Apr 2018 21:03:27 GMT):
Has joined the channel.

rupa12 (Tue, 17 Apr 2018 21:37:27 GMT):
@mastersingh24 Thank you for your reply, yes I am using v1.0.6. I was facing some issues with v1.1.0 so moved back to v1.0.6. I will try to figure out a way around the issue I am facing with v1.1.0; until then I will be using v1.0.6. So, is it fine to get the peers/orderers registered through different clients (say for example 'admin' registers/enrolls all my peers and a client named 'admin2' registers/enrolls my orderers)?

walmon (Wed, 18 Apr 2018 01:04:43 GMT):
Has joined the channel.

YorkYu (Wed, 18 Apr 2018 04:22:48 GMT):
Has joined the channel.

MaximeAubanel (Wed, 18 Apr 2018 07:41:38 GMT):
Can someone help me with this?
```
Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: Failed getting key for SKI [[35 70 194 204 137 164 207 177 23 110 199 220 43 220 105 216 206 255 220 82 173 113 95 247 98 60 89 148 128 36 73 145]]: Key with SKI 2346c2cc89a4cfb1176ec7dc2bdc69d8ceffdc52ad715ff7623c599480244991 not found in /etc/hyperledger/fabric-ca-server/msp/keystore
```
Thanks in advance for the help :)

Kamal_Kishor_Mehra (Wed, 18 Apr 2018 08:19:41 GMT):
Has joined the channel.

Kamal_Kishor_Mehra (Wed, 18 Apr 2018 08:36:39 GMT):
@MaximeAubanel Whenever you are creating new CA certificates for organization it is not updating in #fabric-ca-server path (*FABRIC_CA_SERVER_CA_KEYFILE not matched*). `./crypto-config/peerOrganizations/org1.example.com/ca/*_sk file not match or found on path /etc/hyperledger/fabric-ca-server/msp/keystore`

Kamal_Kishor_Mehra (Wed, 18 Apr 2018 08:37:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=X2N2BmSABWsmMh7YT) Update FABRIC_CA_SERVER_CA_KEYFILE in #fabric-ca fabric-ca-server

MaximeAubanel (Wed, 18 Apr 2018 08:43:08 GMT):
@Kamal_Kishor_Mehra Thanks for your answer but I don't get what you are trying to tell me by "Update FABRIC_CA_SERVER_CA_KEYFILE in #fabric-ca fabric-ca-server"

Ammu (Wed, 18 Apr 2018 08:59:40 GMT):
token concept possible in fabrics?

pjjp (Wed, 18 Apr 2018 12:43:53 GMT):
Has joined the channel.

aambati (Wed, 18 Apr 2018 14:08:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=X2N2BmSABWsmMh7YT) @MaximeAubanel can you post the tls section of the server config...basically the error is saying that the server could not find the matching key of its tls certificate..please make sure the cert and keyfile specified in the tls section of the server config exist and are accessible to the server

aambati (Wed, 18 Apr 2018 14:10:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LqYc29dp9AXWzfbGp) @rupa12 recommended version is 1.1...yes, you can use different clients to register and enroll peers/orderers

aambati (Wed, 18 Apr 2018 14:10:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MFmaSH2YegCofiAyE) @Ammu Can you please elaborate what you mean by "token concept"?

MaximeAubanel (Wed, 18 Apr 2018 15:31:48 GMT):
@aambati ```tls: # Enable TLS (default: false) enabled: true # TLS for the server's listening port certfile: /etc/hyperledger/fabric-ca-server-config/tls/tlsca.org1.hf.chainhero.io-cert.pem keyfile: /etc/hyperledger/fabric-ca-server-config/tls/2346c2cc89a4cfb1176ec7dc2bdc69d8ceffdc52ad715ff7623c599480244991_sk clientauth: type: RequireAndVerifyClientCert certfiles: ``` And I'm sure that they are here

MaximeAubanel (Wed, 18 Apr 2018 15:31:48 GMT):
@aambati ```tls: # Enable TLS (default: false) enabled: true # TLS for the server's listening port certfile: /etc/hyperledger/fabric-ca-server-config/tls/tlsca.org1.hf.mychain.io-cert.pem keyfile: /etc/hyperledger/fabric-ca-server-config/tls/2346c2cc89a4cfb1176ec7dc2bdc69d8ceffdc52ad715ff7623c599480244991_sk clientauth: type: RequireAndVerifyClientCert certfiles: ``` And I'm sure that they are here

MaximeAubanel (Wed, 18 Apr 2018 15:35:01 GMT):
But the error message is talking about the keystore :/ Should I put something in the keystore ?

MaximeAubanel (Wed, 18 Apr 2018 15:35:01 GMT):
But the error message is talking about the keystore :/ Should I put something in the keystore folder ?

MaximeAubanel (Wed, 18 Apr 2018 15:35:54 GMT):
All I see in my keystore folder is my CA private key

aambati (Wed, 18 Apr 2018 19:32:01 GMT):
@MaximeAubanel If the key specified by the keyfile property is not accessible or not valid, it will look for the key corresponding to the tls cert in the keystore. Can you send me the log file with debug (-d option)? Can you make sure the SKI of the certificate at `/etc/hyperledger/fabric-ca-server-config/tls/tlsca.org1.hf.mychain.io-cert.pem` matches the SKI in the error message? I am wondering how you generated the tls cert and key pair.

Titret (Thu, 19 Apr 2018 00:48:56 GMT):
Has joined the channel.

khalifa (Thu, 19 Apr 2018 06:24:06 GMT):
Hi all, I tried to recreate the fabric-ca sample with only one rca.

khalifa (Thu, 19 Apr 2018 06:24:31 GMT):
I got this error when I am generating the channel.tx

khalifa (Thu, 19 Apr 2018 06:25:15 GMT):

Clipboard - 19 April 2018 08:25

khalifa (Thu, 19 Apr 2018 06:26:01 GMT):
Do you have any idea how to debug this problem?

khalifa (Thu, 19 Apr 2018 06:26:04 GMT):
thanks in advance

MaximeAubanel (Thu, 19 Apr 2018 07:11:57 GMT):
@aambati with cryptogen

MaximeAubanel (Thu, 19 Apr 2018 07:21:01 GMT):
docker logd @rocket.cat

rocket.cat (Thu, 19 Apr 2018 07:21:02 GMT):
Has joined the channel.

MaximeAubanel (Thu, 19 Apr 2018 07:34:37 GMT):
@aambati I made it work.

darrell.odonnell (Thu, 19 Apr 2018 15:35:11 GMT):
Has left the channel.

aambati (Fri, 20 Apr 2018 04:16:07 GMT):
@khalifa can you tell the exact steps of what you did? The error is saying that the SKI is not present in the extensions section of the CA cert...you can use openssl to see the CA cert

wtrmogi (Fri, 20 Apr 2018 07:18:25 GMT):
Has joined the channel.

panzheng (Sat, 21 Apr 2018 09:25:10 GMT):
Has joined the channel.

Ashish (Sat, 21 Apr 2018 13:01:24 GMT):
@aambati a small question. In the post you explained about crypto, you mentioned about types of entities interacting with fabric I believe. [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SFjPSHgcHvwdubQb7) . Peer, Orderer - these two need no explanation. admin - is this the bootstrap admin user which we need for fabric ca? users - are these users who are created per organisation,

Ashish (Sat, 21 Apr 2018 13:01:24 GMT):
@aambati a small question. In the post you explained about crypto, you mentioned about types of entities interacting with fabric I believe. [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SFjPSHgcHvwdubQb7) . Peer, Orderer - these two need no explanation. (Q1) admin - is this the bootstrap admin user which we need for fabric ca? (Q2) users - are these users who are created per organisation ( of which one of the user is Admin@Organization )? (Q3) what is client type? How does it differ from the users of Q2?

Ashish (Sat, 21 Apr 2018 13:01:24 GMT):
@aambati a small question. In the post you explained about crypto, you mentioned about types of entities who need to interact with fabric I believe. [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SFjPSHgcHvwdubQb7) . Peer, Orderer - these two need no explanation. (Q1) admin - is this the bootstrap admin user which we need for fabric ca? (Q2) users - are these users who are created per organisation ( of which one of the user is Admin@Organization )? (Q3) what is client type? How does it differ from the users of Q2?

Ashish (Sat, 21 Apr 2018 13:01:24 GMT):
@aambati a small question. In the post you explained about crypto, you mentioned types of entities who need to interact with fabric I believe. [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SFjPSHgcHvwdubQb7) . Peer, Orderer - these two need no explanation. (Q1) admin - is this the bootstrap admin user which we need for fabric ca? (Q2) users - are these users who are created per organisation ( of which one of the users is Admin@Organization )? (Q3) what is client type? How does it differ from the users of Q2? There are different types of admins...1. channel admins (users whose certs are in the admin section of participating orgs' msp section in the channel configuration). 2. peer admins - users whose certs are in the peer msp...these are the people who can administer a peer, like installing chaincode. 3. CA bootstrap admin - this is the initial user of the fabric CA server...users of a blockchain are those who have a valid certificate issued by a CA of any participating org...there is no difference between identity type client and user as far as fabric is concerned...but, your application could make access control decisions based on identity type

titasp (Mon, 23 Apr 2018 06:48:46 GMT):
Has joined the channel.

Exci (Mon, 23 Apr 2018 10:34:38 GMT):
Hi. If I understand correctly there is no support on the node fabric-ca-client to work with rsa certificates instead of ecdsa? I'm reading "Currently ECDSA * is supported and the valid key sizes are 256 and 384" within the library, while on the official fabric ca documentation it's written "keys that support both RSA and Elliptic Curve (ECDSA)."

hrt031293 (Mon, 23 Apr 2018 11:43:01 GMT):
Has joined the channel.

Ammu (Mon, 23 Apr 2018 12:28:38 GMT):
what is the use of fabric-ca?

aambati (Mon, 23 Apr 2018 14:13:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6rPJ6x5WgPhABbG7W) @Ashish There are different types of admins...1. channel admins (users whose certs are in the admin section of participating orgs' msp section in the channel configuration). 2. peer admins - users whose certs are in the peer msp...these are the people who can administer a peer, like installing chaincode. 3. CA bootstrap admin - this is the initial user of the fabric CA server...users of a blockchain are those who have a valid certificate issued by a CA of any participating org...there is no difference between identity type client and user as far as fabric is concerned...but, your application could make access control decisions based on identity type

aambati (Mon, 23 Apr 2018 14:18:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=A72gnjtKLWonKd9Hv) @Exci yes, RSA is not supported by Fabric....I think the CA supports both key types (for the most part); while reviewing code, I did come across code that suggests that the fabric ca client does not support creating oauth tokens based on an RSA cert/key

Exci (Mon, 23 Apr 2018 14:20:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WBneXWNfA6hCn2HCP) @aambati I see, thank you!

aambati (Mon, 23 Apr 2018 14:20:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=j9mZNQL5xTakmneM4) @Ammu Fabric CA is a certificate authority, it issues certificates to users. Any user who needs to transact on the hyperledger fabric needs a valid cert...typically, each organization participating in the network has a CA

DrTES (Mon, 23 Apr 2018 15:14:56 GMT):
Has joined the channel.

Asara (Mon, 23 Apr 2018 18:57:39 GMT):
Hey all, I followed the Install guide for fabric-ca (http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#prerequisites), and for some reason every time I try to use the fabric-ca-server, I get thrown this error: `panic: Version is not set for fabric-ca library`

Asara (Mon, 23 Apr 2018 18:57:48 GMT):
Just wondering what the best way to proceed here is.

Asara (Mon, 23 Apr 2018 19:37:28 GMT):
Ah... scrolling up in this chat and I saw: `go get -u -ldflags "-X github.com/hyperledger/fabric-ca/lib/metadata.Version=1.1.0" github.com/hyperledger/fabric-ca/cmd/...` which works.

Asara (Mon, 23 Apr 2018 19:37:41 GMT):
Any reason this isn't documented somewhere?

aambati (Mon, 23 Apr 2018 21:07:48 GMT):
@Asara we will add it to the doc

jhodges (Tue, 24 Apr 2018 03:23:52 GMT):
Has joined the channel.

Ammu (Tue, 24 Apr 2018 03:45:45 GMT):
@aambati is there any command to implement fabric ca?

hosemose (Tue, 24 Apr 2018 04:57:59 GMT):
Has joined the channel.

nirmal1988 (Tue, 24 Apr 2018 07:27:00 GMT):
My CA Log has No key found in BCCSP keystore, attempting fallback

nirmal1988 (Tue, 24 Apr 2018 07:27:06 GMT):
what does it mean??

nirmal1988 (Tue, 24 Apr 2018 12:18:52 GMT):
Anyone has implemented ABAC functionality using fabric node js sdk?? or any sample??

aambati (Tue, 24 Apr 2018 13:34:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qAkmYuMn4m9t4YGbt) @nirmal1988 What it means is that BCCSP tried to find a key in its keystore but did not find it. So, the CA will try to load the key from the file specified by the ca.keyfile config property

aambati (Tue, 24 Apr 2018 13:39:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Bz8EXaA2vW6aqYHNZ) @Ammu if you have not already, pls refer to http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html...there are two commands, fabric-ca-server and fabric-ca-client. Each of these commands has subcommands and has online help as well.. If you have specific questions, you can ask in this channel

anillewis (Tue, 24 Apr 2018 17:57:11 GMT):
Hi, I was trying to generate the certificates for the network using an intermediate ca (with fabric CA). If I enable TLS on the root ca and the intermediate ca, the intermediate ca (ICA) starts up with no issue but when I try to enroll the ica bootstrap user, using fabric-ca-client enroll -d -u https://ica-org0-admin:ica-org0-adminpw@ica-org0:7054 -c /etc/hyperledger/fabric-ca-client/ica-org0-admin/config.yaml, I get an error - certificate is valid for rca-org0-admin, not ica-org0-admin. This I was trying with fabric 1.0.5 but the same scripts when I try with fabric 1.1..everything works....was https with intermediate ca implemented in fabric 1.1 or am I doing something wrong with fabric 1.0.5?

rcheuk (Tue, 24 Apr 2018 20:04:27 GMT):
Has joined the channel.

vick (Wed, 25 Apr 2018 11:14:36 GMT):
Has joined the channel.

lclclc (Wed, 25 Apr 2018 11:20:20 GMT):
I have dug into the fabric-ca document and examples. I can understand that a ca server can manage several organizations/affiliations. But in the real world, different organizations in a channel are distinguished by their MSPs. I don't really understand the secret inside the ca-server. How is an organization inside the fabric-ca-server-config.yaml mapped to an MSP? Can a ca-server issue and manage the crypto materials for different MSPs (and thus organizations), or do I need a different ca-server for each MSP?

lclclc (Wed, 25 Apr 2018 11:20:20 GMT):
I have dug into the fabric-ca document and examples. I can understand that a ca server can manage several organizations/affiliations. But in the real world, different organizations in a channel are distinguished by their MSPs. I don't really understand the secret inside the ca-server. How is an organization inside the fabric-ca-server-config.yaml mapped to an MSP? Can a ca-server issue and manage the crypto materials for different MSPs (and thus organizations), or must I deploy a different ca-server for each MSP as the tutorial shows?

lclclc (Wed, 25 Apr 2018 11:20:42 GMT):
@aambati would you mind answering my stupid question?

vloup (Wed, 25 Apr 2018 13:06:09 GMT):
Has joined the channel.

cuslenghi (Wed, 25 Apr 2018 13:28:15 GMT):
Has joined the channel.

mrkiouak (Wed, 25 Apr 2018 13:29:40 GMT):
Has left the channel.

michielmulders (Wed, 25 Apr 2018 13:48:35 GMT):
Has joined the channel.

bourbonkidQ (Wed, 25 Apr 2018 15:25:23 GMT):
How to define an intermediate CA in cryptogen (crypto-config.yaml) ?

vick (Wed, 25 Apr 2018 15:28:59 GMT):
hi, is there anyone who can describe these two points more clearly? I don't understand what they're trying to say: "The registrar (i.e. the invoker) must have the “hf.Registrar.Roles” attribute with a comma-separated list of values where one of the values equals the type of identity being registered; for example, if the registrar has the “hf.Registrar.Roles” attribute with a value of “peer,app,user”, the registrar can register identities of type peer, app, and user, but not orderer. The affiliation of the registrar must be equal to or a prefix of the affiliation of the identity being registered. For example, a registrar with an affiliation of “a.b” may register an identity with an affiliation of “a.b.c” but may not register an identity with an affiliation of “a.c”. If root affiliation is required for an identity, then the affiliation request should be a dot (”.”) and the registrar must also have root affiliation. If no affiliation is specified in the registration request, the identity being registered will be given the affiliation of the registrar."

aambati (Wed, 25 Apr 2018 16:34:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=E4AkKbe4nPKsTqrYr) @lclclc Typically, there is a separate Fabric CA for an organization...The default affiliations in the server configuration are a little confusing because they use org1 and org2...we will remove them from the template in the near future..

aambati (Wed, 25 Apr 2018 16:34:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=E4AkKbe4nPKsTqrYr) @lclclc Typically, there is a separate Fabric CA for an organization...The default affiliations in the server configuration are a little confusing because they use org1 and org2 (which implies one Fabric CA server for organization1 and organization2, which is not the case)...Affiliation names can be anything, like: dept1, dept1.unit1, dept2...we will remove the default affiliations (org1, org2) from the template in the near future to avoid this confusion

skarim (Wed, 25 Apr 2018 16:35:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YCTFTor9eJwi2a64o) @vick Each identity has a type and affiliation associated with it. A registrar, someone that has the ability to register other identities, has limitations on what properties it can give other identities. For instance, if a registrar is only allowed to register types peer and app, then any identity the registrar registers must be either peer or app. The same sorts of checks apply to affiliation: the registrar has an affiliation and thus any identity it registers must belong to the same affiliation hierarchy. A registrar with an affiliation of “a.b” may register an identity with an affiliation of “a.b.c” but may not register an identity with an affiliation of “a.c”

aambati (Wed, 25 Apr 2018 16:39:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WMkhkxFAmWvg4jhmu) @bourbonkidQ afaik, cryptogen does not support intermediate CA

varinder (Wed, 25 Apr 2018 18:26:56 GMT):
Has joined the channel.

Levilk (Wed, 25 Apr 2018 20:23:54 GMT):
hi folks! Can anyone tell me if there is a way to integrate external identity services into fabric?

lclclc (Thu, 26 Apr 2018 02:16:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DPnswwXWje2TjfgLk) @aambati I checked several examples in the official document. The typical architecture I saw is: one root ca server, some intermediate ca servers, one ca server per organization. Since all org-ca-servers are derived from one root ca server, I suppose all orgs can use one root-ca server directly. What is the disadvantage of one ca server globally?

naveen_saravanan (Thu, 26 Apr 2018 03:07:23 GMT):
Hi everyone. Does anyone know how encrypting the blockchain data using a public key while storing it and decrypting the blockchain data using a private key while retrieving it can be done? If anyone knows about this, please give me some pointers on it.

naveen_saravanan (Thu, 26 Apr 2018 03:07:23 GMT):
Hi everyone. Does anyone know how encrypting the blockchain data using a public key while storing it and decrypting the blockchain data using a private key while retrieving it can be done in the chaincode? If anyone knows about this, please give me some pointers on it.

naveen_saravanan (Thu, 26 Apr 2018 03:07:23 GMT):
Hi everyone. Does anyone know how encrypting the blockchain data using a public key while storing it and decrypting the blockchain data using a private key while retrieving it can be done in the chaincode? If anyone knows about this, please give me some pointers on it, and thanks in advance.

lclclc (Thu, 26 Apr 2018 03:21:42 GMT):
Actually fabric 1.1 has some encc feature released. You can check this https://github.com/hyperledger/fabric/tree/release-1.1/examples/chaincode/go/enccc_example

lclclc (Thu, 26 Apr 2018 03:21:48 GMT):
@naveen_saravanan

anthonyk (Thu, 26 Apr 2018 05:52:21 GMT):
Has joined the channel.

ondar07 (Thu, 26 Apr 2018 06:05:30 GMT):
@lclclc Could you answer my question please? Following the fabcar sample tutorial (Writing Your First Application) I've registered and enrolled the 'user1' user with the admin ecert. So the keys and eCert of 'user1' were saved in the 'hfc-key-store' subdirectory. Using the 'user1' identity material I read data from the ledger using the query.js script. After that, I want to launch the network again, so I kill all docker containers and clear docker images, networks and volumes. But the identity materials ('hfc-key-store') were not destroyed. After relaunching the network I try to query ledger data with the previous 'user1' identity material, and it works fine. I can't understand why the old 'user1' ecert is still valid after restarting the network. What fabric component should check if the ecert is enrolled by fabric-ca? After relaunching I don't enroll admin for fabric-ca, so 'user1' is also not registered.

lclclc (Thu, 26 Apr 2018 06:38:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Cd8jALPpqDvvYtg9Q) @ondar07 Haven't met this situation. But if the fabric-ca generates the same root cert every time, the legacy cert will still be valid because it is still in the cert chain.

lclclc (Thu, 26 Apr 2018 06:39:33 GMT):
That is the only explanation I can imagine, but it is not likely to happen in the real world.

ondar07 (Thu, 26 Apr 2018 07:12:02 GMT):
@lclclc Yes, you are right! Basic network config used pre-generated certificates and key material. I regenerate certificates and key material in basic network config. Now access with previous 'user1' identity material is denied. Thanks!

ondar07 (Thu, 26 Apr 2018 07:12:02 GMT):
@lclclc Yes, you are right! Basic network config used pre-generated certificates and key material. I regenerated certificates and key material in basic network config. Now access with previous 'user1' identity material is denied. Thanks!

lclclc (Thu, 26 Apr 2018 07:12:58 GMT):
You are welcome.

umtyzc (Thu, 26 Apr 2018 08:13:07 GMT):
Has joined the channel.

soladnet (Thu, 26 Apr 2018 10:05:23 GMT):
Has joined the channel.

NeerajKumar (Thu, 26 Apr 2018 11:03:03 GMT):
please tell me how to alter the 'affiliation table' for fabric ca by setting environment variable in 'docker-compose file' itself

SmartContract2018 (Thu, 26 Apr 2018 15:41:22 GMT):
I am working on a fabric based design that can potentially have 1000's of private transactions (as many chaincodes). From data privacy perspective, I am looking to have the optimum design. I can have individual channels for each private communication thus ensuring that only relevant transactions are stored physically on any node. However it means creating 1000s of individual channels. It poses operations/maintenance challenges and network stability. What about CA? Any feedback would be appreciated.

aambati (Thu, 26 Apr 2018 16:05:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nNKxciMcPYzxRhYEA) @lclclc The typical topology is one root CA (which is usually not up once it has issued certs for the intermediate CAs), and one or more intermediate CAs per organization. You could have one root CA for all orgs. The only disadvantage is that if the root CA is compromised then it affects all organizations, as opposed to one org if there were a separate root CA for each org

aambati (Thu, 26 Apr 2018 16:06:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zkgvcwQ7XhpNETNDJ) @NeerajKumar why do you want to alter affiliations table? do you mean, you want to add/remove affiliations?

shiyj (Thu, 26 Apr 2018 16:28:17 GMT):
Has joined the channel.

aambati (Thu, 26 Apr 2018 17:32:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=J5XQheQS3hcpYSy9S) @SmartContract2018 New features that address data privacy are in the works (like ownable state, local collections, idemix credential support)...As you said, one way is to create channels. CAs are per organization, so there is no implication on the CA whether you have one channel or 1000 channels

vieiramanoel (Thu, 26 Apr 2018 17:35:18 GMT):
@smithbk I've updated the ca version to 1.1.0; when I enable tls but I don't provide the certs, it generates the tls cert, but not the key pair :(

vieiramanoel (Thu, 26 Apr 2018 17:35:27 GMT):
can you help me with this again?

vieiramanoel (Thu, 26 Apr 2018 17:35:53 GMT):
```[DEBUG] TLS enabled but no certificate or key provided, automatically generate TLS credentials [DEBUG] TLS CSR: {CN:ca.ministerio.saude.gov.br Names:[{C:BR ST:Distrito Federal L:Brasilia O:ministerio OU: SerialNumber:}] Hosts:[ca.ministerio.saude.gov.br localhost] KeyRequest: CA: SerialNumber:} DEBUG] TLS Certificate: /etc/hyperledger/fabric-ca-server/tls-cert.pem, TLS Key:```

aambati (Thu, 26 Apr 2018 17:52:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gQcApAyKkhMH4z8y8) @vieiramanoel key will be in the keystore (msp/keystore directory)... Are you seeing an error because of this ?

vieiramanoel (Thu, 26 Apr 2018 18:13:38 GMT):
@aambati well, until now I've done the procedure that you recommended (I don't know if you remember this issue, but hyperledger-composer doesn't work with the autogenerated certs), so I put the ca up with tls disabled, generate the tls certfiles, then restart the ca with the new tls files generated by me

vieiramanoel (Thu, 26 Apr 2018 18:14:10 GMT):
everything goes well, and then I can use the root ca in hyperledger-composer to make my operations

vieiramanoel (Thu, 26 Apr 2018 18:15:14 GMT):
well, the issue appears when I try to use the auto-generated tls ca certfiles

vieiramanoel (Thu, 26 Apr 2018 18:17:46 GMT):
`Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed. `

SmartContract2018 (Thu, 26 Apr 2018 19:05:34 GMT):
Aggarwal_!$&!

SmartContract2018 (Thu, 26 Apr 2018 19:07:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5Yiqa8fQw2xKLTAcE) @aambati Thanks for your response and the clarification about CA. I understand about the data privacy features in works and that would be very helpful indeed. In the interim, do you have any insight on how best to approach the solution using 1.1?

aambati (Thu, 26 Apr 2018 20:40:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bhnFsH5ktBx4A4Ss6) @vieiramanoel i remember...i am confused, so is the issue that you let the server auto generate tls certs? Btw, your statement " try to use the auto-generated tls ca certfiles" is wrong... it is NOT auto generating a tls ca certfile, it is generating a tls cert and key pair

vieiramanoel (Thu, 26 Apr 2018 20:41:20 GMT):
yes, sorry.

vieiramanoel (Thu, 26 Apr 2018 20:42:15 GMT):
somehow, if I issue a tls certificate pair, and restart server setting this pair as CA tls certs it works

vieiramanoel (Thu, 26 Apr 2018 20:43:16 GMT):
The only difference between them is the CN, the ca generated certs have the docker id as CN, but I've set csr.hosts to 'ca.orgdomain' and it still doesn't work

vieiramanoel (Thu, 26 Apr 2018 20:47:19 GMT):
my guess is that when I enroll my own tls cert file, I use this signing options:

vieiramanoel (Thu, 26 Apr 2018 20:47:24 GMT):
```
- signing
- key encipherment
- key agreement
- cert sign
- crl sign
- any
```

vieiramanoel (Thu, 26 Apr 2018 20:47:48 GMT):
only this particular configuration works with composer

Ryan2 (Fri, 27 Apr 2018 02:22:06 GMT):
hi, quick question, in the document (`http://hyperledger-fabric.readthedocs.io/en/release-1.1/peers/peers.html#multiple-ledgers`) it is stated that `P3 could be hosted in Org1’s data center, but as long as the digital certificate associated with it is issued by CA2, then it’s owned by Org2.` How do I check which Org a peer is owned by and which CA the peer certificate is associated with? thanks

lclclc (Fri, 27 Apr 2018 02:36:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hbR6YBKb8SrzrNJK4) @aambati I see, that makes sense. Like not putting all your eggs in one basket.

naveen_saravanan (Fri, 27 Apr 2018 09:31:11 GMT):
Can the hyperledger-fabric's couchdb be mounted on a S3 bucket?

bourbonkidQ (Fri, 27 Apr 2018 13:06:41 GMT):
Hi, How can I stop the command fabric-ca-server inside a container ?

bourbonkidQ (Fri, 27 Apr 2018 13:06:41 GMT):
Hi, How can I stop the command fabric-ca-server start inside a container ?

aambati (Fri, 27 Apr 2018 14:51:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=M4dbE3vX2QMRZXNGk) @bourbonkidQ there is no stop command as such...you can just stop the process

aambati (Fri, 27 Apr 2018 14:52:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BAtMdEMwjDrdNMMyE) @naveen_saravanan pls ask this question in fabric-ledger channel

bourbonkidQ (Fri, 27 Apr 2018 14:52:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=M4dbE3vX2QMRZXNGk) is it going to be possible on the next version of hyperledger?

aambati (Fri, 27 Apr 2018 14:53:27 GMT):
yes, we have that in the plan...the latest version of go supports quiescing of servers

MaximeAubanel (Fri, 27 Apr 2018 14:57:52 GMT):
Does someone know how I can retrieve a user's affiliation within the chaincode? I can get its attributes but not its affiliation.

chainsaw (Fri, 27 Apr 2018 15:50:17 GMT):
Has joined the channel.

kostas (Fri, 27 Apr 2018 21:58:31 GMT):
Has left the channel.

NeerajKumar (Sat, 28 Apr 2018 09:55:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NsWtgEdxsw5gBtn9J) i want to change the affiliation table as it has org1.department1 and org2.department by default and is not allowing me to register any user in an org that has an altered name in services, like "myOrg1". With that being said, i am not able to register any user to myOrg1.department1 and i have tried altering this affiliation table from the docker-compose file (as i am using fabric-ca docker images) by changing the docker-compose file environment variable, but it seems not to take any value from the environment variable, and hence every time i spin up my docker container for the fabric ca i have to manually go into the fabric-ca container and then alter this affiliation setting in the fabric-ca-server-conf.yaml file.... please tell me how to pre-specify this in the conf file.

NeerajKumar (Sat, 28 Apr 2018 09:55:38 GMT):
@aambati

karthikeyans90 (Sat, 28 Apr 2018 19:30:03 GMT):
Has joined the channel.

naveen_saravanan (Sun, 29 Apr 2018 03:46:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vwtS5sFp33sJPHskw) @aambati Thanks for your reply and I will try to post it there.

naveen_saravanan (Sun, 29 Apr 2018 03:46:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vwtS5sFp33sJPHskw) @aambati Thanks for your reply and I will post it there.

rupa12 (Mon, 30 Apr 2018 03:45:16 GMT):
@aambati thank you for that clarification

naveen_saravanan (Mon, 30 Apr 2018 06:19:24 GMT):
Hi everyone. Where is the data stored normally in a cluster environment?

gravity (Mon, 30 Apr 2018 07:39:37 GMT):
Has joined the channel.

gravity (Mon, 30 Apr 2018 07:40:43 GMT):
Hello, could someone help me with how to set up a basic Fabric network which is connected to the Fabric CA for issuing and verifying crypto materials? Thanks in advance!

jtclark (Mon, 30 Apr 2018 12:40:57 GMT):
GM all. @skarim - Can you review the following gerrit patches? @smithbk has asked you to review these, and we're trying to close out on them both ASAP. thanks!

jtclark (Mon, 30 Apr 2018 12:41:09 GMT):
https://gerrit.hyperledger.org/r/#/c/20695/

jtclark (Mon, 30 Apr 2018 12:41:17 GMT):
https://gerrit.hyperledger.org/r/#/c/20681/

aambati (Mon, 30 Apr 2018 13:47:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rKvcP63SJFdvYqrzY) @naveen_saravanan cluster members share the same database. So, if there are 3 cluster members, and each server has 2 CAs (ca1, ca2), then ca1 on each server uses the same database and should have the same configuration (config file, ca cert and key pair), and the same for ca2

aambati (Mon, 30 Apr 2018 13:48:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=A5NSB2ipawgeFygS9) @gravity pls see https://github.com/hyperledger/fabric-samples/tree/release-1.1/fabric-ca this is a sample that uses Fabric CA to generate required certs/keys for setting up a Fabric network

skarim (Mon, 30 Apr 2018 14:20:16 GMT):
@jtclark Please see comment in https://gerrit.hyperledger.org/r/#/c/20681/

jtclark (Mon, 30 Apr 2018 16:31:58 GMT):
@skarim replied.

jtclark (Mon, 30 Apr 2018 16:34:00 GMT):
@skarim we realized this some time ago, but the tool does not have a way to filter out these false positives. So, we decided to run a weekly, non-voting job just to ensure that the fabric-ca devs are aware of what the scan tool is "catching".

skarim (Mon, 30 Apr 2018 16:39:08 GMT):
@jtclark ok, so we will be notified of these results weekly and we just check to see that any new queries that might get added are false positives?

jtclark (Mon, 30 Apr 2018 17:23:54 GMT):
@skarim yes, we do have an email that gets sent once the weekly job completes.

Aswath8687 (Tue, 01 May 2018 03:03:25 GMT):
Has joined the channel.

blackgeneral (Tue, 01 May 2018 04:37:38 GMT):
Hi, how can I start a docker container whose status was changed to 'exit(0)'?

Levilk (Tue, 01 May 2018 11:16:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3AJs7E9JxAZZMDzhY) @blackgeneral Remove the exited container with `docker rm -f "docker's id or name"`, then restart it. You should check the container's log via `docker logs "docker's id or name"` to see what the cause of the exit was.

smithbk (Tue, 01 May 2018 13:05:08 GMT):
You could make fabric-ca-server start the CMD for the container so that stopping the container means stopping the server

nfrunza (Tue, 01 May 2018 15:17:21 GMT):
Has joined the channel.

carlcraig (Tue, 01 May 2018 16:01:27 GMT):
Has joined the channel.

udeshpa (Tue, 01 May 2018 16:09:52 GMT):
Has joined the channel.

udeshpa (Tue, 01 May 2018 16:10:01 GMT):
hello

carlcraig (Tue, 01 May 2018 16:22:38 GMT):
hi

nfrunza (Tue, 01 May 2018 19:56:56 GMT):
Hello fabric-ca

nfrunza (Tue, 01 May 2018 20:05:00 GMT):
@aambati We are working on HL Explorer and need assistance in setting up fabric-ca and/or a possible solution to integrate it with Explorer, for enrolling users, admins etc.

acbellini (Tue, 01 May 2018 21:07:14 GMT):
Has joined the channel.

PirangPhan (Wed, 02 May 2018 02:28:06 GMT):
Has joined the channel.

chandrakanthm (Wed, 02 May 2018 06:47:16 GMT):
I am getting this error while running ./testApi.sh under the balance transfer app: POST request Enroll on Org1 ... {"success":false,"message":"failed Error: fabric-ca request register failed with errors [[{\"code\":0,\"message\":\"No identity type provided. Please provide identity type\"}]]"}

chandrakanthm (Wed, 02 May 2018 08:23:18 GMT):
I have modified the project balance transfer to accommodate the role attribute and modified the testAPI.sh file which contains curl call to enroll a new user. https://github.com/chandrakanthm/fabric_balance_transfer

Kamal_Kishor_Mehra (Wed, 02 May 2018 09:39:25 GMT):
I am getting an error while creating a channel: `2018-05-02 09:29:46.784 UTC [cauthdsl] deduplicate -> ERRO 180 Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.neo.com"))`

gravity (Wed, 02 May 2018 11:50:30 GMT):
Hello, I'm trying to connect to the CA, but getting an exception: `Caused by: org.apache.http.conn.HttpHostConnectException: Connect to localhost:7054 [localhost/127.0.0.1] failed: Connection refused (Connection refused)` with this code: `HFCAClient hfcaClient = HFCAClient.createNewInstance("http://localhost:7054", null); hfcaClient.info();` Any suggestions?

gravity (Wed, 02 May 2018 11:52:01 GMT):

`docker ps` output

amolpednekar (Wed, 02 May 2018 11:54:13 GMT):
@smithbk Hi. When registering a user, cert attributes can be given for that user. And when enrolling, we again specify the attributes. From my testing, the attributes given during enrollment have to be a subset of the attributes given during registration. Is this correct?

smithbk (Wed, 02 May 2018 11:57:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Z4Q5Q3e3bWftALfk2) @amolpednekar You can optionally request attributes during enrollment. For example, from the fabric-ca-client CLI usage message, see `--enrollment.attrs stringSlice   A list of comma-separated attribute requests of the form [:opt] (e.g. foo,bar:opt)`

smithbk (Wed, 02 May 2018 11:57:51 GMT):
The 'opt' makes an attribute optional

amolpednekar (Wed, 02 May 2018 12:00:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RvNwaTqTnaQR6H2Z3) @smithbk Um, let me clarify what I was saying (referencing the NodeSDK documentation for this example - https://fabric-sdk-node.github.io/FabricCAClient.html). Let's say I gave the following attributes during registration of a user "abc": [ age=30, role=manager ]. During enrollment of user "abc", can I give: [ age=30, role=manager, name=abc ]?

smithbk (Wed, 02 May 2018 12:03:27 GMT):
@amolpednekar During registration, names and values are specified. During enrollment, only names are specified. So if [ age=30, role=manager ] is provided during registration, then [age, role, name] could be requested at enrollment assuming "name" is optional

smithbk (Wed, 02 May 2018 12:03:51 GMT):
But of course "name" would not be included in the cert

smithbk (Wed, 02 May 2018 12:04:42 GMT):
Only the registrar can ASSIGN attribute names and values. The enroller can only request a certificate with certain attributes by name.

smithbk (Wed, 02 May 2018 12:05:33 GMT):
It would be a security problem if anyone could assign themselves any attribute name and value during enrollment

amolpednekar (Wed, 02 May 2018 12:06:35 GMT):
Ok. Makes sense. What would be the point of adding "name" as an optional attribute if it's not included in the certificate?

smithbk (Wed, 02 May 2018 12:07:16 GMT):
That is allowed so that you can request a certificate with an attribute that you are not sure if you have or not

amolpednekar (Wed, 02 May 2018 12:11:14 GMT):
So the only thing setting optional to true will do is not throw an error if the certificate didn't have that attribute during registration?

amolpednekar (Wed, 02 May 2018 12:15:49 GMT):
Also, a follow up question is :- How do I add more attributes to an already registered user?

aambati (Wed, 02 May 2018 13:36:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pDw876CNbcxvg99Ps) @nfrunza if you have any specific questions I can definitely answer.

aambati (Wed, 02 May 2018 13:39:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DGzR4qT4b5zXgKB4S) @chandrakanthm which Fabric CA version are you using? I think identity type did not have a default before and was giving the error you are seeing when not provided..but in 1.1, it was defaulted to 'client'

aambati (Wed, 02 May 2018 13:43:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vDcr5q9Sn2zYPTJEt) @Kamal_Kishor_Mehra the message says that the create channel request was submitted by an identity whose certificate was issued by an unknown CA...make sure the issuing CA's cert SKI matches the AKI of the user cert..you can use openssl to view the certificates (openssl x509 -in -text) ...also see if the 4th troubleshooting tip applies to you: http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#troubleshooting

Kamal_Kishor_Mehra (Wed, 02 May 2018 13:48:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JG4TJMGcB5TKvM48Z) @aambati Thank you very much.

aambati (Wed, 02 May 2018 13:57:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xpXZb9fADEfZNbtuR) @gravity which container are you running this from? because localhost will not work if you are trying to connect from the host computer and the port is not exposed, which seems to be the case for you

aambati (Wed, 02 May 2018 14:00:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gHTcYm45hWsoPENyZ) @amolpednekar in 1.1, fabric-ca-client identity command was added to create (register), update and delete identities: http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#modifying-an-identity

gravity (Wed, 02 May 2018 14:15:45 GMT):
@aambati I'm trying to connect from the host computer. Could you give me a clue how to expose the port so it is accessible from the host computer?

aambati (Wed, 02 May 2018 14:23:05 GMT):
@gravity using -p option on docker run , something like this: `docker run -it -p 7051:7051 fabric-ca`

gravity (Wed, 02 May 2018 14:23:25 GMT):
@aambati thanks, will try

GuillaumeCisco (Wed, 02 May 2018 14:24:18 GMT):
Has joined the channel.

GuillaumeCisco (Wed, 02 May 2018 14:26:17 GMT):
Hey there, I'm initializing my fabric-ca-server with the command `fabric-ca-server init -d -c fabric-ca-server-config.yaml` just before I run `rm -rf *.pem`, so that both files ca-cert.pem and ca-key.pem get regenerated. But when I init it, only ca-cert.pem is regenerated. How do I have ca-key.pem regenerated, and furthermore chain-cert.pem generated as well? Thank you

aambati (Wed, 02 May 2018 14:41:11 GMT):
By default, the CA's private key would be stored in the /msp/keystore directory, unless you have bootstrapped the fabric ca server with a cert/key pair issued by another CA, in which case Fabric CA is acting more like an intermediate CA...why do you want to regenerate the CA cert/key?

GuillaumeCisco (Wed, 02 May 2018 14:47:34 GMT):
oh ok, so they are in msp, interesting. I did not know they were in this folder, as I have to remove them beforehand for `fabric-ca-server init` to regenerate the `ca-cert.pem` file. I thought the `ca-key.pem` would also be generated here.

GuillaumeCisco (Wed, 02 May 2018 14:49:31 GMT):
I can find in the generated `msp/keystore` folder a private key like `b519979789eef6929157b6bf90dc4830b55d8d1a45992647c619e9f0843affd3_sk`. Is it the same thing as the `ca-key.pem`? And where is the `chain-cert.pem` file generated?

aambati (Wed, 02 May 2018 14:57:47 GMT):
did u provide ca-key.pem?

aambati (Wed, 02 May 2018 14:58:09 GMT):
are you referring to the ca-chain.pem file? I am not sure what the chain-cert.pem file is.

GuillaumeCisco (Wed, 02 May 2018 15:03:30 GMT):
no, I did not provide a ca-key.pem. But when running the fabric-ca-server for the first time, there is one already created, as described in the dockerfile: https://hub.docker.com/r/yeasy/hyperledger-fabric-ca/~/dockerfile/

GuillaumeCisco (Wed, 02 May 2018 15:04:14 GMT):
```
ca:
  # Name of this CA
  name:
  # Key file (default: ca-key.pem)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file (default: chain-cert.pem)
  chainfile:
```

GuillaumeCisco (Wed, 02 May 2018 15:04:48 GMT):
I think ca-chain.pem is the same as chain-cert.pem, maybe it changed its name with version 1.1

GuillaumeCisco (Wed, 02 May 2018 16:10:06 GMT):
ok looks like ca-key.pem and ca-chain.pem are created with intermediate CA

chandrakanthm (Wed, 02 May 2018 17:44:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3Sq8gdysWHL3gJ3mC) @aambati i am using v 1.1

chandrakanthm (Wed, 02 May 2018 17:44:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Tz5qKtP6tEP5rdQa8) @aambati i am using v 1.1

youssefg (Wed, 02 May 2018 18:23:17 GMT):
Has joined the channel.

CamilleMariniO (Wed, 02 May 2018 22:46:07 GMT):
Has joined the channel.

kevin-s-wang (Thu, 03 May 2018 02:34:13 GMT):
Has joined the channel.

blackgeneral (Thu, 03 May 2018 02:40:26 GMT):
Hi, I have a question about fabric-ca images. What is the difference between the fabric-ca-peer image and the fabric-peer image?

amolpednekar (Thu, 03 May 2018 03:39:41 GMT):
Thanks @smithbk , @aambati

naveen_saravanan (Thu, 03 May 2018 04:21:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WYWDKopxFeFwnWvAW) @aambati Thank you for your reply.

ajkh88 (Thu, 03 May 2018 08:35:41 GMT):
Has joined the channel.

mengluo668 (Thu, 03 May 2018 08:35:56 GMT):
Has joined the channel.

mengluo668 (Thu, 03 May 2018 08:44:21 GMT):

error.png

mengluo668 (Thu, 03 May 2018 08:44:31 GMT):
I am trying to install *fabric-ca-server* & *fabric-ca* by _go get -u_ `go get -u github.com/hyperledger/fabric-ca/cmd/...`, but I hit some problems when executing this command, please refer to the image. My current go version is a stable version (1.10.2). Does anybody know how to fix it? Thank you very much.

mengluo668 (Thu, 03 May 2018 09:03:54 GMT):
This problem exists on git tag release 1.1; on the master branch it works well

dokany (Thu, 03 May 2018 09:53:48 GMT):
Has joined the channel.

naveen_saravanan (Thu, 03 May 2018 10:52:41 GMT):
HI everyone, does the fabric-rest server support https requests?

acbellini (Thu, 03 May 2018 11:22:55 GMT):
Has left the channel.

gravity (Thu, 03 May 2018 11:47:34 GMT):
Hello, is fabric ca a substitute for the cryptogen tool?

Ammu (Thu, 03 May 2018 12:40:38 GMT):

enrolladmin.js.png

gravity (Thu, 03 May 2018 12:48:46 GMT):
@Ammu have you run `npm install` to install all required packages?

Ammu (Thu, 03 May 2018 12:52:14 GMT):
@gravity thanks

dokany (Thu, 03 May 2018 14:21:39 GMT):
Hello, I'm getting the following error when I try to enroll an identity through a cloud-running fabric-ca server: Error: POST failure of request: POST https:///enroll

dokany (Thu, 03 May 2018 14:26:09 GMT):
POST

dokany (Thu, 03 May 2018 14:32:12 GMT):
Should I manually configure the generated fabric-ca-client-config.yaml file with the server credentials?

aambati (Thu, 03 May 2018 15:41:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qx4ZuCAzsLNhtmumS) @blackgeneral fabric-ca-peer has the peer and fabric-ca-client executables...whereas fabric-peer has only the peer executable...fabric-ca-client is used to set up the peer msp..see this example: https://github.com/hyperledger/fabric-samples/tree/release-1.1/fabric-ca

aambati (Thu, 03 May 2018 15:43:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uuY9w5Cve2f8aJ2ML) @mengluo668 Use Go 1.9.2 with Fabric CA 1.1 code...use this go get command instead: `go get -u -ldflags "-X github.com/hyperledger/fabric-ca/lib/metadata.Version=1.1.0" github.com/hyperledger/fabric-ca/cmd/...`

aambati (Thu, 03 May 2018 15:43:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LD5Az7EJ6w8Qsmrvw) @naveen_saravanan You mean does the Fabric-CA server support https? If so, the answer is yes

mengluo668 (Thu, 03 May 2018 15:48:48 GMT):
@aambati thanks, I will try it tomorrow morning. Have a nice day.

aambati (Thu, 03 May 2018 15:48:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MXzhGNy8RNWmSfuz9) @gravity cryptogen is a tool that is used to quickly generate certs/keys for various entities (like peers, orderers, admins)..it is commonly used in examples...Fabric CA is a certificate authority. It can issue certs to these same entities and users, revoke issued certs, generate CRLs...In a real network, each org participating in the network would have a CA issuing certs

aambati (Thu, 03 May 2018 15:52:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2SYBoet3Y3u34mQeG) @dokany can u provide the exact command you ran...you can provide the id/password in the url using `-u https://id:pwd@serverhost:port` ...I am not sure if this is what you meant by "server credentials"

gravity (Thu, 03 May 2018 16:26:08 GMT):
@aambati thanks for the explanation. And there is one more question: how can I run a network without defined orderers and peers (and without crypto materials generated by the CA)? Could you describe a rough algorithm (a sequence of steps) for how to do this? Thanks in advance

Levilk (Thu, 03 May 2018 18:47:11 GMT):
Hi folks! I am looking for documentation about the Fabric components' variables. More precisely, I've examined the docker-compose.yml from fabric-samples/fabric-ca. A lot of variables are set there while booting the docker images. Is there any information somewhere that lists all the necessary and optional variables?

nfrunza (Thu, 03 May 2018 20:20:13 GMT):
Hello fabric-ca, I'm facing issues initializing the fabric-ca server:
```
fabric-ca-server init -b “admin:adminpw”
2018/05/03 16:17:59 [INFO] Configuration file location: /home/nfrunza/workspace/FABRIC-CA/server/fabric-ca-server-config.yaml
panic: Version is not set for fabric-ca library
goroutine 1 [running]:
github.com/hyperledger/fabric-ca/lib/metadata.GetVersion(0xc4202e0900, 0x120)
	/home/nfrunza/workspace/go-workspace/src/github.com/hyperledger/fabric-ca/lib/metadata/version.go:58 +0x60
github.com/hyperledger/fabric-ca/lib.(*Server).init(0xc4202e0900, 0xc4201b3900, 0x14b7e60, 0xc42018dc10)
```

nfrunza (Thu, 03 May 2018 20:41:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gsFC3udCGsFtjg6TC) I found the solution. Thanks! "@mengluo668 Use Go 1.9.2 with Fabric CA 1.1 code...use this go get command instead: `go get -u -ldflags "-X github.com/hyperledger/fabric-ca/lib/metadata.Version=1.1.0" github.com/hyperledger/fabric-ca/cmd/...`"

blackgeneral (Fri, 04 May 2018 03:34:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2gGKNmbYy4Y7wFFpG) @aambati thank you

blackgeneral (Fri, 04 May 2018 03:37:37 GMT):
Hi, I wonder about the configuration of configtx.yaml when I use kafka. Do you have sample files or code?

naveen_saravanan (Fri, 04 May 2018 04:31:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kJWu8btcdxCXkYmEk) @aambati I meant the fabric-rest server used as image for the api containers ( e.g. api.org.example.com) .

dokany (Fri, 04 May 2018 06:18:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bdL6g5LJLukDpvABd) @aambati It is! Turns out I was using an older URL :') It works perfectly now

CalvitoUy (Fri, 04 May 2018 11:46:48 GMT):
Has joined the channel.

gravity (Fri, 04 May 2018 13:34:47 GMT):
Hello, I'm discovering the fabric-ca example, but I cannot understand why the `data/` directory is mapped to the docker container. Why are certificates generated inside this directory? If I understand correctly, all certificates are generated by fabric-ca-server and stored inside each docker container in `/etc/hyperledger/fabric-ca-orderer/msp`

asaningmaxchain123 (Fri, 04 May 2018 14:09:27 GMT):
@smithbk @skarim how can I use the `Enrolling an intermediate CA` section to set up the fabric-ca-server?

asaningmaxchain123 (Fri, 04 May 2018 14:17:22 GMT):

Clipboard - May 4, 2018 10:17 PM

asaningmaxchain123 (Fri, 04 May 2018 14:17:53 GMT):
I see this picture; does that mean the intermediate CA can set up the fabric-ca-server?

smithbk (Fri, 04 May 2018 14:26:44 GMT):
@asaningmaxchain123 No, the "cluster of Fabric-CA servers" is a cluster of fabric CA servers, as those 2 dotted lines are meant to show that the cluster box is just a "blow up" of the "Fabric-CA Intermediate Server" circle

asaningmaxchain123 (Fri, 04 May 2018 14:29:53 GMT):
so I can't use the intermediate CA to set up the fabric-ca-server?

asaningmaxchain123 (Fri, 04 May 2018 14:32:14 GMT):
@smithbk i don't understand

smithbk (Fri, 04 May 2018 14:38:05 GMT):
@asaningmaxchain123 The picture is meant to show that the "Fabric-CA client" talks to a "Fabric-CA Intermediate Server" endpoint which is either: 1) a single fabric-ca-server process which is functioning as an intermediate CA, or 2) an HA proxy forwarding requests to a cluster of fabric-ca-server processes, each functioning as an intermediate CA

asaningmaxchain123 (Fri, 04 May 2018 14:39:24 GMT):
thx, I got it, I can use haproxy to set up multiple fabric-ca-servers

asaningmaxchain123 (Fri, 04 May 2018 14:40:25 GMT):

Clipboard - May 4, 2018 10:40 PM

gravity (Fri, 04 May 2018 14:42:16 GMT):
Are there any good examples of a network configuration with fabric-ca-server, without locally generated crypto materials using cryptogen?

asaningmaxchain123 (Fri, 04 May 2018 16:23:30 GMT):

Clipboard - May 5, 2018 12:23 AM

asaningmaxchain123 (Fri, 04 May 2018 16:23:44 GMT):
@smithbk the two link can't got it

asaningmaxchain123 (Fri, 04 May 2018 16:44:13 GMT):
`fabric-ca-server start -b admin:adminpw -u http://:@:`

asaningmaxchain123 (Fri, 04 May 2018 16:44:17 GMT):
@smithbk can I set up the intermediate CA from the root CA?

nfrunza (Fri, 04 May 2018 17:02:14 GMT):
Did anyone configure fabric-ca-server with postgresql? I'm getting a permission denied error; the question is, should I use the postgresql root user in fabric-ca-server-config.yaml?

asaningmaxchain123 (Fri, 04 May 2018 17:09:25 GMT):
can you paste your config in https://pastebin.com/

aambati (Fri, 04 May 2018 18:04:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EpnrhxAS8oRbjJtoG) @naveen_saravanan I am not familiar with the fabric-rest server, so I don't know if it supports https or not

aambati (Fri, 04 May 2018 18:08:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TB8WAc2Z4dfx6QHco) @gravity To set up a network, you need at least one orderer...A network is formed when an orderer is set up. The orderer has a system channel (think of it as a template for user channels) whose genesis block contains the consortium definition, which has information about the organizations participating in the network...what is it that you are trying to accomplish?

aambati (Fri, 04 May 2018 18:12:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GgavNKxX5Y2vLR78Q) @gravity The data directory contains crypto material (certs and keys for peers, orderers, admins). It was easier this way to share CA certs on the client side (run container)...I agree that we can do away with the shared folder and copy the required certs to the run container to make the example more realistic

gravity (Fri, 04 May 2018 18:12:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5cANHi5ddoPMb29Yd) Ok, I understand that I have to start an orderer. Let's assume that I have a running orderer. How can I create an organization with, for example, two peers? e.g. generate crypto materials for them using fabric ca and run peer nodes?

gravity (Fri, 04 May 2018 18:15:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qH4tbXWCpy6hJciXx) do you have any real-world examples? it would be very useful, if you could share some (if you have)

nfrunza (Fri, 04 May 2018 18:15:49 GMT):
@aambati I'm trying to configure fabric-ca-server with PostgreSQL and getting a permission error; should I use the postgresql root user in the config?

aambati (Fri, 04 May 2018 18:20:46 GMT):
@gravity At a very high level, this is what you would need to do: 1. set up a CA for the organization and have it generate x509 credentials for the admins...2. add the org's CA and tls root certs and admin certs to the orderer system channel configuration block...3. generate x509 credentials for the peers to set up the peer msp..4. provision the peers 5. create a channel 6. have the peers join the channel

aambati (Fri, 04 May 2018 18:22:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NPJSXThM8DgniWSLj) @gravity unfortunately, the fabric-ca example is the closest to real world that I know of

gravity (Fri, 04 May 2018 18:24:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GQsoAifDH8LowgxJr) *2. Add org's CA and tls root certs, admin certs to the orderer system channel configuration block* this is the point where I'm stuck. How do I add these certs to the orderer system channel configuration block?

nfrunza (Fri, 04 May 2018 18:25:00 GMT):
@gravity Are you trying to set up a fabric-ca-server/client?

aambati (Fri, 04 May 2018 18:26:51 GMT):
there is some info at https://hyperledger-fabric.readthedocs.io/en/latest/configtx.html if you have not already looked at it

aambati (Fri, 04 May 2018 18:27:06 GMT):
https://hyperledger-fabric.readthedocs.io/en/latest/configtx.html#orderer-system-channel-configuration

gravity (Fri, 04 May 2018 18:28:40 GMT):
@nfrunza yep

nfrunza (Fri, 04 May 2018 18:31:32 GMT):
@gravity i was able to get up to the postgresql config

gravity (Fri, 04 May 2018 18:36:42 GMT):
@aambati thanks a lot. will investigate in this direction

aambati (Fri, 04 May 2018 18:36:57 GMT):
and this: https://hyperledger-fabric.readthedocs.io/en/release-1.1/channel_update_tutorial.html

aambati (Fri, 04 May 2018 18:42:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XQnxhH4yccDNDX6de) @nfrunza what was the issue?

nfrunza (Fri, 04 May 2018 18:44:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tuPwRJoHGRcTPNksa) @aambati the error I'm getting:
```
2018/05/04 12:59:34 [DEBUG] Initializing DB
2018/05/04 12:59:34 [DEBUG] Initializing 'postgres' database at 'host=localhost port=5432 user=**** password=**** dbname=hlfcaserver sslmode=require'
2018/05/04 12:59:34 [DEBUG] Using postgres database, connecting to database...
2018/05/04 12:59:34 [DEBUG] Database Name: hlfcaserver
2018/05/04 12:59:34 [DEBUG] Connecting to PostgreSQL server, using connection string: host=localhost port=5432 user=**** password=**** dbname=hlfcaserver sslmode=require
2018/05/04 12:59:34 [DEBUG] Creating Postgres Database (hlfcaserver) if it does not exist...
2018/05/04 12:59:34 [ERROR] Error occurred initializing database: Failed to create user registry for PostgreSQL: Failed to create Postgres database: Failed to execute create database query: pq: permission denied to create database
```

gravity (Fri, 04 May 2018 18:50:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qH4tbXWCpy6hJciXx) in this case, can I delete data/ directory from the host machine once it was mounted to the container?

aambati (Fri, 04 May 2018 18:51:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WfZS3JrY8mkrkcidm) @nfrunza ok, did you solve it? if so, how?

nfrunza (Fri, 04 May 2018 18:52:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Pb9eDeN9uMxSX8nv9) @aambati NO, I did not solve it. I created the DB and provided the connection string, but no luck, and if I need to enter the postgreSQL root user/password, that would be wrong

aambati (Fri, 04 May 2018 18:53:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9dZaoGyisr5WwRB9R) @gravity I am not sure...I thought deleting the data directory from the host machine will delete it in the container as well, as they are shared..I don't know for sure, you can try

aambati (Fri, 04 May 2018 18:56:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oaqoYCYurLNeH3uZf) @nfrunza the user should have privileges to create the database and tables

gravity (Fri, 04 May 2018 18:59:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rna2f5sWwYx9ArXTv) ok, thanks!

nfrunza (Fri, 04 May 2018 19:00:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=poaX8s36ewan9WzjF) @aambati that is a good point. The DB is already created, so the steps would be: 1) add a user with permission to create DATABASE, tables, etc., 2) then configure the DB connection with that user in fabric-ca-server-config.yaml?

aambati (Fri, 04 May 2018 19:02:37 GMT):
if you have already created the database, then yes, the user should have privileges to create tables, as the server creates the tables using this id if they don't exist

nfrunza (Fri, 04 May 2018 19:05:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QoEgGkCEKudHDH8Nn) @aambati Yes i did create the DB, and user is granted, let me retry

nfrunza (Fri, 04 May 2018 19:27:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iCYfvRYQiXYjRSSw8) Worked only by creating a user and granting: `ALTER USER hlfcauser CREATEDB; GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA PUBLIC TO hlfcauser;`

rupa12 (Fri, 04 May 2018 22:15:42 GMT):
I have generated the MSP and TLS certificates using fabric CA. Since the admincerts folder doesn't get created during the process, I am having to create this admincerts directory and copy over the certificates. My question is: I have admin and admin2, and I got my peers and orderers registered/enrolled using admin2, so should I copy the signcerts of admin2 or of admin over to the admincerts folder of the orderer/peer?

rupa12 (Sat, 05 May 2018 00:49:42 GMT):
Also can someone tell which port number does the cli container use by default?

rselvakct (Sat, 05 May 2018 18:37:01 GMT):
Has joined the channel.

davidkhala (Sun, 06 May 2018 07:21:35 GMT):
Has joined the channel.

davidkhala (Sun, 06 May 2018 07:22:21 GMT):
Dear Everyone, I am new here and wondering whether tcert generation has been implemented in fabric-ca 1.1?

kletkeman (Sun, 06 May 2018 15:07:05 GMT):
Hi ... I am able to fry a composer smart contract -- but not the composer run time or the fabric -- with great ease and I am wondering if anyone has some idea what this error might mean: Error: No connection found with ID 4a1a8c38-9455-48a5-bd60-c639de63dd13 ... this on Composer 162. (IBM Container Service on a lite k8s cluster on IBM cloud). The scenario: an IoT client running traffic of various intensity into a blockchain (long term tests at 1/s and short term tests at 5/s or 10/s both seem to cause the issue). I use a burst tester that sends messages through a client with a queue, and on the backend dequeues 20 messages at a time (which we have found to be the sweet spot for the configuration mentioned above *with or without CouchDB seems to make no difference to the issue**). So these messages in flight tend to be committed within about 2 to 3 seconds average. In the background, we use the node SDK to poll blocks and create our own event streams to listening clients. So we are hitting the system from two directions and things work out quite nicely on our newest clients. The problem is that, after testing for hours, when I then just let the system sit it becomes unresponsive 4 or 5 hours later. And throws errors when connecting or sometimes just when trying to run transactions. Either way, the contract is unusable. I used to think this was the fabric itself frying, until I tried deploying another copy of our business network into composer and it worked. I have a system right now with three dead contracts and am wondering if this is a known issue?

akshaynet (Sun, 06 May 2018 15:40:04 GMT):
Has joined the channel.

pravindia (Sun, 06 May 2018 17:07:09 GMT):
Has joined the channel.

air 27 (Mon, 07 May 2018 02:40:32 GMT):
Has joined the channel.

hrt031293 (Mon, 07 May 2018 11:37:30 GMT):
Hello everyone, has anyone present here done the `Adding an Org to a Channel` tutorial? I'm facing a problem...

skarim (Mon, 07 May 2018 15:06:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TM8TE3acsX3MobGJ4) @davidkhala Tcert generation is not present in 1.1, I don't believe there is any planned future support for Tcerts

aambati (Mon, 07 May 2018 18:04:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Zp6tHAaAvLj72WzD8) @rupa12 yes, admin certs should be in admincerts folder of msp (peer and/or in the channel configuration)

dharuq (Mon, 07 May 2018 23:39:13 GMT):
Hello! I am trying to use Postgres as database, but i have several doubts: -- I have to define postgres in docker-compose.yaml to create a container for it or it is suppose to connect to the postgres installed in the host. If it suppose to create a container

dharuq (Mon, 07 May 2018 23:44:07 GMT):
Hello! I am trying to use Postgres as the database, but I have several doubts: 1) Do I have to define postgres in docker-compose.yaml to create a container for it, 2) or is it supposed to connect to the postgres installed on the host? In case 1), which is the host? Is it localhost or the Postgres container's name? In case 2), which is the host? I tried my interface's address from ifconfig. Thanks in advance!

Glen (Tue, 08 May 2018 00:04:12 GMT):
Hi @aambati , Can I use Fabric-CA to generate crypto materials for one organization instead of cryptogen, for now I only used Fabric-CA to register users under one organization.

aambati (Tue, 08 May 2018 00:05:37 GMT):
@Glen yes

aambati (Tue, 08 May 2018 00:08:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iQZPwzanf9NycMcYm) @dharuq which database to use is defined in the fabric CA server config yaml ..postgres can be installed on any host...CA server should be able to access the postgres server..if postgres is running in a container, then use the container name

Glen (Tue, 08 May 2018 00:37:44 GMT):
@aambati , could you show such an example of generating all the crypto materials needed by one organization

Glen (Tue, 08 May 2018 00:37:44 GMT):
@aambati , could you show such an example of generating all the crypto materials needed by one organization using Fabric Ca

aambati (Tue, 08 May 2018 01:28:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=x5ry8xyieEYTPEAnw) @Glen https://github.com/hyperledger/fabric-samples/tree/release-1.1/fabric-ca

Glen (Tue, 08 May 2018 01:53:17 GMT):
Ok, thanks, one more question, How can we utilize the ```id: name: type: affiliation: maxenrollments: -1 attributes:``` fields associated with one identity?

Glen (Tue, 08 May 2018 01:53:17 GMT):
OK, thanks, one more question: how can we utilize the ```id: name: type: affiliation: maxenrollments: -1 attributes:``` fields associated with one identity, or can they be combined with msp to do something?

Glen (Tue, 08 May 2018 01:53:17 GMT):
OK, thanks, one more question: how can we utilize the ```id: name: type: affiliation: maxenrollments: -1 attributes:``` fields associated with one identity, or can they be combined with msp to do something? Why, if I assign the type to client, peer, user or else, will it be considered to be that role?

Glen (Tue, 08 May 2018 01:53:17 GMT):
OK, thanks @aambati, one more question: how can we utilize the ```id: name: type: affiliation: maxenrollments: -1 attributes:``` fields associated with one identity, or can they be combined with msp to do something? Why, if I assign the type to client, peer, user or else, will it be considered to be that role?

Glen (Tue, 08 May 2018 02:32:25 GMT):
let me read through the document first, thanks!

davidkhala (Tue, 08 May 2018 05:50:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iE5FXkipG7cKBsRFy) @skarim It seems they rarely mention the term Tcert now; instead they prefer to use identity attribute-based access control

Subramanyam (Tue, 08 May 2018 06:01:56 GMT):
Has left the channel.

sandman4 (Tue, 08 May 2018 09:00:55 GMT):
Has joined the channel.

dharuq (Tue, 08 May 2018 09:02:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=turH5WdrgLWrMTeJ8) @aambati I have tried the container name but I get this error:
```
Error occurred initializing database: Failed to create user registry for PostgreSQL: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [postgres postgres template1]. Please create one of these database before continuing
```
I have the postgres container initialized like this:
```
postgres:
  image: postgres
  restart: always
  environment:
    POSTGRES_PASSWORD: example
  container_name: postgres
```
and in the fabric-ca-server-config.yaml I have:
```
db:
  type: postgres
  datasource: host=postgres port=5432 user=postgres password=example dbname=postgres
```

sandman4 (Tue, 08 May 2018 09:05:24 GMT):
how is crypto material generated?

sandman4 (Tue, 08 May 2018 09:05:57 GMT):
more specifically, how does cryptogen achieve this?

Starseven (Tue, 08 May 2018 11:50:20 GMT):
Has joined the channel.

dimaxgl (Tue, 08 May 2018 11:52:53 GMT):
Has joined the channel.

umtyzc (Tue, 08 May 2018 12:04:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BL2xcejKjSh76doty) @sandman4 http://hyperledger-fabric.readthedocs.io/en/latest/build_network.html?highlight=cryptogen#crypto-generator look at this...

aambati (Tue, 08 May 2018 13:49:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=n9gSQBHzhD8K7LEKd) @davidkhala Currently, enrollment credential (cert,private key pair) is used to sign transactions...There was a plan to use TCerts but an effort is ongoing to use Idemix zero knowledge proofs...Attributes are assigned to user during registration and they are added to the enrollment certs, which can be used by the chaincode/peer to make access control decisions. Attributes will also be added to Idemix credentials , which are then used to create zero knowledge proofs to sign the transactions.

aambati (Tue, 08 May 2018 13:51:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tnvEePHr4jJ5rwrJp) @dharuq do you see the request from Fabric CA server in the postgres logs? First lets make sure that request is reaching postgres

ondar07 (Tue, 08 May 2018 14:34:58 GMT):
Hi! Suppose the 'admin2' identity was created to register new users and after that its cert was compromised. So we should reenroll it. I thought that after the reenroll command the old enrollment certificate of 'admin2' would become inactive automatically. But I noticed I can still register new users using the old 'admin2' cert. What is the correct strategy to reenroll an identity's certificate? After reenrolling, do I have to revoke the old cert, or something else?

john_whitton (Tue, 08 May 2018 17:50:13 GMT):
Has joined the channel.

skarim (Tue, 08 May 2018 19:49:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2Sh6vgHt7G8ybssTT) @ondar07 Reenrolling will generate you a new certificate, but your old certificate will still be valid (until it expires). If a certificate has been compromised, that certificate needs to be revoked. You can revoke the certificate using the serial number and AKI of the certificate.

victer (Wed, 09 May 2018 04:50:23 GMT):
Has joined the channel.

bh4rtp (Wed, 09 May 2018 08:11:14 GMT):
hi, what databases does fabric-ca support?

hrt031293 (Wed, 09 May 2018 11:56:08 GMT):
Hello everyone, I want to know that, if I want to create a project in fabric, then what should be the basic architecture? Thanks for the help

dharuq (Wed, 09 May 2018 12:41:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bMRkZHbpuqahbHNtJ) @aambati Fabric CA is not reaching postgres because the postgres container is not up when the fabric ca is connecting.. is it supposed to use a wait-for-postgres?

dharuq (Wed, 09 May 2018 12:41:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bMRkZHbpuqahbHNtJ) @aambati Fabric CA is not reaching postgres because the postgres container is not up when the fabric ca is connecting.. is it supposed to call a wait-for-postgres script in the fabric ca containers?

ondar07 (Wed, 09 May 2018 12:46:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qkkJcbbu5JSpcLgoc) @skarim Thanks for reply! I revoked the old certificate using serial number and aki. But I still can register new users using this certificate. On the other hand, if I revoke the new certificate, ca server does not allow registering new users using any of these certificates (old and new). Server log at such attempts: "The certificate in the authorization header is a revoked certificate." What am I doing wrong?

akshaylawange001 (Wed, 09 May 2018 12:58:55 GMT):
Has joined the channel.

aambati (Wed, 09 May 2018 13:31:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2Sh6vgHt7G8ybssTT) @ondar07 if the old cert is compromised, reenroll to new key pair and then revoke the old certificate

aambati (Wed, 09 May 2018 13:31:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JcaqeKctCFxjLuqQ7) @bh4rtp sqlite, mysql and postgres

aambati (Wed, 09 May 2018 13:38:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yKWh6GdxdybnZNKPa) @hrt031293 do you want to develop an application on Fabric? Typically, depending on the programming language you are going to use for the application, the appropriate fabric SDK (there are 4 SDKs I know of: node, java, python and go) is used to interact with Fabric. It is better if you ask this question in the fabric-questions or fabric channels.

GrondinLaurent (Wed, 09 May 2018 13:57:07 GMT):
Has joined the channel.

guido.santos (Wed, 09 May 2018 14:07:51 GMT):
Has joined the channel.

huy.tranibm (Wed, 09 May 2018 20:00:48 GMT):
Hello, can someone explain the difference between type "Client" and "user"? Thank you mucho

vijayin26 (Wed, 09 May 2018 20:50:51 GMT):
Has joined the channel.

vijayin26 (Wed, 09 May 2018 20:53:48 GMT):
Did anyone faced below issue while trying to issue new identity to IBM enterprise plan network? 2018/05/09 14:11:19 [ERROR] Error adding identity wm1 to the database: Error 1290: The MySQL server is running with the --super-read-only option so it cannot execute this statement

vijayin26 (Wed, 09 May 2018 20:53:48 GMT):
Did anyone face below issue while trying to issue new identity to IBM enterprise plan network? 2018/05/09 14:11:19 [ERROR] Error adding identity wm1 to the database: Error 1290: The MySQL server is running with the --super-read-only option so it cannot execute this statement

rupa12 (Thu, 10 May 2018 06:44:42 GMT):
Thanks @aambati for your reply ... I am trying to instantiate my chaincode, but it hangs and then times out after a while. I have added the following env variables in the cli container in the docker-compose.yaml file:
```
- CORE_PEER_CHAINCODELISTENADDRESS=peer0.networkname:7051
- CORE_CHAINCODE_DEPLOYTIMEOUT=300s
- CORE_CHAINCODE_STARTUPTIMEOUT=300s
- CORE_CHAINCODE_EXECUTETIMEOUT=90s
```
Have also added `CORE_CHAINCODE_DEPLOYTIMEOUT=300s`, `CORE_CHAINCODE_STARTUPTIMEOUT=300s`, `CORE_CHAINCODE_EXECUTETIMEOUT=90s` in the docker-compose-peer.yaml file. But nothing helped so far. I am using docker version 1.0.6. Please help.

ondar07 (Thu, 10 May 2018 07:23:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ax8w8Sn6Z2NdS5g4S) @aambati Thanks for your reply! After revoking the old certificate using serial number and aki I still can register new users using the old certificate.

ondar07 (Thu, 10 May 2018 07:24:03 GMT):
This is my simple script:
```
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054

# register and enroll admin2
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client register --id.name admin2 --id.attrs '"hf.Registrar.Roles=peer,user",hf.Revoker=true,admin=true:ecert' --id.secret admin2pw
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin2
fabric-ca-client enroll -u http://admin2:admin2pw@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/msp

# save original admin2 credentials in 'old_admin2' dir
OLD_ADMIN2_HOME=$HOME/fabric-ca/clients/old_admin2
NEW_ADMIN2_HOME=$HOME/fabric-ca/clients/admin2
mkdir $OLD_ADMIN2_HOME
cp -a $NEW_ADMIN2_HOME/. $OLD_ADMIN2_HOME

# reenroll admin2
export FABRIC_CA_CLIENT_HOME=$NEW_ADMIN2_HOME
fabric-ca-client reenroll

# revoke OLD admin2
admin2_CERT=$OLD_ADMIN2_HOME/msp/signcerts/cert.pem
serial=$(openssl x509 -in $admin2_CERT -serial -noout | cut -d "=" -f 2)
aki=$(openssl x509 -in $admin2_CERT -text | awk '/keyid/ {gsub(/ *keyid:|:/,"",$1);print tolower($0)}')
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client revoke -s $serial -a $aki -r keycompromise --gencrl

# register and enroll 'user1' user by OLD 'admin2' credentials
# This shouldn't work... (???)
export FABRIC_CA_CLIENT_HOME=$OLD_ADMIN2_HOME
fabric-ca-client register --id.name user1 --id.type user --id.secret user1pw
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/user1
fabric-ca-client enroll -u http://user1:user1pw@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/msp
```

hrt031293 (Thu, 10 May 2018 08:22:55 GMT):
Hello,

hrt031293 (Thu, 10 May 2018 08:23:42 GMT):
Hello everyone, Is there anyone present, who had completed "Adding an Org to a Channel" tutorial?

aambati (Thu, 10 May 2018 13:57:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oQXpbSJsaKqDgHhgq) @huy.tranibm no difference from Fabric perspective...Actually type can be anything , your application could use the type to make access control decisions

aambati (Thu, 10 May 2018 14:03:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pqLG8EBfRARH6MTT3) @rupa12 I am not an expert in chaincode but I would start with peer and orderer logs...what errors do you see there..more information can help

aambati (Thu, 10 May 2018 14:07:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wAwYcbPTjHsSXZM37) @ondar07 Yes, it should have failed...can you please send me the output...what version of Fabric CA are you using?

ondar07 (Thu, 10 May 2018 14:39:37 GMT):
@aambati version: Version: 1.1.1-snapshot-e656889 Go version: go1.10.1 OS/Arch: linux/amd64

ondar07 (Thu, 10 May 2018 14:40:37 GMT):
output of fabric-ca-client:
```
2018/05/10 17:36:59 [INFO] Created a default configuration file at /home/ondar/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2018/05/10 17:36:59 [INFO] generating key: &{A:ecdsa S:256}
2018/05/10 17:36:59 [INFO] encoded CSR
2018/05/10 17:37:00 [INFO] Stored client certificate at /home/ondar/fabric-ca/clients/admin/msp/signcerts/cert.pem
2018/05/10 17:37:00 [INFO] Stored root CA certificate at /home/ondar/fabric-ca/clients/admin/msp/cacerts/localhost-7054.pem
2018/05/10 17:37:00 [INFO] Stored intermediate CA certificates at /home/ondar/fabric-ca/clients/admin/msp/intermediatecerts/localhost-7054.pem
2018/05/10 17:37:00 [INFO] Configuration file location: /home/ondar/fabric-ca/clients/admin/fabric-ca-client-config.yaml
Password: admin2pw
2018/05/10 17:37:00 [INFO] Created a default configuration file at /home/ondar/fabric-ca/clients/admin2/fabric-ca-client-config.yaml
2018/05/10 17:37:00 [INFO] generating key: &{A:ecdsa S:256}
2018/05/10 17:37:00 [INFO] encoded CSR
2018/05/10 17:37:01 [INFO] Stored client certificate at /home/ondar/fabric-ca/clients/admin2/msp/signcerts/cert.pem
2018/05/10 17:37:01 [INFO] Stored root CA certificate at /home/ondar/fabric-ca/clients/admin2/msp/cacerts/localhost-7054.pem
2018/05/10 17:37:01 [INFO] Stored intermediate CA certificates at /home/ondar/fabric-ca/clients/admin2/msp/intermediatecerts/localhost-7054.pem
2018/05/10 17:37:01 [INFO] Configuration file location: /home/ondar/fabric-ca/clients/admin2/fabric-ca-client-config.yaml
2018/05/10 17:37:01 [INFO] generating key: &{A:ecdsa S:256}
2018/05/10 17:37:01 [INFO] encoded CSR
2018/05/10 17:37:01 [INFO] Stored client certificate at /home/ondar/fabric-ca/clients/admin2/msp/signcerts/cert.pem
2018/05/10 17:37:01 [INFO] Stored root CA certificate at /home/ondar/fabric-ca/clients/admin2/msp/cacerts/localhost-7054.pem
2018/05/10 17:37:01 [INFO] Stored intermediate CA certificates at /home/ondar/fabric-ca/clients/admin2/msp/intermediatecerts/localhost-7054.pem
2018/05/10 17:37:01 [INFO] Configuration file location: /home/ondar/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2018/05/10 17:37:01 [INFO] Sucessfully revoked certificates: [{Serial:6fa6b57fe5e24a5e600e6fb4bd3986f044083c60 AKI:1c05cab7a7d037051f5f7c27baeca54c9ecf5eb8}]
2018/05/10 17:37:01 [INFO] Successfully stored the CRL in the file %s/home/ondar/fabric-ca/clients/admin/msp/crls/crl.pem
2018/05/10 17:37:01 [INFO] Configuration file location: /home/ondar/fabric-ca/clients/old_admin2/fabric-ca-client-config.yaml
Password: user1pw
2018/05/10 17:37:02 [INFO] Created a default configuration file at /home/ondar/fabric-ca/clients/user1/fabric-ca-client-config.yaml
2018/05/10 17:37:02 [INFO] generating key: &{A:ecdsa S:256}
2018/05/10 17:37:02 [INFO] encoded CSR
2018/05/10 17:37:02 [INFO] Stored client certificate at /home/ondar/fabric-ca/clients/user1/msp/signcerts/cert.pem
2018/05/10 17:37:02 [INFO] Stored root CA certificate at /home/ondar/fabric-ca/clients/user1/msp/cacerts/localhost-7054.pem
2018/05/10 17:37:02 [INFO] Stored intermediate CA certificates at /home/ondar/fabric-ca/clients/user1/msp/intermediatecerts/localhost-7054.pem
```

ondar07 (Thu, 10 May 2018 14:41:43 GMT):
output of fabric-ca-server:
```
2018/05/10 17:36:43 [INFO] Configuration file location: /home/ondar/rootca/fabric-ca-server-config.yaml
2018/05/10 17:36:43 [INFO] Starting server in home directory: /home/ondar/rootca
2018/05/10 17:36:43 [INFO] Server Version: 1.1.1-snapshot-e656889
2018/05/10 17:36:43 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1}
2018/05/10 17:36:43 [INFO] generating key: &{A:ecdsa S:256}
2018/05/10 17:36:43 [INFO] encoded CSR
2018/05/10 17:36:43 [INFO] signed certificate with serial number 86321601712377610885330923519359552210687884683
2018/05/10 17:36:43 [INFO] The CA key and certificate were generated for CA
2018/05/10 17:36:43 [INFO] The key was stored by BCCSP provider 'SW'
2018/05/10 17:36:43 [INFO] The certificate is at: /home/ondar/rootca/ca-cert.pem
2018/05/10 17:36:47 [INFO] Initialized sqlite3 database at /home/ondar/rootca/fabric-ca-server.db
2018/05/10 17:36:47 [INFO] Home directory for default CA: /home/ondar/rootca
2018/05/10 17:36:47 [INFO] Listening on http://0.0.0.0:7054
2018/05/10 17:37:00 [INFO] signed certificate with serial number 318886793527961747365843758817772760768789973019
2018/05/10 17:37:00 [INFO] [::1]:54690 POST /enroll 201 0 "OK"
2018/05/10 17:37:00 [INFO] [::1]:54716 POST /register 201 0 "OK"
2018/05/10 17:37:00 [INFO] signed certificate with serial number 637415710109584696695462364367751726592365706336
2018/05/10 17:37:01 [INFO] [::1]:54718 POST /enroll 201 0 "OK"
2018/05/10 17:37:01 [INFO] signed certificate with serial number 486510687838345057745468453523353840834784845520
2018/05/10 17:37:01 [INFO] [::1]:54744 POST /reenroll 201 0 "OK"
2018/05/10 17:37:01 [INFO] [::1]:54746 POST /revoke 200 0 "OK"
2018/05/10 17:37:02 [INFO] [::1]:54748 POST /register 201 0 "OK"
2018/05/10 17:37:02 [INFO] signed certificate with serial number 275170250664831980113939745585954526837774495172
2018/05/10 17:37:02 [INFO] [::1]:54774 POST /enroll 201 0 "OK"
```

skarim (Thu, 10 May 2018 14:51:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gdJNwYBEJPuBKoAjx) @ondar07 Could you provide logs with debug enabled?

rupa12 (Thu, 10 May 2018 17:50:42 GMT):
Hi @aambati: The peer logs show this:
```
2018-05-10 07:04:37.571 UTC [chaincode] Launch -> ERRO 46d launchAndWaitForRegister failed Timeout expired while starting chaincode mycc:1.0(networkid:dev,peerid:peer0.networkname,tx:ab495b01b14bd8d7ecb79e7effa67be8ce4724cea48b6f81e491011b1fb7e6ff)
2018-05-10 07:04:37.571 UTC [endorser] simulateProposal -> ERRO 46f failed to invoke chaincode name:"lscc" on transaction ab495b01b14bd8d7ecb79e7effa67be8ce4724cea48b6f81e491011b1fb7e6ff, error: Timeout expired while starting chaincode mycc:1.0(networkid:dev,peerid:peer0.networkname,tx:ab495b01b14bd8d7ecb79e7effa67be8ce4724cea48b6f81e491011b1fb7e6ff)
```
And the orderer logs show this:
```
2018-05-10 06:24:21.371 UTC [orderer/main] func1 -> DEBU 373 Closing Broadcast stream
2018-05-10 06:59:37.203 UTC [orderer/main] Broadcast -> DEBU 374 Starting new Broadcast handler
2018-05-10 06:59:37.203 UTC [orderer/common/broadcast] Handle -> DEBU 375 Starting new broadcast loop
2018-05-10 07:04:37.573 UTC [orderer/common/broadcast] Handle -> WARN 376 Error reading from stream: rpc error: code = Canceled desc = context canceled
```

aambati (Fri, 11 May 2018 01:31:39 GMT):
@rupa12 it is not obvious to me what the problem is from looking at the logs...better if you ask this in fabric-chaincode-dev or fabric-peer channel

ikinique (Fri, 11 May 2018 01:35:10 GMT):
Has joined the channel.

crj (Fri, 11 May 2018 06:27:38 GMT):
Has joined the channel.

ondar07 (Fri, 11 May 2018 07:12:59 GMT):

ca-server.log

ondar07 (Fri, 11 May 2018 07:13:52 GMT):

ca-client.log

ondar07 (Fri, 11 May 2018 07:14:36 GMT):
@skarim I uploaded the log files above

blackgeneral (Fri, 11 May 2018 09:49:53 GMT):
Hi, I tried to create a fabric network using kafka and zookeeper, but I didn't create a channel. How can I create a channel and a fabric network? Can you help me?

hrt031293 (Fri, 11 May 2018 10:43:43 GMT):
Does anyone know about "Delta"? I had read that term somewhere in the docs only, "to calculate delta", regarding to that I am asking. Thanks in advance

hrt031293 (Fri, 11 May 2018 10:43:43 GMT):
Hello, Does anyone know about "Delta"? I had read that term somewhere in the docs only, "to calculate delta", regarding to that I am asking. Thanks in advance

VadimInshakov (Fri, 11 May 2018 10:53:26 GMT):
Has joined the channel.

VadimInshakov (Fri, 11 May 2018 10:58:32 GMT):
Please, help me to install fabric CA. I execute these commands:
```
go get -u github.com/hyperledger/fabric-ca/cmd/...
fabric-ca-server init -b admin:adminpw
```
And I see this error: https://imgur.com/a/OpQWA8R How can I solve this problem?

VadimInshakov (Fri, 11 May 2018 10:58:32 GMT):
Please, help me to install fabric CA. I execute these commands:
```
go get -u github.com/hyperledger/fabric-ca/cmd/...
fabric-ca-server init -b admin:adminpw
```
And I see this error:
```
2018/05/11 13:47:37 [INFO] Configuration file location: /home/vadim/fabric-ca-server-config.yaml
panic: Version is not set for fabric-ca library
```
https://imgur.com/a/OpQWA8R How can I solve this problem?

aambati (Fri, 11 May 2018 13:55:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cTHGvsXGRp2TBCv9a) @VadimInshakov `go get -u -ldflags "-X github.com/hyperledger/fabric-ca/lib/metadata.Version=1.1.0" github.com/hyperledger/fabric-ca/cmd/...`

aambati (Fri, 11 May 2018 13:55:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cTHGvsXGRp2TBCv9a) @VadimInshakov pls run this:`go get -u -ldflags "-X github.com/hyperledger/fabric-ca/lib/metadata.Version=1.1.0" github.com/hyperledger/fabric-ca/cmd/...`

VadimInshakov (Fri, 11 May 2018 13:57:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QhMv4Tasb6NkbAfKN) @aambati Thanks. I already started CA server in docker container, it works fine.

VadimInshakov (Fri, 11 May 2018 13:57:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QhMv4Tasb6NkbAfKN) @aambati Thanks. I already started CA server in docker container, it works fine.

aambati (Fri, 11 May 2018 14:03:47 GMT):
@ondar07 Client log shows that certificate with `472C152CE38569902C31C1CC46B32844C6B567F2 AKI:b289841489e0c5f0161d71421c05c60af317f346` was successfully revoked ...but this certificate that was used to register user1 is
```
2018/05/11 10:07:11 [DEBUG] Checking for revocation/expiration of certificate owned by 'admin2'
2018/05/11 10:07:11 [DEBUG] DB: Get certificate by serial (428aa28fe81c86098d9cf03b56b138121fc0cfba) and aki (b289841489e0c5f0161d71421c05c60af317f346)
```

aambati (Fri, 11 May 2018 14:03:47 GMT):
@ondar07 Client log shows that certificate with `472C152CE38569902C31C1CC46B32844C6B567F2 AKI:b289841489e0c5f0161d71421c05c60af317f346` was successfully revoked ...but this certificate that was used to register user1 is
```
2018/05/11 10:07:11 [DEBUG] Checking for revocation/expiration of certificate owned by 'admin2'
2018/05/11 10:07:11 [DEBUG] DB: Get certificate by serial (428aa28fe81c86098d9cf03b56b138121fc0cfba) and aki (b289841489e0c5f0161d71421c05c60af317f346)
```

aambati (Fri, 11 May 2018 14:03:47 GMT):
@ondar07 Client log shows that certificate with `Serial:472C152CE38569902C31C1CC46B32844C6B567F2 AKI:b289841489e0c5f0161d71421c05c60af317f346` was successfully revoked ...but this certificate that was used to register user1 is
```
2018/05/11 10:07:11 [DEBUG] Checking for revocation/expiration of certificate owned by 'admin2'
2018/05/11 10:07:11 [DEBUG] DB: Get certificate by serial (428aa28fe81c86098d9cf03b56b138121fc0cfba) and aki (b289841489e0c5f0161d71421c05c60af317f346)
```
What do you see in the OLD_ADMIN2_HOME\msp/\

aambati (Fri, 11 May 2018 14:03:47 GMT):
@ondar07 Client log shows that certificate with `Serial:472C152CE38569902C31C1CC46B32844C6B567F2 AKI:b289841489e0c5f0161d71421c05c60af317f346` was successfully revoked ...but this certificate that was used to register user1 is
```
2018/05/11 10:07:11 [DEBUG] Checking for revocation/expiration of certificate owned by 'admin2'
2018/05/11 10:07:11 [DEBUG] DB: Get certificate by serial (428aa28fe81c86098d9cf03b56b138121fc0cfba) and aki (b289841489e0c5f0161d71421c05c60af317f346)
```
What do you see in the OLD_ADMIN2_HOME\msp\signcerts and NEW_ADMIN2_HOME\msp\signcerts folders? Which cert has serial `472C152CE38569902C31C1CC46B32844C6B567F2`?

aambati (Fri, 11 May 2018 14:03:47 GMT):
@ondar07 Client log shows that certificate with `Serial:472C152CE38569902C31C1CC46B32844C6B567F2 AKI:b289841489e0c5f0161d71421c05c60af317f346` was successfully revoked ...but this certificate that was NOT used to register user1 is
```
2018/05/11 10:07:11 [DEBUG] Checking for revocation/expiration of certificate owned by 'admin2'
2018/05/11 10:07:11 [DEBUG] DB: Get certificate by serial (428aa28fe81c86098d9cf03b56b138121fc0cfba) and aki (b289841489e0c5f0161d71421c05c60af317f346)
```
What do you see in the OLD_ADMIN2_HOME\msp\signcerts and NEW_ADMIN2_HOME\msp\signcerts folders? Which cert has serial `472C152CE38569902C31C1CC46B32844C6B567F2`?

aambati (Fri, 11 May 2018 14:08:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mNpT6dXz5r9nvzEbc) @blackgeneral you can create channel using peer command line...There are a number of examples that demonstrate channel creation, for example check : https://github.com/hyperledger/fabric-samples/tree/release-1.1/fabric-ca

ondar07 (Fri, 11 May 2018 14:46:20 GMT):
@aambati cert of OLD_ADMIN2_HOME\msp\signcerts has serial `472C152CE38569902C31C1CC46B32844C6B567F2`, and it is expected, it was this certificate I wanted to revoke. But cert of NEW_ADMIN2_HOME\msp\signcerts has serial `428aa28fe81c86098d9cf03b56b138121fc0cfba`, and for some reason it is used to register a user1, although I used the old certificate. Apparently, I'm doing something wrong...

toddinpal (Fri, 11 May 2018 14:50:35 GMT):
I was just watching the video done by Keith Smith about ABAC and he states in the video that external CA's won't be able to be used with ABAC. Can someone explain why?

aambati (Fri, 11 May 2018 14:54:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3v5wKuiTCiquKQ5TW) @ondar07 you are setting client home to old admin home: `export FABRIC_CA_CLIENT_HOME=$OLD_ADMIN2_HOME`, so I am not sure either why it used the new cert for registering the user

aambati (Fri, 11 May 2018 14:56:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=peQaADc83gPApsdXr) @toddinpal So, if you use external CA to issue certs for the users transacting on the network, then those certs will not have attributes

toddinpal (Fri, 11 May 2018 14:57:35 GMT):
@aambati The assumption being that external CAs can't provide those attributes?

toddinpal (Fri, 11 May 2018 15:11:40 GMT):
Also, how was the OID 1.2.3.4.5.6.7.8.1 chosen?

aambati (Fri, 11 May 2018 16:43:03 GMT):
@toddinpal yes... I think it was randomly chosen

toddinpal (Fri, 11 May 2018 17:24:20 GMT):
Why does the MSP only support ECDSA and not RSA?

toddinpal (Fri, 11 May 2018 17:24:20 GMT):
Why does the MSP only support ECDSA and not RSA?

rupa12 (Fri, 11 May 2018 19:33:05 GMT):
Hi @aambati: Thank you ... I am able to instantiate and query the chaincode now. Don't know how, but it started to work with the same environment variables which I had for the peer container. I have another question: I am trying to make another peer from a different machine join the channel, but it is failing with the following error:
```
2018-05-11 19:18:49.476 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing local MSP
2018-05-11 19:18:49.476 UTC [msp] GetDefaultSigningIdentity -> DEBU 002 Obtaining default signing identity
Error: Error getting endorser client channel: PER:404 - Error trying to connect to local peer
/opt/gopath/src/github.com/hyperledger/fabric/peer/common/common.go:116 github.com/hyperledger/fabric/peer/common.GetEndorserClient
/opt/gopath/src/github.com/hyperledger/fabric/peer/channel/channel.go:149 github.com/hyperledger/fabric/peer/channel.InitCmdFactory
/opt/gopath/src/github.com/hyperledger/fabric/peer/channel/join.go:138 github.com/hyperledger/fabric/peer/channel.join
/opt/gopath/src/github.com/hyperledger/fabric/peer/channel/join.go:42 github.com/hyperledger/fabric/peer/channel.joinCmd.func1
/opt/gopath/src/github.com/hyperledger/fabric/vendor/github.com/spf13/cobra/command.go:599 github.com/hyperledger/fabric/vendor/github.com/spf13/cobra.(*Command).execute
/opt/gopath/src/github.com/hyperledger/fabric/vendor/github.com/spf13/cobra/command.go:689 github.com/hyperledger/fabric/vendor/github.com/spf13/cobra.(*Command).ExecuteC
/opt/gopath/src/github.com/hyperledger/fabric/vendor/github.com/spf13/cobra/command.go:648 github.com/hyperledger/fabric/vendor/github.com/spf13/cobra.(*Command).Execute
/opt/gopath/src/github.com/hyperledger/fabric/peer/main.go:118 main.main
/opt/go/src/runtime/proc.go:192 runtime.main
/opt/go/src/runtime/asm_amd64.s:2087 runtime.goexit
Caused by: context deadline exceeded
2018-05-11 19:18:52.478 UTC [grpc] Printf -> DEBU 003 grpc: addrConn.resetTransport failed to create client transport: connection error: desc = "transport: Error while dialing dial tcp xx.xx.xx.xx:7051: operation was canceled"; Reconnecting to {peer4.tharthar:7051 }
Usage:
  peer channel join [flags]

Flags:
  -b, --blockpath string   Path to file containing genesis block

Global Flags:
      --cafile string             Path to file containing PEM-encoded trusted certificate(s) for the ordering endpoint
      --logging-level string      Default logging level and overrides, see core.yaml for full syntax
  -o, --orderer string            Ordering service endpoint
      --test.coverprofile string  Done (default "coverage.cov")
      --tls                       Use TLS when communicating with the orderer endpoint
  -v, --version                   Display current version of fabric peer server
```

acbellini (Fri, 11 May 2018 23:00:09 GMT):
Has joined the channel.

VadimInshakov (Sat, 12 May 2018 16:38:26 GMT):
How to use fabric-ca instead of cryptogen? I'm trying to use fabric-ca running in a docker container. I initialized the server CA with TLS, but what to do next? How to generate crypto material for each peer and orderer? I do not understand what the sequence of steps should be.

VadimInshakov (Sun, 13 May 2018 11:04:22 GMT):
It's very urgent. Please help me.

aambati (Sun, 13 May 2018 14:32:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FWzNtAgM4zSaMGqQf) @VadimInshakov Can you please check https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca ... it is a sample that uses fabric-ca to generate x509 credentials for peers, orderers, and users... please have a look and let me know if you have any specific questions... basically, that example starts a CA for each org, enrolls the bootstrap admin to get x509 credentials, then, using these credentials, creates credentials for the peer and other users

VadimInshakov (Sun, 13 May 2018 16:45:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2Lv4AHH4Ra6bTuPMu) @aambati it creates CA configuration for sample network, but I had to figure out how to set up the CA for my network on my own. Scripts from the example hide the whole point. Now I understand how it works. Thank you.

blackgeneral (Mon, 14 May 2018 01:41:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zmGubuEdk5cLdX3ZE) @aambati hi, I am modifying the fabric-ca scripts to use an ordering service that consists of kafka and zookeeper, but my script is not working at the channel creation part. Do you know what the problem is? Or do you have sample code or a yaml file?

naveen_saravanan (Mon, 14 May 2018 06:28:23 GMT):
Is it possible to host the data stored in the couchdb instance of the fabric-starter into a different machine?

versus (Mon, 14 May 2018 09:03:37 GMT):
Has joined the channel.

ondar07 (Mon, 14 May 2018 10:02:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2pDJnoay2La7zvCC5) @aambati Sorry, it was my fault. I forgot to fix the msp directory in the fabric-ca-client-config.yaml file of old_admin2, so 'user1' registering used credentials of valid certificate. Thanks for your help!

bansalru (Mon, 14 May 2018 12:11:29 GMT):
Has joined the channel.

guolidong (Mon, 14 May 2018 12:29:14 GMT):
panic

guolidong (Mon, 14 May 2018 12:30:22 GMT):
```
guolidong:/opt/gopath/src/github.com/hyperledger/fabric-ca$ fabric-ca-server init -b admin:adminpw
2018/05/14 20:09:46 [INFO] Configuration file location: /opt/gopath/src/github.com/hyperledger/fabric-ca/fabric-ca-server-config.yaml
panic: Version is not set for fabric-ca library

goroutine 1 [running]:
github.com/hyperledger/fabric-ca/lib/metadata.GetVersion(0x4013607, 0xc4202c47e0)
	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/metadata/version.go:58 +0x60
github.com/hyperledger/fabric-ca/lib.(*Server).init(0xc4202c47e0, 0xc4202af000, 0x4879cd2, 0xc420147bf0)
	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:98 +0x29
github.com/hyperledger/fabric-ca/lib.(*Server).Init(0xc4202c47e0, 0xc4202c4700, 0x0, 0xc420147c50)
	/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:88 +0x38
main.(*ServerCmd).init.func2(0xc42008afc0, 0xc4200dffa0, 0x0, 0x2, 0x0, 0x0)
	/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/servercmd.go:102 +0xfc
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute(0xc42008afc0, 0xc4200dfe00, 0x2, 0x2, 0xc42008afc0, 0xc4200dfe00)
	/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 +0x3e8
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0xc42008ad80, 0x460b436, 0xc420082b40, 0xc420082b40)
	/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 +0x2fe
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute(0xc42008ad80, 0xc4201003c0, 0xc420082b40)
	/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 +0x2b
main.(*ServerCmd).Execute(0xc420082b40, 0x4, 0x1)
	/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/servercmd.go:69 +0x2f
main.RunMain(0xc420010140, 0x4, 0x4, 0xc420147f70, 0x460cbfb)
	/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:45 +0xb0
main.main()
	/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:27 +0x45
guolidong:/opt/gopath/src/github.com/hyperledger/fabric-ca$
```

aambati (Mon, 14 May 2018 13:49:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ECTHvZXqAEvF5PfZE) @blackgeneral I don't have sample code... so you are trying to change the fabric-ca sample to work with a Kafka ordering service? I think someone in this group tried to do this before. What error are you getting? I have not tried to do this, but I would think it is just a matter of changing peer configurations to point to the kafka endpoint after you have changed the docker-compose file to include the relevant kafka related containers

aambati (Mon, 14 May 2018 13:49:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xWXGLomhzAMjfzCNx) @guolidong if you used go get command to get fabric-ca binaries, use this command : `go get -u -ldflags "-X github.com/hyperledger/fabric-ca/lib/metadata.Version=1.1.0" github.com/hyperledger/fabric-ca/cmd/...`

gravity (Mon, 14 May 2018 16:32:16 GMT):
Hello @aambati I have a question about fabric-ca server. Should I run a separate fabric-ca-server for every organization and every orderer, like it is implemented in the fabric-ca sample?

XingqiangMao (Mon, 14 May 2018 16:39:41 GMT):
Hi Pals, getting issue "failed to create deliver client: orderer client failed to connect to $IP:7050: failed to create new connection: x509: cannot validate certificate for $IP because it doesn't contain any IP SANs". I am trying to connect to the orderer from another IP address. It is in the local network. Any idea what I should do for the cert files?

aambati (Mon, 14 May 2018 17:49:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cfjQngZCAKAogf2nY) @gravity yes, that is the best practice

gravity (Mon, 14 May 2018 17:53:08 GMT):
@aambati got it, thanks

aambati (Mon, 14 May 2018 17:54:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qP5bi68LfqrAAchXC) @XingqiangMao Make sure there is DNS entry for the host in the `X509v3 Subject Alternative Name` section of `X509v3 extensions`

XingqiangMao (Mon, 14 May 2018 18:50:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6vbxKMa6RpCXWijYP) @aambati Hi, I am using MacOS now. Could you please tell me where I can find this configuration?

skarim (Mon, 14 May 2018 20:32:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9B5Jjx4KJsX4cDMWg) @XingqiangMao You can use OpenSSL to examine the certificate. The command would look like: `openssl x509 -noout -text -in `

XingqiangMao (Mon, 14 May 2018 20:33:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9M52bphgxrtATHGYA) @skarim I see thank you for reply. I am still using cryptogen tool. Is that an option?

skarim (Mon, 14 May 2018 20:34:00 GMT):
even if you are using cryptogen, you should be able to use openssl to examine the certificate that it generated

hnadim (Mon, 14 May 2018 22:15:08 GMT):
Has joined the channel.

rupa12 (Tue, 15 May 2018 05:34:55 GMT):
Can someone please help me trace down this problem (this is when I am trying to create the channel from my cli container):
```
2018-05-15 02:25:48.164 UTC [grpc] Printf -> DEBU 003 grpc: addrConn.resetTransport failed to create client transport: connection error: desc = "transport: authentication handshake failed: read tcp xxx.xx.x.x:32938->xxx.xxx.xx.xx:7050: read: connection reset by peer"; Reconnecting to {orderer.example:7050 }
```
I have tried to check with wireshark but so far nothing helped. I have the cli on machineA and peer0, the orderer and the fabric CA server on machineB. MachineB is behind a firewall, and the ports 7051, 7050, 7054 and 5984 are all open and listening.

davidkhala (Tue, 15 May 2018 06:04:06 GMT):
I found setting ENV FABRIC_CA_SERVER_CSR_CN will not work, is it true?

rupa12 (Tue, 15 May 2018 06:18:34 GMT):
Just to add to my question above, these are the logs from the orderer:
```
2018-05-15 04:13:59.211 UTC [grpc] Printf -> DEBU 22f grpc: Server.Serve failed to complete security handshake from "xx.x.xx.xxx:46434": tls: no cipher suite supported by both client and server
2018-05-15 04:13:59.233 UTC [grpc] Printf -> DEBU 230 grpc: Server.Serve failed to complete security handshake from "xx.x.xx.xxx:46446": tls: no cipher suite supported by both client and server
2018-05-15 04:13:59.261 UTC [grpc] Printf -> DEBU 231 grpc: Server.Serve failed to complete security handshake from "xx.x.xx.xx:46454": tls: no cipher suite supported by both client and server
```
Not sure if it has to do with some 'go' version mismatch between machineA and machineB ...

sauravverma (Tue, 15 May 2018 10:29:48 GMT):
Has joined the channel.

aambati (Tue, 15 May 2018 13:50:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cGJimCeCcozgfn4cF) @davidkhala it should work...do you have csr stanza in your server config file?

aambati (Tue, 15 May 2018 13:53:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4CBqoobtczA5FErfE) @rupa12 and you are using peer command line client to create channel, right? Can you tell from the wireshark what suites are being used ? Client and server are using the same fabric and go versions, right? just want to make sure

aambati (Tue, 15 May 2018 14:01:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9B5Jjx4KJsX4cDMWg) @XingqiangMao what I meant was there should be a DNS entry in the `X509v3 Subject Alternative Name` section of the TLS certificate. As @skarim suggested, use openssl to see what DNS entries are in the certificate... If you are using fabric CA to generate TLS certs, you can specify the csr.hosts (--csr.hosts command line argument) property

aambati (Tue, 15 May 2018 14:08:49 GMT):
nm...i think i have figured it out...:)

XingqiangMao (Tue, 15 May 2018 16:12:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=m5RGNfhH399Sydf4J) @aambati Thank you for the reply.... Getting a new issue "failed to create new connection: context deadline exceeded" when I try to fetch the channel from another peer: `peer channel fetch 0 mychannel.block -o orderer.example.com:7050 -c mychannel --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem`

rupa12 (Tue, 15 May 2018 18:24:54 GMT):
@aambati : Yes, I am using the 'peer create channel' command to create the channel. I ran the `openssl ciphers -v | awk '{print $2}' | sort | uniq` command on both machineA and machineB and this is what I get:
```
SSLv3
TLSv1.2
```
MachineA is using go1.9.2 linux/386 and machineB is using go1.9.5 linux/amd64. The Fabric version on both machines is the same, which is 1.0.6.

vsadriano (Tue, 15 May 2018 18:57:37 GMT):
Hi! I'm trying to integrate the REST API of the balance transfer example with another network and I'm getting the error below:
```shell
[2018-05-15 15:36:26.436] [ERROR] Helper - Failed to get registered user: Teste with error: Error: Enrollment failed with errors [[{"code":19,"message":"CA 'my-ca' does not exist"}]]
```
My network config:
```yaml
...
organizations:
  Org1:
    mspid: org1MSP
    peers:
      - peer0
    certificateAuthorities:
      - my-ca
    adminPrivateKey:
      path: $PATH_TO_KEYSTORE
    signedCert:
      path: $PATH_TO_SIGNED_CERTS
...
certificateAuthorities:
  my-ca:
    httpOptions:
      verify: false
    tlsCACerts:
      path: $PATH_TO_CA_CERT
...
```
Any idea?

skarim (Tue, 15 May 2018 20:01:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vTfByvDBWyEeZTE7J) @vsadriano How are you issuing the enroll request? In your request, do you specify 'my-ca' as the CA to enroll with? If so, did you configure your server configuration to name the CA 'my-ca'? This is the configuration to investigate:
```yaml
#############################################################################
#  The CA section contains information related to the Certificate Authority
#  including the name of the CA, which should be unique for all members
#  of a blockchain network.  It also includes the key and certificate files
#  used when issuing enrollment certificates (ECerts) and transaction
#  certificates (TCerts).
#  The chainfile (if it exists) contains the certificate chain which
#  should be trusted for this CA, where the 1st in the chain is always the
#  root CA certificate.
#############################################################################
ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:
```

davidkhala (Wed, 16 May 2018 01:55:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XXRFqq8FZZ5giX5cj) @aambati No, I found that even if I set FABRIC_CA_SERVER_CSR_CN, the `fabric-ca-server start` process still reads the preset common name, which is example.com.....

davidkhala (Wed, 16 May 2018 01:56:33 GMT):
The default common name is seemingly read from the default config file, since I do not mount a config file into the container.

davidkhala (Wed, 16 May 2018 02:06:57 GMT):
@aambati And another question: if no `ca.certfile` or `ca.keyfile` is provided to fabric-ca, will `fabric-ca-server init` generate them according to the csr config (no matter whether it is from the config file or the docker env)?

davidkhala (Wed, 16 May 2018 02:20:22 GMT):
I possibly know the reason... before I use `fabric-ca-server init`, I have to `rm ca-key.pem` and `rm ca-cert.pem` manually, otherwise the init root cert process will be skipped.

umapm113 (Wed, 16 May 2018 05:52:41 GMT):
Has joined the channel.

blackgeneral (Wed, 16 May 2018 06:20:16 GMT):

zookeeper2_error.png

blackgeneral (Wed, 16 May 2018 06:20:21 GMT):
hi, I constructed a network using 4 kafka nodes and 3 zookeeper nodes. Then I found a zookeeper log with an error at the zookeeper2 node. Do you know about that?

vsadriano (Wed, 16 May 2018 10:21:10 GMT):
@skarim
01. Following the [balance transfer example](https://github.com/hyperledger/fabric-samples/tree/master/balance-transfer/):
```shell
curl -s -X POST http://localhost:4000/users -H "content-type: application/x-www-form-urlencoded" -d 'username=Jim&orgName=Org1'
```
02. Yes! The CA name is in `network-config.yaml` as I previously sent;
03. Yes! On my Fabric CA I set `FABRIC_CA_SERVER_CA_NAME=my-ca`.

aambati (Wed, 16 May 2018 13:41:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pMHmwAsxDp48YzPQj) @davidkhala yes, it will generate using csr section in the server config file

aambati (Wed, 16 May 2018 14:33:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qZ7LNtHTw2E7avEQb) @davidkhala I will try to reproduce if you can give me exact steps...we can open a bug if we are able to reproduce

skarim (Wed, 16 May 2018 15:08:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cucubMgdus93h7vkG) @vsadriano Do you have logs with debug enabled from the fabric ca server? I want to confirm if the environment variable to set the ca name got picked up. I tried on my local machine (not docker) and using fabric-ca-client, and it seems to be working

vsadriano (Wed, 16 May 2018 17:28:44 GMT):
@skarim
```shell
# Fabric CA logs
2018/05/16 17:16:07 [DEBUG] Received request for /api/v1/enroll
2018/05/16 17:16:07 [DEBUG] DB: Getting identity admin
2018/05/16 17:16:07 [DEBUG] ca.Config: &{Version:1.1.0 Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name:my-ca Keyfile:/etc/hyperledger/fabric-ca-server-config/290ed5287d1b306f690f22a2d3bbdeb04e93540729ca65bca50991be050b85a2_sk Certfile:/etc/hyperledger/fabric-ca-server-config/my-ca-cert.pem Chainfile:/etc/hyperledger/fabric-ca-server/ca-chain.pem} Signing:0xc420364520 CSR:{CN:my-ca Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[my-ca localhost] KeyRequest: CA:0xc4202f7c60 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1 hf.Registrar.Roles:peer,orderer,client,user hf.Registrar.DelegateRoles:peer,orderer,client,user] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:/etc/hyperledger/fabric-ca-server/fabric-ca-server.db TLS:{false [] { }} } CSP:0xc420362450 Client: Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** Profile: Label: CSR: CAName: AttrReqs:[] }} CRL:{Expiry:24h0m0s}}
2018/05/16 17:16:07 [DEBUG] DB: Login user admin with max enrollments of -1 and state of 0
2018/05/16 17:16:07 [DEBUG] DB: identity admin successfully logged in
2018/05/16 17:16:07 [DEBUG] Request is not for a CA signing certificate
2018/05/16 17:16:07 [DEBUG] Processing sign request: id=admin, CommonName=admin, Subject=
2018/05/16 17:16:07 [DEBUG] DB: Getting identity admin
2018/05/16 17:16:07 [DEBUG] Checking CSR fields to make sure that they do not exceed maximum character limits
2018/05/16 17:16:07 [DEBUG] DB: Getting identity admin
2018/05/16 17:16:07 [DEBUG] Finished processing sign request
2018/05/16 17:16:07 [INFO] signed certificate with serial number 289624993258822006356691440545181816101557013245
2018/05/16 17:16:07 [DEBUG] Saved serial number as hex 32bb3bde94eba99d2299aab3e0c825aba5a48afd
2018/05/16 17:16:07 [DEBUG] DB: Insert Certificate
2018/05/16 17:16:07 [DEBUG] saved certificate with serial number 289624993258822006356691440545181816101557013245
2018/05/16 17:16:07 [DEBUG] Successfully incremented state for identity admin to 1
2018/05/16 17:16:07 [INFO] 10.79.79.0:12692 POST /api/v1/enroll 201 0 "OK"

# App Node logs
[2018-05-16 14:16:07.628] [ERROR] Helper - Failed to get registered user: Jim with error: Error: fabric-ca request register failed with errors [[{"code":19,"message":"CA 'my-ca' does not exist"}]]
[2018-05-16 14:16:07.628] [DEBUG] SampleWebApp - -- returned from registering the username Jim for organization Org1
[2018-05-16 14:16:07.628] [DEBUG] SampleWebApp - Failed to register the username Jim for organization Org1 with::failed Error: fabric-ca request register failed with errors [[{"code":19,"message":"CA 'my-ca' does not exist"}]]
```

vsadriano (Wed, 16 May 2018 17:31:55 GMT):
On the container:
```shell
$ kubectl exec -it my-ca-2260360644-ztpg7 -- env | grep FABRIC_CA_SERVER_CA_NAME
FABRIC_CA_SERVER_CA_NAME=my-ca
```

gravity (Wed, 16 May 2018 18:19:30 GMT):
Hi there, is it possible to restrict chaincode invocation to particular users? I mean, if there is an organization with 4 peers, peer0 and peer1 are in channel A, peer2 and peer3 are in channel B, and there are 4 users registered with fabric-ca, is it possible to allow user0 and user1 to have access only to channel A, and user2 and user3 to have access only to channel B? Thanks in advance

skarim (Wed, 16 May 2018 18:30:05 GMT):
@vsadriano The logs you posted show a register request on the app, but then on the server I see an enroll request being processed. Do you have matching logs from the failed request?

vsadriano (Wed, 16 May 2018 18:42:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TvBntNfLdJ5XejiAs) @skarim the server log was generated by the request sent above.

vsadriano (Wed, 16 May 2018 18:45:33 GMT):
`getRegisteredUser` method is failing.

davidkhala (Thu, 17 May 2018 01:44:26 GMT):
@aambati yes, it could be reproduced, see my issue https://jira.hyperledger.org/browse/FAB-10160

davidkhala (Thu, 17 May 2018 01:59:30 GMT):
@aambati another problem is that the self-generated `tls-cert.pem` file (from the configured csr section) could not be used in fabric-node-sdk as trustedRoots

chongxinman (Thu, 17 May 2018 06:38:21 GMT):
Has joined the channel.

rupa12 (Thu, 17 May 2018 06:43:24 GMT):
@aambati : any suggestions? While checking through wireshark I could see RST, ACK packets immediately after the SYN, ACK packets between machineA and machineB. Like I was saying, machineB is behind a firewall, but when I checked the ports it is listening on, I could see 7050 there ... so it doesn't look to me like a firewall issue, or is it?

shwetacse5 (Thu, 17 May 2018 10:02:32 GMT):
Has joined the channel.

mastersingh24 (Thu, 17 May 2018 10:45:47 GMT):
@rupa12 ..... what do the orderer logs say?

aambati (Thu, 17 May 2018 15:41:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cM5tkXQ9im4rpABBz) @gravity you could check for attributes using ABAC (https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#attribute-based-access-control) in the chaincode and return an error if the user does not have an attribute ...for example, user0 and user1 will have dept=hr attribute, and in the Channel A chaincode will check for dept attribute , if the value is not hr, it will return error

aambati (Thu, 17 May 2018 15:42:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MkZ3vZAKKzWygiyBe) @mastersingh24 she pinged this before:
```
2018-05-15 04:13:59.211 UTC [grpc] Printf -> DEBU 22f grpc: Server.Serve failed to complete security handshake from "xx.x.xx.xxx:46434": tls: no cipher suite supported by both client and server
2018-05-15 04:13:59.233 UTC [grpc] Printf -> DEBU 230 grpc: Server.Serve failed to complete security handshake from "xx.x.xx.xxx:46446": tls: no cipher suite supported by both client and server
2018-05-15 04:13:59.261 UTC [grpc] Printf -> DEBU 231 grpc: Server.Serve failed to complete security handshake from "xx.x.xx.xx:46454": tls: no cipher suite supported by both client and server
```

aambati (Thu, 17 May 2018 15:43:31 GMT):
and this:
```
Yes I am using 'peer create channel' command to create the channel. I ran `openssl ciphers -v | awk '{print $2}' | sort | uniq` command on both machineA and machineB and this is what I get :
SSLv3
TLSv1.2
MachineA is using go go1.9.2 linux/386 and machineB is using go1.9.5 linux/amd64. The Fabric version in both the machine is the same which 1.0.6.
```

aambati (Thu, 17 May 2018 15:54:35 GMT):
@rupa12 print column 1 (which should give cipher names) for TLSv1.2 ....linux versions are same as well?

aambati (Thu, 17 May 2018 15:55:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zh8FhANnJPusNhRma) @davidkhala Thanks ...i will look into it

aambati (Thu, 17 May 2018 15:57:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vpJxmqeyR8oJc6aGf) @davidkhala so, you generated tls cert using tls profile? Not sure what you meant by self generated? Trusted Roots should have fabric CA root cert if you are going to make node-sdk trust a tls cert generated by Fabric CA

vick (Thu, 17 May 2018 17:22:50 GMT):
is there any way to unregister an identity from the fabric-ca-server using the fabric-ca-client?

vsadriano (Thu, 17 May 2018 17:27:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=neMdHLobJLFnn5zxx) @vick revoke certs?

vick (Thu, 17 May 2018 17:28:02 GMT):
i basically accidentally registered an identity with the wrong attributes

vick (Thu, 17 May 2018 17:28:12 GMT):
and now i want to set the attributes correctly but can't register it again

vick (Thu, 17 May 2018 17:28:22 GMT):
maybe i have to modify the attributes on the existing identity?

vick (Thu, 17 May 2018 17:28:40 GMT):
--id.attrs="[these attributes]"

vsadriano (Thu, 17 May 2018 17:29:26 GMT):
Did you see? http://hyperledger-fabric-ca.readthedocs.io/en/latest/clientcli.html

vsadriano (Thu, 17 May 2018 17:30:22 GMT):
See the `Identity Command` section.

gravity (Thu, 17 May 2018 17:39:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kvfwe3S9XKfkWRjFT) @aambati thanks, will check

Krishna2 1 (Thu, 17 May 2018 20:55:36 GMT):
Has joined the channel.

Krishna2 1 (Thu, 17 May 2018 20:58:41 GMT):
Hello - The fabric-ca is unable to open its own cert file (fabric-ca-srv-config) and returns 500 error stating the Permission Denied to open its cert file. This happens after the container has been up for a few minutes. Restarting entire network seems to fix this, but for only few minutes. Any clues or solutions?

Krishna2 1 (Thu, 17 May 2018 21:27:08 GMT):
Also, as a root, when I do docker exec into the ca container, it gives same error (Permission Denied) if I do ls on the /etc/hyperledger/fabric-ca-server-config directory

sudeshrshetty (Thu, 17 May 2018 21:28:08 GMT):
Has joined the channel.

Krishna2 1 (Thu, 17 May 2018 21:28:11 GMT):
however docker cp command works to copy the files out of the ca container

sudeshrshetty (Thu, 17 May 2018 21:29:42 GMT):
After 02858a79cabef1d0674ac8e2f6d35d818bab5619 fabric-ca isn't backward compatible any more, getting "Invalid token in authorization header: Token signature validation failed" was it intentional?

troyronda (Thu, 17 May 2018 21:33:54 GMT):
@smithbk ^^^^

chandrakanthm (Fri, 18 May 2018 00:36:31 GMT):
How can we implement password based user authentication in hyperledger fabric instead of bearer token ?

Glen (Fri, 18 May 2018 02:07:21 GMT):
Hi @aambati, I met this issue `"Identity 'admin' may not register type 'orderer'"` when using Fabric CA 1.0 with the admin identity's `hf.Registrar.Roles: "client,user,peer,orderer,validator,auditor"` configured in fabric-ca-server-config.yaml

Glen (Fri, 18 May 2018 02:07:50 GMT):
doesn't Fabric CA 1.0 support orderer type registration?

tronglx (Fri, 18 May 2018 03:18:33 GMT):
Has joined the channel.

davidkhala (Fri, 18 May 2018 03:56:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tJR3FdBzMgrpZqPZo) @aambati Not really, I have not specified any enroll profile. The command I used is like `fabric-ca-server start -d -b ${admin}:${adminpw} --tls.enabled` without mounting a config file. I guess it is the bootstrap process that does that, because the log shows:
```
2018/05/18 03:40:06 [DEBUG] TLS is enabled
2018/05/18 03:40:06 [DEBUG] TLS enabled but no certificate or key provided, automatically generate TLS credentials
2018/05/18 03:40:06 [DEBUG] TLS CSR: {CN:example.com Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[9178e362b0b7 localhost] KeyRequest: CA: SerialNumber:}
2018/05/18 03:40:06 [DEBUG] GenCSR &{CN:example.com Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[9178e362b0b7 localhost] KeyRequest: CA: SerialNumber:}
2018/05/18 03:40:06 [DEBUG] Initializing client with config: &{URL: MSPDir: TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** Profile: Label: CSR: CAName: AttrReqs:[] } CSR:{CN: Names:[] Hosts:[] KeyRequest: CA: SerialNumber:} ID:{Name: Type: Secret: MaxEnrollments:0 Affiliation: Attributes:[] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc4203247e0}
2018/05/18 03:40:06 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc420324840 PluginOpts: Pkcs11Opts:}
2018/05/18 03:40:06 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc42032fb80 DummyKeystore:}
2018/05/18 03:40:06 [INFO] generating key: &{A:ecdsa S:256}
2018/05/18 03:40:06 [DEBUG] generate key from request: algo=ecdsa, size=256
2018/05/18 03:40:06 [INFO] encoded CSR
2018/05/18 03:40:06 [INFO] signed certificate with serial number 383886086869827593827992705932681688700473359656
2018/05/18 03:40:06 [DEBUG] DB: Insert Certificate
2018/05/18 03:40:06 [DEBUG] Saved serial number as hex 433e0c282fd8109fe1f6cc0dae019707fdccbd28
2018/05/18 03:40:06 [DEBUG] saved certificate with serial number 383886086869827593827992705932681688700473359656
2018/05/18 03:40:06 [DEBUG] TLS Certificate: /etc/hyperledger/fabric-ca-server/tls-cert.pem, TLS Key:
```
So which fabric CA root cert should I choose in this case? tls-cert.pem or ca-cert.pem?

davidkhala (Fri, 18 May 2018 03:56:36 GMT):
@aambati [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tJR3FdBzMgrpZqPZo) No really, I have not specified any enroll profile; the command I used is like `fabric-ca-server start -d -b ${admin}:${adminpw} --tls.enabled`, without mounting a config file. I guess it is the bootstrap process that does that, because the log shows:
```
2018/05/18 03:40:06 [DEBUG] TLS is enabled
2018/05/18 03:40:06 [DEBUG] TLS enabled but no certificate or key provided, automatically generate TLS credentials
2018/05/18 03:40:06 [DEBUG] TLS CSR: {CN:example.com Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[9178e362b0b7 localhost] KeyRequest: CA: SerialNumber:}
2018/05/18 03:40:06 [DEBUG] GenCSR &{CN:example.com Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[9178e362b0b7 localhost] KeyRequest: CA: SerialNumber:}
2018/05/18 03:40:06 [DEBUG] Initializing client with config: &{URL: MSPDir: TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** Profile: Label: CSR: CAName: AttrReqs:[] } CSR:{CN: Names:[] Hosts:[] KeyRequest: CA: SerialNumber:} ID:{Name: Type: Secret: MaxEnrollments:0 Affiliation: Attributes:[] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc4203247e0}
2018/05/18 03:40:06 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc420324840 PluginOpts: Pkcs11Opts:}
2018/05/18 03:40:06 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc42032fb80 DummyKeystore:}
2018/05/18 03:40:06 [INFO] generating key: &{A:ecdsa S:256}
2018/05/18 03:40:06 [DEBUG] generate key from request: algo=ecdsa, size=256
2018/05/18 03:40:06 [INFO] encoded CSR
2018/05/18 03:40:06 [INFO] signed certificate with serial number 383886086869827593827992705932681688700473359656
2018/05/18 03:40:06 [DEBUG] DB: Insert Certificate
2018/05/18 03:40:06 [DEBUG] Saved serial number as hex 433e0c282fd8109fe1f6cc0dae019707fdccbd28
2018/05/18 03:40:06 [DEBUG] saved certificate with serial number 383886086869827593827992705932681688700473359656
2018/05/18 03:40:06 [DEBUG] TLS Certificate: /etc/hyperledger/fabric-ca-server/tls-cert.pem, TLS Key:
```
So which fabric CA root cert should I choose in this case? tls-cert.pem or ca-cert.pem?

rupa12 (Fri, 18 May 2018 04:18:47 GMT):
@mastersingh24 : This is what the orderer logs say:
```
2018-05-15 02:25:48.076 UTC [grpc] Printf -> DEBU 0cd grpc: Server.Serve failed to complete security handshake from "xx.xx.xxx.xxx:32938": read tcp xxx.xx.x.x: 7050->xx.xx.xxx.xxx:32938: read: connection reset by peer
2018-05-15 04:13:59.211 UTC [grpc] Printf -> DEBU 22f grpc: Server.Serve failed to complete security handshake from "xx.x.xx.xxx:46434": tls: no cipher suite supported by both client and server
2018-05-15 04:13:59.233 UTC [grpc] Printf -> DEBU 230 grpc: Server.Serve failed to complete security handshake from "xx.x.xx.xxx:46446": tls: no cipher suite supported by both client and server
2018-05-15 04:13:59.261 UTC [grpc] Printf -> DEBU 231 grpc: Server.Serve failed to complete security handshake from "xx.x.xx.xx:46454": tls: no cipher suite supported by both client and server
```
Like I had mentioned before, machineB is behind a firewall.

rupa12 (Fri, 18 May 2018 04:26:17 GMT):
@aambati : These are the cipher names after I print out column 1 on machineA and machineB : ``` AES128-GCM-SHA256 AES128-SHA AES128-SHA256 AES256-GCM-SHA384 AES256-SHA AES256-SHA256 CAMELLIA128-SHA CAMELLIA256-SHA DES-CBC3-SHA DH-DSS-AES128-GCM-SHA256 DH-DSS-AES128-SHA DH-DSS-AES128-SHA256 DH-DSS-AES256-GCM-SHA384 DH-DSS-AES256-SHA DH-DSS-AES256-SHA256 DH-DSS-CAMELLIA128-SHA DH-DSS-CAMELLIA256-SHA DH-DSS-DES-CBC3-SHA DH-DSS-SEED-SHA DHE-DSS-AES128-GCM-SHA256 DHE-DSS-AES128-SHA DHE-DSS-AES128-SHA256 DHE-DSS-AES256-GCM-SHA384 DHE-DSS-AES256-SHA DHE-DSS-AES256-SHA256 DHE-DSS-CAMELLIA128-SHA DHE-DSS-CAMELLIA256-SHA DHE-DSS-SEED-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA DHE-RSA-AES256-SHA256 DHE-RSA-CAMELLIA128-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-SEED-SHA DH-RSA-AES128-GCM-SHA256 DH-RSA-AES128-SHA DH-RSA-AES128-SHA256 DH-RSA-AES256-GCM-SHA384 DH-RSA-AES256-SHA DH-RSA-AES256-SHA256 DH-RSA-CAMELLIA128-SHA DH-RSA-CAMELLIA256-SHA DH-RSA-DES-CBC3-SHA DH-RSA-SEED-SHA ECDH-ECDSA-AES128-GCM-SHA256 ECDH-ECDSA-AES128-SHA ECDH-ECDSA-AES128-SHA256 ECDH-ECDSA-AES256-GCM-SHA384 ECDH-ECDSA-AES256-SHA ECDH-ECDSA-AES256-SHA384 ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-RC4-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA ECDH-RSA-AES128-GCM-SHA256 ECDH-RSA-AES128-SHA ECDH-RSA-AES128-SHA256 ECDH-RSA-AES256-GCM-SHA384 ECDH-RSA-AES256-SHA ECDH-RSA-AES256-SHA384 ECDH-RSA-DES-CBC3-SHA ECDH-RSA-RC4-SHA EDH-DSS-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA IDEA-CBC-SHA KRB5-DES-CBC3-MD5 KRB5-DES-CBC3-SHA KRB5-IDEA-CBC-MD5 KRB5-IDEA-CBC-SHA KRB5-RC4-MD5 KRB5-RC4-SHA PSK-3DES-EDE-CBC-SHA 
PSK-AES128-CBC-SHA PSK-AES256-CBC-SHA PSK-RC4-SHA RC4-MD5 RC4-SHA SEED-SHA ``` And the linux version on machineA is 3.10.0-693.17.1.el7.x86_64 and machineB is 3.10.0-862.el7.x86_64

7sigma (Fri, 18 May 2018 05:13:35 GMT):
Hi All, please let me know the difference between the addidentity and register functions. What are the differences, and what should I consider?

Krishna2 1 (Fri, 18 May 2018 05:38:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tTPwjsvwdgjraymLz)

Krishna2 1 (Fri, 18 May 2018 05:38:23 GMT):
Help needed on the above error, please!

Krishna2 1 (Fri, 18 May 2018 05:38:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=L4WtGzvBp5pmRBHWk)

Krishna2 1 (Fri, 18 May 2018 05:39:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QPugzhnvSmQ8nsRiW)

davidkhala (Fri, 18 May 2018 05:58:26 GMT):
@Krishna2 1 do you mount 'fabric-ca-server-config' from host to fabric-ca container?

davidkhala (Fri, 18 May 2018 05:58:45 GMT):
I mean, is it volume bindings?

davidkhala (Fri, 18 May 2018 06:39:18 GMT):
@Krishna2 1

ongar (Fri, 18 May 2018 08:12:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rGGaPF98pT2vbfSHY) @davidkhala Answering for Krishna - No, we don't mount. It is already there in the container

davidkhala (Fri, 18 May 2018 08:13:32 GMT):
@ongar Are you running on non-ubuntu OS?

ongar (Fri, 18 May 2018 08:13:49 GMT):
Yes. it is RHEL 7

ongar (Fri, 18 May 2018 08:15:32 GMT):
Any issues with non-ubuntu OS?

vick (Fri, 18 May 2018 10:01:52 GMT):
guys, what does this mean? --enrollment.profile string Name of the signing profile to use in issuing the certificate

vick (Fri, 18 May 2018 10:02:01 GMT):
in the command cli definition

vick (Fri, 18 May 2018 10:02:16 GMT):
name of the signing profile, on the fabric-ca-server, is this defined in the config?

vick (Fri, 18 May 2018 10:02:23 GMT):
that flag is passed in the client

troyronda (Fri, 18 May 2018 10:39:33 GMT):
@smithbk @aambati @sudeshrshetty created https://jira.hyperledger.org/browse/FAB-10205 for the issue sudesh mentioned above.

bh4rtp (Fri, 18 May 2018 11:15:40 GMT):
hi, i am using the latest master `fabric-ca`, the fabric-ca container started with an error:

bh4rtp (Fri, 18 May 2018 11:15:45 GMT):
```panic: Version is not set for fabric-ca library```

bh4rtp (Fri, 18 May 2018 11:15:55 GMT):
how to fix it?

mp (Fri, 18 May 2018 11:40:12 GMT):
hi, what is the correct way to specify FABRIC_CA_SERVER_CSR_NAMES as env variable to bootstrap server with non-default values? Tried export FABRIC_CA_SERVER_CSR_NAMES=[C:"RU",ST:"Moscow",O:"ORG1"] and export FABRIC_CA_SERVER_CSR_NAMES={C:"RU",ST:"Moscow",O:"ORG1} and bunch of others Still getting ``` * 'CSR.Names[0]' expected a map, got 'string' * 'CSR.Names[1]' expected a map, got 'string' * 'CSR.Names[2]' expected a map, got 'string' ```

migrenaa (Fri, 18 May 2018 13:03:51 GMT):
Has joined the channel.

migrenaa (Fri, 18 May 2018 13:28:07 GMT):
Hello guys, I have the following problem. I am working on a project that will have a Client App, where the users will be able to register and become users in the Hyperledger network. The users should be able to make transactions. The problem is that in order to communicate with the blockchain they need to have their certificates, so basically this means that we need to deliver the private key to the user via HTTPS which we don’t want to do for security reasons. We also don't want to store the private keys anywhere on our servers, so they need to remain on the client app. So, our idea is to generate the certificate from the client application and send only the public key via HTTPS and register it in the blockchain. I don’t see a way to implement this using Fabric CA. Could there be an easier solution than to implement our own Certificate Authority?

skarim (Fri, 18 May 2018 13:47:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wEs97qa9jcGypHX2Y) @bh4rtp if you used go get command to get fabric-ca binaries, use this command : `go get -u -ldflags "-X github.com/hyperledger/fabric-ca/lib/metadata.Version=1.1.0" github.com/hyperledger/fabric-ca/cmd/...`

skarim (Fri, 18 May 2018 13:50:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iQbaiLarhXxeXcFB4) @vick A CA can have multiple profiles for issuing different types of certificates. The profiles are configured on the server, and then client specifies which profile to get a certificate from by using --enrollment.profile flag. For instance, by default the fabric ca server has a 'ca', 'tls', and default profile. If you want a tls certificate you would use 'tls' as the profile name.

aambati (Fri, 18 May 2018 14:05:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=L4WtGzvBp5pmRBHWk) @Krishna2 1 can you pls open a JIRA ticket, pls provide as much details as possible

aambati (Fri, 18 May 2018 14:06:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dXMLw7jaWB9xQgDsE) @sudeshrshetty can you please explain the scenario... I am assuming you have an enrollment certificate, then updated the fabric-ca server, and later used the enrollment cert to send a request to the fabric-ca server?

aambati (Fri, 18 May 2018 14:09:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6t45F4qsSXXK99YxM) @davidkhala ok, so you are letting the server generate its own TLS cert/key pair... so you have to add the CA cert to the client's trusted roots for the client to be able to communicate with the server over TLS

troyronda (Fri, 18 May 2018 14:09:16 GMT):
@aambati regarding @sudeshrshetty scenario: https://jira.hyperledger.org/browse/FAB-10205

troyronda (Fri, 18 May 2018 14:09:44 GMT):
SDKs are not sending the token expected by the CA server so existing tests are failing with Authorization Failure.

aambati (Fri, 18 May 2018 14:10:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FEqWeM5QLo5rM56WT) @7sigma both do the same...any one is ok

troyronda (Fri, 18 May 2018 14:11:26 GMT):
I provided two CI log snippets (one from Java SDK and one from Go SDK) showing the failures.

aambati (Fri, 18 May 2018 14:12:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iQbaiLarhXxeXcFB4) @vick yes it is the signing profile that is specified in the server config...For getting tls cert, one would specify --enrollment.profile tls and for getting enrollment certs, dont need to specify --enrollment.profile flag

aambati (Fri, 18 May 2018 14:13:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cQr9tSC49ZnjT4dns) @troyronda will take a look

troyronda (Fri, 18 May 2018 14:13:47 GMT):
thanks

aambati (Fri, 18 May 2018 14:16:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wEs97qa9jcGypHX2Y) @bh4rtp oh, did you build the fabric-ca container locally? This error happens only if the `go get` command is used to get fabric-ca-server; the solution for this has been posted many times in this channel

aambati (Fri, 18 May 2018 14:21:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oKNL64AdjjMM2DQfv) @mp can you try `export FABRIC_CA_SERVER_CSR_NAMES="C=RU,ST=Moscow,O=ORG1"`

vick (Fri, 18 May 2018 14:28:30 GMT):
thanks @aambati @skarim

vick (Fri, 18 May 2018 14:28:54 GMT):
how do i specify an msp config path to the peer channel create command?

vick (Fri, 18 May 2018 14:30:07 GMT):
2017-11-30 17:08:12.039 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing local MSP

mp (Fri, 18 May 2018 14:41:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DPsL6kW4npxtkdEok) @aambati Nope, still same error

mp (Fri, 18 May 2018 14:41:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cp83rZJMgNp43LQBm) @aambati Same error with that

skarim (Fri, 18 May 2018 14:42:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EuJjWbvQuFjqQCFRW) @vick You can use the environment variable CORE_PEER_MSPCONFIGPATH to point to a specific msp.

vick (Fri, 18 May 2018 14:48:03 GMT):
thanks

aambati (Fri, 18 May 2018 15:15:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dHK8peTHF7ntDvafm) @mp sorry, I thought you were setting a client environment variable... the client supports converting comma separated values to a map, which is the type of csr.names... cobra does not support specifying map values as environment variables, so I think the only way to specify csr.names is in the config file

khalpin (Fri, 18 May 2018 15:53:14 GMT):
Has joined the channel.

header340 (Fri, 18 May 2018 15:54:40 GMT):
Has joined the channel.

bh4rtp (Fri, 18 May 2018 15:58:15 GMT):
@aambati @skarim thanks for your reply. i built local fabric-ca docker image using `FABRIC_CA_DYNAMIC_LINK=true make docker`. would you mind providing the answer link for me? i face this error the first time.

bh4rtp (Fri, 18 May 2018 16:42:42 GMT):
@aambati @skarim should https://github.com/hyperledger/fabric-ca/blob/master/Makefile#L65 be coded `METADATA_VAR = Version=$(BASE_VERSION)`?

skarim (Fri, 18 May 2018 16:43:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LsoXbjz4ZeTT4qTBy) @bh4rtp How did you get the latest code? Did you do a 'go get', before issuing the 'make docker' command?

skarim (Fri, 18 May 2018 16:44:16 GMT):
if you use the 'go get' posted in my earlier reply, that variable should get set

bh4rtp (Fri, 18 May 2018 16:44:54 GMT):
@skarim git clone -b master ...

skarim (Fri, 18 May 2018 16:45:08 GMT):
I would suggest using the go get

bh4rtp (Fri, 18 May 2018 17:11:50 GMT):
i cannot understand yet. the previous pulling was ok. but the latest failed.

skarim (Fri, 18 May 2018 17:19:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yWX4QrsixrbLf6SXd) @bh4rtp what was the error?

sasquatch85 (Fri, 18 May 2018 18:03:50 GMT):
Has joined the channel.

vick (Fri, 18 May 2018 22:42:30 GMT):
hi, in the fabric-ca-server yaml config, under identities there is a field called affiliation

vick (Fri, 18 May 2018 22:42:40 GMT):
can i have one identity affiliated to multiple organizations?

vick (Fri, 18 May 2018 22:42:48 GMT):
had a look through the documentation but it doesn't explain this

phanikumar (Sat, 19 May 2018 06:53:24 GMT):
Has joined the channel.

phanikumar (Sat, 19 May 2018 06:55:35 GMT):
Hi team, I am getting an error while setting up multi-org across 2 VMs following the fabric-samples example: `http2Client.notifyError got notified that the client transport` `was broken unexpected EOF.` `Error: Error receiving: rpc error: code = Unavailable desc = transport is closing`. I have copied the crypto-config and channel-artifacts folders to the 2nd VM. Is there anything that I am missing? I have been trying to resolve this error for the past week but no solution worked for me. Any help is really appreciated.

phanikumar (Sat, 19 May 2018 06:57:02 GMT):
When I am disabling TLS I am able to proceed further but in the end I am getting error

phanikumar (Sat, 19 May 2018 06:58:11 GMT):
Can someone help me resolve the above issue? I have been trying to resolve this for 2 weeks

7sigma (Sat, 19 May 2018 08:07:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JXwgzW5YEaNvWzeRZ) @aambati Many thanks

Buckley404 (Sat, 19 May 2018 13:33:53 GMT):
Has joined the channel.

Buckley404 (Sat, 19 May 2018 13:36:55 GMT):
is the auditor role still supported? I am trying to register with the id.type = auditor but i get this error: may not register type 'auditor'

Buckley404 (Sat, 19 May 2018 13:41:26 GMT):
in fact when i try enroll an admin with the attribute "hf.Registrar.Roles=*" i get Error: Response from server: Error Code: 20 - Authorization failure

bh4rtp (Sat, 19 May 2018 13:49:30 GMT):
@skarim `fabric-ca-server` exited with error: `panic: Version is not set for fabric-ca library`. what is the reason?

Buckley404 (Sat, 19 May 2018 13:52:26 GMT):
@bh4rtp what version of fabric are you using?

bh4rtp (Sat, 19 May 2018 14:49:37 GMT):
@Buckley404 the latest master branch. after updating minutes ago, `fabric-ca` is ok but prints:
```
2018/05/19 22:43:36 [INFO] 172.18.0.1:46444 POST /api/v1/enroll 201 0 "OK"
2018/05/19 22:43:36 [DEBUG] Received request for /api/v1/register
2018/05/19 22:43:36 [DEBUG] Received registration request from : { Name:Allen Type: Secret:**** MaxEnrollments:1 Affiliation:org1.department1 Attributes:[] CAName:ca-org1 }
2018/05/19 22:43:36 [INFO] 172.18.0.1:46448 POST /api/v1/register 401 25 "Invalid token in authorization header: Token signature validation failed"
```
i noticed that `configtx.yaml` was reversioned. must i regenerate artifacts, including genesis block, channel and tls files?

Buckley404 (Sat, 19 May 2018 16:05:26 GMT):
@bh4rtp that would be a good idea

Buckley404 (Sat, 19 May 2018 17:23:08 GMT):
The requested values for attribute 'hf.Registrar.Roles' is a superset of the caller's attribute value: '*' is not a member of 'peer,orderer,client,user'

Buckley404 (Sat, 19 May 2018 17:23:27 GMT):
can anyone help me fix this please?

phanikumar (Sat, 19 May 2018 17:49:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WBhYzBqkwLDqFGaMB) can someone help me in resolving this error

Buckley404 (Sat, 19 May 2018 18:26:11 GMT):
@phanikumar you'll get a better response if you shout at the sky, not many answers in here

mastersingh24 (Sun, 20 May 2018 12:45:01 GMT):
@phanikumar - do you have any logs from the peer nodes? You should set CORE_LOGGING_LEVEL=debug or CORE_LOGGING_GRPC=debug

mastersingh24 (Sun, 20 May 2018 12:45:54 GMT):
Most likely the error is due to something in the TLS handshake .... likely the fact that the hostname of the remote endpoint does not match the CN/hostname in the TLS certificates

mastersingh24 (Sun, 20 May 2018 12:46:02 GMT):
You might want to start with TLS disabled

phanikumar (Sun, 20 May 2018 12:46:16 GMT):
I have the logs of peer nodes

phanikumar (Sun, 20 May 2018 12:46:44 GMT):
Disabling TLS is causing another issue

phanikumar (Sun, 20 May 2018 12:50:21 GMT):
https://stackoverflow.com/questions/50412765/hyperledger-composer-install-error-error-error-trying-to-start-business-netwo

mastersingh24 (Sun, 20 May 2018 13:01:12 GMT):
well in that case you also needed to disable TLS in the Composer connection profile by changing the endpoints from grpcs/https to grpc/http (well that would be my guess)

mastersingh24 (Sun, 20 May 2018 13:01:53 GMT):
In any case, with debug on, what do you see in the peer logs?

phanikumar (Sun, 20 May 2018 13:02:51 GMT):
In composer? I am using fabric-samples. Can you tell me how to disable composer tls

phanikumar (Sun, 20 May 2018 13:03:24 GMT):
I have disabled tls by setting core_peer_tls=false

mastersingh24 (Sun, 20 May 2018 14:09:47 GMT):
which sample are you using?

phanikumar (Sun, 20 May 2018 15:38:25 GMT):
@mastersingh24 I am following this doc: https://github.com/hyperledger/fabric-samples/tree/release-1.1/first-network

vick (Sun, 20 May 2018 22:50:06 GMT):
trying to register an orderer with the ca

vick (Sun, 20 May 2018 22:50:08 GMT):
getting this error

vick (Sun, 20 May 2018 22:50:09 GMT):
Error: Response from server: Error Code: 0 - Registration of 'orderer1-org0' failed in affiliation validation: : scode: 401, local code: 44, local msg: Caller does not have authority to act on affiliation 'org1', remote code: 20, remote msg: Authorization failure

vick (Sun, 20 May 2018 22:50:16 GMT):
doesnt anyone know what is causing it?

vick (Sun, 20 May 2018 22:50:45 GMT):
```yaml
identities:
  - name: orgz-ca-admin
    pass: orgz-ca-adminpw
    type: client
    affiliation: "org0 org1 org2"
    attrs:
      hf.Registrar.Roles: "peer,orderer,client,user"
      hf.Registrar.DelegateRoles: "peer,orderer,client,user"
      hf.Revoker: true
      hf.IntermediateCA: false
      hf.GenCRL: true
      hf.Registrar.Attributes: "*"
      hf.AffiliationMgr: true
```

vick (Sun, 20 May 2018 22:51:01 GMT):
i have my identity defined like this, with affiliation org0 org1 and org2

vick (Sun, 20 May 2018 22:51:15 GMT):
so why would it still fail the affiliation validation?

phanikumar (Mon, 21 May 2018 04:08:54 GMT):
Error: Error getting endorser client channel: endorser client failed to connect to peer0.org2.example.com:7051: failed to create new connection: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "tlsca.org2.example.com

mastersingh24 (Mon, 21 May 2018 07:52:26 GMT):
@vick - you cannot assign the admin to multiple affiliations (https://chat.hyperledger.org/channel/fabric-ca?msg=Jf4fSTMwH3cnsmLQP) You should be able to set `affiliation: ""` and then I believe your admin can register people in any affiliation

phanikumar (Mon, 21 May 2018 07:53:12 GMT):
@mastersingh24 is there a way to resolve my issue

mastersingh24 (Mon, 21 May 2018 07:53:43 GMT):
You should be able to set `affiliation: ""` and then I believe your admin can register people in any affiliation

phanikumar (Mon, 21 May 2018 07:54:34 GMT):
I am always running into certificate issues running multi-org on multiple VM'S

mastersingh24 (Mon, 21 May 2018 07:57:07 GMT):
@phanikumar - what command are you running? Or rather how are you running the command which gives the error above?

phanikumar (Mon, 21 May 2018 07:57:46 GMT):
I am running script.sh file from cli container

mastersingh24 (Mon, 21 May 2018 07:58:35 GMT):
And how are you setting up all of the MSPs for the peers running on different VMs?

phanikumar (Mon, 21 May 2018 07:58:56 GMT):
Yes

phanikumar (Mon, 21 May 2018 07:59:17 GMT):
Peer join channel is causing the error

mastersingh24 (Mon, 21 May 2018 08:18:29 GMT):
Are you running `byfn -m generate` on one machine and then copying the files or are you running `byfn -m generate` on each VM?

phanikumar (Mon, 21 May 2018 08:19:50 GMT):
Yes

phanikumar (Mon, 21 May 2018 08:20:42 GMT):
I am running byfn -m on one machine and copying them to other machines

mastersingh24 (Mon, 21 May 2018 08:33:10 GMT):
which version of Fabric and which version of the fabric-samples are you using?

mastersingh24 (Mon, 21 May 2018 08:33:55 GMT):
looks like v1.1 samples (I think)

mastersingh24 (Mon, 21 May 2018 08:34:20 GMT):
and you only run `byfn -m generate` once?

vick (Mon, 21 May 2018 08:44:33 GMT):
@mastersingh24 thank you, will take a look

phanikumar (Mon, 21 May 2018 08:58:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vmq78F8AywmxjQTpq) @mastersingh24 I am following multi-orgs fabric-samples latest doc and cloned issue-6978 branch. I am running byfn -m generate only once

masayuki (Mon, 21 May 2018 09:12:18 GMT):
Has joined the channel.

mastersingh24 (Mon, 21 May 2018 09:20:07 GMT):
@phanikumar - can you post the rest of this error message: ``` Error: Error getting endorser client channel: endorser client failed to connect to peer0.org2.example.com:7051: failed to create new connection: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "tlsca.org2.example.com ```

chandrakanthm (Mon, 21 May 2018 09:39:08 GMT):
how to enable ldap on fabric ca server ?

chandrakanthm (Mon, 21 May 2018 09:39:19 GMT):
ldap

phanikumar (Mon, 21 May 2018 09:52:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zMHWjYi4ikYQ54WRe) @mastersingh24 it is making 5 attempts and exiting no more errors in specific in the cli log

mastersingh24 (Mon, 21 May 2018 09:52:49 GMT):
but looks like the error message you posted is truncated?

shwetacse5 (Mon, 21 May 2018 11:00:49 GMT):
Hi.. Is there any documentation or tutorial to deploy fabric on multiple VMs or hosts? I want to run fabric with multiple VMs

vsadriano (Mon, 21 May 2018 11:31:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=J437KSayydtbnS8Fu) @shwetacse5 you can copy artifacts of entities and setup docker containers on each host (baremetal or VM). Follow the steps on script.

skarim (Mon, 21 May 2018 14:31:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hysn4aQd6jBYicRHr) @Buckley404 It seems like you are trying to register a user with more privileges than the registrar. From the error message you posted, the registrar can only register 'peer,orderer,client,user', but it seems like you are giving the attribute 'hf.Registrar.Roles' a value of '*', which would give this identity greater privileges.

aambati (Mon, 21 May 2018 15:04:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4owdz2dt6pnJDL85n) @chandrakanthm Pls check https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#configuring-ldap

chandrakanthm (Mon, 21 May 2018 16:02:25 GMT):
does hyperledger fabric support kerberos authentication?

aambati (Mon, 21 May 2018 17:21:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CsaJY69bRREhgX3Zy) @chandrakanthm no, I don't think so

Norberthu (Tue, 22 May 2018 08:17:40 GMT):
when I debug /cmd/fabric-ca-server ,it shows error: [ panic: Version is not set for fabric-ca library ] ?

Norberthu (Tue, 22 May 2018 08:17:52 GMT):
```
GOROOT=/home/ping40/Desktop/tools/go1.9.2 #gosetup
GOPATH=/gp #gosetup
/home/ping40/Desktop/tools/go1.9.2/bin/go build -o /tmp/___server_tmp_ca -gcflags "-N -l" -a github.com/hyperledger/fabric-ca/cmd/fabric-ca-server #gosetup
/home/ping40/Desktop/tools/goland/GoLand-2018.1/plugins/go/lib/dlv/linux/dlv --listen=localhost:44993 --headless=true --api-version=2 --backend=default exec /tmp/___server_tmp_ca -- start -b admin:adminpw -H /tmp/ca #gosetup
API server listening at: 127.0.0.1:44993
2018/05/22 16:06:17 [INFO] Created default configuration file at /tmp/ca/fabric-ca-server-config.yaml
2018/05/22 16:06:17 [INFO] Starting server in home directory: /tmp/ca
panic: Version is not set for fabric-ca library

goroutine 1 [running]:
github.com/hyperledger/fabric-ca/lib/metadata.GetVersion(0x0, 0x0)
	/gp/src/github.com/hyperledger/fabric-ca/lib/metadata/version.go:48 +0x7b
github.com/hyperledger/fabric-ca/lib.(*Server).init(0xc4201da360, 0x0, 0x0, 0x0)
	/gp/src/github.com/hyperledger/fabric-ca/lib/server.go:88 +0x4c
github.com/hyperledger/fabric-ca/lib.(*Server).Start(0xc4201da360, 0x0, 0x0)
	/gp/src/github.com/hyperledger/fabric-ca/lib/server.go:121 +0x1e3
main.(*ServerCmd).init.func3(0xc420080fc0, 0xc420061240, 0x0, 0x4, 0x0, 0x0)
	/gp/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/servercmd.go:121 +0x2a5
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute(0xc420080fc0, 0xc420061200, 0x4, 0x4, 0x0, 0x0)
	/gp/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 +0x744
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0xc420080900, 0xc420080fc0, 0x0, 0x0)
	/gp/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 +0x68c
github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute(0xc420080900, 0x0, 0x0)
	/gp/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 +0x4f
main.(*ServerCmd).Execute(0xc420078320, 0x0, 0x0)
	/gp/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/servercmd.go:69 +0x43
main.RunMain(0xc4200100c0, 0x6, 0x6, 0x0, 0x0)
	/gp/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:45 +0x125
main.main()
	/gp/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:27 +0x45

Debugger finished with exit code 0
```

Norberthu (Tue, 22 May 2018 08:21:20 GMT):
When I run `make fabric-ca-server` and then run the bin/fabric-ca-server command, there is no error. I can't find where the metadata.Version value is set.

Norberthu (Tue, 22 May 2018 08:24:36 GMT):
Many test files call `metadata.Version = "1.1.0"`.

Norberthu (Tue, 22 May 2018 08:25:53 GMT):
My question is: for the bin/fabric-ca-server command (built by `make fabric-ca-server`), where and how is metadata.Version set? Thanks.

krabradosty (Tue, 22 May 2018 09:17:00 GMT):
Hi! Do I understand correctly that to run a cluster of CAs I just need to start several copies of the CA server with the same configuration using one shared DB, and configure a load balancer in front of these servers?

Sreesha (Tue, 22 May 2018 09:19:57 GMT):
Has joined the channel.

mastersingh24 (Tue, 22 May 2018 10:13:09 GMT):
@krabradosty - the preferred method would be to create a single root CA and then create multiple intermediate CAs and load balance across those (you can actually take the root CA offline)

mastersingh24 (Tue, 22 May 2018 10:14:42 GMT):
Of course it's technically possible for multiple CA processes to share the same signing keypair (either via a shared filesystem, copying the keys (not recommended), or using an HSM).

krabradosty (Tue, 22 May 2018 10:15:52 GMT):
Got it, thanks

sandman4 (Tue, 22 May 2018 13:57:21 GMT):
in byfn tutorial, base/docker-compose-base.yaml file binds /var/run directory to /host/var/run on peer. what is the use of this binding?

dimaxgl (Tue, 22 May 2018 14:24:40 GMT):
@sandman4 it mounts docker.sock for the peer

krabradosty (Tue, 22 May 2018 17:06:55 GMT):
@mastersingh24 FABRIC_CA_SERVER_CA_NAME should be unique?

krabradosty (Tue, 22 May 2018 17:08:38 GMT):
I'm trying to test a CA cluster with Composer and I'm receiving an uninformative error, so I can only guess.

krabradosty (Tue, 22 May 2018 17:12:46 GMT):
Maybe you know this error: ``` Error: Error trying login and get user Context. Error: Error trying to enroll user or load channel configuration. Error: Enrollment failed with errors [[{"code":0,"message":"2 rows were affected when updating the state of identity admin"}]] ```

aambati (Tue, 22 May 2018 18:12:57 GMT):
@krabradosty it needs to be unique within a Fabric CA server... A Fabric CA server can host multiple CAs (using the --cafiles option)... by default it hosts one CA... so for example, if each server in the cluster has two CAs (ca1, ca2), ca1 in each server in the cluster must share one DB and ca2 in each server of the cluster must share one DB

aambati (Tue, 22 May 2018 18:24:18 GMT):
@krabradosty The error indicates that the CA tried to update the admin information in the database after successfully generating a certificate, and the update failed because it found two records for admin instead of one

sudeshrshetty (Tue, 22 May 2018 21:22:53 GMT):
@aambati thanks for the quick fix https://gerrit.hyperledger.org/r/#/c/22067/ Any idea when latest fabric-ca image is going to be available? http://nexus3.hyperledger.org:10001/hyperledger/fabric-ca:latest

angeloatleadiq (Tue, 22 May 2018 22:57:45 GMT):
Has joined the channel.

davidkhala (Wed, 23 May 2018 01:31:09 GMT):
@aambati Thanks ambati, it works. BTW, what is the TLS cert/key pair generated by the server itself used for? I checked the subject inside that cert and found it uses the container id as the common name. So I guess it is used for fabric CA to talk to its 'wrapping' container?

angeloatleadiq (Wed, 23 May 2018 06:17:24 GMT):
Hi All, I have tested and understood how a Hyperledger network works from this tutorial https://github.com/chainHero/heroes-service. Now I am starting to think about a production environment. Which tool should I use to replace bin/cryptogen?

Sairohithyanamala (Wed, 23 May 2018 06:22:59 GMT):
Has joined the channel.

sandman4 (Wed, 23 May 2018 06:57:59 GMT):
What is the use of the CORE_PEER_PROFILE_ENABLED environment variable? It is set to true in the base/peer-base.yaml file in byfn.

sandman4 (Wed, 23 May 2018 06:57:59 GMT):
@dimaxgl thanks for the reply, one more thing.

sandman4 (Wed, 23 May 2018 07:15:54 GMT):
@angeloatleadiq you need a proper CA setup to replace cryptogen

titoe218 (Wed, 23 May 2018 09:07:23 GMT):
Has joined the channel.

titoe218 (Wed, 23 May 2018 09:08:56 GMT):
Hi, I used the Fabric Go SDK and when I enroll a user I get this error: `Enroll failed: failed to create CA Client: no CAs configured`. Does anyone know how to fix it?

biksen (Wed, 23 May 2018 12:01:11 GMT):
Has joined the channel.

biksen (Wed, 23 May 2018 12:01:19 GMT):
Hi All, I am new to the Fabric SDK. I am trying to connect to a TLS-enabled CA using the Fabric CA Java SDK, but I could not connect to it due to a TLS handshake error. Can anyone please refer me to or provide a sample code snippet to connect to Fabric CA using "https://ca-url:port"? Thanks in advance.

ping40 (Wed, 23 May 2018 13:12:54 GMT):
Has joined the channel.

krabradosty (Wed, 23 May 2018 14:08:00 GMT):
Does the CA have an HTTP endpoint that a load balancer can use for ping?

aambati (Wed, 23 May 2018 14:31:54 GMT):
@sudeshrshetty I am not sure, I can find out and get back to you on that

aambati (Wed, 23 May 2018 14:32:41 GMT):
@davidkhala It is used for TLS communication between the server and a client (the fabric-ca-client command line client or an SDK)

dharuq (Wed, 23 May 2018 14:34:06 GMT):
Hello! I changed fabric_ca_server_config.yaml to use PostgreSQL and tried to run End2EndIT (from the Java SDK), but I got this error:
```
org.hyperledger.fabric_ca.sdk.exception.RegistrationException: Error while registering the user pt.ulisboa.tecnico.config.SampleUser@59e7564b url: https://localhost:8054 POST request to https://localhost:8054 failed request body {"id":"user1","type":"client","affiliation":"org1.department1","attrs":[]}. Response: {"result":"","errors":[{"code":0,"message":"Registration of 'user1' failed: Identity 'user1' is already registered"} ],"messages":[],"success":false}
```
ca2 is running at https://localhost:8054. Does anyone know how to solve this?

aambati (Wed, 23 May 2018 14:34:44 GMT):
@angeloatleadiq Fabric CA would be a good choice... pls check the https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca sample, which uses Fabric CA to generate the required X509 certs for various identities like peers, orderers, admins and users

aambati (Wed, 23 May 2018 14:35:12 GMT):
@sandman4 It enables Go profiling

aambati (Wed, 23 May 2018 14:36:53 GMT):
@titoe218 You need to set up a Fabric CA server: http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html

aambati (Wed, 23 May 2018 14:38:35 GMT):
@biksen Pls check https://github.com/hyperledger/fabric-ca/blob/2032d7736ec3254f7ad2555770743b90c5956274/lib/client.go#L689 ... this is the client code that fabric-ca-client uses

aambati (Wed, 23 May 2018 14:47:10 GMT):
@dharuq it is probably because you ran the test multiple times... I don't think the test cleans up the database after it is done; the test was probably written to work with SQLite. Try dropping the fabric-ca database in postgres and running the test again

aambati (Wed, 23 May 2018 14:52:54 GMT):
@krabradosty are you looking for a health check endpoint? If so, the closest we have is /api/v1/cainfo, but that is not really lightweight and is not meant to be used for health checks... I suggest that you pls open a JIRA (https://jira.hyperledger.org/) if cainfo does not satisfy your requirement

dharuq (Wed, 23 May 2018 14:53:35 GMT):
@aambati I have already done that... and the error persists...

krabradosty (Wed, 23 May 2018 14:56:20 GMT):
@aambati Thanks!

dharuq (Wed, 23 May 2018 15:00:36 GMT):
In the ca_peerOrg2 container the last line printed is: `ca_peerOrg2 | 2018/05/23 14:52:05 [INFO] 172.18.0.1:34540 POST /api/v1/register 500 0 "Registration of 'user1' failed: Identity 'user1' is already registered"` Is that normal?

sudeshrshetty (Wed, 23 May 2018 15:03:40 GMT):
@aambati got the latest image and the problem is solved. Thanks a lot for the quick fix

aambati (Wed, 23 May 2018 15:04:10 GMT):
No, not normal... and are you sure that the server is connecting to the postgres database? Registrations are stored in the database; that error would occur if the user is already in the database and a registration is requested

dharuq (Wed, 23 May 2018 15:12:02 GMT):

Screen Shot 2018-05-23 at 16.10.18.png

dharuq (Wed, 23 May 2018 15:42:38 GMT):
@aambati I have created a new user "test" and the tables affiliations, certificates, properties and users are in the fabric_ca database. But now I have this error: `Response: {"result":"","errors":[{"code":0,"message":"2 rows were affected when updating the state of identity admin"}`.

dharuq (Wed, 23 May 2018 15:42:38 GMT):
@aambati I have created a new user "test" and the tables affiliations, certificates, properties and users are in the fabric_ca database, but the error persists.

skarim (Wed, 23 May 2018 17:51:09 GMT):
@dharuq Since you are using the Java SDK, you need to do `./fabric.sh down` after each time you run End2EndIT and then try again

dharuq (Wed, 23 May 2018 20:20:42 GMT):
@skarim I always do `./fabric.sh restart`, stop and remove all the docker containers, and drop the fabric_ca database on postgres

dharuq (Thu, 24 May 2018 00:48:33 GMT):
@aambati When I define PostgreSQL in fabric_ca_server_config, are there supposed to be 2 separate databases for the CAs? Could the users used to access the database be the same?

govinda-attal (Thu, 24 May 2018 01:08:36 GMT):
Has joined the channel.

govinda-attal (Thu, 24 May 2018 01:10:06 GMT):
Hi All, I need some assistance. I am using the fabric-ca-client command line utility and trying to register a user with attributes, and it gives me an authorization failure. When I do it without attributes it doesn't complain.

govinda-attal (Thu, 24 May 2018 01:10:08 GMT):
```
fabric-ca-client register \
  -H $FABRIC_CA_CLIENT_HOME \
  -M $FABRIC_CA_CLIENT_HOME/admin \
  --url https://$CA_HOST:$CA_PORT \
  --tls.certfiles $FABRIC_CA_CLIENT_TLS_CLIENT_CERTFILE \
  --id.name $FABRIC_USER \
  --id.secret $FABRIC_USER_PW \
  --id.affiliation $FABRIC_MEMBER_MSPID \
  --id.attrs $FABRIC_USER_ATTRS
```

govinda-attal (Thu, 24 May 2018 01:10:29 GMT):
```
2018/05/23 18:06:23 [INFO] Configuration file location: /home/user/dev/some-project-core/user-registration/fabric-ca-client-config.yaml
2018/05/23 18:06:23 [INFO] TLS Enabled
2018/05/23 18:06:23 [INFO] TLS Enabled
Error: Response from server: Error Code: 20 - Authorization failure
```

govinda-attal (Thu, 24 May 2018 01:11:53 GMT):
FABRIC_USER_ATTRS='app-name=some-private-api:ecert,email=some-admin@some.org:ecert'

govinda-attal (Thu, 24 May 2018 01:12:03 GMT):
Am I missing anything here ?

titoe218 (Thu, 24 May 2018 07:43:48 GMT):
Does anyone know how to check whether a user is enrolled using the Fabric Go SDK?

vikramjit (Thu, 24 May 2018 10:48:56 GMT):
Has left the channel.

OscarFerrer (Thu, 24 May 2018 11:27:49 GMT):
Has joined the channel.

OscarFerrer (Thu, 24 May 2018 11:31:45 GMT):
Hello, I have a local network with CA authentication connected to an LDAP server working well, and I'm able to enroll LDAP users correctly. I also have a channel created successfully, and I want to install a chaincode from the Java SDK, without success. What I do is: 1. Enroll User, 2. Create Channel, 3. Install Chaincode, and this last step fails with the exception "java.lang.Exception: io.grpc.StatusRuntimeException: UNKNOWN: chaincode error (status: 500, message: Authorization for INSTALL has been denied (error-Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin]))"

OscarFerrer (Thu, 24 May 2018 11:35:16 GMT):
In my fabric-ca-server-config.yaml I have these converters and maps:
```
converters:
  - name: hf.Registrar.Roles
    value: map(attr("memberOf"),"groups")
  - name: hf.Registrar.DelegateRoles
    value: map(attr("memberOf"),"groups")
  - name: hf.Registrar.Attributes
    value: map(attr("memberOf"),"attributes")
  - name: hf.Revoker
    value: attr("memberOf") =~ "GUP_HL*"
  - name: hf.IntermediateCA
    value: attr("memberOf") =~ "GUP_HL*"
  - name: hf.GenCRL
    value: attr("memberOf") =~ "GUP_HL*"
  - name: hf.AffiliationMgr
    value: attr("memberOf") =~ "GUP_HL*"
  - name: hf.Admin
    value: attr("memberOf") =~ "GUP_HL*"
maps:
  groups:
    - name: CN=GUP_HL
      value: "peer,orderer,client,user"
  attributes:
    - name: CN=GUP_HL
      value: "*,admin"
  roles:
    - name: CN=GUP_HL
      value: "admin"
```

OscarFerrer (Thu, 24 May 2018 11:39:26 GMT):
How can I set a user to be an admin identity? Thanks in advance

aambati (Thu, 24 May 2018 13:55:12 GMT):
@dharuq not sure I understand the question, but if you are asking whether each CA uses two databases, the answer is no. It uses one database.

skarim (Thu, 24 May 2018 13:57:35 GMT):
@govinda-attal Can you try to register with attributes again, but this time enable debug logging on the server and share those logs please.

aambati (Thu, 24 May 2018 13:57:37 GMT):
@govinda-attal so, I am assuming that $FABRIC_CA_CLIENT_HOME/admin has admin credentials? (it should have signcerts and cacerts folders)

dharuq (Thu, 24 May 2018 13:59:34 GMT):
@aambati the user used to access the PostgreSQL should be the same? It is supposed to have two fabric server config file, one for each ca-server?

aambati (Thu, 24 May 2018 14:01:04 GMT):
It could be the same; I think there is no restriction on that

dharuq (Thu, 24 May 2018 14:02:14 GMT):
So it means that the username and the password could be the same for both CAs to access PostgreSQL?

aambati (Thu, 24 May 2018 14:02:32 GMT):
@OscarFerrer The user needs to be an admin... so you would need to place the user's certificate in the admincerts folder of the peer MSP

dharuq (Thu, 24 May 2018 14:08:42 GMT):
So it means that the username and the password could be the same for both CAs to access PostgreSQL? @aambati

LAlejandroNG (Thu, 24 May 2018 18:20:10 GMT):
Has joined the channel.

acostarodrigo (Thu, 24 May 2018 18:56:24 GMT):
Has joined the channel.

acostarodrigo (Thu, 24 May 2018 18:58:22 GMT):
Hi all, I'm trying to integrate main ETH with Fabric in a similar way to what Parity does with a Bridge smart contract between main and private Ethereum. In Parity, when an account wants to send a token back to main Ethereum, the private nodes that form the blockchain sign a message and submit the collection of signatures together with the message to a smart contract on main ETH. If the signatures are from predefined ETH addresses (or their public keys), then the frozen tokens on main Ethereum are recovered. I'm following a similar approach, in which I'm sending the signatures of the endorsing peers and using the payload of a predefined transaction as the message. The problem is that each time the endorsing peers sign the payload, they generate a different signature from a different private key. This makes it impossible to validate on main Ethereum whether the signature is from a predefined address. From a successful response of a chaincode invocation, I do `byte[] message = response.getProposalResponse().getResponse().getPayload().toByteArray(); byte[] signature = response.getProposalResponse().getEndorsement().getSignature().toByteArray();` and get different signatures each time for the same message. Does anyone have an idea of what the issue might be?

dharuq (Thu, 24 May 2018 20:37:20 GMT):
Has anyone used PostgreSQL or MySQL for the fabric_ca server and run End2EndIT (the java-sdk test)? If so, which of the databases? Any tips?

jpgalmeida (Thu, 24 May 2018 20:37:21 GMT):
Has joined the channel.

govinda-attal (Fri, 25 May 2018 04:14:14 GMT):
@skarim Hi, hope you are well... I am not sure if I will be able to turn on debug logging on Fabric CA, as the server is on IBM Bluemix Blockchain as a service

govinda-attal (Fri, 25 May 2018 04:16:13 GMT):
@aambati Hi, hope you are well. Yes, I first enrolled admin and $FABRIC_CA_CLIENT_HOME/admin has admin credentials... When I register a user without attributes, it just simply works... But with attributes it complains

kelvinzhong (Fri, 25 May 2018 04:32:57 GMT):
@aambati hi, I wonder whether it is possible for chaincode to get the cert of the client and the CA cert of the org? I want to put some limitations on a client so that they can only access values that belong to their own org, but without knowing the id of the client in chaincode it becomes too hard to implement that.

sudharsand (Fri, 25 May 2018 07:02:16 GMT):
Has joined the channel.

ShikiTakahashi (Fri, 25 May 2018 07:31:17 GMT):
Has joined the channel.

paul.sitoh (Fri, 25 May 2018 10:02:40 GMT):
Hi, I don't know if this is the right channel. For the Go SDK, I ran the command `go generate` and I got this error:
```
Traceback (most recent call last):
  File "./protogen", line 25, in
    from grpc.tools.protoc import main as _protoc
ModuleNotFoundError: No module named 'grpc'
gen.sh: line 24: mockgen: command not found
gen.go:1: running "bash": exit status 127
```

paul.sitoh (Fri, 25 May 2018 10:03:01 GMT):
I presume it is something to do with a missing Python module

paul.sitoh (Fri, 25 May 2018 10:03:51 GMT):
Could anyone advise me on how to fix this problem?

LAlejandroNG (Fri, 25 May 2018 13:14:48 GMT):
Hello everyone, I have a CA connected to LDAP (no errors in the CA logs at startup) but I can't register users correctly. I looked at the CA logs after I tried to register a user and this is the trace:
```
2018/05/25 12:17:14 [DEBUG] canRegister - Check to see if user 'cn=govadmin,ou=goverment,dc=example,dc=org' can register ...
2018/05/25 12:17:14 [DEBUG] Validate ID
2018/05/25 12:17:14 [DEBUG] Validating affiliation: goverment.department1
2018/05/25 12:17:14 [DEBUG] Registration of 'spuser' failed: Registration of 'spuser' to validate: Failed getting affiliation 'goverment.department1': Not supported
2018/05/25 12:17:14 [INFO] 213.27.225.170:37945 POST /api/v1/register 500 0 "Registration of 'spuser' to validate: Failed getting affiliation 'goverment.department1': Not supported"
```
I cloned the fabric-ca repository and followed the last debug message, and then I saw this: there are two Go files involved (release-1.1), lib/ldap/client.go and lib/serverregister.go. This is the sequence (file, function, line):
lib/serverregister.go - canRegister - 226
lib/serverregister.go - validateID - 127
lib/serverregister.go - isValidAffiliation - 181
lib/ldap/client.go - GetAffiliation - 263
The GetAffiliation function is not implemented. Do I have to implement this?

LAlejandroNG (Fri, 25 May 2018 13:20:38 GMT):
I'm invoking the CA from a Node.js API using the Node.js SDK provided by the balance-transfer sample.

skarim (Fri, 25 May 2018 13:51:15 GMT):
@dharuq You might also want to post to the #fabric-sdk-java channel as well; someone on that channel might have tried this

skarim (Fri, 25 May 2018 13:52:22 GMT):
@govinda-attal Do you know the value of the 'hf.Registrar.Attributes' attribute on the caller identity? Without seeing the server side debug logs, I am going to guess that you are trying to register an attribute for a user that you are not allowed to

dharuq (Fri, 25 May 2018 13:52:26 GMT):
I have already done that... thanks :) @skarim

skarim (Fri, 25 May 2018 13:55:04 GMT):
@LAlejandroNG If you are using LDAP, registration of new users is not supported through Fabric CA. Registration of users through Fabric CA is only supported if you are using a database (sqlite, postgres, or mysql). For LDAP, you will have to register users out of band.

migrenaa (Fri, 25 May 2018 14:05:59 GMT):
Hi! I want to run two Fabric CA servers, a root and an intermediate. They should be in different docker containers. In my compose file I have 2 services for the two containers and they are up and running. The problem is that both of them are running on port 7054 although I specified different ports in the compose file. So I assume that I should specify the Fabric CA config files in the compose file, but I cannot see how to do it. Can someone help?

LAlejandroNG (Fri, 25 May 2018 20:46:45 GMT):
@skarim Thanks a lot

tboloo (Sat, 26 May 2018 10:10:54 GMT):
Has joined the channel.

ziqbalbh (Sun, 27 May 2018 06:59:23 GMT):
Has joined the channel.

gravity (Mon, 28 May 2018 09:27:28 GMT):
Hello, is it possible to create an `ADMIN` identity using `fabric-ca`? If it is, how can we do this?

vijay5378 (Mon, 28 May 2018 09:39:33 GMT):
Has joined the channel.

vijay5378 (Mon, 28 May 2018 09:42:10 GMT):
Hi, I am trying to enrol an identity using fabric-ca's REST APIs. I need some tips on what should be passed in the authorization parameter. I tried passing admin.adminpw, but I receive the error "Invalid token in authorization header: Failed to decode base64 encoded x509 cert: illegal base64 data at input byte 4". Do I need to encode this? If yes, any pointers to some code would be greatly appreciated

HemanthPrabhu (Mon, 28 May 2018 10:56:17 GMT):
Has joined the channel.

HemanthPrabhu (Mon, 28 May 2018 10:56:30 GMT):
Hey, I got the error below when registering a user with the CA server:
```
Error: Calling enrollment endpoint failed with error [Error: Parse Error]
    at ClientRequest. (/Users/hemanthk/Documents/hyperledger/education/LFS171x/fabric-material/tuna-app/node_modules/fabric-ca-client/lib/FabricCAClientImpl.js:711:12)
    at emitOne (events.js:116:13)
    at ClientRequest.emit (events.js:211:7)
    at Socket.socketOnData (_http_client.js:445:9)
    at emitOne (events.js:116:13)
    at Socket.emit (events.js:211:7)
    at addChunk (_stream_readable.js:263:12)
    at readableAddChunk (_stream_readable.js:250:11)
    at Socket.Readable.push (_stream_readable.js:208:10)
    at TCP.onread (net.js:607:20)
```

LAlejandroNG (Mon, 28 May 2018 12:40:27 GMT):
@OscarFerrer Could you paste the LDAP user entry you are using, and the result of every converter evaluation in the CA log?

mortimr (Mon, 28 May 2018 14:06:53 GMT):
Has joined the channel.

mortimr (Mon, 28 May 2018 14:35:37 GMT):
Hi guys, have you ever seen `error:140770FC` while trying to fetch Admin certs with `composer identity request`?
```
Error: failed to request identity. Error trying to enroll user and return certificates. Error: Calling enrollment endpoint failed with error [Error: write EPROTO 140735717770112:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:../deps/openssl/openssl/ssl/s23_clnt.c:827:
]
Command failed
```
I am currently deploying without the `byfn.sh` script; I have two organizations, with 2 peers in each one, and one fabric-ca-server for each of them. Did anyone see this error before? How have you managed to fix this? Thx (I also get this error code while running curl against the listening port of the fabric-ca-server container)

gravity (Mon, 28 May 2018 14:51:35 GMT):
@aambati Hi, is it possible to enroll an Admin identity using fabric-ca? As far as I know, one Admin identity is generated when we use the `cryptogen` tool to generate crypto materials. But how do we generate an Admin (who can create channels) using fabric-ca?

guangyingyuan (Mon, 28 May 2018 15:02:38 GMT):
Has joined the channel.

mengluo668 (Tue, 29 May 2018 02:55:45 GMT):
For issue [3898](https://github.com/hyperledger/composer/issues/3898), I see it is still *OPEN*. Because I don't have enough time to wait, I have to fix it by myself; could anybody please give some guidelines about how to fix it? Especially the root cause and solutions. Thanks very much.

amolpednekar (Tue, 29 May 2018 09:29:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bnqy69kRKxTsCaXF7) @gravity From what I know, you just put the certificate of whoever you want to be admin in the admincerts folder of peer (peerorgs -> peer0/1-> msp->admincerts)

gravity (Tue, 29 May 2018 09:36:47 GMT):
@amolpednekar OK, I got it. But instead of loading certificates from an admin folder, we cannot retrieve them directly from fabric-ca, can we?

gravity (Tue, 29 May 2018 11:17:34 GMT):
can we bootstrap one more Admin identity to perform admin actions (create channels, install chaincodes etc.)?

IgorSim (Tue, 29 May 2018 12:39:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Ld8AbzoBbMPfaTt8y) @gravity As far as I understand there are different 'admins': ORG admin and peer admin (responsible, for example, for joining a peer to a channel). I think there isn't a limit on how many 'admins' you can register in the CA, but their certificates must be present in the 'admincerts' folder of the peer MSP or ORG MSP.

gravity (Tue, 29 May 2018 12:41:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RKBsGcgL9vjDA5gHp) @IgorSim Actually, I didn't find any information in the fabric-ca documentation about org admins and how to create these identities.

aambati (Tue, 29 May 2018 13:36:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cN8EeXEbMuwMlhy7lX) @dharuq i think so

dharuq (Tue, 29 May 2018 13:37:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Htijyb2v7FHKQjQSf) @aambati thanks :)

aambati (Tue, 29 May 2018 13:38:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8aHSWnvukRua5dYbG) @LAlejandroNG Affiliations are not supported when using LDAP as the user registry. You can map an LDAP attribute to the affiliation attribute if your chaincode looks for it in the ecert

aambati (Tue, 29 May 2018 13:53:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dz3dXMts87ZXsLJys) @migrenaa How did you specify the port? --port or FABRIC_CA_SERVER_PORT?

aambati (Tue, 29 May 2018 14:07:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZBMb4fvGBmSpX7anr) @kelvinzhong By "cert of the client" do you mean cert of the invoker of the transaction? if so, yes, chaincode has access to the invoker of the transaction...i am not sure about ca cert though

aambati (Tue, 29 May 2018 14:10:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2B33zs8C4F8LKmKBf) @gravity which admin? fabric-ca-client can be used by the CA admin to register another user like peer admin, pass the userid/pass to the peer admin, have the peer admin enroll to get cert/key pair

gravity (Tue, 29 May 2018 14:11:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hwjXEKxMyTNZ5paoa) @aambati I mean org admin, who can create new channels, install chaincodes etc.

aambati (Tue, 29 May 2018 14:12:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dhWRDkKKhqGfj7yCE) @vijay5378 enroll request takes basic authorization header...The value of the `authorization` header must be `basic `

nmarcetic (Tue, 29 May 2018 14:16:57 GMT):
Has joined the channel.

aambati (Tue, 29 May 2018 14:17:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=D9F9ZcYDZq44nEcLg) @HemanthPrabhu you said registering a user but error says enrollment endpoint, there is a disconnect there..also, are you using 1.1?

aambati (Tue, 29 May 2018 14:21:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=idXTumKoGwuckgnSD) @gravity you would create same way as other users

gravity (Tue, 29 May 2018 14:23:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tiS69jPGD6zjqovpv) @aambati I tried to enroll org admin via fabric-ca, but later when I tried to sign a request to create a new channel, I received an error message `This identity is not an admin.`

migrenaa (Tue, 29 May 2018 14:24:34 GMT):
@aambati I fixed this problem, the problem was in my docker-compose file. But I still don't get how Fabric CA works, so if you can help me with that it will be super helpful. Now I have both of my CA servers up and running, I can register and enroll users using the intermediate server, but I don't get how to create certificates for the peers and the orderers. When I generate crypto materials using cryptogen, it generates a tree of folders with certificates. When I try to register and enroll peer using Fabric CA NodeJS SDK it creates 3 files - one pem certificate, one file with private key and one with public key. And it creates them in my local dir. My understanding was that the certificates should be stored inside the Intermediate CA container. In the container the only created certificate is the one for the Intermediate Server.

aambati (Tue, 29 May 2018 14:31:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GdYDcaRSdKCQofpQM) @gravity Did you add the admin cert to the the orderer system channel (testchainid) config block? there is some info on orderer system channel at: https://hyperledger-fabric.readthedocs.io/en/latest/upgrading_your_network_tutorial.html?highlight=orderer%20system%20channel

gravity (Tue, 29 May 2018 14:34:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mvPZJux7w2ppHMg6u) @aambati No, I didn't. Thanks, will check the link.

aambati (Tue, 29 May 2018 14:57:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rvhhsdqBnXpd45ytz) @migrenaa peers and orderers are entities that need identity as well...So, the way you enrolled users , you would do the same for peers and orderers....as a CA admin, first register an identity that represents a peer, then using the id/password returned by the register command, enroll the identity by passing msp directory of the peer to the fabric-ca-client using -M option...this will populate the cacerts, intermediatecacerts, signcerts folder, put the peer's private key in the msp/keystore

migrenaa (Tue, 29 May 2018 15:25:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ihP4uNhye9hshNFw4) @aambati Thank you. In the CA container there is an msp folder which contains the subfolders for the different kinds of certificates, but when I enroll a user/peer/orderer the certificates don't appear there. They are stored in my local folders. Shouldn't they be stored in the container?

aambati (Tue, 29 May 2018 15:37:01 GMT):
You should enroll peer from peer container (fabric-ca-client is packaged in the peer container if you use fabric-ca-peer container)

migrenaa (Tue, 29 May 2018 15:41:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Xn5SGmDWhhsG8den3) @aambati Aw.. OK. Thanks a lot. :)

jeffcoop9 (Tue, 29 May 2018 16:05:15 GMT):
Has joined the channel.

karmicway (Tue, 29 May 2018 21:35:49 GMT):
Has joined the channel.

kelvinzhong (Wed, 30 May 2018 02:44:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=H33dhGogT9JuoHYGH) @aambati thanks~

yljgo (Wed, 30 May 2018 03:16:37 GMT):
Has joined the channel.

amolpednekar (Wed, 30 May 2018 03:58:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xv7B7um3bjSCx5guH) @gravity You can get the certs from the CA, just put them in the admincerts folder to make them admin

ahmadzafar (Wed, 30 May 2018 06:41:55 GMT):
To add a new peer in Hyperledger Fabric I am using the following command: `peer = client.newPeer('grpcs://localhost:7051')` and getting the following error: `PEM encoded certificate is required`. Please help!

gravity (Wed, 30 May 2018 08:11:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DwawDEprTzXpmK73u) @amolpednekar thanks, will try

IgorSim (Wed, 30 May 2018 10:18:57 GMT):
Hi, I'm not sure my question is for this channel, but anyway here it is: In the fabric-samples/fabric-ca examples, a few different identities are registered in the CA. One of them, the so-called 'user' identity, is used afterwards to query chaincode. As far as I understand, endorsing peers verify whether the submitter is allowed to invoke transactions on the channel. My question is where this permission is set (who can send transactions on the channel); is it defined as a policy in the channel configuration transaction?

AlexanderZhovnuvaty (Wed, 30 May 2018 11:36:44 GMT):
Has joined the channel.

gravity (Wed, 30 May 2018 12:01:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JLdhuys2T56pwe6oi) @IgorSim from my understanding, validators will check the user's MSP and check if that MSP is a part of a consortium. When you create a channel, you have to provide a profile. The profile contains information about organizations (name, MSP etc.). Later, when a user tries to access a particular channel, the user's MSP will be checked against the channel's allowed MSPs; if everything is ok, then the user can proceed. Also, you can implement attribute-based access control in a chaincode.

aambati (Wed, 30 May 2018 13:23:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JLdhuys2T56pwe6oi) @IgorSim Yes, in the channel configuration...you can also use the attributes based access control, where the attributes set in the user's certificate can be used by the chaincode to make application level access control checks

IgorSim (Wed, 30 May 2018 15:49:45 GMT):
@aambati OK, tnx. I fetched most recent configuration block from the channel and decoded into JSON format. I'm following documentation regarding configtx but i can't find where this policy is set. Can you point me in which part of the JSON to look, is it under groups.Application, groups.Orderer or somewhere else?

rogerwilcos (Wed, 30 May 2018 22:00:33 GMT):
Has joined the channel.

ChunTung (Thu, 31 May 2018 07:24:32 GMT):
Has joined the channel.

cnusri (Thu, 31 May 2018 10:42:31 GMT):
Has joined the channel.

mp (Thu, 31 May 2018 11:28:33 GMT):
Is it possible to store non-latin (ie cyrillic) characters in attrs section of fabric-ca generated certificates? Right now they are all replaced by dots. Tried switching locale of fabric-ca-tools container to UTF-8 and it didn't help. Contents of fabric-ca-server.db table users does contain cyrillic characters.

migrenaa (Thu, 31 May 2018 12:30:38 GMT):
Hello. I have an issue enrolling the orderer into the Intermediate CA Server. I am running `fabric-ca-client enroll -d -u $ENROLLMENT_URL -M $MSPDIR`. Both Enrollment Url and MspDir are correct, I checked. This is the log:
```
##### 2018-05-31 12:07:56 Enrollment URL : 'http://orderer1-orbixOrg1:orderer1-orbixOrg1@intermediate-ca-orbixOrg1:7054' with MSP at '/etc/hyperledger/orderer/msp'
2018/05/31 12:07:56 [DEBUG] Home directory: /etc/hyperledger/orderer
2018/05/31 12:07:56 [INFO] Created a default configuration file at /etc/hyperledger/orderer/fabric-ca-client-config.yaml
2018/05/31 12:07:56 [DEBUG] Client configuration settings: &{URL:http://orderer1-orbixOrg1:orderer1-orbixOrg1@intermediate-ca-orbixOrg1:7054 MSPDir:/etc/hyperledger/orderer/msp TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** Profile: Label: CSR: CAName: AttrReqs:[] } CSR:{CN:orderer1-orbixOrg1 Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[3cef3a961e68] KeyRequest: CA: SerialNumber:} ID:{Name: Type:client Secret: MaxEnrollments:0 Affiliation: Attributes:[] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc4201b0de0}
2018/05/31 12:07:56 [DEBUG] Entered runEnroll
2018/05/31 12:07:56 [DEBUG] Enrolling { Name:orderer1-orbixOrg1 Secret:**** Profile: Label: CSR:&{orderer1-orbixOrg1 [{US North Carolina Hyperledger Fabric }] [3cef3a961e68] } CAName: AttrReqs:[] }
2018/05/31 12:07:56 [DEBUG] Initializing client with config: &{URL:http://intermediate-ca-orbixOrg1:7054 MSPDir:/etc/hyperledger/orderer/msp TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name:orderer1-orbixOrg1 Secret:**** Profile: Label: CSR:&{orderer1-orbixOrg1 [{US North Carolina Hyperledger Fabric }] [3cef3a961e68] } CAName: AttrReqs:[] } CSR:{CN:orderer1-orbixOrg1 Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[3cef3a961e68] KeyRequest: CA: SerialNumber:} ID:{Name: Type:client Secret: MaxEnrollments:0 Affiliation: Attributes:[] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc4201b0de0}
2018/05/31 12:07:56 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc4201b0e40 PluginOpts: Pkcs11Opts:}
2018/05/31 12:07:56 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc4201c4eb0 DummyKeystore:}
2018/05/31 12:07:56 [DEBUG] GenCSR &{CN:orderer1-orbixOrg1 Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[3cef3a961e68] KeyRequest: CA: SerialNumber:}
2018/05/31 12:07:56 [INFO] generating key: &{A:ecdsa S:256}
2018/05/31 12:07:56 [DEBUG] generate key from request: algo=ecdsa, size=256
2018/05/31 12:07:56 [INFO] encoded CSR
2018/05/31 12:07:56 [DEBUG] Sending request POST http://intermediate-ca-orbixOrg1:7054/enroll {"hosts":["3cef3a961e68"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBTzCB9gIBADBqMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxGzAZBgNV\nBAMTEm9yZGVyZXIxLW9yYml4T3JnMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBB9S+OSCoVIQwFvuGXDfXn4DWyl+VBMxZb27UJe+OnUan66lHo0DfhUVhf5Rz+Tw\nRjjoHO8YXeTK+6Gxo9KBQ5ugKjAoBgkqhkiG9w0BCQ4xGzAZMBcGA1UdEQQQMA6C\nDDNjZWYzYTk2MWU2ODAKBggqhkjOPQQDAgNIADBFAiEA+14zA3Eo6Vm2dMOwqb5E\nI8f78I3ou00wjd2ni4tOlp8CIFw866k73nGF0zwtEzs1tV0bKkb+bH4CEXBlanYo\ng6uJ\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}
2018/05/31 12:07:56 [DEBUG] Received response statusCode=401 (401 Unauthorized)
Error: Response from server: Error Code: 20 - Authorization failure
```
I am enrolling peers and users with the same script and it is working perfectly fine.. I have been struggling with this for 3 hours....

aambati (Thu, 31 May 2018 13:39:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XKQRqPjcxTkANdXNQ) @mp i thought it should be possible but i have not tried before...Can you pls open a JIRA ticket (https://jira.hyperledger.org/), we will look into it

nmarcetic (Thu, 31 May 2018 14:05:46 GMT):
Hey folks, is it possible to set the database section using docker env variables?
```
db:
  type: sqlite3
  datasource: fabric-ca-server.db
```
For example I want to use postgresql; can I set those params ^ via docker env var?

aambati (Thu, 31 May 2018 14:31:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tqHNCKrc53RMKSdJJ) @migrenaa What do you see in the server log? The server log should give more details... I am assuming that you have registered orderer1-orbixOrg1 with the CA server running at intermediate-ca-orbixOrg1:7054

aambati (Thu, 31 May 2018 14:31:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GnKaZF5hKCDi9KPQ4) @nmarcetic I think you should be able to...FABRIC_CA_SERVER_DB_TYPE, FABRIC_CA_SERVER_DB_DATASOURCE

nmarcetic (Thu, 31 May 2018 14:35:15 GMT):
@aambati Thanks! Will try this ^

migrenaa (Thu, 31 May 2018 14:48:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8Zu5Q3fB64mbjbo4p) @aambati
```
2018/05/31 12:07:50 [INFO] Listening on http://0.0.0.0:7054
2018/05/31 12:07:56 [DEBUG] Received request for /enroll
2018/05/31 12:07:56 [DEBUG] ca.Config: &{Version:1.1.0 Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name:intermediate-ca-orbixOrg1 Keyfile:/etc/hyperledger/fabric-ca/ca-key.pem Certfile:/etc/hyperledger/fabric-ca/ca-cert.pem Chainfile:/etc/hyperledger/fabric-ca/ca-chain.pem} Signing:0xc420317990 CSR:{CN:root-ca-orbixOrg1-admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[intermediate-ca-orbixOrg1] KeyRequest: CA:0xc4202a5e80 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.AffiliationMgr:1 hf.Registrar.Roles:peer,orderer,client,user hf.Registrar.DelegateRoles:peer,orderer,client,user hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:*] }]} Affiliations:map[orbixorg1:[] org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:/etc/hyperledger/fabric-ca/fabric-ca-server.db TLS:{false [] { }} } CSP:0xc420314750 Client: Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** Profile: Label: CSR: CAName: AttrReqs:[] }} CRL:{Expiry:24h0m0s}}
2018/05/31 12:07:56 [DEBUG] DB: Getting identity orderer1-orbixOrg1
2018/05/31 12:07:56 [INFO] 172.18.0.5:39982 POST /enroll 401 23 "Failed to get user: : scode: 404, code: 63, msg: Failed to get User: sql: no rows in result set"
```

migrenaa (Thu, 31 May 2018 14:48:42 GMT):
this is the log from the Intermediate CA server

aambati (Thu, 31 May 2018 14:53:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YxbMFrj58tFPCpcQF) @IgorSim sorry, I misread your question...As long as the submitter of the transaction has a certificate issued by one of the CAs whose certificate is in one of the MSPs of the channel configuration, the user is allowed to submit. Also, there are readers and writers that say who can read and update the channel configuration

aambati (Thu, 31 May 2018 14:53:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YxbMFrj58tFPCpcQF) @IgorSim by default, users need to satisfy channel application (groups.Application) writers policy to submit a transaction...so, if the user satisfies his org's writers policy, he/she should be able to submit a transaction

aambati (Thu, 31 May 2018 14:54:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fqjszKRaoYWCJsosR) @migrenaa it seems the user is not registered with the intermediate server...are you sure the user was registered with this intermediate CA and not root CA?

migrenaa (Thu, 31 May 2018 15:18:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2sjqdvAayhxeSZpeX) @aambati Thanks a lot... I was not registering the user at all....

mp (Thu, 31 May 2018 22:10:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3H46uyGQ9fgHhgoMi) @aambati created ticket FAB-10507

alexvicegrab (Thu, 31 May 2018 22:26:06 GMT):
Hello, is there a best practice example of how to generate the Channel MSP (not Local MSP) required for the genesis.block for the Orderer(s) without using `cryptogen`, but solely using the `fabric-ca-client`/server? i.e. do I merely need to obtain the certificates (`cainfo` command) from the CA Servers using the Client and then specify the location of these certificates in the configtx.yaml for each of the relevant organisations when generating the Genesis block?

TobiasN (Fri, 01 Jun 2018 01:25:12 GMT):
Hi, I want to update a user's attributes. My app uses the node-sdk. The situation is: a User is registered, he uses some channels, and after a while he is supposed to gain new privileges. In chaincode I want to do permission control using attributes. What would be the preferred way to implement updating the attributes in the database? Until now I still use the CA-server with sqlite. It works to update the attributes by updating the sqlite directly. Switching to mysql or postgresql would make that update easier. I thought there should be an API for the CA-server, but I could not find it. What would be your preferred solution?

tian (Fri, 01 Jun 2018 01:51:48 GMT):
Has joined the channel.

VinayChaudharyOfficial (Fri, 01 Jun 2018 04:54:52 GMT):
Has joined the channel.

sandman4 (Fri, 01 Jun 2018 04:56:33 GMT):
Hi, cryptogen provides an extend command. To my understanding it generates certificates for more nodes relative to nodes already in the network, but I can't seem to get its usage right. Can anyone please guide me?

sandman4 (Fri, 01 Jun 2018 04:57:05 GMT):
also is cryptogen well suited for production environment?

IgorSim (Fri, 01 Jun 2018 05:53:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=F7cZFmKcwBKLCfGBL) @alexvicegrab Yes, you need to have the organizations' MSPs created before creating the genesis block. You can look at the fabric-samples/fabric-ca example where all crypto material is generated with the CA.

mageover (Fri, 01 Jun 2018 06:36:48 GMT):
Has joined the channel.

mageover (Fri, 01 Jun 2018 06:48:16 GMT):
Hi, guys. I have built a working fabric network consisting of two orgs. And I tried to use certificates from the CA server. I applied for certs as below:
```
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
fabric-ca-client register --id.name Admin@org1-f-1 --id.type user --id.affiliation org1.department1 --id.secret peeradminpw --id.attrs hf.admin=true:ecert
fabric-ca-client enroll -u http://Admin@org1-f-1:peeradminpw@localhost:7054 -M /etc/hyperledger/fabric-ca-server/adminMSP
fabric-ca-client register --id.name User1@org1-f-1 --id.type user --id.affiliation org1.department1 --id.secret user1pw
fabric-ca-client enroll -u http://User1@org1-f-1:user1pw@localhost:7054 -M /etc/hyperledger/fabric-ca-server/userMSP
fabric-ca-client register --id.name peer0.org1-f-1 --id.type peer --id.affiliation org1.department1 --id.secret peer0pw
fabric-ca-client enroll -u http://peer0.org1-f-1:peer0pw@localhost:7054 -M /etc/hyperledger/fabric-ca-server/peer0MSP
fabric-ca-client register --id.name peer1.org1-f-1 --id.type peer --id.affiliation org1.department1 --id.secret peer1pw
fabric-ca-client enroll -u http://peer1.org1-f-1:peer1pw@localhost:7054 -M /etc/hyperledger/fabric-ca-server/peer1MSP
```
And then I replaced the corresponding certs in crypto-config. But when I try the "create channel" command, an error occurs. Below are the orderer logs:

mageover (Fri, 01 Jun 2018 06:48:32 GMT):

architect.png

alexvicegrab (Fri, 01 Jun 2018 10:12:58 GMT):
Thanks @IgorSim.

alexvicegrab (Fri, 01 Jun 2018 10:17:14 GMT):
I have another question regarding best practices. If a single entity ( `EntityA` ) logically participates both as the orderer organisation ( `OrdOrg` ) and as one of the peer/channel organisations ( `PeerOrg` ), should I... 1) setup 2 completely separate Root CAs (each with its own Intermediate CA, etc.) for the `OrdOrg` and its nodes and the peer/channel and nodes? or is it better to use: 2) setup a single Root CA, but 2 attached intermediate CAs, each serving `OrdOrg` and `PeerOrg` in turn?

nmarcetic (Fri, 01 Jun 2018 12:34:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7mS8SuaX4EWQCgYP7) @aambati Works like a charm! Thank you :beer:

SimonOberzan (Fri, 01 Jun 2018 12:57:21 GMT):
Hi. I am trying to declare affiliations for my ca-server using environment variables, but I am having trouble with it. Could someone please post an example env variable definition for setting an affiliation?

aambati (Fri, 01 Jun 2018 14:31:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=F7cZFmKcwBKLCfGBL) @alexvicegrab yes. Form the msp folder structure, using the fabric-ca-client get ca certs (intermediate and root ca certs) , put certificate of the admins in the admincerts folder

aambati (Fri, 01 Jun 2018 14:34:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fBDn82uHadmB2DmhL) @TobiasN the fabric-ca-client identity command would do...http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#getting-identity-mixer-credential-for-a-user ..you also need to ask the user to re-enroll to get the new attributes in his/her ecert

aambati (Fri, 01 Jun 2018 14:36:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=y6z7WK7RETtKeEaM8) @sandman4 I don't know much about the extend command, but it is recommended that you use a CA like Fabric CA for production environments

aambati (Fri, 01 Jun 2018 14:41:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JJcHFQS7GdtjAw6Gh) @SimonOberzan affiliations are hierarchical and can have arbitrary names, for this reason they cannot be specified using env variable

SimonOberzan (Fri, 01 Jun 2018 14:41:47 GMT):
@aambati ah, I see. Thanks

alexvicegrab (Fri, 01 Jun 2018 14:45:19 GMT):
Thanks @aambati , would you have also advice regarding the best practices relating to Orderer and Peer orgs, as above? [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BCLBsZTCQjhuW5bPY)

aambati (Fri, 01 Jun 2018 15:08:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rRKQbwXEgKt3e2Lig) @mageover That basically says that the policy was not satisfied for making the config update....which means that the channel config update transaction was not signed by enough organizations

xo-Lai (Fri, 01 Jun 2018 15:16:09 GMT):
Has joined the channel.

tom.appleyard (Fri, 01 Jun 2018 16:43:28 GMT):
Has joined the channel.

tom.appleyard (Fri, 01 Jun 2018 16:43:31 GMT):
Hey All

tom.appleyard (Fri, 01 Jun 2018 16:44:16 GMT):
`2018/06/01 16:31:05 [DEBUG] Registration of 'tom' failed: Registration of 'tom' to validate: Failed getting affiliation 'Org1MSP': : scode: 404, code: 63, msg: Failed to get Affiliation: sql: no rows in result set`

tom.appleyard (Fri, 01 Jun 2018 16:44:23 GMT):
Does anyone know what this means and how to fix it

tom.appleyard (Fri, 01 Jun 2018 16:44:38 GMT):
I'm trying to register a new user using some code I wrote for the SDK

tom.appleyard (Fri, 01 Jun 2018 16:45:04 GMT):
```
/**
 * Registers a new user with the CA service, the current user context MUST be an account with the privileges to
 * create new users to run this without error.
 * @param {*} username
 */
async registerUser(id, secret, mspId) {
    // Specify who we want to register and with what secret,
    // setting maxEnrollments to 0 means they are infinite
    const request = {
        enrollmentID: id,
        enrollmentSecret: secret,
        maxEnrollments: 0,
        affiliation: mspId
    };
    // Who is executing this action?
    const registrar = await this.client.getUserContext('admin');
    // winston.info(registrar.getSigningIdentity())
    // Make a new user
    return this.caClients[0].register(request, registrar);
}
```

tom.appleyard (Fri, 01 Jun 2018 16:45:53 GMT):
I assume there is some issue with what I'm setting as the 'affiliation'

tom.appleyard (Fri, 01 Jun 2018 16:45:56 GMT):
can anyone help me out?

aambati (Fri, 01 Jun 2018 18:43:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=69KyvzdD6oZxd7W4n) @alexvicegrab are you saying that EntityA is a member of the orderer org as well as the peer org? In which case, EntityA could have two credentials (x509 certs), one issued by the orderer org CA and the other issued by the peer org CA. I don't understand your suggested solutions just to accommodate a user who is a member of two orgs... maybe I don't understand your question

aambati (Fri, 01 Jun 2018 18:47:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Hhr4ckNp3vdA39fWd) @tom.appleyard Seems like the affiliation "Org1MSP" is not defined... you can either specify the affiliations in the server config file or use `fabric-ca-client affiliation` to create new affiliations... https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#adding-an-affiliation

alexvicegrab (Fri, 01 Jun 2018 19:47:42 GMT):
@aambati, sorry if I was not clear I meant that EntityA is not a user, but a Company (e.g. the Example company with example.com domain), in control of both the Orderer nodes and at least some of the Peer nodes. Should this company: A) host two separate root CA's each with an intermediate CA (each responsible for the set of Orderers and one for the set of Peers) B) host a single root CA, but with 2 intermediate CAs (again, each responsible for the set of Orderers and one for the set of Peers)

aambati (Fri, 01 Jun 2018 23:23:07 GMT):
I think one CA should suffice... but either of your options is also not a bad idea... But I don't know why you need to have separate CAs; what is your reason for having two separate roots of trust for orderer nodes and peer nodes?

vijay5378 (Sat, 02 Jun 2018 11:52:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NRt7F49EtGE4aDHZq) @aambati Thanks

vijay5378 (Sat, 02 Jun 2018 11:53:48 GMT):
If I am using my own means to generate a private key, is there a naming convention that I should follow? The private key names seem to be a random hash followed by _sk

vijay5378 (Sat, 02 Jun 2018 11:54:36 GMT):
Can I use a random hash value followed by _sk to store the private key file?

demonkm (Sun, 03 Jun 2018 02:25:30 GMT):
Has joined the channel.

jcwarfield (Sun, 03 Jun 2018 20:43:39 GMT):
Has joined the channel.

ulinux (Mon, 04 Jun 2018 01:30:43 GMT):
Has joined the channel.

IsaacWong (Mon, 04 Jun 2018 08:37:33 GMT):
Has joined the channel.

vijay5378 (Mon, 04 Jun 2018 09:43:27 GMT):
Hi, do we have a java implementation for fabric-ca-client getcacert? I checked HFCAClient but it doesn't have the method..

skarim (Mon, 04 Jun 2018 13:50:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EqyrSRQYkEEWuqBxq) @vijay5378 In HFCAClient in the Java SDK, the method is called `info`

NihadOgresevic (Mon, 04 Jun 2018 13:50:43 GMT):
Has joined the channel.

migrenaa (Mon, 04 Jun 2018 14:56:25 GMT):
Hello, I am trying to enroll a user but I got connection received error. The CA server is deployed on a server but it is in the same network and the port is exposed. Any ideas?

aambati (Mon, 04 Jun 2018 15:00:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Kn6fWWr3yrFCKsmyC) @vijay5378 There is no naming convention... _sk naming convention is used by BCCSP , which is the crypto provider that Fabric CA uses...

anugu (Mon, 04 Jun 2018 18:21:40 GMT):
Has joined the channel.

mgalat (Mon, 04 Jun 2018 18:30:52 GMT):
Has joined the channel.

Gaoqi (Mon, 04 Jun 2018 20:31:44 GMT):
Has joined the channel.

alexvicegrab (Mon, 04 Jun 2018 23:10:07 GMT):
Hello, I understand that to create the genesis block, I need to get the `cacerts` (this is easy, by getting the `getcainfo`, as discussed above) and `admincerts`, I need to enroll the Admin (bootstrap) user of the intermediate CA, and copy/use the `signcerts` generated as the `admincerts`. I imagine the best thing is to enroll this identity on the Intermediate server once and pass the relevant certificates ( `cacerts` & `signcerts` / `admincerts` ) to be used for the creation of the relevant genesis block. A) Is this correct & best-practice? Or is there a more correct way of obtaining these certificates? B) If somehow the Intermediate CA is re-enrolled and the private key & certificate are updated, the genesis block will still refer to the old `admincerts` certificate. Will this be problematic?

alexvicegrab (Tue, 05 Jun 2018 00:13:39 GMT):
Furthermore, I see that there should exist a way of obtaining the certificate directly from a CA, per http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#listing-certificates-information:
```
# Configure an identity to be an admin, by storing certificates for an identity in the MSP:
export FABRIC_CA_CLIENT_HOME=/tmp/clientHome
fabric-ca-client certificate list --id admin --store msp/admincerts
```
But this command does not appear to be available in either the published binaries or when building from source the latest fabric-ca-client (using the Gerrit repo). C) When will this capability become available?

ymjnudt (Tue, 05 Jun 2018 01:08:17 GMT):
Has joined the channel.

mastersingh24 (Tue, 05 Jun 2018 08:30:46 GMT):
@alexvicegrab - you are looking at the "latest" docs which correspond to the release which is currently under development. The released images and binaries are v1.1.0. You can select the release version in the docs. To answer the "when" question, the v1.2 release is due out at the end of this month

gravity (Tue, 05 Jun 2018 09:59:12 GMT):
Hi there. How to create one more organization admin who can create channels and instantiate chaincodes? I've tried to copy `cert.pem` from `signcerts` to `admincerts`, but it doesn't work this way. Thanks in advance

IgorSim (Tue, 05 Jun 2018 10:22:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HyPGN34cDgqvq8zSa) @gravity I guess it depends if you want to add one more org admin to existing network or not. If yes, then i think you need to go through 'updating channel configuration'.

gravity (Tue, 05 Jun 2018 10:33:11 GMT):
@IgorSim thanks, I'll take a look. But I've got a problem here with admin user. I've started with `fabric-ca` sample. There is a function where the admin is enrolled and admin's `cert.pem` file was copied to `admincerts` folder. Later, if I enroll the admin via CA client in java sdk and I try to create a channel on behalf of this admin, I'm receiving an error `This identity is not an admin`. But if I manually copy `cert.pem` and `*_sk` files and put them into enrollment object and try to create a channel on behalf of this user - everything is ok

IgorSim (Tue, 05 Jun 2018 10:40:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CSDxPjcozBFESeZ9N) @gravity When you enroll the admin via java SDK, is the certificate you receive in response the same with the 'cert.pem' (the one you copy manually and works) ?

gravity (Tue, 05 Jun 2018 11:34:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HHbRACdJ9Arq3c3Xt) @IgorSim actually they are different. Now I don't understand who is the owner of that `cert.pem` in the `admincerts` folder

IgorSim (Tue, 05 Jun 2018 11:56:35 GMT):
@gravity So, i guess upon every new enrollment you get different cert, and if this cert isn't in peer's MSP 'admincerts' folder then you can't execute 'admin' operations? I'm not sure i understand entire picture either

gravity (Tue, 05 Jun 2018 12:07:52 GMT):
@IgorSim upon every enrollment I receive the same cert.pem, but it differs from `admincerts/cert.pem`, and now I don't have credentials for the user who is the owner of `admincerts/cert.pem`. But if I put the `cert.pem` of another user into `admincerts/`, what else do I have to do to make this user an admin (who can create channels etc.)?

alexvicegrab (Tue, 05 Jun 2018 13:09:08 GMT):
Thanks @mastersingh24. What about this part of the question? [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3ac33SjWeahPHzzhJ)

vijay5378 (Tue, 05 Jun 2018 13:48:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YqnQoAf3wcoMLvpSe) @skarim Thanks this works. A follow up question..... is there any mechanism to retrieve the servers tls certificate using java? If I set the enrollment profile to tls and use fabric-ca-client enroll in CLI, the tls certificate is stored under tlscacerts

aambati (Tue, 05 Jun 2018 14:06:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=enMnoYDv5wDJi8CAk) @alexvicegrab Admin is little overloaded term. There is a bootstrap user in Fabric CA, who is usually designated as admin for Fabric CA. Then there is peer admin, whose cert must be in the admincerts folder of peer's msp (which is on the peer file system) and there is channel admin , whose cert must be in admincerts folder of the msp that is in channel configuration... A. Short answer is yes. B. yes, if you meant, if the user is reenrolled, in which case the user will be given new set of cert, private key. But if previous cert is not expired user can continue to use it. But if the new cert is used, the user will not be considered admin because the cert is not in admincerts folder

javrevasandeep (Tue, 05 Jun 2018 14:30:14 GMT):
@aambati I am trying to configure couchDB to store user credentials instead of FileKeyValueStore. While doing so, I made some changes to the org1.yaml file:
```
client:
  organization: org1
  credentialStore:
    url: "http://mushu:blockchain@localhost:5984"
    cryptoStore:
      path: "/tmp/fabric-client-kv-org1"
    wallet: wallet-name
```
But I am getting the below error:
```
[2018-06-04 23:16:03.142] [DEBUG] Helper - [FileKeyValueStore.js]: constructor { options: { url: 'http://:@localhost:5984', wallet: 'wallet-name', cryptoStore: { path: '/tmp/fabric-client-kv-org1' } } }
[2018-06-04 23:16:03.144] [ERROR] Helper - Failed to get registered user: feng with error: Error: Must provide the path to the directory to hold files for the store.
```

mgalat (Tue, 05 Jun 2018 14:38:41 GMT):
Hi, I am trying to spin up a new peer into an existing org, I have followed the steps in the fabric-ca example to register and enroll it, but then when I run "peer node start" i get the following gossip error: "Authentication failed: failed classifying identity: Unable to extract msp.Identity from peer Identity: Peer Identity [...] cannot be validated. No MSP found able to do that." Any idea what I did wrong?

alexvicegrab (Tue, 05 Jun 2018 14:38:56 GMT):
@aambati thank you. This is where everything becomes quite confusing to me (particularly when thinking about using multiple peers, etc), as the Fabric-CA example in the `fabric-samples` references a lot of different parts across separate scripts. It initially looked as if the bootstrap Admin of the Intermediate CA is the Admin needed for the `OrdererMSP` and `PeerMSP` sides of the `configtx.yaml`, but apparently we need a separate peer admin, channel admin, etc. for these instead. I'm guessing we need to separately enroll an Admin for the Peer organisation and the Orderer organisation - Is this correct? I'm also guessing we can keep the private key of each Admin away from each of the peers and orderers, or: - do we need the private key to be able to join a channel, or can this material be kept out of the peers (and orderers)?

aambati (Tue, 05 Jun 2018 14:49:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qy7NgQpBEg4uz4QJs) @mgalat I am assuming you have setup msp directory structure (see https://hyperledger-fabric.readthedocs.io/en/latest/msp.html?highlight=msp) and pointed the peer to it?

mgalat (Tue, 05 Jun 2018 14:52:14 GMT):
Yes, I have all of the required directories and they are populated with the proper files from the CA

aambati (Tue, 05 Jun 2018 14:58:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=M3ybTYhy9EmgJ5CSi) @alexvicegrab 1) yes 2) i am not completely sure about this, admin private keys need not be part of the peer/orderer msp. When peer join channel is issued, it is issued using the admin's msp

aambati (Tue, 05 Jun 2018 15:30:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZqmaLW6cafXNwk2Dh) @javrevasandeep i don't know much about using CouchDB for storing credentials...Please ask this question in SDK channel

ping40 (Wed, 06 Jun 2018 01:15:55 GMT):
@aambati can you help me to merge https://gerrit.hyperledger.org/r/#/c/22345/ ? thanks

vijay5378 (Wed, 06 Jun 2018 05:41:01 GMT):
@aambati @skarim Is there any way to retrieve server's tlscacertificate through java? I used HFCAClient.info to get the ca certificates, however stumped while retrieving the tls certs.

vijay5378 (Wed, 06 Jun 2018 07:41:32 GMT):
Also as a followup question - Why does the java implementation force us to specify a keypair when we set the csr?

RealDeanZhao (Wed, 06 Jun 2018 09:01:40 GMT):
Has joined the channel.

RealDeanZhao (Wed, 06 Jun 2018 09:02:19 GMT):
Hi all, I have a question that is the fabric ca user the same as the user registered from the websites?

vidor (Wed, 06 Jun 2018 09:02:55 GMT):
Has joined the channel.

mastersingh24 (Wed, 06 Jun 2018 11:36:25 GMT):
@RealDeanZhao - not sure I understand your question?

smithbk (Wed, 06 Jun 2018 11:55:06 GMT):
@ping40 merged

smithbk (Wed, 06 Jun 2018 12:14:35 GMT):
@vijay5378 The server's TLS cert is issued by the CA cert, so your client can specify the following for TLS to a root CA `FABRIC_CA_CLIENT_TLS_CERTFILES=ca-cert.pem`. or `FABRIC_CA_CLIENT_TLS_CERTFILES=ca-chain.pem` for TLS to an intermediate CA

smithbk (Wed, 06 Jun 2018 12:15:20 GMT):
I suggest you ask the followup question on the #fabric-sdk-java channel

ping40 (Wed, 06 Jun 2018 12:47:03 GMT):
@aambati thanks

ping40 (Wed, 06 Jun 2018 12:58:55 GMT):
@smithbk thanks

angeloatleadiq (Wed, 06 Jun 2018 13:33:54 GMT):
How do I generate sample CA client's key and cert?
```
certificateAuthorities:
  ca.org1.hf.example.com:
    url: https://localhost:7054
    tlsCACerts:
      # Comma-Separated list of paths
      path: "${GOPATH}/src/github.com/example/network/crypto-config/ordererOrganizations/hf.leadiq.com/ca/ca.hf.leadiq.com-cert.pem"
    # Client key and cert for SSL handshake with Fabric CA
    client:
      key:
        path:
      cert:
        path:
```

aambati (Wed, 06 Jun 2018 14:19:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FLYwAr7zx5u2Q4w32) @angeloatleadiq by calling `fabric-ca-client enroll --enrollment.profile tls` ...you can use same userid and password that is used to get client's enrollment certificate

vish146 (Wed, 06 Jun 2018 18:12:20 GMT):
Has joined the channel.

KarandeepSingh (Thu, 07 Jun 2018 05:26:38 GMT):
Has joined the channel.

tfls08 (Thu, 07 Jun 2018 07:04:48 GMT):
Has joined the channel.

Adam_Hardie (Thu, 07 Jun 2018 14:27:40 GMT):
Has joined the channel.

SaraEmily (Thu, 07 Jun 2018 15:02:30 GMT):
Hello! I'm trying to extend the Node SDK example balance-transfer and have the exact same problems as in this post: https://stackoverflow.com/questions/48836728/unable-to-enroll-user-in-new-org-added-to-balance-transfer-sample According to this the fabric ca only have two affiliations and I need a new one for the third organization I want to add. I don't know how to add a new affiliation, the answer given in the stackoverflow is good but I need more info, like where to runt the fabric-ca-client command etc. I hope someone here can help, thanks!

migrenaa (Thu, 07 Jun 2018 15:31:12 GMT):
Hi guys. I am trying to enroll the admin of the CA using the node js sdk, but I got the error:
```
Enrollment failed with errors [[{"code":20,"message":"Authorization failure"}]]
```
The last log on the CA server is:
```
POST /api/v1/enroll 401 23 "Failed to get user: : scode: 404, code: 63, msg: Failed to get User: sql: no rows in result set"
```
I am wondering if the problem is in the CA configuration (I am using an Intermediate CA Server) or in my node js client.. Do you have any idea?

IgorSim (Thu, 07 Jun 2018 16:32:49 GMT):
hi, i'm trying to delete an affiliation but i see in CA logs following message : "Affiliation removal is disabled" . How can i enable removal of an affiliation, i can't find it in the docs...

aambati (Thu, 07 Jun 2018 17:58:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kqDTDdTnGbb8vuHWo) @IgorSim using `--cfg.affiliations.allowremove` option

aambati (Thu, 07 Jun 2018 18:03:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=w6ECRRFbd44h7m4p8) @SaraEmily you can use `fabric-ca-client affiliation` command to add new affiliation.. You can run in any container that has fabric-ca-client executable and that has CA admin credentials... "I need a new one for the third organization " seems to suggest that you have one CA for multiple orgs?

alexvicegrab (Thu, 07 Jun 2018 23:08:30 GMT):
@aambati, speaking of the issue of @IgorSim, I have added a small fix to add the relevant configuration options to the fabric-ca-server configuration file: https://gerrit.hyperledger.org/r/#/c/22829/ https://jira.hyperledger.org/browse/FAB-10566

abraham (Fri, 08 Jun 2018 04:13:41 GMT):
Has joined the channel.

wangrangli (Fri, 08 Jun 2018 05:29:10 GMT):
Has joined the channel.

aKesav (Fri, 08 Jun 2018 07:39:55 GMT):
Has joined the channel.

SaraEmily (Fri, 08 Jun 2018 08:55:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Mt4n5WEgQ4DjhjFdE) @aambati Thanks for the reply! No I have one CA per org, sorry for poor wording, I just need a new affiliation for the new org

kostas (Fri, 08 Jun 2018 13:23:53 GMT):
Has joined the channel.

kostas (Fri, 08 Jun 2018 13:24:24 GMT):
Quick question for you all: should it be possible to use non-ASCII characters in cert attributes? Looking at this one: https://jira.hyperledger.org/browse/FAB-10507

SaraEmily (Fri, 08 Jun 2018 14:11:39 GMT):
Hey! I'm starting from the balance-transfer node sdk example and want to expand it with more orgs. In order to achieve this I need to add affiliations for them, which I can do with `fabric-ca-client affiliation`. Okay, so in order to run fabric-ca-client affiliation I need to enroll an admin user from inside a container. I'm running `fabric-ca-client enroll -u http://admin:adminpw@dockerhost:4000` and I can see errors coming to my localhost server, so somehow they are connected. I get `[INFO] Created default config`, `[INFO] generating keys`. So far so good. But I get an error (on both sides) when it tries to encode (or decode?) the CSR: `UnauthorizedError: Format is Authorization: Bearer [token] at middleware`. Is there anyone who knows what I'm doing wrong? Thanks!

khalifa (Fri, 08 Jun 2018 14:53:07 GMT):
Hi all

khalifa (Fri, 08 Jun 2018 14:53:26 GMT):
I am developing a java client that communicates with my blockchain.

khalifa (Fri, 08 Jun 2018 14:54:07 GMT):
In my java code, I enroll the admin again and I try to send a query. However, I got this error:

khalifa (Fri, 08 Jun 2018 14:54:33 GMT):
```
ERROR CryptoPrimitives - Cannot validate certificate. Error is: signature check failed
Certificate [0]
  Version: 3
  SerialNumber: 169195925483891049291001689070156112549517931656
  IssuerDN: C=US,ST=North Carolina,O=Hyperledger,OU=Fabric,CN=rca-org0
  Start Date: Fri Jun 08 15:40:00 CEST 2018
  Final Date: Sat Jun 08 15:45:00 CEST 2019
  SubjectDN: C=US,ST=North Carolina,O=Hyperledger,OU=peer+OU=org1,CN=peer1-xxxx
  Public Key: EC Public Key [ad:0a:4a:40:c7:2e:b1:47:a2:7c:eb:30:20:6a:f0:4e:e8:64:bd:3e]
    X: e59844b344cb38e0515710b6f0969c754ebfb836d1f65259e78a11bf1ddc587e
    Y: fbc9b643dc860a3c849bef704e8608bad44f2efa010a6f6c6ae9cfcd6cd46f92
  Signature Algorithm: SHA256withECDSA
  Signature: 304402206f66e7c32503e02caaed291affe60407
             1d9adeea1a2d7f24a6783448c099fe250220091d
             fb66eded141b1a4f406fd0fc20305a230ef84f36
             a927a57fa9cc366c4c74
  Extensions:
    critical(true) KeyUsage: 0x80
    critical(true) BasicConstraints: isCa(false)
    critical(false) 2.5.29.14 value = DER Octet String[20]
    critical(false) 2.5.29.35 value = Sequence Tagged [0] IMPLICIT DER Octet String[20]
    critical(false) 2.5.29.17 value = Sequence Tagged [2] IMPLICIT DER Octet String[12]
    critical(false) 1.2.3.4.5.6.7.8.1 value = java.io.EOFException: DEF length 116 object truncated by 84
```

khalifa (Fri, 08 Jun 2018 14:54:53 GMT):
Have you any idea how to follow this issue.

khalifa (Fri, 08 Jun 2018 14:54:57 GMT):
Thanks in advance

ashutosh_kumar (Fri, 08 Jun 2018 15:10:09 GMT):
@kostas , byte array is the Data type for extension value and hence non-ascii is allowed.

aambati (Fri, 08 Jun 2018 15:27:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gLtR5RkmYu7CRiA66) @SaraEmily can u pls run server and client with -d option , that will give more information...

aambati (Fri, 08 Jun 2018 15:29:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WBnyGz9ZSbgevFydv) @khalifa This error looks familiar...i think this might have been fixed...did you ask this question in Java SDK channel

aambati (Fri, 08 Jun 2018 15:45:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JGFJkkExpTuh5PwjK) @ashutosh_kumar although all strings in golang represented in utf-8, there seems to be an issue with how they are being stored in the certificate...

aambati (Fri, 08 Jun 2018 17:29:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NE8o9h8BYHC4SGpSH) Are you using SDK 1.1.0?

IgorSim (Fri, 08 Jun 2018 21:17:54 GMT):
Hi, i have one question about 'fabric-samples/fabric-ca' example when user identity is used to query and invoke chaincode. Before trx. proposal is sent switch is made which is basically setting up MSP for user identity through enrollment using fabric-ca-client. And this works fine. So far, so good. Next, i enrolled with user identity again, this time using fabric java-sdk and tried to invoke chaincode. But, it doesn't work, i see an error in orderer log that identity isn't in writers policy(Signature set did not satisfy policy /Channel/Writers) What's the difference? As far i understand, one difference is that when creating MSP 'admincerts' is populated with Org admin which isn't done when enrollment is done via sdk. Maybe question is for #fabric-sdk-java channel but i hope someone will explain how it works in fabric-ca example.

MuhammadSalah (Fri, 08 Jun 2018 22:29:48 GMT):
Hello everyone, can somebody help me with this error "{"code":19,"message":"CA 'ca.org1.example.com' does not exist"}"

MuhammadSalah (Fri, 08 Jun 2018 22:30:01 GMT):
How to properly configure the CA server?

MuhammadSalah (Fri, 08 Jun 2018 22:30:19 GMT):
although it works okay through the client "fabric-ca-client"

MuhammadSalah (Fri, 08 Jun 2018 22:30:31 GMT):
Not through the composer playground

kostas (Fri, 08 Jun 2018 22:52:29 GMT):
Has left the channel.

sampath06 (Sat, 09 Jun 2018 01:19:42 GMT):
With fabric-ca, is it possible to use something similar to the deterministic wallets in ethereum/bitcoin?

alexvicegrab (Sat, 09 Jun 2018 20:45:37 GMT):
@IgorSim, the population of the admincerts is not done via the enrollment, but via a "manual" copying step in the samples, as far as I could see: https://github.com/hyperledger/fabric-samples/blob/master/fabric-ca/scripts/env.sh#L250

aambati (Sat, 09 Jun 2018 22:13:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=h4bbJzJTb3RYgRuPA) @IgorSim by default, all users with a valid cert issued by the org CA can submit a transaction... did u change the writers policy? The new user you are enrolling via sdk is with a CA of a participating org, right?

IgorSim (Sun, 10 Jun 2018 06:38:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GPbFWagKYK8tzdTBz) @aambati Yes, new user is registered at CA of participating ORG. And, i didn't touch writers policy, i have default one. OK, i will double check what's going on, maybe i have some problem...tnx.

IgorSim (Sun, 10 Jun 2018 06:42:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zfLkCxqniqCLFCbRw) @alexvicegrab Yes, 'admincerts' is not populated through enrollment, i just want to emphasize the fact that when i enroll with sdk admin cert is not used at all , but in fabric-ca examples admin certs is first copied manually before user is used.

IgorSim (Sun, 10 Jun 2018 07:11:05 GMT):
@aambati @alexvicegrab my reasoning was, ok 'fabric-ca' example is clear and it works, let's try now to switch to sdk, enroll with org user, send query and invoke transactions and check if it works

khalifa (Sun, 10 Jun 2018 07:17:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ApfNkehEfN2Q4DMHH) @aambati Thank you i will put it in the java SDK channel

SaraEmily (Mon, 11 Jun 2018 09:53:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jkqu2P2kH7y4jqSy3) @aambati I run the same thing with the -d flag and everything looks fine until it sends the POST for the certificate request, it receives the response 401 - Unauthorized. So I tried using https and specifying the tls-certfile, tls-client-certfile and tls.client.keyfile. It still fails at the same place, when trying the POST request for the certificate. This time the error is EOF: Error: POST failure of request: POST https://dockerhost:4000/enroll {"hosts":["c15439552dbc"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBQTCB6QIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEL1MvoPVioCW8JHkP\nUFBFX7BFiKZNmALKUyyXSPipdTkncnU3JF7zHzUjaKvebuiqgOgQXRtYexUcFzNM\njeRuYKAqMCgGCSqGSIb3DQEJDjEbMBkwFwYDVR0RBBAwDoIMYzE1NDM5NTUyZGJj\nMAoGCCqGSM49BAMCA0cAMEQCIG/VL7nSsfm6gJdqPQw1dRn496WH6joTWrHI1CZs\nKHSSAiA4s1iuLOrzux6pRvWeKTu9EWMUxXE7GyiWnxqts3DJoQ==\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":"ca-org1"}: Post https://dockerhost:4000/enroll: EOF No logs appear on the server-side. Thanks in advance!

Sreesha (Mon, 11 Jun 2018 10:28:26 GMT):
fabric-ca-server-config.yaml i changed the db section like this:

Sreesha (Mon, 11 Jun 2018 10:29:02 GMT):
db:
  type: mysql
  datasource: root:password@tcp(localhost:3306)/testDB?parseTime=true
  tls:
    enabled: false
    certfiles:
    client:
      certfile:
      keyfile:

Sreesha (Mon, 11 Jun 2018 10:29:29 GMT):
On docker compose up the following error was shown:

Sreesha (Mon, 11 Jun 2018 10:29:41 GMT):
[ERROR] Error occurred initializing database: Failed to create user registry for MySQL: Failed to connect to MySQL database: dial tcp 127.0.0.1:3306: getsockopt: connection refused

Sreesha (Mon, 11 Jun 2018 10:29:57 GMT):
Does anyone know why this happened?

Saachi (Mon, 11 Jun 2018 12:26:53 GMT):
Has joined the channel.

Saachi (Mon, 11 Jun 2018 12:27:34 GMT):
Hey Guys. I am getting the following error.

Saachi (Mon, 11 Jun 2018 12:27:48 GMT):
If in Hyperledger fabric-samples , I shut down my dockers and start them again (without removing my existing hfc-key-store content ) using startFabric.sh , I am able to query the ledger using the previous user1 but unable to register new users using registerUser.js It gives the following error : Failed to register: Error: fabric-ca request register failed with errors [[{"code":20,"message":"Authorization failure"}]] Authorization failures may be caused by having admin credentials from a previous CA instance.

bourbonkidQ (Mon, 11 Jun 2018 13:26:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HWS992joTQaAyXRrw) @Sreesha Have you tried putting the real IP of the host instead of "localhost"?

aambati (Mon, 11 Jun 2018 14:33:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8DDcfjQMA2mpduz8W) @SaraEmily please post exact command you ran...tls client cert and key file are required if you have enabled mutual auth on the server...tls-certfile should point to the server's default ca cert

aambati (Mon, 11 Jun 2018 14:37:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jKDQXCh66j6MncJB7) @IgorSim i understand...but if you are using default policies, the certificate of the user who is invoking a transaction should not have to be in the admincerts of the msp

SaraEmily (Mon, 11 Jun 2018 14:40:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ptDcDtPDRFpHjRAK7) @aambati Sorry, I thought I deleted my post, I found the problem, it was really silly, I simply used the wrong serveraddress... Thanks for your help!

aambati (Mon, 11 Jun 2018 15:02:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8fpb2DTmmZkvNdCod) @Saachi i am assuming you are running fabcar sample (that is the only sample that has registerUser.js) ...are you sure restarting the fabcar sample does not generate new CA cert/key pair, which will invalidate the admin cert that is in the hfc-key-store?

IgorSim (Mon, 11 Jun 2018 21:18:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gPDrA9eJFhyi6RPXX) @aambati Well, that's what i also understood. Btw, maybe my assumption is not correct, i'm assuming that what's called as 'switchToUserIdentity' in fabric-samples/fabric-ca examples, in SDK world is basically 'enrolling' with that identity, is that correct?

aambati (Tue, 12 Jun 2018 00:17:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=b5csJGjQ9MyTYzFi5) @IgorSim switchToUserIdentity is going to that user's credentials, in sdk world that would be using that user's cert/key from the keystore

sarapara (Tue, 12 Jun 2018 00:35:07 GMT):
Has joined the channel.

Sreesha (Tue, 12 Jun 2018 04:22:53 GMT):
@bourbonkidQ

Sreesha (Tue, 12 Jun 2018 04:23:15 GMT):
Yes, I did try with the IP, but I got the same error.

sreeharsha_katta (Tue, 12 Jun 2018 04:39:25 GMT):
Has joined the channel.

Saachi (Tue, 12 Jun 2018 05:40:10 GMT):
@aambati Yes I am running fabcar sample. I modified the startFabric shell script so that the hfc-key-store contents are not removed when it runs. So I have the previous admin and user certificates in hfc-key-store. I am able to use them to query the ledger or make changes in the ledger using that previously created user but I am unable to register any more users.

bourbonkidQ (Tue, 12 Jun 2018 09:25:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=d5ezY5AHNtxo7n8Tb) @Sreesha Have you tried to curl the MySQL database?

Sreesha (Tue, 12 Jun 2018 09:31:56 GMT):
@bourbonkidQ No.

Sreesha (Tue, 12 Jun 2018 09:32:47 GMT):
I am getting this error while executing the docker-compose up command to start the CA server through the docker compose file.

bourbonkidQ (Tue, 12 Jun 2018 13:35:53 GMT):
Let's imagine that certificates on my network are about to expire ... how does certificate renewal work with crypto-gen? Once you have generated the new ones, what should I do?

rthatcher (Tue, 12 Jun 2018 13:37:06 GMT):
Has joined the channel.

rthatcher (Tue, 12 Jun 2018 13:39:32 GMT):
Apart from syntax, is there any difference in result in using `fabric-ca-client identity add` or `fabric-ca-client register` ? - or is there a preferred method?

skarim (Tue, 12 Jun 2018 14:06:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hS4mkgLMMDKGQwz3k) @rthatcher There is no difference, they do the same thing. You can use either one for adding a new identity, there is not a preferred method.

waleed (Wed, 13 Jun 2018 14:44:37 GMT):
Has joined the channel.

ajdav (Wed, 13 Jun 2018 14:51:50 GMT):
Has joined the channel.

ajdav (Wed, 13 Jun 2018 14:51:56 GMT):
Hey everyone, is there anyone here I would be able to chat with about in-depth details on the MSP? I've read online as much information is available however I still have a lot of questions. Thank you!

aambati (Wed, 13 Jun 2018 15:41:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=siofgWGvYpxCrkuEF) @Saachi probably CA comes up with new set of ca cert /key pair when it is restarted, which will invalidate the registrars credential...make sure that ca cert that is on the registrars machine is same as the one that CA is using...you can view the certs using openssl...you can also check if the AKI of the registrar's cert matches SKI of the CA cert that Fabric CA server is running with

aambati (Wed, 13 Jun 2018 15:43:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QXv3wJYqbpPqXsPir) @ajdav Any specific questions?

ajdav (Wed, 13 Jun 2018 15:51:28 GMT):
@aambati So when talking about local vs. channel MSPs, If you have an organization, is every actor in the organization under the same local MSP? I understand there might be certain actors of an organization who have access to channels and would therefore be configured in the channel MSP, however is there any place where every actor is configured? and if so, is that the local MSP? a follow up question for that would be are there different local MSPs for nodes vs. clients/users?

aambati (Wed, 13 Jun 2018 18:37:51 GMT):
@ajdav No. Local MSP is local to a peer/orderer...so, any local actions like installing chaincode, local MSP is used....for example, if the cert of the user that is trying to install chaincode is not in admincerts folder of the peer's local msp, it will fail. For channel specific actions like updating channel config, submitting a transaction, instantiating a chaincode, msp information that is in the channel configuration (sometimes referred to as channel msp) is used...

inquiringtimes (Wed, 13 Jun 2018 18:56:50 GMT):
Has joined the channel.

inquiringtimes (Wed, 13 Jun 2018 18:58:18 GMT):
Hello, I'm hoping someone can explain to me the relationship between CA and MSP

inquiringtimes (Wed, 13 Jun 2018 19:30:23 GMT):
I've spent quite a bit of time digging through the docs... but I'm still confused

0xSEGFAULT (Wed, 13 Jun 2018 19:51:23 GMT):
Has joined the channel.

0xSEGFAULT (Wed, 13 Jun 2018 19:53:19 GMT):
when using fabric-ca how do I tell it to create TLS certs. It creates the org certs just fine but it never generates the TLS certs like `cryptogen` does. Thanks!

nacerix (Wed, 13 Jun 2018 20:51:54 GMT):
Has joined the channel.

nacerix (Wed, 13 Jun 2018 21:19:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wagpZiNgL8GsE4Qqq) @inquiringtimes http://hyperledger-fabric.readthedocs.io/en/release-1.1/msp.html

inquiringtimes (Wed, 13 Jun 2018 21:21:19 GMT):
so MSP gets certificate from CA, and does its job in TX flow?

inquiringtimes (Wed, 13 Jun 2018 21:22:34 GMT):
my question being, also, does CA have any involvement in TX flow? or they give certificate to client, and msp verifies during transactions

0xSEGFAULT (Wed, 13 Jun 2018 21:23:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4oAFYycJonsZRscz3) --enrollment.profile tls

inquiringtimes (Wed, 13 Jun 2018 21:40:48 GMT):
thx @nacerix I thought I already read the docs on MSP but that page had exactly what I needed to know

Zihong (Thu, 14 Jun 2018 01:08:12 GMT):
Has joined the channel.

pauljithink (Thu, 14 Jun 2018 01:41:53 GMT):
Has joined the channel.

GowriR (Thu, 14 Jun 2018 06:08:34 GMT):
Has joined the channel.

anishman (Thu, 14 Jun 2018 06:29:41 GMT):
hello everyone, I wanted to know if there is some restriction that 1 peer of 1 org (for eg: peer0.org1.example.com) can only have a maximum of 1 admin user? Even if I change the value of "users" of an org to a value greater than 1 in the crypto-config.yaml file, only one of them is created as admin (the rest are created as "user1", "user2"....onwards). I wanted to create two separate admin users (1 for creating/joining the channel) and 1 for (installing/instantiating the chaincode). I tried creating a user of type "admin" using the fabric ca (node sdk version) by passing the attribute < registerUser.role = "admin"; > , but when I tried to install the chaincode using that particular user, it is giving me the following error. --------------------------------- - Installing chaincode cc.v1 on peers : peer0.org1.example.com:7051 info: [packager/Golang.js]: packaging GOLANG from cc_common error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: chaincode error (status: 500, message: Authorization for INSTALL has been denied (error-Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin])) at /home/ubuntu/fabric/node_modules/grpc/src/node/src/client.js:434:17 ---------------------------------

Saachi (Thu, 14 Jun 2018 06:52:57 GMT):
Hello, I want to use ABAC in the fabcar sample. I have imported the required library in the chaincode. But I am unable to GetAttributeValue or use any other API. It returns with error "The client identity does not possess the attribute". I registered my user by : return fabric_ca_client.register({enrollmentID: 'user1', affiliation: 'org1.department1',role: 'client' ,attrs : [{name: 'canquery', value:'true:ecert'}]}, admin_user);

titoe (Thu, 14 Jun 2018 07:26:49 GMT):
Has joined the channel.

indira.kalagara (Thu, 14 Jun 2018 12:21:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EQDDWfHKnTtR6JkWc) @aambati where do we have the user's wallet in this configuration? Can each user have a separate wallet and have access only for him/her? My understanding is that the enrolment certs / keys are stored in the KeyStore (or let's say database) from where the application is accessing them. I think it is possible that the Org which is hosting the application can manipulate and get access to certs and submit the transactions on behalf of users. How to avoid such a scenario? Please clarify.

aambati (Thu, 14 Jun 2018 14:33:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vXh2dkm2ZFNvMoWtt) @inquiringtimes CA is issuer of certs to identities..these certs are then populated in the MSP repo (a well defined directory structure), which are used by peer, orderer to validate transactions...CA has no involvement in TX flow

aambati (Thu, 14 Jun 2018 14:34:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZxRdw6esbfhmptjuA) @0xSEGFAULT yes

aambati (Thu, 14 Jun 2018 14:49:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uHvaQXpK9koBTFkgh) @anishman role is just an attribute and can be used to make access control decisions in the chaincode...but to make a user an admin that has create/join channel capability, his/her cert should be specified in the consortiums.groups..groups..values.MSP.value.config.admins property of the orderer system channel (testchannelid) configuration. to give the user installing chaincode capability, cert should be added to the admincerts folder of the local MSP (which is on peer filesystem)...if this user needs to do channel actions like updating channel config or instantiating chaincode add the cert to the consortiums.groups..groups..values.MSP.value.config.admins property in the channel configuration

aambati (Thu, 14 Jun 2018 14:51:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GLeqs9S3qPYWuov6i) @Saachi Are you trying to get value of canquery attribute? You can also see the cert using openssl to make sure canquery attribute is indeed in the certificate

ajdav (Thu, 14 Jun 2018 15:06:23 GMT):
@aambati Hi again - So on the subject of MSPs again. So (and please correct me if I'm wrong, which is very possible) network MSPs define all the members in the network/blockchain and define administration authorization. 1, how is administration authorized? is it specified through identities and X.509s? 2, if an identity is defined in the network MSP would they also be listed as verified identities in peer or orderer MSPs?

mastersingh24 (Thu, 14 Jun 2018 15:19:20 GMT):
@ajdav - Let's take this from the perspective of a channel: 1) channels have members ... we call those organizations 2) the definition of each organization in a channel includes their MSP definition / configuration 3) currently only X509 MSPs are supported 4) The MSP definition for an organization includes: - the root / intermediate CAs which will issue signing certificates for the organization - the root / intermediate CAs which will issue TLS (client and server) certificates for the organization - administrator certificates - explicit X509 certificates issued by the root/intermediates CAs for the organization. If the role "ORG.ADMIN" is used, the certificate used to sign an endorsement request and/or transaction is explicitly checked against these certificates Network nodes (peers, orderers, clients) each also have a local MSP. These MSPs actually contain the identity (private key and public X509 cert) used to identify the node and used by the node to sign endorsement requests / responses, etc. In the case of peer, the admincerts are also used to determine who has administrative access to the peer to do things such as install chaincode

ajdav (Thu, 14 Jun 2018 15:25:53 GMT):
@mastersingh24 this is super helpful! My next question would be, when adding or updating membership, how would that work? is there a place you have to "register" identities/X509s or does simply having an X509 issued by the accepted CAs gain you membership?

paulananth (Thu, 14 Jun 2018 16:21:46 GMT):
Has joined the channel.

smithbk (Thu, 14 Jun 2018 16:33:52 GMT):
@ajdav Members of an org can be managed via fabric CA ... see `fabric-ca-client identity -h`. Membership of a channel (i.e. adding a new org) depends on the channel's policy. For example, it could require that an admin from each org grant approval, or the policy could allow a specific org to add another org, or some combination.

inquiringtimes (Thu, 14 Jun 2018 17:38:39 GMT):
Thanks @aambati

bourbonkidQ (Thu, 14 Jun 2018 20:50:29 GMT):
Let's imagine that certificates on my network are about to expire ... how does certificate renewal work with crypto-gen? Once you have generated the new ones, what should I do?

yacovm (Thu, 14 Jun 2018 21:02:05 GMT):
@bourbonkidQ - there is a command called `extend` in `cryptogen`

yacovm (Thu, 14 Jun 2018 21:02:36 GMT):
you can just perhaps delete the existing certificate(s) from the file system and run it and it should regenerate them

yacovm (Thu, 14 Jun 2018 21:02:42 GMT):
but please back up the certificates before you do ;)

bourbonkidQ (Thu, 14 Jun 2018 21:03:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=i3qJrwxznRLr8oHGD) @yacovm why should I back up the certificate ?

yacovm (Thu, 14 Jun 2018 21:03:59 GMT):
what if what i told you is wrong?

yacovm (Thu, 14 Jun 2018 21:04:09 GMT):
i mean back up whatever you delete...

yacovm (Thu, 14 Jun 2018 21:04:33 GMT):
and i meant also the private keys of the certificates of course

bourbonkidQ (Thu, 14 Jun 2018 21:04:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JbkS44Ro6nzmRHjqT) @yacovm So, i must stop the network and restart each element (orderer, peer etc ...) ?

yacovm (Thu, 14 Jun 2018 21:05:07 GMT):
ah...

yacovm (Thu, 14 Jun 2018 21:05:16 GMT):
so to replace the private key and certificate of a node

yacovm (Thu, 14 Jun 2018 21:05:22 GMT):
you need to restart it

yacovm (Thu, 14 Jun 2018 21:05:41 GMT):
in the future we might add an option to do it while it's online

yacovm (Thu, 14 Jun 2018 21:06:33 GMT):
also note that if you replace a peer's certificate, the other peers might complain for a while in the logs

yacovm (Thu, 14 Jun 2018 21:06:46 GMT):
but eventually they'll become the new peer's friends

bourbonkidQ (Thu, 14 Jun 2018 21:10:28 GMT):
It's a bit heavy, this certificate renewal. Because I also have to reinstall and instantiate my chaincodes with the new cert too?

bourbonkidQ (Thu, 14 Jun 2018 21:10:49 GMT):
:cold_sweat:

bourbonkidQ (Thu, 14 Jun 2018 21:12:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cBGQQJwxY9vaKj8Ju) @yacovm If I replace the old cert by new cert from crypto-gen i think they are not going to be friends because the Authority key of the certificate will be different

yacovm (Thu, 14 Jun 2018 21:13:01 GMT):
no...

yacovm (Thu, 14 Jun 2018 21:13:08 GMT):
why is it heavy?

yacovm (Thu, 14 Jun 2018 21:13:12 GMT):
shutdown the peer

yacovm (Thu, 14 Jun 2018 21:13:14 GMT):
replace the files

yacovm (Thu, 14 Jun 2018 21:13:16 GMT):
start it again

yacovm (Thu, 14 Jun 2018 21:13:17 GMT):
that's it

yacovm (Thu, 14 Jun 2018 21:13:50 GMT):
> If a replace the old cert by new cert from crypto-gen i think they are not going to be friends because the Authority key of the certificate will be different So I'm telling you that `cryptogen extend` preserves the old verification chain!

yacovm (Thu, 14 Jun 2018 21:14:05 GMT):
it won't generate the CA certificate(s) if their folders already exist....

yacovm (Thu, 14 Jun 2018 21:14:15 GMT):
do some experiments, ok?

yacovm (Thu, 14 Jun 2018 21:14:24 GMT):
generate a crypto-config

yacovm (Thu, 14 Jun 2018 21:14:28 GMT):
then delete a peer folder

yacovm (Thu, 14 Jun 2018 21:14:36 GMT):
and run `cryptogen extend`

bourbonkidQ (Thu, 14 Jun 2018 21:14:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Kf9dzN72x4pJZXMoB) @yacovm ooh ok i will test thanks

yacovm (Thu, 14 Jun 2018 21:14:55 GMT):
obviously if you replace the CA certificates

yacovm (Thu, 14 Jun 2018 21:14:58 GMT):
it will be a nightmare

bourbonkidQ (Thu, 14 Jun 2018 21:15:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zNzgdeSuzkwbbf2Lp) @yacovm no, my certs are backed up

bourbonkidQ (Thu, 14 Jun 2018 21:16:10 GMT):
thanks @yacovm

mogamboizer (Fri, 15 Jun 2018 03:20:15 GMT):
*How and where is symmetric and asymmetric encryption used in Fabric operations? Thank you.*

migrenaa (Fri, 15 Jun 2018 09:21:38 GMT):
Is there a way to customize Fabric CA server to store encrypted with password (symmetric algorithm) in the server ?

aambati (Fri, 15 Jun 2018 15:05:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Tq5ve3z77JsgeF2n2) @migrenaa i don't understand your question, are you asking if there is a way to configure CA server to store encrypted password? What password? Can you pls elaborate?

migrenaa (Fri, 15 Jun 2018 15:30:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LYNCkiLSAeisCxbor) @aambati I want to configure Fabric CA to store the keys and certificates encrypted with password. I don't want them to be stored as plain text. I am not sure if I just have to modify fabric ca SDK..

aambati (Fri, 15 Jun 2018 15:53:41 GMT):
oh, Fabric CA uses BCCSP , which can be extended to store keys/certs the way you want

aambati (Fri, 15 Jun 2018 15:54:18 GMT):
https://github.com/hyperledger/fabric/tree/master/bccsp

migrenaa (Fri, 15 Jun 2018 16:05:00 GMT):
@aambati thanks I will check it :)

aambati (Fri, 15 Jun 2018 17:38:16 GMT):
specifically, implement this interface: https://github.com/hyperledger/fabric/blob/release-1.1/bccsp/bccsp.go#L100, https://github.com/hyperledger/fabric/blob/release-1.1/bccsp/factory/pkcs11.go#L107

aambati (Fri, 15 Jun 2018 18:41:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pyD7g8HxSLwjYS2NF) @indira.kalagara i think each user is responsible for storing credentials securely. Applications don't need to access users' credentials once they are issued. Users could log in to the application using some mechanism (two factor authentication for example) and then submit transactions using their key/cert. Ultimately, it depends on the requirements...it is also conceivable that an application is managing users' credentials and using them to sign the transactions on behalf of the users

IgorSim (Sat, 16 Jun 2018 15:22:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YgFmMrwaYgevbkuEz) @aambati In orderer logs i see the following: [msp] SatisfiesPrincipal -> DEBU 95d^[[0m Checking if identity satisfies MEMBER role for xxxxx [msp] Validate -> DEBU 95e^[[0m MSP xxxx validating identity [cauthdsl] func2 -> DEBU 95f^[[0m 0xc420e3a048 principal matched by identity 0 [msp/identity] Verify -> DEBU 960^[[0m Verify: digest = 00000000 2f 16 7d 67 04 8c 00... ..... UTC [msp/identity] Verify -> DEBU 961^[[0m Verify: sig = 00000000 30 45 02 21... ..... UTC [cauthdsl] func2 -> DEBU 962^[[0m 0xc420e3a048 signature for identity 0 is invalid: The signature is invalid UTC [cauthdsl] func2 -> DEBU 963^[[0m 0xc420e3a048 principal evaluation fails UTC [cauthdsl] func1 -> DEBU 964^[[0m 0xc420e3a048 gate 1529142145627170591 evaluation fails UTC [policies] Evaluate -> DEBU 965^[[0m Signature set did not satisfy policy /Channel/Application/xxxx/Writers UTC [policies] Evaluate -> DEBU 966^[[0m == Done Evaluating *cauthdsl.policy Policy /Channel/Application/xxxx/Writers So, it basically means this ORG user doesn't have write policy, right?

jdpond (Sat, 16 Jun 2018 19:06:26 GMT):
Has joined the channel.

mogamboizer (Sat, 16 Jun 2018 20:00:00 GMT):
Hi - Fabric CA can be clustered. This could be a cluster of root servers only? If there is a intermediate fabric ca cluster and one root server where should the location of the root server be in a HA/DR setup? What would be the role of HSM in this?

migrenaa (Mon, 18 Jun 2018 07:27:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LDxcgDRnFFYTYdfz6) @aambati Hello again. How can I extend bccsp? If I change the implementation of bccsp, how can I plug my implementation into fabric CA? I was looking for documentation but I cannot find anything. And how can I pass the password used for encryption to KeyGen (the method which generates the keys)?

Saachi (Mon, 18 Jun 2018 10:37:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ionSeagfFnZK7S2T9) @aambati Yes, I am trying to get the value of the canquery attribute in fabcar. It is not present in the ecert. I registered my user by: `return fabric_ca_client.register({enrollmentID: 'user1', affiliation: 'org1.department1', role: 'client', attrs: [{name: 'canquery', value: 'true:ecert'}]}, admin_user);`

aambati (Mon, 18 Jun 2018 13:31:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zGeKMZudsamoCxovY) @IgorSim yes

aambati (Mon, 18 Jun 2018 13:37:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NwZsxxGMTvw3Rk7JL) @mogamboizer it can be a cluster of root or intermediate CA servers... the location of the root server would be specified either on the command line or in the config file... (also note that each cluster member can host multiple CAs, where each CA on all members should share one database and config file). Using an HSM to store keys is a little tricky... either you need to use a network HSM so all cluster members use one HSM, or they use different HSMs but exchange their certs, so a cert issued by one member can be verified by another member

aambati (Mon, 18 Jun 2018 13:50:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Pq6P3dRZ9hfCuqFmb) @migrenaa if you think your extension would be helpful for others then submit it as a change set, the community will review and accept it, OR you would need to build the CA with your extension and create a docker container using it... your extension can be a plugin as well

aambati (Mon, 18 Jun 2018 14:03:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QnKs9qQTTSts2C9Tf) @Saachi what error do you get when trying to get the value? assuming you are getting the value in the chaincode?

Saachi (Mon, 18 Jun 2018 16:17:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yr8vqBXF6QGdMzkyu) @aambati I am not getting the value anywhere. I am getting the following error: error from query = { Error: 2 UNKNOWN: chaincode error (status: 500, message: Attribute 'canquery' was not found)

Saachi (Mon, 18 Jun 2018 16:58:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yr8vqBXF6QGdMzkyu) @aambati By using openssl x509 -in -text I am getting the following : usage: x509 args -inform arg - input format - default PEM (one of DER, NET or PEM) -outform arg - output format - default PEM (one of DER, NET or PEM) -keyform arg - private key format - default PEM -CAform arg - CA format - default PEM -CAkeyform arg - CA key format - default PEM -in arg - input file - default stdin -out arg - output file - default stdout -passin arg - private key password source -serial - print serial number value -subject_hash - print subject hash value -subject_hash_old - print old-style (MD5) subject hash value -issuer_hash - print issuer hash value -issuer_hash_old - print old-style (MD5) issuer hash value -hash - synonym for -subject_hash -subject - print subject DN -issuer - print issuer DN -email - print email address(es) -startdate - notBefore field -enddate - notAfter field -purpose - print out certificate purposes -dates - both Before and After dates -modulus - print the RSA key modulus -pubkey - output the public key -fingerprint - print the certificate fingerprint -alias - output certificate alias -noout - no certificate output -ocspid - print OCSP hash values for the subject name and public key -ocsp_uri - print OCSP Responder URL(s) -trustout - output a "trusted" certificate -clrtrust - clear all trusted purposes -clrreject - clear all rejected purposes -addtrust arg - trust certificate for a given purpose -addreject arg - reject certificate for a given purpose -setalias arg - set certificate alias -days arg - How long till expiry of a signed certificate - def 30 days -checkend arg - check whether the cert expires in the next arg seconds exit 1 if so, 0 if not -signkey arg - self sign cert with arg -x509toreq - output a certification request object -req - input is a certificate request, sign and output. -CA arg - set the CA certificate, must be PEM format. 
-CAkey arg - set the CA key, must be PEM format missing, it is assumed to be in the CA file. -CAcreateserial - create serial number file if it does not exist -CAserial arg - serial file -set_serial - serial number to use -text - print the certificate in text form -C - print out C code forms -md2/-md5/-sha1/-mdc2 - digest to use -extfile - configuration file with X509V3 extensions to add -extensions - section from config file with X509V3 extensions to add -clrext - delete extensions before signing and input certificate -nameopt arg - various certificate name options -engine e - use engine e, possibly a hardware device. -certopt arg - various certificate text options -checkhost host - check certificate matches "host" -checkemail email - check certificate matches "email" -checkip ipaddr - check certificate matches "ipaddr"

skarim (Mon, 18 Jun 2018 17:59:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9rzabFz7wgmyY2Nqf) @Saachi Try the following command to display your certificate: `openssl x509 -noout -text -in `

Saachi (Tue, 19 Jun 2018 05:54:43 GMT):
@skarim I am getting the following: unable to load certificate 140703257708184:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE

Saachi (Tue, 19 Jun 2018 06:28:47 GMT):
@skarim @aambati
```
read EC key
Private-Key: (256 bit)
priv:
    1b:66:c6:5e:4d:77:7f:e6:93:06:df:9f:8e:d1:fc:
    e9:ce:7d:4a:bf:f7:59:9d:06:1b:1c:63:25:6d:e9:
    f6:fb
pub:
    04:e6:3e:78:ca:e9:8b:21:0d:33:79:95:27:5d:fd:
    7f:0c:e7:59:59:5e:9f:b2:4b:b8:0e:e9:e1:aa:b2:
    73:e8:cf:2b:71:d6:6a:e1:6e:cb:71:bd:db:2f:08:
    e1:6c:dd:7c:92:07:58:b3:91:08:20:c6:d7:16:1f:
    c6:33:fb:12:85
ASN1 OID: prime256v1
NIST CURVE: P-256
writing EC key
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIBtmxl5Nd3/mkwbfn47R/OnOfUq/91mdBhscYyVt6fb7oAoGCCqGSM49
AwEHoUQDQgAE5j54yumLIQ0zeZUnXf1/DOdZWV6fsku4DunhqrJz6M8rcdZq4W7L
cb3bLwjhbN18kgdYs5EIIMbXFh/GM/sShQ==
-----END EC PRIVATE KEY-----
```
This is the user's private key (in hfc-key-store). The attributes are not present here. I registered my user using `return fabric_ca_client.register({enrollmentID: 'user7', affiliation: 'org1.department1', role: 'client', attr_reqs: [{name: "canquery", value: "true", ecert: true}]}, admin_user);`

IgorSim (Tue, 19 Jun 2018 07:22:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fdaE5H9HMikqtM5JP) @aambati thanks, I fetched the most recent config block and translated it to json; the writers policy for the org looks like this: "Writers": { "mod_policy": "Admins", "policy": { "type": 1, "value": { "identities": [{ "principal": { "msp_identifier": "xxxMSP", "role": "MEMBER" }, "principal_classification": "ROLE" }], "rule": { "n_out_of": { "n": 1, "rules": [{ "signed_by": 0 }] } If I understand right, it means any identity that is a MEMBER of the ORG should have write policy. Btw, what does 'MEMBER' mean? Does it mean his/her crypto is generated by the CA of that ORG?

Unni_1994 (Tue, 19 Jun 2018 08:34:51 GMT):
Hi all, how can I configure a root ca for fabric?

athul7744 (Tue, 19 Jun 2018 09:46:41 GMT):
Has joined the channel.

athul7744 (Tue, 19 Jun 2018 09:51:10 GMT):
How do I make fabric-ca generate certificates with custom attributes? For instance, I want to add a key "Type" which can have the values "Employee" or "Employer". How would I do that?

sgiessmann (Tue, 19 Jun 2018 12:16:08 GMT):
Has joined the channel.

skarim (Tue, 19 Jun 2018 13:53:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7P3eb8CZjuY67DKtJ) @Saachi The attributes won't be in the key, they are going to be part of the certificate. You want to inspect the certificate to see if the attributes are there

skarim (Tue, 19 Jun 2018 13:56:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DWZmFPxuzfzs4GjiA) @athul7744 The following documentation should guide you on how to do this. https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#attribute-based-access-control

athul7744 (Tue, 19 Jun 2018 14:22:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wAy373SnhGzDAwuGW) @skarim Thanks. I'll check it out.

aambati (Tue, 19 Jun 2018 14:40:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xf2kacJoACmKdw52j) @Unni_1994 Have you looked at the user guide: http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#table-of-contents

aambati (Tue, 19 Jun 2018 14:45:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DWZmFPxuzfzs4GjiA) @athul7744 First, the registrar needs to assign the custom attribute and value to the user, and the user needs to enroll to get a certificate with that attribute... Pls see http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#attribute-based-access-control

XingqiangMao (Tue, 19 Jun 2018 19:13:17 GMT):
Hi guys. I was using cryptogen to generate certificates and keep getting the following when I try to start the orderer:
```
Error creating channelconfig bundle: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.example.com")
panic: Error creating channelconfig bundle: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.example.com")

goroutine 1 [running]:
github.com/hyperledger/fabric/vendor/github.com/op/go-logging.(*Logger).Panicf(0xc420228cc0, 0x1829565, 0x27, 0xc420307f30, 0x1, 0x1)
	/w/workspace/fabric-binaries-x86_64/gopath/src/github.com/hyperledger/fabric/vendor/github.com/op/go-logging/logger.go:194 +0x134
github.com/hyperledger/fabric/orderer/common/multichannel.(*Registrar).newLedgerResources(0xc42020a310, 0xc420190840, 0xc420190840)
	/w/workspace/fabric-binaries-x86_64/gopath/src/github.com/hyperledger/fabric/orderer/common/multichannel/registrar.go:253 +0x391
github.com/hyperledger/fabric/orderer/common/multichannel.NewRegistrar(0x1c5a4e0, 0xc4201682a0, 0xc420150cf0, 0x1c56ee0, 0x1cc44d8, 0xc4201666e8, 0x1, 0x1, 0x0)
	/w/workspace/fabric-binaries-x86_64/gopath/src/github.com/hyperledger/fabric/orderer/common/multichannel/registrar.go:144 +0x352
github.com/hyperledger/fabric/orderer/common/server.initializeMultichannelRegistrar(0xc42029a780, 0x1c56ee0, 0x1cc44d8, 0xc4201666e8, 0x1, 0x1, 0xc4204000d0)
	/w/workspace/fabric-binaries-x86_64/gopath/src/github.com/hyperledger/fabric/orderer/common/server/main.go:262 +0x277
github.com/hyperledger/fabric/orderer/common/server.Start(0x180e972, 0x5, 0xc42029a780)
	/w/workspace/fabric-binaries-x86_64/gopath/src/github.com/hyperledger/fabric/orderer/common/server/main.go:103 +0x24c
github.com/hyperledger/fabric/orderer/common/server.Main()
	/w/workspace/fabric-binaries-x86_64/gopath/src/github.com/hyperledger/fabric/orderer/common/server/main.go:82 +0x20f
main.main()
	/w/workspace/fabric-binaries-x86_64/gopath/src/github.com/hyperledger/fabric/orderer/main.go:15 +0x20
```

nelaturuk (Tue, 19 Jun 2018 20:52:02 GMT):
Has joined the channel.

athul7744 (Wed, 20 Jun 2018 04:23:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=375q6XQZaG3QKyN7Y) @aambati Thank you. I'll check it out.

Saachi (Wed, 20 Jun 2018 05:40:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CAmXQh2bpLbkAumjM) @skarim Are you referring to the certificate in hfc-key-store? I am unable to read that certificate. Can you please help me?

Saachi (Wed, 20 Jun 2018 09:12:45 GMT):
How can I delete a user in the fabcar sample?

st (Wed, 20 Jun 2018 11:45:05 GMT):
Has joined the channel.

st (Wed, 20 Jun 2018 11:48:01 GMT):
Has left the channel.

skarim (Wed, 20 Jun 2018 14:07:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NYhzLKPA7kfxcriTa) @Saachi Are you getting the same usage error message as before when reading the certificate? if so, did you try the command I posted earlier? Is the certificate PEM encoded? If you open up the certificate file in a text editor what do you see?

skarim (Wed, 20 Jun 2018 14:10:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QBkkvDd38sfhpaJx6) @Saachi The fabric ca client in Node has an API that can delete users. https://github.com/hyperledger/fabric-sdk-node/blob/release-1.1/test/integration/fabric-ca-identity-service-tests.js#L83

paul.sitoh (Wed, 20 Jun 2018 15:26:59 GMT):
Folks how do you override the affiliation via cli -- i.e. `fabric-ca-server` on startup?

skarim (Wed, 20 Jun 2018 18:09:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nmf9yvzvb8Y4awWh4) @paul.sitoh You can't override the affiliations on startup, but once you have the server running you can use the affiliation command on the fabric ca client to add/remove affiliations. See doc: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#dynamically-updating-affiliations

Katie_Wei (Wed, 20 Jun 2018 18:41:03 GMT):
Has joined the channel.

XingqiangMao (Wed, 20 Jun 2018 21:07:10 GMT):
2018-06-20 17:02:32.090 EDT [orderer/commmon/multichannel] newLedgerResources -> CRIT 051 Error creating channelconfig bundle: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.example.com") panic: Error creating channelconfig bundle: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.example.com")

XingqiangMao (Wed, 20 Jun 2018 21:07:27 GMT):
It keeps blocking me when I bring up the orderer on my local machine

XingqiangMao (Wed, 20 Jun 2018 21:07:43 GMT):
Folks, anyone can help me out?

Saachi (Thu, 21 Jun 2018 06:05:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=drQrcRkj53Pp6SxpP) @skarim Yes, using your command (`openssl x509 -noout -text -in /home/parikshit/demo/fabric-samples/fabcar/hfc-key-store/user2`) I am getting the following error: unable to load certificate 140199054952088:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE. In a text editor it looks like this:
```
{"name":"user2","mspid":"Org1MSP","roles":null,"affiliation":"","enrollmentSecret":"","enrollment":{"signingIdentity":"e1c8e42ac8e80fbf3872db8ad968c9cdca47d1632abdec13752b0673da0f3777","identity":{"certificate":"-----BEGIN CERTIFICATE-----\nMIICjzCCAjWgAwIBAgIUZwcbYNUqaGaQN9+6ZH/vdl2AhVYwCgYIKoZIzj0EAwIw\nczELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh\nbiBGcmFuY2lzY28xGTAXBgNVBAoTEG9yZzEuZXhhbXBsZS5jb20xHDAaBgNVBAMT\nE2NhLm9yZzEuZXhhbXBsZS5jb20wHhcNMTgwNjIxMDUxNDAwWhcNMTkwNjIxMDUx\nOTAwWjBCMTAwDQYDVQQLEwZjbGllbnQwCwYDVQQLEwRvcmcxMBIGA1UECxMLZGVw\nYXJ0bWVudDExDjAMBgNVBAMTBXVzZXIyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\nQgAEbRzhfqs287FPTWXgNed6w1Qb3XGT71+I4U8aw8te0z9BM8vAZpOI747Kjhjg\n6bzB+jY4P4cDeIqDSd1zeEZLzKOB1zCB1DAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0T\nAQH/BAIwADAdBgNVHQ4EFgQU7Vi6WeemXG0pOjk6bQHZhRXEKHQwKwYDVR0jBCQw\nIoAgQjmqDc122u64ugzacBhR0UUE0xqtGy3d26xqVzZeSXwwaAYIKgMEBQYHCAEE\nXHsiYXR0cnMiOnsiaGYuQWZmaWxpYXRpb24iOiJvcmcxLmRlcGFydG1lbnQxIiwi\naGYuRW5yb2xsbWVudElEIjoidXNlcjIiLCJoZi5UeXBlIjoiY2xpZW50In19MAoG\nCCqGSM49BAMCA0gAMEUCIQD48gtLJuJVRuV7nZ9ohLON9Q2wxuDwmCDMPhnoTgpw\n7gIgE3Y/Vd4koIFd1DxozaLQfvmcgdrxk5bV44Xlr5bP5gc=\n-----END CERTIFICATE-----\n"}}}
```

Saachi (Thu, 21 Jun 2018 06:13:46 GMT):
@skarim My deleteuser.js looks like:
```
var Fabric_Client = require('fabric-client');
var Fabric_CA_Client = require('fabric-ca-client');
var path = require('path');
var util = require('util');
var os = require('os');

var fabric_client = new Fabric_Client();
var fabric_ca_client = null;
var admin_user = null;
var member_user = null;
var store_path = path.join(__dirname, 'hfc-key-store');
console.log(' Store path:' + store_path);

// create the key value store as defined in the fabric-client/config/default.json 'key-value-store' setting
Fabric_Client.newDefaultKeyValueStore({ path: store_path
}).then((state_store) => {
    // assign the store to the fabric client
    fabric_client.setStateStore(state_store);
    var crypto_suite = Fabric_Client.newCryptoSuite();
    // use the same location for the state store (where the users' certificate are kept)
    // and the crypto store (where the users' keys are kept)
    var crypto_store = Fabric_Client.newCryptoKeyStore({ path: store_path });
    crypto_suite.setCryptoKeyStore(crypto_store);
    fabric_client.setCryptoSuite(crypto_suite);
    var tlsOptions = {
        trustedRoots: [],
        verify: false
    };
    // be sure to change the http to https when the CA is running TLS enabled
    fabric_ca_client = new Fabric_CA_Client('http://localhost:7054', null, '', crypto_suite);

    // first check to see if the admin is already enrolled
    return fabric_client.getUserContext('admin', true);
}).then((user_from_store) => {
    if (user_from_store && user_from_store.isEnrolled()) {
        console.log('Successfully loaded admin from persistence');
        admin_user = user_from_store;
    } else {
        throw new Error('Failed to get admin.... run enrollAdmin.js');
    }
    // use the enrolled admin as the registrar for the delete request
    return fabric_ca_client.delete({ enrollmentID: 'user2' }, admin_user);
}).then((resp) => {
    console.log('Successfully deleted user2 ');
}).catch((err) => {
    console.error('Failed to delete: ' + err);
    if (err.toString().indexOf('Authorization') > -1) {
        console.error('Authorization failures may be caused by having admin credentials from a previous CA instance.\n' +
            'Try again after deleting the contents of the store directory ' + store_path);
    }
});
```
It gives the error: fabric_ca_client.delete is not a function

paul.sitoh (Thu, 21 Jun 2018 06:51:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PaAqAGDTrCMrYFYSy) @skarim Can you do it via SDKs?

javrevasandeep (Thu, 21 Jun 2018 06:53:03 GMT):
I am using fabric-ca in fabric-samples. Unfortunately, due to some reason, all of my containers running on different machines got stopped. Is there any way to restore all of the network state?

javrevasandeep (Thu, 21 Jun 2018 07:33:49 GMT):
@skarim can you please help me out. Actually I am running the fabric-ca example in fabric-samples on 20 Azure servers, with each service (peers, orderers) running on a different machine. Now recently all of the services got stopped. That means all of the peer, orderer and ica containers, each running on a different machine, got stopped. Below are the steps that I followed.
1. I restarted the ica-org0, ica-org1, ica-org2 containers, which created new org0-ca-chain, org1-ca-chain and org2-ca-chain certificates.
2. Then I copied those certificates to the peer and orderer machines and restarted the containers. However, while doing so I restarted all of the peers but mistakenly recreated the container for peer1-org1 instead of restarting it.
3. Now all of the other containers except peer1-org1 are restarted, but all of these peers are looking for peer1-org1 to communicate, which is newly created with the new org1-ca-chain certificate.
4. When I checked the peer1-org1 log, I found the messages below:
```
[gossip/comm] authenticateRemotePeer -> WARN 1d4 Identity store rejected 10.64.37.229:49692 : failed classifying identity: Unable to extract msp.Identity from peer Identity
[gossip/comm] GossipStream -> ERRO 1d5 Authentication failed: failed classifying identity: Unable to extract msp.Identity from peer Identity
```
5. Also, when I checked peer1-org2, which is running on 10.64.37.229, I found the messages below:
```
[gossip/comm] sendToEndpoint -> WARN 18e8 Failed obtaining connection for peer1-org1:7051, PKIid:[130 169 200 147 151 98 112 245 155 234 176 88 178 195 88 136 118 154 94 91 90 37 108 90 11 182 83 100 124 97 165 32] reason: Authentication failure
2018-06-21 00:00:12.581 UTC [gossip/comm] createConnection -> WARN 18e9 Remote endpoint claims to be a different peer, expected [130 169 200 147 151 98 112 245 155 234 176 88 178 195 88 136 118 154 94 91 90 37 108 90 11 182 83 100 124 97 165 32] but got [163 170 196 200 27 103 168 165 139 214 157 20 189 220 36 72 37 81 44 18 9 226 194 227 210 149 141 128 30 214 113 200]
```
6. Now I want to have peer1-org1 running as it was before it got stopped. How do I resolve this issue?

Sreesha (Thu, 21 Jun 2018 09:25:30 GMT):
I am trying to run ./build-images.sh (Hyperledger/fabric-ca/)

Sreesha (Thu, 21 Jun 2018 09:26:05 GMT):
But it's showing an error:

Sreesha (Thu, 21 Jun 2018 09:26:17 GMT):
2018-06-21 14:54:00 FATAL: You must switch to the master branch in /home/1114473/go/src/github.com/hyperledger/fabric-ca

Sreesha (Thu, 21 Jun 2018 09:27:01 GMT):
I am trying to run ./build-images.sh

Sreesha (Thu, 21 Jun 2018 09:27:39 GMT):
this file is inside hyperledger/fabric-samples/fabric-ca

Sreesha (Thu, 21 Jun 2018 09:27:48 GMT):
But it's showing an error:

Sreesha (Thu, 21 Jun 2018 09:28:18 GMT):
FATAL: You must switch to the master branch in go/src/github.com/hyperledger/fabric-ca

javrevasandeep (Thu, 21 Jun 2018 10:24:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cpxz5jfnQJrjvZjth) Hello everyone. Any update on the below issue?

javrevasandeep (Thu, 21 Jun 2018 11:30:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RubrRxhYukorwzvk2) @smithbk @aambati Could you please help me with the below given issue

skarim (Thu, 21 Jun 2018 13:51:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XsgXbZjJtWm6JCCWt) @paul.sitoh Yes, both Node and Java SDK support this

skarim (Thu, 21 Jun 2018 13:53:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=adR8KtxezySBNLCCX) @Saachi ah, that's the problem: the file you are trying to open is not actually a proper PEM encoded certificate file. Not sure why the Node SDK stores it in this format, but if you copy the text after "certificate" in that JSON into a separate file and then use the openssl command on this new file, I believe it should work.

skarim (Thu, 21 Jun 2018 13:57:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8vYMif5MYFbvNhgwA) @Saachi I don't see where you created the newIdentityService. You can only call delete on the identity service. Please take a look here: https://github.com/hyperledger/fabric-sdk-node/blob/release-1.1/test/integration/fabric-ca-identity-service-tests.js#L55

javrevasandeep (Thu, 21 Jun 2018 15:28:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BWQbshTMxXZePuTCC) @skarim @aambati @smithbk Could you please help me with the below given issue

skarim (Thu, 21 Jun 2018 15:32:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BWQbshTMxXZePuTCC) @javrevasandeep After you recreated peer1-org1 did you copy the chain certificates to peer1-org1 again?

javrevasandeep (Thu, 21 Jun 2018 15:33:17 GMT):
yes

javrevasandeep (Thu, 21 Jun 2018 15:33:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Q2ma3dzTGszRt6LFh) @skarim yes

aambati (Thu, 21 Jun 2018 15:39:00 GMT):
@javrevasandeep I think this error message `[gossip/comm] GossipStream -> ERRO 1d5 Authentication failed: failed classifying identity: Unable to extract msp.Identity from peer Identity` means that the MSP is not set up for the peer; specifically, no cert was found in the signcerts folder of the peer MSP... Please make sure that the peer's core.yaml is pointing to the msp directory that you set up, and that there is a cert for the peer in the signcerts folder and the corresponding key in the keystore

pyzhang (Thu, 21 Jun 2018 15:50:53 GMT):
Has joined the channel.

javrevasandeep (Thu, 21 Jun 2018 16:05:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Lqe9khwEdxLmXAgBq) @aambati I am able to see the signcerts and keystore folders present in /opt/gopath/src/github.com/hyperledger/fabric/peer/msp/ inside the peer1-org1 container

javrevasandeep (Thu, 21 Jun 2018 16:22:17 GMT):
@aambati @skarim I am using the fabric-ca example in fabric-samples. I reconfigured this example to run on multiple hosts. It was running fine until last week. This happened probably due to some security installation on our server machines: all of the containers running on different machines got stopped due to port blocking. Our security team has now resolved the port blocking issue, but I am still unable to restart the whole network again with the same state. I restarted ica-org0, ica-org1, ica-org2 and then restarted all of the peers and orderers with docker restart. However, by mistake I recreated the peer1-org1 container instead of just restarting it. Due to this, although the other peers and orderers are started up, all of them are looking for a peer1-org1 connection and throwing an authentication failure while trying to connect to peer1-org1. The same thing appears in the peer1-org1 container logs as well: it is trying to connect to the other peers but failing due to an authorization issue.

Saachi (Fri, 22 Jun 2018 06:10:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vaTjvwNAjwH75AiNR) @skarim Thanks a lot. It works now :)

nvxtien (Fri, 22 Jun 2018 11:25:06 GMT):
Has joined the channel.

Sreesha (Fri, 22 Jun 2018 11:58:22 GMT):
I am registering and enrolling peers and orderers via the fabric ca server instead of using cryptogen.

Sreesha (Fri, 22 Jun 2018 11:58:58 GMT):
But when I tried to register a peer under org3 it threw an error as shown below:

Sreesha (Fri, 22 Jun 2018 11:59:14 GMT):
Error Code: 63 - Failed to get Affiliation: sql: no rows in result set

Saachi (Fri, 22 Jun 2018 12:47:23 GMT):
In Fabric samples, how can we get the caller's id in chaincode? `id, err := cid.GetID(stub)` returns an id which is unique within the MSP, but I want to get the enrollment id in chaincode (example enrollment id: user1).

skarim (Fri, 22 Jun 2018 13:33:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4sNm6pBEYrFoPZXXH) @Saachi One way to pull the enrollment ID would be to use `cid.GetX509Certificate(stub)` and then, once you have the certificate object, you can get the common name, which is the enrollment ID.

mogamboizer (Fri, 22 Jun 2018 21:39:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=A64qmxW5xNoAcMe8G) @aambati Thank you.

Saachi (Sat, 23 Jun 2018 16:47:00 GMT):
@skarim Thanks, but I need your help in viewing the certificate as well.

Saachi (Sat, 23 Jun 2018 16:58:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wpMoSoq2ZNFim6mWu) @skarim This is not returning anything.

sureshtedla (Sat, 23 Jun 2018 23:27:07 GMT):
Has joined the channel.

sureshtedla (Sat, 23 Jun 2018 23:27:15 GMT):
Hii

Event (Sun, 24 Jun 2018 08:36:43 GMT):
Has joined the channel.

Event (Sun, 24 Jun 2018 08:36:54 GMT):
Hi, I am new to this chat and Hyperledger. Are there any coders and UI Developers interested to collaborate on an exciting project? I have entire business logic but need help with coding and making a functional UI, as first step. Any suggestions are most welcome. Thanks.

Jaline (Mon, 25 Jun 2018 02:58:26 GMT):
Has joined the channel.

Sreesha (Mon, 25 Jun 2018 06:15:48 GMT):
I have generated certs for orderer and peers using fabric-ca client. Can anyone help me on how to use these certs for creating byfn and deploying smart contracts?

sandman (Mon, 25 Jun 2018 09:43:24 GMT):
Has joined the channel.

sandman (Mon, 25 Jun 2018 09:44:03 GMT):
How to use the fabric-ca image to generate TLS certificates? Can someone please mention the relevant sections of fabric-ca-server-config.yaml and fabric-ca-client-config.yaml?

sandman (Mon, 25 Jun 2018 09:54:40 GMT):
can someone please mention relevant sections of fabric-ca-server-config.yaml and fabric-ca-client-config.yaml

skarim (Mon, 25 Jun 2018 13:57:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KAFPCuJ7dJtobBCXp) @sandman To generate TLS certificates on the server, all you have to do is set TLS enabled to true and it will generate the certificates for you. If you already have existing certificates you can specify them in the TLS section of the configuration file.
```
#############################################################################
#  TLS section for the server's listening port
#
#  The following types are supported for client authentication: NoClientCert,
#  RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven,
#  and RequireAndVerifyClientCert.
#
#  Certfiles is a list of root certificate authorities that the server uses
#  when verifying client certificates.
#############################################################################
tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:
```

skarim (Mon, 25 Jun 2018 13:59:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QLfxCJNzCEeDekALh) @Saachi You might want to try the #fabric-sdk-node channel to see if they have guidance on viewing the certificate that its client returns. If you were using the fabric ca client CLI, the steps I had provided earlier should have worked.

RealDeanZhao (Tue, 26 Jun 2018 06:04:35 GMT):
Hi, what will happen if the admin/user cert and key files are lost?

RealDeanZhao (Tue, 26 Jun 2018 06:05:33 GMT):
Is there any chance to generate a new admin/user from the ca and configure them in the blockchain?

Sreesha (Tue, 26 Jun 2018 06:43:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6ZK7WWqjXvdRAwKfZ) @skarim But while doing so I am getting a TLS handshake error: transport connection broken: malformed HTTP response

Sreesha (Tue, 26 Jun 2018 06:55:03 GMT):
But when I tried to enroll admin using https, the error was: Failed to get client TLS config: No TLS certificate files were provided

qsmen (Tue, 26 Jun 2018 08:54:09 GMT):
In the Fabric release docs, cryptogen is used to generate the MSP for Fabric, but it can't be used for production scenarios. If we use fabric-ca, does fabric-ca-client generate the key pair locally?

qsmen (Tue, 26 Jun 2018 08:54:20 GMT):
thank you

Saachi (Tue, 26 Jun 2018 11:03:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kHWDX5cchbzToxwEg) @skarim Thanks

lkchao78 (Tue, 26 Jun 2018 15:02:28 GMT):
Has joined the channel.

lkchao78 (Tue, 26 Jun 2018 15:08:19 GMT):
Hello, I'm having a hard time understanding how to generate crypto material with Fabric-CA. I was using cryptogen before but it's not the recommended way to do it. So far I can enroll users with the node SDK, but it's not really the same, is it?

skarim (Tue, 26 Jun 2018 17:17:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GqZYM76aCABSRJu63) @Sreesha You need to configure the TLS section for the client as well. You need to specify `certfiles` under the `tls` section. You should set this to the TLS certificate that was generated by the server. ``` ############################################################################# # TLS section for secure socket connection # # certfiles - PEM-encoded list of trusted root certificate files # client: # certfile - PEM-encoded certificate file for when client authentication # is enabled on server # keyfile - PEM-encoded key file for when client authentication # is enabled on server ############################################################################# tls: # TLS section for secure socket connection certfiles: client: certfile: keyfile: ```

skarim (Tue, 26 Jun 2018 17:17:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=boJ72e67MxAe6WzYi) @qsmen Yes, the key pair is generated locally by client.

DavidPark (Tue, 26 Jun 2018 23:00:21 GMT):
Has joined the channel.

sureshtedla (Wed, 27 Jun 2018 02:17:06 GMT):
Hi

qsmen (Wed, 27 Jun 2018 03:40:59 GMT):
@lkchao78, sdk and cli both use fabric-ca

qsmen (Wed, 27 Jun 2018 03:44:43 GMT):
If someone could explain how to use fabric-ca to generate the network MSP, outputting the same result as cryptogen gives, that would be greatly appreciated.

qsmen (Wed, 27 Jun 2018 05:18:08 GMT):
thank you, Skarim

lkchao78 (Wed, 27 Jun 2018 07:35:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gxRKuyWyTvBopTGd8) @qsmen OK, because from the node SDK website, in the User class page, there is this sentence that confuses me: "Sometimes User identities are confused with Peer identities." So I guess enrollment is generating user identities, but then how about peer identities? What I would like to know is how I am supposed to create a node (orderer/peer) msp directory with fabric-ca (with node sdk if possible). Thanks

qsmen (Wed, 27 Jun 2018 07:55:48 GMT):
```
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: "cacerts/cacert.pem"
    OrganizationalUnitIdentifier: "client"
  PeerOUIdentifier:
    Certificate: "cacerts/cacert.pem"
    OrganizationalUnitIdentifier: "peer"
```

qsmen (Wed, 27 Jun 2018 07:58:58 GMT):
I am not sure how to enroll a user identity or peer identity, or how to judge whether what you enrolled is a peer identity or a user identity. I know something like organizational unit identity, that is, identity as an organizational unit?
```
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: "cacerts/cacert.pem"
    OrganizationalUnitIdentifier: "client"
  PeerOUIdentifier:
    Certificate: "cacerts/cacert.pem"
    OrganizationalUnitIdentifier: "peer"
```

qsmen (Wed, 27 Jun 2018 07:59:47 GMT):
I am new to this topic too

qsmen (Wed, 27 Jun 2018 08:10:54 GMT):
I am also asking about the question raised by lkchao78.

skarim (Wed, 27 Jun 2018 14:32:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mTr5oxCzJirn9cWDt) @qsmen With Fabric CA, you have to first register any identity that will require a certificate. Then, after registering, this identity can enroll to get a certificate. This certificate will be put in the home directory of the client, inside the msp folder there. You will have to do this for each identity that requires a certificate. Once you have all the MSPs, you will create the genesis block and channel tx that will be used to bootstrap your network. I would suggest reading the following docs: https://hyperledger-fabric.readthedocs.io/en/release-1.2/msp.html https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#fabric-ca-client

skarim (Wed, 27 Jun 2018 14:35:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xdrEqvqzTGhuaeWcd) @lkchao78 When you register an identity in Fabric CA, you can give a type to this identity, and this type can be peer or orderer. But you may also want to look at these sections; I think they answer your question. https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enrolling-a-peer-identity https://hyperledger-fabric.readthedocs.io/en/release-1.2/msp.html#identity-classification

qsmen (Thu, 28 Jun 2018 05:59:08 GMT):
Thank you, SKarim. Is the reason why cryptogen cannot be used for production scenarios that all private keys are plaintext and produced by the operator who runs cryptogen? Then, when we use fabric-ca client, is the private key protected by the user's password?

silencily (Thu, 28 Jun 2018 06:49:30 GMT):
Has joined the channel.

joaquimpedrooliveira (Thu, 28 Jun 2018 14:10:54 GMT):
Has joined the channel.

mondraymond (Thu, 28 Jun 2018 16:35:41 GMT):
Has joined the channel.

montana (Thu, 28 Jun 2018 19:34:48 GMT):
Has joined the channel.

montana (Thu, 28 Jun 2018 19:37:06 GMT):
Using fabric CA server and fabric-ca-client the private key of the client is never exposed to whoever is running the server. The client just sends a CSR to the server to get the ECERT or TLS cert

vagnerasilva (Thu, 28 Jun 2018 22:21:26 GMT):
Has joined the channel.

montana (Fri, 29 Jun 2018 00:32:27 GMT):
Question for you all, is there an issue with having the same Root CA for multiple organizations? Can the subject fields in the certificates be sufficient to use for identity verification?

BlockMcChainy (Fri, 29 Jun 2018 07:13:21 GMT):
Has joined the channel.

leofantast (Fri, 29 Jun 2018 09:30:42 GMT):
Has joined the channel.

AbidiBassem (Fri, 29 Jun 2018 11:09:47 GMT):
Has joined the channel.

Sreesha (Fri, 29 Jun 2018 11:41:28 GMT):
I have created 3 root CAs and their corresponding intermediate CAs

Sreesha (Fri, 29 Jun 2018 11:41:59 GMT):
now I am trying to add an admin using ica0

Sreesha (Fri, 29 Jun 2018 11:42:15 GMT):
I am getting an error like this

Sreesha (Fri, 29 Jun 2018 11:42:48 GMT):
Post https://182.18.0.5:7054/enroll: x509: cannot validate certificate for 182.18.0.5 because it doesn't contain any IP SANs

Sreesha (Fri, 29 Jun 2018 11:43:30 GMT):
here 182.18.0.5 is the IP of the container in which the ica server is running

KGiou (Fri, 29 Jun 2018 12:40:06 GMT):
image

hyperlearner (Fri, 29 Jun 2018 12:48:50 GMT):
Has joined the channel.

skarim (Fri, 29 Jun 2018 14:26:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HHhZAp3jKFKP2ctDF) @montana An MSP is per organization, and thus there is usually a CA per org. The main access control on a channel is an MSP. If you only have one CA, and thus one MSP, then all organizations will have access to all channels at all times because they will all be enrolling with the same CA. Having one root CA for multiple orgs will greatly limit the ability to restrict access to channels.

sureshtedla (Fri, 29 Jun 2018 14:43:38 GMT):
We don't need fabric-ca if we have fabric-dev-servers?

sureshtedla (Fri, 29 Jun 2018 14:43:50 GMT):
fabric-tools

mark.zhang (Sat, 30 Jun 2018 02:45:50 GMT):
Has joined the channel.

maksimfedin (Sat, 30 Jun 2018 12:13:29 GMT):
Has joined the channel.

athul7744 (Sun, 01 Jul 2018 18:22:04 GMT):
Post http://localhost:7054/enroll: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16" I'm getting this error while enrolling. Can someone help me in pointing out what it is?

sigma67 (Sun, 01 Jul 2018 19:49:05 GMT):
Has joined the channel.

Sreesha (Mon, 02 Jul 2018 06:49:08 GMT):
@athul7744 try https:

athul7744 (Mon, 02 Jul 2018 07:26:44 GMT):
okay, I'll try that :)

athul7744 (Mon, 02 Jul 2018 07:28:25 GMT):
That worked but I get a different error now. How will I generate the TLS certificates before enrolling?

athul7744 (Mon, 02 Jul 2018 07:32:52 GMT):
Error: Failed to get client TLS config: No TLS certificate files were provided

athul7744 (Mon, 02 Jul 2018 07:32:59 GMT):
This is the error I get

MohammadObaid (Mon, 02 Jul 2018 11:02:00 GMT):
Hey @smithbk, when I try to run `make fabric-ca-server` I am getting this error. Any clue to solve this?

MohammadObaid (Mon, 02 Jul 2018 11:02:13 GMT):

fabriccaservererror.png

smithbk (Mon, 02 Jul 2018 11:13:04 GMT):
@MohammadObaid Try upgrading to go 1.10

MohammadObaid (Mon, 02 Jul 2018 11:19:56 GMT):
Thanks :) Fixed after updating go version

firozmi (Mon, 02 Jul 2018 11:48:12 GMT):
Has joined the channel.

athul7744 (Mon, 02 Jul 2018 12:07:07 GMT):
`fabric-ca-client enroll -u https://admin:adminpw@localhost:7054`

athul7744 (Mon, 02 Jul 2018 12:07:40 GMT):
When I'm running this I get the error saying:

athul7744 (Mon, 02 Jul 2018 12:08:27 GMT):
*2018/07/02 17:36:29 [INFO] TLS Enabled* *Error: Failed to get client TLS config: No TLS certificate files were provided*

athul7744 (Mon, 02 Jul 2018 12:09:22 GMT):
How do I generate the TLS certificates before enrolling the administrator for the rootCA?

vijay5378 (Mon, 02 Jul 2018 12:27:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RzhSWivsbEG4ejN7u) @athul7744 Is your fabric-ca-server-config.yaml correct? The tls section should be:
```
tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:
```

vijay5378 (Mon, 02 Jul 2018 12:30:03 GMT):
In fabric-ca java sdk, when a call is made to client.info().getCACertificateChain();, does it return the properly encoded pem file? I double checked and the returned certificate lacks the start "BEGIN CERTIFICATE" and "END CERTIFICATE" portion. Is it left to the user to create a proper pem certificate?

LuigiRiva (Mon, 02 Jul 2018 14:15:58 GMT):
Has joined the channel.

skarim (Mon, 02 Jul 2018 14:18:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iX8w7oMohBHAhHenj) @vijay5378 Have you tried base64 decoding the chain to see if you get a properly formatted PEM file?

LuigiRiva (Mon, 02 Jul 2018 14:18:45 GMT):
Hi! Does anyone have some previous experience or information they can share on how to connect Hyperledger Indy with Fabric? The idea would be to have Indy DIDs as an IAM solution for Fabric. In my understanding there isn't any direct "integration"... but any workaround?

Maria (Mon, 02 Jul 2018 14:56:40 GMT):
Has joined the channel.

vijay5378 (Mon, 02 Jul 2018 17:29:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CwkztAptAsJif7Q3c) @skarim I will try that. However, currently I am trying by just appending the BEGIN CERTIFICATE and END CERTIFICATE strings.

vdods (Mon, 02 Jul 2018 23:21:30 GMT):
Hi all, I'm designing a web app frontend for my Fabric app, and I'm currently trying to figure out how to manage enrollment and private keys. Is it possible to enroll in a fabric-ca-server from web frontend (presumably just via the appropriate REST API calls)? Is there existing JS code to do so?

athul7744 (Tue, 03 Jul 2018 05:06:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RemertY85QWZiiz8k) @vijay5378 But I wanted to run it with TLS certificates. So I need to generate them externally

athul7744 (Tue, 03 Jul 2018 05:06:33 GMT):
using another rootCA just for tls enrollment maybe?

vijay5378 (Tue, 03 Jul 2018 05:22:18 GMT):
@athul7744 noclientcert still works on TLS; only the server doesn't request certificates from the client side. My bad. The config file can be:
```
tls:
  # Enable TLS (default: false)
  enabled: true
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:
```

athul7744 (Tue, 03 Jul 2018 06:23:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HgiEjKpbgLbjqyjYd) @vijay5378 Okay, I'll try this. Thanks

MohammadObaid (Tue, 03 Jul 2018 08:09:15 GMT):
Hey guys, I am following the tutorial to set up fabric-ca-server and client but I am stuck on one issue. When I try to enroll a user with fabric-client I am getting this error: `Error: Response from server: Error Code: 20 - Authorization failure`. I have checked that the sqlite db contains the admin entry but still I am getting this error. Below are screenshots

MohammadObaid (Tue, 03 Jul 2018 08:09:40 GMT):

fabric-ca-serverenroll.png

MohammadObaid (Tue, 03 Jul 2018 08:10:06 GMT):

fabric-ca-clientenroll.png

MohammadObaid (Tue, 03 Jul 2018 08:11:47 GMT):

fabricdb.png

MohammadObaid (Tue, 03 Jul 2018 08:12:30 GMT):
Any clue to fix this

MohammadObaid (Tue, 03 Jul 2018 08:40:18 GMT):
I have tried with fabric-ca versions `1.1.0-rc1` and `1.2.0` but get the same error in both

saeedi (Tue, 03 Jul 2018 10:49:14 GMT):
Has joined the channel.

skarim (Tue, 03 Jul 2018 14:12:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vwpkyi2FMda6RKquc) @MohammadObaid Can you enable debug on both client and server, then reproduce the issue and send those logs please

suchith.arodi (Tue, 03 Jul 2018 18:20:27 GMT):
Has joined the channel.

vijay5378 (Tue, 03 Jul 2018 19:15:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CwkztAptAsJif7Q3c) @skarim You were right! It was returning a BASE64 encoded string. Once I decoded it, it worked fine. Thanks. However, any design reasons as to why? Returning a simple pem file would definitely be easier.

MohammadObaid (Wed, 04 Jul 2018 07:34:28 GMT):
@skarim Here is the debug information

MohammadObaid (Wed, 04 Jul 2018 07:34:50 GMT):

fabricaserverdebug.png

MohammadObaid (Wed, 04 Jul 2018 07:35:10 GMT):

fabriccaclientdebug.png

vijay5378 (Wed, 04 Jul 2018 09:14:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ghS4W77Ls4ADvK8bo) @MohammadObaid The client calls on https but the server seems to be listening on http

MohammadObaid (Wed, 04 Jul 2018 10:44:19 GMT):
Hey @vijay5378, in the second request from fabric-ca-client I am sending an http request.

Sreesha (Wed, 04 Jul 2018 12:08:53 GMT):
I have generated certs and keys for all the entities using fabric-ca

Sreesha (Wed, 04 Jul 2018 12:10:18 GMT):
i edited the network-config and docker-compose files in the folder balance-transfer/artifacts

Sreesha (Wed, 04 Jul 2018 12:10:29 GMT):
now when I run runapp.sh

Sreesha (Wed, 04 Jul 2018 12:11:04 GMT):
and testAPIs.sh,

Sreesha (Wed, 04 Jul 2018 12:11:14 GMT):
the following error is occurring

Sreesha (Wed, 04 Jul 2018 12:11:20 GMT):
POST request Enroll on Org1 ... {"success":false,"message":"failed Error: Enrollment failed with errors [[{\"code\":19,\"message\":\"CA 'ca-org1' does not exist\"}]]"}

Sreesha (Wed, 04 Jul 2018 12:12:22 GMT):
Can anyone guide me on which fields I should edit in the network-config and docker-compose files?

BabuPallam (Wed, 04 Jul 2018 22:19:57 GMT):
Has joined the channel.

khaledMD (Wed, 04 Jul 2018 23:47:24 GMT):
Has joined the channel.

MohammadObaid (Thu, 05 Jul 2018 07:07:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sYzoEfyQoJGqce4hM) Hey @smithbk can you help me on my issue ?

MohammadObaid (Thu, 05 Jul 2018 09:09:18 GMT):
Hey, after enrolling the bootstrap identity `admin` I want to create a peer identity with the following command `Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort`. As per the doc we should register the new peer and then enroll, but I am getting an error that I should enroll first. Can anyone explain?

smithbk (Thu, 05 Jul 2018 12:55:12 GMT):
@MohammadObaid Yes, you must register an identity before it can be enrolled, but the act of registering a new identity must be done by a registrar identity that has already been enrolled. For example, the bootstrap identity specified by the `-b` option has sufficient privileges to register your new peer identities. You just need to make sure that the FABRIC_CA_CLIENT_HOME env variable points to the home directory of your registrar identity when registering your peer identities. Remember that it is the enroll command that creates the home directory of a user. Another way of looking at this is `registration is like inviting someone to a party` and `enrollment is like accepting the invitation`. Only authorized identities can invite others to the party.

smithbk (Thu, 05 Jul 2018 12:56:36 GMT):
@Sreesha Try on the fabric-sdk-node channel

merth (Thu, 05 Jul 2018 18:53:09 GMT):
Has joined the channel.

Sreesha (Fri, 06 Jul 2018 06:28:01 GMT):
I am getting an error like this on testAPIs.sh, while deploying chaincode using certificates generated by fabric ca

Sreesha (Fri, 06 Jul 2018 06:28:17 GMT):
{"success":false,"message":"failed Error: Network configuration is missing this client's organization and certificate authority"}

Sreesha (Fri, 06 Jul 2018 06:28:34 GMT):
Can anyone explain?

IronStrong (Fri, 06 Jul 2018 06:41:07 GMT):
Has joined the channel.

alek (Fri, 06 Jul 2018 12:15:01 GMT):
Has joined the channel.

vdods (Sat, 07 Jul 2018 21:06:24 GMT):
Hi all, has there been any work done on making a javascript SDK for fabric-ca? I just want to figure out if it's possible for the client to enroll itself and handle its own private key and signing processes, as opposed to having the backend do that.

yacovm (Sat, 07 Jul 2018 21:07:42 GMT):
what's the point in doing that without a corresponding javascript SDK for the fabric-(not-ca) though?

vdods (Sat, 07 Jul 2018 21:09:05 GMT):
Ideally that would also exist, but as an intermediate step, the backend could formulate transaction proposals, send them to the js client which signs and returns them, then the backend ships the transaction proposals off to the peers. Yes, that requires cracking things open a bit on the backend side a little.

yacovm (Sat, 07 Jul 2018 21:09:40 GMT):
so the private key is kept inside the memory of the javascript app?

vdods (Sat, 07 Jul 2018 21:09:48 GMT):
Yeah

yacovm (Sat, 07 Jul 2018 21:09:53 GMT):
and you generate it each time from scratch?

vdods (Sat, 07 Jul 2018 21:09:59 GMT):
Per login session

yacovm (Sat, 07 Jul 2018 21:10:04 GMT):
I like it

vdods (Sat, 07 Jul 2018 21:10:24 GMT):
I'm mainly trying to figure out what's architecturally possible right now

yacovm (Sat, 07 Jul 2018 21:10:25 GMT):
so you only need to remember a password right?

yacovm (Sat, 07 Jul 2018 21:10:36 GMT):
which you use to authenticate to the CA

vdods (Sat, 07 Jul 2018 21:10:45 GMT):
Right, if the js client is logging into the fabric CA server directly

yacovm (Sat, 07 Jul 2018 21:11:04 GMT):
so... I saw some JIRA that said that fabric-CA doesn't set the CORS thingy

yacovm (Sat, 07 Jul 2018 21:11:15 GMT):
if it would then it would be possible to issue a cross origin request to it

yacovm (Sat, 07 Jul 2018 21:11:52 GMT):
let me find the JIRA, hold on

vdods (Sat, 07 Jul 2018 21:12:02 GMT):
Thanks!

yacovm (Sat, 07 Jul 2018 21:12:03 GMT):
https://jira.hyperledger.org/browse/FAB-11019

yacovm (Sat, 07 Jul 2018 21:15:33 GMT):
But you assume in your solution that the backend isn't hacked, otherwise it can send to the client a payload to be signed that does something bad, right? @vdods

vdods (Sat, 07 Jul 2018 21:17:15 GMT):
Yeah, though that vulnerability would be the same if the backend were making all requests on behalf of the user (i.e. if backend had the user's private key)

vdods (Sat, 07 Jul 2018 21:17:32 GMT):
Potentially the client could verify that the transaction proposal matches what it expected

yacovm (Sat, 07 Jul 2018 21:17:49 GMT):
The protobuf is actually not that hard to wrap your head around... I'm sure you can produce code that assembles the entire proposal protobuf, sends it to a dumb backend that just relays it to the peers, sends back the endorsements to the web app, which assembles them and turns them into a transaction, signs it again, and then sends it again to the backend to relay to the orderer

vdods (Sat, 07 Jul 2018 21:19:11 GMT):
That makes sense

vdods (Sat, 07 Jul 2018 21:20:55 GMT):
On the Jira ticket you linked, where it mentions "Javascript based SDK (based on Node.js)", doesn't that exclude the possibility of it running on a web client?

vdods (Sat, 07 Jul 2018 21:21:06 GMT):
*browser? I thought node.js was a server-side only thing.

yacovm (Sat, 07 Jul 2018 21:21:40 GMT):
i think they meant based on the node.js SDK

vdods (Sat, 07 Jul 2018 21:24:31 GMT):
Like starting with the node SDK and porting it to work in javascript client land?

yacovm (Sat, 07 Jul 2018 21:25:40 GMT):
yes

sean (Sun, 08 Jul 2018 02:40:56 GMT):
Has joined the channel.

mastersingh24 (Sun, 08 Jul 2018 14:05:34 GMT):
It's unclear what problem they are really trying to solve .... perhaps they are implying being able to directly interact with peers, orderers and CAs from a web browser without requiring a REST server in between. Of course we can easily fix the CORS issue with the fabric-ca. For the others, I've been looking at grpc-web ... mostly because I don't want a middle tier managing private keys ;)

yacovm (Sun, 08 Jul 2018 14:06:39 GMT):
I believe that's what they're trying to solve, @mastersingh24

mastersingh24 (Sun, 08 Jul 2018 14:11:34 GMT):
Well then it's a duplicate of a new feature and of a bug ... I linked them to the issue

nishant_thite (Mon, 09 Jul 2018 02:39:54 GMT):
Has joined the channel.

qsmen (Mon, 09 Jul 2018 07:14:52 GMT):
Hi, using fabric-ca-server and fabric-ca-client, peers and client app users under the same org can be registered and enrolled. Would this cause any problem?

qsmen (Mon, 09 Jul 2018 08:52:13 GMT):
In the orderer genesis block and channel genesis block, org.member, org.user, and org.admin are used in defining all kinds of policies. The definitions of user and admin are clear, but what's org.member?

alek (Mon, 09 Jul 2018 12:52:00 GMT):
Hi guys, I am trying to use the CA REST API and invoke any request. I set up the `fabric-ca` example and then enrolled admin. Then I invoked `localhost:7054/api/v1/identities` but got a `401` error response because of a missing authorization header. According to @aambati https://chat.hyperledger.org/channel/fabric-ca?msg=NRt7F49EtGE4aDHZq it's just base64 of id:password, so in the `fabric-ca` example it's the result of `base64("admin:adminpw")`. I added the result of that to the header but still with no success. Can anyone help me with understanding what's wrong?

Khaled.MH (Mon, 09 Jul 2018 13:38:11 GMT):
Hi guys, I am trying to register a new fabric-ca-client identity with Fabric CA using this command `fabric-ca-client -d --id.name abcuser --id.affiliation org1.department1 --id.attrs '"hf.Registrar.Roles=peer,user"'` but get this error:
```
{"id":"abcuser","type":"","max_enrollments":-1,"affiliation":"org1.department1","attrs":[{"name":"hf.Registrar.Roles","value":"peer"}]}
2018/07/09 13:33:48 [DEBUG] Received response statusCode=500 (500 Internal Server Error)
Error: Error response from server was: No identity type provided. Please provide identity type
```

skarim (Mon, 09 Jul 2018 13:38:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BsSmaz8n45PQSkucD) @qsmen This should not be a problem, all identities belong to a particular organization can be enrolled with the CA for that org

skarim (Mon, 09 Jul 2018 13:42:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=94E9apHfHqxDbHPL5) @alek Only the enroll API uses basic auth (id, password). For the identities API, you need to generate a token and use that in the authorization header. You can look to see how the fabric CA client generates a token here: https://github.com/hyperledger/fabric-ca/blob/3bcdbb2bb9f46c7eb705c9de8b9bb002c5c15fe3/util/util.go#L234. You will need to do something similar.

skarim (Mon, 09 Jul 2018 13:44:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=P4EsjGKFP3jcJBm2y) @Khaled.MH It seems like you are using an old version of fabric-ca-client. The reason you are getting that error is because you have not specified a type using the flag `--id.type`. I believe this is no longer required in newer versions of the client, but it was required in previous versions. Please try specifying the type and try again.

Khaled.MH (Mon, 09 Jul 2018 13:52:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sbe5ZzK2R9bivHpcT) @skarim yes all right thanks a lot :)

Telijas (Mon, 09 Jul 2018 13:54:27 GMT):
Has joined the channel.

dairehoman (Mon, 09 Jul 2018 14:01:20 GMT):
Has joined the channel.

ashutosh_kumar (Mon, 09 Jul 2018 14:31:54 GMT):
CORS policies are there to prevent something like a clickjacking attack, which can be exploited via the GUI.

qsmen (Tue, 10 Jul 2018 00:37:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KruGWCLWXPa9yKAmk) @skarim Thank you, skarim

AshishMishra 1 (Tue, 10 Jul 2018 05:26:00 GMT):
Hi guys, getting this error on the CA server. Using MySQL (AWS RDS) as the backend database:
```
Failed to remove expired nonces from DB for CA 'ca-xooa': Error 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?)' at line 1
```
Can anyone help?

asadhayat (Tue, 10 Jul 2018 08:48:44 GMT):
I cannot retrieve attribute values in chaincode; details are given in this stackoverflow question (https://stackoverflow.com/questions/51249106/attributes-in-chaincode-returns-blank-value). Any idea what I am doing wrong?

asadhayat (Tue, 10 Jul 2018 09:45:19 GMT):
I am trying to retrieve an attribute value in chaincode with the cid library (https://github.com/hyperledger/fabric/tree/release-1.1/core/chaincode/lib/cid) but it returns a blank value. I modified the `fabcar` sample to use attribute values in the fabcar chaincode for the experiment. My approach is as follows:

1. The `cid` library was not available in the `cli` container, so I map the entire fabric code base from the host into the docker container via the docker compose file:
```
volumes:
  - /home/asad/projects_fabric_1.2/src/github.com/hyperledger/fabric:/opt/gopath/src/github.com/hyperledger/fabric
```
Now I can access the APIs from the `cid` library.

2. I enroll another user (`myuser`) with `ca.example.com` (the CA in the fabcar example) with attributes in my config file as below:
```
id:
  name: myuser
  type: user
  affiliation: org1.department1
  maxenrollments: 0
  attributes:
    - name: hf.IntermediateCA
      value: false
    - name: hf.Registrar.Roles
      value: "peer,orderer,client,user"
    - name: hf.Registrar.DelegateRoles
      value: "peer,orderer,client,user"
    - name: hf.Registrar.Attributes
      value: "*"
    - name: hf.GenCRL
      value: false
    - name: hf.Revoker
      value: false
    - name: hf.AffiliationMgr
      value: false
    - name: 'full_name'
      value: "Jhon Doe"
    - name: 'department'
      value: "Computer Engineering"
```
I enrolled and registered `myuser` via `fabric-ca-client`, and modified the registerUser.js and invoke.js javascript files to use `myuser`. Now I modify the fabcar chaincode to retrieve and log these attribute values:
```go
// Inside the chaincode's Invoke handler; APIstub is the shim.ChaincodeStubInterface
// passed to the chaincode, and cid is github.com/hyperledger/fabric/core/chaincode/lib/cid.
mspid, err := cid.GetMSPID(APIstub)
fmt.Printf("\nMSPID:\n %s \n\n", mspid)
fmt.Printf("\n\n\n")
if err != nil {
	fmt.Printf("\n%v\n\n", err)
}

// GetAttributeValue returns (value, found, err); found is false when the
// attribute is not present in the invoking client's certificate.
attr1, ok, err := cid.GetAttributeValue(APIstub, "full_name")
if !ok {
	fmt.Printf("\nFull_Name not OK.\n")
}
fmt.Printf("\nfull_name:\n %s \n\n", attr1)
fmt.Printf("\n\n\n")
if err != nil {
	fmt.Printf("\n%v\n\n", err)
}

attr2, ok, err := cid.GetAttributeValue(APIstub, "department")
if !ok {
	fmt.Printf("\nDepartment not OK.\n")
}
fmt.Printf("\ndepartment:\n %s \n\n", attr2)
fmt.Printf("\n\n\n")
if err != nil {
	fmt.Printf("\n%v\n\n", err)
}
```
Now when I invoke the chaincode via `node invoke.js` and inspect the logs of the chaincode container, I get the following output:
```
MSPID:
 Org1MSP

Full_Name not OK.

full_name:


Department not OK.

department:

```
Any idea why I am not getting my attribute values?

skarim (Tue, 10 Jul 2018 14:06:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mAdemRyngT8usC3ok) @AshishMishra 1 This looks to be a bug. @aambati

aambati (Tue, 10 Jul 2018 14:36:21 GMT):
@AshishMishra 1 Can you please open a bug?

sasquatch85 (Tue, 10 Jul 2018 18:08:21 GMT):
Has left the channel.

corykacal (Tue, 10 Jul 2018 20:00:26 GMT):
Has joined the channel.

vdods (Tue, 10 Jul 2018 20:31:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kuAiM7m2oNmGuYiiB) @mastersingh24 Agreed! Glad to hear you're also interested in that.

montana (Tue, 10 Jul 2018 21:35:48 GMT):
Does anyone have any guidance on how to integrate the Fabric-CA server with an HSM? I see steps on how to integrate with a SoftHSM http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#hsm but not a hard one.

Sreesha (Wed, 11 Jul 2018 06:12:33 GMT):
How to use fabric-ca generated certs in balance-transfer?

NoLimitHoldem (Wed, 11 Jul 2018 06:15:09 GMT):
Has joined the channel.

jayeshjawale95 (Wed, 11 Jul 2018 07:28:49 GMT):
Has joined the channel.

ashutosh_kumar (Wed, 11 Jul 2018 13:59:45 GMT):
@montana, what do you mean by guidance?

touqeershah (Wed, 11 Jul 2018 15:10:21 GMT):
Has joined the channel.

touqeershah (Wed, 11 Jul 2018 15:10:54 GMT):
```
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
2018/07/11 20:01:45 [INFO] generating key: &{A:ecdsa S:256}
2018/07/11 20:01:45 [INFO] encoded CSR
Error: Response from server: Error Code: 20 - Authorization failure
```

skarim (Wed, 11 Jul 2018 15:38:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jFmEcQ5gnTihYJ2i8) @touqeershah Can you provide more detailed logs with `debug` enabled both from client and server?

aanugu (Thu, 12 Jul 2018 01:47:35 GMT):
Has joined the channel.

noif (Thu, 12 Jul 2018 05:56:11 GMT):
Has joined the channel.

WadeLu (Thu, 12 Jul 2018 07:31:47 GMT):
Has joined the channel.

Ashish (Thu, 12 Jul 2018 08:52:31 GMT):
Hi

Ashish (Thu, 12 Jul 2018 08:52:55 GMT):

Fabric CA documentation

Ashish (Thu, 12 Jul 2018 08:54:22 GMT):
Can some one tell me which directory under msp directory would contain ECert ? And which directory under msp would contain the corresponding private key and which directory would contain the CA certificate chain PEM files?

Ashish (Thu, 12 Jul 2018 08:58:52 GMT):
Do we use ECerts for Transaction Signing?

Sreesha (Thu, 12 Jul 2018 09:01:47 GMT):
@Ashish I think the private key will be inside keystore.

Ashish (Thu, 12 Jul 2018 09:02:07 GMT):
The file with _sk, right?

Sreesha (Thu, 12 Jul 2018 09:05:07 GMT):
@Ashish Yes

BhaskarNarayan (Thu, 12 Jul 2018 09:24:55 GMT):
Has joined the channel.

amolpednekar (Thu, 12 Jul 2018 10:43:27 GMT):
Hi guys, I'm trying to use the fabric-ca-client binary to register and enroll a peer identity. Ran the following commands:
```
fabric-ca-client register --id.name peer3 --id.type peer --id.secret peer3pw --tls.certfiles /root/amol/tlsca.cert --caname org1CA
fabric-ca-client enroll -u https://peer3:peer3pw@-org1-ca.us7.blockchain.ibm.com:31011 --tls.certfiles /root/amol/tlsca.cert --caname org1CA -M /root/ibp-creds/peer3/msp
```
This generated the MSP folder for this new peer. But the peer container also requires a TLS folder to be mounted when starting the image. How to generate this folder?

IgorSim (Thu, 12 Jul 2018 11:01:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Cca2qEAC5tnjRwhxs) @amolpednekar You need to enroll again, but with the TLS enrollment profile flag set, for example: `.... --enrollment.profile tls -M`

amolpednekar (Thu, 12 Jul 2018 11:49:11 GMT):
@IgorSim Thanks. If I add the tls flag, it generates additional folders called `tlscacerts` and `tlsintermediatecerts`. The tls folder inside peers generated by the crypto-config tool contains ca.crt, server.crt and server.key. Should I use the private key generated under `keystore` as server.key as well?

amolpednekar (Thu, 12 Jul 2018 11:52:55 GMT):

Capture3.PNG

amolpednekar (Thu, 12 Jul 2018 11:52:57 GMT):

Capture2.PNG

amolpednekar (Thu, 12 Jul 2018 11:52:57 GMT):

Capture1.PNG

amolpednekar (Thu, 12 Jul 2018 11:55:48 GMT):

crpyto.png

amolpednekar (Thu, 12 Jul 2018 11:56:10 GMT):
@IgorSim ^^ Trying to map what should go where from the output of the fabric-ca-client too

montana (Thu, 12 Jul 2018 17:33:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8NvuAJZuHdzB5rf8u) @ashutosh_kumar @ashutosh_kumar Perhaps an explanation or some code examples on end to end integrating the Fabric CA service with an HSM. For example, showing the high level workflow for having a CA issue a cert whose key is protected by a private key.

ashutosh_kumar (Thu, 12 Jul 2018 17:54:18 GMT):
@montana: "showing the high level workflow for having a CA issue a cert whose key is protected by a private key", what do you mean?

ashutosh_kumar (Thu, 12 Jul 2018 17:54:41 GMT):
I am confused.

Russ.corsha (Thu, 12 Jul 2018 18:15:10 GMT):
Has joined the channel.

tongli (Thu, 12 Jul 2018 18:18:32 GMT):
Good day. Using fabric-ca 1.2.0, when requesting an identity from composer, I am getting the following error:

tongli (Thu, 12 Jul 2018 18:18:36 GMT):
```
POST /api/v1/enroll 500 0 "api/v1/enroll handler failed to initialize DB: Failed to update schema: sql: no rows in result set
```

tongli (Thu, 12 Jul 2018 18:18:46 GMT):
Can anyone tell me what the problem was?

tongli (Thu, 12 Jul 2018 18:20:02 GMT):
The other parts of the logs look fine.

tongli (Thu, 12 Jul 2018 18:20:05 GMT):
```
2018/07/12 18:14:20 [DEBUG] Received request for /api/v1/enroll
2018/07/12 18:14:20 [DEBUG] Initializing DB
2018/07/12 18:14:20 [DEBUG] Initializing 'sqlite3' database at '/etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca/fabric-ca-server.db'
2018/07/12 18:14:20 [DEBUG] Using sqlite database, connect to database in home (/etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca/fabric-ca-server.db) directory
2018/07/12 18:14:20 [DEBUG] Creating SQLite database (/etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca/fabric-ca-server.db) if it does not exist...
2018/07/12 18:14:21 [DEBUG] Creating users table if it does not exist
2018/07/12 18:14:21 [DEBUG] Creating affiliations table if it does not exist
2018/07/12 18:14:21 [DEBUG] Creating certificates table if it does not exist
2018/07/12 18:14:21 [DEBUG] Creating credentials table if it does not exist
2018/07/12 18:14:21 [DEBUG] Creating revocation_authority_info table if it does not exist
2018/07/12 18:14:21 [DEBUG] Creating nonces table if it does not exist
2018/07/12 18:14:21 [DEBUG] Creating properties table if it does not exist
2018/07/12 18:14:21 [DEBUG] Successfully opened sqlite3 DB
2018/07/12 18:14:21 [DEBUG] Checking database schema...
2018/07/12 18:14:21 [DEBUG] Update SQLite schema, if using outdated schema
```

tongli (Thu, 12 Jul 2018 18:26:16 GMT):
I was following this document. https://hyperledger.github.io/composer/latest/tutorials/deploy-to-fabric-multi-org

tongli (Thu, 12 Jul 2018 18:26:32 GMT):
When I did the composer identity request, it failed.

tongli (Thu, 12 Jul 2018 18:26:37 GMT):
please help. Stuck.

Russ.corsha (Thu, 12 Jul 2018 19:05:03 GMT):
Hi guys, when registering/enrolling a user, I'm trying to give a "user" identity a certificate that has `X509v3 Extended Key Usage: TLS Web Client Authentication`. This would allow the user identity to mutually authenticate to some of my servers with Fabric certs. Unfortunately I have hit a wall. Is there any way to add the Extended Key Usage to the cert during enrollment? Could I somehow add that to the default user profile? Better explanation in my stack overflow post: https://stackoverflow.com/questions/51311780/add-web-tls-client-authentication-to-the-user-identity-cert

skarim (Thu, 12 Jul 2018 19:11:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CsnerHzmzjoWJ8nDw) @Russ.corsha Yes, if you wanted to, you could by default have each enrollment certificate have that key usage. You will need to add `client auth` to the usage under the default signing profile in your server configuration file.

skarim (Thu, 12 Jul 2018 19:12:12 GMT):
Like this:
```
signing:
  default:
    usage:
      - digital signature
      - client auth
```

skarim (Thu, 12 Jul 2018 19:12:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gtxXYgGp8xSHJTFpa) @tongli Do you have the entire logs from the fabric ca server start up? There was an error initializing the database; that is why you are hitting that issue during enrollment.

tongli (Thu, 12 Jul 2018 19:13:46 GMT):
@skarim, thanks for your response. That is all logs from the ca container.

tongli (Thu, 12 Jul 2018 19:14:44 GMT):
I wonder if there are any configuration changes between 1.1 and 1.2 in terms of CA configuration.

tongli (Thu, 12 Jul 2018 19:17:17 GMT):
I did not change any CA container configuration, which worked for 1.1,

tongli (Thu, 12 Jul 2018 19:17:29 GMT):
but with 1.2, it fails.

skarim (Thu, 12 Jul 2018 19:18:29 GMT):
I imagine you had the 1.1 version of the CA before, but now you have 1.2 binaries that you are trying to start against an already existing database. Is that correct?

tongli (Thu, 12 Jul 2018 19:22:10 GMT):
that is right.

skarim (Thu, 12 Jul 2018 19:22:20 GMT):
Do you have data in your current database?

tongli (Thu, 12 Jul 2018 19:22:44 GMT):
When I just start using the 1.2 docker CA image, I cannot do the identity request any more.

tongli (Thu, 12 Jul 2018 19:22:55 GMT):
no existing data,

skarim (Thu, 12 Jul 2018 19:23:07 GMT):
the `no rows in result set` seems to indicate that at least one of the tables is empty

tongli (Thu, 12 Jul 2018 19:23:10 GMT):
everything starts up brand new

Russ.corsha (Thu, 12 Jul 2018 19:23:22 GMT):
@skarim Thanks for the info! any chance you know the file name for the server configuration file?

skarim (Thu, 12 Jul 2018 19:23:46 GMT):
@tongli Could you try deleting the existing sqlite database and starting the server again?

skarim (Thu, 12 Jul 2018 19:24:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7BoEnuENxrx2N2oNR) @Russ.corsha by default it's fabric-ca-server-config.yaml, but the name is customizable

tongli (Thu, 12 Jul 2018 19:26:46 GMT):
@skarim I have tried a few times, same problem.

tongli (Thu, 12 Jul 2018 19:27:16 GMT):
@skarim Do you know if there are any configuration changes for setting up the CA?

skarim (Thu, 12 Jul 2018 19:27:25 GMT):
OK, if you could try to collect the logs from the server with debug enabled, I think that could shed some light as to what is happening.

skarim (Thu, 12 Jul 2018 19:27:44 GMT):
I am not aware of any configuration changes

tongli (Thu, 12 Jul 2018 19:27:48 GMT):
ok.

tongli (Thu, 12 Jul 2018 20:40:13 GMT):
@skarim I enabled debug. Clean new install, no client request yet. Here is the log file.

tongli (Thu, 12 Jul 2018 20:43:29 GMT):
```
2018/07/12 20:25:34 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca/fabric-ca-server-config.yaml
2018/07/12 20:25:34 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca
2018/07/12 20:25:34 [INFO] Server Version: 1.2.0-stable
2018/07/12 20:25:34 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2018/07/12 20:25:34 [DEBUG] Making server filenames absolute
2018/07/12 20:25:34 [DEBUG] Initializing default CA in directory /etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca
2018/07/12 20:25:34 [DEBUG] Init CA with home /etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca and config {Version:1.1.0 Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name:ca1st-orga Keyfile:/etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca/ca_private.key Certfile:/etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca/ca.orga-cert.pem Chainfile:ca-chain.pem} Signing:0xc420497710 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[ca1st-orga localhost] KeyRequest: CA:0xc42049b5a0 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.AffiliationMgr:1 hf.Registrar.Roles:peer,orderer,client,user hf.Registrar.DelegateRoles:peer,orderer,client,user hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:*] }]} Affiliations:map[org1:[department1 department2] org2:[department1]] LDAP:{ Enabled:false URL:ldap://****:****@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc42047ae70 Client: Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR: Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:0 NonceExpiration: NonceSweepInterval:}}
2018/07/12 20:25:34 [DEBUG] CA Home Directory: /etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca
2018/07/12 20:25:34 [DEBUG] Checking configuration file version '1.1.0' against server version: '1.2.0-stable'
```

tongli (Thu, 12 Jul 2018 20:44:21 GMT):
```
2018/07/12 20:25:34 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc42047aed0 PluginOpts: Pkcs11Opts:}
2018/07/12 20:25:34 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc42049efe0 DummyKeystore:}
2018/07/12 20:25:34 [DEBUG] Initialize key material
2018/07/12 20:25:34 [DEBUG] Making CA filenames absolute
2018/07/12 20:25:34 [INFO] The CA key and certificate files already exist
2018/07/12 20:25:34 [INFO] Key file location: /etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca/ca_private.key
2018/07/12 20:25:34 [INFO] Certificate file location: /etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca/ca.orga-cert.pem
2018/07/12 20:25:34 [DEBUG] Validating the CA certificate and key
2018/07/12 20:25:34 [DEBUG] Check CA certificate for valid dates
2018/07/12 20:25:34 [DEBUG] Check CA certificate for valid usages
2018/07/12 20:25:34 [DEBUG] Check CA certificate for valid IsCA value
2018/07/12 20:25:34 [DEBUG] Check that key type is supported
2018/07/12 20:25:34 [DEBUG] Check that key size is of appropriate length
2018/07/12 20:25:34 [DEBUG] Check that public key and private key match
2018/07/12 20:25:34 [DEBUG] Validation of CA certificate and key successful
2018/07/12 20:25:34 [DEBUG] Loading CN from existing enrollment information
2018/07/12 20:25:34 [DEBUG] Initializing DB
2018/07/12 20:25:34 [DEBUG] Initializing 'sqlite3' database at '/etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca/fabric-ca-server.db'
2018/07/12 20:25:34 [DEBUG] Using sqlite database, connect to database in home (/etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca/fabric-ca-server.db) directory
2018/07/12 20:25:34 [DEBUG] Creating SQLite database (/etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca/fabric-ca-server.db) if it does not exist...
2018/07/12 20:25:34 [DEBUG] Creating users table if it does not exist
2018/07/12 20:25:34 [DEBUG] Creating affiliations table if it does not exist
2018/07/12 20:25:34 [DEBUG] Creating certificates table if it does not exist
2018/07/12 20:25:34 [DEBUG] Creating credentials table if it does not exist
2018/07/12 20:25:34 [DEBUG] Creating revocation_authority_info table if it does not exist
2018/07/12 20:25:34 [DEBUG] Creating nonces table if it does not exist
2018/07/12 20:25:34 [DEBUG] Creating properties table if it does not exist
2018/07/12 20:25:34 [DEBUG] Successfully opened sqlite3 DB
2018/07/12 20:25:34 [DEBUG] Checking database schema...
2018/07/12 20:25:34 [DEBUG] Update SQLite schema, if using outdated schema
2018/07/12 20:25:34 [ERROR] Error occurred initializing database: Failed to update schema: sql: no rows in result set
```

tongli (Thu, 12 Jul 2018 20:44:39 GMT):
```
2018/07/12 20:25:34 [DEBUG] Initializing enrollment signer
2018/07/12 20:25:34 [DEBUG] No key found in BCCSP keystore, attempting fallback
2018/07/12 20:25:34 [DEBUG] validating configuration
2018/07/12 20:25:34 [DEBUG] validate local profile
2018/07/12 20:25:34 [DEBUG] profile is valid
2018/07/12 20:25:34 [DEBUG] validate local profile
2018/07/12 20:25:34 [DEBUG] profile is valid
2018/07/12 20:25:34 [DEBUG] validate local profile
2018/07/12 20:25:34 [DEBUG] profile is valid
2018/07/12 20:25:34 [DEBUG] CA initialization successful
2018/07/12 20:25:34 [DEBUG] Returning without initializing Idemix issuer for CA 'ca1st-orga' as the database is not initialized
2018/07/12 20:25:34 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca
2018/07/12 20:25:34 [DEBUG] 1 CA instance(s) running on server
2018/07/12 20:25:34 [INFO] Listening on http://0.0.0.0:7054
2018/07/12 20:28:31 [DEBUG] Received request for /api/v1/enroll
2018/07/12 20:28:31 [DEBUG] Initializing DB
2018/07/12 20:28:31 [DEBUG] Initializing 'sqlite3' database at '/etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca/fabric-ca-server.db'
2018/07/12 20:28:31 [DEBUG] Using sqlite database, connect to database in home (/etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca/fabric-ca-server.db) directory
2018/07/12 20:28:31 [DEBUG] Creating SQLite database (/etc/hyperledger/fabric-ca-server-config/keyfiles/orga/ca/fabric-ca-server.db) if it does not exist...
2018/07/12 20:28:31 [DEBUG] Creating users table if it does not exist
2018/07/12 20:28:31 [DEBUG] Creating affiliations table if it does not exist
2018/07/12 20:28:31 [DEBUG] Creating certificates table if it does not exist
2018/07/12 20:28:31 [DEBUG] Creating credentials table if it does not exist
2018/07/12 20:28:31 [DEBUG] Creating revocation_authority_info table if it does not exist
2018/07/12 20:28:31 [DEBUG] Creating nonces table if it does not exist
2018/07/12 20:28:31 [DEBUG] Creating properties table if it does not exist
2018/07/12 20:28:31 [DEBUG] Successfully opened sqlite3 DB
2018/07/12 20:28:31 [DEBUG] Checking database schema...
2018/07/12 20:28:31 [DEBUG] Update SQLite schema, if using outdated schema
2018/07/12 20:28:31 [INFO] 10.0.1.95:35684 POST /api/v1/enroll 500 0 "api/v1/enroll handler failed to initialize DB: Failed to update schema: sql: no rows in result set"
```

montana (Thu, 12 Jul 2018 20:45:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=96iQsTWSy8WwsZQzt) @ashutosh_kumar Sorry I mean to say "For example, showing the high level workflow for having a CA issue a cert where the CA's key is protected by an HSM"

tongli (Thu, 12 Jul 2018 20:46:29 GMT):
The CA configuration parameters are set like this.

tongli (Thu, 12 Jul 2018 20:46:33 GMT):
```
- { name: "FABRIC_CA_SERVER_DEBUG", value: "true" }
- { name: "FABRIC_CA_HOME", value: "/etc/hyperledger/fabric-ca-server-config//keyfiles/orgd/ca" }
- { name: "FABRIC_CA_SERVER_CA_NAME", value: "ca1st-orgd" }
- { name: "FABRIC_CA_SERVER_CA_KEYFILE", value: "/etc/hyperledger/fabric-ca-server-config/keyfiles/orgd/ca/ca_private.key" }
- { name: "FABRIC_CA_SERVER_CA_CERTFILE", value: "/etc/hyperledger/fabric-ca-server-config/keyfiles/orgd/ca/ca.orgd-cert.pem" }
```

ashutosh_kumar (Thu, 12 Jul 2018 20:52:49 GMT):
@montana, I do not think we have that in place yet.

montana (Thu, 12 Jul 2018 21:07:46 GMT):
Are you familiar with how the process would work?

swagger (Thu, 12 Jul 2018 22:23:48 GMT):
Has joined the channel.

skarim (Thu, 12 Jul 2018 22:32:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TuiyJZpsGJGtsTZ56) @tongli Can you inspect your sqlite database to see if you have a `properties` table? If so, can you see if this table has entries?

swagger (Thu, 12 Jul 2018 22:58:58 GMT):
Hey all, I'm new to hyperledger following these tutorials:

swagger (Thu, 12 Jul 2018 22:59:35 GMT):
https://medium.com/coinmonks/building-a-blockchain-application-using-hyperledger-fabric-with-angular-frontend-part-2-22ef7c77f53, https://www.ibm.com/developerworks/cloud/library/cl-deploy-interact-extend-local-blockchain-network-with-hyperledger-composer/index.html

swagger (Thu, 12 Jul 2018 23:01:54 GMT):
All works fine till I get to the terminal command `composer network ping --card admin@block-track`, which throws me the error:
```
Error: Error trying login and get user Context. Error: Error trying to enroll user or load channel configuration. Error: Enrollment failed with errors [[{"code":0,"message":"open /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem: no such file or directory"}]]
```

swagger (Thu, 12 Jul 2018 23:04:43 GMT):
https://github.com/hyperledger/composer/issues/1769 made it seem like it was a certificate authority problem, but since I'm new I'm not too sure how to fix it. Another user said the issue was fixed after doing a completely new setup, and I deleted all the files and retried, but I still get the same issue on both tutorials. Any ideas on how to fix the error? Appreciate any feedback!

ashutosh_kumar (Fri, 13 Jul 2018 01:54:36 GMT):
@montana, I am familiar, but do not have time to write it down.

Wallace_wang (Fri, 13 Jul 2018 02:47:04 GMT):
Has joined the channel.

Sreesha (Fri, 13 Jul 2018 05:15:27 GMT):
ca.crt

Sreesha (Fri, 13 Jul 2018 06:44:42 GMT):
In the orderer/tls folder I have server.key and server.cert files only.

Sreesha (Fri, 13 Jul 2018 06:45:24 GMT):
But in cryptoconfig another file called ca.crt is also present, and the same is used in network-config.yaml.

Sreesha (Fri, 13 Jul 2018 06:45:45 GMT):
What is this ca.crt and how do I generate it?

skarim (Fri, 13 Jul 2018 15:22:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=h8sC6AxEuMSqw4DHm) @Sreesha I believe the ca.crt should be the certificate that is in the msp/cacerts folder when enrolling using fabric ca

montana (Fri, 13 Jul 2018 16:42:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oRnj9oMTmxWzHg4nm) @ashutosh_kumar Totally understand that. Maybe I can send you specific questions and you can answer them on your own time? @ashutosh_kumar

jiulama (Sat, 14 Jul 2018 07:10:03 GMT):
Has joined the channel.

underbell (Mon, 16 Jul 2018 02:34:14 GMT):
Has joined the channel.

MeghaGupta (Tue, 17 Jul 2018 06:32:25 GMT):
Has joined the channel.

MeghaGupta (Tue, 17 Jul 2018 06:32:31 GMT):
Hi

MeghaGupta (Tue, 17 Jul 2018 06:33:08 GMT):
fabric-ca-server | Error: Configuration file version '1.2.1-snapshot-3bcdbb2' is higher than server version '1.2.0-stable'

MeghaGupta (Tue, 17 Jul 2018 06:33:15 GMT):
Do I need to set an env variable?

MeghaGupta (Tue, 17 Jul 2018 07:01:49 GMT):
I took the latest CA code and am trying to run it through docker-compose.

MeghaGupta (Tue, 17 Jul 2018 07:01:57 GMT):
```
cd $GOPATH/src/github.com/hyperledger/fabric-ca
make docker
cd docker/server
docker-compose up -d
```

Othman.Darwish (Tue, 17 Jul 2018 07:27:03 GMT):
swagger

ThomasBereczky (Tue, 17 Jul 2018 08:43:29 GMT):
Has joined the channel.

ThomasBereczky (Tue, 17 Jul 2018 08:43:33 GMT):
Hey Guys

ThomasBereczky (Tue, 17 Jul 2018 08:43:35 GMT):
Good Morning

ThomasBereczky (Tue, 17 Jul 2018 08:43:49 GMT):
I got a little bit stuck and I would really appreciate it if someone could point me in the right direction.

ThomasBereczky (Tue, 17 Jul 2018 08:43:55 GMT):
I'm trying to deploy a multi org network

ThomasBereczky (Tue, 17 Jul 2018 08:44:33 GMT):
and I'm getting this error --> access denied: channel [composerchannel] creator org [alaskaairMSP]

ThomasBereczky (Tue, 17 Jul 2018 08:44:51 GMT):
This is how my deployment looks like -->

ThomasBereczky (Tue, 17 Jul 2018 08:45:37 GMT):

kv00j4.zip

ThomasBereczky (Tue, 17 Jul 2018 08:46:05 GMT):
What am I doing wrong? I have been all over this issue since Friday and I can't seem to figure it out...

ZackPhan (Tue, 17 Jul 2018 20:12:46 GMT):
Has joined the channel.

Sreesha (Wed, 18 Jul 2018 09:46:45 GMT):
Hi everyone. Has anyone tried generating certificates using fabric-ca rather than cryptogen and using them to run balance-transfer?

Sreesha (Wed, 18 Jul 2018 09:47:10 GMT):
For me the orderer is rejecting the channel creation request.

Sreesha (Wed, 18 Jul 2018 09:47:18 GMT):
Can anyone help me?

NilsPe (Wed, 18 Jul 2018 11:46:33 GMT):
Has joined the channel.

skarim (Wed, 18 Jul 2018 13:38:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GuZ4HsxSvyjhb9qjA) @MeghaGupta Do you have a configuration file present in your server home directory from another version of fabric ca server?

MeghaGupta (Wed, 18 Jul 2018 13:39:11 GMT):
Thanks @skarim, it is solved now.

skarim (Wed, 18 Jul 2018 13:39:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jgrQAoqv9NG75ZRgx) @ThomasBereczky It seems like you are invoking a request on a channel using an identity that does not belong to the correct MSP for that channel.

skarim (Wed, 18 Jul 2018 13:39:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PL4hS3HAXS94FjZ8o) @Sreesha What is the error? Did you generate a new genesis block?

yuriiuhlanov (Wed, 18 Jul 2018 14:52:40 GMT):
Has joined the channel.

yuriiuhlanov (Wed, 18 Jul 2018 14:53:38 GMT):
Guys, I don't understand the difference between registration and enrollment of a user, could someone help me please?

qubing (Wed, 18 Jul 2018 16:09:08 GMT):
Has joined the channel.

qubing (Wed, 18 Jul 2018 16:10:52 GMT):
@yuriiuhlanov you can understand by this: (registration=create user, enrollment=login)

newthinker (Thu, 19 Jul 2018 01:56:16 GMT):
Has joined the channel.

Hz (Thu, 19 Jul 2018 03:09:58 GMT):
Has joined the channel.

samir.tata (Thu, 19 Jul 2018 03:55:24 GMT):
Has joined the channel.

Sreesha (Thu, 19 Jul 2018 05:03:39 GMT):
@skarim Yes, I have generated new genesis, channel tx and anchors.tx.

nvlasov (Thu, 19 Jul 2018 05:54:08 GMT):
Has joined the channel.

alejandrolr (Thu, 19 Jul 2018 08:42:42 GMT):
Has joined the channel.

alejandrolr (Thu, 19 Jul 2018 08:49:35 GMT):
Hi all! I'm trying to set up a ldap based fabric-ca to manage my users, do you have any example or tutorial?

vietanh (Thu, 19 Jul 2018 09:13:17 GMT):
Has joined the channel.

yuriiuhlanov (Thu, 19 Jul 2018 09:30:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JMHvbJt5mNyJAfEeo) @qubing Thank you for your answer!

SandeepPerugu (Thu, 19 Jul 2018 09:48:52 GMT):
Has joined the channel.

IgorSim (Thu, 19 Jul 2018 10:21:39 GMT):
Hi, I've upgraded fabric and fabric-ca to 1.2. I'm using MySQL as the CA DB. Now I'm seeing errors in the log like this: `Failed to remove expired nonces from DB for CA '': Error 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?)'` Btw, I guess 'nonce' is a new table in 1.2; where is it used?

skarim (Thu, 19 Jul 2018 13:55:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=y4y9caQ3tc8ihpdkG) @IgorSim This is a known bug, I am working on the fix. The error should not cause any issues to current CA functionality.

IgorSim (Thu, 19 Jul 2018 14:02:51 GMT):
@skarim thanks for the heads up

skarim (Thu, 19 Jul 2018 14:13:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YdvNccfNjnxg9P9kh) @alejandrolr Have you looked at the Configuring LDAP section in the readme? https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#configuring-ldap

titog (Thu, 19 Jul 2018 19:58:02 GMT):
Has joined the channel.

sean (Thu, 19 Jul 2018 21:18:13 GMT):
I downloaded the Fabric-CA Go pkg (`go get -u github.com/hyperledger/fabric-ca/cmd/...`) (per http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html), and I'm getting this error:
```
$ go get -u github.com/hyperledger/fabric-ca/cmd/...
# github.com/hyperledger/fabric-ca/lib
fabric-ca/lib/server.go:714:23: cert.Issuer.String undefined (type pkix.Name has no field or method String)
fabric-ca/lib/server.go:715:24: cert.Subject.String undefined (type pkix.Name has no field or method String)
```
...which is obviously not correct since the pkix package Name struct does have a `String()` method (https://golang.org/pkg/crypto/x509/pkix/#Name.String). Any idea how to remedy this? I already tried to update my pkix pkg (`go get crypto/x509/pkix`), but that did not help.

sean (Thu, 19 Jul 2018 21:24:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hzWDg68QaxFFXdkXN) The problematic method is here (https://github.com/hyperledger/fabric-ca/blob/release-1.2/lib/server.go):
```
func (s *Server) loadDNFromCertFile(certFile string) (*DN, error) {
	log.Debugf("Loading DNs from certificate %s", certFile)
	cert, err := util.GetX509CertificateFromPEMFile(certFile)
	if err != nil {
		return nil, err
	}
	distinguishedName := &DN{
		issuer:  cert.Issuer.String(),
		subject: cert.Subject.String(),
	}
	return distinguishedName, nil
}
```

aambati (Thu, 19 Jul 2018 21:25:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hzWDg68QaxFFXdkXN) @sean what version of Go are you using?

Russ.corsha (Thu, 19 Jul 2018 21:26:29 GMT):
`go version` in terminal

sean (Thu, 19 Jul 2018 21:27:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=54fs9G6iBTapefDLE) @aambati `go version go1.9.2 darwin/amd64`

sean (Thu, 19 Jul 2018 21:27:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=t2Xe3Ay6xCdD44LTS) thanks, I haven't had an issue until now, will try that

Russ.corsha (Thu, 19 Jul 2018 21:27:59 GMT):
https://imgur.com/gallery/RG0BS1U

sean (Thu, 19 Jul 2018 21:36:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=54fs9G6iBTapefDLE) @aambati Yup, I should have realized `go get` isn't going to update a standard package. The go upgrade fixed the issue - thanks for the help!

chandrakanthMamillapalli (Fri, 20 Jul 2018 01:10:53 GMT):
Has joined the channel.

chandrakanthMamillapalli (Fri, 20 Jul 2018 01:11:38 GMT):
How can we query all the users enrolled under an MSP?

pandagopal (Fri, 20 Jul 2018 05:14:20 GMT):
Has joined the channel.

skarim (Fri, 20 Jul 2018 13:36:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Nf9m55bxY9XAiovk6) @chandrakanthMamillapalli By under a MSP, you mean all users that enrolled with a particular CA? If you are an admin user with root affiliation, you can list all identities using the `fabric-ca-client identity list` command.

montana (Fri, 20 Jul 2018 17:42:57 GMT):
```
make docker
Building docker fabric-ca-orderer image
docker build -t hyperledger/fabric-ca-orderer --build-arg FABRIC_CA_DYNAMIC_LINK= build/image/fabric-ca-orderer
Sending build context to Docker daemon  19.96MB
Step 1/6 : FROM nexus3.hyperledger.org:10001/hyperledger/fabric-orderer:amd64-1.2.1-stable
Get https://nexus3.hyperledger.org:10001/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
make: *** [build/image/fabric-ca-orderer/.dummy-amd64-1.2.1-snapshot-01f2bb5] Error 1
```

montana (Fri, 20 Jul 2018 17:43:16 GMT):
Anyone know what my issue is?

aambati (Fri, 20 Jul 2018 18:08:34 GMT):
@montana The fabric-ca-orderer image is based on the fabric-orderer image; if you don't have it on your machine, it will get it from Docker Hub. I think Docker Hub is pulling the image from the Nexus repository manager... What version of the CA code do you have in your workspace?

montana (Fri, 20 Jul 2018 19:29:57 GMT):
release-1.2

montana (Fri, 20 Jul 2018 19:30:00 GMT):
@aambati

junewalk2 (Sat, 21 Jul 2018 02:45:49 GMT):
Has joined the channel.

wtlife (Mon, 23 Jul 2018 03:28:26 GMT):
Has joined the channel.

Sreesha (Mon, 23 Jul 2018 05:34:32 GMT):
Hi everyone.

Sreesha (Mon, 23 Jul 2018 05:34:53 GMT):
I am trying to connect to the orderer to create a channel.

Sreesha (Mon, 23 Jul 2018 05:35:08 GMT):
I am using fabric-ca instead of cryptogen.

Sreesha (Mon, 23 Jul 2018 05:35:27 GMT):
I am using localhost to connect to orderers and peers,

Sreesha (Mon, 23 Jul 2018 05:35:39 GMT):
but I am getting an error like this:

Sreesha (Mon, 23 Jul 2018 05:35:43 GMT):
27123 ssl_transport_security.c:921] Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.

ShobhitSrivastava (Mon, 23 Jul 2018 06:27:51 GMT):
Has joined the channel.

ShobhitSrivastava (Mon, 23 Jul 2018 06:32:17 GMT):
Hi @skarim

ShobhitSrivastava (Mon, 23 Jul 2018 06:39:41 GMT):
Hi @skarim. I have been using the cryptogen tool to generate certificates for a multi-org network and it is working fine. I have a few queries regarding Fabric-CA.
1) If I now want this multi-org network to get certificates from a Fabric-CA, how many CA instances should I start: one for each org, or one CA for all orgs?
2) If I have to register/enroll a user named test1 with password hello123 for invoking a chaincode on one of the peers, how should I get the certificate for it? I followed the link on the Hyperledger docs but am still confused by configuration and affiliation.
Can you please provide answers to the above queries? Thanks, Shobhit

arash_sr7 (Mon, 23 Jul 2018 09:39:05 GMT):
Has joined the channel.

sean (Mon, 23 Jul 2018 12:05:44 GMT):
Hey everyone, I'm a developer with little detailed experience with identity management, and although the MSP docs, videos, and running the samples have helped, I still feel like I'm missing a clear picture of a production environment. The `cryptogen` tool is great, but it just spits out a directory structure for development that's unrealistic for production. *Does anyone know of a github repo or other example that shows the final, _production directory structure_ of each orderer, peer, client?* Just one decent production example would fill in a lot of mental gaps here.

aambati (Mon, 23 Jul 2018 14:44:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aoJsRNWiZnLoKMkyX) @Sreesha I think this error means the client is not able to verify the orderer's TLS cert. Do you see any TLS errors in the orderer log? I am assuming you have specified the `--cafile` argument to `peer channel create`, which specifies a file that contains the orderer's CA cert chain.

aambati (Mon, 23 Jul 2018 14:44:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zpTKREQX64df5juLk) @montana @rameshthoomu can you please help @montana with this problem? He is getting this error when `make docker` is issued in the fabric-ca project: https://chat.hyperledger.org/channel/fabric-ca?msg=GnT2WmQubcrwixtec

aambati (Mon, 23 Jul 2018 14:51:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mtBmCexocAKRjCXyp) @ShobhitSrivastava 1) Typically one CA per org. 2) Enroll the user (using id/pwd) to get a cert/key pair for the user. The affiliation associated with the user is used to set the OU of the cert that is issued to the user. The affiliation is also added as an attribute to the user's cert. Both the OU and the attribute can be accessed in the chaincode to make access control decisions.

aambati (Mon, 23 Jul 2018 14:53:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FDozcehmMpiBmeTTm) @sean https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca is an example that demonstrates how to bootstrap a network using Fabric CA.

sean (Mon, 23 Jul 2018 17:47:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LHY5JTJewi9Mw2Gh3) @aambati Thanks @aambati, and although that example is more comprehensive, it still just dumps all the crypto material together and shares it between all containers (see below), as the README explains. This is obviously not how to handle this process for production, and although I can probably guess as to how it should be structured in each container and how to set it up from the perspective of each organization admin working separately, it still would be nice to have a "best-practices" walkthrough for handling the certs and keys for those of us who are developers hoping to work with the platform, but with limited identity management experience. This is one of the key areas where an improper setup / handling of initial data could lead to serious security issues down the road.
```
$ docker exec -it orderer1-org0 bash
root@2e13775fd8cb:/# ls -l
total 64
drwxr-xr-x   1 root root 4096 Jul  3 19:09 bin
drwxr-xr-x   2 root root 4096 Apr 12  2016 boot
drwxr-xr-x  15 root root  480 Jul 23 17:35 data
drwxr-xr-x   5 root root  340 Jul 23 17:33 dev
drwxr-xr-x   1 root root 4096 Jul 23 17:33 etc
drwxr-xr-x   2 root root 4096 Apr 12  2016 home
drwxr-xr-x   1 root root 4096 Sep 13  2015 lib
drwxr-xr-x   2 root root 4096 May 25 17:45 lib64
drwxr-xr-x   2 root root 4096 May 25 17:45 media
drwxr-xr-x   2 root root 4096 May 25 17:45 mnt
drwxr-xr-x   2 root root 4096 May 25 17:45 opt
dr-xr-xr-x 232 root root    0 Jul 23 17:33 proc
drwx------   2 root root 4096 May 25 17:45 root
drwxr-xr-x   1 root root 4096 May 25 17:45 run
drwxr-xr-x   1 root root 4096 Jun  5 21:21 sbin
drwxr-xr-x   9 root root  288 Jul  5 17:47 scripts
drwxr-xr-x   2 root root 4096 May 25 17:45 srv
dr-xr-xr-x  13 root root    0 Jul 20 11:34 sys
drwxrwxrwt   1 root root 4096 Jul 23 17:33 tmp
drwxr-xr-x   1 root root 4096 May 25 17:45 usr
drwxr-xr-x   1 root root 4096 Jul  3 12:37 var
root@2e13775fd8cb:/# cd data
root@2e13775fd8cb:/data# ls -l
total 48
-rw-r--r--  1 root root   296 Jul 23 17:32 channel.tx
-rw-r--r--  1 root root  3780 Jul 23 17:32 configtx.yaml
-rw-r--r--  1 root root 14279 Jul 23 17:32 genesis.block
drwxr-xr-x 24 root root   768 Jul 23 17:35 logs
-rw-r--r--  1 root root   765 Jul 23 17:32 org0-ca-cert.pem
-rw-r--r--  1 root root  1579 Jul 23 17:32 org0-ca-chain.pem
-rw-r--r--  1 root root   765 Jul 23 17:32 org1-ca-cert.pem
-rw-r--r--  1 root root  1583 Jul 23 17:32 org1-ca-chain.pem
-rw-r--r--  1 root root   761 Jul 23 17:32 org2-ca-cert.pem
-rw-r--r--  1 root root  1579 Jul 23 17:32 org2-ca-chain.pem
drwx------  5 root root   160 Jul 23 17:32 orgs
drwxr-xr-x 18 root root   576 Jul 23 17:32 tls
root@2e13775fd8cb:/data# cd tls
root@2e13775fd8cb:/data/tls# ls -l
total 64
-rw-r--r-- 1 root root 1034 Jul 23 17:32 peer1-org1-cli-client.crt
-rwx------ 1 root root  241 Jul 23 17:32 peer1-org1-cli-client.key
-rw-r--r-- 1 root root 1034 Jul 23 17:32 peer1-org1-client.crt
-rwx------ 1 root root  241 Jul 23 17:32 peer1-org1-client.key
-rw-r--r-- 1 root root 1034 Jul 23 17:32 peer1-org2-cli-client.crt
-rwx------ 1 root root  241 Jul 23 17:32 peer1-org2-cli-client.key
-rw-r--r-- 1 root root 1034 Jul 23 17:32 peer1-org2-client.crt
-rwx------ 1 root root  241 Jul 23 17:32 peer1-org2-client.key
-rw-r--r-- 1 root root 1034 Jul 23 17:32 peer2-org1-cli-client.crt
-rwx------ 1 root root  241 Jul 23 17:32 peer2-org1-cli-client.key
-rw-r--r-- 1 root root 1034 Jul 23 17:32 peer2-org1-client.crt
-rwx------ 1 root root  241 Jul 23 17:32 peer2-org1-client.key
-rw-r--r-- 1 root root 1034 Jul 23 17:32 peer2-org2-cli-client.crt
-rwx------ 1 root root  241 Jul 23 17:32 peer2-org2-cli-client.key
-rw-r--r-- 1 root root 1034 Jul 23 17:32 peer2-org2-client.crt
-rwx------ 1 root root  241 Jul 23 17:32 peer2-org2-client.key
root@2e13775fd8cb:/data/tls#
```

sean (Mon, 23 Jul 2018 17:47:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LHY5JTJewi9Mw2Gh3) @aambati Thanks @aambati, and although that example is more comprehensive, it still just dumps all the crypto material together and shares it between all containers (see below) (as the README explains). This is obviously not how to handle this process for production, and although I can probably guess as to how it should be structured in each container and how to set it up from the perspective of each organization admin working separately, it still would be nice to have a "best-practices" walkthrough for handling the certs and keys for those of us who are developers hoping to work with the platform, but with limited identity management experience. This is one of the key areas where an improper setup / handling of initial data could lead to serious security issues down the road. \begin{lstlisting}[language=bash] $ docker exec -it orderer1-org0 bash root@2e13775fd8cb:/# ls -l total 64 drwxr-xr-x 1 root root 4096 Jul 3 19:09 bin drwxr-xr-x 2 root root 4096 Apr 12 2016 boot drwxr-xr-x 15 root root 480 Jul 23 17:35 data drwxr-xr-x 5 root root 340 Jul 23 17:33 dev drwxr-xr-x 1 root root 4096 Jul 23 17:33 etc drwxr-xr-x 2 root root 4096 Apr 12 2016 home drwxr-xr-x 1 root root 4096 Sep 13 2015 lib drwxr-xr-x 2 root root 4096 May 25 17:45 lib64 drwxr-xr-x 2 root root 4096 May 25 17:45 media drwxr-xr-x 2 root root 4096 May 25 17:45 mnt drwxr-xr-x 2 root root 4096 May 25 17:45 opt dr-xr-xr-x 232 root root 0 Jul 23 17:33 proc drwx------ 2 root root 4096 May 25 17:45 root drwxr-xr-x 1 root root 4096 May 25 17:45 run drwxr-xr-x 1 root root 4096 Jun 5 21:21 sbin drwxr-xr-x 9 root root 288 Jul 5 17:47 scripts drwxr-xr-x 2 root root 4096 May 25 17:45 srv dr-xr-xr-x 13 root root 0 Jul 20 11:34 sys drwxrwxrwt 1 root root 4096 Jul 23 17:33 tmp drwxr-xr-x 1 root root 4096 May 25 17:45 usr drwxr-xr-x 1 root root 4096 Jul 3 12:37 var root@2e13775fd8cb:/# cd data root@2e13775fd8cb:/data# ls -l total 48 -rw-r--r-- 1 
root root 296 Jul 23 17:32 channel.tx -rw-r--r-- 1 root root 3780 Jul 23 17:32 configtx.yaml -rw-r--r-- 1 root root 14279 Jul 23 17:32 genesis.block drwxr-xr-x 24 root root 768 Jul 23 17:35 logs -rw-r--r-- 1 root root 765 Jul 23 17:32 org0-ca-cert.pem -rw-r--r-- 1 root root 1579 Jul 23 17:32 org0-ca-chain.pem -rw-r--r-- 1 root root 765 Jul 23 17:32 org1-ca-cert.pem -rw-r--r-- 1 root root 1583 Jul 23 17:32 org1-ca-chain.pem -rw-r--r-- 1 root root 761 Jul 23 17:32 org2-ca-cert.pem -rw-r--r-- 1 root root 1579 Jul 23 17:32 org2-ca-chain.pem drwx------ 5 root root 160 Jul 23 17:32 orgs drwxr-xr-x 18 root root 576 Jul 23 17:32 tls root@2e13775fd8cb:/data# cd tls root@2e13775fd8cb:/data/tls# ls -l total 64 -rw-r--r-- 1 root root 1034 Jul 23 17:32 peer1-org1-cli-client.crt -rwx------ 1 root root 241 Jul 23 17:32 peer1-org1-cli-client.key -rw-r--r-- 1 root root 1034 Jul 23 17:32 peer1-org1-client.crt -rwx------ 1 root root 241 Jul 23 17:32 peer1-org1-client.key -rw-r--r-- 1 root root 1034 Jul 23 17:32 peer1-org2-cli-client.crt -rwx------ 1 root root 241 Jul 23 17:32 peer1-org2-cli-client.key -rw-r--r-- 1 root root 1034 Jul 23 17:32 peer1-org2-client.crt -rwx------ 1 root root 241 Jul 23 17:32 peer1-org2-client.key -rw-r--r-- 1 root root 1034 Jul 23 17:32 peer2-org1-cli-client.crt -rwx------ 1 root root 241 Jul 23 17:32 peer2-org1-cli-client.key -rw-r--r-- 1 root root 1034 Jul 23 17:32 peer2-org1-client.crt -rwx------ 1 root root 241 Jul 23 17:32 peer2-org1-client.key -rw-r--r-- 1 root root 1034 Jul 23 17:32 peer2-org2-cli-client.crt -rwx------ 1 root root 241 Jul 23 17:32 peer2-org2-cli-client.key -rw-r--r-- 1 root root 1034 Jul 23 17:32 peer2-org2-client.crt -rwx------ 1 root root 241 Jul 23 17:32 peer2-org2-client.key root@2e13775fd8cb:/data/tls# \end{lstlisting}

StefanKosc (Tue, 24 Jul 2018 11:54:31 GMT):
Has joined the channel.

aambati (Tue, 24 Jul 2018 13:49:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CW3sHpJh43MADgeD3) @sean I agree, fabric-ca could be enhanced in that regard and additional documentation would also help. Maybe open a JIRA item.

fabiomolinar (Tue, 24 Jul 2018 15:04:03 GMT):
Has joined the channel.

sean (Tue, 24 Jul 2018 16:32:46 GMT):
@aambati Please let me know if I need to help with that. From what I can tell, I can't add/edit on JIRA

sean (Tue, 24 Jul 2018 16:39:44 GMT):
Are we able to use a manually-created server config file? I'd rather edit the config file directly than add a huge list of environment variables to docker-compose. I tried adding a custom `fabric-ca-server-config.yaml` to the home directory before bringing up the server, but I'm getting this error:

```
2018/07/24 [INFO] Configuration file location: /etc/hyperledger/fabric-ca/fabric-ca-server-config.yaml
Error: Failed to read config file '/etc/hyperledger/fabric-ca/fabric-ca-server-config.yaml': open /etc/hyperledger/fabric-ca/fabric-ca-server-config.yaml: not a directory
```

I tried changing the filename and adding the --cafiles flag, but that just seems to create two signing CAs, which is expected given this explanation in the config file:

```
#############################################################################
#  Multi CA section
#
#  Each Fabric CA server contains one CA by default.  This section is used
#  to configure multiple CAs in a single server.
#
#  ...
#
#  2) --cafiles
#  For each CA config file in the list, generate a separate signing CA.  Each CA
#  config file in this list MAY contain all of the same elements as are found in
#  the server config file except port, debug, and tls sections.
#
#  Examples:
#  fabric-ca-server start -b admin:adminpw --cacount 2
#
#  fabric-ca-server start -b admin:adminpw --cafiles ca/ca1/fabric-ca-server-config.yaml
#  --cafiles ca/ca2/fabric-ca-server-config.yaml
#
#############################################################################
```

sean (Tue, 24 Jul 2018 16:39:44 GMT):
*EDIT:* I was able to allow the default config file to be initiated with `init`, replace it, and then `start` with my custom file. That works.

```
# Initialize the Root CA Server
fabric-ca-server init -b $BOOTSTRAP_USER_PASS

# Move the configuration file to the home dir
# "setup" dir is a mapped dir with custom files
cp /setup/fabric-ca-server-config.yaml $FABRIC_CA_SERVER_HOME

# Start the Root CA Server
fabric-ca-server start
```

*BTW*, not all environment variables seem to work. For example, "affiliations" doesn't seem to work: `- FABRIC_CA_SERVER_AFFILIATIONS=OrdererOrg:[]\n org1:[]\n org2:[]` (unsuccessful)

rbole (Wed, 25 Jul 2018 05:07:42 GMT):
Has joined the channel.

sean (Wed, 25 Jul 2018 05:49:38 GMT):
I've been attempting to deconstruct the "fabric-ca" example script files and end result files into steps that each organization admin would use in a production environment to set up their part of the network separately, and I'm having issues with which files are used where. Just to start, let's look at the CA and CLI (tools) container connections and admin enrollments. The Fabric CA Users Guide steps work fine to set this up in the native environment, and I was able to get the CLI - CA connection & admin enrollment to work with basic TLS (actually surprised this worked) with these settings:

`fabric-ca-server-config.yaml`:
```
tls:
  # Enable TLS (default: false)
  enabled: true
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:
```
`fabric-ca-client-config.yaml`:
```
tls:
  # TLS section for secure socket connection
  certfiles:
  client:
    certfile:
    keyfile:
```
When setting up the docker containers, the `hyperledger/fabric-ca` image automatically started the server and created these files:
```
.
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── ca-cert.pem
├── msp
│   └── keystore
│       ├── 6c1b53d5c5e72f82c5ee6ea44fc2181afc57b2f9be00c5307e8db79dab85893d_sk
│       ├── IssuerRevocationPrivateKey
│       └── IssuerSecretKey
└── tls-cert.pem
```
This is inadequate for production, and both major CA examples are inconsistent in how to fill in these TLS setting / file details:

https://github.com/hyperledger/fabric-samples/first-network/docker-compose-e2e-template.yaml:
```
ca0:
  image: hyperledger/fabric-ca:$IMAGE_TAG
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_CA_NAME=ca-org1
    - FABRIC_CA_SERVER_TLS_ENABLED=true
    - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
    - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/CA1_PRIVATE_KEY
  ports:
    - "7054:7054"
  command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/CA1_PRIVATE_KEY -b admin:adminpw -d'
```
https://github.com/hyperledger/fabric-samples/fabric-ca/makeDocker.sh:
```
rca-org0:
  container_name: rca-org0
  image: hyperledger/fabric-ca
  command: /bin/bash -c '/scripts/start-root-ca.sh 2>&1 | tee /data/logs/rca-org0.log'
  environment:
    - FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca
    - FABRIC_CA_SERVER_TLS_ENABLED=true
    - FABRIC_CA_SERVER_CSR_CN=rca-org0
    - FABRIC_CA_SERVER_CSR_HOSTS=rca-org0
    - FABRIC_CA_SERVER_DEBUG=true
    - BOOTSTRAP_USER_PASS=rca-org0-admin:rca-org0-adminpw
    - TARGET_CERTFILE=/data/org0-ca-cert.pem
    - FABRIC_ORGS=org0 org1 org2
```
It would be possible for me to continue working through the Fabric-CA example and figure out which `.pem` (and suffix-less keystore?) files to use in the config settings, but I'm hoping someone can help me save hours more of this search by explaining these various files and sources more clearly (and best practices). Thanks.

chuojiang (Wed, 25 Jul 2018 07:25:34 GMT):
Has joined the channel.

josiebhai (Wed, 25 Jul 2018 08:25:27 GMT):
Has joined the channel.

kulbirgr8 (Wed, 25 Jul 2018 10:31:00 GMT):
Has joined the channel.

pragadeeshdharsha (Wed, 25 Jul 2018 10:45:04 GMT):
Has joined the channel.

SadhviNayak (Wed, 25 Jul 2018 11:39:30 GMT):
Has joined the channel.

StefanKosc (Wed, 25 Jul 2018 14:06:53 GMT):
Hi guys, I am investigating how identities work in the fabric-ca sample and I have some doubts. In setup-fabric.sh, function `registerPeerIdentities` (line 75) registers users for all peer orgs, and when switching to a user identity using function `switchToUserIdentity` from env.sh (line 263) I see `FABRIC_CA_CLIENT_HOME=/etc/hyperledger/fabric/orgs/$ORG/user`. My question is: how did the user data get there? What distinguished them from the admin during registration so that they end up exactly in that directory? Thanks in advance.

jvsclp (Wed, 25 Jul 2018 17:40:56 GMT):
Has joined the channel.

chandrakanthMamillapalli (Thu, 26 Jul 2018 01:37:15 GMT):
Yes, thank you

chandrakanthMamillapalli (Thu, 26 Jul 2018 01:37:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uDKSd27WExj9GYGnF) @skarim yes, thank you

atomixxx (Thu, 26 Jul 2018 02:47:19 GMT):
Has joined the channel.

atomixxx (Thu, 26 Jul 2018 02:48:06 GMT):
Any manual or guide that you know of to create role-based certificates with Fabric-ca?

StefanKosc (Thu, 26 Jul 2018 06:48:41 GMT):
Hi, why do I have to switch `FABRIC_CA_CLIENT_HOME` every time before enrolling a new identity?

Muffi (Thu, 26 Jul 2018 06:53:09 GMT):
Has joined the channel.

OviiyaDominic (Thu, 26 Jul 2018 06:55:47 GMT):
Has joined the channel.

vladyslavmunin (Thu, 26 Jul 2018 08:08:54 GMT):
Has joined the channel.

naviat (Thu, 26 Jul 2018 08:57:55 GMT):
Has joined the channel.

ShobhitSrivastava (Thu, 26 Jul 2018 12:01:31 GMT):
@sean hey, have you made any progress with Fabric-ca? I am not able to get user certs. I issued the command below: `fabric-ca-client enroll -u http://admin:adminpw@localhost:7054`

ShobhitSrivastava (Thu, 26 Jul 2018 12:01:40 GMT):
It worked

ShobhitSrivastava (Thu, 26 Jul 2018 12:02:07 GMT):
After this, when I tried this => `fabric-ca-client register --id.name user --id.affiliation tfm.test --id.attrs 'hf.Revoker=true,admin=true:ecert'`

ShobhitSrivastava (Thu, 26 Jul 2018 12:02:31 GMT):
I got this error => `Error: Response from server: Error Code: 0 - Registration of 'user' failed in affiliation validation: Failed getting affiliation 'tfm.test': : scode: 404, code: 63, msg: Failed to get Affiliation: sql: no rows in result set`

ShobhitSrivastava (Thu, 26 Jul 2018 12:02:59 GMT):
Do you have any idea? Adding @aambati also

ShobhitSrivastava (Thu, 26 Jul 2018 12:03:02 GMT):
Thanks

ascatox (Thu, 26 Jul 2018 12:31:31 GMT):
Hi all! I've got a problem! My chaincodes work only with the **Admin** user.

ascatox (Thu, 26 Jul 2018 12:31:57 GMT):
Every other user doesn't have the correct rights to use the chaincode.

ascatox (Thu, 26 Jul 2018 12:32:56 GMT):
I've created Admin with the cryptogen tool and I'm trying to add new users with the fabric-ca server using the docker version.

ascatox (Thu, 26 Jul 2018 12:33:07 GMT):
Has someone experienced the same problems?

alejandrolr (Thu, 26 Jul 2018 12:54:15 GMT):
Hi all! I cannot find the Node SDK fabric-ca-client documentation; has it disappeared?

ShobhitSrivastava (Thu, 26 Jul 2018 12:54:47 GMT):
@ascatox Exactly, I have also asked the same query.

ShobhitSrivastava (Thu, 26 Jul 2018 12:55:31 GMT):
Are you able to get certs from the CA for your organisation?

ascatox (Thu, 26 Jul 2018 13:11:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6Y7pbBS8xwPRyQKn8) @ShobhitSrivastava What do you mean by getting the certs?

ascatox (Thu, 26 Jul 2018 13:11:21 GMT):
I've correctly registered and enrolled my users

ascatox (Thu, 26 Jul 2018 13:11:38 GMT):
and I own their certificates

ShobhitSrivastava (Thu, 26 Jul 2018 13:22:26 GMT):
By saying that I mean whether you are getting the certificate files issued by the CA.

ddurnev (Thu, 26 Jul 2018 15:28:31 GMT):
Has joined the channel.

sean (Thu, 26 Jul 2018 19:28:06 GMT):
@ShobhitSrivastava I've made some progress, but still deconstructing the fabric-ca example scripts and writing a step-by-step walkthrough to do this all manually (and separately for each org). That's the best way for me to really understand what's going on. It'll probably be a few more days, but I'll send a github link to the walkthrough when it's ready.

Thavarajajohn (Fri, 27 Jul 2018 06:05:57 GMT):
Has joined the channel.

ShobhitSrivastava (Fri, 27 Jul 2018 07:19:17 GMT):
@sean Thanks for the update

ShobhitSrivastava (Fri, 27 Jul 2018 07:36:49 GMT):
@aambati I am getting the error `Error: Response from server: Error Code: 0 - User does not have attribute 'hf.AffiliationMgr'` when running the command `fabric-ca-client affiliation list`. Can you tell me how to add an affiliation, or any other way around this to fix it?

alejandrolr (Fri, 27 Jul 2018 08:21:04 GMT):
Hi! I've deployed a fabric-ca-server with an LDAP server to check whether users exist prior to enrollment. I don't know how to do the enrollment of the users; any help?

jakereps (Fri, 27 Jul 2018 15:17:56 GMT):
Has joined the channel.

atomixxx (Fri, 27 Jul 2018 17:35:43 GMT):
Hi, one doubt: does the MSP get created during enrollment or during registration?

jvsclp (Fri, 27 Jul 2018 17:40:31 GMT):
@atomixxx My understanding is you can't register without having a bootstrap identity enrolled. When enrolling the bootstrap identity if an MSP does not already exist it will be created on root of the FABRIC_CA_CLIENT_HOME path.

atomixxx (Fri, 27 Jul 2018 18:43:08 GMT):
Thx

sean (Fri, 27 Jul 2018 21:11:58 GMT):
Has anyone else been getting this error when running `peer channel create`?: `ERRO 001 Fatal error when initializing core config : error when reading core config file: Unsupported Config Type ""` I'm using configtxgen version 1.2.0, and below is my configtx file. This was working for me; I'm not sure what happened:
```
configtxgen -outputBlock /data/genesis.block -profile OrgOrdererGenesis \
  -channelID dsolosystem
configtxgen -outputCreateChannelTx /data/channel.tx -profile OrgChannel \
  -channelID dsolo
configtxgen -outputAnchorPeersUpdate /data/anchors.tx -profile OrgChannel \
  -channelID dsolo -asOrg org1
```
```
---
Organizations:
  - &org1
    Name: org1
    ID: org1MSP
    MSPDir: /data/orgs/org1/msp
    Policies: &Org1Policies
      Readers:
        Type: Signature
        Rule: "OR('org1.peer')"
      Writers:
        Type: Signature
        Rule: "OR('org1.peer')"
      Admins:
        Type: Signature
        Rule: "OR('org1.admin')"
    AnchorPeers:
      - Host: 127.0.0.1
        Port: 7051

Capabilities:
  Global: &ChannelCapabilities
    V1_1: true
  Orderer: &OrdererCapabilities
    V1_1: true
  Application: &ApplicationCapabilities
    V1_2: true

Application: &ApplicationDefaults
  ACLs: &ACLsDefault
    lscc/ChaincodeExists: /Channel/Application/Readers
    lscc/GetDeploymentSpec: /Channel/Application/Readers
    lscc/GetChaincodeData: /Channel/Application/Readers
    lscc/GetInstantiatedChaincodes: /Channel/Application/Readers
    qscc/GetChainInfo: /Channel/Application/Readers
    qscc/GetBlockByNumber: /Channel/Application/Readers
    qscc/GetBlockByHash: /Channel/Application/Readers
    qscc/GetTransactionByID: /Channel/Application/Readers
    qscc/GetBlockByTxID: /Channel/Application/Readers
    cscc/GetConfigBlock: /Channel/Application/Readers
    cscc/GetConfigTree: /Channel/Application/Readers
    cscc/SimulateConfigTreeUpdate: /Channel/Application/Readers
    peer/Propose: /Channel/Application/Writers
    peer/ChaincodeToChaincode: /Channel/Application/Readers
    event/Block: /Channel/Application/Readers
    event/FilteredBlock: /Channel/Application/Readers
  Organizations:
  Policies: &ApplicationDefaultPolicies
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
  Capabilities:
    <<: *ApplicationCapabilities

Orderer: &OrdererDefaults
  OrdererType: solo
  Addresses:
    - 127.0.0.1:7050
  BatchTimeout: 2s
  BatchSize:
    MaxMessageCount: 10
    AbsoluteMaxBytes: 10 MB
    PreferredMaxBytes: 512 KB
  MaxChannels: 0
  Kafka:
    Brokers:
      - 127.0.0.1:9092
  Organizations:
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
    BlockValidation:
      Type: ImplicitMeta
      Rule: "ANY Writers"
  Capabilities:
    <<: *OrdererCapabilities

Channel: &ChannelDefaults
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
  Capabilities:
    <<: *ChannelCapabilities

Profiles:
  OrgOrdererGenesis:
    <<: *ChannelDefaults
    Orderer:
      <<: *OrdererDefaults
      Organizations:
        - *org1
    Consortiums:
      DSoloConsortium:
        Organizations:
          - *org1
  OrgChannel:
    Consortium: DSoloConsortium
    Application:
      <<: *ApplicationDefaults
      Organizations:
        - *org1
```

alaric (Sat, 28 Jul 2018 01:47:45 GMT):
Has joined the channel.

zZz (Sat, 28 Jul 2018 09:15:33 GMT):
Has joined the channel.

kkado (Sun, 29 Jul 2018 14:48:00 GMT):
Hi, I'd like to try Fabric 1.1.1, but it looks like I can't find the Docker image hyperledger/fabric-ca:1.1.1. Should I use hyperledger/fabric-ca:1.2.0? https://hub.docker.com/r/hyperledger/fabric-ca/tags/

sean (Sun, 29 Jul 2018 22:32:00 GMT):
*EDIT:* I overlooked this note in `env.sh`:
```
# Affiliation is not used to limit users in this sample, so just put
# all identities in the same affiliation.
export FABRIC_CA_CLIENT_ID_AFFILIATION=org1
```
-------------------------------------------------------------------------------------

The "fabric-ca" example appears to be giving an "org1" affiliation to all registration request payloads. I would have thought this would cause issues, but the setup ran successfully (including chaincode tests). Any ideas on why that doesn't have a detrimental effect?
```
-- POST https://ica-org0:7054/register
{"id":"orderer1-org0","type":"orderer","secret":"orderer1-org0pw","affiliation":"org1"}
-- POST https://ica-org0:7054/register
{"id":"admin-org0","type":"client","secret":"admin-org0pw","affiliation":"org1","attrs":[{"name":"admin","value":"true","ecert":true}]}
-- POST https://ica-org1:7054/register
{"id":"peer1-org1","type":"peer","secret":"peer1-org1pw","affiliation":"org1"}
-- POST https://ica-org1:7054/register
{"id":"peer2-org1","type":"peer","secret":"peer2-org1pw","affiliation":"org1"}
-- POST https://ica-org1:7054/register
{"id":"admin-org1","type":"client","secret":"admin-org1pw","affiliation":"org1","attrs":[{"name":"hf.Registrar.Attributes","value":"*"},{"name":"hf.Revoker","value":"true"},{"name":"hf.GenCRL","value":"true"},{"name":"admin","value":"true","ecert":true},{"name":"abac.init","value":"true","ecert":true},{"name":"hf.Registrar.Roles","value":"client"}]}
-- POST https://ica-org1:7054/register
{"id":"user-org1","type":"client","secret":"user-org1pw","affiliation":"org1"}
-- POST https://ica-org2:7054/register
{"id":"peer1-org2","type":"peer","secret":"peer1-org2pw","affiliation":"org1"}
-- POST https://ica-org2:7054/register
{"id":"peer2-org2","type":"peer","secret":"peer2-org2pw","affiliation":"org1"}
-- POST https://ica-org2:7054/register
{"id":"admin-org2","type":"client","secret":"admin-org2pw","affiliation":"org1","attrs":[{"name":"hf.Registrar.Roles","value":"client"},{"name":"hf.Registrar.Attributes","value":"*"},{"name":"hf.Revoker","value":"true"},{"name":"hf.GenCRL","value":"true"},{"name":"admin","value":"true","ecert":true},{"name":"abac.init","value":"true","ecert":true}]}
-- POST https://ica-org2:7054/register
{"id":"user-org2","type":"client","secret":"user-org2pw","affiliation":"org1"}
```

OviiyaDominic (Mon, 30 Jul 2018 05:08:54 GMT):
```
#############################################################################
#  Intermediate CA section
#
#  The relationship between servers and CAs is as follows:
#     1) A single server process may contain or function as one or more CAs.
#        This is configured by the "Multi CA section" above.
#     2) Each CA is either a root CA or an intermediate CA.
#     3) Each intermediate CA has a parent CA which is either a root CA or another intermediate CA.
#
#  This section pertains to configuration of #2 and #3.
#  If the "intermediate.parentserver.url" property is set,
#  then this is an intermediate CA with the specified parent
#  CA.
#
#  parentserver section
#    url - The URL of the parent server
#    caname - Name of the CA to enroll within the server
#
#  enrollment section used to enroll intermediate CA with parent CA
#    profile - Name of the signing profile to use in issuing the certificate
#    label - Label to use in HSM operations
#
#  tls section for secure socket connection
#    certfiles - PEM-encoded list of trusted root certificate files
#    client:
#      certfile - PEM-encoded certificate file for when client authentication
#      is enabled on server
#      keyfile - PEM-encoded key file for when client authentication
#      is enabled on server
#############################################################################
intermediate:
  parentserver:
    url:
    caname:

  enrollment:
    hosts:
    profile:
    label:

  tls:
    certfiles:
    client:
      certfile:
      keyfile:
```
What are all the files that have to be provided under the Intermediate CA section?

ascatox (Mon, 30 Jul 2018 14:27:11 GMT):
Hi All! I'm trying to create new users for my chain!

Russ.corsha (Mon, 30 Jul 2018 15:26:54 GMT):
@ascatox check out enrollment, and registration!

OviiyaDominic (Tue, 31 Jul 2018 06:42:14 GMT):
How to configure one organization with multiple MSPs? e.g., ORG2-MSP-NATIONAL and ORG2-MSP-GOVERNMENT

ascatox (Tue, 31 Jul 2018 07:44:12 GMT):
Hi All!

ascatox (Tue, 31 Jul 2018 07:46:03 GMT):
I created new users for my chain. I can enroll correctly, but when I try to invoke the chaincode with my Java client I always encounter this error: `UNKNOWN: access denied: channel [] creator org [Org1MSP]`

ascatox (Tue, 31 Jul 2018 07:46:37 GMT):
Do I have to change something to make it possible for the peers to see my new users?

ascatox (Tue, 31 Jul 2018 07:51:42 GMT):
I have to move the certificates created by the CA somewhere.

sandman (Tue, 31 Jul 2018 09:46:52 GMT):
Hello, I understand that one should not use cryptogen in production, but why? According to me, cryptogen has the following shortcomings:
1. While dynamically adding peers, one cannot issue certs at a later stage.
2. CRLs can't be generated.

jastisriradheshyam (Tue, 31 Jul 2018 10:11:06 GMT):
Has joined the channel.

Sreesha (Tue, 31 Jul 2018 10:21:45 GMT):
@sandman

Sreesha (Tue, 31 Jul 2018 10:22:36 GMT):
while using cryptogen you are generating all certs in one location and then you copy them to the respective containers.

Sreesha (Tue, 31 Jul 2018 10:23:12 GMT):
But while using fabric-ca you generate certs within the container

pmuller (Tue, 31 Jul 2018 10:23:24 GMT):
Has joined the channel.

pmuller (Tue, 31 Jul 2018 10:23:44 GMT):
Hi all, I'm having trouble connecting my fabric-ca container to my LDAP (it is an OpenLDAP solution, running on a different container). I have configured my fabric-ca container to communicate with the LDAP. According to docker logs, the CA successfully initialized the LDAP client and seems fine. The LDAP contains nothing but a dc=example and cn=admin,dc=example. When I execute `fabric-ca-client enroll -u http://LDAPADMIN:LDAPADMINPASSWD@localhost:7054`, I get the error: `Error: Response from server : Error Code : 20 - Authorization failure`. Can anyone help, or guide me to the correct resources? Thanks!

sandman (Tue, 31 Jul 2018 10:24:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zRFWEQ4BzCLswK3Yu) @Sreesha valid point but that is not such a major difference, right?

pmuller (Tue, 31 Jul 2018 12:02:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qDqYoCc6Td3gStcpx) up

ashutosh_kumar (Tue, 31 Jul 2018 12:58:00 GMT):
@pmuller , try connecting to your LDAP instance using some tools like LDAP Browser etc and see what you get.

pmuller (Tue, 31 Jul 2018 13:01:11 GMT):
@ashutosh_kumar, the LDAP is connected successfully to an LDAP browser and we can browse it in the CLI and via the browser tool, using the same credentials as given to fabric-ca

ashutosh_kumar (Tue, 31 Jul 2018 13:01:51 GMT):
Hmm , interesting.

omarqr (Tue, 31 Jul 2018 13:03:17 GMT):
Has joined the channel.

pmuller (Tue, 31 Jul 2018 13:05:39 GMT):
could this be the fabric-ca-server-config.yaml settings that could be ill-created ?

ashutosh_kumar (Tue, 31 Jul 2018 13:53:39 GMT):
Error code 20 is Authentication failure.

ashutosh_kumar (Tue, 31 Jul 2018 13:54:07 GMT):
Can you please confirm ?

pmuller (Tue, 31 Jul 2018 13:58:33 GMT):
confirmed

ashutosh_kumar (Tue, 31 Jul 2018 14:01:56 GMT):
is it authentication or authorization failure ?

pmuller (Tue, 31 Jul 2018 14:06:19 GMT):
Authorization failure, my bad

ashutosh_kumar (Tue, 31 Jul 2018 14:08:22 GMT):
ok.

StefanKosc (Tue, 31 Jul 2018 14:41:41 GMT):
hi, does anyone know how to fix `"Evaluating *cauthdsl.policy Policy /Channel/Application/org1/Admins == 2018-07-31 14:36:35.648 UTC [cauthdsl] deduplicate -> ERRO 12a Principal deserialization failure (MSP SampleOrg is unknown) for identity` ??

ascatox (Tue, 31 Jul 2018 15:08:58 GMT):
UNKNOWN: access denied: channel [] creator org

akshay.lawange (Tue, 31 Jul 2018 16:13:28 GMT):
Hi, while enrolling a new user to the network it does not accept any username other than 'admin'. It gives me this error:
```
[2018-07-31T19:47:57.794] [DEBUG] Helper - getClientForOrg - ****** START org1 undefined
Login Successful
[2018-07-31T19:47:57.818] [DEBUG] Helper - getClientForOrg - ****** END org1 undefined
[2018-07-31T19:47:57.818] [DEBUG] Helper - Successfully initialized the credential stores
[2018-07-31T19:47:57.818] [INFO] Helper - User akshay was not enrolled, so we will need an admin user object to register
[2018-07-31T19:47:58.733] [ERROR] Helper - Failed to get registered user: akshay with error: Error: fabric-ca request register failed with errors [[{"code":63,"message":"Failed to get Affiliation: sql: no rows in result set"}]]
Enrolled and Registered successfully:"failed Error: fabric-ca request register failed with errors [[{\"code\":63,\"message\":\"Failed to get Affiliation: sql: no rows in result set\"}]]"
```
Ignore "Login Successful", it's just a log. Can anyone help me with this?

jvsclp (Tue, 31 Jul 2018 20:30:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mw7Jx7jQQ54jMZFE7) @akshay.lawange Looking at the debug log, have you set up which organization User akshay is associated with? Your admin, I'm assuming, is your registrar, but if the affiliations for your user don't fall under the ones associated with your registrar (in this case admin) you cannot register the user identity. Check the registration section in your fabric-ca-client.yaml and see if it differs from your admin or use the command --id.affiliation when registering User akshay.

jvsclp (Tue, 31 Jul 2018 20:39:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=n49SabYA2BektaXyf) @OviiyaDominic It depends on your needs, but the bare minimum is to specify the url and the caname. The url will be in the form http(s)://<user>:<password>@(ip/localhost):(port#), where the parts in brackets and parentheses are what you need to fill in. The caname is the name of the certificate authority in the parent server used to enroll your intermediate CA.

bh4rtp (Wed, 01 Aug 2018 02:23:04 GMT):
hi, can i configure an org with 2 ca hosts, i.e. ca0 and ca1?

bh4rtp (Wed, 01 Aug 2018 02:29:33 GMT):
if yes, do they use the same private key in peerOrganizations/orgname/ca created by cryptogen?

OviiyaDominic (Wed, 01 Aug 2018 04:25:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wPxPQkeCcwPpcMxXv) @jvsclp Thankyou

hariomgoyal (Wed, 01 Aug 2018 05:42:32 GMT):
Has joined the channel.

OviiyaDominic (Wed, 01 Aug 2018 05:47:48 GMT):
where is the config.yaml file ?

Sreesha (Wed, 01 Aug 2018 11:07:38 GMT):
```
export ORDERER_HOST=orderer1-${ORG}
export CA_CHAINFILE=/data/${ORG}-ca-chain.pem
export ORDERER_PORT_ARGS="-o $ORDERER_HOST:7050 --tls --cafile $CA_CHAINFILE --clientauth"
export PEER_HOST=peer1-org1
export CORE_PEER_TLS_ROOTCERT_FILE=$CA_CHAINFILE
export CORE_PEER_TLS_CLIENTCERT_FILE=/data/tls/$PEER_NAME-cli-client.crt
export CORE_PEER_TLS_CLIENTKEY_FILE=/data/tls/$PEER_NAME-cli-client.key
export CORE_PEER_PROFILE_ENABLED=true
export CORE_PEER_GOSSIP_EXTERNALENDPOINT=$PEER_HOST:7051
export CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org1:7051
export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
export ORDERER_CONN_ARGS="$ORDERER_PORT_ARGS --keyfile $CORE_PEER_TLS_CLIENTKEY_FILE --certfile $CORE_PEER_TLS_CLIENTCERT_FILE"
export FABRIC_CA_CLIENT_HOME=/data/orgs/org1
export FABRIC_CA_CLIENT_TLS_CERTFILES=/data/org1-ca-chain.pem
export CORE_PEER_MSPCONFIGPATH=/data/orgs/org1/admin/msp
```

sheetal-hlf (Wed, 01 Aug 2018 12:15:02 GMT):
Has joined the channel.

jvsclp (Wed, 01 Aug 2018 14:37:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GjxQEL4fJrvnjuYSC) @bh4rtp If you're using the cryptogen tool I don't believe it is possible to issue two CA hosts. The crypto-config.yaml file does not have the properties to allow it. The fabric-ca server would meet your needs.

akshay.lawange (Wed, 01 Aug 2018 14:37:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KH38DJ3koCRMbLdZx) @jvsclp Yes, I did set up my own organisation. It worked. Thanks.

bh4rtp (Wed, 01 Aug 2018 14:41:44 GMT):
@akshay.lawange I also faced a problem with my own organization. The client cannot enroll the user. Would you please share your solution with us?

bh4rtp (Wed, 01 Aug 2018 14:43:36 GMT):
I have three orgs, i.e. px1, px2 and reg. configtx.yaml, crypto-config.yaml and network-config.yaml are thought to be ok. I still wonder how to set up the fabric-ca.

bh4rtp (Wed, 01 Aug 2018 14:45:09 GMT):
@jvsclp thanks. The document says the CA is outside the fabric network, so it may not be necessary to set up a CA cluster.

asaningmaxchain123 (Thu, 02 Aug 2018 00:16:34 GMT):
@yacovm in the fabric-ca 1.2 branch, it uses idemix to set up the CA. How can I set it to the BCCSP?

emiliastk (Thu, 02 Aug 2018 02:11:05 GMT):
Has joined the channel.

awesomebc (Thu, 02 Aug 2018 02:14:22 GMT):
Has joined the channel.

emiliastk (Thu, 02 Aug 2018 04:42:41 GMT):
Hi! I am trying to register and enroll my members with fabric-ca but am not understanding the flow fully. My setup is local with fabric and fabric-ca docker containers v1.1. I have started a docker fabric-ca container as described in the user guide with:
```
volumes:
  - "./fabric-ca-server:/etc/hyperledger/fabric-ca-server"
command: sh -c 'fabric-ca-server start -b admin:adminpw'
```
I went into the docker to enroll the fabric-ca-client and it went fine. I can register and enroll made-up peers and an orderer from inside the docker container, and my new generated certs are placed inside that same docker container. I guess I can move them out and copy them around, but I don't think that's the way I am supposed to do it. I looked at the fabric-ca example where the fabric-ca-client enroll commands are called from the peer and orderer containers. Is that how I am supposed to do it? How do my peer containers get access to the fabric-ca-client command? They do not have it atm. Can someone please give me an explanation of the next step? With or without intermediate CAs:
1. Start the docker container with the fabric-ca image and the `fabric-ca-server start` command.
2. Start the fabric-ca-client in that same docker container.
3. Register the first peer. From where, the same docker container again?
4. Then what?
Thanks

Ashish (Thu, 02 Aug 2018 05:47:32 GMT):
I have a Root CA of my own company. Can I use it instead of Fabric CA in a Hyperledger Fabric Network?

Ashish (Thu, 02 Aug 2018 05:48:42 GMT):
I am guessing that the answer is No. We need either the cryptogen generated keypairs and certificates OR fabric-ca generated keypairs and certificates in a Hyperledger Fabric network, right?

knagware9 (Thu, 02 Aug 2018 05:54:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qjaKRXXf3aWWhahm3) @Ashish We can use any CA; fabric-ca/cryptogen is not mandatory... I tried with OpenSSL too

Ashish (Thu, 02 Aug 2018 05:55:03 GMT):
Then how about the affiliations and all that?

Ashish (Thu, 02 Aug 2018 05:55:53 GMT):
Some things which we give as "hf.AffiliationMgr" & "hf.IntermediateCA" etc... these would not work, right?

knagware9 (Thu, 02 Aug 2018 05:56:14 GMT):
Not sure... I used it for the network setup only

Ashish (Thu, 02 Aug 2018 05:56:34 GMT):
okay. Thank you @knagware9

emiliastk (Thu, 02 Aug 2018 06:46:04 GMT):
curl

1234 (Thu, 02 Aug 2018 08:40:57 GMT):
Has joined the channel.

1234 (Thu, 02 Aug 2018 08:48:47 GMT):
Hi experts, I am Mathan and I am working in Fabric. Can you please tell me how to use OU in fabric-ca?

pmuller (Thu, 02 Aug 2018 09:36:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qDqYoCc6Td3gStcpx) up

akshay.lawange (Thu, 02 Aug 2018 09:37:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Juc4ppfjRQXes3jWr) @bh4rtp If you are setting up your own network, the env variables and paths for the fabric-ca setup will be declared in docker-compose-e2e.yaml

akshay.lawange (Thu, 02 Aug 2018 09:37:50 GMT):
you can refer to sample docker files in fabric-samples

akshay.lawange (Thu, 02 Aug 2018 09:40:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iBmXRADu66ncjKfPT) You can refer to the sample docker files in fabric-samples. And the solution for client enrollment is the same: change the fabric-ca config. For that you can declare a path in the docker-compose file and edit the affiliations in fabric-ca-server-config.yaml

bh4rtp (Thu, 02 Aug 2018 09:47:11 GMT):
@akshay.lawange thanks. i will try it.

akshay.lawange (Thu, 02 Aug 2018 09:54:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cxADpD9CPQYXasWFQ) @bh4rtp my pleasure.

bh4rtp (Thu, 02 Aug 2018 11:39:04 GMT):
How do I specify my own fabric-ca-server-config.yaml file by env in docker-compose.yaml?

bh4rtp (Thu, 02 Aug 2018 11:52:31 GMT):
I use `FABRIC_CA_SERVER_CA_FILES=/var/hyperledger/fabric-ca-server-config/fabric-ca-server-config.yaml` to configure my own organizations. Now the error messages read:
```
[2018-08-02 19:50:26.662] [ERROR] Helper - Failed to get registered user: Allen with error: Error: fabric-ca request register failed with errors [[{"code":20,"message":"Authentication failure"}]]
```

akshay.lawange (Thu, 02 Aug 2018 12:06:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tTGYJz3bpkRoGcPoi) @bh4rtp this is because you may have to enroll first with admin and then the other users

1234 (Thu, 02 Aug 2018 12:11:35 GMT):
Hi team, I got an error on enrolling the client using this command: `fabric-ca-client enroll -u http://rootadmin:rootadminpw@localhost:7054`

1234 (Thu, 02 Aug 2018 12:11:58 GMT):
```
Error: POST failure of request: POST http://localhost:7054/enroll {"hosts":["f0d136ede405"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBRjCB7QIBADBhMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxEjAQBgNV\nBAMTCXJvb3RhZG1pbjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABImqGLULxOZe\nqt02GyRz1lX+Cl1JOR8+hvjXkAg6M9igz85wCJrxgp0xRySlPIRi1hibce628kmR\nQtAZgetkruygKjAoBgkqhkiG9w0BCQ4xGzAZMBcGA1UdEQQQMA6CDGYwZDEzNmVk\nZTQwNTAKBggqhkjOPQQDAgNIADBFAiEAop5dSkCA+2XH9axs6MfqNGRAaIAIieYH\nRQDZrw/TXV4CIGFav9ExhnK6VyeIz3Px0h4BmLC/OE81Q52OCvbLID65\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post http://localhost:7054/enroll: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"
```

bh4rtp (Thu, 02 Aug 2018 12:12:51 GMT):
@akshay.lawange thanks. Almost succeeded. :grinning:

akshay.lawange (Thu, 02 Aug 2018 12:13:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yqywYDttJRt5THruR) @bh4rtp :thumbsup:

bh4rtp (Thu, 02 Aug 2018 12:19:52 GMT):
@akshay.lawange my configuration with affiliations:
```
affiliations:
  px:
    - market
    - dispatch
  reg:
    - audit
```
and enrolling a user gives an error like this:
```
[2018-08-02 20:16:43.912] [ERROR] Helper - Failed to get registered user: Allen with error: Error: fabric-ca request register failed with errors [[{"code":0,"message":"Registration of 'Allen' failed in affiliation validation: Failed getting affiliation 'px.department1': : scode: 404, code: 63, msg: Failed to get Affiliation: sql: no rows in result set"}]]
```
As above, the affiliation should be px.market, not px.department1. How can I specify the enroll arguments from the SDK client?

akshay.lawange (Thu, 02 Aug 2018 12:23:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=85oKNi5Y4aWdY6pEm) @bh4rtp there are some API javascripts in the balance transfer example. If you are using them, there is a file called helper.js where the register user method is defined, and there you can change it to 'market'

bh4rtp (Thu, 02 Aug 2018 12:24:50 GMT):
@akshay.lawange yes. I am using `balance-transfer` as the example. Let me read the helper.js...

bh4rtp (Thu, 02 Aug 2018 12:34:08 GMT):
@akshay.lawange oh yeah. got it! thank you very much. :thumbsup:

akshay.lawange (Thu, 02 Aug 2018 12:35:34 GMT):
:slight_smile: :thumbsup:

kryp70 (Thu, 02 Aug 2018 12:55:22 GMT):
Has joined the channel.

jvsclp (Thu, 02 Aug 2018 14:05:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=anxwud5GZbJ7nLX2s) @emiliastk If you have a docker container it is simulating a server or computer running the fabric-ca server with its own address on the network. When you act as the client it can be at the docker container or in another terminal. So, if you had two containers (with two terminals), one running a root certificate authority and another an intermediate certificate authority, docker treats them as two separate instances and assigns them different IP addresses. They should still have the 7054 port open, but at different IP addresses on the docker bridge network. You can check this by running: *docker network inspect bridge*. For a docker container on your computer it will resolve to localhost:port# when issuing a command to a container on the bridge network, so use different ports for a root and an intermediate certificate authority server.

When you register the first peer it will call the appropriate docker container, but you first have to make sure you have exported your FABRIC_CA_CLIENT_HOME variable to the directory you want your certificates located and enrolled your admin in the appropriate fabric-ca-server, root or intermediate, with *enroll http://<>:<>@<>:<>*. Once your admin is enrolled you should be able to register more peers, clients, admins, etc. from the same docker container or another terminal acting as a different entity. Then, you enroll the identity you just registered and the certificate authority server will generate certificates and place them in the directory you specified when setting the FABRIC_CA_CLIENT_HOME directory. Adjust HOME based off the identity type; for example, don't register and enroll a peer in an admin directory. From there, once you have your organization mapped to certificates you should be able to move on to generating a genesis block.

chandrakanthMamillapalli (Thu, 02 Aug 2018 16:43:13 GMT):
How do I query all users using the Fabric node SDK?

tinywell (Fri, 03 Aug 2018 05:55:20 GMT):
Has left the channel.

1234 (Fri, 03 Aug 2018 07:08:58 GMT):
Hi, I am Mathan. Enrolling the client admin got an error: `TLS handshake error from 127.0.0.1:52760: tls: oversized record received with length 21536`

ashutosh_kumar (Fri, 03 Aug 2018 11:31:53 GMT):
Which go version are you on?

ashutosh_kumar (Fri, 03 Aug 2018 11:32:27 GMT):
Googling gave the result that it might happen when you have unknown CA cert.

1234 (Fri, 03 Aug 2018 11:34:38 GMT):
1.2

zmaro (Fri, 03 Aug 2018 15:15:51 GMT):
Has joined the channel.

pankajanand26 (Fri, 03 Aug 2018 15:32:23 GMT):
Has joined the channel.

mastersingh24 (Fri, 03 Aug 2018 19:20:32 GMT):
@1234 - are you sure you have TLS enabled on the fabric-ca-server?

akshay.sood (Sat, 04 Aug 2018 06:46:18 GMT):
Has joined the channel.

1234 (Sun, 05 Aug 2018 12:27:01 GMT):
Yes, I have enabled TLS

manoj485 (Mon, 06 Aug 2018 05:25:19 GMT):
Has joined the channel.

manoj485 (Mon, 06 Aug 2018 05:26:03 GMT):
Hi, how can I create a public key for a user when he registers, and with that public key he can create his own private key? Is it possible to do so in Hyperledger? And these keys should not be stored in the ledger.

Hi, how can we create a public key for a user when he registers, and with that public key he can create his own private key? Is it possible to do so in Hyperledger? And these keys should not be stored in the ledger.

Hi, I need to create a public key when a user registers and need to send it to the user; then the user needs to create a private key. Is it possible in Hyperledger? If possible, how?

kjroger94 (Mon, 06 Aug 2018 06:12:03 GMT):
Has joined the channel.

kjroger94 (Mon, 06 Aug 2018 06:12:45 GMT):
Can someone explain to me what the actual meaning of this is?
```
attrs:
  hf.Registrar.Roles: "*"
  hf.Registrar.DelegateRoles: "*"
  hf.Revoker: true
  hf.IntermediateCA: true
  hf.GenCRL: true
  hf.Registrar.Attributes: "*"
  hf.AffiliationMgr: true
```

kjroger94 (Mon, 06 Aug 2018 06:13:21 GMT):
I am trying to understand it from the official docs but I am baffled. I don't understand practically what I should do.

kjroger94 (Mon, 06 Aug 2018 06:13:50 GMT):
I am looking to host the ca-server on one instance and have ca-clients on different instances use this CA server

xmhuibm (Mon, 06 Aug 2018 07:56:10 GMT):
Has joined the channel.

gravity (Mon, 06 Aug 2018 08:42:24 GMT):
Has left the channel.

1234 (Mon, 06 Aug 2018 12:47:00 GMT):
Enrolling admin using the intermediate CA got this error in the container: `POST /enroll 401 23 "Failed to get user: : scode: 404, code: 63, msg: Failed to get User: sql: no rows in result set"`

jvsclp (Mon, 06 Aug 2018 14:18:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4uer28XgmuioMXy4P) @kjroger94 The definition for each of those identity properties can be found here: http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#fabric-ca-client. The "*" means it covers all values for the specific property.

kjroger94 (Mon, 06 Aug 2018 14:19:08 GMT):
@jvsclp yes, I understand that, but what does this truly convey when I want to customize it?

jvsclp (Mon, 06 Aug 2018 14:24:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2o3tAxawperqo8Thr) @kjroger94 Let's use hf.Registrar.Roles. If you assign a property other than "*", say - peer, it means the identity you generate can only manage (enroll, register, modify, etc.) identities registered as peers assuming the hf.Registrar.Attributes property has not been changed.

jvsclp (Mon, 06 Aug 2018 14:27:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KGnkoLS4WbkYhCQJJ) @1234 Check if you are enrolling with the correct admin for the certificate authority

kjroger94 (Mon, 06 Aug 2018 15:32:45 GMT):
ok thank you @jvsclp

kjroger94 (Mon, 06 Aug 2018 15:34:17 GMT):
If the enrollment url is used like this - https://peer1-org1:peer1-org1pw@rca-org1:7054 - then if I am using just one RCA on another machine and using the fabric client where I am hosting my peer, how do I give the IP? Say the RootCA is on instance 1 and the Fabric client and a peer are on instance 2.

jvsclp (Mon, 06 Aug 2018 16:26:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Qjjmhu5NtHQfETJMx) @kjroger94 You give the IP or server address after the @. Right now, you have rca-org1, if that's on your intranet the address resolves to: https://rca-org1:7054. So you'd need to know the IP address or fully qualified domain name (FQDN) of your CA Server if you want your peer on Instance 2 to access the server on Instance 1. This would only be to enroll and register your peer to receive the identity certificates. Once you have the appropriate root of trust established you put the certificates in an appropriate Membership Service Provider directory locally for your peer and then only your administrator identity will have to interact with the root certificate authority server.

kjroger94 (Mon, 06 Aug 2018 16:28:29 GMT):
@jvsclp thanks a ton

kjroger94 (Mon, 06 Aug 2018 16:30:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Jz8PkzgbsMp5XXZoh) @jvsclp thanks a ton. The actual documentation can be a bit ambiguous for first-timers, I think. The CA sample on git helps a lot.

gen_el (Mon, 06 Aug 2018 17:29:08 GMT):
Has joined the channel.

mogarg (Mon, 06 Aug 2018 22:37:15 GMT):
Has joined the channel.

emiliastk (Tue, 07 Aug 2018 07:51:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NBwxDnqk9gkofanqi) @jvsclp Thank you, the answer made things clearer! I was able to generate some certificates but still do not fully understand everything.

1. I can register and enroll types peer, app and user.
- Is the orderer of type peer?
- Is the admin of type user?
- Do I need to enroll the fabric-tools as some type to use it for the configtx tool and generate the genesis block?

I did this: I started a docker with image fabric-ca and `fabric-ca-client start -b admin:adminpw`, and added some volumes to get the generated certs out of the docker. I was unable to enroll an intermediate cert, but must just have missed some detail in the config file, so I skipped intermediate CAs for now. From inside the docker I did:
```
export FABRIC_CA_CLIENT_HOME=some/path/peer0
fabric-ca-client enroll -u http://admin:adminpw@ca:7054   // this puts the fabric-ca-client cert and key in peer0/msp, client cert in msp/signedcerts/cert.pem
fabric-ca-client register --id.name peer0 --id.type peer --id.secret peerpw
fabric-ca-client enroll http://peer0:peerpw@ca.test.com
```

2. Now the peer cert and key are added to the same path and the previous cert is overwritten by the new msp/signedcerts/cert.pem. What was the previous cert used for? Is that perhaps the admin cert and should it be saved for later, and if so, what is it used for later? If I change the FABRIC_CA_CLIENT_HOME after the first enroll, I cannot register the peer because the fabric-ca-client can't find the client config file. I could copy the config file for all new $FABRIC_CA_CLIENT_HOME? Am I supposed to only enroll once and then use that same client to enroll all other identities? After enrolling the first peer I change the FABRIC_CA_CLIENT_HOME to same/path/peer1 and do the same thing again to enroll peer1: enroll -> edit fabric-ca-client-config.yaml -> register peer1 -> enroll peer1.

After enrolling peers I plan to put the certs in the msp, placing certs as in the msp directory tree I get when I run the first-network byfn example, then do the same whole procedure for another org, then start the peers and orderer with their new certs.
- Is this how I am supposed to use the fabric-ca?
- For peer0.theorg.nw.com, do I add 'theorg' or 'theorg.nw.com' under Affiliations: in the config file?
I am also not completely sure about admin vs user vs app. Sorry for another long multi-question, I hope it makes sense! Thanks

migrenaa (Tue, 07 Aug 2018 12:30:47 GMT):
Hello, where are the certificates generated by Fabric CA stored (except in the CA container)? Using the NodeJS SDK, I was specifying a path in the file system for the KeyValueStore, and when a user is registered the certificates were stored there. But we need some centralized store because we will be using more than one application. Can I use a database instead of the file system as the certificate store?

huxiangdong (Tue, 07 Aug 2018 13:22:28 GMT):
Has joined the channel.

ashutosh_kumar (Tue, 07 Aug 2018 13:29:17 GMT):
@migrenaa, AFAIK, the Node.js SDK supports a file system based Key Store.

jvsclp (Tue, 07 Aug 2018 14:05:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8PTBv2bQcaj7xhXH9) @emiliastk Hi Emilia,
1.
- The orderer is of type orderer.
- The admin is of type client.
- I'm not sure what you mean by enrolling fabric-tools. To create a genesis block, the minimum you need is an admin, to enroll identities, and an orderer, to arrange/order transactions and set up the genesis block. Your peers and users can be joined following the creation of the genesis block.
2. Perhaps I was not as clear as I should have been.
- Enroll your admin in a clients/admin directory as in http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enrolling-the-bootstrap-identity. Then change the FABRIC_CA_CLIENT_HOME to your peer directory. Following that, register and enroll your peer identity. In your instance the admin is being overwritten, as that's what you're telling your fabric-ca-client-config.yaml to do if you haven't changed the defaults and are writing the peer to the same directory you just put your admin certificates in.
- When you set up your peer Membership Service Provider (MSP) https://hyperledger-fabric.readthedocs.io/en/release-1.2/msp.html#msp-setup-on-the-peer-orderer-side you generate the peer certificates and copy over the admin certificates in charge of maintaining the peer, and other certs needed if you're using TLS.

migrenaa (Tue, 07 Aug 2018 14:24:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KRt27hnAozPX4yn6c) @ashutosh_kumar And how are you using it when you have multiple nodeJS server instances using the same network ?

jvsclp (Tue, 07 Aug 2018 14:30:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8PTBv2bQcaj7xhXH9) @emiliastk 1. It's fine. We're all learning :slight_smile:
- The orderer is of type orderer.
- The admin is of type client.
- I'm not sure what you mean by enrolling fabric-tools. To create a genesis block, the minimum you need is an admin, to enroll identities, and an orderer, to arrange/order transactions and set up the genesis block. Your peers and users can be joined following the creation of the genesis block.
2. Perhaps I was not as clear as I should have been.
- Enroll your admin in a clients/admin directory as in . Then change the FABRIC_CA_CLIENT_HOME to your peer directory. Following that, register and enroll your peer identity. In your instance the admin is being overwritten, as that's what you're telling your fabric-ca-client-config.yaml to do if you haven't changed the defaults and are writing the peer to the same directory you just put your admin certificates in.
- When you change directories you have to also copy the fabric-ca-client-config.yaml into that identity's directory if you're using it as a template to generate your certificates instead of using commands in the terminal. Make your changes to the config file and generate the new identity.
- When you set up your peer Membership Service Provider (MSP) you generate the peer certificates and copy over the admin certificates in charge of maintaining the peer, and other certs needed if you're using TLS. You've got the right idea about only enrolling once and using the same client to enroll all other identities. You can get fancier and have specific admins to manage specific portions of your organization's membership, but leave that for another day.
- The organization tree from the first-network should get you set up. You do understand the fabric-ca. Once the certificates are generated the only use is for managing identities in your organization. It is not connected to your ledger network (channel).
- For the last bit on affiliations, think of it as further restricting or defining an identity's role within an organization and who is allowed to manage that identity. The affiliation does not have to be in a certificate's name, though it may help keep track at a glance. Using your peer0.theorg.nw.com, peer0 can only be managed by admins affiliated with the root affiliation ("."), theorg.*, or theorg.nw. If you did not change your default settings in the registration section of fabric-ca-client-config.yaml or add any other commands to the terminal, your admin and peer should have the same affiliation. See

ashutosh_kumar (Tue, 07 Aug 2018 14:50:36 GMT):
@migrenaa, you might try out the HSM option. An HSM can be used as a Key Store.

ashutosh_kumar (Tue, 07 Aug 2018 14:51:05 GMT):
you can ask your questions to fabric-sdk-node channel.

migrenaa (Tue, 07 Aug 2018 14:55:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Qh3HH5Ju5tTxshLy8) @ashutosh_kumar I will post my question in the sdk-node channel, thanks for the advice. Still, do you have any idea if I can use AWS Key Management Service?

ashutosh_kumar (Tue, 07 Aug 2018 14:58:58 GMT):
I do not think so.

ashutosh_kumar (Tue, 07 Aug 2018 15:00:01 GMT):
I am curious like Curious George. Why do you want to store your private keys in a public cloud?

ashutosh_kumar (Tue, 07 Aug 2018 15:00:38 GMT):
To me, on-prem Key Management or an HSM are the way to go.

migrenaa (Tue, 07 Aug 2018 15:04:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jJY54gwaj6g4Di3x9) @ashutosh_kumar As far as I know a single HSM costs around 5k dollars. And the cloud can be private. Our entire system is cloud based at this point. What would you recommend to use as a centralized certificate store? I have multiple NodeJS applications interacting with a single network. These applications need to share certificates.

ashutosh_kumar (Tue, 07 Aug 2018 15:05:14 GMT):
you can use vault.

ashutosh_kumar (Tue, 07 Aug 2018 15:05:21 GMT):
HashiCorp Vault

ashutosh_kumar (Tue, 07 Aug 2018 15:05:27 GMT):
vault.

migrenaa (Tue, 07 Aug 2018 15:05:43 GMT):
Thanks, I will research it.

ashutosh_kumar (Tue, 07 Aug 2018 15:05:54 GMT):
it has database backend.

ashutosh_kumar (Tue, 07 Aug 2018 15:06:17 GMT):
I mean you can hook database to it.

migrenaa (Tue, 07 Aug 2018 15:09:34 GMT):
Have you ever used it as a Fabric CA certificate store? I don't see how I can use it with the NodeJS fabric SDK.

ashutosh_kumar (Tue, 07 Aug 2018 15:15:40 GMT):
@migrenaa, I think you are looking for a certificate store on the client side.

ashutosh_kumar (Tue, 07 Aug 2018 15:15:59 GMT):
The Fabric CA cert does not play a role here.

ashutosh_kumar (Tue, 07 Aug 2018 15:16:24 GMT):
Certs are stored on the Fabric CA for different reasons.

migrenaa (Tue, 07 Aug 2018 15:24:53 GMT):
@ashutosh_kumar Yes. That is correct. I need the user certificates in order to sign the transactions. The certificates are stored on the CA server, but I also need them in the client, which in my case are the NodeJS applications. The problem is that if they are stored locally on the file system, the certificates will be separated on different machines and I won't be able to invoke chaincode with all of the users from a single application. Maybe I don't understand how Fabric and Fabric CA work. As far as I understand I need copies of the private keys client side, because all of the transactions have to be signed with the user's private key.

migrenaa (Tue, 07 Aug 2018 15:30:10 GMT):
@ashutosh_kumar Also I forgot to mention that in our application the relationship between a hyperledger user and an application user is 1-1. We register users in the Fabric CA every time a user is created in the system.

ashutosh_kumar (Tue, 07 Aug 2018 15:53:40 GMT):
fabric ca does not store private keys.

ashutosh_kumar (Tue, 07 Aug 2018 15:54:32 GMT):
and the Node SDK does not have the capability to use a Key Store.

ashutosh_kumar (Tue, 07 Aug 2018 15:54:53 GMT):
So , HSM is the way for you at this moment.

emiliastk (Wed, 08 Aug 2018 01:16:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ehSPJntSdHsmZatzy) @jvsclp Thank you! It really makes things clearer how I am supposed to use the CA-client. One part that I can not get to work is the register after changing the FABRIC_CA_CLIENT_HOME. I can enroll the admin and then register identities all from the same FABRIC_CA_CLIENT_HOME as I enrolled the admin in, and later change the $ to separate dirs before enrolling every identity, and that seems to work so far. However, you write that I should first change the FABRIC_CA_CLIENT_HOME and then both register and enroll identities. If I enroll the admin and then try to register identities with FABRIC_CA_CLIENT_HOME changed, I get `Error: Enrollment information does not exist. Please execute enroll command first. Example: ...` Is there another env I should set so that the enrolled admin can be found? Thanks again

barry_liang (Wed, 08 Aug 2018 01:48:37 GMT):
Has joined the channel.

kjroger94 (Wed, 08 Aug 2018 04:49:06 GMT):
@jvsclp tell me if this is the correct sequence,

kjroger94 (Wed, 08 Aug 2018 04:53:40 GMT):
@jvsclp when I run init with a bootstrap identity, has that identity been enrolled and registered? Or is that the work of the client after the server has started? And after the root CA is up and has generated the cert and key, where should I copy these for the client to connect over TLS?

kjroger94 (Wed, 08 Aug 2018 05:22:12 GMT):
when I want to enroll someone via TLS, which cert file of the Root CA admin should I have?

kjroger94 (Wed, 08 Aug 2018 05:30:30 GMT):
right now I have generated a tls-cert.pem; should this be copied to the client folder and declared as trusted? I am having a hard time understanding what exactly should happen when I enable TLS

Ryan2 (Wed, 08 Aug 2018 05:35:05 GMT):
`How to enroll a user identity or peer identity with organizational Unit enabled via fabric-ca-client` like this `fabric-ca-client enroll -u http://peer1:peer1pw@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/msp` (https://hyperledger-fabric-ca.readthedocs.io/en/release-1.2/users-guide.html#enrolling-a-peer-identity) I want to enable organizational Unit for peer identity, so that I can make the use of capability on fabric v1.1

kjroger94 (Wed, 08 Aug 2018 07:20:16 GMT):
when I run `fabric-ca-client enroll -u https://rca-liqvis-admin:rca-liqvis-x256@someIP:7054 --tls.certfiles ca-cert.pem` giving my system IP, the following error is coming: `Post https://someIP:7054/enroll: x509: cannot validate certificate for someIP because it doesn't contain any IP SANs` but if I give localhost instead of "someIP" then it runs. The thing is I want to do this via another docker container and preferably on another machine

akoenig (Wed, 08 Aug 2018 07:20:52 GMT):
Has joined the channel.

akoenig (Wed, 08 Aug 2018 07:23:01 GMT):
Hi, we created an intermediate CA with the Java SDK. Afterwards we added the cert and key to the right directory. When we want to start the intermediate CA we get the following error: "Error: Validation of certificate and key failed: Invalid certificate in file '/etc/hyperledger/fabric-ca-server-config/ca.test.com-cert.pem': The 'cert sign' key usage is required"

zhaochy (Wed, 08 Aug 2018 08:26:33 GMT):
hello, is it possible to generate the private/public key pairs at client side?

kjroger94 (Wed, 08 Aug 2018 09:21:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qA9oeRfFjuJZhLtxF) ok, I got this: under csr, in hosts, I had to mention the IPs or the host names from which the client would send requests.

thPart (Wed, 08 Aug 2018 09:41:27 GMT):
Has joined the channel.

thPart (Wed, 08 Aug 2018 09:42:23 GMT):
Hi! Just getting in touch with Fabric and Fabric CA... is there any best practice on how to connect Fabric-CA with OpenID Connect?

jvsclp (Wed, 08 Aug 2018 14:15:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4ETGaZ9NrCKNz4D4g) @emiliastk It's okay and expected to copy the generated admin certificate you generated to enroll other identities into the admincerts folder in the Membership Services Provider directory when enrolling a peer. The certificate is the public part of the admin identity. After you've copied the certificate over you should be able to continue peer/orderer enrollment because it would be in the search path of FABRIC_CA_CLIENT_HOME for your peer identity as long as you did not change the directory structure in the fabric-ca-client-config.yaml. I forgot you can also stay in the admin directory and redirect your peer certificate by using the *-M* flag after the *http://peer:peerpw@server:port* to your peer's directory

jvsclp (Wed, 08 Aug 2018 14:17:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QQx8R5BCSpS5um99m) @zhaochy Yes, that is the point of the fabric-ca-client. If you have the admin information and the server information you can generate certificates from another terminal, location, container, etc for any identity you would need to generate.

kjroger94 (Wed, 08 Aug 2018 16:29:24 GMT):
when I start the server there is a ca-cert.pem present and when i enroll the bootstrap id, it generates a tls-cert.pem

kjroger94 (Wed, 08 Aug 2018 16:29:37 GMT):
how are they different and which one to use to contact the server via tls?

jvsclp (Wed, 08 Aug 2018 19:05:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=x22b2BoGoqYkSizKC) @kjroger94 The ca-cert.pem is the Certificate Authority certificate. If you are in the directory of the certificate and in a terminal run *openssl x509 -in <> -text* you would be able to see the decoded contents of the certificate. Under x509v3 extensions there are properties which declare the certificate as a certificate authority that can sign certificates. This means if you can trust the certificate authority you can trust the other identity certificates the authority generates. A good read on digital certificates can be found here: https://hyperledger-fabric.readthedocs.io/en/release-1.2/identity/identity.html#digital-certificates

The tls-cert.pem is generated for TLS communication. If you run the above command on the certificate you would see the extension properties are specific to TLS. How you configured TLS on your server will determine how the tls-cert is used. That depends on the tls section, but the tls-cert is a public certificate, so you can pass it on to whatever entity you want to contact your server. Essentially, it's an identity document and negotiation between the contacted server showing it's who you think you're contacting and how you want to communicate as the client.

FaeLLe (Wed, 08 Aug 2018 20:17:47 GMT):
Has joined the channel.

FaeLLe (Wed, 08 Aug 2018 20:18:44 GMT):
@jvsclp how does it work from a web application? can we generate an identity from a web app

FaeLLe (Wed, 08 Aug 2018 20:19:18 GMT):
what would be a recommended architecture to store the client id then? register the identity cert in the users browser?

jvsclp (Wed, 08 Aug 2018 20:26:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wYnGoChBBG5yRith7) @FaeLLe I couldn't speak to a web application, but I don't see why a well-written web app wouldn't be able to do what you're asking

kjroger94 (Thu, 09 Aug 2018 03:28:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7xvXLazbKbQHcgj2o) @jvsclp When I use the client to talk to the server I have tried giving --tls.certfiles ca-cert.pem as well as tls-cert.pem and it accepts both. Is it because it accepts both?

ziqbalbh (Thu, 09 Aug 2018 05:44:01 GMT):
Is there any solution for implementing user identity and authentication like oauth, openid or identityserver using fabric or composer?

manoj485 (Thu, 09 Aug 2018 06:46:10 GMT):
how can I get the block hash from the ledger?

1234 (Thu, 09 Aug 2018 07:36:42 GMT):
Can someone give step-by-step commands for root CA and intermediate CA work?

Ryan2 (Thu, 09 Aug 2018 08:36:02 GMT):
hi @jvsclp, how do I check the MSP role types of an identity? Could you please show me how? Thanks!

kjroger94 (Thu, 09 Aug 2018 11:51:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=e6DnZAvRfaE6DfdL7) @Ryan2 if you mean identity roles and types, run `fabric-ca-client identity list`, and if TLS is enabled add `--tls.certfiles _yourcertfile_` and then run that command. You should get a list of registered identities and their types.

jvsclp (Thu, 09 Aug 2018 13:43:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KKth45bQZ8FGSAb45) @kjroger94 If you have no intermediate certificate authority servers your root server will accept the ca-cert.pem and the tls-cert.pem under the *--tls.certfiles* flag because the flag is looking for the root identification of who issued your TLS cert. Since both certificates show your root server it's considered valid by the client and allows the TLS handshake process to continue.

jvsclp (Thu, 09 Aug 2018 13:44:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hWyhjdFua3TFJ7C9G) @1234 This documentation should help: http://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#

jvsclp (Thu, 09 Aug 2018 13:45:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TbEeeyHjtCDEkhyeA) @manoj485 This is probably a better question for the fabric-questions channel

RezwanKabir (Thu, 09 Aug 2018 17:48:47 GMT):
I am executing `var user = await client.getUserContext(username, true);` But I need to verify usersecret for this user that has been generated during register. Is it possible ? Otherwise anyone who knows the username can enroll for that org.

jvsclp (Thu, 09 Aug 2018 19:13:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6Gmt57jvoiTeey5Fs) @RezwanKabir During user registration a password/enrollment secret is generated either by the certificate authority server or fed in as a flag during registration in the terminal. Without the password the user cannot be enrolled so trying to enroll a user without providing the password would fail.

sean (Thu, 09 Aug 2018 19:48:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pxxdM6jcMuir8Nq4h) @ShobhitSrivastava Hey, FYI here's the tutorial. Always feel free to send me questions, suggestions, or any mistakes you spot:
**MAIN PAGE**: https://github.com/TangoJ-Labs/fabric-production-tutorials
**EXAMPLE w/ Solo Orderer**: https://github.com/TangoJ-Labs/fabric-production-tutorials/tree/master/orderer_solo
**CRYPTO / MSP notes**: https://github.com/TangoJ-Labs/fabric-production-tutorials/blob/master/CRYPTO.md
I hope to add these updates in the next few months:
- SDK examples (golang)
- Kafka (w/ Docker Swarm) network
- configtx.yaml v1.2 (with Profile section, etc.)
- NodeOU utilization for use of ".peer", ".client", etc. in endorsement policy

kjroger94 (Fri, 10 Aug 2018 04:08:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8vtkLRd9mob56zLxo) @jvsclp what would you say is the correct way to get this ca-cert.pem from one instance to another in a secure way? any pointers for that? right now I am just using WinSCP and doing so but I know it's not the correct way. Hope you have some ideas.

ShobhitSrivastava (Fri, 10 Aug 2018 04:57:35 GMT):
@sean Will have a look. Thanks for the update.

kjroger94 (Fri, 10 Aug 2018 05:23:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LZZ6otwtrfQJ4CghH) @sean why would admin be enrolled again and again? _The /admincerts cert is the /signcert/cert.pem for the admin, when it was enrolled. Because this folder is manually created, IT MUST BE UPDATED EVERY TIME THE ADMIN IS ENROLLED (since the signcert/cert.pem public cert will change for every enroll request)_

kjroger94 (Fri, 10 Aug 2018 05:27:18 GMT):
Also, @sean this is probably the best walk-through and clarity on the Fabric CA setup that I have come across. I did figure some stuff out looking at multiple setups but that repo is pure gold. thanks!

kopaygorodsky (Fri, 10 Aug 2018 09:12:10 GMT):
Has joined the channel.

kopaygorodsky (Fri, 10 Aug 2018 09:17:48 GMT):
hi there. I have a question about fabric-ca-client: my CA (TLS disabled) is running under a proxy over https. When I want to enroll the admin user via the client I use the following command `fabric-ca-client enroll -u https://user:pass@domain.com` and the `https` part forces the client to enable TLS and require certificates. Why do we need certificates on the client side for the TLS handshake? This command works if I disable TLS in the code of fabric-ca-client (line 79 of clientconfig.go).

sean (Fri, 10 Aug 2018 09:20:24 GMT):
@kjroger94 great question on enrollment - if you check out the `login-admin.sh` script in the `/cli` directory, the goal is to not re-enroll continuously, but to just switch the environmental variables as necessary to point to the needed user's credentials. The point about changing admincerts was that when you do re-enroll, that needs to change as well. I haven't explored all scenarios surrounding enrollment though, so I could be wrong on some of those details. Let me know if you think that's wrong and I'll investigate some more.

sean (Fri, 10 Aug 2018 09:26:46 GMT):
@kopaygorodsky https needs TLS certs for the handshake. Try executing `fabric-ca-client enroll -d --enrollment.profile tls -u https://client:pass@ca-domain:7054 -M /tmp/tls --csr.hosts client` to get the TLS certs (transfer them from `/tmp/tls` to wherever you want), then use them in your enroll request

kjroger94 (Fri, 10 Aug 2018 09:28:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Ct4hA69tfvSj9Gmci) @sean Yeah since I first replied I have had the time to go through each and every line that is there. It seems to be fine. We are not re-enrolling anywhere. But could you think of a scenario where one would have to ?

sean (Fri, 10 Aug 2018 09:32:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tSv5BPfnmydQABhNQ) @kopaygorodsky Actually, I don't think you need to use those options. Try setting these environment variables before enrolling:
```
export FABRIC_CA_CLIENT_HOME={path to desired msp dir for user}
export FABRIC_CA_CLIENT_TLS_CERTFILES={path to root ca-cert.pem}
```
Then, after enrolling, set this var: `export CORE_PEER_MSPCONFIGPATH=$FABRIC_CA_CLIENT_HOME/msp`

kopaygorodsky (Fri, 10 Aug 2018 09:32:57 GMT):
@sean yes, but the CA is running with TLS disabled and the client goes to the CA server via a proxy (TLS termination point)

kjroger94 (Fri, 10 Aug 2018 09:34:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tSv5BPfnmydQABhNQ) @sean @kopaygorodsky if the export doesn't work, try `https://client:pass@ca-domain:7054 -M /tmp/tls --csr.hosts client --tls.certfiles /path/to/your/certfile`

sean (Fri, 10 Aug 2018 09:34:47 GMT):
@kjroger94 Good question - I think I'll understand enrollment a bit more once I've seen it in production use, but I think you re-enroll when you need to refresh credentials (security reasons)

kjroger94 (Fri, 10 Aug 2018 09:36:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4ppQ4TZosdfBmo4Gn) @sean I am preparing the CA for production right now, I need to play around a lot more and then I think I will also have a bit more clarity. Even, for that matter, the usage of `maxenrollments` in the config file etc.

sean (Fri, 10 Aug 2018 09:38:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AWtcjfvpGqPTHzuKD) @kjroger94 Yea, actually `maxenrollments` is one of the major reasons I feel like I don't quite have a firm grasp on enrollment - I'm not sure how limiting that changes admin/user behavior. I'll look into it some more, I probably missed something.

kopaygorodsky (Fri, 10 Aug 2018 09:39:51 GMT):
@kjroger94 @sean those certificates won't work, I have HTTPS termination at the proxy level: fabric-ca-client -> internet https://ca.domain.com -> proxy with HTTPS -> decrypted -> HTTP -> CA container (TLS disabled)

sean (Fri, 10 Aug 2018 09:40:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=S2mX8spEATdFzTyaW) @kopaygorodsky Yea, I apologize, I think the environment variables (especially `FABRIC_CA_CLIENT_TLS_CERTFILES`) are what you want to set

kopaygorodsky (Fri, 10 Aug 2018 09:41:39 GMT):
@sean @kjroger94 but which certificates? Basically the client doesn't need any certificates to do a handshake. RFC 5246

kopaygorodsky (Fri, 10 Aug 2018 09:41:43 GMT):

Clipboard - August 10, 2018 12:41 PM

oborovyk (Fri, 10 Aug 2018 09:49:19 GMT):
Has joined the channel.

sean (Fri, 10 Aug 2018 10:17:56 GMT):
@kopaygorodsky I think #3 is where `FABRIC_CA_CLIENT_TLS_CERTFILES` is used - you need a copy of the root CA cert that was made when you logged in the CA admin (or created in the CA service itself - you can share that since it's the public portion)

kopaygorodsky (Fri, 10 Aug 2018 10:54:38 GMT):
I see, but I just don't understand why I need to provide certificates on the client side, it's not how a TLS handshake should work :) anyway thanks for your time!

kjroger94 (Fri, 10 Aug 2018 11:04:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CKqhWpa2jDQLYCQW2) @kopaygorodsky how would the server validate that you are authorized to say hello in the first place? You can't just give someone a certificate for saying hello, can you? The HTTPS itself means that you have a valid certificate to communicate with the server.

kopaygorodsky (Fri, 10 Aug 2018 11:31:28 GMT):
but I provide login and password

kopaygorodsky (Fri, 10 Aug 2018 11:32:45 GMT):
TLS is only needed to secure the communication channel; it's not an authorization protocol

kopaygorodsky (Fri, 10 Aug 2018 13:32:26 GMT):
Is it possible to add a parameter like `--tls.disabled` to fabric-ca-client? I can submit a PR

jvsclp (Fri, 10 Aug 2018 13:42:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9NeNpvPtGC9fbAC3Q) @kopaygorodsky Why would the fabric-ca-client need a tls.disabled flag? The certificate authority server is either configured for TLS or it is not. If the server is not configured for TLS the client won't try to pass a TLS certificate. The purpose of the root CA certificate the client is accessing is for the client to validate the server's identity and encrypt communications with the server's public key. If you don't provide the certificate to the client it's like asking someone to call you, but not providing your phone number.

kopaygorodsky (Fri, 10 Aug 2018 13:45:33 GMT):
what if CA server is not configured for TLS, but is running behind a proxy server with TLS enabled?

ashutosh_kumar (Fri, 10 Aug 2018 13:57:05 GMT):
@kopaygorodsky tls-disabled is not a good idea. Why do you need that?

jvsclp (Fri, 10 Aug 2018 13:59:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CSpQTdg2kAHa9wZAB) @kopaygorodsky I'm assuming you have access to the certificate for the proxy server? Have you tried passing that in the tls.certfiles of the client-config?

ashutosh_kumar (Fri, 10 Aug 2018 13:59:25 GMT):
@kopaygorodsky, in your proxy case, the client TLS endpoint will be the proxy server and there should be another TLS connection from the proxy server to the Fabric-CA server.

kopaygorodsky (Fri, 10 Aug 2018 14:19:24 GMT):
@ashutosh_kumar why do I need to encrypt my request twice? It's overhead. The purpose of TLS is to establish a secured connection to the server and be sure that it's the right server you are connecting to. According to RFC 5246 it requires certificates only on the server side. The client gets the server's public key in the response to the handshake request

ashutosh_kumar (Fri, 10 Aug 2018 14:24:30 GMT):
proxy does not work that way.

kopaygorodsky (Fri, 10 Aug 2018 14:26:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kfEX5PN2MxbuMZCxZ) hm, why? It works exactly this way. See this image, it's a diagram of standard tls handshake. I know about PKI, but it's not a case of a proxy server.

kopaygorodsky (Fri, 10 Aug 2018 14:40:13 GMT):
I know about PKI, but it's not a case of a proxy server.

pgarneau (Fri, 10 Aug 2018 19:22:33 GMT):
Has joined the channel.

shubham_aggarwal (Sun, 12 Aug 2018 06:03:24 GMT):
Has joined the channel.

shubham_aggarwal (Sun, 12 Aug 2018 06:03:38 GMT):
I am trying to get an intermediate CA and use that to generate all the certs for a particular organization. I am currently using fabric-sample as a base reference. Currently crypto-config.yaml creates a root CA for each org and then uses that to generate all certs for that org. How can I change the crypto-config.yaml file so that either it generates a root CA and an intermediate CA for each org and uses that as the signing CA for peer and admin certs, or it takes an already created root CA cert and key for each org, then generates an intermediate CA and uses that as the signing CA for peer and admin certs? Then I will use docker-compose-e2e-template to start the intermediate CA and all peers and the orderer. Is this approach fine? If not, what is the easiest way to get an intermediate CA and use this CA to generate all peer and admin certs?

louisliu2048 (Sun, 12 Aug 2018 07:52:34 GMT):
Has joined the channel.

RockyRacer (Mon, 13 Aug 2018 07:30:22 GMT):
Has joined the channel.

RockyRacer (Mon, 13 Aug 2018 07:31:34 GMT):
Hi, is it possible to have Fabric CA server running on Windows?

GuillaumeTong (Mon, 13 Aug 2018 08:44:33 GMT):
Has joined the channel.

ShobhitSrivastava (Mon, 13 Aug 2018 09:41:00 GMT):
@RockyRacer provided you have Vagrant and VirtualBox set up on your Windows machine.

RockyRacer (Mon, 13 Aug 2018 11:32:43 GMT):
OK I'm trying, thx

jvsclp (Mon, 13 Aug 2018 14:07:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5oKHFjeT6LHuuzt7G) @RockyRacer Yes, I run my Fabric CA Server on Windows 10. All you need is to follow the directions in: https://hyperledger-fabric.readthedocs.io/en/release-1.2/getting_started.html You can run in docker or natively. Be aware your directories have to be updated to reflect Windows conventions rather than Linux standard directories.

thPart (Mon, 13 Aug 2018 14:10:49 GMT):
thpart

RockyRacer (Mon, 13 Aug 2018 14:14:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JyHCjoCuTfFNHavYk) @jvsclp Thx, this is what I tried first, but the first step gave me problems `go get -u github.com/hyperledger/fabric-ca/cmd/...` returns `"gcc": executable file not found in %PATH%`

RockyRacer (Mon, 13 Aug 2018 14:16:46 GMT):
I then installed TDM-GCC but got others errors related to go build

RockyRacer (Mon, 13 Aug 2018 14:23:21 GMT):
I can download fabric-ca-server and fabric-ca-client binaries manually then go build with --nopkcs11 tag but I don't want to spend too much time on this and when it begins with errors and tools requirements I prefer to stop as it seems a little bit DIY :)

pankaj9310 (Mon, 13 Aug 2018 14:44:16 GMT):
Has joined the channel.

jvsclp (Mon, 13 Aug 2018 15:24:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NkqdWZDW3Mmcy4x4g) @RockyRacer Oh yea, it's been a while. The additional steps were to download TDM-GCC, unzip it to your C drive (which you've done), then map the bin directory for TDM-GCC to your System Path variable. I'm pretty sure that worked for me. I should have written that down.

patent_person (Mon, 13 Aug 2018 20:33:59 GMT):
Has joined the channel.

kapilV (Tue, 14 Aug 2018 00:19:33 GMT):
Has joined the channel.

RockyRacer (Tue, 14 Aug 2018 07:14:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nSyLZnvkhJAi364Y8) @jvsclp OK it worked thanks, had just a syntax error in my command... :see_no_evil:

RockyRacer (Tue, 14 Aug 2018 07:15:03 GMT):
Let's deal with configuration now

alek (Tue, 14 Aug 2018 08:45:28 GMT):
Hi Guys, I have some kind of "best practice" question that refers to LDAP integration. I had Fabric CA without LDAP integration, and used the Java client to register and enroll new users. The Java client works in such a way that, as the result of registration, it returns something like `enrollmentSecret` that is later on assigned to the user and used while performing enrollment. Right now I switched to LDAP so users are no longer registered via the CA but are added to LDAP in another part of the application, but still the enrollment process is the responsibility of the Java client. How can I integrate the enrollment process in a secure way via the Java client? In case of using the CLI it would be just passing the user and password of the LDAP user, but that cannot be considered here for many reasons.

alexvicegrab (Tue, 14 Aug 2018 09:33:19 GMT):
The behaviour of the Fabric CA client appears to have changed in 1.2. `fabric-ca-client enroll -u http://user:pass@my-fabric-ca.com` now returns:
```
Error: Response from server: Error Code: 2 - No authorization header
```
With Fabric CA client 1.1, all works fine, even when using the Fabric CA 1.2 server.

alexvicegrab (Tue, 14 Aug 2018 09:34:22 GMT):
Instead, specifying the port explicitly gives me the following error (I'm guessing because the Fabric CA is behind an NGINX proxy with HTTPS enabled): `fabric-ca-client enroll -u http://user:pass@my-fabric-ca.com:80` -->
```
http: server gave HTTP response to HTTPS client
```

alexvicegrab (Tue, 14 Aug 2018 09:35:36 GMT):
In Fabric 1.1, this worked fine, with the http request handled correctly, and the authorization headers being properly set by the client without a need to explicitly set the port.

alexvicegrab (Tue, 14 Aug 2018 09:37:20 GMT):
If I try to directly access via HTTPS: `fabric-ca-client enroll -u https://user:pass@my-fabric-ca.com` -->
```
2018/08/14 12:35:59 [INFO] TLS Enabled
Error: Failed to get client TLS config: No TLS certificate files were provided
```

alexvicegrab (Tue, 14 Aug 2018 09:37:51 GMT):
In the latter, I want the Fabric CA to be protected by HTTPS encryption to it, but for it not to require the client to provide a TLS certificate.

alexvicegrab (Tue, 14 Aug 2018 09:38:01 GMT):
Please advise

alexvicegrab (Tue, 14 Aug 2018 09:47:49 GMT):
I've created a bug in JIRA to document it: https://jira.hyperledger.org/browse/FABC-703

PatrickWoodhead (Tue, 14 Aug 2018 10:25:01 GMT):
Has joined the channel.

kjroger94 (Wed, 15 Aug 2018 03:24:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nfmHLCRosBkPbt7PJ) @alexvicegrab Set `FABRIC_CA_CLIENT_TLS_CERTFILES` to your TLS cert provided by the Root/Int CA and then run that command, it will surely work.

alek (Wed, 15 Aug 2018 07:34:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DTA6fKhrwgD8TwewZ) @aambati could you please advise or point me to someone who could help me with that?

pankajcheema (Wed, 15 Aug 2018 08:22:15 GMT):
hi all

pankajcheema (Wed, 15 Aug 2018 08:22:38 GMT):
Can we use a single `ca` for multiple `organizations` in a single network?

smithbk (Wed, 15 Aug 2018 14:03:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LKc7yKTwrx6ZR5drv) @pankajcheema Yes, there are two options: 1) A single fabric-ca-server with multiple CAs using the `--cafiles` option or 2) A single fabric-ca-server with a single CA where the `OU` field of the certificate is used to distinguish between organizations. Keep in mind that both the `type` and `affiliation` of a user become `OUs` in the issued certificates and it is important to give thought to who registers users of various types and/or affiliations so that there is no single point of trust (sort of). With either of these options, you need to give serious thought to the security implications. Ask yourself the question: what could the administrator of this single fabric-ca-server do if they went rogue?

aambati (Wed, 15 Aug 2018 14:12:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mSoYpYpwCEbqfEYaT) @alek What is the concern of sending userid:password over SSL? @smithbk or @mastersingh24 might have suggestions for you

alek (Wed, 15 Aug 2018 14:40:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=eK4LQYSJbzNSdRAAP) @aambati Hi @aambati thanks for your reply! The thing is that for security reasons passwords should not be stored in plaintext in LDAP. So while registering a user in LDAP, their password will be encrypted; since they are encrypted we will not be able to send them as plaintext to enrollment. I think it's a rather common case for any kind of client integration with LDAP and I'm wondering how it can be resolved

nekia (Thu, 16 Aug 2018 07:49:59 GMT):
Has joined the channel.

rzanini (Thu, 16 Aug 2018 12:25:54 GMT):
Has joined the channel.

ashutosh_kumar (Thu, 16 Aug 2018 13:40:21 GMT):
@alek, LDAP stores the password in encrypted form. When you retrieve the password, it gets decrypted and then you send it over TLS. This pattern has been in vogue in industry for years. I do not see an issue here.

alek (Thu, 16 Aug 2018 13:53:50 GMT):
@ashutosh_kumar Thanks for your reply, but... There is some reason to keep encrypted passwords in LDAP or in DBs and then even idea of making the decryption of previously SHA stored password seems to me ridiculous....

beshogun (Thu, 16 Aug 2018 14:42:39 GMT):
Has joined the channel.

beshogun (Thu, 16 Aug 2018 14:43:00 GMT):
admin 0 error

kirbyclements (Thu, 16 Aug 2018 15:24:58 GMT):
Has joined the channel.

ashutosh_kumar (Fri, 17 Aug 2018 00:39:00 GMT):
@alek , in that case your password should not be stored hashed in LDAP.

davidkhala (Fri, 17 Aug 2018 04:52:49 GMT):
@aambati Dear Anil, I found a line saying `fabric-ca` in the .gitignore file, could we remove it if not necessary? Because it results in problems in some scenarios

aambati (Fri, 17 Aug 2018 13:59:20 GMT):
@davidkhala i don't recall why it was added to fabric-ca...i think it should not be there..there is no folder called fabric-ca under root directory... @skarim do you recall why fabric-ca is in .gitignore

skarim (Fri, 17 Aug 2018 14:36:49 GMT):
@davidkhala I also think that it can be removed. But just curious what is the scenario in which it is causing a problem?

alexanderlamb (Fri, 17 Aug 2018 17:15:49 GMT):
Has joined the channel.

mastersingh24 (Fri, 17 Aug 2018 18:54:20 GMT):
@alek - I'm still not sure I understand the issue here. LDAP servers typically store a hashed version of the password. But the salt for this hash is actually part of the LDAP server configuration. When you authenticate with LDAP, you actually send the clear text password to the LDAP server which then salts / hashes it, looks up the password entry for the user and then compares the hashes

davidkhala (Sat, 18 Aug 2018 04:53:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4aZ9q6wygFbLrBcrB) @skarim Some git GUI software like `smartGit` will take `images/fabric-ca` as a directory that should be ignored when I copy the entire `fabric-ca` source to under another git root (of course along with removing the `.git` directory)

davidkhala (Sat, 18 Aug 2018 04:54:13 GMT):
@aambati If it is OK to remove, I would like to create an issue and patch to illustrate this detail

davidkhala (Sat, 18 Aug 2018 05:22:34 GMT):
@aambati @skarim https://gerrit.hyperledger.org/r/#/c/25655/ created for that

minskeyguo (Sat, 18 Aug 2018 20:24:09 GMT):
Has joined the channel.

1234 (Mon, 20 Aug 2018 07:47:33 GMT):
Hi experts, I am creating certificates using OpenSSL, but how do I register and enroll an admin or user using OpenSSL?

1234 (Mon, 20 Aug 2018 09:18:25 GMT):
Can someone there please answer?

skarim (Mon, 20 Aug 2018 13:54:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NovJtCatzy3CW5Kpo) @1234 There is no concept of register and enroll if you are using OpenSSL directly. OpenSSL allows you create X509 certificates, but you do not need to register an identity to create a certificate.

ashutosh_kumar (Mon, 20 Aug 2018 14:07:32 GMT):
@1234, you can create CSR using openSSL and then send it as part of enrollment request to Fabric CA. Fabric CA will return certificate signed by Fabric CA.

1234 (Mon, 20 Aug 2018 17:49:35 GMT):
@ashutosh_kumar Fabric CA is only for testing, not production

1234 (Mon, 20 Aug 2018 17:51:04 GMT):
How to add an attribute in an OpenSSL certificate, e.g.: `1.2.3.4.5.6.7.8.1: {"attrs":{"firstName":"Lohith","hf.Affiliation":"org1.department1","hf.EnrollmentID":"mathan_sir","hf.Type":"client"}}`

CarlosHuggins (Mon, 20 Aug 2018 19:47:16 GMT):
Has joined the channel.

CarlosHuggins (Mon, 20 Aug 2018 19:54:09 GMT):
Hi, this is a noob question. I'm trying to install fabric-ca running the command `go get -u github.com/hyperledger/fabric-ca/cmd/...`

CarlosHuggins (Mon, 20 Aug 2018 19:55:29 GMT):
and I get the following output
```
# github.com/hyperledger/fabric-ca/lib
go/src/github.com/hyperledger/fabric-ca/lib/server.go:714:23: cert.Issuer.String undefined (type pkix.Name has no field or method String)
go/src/github.com/hyperledger/fabric-ca/lib/server.go:715:24: cert.Subject.String undefined (type pkix.Name has no field or method String)
```

CarlosHuggins (Mon, 20 Aug 2018 19:58:45 GMT):
without the fabric-ca-server command being installed

skarim (Mon, 20 Aug 2018 19:59:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=29i9ZRL7hdekAkEkj) @CarlosHuggins which version of go are you using? you must use v1.10

CarlosHuggins (Mon, 20 Aug 2018 20:01:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XjArjSnMkXgiKioRu) @skarim The prerequisites state 1.9+, I have Installed 1.9.1, I'll upgrade and post the result here....

CarlosHuggins (Mon, 20 Aug 2018 20:08:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=js3hu6tgPcEJiWuTm) Excellent, I installed go1.10.3 and it installed flawlessly. How can I reach out to someone to make changes to the docs? That will help some other people.

skarim (Mon, 20 Aug 2018 20:09:04 GMT):
I can update the doc

CarlosHuggins (Mon, 20 Aug 2018 20:11:12 GMT):
Where should the `fabric-ca-server` command be created? I'm running `fabric-ca-server start -b admin:adminpw` and it reads `fabric-ca-server: command not found`

CarlosHuggins (Mon, 20 Aug 2018 20:13:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=D4EcjwAkPjpT8KQDN) I found them under ~\go\bin, I guess they have to be moved to /usr/local/go/bin

skarim (Mon, 20 Aug 2018 20:14:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DYyRZmFkob69qxFAK) @CarlosHuggins yes, or you could also add that bin directory to your PATH env variable

CarlosHuggins (Mon, 20 Aug 2018 20:15:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3qss7szgQppg7pF3M) @skarim Exactly, Thank you very much for the help....I'm really happy to be part of this community and looking forward to be an active participant....

GuillaumeTong (Tue, 21 Aug 2018 03:52:48 GMT):
Hello, I am trying to use the fabric-ca-client node SDK to get the necessary files in the MSP folders of the different components of the fabric network (peers, orderers, admins and clients). Is there anywhere I can find examples for that? Or at least a better documentation than at https://fabric-sdk-node.github.io (which does not seem to have most of the documentation pertaining to fabric-ca-client)

skarim (Tue, 21 Aug 2018 15:37:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bpnJuKpdronMBrr88) @GuillaumeTong There is some documentation here https://hyperledger-fabric.readthedocs.io/en/release-1.2/msp.html that describes what the MSP structure is supposed to look like. Specifically I think this section would be useful https://hyperledger-fabric.readthedocs.io/en/release-1.2/msp.html#msp-setup-on-the-peer-orderer-side

JaccobSmith (Wed, 22 Aug 2018 05:25:25 GMT):
Has joined the channel.

akoenig (Wed, 22 Aug 2018 12:17:08 GMT):
Hi, maybe a stupid question. But why are the peers trusting the orderer, or how do they know this is the RIGHT orderer? Because the certificates are in the orderer.block?

tkg (Wed, 22 Aug 2018 12:49:17 GMT):
Has joined the channel.

alek (Wed, 22 Aug 2018 13:51:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xm6FxaaK59CbXyAgp) @mastersingh24 The thing is that I would like to enroll users while using LDAP, using a similar approach to the one used while registering them via Fabric CA programmatically, but that is not a valid approach for me anymore. Anyway thanks guys for your support!

jvsclp (Wed, 22 Aug 2018 14:08:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BEwNcSGrETnZLfJCS) @akoenig Yes, the membership configuration for the channel is in the genesis block or updates with channel transactions. Here's some reading on the subject: https://hyperledger-fabric.readthedocs.io/en/release-1.2/membership/membership.html#local-and-channel-msps

Arindam (Wed, 22 Aug 2018 17:56:50 GMT):
I am facing the exact same problem like this: https://stackoverflow.com/questions/50373274/hyperledger-fabric-node-js-sdk-api-failing-on-enrollment

Arindam (Wed, 22 Aug 2018 17:56:57 GMT):
Can anyone please help

alek (Thu, 23 Aug 2018 10:48:31 GMT):
Guys, again I have an issue with LDAP integration. What I am trying to do is to list all identities using the CLI. I was able to successfully connect the CA with LDAP and enroll the admin using the LDAP password. Then I wanted to list all identities by executing the `fabric-ca-client identity list` command. As the result I am getting `Error: &{Code:49 Message:Failed to get users by affiliation and type: Not supported}`. It works fine without LDAP, so in case of using the bootstrap identity. I was trying to attach all properties that the bootstrap registry has to the LDAP user, using the converters and maps features in `fabric-ca-server-config.yaml`. So currently `hf.Registrar.Roles`, `hf.Registrar.DelegateRoles`, `hf.AffiliationMgr`, `hf.IntermediateCA` and `hf.GenCRL` have the same value as the registry. The only missing attributes for the LDAP user are: `identity type`, `identity affiliation` <- these are not supported in `fabric-ca-server-config.yaml` because there are no such attributes, and `hf.Registrar.Attributes` <- `*` should be placed here but it's not supported in `fabric-ca-server-config.yaml`. Are these attributes missing on the LDAP user and causing the issue? If so, how can we add them?

skarim (Thu, 23 Aug 2018 12:07:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DAoGQ6e3mnrJBKGLL) @alek Listing identities is only supported if you are using a database backend (MySQL, Postgres, or SQLite). Also, when using LDAP, registrar-related attributes are of no use. When using LDAP, registering of identities needs to be handled separately by an LDAP admin. Registering identities is not supported through fabric ca with LDAP.

aambati (Thu, 23 Aug 2018 13:33:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ETifuwnQkC43YZAoN) @Arindam CA logs would help to diagnose the problem. Do you see my-ca configuration in the FABRIC_CA_HOME in the CA container?

alek (Thu, 23 Aug 2018 13:53:54 GMT):
@skarim thanks a lot for your response. Actually I was asking because I wanted to somehow use the ABAC feature. So before integrating with LDAP, during the process of user registration, I used the `ecert` flag, so I passed some attributes in this way: `myAttribute=true:ecert`, then I was using that attribute in chaincode. Is that functionality supported somehow while integrating with LDAP? I mean, is it possible to use the ABAC feature and see such attributes in chaincode when working with LDAP?

jvsclp (Thu, 23 Aug 2018 14:38:11 GMT):
I have been generating client certificates and they always come out with a generic cert.pem. Is it possible to configure the fabric-ca-client-config.yaml to have the certificate named specifically? For example, when configuring a server's root certificate you can specify the names of the certificate authority file, chain file, and tls certificate file in the fabric-ca-server-config.yaml. Renaming certificates manually takes time and I would like to remove a step from the process.

jvsclp (Thu, 23 Aug 2018 14:42:28 GMT):
For clarification I mean the .pem file name, not the common name.

skarim (Thu, 23 Aug 2018 16:43:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8kyKGiEuen2oksD8v) @alek When using LDAP, you will have to specify which attributes to include in a certificate during enrollment time. See step number 2 in the following doc: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#attribute-based-access-control

skarim (Thu, 23 Aug 2018 16:43:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bHBvyo7N4KEyre4wj) @jvsclp Unfortunately, there is not a way to specify the certificate file name

jvsclp (Thu, 23 Aug 2018 16:53:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vDR9M3sdWxPmK8LeM) @skarim Thank you. The cryptogen in the first-network example seems to have that capability I thought the fabric-ca would have it as well. Looks like I'm off to research if there's a feature request for this.

jvsclp (Thu, 23 Aug 2018 17:30:47 GMT):
After researching there does not seem to be an issue related to adjusting the generic cert.pem generated by the fabric-ca-client enroll requests. I opened a request: https://jira.hyperledger.org/browse/FABC-707

grsind19 (Thu, 23 Aug 2018 20:19:41 GMT):
Has joined the channel.

1234 (Fri, 24 Aug 2018 06:57:09 GMT):
Hi experts, I created a certificate using OpenSSL and used that certificate in the docker-compose.yaml file in the MSP config path; I got an error on the peer container: "2018-08-24 06:18:31.547 UTC [main] main -> ERRO 023 Cannot run peer because error when setting up MSP of type bccsp from directory /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/msp/: Setup error: nil conf reference"

DavorKljajic (Fri, 24 Aug 2018 11:33:36 GMT):
Has joined the channel.

DavorKljajic (Fri, 24 Aug 2018 11:33:45 GMT):
hello, I'm wondering if someone has worked on a custom MSP implementation with Idemix, and where I can find the setup; the official site is not very clear.

alek (Fri, 24 Aug 2018 15:14:02 GMT):
@skarim thanks a lot for your answer! i will check it

NiK0 2 (Fri, 24 Aug 2018 20:02:20 GMT):
Has joined the channel.

NiK0 2 (Fri, 24 Aug 2018 20:11:24 GMT):
Hi team! I don't know if this is the correct channel. How can I configure Hyperledger so that certificates are obtained from fabric-ca-server?

jvsclp (Fri, 24 Aug 2018 20:28:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bvxiXs9sWFn9FDRgv) @NiK0 2 You have to generate your certificates from the fabric-ca-server using fabric-ca-client, then provide the generated certificates to your organization's Membership Service Provider (MSP) directory

NiK0 2 (Fri, 24 Aug 2018 20:38:56 GMT):
Perfect! Thank you @jvsclp, I'm going to investigate

Mahdsckilz (Sun, 26 Aug 2018 03:55:43 GMT):
Has joined the channel.

Mahdsckilz (Sun, 26 Aug 2018 05:44:05 GMT):

Screenshot from 2018-08-26 14-09-36.png

Mahdsckilz (Sun, 26 Aug 2018 05:44:25 GMT):
anyone have an inkling to the cause?

carbonFeet (Mon, 27 Aug 2018 06:46:48 GMT):
Has joined the channel.

carbonFeet (Mon, 27 Aug 2018 09:47:50 GMT):
Hey, can anyone please help me with this? https://stackoverflow.com/questions/52036569/fabric-ca-client-user-enrolment-authorisation-failure

alek (Mon, 27 Aug 2018 09:52:56 GMT):
a

alek (Mon, 27 Aug 2018 10:07:41 GMT):
@carbonFeet Did you try with a stable version? For example `Server Version: 1.2.0-stable`?

alek (Mon, 27 Aug 2018 10:26:49 GMT):
@skarim I tried to make it work but without success. Let me describe it in more detail. I successfully created an LDAP connection using these details: `ldap://uid=admin,ou=system:mysecretpassword@host:port/uid=admin,ou=system`, then created a converter in the `fabric-ca-server-config.yaml` file: `- name: hf.AffiliationMgr value: attr("uid") =~ "admin"`. Then I perform enrollment: `fabric-ca-client enroll -u http://admin:mysecretpassword@localhost:7054 --enrollment.attrs "hf.AffiliationMgr"` and as the result I am getting: `Error: Response from server: Error Code: 0 - The following required attributes are missing: [hf.AffiliationMgr]`. My understanding is that I should be able to retrieve that parameter later on, but it fails even earlier, during the enrollment process. What can I do about that? As you can see, the user has the `uid` parameter set to `admin`, so `attr("uid") =~ "admin"` should evaluate to true.

carbonFeet (Mon, 27 Aug 2018 10:53:19 GMT):
@alek Hey @alek, fabric-ca-server: Version: 1.2.1-snapshot-3bcdbb2 Go version: go1.11 OS/Arch: linux/amd64

carbonFeet (Mon, 27 Aug 2018 11:01:55 GMT):
@alek Should I be trying with v1.2.0?

pmuller (Mon, 27 Aug 2018 12:04:20 GMT):
Hi there, does anyone know how to use the Fabric-ca NodeJS SDK? The documentation is messy.

pmuller (Mon, 27 Aug 2018 12:05:06 GMT):
I need help writing the network.yaml file to use the loadFromConfig() command.

alek (Mon, 27 Aug 2018 12:23:05 GMT):
@carbonFeet Just an idea: I tried today with the 1.2.0 stable version and it worked fine for me.

pmuller (Mon, 27 Aug 2018 12:42:04 GMT):
Hi there, I am using Fabric-ca-sdk for Nodejs. I want to create a program that simply executes the commands register and enroll. I need a Client() object to call these functions. Sadly, `var client = new Client()` `client.register()` doesn't work. Can anyone help? I've seen functions like loadFromConfig and initCredentialStore, but there is no explanation of how they work. Thanks!

skarim (Mon, 27 Aug 2018 14:21:05 GMT):
@pmuller Please try the #fabric-sdk-node channel

pmuller (Mon, 27 Aug 2018 14:25:02 GMT):
thanks @skarim !

skarim (Mon, 27 Aug 2018 15:14:15 GMT):
@alek Could you try it again but with this syntax? Added `uid` in the --enrollment.attrs flag:
```
fabric-ca-client enroll -u http://admin:mysecretpassword@localhost:7054 --enrollment.attrs uid,hf.AffiliationMgr
```

alek (Mon, 27 Aug 2018 17:01:24 GMT):
@skarim many thanks for your support; unfortunately it didn't help. Current result: `Error: Response from server: Error Code: 0 - The following required attributes are missing: [uid hf.AffiliationMgr]`

skarim (Mon, 27 Aug 2018 17:30:14 GMT):
@alek Can you provide debug logs using the original enrollment syntax? Thanks

smithbk (Mon, 27 Aug 2018 18:17:31 GMT):
@alek Did you also add `uid` as an attribute requested from the LDAP server by adding it to the list at `ldap.attribute.names`? As in the section below:
```yaml
ldap:
   # Enables or disables the LDAP client (default: false)
   # If this is set to true, the "registry" section is ignored.
   enabled: false
   # The URL of the LDAP server
   url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
   # TLS configuration for the client connection to the LDAP server
   tls:
      certfiles:
      client:
         certfile:
         keyfile:
   # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
   attribute:
      # 'names' is an array of strings containing the LDAP attribute names which are
      # requested from the LDAP server for an LDAP identity's entry
      names: ['uid','member']
```

smithbk (Mon, 27 Aug 2018 18:18:32 GMT):
It would be good to see your entire `ldap` section

smithbk (Mon, 27 Aug 2018 18:20:30 GMT):
And your logs of course, as the following log statement will be very helpful:
```go
log.Debugf("Evaluated expression for attribute '%s'; parms: %+v; result: %+v", ue.attr, parms, result)
```

alek (Mon, 27 Aug 2018 18:54:38 GMT):
@skarim @smithbk I found the issue; `rubber ducking` really worked in that case ;) In the `fabric-ca-server-config.yaml` file I also included an additional converter: `- name: hf.Type` with `value: client`. I wanted to hardcode that (for testing purposes) so as to assign `hfType = client` to each enrolled user. In the logs I found `[DEBUG] Error evaluating expression for attribute 'hf.Type'; parms: map[DN:uid=admin,ou=system affiliation:[system]]; error: No parameter 'client' found.` <- it was generated as the result of enrollment. But the response in the CLI suggested something different: `Error: Response from server: Error Code: 0 - The following required attributes are missing: [uid hf.AffiliationMgr]`. Do you think this seems like a bug that needs to be reported with the lowest priority? Anyway, many thanks for your kind support. I really appreciate that!

smithbk (Mon, 27 Aug 2018 19:49:49 GMT):
@alek Yes, pls open a bug in jira as the original error should be preserved. Thanks

smithbk (Mon, 27 Aug 2018 19:50:53 GMT):
Also, if you could attach your logs to the bug, that would be helpful

WCamaly (Mon, 27 Aug 2018 20:46:05 GMT):
Has joined the channel.

rodders1991 (Mon, 27 Aug 2018 20:50:34 GMT):
Has joined the channel.

WCamaly (Mon, 27 Aug 2018 20:52:33 GMT):
Hello everyone, I need help. I try to configure the block browser on another server. I do not know how to get the pair's tls. Does anyone know how I can do?

rodders1991 (Mon, 27 Aug 2018 21:05:22 GMT):
Hi everyone, I'm trying to interact to a channel but I'm getting the following error and I want to know what it relates to: `sendPeersProposal - Promise is rejected: Error: 2 UNKNOWN: access denied: channel [certificates] creator org [PeerOrg2]` As you can see I'm trying to interact with a specific organisation and I'm wondering if there's post configuration steps after creating a channel with multiple organisations?

alek (Mon, 27 Aug 2018 21:13:44 GMT):
@smithbk issue was created: https://jira.hyperledger.org/browse/FABC-709 thanks for your help !

nicolas.alfonso (Mon, 27 Aug 2018 21:58:35 GMT):
Has joined the channel.

Ferrymania (Tue, 28 Aug 2018 01:55:42 GMT):
Has joined the channel.

Ferrymania (Tue, 28 Aug 2018 02:03:07 GMT):
Hi guys, now I use the CA to register a user; for example, after I register a user, there would be three files created, including:
```json
{
  "name": "Gloria",
  "mspid": "Org2MSP",
  "roles": null,
  "affiliation": "",
  "enrollmentSecret": "BezFhgxIjXet",
  "enrollment": {
    "signingIdentity": "06ea5fee62fc1d124f523cb1bb5827d3140bb8a581ab04fa3dc48f2b476c41ad",
    "identity": {
      "certificate": "-----BEGIN CERTIFICATE-----\nMIICkDCCAjegAwIBAgIUFY1XNzB1DuwbVRh1t47Z3XANQi0wCgYIKoZIzj0EAwIw\nczELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh\nbiBGcmFuY2lzY28xGTAXBgNVBAoTEG9yZzIuZXhhbXBsZS5jb20xHDAaBgNVBAMT\nE2NhLm9yZzIuZXhhbXBsZS5jb20wHhcNMTgwODI4MDEzNzAwWhcNMTkwODI4MDE0\nMjAwWjBDMTAwDQYDVQQLEwZjbGllbnQwCwYDVQQLEwRvcmcyMBIGA1UECxMLZGVw\nYXJ0bWVudDExDzANBgNVBAMTBkdsb3JpYTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABOqQRJQEjtpRm3krDAi7XjiAiYpi8WLBdWaB6O9D3RrK0/g+mS3kh9Rh14qW\nB3xSD7MQhXLhfff1BORkJaGDn36jgdgwgdUwDgYDVR0PAQH/BAQDAgeAMAwGA1Ud\nEwEB/wQCMAAwHQYDVR0OBBYEFKg7aTJ1dteLiimUBwgHnxIYQKuqMCsGA1UdIwQk\nMCKAIKfUfvpGproHcwyFD+0sE3XfJzYNcif0jNwvgOUFZ4AFMGkGCCoDBAUGBwgB\nBF17ImF0dHJzIjp7ImhmLkFmZmlsaWF0aW9uIjoib3JnMi5kZXBhcnRtZW50MSIs\nImhmLkVucm9sbG1lbnRJRCI6Ikdsb3JpYSIsImhmLlR5cGUiOiJjbGllbnQifX0w\nCgYIKoZIzj0EAwIDRwAwRAIgPyMIitCbcDNK3LrBtQYTV7gRNTcJTi9YztzHcvcn\nfcACIFNMT7nDcbxZssDOf9z9qingfDdsijpNq4nXUqVfnUip\n-----END CERTIFICATE-----\n"
    }
  }
}
```
```
06ea5fee62fc1d124f523cb1bb5827d3140bb8a581ab04fa3dc48f2b476c41ad-priv
06ea5fee62fc1d124f523cb1bb5827d3140bb8a581ab04fa3dc48f2b476c41ad-pub
```
What can I show to other users to show the user identity?

qiangjiyi (Tue, 28 Aug 2018 02:09:53 GMT):
Has joined the channel.

jvsclp (Tue, 28 Aug 2018 14:07:42 GMT):
@Ferrymania In the generated msp folder there should be a folder called signcerts with the generated certificate cert.pem. You can convert it to a text output in a terminal with *openssl x509 -in -text <>* with <> being the generated file. Additionally, you can convert the .pem to a .crt using openssl commands found here: https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key.

DiegoLeal (Tue, 28 Aug 2018 14:19:44 GMT):
Has joined the channel.

sean (Tue, 28 Aug 2018 14:36:53 GMT):
I am encountering inconsistencies in how the MSP tree should be constructed. In the `fabric-ca` library, the `lib` package [1] shows that the `Client` structure requires that the certFile be stored as `/signcerts/cert.pem`:
```go
func (c *Client) Init() error {
    . . .
    certDir := path.Join(mspDir, "signcerts")
    . . .
    c.certFile = path.Join(certDir, "cert.pem")
    . . .
}
```
However, the `fabric-sdk-go` library requires two different MSP tree structures: `filekeyvaluestore` [2] requires the certFile format `/signcerts/{userName}@{orgName}-cert.pem`:
```go
func NewFileCertStore(cryptoConfigMSPPath string) (core.KVStore, error) {
    _, orgName := path.Split(path.Dir(path.Dir(path.Dir(cryptoConfigMSPPath))))
    . . .
    r := strings.NewReplacer("{userName}", ck.ID, "{username}", ck.ID)
    certDir := path.Join(r.Replace(cryptoConfigMSPPath), "signcerts")
    return path.Join(certDir, fmt.Sprintf("%s@%s-cert.pem", ck.ID, orgName)), nil
    . . .
}
```
The above path Split to find the orgName requires the MSP tree to be in the format e.g.: `/orgs/org1/users/{userName}/msp/signcerts/{userName}@{orgName}-cert.pem`, otherwise the orgName will not be found. `certfileuserstore` [3] requires the certFile format `/signcerts/{userName}@{MSPID}-cert.pem`:
```go
func storeKeyFromUserIdentifier(key msp.IdentityIdentifier) string {
    return key.ID + "@" + key.MSPID + "-cert.pem"
}
```
The most obvious solution would be to maintain multiple certFiles in the `signcerts` folders, each with the needed naming structure. However, this seems excessively complicated. Are there plans to simplify the MSP tree, or at least clarify the required structure in the notes? These limitations were only found when combing through the library code.
[1] github.com/hyperledger/fabric-ca/lib/client.go
[2] github.com/hyperledger/fabric-sdk-go/pkg/msp/filecertstore.go
[3] github.com/hyperledger/fabric-sdk-go/pkg/msp/certfileuserstore.go

Ferrymania (Tue, 28 Aug 2018 15:09:57 GMT):
@jvsclp Thanks a ton, the method is so useful. What I want is to show an ID; for example, when you register on Bitcoin or Ethereum, you would be given a public key and a private key. In my application, if I want to show something to prove the user identity, which part can I use?

jvsclp (Tue, 28 Aug 2018 16:06:39 GMT):
@Ferrymania The cert.pem is the public certificate. In the msp folder there is another folder named keystore. This is the location of the private key for the corresponding cert.pem. The private key will be named with some hash and appended with _sk. You can rename the secret key. I choose to rename both my cert.pem and my hash_sk to correspond to one another. I have a feature request to allow the fabric-ca-client to specify the name of the generated certificate, if you want to vote on it here: https://jira.hyperledger.org/browse/FABC-707

kjroger94 (Tue, 28 Aug 2018 16:54:24 GMT):
are there some keys or certificate that every peer should have of every other peer?

xiven (Tue, 28 Aug 2018 16:56:56 GMT):
Has joined the channel.

xiven (Tue, 28 Aug 2018 17:03:42 GMT):
I'm running a separate CA Server, not dockerized, and I'm trying to figure out at a minimum what I need to generate in order to satisfy an instantiation policy. This is a test environment so I am not using TLS. I bootstrapped the fabric-ca-server, set my values in the fabric-ca-server-config.yaml, which I think are all set correctly, and then enrolled the admin user, then registered and enrolled the orderer and peers. The orderer is registered as id.type orderer and the peers as id.type peer. Is there anything else needed to get this to satisfy the instantiation policy?

jvsclp (Tue, 28 Aug 2018 17:11:55 GMT):
@kjroger94 You shouldn't need any of the keys or certificates of other peers. You definitely would not want to share the private key. That being said, the peer node must have access to the certificate authority root or intermediate certificates and corresponding TLS certificates to allow a peer to validate another's identity on a channel.

jvsclp (Tue, 28 Aug 2018 17:14:41 GMT):
@xiven You should be good to generate a genesis block if you believe everything is set up correctly and there's nothing you've written that raises a red flag. The minimum needed to generate a genesis block is just the orderer identity. It's easier to have the other entities of the network configured for inclusion in the genesis block, but that's all you need.

xiven (Tue, 28 Aug 2018 17:19:15 GMT):
@jvsclp I don't seem to have trouble generating the genesis block. It's only when I get to the peer commands that I start having issues, and it really seems like I don't have something in place properly as far as the certs and artifacts are concerned. I referenced in the BYFN example how the certs are generated using the cryptogen tool, but the end results of the folder structure and the keys and certs that are generated look different than what I generated. That's why I'm thinking that I'm missing a step or something that is causing the policy to not be satisfied.

kjroger94 (Tue, 28 Aug 2018 17:32:29 GMT):
@jvsclp so I should have the TLS certs of all other peers? Where do I place them and which env variable should be set for this?

jvsclp (Tue, 28 Aug 2018 18:20:00 GMT):
@kjroger94 You don't need the peer TLS certificates either, just the certificate authority's certificate used to issue each peer's TLS cert. The node is looking for a chain of trust showing that the peer/orderer/user identity is valid. You just need the certificates that were used to build the chain of trust, not the peer/orderer/user identity. I feel the hyperledger docs do a pretty decent job here in explaining how to set up a node's directory to validate identities: https://hyperledger-fabric.readthedocs.io/en/release-1.2/msp.html#

jvsclp (Tue, 28 Aug 2018 18:24:19 GMT):
@xiven Since you're referencing BYFN, when you say peer commands do you mean joining the peers to a channel similar to https://hyperledger-fabric.readthedocs.io/en/release-1.2/build_network.html#create-join-channel ?

xiven (Tue, 28 Aug 2018 18:29:54 GMT):
@jvsclp `peer channel create` is where I start running into issues

xiven (Tue, 28 Aug 2018 18:32:53 GMT):
So I just registered a new set of users for the orderer and peers. I'm going to copy the msp dir over to the orderer and peer servers. Then generate the genesis block and channel tx file. Then I'll start the orderer and peer node. Then at that point I'll attempt to create the channel. Is this workflow correct?

jvsclp (Tue, 28 Aug 2018 19:09:03 GMT):
@xiven The mspdir does not matter to the orderer and peer servers. Once the certificates are issued, as long as you provide the certificate authority root certificates to the mspdir for the orderer and peer, the certificate authority servers are essentially done. The certificate servers do not interact with the channel at all. So, as long as you set up your mspdir following the documentation here: https://hyperledger-fabric.readthedocs.io/en/release-1.2/msp.html#msp-setup-on-the-peer-orderer-side and point your environment variables to the correct locations for the respective node, you should be able to run `peer channel create`. I hope that helps, and if it doesn't work come back with the error information to help better pin down the problem.

xiven (Tue, 28 Aug 2018 19:36:30 GMT):
@jvsclp
```
2018-08-28 19:22:55.326 UTC [cauthdsl] func2 -> DEBU 1f2 0xc42000e078 principal evaluation succeeds for identity 0
2018-08-28 19:22:55.326 UTC [cauthdsl] func1 -> DEBU 1f3 0xc42000e078 gate 1535484175325542760 evaluation succeeds
2018-08-28 19:22:55.326 UTC [policies] Evaluate -> DEBU 1f4 Signature set satisfies policy /Channel/Application/DevOrgMSP/Writers
2018-08-28 19:22:55.326 UTC [policies] Evaluate -> DEBU 1f5 == Done Evaluating *cauthdsl.policy Policy /Channel/Application/DevOrgMSP/Writers
2018-08-28 19:22:55.326 UTC [policies] Evaluate -> DEBU 1f6 Signature set satisfies policy /Channel/Application/Writers
2018-08-28 19:22:55.326 UTC [policies] Evaluate -> DEBU 1f7 == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Application/Writers
2018-08-28 19:22:55.326 UTC [policies] Evaluate -> DEBU 1f8 Signature set satisfies policy /Channel/Writers
2018-08-28 19:22:55.326 UTC [policies] Evaluate -> DEBU 1f9 == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Writers
2018-08-28 19:22:55.326 UTC [common/configtx] addToMap -> DEBU 1fa Adding to config map: [Group] /Channel
2018-08-28 19:22:55.326 UTC [common/configtx] addToMap -> DEBU 1fb Adding to config map: [Group] /Channel/Application
2018-08-28 19:22:55.326 UTC [common/configtx] addToMap -> DEBU 1fc Adding to config map: [Group] /Channel/Application/DevOrg2MSP
2018-08-28 19:22:55.326 UTC [common/configtx] addToMap -> DEBU 1fd Adding to config map: [Group] /Channel/Application/DevOrg1MSP
2018-08-28 19:22:55.326 UTC [common/configtx] addToMap -> DEBU 1fe Adding to config map: [Value] /Channel/Consortium
2018-08-28 19:22:55.326 UTC [orderer/common/broadcast] Handle -> WARN 1ff [channel: devchannel] Rejecting broadcast of config message from 192.122.206.182:35524 because of error: error authorizing update: error validating ReadSet: readset expected key [Group] /Channel/Application at version 0, but got version 1
```

xiven (Tue, 28 Aug 2018 19:37:10 GMT):
So it looks as if some of it is working up to a certain point. I'm not sure at what point it is failing.

jvsclp (Tue, 28 Aug 2018 20:14:59 GMT):
It's the last error that's the key. Did you run BYFN with the same channel name? The output is telling you your channel is ahead by a version, so you started the channel earlier somewhere. Make sure you're in the first-network directory and try `./byfn.sh down`. Then give it another go.

xiven (Tue, 28 Aug 2018 20:22:48 GMT):
I'm not running byfn. I was only looking at that example as a reference point. How could it be created already if I haven't created a channel yet?

jvsclp (Tue, 28 Aug 2018 20:49:00 GMT):
@xiven Yes, you are not running byfn. Did you run byfn at some point in the past using your chosen channel name? Your error, that line that says "WARN", is referencing a channel that already exists. Sometimes the byfn errors out and leaves an artifact that must be cleaned up. Otherwise, you have a channel designated somewhere from an earlier attempt that has to be removed. Have you tried setting up a channel with a completely different channel name?

xiven (Tue, 28 Aug 2018 20:51:42 GMT):
@jvsclp when I do that I get `Invalid channel create transaction : mismatched channel ID devchannel != coretestchannel`

xiven (Tue, 28 Aug 2018 20:52:34 GMT):
How do I clear out the old channel?

jvsclp (Tue, 28 Aug 2018 21:16:51 GMT):
The configuration for the channel should be stored in the same folder as your genesis.block, as channel.tx. If you delete that file and anything generated after it, that should get rid of the old channel, since there is no network running. Then you can run configtxgen to create the channel topology from the genesis block, as the genesis block does not change.

xiven (Tue, 28 Aug 2018 21:30:16 GMT):
still same error after doing that `readset expected key [Group] /Channel/Application at version 0, but got version 1`

jvsclp (Tue, 28 Aug 2018 21:43:17 GMT):
@xiven I'm out of ideas, since it seems your certificate paths are correct as you're able to generate a genesis block and run configtxgen. It seems you have a channel artifact somewhere, and since you never ran byfn I don't know where it's coming from. The fabric-questions channel or Stack Overflow will probably be able to provide better help.

xiven (Tue, 28 Aug 2018 21:55:53 GMT):
ok thanks for all your help on this

AbhinayB (Wed, 29 Aug 2018 05:08:19 GMT):
Has joined the channel.

gravity (Wed, 29 Aug 2018 16:03:33 GMT):
Has joined the channel.

gravity (Wed, 29 Aug 2018 16:04:01 GMT):
Hi all, I'm trying to figure out how to get the admin certificates from the CA (the special admin who can create channels and install chaincode), because for now I see the only way is to load them from disk/db (like it is done in End2EndIT.java), and I just want to know if there is any way to retrieve them from a CA?

skarim (Wed, 29 Aug 2018 17:34:33 GMT):
@gravity Have you seen the fabric-ca-client command to list certificates? Please see the doc https://hyperledger-fabric-ca.readthedocs.io/en/release-1.2/users-guide.html#manage-certificates. I think this part is of interest to you: `fabric-ca-client certificate list --id admin --store msp/admincerts`

skarim (Wed, 29 Aug 2018 17:34:33 GMT):
@gravity https://gerrit.hyperledger.org/r/c/25957/ Have you seen the fabric-ca-client command to list certificates? Please see the doc https://gerrit.hyperledger.org/r/c/25957/. I think this part is of interest to you: `fabric-ca-client certificate list --id admin --store msp/admincerts`

JuanSuero (Thu, 30 Aug 2018 01:50:47 GMT):
Has joined the channel.

JuanSuero (Thu, 30 Aug 2018 01:51:36 GMT):
When I do `fabric-ca-client enroll -u http://admin2:adminpw@localhost:7054`, even inside the container, I get an error: Post http://localhost:7054/enroll: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"

parsiya (Thu, 30 Aug 2018 04:23:06 GMT):
@JuanSuero What example are you running? `0x15 03 01` is the start of an `ALERT` message in TLS 1.0 (`0x15` means alert and `03 01` means TLS 1.0). Are you perhaps trying to connect to a CA that is running TLS? Try `fabric-ca-client enroll -u https://admin2:adminpw@localhost:7054` (note `https` instead of `http`)

yulong12 (Thu, 30 Aug 2018 06:55:37 GMT):
Has joined the channel.

yulong12 (Thu, 30 Aug 2018 06:57:08 GMT):
Hi everyone. I want to add a CA to an already launched Fabric network, but I don't know how to do it. Who can help me?

crazyxrp (Thu, 30 Aug 2018 07:28:57 GMT):
Has joined the channel.

crazyxrp (Thu, 30 Aug 2018 07:31:23 GMT):
Hello everyone, I'm running the Fabric CA server in a cluster, and I want to connect to the Postgres on another host. What should I do? Could anyone help me?

gravity (Thu, 30 Aug 2018 07:46:15 GMT):
@skarim and how, in this case, do I create a new admin? And who will be the registrar of the new admin?

AbhinayB (Thu, 30 Aug 2018 09:55:04 GMT):
Hi. I have a doubt regarding the affiliation set by the fabric-ca for a node/user. How do we set the affiliation to an organization named "supply"? Or should the affiliation always be "org1", "org2", etc.?

GuillaumeTong (Thu, 30 Aug 2018 10:23:58 GMT):
Hello everyone. I was testing the behavior of a peer after it has been revoked and after the crl has been updated onto the channel. As expected, the peer can no longer be used to make successful transactions, but there are a few unexpected things:

GuillaumeTong (Thu, 30 Aug 2018 10:26:00 GMT):
- The peer still receives gossip from other peers. This does not seem ideal if we imagine that the peer was revoked because it has been compromised. Is there any way to prevent other peers from sending gossip to it? The same would apply to orderers sending blocks to it.

GuillaumeTong (Thu, 30 Aug 2018 10:31:08 GMT):
- The peer can still go through the endorsement process and orderers will NOT reject the transaction proposal. The transaction is only marked as not valid once validating peers verify it before committing. I would have thought that the orderer might just drop communications entirely with revoked peers.

AbhinayB (Thu, 30 Aug 2018 11:06:04 GMT):
Got the answer. All I had to do was add an affiliation using the fabric-ca-client binary and then register users or nodes to that affiliation!

mharris (Thu, 30 Aug 2018 11:57:59 GMT):
Has joined the channel.

jayeshjawale95 (Thu, 30 Aug 2018 12:18:21 GMT):
Hello everyone, I am running Hyperledger Fabric on Kubernetes without a CA server. It's working fine for installing chaincode, invoke, query, channel creation etc. through the cli container, but when I use the Node SDK for installing chaincode, it throws the following error:
```
E0830 08:17:03.265071344 38 ssl_transport_security.cc:989] Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.
error: [Remote.js]: Error: Failed to connect before the deadline
error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: Failed to connect before the deadline
    at checkState (/geotrade-node/node_modules/grpc/src/client.js:838:16)
error: [Remote.js]: Error: Failed to connect before the deadline
error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: Failed to connect before the deadline
    at checkState (/geotrade-node/node_modules/grpc/src/client.js:838:16)
error: proposalResponses.toJSON is not a function level=error,
info: ::1 - - [30/Aug/2018:08:17:03 +0000] "POST /slas/134/accept HTTP/1.1" 400 55 "-" "curl/7.61.0"
```

jvsclp (Thu, 30 Aug 2018 13:57:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=f62naR8MS64LXykyn) @JuanSuero It sounds like you have TLS configured on your server, which uses https, but are trying to use http with the client.

jdfigure (Thu, 30 Aug 2018 17:37:49 GMT):
Has joined the channel.

JuanSuero (Thu, 30 Aug 2018 17:42:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aBS2eexMi4iDpPpDL) @jvsclp hey, I figured it out. It's a very involved process if you just have the fabric-samples first-network installed. The first step is, as you said, using https in the URL. The next step is to provide values for `--tls.certfiles`, `--tls.client.certfile` and `--tls.client.keyfile`. Finally, the domain has to be a FQDN that matches the one in the certificate, so ca.org1.example.com has to resolve to the IP of either the VM running your containers or the docker container running the CA, so it comes down to hacking the /etc/hosts files to make that work.

GuillaumeTong (Fri, 31 Aug 2018 01:17:46 GMT):
About my statements earlier, is there any way to entirely cut off a peer from the network? Prevent it from getting the gossip block and block its requests as soon as possible?

nfrunza (Fri, 31 Aug 2018 16:24:38 GMT):
Has left the channel.

JuanSuero (Sun, 02 Sep 2018 14:48:26 GMT):
Trying to figure out how to run multiple CA processes on entirely different hosts. Some of it is simple, like 1. run `fabric-ca-server start` on a different machine and 2. make sure ca2.org1.mydomain.com resolves from my DNS. But then there's the fabric-ca-server-config.yaml file and how it lines up with crypto-config. I see a ca.org1.example.com.pem. Do I need a ca1... and ca2.pem? Also, is there a particular reason the Fabric CA documentation only sets up multiple CAs on the SAME machine and not different ones? https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#setting-up-a-cluster I've got my MySQL cluster set up and ready to go on two KVM hosts. Now I'm just trying to understand how to run the CA server process on those two hosts and put a load balancer in front. I guess I'll just copy and paste the ca.org1.example.com: docker-compose section to ca2.org1.example.com, then change both the command stanzas to include the appropriate bootstrap command like so: `--db.type mysql --db.datasource root:xxxxx@tcp(ca2.org1.example.com:3306)/fabric-ca?parseTime=true&tls=custom` and keep everything else the same, even the FABRIC_CA_SERVER_CA_NAME=ca.org1.example.com, because I'm thinking this is a logical thing not related to DNS exactly. One thing I'm expecting to fail is any call to run fabric-ca-client, because it seems the TLS communication will be picky with me trying to hit ca2.org1 with certificate files corresponding to a ca.org1. Maybe the load balancer can help here and make everything look like calls to ca.org1.

JuanSuero (Mon, 03 Sep 2018 00:17:23 GMT):
OK, I've got a 2-node MySQL cluster running. On node1 I start my fabric-ca-server docker container with `... sh -c 'fabric-ca-server start --db.type mysql --db.datasource "root:xxxxx@tcp(mysqlca.org1.example.com:3306)/fabric_ca"` and when I query node1's MySQL I see the database fabric_ca and a couple of tables. GREAT! But then when I query node2 I just see the database but no tables? Not sure how to make sense of that. For more clarity see: https://hyperledger-fabric-ca.readthedocs.io/en/latest/_images/fabric-ca.png

Sreesha (Mon, 03 Sep 2018 09:29:04 GMT):
On the peer instantiate command I am getting the new chaincode docker container up, but while checking the instantiated chaincodes in mychannel it is showing none. At the peer the following log is shown:
```
2018-09-03 09:04:20.405 UTC [chaincode] Execute -> DEBU 1b6c Exit
2018-09-03 09:04:20.405 UTC [endorser] callChaincode -> DEBU 1b6d [mychannelnew][04c4f8e6] Exit
2018-09-03 09:04:20.405 UTC [endorser] endorseProposal -> DEBU 1b6e [mychannelnew][04c4f8e6] Exit
2018-09-03 09:04:20.405 UTC [lockbasedtxmgr] Done -> DEBU 1b6f Done with transaction simulation / query execution [04c4f8e604bd10791c816338386e0c8e52196e0a89c56a11a201db840770485b]
2018-09-03 09:04:20.405 UTC [endorser] ProcessProposal -> DEBU 1b70 Exit: request from%!(EXTRA string=10.53.17.70:34546)
```
and on invoking the chaincode the following error is thrown:
```
Error: error endorsing invoke: rpc error: code = Unknown desc = make sure the chaincode mycc2 has been successfully instantiated and try again: could not find chaincode with name 'mycc2' - proposal response:
```

Sreesha (Mon, 03 Sep 2018 10:12:37 GMT):
These are the orderer logs:
```
018-09-03 10:05:39.108 UTC [orderer/common/broadcast] Handle -> WARN 3c65 Error reading from 172.18.0.3:41546: rpc error: code = Canceled desc = context canceled
```

Sreesha (Mon, 03 Sep 2018 12:38:34 GMT):

ordererlogfromserverafterinstantiate.png

Sreesha (Mon, 03 Sep 2018 12:41:13 GMT):

ordererlogs.png

Sreesha (Mon, 03 Sep 2018 12:41:54 GMT):
This is what i get after chaincode instantiation

1234 (Mon, 03 Sep 2018 12:56:30 GMT):
Can you check the TLS certificate in the orderer or peer?

Sreesha (Tue, 04 Sep 2018 03:38:29 GMT):
Yes, it's correct, or else channel creation should have failed, right?

ArianStef (Tue, 04 Sep 2018 09:14:19 GMT):
Has joined the channel.

ArianStef (Tue, 04 Sep 2018 09:20:44 GMT):
Hi! I would like to know what the advantages are of using Fabric CA instead of the cryptogen tool. Thank you

skarim (Tue, 04 Sep 2018 13:40:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=e7rcEWXjjAPNQJygi) @ArianStef Cryptogen is meant for test environments. Fabric CA has more capabilities, as in it can revoke certificates, it can put attributes in certificates, which allows for attribute-based access control in chaincode, and it can manage identities. I would take a glance at the CA user's guide. https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html

ArianStef (Tue, 04 Sep 2018 15:44:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mcdPG2k8Lo7c6D8rE) @skarim thank you skarim. I have studied that guide but I still have some doubts. 1) If I would like to add a new peer, I generate the cryptographic material with the Fabric CA server/client in a similar way to how they do it here with cryptogen (https://hyperledger-fabric.readthedocs.io/en/release-1.2/channel_update_tutorial.htm) and then with the CLI or some SDK I add the peer to the channel and install the chaincode etc. etc. Is this process right? 2) Will the Fabric CA server and Fabric CA client run in parallel with my application (CLI or SDK API) all the time? Thank you and sorry for my bad English

skarim (Tue, 04 Sep 2018 17:23:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RQPzHkMdKa8upvv9N) @ArianStef 1) Yes, that is the correct process. 2) The CA server doesn't need to be running all the time if you don't want. The only time you need an instance of a CA server running is when you need to generate the crypto material.

rodolfoleal (Tue, 04 Sep 2018 18:48:59 GMT):
Has joined the channel.

iramiller (Tue, 04 Sep 2018 22:11:43 GMT):
Has joined the channel.

tlee38 (Wed, 05 Sep 2018 04:59:45 GMT):
Has joined the channel.

AbhinayB (Wed, 05 Sep 2018 09:39:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=j7TZSo6o5YcWtuNj5) @skarim Doesn't fabric CA help to generate certificates efficiently in a distributed environment? Using a cryptogen, we would need to generate all of the certificates in a single system and copy it to all the systems of the distributed network, which beats the idea of security in the first place. This is the major difference. Am I right?

ArianStef (Wed, 05 Sep 2018 09:43:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kP7pjt8eFCNzYfw2n) @AbhinayB Do you know if it is possible to use the Node.js SDK without Fabric CA?

jvsclp (Wed, 05 Sep 2018 16:07:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kP7pjt8eFCNzYfw2n) @AbhinayB You're right about fabric-ca generating certificates in a distributed environment and how cryptogen works. However, once the certificates have been generated the certificate authority servers are done with their work. The certificates provide all the information necessary to provide root of trust. There is no check-in with the certificate server for an identity. You can bring the certificate authority server up or take the server down and it will not affect the validity of the generated certificates. I hope that helps.

AbhinayB (Thu, 06 Sep 2018 04:22:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=d5pbxFSKYf83N6ewH) @jvsclp Thanks for the reply! That was immensely helpful! I have another doubt. In a distributed environment, if the certificates are all spread, how do we generate the genesis block? When I try to do that in a remote system using configtxgen, it expects the admincerts of all the organizations in the consortium. So how do we fetch these admincerts without manually transferring from one remote system to another?

Subhankar 3 (Thu, 06 Sep 2018 05:57:05 GMT):
Has joined the channel.

Sreesha (Thu, 06 Sep 2018 06:19:19 GMT):
Can an organisation admin query another organisation's peer?

mastersingh24 (Thu, 06 Sep 2018 09:02:33 GMT):
@Sreesha - yes ... for invoking and querying chaincode for channels both orgs are part of

Sreesha (Thu, 06 Sep 2018 09:09:34 GMT):
But I am getting an error like this:

Sreesha (Thu, 06 Sep 2018 09:10:20 GMT):

Clipboard - September 6, 2018 2:46 PM

Sreesha (Thu, 06 Sep 2018 09:13:37 GMT):
What is the actual role of an organisation admin?

RockyRacer (Thu, 06 Sep 2018 09:45:36 GMT):
Can we hot-modify the configuration (fabric-ca-server-config.yaml), or do we have to restart the server/container each time?

aambati (Thu, 06 Sep 2018 11:04:27 GMT):
@RockyRacer you have to restart the server

aambati (Thu, 06 Sep 2018 11:07:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PgstBvJaqiMBJCAzd) @Sreesha What do you mean by organization admin? Are you referring to users whose certs are in the admincerts section of the MSP in the bootstrap channel config?

RockyRacer (Thu, 06 Sep 2018 11:11:01 GMT):
Indeed, works after restarting, thanks

Sreesha (Thu, 06 Sep 2018 11:24:15 GMT):
@aambati Yes, I am referring to the user with admin rights

HoneyShah (Thu, 06 Sep 2018 11:34:02 GMT):
Has joined the channel.

jvsclp (Thu, 06 Sep 2018 14:10:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=C9cm6FmyKu6KmEg4M) @AbhinayB Transferring the admin certificates or any of the generated cert.pem certificates is not a security problem. Those certificates are public certificates and meant to be shared and transferred. It is the secret key in the generated keystore folder that should not be transferred without significant precautions.

toddinpal (Thu, 06 Sep 2018 14:18:08 GMT):
Is there complete documentation anywhere for the contents of configtx.yaml? I know about the sample one, but it's a little thin on documentation.

tylerwince (Thu, 06 Sep 2018 15:42:50 GMT):
Has joined the channel.

jvsclp (Thu, 06 Sep 2018 16:58:42 GMT):
I am running into an issue in the process to install and instantiate chaincode on a peer node with fabric v1.2.0. When I attempt to stand up the node I receive an error: `ERRO 035 Cannot run peer because error when setting up MSP of type bccsp from directory path/to/directory/msp: The supplied identity is not valid: x509: certificate signed by unknown authority` I generated the certificates using fabric-ca server and client. The certificate chain runs from a self-signed root certificate authority (CA) to an intermediate-CA to the peer identity certificate and I verified it in openssl using: `openssl verify -CAfile certauthority-chain.pem peer-cert.pem` which returns OK. The membership service provider structure is set up in accordance with how to set up a local MSP for a peer node with the root CA in the cacerts folder, the intermediate CA in the intermediatecerts folder, and the peer certificate in the signcerts folder. I'm stumped why I am receiving this error and any help would be greatly appreciated.

jvsclp (Thu, 06 Sep 2018 17:00:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8wy8mKb2QrKekLEGW) @toddinpal You're referencing https://hyperledger-fabric.readthedocs.io/en/release-1.2/commands/configtxgen.html correct?

toddinpal (Thu, 06 Sep 2018 17:10:57 GMT):
@jvsclp Yes

jvsclp (Thu, 06 Sep 2018 17:12:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hNmekodEo6ycvjE3x) @toddinpal Between the file and the documentation I linked that's all I am aware of.

toddinpal (Thu, 06 Sep 2018 17:47:34 GMT):
@jvsclp That's unfortunate as I believe the function is hardly usable without more documentation

jvsclp (Thu, 06 Sep 2018 17:49:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iDYL5gtGv2JEpREia) @toddinpal What are you trying to accomplish with the file?

toddinpal (Thu, 06 Sep 2018 17:58:56 GMT):
@jvsclp I want to understand the details of the fine grained access control mechanism introduced in Fabric 1.2

jvsclp (Thu, 06 Sep 2018 19:16:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8Wsxux6qEEKxggFbf) @toddinpal Have you checked here? https://hyperledger-fabric.readthedocs.io/en/release-1.2/access_control.html

toddinpal (Thu, 06 Sep 2018 19:44:47 GMT):
@jvsclp That helps, but I'm not sure I would call that a reference, especially as to what exactly can be in configtx.yaml

jvsclp (Thu, 06 Sep 2018 19:59:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zArTyobAnMteb4upB) @toddinpal I think we may be looking at two different versions of the configtx.yaml because the yaml linked on that page seems pretty extensive with respect to all the properties available for access control lists. If you have looked here: https://github.com/hyperledger/fabric/blob/release-1.2/sampleconfig/configtx.yaml and this is the version you're referencing then I have nothing more to offer.

jrosmith (Thu, 06 Sep 2018 20:57:32 GMT):
Hey all, is there an example of defining a custom attribute to be used in ABAC for an LDAP-backed CA?

jrosmith (Thu, 06 Sep 2018 20:57:51 GMT):
I'm stuck on figuring out how to template the LDIF file

toddinpal (Fri, 07 Sep 2018 00:11:17 GMT):
@jvsclp Sorry, but I don't see in that document a description of many things. Sure it shows an example of OR(), but no explanation. There isn't even an example of AND, which I "assume" exists. You can't call a sample a reference.

aatkddny (Fri, 07 Sep 2018 00:11:35 GMT):
Has joined the channel.

aatkddny (Fri, 07 Sep 2018 00:12:19 GMT):
So this just reared its head with the CA (using MySQL). Fresh start for both DB and CA. It seems to have made the ca-server unreachable too, since I'm now getting a connection refused from it.
```
2018/09/07 00:01:12 [DEBUG] Cleaning up expired nonces for CA 'mca'
2018/09/07 00:01:12 [ERROR] Failed to remove expired nonces from DB for CA 'mca': Error 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?)' at line 1
2018/09/07 00:01:12 [ERROR] Failed to deleted expired nonces from DB for CA mca: Failed to remove expired nonces from DB
```
Any easy fix I can do, or am I going to be doing the delete-the-databases-and-restart shuffle? Fortunately it's a dev install.

dsanchezseco (Fri, 07 Sep 2018 07:44:34 GMT):
Hi! I'm having trouble starting a CA and an intermediate CA when using TLS. The CA and ICA start went okay, but when I start the peer it crashes because the ICA cert is missing the `subject key identifier` from the extensions section, and checking the cert with openssl I also see that the `basic constraints` section has `CA:False` when it should be true. I'm creating both CA and ICA with the config in the `config.yaml` rather than with params, and using the self-signed certs. Previously with the same process I had no problem, but with TLS the peer reports that (the only addition is the recovery of the ICA TLS pem, so it should not interfere...). Thanks in advance

dsanchezseco (Fri, 07 Sep 2018 07:52:53 GMT):
Could it be related to this? `Extensions in certificates are not transferred to certificate requests and vice versa.` (https://www.openssl.org/docs/man1.1.0/apps/x509.html#BUGS)

Sreesha (Fri, 07 Sep 2018 09:11:56 GMT):
If org1 peers are down,can a user of org2 query org1 peers?

dsanchezseco (Fri, 07 Sep 2018 09:16:29 GMT):
@Sreesha it should be able to query, invoke depends on the endorsement policy...

Sreesha (Fri, 07 Sep 2018 09:38:33 GMT):
@dsanchezseco so a signature mismatch won't happen?

dsanchezseco (Fri, 07 Sep 2018 09:51:59 GMT):
As long as the peer has the root CA of the other org it should be able to verify the cert and perform the query (I think, I haven't tested it yet)

skarim (Fri, 07 Sep 2018 12:56:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oTReGxswz7Zbi67tA) @aatkddny This is a bug in v1.2, it should not actually cause any negative impact as this functionality is related to idemix and idemix is not enabled in v1.2. If you get the latest code from github, this error is fixed.

skarim (Fri, 07 Sep 2018 12:58:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pF6PtHetBqW69z2fi) @dsanchezseco I don't understand how starting a peer is related to the ICA cert. Are you saying that the peer got a TLS certificate from the intermediate CA, and this cert has issues with it?

jrosmith (Fri, 07 Sep 2018 13:46:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NpMq4EoEfyytaiYYw) following up for visibility

aatkddny (Fri, 07 Sep 2018 14:36:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gze46sc3uBEG85TNZ) I'm pulling the images for 1.2. Do you happen to know if they were updated? I have flat zero desire to build this thing. I have way better uses for my time.

skarim (Fri, 07 Sep 2018 15:01:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Ao5ANZ6n2Z7MzFDSC) @aatkddny No, it is not fixed in 1.2. But, as I mentioned the server should start up and operate fine.

aatkddny (Fri, 07 Sep 2018 15:05:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Rb8ENagfKrYBY5Fzu) It doesn't. As I said it throws a `connection refused`. Otherwise I wouldn't have cared.

jvsclp (Fri, 07 Sep 2018 15:59:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dBcwk634MZnq8dG6J) I'm still working through this issue, but I have found it would be really helpful when you are trying to stand up the channel for the first time and there is a certificate error if the error message would pass the offending certificate's file name or directory location rather than the public key.

jvsclp (Fri, 07 Sep 2018 17:45:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dBcwk634MZnq8dG6J) I figured out the problem by looking through each of the public certificates in the MSP directory. The problem was not the peer certificate or the chain of trust, but Hyperledger was looking for the TLS root certificate authority in the cacerts folder of the membership service providers directory for the peer since it was used to issue the TLS administrator's certificate.

jvsclp (Fri, 07 Sep 2018 17:45:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dBcwk634MZnq8dG6J) I figured out the problem by looking through each of the public certificates in the MSP directory. The problem was not the peer certificate or the chain of trust, but Hyperledger was looking for the TLS root certificate authority in the intermediatecerts folder of the membership service providers directory for the peer since it was used to issue the TLS administrator's certificate. So I copied the TLS certificate authority's signing certificate from the tlsintermediatecerts to the intermediatecerts folder and that error was resolved.

jvsclp (Fri, 07 Sep 2018 17:45:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dBcwk634MZnq8dG6J) I figured out the problem by looking through each of the public certificates in the MSP directory. The problem was not the peer certificate or the chain of trust, but Hyperledger was looking for the intermediate TLS certificate authority's public certificate in the intermediatecerts folder of the membership service providers directory for the peer since it was used to issue the TLS administrator's certificate. So I copied the TLS certificate authority's signing certificate from the tlsintermediatecerts to the intermediatecerts folder and that error was resolved.

DattaPatil (Fri, 07 Sep 2018 18:07:10 GMT):
Has joined the channel.

AbhinayB (Sat, 08 Sep 2018 04:10:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wE5DRTo2AfdfyoT7x) @jvsclp Thank you for clarifying! Is there a method to share and transfer these public certificates across remote systems? For example, I came across the command provided in v1.2: `fabric-ca-client certificate list --id admin`. Was there a command similar to this in v1.0 or v1.1? Or is this a new addition?

yousaf (Sat, 08 Sep 2018 14:29:15 GMT):
Has joined the channel.

raviyelleni (Sun, 09 Sep 2018 03:13:59 GMT):
Has joined the channel.

skarim (Sun, 09 Sep 2018 23:07:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wzdtHrSTiLjd8EWqi) @AbhinayB the certificate command was not available in 1.0 or 1.1, it was added in 1.2

AbhinayB (Mon, 10 Sep 2018 04:15:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hJRRJ8cHJzC3S9TZL) @skarim Thank you for the reply! I think it's a good addition, as it helps to fetch certificates in a distributed system and create the genesis block.

dsanchezseco (Mon, 10 Sep 2018 09:13:34 GMT):
@skarim It seems that when the peer starts it checks the ICA cert in its MSP and, as the cert was malformed, the peer doesn't accept it and fails to start. The ICA cert has been generated automatically when connecting to the root CA with `-u parent_creds@parent_url`. Comparing the certs of the ICA and the ones generated with cryptogen, I see that the ICA's is missing the field the peer is reporting, while the one from cryptogen has it, as does the RCA. Comparison of the RCA and its ICA:
```
╰╴ $ diff <(openssl x509 -in cacerts/ca.org1.example.com-cert.pem -text -noout) <(openssl x509 -in /tmp/vol18/msp/intermediatecerts/ica-peers-solution-a-org0-7054.pem -text -noout)
5c5
< cb:82:af:5d:78:51:b6:be:91:01:33:c6:08:8d:d1:73
---
> 7d:b6:ad:17:6e:34:b8:10:71:10:97:19:73:9b:ae:ab:ae:d3:e5:07
7c7
< Issuer: C = US, ST = California, L = San Francisco, O = org1.example.com, CN = ca.org1.example.com
---
> Issuer: C = c, ST = state, L = location, O = org0, OU = root, CN = rca-org0
9,11c9,11
< Not Before: Sep 4 08:01:56 2018 GMT
< Not After : Sep 1 08:01:56 2028 GMT
< Subject: C = US, ST = California, L = San Francisco, O = org1.example.com, CN = ca.org1.example.com
---
> Not Before: Sep 10 08:53:00 2018 GMT
> Not After : Sep 9 08:58:00 2023 GMT
> Subject: C = c, ST = state, L = location, O = org0, OU = client + OU = org0, CN = rca-org0
16,20c16,20
< 04:37:88:f0:89:1f:6e:f2:df:96:8b:86:5d:d7:8f:
< e9:b5:04:04:70:23:7b:70:f5:ca:3b:ef:48:cf:cc:
< 24:38:19:70:6a:1f:b5:db:f1:63:c2:c9:37:c9:22:
< 46:a6:0c:00:5e:9d:2b:99:8e:7d:bd:a7:4b:32:b5:
< f2:e3:d9:18:c8
---
> 04:fb:22:0a:3a:a2:5f:34:0c:ab:f3:f5:d9:0f:87:
> 5f:a3:56:96:98:d0:06:8a:29:97:a2:99:fb:31:f7:
> 95:df:9f:e1:16:db:70:d7:1e:44:fb:21:fa:c4:e0:
> a8:ed:da:b0:be:41:64:56:9b:d8:27:56:aa:c7:b0:
> 89:0d:38:88:ba
25,27c25
< Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
< X509v3 Extended Key Usage:
< Any Extended Key Usage
---
> Certificate Sign, CRL Sign
29c27
< CA:TRUE
---
> CA:TRUE, pathlen:1
31c29,32
< 89:9B:24:35:27:C2:1E:9E:9A:5A:2B:A3:C8:DC:74:42:93:02:DE:E0:72:F6:3C:C5:E2:49:60:B5:5D:AA:72:29 # HERE IS THE MAIN DIFFERENT, THE LENGTH OF "X509v3 Subject Key Identifier: "
---
> BE:0C:93:28:38:AC:4E:33:2C:03:48:E5:BD:EE:E3:DA:C7:0C:1B:B3 # WITH THIS ONE HERE
> X509v3 Authority Key Identifier:
> keyid:4D:6F:2B:C0:63:85:81:72:25:DB:3D:82:4C:97:51:CA:74:61:85:FE
>
33,36c34,37
< 30:45:02:21:00:9d:3c:e6:8f:c6:4d:a7:82:e7:01:7c:73:be:
< 27:2e:2a:a4:8e:d5:a2:f0:c2:2e:76:6b:a2:2e:92:e8:ca:28:
< 1f:02:20:72:f0:f3:82:38:a8:1f:27:b7:60:19:06:e3:71:69:
< 1a:e9:d6:14:4d:0a:43:ac:72:df:f9:36:6e:83:4c:e3:20
---
> 30:45:02:21:00:f8:82:f0:e3:ba:62:23:8f:2f:4b:7a:6f:2f:
> 53:d3:fe:e8:7c:63:8a:b5:96:65:af:c4:e9:b5:93:fb:f4:7c:
> 89:02:20:44:98:19:03:6b:d6:b6:70:19:4e:50:36:5c:77:02:
> d7:d0:ba:0f:51:71:71:7b:d7:d9:e9:92:45:b8:f9:33:42
```
Peer output about the error:
```
2018-09-10 09:10:35.314 UTC [main] main -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /var/hyperledger/msp: CA Certificate did not have the Subject Key Identifier extension, (SN: 652803852665371704773327088558343054411323027552)
```
I saw that OpenSSL has a bug related to that field in the x509 certs, which is that it is not copying that field to the generated cert. Now I'm going to try to remove the ICAs to see if the problem persists or not, to be sure it is related to the OpenSSL bug, and start digging in the CA source to check if I can figure something out (found this: https://security.stackexchange.com/questions/150078/missing-x509-extensions-with-an-openssl-generated-certificate)

dsanchezseco (Mon, 10 Sep 2018 09:13:34 GMT):
@skarim it seems that when the peer starts it checks the ICA cert in its MSP, and as the cert was malformed the peer doesn't accept it and fails to start. The ICA cert has been generated automatically when connecting to the root CA with the `-u parent_creds@parent_url`. Comparing the certs of the ICA and the ones generated with the cryptogen I see that the ICA's missing the field the peer is reporting while the one of cryptogen has it, as well as the RCA. Comparison of certs of ICA and cryptogen's RCA [full here](https://gist.github.com/dsanchezseco/496d8408a5cf5d00fbf6191a67c3efa1)
```
< 89:9B:24:35:27:C2:1E:9E:9A:5A:2B:A3:C8:DC:74:42:93:02:DE:E0:72:F6:3C:C5:E2:49:60:B5:5D:AA:72:29   # HERE IS THE MAIN DIFFERENCE, THE LENGTH OF "X509v3 Subject Key Identifier: "
---
> BE:0C:93:28:38:AC:4E:33:2C:03:48:E5:BD:EE:E3:DA:C7:0C:1B:B3   # WITH THIS ONE HERE
```
Peer output about the error:
```
2018-09-10 09:10:35.314 UTC [main] main -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /var/hyperledger/msp: CA Certificate did not have the Subject Key Identifier extension, (SN: 652803852665371704773327088558343054411323027552)
```
I saw that OpenSSL has a bug related to that field in the x509 certs, and it is that it is not copying that field to the generated cert. Now I'm going to try to remove the ICAs to see if the problem persists or not, to be sure it is related to the OpenSSL bug, and start digging in the CA source to check if I can figure something out (found this https://security.stackexchange.com/questions/150078/missing-x509-extensions-with-an-openssl-generated-certificate).
EDIT: never mind, the problem was the cert returned by `openssl s_client -connect ${CA_URL} < /scripts/allMightyQ.txt | openssl x509 -outform PEM > $TLS_CERT_NAME`, needed to get the certs from the CA when using TLS (injected in `--tls.certfiles ${TLS_CERT_NAME}`).
The cert wasn't signed by the CA, so that was the error, as I was keeping it in the folder along with the rightful one returned by `fabric-ca-client getcacert -u ${PROTOCOL}${CA_URL} -M $ORDERER_GENERAL_LOCALMSPDIR ${TLS_CERT:-}`

Larisaa (Mon, 10 Sep 2018 14:34:44 GMT):
Has joined the channel.

latitiah (Mon, 10 Sep 2018 22:20:03 GMT):
@skarim @smithbk I am seeing panics for the fabric-ca-orderer build (amd64-1.3.0-snapshot-0a5ff43) ``` 2018-09-10 14:56:12.795 UTC [orderer/commmon/multichannel] checkResourcesOrPanic -> CRIT 092 [channel behavesyschan] config requires unsupported channel capabilities: Channel capability V1_3 is required but not supported: Channel capability V1_3 is required but not supported panic: [channel behavesyschan] config requires unsupported channel capabilities: Channel capability V1_3 is required but not supported: Channel capability V1_3 is required but not supported ``` If I turn off V1_3 capability for the Channel and Application the panic goes away

smithbk (Tue, 11 Sep 2018 00:57:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=te25QebCQoJFZc3m4) @latitiah Do you have a stack trace, or point to where the logs are?

latitiah (Tue, 11 Sep 2018 02:34:20 GMT):
Yes, this is the orderer log: https://pastebin.com/TBNwiQ24 That said, it looks as though it's the build process. When building the fabric-ca-orderer (and fabric-ca-peer) it is based on the previous version which is v1.2. Here is what I see when building these images: https://pastebin.com/rq0Bnk52 Notice Step1/X is always referring to v1.2 of fabric-orderer/peer/...

latitiah (Tue, 11 Sep 2018 02:34:33 GMT):
@smithbk :^^^

latitiah (Tue, 11 Sep 2018 02:36:30 GMT):
For good measure, here is the peer log: https://pastebin.com/yAdDA8yL You can see that it indicates v1.2 as well

narendranathreddy (Tue, 11 Sep 2018 04:59:07 GMT):
Has joined the channel.

narendranathreddy (Tue, 11 Sep 2018 04:59:15 GMT):
hello guys

narendranathreddy (Tue, 11 Sep 2018 04:59:37 GMT):
In what case does the orderer reject a genuine TLS certificate?

narendranathreddy (Tue, 11 Sep 2018 05:00:01 GMT):
The TLS cert trusted by the orderer is being rejected when I make contact with the orderer.

david_dornseifer (Tue, 11 Sep 2018 08:53:47 GMT):
Hi just wondering, if I want to create a MSP for all my sub divisions in my company but all the sub division intermediate certs are derived from the same Root Cert Chain, do I run into any issues?

venzi (Tue, 11 Sep 2018 11:11:48 GMT):
Has joined the channel.

vikas.kundz (Tue, 11 Sep 2018 12:54:44 GMT):
Has joined the channel.

skarim (Tue, 11 Sep 2018 13:56:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=muP7RbXc7vyMnxtnv) @narendranathreddy What is the error you are getting?

skarim (Tue, 11 Sep 2018 13:57:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=H8Pj9vyTLQEzXWx7b) @david_dornseifer Should not run into any issues, this is a common topology where multiple intermediate CAs get certificate from a common root CA

rtorres (Tue, 11 Sep 2018 15:34:05 GMT):
Has joined the channel.

bandreghetti (Tue, 11 Sep 2018 16:53:08 GMT):
Has joined the channel.

moficodes (Tue, 11 Sep 2018 18:19:13 GMT):
Has joined the channel.

1234 (Wed, 12 Sep 2018 06:22:20 GMT):
How do I add a custom attribute to an openssl certificate in this format: 1.2.3.4.5.6.7.8.1=ASN1:PRINTABLESTRING:{"attrs":{"firstName:Lohith","hf.Affiliation":"org1.department1","hf.EnrollmentID":"Lohit","hf.Type":"client"}}

OviiyaDominic (Wed, 12 Sep 2018 07:13:01 GMT):
what is the difference between adding an identity ('fabric-ca-client identity add ...') and registering an identity ('fabric-ca-client register ...')

david_dornseifer (Wed, 12 Sep 2018 07:16:12 GMT):
@skarim thx for the quick answer :+1: - that means I can use the intermediate CA and put this cert into the `MSP CA` folder (e.g. for the configtxgen tool). Furthermore, I think I can ignore the `intermediate CA` folder in this case, since the peers should just validate transactions on their MSP level.

narendranathreddy (Wed, 12 Sep 2018 08:12:49 GMT):
hello guys

narendranathreddy (Wed, 12 Sep 2018 08:12:53 GMT):
https://jira.hyperledger.org/browse/FABN-677

narendranathreddy (Wed, 12 Sep 2018 08:12:58 GMT):
I am also facing this issue

narendranathreddy (Wed, 12 Sep 2018 08:13:26 GMT):
@skarim

narendranathreddy (Wed, 12 Sep 2018 08:15:30 GMT):
orderer logs: 2018-09-07 10:19:49.483 UTC [grpc] Printf -> DEBU 0b1 grpc: Server.Serve failed to complete security handshake from "10.255.0.2:35348": tls: client didn't provide a certificate

narendranathreddy (Wed, 12 Sep 2018 08:15:58 GMT):
but I provided the RCA and ICA chain pem files; these are TLS enabled

vineetmishra (Wed, 12 Sep 2018 11:46:47 GMT):
Has joined the channel.

vineetmishra (Wed, 12 Sep 2018 11:48:06 GMT):
Hi Guys, i can store fabric user's private keys in azure vault directly

vineetmishra (Wed, 12 Sep 2018 11:48:06 GMT):
Hi Guys, i can store fabric user's private keys in azure vault directly without storing at my application server

vineetmishra (Wed, 12 Sep 2018 11:48:06 GMT):
Hi Guys, can i store fabric user's private keys in azure vault directly without storing at my application server

vineetmishra (Wed, 12 Sep 2018 11:48:06 GMT):
Hi guys, can I store Fabric users' private keys in Azure vault directly without storing them on my application server? Any idea?

skarim (Wed, 12 Sep 2018 11:48:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HZavvuTaJYPGnee9T) @OviiyaDominic They perform the same function

vineetmishra (Wed, 12 Sep 2018 11:48:21 GMT):
without storing them on my application server

dsanchezseco (Wed, 12 Sep 2018 13:27:32 GMT):
@skarim quick question: is the admin cert supposed to include IP SANs? Cause it can be used from different machines, right? (Furthermore the orderer rejects the channel creation because the cert contains IP SANs and it doesn't match the caller...) Kinda desperate now with the migration to TLS...

ashutosh_kumar (Wed, 12 Sep 2018 15:17:32 GMT):
@dsanchezseco, if the hostname in the cert does not match the TLS cert, you usually get a TLS handshake error.

ashutosh_kumar (Wed, 12 Sep 2018 15:17:42 GMT):
are you using wildcard cert ?

dsanchezseco (Wed, 12 Sep 2018 15:20:07 GMT):
@ashutosh_kumar no, I'm generating the certs with the CA, and it automatically inserts the hostname in the SANs. I wonder if not providing SANs would solve the problem (as it appears to be working in the sample certs generated with cryptogen) or would prompt the "no IP SANs provided" error

dsanchezseco (Wed, 12 Sep 2018 15:22:07 GMT):
btw the only thing I've managed to do was to have the field empty, with --myhost "", but it had
```
X509v3 Subject Alternative Name: DNS:
```

ashutosh_kumar (Wed, 12 Sep 2018 15:23:21 GMT):
Looks like your cert CN does not match the server IP that you have.

ashutosh_kumar (Wed, 12 Sep 2018 15:23:46 GMT):
by server , I meant TLS Server.

ashutosh_kumar (Wed, 12 Sep 2018 15:25:07 GMT):
So, you have 2 options: 1) either change the cert CN to match your TLS server hostname, or 2) put the TLS server IP in the cert SAN field.

jvsclp (Wed, 12 Sep 2018 17:30:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cAhL6XpMZB6uKTk3x) @vineetmishra You could, but why would you want to consolidate the private keys on a cloud server? You will be creating a single point of failure and defeat the purpose of keeping private keys under the control of the user.

yousaf (Wed, 12 Sep 2018 19:27:45 GMT):
```
yousaf@ubuntu:~/go/src/github.com/hyperledger/fabric-ca$ make fabric-ca-server
Building fabric-ca-server in bin directory ...
# github.com/hyperledger/fabric-ca/lib
lib/server.go:710:23: cert.Issuer.String undefined (type pkix.Name has no field or method String)
lib/server.go:711:24: cert.Subject.String undefined (type pkix.Name has no field or method String)
Makefile:111: recipe for target 'bin/fabric-ca-server' failed
make: *** [bin/fabric-ca-server] Error 2
```
Sir, any solution related to this? I am using `make fabric-ca-server` and it is giving me the error given above.

jvsclp (Wed, 12 Sep 2018 19:33:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bBb4vCNHKtxAubwBC) @yousaf Why are you using the make command? Are you following the directions in https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#getting-started?

yousaf (Wed, 12 Sep 2018 20:00:43 GMT):
```
# github.com/hyperledger/fabric-ca/lib
../go/src/github.com/hyperledger/fabric-ca/lib/server.go:714:23: cert.Issuer.String undefined (type pkix.Name has no field or method String)
../go/src/github.com/hyperledger/fabric-ca/lib/server.go:715:24: cert.Subject.String undefined (type pkix.Name has no field or method String)
```

yousaf (Wed, 12 Sep 2018 20:01:01 GMT):
Facing the same issue. @jvsclp

yousaf (Wed, 12 Sep 2018 20:11:30 GMT):
@jvsclp followed the official documentation too but still facing the same issue.

jvsclp (Wed, 12 Sep 2018 20:25:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rgcFs3dzwkK452qfJ) @yousaf Where are you seeing the *make fabric-ca-server* command in the docs? You can start the server natively pointing to the directory of your choice or with docker using *docker-compose*.

yousaf (Wed, 12 Sep 2018 20:28:16 GMT):
@jvsclp As you have said, I followed this command as described in the official documentation. Leave `make fabric-ca-server`; I'm just getting it while using this command too, i.e. `go get -u github.com/hyperledger/fabric-ca/cmd/...`. But in response I'm getting the error I told you about above.

jvsclp (Wed, 12 Sep 2018 20:33:08 GMT):
You are receiving an error when you are trying to install the fabric-ca-server and fabric-ca-client binaries using the *go get* command, what is the error?

skarim (Wed, 12 Sep 2018 20:34:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BF5wxxFJivKzmSnin) @yousaf are you using go 1.9 or 1.10?

jvsclp (Wed, 12 Sep 2018 20:42:42 GMT):
@skarim While you're here, I'm having trouble with an error when trying to set up a network using fabric-ca generated certificates. The peer nodes stand up fine, but the Orderer node passes the error: `OrdererContainer | 2018-09-12 19:38:14.802 UTC [orderer/common/server] initializeLocalMsp -> CRIT 029 Failed to initialize local MSP: CA Certificate did not have the Subject Key Identifier extension, (SN: 234690659233761128389405762890313851636948479678) ` I've checked the Authority Key Identifier for the Orderer signing certificate and TLS certificate respectively against the root cert authority and the TLS cert authority Subject Key Identifiers and they match, but I can't tell where the errors are because the SN passed in the error does not match any of my certificates. I probably have something misconfigured, but after going through all the certificates in the Membership Service Provider I am at a loss of how to proceed. What are your thoughts?

jvsclp (Wed, 12 Sep 2018 20:42:42 GMT):
@skarim While you're here, I'm having trouble with an error when trying to set up a network using fabric-ca generated certificates. The peer nodes stand up fine, but the Orderer node passes the error: `OrdererContainer | 2018-09-12 19:38:14.802 UTC [orderer/common/server] initializeLocalMsp -> CRIT 029 Failed to initialize local MSP: CA Certificate did not have the Subject Key Identifier extension, (SN: 234690659233761128389405762890313851636948479678)` I've checked the Authority Key Identifier for the Orderer signing certificate and TLS certificate respectively against the root cert authority and the TLS cert authority Subject Key Identifiers and they match, but I can't tell where the errors are because the SN passed in the error does not match any of my certificates. I probably have something misconfigured, but after going through all the certificates in the Membership Service Provider I am at a loss of how to proceed. What are your thoughts?

jvsclp (Wed, 12 Sep 2018 20:42:42 GMT):
@skarim While you're here, I'm having trouble with an error when trying to set up a network using fabric-ca generated certificates. The peer nodes stand up fine, but the Orderer node passes the error: `OrdererContainer | 2018-09-12 19:38:14.802 UTC [orderer/common/server] initializeLocalMsp -> CRIT 029 Failed to initialize local MSP: CA Certificate did not have the Subject Key Identifier extension, (SN: 234690659233761128389405762890313851636948479678)` I've checked the Authority Key Identifier for the Orderer signing certificate and TLS certificate respectively against the root cert authority and the TLS cert authority Subject Key Identifiers and they match, but I can't tell where the errors are because the SN passed in the error does not match any of my certificates (converting decimal serial number to hexadecimal). I probably have something misconfigured, but after going through all the certificates in the Membership Service Provider I am at a loss of how to proceed. What are your thoughts?

yousaf (Wed, 12 Sep 2018 20:50:45 GMT):
@skarim Thanks sir. My issue got resolved by changing go v1.9 with v1.10

jvsclp (Wed, 12 Sep 2018 22:07:22 GMT):
It would be helpful if the error on initializing the local MSP passed either the certificate name or the serial number in hexadecimal which is the format shown when you check the certificate with: `openssl x509 -in cert.pem -text -noout` instead of decimal requiring a manual conversion.

lapdin_de_blockchain (Thu, 13 Sep 2018 01:34:16 GMT):
Has joined the channel.

lapdin_de_blockchain (Thu, 13 Sep 2018 01:52:11 GMT):
Could anyone tell me what does the parameter --csr.hosts with the fabric-ca-client enroll command do, and why we need it? thanks in advance

vieiramanoel (Thu, 13 Sep 2018 02:14:18 GMT):
@lapdin_de_blockchain the csr.hosts is the hosts which that certificate will respond to (the valid hosts for that certificate). So if you have a CA and its DNS names are ["ca.example.com", "ca0.example.com"] and you want to make requests to both addresses, you need to set those hosts in csr.hosts

vineetmishra (Thu, 13 Sep 2018 03:28:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zDS6AGPPZxjPquJPF) @jvsclp we don't want to keep it on the application server as Fabric does; the user's private key should be with the user or in some secure place like AWS or a cloud secure store

inatatsu (Thu, 13 Sep 2018 06:24:21 GMT):
Has joined the channel.

gravity (Thu, 13 Sep 2018 10:02:48 GMT):
hi all where can I find a list of default values for each attribute that is used during identity registration?

migrenaa (Thu, 13 Sep 2018 10:55:55 GMT):
Hello guys. I enabled TLS in my network. In the nodejs code, when I create a peer/orderer instance I am setting the `pem` property with the certificates and also I am using the `setTlsClientCertAndKey` function to set the certificates on the client. Now `channel.sendTransactionProposal(request)` throws the following error:
```
sendPeersProposal - Promise is rejected: Error: 2 UNKNOWN: access denied: channel [orbixchannel] creator org [orbixorgMSP]
```
I am not sure if I am setting the wrong server certificates, and I am not sure if the problem is in the network or in the nodejs code. These are the docker-compose variables of the peer service
```
- FABRIC_CA_CLIENT_TLS_CERTFILES=/data/orbixorg-ca-chain.pem
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/data/orbixorg-ca-chain.pem
- CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
- CORE_PEER_TLS_CLIENTROOTCAS_FILES=/data/orbixorg-ca-chain.pem
- CORE_PEER_TLS_CLIENTCERT_FILE=/data/tls/peer0-orbixorg-client.crt
- CORE_PEER_TLS_CLIENTKEY_FILE=/data/tls/peer0-orbixorg-client.key
```
And the server certificates that I am using are in this file `orbixorg-ca-chain.pem`, but in this file there are two certificates. I don't know if this is a problem for Fabric. Do you have any idea what I am doing wrong?

JaydipMakadia (Thu, 13 Sep 2018 12:38:05 GMT):
Has joined the channel.

latitiah (Thu, 13 Sep 2018 15:02:53 GMT):
So I've been looking but it is not apparent to me where I can find `hyperledger/fabric-javaenv:amd64-1.3.0`. I realize that it is not on dockerhub, but I'm also not building it in fabric. Can someone point me in the right direction? I am seeing a failure in CI because this image is missing `Failed to pull hyperledger/fabric-javaenv:amd64-1.3.0`

jvsclp (Thu, 13 Sep 2018 15:09:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iHw7NMqXCtCXqQiSw) @vineetmishra The fabric-ca-server does not store a user's private key. Private keys and all the other certificate information for users (peers, clients, admins) are stored in the directory you choose when you enroll a user using the fabric-ca-client. The command to point where you want the generated identity is found here: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enrolling-a-peer-identity in the second paragraph of the section.

jvsclp (Thu, 13 Sep 2018 15:09:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iHw7NMqXCtCXqQiSw) @vineetmishra The fabric-ca-server does not store a user's private key. Private keys and all the other certificate information for users (peers, clients, admins) are stored in the MSP directory you choose when you enroll a user using the fabric-ca-client. The command to point where you want the generated identity is found here: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enrolling-a-peer-identity in the second paragraph of the section.

jvsclp (Thu, 13 Sep 2018 15:11:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dKHc7a8gpGCiwyScJ) @gravity https://hyperledger-fabric-ca.readthedocs.io/en/latest/clientconfig.html

aatkddny (Thu, 13 Sep 2018 17:34:58 GMT):
Has there been any movement on the idea of an idemix that works across CAs? I'm back to looking at my particular worst case use case and thinking that it would be awfully helpful.

aatkddny (Thu, 13 Sep 2018 17:34:58 GMT):
Has there been any movement on the idea of an idemix anonymizer that works across CAs? I'm back to looking at my particular worst case use case and thinking that it would be awfully helpful.

jvsclp (Thu, 13 Sep 2018 19:59:06 GMT):
I'm back and still trying to stand up my orderer node using fabric-ca generated certs on v1.2. My last error with the subject key identifier (https://chat.hyperledger.org/channel/fabric-ca?msg=dMX2pvKdwNd8Yb6Xn) resolved itself somehow, I'd like to say I know what I did, but I don't. Now I'm getting an error stating one of my intermediate certificate authority certificates is signed by an unknown authority: `OrdererContainer | 2018-09-13 19:33:16.602 UTC [orderer/common/server] initializeLocalMsp -> CRIT 02a Failed to initialize local MSP: CA Certificate is not valid, (SN: 108551625344802190615550838078737618026118835691): could not obtain certification chain: the supplied identity is not valid: x509: certificate signed by unknown authority` I cannot find the problem because the intermediate CA is generated upon enrollment with the root CA, the int CA cert authority key identifier matches the root CA subject key identifier, and if I run a verify I get a valid chain: `openssl verify -CAfile ../../Root/fabric-ca-server/RootCA-cert.pem IntCA-cert.pem IntCA-cert.pem: OK` The root certificate .pem resides in the cacerts folder and the intermediate cert authority .pem resides in the intermediatecerts folder of Membership Service Provider directory for the orderer. What am I missing?

jvsclp (Thu, 13 Sep 2018 20:00:10 GMT):
I'm back and still trying to stand up my orderer node using fabric-ca generated certs on v1.2. My last error with the subject key identifier (https://chat.hyperledger.org/channel/fabric-ca?msg=dMX2pvKdwNd8Yb6Xn) resolved itself somehow, I'd like to say I know what I did, but I don't. Now I'm getting an error stating one of my intermediate certificate authority certificates is signed by an unknown authority: `OrdererContainer | 2018-09-13 19:33:16.602 UTC [orderer/common/server] initializeLocalMsp -> CRIT 02a Failed to initialize local MSP: CA Certificate is not valid, (SN: 108551625344802190615550838078737618026118835691): could not obtain certification chain: the supplied identity is not valid: x509: certificate signed by unknown authority` I cannot find the problem because the intermediate CA is generated upon enrollment with the root CA, the int CA cert authority key identifier matches the root CA subject key identifier, and if I run a verify I get a valid chain: `openssl verify -CAfile ../../Root/fabric-ca-server/RootCA-cert.pem IntCA-cert.pem IntCA-cert.pem: OK` The root certificate .pem resides in the cacerts folder and the intermediate cert authority .pem resides in the intermediatecerts folder of Membership Service Provider directory for the orderer. What am I missing?

jvsclp (Thu, 13 Sep 2018 20:00:10 GMT):
I'm back and still trying to stand up my orderer node using fabric-ca generated certs on v1.2. My last error with the subject key identifier (https://chat.hyperledger.org/channel/fabric-ca?msg=dMX2pvKdwNd8Yb6Xn) resolved itself somehow, I'd like to say I know what I did, but I don't. Now I'm getting an error stating one of my intermediate certificate authority certificates is signed by an unknown authority: `OrdererContainer | 2018-09-13 19:33:16.602 UTC [orderer/common/server] initializeLocalMsp -> CRIT 02a Failed to initialize local MSP: CA Certificate is not valid, (SN: 108551625344802190615550838078737618026118835691): could not obtain certification chain: the supplied identity is not valid: x509: certificate signed by unknown authority` I cannot find the problem because the intermediate CA is generated upon enrollment with the root CA, the int CA cert authority key identifier matches the root CA subject key identifier, and if I run a verify I get a valid chain: `openssl verify -CAfile ../../Root/fabric-ca-server/RootCA-cert.pem IntCA-cert.pem` `IntCA-cert.pem: OK` The root certificate .pem resides in the cacerts folder and the intermediate cert authority .pem resides in the intermediatecerts folder of Membership Service Provider directory for the orderer. What am I missing?

jvsclp (Thu, 13 Sep 2018 20:00:10 GMT):
I'm back and still trying to stand up my orderer node using fabric-ca generated certs on v1.2. My last error with the subject key identifier (https://chat.hyperledger.org/channel/fabric-ca?msg=dMX2pvKdwNd8Yb6Xn) resolved itself somehow, I'd like to say I know what I did, but I don't. Now I'm getting an error stating one of my intermediate certificate authority certificates is signed by an unknown authority: `OrdererContainer | 2018-09-13 19:33:16.602 UTC [orderer/common/server] initializeLocalMsp -> CRIT 02a Failed to initialize local MSP: CA Certificate is not valid, (SN: 108551625344802190615550838078737618026118835691): could not obtain certification chain: the supplied identity is not valid: x509: certificate signed by unknown authority` I cannot find the problem because the intermediate CA is generated upon enrollment with the root CA, the int CA cert authority key identifier matches the root CA subject key identifier, and if I run a verify I get a valid chain: `openssl verify -CAfile ../../Root/fabric-ca-server/RootCA-cert.pem IntCA-cert.pem` `IntCA-cert.pem: OK` The root certificate .pem resides in the cacerts folder and the intermediate cert authority .pem resides in the intermediatecerts folder of Membership Service Provider directory for the orderer. The peer node which relies on the problem intermediate certificate starts fine. What am I missing?

jvsclp (Thu, 13 Sep 2018 20:00:10 GMT):
I'm back and still trying to stand up my orderer node using fabric-ca generated certs on v1.2. My last error with the subject key identifier (https://chat.hyperledger.org/channel/fabric-ca?msg=dMX2pvKdwNd8Yb6Xn) resolved itself somehow; I'd like to say I know what I did, but I don't. Now I'm getting an error stating one of my intermediate certificate authority certificates is signed by an unknown authority: `OrdererContainer | 2018-09-13 19:33:16.602 UTC [orderer/common/server] initializeLocalMsp -> CRIT 02a Failed to initialize local MSP: CA Certificate is not valid, (SN: 108551625344802190615550838078737618026118835691): could not obtain certification chain: the supplied identity is not valid: x509: certificate signed by unknown authority` I cannot find the problem because the intermediate CA is generated upon enrollment with the root CA, the intermediate CA cert's authority key identifier matches the root CA subject key identifier, and if I run a verify I get a valid chain: `openssl verify -CAfile ../../Root/fabric-ca-server/RootCA-cert.pem IntCA-cert.pem` outputs `IntCA-cert.pem: OK`. The root certificate .pem resides in the cacerts folder and the intermediate cert authority .pem resides in the intermediatecerts folder of the Membership Service Provider directory for the orderer. The peer node which relies on the problem intermediate certificate starts fine. What am I missing?

jvsclp (Thu, 13 Sep 2018 20:23:13 GMT):
I have also replaced the root CA cert and the int CA cert with copies to make sure I did not leave an out of date certificate (which shouldn't verify anyhow) in the Membership Service Provider directory.

npc0405 (Fri, 14 Sep 2018 01:30:53 GMT):
Has joined the channel.

mahbub227 (Fri, 14 Sep 2018 03:07:32 GMT):
Has joined the channel.

vineetmishra (Fri, 14 Sep 2018 04:13:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5zNDHrRTWNjMif6KJ) @jvsclp you can find it at Fabric CA client’s configuration file

vinayjangir (Fri, 14 Sep 2018 05:56:10 GMT):
Has joined the channel.

sgaddam (Fri, 14 Sep 2018 06:04:35 GMT):
Has joined the channel.

kiranarshakota (Fri, 14 Sep 2018 06:06:21 GMT):
Has joined the channel.

sgaddam (Fri, 14 Sep 2018 06:09:37 GMT):
Hi, I am getting the below error while getting the fabric-ca-client from GitHub:
```
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:714:23: cert.Issuer.String undefined (type pkix.Name has no field or method String)
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:715:24: cert.Subject.String undefined (type pkix.Name has no field or method String)
```

sgaddam (Fri, 14 Sep 2018 06:15:47 GMT):
I am getting the above error while trying to run the below command: `go get -u github.com/hyperledger/fabric-ca/cmd/fabric-ca-client`

sgaddam (Fri, 14 Sep 2018 07:07:29 GMT):
It got resolved as I have installed the latest version of Go (1.10). It's already mentioned in the chat history. Thanks for the info @skarim and @yousaf

yousaf (Sat, 15 Sep 2018 04:13:08 GMT):
Can anyone tell me what is meant by these fields in the registry section of the fabric-ca-server-config.yaml file?
```
hf.Registrar.Roles: "*"
hf.Registrar.DelegateRoles: "*"
hf.Revoker: true
hf.IntermediateCA: true
hf.GenCRL: true
hf.Registrar.Attributes: "*"
hf.AffiliationMgr: true
```

yousaf (Sat, 15 Sep 2018 04:21:05 GMT):
Or is there any resource that might be helpful in understanding the contents of this file?

kulbirgr8 (Sat, 15 Sep 2018 10:50:30 GMT):
I am working on Hyperledger Fabric. I developed my own smart contract and it's working fine; I did query and invoke and added many more functions to it. Now what I want is to integrate it with an Android app so that a user can directly invoke or query data in Hyperledger Fabric from the Android app. So what will be the best solution for this?

patent_person (Sat, 15 Sep 2018 12:17:30 GMT):
Hi, in the fabric-ca example, the docker-compose file contains the variable FABRIC_ORGS which equals `org0 org1 org2`. Question: what is the function of this configuration element for the CA server? Is this really needed, and if so, why?

aambati (Sat, 15 Sep 2018 20:59:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6cTRw6bzwB23JyWfT) @yousaf Have you looked at https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#registering-a-new-identity

aambati (Sat, 15 Sep 2018 21:07:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XDfqgaENWfAfQSrzf) @kulbirgr8 An Android app means it would be written in Java. You would need to use the Java SDK to register/enroll users, submit transactions, and to query.

aambati (Sat, 15 Sep 2018 21:14:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zuHePF6v8RH2JGq5N) @patent_person No, it is not needed by the CA server. It is used to start one root and one intermediate CA server for each org specified by this environment variable.

yousaf (Sat, 15 Sep 2018 21:30:30 GMT):
@aambati got it sir. Thanks :)

yousaf (Sat, 15 Sep 2018 21:32:35 GMT):
I am adding a new consortium to create a new channel in my existing network (in the configtx.yaml file). But I am getting the error "unknown consortium name" while issuing the command `peer channel create`. Any solution?

aambati (Sat, 15 Sep 2018 22:18:38 GMT):
Adding a new consortium to an existing network? Can you even have more than one consortium? Besides, why would you need to add a new consortium to create a channel?

yousaf (Sun, 16 Sep 2018 13:01:17 GMT):
@aambati I was doing that for practice. But that has been fixed. Thanks for your support :)

yousaf (Sun, 16 Sep 2018 13:01:22 GMT):
Hi. I am trying to add a new organization to the existing channel, which has only one peer joined to it. I am using this command: `peer channel update -f org4_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.example.com:7050 --tls --cafile $ORDERER_CA` and I am getting this error: `Error: got unexpected status: BAD_REQUEST -- error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: Failed to reach implicit threshold of 2 sub-policies, required 1 remaining` Any solution?

asaningmaxchain123 (Sun, 16 Sep 2018 13:49:40 GMT):
@yacovm @smithbk can you tell me what `affiliations` is, and what its function is?

smithbk (Sun, 16 Sep 2018 17:13:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rWM7vdkypWAztxvQx) @asaningmaxchain123 The purpose of an affiliation is to provide *hierarchical* control on what an identity can do. For example, identity 1 with the registrar privileges and affiliation *a.b* can perform registrar type duties on identities with an affiliation of a.b, a.b.c, a.b.d, etc., but not those with an affiliation of a.c.

Jgnuid (Sun, 16 Sep 2018 17:43:44 GMT):
Has joined the channel.

fsl (Mon, 17 Sep 2018 02:11:06 GMT):
Has joined the channel.

ynlfsd (Mon, 17 Sep 2018 02:13:47 GMT):
Has joined the channel.

ynlfsd (Mon, 17 Sep 2018 02:23:42 GMT):
Hi, does the hf.Registrar.DelegateRoles attribute mean that if a user's DelegateRoles is "client, user", it can only register new users whose hf.Registrar.Roles are within "client, user"?

lapdin_de_blockchain (Mon, 17 Sep 2018 05:20:53 GMT):
Question about the file "scripts/setup-fabric.sh" of fabric-samples/fabric-ca. For the command `fabric-ca-client register -d --id.name $ADMIN_NAME --id.secret $ADMIN_PASS --id.attrs "hf.Registrar.Roles=...."` in the function registerPeerIdentities, does it register an admin account at an intermediate CA host? If so, why do we need an admin account? Thanks in advance

yulong12 (Mon, 17 Sep 2018 05:53:55 GMT):
Hi everyone. I want to ask a question. In the ca directory, what is the format of this private key? For example: ``` /first-network/crypto-config/peerOrganizations/org1.example.com/ca/ce8265a21ffbffc8476caa1a5617bffbeba2835ae601486e8ebdb4045d00cb93_sk ```

jvsclp (Mon, 17 Sep 2018 14:28:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WviXrpuuZvDAhpLh6) @yulong12 It's a private certificate. The _sk at the end refers to secret key. I rename mine to more accurately describe which public certificate the secret key is associated with and give it a *.key* file extension opened with any text editor. For example, if it was the secret key to peerA I would rename the file peerA-cert.key. This does not seem to affect its use when being passed in the membership service provider.

smithbk (Mon, 17 Sep 2018 19:46:41 GMT):
The format of the contents is PEM-encoded PKCS 8 format

smithbk (Mon, 17 Sep 2018 19:51:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=69tPHCSTL29SmnYNv) @lapdin_de_blockchain All ecerts come from the intermediate CA. The only purpose of the root CA is to generate the signing CA cert for the intermediate CA, and then the root CA should typically be taken offline. This is to model that. The admin identity is a peer admin which has the privilege to do things such as install chaincode on the peer, so it is creating that identity.

smithbk (Mon, 17 Sep 2018 19:52:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QpLPmXxLaTQB9kAaS) @ynlfsd yes, exactly

ashutosh_kumar (Mon, 17 Sep 2018 20:49:21 GMT):
ski is not PEM encoded PKCS8.

jvsclp (Mon, 17 Sep 2018 22:20:06 GMT):
I'm still stuck trying to stand up my orderer node using fabric and fabric-ca v1.2. I can get two peer nodes to stand up with my generated cryptographic material, but when it comes to getting the orderer node stood up I receive this message: `OrdererContainer | 2018-09-17 21:57:51.395 UTC [orderer/commmon/multichannel] newLedgerResources -> CRIT 065 Error creating channelconfig bundle: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: the supplied identity is not valid: x509: certificate signed by unknown authority` This seems to be occurring in the admins folder of the orderer's membership service provider structure. I've regenerated all the crypto material a second time in an attempt to get rid of the signed by unknown authority error. I've generated a new genesis block and channel transactions. I've pruned all the docker volumes after trying to stand up the nodes to make sure I'm working with the freshest volumes and there are no artifacts colliding with the containers I'm trying to stand up. I've moved certificates in and out of the folder to try and eliminate which one is the issue. I cannot figure out why I am continually receiving this error. Any idea of what I can check to continue working through this error?

montana (Mon, 17 Sep 2018 22:29:42 GMT):
I'm aware that RSA keys are not supported for ecerts in MSPs. However is RSA supported for TLS certs?

ashutosh_kumar (Mon, 17 Sep 2018 22:53:17 GMT):
Yes, RSA is supported for TLS certs.

asaningmaxchain123 (Tue, 18 Sep 2018 02:42:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CDPvYvtDnLeWWHbzx) @smithbk got it, thx

ynlfsd (Tue, 18 Sep 2018 03:02:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Gr2oLELDYPrpGXQPz) @smithbk Thank you sir! I have a problem: I register a new user A with `{ hf.Register.Roles="client, user ,peer" hf.Register.DelegateRole="client, user" hf.Register.Attributes=* }`, and then I use user A to register another user B with `{ hf.Register.Roles="client, user ,peer" hf.Register.DelegateRole="client, user" hf.Register.Attributes=* }`. It registers successfully. Am I using the attributes correctly?

Randyshu2018 (Tue, 18 Sep 2018 03:25:27 GMT):
Hi, how do I add a peer dynamically in a production environment?

HoneyShah (Tue, 18 Sep 2018 07:10:47 GMT):
Hello, has anyone used a MySQL/Postgres database for fabric-ca?

HoneyShah (Tue, 18 Sep 2018 07:18:23 GMT):
While configuring MySQL with fabric-ca I am getting the following error:
```
Failed to create user registry for MySQL: Failed to connect toMySQL database: dial tcp 127.0.0.1:3306: getsockopt: connection refused
```
Here are the config file changes:
```
type: mysql
datasource: root:rootpw@tcp(localhost:3306)/fabric_ca?parseTime=true
tls:
  enabled: false
  certfiles:
  client:
    certfile:
    keyfile:
```
Can anyone help please?

gravity (Tue, 18 Sep 2018 09:50:09 GMT):
Hi all, I'm playing with the `fabric-ca` sample from fabric-samples. In its scripts an admin user (which is used to create channels and install chaincodes) is registered on the CA server and later enrolled to create a channel, and here everything works well. But when I'm trying to enroll this admin on the CA with the same credentials using the fabric-sdk, I'm told that the identity is not an admin. But if I manually load the cert and keystore files from disk and create an enrollment object, everything is fine. As for me, it is not very handy to load the cert and keystore file directly from disk, and it would be better to enroll the admin on the CA when it's needed. Is there any way to do this? Am I missing something?

npc0405 (Tue, 18 Sep 2018 12:21:08 GMT):
Getting "Invalid network configuration due to missing configuration data" when trying to enroll a user, after the org name is changed. Any idea?

umamaheswarv (Tue, 18 Sep 2018 14:48:19 GMT):
Has joined the channel.

GuillaumeCisco (Tue, 18 Sep 2018 15:11:30 GMT):
Hello there, I just cloned a fresh new fabric-ca and ran the unit tests; they failed. Is this normal? `master` and `release-1.2` both failed. Can we know if the tests should run successfully?
```
Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort
```

skarim (Wed, 19 Sep 2018 01:17:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jq3PkE8DLi9qywsBo) @HoneyShah Do you see any errors in your MySQL logs?

skarim (Wed, 19 Sep 2018 01:17:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=H4grqTnn9mmJLSGgF) @gravity which sdk are you using?

skarim (Wed, 19 Sep 2018 01:18:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zbFdio2EC6cg7kWtp) @npc0405 Can you provide more details? Where are you seeing the "Invalid network configuration" error? Where did you change the name of the org?

skarim (Wed, 19 Sep 2018 01:19:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aDLLXtNMKxHkKFXTx) @GuillaumeCisco Unit tests should pass. Does it say what test is failing? How are you executing the unit tests, by running `make unit-tests`?

lapdin_de_blockchain (Wed, 19 Sep 2018 02:02:26 GMT):
After running the fabric-ca sample code, I tried to add another peer to org1. I tried to imitate how the sample code does it. However, running `fabric-ca-client register -d --id.name $PEER_NAME --id.secret $PEER_PASS --id.type peer` got me the error "Enrollment check failed: Idemix enrollment information does not exist" in the log. Could anyone tell me what I am doing wrong? Thanks in advance.

npc0405 (Wed, 19 Sep 2018 02:30:21 GMT):
@skarim I was able to resolve it. Some more configuration was required for the network-config.yaml and config.js files. Thanks :)

npc0405 (Wed, 19 Sep 2018 02:33:47 GMT):
@lapdin_de_blockchain check for affiliations inside container /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml

npc0405 (Wed, 19 Sep 2018 02:37:02 GMT):
Hope you are using first-network of version 1.2

lapdin_de_blockchain (Wed, 19 Sep 2018 03:42:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=W4NpHp3KDon9DG74v) never mind... I forgot to enroll as an admin. Adding these two lines solves the problem:
```
initOrgVars $ORG
enrollCAAdmin
```

HoneyShah (Wed, 19 Sep 2018 05:31:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7w2TD2e4ZQcPoDcXg) @skarim I solved the issue

HoneyShah (Wed, 19 Sep 2018 05:36:54 GMT):
What is the difference between setting up a CA server cluster and running multiple CAs inside one fabric-ca-server? And what about the intermediate CA: should it be one CA server in the cluster of CAs, or should it be part of one fabric-ca-server? Can we have a mixture of intermediate CA and root CA in the CA cluster? I find it very confusing.

lapdin_de_blockchain (Wed, 19 Sep 2018 06:58:03 GMT):
I set up fabric-samples/fabric-ca successfully. Then I created a new folder (fabric-ca-test) in fabric-samples/ and copied *.sh and scripts/*.sh into the new folder. However, I couldn't pass the test in scripts/run-fabric after I ran start.sh in the new folder. It seems that in the new environment, docker creates a different network name. Could anyone tell me what is happening? Thanks in advance.

gravity (Wed, 19 Sep 2018 07:55:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3DB9EXc3C5nc88Qvw) @skarim java sdk I've asked this question in #fabric-sdk-java but was to this channel :)

GuillaumeCisco (Wed, 19 Sep 2018 08:00:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9dXuscMh4juzxS8wz) @skarim I only have a lot of trace with debug and info, and the error I posted above. I simply cloned the project and ran `make unit-tests`; my GOPATH is set correctly. I used the command from the bash_profile available here: https://github.com/hyperledger/fabric-ca. Can someone confirm they see the same issue?

yulong12 (Wed, 19 Sep 2018 08:40:31 GMT):
Hi everyone. How can I replace the first-network/crypto-config/peerOrganizations/org1.example.com/ca with the certificate and key which are generated by openssl?


JayJong (Wed, 19 Sep 2018 10:22:16 GMT):
Hi all, I want to replace cryptogen with fabric-ca but I'm unsure about the part where we have to use configtx.yaml to create the channel, because we have to input the orgMSP into this config file. Without cryptogen, there's no longer a crypto-config folder, so where does it get the certs from? My configtx.yaml file is on the master node which is different from my peer nodes. So do I have to enroll/register on the master node to get all the certs of the orgs and orderer as well?

npc0405 (Wed, 19 Sep 2018 10:41:49 GMT):
```
E0919 10:06:31.236451383 26206 ssl_transport_security.cc:989] Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.
```
While joining a channel after a new org is added to the network. Any idea?

mastersingh24 (Wed, 19 Sep 2018 10:58:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=njrAjm4mZ8gT87xzS) @JayJong You will need to set up the MSP structure for each org. You'll need to populate:
`cacerts` - this should be the signing certificate for that org's CA
`admincerts` - this will be the enrolled public key(s) for whomever you want to be admin
`tlscacerts` - if you plan to use TLS, this will be the root CA that issued the TLS certs for the org
In configtx.yaml you can then reference the location of the MSP directory for each org.

HoneyShah (Wed, 19 Sep 2018 11:41:42 GMT):
Can anyone tell me the detail steps for https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enrolling-an-intermediate-ca

skarim (Wed, 19 Sep 2018 14:11:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JqK5Yv9JG8uHyop8D) @HoneyShah A cluster is to provide high availability, so if one server goes down there are backups that can handle the incoming requests. In a cluster of CAs, they would all use the same signing key with the same backend database. The multiple CAs in a single server process are not identical CAs and will have different signing keys and be connected to different databases. This is a way to allow you to have different CAs in a single process. In a cluster setup, you should have different server processes and not use a single server running multiple CAs. You should not have a mixture of intermediate CA and root CA in a single cluster. A cluster should consist of multiple servers with identical configurations.

skarim (Wed, 19 Sep 2018 14:11:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iquyGr5bE3DFo57Pe) @gravity Do you have the exact error that you get back? Is it coming from the fabric CA server or from the Java SDK?

jvsclp (Wed, 19 Sep 2018 14:22:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6SH5AvWQaJsw7cThh) @GuillaumeCisco I may be off, but have you registered the bootstrap identity for the fabric-ca-server you stood up? If so, is your FABRIC_CA_CLIENT_HOME variable pointing to the directory containing that admin's public certificate and is that certificate file named cert.pem? The admin certificate file can only be named cert.pem when being used to register other identities.

GuillaumeCisco (Wed, 19 Sep 2018 14:25:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iCeWmPowPopw4wSEK) @jvsclp I'm only running `make unit-tests`. Modifying nothing. From a fresh installation. I will test the project in a virtual machine or an ubuntu docker container to be sure...

gravity (Wed, 19 Sep 2018 14:33:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6yCD35BsS9nsacjEX) @skarim this is the message from the orderer:
```
default-orderer-1 | 2018-09-19 14:30:40.132 UTC [msp] satisfiesPrincipalInternalPreV13 -> DEBU 1be9 Checking if identity satisfies ADMIN role for default-orgMSP
default-orderer-1 | 2018-09-19 14:30:40.132 UTC [cauthdsl] func2 -> DEBU 1bea 0xc42017ad08 identity 0 does not satisfy principal: This identity is not an admin
default-orderer-1 | 2018-09-19 14:30:40.132 UTC [cauthdsl] func2 -> DEBU 1beb 0xc42017ad08 principal evaluation fails
default-orderer-1 | 2018-09-19 14:30:40.132 UTC [cauthdsl] func1 -> DEBU 1bec 0xc42017ad08 gate 1537367440132867608 evaluation fails
default-orderer-1 | 2018-09-19 14:30:40.132 UTC [policies] Evaluate -> DEBU 1bed Signature set did not satisfy policy /Channel/Application/default-org/Admins
default-orderer-1 | 2018-09-19 14:30:40.132 UTC [policies] Evaluate -> DEBU 1bee == Done Evaluating *cauthdsl.policy Policy /Channel/Application/default-org/Admins
default-orderer-1 | 2018-09-19 14:30:40.132 UTC [policies] func1 -> DEBU 1bef Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ default-org.Admins ]
default-orderer-1 | 2018-09-19 14:30:40.132 UTC [policies] Evaluate -> DEBU 1bf0 Signature set did not satisfy policy /Channel/Application/ChannelCreationPolicy
default-orderer-1 | 2018-09-19 14:30:40.132 UTC [policies] Evaluate -> DEBU 1bf1 == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Application/ChannelCreationPolicy
```
Java SDK exception:
```
2018-09-19 17:30:40.168 ERROR 687 --- [ main] org.hyperledger.fabric.sdk.Channel : Channel defaultchannel error: Channel defaultchannel, send transaction failed on orderer OrdererClient-defaultchannel-default-orderer-1(grpc://localhost:5000). Reason: Channel defaultchannel orderer default-orderer-1 status returned failure code 400 (BAD_REQUEST) during orderer next
org.hyperledger.fabric.sdk.exception.TransactionException: Channel defaultchannel, send transaction failed on orderer OrdererClient-defaultchannel-default-orderer-1(grpc://localhost:5000). Reason: Channel defaultchannel orderer default-orderer-1 status returned failure code 400 (BAD_REQUEST) during orderer next
	at org.hyperledger.fabric.sdk.OrdererClient.sendTransaction(OrdererClient.java:223) ~[fabric-sdk-java-1.2.0.jar:na]
	at org.hyperledger.fabric.sdk.Orderer.sendTransaction(Orderer.java:158) ~[fabric-sdk-java-1.2.0.jar:na]
	at org.hyperledger.fabric.sdk.Channel.sendUpdateChannel(Channel.java:509) [fabric-sdk-java-1.2.0.jar:na]
	at org.hyperledger.fabric.sdk.Channel.(Channel.java:232) [fabric-sdk-java-1.2.0.jar:na]
	at org.hyperledger.fabric.sdk.Channel.createNewInstance(Channel.java:324) [fabric-sdk-java-1.2.0.jar:na]
	at org.hyperledger.fabric.sdk.HFClient.newChannel(HFClient.java:206) [fabric-sdk-java-1.2.0.jar:na]
```

skarim (Wed, 19 Sep 2018 14:50:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=42Z5WWtmqeATtFJ7g) @gravity In the docker-compose.yml file that brings up the network there are multiple instances of the environment variable ORG_ADMIN_CERT that point to the admin certificate file. If you are generating a new admin certificate, I believe that you will have to update the variable to the location of this new certificate.

yousaf (Wed, 19 Sep 2018 16:46:58 GMT):
Hi. What are the benefits of using fabric-ca in Hyperledger Fabric?

jvsclp (Wed, 19 Sep 2018 17:21:17 GMT):
I'm still trying to stand up the orderer node and working through one certificate at a time. Here, I am receiving an error about the parent certificate being a leaf of the certification tree for the admin certificate used to issue the orderer's identity certificate.

jvsclp (Wed, 19 Sep 2018 17:21:56 GMT):

Error.PNG

jvsclp (Wed, 19 Sep 2018 17:23:20 GMT):

CLPRootAdmin-cert.PNG

jvsclp (Wed, 19 Sep 2018 17:24:23 GMT):

CLPRootCA-cert.PNG

jvsclp (Wed, 19 Sep 2018 17:26:17 GMT):
These certificates were generated with fabric-ca v1.2. If I need to provide any further information please let me know.

skarim (Wed, 19 Sep 2018 19:41:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NQZxptzeALjbs5XAm) @jvsclp After you generated these certificates, did you update the orderer config to point to this new crypto that was generated?

jvsclp (Wed, 19 Sep 2018 21:06:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tMTGhzH9m69yfufEg) @skarim Both the configtx.yaml (MSPDir) and the orderer.yaml (LocalMSPDir) point to the same msp directory containing the crypto material needed for the orderer. When I add other organization admin certificates into the admincerts folder the error number changes along with the position of the RootAdmin-cert, but the message stays the same.

jvsclp (Wed, 19 Sep 2018 21:07:18 GMT):

Error38.PNG

lapdin_de_blockchain (Thu, 20 Sep 2018 02:30:07 GMT):
In the configuration file for the fabric-ca server, what does the "affiliation" part do? It seems that we must predefine the organization structure before starting up the fabric-ca server. Does it mean we couldn't add a new intermediate CA / organization to the fabric-ca server afterwards?

JayJong (Thu, 20 Sep 2018 02:45:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sPha8P8gt2Y5LF2LR) @mastersingh24 if we are setting up the MSP structure for each org on their individual nodes, then how do you make the configtx.yaml reference the location of the MSP on the master node?

kjroger94 (Thu, 20 Sep 2018 03:52:28 GMT):
Anyone know why this error would come up? I generated certs via the CA for 2 peers in 1 org.

kjroger94 (Thu, 20 Sep 2018 03:52:34 GMT):
`Bad configuration detected: Received AliveMessage from a peer with the same PKI-ID as myself`

rgunn (Thu, 20 Sep 2018 03:58:46 GMT):
Has joined the channel.

knagware9 (Thu, 20 Sep 2018 04:00:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZPG6Cy7XQwPj4mcx7) @lapdin_de_blockchain You can add. You need to change the fabric-ca config file and add the new affiliation there.

ynlfsd (Thu, 20 Sep 2018 05:28:38 GMT):
Hi everyone, I have a problem: I registered a new user A with `{ hf.Register.Roles="client, user ,peer" hf.Register.DelegateRole="client, user" hf.Register.Attributes=* }`, and then I used user A to register another user B with `{ hf.Register.Roles="client, user ,peer" hf.Register.DelegateRole="client, user" hf.Register.Attributes=* }`. It registers successfully. Does the DelegateRole attribute work correctly?

Shyam_Pratap_Singh (Thu, 20 Sep 2018 06:23:52 GMT):
Has joined the channel.

krabradosty (Thu, 20 Sep 2018 07:42:02 GMT):
Hi. After I enrolled a new user in the CA, I got an identity certificate and a signingIdentity. What is the purpose of signingIdentity? Does signingIdentity contain additional information about the identity? I've tried to parse the certificate as X.509 and I haven't seen anything useful. In Fabric we distinguish peer, admin and client certificates. Where is this information contained?

HoneyShah (Thu, 20 Sep 2018 08:09:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sex2se8pgWYoBAz3a) @skarim Thanks for the explanation. It's helpful.

HoneyShah (Thu, 20 Sep 2018 08:12:49 GMT):
I am getting the following error while enrolling the admin to the intermediate CA:
```
signed certificate with serial number 619423114660023963149266564884451731119475746692
ca1.example.com | 2018/09/20 06:38:53 [INFO] 127.0.0.1:47144 POST /enroll 500 0 "Certificate signing failure: Failed to insert record intodatabase: attempt to write a readonly database"
```
Can anyone help, please? Here is the detailed info: https://stackoverflow.com/questions/52422179/how-to-start-intermediate-ca-using-docker-compose

JaccobSmith (Thu, 20 Sep 2018 08:27:06 GMT):
Hello everyone, how can I produce a TLSCA with fabric-ca?

GowriR (Thu, 20 Sep 2018 10:36:12 GMT):
Hello all, when using the cryptogen tool, the crypto-config directory is generated with lots of files, as you all know and as is mentioned in the documentation. Can the experts here point me to any info or explain what each file means and when it needs to be used? And which files to use for TLS and CA when using the CLI commands (peer channel, peer chaincode, etc.)?

rrishmawi (Thu, 20 Sep 2018 12:12:47 GMT):
Has joined the channel.

rrishmawi (Thu, 20 Sep 2018 12:14:51 GMT):
Hi experts, I am a little bit confused about the concepts of an identity and a participant. Should the identity be bound to the participant for it to invoke transactions?

Ryan2 (Thu, 20 Sep 2018 13:37:18 GMT):
Can I ask: I want to register a new user with attributes. I added an attribute (`var attributes1 = [{name:'foo',value:'bar'}];`) to this code https://github.com/hyperledger/fabric-samples/blob/release/fabcar/registerUser.js#L56 like this: `return fabric_ca_client.register({enrollmentID: 'user1', affiliation: 'org1.department1', attributes: attributes1}, admin_user);`. However, when running this function, the created user doesn't have the attribute I added. Can someone help? What is the correct way to modify the above example code in order to add user attributes? Thanks.

gravity (Thu, 20 Sep 2018 14:28:13 GMT):
Hi all, is it actually possible to add additional attributes to an account certificate after registration? For example, if I create an account with an attribute `attr=someValue:ecert`, can I add a new attribute or change an existing one later?

skarim (Thu, 20 Sep 2018 14:31:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2JSf4d39DC3R7pNNz) @jvsclp Have you tried posting in the #fabric channel? I don't have much familiarity with the orderer.

skarim (Thu, 20 Sep 2018 14:31:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZPG6Cy7XQwPj4mcx7) @lapdin_de_blockchain The purpose of an affiliation is to provide *hierarchical* control on what an identity can do. For example, identity 1 with registrar privileges and affiliation *a.b* can perform registrar-type duties on identities with an affiliation of a.b, a.b.c, a.b.d, etc., but not on those with an affiliation of a.c.

jvsclp (Thu, 20 Sep 2018 14:32:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mdSZwQDWTHLbuRwka) @skarim I tried the fabric channel, but I just discovered the fabric-orderer channel so I'll be giving it a try. Thanks for giving my problem a go :slight_smile:

skarim (Thu, 20 Sep 2018 14:33:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DDJvEMQvL4FHafCuR) @krabradosty If you examine the X.509 certificate you should see that the type is listed as an 'OU' in the distinguished name.

skarim (Thu, 20 Sep 2018 14:34:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LHAYdQNbbWjhmwKwe) @rrishmawi In what context are the terms being used? To me, identity and participant mean the same thing.

skarim (Thu, 20 Sep 2018 14:36:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yDRkJJ4X83tgraNn7) @ynlfsd what version of CA are you using?

skarim (Thu, 20 Sep 2018 14:37:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jcNfuQBf64a5D66Lr) @Ryan2 This is a Node example; I would try posting in the #fabric-sdk-node channel. Someone there should be able to help you out.

Ryan2 (Thu, 20 Sep 2018 14:38:33 GMT):
https://chat.hyperledger.org/channel/fabric-ca?msg=jcNfuQBf64a5D66Lr I know how to solve this by referring to https://gerrit.hyperledger.org/r/#/c/14635/1/test/integration/fabric-ca-services-tests.js@274

skarim (Thu, 20 Sep 2018 14:41:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DHmrgLDZttzZAarmM) @gravity First you will have to update the identity to include the new attribute; you can use the modify identity command to help you with that. See https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#modifying-an-identity. Once the new attribute is associated with the identity, you will have to enroll again to get a new certificate.

gravity (Thu, 20 Sep 2018 14:45:29 GMT):
@skarim got it, thanks!

gravity (Thu, 20 Sep 2018 15:22:26 GMT):
@skarim Hi, one more question: what is the difference between `enroll` and `reenroll`?

jvsclp (Thu, 20 Sep 2018 15:28:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QncSuMQYzftN7gehF) @gravity `enroll` is for the initial enrollment of an identity, while `reenroll` allows an identity with an active certificate to get an updated certificate. For example, you enroll peer1 when standing up your organization, and a year later, when peer1's cert is coming up on its expiration, you reenroll peer1. There's more information here: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#reenrolling-an-identity

JuanSuero (Thu, 20 Sep 2018 16:15:22 GMT):
I'm getting `failed to invoke chaincode name:"lscc" , error: handler not found for chaincode mynetwork:0.0.1 failed to init chaincode` in the docker logs... not sure what to do. The only difference I have is that I use FQDNs for everything, and I'm sharing /etc/hyperledger/peer/msp, /etc/hyperledger/msp/users and /etc/hyperledger/configtx out from NFS, and they have user nobody/nogroup instead of user 1000/1000 when I exec into the container. Any ideas?

JuanSuero (Thu, 20 Sep 2018 16:31:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GsZm9kmJsvTnbxmdX) Also, I just tested without NFS on the same server (still using FQDNs everywhere; I set my /etc/hosts to resolve all of them to the same machine, 192.168.122.80) and I'm still getting this error.

GuillaumeTong (Fri, 21 Sep 2018 02:42:35 GMT):
Hi all, I have noticed it is possible to set up two CAs to share one database but have different certificates and keys. This can be convenient in my setup, where each organisation has two different CAs, one for the MSP and one for TLS, but they have exactly the same identities. However, I also noticed that in a setup where I have CA1 and CA2, I can have an admin connect to CA1 and obtain a revocation by CA1 of a certificate generated by CA2. Is this normal behavior? Is the resulting CRL actually usable?

qsmen (Fri, 21 Sep 2018 02:59:11 GMT):
Hi experts, cryptogen can generate MSP and TLS material. Now I want to generate a TLS cert for a newly added peer. How do I do that? Thank you.

lapdin_de_blockchain (Fri, 21 Sep 2018 05:40:25 GMT):
fabric-ca-server listens on port 7054. My question is, will the server also send messages to clients through port 7054? Thanks in advance.

amitkumar991 (Fri, 21 Sep 2018 06:03:43 GMT):
Has joined the channel.

amitkumar991 (Fri, 21 Sep 2018 06:03:57 GMT):
#fabric-chaintool

atirekg (Fri, 21 Sep 2018 06:04:00 GMT):
Has joined the channel.

atirekg (Fri, 21 Sep 2018 06:04:07 GMT):
Hi. Since I started on Hyperledger Fabric I have been asking myself a question and searching for it as well, but not getting the answer. When creating the docker containers for the HF development environment, org1[dot]example[dot]com is used in many areas. example[dot]com is a domain which we use to give examples in our documents, so should we change it when we are setting up our environment, or should it be kept as it is? What is the purpose of this and what does it represent? What is the purpose of using example[dot]com, and if we need to change it, then how can we replace it and set up a new domain? Say my domain is ati[dot]com; where should I replace it? Can anyone please clear my doubt?

varunagarwal (Fri, 21 Sep 2018 09:16:44 GMT):
Has joined the channel.

varunagarwal (Fri, 21 Sep 2018 09:17:14 GMT):
Hey guys, I am just starting out with `fabric-ca`; so far I have been using the default config that comes with composer. Is there any good resource or GitHub sample that I should start out with?

varunagarwal (Fri, 21 Sep 2018 09:18:13 GMT):
Basically I have been using the `./startFabric.sh` commands from `composer` and now need to shift into production, so I will need to run my own server and authentication keys.

ynlfsd (Fri, 21 Sep 2018 10:03:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BPQq2zMDdTMYCKnZp) @skarim 1.2.0

skarim (Fri, 21 Sep 2018 17:29:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NxybeadBGSgFXY5bm) @GuillaumeTong This is not best practice; two different CAs with separate signing keys should not be using the same database. As long as you know the serial and AKI of the certificate you will be able to revoke the certificate regardless of which CA issued it. I would highly recommend using different databases if different signing keys are being used.

HoneyShah (Sat, 22 Sep 2018 05:11:11 GMT):
Has anyone set up HAProxy?

skarim (Sun, 23 Sep 2018 19:40:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8KzcT3WDaCwkDiMK2) @HoneyShah I would start by reading https://hyperledger-fabric-ca.readthedocs.io/en/release-1.2/users-guide.html#setting-up-a-cluster

GuillaumeTong (Mon, 24 Sep 2018 01:04:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pFnYMSMjw8EGHaA8e) @skarim Noted, I'll avoid using this configuration then

Ilya_Eremenko (Mon, 24 Sep 2018 03:00:28 GMT):
Has joined the channel.

HoneyShah (Mon, 24 Sep 2018 03:16:08 GMT):
@skarim I have already read that and done some configuration, but I am a bit confused about the HAProxy setup. Any guide or demo for this?

mastersingh24 (Mon, 24 Sep 2018 10:07:32 GMT):
@HoneyShah - are you looking for specific guidance on how to set up HAProxy or something specific to Fabric CA? The documentation provided by haproxy itself is excellent ....

Jayshree_Devan (Mon, 24 Sep 2018 10:27:29 GMT):
Has joined the channel.

Jayshree_Devan (Mon, 24 Sep 2018 10:27:40 GMT):
Is there any API for enrolling the peers through the CA?

skarim (Mon, 24 Sep 2018 14:32:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZNax8C7fK9E9wzP3d) @Jayshree_Devan There is no specific API for enrolling peers; all identities use the same enroll API.

jmason900 (Mon, 24 Sep 2018 18:44:28 GMT):
Has joined the channel.

srinivasd (Tue, 25 Sep 2018 01:50:28 GMT):
Has joined the channel.

srinivasd (Tue, 25 Sep 2018 01:51:10 GMT):
Hi all, I have revoked an identity using the command `fabric-ca-client revoke -e peer1 -r keycompromise --gencrl`. How can I get the reason for a revoked identity using `fabric-ca-client`? Please advise. Thanks in advance.

HoneyShah (Tue, 25 Sep 2018 03:03:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bdMjYkfGNnaKfEhMh) @mastersingh24 I am trying to configure HAProxy for fabric-ca using docker but fail to resolve the CA (routing) through the proxy. So I wanted to verify whether all the steps I followed are correct or not.

HoneyShah (Tue, 25 Sep 2018 03:22:44 GMT):
@mastersingh24 I am also facing the issue described in https://stackoverflow.com/questions/52422179/how-to-start-intermediate-ca-using-docker-compose. Any help would be appreciated.

Roma_18 (Tue, 25 Sep 2018 08:09:05 GMT):
Has joined the channel.

jensmueller (Tue, 25 Sep 2018 09:25:07 GMT):
Has joined the channel.

smithbk (Tue, 25 Sep 2018 13:03:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZxX6EgSd8z7KdQ6bA) @HoneyShah Try looking at https://github.com/hyperledger/fabric-ca/blob/release-1.2/scripts/fvt/fabric-ca_setup.sh#L139 to see how fabric-ca FVT configures and runs haproxy

skarim (Tue, 25 Sep 2018 13:22:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5ccdee36-a374-4adc-becf-5ff17d991f2b) @srinivasd Currently there is no way to retrieve the reason for revocation. If this is something you desire, you can open a feature request.

srinivasd (Tue, 25 Sep 2018 13:46:30 GMT):
Hi all, I tried to configure the Hyperledger Fabric CA server to use the softhsm2 HSM module for the private key store by following this link: `https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#hsm`. I got the following error while starting the fabric-ca-server:
```
# fabric-ca-server init -b admin:adminpw
[INFO] Created default configuration file at /opt/gopath/fabric-ca-server-config.yaml
[INFO] Server Version: 1.2.0
[INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
[FATAL] Initialization failure: Failed to initialize BCCSP Factories: %!s() Could not find default `PKCS11` BCCSP
```
Please suggest how to resolve this. Thanks in advance.

srinivasd (Tue, 25 Sep 2018 13:47:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rBFKoZwbwakePKj9s) @skarim Ok, Thank you

krabradosty (Tue, 25 Sep 2018 16:14:51 GMT):
Hello! Should I have a separate CA for each of the organizations in my network?

jvsclp (Tue, 25 Sep 2018 19:24:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BbfQ9A6A5hzJ4GWBf) @krabradosty You mean a separate CA for Organization A, Org B, etc.? I'd recommend yes, have a separate CA for each separate organization as an entity. However, here are some other approaches you may take if they better fit your requirements: https://hyperledger-fabric.readthedocs.io/en/release-1.2/msp.html#best-practices

PyiTheinKyaw (Wed, 26 Sep 2018 03:44:30 GMT):
Has joined the channel.

ZL.HYPERLEDGER (Wed, 26 Sep 2018 06:50:00 GMT):
Has joined the channel.

ZL.HYPERLEDGER (Wed, 26 Sep 2018 06:50:03 GMT):
I have created a Hyperledger Fabric network using Hyperledger compose. Now I want to create a client on an Android smartphone to connect to the Fabric server. I have no idea about it; would anyone like to give me some advice?

githubcpc (Wed, 26 Sep 2018 07:17:08 GMT):
Has joined the channel.

Kelvin_Moutet (Wed, 26 Sep 2018 07:18:52 GMT):
Has joined the channel.

lapdin_de_blockchain (Wed, 26 Sep 2018 07:30:05 GMT):
With the fabric-sample/fabric-ca sample code, I managed to set up a network with two orgs and one orderer using the ./start.sh script. I tried to add a root CA org3 and add it to the channel. However, after the `peer channel update -f org3_update_in_envelope.pb -c $CHANNEL_NAME $ORDERER_CONN_ARGS` command, I got the following error: `Error: got unexpected status: BAD_REQUEST -- error authorizing update: Update not for correct channel: for mychannel`. Could anyone tell me what I am doing wrong? Thanks in advance :)

aneb (Wed, 26 Sep 2018 11:08:07 GMT):
Has joined the channel.

HoneyShah (Wed, 26 Sep 2018 11:50:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=K2qR4LzWnqrTuuSSK) @smithbk Thank you!!

Kelvin_Moutet (Wed, 26 Sep 2018 12:11:07 GMT):
Hello, I'm trying to adapt the **add a new organisation** tutorial (https://hyperledger-fabric.readthedocs.io/en/release-1.2/channel_update_tutorial.html#) to my current setup. But when I try to update the channel (after doing all the previous steps successfully) with `peer channel update --logging-level=DEBUG -f org3_update_in_envelope.pb -o orderer:7050 -c ${MYCHANNEL} --tls --clientauth --cafile ${ORDERER_CA} --keyfile ${CLIENT_KEYFILE} --certfile ${CLIENT_CERTFILE}`, I get this error message:
```
2018-09-26 09:08:46.430 UTC [orderer/common/broadcast] Handle -> WARN f2a [channel: mychannel] Rejecting broadcast of config message from 172.30.0.1:39324 because of error: initializing channelconfig failed: could not create channel Application sub-group config: setting up the MSP manager failed: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "rca-org3")
2018-09-26 09:08:46.430 UTC [orderer/common/server] func1 -> DEBU f2b Closing Broadcast stream
2018-09-26 09:08:46.432 UTC [common/deliver] Handle -> WARN f2c Error reading from 172.30.0.1:39322: rpc error: code = Canceled desc = context canceled
```
"rca-org3" is a reference to the Root CA of the new org that I'm trying to add to my current network. I also have these logs in the orderer:
```
Error: got unexpected status: BAD_REQUEST -- initializing channelconfig failed: could not create channel Application sub-group config: setting up the MSP manager failed: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "rca-org3")
```
Does someone have an insight to solve this issue? Thanks in advance :)

skarim (Wed, 26 Sep 2018 14:02:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=w44bJPbFRv8ebdaro) @Kelvin_Moutet When doing the peer channel update, are you using a peer admin identity that is trusted by the network?

Kelvin_Moutet (Wed, 26 Sep 2018 14:30:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bq6ZhLyjKDdqZktSJ) @skarim Hello skarim, thank you for your help. What do you mean by "using a peer admin identity"? Following the tutorial, I set the env variables to the peer identity before signing (for the first org) and again for the second org to do the update (which auto-signs the update envelope). If I just sign with one org, I get a message asking for at least 2 orgs' signatures for the update to be considered! Do you have another way to check that?

Kelvin_Moutet (Wed, 26 Sep 2018 14:36:34 GMT):
@skarim We can notice that the ledger shows an error message on the certificate of the new organisation (that we are trying to add) and not on the two already registered and enrolled organisations :)

alekhyam (Wed, 26 Sep 2018 15:47:38 GMT):
Has joined the channel.

zconger (Wed, 26 Sep 2018 16:40:02 GMT):
Has joined the channel.

raidinesh80 (Wed, 26 Sep 2018 19:57:09 GMT):
Has joined the channel.

raidinesh80 (Wed, 26 Sep 2018 19:58:54 GMT):
Do we have Idemix available with the Node.js SDK for fabric-ca-client? Any example of its use would be really appreciated. I can see from the Fabric 1.2 docs that it is only supported for the Java SDK.

caveman7 (Wed, 26 Sep 2018 23:54:54 GMT):
Has joined the channel.

indirajith (Thu, 27 Sep 2018 10:14:51 GMT):
Hi, can anyone help me understand what the fabric-ca-tools docker image does and what its purpose is? Can't we just use fabric-ca alone?

krabradosty (Thu, 27 Sep 2018 10:24:37 GMT):
Hello! I found an [article](https://medium.com/@wahabjawed/extending-hyperledger-fabric-network-adding-a-new-peer-4f52f70a7217) where authors generate credentials for a new peer of the existing organization using `cryptogen extend` command. Am I right that I can do this directly by making a request to the CA to create a new participant with *Peer* role?

halilkalkan (Thu, 27 Sep 2018 13:32:35 GMT):
Has joined the channel.

skarim (Thu, 27 Sep 2018 13:57:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BzEQ6ano958juM6mx) @raidinesh80 There is no Node SDK support for idemix yet

skarim (Thu, 27 Sep 2018 14:07:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vFR8qofyNsufFLX3z) @krabradosty Yes, using the CA with peer role should give you the same crypto material.

krabradosty (Thu, 27 Sep 2018 16:29:59 GMT):
What is the purpose of the certificate under the directory `./org1.example.com/msp/admincerts` that we provide in the genesis block for each organization? I see that this is the certificate of the organization's Admin, generated by `cryptogen`. But I can generate another admin via the CA later (with credentials from the Fabric CA server initialization) when my network is already running. What will be the difference between these admins? I can guess that only the first one can and should participate in, for example, a channel update.

jvsclp (Thu, 27 Sep 2018 16:49:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FfwG8TwdCmquhxbFa) @krabradosty For the first question, the admin certificates provide the membership service provider (MSP) properties showing that the admins are allowed to make certain configuration changes to the structure of the identities within the organization. The administrator certificates should have some properties (hf.Registrar, hf.AffiliationMgr, etc.) telling the fabric-ca-server what that administrator can control on identities registered and enrolled within the CA server. For the second question, the difference between your admins will be the root of trust. The admins generated by cryptogen will not have the necessary properties to show authority to make changes to the identities registered and enrolled with your CA server, and your admins from your CA would not be able to adjust identity properties of those generated through cryptogen. You also would not be able to mix and match admins, as I read your last sentence. Unless you plan on having two organizations, one whose entities are generated from cryptogen and the other from the fabric-ca service or another tool, the channel update would only be valid for members registered to the root of trust which generated the admin certificate.

krabradosty (Thu, 27 Sep 2018 17:39:28 GMT):
@jvsclp Thank you for the information.

blakem (Thu, 27 Sep 2018 21:09:41 GMT):
Has joined the channel.

blakem (Thu, 27 Sep 2018 21:19:44 GMT):
I am trying to modify my network so that it uses Fabric-CA instead of cryptogen. For some reason, I am getting an error regarding my configtx.yaml file. Please let me know if any of you have any pointers, as I would really appreciate any help.
```
2018-09-27 20:31:37.359 UTC [common/tools/configtxgen/localconfig] Load -> CRIT 003 Error reading configuration: While parsing config: yaml: unknown anchor 'OrdererMSP' referenced
setup | 2018-09-27 20:31:37.359 UTC [common/tools/configtxgen] func1 -> CRIT 004 Error reading configuration: While parsing config: yaml: unknown anchor 'OrdererMSP' referenced
setup | panic: Error reading configuration: While parsing config: yaml: unknown anchor 'OrdererMSP' referenced [recovered]
setup | panic: Error reading configuration: While parsing config: yaml: unknown anchor 'OrdererMSP' referenced
```

blakem (Thu, 27 Sep 2018 21:27:51 GMT):
```
/usr/local/bin/configtxgen
setup | ##### 2018-09-27 20:31:37 Generating orderer genesis block at hyperledger/generated_files/channel/genesis.block
setup | testing at
setup | /etc/hyperledger/fabric
setup | 2018-09-27 20:31:37.358 UTC [common/tools/configtxgen] main -> WARN 001 Omitting the channel ID for configtxgen is deprecated. Explicitly passing the channel ID will be required in the future, defaulting to 'testchainid'.
setup | 2018-09-27 20:31:37.358 UTC [common/tools/configtxgen] main -> INFO 002 Loading configuration
setup | 2018-09-27 20:31:37.359 UTC [common/tools/configtxgen/localconfig] Load -> CRIT 003 Error reading configuration: While parsing config: yaml: unknown anchor 'OrdererMSP' referenced
setup | 2018-09-27 20:31:37.359 UTC [common/tools/configtxgen] func1 -> CRIT 004 Error reading configuration: While parsing config: yaml: unknown anchor 'OrdererMSP' referenced
setup | panic: Error reading configuration: While parsing config: yaml: unknown anchor 'OrdererMSP' referenced [recovered]
setup | panic: Error reading configuration: While parsing config: yaml: unknown anchor 'OrdererMSP' referenced
setup |
setup | goroutine 1 [running]:
setup | github.com/hyperledger/fabric/vendor/github.com/op/go-logging.(*Logger).Panic(0xc420191e00, 0xc4203d6380, 0x1, 0x1)
setup | /opt/gopath/src/github.com/hyperledger/fabric/vendor/github.com/op/go-logging/logger.go:188 +0xbd
setup | main.main.func1()
setup | /opt/gopath/src/github.com/hyperledger/fabric/common/tools/configtxgen/main.go:254 +0x1ae
setup | panic(0xc6ea00, 0xc4203d6370)
setup | /opt/go/src/runtime/panic.go:505 +0x229
setup | github.com/hyperledger/fabric/vendor/github.com/op/go-logging.(*Logger).Panic(0xc420191c50, 0xc42018b700, 0x2, 0x2)
setup | /opt/gopath/src/github.com/hyperledger/fabric/vendor/github.com/op/go-logging/logger.go:188 +0xbd
setup | github.com/hyperledger/fabric/common/tools/configtxgen/localconfig.Load(0x7ffd48321736, 0x15, 0x0, 0x0, 0x0, 0x1)
setup | /opt/gopath/src/github.com/hyperledger/fabric/common/tools/configtxgen/localconfig/config.go:277 +0x469
setup | main.main()
setup | /opt/gopath/src/github.com/hyperledger/fabric/common/tools/configtxgen/main.go:265 +0xce7
setup exited with code 2
```

srinivasd (Fri, 28 Sep 2018 05:10:57 GMT):
@skarim Hi, I tried to configure the Hyperledger Fabric CA server to use the softhsm2 HSM module for the private key store by following this link `https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#hsm`. Got the following error while starting the fabric-ca-server:
```
# fabric-ca-server init -b admin:adminpw
[INFO] Created default configuration file at /opt/gopath/fabric-ca-server-config.yaml
[INFO] Server Version: 1.2.0
[INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
[FATAL] Initialization failure: Failed to initialize BCCSP Factories: %!s() Could not find default `PKCS11` BCCSP
```

yulong12 (Fri, 28 Sep 2018 05:39:14 GMT):
Hi, who can help me with this question? https://stackoverflow.com/questions/52548965/how-to-set-tls-in-fabric-ca

DheerajBalodia (Fri, 28 Sep 2018 06:32:51 GMT):
Has joined the channel.

skarim (Fri, 28 Sep 2018 13:21:12 GMT):
@srinivasd In your server's configuration file, do you have the following section?
```
bccsp:
    default: PKCS11
    pkcs11:
        Library: /usr/local/Cellar/softhsm/2.1.0/lib/softhsm/libsofthsm2.so
        Pin: 98765432
        Label: ForFabric
        hash: SHA2
        security: 256
        filekeystore:
            # The directory used for the software file-based keystore
            keystore: msp/keystore
```

skarim (Fri, 28 Sep 2018 13:30:29 GMT):
@yulong12 You are using a TLS certificate that is valid for peer0.org1.example.com, but in your client request you use 'localhost'. You need a TLS certificate that also has 'localhost' in its SANs. FYI, if you enable TLS on the server without providing a TLS certificate, it will automatically generate one for you that you can use.

srinivasd (Fri, 28 Sep 2018 13:46:58 GMT):
@skarim `/usr/local/Cellar/softhsm/2.1.0/lib/softhsm/libsofthsm2.so` is this the default path, or does it vary?

skarim (Fri, 28 Sep 2018 13:47:53 GMT):
@srinivasd I believe that is the default path on mac os

ashutosh_kumar (Fri, 28 Sep 2018 14:04:20 GMT):
@srinivasd, the path is OS specific.

rmorbach (Fri, 28 Sep 2018 14:18:58 GMT):
Has joined the channel.

rmorbach (Fri, 28 Sep 2018 14:20:15 GMT):
Can anyone give an example of assembling the Authorization header when using the Fabric CA server REST API? _an enrollment certificate; a signature over the certificate and body of request._

srinivasd (Fri, 28 Sep 2018 14:43:13 GMT):
@skarim After using this configuration I am still getting the same error

krabradosty (Fri, 28 Sep 2018 14:56:05 GMT):
I've decoded a peer certificate from one of the Fabric examples:
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f9:70:17:fa:d4:65:43:fd:9a:a3:78:c1:29:a5:e2:2b
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1.example.com
        Validity
            Not Before: Aug 31 09:14:32 2017 GMT
            Not After : Aug 29 09:14:32 2027 GMT
        Subject: C=US, ST=California, L=San Francisco, CN=peer0.org1.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:78:a1:c5:6e:a4:b3:70:76:fb:95:dd:6c:05:6a:
                    dc:20:60:c5:14:51:67:6d:b1:cf:3a:6a:9c:3f:3a:
                    9c:a9:33:ed:f0:44:94:1b:a1:95:79:76:2b:aa:d3:
                    c7:26:36:38:13:81:d2:db:3c:91:ea:99:f7:7c:6e:
                    79:11:b2:9a:b6
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:42:39:AA:0D:CD:76:DA:EE:B8:BA:0C:DA:70:18:51:D1:45:04:D3:1A:AD:1B:2D:DD:DB:AC:6A:57:36:5E:49:7C
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:f8:8f:44:67:7b:5a:eb:77:41:52:0b:3b:11:
         ea:ef:88:ba:e3:ca:e5:d2:3f:91:1f:db:87:bf:95:2d:fd:13:
         36:02:20:09:f5:2d:90:9b:df:bf:35:44:c1:92:c5:a0:5c:a3:
         a0:7b:6b:b6:fc:33:35:44:b5:53:48:44:a8:86:83:7a:8e
```
How does the Orderer know that this certificate belongs to a peer and not to a client of the organization (when validating the endorsement policy)?

jvsclp (Fri, 28 Sep 2018 15:23:14 GMT):
@krabradosty First, towards the bottom there's a property called `X509v3 Authority Key Identifier` or AKI. That AKI should match the issuing authority's Subject Key Identifier (SKI). The AKI is what you need to compare to a claimed issuer's SKI to lead back to the root of trust. Second, the Orderer will know the certificate belongs to a peer based on how the node is configured. For example, in `docker-compose-cli.yaml` and `docker-compose-base.yaml` the peer will be set up to broadcast itself as a peer node from which transactions can be endorsed. A client by definition connects to its organization's peer node(s), not the orderer, to submit transaction requests.

krabradosty (Fri, 28 Sep 2018 15:38:06 GMT):
@jvsclp Got it. But in that case I'm confused about endorsement policies. In the docs they say that 4 roles exist: member, admin, client, and peer. So I expect that each participant has an appropriate attribute (hf.Type?) within its certificate that should be used during validation of policies. Could you give some comments about that? Thanks. I really appreciate your help.

jvsclp (Fri, 28 Sep 2018 15:55:45 GMT):
@krabradosty I can't speak to the reasoning behind why the Hyperledger Fabric team decided to set up their certificates this way. Perhaps simplicity of setup or ease of use across different systems, I don't know. That being said, you are correct, four roles do exist and certificates issued using fabric-ca do have the attributes present. Here's an example of an orderer certificate I generated using fabric-ca showing the different attribute types: https://hastebin.com/inepawiqiw.rb

rmorbach (Fri, 28 Sep 2018 17:59:10 GMT):
Up

zacpl (Fri, 28 Sep 2018 18:35:41 GMT):
Has joined the channel.

sivak2018 (Sat, 29 Sep 2018 04:23:44 GMT):
Has joined the channel.

liuhy (Sat, 29 Sep 2018 06:39:41 GMT):
Has joined the channel.

guhy1011 (Sat, 29 Sep 2018 08:32:28 GMT):
Has joined the channel.

guhy1011 (Sat, 29 Sep 2018 08:32:38 GMT):
hi

akshay.sood (Sun, 30 Sep 2018 04:43:15 GMT):
I need expert reviews on this question https://stackoverflow.com/questions/52574694/user-registration-login-in-hyperledger-fabric

MohammadObaid (Sun, 30 Sep 2018 06:48:43 GMT):
@smithbk I am having a little problem with my affiliations. I defined my affiliations like this in fabric-ca-server-config.yaml:
```
org2:
  - department1
  - department2
  -member1
```
When I am trying to register a user with affiliation `org2.department2.member1` I am getting the error `failed to find affiliation`. Am I doing something wrong here?

MohammadObaid (Sun, 30 Sep 2018 06:50:05 GMT):
my sqlite affiliation table contains an entry like this: `org2.department2 - member1|org2|1`

HoneyShah (Mon, 01 Oct 2018 03:43:46 GMT):
Can anyone please help in this? https://stackoverflow.com/questions/52422179/how-to-start-intermediate-ca-using-docker-compose

asaningmaxchain123 (Mon, 01 Oct 2018 04:59:20 GMT):
@mastersingh24 for the bccsp plugin, does it support Go? I have now written the bccsp plugin and it generates a gm.a static lib, so how can I make it work?

srinivasd (Mon, 01 Oct 2018 05:51:15 GMT):
@skarim Hi, when I configured HSM with PKCS11, I am getting opts.Swopts as nil `https://github.com/hyperledger/fabric-ca/blob/release-1.2/util/configurebccspnopkcs11.go#L68`

atirekg (Mon, 01 Oct 2018 06:53:26 GMT):
Hello, if anyone can help me set up a demo for login: I have all the basic knowledge but I am not able to work out how to set up a CA authority to approve the transactions and logins for different kinds of users

PKA (Mon, 01 Oct 2018 07:52:31 GMT):
Has joined the channel.

migrenaa (Mon, 01 Oct 2018 09:08:48 GMT):
Hello guys :) . As far as I understand I cannot revoke certificates using the SDK, because the CRLs are not being updated on the peers and orderers. How do you do this? And why is there a revoke method in the SDK, having in mind that it is not actually revoking the certificates of the identity :/ ?

migrenaa (Mon, 01 Oct 2018 09:10:11 GMT):
@atirekg you can use the fabric-ca sample from the fabric samples repo. I have used it, it is working quite well and you have the root CA and intermediate CA configurations :)

atirekg (Mon, 01 Oct 2018 09:23:20 GMT):
@migrenaa Thanks Migrenaa, right now I am using https://github.com/hyperledger/education/tree/master/LFS171x as an example. But I am not able to find how I can set up logins for users, like CAs, and Buyer, Seller with specific roles and actions

atirekg (Mon, 01 Oct 2018 09:25:55 GMT):
if you can help me in this will be very helpful to me

atirekg (Mon, 01 Oct 2018 09:25:55 GMT):
if you can guide me in this will be very helpful to me

atirekg (Mon, 01 Oct 2018 09:25:55 GMT):
if you can guide me in this will be very helpful

asaningmaxchain123 (Mon, 01 Oct 2018 10:28:19 GMT):
@mastersingh24 can you take a look? In fabric-ca, using the bccsp with a plugin, below is my configuration, can you take a look?

asaningmaxchain123 (Mon, 01 Oct 2018 10:28:23 GMT):
Clipboard - October 1, 2018 6:28 PM

MohammadObaid (Mon, 01 Oct 2018 10:36:59 GMT):
Hey all. I am running the CA server locally without docker. Now, to create and run an intermediate server, should I modify my fabric-ca-server config file or just run this command https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enrolling-an-intermediate-ca ?

skarim (Mon, 01 Oct 2018 13:51:46 GMT):
@MohammadObaid I would just run the command

skarim (Mon, 01 Oct 2018 13:53:13 GMT):
@migrenaa I am not sure which SDK you are using, but in Java you can request a CRL after revoking a certificate. You can then do a config update on the orderer to update the CRL, and for the peer I believe you have to manually copy the CRL into the MSP.

skarim (Mon, 01 Oct 2018 13:54:40 GMT):
@atirekg The CA has no role in approving transactions; the CA issues enrollment certificates which are then used in Fabric. Can you explain what you mean by different kinds of users?

skarim (Mon, 01 Oct 2018 13:54:55 GMT):
@srinivasd Can you send me your config file?

ashutosh_kumar (Mon, 01 Oct 2018 13:57:37 GMT):
@srinivasd, opts.Swopts should be nil.

ashutosh_kumar (Mon, 01 Oct 2018 13:57:53 GMT):
So you are getting the right behavior there.

atirekg (Mon, 01 Oct 2018 13:58:36 GMT):
@skarim By different types of users I mean Buyer, Seller, Supplier and so on. I have got the concept of affiliations from @migrenaa, so I am trying that now

srinivasd (Mon, 01 Oct 2018 14:44:45 GMT):
@skarim this is the configuration I used. I just replaced the library path with `/usr/local/lib/` and left the rest as it is

srinivasd (Mon, 01 Oct 2018 14:46:40 GMT):
@ashutosh_kumar Ok, thanks. I am unable to start the fabric-ca server due to this error: `failed to intialise the bccsp factories`

skarim (Mon, 01 Oct 2018 17:03:31 GMT):
@srinivasd Can you enable debug logging when you start up the server and please share those logs? You can pass in the `-d` flag on the command line. Thanks.

MohammadObaid (Mon, 01 Oct 2018 17:48:39 GMT):
Hey @skarim So my root fabric-ca-server is running on an AWS VPS, and then I tried to enroll the intermediate server by first registering it with attr `hf.IntermediateCA=true` and then running this command:
```
fabric-ca-server start -b admin:adminpw -u http://intermediateserver:kqVtKnXAAcLA@xxx-xx-xx-xxx-xxx.compute-1.amazonaws.com:7054
```
It generates the fabric-ca-server config file and db files in my local directory and starts listening. Now the problem is that those generated files contain default entries and affiliations and not the ones which I added in my root server. Is it normal? Shouldn't it generate the same db file and the same server configuration file as the root server?

skarim (Mon, 01 Oct 2018 17:52:13 GMT):
@MohammadObaid yes, that is normal. Each CA has its own configuration and thus its own db and affiliations settings. If you want to use different affiliations than the default, I would delete the database that was created, modify the config file to use the affiliations that you desire, and then restart the server. You can also use the following command to modify affiliations: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#dynamically-updating-affiliations

MohammadObaid (Mon, 01 Oct 2018 17:53:28 GMT):
@skarim thanks. But how then does the intermediate server link up with the root server if both have different configurations and databases?

skarim (Mon, 01 Oct 2018 17:54:12 GMT):
The only link is that the certificate of the intermediate server is signed by the root CA, and thus the chain of trust is established

MohammadObaid (Mon, 01 Oct 2018 17:56:57 GMT):
Okay, thanks, and then the intermediate server can have its own affiliations and things, right?

skarim (Mon, 01 Oct 2018 17:57:05 GMT):
right

MohammadObaid (Mon, 01 Oct 2018 17:57:52 GMT):
Thanks :)

gmkprabhu1983 (Mon, 01 Oct 2018 20:31:13 GMT):
Has joined the channel.

uherr89 (Tue, 02 Oct 2018 01:48:11 GMT):
Has joined the channel.

asaningmaxchain123 (Tue, 02 Oct 2018 03:13:03 GMT):
@skarim what's the best practice in a production env, like how many intermediate CAs and the depth of the CA hierarchy?

Bartb0 (Tue, 02 Oct 2018 10:39:57 GMT):
Has joined the channel.

mastersingh24 (Tue, 02 Oct 2018 11:03:55 GMT):
@asaningmaxchain123 - you should likely run at least 2 instances of the Fabric CA server. Generally speaking, you'd likely want to have a root CA and at least two intermediate CA instances. You would then take the root CA offline. It's up to you whether or not you go with a shared cert pair for your intermediate CAs.

asaningmaxchain123 (Tue, 02 Oct 2018 11:10:56 GMT):
what's the shared cert pair?

asaningmaxchain123 (Tue, 02 Oct 2018 11:43:26 GMT):
@skarim That means that each CA only manages its own properties; it doesn't affect the sub CA? @smithbk

micklynch (Tue, 02 Oct 2018 13:40:00 GMT):
Has joined the channel.

micklynch (Tue, 02 Oct 2018 13:41:46 GMT):
hello there everyone! :wave: I have a question about making my transactions generic for multiple assetTypes...is there a beginner room in here that I should be asking in?

rrishmawi (Tue, 02 Oct 2018 14:10:34 GMT):
Hi experts, does restarting fabric-ca reset identities?

skarim (Tue, 02 Oct 2018 14:45:10 GMT):
@asaningmaxchain123 Right, each CA manages its own affiliations, identities, and certificates

skarim (Tue, 02 Oct 2018 14:45:19 GMT):
@rrishmawi No, it will not reset identities

asaningmaxchain123 (Wed, 03 Oct 2018 02:08:32 GMT):
@skarim can you explain `Getting Idemix CRI (Certificate Revocation Information)` in more detail?

srinivasd (Wed, 03 Oct 2018 03:25:24 GMT):
@skarim This is the configuration that I used, and the debug logs are at this link `https://hastebin.com/defotezitu.rb`

MaddaliPadmaja (Wed, 03 Oct 2018 07:12:24 GMT):
Has joined the channel.

skarim (Wed, 03 Oct 2018 13:48:09 GMT):
@asaningmaxchain123 Do you have a specific question? CRI works similarly to X509's CRL, but it is for Idemix credentials. Also, revocation is not currently supported for Idemix

blakem (Wed, 03 Oct 2018 14:48:57 GMT):
for a custom fabric-ca network, I am getting the following error when I try to run "start-peer.sh"
```
2018/10/03 14:38:34 [DEBUG] Received response statusCode=401 (401 Unauthorized)
Error: Response from server: Error Code: 20 - Authorization failure
```

blakem (Wed, 03 Oct 2018 14:49:23 GMT):
If anyone could assist by pointing me in the right direction, I'd appreciate it.

skarim (Wed, 03 Oct 2018 15:14:57 GMT):
@blakem Can you explain a bit more what you mean by "custom"? The start-peer.sh is a script that is executed as part of the fabric-ca sample, which is launched by running the `start.sh` script and not `start-peer.sh`. The error you are getting happens when you try to perform an action on the CA but you lack the proper access, usually because you are using the wrong certificate.

srinivasd (Wed, 03 Oct 2018 15:47:37 GMT):
@skarim hi, I have shared the debug log info with you

skarim (Wed, 03 Oct 2018 15:51:37 GMT):
@srinivasd thanks! We are looking into it

srinivasd (Wed, 03 Oct 2018 16:11:00 GMT):
@skarim Thank you

atirekg (Wed, 03 Oct 2018 16:26:28 GMT):
Guys

atirekg (Wed, 03 Oct 2018 16:26:35 GMT):
`Failed to invoke successfully :: Error: fabric-ca request register failed with errors [[{"code":0,"message":"Registration of 'office111' failed in affiliation validation: Failed getting affiliation 'org1.office': : scode: 404, code: 63, msg: Failed to get Affiliation: sql: no rows in result set"}]]`

atirekg (Wed, 03 Oct 2018 16:27:43 GMT):
Getting this error when registering a user

atirekg (Wed, 03 Oct 2018 16:28:21 GMT):
Added the following code in configtx.yaml

atirekg (Wed, 03 Oct 2018 16:28:22 GMT):
```
#############################################################################
#  Affiliation section
#############################################################################
affiliations:
   org1:
      - department1
      - office
      - office1
      - office2
```

atirekg (Wed, 03 Oct 2018 16:28:28 GMT):
Still getting the error

jvsclp (Wed, 03 Oct 2018 16:36:44 GMT):
@atirekg I've had this issue before too, when my affiliations section was set up correctly when initializing and starting a CA server. I resolved it by forcing the affiliation. From your administrator's `FABRIC_CA_CLIENT_HOME` run `fabric-ca-client affiliation add `. If that doesn't work, try the `--force` flag. More info can be found here: https://hyperledger-fabric-ca.readthedocs.io/en/latest/clientcli.html

atirekg (Wed, 03 Oct 2018 16:50:16 GMT):
@jvsclp thanks, I am trying this

blakem (Wed, 03 Oct 2018 17:12:57 GMT):
@skarim I took the sample network and modified a few things, including the configtx.yaml file and the names of the orgs.

ashutosh_kumar (Wed, 03 Oct 2018 19:25:37 GMT):
@srinivasd, I was able to reproduce the problem. Before running the fabric-ca-server command, you need to initialize softhsm. You should run this command: `softhsm2-util --init-token --slot 0 --label <> --so-pin <> --pin <>`

ashutosh_kumar (Wed, 03 Oct 2018 19:26:08 GMT):
After that, you can run the fabric-ca-server command.

ashutosh_kumar (Wed, 03 Oct 2018 19:32:25 GMT):
You need to read the doc carefully

ashutosh_kumar (Wed, 03 Oct 2018 19:34:03 GMT):
:wink:

alek (Wed, 03 Oct 2018 20:38:46 GMT):
guys, i have a question, most probably to @aambati or @skarim to LDAP converters, lest say that for LDAP identity have `DN= cn=admin1,ou=admin,ou=engineering,ou=Groups,dc=mydomain,dc=example,dc=com` and converters in ca-server-config: ```names: ['ou','cn', 'dc'] converters: - name: property_ou value: attr("ou") - name: property_cn value: attr("cn") - name: property_dc value: attr("dc")``` and then perform enrollment user with all of these attributes. The attributes attached to ecert looks like this: `{"attrs":{"property_cn":"admin1","property_dc":"","property_ou":""}}` so generally when using properties that occur only once in DN works fine (`cn` is unique) and values are properly mapped, but when doing that with LDAP properties that are used more than once: ( `ou` 3 times: `ou=admin,ou=engineering,ou=Groups`, `dc` 3 times: `dc=mydomain,dc=example,dc=com` ) i am getting empty string. Is that expected behavious or that's bug ?

skarim (Wed, 03 Oct 2018 21:15:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AEC8JoyzRRs4G988G) @alek let me investigate this, and i'll get back to you

alek (Wed, 03 Oct 2018 23:03:17 GMT):
@skarim sure, many thanks !

srinivasd (Thu, 04 Oct 2018 01:37:05 GMT):
@ashutosh_kumar I have taken reference from `https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#hsm` and `https://github.com/opendnssec/SoftHSMv2`. I used this command to init a token: `softhsm2-util --init-token --slot 0 --label Label1 --so-pin 1234 --pin 93845132`. I can see the created slots using `softhsm2-util --show-slots` and the output is at `https://hastebin.com/elepabahop.nginx`. Even so, I am still getting the above mentioned error.

MohammadObaid (Thu, 04 Oct 2018 06:24:16 GMT):
Hey, can we use the Let's Encrypt CA instead of fabric-ca in Fabric?

mrjdomingus (Thu, 04 Oct 2018 08:06:26 GMT):
Has joined the channel.

MohammadObaid (Thu, 04 Oct 2018 08:40:05 GMT):
Hey @skarim, I will need a little bit of your assistance. I am trying to enroll an intermediate server with root affiliation. This is the command I am running to register that identity:
```
fabric-ca-client register --id.name intermediateserver --id.affiliation "." --id.attrs 'hf.Registrar.DelegateRoles= *,hf.Revoker=true,hf.IntermediateCA=true,hf.GenCRL=true,hf.Registrar.Attributes= *,hf.AffiliationMgr=true,hf.Registrar.Roles= *'
```
but I am getting the error `Caller does not have authority to act on affiliation ''`. Can we register the intermediateserver identity with the same root level access as the root CA?

MohammadObaid (Thu, 04 Oct 2018 11:48:44 GMT):
Hey guys @smithbk @skarim is there any guide as how to configure fabric-ca-server and fabric-ca-client with tls enabled ? I am following this one https://lists.hyperledger.org/g/fabric/message/2353 but continuously getting `bad certificate` error

migrenaa (Thu, 04 Oct 2018 13:03:04 GMT):
Hey guys! I am trying to revoke certificates using fabric-ca-client inside the fabric-tools container. I am also updating the config block using `configtxlator` in order to update the Certificate Revocation List. I am fetching the block and creating the payload successfully, but when I try to update the block I am getting an error:
```
Error: got unexpected status: BAD_REQUEST -- initializing channelconfig failed: could not create channel Orderer sub-group config: Attempted to define two different versions of MSP: MSPId
```
Do you have any idea what might cause the issue?

ashutosh_kumar (Thu, 04 Oct 2018 13:58:39 GMT):
@srinivasd, somehow the error being thrown by fabric-ca-server is truncated. In my setup, I get an error indicating the reason for the problem. Can you please look into the fabric-ca-server log again and show it to me?

skarim (Thu, 04 Oct 2018 14:00:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DC8kQJEkWD77HZuoX) @MohammadObaid What identity are you using to register this user? Does this identity also have root affiliation? You need to have the same or a higher level affiliation as the caller.

skarim (Thu, 04 Oct 2018 14:02:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nbepPscHdT6M8A2Tg) @MohammadObaid Is this with mutual auth? If no mutual auth, in your client config under the tls section did you set the certfiles property?

skarim (Thu, 04 Oct 2018 14:03:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KYZhvFpQcWPEec5eR) @migrenaa You might want to ask this in the #fabric channel. But, from the error message, you might have two MSPs configured with the id `MSPId` in your configtx.yaml.

migrenaa (Thu, 04 Oct 2018 14:06:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=M5BDmpc5Ej23LTgfj) @skarim Thank you for the response. I have a single Organisation. I don't have multiple MSPs for sure. I will ask in the other channel.

ashutosh_kumar (Thu, 04 Oct 2018 14:20:20 GMT):
@srinivasd, I was able to reproduce your problem, I think. Can you do me a favor: run this command: `softhsm2-util --init-token --slot 0 --label "ForFabric" --so-pin 1234 --pin 98765432` and tell me what you get.

ashutosh_kumar (Thu, 04 Oct 2018 14:34:32 GMT):
@srinivasd, make sure the HSM parameters you created with softhsm2-util match the ones you have defined in the fabric-ca-server-config.yaml file.

ashutosh_kumar (Thu, 04 Oct 2018 14:34:59 GMT):
I had those two mismatched in my test, which caused it to fail.

ashutosh_kumar (Thu, 04 Oct 2018 14:39:43 GMT):
can you share your fabric-ca-server-config.yaml file?

MohammadObaid (Thu, 04 Oct 2018 17:04:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xoddbYE74tPW2wXeS) @skarim no mutual auth. At the client side I tried to create cert files using openssl and update the client-config.yaml file, but that didn't work. After that I tried to follow the steps mentioned in https://lists.hyperledger.org/g/fabric/message/2353, which also didn't work.

ashutosh_kumar (Thu, 04 Oct 2018 17:19:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AEC8JoyzRRs4G988G) @alek, I am setting up my test environment to test out your scenario.

grsind19 (Thu, 04 Oct 2018 17:21:09 GMT):
I'm facing an issue when I init the fabric-ca-server: I am not able to locate the generated ca-key.pem file.
```
2018/10/04 22:28:42 [INFO] Created default configuration file at /Users/dreambig/Seetha/Blockchain/HyperLedger/fabric-ca/rootca/fabric-ca-server-config.yaml
2018/10/04 22:28:42 [INFO] Server Version: 1.2.0
2018/10/04 22:28:42 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2018/10/04 22:28:42 [WARNING] &{69 The specified CA certificate file /Users/dreambig/Seetha/Blockchain/HyperLedger/fabric-ca/rootca/ca-cert.pem does not exist}
2018/10/04 22:28:42 [INFO] generating key: &{A:ecdsa S:256}
2018/10/04 22:28:42 [INFO] encoded CSR
2018/10/04 22:28:42 [INFO] signed certificate with serial number 482281718199235672673681231647746982638213106698
2018/10/04 22:28:42 [INFO] The CA key and certificate were generated for CA
2018/10/04 22:28:42 [INFO] The key was stored by BCCSP provider 'SW'
2018/10/04 22:28:42 [INFO] The certificate is at: /Users/dreambig/Seetha/Blockchain/HyperLedger/fabric-ca/rootca/ca-cert.pem
2018/10/04 22:28:42 [INFO] Initialized sqlite3 database at /Users/dreambig/Seetha/Blockchain/HyperLedger/fabric-ca/rootca/fabric-ca-server.db
2018/10/04 22:28:42 [INFO] The issuer key was successfully stored. The public key is at: /Users/dreambig/Seetha/Blockchain/HyperLedger/fabric-ca/rootca/IssuerPublicKey, secret key is at: /Users/dreambig/Seetha/Blockchain/HyperLedger/fabric-ca/rootca/msp/keystore/IssuerSecretKey
2018/10/04 22:28:42 [INFO] The revocation key was successfully stored. The public key is at: /Users/dreambig/Seetha/Blockchain/HyperLedger/fabric-ca/rootca/IssuerRevocationPublicKey, private key is at: /Users/dreambig/Seetha/Blockchain/HyperLedger/fabric-ca/rootca/msp/keystore/IssuerRevocationPrivateKey
2018/10/04 22:28:42 [INFO] Home directory for default CA: /Users/dreambig/Seetha/Blockchain/HyperLedger/fabric-ca/rootca
2018/10/04 22:28:42 [INFO] Initialization was successful
```

grsind19 (Thu, 04 Oct 2018 17:21:31 GMT):
Where can I find the file?

jvsclp (Thu, 04 Oct 2018 17:49:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AnWLmBAo449JvoycA) @grsind19 When the log says `CA key and certificate were generated for CA`, the key should be located in `msp/keystore`, and it will be a file with `_sk` at the end.

grsind19 (Thu, 04 Oct 2018 17:52:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=25yYD4ZQzLGKboS64) @jvsclp When I do the same init inside a docker container I am able to see the ca-key.pem file. I understand the private key is under keystore/msp. Is there something different between the container and running with the go binary?

grsind19 (Thu, 04 Oct 2018 17:54:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=25yYD4ZQzLGKboS64) @jvsclp Thanks a lot.

skarim (Thu, 04 Oct 2018 17:54:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KW558jDhreD9aqEdJ) @MohammadObaid Did you start the server with the tls cert/key that you created with openssl? You could use `--tls.keyfile` and `--tls.certfile` when starting up the server. Then in your client, if the `certfiles` is correctly pointing to this certificate, it should work. Can you confirm that is what you have done?

pianoraptor (Fri, 05 Oct 2018 02:24:15 GMT):
Has joined the channel.

pianoraptor (Fri, 05 Oct 2018 02:26:27 GMT):
@skarim Hi, I wanted to let you know, I'm having the exact same error as @srinivasd is having setting up the PKCS11 provider. I worked on it for 6 hours today. Any ideas?

srinivasd (Fri, 05 Oct 2018 02:59:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=joCB5qiJeY9auyFaG) @ashutosh_kumar Hi, All the details of the server config and init-token are present in this link `https://hastebin.com/oqiquyupob.shell`

LevinLMKwong (Fri, 05 Oct 2018 03:13:32 GMT):
Has joined the channel.

LevinLMKwong (Fri, 05 Oct 2018 03:21:11 GMT):
Hi guys, in order to move on to a production environment, I need to use fabric-CA to generate the certificates for the MSP. Do I still need to configure everything like the CSR, or can I just use the docker compose setting and configure those environment variables like `TARGET_CERTFILE`? In other words, what I want is to use 1 (or a few) certificates to generate all MSP materials. I don't need fabric-ca up and running to register/enroll future users.

MohammadObaid (Fri, 05 Oct 2018 07:22:47 GMT):
Hey @skarim thanks for the followup. So I was able to use TLS with fabric-ca-client by following these steps: 1- Using openssl on fabric-ca-server, create the TLS keyfile and certfile. 2- Start fabric-ca-server. 3- Copy the cert file generated in step 1 to the fabric-ca-client system. 4- Point fabric-ca-client to that certificate. 5- Run fabric-ca-server and fabric-ca-client. Now I want to start an intermediate server with TLS enabled. For that I am doing this:
```
fabric-ca-server start -b admin:adminpw -u https://intermediateserver:vkajYvWAomOM@xxx-xx-xx-xxx-xxx.compute-1.amazonaws.com:7054 --tls.enabled --tls.keyfile intermediateprivatekeyserver.pem --tls.certfile intermediateserver.pem
```
for which I am getting the error `Error: Failed to get client TLS config: No TLS certificate files were provided`. For the intermediate server I generated separate cert files using openssl. Do I need to use the same cert files and keys generated for the root certificate?

vtech (Fri, 05 Oct 2018 07:53:05 GMT):
Has joined the channel.

vtech (Fri, 05 Oct 2018 07:53:13 GMT):
Hi, I am enabling the softHSM feature using the Hyperledger Fabric CA client by setting 'bccsp' to 'PKCS11'. Now when I try to bring up the network from ..fabric/examples/e2e_cli/network_setup.sh it is throwing the error `ERRO 018 Cannot run peer because error when setting up MSP of type bccsp from directory /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp: could not initialize BCCSP Factories: Failed initializing BCCSP.: Could not initialize BCCSP SW [Failed to initialize software key store: An invalid KeyStore path provided. Path cannot be an empty string.] Could not find default `PKCS11` BCCSP`. Can somebody please guide me on this? Below is the error trace for the same.
```
Creating orderer.example.com ...
Creating cli ...
Channel name : mychannel
Check orderering service availability...
Attempting to fetch system channel 'e2e-orderer-syschan' ...3 secs
Attempting to fetch system channel 'e2e-orderer-syschan' ...60 secs
--------------------------------------------
2018-10-04 13:54:28.866 UTC [viperutil] getKeysRecursively -> DEBU 016 Found real value for peer.BCCSP.Default setting to string PKCS11
2018-10-04 13:54:28.866 UTC [viperutil] EnhancedExactUnmarshalKey -> DEBU 017 map[peer.BCCSP:map[SW:map[Hash:SHA2 Security:256 FileKeyStore:map[KeyStore:]] PKCS11:map[Pin:******* Hash:SHA2 Security:256 Library:/etc/hyperledger/fabric/dpod/orderer.example.com/libs/64/libCryptoki2.so Label:orderer.example.com] Default:PKCS11]]
2018-10-04 13:54:28.866 UTC [main] InitCmd -> ERRO 018 Cannot run peer because error when setting up MSP of type bccsp from directory /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp: could not initialize BCCSP Factories: Failed initializing BCCSP.: Could not initialize BCCSP SW [Failed to initialize software key store: An invalid KeyStore path provided. Path cannot be an empty string.] Could not find default `PKCS11` BCCSP
!!!!!!!!!!!!!!! Ordering Service is not available, Please try again ... !!!!!!!!!!!!!!!!
================== ERROR !!! FAILED to execute End-2-End Scenario ==================
```

Aschi (Fri, 05 Oct 2018 08:26:12 GMT):
Has joined the channel.

skarim (Fri, 05 Oct 2018 13:16:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kbWfFXazA7uJsRvHn) @MohammadObaid If you want to use openssl you can, if you do then start the fabric-ca-server as follows `fabric-ca-server start --tls.enabled --tls.certfile --tls.keyfile `. Or you can have the server generate the tls cert/key for you, if you just set `--tls.enabled` flag without certfile and keyfile it will generate tls cert/key automatically. Once you have the tls certificate, yes copy that over to where the client is and set the `tls.certfile` to the tls certificate on the client side.

ashutosh_kumar (Fri, 05 Oct 2018 13:16:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZQr8FaPzNyTM7ny2F) @srinivasd Are you still running into the issue?

ashutosh_kumar (Fri, 05 Oct 2018 13:17:27 GMT):
config seems correct. Can you make sure your PKCS11_LIB path is correct ?

ashutosh_kumar (Fri, 05 Oct 2018 13:17:58 GMT):
Can you provide log also for this config ?

ashutosh_kumar (Fri, 05 Oct 2018 13:18:23 GMT):
by log, I mean the fabric-ca-server log.

ashutosh_kumar (Fri, 05 Oct 2018 13:19:52 GMT):
I am running out of ideas, as both positive and negative tests are passing for me.

ashutosh_kumar (Fri, 05 Oct 2018 13:32:14 GMT):
@vtech, you need to configure PKCS11 on the Fabric side, not Fabric CA. Please refer to sampleconfig/core.yaml.

MohammadObaid (Fri, 05 Oct 2018 13:33:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LR83ktfKkNMNqWgEt) @skarim Yes, you are right. This will work with one fabric-ca-server and fabric-ca-client. But if I want to enroll one more intermediate server then it will ask for TLS, I guess. For example, I started my root fabric-ca-server with the following command:
```
fabric-ca-server start -b admin:adminpw --tls.enabled --tls.keyfile privatekeyserver.pem --tls.certfile mailserver.pem
```
and then copied that TLS cert into another system. Using fabric-ca-client I registered an identity and got a user id and enrollment secret. Now I am trying to enroll the intermediate server using that user id and enrollment secret:
```
fabric-ca-server start -b admin:adminpw -u http://intermediateserver:vkajYvWAomOM@ec2-52-91-159-152.compute-1.amazonaws.com:7054 --tls.enabled
```
but I am getting the following error:

MohammadObaid (Fri, 05 Oct 2018 13:35:32 GMT):

intermediateserver.png

MohammadObaid (Fri, 05 Oct 2018 13:36:06 GMT):

fabric-ca-rootserver.png

skarim (Fri, 05 Oct 2018 13:38:51 GMT):
@MohammadObaid You are using `http` in the url, you need to use `https`. Then you need to add the `--intermediate.tls.certfiles` flag when you do the intermediate server start command, and point it to the tls certificate of the root server: `fabric-ca-server start -b admin:adminpw -u https://intermediateserver:vkajYvWAomOM@ec2-52-91-159-152.compute-1.amazonaws.com:7054 --tls.enabled --intermediate.tls.certfiles ` Please give that a try.

MohammadObaid (Fri, 05 Oct 2018 13:43:43 GMT):
Thanks a lot. It works finally :)

srinivasd (Fri, 05 Oct 2018 13:47:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ajWwyCZtdGrbaD7T3) @ashutosh_kumar Yes. I am unable to solve the issue. I don't know what I did wrong.

srinivasd (Fri, 05 Oct 2018 13:48:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KhXJTjZprvj3gEgjS) @ashutosh_kumar I checked the path of pkcs11... It is the right path.

ashutosh_kumar (Fri, 05 Oct 2018 13:58:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=28933866-d826-4c21-bc08-8292493187cd) @srinivasd Can you attach ca server log here ?

vtech (Fri, 05 Oct 2018 14:55:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HbQY8bKi57hwYxZth) @ashutosh_kumar I have taken sampleconfig/core.yaml and copied it to ../fabric/examples/e2e_cli. BCCSP in core.yaml is configured with PKCS11 as the default. But I am still getting the same error. Am I missing anything here?
```yaml
# Settings for the PKCS#11 crypto provider (i.e. when DEFAULT: PKCS11)
PKCS11:
    # Location of the PKCS11 module library
    Library: /etc/hyperledger/fabric/dpod/org1.example.com/libs/64/libCryptoki2.so
    # Token Label
    Label: org1.example.com
    # User PIN
    Pin: ******
    Hash: SHA2
    Security: 256
    #FileKeyStore:
    #    KeyStore:
```

pianoraptor (Fri, 05 Oct 2018 15:56:09 GMT):
I finally got PKCS11 working with SoftHSM

pianoraptor (Fri, 05 Oct 2018 15:56:37 GMT):
Here's the correct format in the fabric-ca-server-config.yaml file:

pianoraptor (Fri, 05 Oct 2018 15:57:13 GMT):

Clipboard - October 5, 2018 8:57 AM

pianoraptor (Fri, 05 Oct 2018 15:57:42 GMT):
Make sure to remove any old keys that you may have generated prior to configuring the HSM. Those will cause the initialization to fail.

ashutosh_kumar (Fri, 05 Oct 2018 16:07:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QsMJSbWiLTihZ6Ttc) @vtech Can you provide core.yaml

vtech (Fri, 05 Oct 2018 16:15:03 GMT):

core.txt

pianoraptor (Fri, 05 Oct 2018 16:23:02 GMT):
Found another problem. If you are following the instructions to set up Fabric-CA on this site: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#getting-started It's going to install version 1.2.0. For some reason the PKCS11 settings do NOT WORK.

pianoraptor (Fri, 05 Oct 2018 16:23:25 GMT):
If I clone the current version of Fabric CA out of github, it's version 1.3.0-rc1. The EXACT same PKCS11 settings DO work.

vtech (Fri, 05 Oct 2018 16:46:02 GMT):
I am using fabric-ca-client to generate a CSR as `./fabric-ca-client gencsr --csr.cn $CN --mspdir $MSP --csr.names "C=US,ST=California,L=San Francisco,OU=$NODE_OU"`

Chandoo (Fri, 05 Oct 2018 18:30:07 GMT):
Has joined the channel.

caveman7 (Sat, 06 Oct 2018 05:04:52 GMT):
hi guys, how do I set affiliation in the fabric-ca environment variable? I know I can set it in the config file, but I want to know what the environment variable is. Is it `FABRIC_CA_SERVER_AFFILIATIONS=org3`? How do I define the sub affiliations?

qiangqinqq (Sat, 06 Oct 2018 07:34:24 GMT):
Has joined the channel.

srinivasd (Sat, 06 Oct 2018 08:41:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PSTLwckqN54vGj55x) @pianoraptor Thank you.

srinivasd (Sat, 06 Oct 2018 08:42:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PSTLwckqN54vGj55x) @pianoraptor After changing the version of fabric-ca-server, the issue has been solved for me. Thank you.

mattremy (Sat, 06 Oct 2018 09:21:22 GMT):
Has joined the channel.

mattremy (Sat, 06 Oct 2018 09:22:39 GMT):
Hi, I have tried setting custom attributes while registering a peer. The registration goes through (as seen in the fabric-ca logs). However, the attributes are not visible when I open the registered file. Any idea how I can see if the custom attributes are actually getting registered or not?

asaningmaxchain123 (Sat, 06 Oct 2018 09:43:55 GMT):
@skarim when I use MySQL as the database, I get the error

asaningmaxchain123 (Sat, 06 Oct 2018 09:44:23 GMT):

Clipboard - October 6, 2018 5:44 PM

asaningmaxchain123 (Sat, 06 Oct 2018 09:55:47 GMT):
I found the answer: `db.SetMaxIdleConns(0)`

asaningmaxchain123 (Sat, 06 Oct 2018 11:50:47 GMT):
@skarim I have a question when I use MySQL as the DB

asaningmaxchain123 (Sat, 06 Oct 2018 11:51:09 GMT):

Clipboard - October 6, 2018 7:51 PM

asaningmaxchain123 (Sat, 06 Oct 2018 11:51:20 GMT):
I use the cmd to get the CA log

asaningmaxchain123 (Sat, 06 Oct 2018 11:51:41 GMT):
but when I start fabric-ca from the IDE, it's OK

asaningmaxchain123 (Sat, 06 Oct 2018 11:51:49 GMT):
so can you give me a clue?

asaningmaxchain123 (Sat, 06 Oct 2018 13:20:32 GMT):

Clipboard - October 6, 2018 9:20 PM

asaningmaxchain123 (Sat, 06 Oct 2018 13:20:36 GMT):
I use PostgreSQL,

asaningmaxchain123 (Sat, 06 Oct 2018 13:20:52 GMT):
it still has the error, can you tell me why it doesn't work?

asaningmaxchain123 (Sat, 06 Oct 2018 17:46:14 GMT):
0.

GuillaumeTong (Mon, 08 Oct 2018 06:22:17 GMT):
Hello, I am trying to obtain the binaries for fabric-ca-server and fabric-ca-client in version 1.3 (I want to try out the idemix features). Currently I am cloning the 1.3 branch of fabric-ca from github, but then when I try to do `make fabric-ca-server` and `make fabric-ca-client` it shows: `make: *** No rule to make target 'fabric-ca-client'. Stop.` Is there any better way to obtain the binaries, or a workaround?

migrenaa (Mon, 08 Oct 2018 08:59:10 GMT):
Hello. `fabric-ca-client revoke -d --revoke.name someIdentityName --gencrl` This command is revoking the user and also creating the revocation list, but do you know where it is stored? I cannot find it....

Muttakin (Mon, 08 Oct 2018 09:35:07 GMT):
Has joined the channel.

asaningmaxchain123 (Mon, 08 Oct 2018 10:08:45 GMT):
@migrenaa you can find it in the db

asaningmaxchain123 (Mon, 08 Oct 2018 10:10:38 GMT):
@skarim https://github.com/hyperledger/fabric-ca/blob/6d37cf3e9d60b21da0b88225e739102d6fd2eac3/lib/dbaccessor.go#L80 can you provide a description of the fields of each structure?

Legiit (Mon, 08 Oct 2018 11:14:02 GMT):
Has joined the channel.

shrutidixit12 (Mon, 08 Oct 2018 12:04:55 GMT):
Has joined the channel.

shrutidixit12 (Mon, 08 Oct 2018 12:06:12 GMT):
Hello, I am trying to connect fabric-ca-server with a MySQL database but I am getting the following error:

shrutidixit12 (Mon, 08 Oct 2018 12:11:19 GMT):

fabric-ca.PNG

alek (Mon, 08 Oct 2018 12:55:33 GMT):
@ashutosh_kumar Did you maybe get a chance to reproduce the issue that I faced with LDAP?

ashutosh_kumar (Mon, 08 Oct 2018 13:49:47 GMT):
@alek , will work on that today. Will keep you posted.

skarim (Mon, 08 Oct 2018 14:12:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dNQQbaRMAy9fiWfdK) @mattremy Did you specify the attributes using the `--enrollment.attrs` flag when you enrolled? See: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#attribute-based-access-control

skarim (Mon, 08 Oct 2018 14:13:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PtyreA7PnNmZ89RRM) @asaningmaxchain123 Which version of MySQL and Postgres are you using? Can you ping the database server from the host machine where the ca server is running?

skarim (Mon, 08 Oct 2018 14:17:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SXKHnWi5GnBcMj43W) @GuillaumeTong Did you execute the make command from the root fabric-ca folder?

skarim (Mon, 08 Oct 2018 14:19:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=78giaMYG3AKFMgZfG) @migrenaa It should be in the msp folder, there should be a crl folder

asaningmaxchain123 (Tue, 09 Oct 2018 00:44:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sSJ4a3rGKN9sG25NA) @skarim mysql version is 5.7.23 and postgresql is 9.6

asaningmaxchain123 (Tue, 09 Oct 2018 00:46:42 GMT):
i can ping the db from the ca server.

asaningmaxchain123 (Tue, 09 Oct 2018 01:48:43 GMT):
what's the difference between the `FabricCAServices.register` and `IdentityService.create`

GuillaumeTong (Tue, 09 Oct 2018 02:22:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9uD9XJdEthmL86uSW) @skarim My current process:
```
git clone https://github.com/hyperledger/fabric.git fabric-ca-1.3 -b release-1.3
cd fabric-ca-1.3
make fabric-ca-server
make fabric-ca-client
```

asaningmaxchain123 (Tue, 09 Oct 2018 02:26:24 GMT):
@skarim the method `IdentityService.getAll` support pagination?

NageshCR (Tue, 09 Oct 2018 02:43:14 GMT):
Has joined the channel.

guhy1011 (Tue, 09 Oct 2018 06:18:22 GMT):
Hello, when I enable TLS on the server without providing a TLS certificate, it automatically generates a certificate named tls-cert.pem and a key file. I can then enroll and register on the client with tls-cert.pem, but with the CA root certificate named ca-cert.pem it still works well. Who can help explain the reason? Thanks in advance.

vtech (Tue, 09 Oct 2018 06:28:11 GMT):
Hi, I am generating certificates using the below command:
```
./fabric-ca-client gencsr --csr.cn $CN --mspdir $MSP --csr.names "C=US,ST=California,L=San Francisco,OU=$NODE_OU"
```
The above command is throwing the error below, can somebody help with this?
```
[INFO] generating key: &{A:ecdsa S:256}
Error: Failed generating ECDSA P256 key: P11: keypair generate failed [pkcs11: 0x8000002C: ]
```

atirekg (Tue, 09 Oct 2018 10:30:35 GMT):
Hello guys, does anyone know anything about the below one?
```
# Create the channel
docker exec -e "CORE_PEER_LOCALMSPID=Org1MSP" -e "CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin@org1.example.com/msp" peer1.org1.example.com peer channel create -o orderer.example.com:7050 -c mychannel -f /etc/hyperledger/configtx/channel.tx
2018-10-09 10:20:07.951 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: got unexpected status: BAD_REQUEST -- error authorizing update: error validating ReadSet: readset expected key [Group] /Channel/Application at version 0, but got version 1
```

skarim (Tue, 09 Oct 2018 12:32:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MaTfXJeDRvhksuiiu) @asaningmaxchain123 Can you gather logs from the databases when the ca server tries to connect to them?

skarim (Tue, 09 Oct 2018 12:33:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Thy3ymaTqfBYMHJZ6) @asaningmaxchain123 no difference, they do the same thing

skarim (Tue, 09 Oct 2018 12:33:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oyhFqrRTht2hdZETX) @asaningmaxchain123 Please ask in the appropriate SDK channel

skarim (Tue, 09 Oct 2018 12:34:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tTJaNu2Lf77pgxYjq) @atirekg Please ask in #fabric channel

skarim (Tue, 09 Oct 2018 12:35:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LLTDSJAmEy6nyipJT) @guhy1011 That is because the tls-cert.pem is signed using the key associated with ca-cert.pem. If you set ca-cert.pem as the certfiles on the client, when the server presents its tls certificate the root of trust is valid because on the client it is using the ca-cert.pem to validate the tls cert.

skarim (Tue, 09 Oct 2018 12:36:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Gu3oQ9PToAoERj2xo) @vtech Can you enable debug and provide logs? Also your client configuration file.

vtech (Tue, 09 Oct 2018 12:50:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fM4Zg9ZhfWjT5sHsH) @skarim
```
./fabric-ca-client gencsr --csr.cn peer0.org1.example.com --mspdir /opt/gopath/src/github.com/hyperledger/fabric/examples/e2e_cli/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp --csr.names C=US,ST=California,L=San Francisco,OU=peer
2018/10/09 12:38:28 [DEBUG] Home directory: /root/.fabric-ca-client
2018/10/09 12:38:28 [DEBUG] Client configuration settings: &{URL:http://localhost:7090 MSPDir:/opt/gopath/src/github.com/hyperledger/fabric/examples/e2e_cli/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** Profile: Label: CSR: CAName: AttrReqs:[] } CSR:{CN:admin Names:[{C:US ST: L: O: OU: SerialNumber:} {C: ST:California L: O: OU: SerialNumber:} {C: ST: L:San Francisco O: OU: SerialNumber:} {C: ST: L: O: OU:peer SerialNumber:}] Hosts:[safenet] KeyRequest: CA: SerialNumber:} ID:{Name: Type:client Secret: MaxEnrollments:0 Affiliation: Attributes:[] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc4201e75c0}
2018/10/09 12:38:28 [DEBUG] Entered runGenCSR
2018/10/09 12:38:28 [DEBUG] Initializing client with config: &{URL:http://localhost:7090 MSPDir:/opt/gopath/src/github.com/hyperledger/fabric/examples/e2e_cli/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** Profile: Label: CSR: CAName: AttrReqs:[] } CSR:{CN:peer0.org1.example.com Names:[{C:US ST: L: O: OU: SerialNumber:} {C: ST:California L: O: OU: SerialNumber:} {C: ST: L:San Francisco O: OU: SerialNumber:} {C: ST: L: O: OU:peer SerialNumber:}] Hosts:[safenet] KeyRequest: CA: SerialNumber:} ID:{Name: Type:client Secret: MaxEnrollments:0 Affiliation: Attributes:[] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc4201e75c0}
2018/10/09 12:38:28 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:0xc4201e75f0 PluginOpts: Pkcs11Opts:0xc420210cb0}
2018/10/09 12:38:28 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc42020b310 DummyKeystore:}
2018/10/09 12:38:28 [DEBUG] Initializing BCCSP with PKCS11 options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc42020b070 DummyKeystore: Library:/etc/hyperledger/fabric/dpod/org1.example.com/libs/64/libCryptoki2.so Label:org1.example.com Pin:***** Sensitive:false SoftVerify:false}
2018/10/09 12:38:32 [DEBUG] GenCSR &{CN:peer0.org1.example.com Names:[{C:US ST: L: O: OU: SerialNumber:} {C: ST:California L: O: OU: SerialNumber:} {C: ST: L:San Francisco O: OU: SerialNumber:} {C: ST: L: O: OU:peer SerialNumber:}] Hosts:[safenet] KeyRequest: CA: SerialNumber:}
2018/10/09 12:38:32 [INFO] generating key: &{A:ecdsa S:256}
2018/10/09 12:38:32 [DEBUG] generate key from request: algo=ecdsa, size=256
2018/10/09 12:38:33 [DEBUG] failed generating BCCSP key: Failed generating ECDSA P256 key: P11: keypair generate failed [pkcs11: 0x8000002C: ]
Error: Failed generating ECDSA P256 key: P11: keypair generate failed [pkcs11: 0x8000002C: ]
```

blakem (Tue, 09 Oct 2018 13:39:50 GMT):
Setting up a rest server for hyperledger fabric one needs the tlsCACerts of the peers, orderers, and CA. Using cryptogen this was fairly straight forward and an example path of where a tlsCACert may be for a peer was ``` /app/hyperledger/generated_files/channel/crypto-config/peerOrganizations/creator.example.com/peers/peer0.creator.example.com/tls/ca.crt ```

blakem (Tue, 09 Oct 2018 13:40:37 GMT):
However, for fabric-ca this isn't as clear, what would the appropriate cert be now?

blakem (Tue, 09 Oct 2018 13:45:12 GMT):
I was thinking it would be like peer0-creator-client.crt in the /data/tls folder that was created in the example, but I am unsure. For the orderers and CA I am even less sure. I think it would be an intermediate cert for the CA, but I have been having issues. Any help in this area I would greatly appreciate.

ashutosh_kumar (Tue, 09 Oct 2018 14:06:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6DMRnej3SePt2AGtj) @vtech Are you not using softhsm ? Can you try with softhsm ?

asaningmaxchain123 (Tue, 09 Oct 2018 14:10:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PRZMxz7fHaPK7GHix) @skarim got it

ashutosh_kumar (Tue, 09 Oct 2018 14:25:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6DMRnej3SePt2AGtj) @vtech my bccsp block is this:
```
bccsp:
  default: PKCS11
  pkcs11:
    Library: /usr/local/Cellar/softhsm/2.4.0/lib/softhsm/libsofthsm2.so
    Pin: 987234
    Label: Forash
    hash: SHA2
    security: 256
    filekeystore:
      # The directory used for the software file-based keystore
      keystore: msp/keystore
```

ashutosh_kumar (Tue, 09 Oct 2018 14:26:09 GMT):
Can you make it like the above and remove the sw block?

asaningmaxchain123 (Tue, 09 Oct 2018 16:10:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Gp2oKiXK6vkPRFM4o) @skarim the ca logs

asaningmaxchain123 (Tue, 09 Oct 2018 16:10:49 GMT):
the mysql container only has its startup log

asaningmaxchain123 (Tue, 09 Oct 2018 16:10:57 GMT):
```
version: '3.2'
services:
  ca.org1.example.com:
    image: hyperledger/fabric-ca
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=ca-org1
      - FABRIC_CA_SERVER_DB_TYPE=mysql
      - FABRIC_CA_SERVER_DB_DATASOURCE=root:root@tcp(mysql:3306)/ca1?parseTime=true
      - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
      - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/9a0210ed396887ec4f6b6ea27c9cc3219600dcbd6969db591b65db1aaf5a8468_sk
      - FABRIC_CA_SERVER_TLS_ENABLED=false
      - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
      - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/9a0210ed396887ec4f6b6ea27c9cc3219600dcbd6969db591b65db1aaf5a8468_sk
    ports:
      - "7054:7054"
    command: sh -c 'fabric-ca-server start --cfg.identities.allowremove --cfg.affiliations.allowremove -b admin:adminpw -d'
    volumes:
      - ./channel/crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
      - ./fabric-ca-server-config-1.yaml:/etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
    container_name: ca_peerOrg1
    links:
      - mysql
  mysql:
    image: mysql:5.7
    environment:
      - MYSQL_ROOT_PASSWORD=root
    container_name: mysql
```

asaningmaxchain123 (Tue, 09 Oct 2018 16:10:57 GMT):
```
version: '3.2'
services:
  ca.org1.example.com:
    image: hyperledger/fabric-ca
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=ca-org1
      - FABRIC_CA_SERVER_DB_TYPE=mysql
      - FABRIC_CA_SERVER_DB_DATASOURCE=root:root@tcp(mysql:3306)/ca1?parseTime=true
      # - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
      # - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/9a0210ed396887ec4f6b6ea27c9cc3219600dcbd6969db591b65db1aaf5a8468_sk
      # - FABRIC_CA_SERVER_TLS_ENABLED=false
      # - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
      # - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/9a0210ed396887ec4f6b6ea27c9cc3219600dcbd6969db591b65db1aaf5a8468_sk
    ports:
      - "7054:7054"
    command: sh -c 'fabric-ca-server start --cfg.identities.allowremove --cfg.affiliations.allowremove -b admin:adminpw -d'
    # volumes:
    #   - ./channel/crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
    #   - ./fabric-ca-server-config-1.yaml:/etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
    container_name: ca_peerOrg1
    links:
      - mysql
  mysql:
    image: mysql:5.7
    environment:
      - MYSQL_ROOT_PASSWORD=root
    container_name: mysql
```

asaningmaxchain123 (Tue, 09 Oct 2018 16:11:06 GMT):
the above is docker-compose yaml file

asaningmaxchain123 (Tue, 09 Oct 2018 16:12:40 GMT):
@skarim @smithbk can you take a look?

skarim (Tue, 09 Oct 2018 16:13:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qNpX9gLNG5EQs9Noq) @asaningmaxchain123 Do you have the mysql logs? It would be helpful to see what is happening on the database side

asaningmaxchain123 (Tue, 09 Oct 2018 16:15:25 GMT):
wait a moment

asaningmaxchain123 (Tue, 09 Oct 2018 16:17:31 GMT):
https://pastebin.com/VUudyHJ5

asaningmaxchain123 (Tue, 09 Oct 2018 16:19:33 GMT):
@skarim can you run the above docker-compose file

asaningmaxchain123 (Tue, 09 Oct 2018 16:38:21 GMT):
do you have any clue?

skarim (Tue, 09 Oct 2018 16:50:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pquj8dp8j9SZqZvZo) @asaningmaxchain123 I think the problem was that in your docker-compose you were starting mysql after the fabric-ca server. I moved the mysql section above the ca section in the docker-compose file, and I no longer saw the connection refused error. But, I think there might be a bug there. I am seeing this error currently: `ca_peerOrg1 | 2018/10/09 16:48:21 [ERROR] Error occurred initializing database: Failed to create user registry for MySQL: Failed to create MySQL tables: Error creating certificates table: Error 1067: Invalid default value for 'expiry'`

asaningmaxchain123 (Tue, 09 Oct 2018 16:55:05 GMT):
@skarim can you paste your docker-compose

asaningmaxchain123 (Tue, 09 Oct 2018 16:55:40 GMT):
I moved the mysql service section to the top, however it still has the error

skarim (Tue, 09 Oct 2018 16:56:17 GMT):
```
version: '3.2'
services:
  mysql:
    image: mysql:5.7
    environment:
      - MYSQL_ROOT_PASSWORD=root
    container_name: mysql
  ca.org1.example.com:
    image: hyperledger/fabric-ca
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=ca-org1
      - FABRIC_CA_SERVER_DB_TYPE=mysql
      - FABRIC_CA_SERVER_DB_DATASOURCE=root:root@tcp(mysql:3306)/ca1?parseTime=true
      # - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
      # - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/9a0210ed396887ec4f6b6ea27c9cc3219600dcbd6969db591b65db1aaf5a8468_sk
      # - FABRIC_CA_SERVER_TLS_ENABLED=false
      # - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
      # - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/9a0210ed396887ec4f6b6ea27c9cc3219600dcbd6969db591b65db1aaf5a8468_sk
    ports:
      - "7054:7054"
    command: sh -c 'fabric-ca-server start --cfg.identities.allowremove --cfg.affiliations.allowremove -b admin:adminpw -d'
    # volumes:
    #   - ./channel/crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
    #   - ./fabric-ca-server-config-1.yaml:/etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
    container_name: ca_peerOrg1
    links:
      - mysql
```

skarim (Tue, 09 Oct 2018 16:57:58 GMT):
There is a timing element to it too, if mysql doesn't start up before the ca server starts you will continue to get this error. Please try again. Also, just want to point out that even if you get this db related error the server starts up, and then when a request comes to server it will try to reinitialize the db again and by this time the mysql server should be up and running

asaningmaxchain123 (Tue, 09 Oct 2018 17:01:01 GMT):
```
2018/10/10 00:58:39 [DEBUG] Database Name: ca1
2018/10/10 00:58:39 [DEBUG] Connecting to MySQL server, using connection string: ****:****@tcp(mysql:3306)/?parseTime=true
2018/10/10 00:58:39 [ERROR] Error occurred initializing database: Failed to create user registry for MySQL: Failed to connect to MySQL database: dial tcp 172.18.0.2:3306: connect: connection refused
```

asaningmaxchain123 (Tue, 09 Oct 2018 17:01:21 GMT):
i still have error

skarim (Tue, 09 Oct 2018 17:04:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uvMoTdvvGGz78ZA7K) @asaningmaxchain123 can you introduce a sleep before starting the server, like: ` command: sh -c 'sleep 5 && fabric-ca-server start --cfg.identities.allowremove --cfg.affiliations.allowremove -b admin:adminpw -d'`

asaningmaxchain123 (Tue, 09 Oct 2018 17:05:07 GMT):
of course

asaningmaxchain123 (Tue, 09 Oct 2018 17:05:30 GMT):
but i use the links in the ca service

asaningmaxchain123 (Tue, 09 Oct 2018 17:05:37 GMT):
it doesn't work?

skarim (Tue, 09 Oct 2018 17:05:50 GMT):
it doesn't seem like it

asaningmaxchain123 (Tue, 09 Oct 2018 17:07:01 GMT):
`Error occurred initializing database: Failed to create user registry for MySQL: Failed to create MySQL tables: Error creating certificates table: Error 1067: Invalid defaultvalue for 'expiry'`

asaningmaxchain123 (Tue, 09 Oct 2018 17:07:21 GMT):
`In my.cnf, find the configuration option sql_mode and remove NO_ZERO_DATE if present. Restart MySQL server after making this change`. That is the answer for how to resolve the error.

skarim (Tue, 09 Oct 2018 17:07:56 GMT):
cool, good to know

atirekg (Tue, 09 Oct 2018 17:49:00 GMT):
Failed to invoke successfully :: Error: There was a problem with the eventhub ::Error: 14 UNAVAILABLE: TCP Write failed

atirekg (Tue, 09 Oct 2018 17:49:11 GMT):
hello guys getting this error

smb2796 (Tue, 09 Oct 2018 19:11:41 GMT):
Has joined the channel.

ashutosh_kumar (Tue, 09 Oct 2018 19:42:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RTjH9CCmhnxP7WbCe) I was able to reproduce your problem and your finding is correct. But let me question your use case: why do you want the attribute to be an element of the DIT? Your attribute should be a field of your LDAP object class. If you want to discuss it further, please open a JIRA item and we'll provide a fix, if required.

ashutosh_kumar (Tue, 09 Oct 2018 19:44:07 GMT):
Bottom line is your attribute should be retrievable from LDAP based on a legitimate LDAP search filter.

ashutosh_kumar (Tue, 09 Oct 2018 19:44:40 GMT):
but go ahead and open a JIRA and we'll discuss it there. Thanks.

alek (Tue, 09 Oct 2018 20:44:26 GMT):
@ashutosh_kumar thank you very much for your help, i will open jira for that. The use case for that was that i wanted to be able to execute chaincode for members of one `organization unit`, that's why converter was created.

ashutosh_kumar (Tue, 09 Oct 2018 20:50:45 GMT):
If that is the case, your name entry should have a field from the Organizational Unit object class.

alek (Tue, 09 Oct 2018 20:52:16 GMT):
@ashutosh_kumar sorry, I am not sure if I got it correctly, could you please advise what is a workaround for that?

ashutosh_kumar (Tue, 09 Oct 2018 20:58:19 GMT):
It seems like enhancement item to me. Please open JIRA.

ashutosh_kumar (Tue, 09 Oct 2018 21:00:03 GMT):
Currently the LDAP attribute for the user that is being enrolled is returned. You want to make sure that that particular user is part of an organizational unit.

ashutosh_kumar (Tue, 09 Oct 2018 21:00:33 GMT):
you can control it via DIT.

ashutosh_kumar (Tue, 09 Oct 2018 21:01:02 GMT):
you have to put your user in DIT that belongs to organizational unit.

ashutosh_kumar (Tue, 09 Oct 2018 21:01:32 GMT):
I do not think Fabric CA plays a role here , if I understand it correctly.

ashutosh_kumar (Tue, 09 Oct 2018 21:02:23 GMT):
thinking aloud , it does not seem an enhancement item , unless I am missing something.

alek (Tue, 09 Oct 2018 21:06:44 GMT):
@ashutosh_kumar thank you, maybe there is something that I am not aware of and that's why I am doing it in the wrong way. Let me open a JIRA task for further discussion and more clarification.

ashutosh_kumar (Tue, 09 Oct 2018 21:07:04 GMT):
ok sounds good.

ashutosh_kumar (Tue, 09 Oct 2018 21:07:23 GMT):
what I am saying is 101 of LDAP configuration.

ashutosh_kumar (Tue, 09 Oct 2018 21:07:45 GMT):
we'll discuss on JIRA then.

guhy1011 (Wed, 10 Oct 2018 01:55:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fCESF5a2gBKuWLCZt) @skarim Thanks for your kind reply. Would you please help me solve another problem: is there any other way to get a TLS certificate, and could you share some materials about TLS? Many thanks.

dochui (Wed, 10 Oct 2018 02:39:30 GMT):
Has joined the channel.

dexhunter (Wed, 10 Oct 2018 05:41:50 GMT):
Has joined the channel.

dexhunter (Wed, 10 Oct 2018 05:42:46 GMT):
Hi! I was wondering could someone recommend some examples/demos using fabric-ca?

dexhunter (Wed, 10 Oct 2018 06:35:26 GMT):
Are there any examples that make a login system with fabric-ca? Thanks

vtech (Wed, 10 Oct 2018 06:50:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3pMiAbh9hojPzdeRE) @ashutosh_kumar Yeah it works fine with above softhsm configuration as suggested. It seems issue with the crypto configuration I am using. Anyways thanks for your help.

guhy1011 (Wed, 10 Oct 2018 06:52:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=F7C8x22TFiGvkuGeF) @dexhunter https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#

guhy1011 (Wed, 10 Oct 2018 06:52:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=F7C8x22TFiGvkuGeF) @dexhunter https://www.cnblogs.com/midfielder/p/7173121.html

ymlbright (Wed, 10 Oct 2018 07:06:15 GMT):
Has joined the channel.

dexhunter (Wed, 10 Oct 2018 07:11:50 GMT):
@guhy1011 Many thanks!

dexhunter (Wed, 10 Oct 2018 08:01:46 GMT):
Hi! Might be a noob question, but why do we need to register first and enroll separately? Isn't the enroll step unnecessary?

Muttakin (Wed, 10 Oct 2018 10:26:43 GMT):
Fuck this Rocket Chat!

Muttakin (Wed, 10 Oct 2018 10:31:10 GMT):
```
Documents/Blockchain/src/github.com/hyperledger/fabric-ca/lib/server.go:714:23: cert.Issuer.String undefined (type pkix.Name has no field or method String)
Documents/Blockchain/src/github.com/hyperledger/fabric-ca/lib/server.go:715:24: cert.Subject.String undefined (type pkix.Name has no field or method String)
```
Got this error while installing Fabric CA using: `go get -u github.com/hyperledger/fabric-ca/cmd/...` Can anyone help me please?

skarim (Wed, 10 Oct 2018 13:55:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=a7tAqE5Rd8CtSQYEW) @Muttakin Please use go version 1.10+

skarim (Wed, 10 Oct 2018 13:56:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LiAwuiCMuFwXwobih) @dexhunter The enroll step is the step that will get you the enrollment certificate

dexhunter (Wed, 10 Oct 2018 13:59:37 GMT):
@skarim Hi! Thanks for the reply. So I was wondering could I use the fabric-ca to register user & secret as traditional (centralized) user system (username & password)?

skarim (Wed, 10 Oct 2018 14:04:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SBRTxMJsnC277mv2k) @dexhunter Registering is different from enrollment. For the enroll command, the authentication is done via username and password. Registration is the process of registering an identity with a username/password with fabric-ca. A non-registered user cannot enroll. So, the identity must first be registered and then enrolled. For more information on registering an identity, see: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#registering-a-new-identity

dexhunter (Wed, 10 Oct 2018 14:08:31 GMT):
Thank you. My last question for today is how to manage key pair & certificate generated by fabric-ca? Do I store public key & certificate on ca server and give private key to the user and delete private key on server? Thanks again!

guhy1011 (Wed, 10 Oct 2018 14:11:21 GMT):
Is there any other way to get TLS certificate and could anyone share some materials about tls? many thanks.

skarim (Wed, 10 Oct 2018 14:18:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8eZ6NtEme5erDnSsx) @dexhunter All certificates issued by the ca are already stored in a database that the server is connected to. The private keys should never leave the client and should not be shared.

skarim (Wed, 10 Oct 2018 14:21:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jC2GsrWfbvAMNk8DR) @guhy1011 If you are talking about a client getting a TLS certificate then they can use 'tls' profile. You would enroll as you do regularly, but would specify the following flag `--enrollment.profile tls`. The enroll command might look like: `fabric-ca-client enroll -d --enrollment.profile tls -u $ENROLLMENT_URL -M /tmp/tls`

dexhunter (Wed, 10 Oct 2018 16:08:48 GMT):
Are there any metamask-like tools for fabric-ca?

mslavitch (Wed, 10 Oct 2018 20:11:40 GMT):
Has joined the channel.

WenXingWang (Wed, 10 Oct 2018 20:36:21 GMT):
Has joined the channel.

toddinpal (Wed, 10 Oct 2018 20:42:19 GMT):
Is there any way to modify the attributes associated with an identity? They are provided on the register() request, but I see nothing that allows the attributes to be altered through something like reregister()

jvsclp (Wed, 10 Oct 2018 21:20:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hRf2pdjTygAf73Skq) @toddinpal Here are the fabric-ca-client CLI commands that would allow you to modify attributes of an identity: https://hyperledger-fabric-ca.readthedocs.io/en/latest/clientcli.html

toddinpal (Wed, 10 Oct 2018 21:45:38 GMT):
@jvsclp Thanks, I see now the PUT on /identities allows updating an identity.

guhy1011 (Thu, 11 Oct 2018 02:02:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kvMXQW83GhYg5ywkK) @skarim I did try the enroll command with the flag `--enrollment.profile tls` and got the TLS root CA certificate named tls-localhost-7054.pem on the client, but I want to know how to get the TLS certificate on the server side other than with `fabric-ca-server start -b admin:adminpw --tls.enabled=true`. Thanks in advance.

yulong12 (Thu, 11 Oct 2018 05:40:54 GMT):
Hi everyone

yulong12 (Thu, 11 Oct 2018 05:41:25 GMT):
How can I use a CA to issue the root certificate of the newly added CA server?

yulong12 (Thu, 11 Oct 2018 05:46:38 GMT):
Hi, can someone help me?

yulong12 (Thu, 11 Oct 2018 05:46:45 GMT):
How can I use a CA to issue the root certificate of the newly added CA server?

lapdin_de_blockchain (Thu, 11 Oct 2018 06:47:38 GMT):
How can I enable / disable mutual authentication between fabric-ca server and client? thanks in advance.

vtech (Thu, 11 Oct 2018 07:43:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3pMiAbh9hojPzdeRE) @ashutosh_kumar I am integrating softhsm2 with fabric-ca server but getting `Error: Failed to initialize BCCSP Factories: %!s() Could not find default PKCS11 BCCSP`. The BCCSP section in fabric-ca-server-config.yaml is as follows:
```
bccsp:
  default: PKCS11
  pkcs11:
    Library: /usr/local/Cellar/softhsm/2.1.0/lib/softhsm/libsofthsm2.so
    Pin: 98765432
    Label: ForFabric
    hash: SHA2
    security: 256
    filekeystore:
      # The directory used for the software file-based keystore
      keystore: msp/keystore
```
The error appears while starting the server with the command `./fabric-ca-server start -b admin:passwd`.

Muttakin (Thu, 11 Oct 2018 09:08:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RqAfZ7BSw45wtLWjy) @skarim Thank you.

ashutosh_kumar (Thu, 11 Oct 2018 12:35:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZhX2RSi9Em4bTvi3E) @vtech which OS are you using?

ashutosh_kumar (Thu, 11 Oct 2018 12:35:46 GMT):
your BCCSP is not getting loaded right.

ashutosh_kumar (Thu, 11 Oct 2018 12:36:36 GMT):
Can you attach the log? Also, your log does not give enough evidence.

vtech (Thu, 11 Oct 2018 12:36:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=comTJ3ANDxhGGQxCR) @ashutosh_kumar I am using 16.04.1 Ubuntu

ashutosh_kumar (Thu, 11 Oct 2018 12:37:53 GMT):
can you start the server with -d flag and give me the log ?

ashutosh_kumar (Thu, 11 Oct 2018 12:38:33 GMT):
strangely , your previous logs were not giving me enough evidence.

vtech (Thu, 11 Oct 2018 12:39:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DikHGoMGWwDWnhwvq) @ashutosh_kumar
```
root@safenet:/opt/gopath/bin#
2018/10/11 12:37:52 [INFO] Configuration file location: /opt/gopath/bin/fabric-ca-server-config.yaml
2018/10/11 12:37:52 [INFO] Starting server in home directory: /opt/gopath/bin
2018/10/11 12:37:52 [INFO] Server Version: 1.2.0
2018/10/11 12:37:52 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2018/10/11 12:37:52 [DEBUG] Making server filenames absolute
2018/10/11 12:37:52 [DEBUG] Initializing default CA in directory /opt/gopath/bin
2018/10/11 12:37:52 [DEBUG] Init CA with home /opt/gopath/bin and config {Version:1.2.0 Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name: Keyfile: Certfile:ca-cert.pem Chainfile:ca-chain.pem} Signing:0xc4202a5cf0 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[safenet localhost] KeyRequest: CA:0xc4202aee00 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1 hf.Registrar.Roles:* hf.Registrar.DelegateRoles:*] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc4202af200 Client: Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR: Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:0 NonceExpiration: NonceSweepInterval:}}
2018/10/11 12:37:52 [DEBUG] CA Home Directory: /opt/gopath/bin
2018/10/11 12:37:52 [DEBUG] Checking configuration file version '1.2.0' against server version: '1.2.0'
2018/10/11 12:37:52 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts: PluginOpts:}
2018/10/11 12:37:52 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: %!s() Could not find default `PKCS11` BCCSP
```

ashutosh_kumar (Thu, 11 Oct 2018 12:55:04 GMT):
Have you run the softhsmutil command to initialize your softhsm?

ashutosh_kumar (Thu, 11 Oct 2018 12:56:18 GMT):
Looks like some problem with your yaml file.

ashutosh_kumar (Thu, 11 Oct 2018 12:56:48 GMT):
My log looks like this:
```
2018/10/11 08:54:00 [DEBUG] CA Home Directory: /Users/ash/go/src/github.com/hyperledger/fabric-ca/bin
2018/10/11 08:54:00 [DEBUG] Checking configuration file version '0' against server version: '1.4.0-snapshot-72d2f80'
2018/10/11 08:54:00 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts: PluginOpts: Pkcs11Opts:0xc420171b20}
2018/10/11 08:54:00 [DEBUG] Initializing BCCSP with PKCS11 options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc42033f4f0 DummyKeystore: Library:/usr/local/Cellar/softhsm/2.4.0/lib/softhsm/libsofthsm2.so Label:ForFabric Pin:98765432 SoftVerify:false Immutable:false}
2018/10/11 08:54:00 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: Failed initializing PKCS11.BCCSP %!s(): Could not initialize BCCSP PKCS11 [Failed initializing PKCS11 library /usr/local/Cellar/softhsm/2.4.0/lib/softhsm/libsofthsm2.so ForFabric: Could not find token with label ForFabric] Could not find default `PKCS11` BCCSP
```

ashutosh_kumar (Thu, 11 Oct 2018 12:57:10 GMT):
I did not initialize softhsm.

ashutosh_kumar (Thu, 11 Oct 2018 12:57:36 GMT):
`2018/10/11 08:54:00 [DEBUG] Initializing BCCSP with PKCS11 options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc42033f4f0 DummyKeystore: Library:/usr/local/Cellar/softhsm/2.4.0/lib/softhsm/libsofthsm2.so Label:ForFabric Pin:98765432 SoftVerify:false Immutable:false}` is missing in your case.

ashutosh_kumar (Thu, 11 Oct 2018 12:59:06 GMT):
and my bccsp section is:
```yaml
bccsp:
    default: PKCS11
    pkcs11:
        Library: /usr/local/Cellar/softhsm/2.4.0/lib/softhsm/libsofthsm2.so
        Pin: 98765432
        Label: ForFabric
        hash: SHA2
        security: 256
        filekeystore:
            # The directory used for the software file-based keystore
            keystore: msp/keystore
```

ashutosh_kumar (Thu, 11 Oct 2018 12:59:33 GMT):
I am using macOS.

vtech (Thu, 11 Oct 2018 13:03:39 GMT):

fabric-ca-server-config.zip

atirekg (Thu, 11 Oct 2018 13:35:24 GMT):
Hello guys, what is `# Version of config file` / `version: 1.3.0-rc1` in the fabric-ca-server-config.yaml file, and how can we modify the server version to match the file version?

skarim (Thu, 11 Oct 2018 13:37:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jeSwzkHwKwPKENrpz) @guhy1011 Is there a reason tls.enabled is not enough for the server? You can always generate the TLS certificate out of band using OpenSSL. Another option might be to use the fabric-ca-client itself and generate the TLS certificate using the `--enrollment.profile=tls` flag, and use this certificate for the server.

skarim (Thu, 11 Oct 2018 13:39:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CJQMH33bGzBcRpcSh) @lapdin_de_blockchain This will require a server restart, but you can use the `--tls.clientauth.type` flag

vtech (Thu, 11 Oct 2018 13:41:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XFemhjuBzfea9kNCt) @ashutosh_kumar Tried again in an Ubuntu 16.04 VM but got the same error. Can you please send your yaml so that I can verify it in my environment?

skarim (Thu, 11 Oct 2018 13:41:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=eZ7Q3Ys8KGPwyS9zZ) @atirekg If this configuration file was created by the server when you started it up, the version should already match the server version

atirekg (Thu, 11 Oct 2018 13:52:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6hBP4KuxLz8ASfE4p) @skarim I created the configuration manually to set up affiliations, and when I deploy the code to a new server it gives me the version problem.

skarim (Thu, 11 Oct 2018 13:53:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DAfWcRChthqWcXovT) @atirekg can you post the exact error

atirekg (Thu, 11 Oct 2018 13:53:52 GMT):
```
2018/10/11 13:31:18 [DEBUG] CA Home Directory: /etc/hyperledger/fabric-ca-server
2018/10/11 13:31:18 [DEBUG] Checking configuration file version '1.3.0-rc1' against server version: '1.2.1'
2018/10/11 13:31:18 [DEBUG] Closing server DBs
Error: Configuration file version '1.3.0-rc1' is higher than server version '1.2.1'
```

atirekg (Thu, 11 Oct 2018 13:54:00 GMT):
server version is '1.2.1'

atirekg (Thu, 11 Oct 2018 13:54:13 GMT):
and the version in my file is '1.3.0-rc1'

atirekg (Thu, 11 Oct 2018 13:54:29 GMT):
I know if I change the version in file it will fix the issue

atirekg (Thu, 11 Oct 2018 13:55:10 GMT):
but I am following the git repo and this change will create a problem for another install

skarim (Thu, 11 Oct 2018 13:56:08 GMT):
If you created the configuration file manually, did you put in the '1.3.0-rc1' file version? You could try just removing the version from the config file altogether.

atirekg (Thu, 11 Oct 2018 13:58:00 GMT):
I took it from another server when I first created the file. If I remove `version: 1.3.0-rc1`, will it be fine?

skarim (Thu, 11 Oct 2018 13:59:54 GMT):
Ideally you should use a configuration file with a version that matches the server version, but it sounds like you are trying to use the same configuration file on different server versions? You have two options, I think: multiple configuration files that match each server version, or removing the version from the configuration file (I think this should be okay).

atirekg (Thu, 11 Oct 2018 14:16:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=27u9ZTfhi8PThKBAn) @skarim I am trying removing the version right now. Please let me know if I can create the new affiliations by chaincode (golang), by compose.yaml, or by a sh file (docker exec to cli); in that case I don't need to use a manually written configuration file.

ashutosh_kumar (Thu, 11 Oct 2018 14:56:07 GMT):
@vtech, my log says the server version is 1.4,

ashutosh_kumar (Thu, 11 Oct 2018 14:56:16 GMT):
whereas yours is 1.2.

skarim (Thu, 11 Oct 2018 15:29:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Yh3yxyHMNJuFuSPdJ) @atirekg You can use the fabric-ca-client to add affiliations, see: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#adding-an-affiliation. Maybe you can use the client in a script to add affiliations.

ASell (Thu, 11 Oct 2018 21:47:17 GMT):
Has joined the channel.

guhy1011 (Fri, 12 Oct 2018 03:05:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BKoAKDs7CJtDtMvCG) @skarim When using the `--tls.clientauth.type=RequireAndVerifyClientCert` flag on the server, how do I configure things to ensure smooth communication between client and server? Looking forward to your reply, and many thanks.

vtech (Fri, 12 Oct 2018 07:18:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ik4k2zsRiyCzKbm4j) @ashutosh_kumar Just checked out the latest fabric-ca server (it is version 1.3), but I have got the same error. Please let me know if I can clone the 1.4 server repository.
```
2018/10/12 07:16:53 [DEBUG] CA Home Directory: /opt/gopath/bin
2018/10/12 07:16:53 [DEBUG] Checking configuration file version '1.3.0' against server version: '1.3.0'
2018/10/12 07:16:53 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts: PluginOpts:}
2018/10/12 07:16:53 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: %!s() Could not find default `PKCS11` BCCSP
```

ASell (Fri, 12 Oct 2018 12:00:13 GMT):
type

MohammadObaid (Fri, 12 Oct 2018 13:11:04 GMT):
Hey @skarim, can we run fabric-ca-server (natively) as a background process? In a production environment (on AWS servers), can we run fabric-ca-server in the background and save logs to a file? Or are docker containers the only option?

ashutosh_kumar (Fri, 12 Oct 2018 13:11:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uBFXu8hyiyY3yEA57) @vtech can you send me your fabric-server-config.yaml file ? I'll try that on my end

ASell (Fri, 12 Oct 2018 13:25:31 GMT):
Re: `fabric-ca-client register --id.type`: is this identity type used by the system for validation at any point? I have access to a working v1.1 network where the orderers are set as `peer`, which seems odd, and I see in the Fabric v1.2 basic-network sample they use `orderer` for orderers and `peer` for peers. The description in the document https://hyperledger-fabric-ca.readthedocs.io/en/latest/clientcli.html is: `--id.type string Type of identity being registered (e.g. 'peer, app, user') (default "client")`

ASell (Fri, 12 Oct 2018 13:27:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ftyZKsww9tATuEQiY) @MohammadObaid It does not need to be run through docker

ashutosh_kumar (Fri, 12 Oct 2018 13:43:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HfHChyuMhxNd5Mnbr) @ASell The check is being done at MSP level in Fabric.

skarim (Fri, 12 Oct 2018 14:36:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ftyZKsww9tATuEQiY) @MohammadObaid You could execute the fabric-ca-server binary, and run the server in background and direct stdout and stderr to a log file

vtech (Fri, 12 Oct 2018 16:25:59 GMT):

fabric-ca-server-config.zip

vtech (Fri, 12 Oct 2018 16:27:18 GMT):

fabric-ca-server-config.zip

vtech (Fri, 12 Oct 2018 16:28:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sL4Y6dK4SduXdguRs) @ashutosh_kumar attached the fabric-server-config.yaml file as above.

ashutosh_kumar (Fri, 12 Oct 2018 17:09:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZpWywkj3Kwb8qHGkM) @vtech I used your yaml and my server came up just fine. Here is the output:

ashutosh_kumar (Fri, 12 Oct 2018 17:11:29 GMT):
```
Checking configuration file version '1.2.0' against server version: '1.4.0-snapshot-72d2f80'
2018/10/12 13:06:58 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts: PluginOpts: Pkcs11Opts:0xc4207f03f0}
2018/10/12 13:06:58 [DEBUG] Initializing BCCSP with PKCS11 options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc4207eeb70 DummyKeystore: Library:/usr/local/Cellar/softhsm/2.4.0/lib/softhsm/libsofthsm2.so Label:ForFabric Pin:98765432 SoftVerify:false Immutable:false}
2018/10/12 13:06:58 [DEBUG] Initialize key material
2018/10/12 13:06:58 [DEBUG] Making CA filenames absolute
2018/10/12 13:06:58 [WARNING] &{69 The specified CA certificate file /Users/ash/Downloads/ca-cert.pem does not exist}
2018/10/12 13:06:58 [DEBUG] Root CA certificate request: {CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[safenet localhost] KeyRequest:0xc4202bb840 CA:0xc4202bb000 SerialNumber:}
2018/10/12 13:06:58 [INFO] generating key: &{A:ecdsa S:256}
2018/10/12 13:06:58 [DEBUG] generate key from request: algo=ecdsa, size=256
2018-10-12 13:06:58.953 EDT [bccsp_p11] generateECKey -> INFO 001 Generated new P11 key, SKI abe3b86aa105e3307889386f00e46b54240eeb1c8adee571789e565291496035
```

ashutosh_kumar (Fri, 12 Oct 2018 17:12:18 GMT):
there must be something wrong with your environment.

ashutosh_kumar (Fri, 12 Oct 2018 17:13:08 GMT):
Which level of Fabric CA are you on?

ashutosh_kumar (Fri, 12 Oct 2018 17:31:06 GMT):
Here is my version:
```
fabric-ca-server:
 Version: 1.4.0-snapshot-72d2f80
 Go version: go1.10.2
 OS/Arch: darwin/amd64
```

ashutosh_kumar (Fri, 12 Oct 2018 18:07:12 GMT):
I have tested it on MacOS. I'll give a try on Ubuntu later.

yousaf (Sat, 13 Oct 2018 22:30:58 GMT):
All my docker containers for peers and the orderer are exiting, except the cli container, when I run the docker-compose command to bring up my network. What could be the reason? Any info related to this?

caveman7 (Sun, 14 Oct 2018 07:10:57 GMT):
Hi guys, I can add affiliations but I can't remove the default affiliations (org1 and org2). I used the bootstrap admin:
```
fabric-ca-client affiliation remove org1 --force --tls.certfiles $TLSCERT -u https://rca0-org:7054
2018/10/14 07:06:44 [INFO] Configuration file location: /org-shared/users/admin/fabric-ca-client-config.yaml
2018/10/14 07:06:44 [INFO] TLS Enabled
2018/10/14 07:06:44 [INFO] TLS Enabled
Error: Response from server: Error Code: 20 - Authorization failure
```
Log from the CA server:
```
2018/10/14 07:06:44 [DEBUG] DB: Getting identity admin
2018/10/14 07:06:44 [DEBUG] Successful token authentication of 'admin'
2018/10/14 07:06:44 [DEBUG] Received affiliation update request from admin
2018/10/14 07:06:44 [DEBUG] Processing affiliation configuration update request
2018/10/14 07:06:44 [DEBUG] Processing DELETE request
2018/10/14 07:06:44 [INFO] 172.17.0.4:57358 DELETE /affiliations/org1?ca=&force=true 401 61 "Affiliation removal is disabled"
```

rbole (Sun, 14 Oct 2018 13:52:35 GMT):
clientauth

rbole (Sun, 14 Oct 2018 14:00:12 GMT):
Hi, I'm looking for some examples of using client authentication with the fabric-ca-server. Thanks for any links or explanations.

SumanPapanaboina (Sun, 14 Oct 2018 15:33:13 GMT):
Has joined the channel.

GuillaumeTong (Mon, 15 Oct 2018 01:13:00 GMT):
@caveman7 by default, affiliation (and identity) removal is disabled on fabric ca servers. You need to start the server with something like
```
./fabric-ca-server start --cfg.affiliations.allowremove --cfg.identities.allowremove
```
so that removal is enabled.

caveman7 (Mon, 15 Oct 2018 05:35:38 GMT):
thanks @GuillaumeTong

raccoonrat (Mon, 15 Oct 2018 06:04:44 GMT):
Has joined the channel.

raccoonrat (Mon, 15 Oct 2018 06:07:16 GMT):
Hi everyone, does fabric-ca support a certificate-less feature?

vtech (Mon, 15 Oct 2018 06:25:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hckNDtM3HLAmhaAGg) @ashutosh_kumar Here is my version. It works fine with the SW option, but fails with PKCS11:
```
fabric-ca-server:
 Version: 1.3.0
 Go version: go1.10.3
 OS/Arch: linux/amd64 (Ubuntu 16.04.1)
softhsm --version
1.3.7
```

srinivasd (Mon, 15 Oct 2018 08:31:58 GMT):
Hi all, I am facing an issue while using PKCS11. I am getting the following error:
```
2018/10/15 08:31:11 [INFO] Configuration file location: /opt/gopath/src/github.com/hyperledger/fabric-ca/fabric-ca-server-config.yaml
2018/10/15 08:31:11 [INFO] Starting server in home directory: /opt/gopath/src/github.com/hyperledger/fabric-ca
2018/10/15 08:31:11 [INFO] Server Version: 1.3.1
2018/10/15 08:31:11 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
Error: Failed to initialize BCCSP Factories: %!s() Could not find default `PKCS11` BCCSP
```
Is anyone else facing this issue? Please help me. Thanks in advance.

shrutidixit12 (Mon, 15 Oct 2018 08:34:33 GMT):
Hi all, I am facing the following issue. Can someone help? Thanks in advance.

shrutidixit12 (Mon, 15 Oct 2018 08:35:47 GMT):

fabric-ca.PNG

halilkalkan (Mon, 15 Oct 2018 12:51:29 GMT):
Hi guys, I'm running the fabric-samples/fabric-ca example and I want to find the user's certificate files, but the user directory under msp is empty. I want to reach the user file and see the attributes that I set before. Thank you.

skarim (Mon, 15 Oct 2018 13:59:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WPhjfCvHtoAzHvcgE) @shrutidixit12 In my.cnf, find the configuration option sql_mode and remove NO_ZERO_DATE if present. Restart MySQL server after making this change

ashutosh_kumar (Mon, 15 Oct 2018 14:17:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZJDceFZcpSb7CFj77) @srinivasd Which PKCS11 lib are you using? Are you using softhsm? Have you initialized your softhsm library?

ashutosh_kumar (Mon, 15 Oct 2018 14:18:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=n5CHz8aah6XzamjE6) @vtech Can you pull latest Fabric CA code/binary from master and run your test again ?

baoyangc (Mon, 15 Oct 2018 14:24:48 GMT):
https://jira.hyperledger.org/browse/FABC-739 @rameshthoomu

rameshthoomu (Mon, 15 Oct 2018 14:27:17 GMT):
@baoyangc Is this something I can do with CI?

ashutosh_kumar (Mon, 15 Oct 2018 15:42:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZJDceFZcpSb7CFj77) @srinivasd Can you pull the latest code/image, test it out and let me know the result? Thanks.

ashutosh_kumar (Mon, 15 Oct 2018 16:00:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=n5CHz8aah6XzamjE6) @vtech My softHSM version is 2.4.0. Can you upgrade to the 2.4 version of softHSM?

srinivasd (Mon, 15 Oct 2018 16:50:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=erkzYMMe3FceFDZGT) @ashutosh_kumar I am using softhsm2. I installed it using apt. Yes, I have initialised it.

srinivasd (Mon, 15 Oct 2018 16:51:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Kg2QcJjrgJp8n84Zw) @ashutosh_kumar I used the go get command to get the latest code of fabric ca and built the binaries for the fabric-ca-server and client.

srinivasd (Mon, 15 Oct 2018 16:57:30 GMT):
@pianoraptor hi. Did you test the fabric ca server in the new release? I am facing the same issue as previously.

ashutosh_kumar (Mon, 15 Oct 2018 18:13:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4b35354c-8ad9-4e8e-8dd5-3ae3b2359991) @srinivasd What is your OS? And can you pull the latest fabric ca code/image and run the test again?

srinivasd (Mon, 15 Oct 2018 21:46:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aSm6BzL6P9Fx64B75) @ashutosh_kumar Ubuntu 16.04 and ok I will test again and let you know the results.

ashutosh_kumar (Mon, 15 Oct 2018 21:47:29 GMT):
sounds like a plan.

joenyzio (Tue, 16 Oct 2018 02:02:02 GMT):
Has joined the channel.

JayJong (Tue, 16 Oct 2018 03:35:50 GMT):
Hi, does anyone have an answer to this question? Is it necessary to define this organization section (all organizations and msp dir paths) https://github.com/hyperledger/fabric-samples/blob/release-1.2/balance-transfer/artifacts/channel/configtx.yaml#L15-L64 when generating the genesis block? I am asking this question from a production environment perspective. I am using fabric-ca to generate crypto materials and using multiple orderers. I assume that in a production environment all crypto material will not be in the same root directory, so how will we fill in that organization part?

srinivasd (Tue, 16 Oct 2018 04:19:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=917f948d-3018-4d6d-901e-de813ac246f8) Hi, same issue even though I cloned the latest fabric-ca repository.

shrutidixit12 (Tue, 16 Oct 2018 04:59:38 GMT):

my.zip

alekhyam (Tue, 16 Oct 2018 06:46:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZJDceFZcpSb7CFj77) @srinivasd @ashutosh_kumar @pianoraptor Hi, even I am facing the same issue with the latest version `1.3.1-snapshot-4f6586e`. I got it working by checking out the `v1.3.0-rc1` github tag. Does anyone have an idea about this issue?

vtech (Tue, 16 Oct 2018 07:01:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vdgCtb58hW2GLmKDe) @ashutosh_kumar It works fine with the latest fabric-ca code. Thanks.

vtech (Tue, 16 Oct 2018 07:01:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yuhsbT83PDxN8eX5d) @alekhyam It works fine with latest tag 1.4.0-snapshot-cb7353f for me.

alekhyam (Tue, 16 Oct 2018 07:14:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5nYczrqAoRwhY7NG8) @vtech Thanks. It works with `1.4.0-snapshot-cb7353f`.

MohammadObaid (Tue, 16 Oct 2018 10:23:22 GMT):
Hey @skarim, should fabric-ca return an `admincerts` folder when enrolling a new peer identity after registration? I got only four things from fabric-ca: `cacerts`, `keystore`, `signcerts`, `user`. To make the genesis block using configtxgen I need admincerts, which is not retrieved from fabric-ca.

skarim (Tue, 16 Oct 2018 13:46:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DL4h2EZPfSue78BmR) @MohammadObaid You'll have to create this folder manually

skarim (Tue, 16 Oct 2018 13:48:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5a9HXgJ5wSEPvvNvd) @shrutidixit12 If it is not there, you can just add it, for example: `sql_mode=NO_ZERO_Date`

ashutosh_kumar (Tue, 16 Oct 2018 14:17:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=keMBpF92nAKxK4c4a) @srinivasd Are you at the 1.4 level? Can you run the `fabric-ca-server version` command and share the result?

MohammadObaid (Tue, 16 Oct 2018 15:51:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KABCCqTb6gRwzdMGz) @skarim Alright, and inside the admincerts folder the certificate will be the same as the signcert, right?

skarim (Tue, 16 Oct 2018 15:59:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iSAqYwMz6EmAkAJhW) @MohammadObaid yes, the signcert of the identity that you want to be admin

MohammadObaid (Tue, 16 Oct 2018 15:59:37 GMT):
Alright, got it. Thanks :)

ashutosh_kumar (Tue, 16 Oct 2018 19:03:30 GMT):
@srinivasd, I was able to run PKCS11 on Linux with server 1.3. The document needs an update. I'll update the doc.

ashutosh_kumar (Tue, 16 Oct 2018 19:22:37 GMT):
https://jira.hyperledger.org/browse/FABC-741

JaccobSmith (Wed, 17 Oct 2018 03:24:28 GMT):
Does anyone have a document to follow to produce all the needed certificates for a two-org fabric network?

JaccobSmith (Wed, 17 Oct 2018 03:24:58 GMT):
with the fabric-ca

shrutidixit12 (Wed, 17 Oct 2018 05:16:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=E4zZwF2L89P6sRzD7) @skarim Thanks for the answer. I tried this also but getting the same error.

vtech (Wed, 17 Oct 2018 10:25:12 GMT):
@ashutosh_kumar I am trying the e2e example from the fabric repository while enabling softhsm (using core & orderer yaml and overriding the PKCS property value), but it is switching back to SW. Are there any further configurations that need to be overridden in this scenario? Below is the debug log while retrieving the key:
```
2018-10-17 11:00:53.692 UTC [viperutil] unmarshalJSON -> DEBU 001 Unmarshal JSON: value is not a string:
2018-10-17 11:00:53.692 UTC [viperutil] getKeysRecursively -> DEBU 002 Found real value for peer.BCCSP setting to
2018-10-17 11:00:53.692 UTC [viperutil] EnhancedExactUnmarshalKey -> DEBU 003 map[peer.BCCSP:]
2018-10-17 11:00:53.692 UTC [bccsp_sw] createKeyStoreIfNotExists -> DEBU 004 KeyStore path [/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/keystore] missing [true]: []
```

giacomo.minighin (Wed, 17 Oct 2018 13:11:25 GMT):
Has joined the channel.

giacomo.minighin (Wed, 17 Oct 2018 13:11:40 GMT):
how can I use fabric-ca to create orderers and peers?

ashutosh_kumar (Wed, 17 Oct 2018 13:16:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ke47EGQrNxPhik3ZX) @vtech Can you share the yaml file that you are using?

ashutosh_kumar (Wed, 17 Oct 2018 13:16:39 GMT):
Looks like your bccsp is not set to use PKCS11.

atirekg (Wed, 17 Oct 2018 14:43:48 GMT):
Guys, getting this error:
```
2018/10/17 14:31:08 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server
2018/10/17 14:31:08 [DEBUG] 1 CA instance(s) running on server
2018/10/17 14:31:08 [INFO] Listening on http://0.0.0.0:7054
2018/10/17 14:41:50 [DEBUG] Received request for /api/v1/register
2018/10/17 14:41:50 [DEBUG] Caller is using a x509 certificate
2018/10/17 14:41:50 [INFO] 172.24.0.1:44133 POST /api/v1/register 401 26 "Untrusted certificate: Failed to verify certificate: x509: certificate signed by unknown authority"
```

atirekg (Wed, 17 Oct 2018 14:44:57 GMT):
generated the certificate and other config files using configtxgen

jvsclp (Wed, 17 Oct 2018 15:44:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bfFudKA8pWQGd4du8) @giacomo.minighin This should help: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#

skarim (Wed, 17 Oct 2018 17:11:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7QFSvMG7jJws2qM83) @atirekg You generated the certificate using cryptogen? If so, you can't use a certificate from cryptogen with fabric-ca-server. If the CA server did not sign the certificate then you will get this error.

vtech (Thu, 18 Oct 2018 04:09:40 GMT):

orderer.txt

vtech (Thu, 18 Oct 2018 04:09:42 GMT):

core.txt

vtech (Thu, 18 Oct 2018 04:10:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WqcrB9fSF5K4Q9BxT) @ashutosh_kumar Please find the yaml above.

atirekg (Thu, 18 Oct 2018 06:07:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mwCipyo4TRgGK54Jv) @skarim Any idea how to solve it?

JaccobSmith (Thu, 18 Oct 2018 07:53:11 GMT):
Does the "key" part of the "csr" section in the config file work? I changed the config file to:
```yaml
csr:
  key:
    algo: ecdsa
    size: 384
```
but it didn't work; the csr file was still an "ecdsa-sha256" one.

JaccobSmith (Thu, 18 Oct 2018 07:53:49 GMT):
```yaml
csr:
  key:
    algo: ecdsa
    size: 384
```

JaccobSmith (Thu, 18 Oct 2018 07:55:09 GMT):
I used the command `fabric-ca-client gencsr`

KGiou (Thu, 18 Oct 2018 13:22:43 GMT):
Hi all. What is the best practice: to have all the certificates of the identities (let's say identities = peers) in the container of the intermediate CA, or to have each peer's certificate in the corresponding container of the peer?

skarim (Thu, 18 Oct 2018 13:37:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NZCCiWJDb8zZoqT2a) @atirekg You need to enroll and get a certificate from the CA that you are trying to interact with

aambati (Thu, 18 Oct 2018 14:07:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ATQeHWPFAWBmY2P4f) @KGiou to have each peer's cert in the peer container

giacomo.minighin (Thu, 18 Oct 2018 15:14:40 GMT):
When should I use a Fabric-CA client configuration file?

decameron (Thu, 18 Oct 2018 21:16:18 GMT):
Has joined the channel.

kh.nguyen (Fri, 19 Oct 2018 00:18:54 GMT):
Has joined the channel.

qubing (Fri, 19 Oct 2018 07:16:41 GMT):
@giacomo.minighin Just when you access fabric-ca-server via fabric-ca-client CLI.

AndrewNRise (Fri, 19 Oct 2018 08:15:47 GMT):
Has joined the channel.

giacomo.minighin (Fri, 19 Oct 2018 12:08:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aztyjDmdgZGC6rw92) @qubing is it possible via sdk?

kingpasan (Fri, 19 Oct 2018 20:53:56 GMT):
Has joined the channel.

toddinpal (Sat, 20 Oct 2018 13:11:06 GMT):
Does anyone have an example of using curl to interact with fabric-ca?

javrevasandeep (Sun, 21 Oct 2018 14:10:11 GMT):
Hi guys, I have one query related to fabric-ca. Let's say I have one root CA and one intermediate CA up and running. Now, for some reason, either one of them or both of them crashed or were removed (docker containers got removed). How can such a failure be handled? Is there any way to save the /etc/hyperledger/fabric-ca folder inside the container to the host machine and recreate the CA (root or intermediate) with the same certificates, root-ca-cert.pem and intermediate-ca-chain-cert.pem, as it was before the failure?

Ashish_ydv (Mon, 22 Oct 2018 06:09:07 GMT):
Has joined the channel.

guhy1011 (Mon, 22 Oct 2018 07:35:15 GMT):
http: TLS handshake

giacomo.minighin (Mon, 22 Oct 2018 07:42:15 GMT):
@javrevasandeep try with this https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#initializing-the-server

grevaud (Mon, 22 Oct 2018 08:22:39 GMT):
Has joined the channel.

grevaud (Mon, 22 Oct 2018 08:55:01 GMT):
Hello everyone, I am trying to create a PKI with fabric-ca with TLS enabled, but I have an issue: when I try to enroll the admin with fabric-ca-client, the POST request enroll fails with the error "x509: certificate is valid for cab39dbcea97, not ca-server.com". Do you know what I have done wrong to get this error?

shrutidixit12 (Mon, 22 Oct 2018 10:57:24 GMT):

fabric-ca.PNG

rmaurer (Mon, 22 Oct 2018 13:14:22 GMT):
Has joined the channel.

ameijer (Mon, 22 Oct 2018 22:26:47 GMT):
Has joined the channel.

vtech (Tue, 23 Oct 2018 04:59:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Reh85HSPY43wzYsH8) @ashutosh_kumar Were you able to try with these yaml configurations please ?

guhy1011 (Tue, 23 Oct 2018 08:14:19 GMT):
```
$ kubectl logs dining-greyhound-fabric-ca-deployment-c9fff7d76-pwxsr
2018/10/23 05:49:41 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
2018/10/23 05:49:41 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
2018/10/23 05:49:41 [INFO] Server Version: 1.2.1
2018/10/23 05:49:41 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2018/10/23 05:49:41 [INFO] Loading CA from /etc/hyperledger/fabric-ca-server/ca/tls/fabric-ca-config.yaml
2018/10/23 05:49:41 [WARNING] &{69 The specified CA certificate file /etc/hyperledger/fabric-ca-server/ca/tls/ca-cert.pem does not exist}
2018/10/23 05:49:41 [INFO] generating key: &{A:ecdsa S:256}
2018/10/23 05:49:41 [INFO] encoded CSR
2018/10/23 05:49:41 [INFO] signed certificate with serial number 300553967600525144134748625975577843791221230468
2018/10/23 05:49:41 [INFO] The CA key and certificate were generated for CA tlsca
2018/10/23 05:49:41 [INFO] The key was stored by BCCSP provider 'SW'
2018/10/23 05:49:41 [INFO] The certificate is at: /etc/hyperledger/fabric-ca-server/ca/tls/ca-cert.pem
2018/10/23 05:49:41 [INFO] Initialized sqlite3 database at /etc/hyperledger/fabric-ca-server/ca/tls/fabric-ca-server.db
2018/10/23 05:49:41 [INFO] The issuer key was successfully stored. The public key is at: /etc/hyperledger/fabric-ca-server/ca/tls/IssuerPublicKey, secret key is at: /etc/hyperledger/fabric-ca-server/ca/tls/msp/keystore/IssuerSecretKey
2018/10/23 05:49:41 [INFO] The revocation key was successfully stored. The public key is at: /etc/hyperledger/fabric-ca-server/ca/tls/IssuerRevocationPublicKey, private key is at: /etc/hyperledger/fabric-ca-server/ca/tls/msp/keystore/IssuerRevocationPrivateKey
2018/10/23 05:49:41 [INFO] The CA key and certificate already exist
2018/10/23 05:49:41 [INFO] The key is stored by BCCSP provider 'SW'
2018/10/23 05:49:41 [INFO] The certificate is at: /etc/hyperledger/fabric-ca-server/ca-cert.pem
2018/10/23 05:49:41 [INFO] Initialized sqlite3 database at /etc/hyperledger/fabric-ca-server/fabric-ca-server.db
2018/10/23 05:49:41 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server
2018/10/23 05:49:41 [INFO] generating key: &{A:ecdsa S:256}
2018/10/23 05:49:41 [INFO] encoded CSR
2018/10/23 05:49:41 [INFO] signed certificate with serial number 42290392533484875289814047899335412045689703264
2018/10/23 05:49:41 [INFO] Listening on https://0.0.0.0:7054
2018/10/23 05:49:57 http: TLS handshake error from 10.1.0.1:35198: EOF
2018/10/23 05:50:02 http: TLS handshake error from 10.1.0.1:35220: EOF
2018/10/23 05:50:04 http: TLS handshake error from 10.1.0.1:35222: EOF
2018/10/23 05:50:07 http: TLS handshake error from 10.1.0.1:35236: EOF
2018/10/23 05:50:12 http: TLS handshake error from 10.1.0.1:35258: EOF
2018/10/23 05:50:14 http: TLS handshake error from 10.1.0.1:35260: EOF
2018/10/23 05:50:17 http: TLS handshake error from 10.1.0.1:35274: EOF
2018/10/23 05:50:22 http: TLS handshake error from 10.1.0.1:35296: EOF
2018/10/23 05:50:24 http: TLS handshake error from 10.1.0.1:35298: EOF
2018/10/23 05:50:27 http: TLS handshake error from 10.1.0.1:35314: EOF
2018/10/23 05:50:32 http: TLS handshake error from 10.1.0.1:35334: EOF
2018/10/23 05:50:34 http: TLS handshake error from 10.1.0.1:35336: EOF
2018/10/23 05:50:37 http: TLS handshake error from 10.1.0.1:35354: EOF
2018/10/23 05:50:42 http: TLS handshake error from 10.1.0.1:35374: EOF
2018/10/23 05:50:44 http: TLS handshake error from 10.1.0.1:35378: EOF
2018/10/23 05:50:47 http: TLS handshake error from 10.1.0.1:35392: EOF
2018/10/23 05:50:52 http: TLS handshake error from 10.1.0.1:35412: EOF
```

guhy1011 (Tue, 23 Oct 2018 08:16:18 GMT):
Hello everyone, who can help to explain the reasons for the TLS handshake error? Thanks in advance.

hyperlearner (Tue, 23 Oct 2018 13:01:08 GMT):
Hi, we are trying a 3-node network setup. We created a channel in one node and the two other nodes joined the channel. We are able to install the chaincode in all the peers. But we are facing issues in instantiating the chaincode through node-sdk. The other two nodes are unable to get the instantiated chaincode. But through peer commands, we are able to instantiate. Can anybody help us with the issue? #fabric #fabric-ca

srinivasd (Tue, 23 Oct 2018 13:02:19 GMT):
Hi All, How to set `maxenrollments` to an affiliation using `fabric-ca-server`.

skarim (Tue, 23 Oct 2018 14:45:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LZMBi4dh8PoGyfqwG) @srinivasd `maxenrollments` are not associated to affiliations. The max enrollment value is per identity

srinivasd (Tue, 23 Oct 2018 14:47:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GxcdqEyyzm7rXjQLY) @skarim Thanks.

skarim (Tue, 23 Oct 2018 17:46:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wt2pqZnvd3wKcRKyx) @hyperlearner Please post in #fabric-sdk-node channel

skarim (Tue, 23 Oct 2018 17:47:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rbBLp5Ztp4jPZHxjF) @guhy1011 Are the clients configured correctly to verify server's tls certificate?

jrosmith (Tue, 23 Oct 2018 18:46:28 GMT):
@hyperlearner chaincode needs to be installed per endorsing peer, but only instantiated once per channel. the node sdk is properly returning errors because the chaincode is already instantiated

huxiangdong (Wed, 24 Oct 2018 00:45:20 GMT):
we are getting error when trying to start orderer using certificates generated by the fabric ca server:

huxiangdong (Wed, 24 Oct 2018 00:45:22 GMT):
2018-10-24 00:22:01.889 UTC [orderer/common/server] initializeLocalMsp -> CRIT 01c Failed to initialize local MSP: CA Certificate did not have the Subject Key Identifier extension, (SN: 280601438659103150156984823243408827159803483994)

huxiangdong (Wed, 24 Oct 2018 00:46:30 GMT):
any idea what might be wrong? is it problem of setting in the fabric ca server or any parameter missing when we register/enroll the identity?

arcynosure (Wed, 24 Oct 2018 11:24:21 GMT):
Has joined the channel.

arcynosure (Wed, 24 Oct 2018 11:24:49 GMT):
Hi, could you help me to solve this problem in Hyperledger Fabric? I was trying to set up a fabric network consisting of 3 organisations and 12 peers. I have used your chainhero tutorial as a reference. I have built the network and it is up and running, but when I try to run the built file (./chain-heroes in your example) the SDK and resource management get created but then this error shows up: Unable to initialize the Fabric SDK: failed to save channel: create channel failed: SendEnvelope failed: calling orderer 'localhost:7050' failed: Orderer Server Status Code: (400) BAD_REQUEST. Description: error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining. Then I checked the orderer logs and I see this: [cauthdsl] deduplicate -> ERRO 259 Principal deserialization failure (MSP Org1 is unknown). Now my doubt is that I have used the same setup.go file you used in your tutorial. Is there any issue in using the setup.go file you used for the single-org setup for a multi-org setup? Please do help me, thanks in advance.

MegganDo (Wed, 24 Oct 2018 21:37:11 GMT):
Has joined the channel.

yulong12 (Thu, 25 Oct 2018 05:15:09 GMT):
Hello everyone! I want to ask a question. Are the peer's root CA and the orderer's root CA the same root CA, or are they signed by the same root CA?

yulong12 (Thu, 25 Oct 2018 05:15:17 GMT):
right?

caveman7 (Thu, 25 Oct 2018 05:17:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QgeubKYgG2B2C64hE) @yulong12 typically orderer org is a separate organization, so it will have its own RCA. but i think it's not impossible for the peer and orderer certs to be signed by the same RCA

yulong12 (Thu, 25 Oct 2018 05:21:39 GMT):
So can I add any network, such as one including 2 peers and 1 org, to an already launched network such as the byfn network?

yulong12 (Thu, 25 Oct 2018 05:21:42 GMT):
@caveman7

cagdast (Thu, 25 Oct 2018 07:36:44 GMT):
Has joined the channel.

HoneyShah (Thu, 25 Oct 2018 11:54:14 GMT):
Hello, I found the following commands for getting the AKI and serial number from a certificate. But these are using the command line.
```
serial=$(openssl x509 -in userecert.pem -serial -noout | cut -d "=" -f 2)
aki=$(openssl x509 -in userecert.pem -text | awk '/keyid/ {gsub(/ *keyid:|:/,"",$1);print tolower($0)}')
```
How can we get that using the node sdk?

dcasado (Thu, 25 Oct 2018 14:15:20 GMT):
Has joined the channel.

MohammadObaid (Fri, 26 Oct 2018 06:03:48 GMT):
Question: Suppose I have the following affiliations
```
affiliations:
  abc:
    orga:
      - abc
    orgb:
      - busers
      - busers
    cSection:
      - cusers
      - cusers
      - cusers
      - cusers
    dSection:
      - dusers
```
When I register and enroll an identity with organization `dsection`, shouldn't it return only certificates and no keystore folder, as it is sort of an organization MSP and needs to be used in channel MSP and genesis block creation?

MohammadObaid (Fri, 26 Oct 2018 06:05:09 GMT):
And my second question related to this: if I enroll an identity for `dusers` under dsection, then the certificates and crypto material generated are linked to the dSection root certificate, right? @skarim

pravindia (Fri, 26 Oct 2018 06:45:18 GMT):

Screenshot from 2018-10-25 16-36-10.png

MegganDo (Fri, 26 Oct 2018 07:26:40 GMT):
revoke

gravity (Fri, 26 Oct 2018 16:24:57 GMT):
Hello, how do I register a new admin (who can create channels, install chaincodes etc.)?

skarim (Fri, 26 Oct 2018 17:53:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RwugxcqPAqWrFTvj3) @MohammadObaid Every time you enroll, you will have a new private key and associated certificate (public key). The MSP configured for a channel would contain the ca signing cert, which is then used to verify if a certificate is signed by the appropriate signing authority.

skarim (Fri, 26 Oct 2018 17:55:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mnDnA3Dx8zKSXE6TF) @MohammadObaid signing certificates are not per affiliation, there is one signing certificate per CA. The identity's affiliation can be inserted into the certificate, but it won't be signed by a certificate for a specific affiliation.

skarim (Fri, 26 Oct 2018 17:56:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8iAYWZBTpde9WFCcC) @gravity As long as the certificate is placed in the `admin` folder in the peer's local MSP, it can perform those actions

AbhinayB (Mon, 29 Oct 2018 09:07:08 GMT):
Hi! Is there a way for a python program to connect to a fabric CA? As the fabric-sdk-py isn't ready yet, I was wondering if there is a workaround. How about the python program connecting to an endpoint of the CA's REST API to enroll a user? Is that a good idea? Any suggestions?

mko (Mon, 29 Oct 2018 11:25:25 GMT):
Has joined the channel.

Paradox-AT (Mon, 29 Oct 2018 15:12:32 GMT):
Has joined the channel.

skarim (Mon, 29 Oct 2018 20:02:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fMF5wF4EhngfRQzPo) @AbhinayB You can use the REST APIs to talk to the fabric CA server; if you look at the fabric CA repo you will find the swagger doc that provides more details on the REST APIs

AbhinayB (Tue, 30 Oct 2018 04:11:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aGf7XuuS4Pyncjxqk) @skarim Thank you! I guessed so. I am having a look at it. I couldn't understand the arguments in the request body to be passed to the enroll endpoint as mentioned in https://github.com/hyperledger/fabric-ca/blob/release-1.3/swagger/swagger-fabric-ca.json. What do the 'label', 'attr_reqs', 'profile' attributes mean?

EvansChang (Tue, 30 Oct 2018 09:25:22 GMT):
Has joined the channel.

waxer (Tue, 30 Oct 2018 17:18:05 GMT):
Has joined the channel.

waxer (Tue, 30 Oct 2018 17:18:27 GMT):
Question: What is the purpose of the 'Affiliations'? What use do they have in the Fabric network?

srinivas (Tue, 30 Oct 2018 17:54:25 GMT):
Has joined the channel.

skarim (Tue, 30 Oct 2018 19:28:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Ln2XBvPvzrLsqJtxi) @AbhinayB 'attr_reqs' is a list of attributes that you would like inserted into your enrollment certificate. 'profile' is the profile that you would like to enroll against. A CA can have multiple profiles, see fabric ca server configuration. 'label' is associated with each enrollment certificate in the database.

skarim (Tue, 30 Oct 2018 19:30:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qogtaqihLP9Q9kBQh) @waxer The purpose of an affiliation is to provide hierarchical control on what an identity can do. For example, identity 1 with the registrar privileges and affiliation a.b can perform registrar type duties on identities with an affiliation of a.b, a.b.c, a.b.d, etc, but not those with an affiliation of a.c. Affiliations can be inserted into the enrollment certificate as an attribute, this attribute can then be retrieved in chaincode and access control decisions can be based on affiliations.

waxer (Tue, 30 Oct 2018 19:37:39 GMT):
@skarim , oh, it can be used as an ACL. Can I provide totally custom attributes to be included in the ECert too?

waxer (Tue, 30 Oct 2018 19:37:49 GMT):
to use it in the chaincodes too?

skarim (Tue, 30 Oct 2018 19:38:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RJdYR6Pi4QBmggTo9) @waxer Yes, see: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#attribute-based-access-control

dave.enyeart (Tue, 30 Oct 2018 19:38:41 GMT):
@skarim The chaincode CID library does not mention the use of affiliations... I assume it should?

dave.enyeart (Tue, 30 Oct 2018 19:40:06 GMT):
since CID library is the way to get cert attributes for access control decisions

skarim (Tue, 30 Oct 2018 19:40:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DY2s2jiRntfG4N5GK) @dave.enyeart It uses the GetAttributeValue function, which you can use to retrieve attributes from the certificate. Are you saying we don't talk about affiliations in the doc related to the CID library?

dave.enyeart (Tue, 30 Oct 2018 19:41:16 GMT):
right, if this is a common pattern we want to encourage, shouldn't it be mentioned in CID document?

skarim (Tue, 30 Oct 2018 19:41:35 GMT):
yeah, we can mention it. where is this doc?

skarim (Tue, 30 Oct 2018 19:41:56 GMT):
ah, the Readme

dave.enyeart (Tue, 30 Oct 2018 19:42:08 GMT):
right

dave.enyeart (Tue, 30 Oct 2018 19:42:13 GMT):
there are two copies now:

dave.enyeart (Tue, 30 Oct 2018 19:42:15 GMT):
https://github.com/hyperledger/fabric/tree/master/core/chaincode/shim/ext/cid

dave.enyeart (Tue, 30 Oct 2018 19:42:23 GMT):
https://github.com/hyperledger/fabric/tree/master/core/chaincode/lib/cid

dave.enyeart (Tue, 30 Oct 2018 19:42:30 GMT):
i believe one will go away in v2.0 right?

skarim (Tue, 30 Oct 2018 19:42:37 GMT):
right, the lib/cid should go away. yes that is the plan

dave.enyeart (Tue, 30 Oct 2018 19:43:26 GMT):
so it would be nice to put an affiliation example in for GetAttributeValue() right

skarim (Tue, 30 Oct 2018 19:43:30 GMT):
I can add an example to the readme

dave.enyeart (Tue, 30 Oct 2018 19:43:35 GMT):
thanks

dave.enyeart (Tue, 30 Oct 2018 19:47:07 GMT):
similarly, the ca doc for ABAC at https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#attribute-based-access-control doesn't explicitly mention using affiliation for access control. somebody could draw that conclusion by reading between the lines, but the pattern should be explicitly mentioned if we want to encourage that pattern

skarim (Tue, 30 Oct 2018 19:47:41 GMT):
right, I can add an example there as well

dave.enyeart (Tue, 30 Oct 2018 19:47:49 GMT):
perfect

dave.enyeart (Tue, 30 Oct 2018 19:48:23 GMT):
bonus points if you use the same example across CA doc and CID readme :)

skarim (Tue, 30 Oct 2018 19:48:39 GMT):
:)

waxer (Tue, 30 Oct 2018 20:16:15 GMT):
@skarim , cool. And what is the purpose of defining affiliations in the server CA config file to be bootstrapped?

waxer (Tue, 30 Oct 2018 20:17:22 GMT):
Even if an admin user has a * on Affiliations, does the CA server limit what values are possible using that configuration?

waxer (Tue, 30 Oct 2018 20:17:50 GMT):
(Saying it differently: when registering new users, would only affiliations specified in the config file of the CA be allowed as prefixes?)

skarim (Tue, 30 Oct 2018 20:36:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Kky9oPWmbiRLKkFaD) @waxer Yes, you are limited to affiliations that the CA server is configured with. Identities can only be registered with the exact affiliations that the CA is configured with. However, you are not limited to the affiliations that the server is configured with at bootstrap. There is an affiliations API that allows you to manage affiliation, by deleting, renaming, or creating new affiliations.

vdods (Tue, 30 Oct 2018 21:03:16 GMT):
Regarding hf.Registrar.Roles, can arbitrary role names be made up and used in an application? Like for example, say I wanted to define a subtype of `user`, called `foobar-user` which is more specific than user. Can I just do that? Or are they limited to user, client, peer, orderer, etc

vdods (Tue, 30 Oct 2018 23:11:41 GMT):
Also, are modifications to an identity's attributes constrained by hf.Registrar.Attributes, just as registering an identity is?

AbhinayB (Wed, 31 Oct 2018 05:20:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ysTtDJyz5QMEAdHPz) @skarim Thank you for the clarification. Are these parameters optional? I know the CSR isn't. So how do we generate a CSR? While using fabric-sdk-java, I didn't need to generate all these additional parameters as the sdk uses a pre-defined CryptoPrimitives library that generates the CSR. How do I generate all the necessary parameters and send them to the enroll endpoint?

skarim (Wed, 31 Oct 2018 13:21:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WNtHzgGRmREw73Xvp) @AbhinayB I would assume that python has similar crypto libraries that you could use.

mrlinjun (Wed, 31 Oct 2018 13:29:00 GMT):
Has joined the channel.

waxer (Wed, 31 Oct 2018 14:09:16 GMT):
Question regarding fabric-ca-client: Say the admin registers a new identity. Then this new identity has its name and secret. When it is going to enroll, it configures a .yaml with the CSR. Is this CSR checked against the settings set by the admin when it registered the identity? If the parameters of the registration didn't specify the 'C' (country) attribute, does this mean that the new identity can choose whatever Country it likes in the enrollment?

skarim (Wed, 31 Oct 2018 14:21:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=w3pqCBTD74ji2twnK) @vdods fabric ca does not place limits on what you can define as a role, you can use any role name you'd like.

srinivasd (Wed, 31 Oct 2018 15:54:28 GMT):
@skarim Hi, how do I add a maximum enrollment to the organization in the fabric ca server?

skarim (Wed, 31 Oct 2018 16:11:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rsMmYichW2J3K4y3f) @waxer The registration is not linked to the CSR at all, you can specify whatever you'd like in CSR during enrollment time. The only restriction is that the CN in the CSR will always be the enrollment ID, but other than that you are free to set the CSR properties to your liking.

skarim (Wed, 31 Oct 2018 16:12:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3a99a01e-4be1-403e-81b1-6a5b564e070f) @srinivasd Not sure what you mean by organization, the max enrollment value is per CA. This can be set using the `registry.maxenrollments` property

srinivasd (Wed, 31 Oct 2018 16:20:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MaXSHSSBCfSsEx6eZ) @skarim In CA, I want to add maximum enrollment for the affiliation organization org1.

skarim (Wed, 31 Oct 2018 16:20:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=63e84c84-585e-473d-a006-ab2e16b77ef5) @srinivasd There is not a way to do that currently

srinivasd (Wed, 31 Oct 2018 16:21:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MaXSHSSBCfSsEx6eZ) @skarim registry.maxenrollments for the admin user

skarim (Wed, 31 Oct 2018 16:22:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=060093e6-f1a2-4128-a836-6b182b52786d) @srinivasd It's not specifically for the admin user, it applies to all identities

waxer (Wed, 31 Oct 2018 16:23:33 GMT):
@skarim , yes.. I tried to change the CN in the CSR and, inspecting the generated ECert, I see that it is overridden by the real CN (I guess it takes it from the authentication). Also, I tried to specify a random OU and I see that the ECert has the OU corresponding to the value that the admin chose when registering the identity. The Country, state, etc. do seem to be chosen by the enrollment configuration file. Is this the way it works?

skarim (Wed, 31 Oct 2018 16:24:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9eAQj4uKxyRHdkdRN) @waxer yes, that is working as intended

srinivasd (Wed, 31 Oct 2018 16:24:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Gd4hDFoctsaAeT9pa) @skarim Ok thanks. While starting the fabric ca server I have to give the registry.maxenrollments option

skarim (Wed, 31 Oct 2018 16:24:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ce9a32c2-c8d0-4a52-aa56-d7c861ed49d1) @srinivasd right

srinivasd (Wed, 31 Oct 2018 16:25:56 GMT):
@skarim Ok. In fabric-ca-server-config.yaml there is a registry key; we can add maxenrollment there instead of giving it at the time of starting the fabric ca server

srinivasd (Wed, 31 Oct 2018 16:31:58 GMT):
@skarim I configured the fabric ca server to use pkcs11. How can I know it is using pkcs11 through a command instead of the logs?

waxer (Wed, 31 Oct 2018 16:35:12 GMT):
@skarim , can the ca-server also generate TLS certificates?

skarim (Wed, 31 Oct 2018 17:04:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9525e25f-caee-47a3-8f2e-9c5347f20dc4) @srinivasd there is no command that will tell you that, you will have to rely on logs

skarim (Wed, 31 Oct 2018 17:05:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qH3ZnnRrTrktxmKny) @waxer yes, by default the CA contains a TLS profile, if you enroll against this profile you will get back a TLS certificate. use the `--enrollment.profile=tls` flag

waxer (Wed, 31 Oct 2018 17:17:00 GMT):
@skarim , ok I ran it. I see that now the certificate in the signcert folder has the 'hosts' defined in the yaml file. Does this mean that this single certificate works for TLS use and also as the cert for the peer in the Fabric network?

waxer (Wed, 31 Oct 2018 17:17:22 GMT):
I mean, is it ok to use the same cert for TLS and for the identity in the Fabric network?

ashutosh_kumar (Wed, 31 Oct 2018 17:21:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4JuyDaLgsiXHPghQ9) @waxer I think so. We do not check for cert usage in the code.

iramiller (Wed, 31 Oct 2018 18:35:55 GMT):
is it possible to use openssl to generate certificates with the `1.2.3.4.5.6.7.8.1` (hlfAttributes) and not mangle them?

iramiller (Wed, 31 Oct 2018 18:37:14 GMT):
I see the output from fabric-ca-client looks like so ...
```
627:d=5 hl=2 l= 95 prim: OCTET STRING :{"attrs":{"hf.Affiliation":"orgname","hf.EnrollmentID":"peer2-orgname","hf.Type":"peer"}}
```
but the closest I get when trying to encode is
```
0:d=0 hl=2 l= 80 prim: OCTET STRING [HEX DUMP]:604E044C7B61747472733A7B68662E416666696C...06565722C68662E547970653A706565727D7D
```

iramiller (Wed, 31 Oct 2018 18:38:10 GMT):
or
```
hlfAttributes: `N.L{attrs:{hf.Affiliation
```
(note the prefix chars for the ASN1 encoding type wrapper)

vdods (Wed, 31 Oct 2018 23:36:30 GMT):
Is there a way to assign hf.XYZ attributes to a user so that they can change their own password but nothing extra (e.g. register users or modify other users' identities)?

vdods (Wed, 31 Oct 2018 23:37:16 GMT):
i'm attempting to have a user modify their own password (using the user's identity as the modifying identity), but I'm getting `Failed to verify if user can act on type 'ld.app.role.user': : scode: 401, local code: 42, local msg: 'user1' is not a registrar, remote code: 20, remote msg: Authorization failure`

vdods (Wed, 31 Oct 2018 23:37:35 GMT):
presumably this should be possible without granting other permissions

vdods (Thu, 01 Nov 2018 00:35:55 GMT):
Also, is there a way to specify that a user is allowed to register users but not modify them? In particular, so that the registrar can't change the new user's password or other attributes.

Jgnuid (Thu, 01 Nov 2018 00:40:11 GMT):
Question: What is the difference between the 'reenroll' command vs the 'enroll' one?

Jgnuid (Thu, 01 Nov 2018 01:02:36 GMT):
Why does reenrolling an identity generate a new private key and not only a new .pem file for the same key as the previous .pem?

srinivasd (Thu, 01 Nov 2018 03:50:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aB5kyWJLRJksHhhCY) @skarim Ok thank you.

AbhinayB (Thu, 01 Nov 2018 04:31:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WFZqkA8W9q8KPHf2X) @skarim Thank you. I will have a look.

ataul443 (Thu, 01 Nov 2018 07:16:41 GMT):
Has joined the channel.

ataul443 (Thu, 01 Nov 2018 07:18:14 GMT):
What should we provide for certfile and keyfile field inside tls?

NareshThumma (Thu, 01 Nov 2018 08:57:30 GMT):
Has joined the channel.

esaygi (Thu, 01 Nov 2018 11:44:03 GMT):
Has joined the channel.

esaygi (Thu, 01 Nov 2018 11:48:07 GMT):
Hello, if I have a Root CA and Intermediate CA running, is there a way (or does it make sense) to revoke and re-issue Intermediate CA certificates?

m.hago (Thu, 01 Nov 2018 12:15:09 GMT):
Has joined the channel.

caveman7 (Thu, 01 Nov 2018 12:18:38 GMT):
@dave.enyeart relating to this feature: https://jira.hyperledger.org/browse/FABC-29 (https://docs.google.com/document/d/13v6rVhw0wcCe5k-P1LqES-O6XlNrVzKitIZYsygcXEQ/edit), how far along are we? is there any way to seamlessly reissue ICA/RCA certificates?

dave.enyeart (Thu, 01 Nov 2018 12:57:01 GMT):
I'll have to defer to the CA experts on that one... @smithbk @skarim

caveman7 (Thu, 01 Nov 2018 13:00:40 GMT):
Okay, 1 more question. It seems to me that if we re-enroll the peer identity and restart the peer (so that it loads the new certs), we need to rejoin the peer to the channels that it was a member of before the re-enrollment. Is this normal behaviour?

ashutosh_kumar (Thu, 01 Nov 2018 13:14:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ndcqt95v6MYfhoyeF) @caveman7 These certs are usually long term, so it is better to create them manually IMO.

smithbk (Thu, 01 Nov 2018 13:37:03 GMT):
@dave.enyeart No progress has been made on https://jira.hyperledger.org/browse/FABC-29 because there was some push back and didn't hear anyone speaking up for its need. Obviously I thought it was important even though infrequent since I wrote the jira.

andrewhw (Thu, 01 Nov 2018 13:48:34 GMT):
Has joined the channel.

iramiller (Thu, 01 Nov 2018 15:08:36 GMT):
It would seem that managing the certificate format of hlfAttribute extensions with openssl is a tough question since there haven't been any replies. It isn't a blocker of course as we can use the fabric-ca-client however I feel like it is important to understand what exactly is going on with these customizations for interoperability purposes.

blakem (Thu, 01 Nov 2018 16:17:49 GMT):
In the fabric-ca sample, there is a shared docker volume called data used to share the needed certs. For a distributed network this wouldn't work. Is there some built-in tool for transferring the certs between nodes, or should I build a custom image with sftp/ftp?

skarim (Thu, 01 Nov 2018 16:24:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PKPyi4ceCQn6SAZz3) @blakem There is no tool that does this transferring, this has been a manual process thus far

blakem (Thu, 01 Nov 2018 16:33:04 GMT):
@skarim thanks for the response. I will look into developing my own solution for this problem then.

skarim (Thu, 01 Nov 2018 16:34:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=N8wzYcyDimozQmAoR) @iramiller I am not really familiar with how you would add this additional extension using OpenSSL, but if you want to see what we have done to get this behavior in go. I would checkout this code: https://github.com/hyperledger/fabric-ca/blob/release-1.3/lib/serverrequestcontext.go#L271

waxer (Thu, 01 Nov 2018 17:30:02 GMT):
@skarim , any idea why I could get 'Password mismatch: crypto/bcrypt: hashedPassword is not the hash of the given password'... I'm using the same user and password for enrolling using fabric-ca-client and I don't have this problem.

waxer (Thu, 01 Nov 2018 18:04:43 GMT):
@skarim, forget it... for some weird reason the Node SDK is assuming the admin credentials are 'admin' / 'adminpw'. Gonna ask in the corresponding channel.

vdods (Thu, 01 Nov 2018 19:27:46 GMT):
Also, is there a way to allow an identity to register identities without then being able to modify those identities? I'm thinking of a "weak admin" type user who can register users but is then unable to do anything further (e.g. change their password). Really what I'm looking for is for the registration and identity-modification actions to be decoupled (also as in the example I gave earlier of a user changing their own password).

waxer (Thu, 01 Nov 2018 20:23:50 GMT):
Question: is there any way to remove identities? I get the message that removing identities isn't enabled by default, but I can't find where in the .yaml I can set the configuration to allow it, since I want to purge identities from testing.

vdods (Thu, 01 Nov 2018 22:03:25 GMT):
@waxer Looks like it is possible: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#removing-an-identity (presumably the "latest" version is 1.2)

vdods (Thu, 01 Nov 2018 22:04:12 GMT):
Question: what is the most straightforward way to get the hf.* attribute values from an X.509 cert in Go? e.g. hf.Type and so forth

caveman7 (Thu, 01 Nov 2018 22:59:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2z9zRXW8EsWMs8pr6) @vdods check this out: https://github.com/hyperledger/fabric/tree/master/core/chaincode/lib/cid

caveman7 (Thu, 01 Nov 2018 23:02:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7wKTkRdh48Nhq2zfv) @waxer check this out: https://jira.hyperledger.org/browse/FABC-503

vdods (Fri, 02 Nov 2018 00:06:31 GMT):
@caveman7 Good tip, thanks!

waxer (Fri, 02 Nov 2018 00:29:32 GMT):
@caveman7 thanks, I'll try the flags when starting the server. And also great info about the CID interface, very useful.

mhs22 (Fri, 02 Nov 2018 05:46:44 GMT):
Has joined the channel.

hyper-sunder (Fri, 02 Nov 2018 06:21:13 GMT):
Has joined the channel.

smithbk (Fri, 02 Nov 2018 11:40:59 GMT):
@caveman7 @vdods The following is the new location of the cid library, which also works appropriately for idemix identities: https://github.com/hyperledger/fabric/tree/master/core/chaincode/shim/ext/cid The other will be deprecated and removed in the future.

srinivasd (Sat, 03 Nov 2018 13:53:42 GMT):
@skarim Hi, what is the importance of `registry` in fabric-ca-server-config.yaml? I started the fabric-ca-server as `fabric-ca-server start -b admin:adminpw`. Even if I change the name in registry.identities to `ad` and the pass to `adminpw`, where will it take effect? Thanks in advance

vdods (Sun, 04 Nov 2018 07:23:39 GMT):
Is there any way to log out an identity without revoking its cert? Basically so that fabric-ca-server can record that the cert's validity should be considered over, and where presumably that fact can be checked via fabric-ca-client somehow?

vdods (Sun, 04 Nov 2018 07:24:59 GMT):
I'm thinking of ordinary logout, but also the case where a user's ECert-attribute-based permissions are decreased and the user has no incentive to log out and back in: to log them out involuntarily and require them to log back in to get the updated credential.

mevir (Sun, 04 Nov 2018 10:09:05 GMT):
Has joined the channel.

Sreesha (Mon, 05 Nov 2018 09:19:26 GMT):
Idemix

Sreesha (Mon, 05 Nov 2018 09:21:22 GMT):
Do we have an Idemix implementation for the Node SDK?

skarim (Mon, 05 Nov 2018 14:29:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FaJf27qYWF5HMXCBf) @srinivasd The identities in the `registry` section are identities that will be registered when you start up the server. It will only add identities; you can't modify or delete existing identities using this section. Please use the `identities` command for that.

skarim (Mon, 05 Nov 2018 14:29:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=foccFmBmeKp7wLDP7) @vdods There is currently no logout mechanism in place.

skarim (Mon, 05 Nov 2018 14:30:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GsE3Cpin8u5KoNvbG) @Sreesha I don't believe there is one currently; you can ask in the #fabric-sdk-node channel for more details on the status of the implementation.

awes0menessInc (Tue, 06 Nov 2018 03:35:39 GMT):
Has joined the channel.

yulong12 (Tue, 06 Nov 2018 05:53:38 GMT):
Hi everyone. I use the TLS certs generated by fabric-ca to create a channel, but it failed. My steps are:
```
fabric-ca-server start -b admin:adminpw
fabric-ca-server start -b admin:adminpw --tls.enabled=true
fabric-ca-client enroll --enrollment.profile tls -u http://admin:adminpw@localhost:7054
```

mastersingh24 (Tue, 06 Nov 2018 12:55:21 GMT):
@yulong12 - what failed? What's the error?

waxer (Tue, 06 Nov 2018 14:03:54 GMT):
Question: for some reason I get the error 'CA xxxx doesn't exist', which I can fix by setting the environment variable FABRIC_CA_SERVER_CA_NAME. But does anyone know what the attribute is to set this in the .yaml?

waxer (Tue, 06 Nov 2018 14:05:03 GMT):
There is a 'name' under the 'tls' section but it doesn't seem to work for this.

skarim (Tue, 06 Nov 2018 16:22:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LwQDucRdtGt73n5Bf) @waxer In the server's yaml file, you should see a section like this:
```
#############################################################################
# The CA section contains information related to the Certificate Authority
# including the name of the CA, which should be unique for all members
# of a blockchain network. It also includes the key and certificate files
# used when issuing enrollment certificates (ECerts) and transaction
# certificates (TCerts).
# The chainfile (if it exists) contains the certificate chain which
# should be trusted for this CA, where the 1st in the chain is always the
# root CA certificate.
#############################################################################
ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:
```
You can set the CA name here.

waxer (Tue, 06 Nov 2018 16:26:10 GMT):
@skarim, thanks... somehow the 'ca:' line was deleted, that's why it was 'under' the 'tls' hierarchy hehe

satyajitdeshmukh (Tue, 06 Nov 2018 19:36:09 GMT):
Has joined the channel.

yulong12 (Wed, 07 Nov 2018 02:39:42 GMT):
@mastersingh24
```
+ peer channel create -o orderer.example.com:7050 -c mychannel -f ./channel-artifacts/channel.tx --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
Creating channel...
+ res=1
+ set +x
Error: failed to create deliver client: orderer client failed to connect to orderer.example.com:7050: failed to create new connection: context deadline exceeded
!!!!!!!!!!!!!!! Channel creation failed !!!!!!!!!!!!!!!!
```

fupeng (Wed, 07 Nov 2018 04:22:11 GMT):
Has joined the channel.

jaguarg (Wed, 07 Nov 2018 10:09:35 GMT):
Hello, I have a question regarding the PKI infrastructure. I need to do some encryption (off-chain) and would like to leverage the HLF public/private keys to encrypt the data.

jaguarg (Wed, 07 Nov 2018 10:10:09 GMT):
But I need a way to make public keys available to all parties. Is there a way to achieve that with HLF?

enriquebusti (Wed, 07 Nov 2018 12:00:47 GMT):
Has joined the channel.

MohammadObaid (Wed, 07 Nov 2018 15:16:05 GMT):
Hi @skarim. I have two questions related to MSP. Question 1: the `admincerts` folder contains certificates of all admin peers and should be mounted in all peers of an organization, and the `signcerts` folder contains only the relevant peer certificate, right? Question 2: if an organization revokes the certificate of any peer, then the `crls` folder should only be present in the local MSP directory of all peers of that specific organization and not in the channel-level MSP, right?

skarim (Wed, 07 Nov 2018 18:38:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Tuhq8pXpNu4AWtK4u) @MohammadObaid Q1: Yes. Q2: The CRL needs to be updated in the peer local MSP and channel MSPs.

mshirman (Wed, 07 Nov 2018 21:35:37 GMT):
Has joined the channel.

Skprog (Thu, 08 Nov 2018 06:30:23 GMT):
Has joined the channel.

MohammadObaid (Thu, 08 Nov 2018 07:33:04 GMT):
:thumbsup:

kisna (Thu, 08 Nov 2018 07:45:23 GMT):
Has joined the channel.

kisna (Thu, 08 Nov 2018 07:46:30 GMT):
Hello, running my custom e2e cluster test fails when I change the affiliations. Why are we hardcoding affiliations, how do I change them, and what do they mean in the e2e test? What is `code: 404, code: 63, msg: Failed to get Affiliation`? If I change it to the MSP org, it keeps failing with "failed to get affiliation". In `RegistrationRequest(user.getName(), "org1.department1")`, what is this department and org that is already set?
```
2018/11/08 07:42:08 [DEBUG] Registered identity: { Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:-1 Attrs:map[hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1 hf.Registrar.Roles:* hf.Registrar.DelegateRoles:* hf.Revoker:1] }
2018/11/08 07:42:08 [DEBUG] Successfully loaded identity table
2018/11/08 07:42:08 [DEBUG] Loading affiliations table
2018/11/08 07:42:08 [DEBUG] DB: Add affiliation org2
2018/11/08 07:42:08 [DEBUG] Affiliation 'org2' added
2018/11/08 07:42:08 [DEBUG] DB: Add affiliation org2.department1
2018/11/08 07:42:08 [DEBUG] Affiliation 'org2.department1' added
2018/11/08 07:42:08 [DEBUG] DB: Add affiliation org1
2018/11/08 07:42:08 [DEBUG] Affiliation 'org1' added
2018/11/08 07:42:08 [DEBUG] DB: Add affiliation org1.department1
2018/11/08 07:42:08 [DEBUG] Affiliation 'org1.department1' added
2018/11/08 07:42:08 [DEBUG] DB: Add affiliation org1.department2
2018/11/08 07:42:08 [DEBUG] Affiliation 'org1.department2' added
```

kisna (Thu, 08 Nov 2018 07:51:08 GMT):
Also, when I register a user, ONLY some user registrations in some tests fail with a `2018/11/08 07:44:00 http: TLS handshake error from 172.20.0.1:37460: tls: oversized record received with length 21536`. Aah, never mind, TLS was not enabled; thanks for the cryptic errors ;)

srinivasd (Thu, 08 Nov 2018 11:03:31 GMT):
Hi All, I have enabled Fabric CA with PKCS11 using SoftHSM. When I used a PIN with value `05964562` starting with 0 (zero), fabric-ca-server did not start successfully, throwing an error `Login failed [pkcs11: 0xA0: CKR_PIN_INCORRECT]`. Any help on this? Thanks in advance.

VenkatThota (Thu, 08 Nov 2018 11:07:51 GMT):
Has joined the channel.

halilkalkan (Thu, 08 Nov 2018 12:33:40 GMT):
How can we implement attribute-based access control for users with idemix credentials? I don't think the cid library is capable of doing this.

skarim (Thu, 08 Nov 2018 14:19:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SLiG2LvMLoMdSgeAj) @kisna If you want to use an affiliation that the server is not bootstrapped with, then you must add the affiliation; there is an affiliation command on the client that lets you add custom affiliations, which you can then use to register identities. The other option is to bootstrap the server with the affiliations that you know you will need to register users.

skarim (Thu, 08 Nov 2018 14:21:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HoZ6outhhpcdmso6C) @halilkalkan Currently idemix credentials only expose two attributes: 'role' and 'ou'. You can use the same get-attribute-value function from the cid library to get these two attributes. There is no support for custom attributes yet with idemix.

ashutosh_kumar (Thu, 08 Nov 2018 14:36:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NXY9KC5T3CvBhJEgz) @srinivasd I do not think a PIN starting with zero should throw an error. The log says the PIN for the slot and the PIN that you are using in the yaml file do not match.

srinivasd (Thu, 08 Nov 2018 14:38:17 GMT):
@ashutosh_kumar Thanks, I placed the PIN correctly in the config file. When I replace `zero` with `one`, it works.

ashutosh_kumar (Thu, 08 Nov 2018 14:43:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6ALvke7PaN5pEzQae) @srinivasd ok. I did not know that. Thanks for pointing it out. I'll have a look.

srinivasd (Thu, 08 Nov 2018 15:09:48 GMT):
@ashutosh_kumar This is the error in the log file:
```
2018/11/08 15:08:36 [INFO] Configuration file location: /etc/fabric-ca-server/fabric-ca-server-config.yaml
2018/11/08 15:08:36 [INFO] Starting server in home directory: /etc/fabric-ca-server
2018/11/08 15:08:36 [INFO] Server Version: 1.3.1-snapshot-4f6586e
2018/11/08 15:08:36 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
Error: Failed to initialize BCCSP Factories: Failed initializing PKCS11.BCCSP %!s(): Could not initialize BCCSP PKCS11 [Failed initializing PKCS11 library /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so FabTok: Login failed [pkcs11: 0xA0: CKR_PIN_INCORRECT]] Could not find default `PKCS11` BCCSP
```

srinivasd (Thu, 08 Nov 2018 15:22:21 GMT):
@ashutosh_kumar, I used it like this, `Pin: "02596456"`, in the CA config file and then fabric-ca started successfully. Is it the correct way? Thanks in advance

ashutosh_kumar (Thu, 08 Nov 2018 16:10:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZrsBWKbp6A2iYR5st) @srinivasd That is correct. The PIN is taken as a string.

halilkalkan (Fri, 09 Nov 2018 05:41:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EG7AfAeACSuwdzDfE) Skarim thank you for your answer. So we cannot implement a case like a user logs in to our system and only views his assets? I think this kind of scenario can be implemented with the cid library, but if we cannot get the user's enrollment ID or another unique identifier we won't be able to distinguish him?

yulong12 (Fri, 09 Nov 2018 07:38:21 GMT):
Hi, I use fabric-ca to generate TLS certs, but when I create a channel this error appears:
```
Error: failed to create deliver client: orderer client failed to connect to orderer.example.com:7050: failed to create new connection: context deadline exceeded
```

yulong12 (Fri, 09 Nov 2018 07:38:51 GMT):
Can someone help me?

yulong12 (Fri, 09 Nov 2018 07:40:12 GMT):
I use this command to generate TLS certs:
```
export FABRIC_CA_CLIENT_HOME=$HOME/Documents/GOPATH/src/github.com/hyperledger/TextFabricCA/first-network/ca_org1/ca_org1_client/peer1
fabric-ca-client enroll -d --enrollment.profile tls -u http://peer1:peer1pw@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/tls
```

AlexanderZhovnuvaty (Fri, 09 Nov 2018 08:20:27 GMT):
Has left the channel.

vtech (Fri, 09 Nov 2018 12:15:21 GMT):
Hi, I am getting the below error while executing the e2e_cli. Did anybody else encounter this error?
```
2018-11-05 07:37:40.450 UTC [msp] setupSigningIdentity -> DEBU 035 Signing identity expires at 2028-11-02 07:29:20 +0000 UTC
2018-11-05 07:37:40.450 UTC [msp] Validate -> DEBU 036 MSP OrdererMSP validating identity
2018-11-05 07:37:40.451 UTC [msp] GetDefaultSigningIdentity -> DEBU 037 Obtaining default signing identity
2018-11-05 07:37:40.451 UTC [grpc] DialContext -> DEBU 038 parsed scheme: ""
2018-11-05 07:37:40.451 UTC [grpc] DialContext -> DEBU 039 scheme "" not registered, fallback to default scheme
2018-11-05 07:37:40.451 UTC [grpc] watcher -> DEBU 03a ccResolverWrapper: sending new addresses to cc: [{orderer.example.com:7050 0 }]
2018-11-05 07:37:40.451 UTC [grpc] switchBalancer -> DEBU 03b ClientConn switching balancer to "pick_first"
2018-11-05 07:37:40.451 UTC [grpc] HandleSubConnStateChange -> DEBU 03c pickfirstBalancer: HandleSubConnStateChange: 0xc42039d270, CONNECTING
2018-11-05 07:37:40.456 UTC [grpc] createTransport -> DEBU 03d grpc: addrConn.createTransport failed to connect to {orderer.example.com:7050 0 }. Err :connection error: desc = "transport: Error while dialing dial tcp: lookup orderer.example.com on 127.0.0.11:53: no such host". Reconnecting...
2018-11-05 07:37:40.456 UTC [grpc] HandleSubConnStateChange -> DEBU 03e pickfirstBalancer: HandleSubConnStateChange: 0xc42039d270, TRANSIENT_FAILURE
2018-11-05 07:37:41.452 UTC [grpc] HandleSubConnStateChange -> DEBU 03f pickfirstBalancer: HandleSubConnStateChange: 0xc42039d270, CONNECTING
2018-11-05 07:37:41.455 UTC [grpc] createTransport -> DEBU 040 grpc: addrConn.createTransport failed to connect to {orderer.example.com:7050 0 }. Err :connection error: desc = "transport: Error while dialing dial tcp: lookup orderer.example.com on 127.0.0.11:53: no such host". Reconnecting...
2018-11-05 07:37:41.455 UTC [grpc] HandleSubConnStateChange -> DEBU 041 pickfirstBalancer: HandleSubConnStateChange: 0xc42039d270, TRANSIENT_FAILURE
2018-11-05 07:37:43.366 UTC [grpc] HandleSubConnStateChange -> DEBU 042 pickfirstBalancer: HandleSubConnStateChange: 0xc42039d270, CONNECTING
2018-11-05 07:37:43.370 UTC [grpc] createTransport -> DEBU 043 grpc: addrConn.createTransport failed to connect to {orderer.example.com:7050 0 }. Err :connection error: desc = "transport: Error while dialing dial tcp: lookup orderer.example.com on 127.0.0.11:53: no such host". Reconnecting...
2018-11-05 07:37:43.370 UTC [grpc] HandleSubConnStateChange -> DEBU 044 pickfirstBalancer: HandleSubConnStateChange: 0xc42039d270, TRANSIENT_FAILURE
Error: failed to create deliver client: orderer client failed to connect to orderer.example.com:7050: failed to create new connection: context deadline exceeded
!!!!!!!!!!!!!!! Ordering Service is not available, Please try again ... !!!!!!!!!!!!!!!!
================== ERROR !!! FAILED to execute End-2-End Scenario ==================
```

edoardo_bdf (Fri, 09 Nov 2018 18:00:37 GMT):
Has joined the channel.

skarim (Fri, 09 Nov 2018 18:08:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YsxEChqiLEP98LCH3) @halilkalkan Right, at the moment that capability is limited with idemix. But going forward, when there is support for dynamic attributes, this should be possible.

skarim (Fri, 09 Nov 2018 18:09:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=p9imy73hFS985LYGx) @yulong12 can you provide logs with debug enabled? It's not clear what is happening before you see this error.

skarim (Fri, 09 Nov 2018 18:10:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DgtBjqm4QGe78PgnL) @vtech Seems like your orderer is not running; can you check your orderer logs and see if it encountered an error?

halilkalkan (Fri, 09 Nov 2018 18:32:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zFzvr3id7d6WXRmKr) @skarim Thank you Skarim for your answers.

vtech (Mon, 12 Nov 2018 04:41:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wGFeFSQ7LgSLaXtKu) @skarim Orderer is not up, and when I check the logs it says:
```
docker logs 94775c5690bc
orderer: error while loading shared libraries: libltdl.so.7: cannot open shared object file: No such file or directory
```

sayan.hlf (Mon, 12 Nov 2018 05:07:49 GMT):
Has joined the channel.

sayan.hlf (Mon, 12 Nov 2018 05:08:17 GMT):
I have two questions: 1. Why shouldn't we use the cryptogen tool for production and instead use fabric-ca? 2. How do I provide multiple csr.hosts during enrollment? (Providing hosts in the below way doesn't work)
```
fabric-ca-client enroll -d --enrollment.profile tls -u $ENROLLMENT_URL -M /tmp/tls --csr.hosts *host1.compute-1.amazonaws.com* *host2.compute-1.amazonaws.com
```

vtech (Mon, 12 Nov 2018 06:38:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wGFeFSQ7LgSLaXtKu) @skarim Orderer exited with the below logs:
```
2018-11-12 06:23:48.051 UTC [orderer/common/server] Main -> ERRO 001 failed to parse config: Error unmarshaling config into struct: 2 error(s) decoding:
* 'General' has invalid keys: Cluster
* 'General.BCCSP.PKCS11' has invalid keys: SensitiveKeys
```

MuhammedHafil (Mon, 12 Nov 2018 06:49:19 GMT):
Has joined the channel.

MuhammedHafil (Mon, 12 Nov 2018 07:02:37 GMT):
Can anybody tell me how to fix this error with fabric-ca and the Node SDK?
```
Failed to register: Error: fabric-ca request register failed with errors [[{"code":0,"message":"Registration of 'user2' failed in affiliation validation: Failed getting affiliation 'myorgmsp.department1': : scode: 404, code: 63, msg: Failed to get Affiliation: sql: no rows in result set"}]]
```

MuhammedHafil (Mon, 12 Nov 2018 08:12:34 GMT):
I'm getting `failed TypeError: Cannot read property 'curve' of undefined` when calling `let adminUserObj = await client.setUserContext({username: admins[0].username, password: admins[0].secret})`

yulong12 (Mon, 12 Nov 2018 09:29:02 GMT):
Hi everyone, who can help me with https://stackoverflow.com/questions/53259208/using-tls-cert-and-create-channel-failed ?

yulong12 (Mon, 12 Nov 2018 09:29:14 GMT):
thank you very much

knagware9 (Mon, 12 Nov 2018 09:44:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tcNhMzvQdpRBqL5go) @yulong12 it's just a timeout error

knagware9 (Mon, 12 Nov 2018 09:44:51 GMT):
orderer client failed to connect to orderer.example.com:7050: failed to create new connection: context deadline exceeded

vtech (Mon, 12 Nov 2018 12:55:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xyqpmesz5TRxNFsXg) Orderer was running fine after removing the above keys, but can somebody please explain the uses of 'Cluster' & 'SensitiveKeys', or point me to any reference document I can go through?

maozhuzi (Mon, 12 Nov 2018 13:46:25 GMT):
Has joined the channel.

ashutosh_kumar (Mon, 12 Nov 2018 15:34:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ShYTubgtBWqRL3dF4) @vtech SensitiveKeys is not being used any more.

vtech (Mon, 12 Nov 2018 17:00:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=48fmFkPkZtprecd8w) @ashutosh_kumar How about Cluster?

ashutosh_kumar (Mon, 12 Nov 2018 17:03:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jhbJDZmTx5zLLtWfp) @vtech I do not know about cluster first hand. I might explore.

yulong12 (Tue, 13 Nov 2018 02:00:59 GMT):
@knagware9 Hi, I have tried it several times, but it shows the same errors

AndresMartinezMelgar.itcl (Tue, 13 Nov 2018 07:26:06 GMT):
Has joined the channel.

gravity (Tue, 13 Nov 2018 11:13:37 GMT):
Hi all, is it necessary to generate a CRL when a certificate is revoked?

knagware9 (Tue, 13 Nov 2018 13:33:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=T9zqRuzuKi6NboMcF) @yulong12 ok.. seems like a certificate error: `TLS handshake failed with error remote error: tls: bad certificate {"server": "PeerServer", "remote address": "172.18.0.7:50770"}`

skarim (Tue, 13 Nov 2018 14:14:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qHAvv4AGZbTBKCSNo) @gravity Yes, for that certificate to become invalid on the Fabric network, the CRL must be generated and pushed to all local peer MSPs and channel MSPs as well.

gravity (Tue, 13 Nov 2018 14:28:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pDmPJvcrFGM2fD6sc) @skarim I'm looking at the Java SDK and there are several methods to revoke a certificate, and some of them contain a boolean parameter that indicates whether to generate a CRL or not, and some methods have the value `false` for this parameter (meaning do not generate a CRL). Even when I call this method, a certificate is revoked, because I'm getting the authentication error when trying to use it.

skarim (Tue, 13 Nov 2018 14:29:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XNo7uojLL2kWXo4Mw) @gravity It is revoked on that CA server, but the certificate would still be considered valid on the peer until the CRL is updated.

gravity (Tue, 13 Nov 2018 14:34:38 GMT):
@skarim ok, thanks

megafyk (Tue, 13 Nov 2018 15:16:14 GMT):
Has joined the channel.

ShefaliMittal (Wed, 14 Nov 2018 04:49:30 GMT):
Hi, I am using MySQL with fabric-ca. It works fine when I start the network the first time. But when I restart the network and try to register the same user again, it says the user is already registered with fabric-ca. I understand that somewhere the MySQL data is not being cleared out, but I'm not sure how to do that. Can anyone please help me with that?

vtech (Wed, 14 Nov 2018 06:19:27 GMT):
Hi All,

bh4rtp (Wed, 14 Nov 2018 06:40:05 GMT):
hi all, can i specify bccsp to use the sha3 hash algorithm instead of the default sha2?

AndresMartinezMelgar.itcl (Wed, 14 Nov 2018 10:20:02 GMT):
One question: when you download the docker images with the hyperledger fabric repository, there is one called fabric-ca. On the other hand there is a hyperledger/fabric-ca repository on github. My question is: are they the same? I am following the guide https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html

skarim (Wed, 14 Nov 2018 14:23:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ecorfBjmxS7euJFs3) @ShefaliMittal Restarting the server will not purge the data in the database. If you want to have a fresh start you must manually delete the database before starting the server.

dave.enyeart (Wed, 14 Nov 2018 15:50:01 GMT):
@AndresMartinezMelgar.itcl yes they are the same. github has the source code, and dockerhub has a docker image per release.

ashutosh_kumar (Wed, 14 Nov 2018 18:36:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2P8Y6bRDPuvjxsXDh) @bh4rtp sha3 as hash algorithm is supported.

ashutosh_kumar (Wed, 14 Nov 2018 18:40:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MRD6xTKbT8fKQFu3Q) @vtech hard to replicate your problem, but it looks like your libsofthsm2 cannot be loaded into fabric.

ashutosh_kumar (Wed, 14 Nov 2018 18:41:38 GMT):
The error is being thrown when fabric is trying to load your softhsm lib.

bh4rtp (Thu, 15 Nov 2018 03:34:39 GMT):
@ashutosh_kumar awesome, how can i activate sha3 hash algorithm for fabric?

ShefaliMittal (Thu, 15 Nov 2018 04:09:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Pp2maqx8zysuD894t) @skarim thank you. I somehow was not getting the location of the database. But I do get it now. :)

MuthuT (Thu, 15 Nov 2018 05:14:37 GMT):
Has joined the channel.

vtech (Thu, 15 Nov 2018 05:36:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=snE6JSESmCWpdnQpA) @ashutosh_kumar Any other pointers on this or any other reference for integrating with Hyperledger Fabric ?

AndresMartinezMelgar.itcl (Thu, 15 Nov 2018 07:06:56 GMT):
@dave.enyeart THANKS! It was driving me crazy with this nonsense

Paradox-AT (Thu, 15 Nov 2018 11:47:09 GMT):
Hello guys, I am trying to initialize fabric-ca following its [user guide](https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#fabric-ca-server) using [this](https://pastebin.com/aZfsvYYp) config file, but when executing the following command: `fabric-ca-server init --cafiles fabric-ca-server-config.yaml` I am getting the following error:
```
2018/11/12 22:59:45 [DEBUG] Intializing nonce manager for issuer 'undercroft'
2018/11/12 22:59:45 [DEBUG] Closing server DBs
2018/11/12 22:59:45 [FATAL] Initialization failure: CA name 'undercroft' is used in '/home/paradox/hyperledger/fabric/undercroft/fabric-ca/server/fabric-ca-server-config.yaml' and '/home/paradox/hyperledger/fabric/undercroft/fabric-ca/server/fabric-ca-server-config.yaml'
```
While I am getting this error with the config file, if I use the command line flags of fabric-ca-server I am able to initialize and launch the server successfully. [This](https://pastebin.com/VnpzA7VE) is the full error log.

ashutosh_kumar (Thu, 15 Nov 2018 14:03:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9xNZzPmrsyWanTjKu) @vtech To me, it seems like an environment issue. One thing you might try is to put all HSM parameters in the yaml file as strings and see if that works.

gravity (Thu, 15 Nov 2018 14:03:17 GMT):
Is it possible to have several admins (who are allowed to create channels and join peers to channels)?

ashutosh_kumar (Thu, 15 Nov 2018 14:20:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oSvceq9EvaBb9AWvu) @bh4rtp your yaml file will look like this:
```
BCCSP:
    default: PKCS11
    SW:
        Hash: SHA3
        Security: 256
    PKCS11:
        Hash: SHA3
        Security: 256
```

ashutosh_kumar (Thu, 15 Nov 2018 14:20:47 GMT):
you can set SHA 384 by changing Security field from 256 to 384.

skarim (Thu, 15 Nov 2018 14:32:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Y8XGoWGv5EBaxeK3M) @Paradox-AT The `--cafiles` is for starting multiple CAs in a single server process. If you are just trying to start up a single CA you need to use the `-H` flag to specify your home directory and place your `fabric-ca-server-config.yaml` file in your home directory.

vtech (Thu, 15 Nov 2018 17:16:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bMFo5me7cvEPHN8BF) @ashutosh_kumar Do you mean orderer.yaml? I have the orderer configured like this...
```
BCCSP:
    Default: PKCS11
    PKCS11:
        Library: /usr/local/lib/softhsm/libsofthsm2.so
        Pin: pwd123
        Label: orderer.example.com
        Hash: SHA2
        Security: 256
        SoftwareVerify: true
```

ashutosh_kumar (Thu, 15 Nov 2018 17:38:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5xBsfiyB9FZnygHyC) @vtech it should be like Pin : "pwd123"

blakem (Thu, 15 Nov 2018 18:16:41 GMT):
For the command `fabric-ca-client getcacert`, how does one go about getting a chain-cert in addition to the root cert and the ica-cert? Currently I am just getting the root cert and ica cert, but need the chain cert for other things. I am running a command like
```
#fabric-ca-client getcacert -u http://$BOOSTRAP_USER_PASS@$CA_HOST:$ENROLL_PORT -M $ORG_MSP_DIR
```
I greatly appreciate any and all help

h4995974 (Thu, 15 Nov 2018 22:02:52 GMT):
Has joined the channel.

h4995974 (Thu, 15 Nov 2018 22:02:54 GMT):
Hello everyone. We're receiving the following error when trying to spin up peers inside kubernetes pods. `2018-11-15 21:52:25.172 UTC [gossip/gossip] handleMessage -> WARN 01f Message GossipMessage: tag:EMPTY alive_msg: timestamp: > , Envelope: 83 bytes, Signature: 70 bytes Secret payload: 16 bytes, Secret Signature: 71 bytes isn't valid` Any ideas?

bh4rtp (Fri, 16 Nov 2018 02:57:34 GMT):
@ashutosh_kumar do you mean the yaml file `fabric-ca-server-config.yaml`?

ashutosh_kumar (Fri, 16 Nov 2018 02:59:36 GMT):
yes.

bh4rtp (Fri, 16 Nov 2018 03:00:20 GMT):
thanks. it is most helpful.

vtech (Fri, 16 Nov 2018 04:03:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=S2MyDaLNKtoc3mJG3) @ashutosh_kumar The error remains the same even after changing the pin to `Pin : "pwd123"`

bh4rtp (Fri, 16 Nov 2018 06:04:58 GMT):
@ashutosh_kumar i cannot find `libsofthsm2.so` in `fabric-ca` container. i am using release-1.3.

bh4rtp (Fri, 16 Nov 2018 06:13:44 GMT):
do i need to install `github.com/miekg/pkcs11` on the host manually?

Paradox-AT (Fri, 16 Nov 2018 08:02:02 GMT):
@skarim Ohh, so isn't there any way to organize all config files in a single place then :(

Paradox-AT (Fri, 16 Nov 2018 08:03:11 GMT):
@skarim Ooh thanks I didn't know that XD

bh4rtp (Fri, 16 Nov 2018 09:03:25 GMT):
@ashutosh_kumar i installed `softhsm2` in the `fabric-ca` container and ran `softhsm2-util --init-token --slot 0 --label ForFabric --pin 98765432`. i configured `fabric-ca-server-config.yaml` as:
```
bccsp:
    default: PKCS11
    pkcs11:
        Library: /usr/local/x86_64-linux-gnu/softhsm2/libsofthsm2.so
        Pin: 98765432
        Label: ForFabric
        hash: SHA2
        security: 256
        filekeystore:
            # The directory used for the software file-based keystore
            keystore: msp/keystore
```
the `fabric-ca` containers exit with these messages:
```
2018/11/16 16:47:46 [DEBUG] CA Home Directory: /etc/hyperledger/fabric-ca-server
2018/11/16 16:47:46 [DEBUG] Checking configuration file version '1.2.0' against server version: '1.3.1-snapshot-4f6586e'
2018/11/16 16:47:46 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts: PluginOpts:}
2018/11/16 16:47:46 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: %!s() Could not find default `PKCS11` BCCSP
```

ashutosh_kumar (Fri, 16 Nov 2018 13:43:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nuFaorRHfYzLJgAZQ) @bh4rtp Can you get latest fabric ca and run your test again ?

ashutosh_kumar (Fri, 16 Nov 2018 13:49:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7zh2444CijvThpnZv) can you change `bccsp` to `BCCSP` and see if it works? Your PKCS options from the YAML are not getting populated.

neha.sharma (Fri, 16 Nov 2018 14:33:48 GMT):
Has joined the channel.

blakem (Fri, 16 Nov 2018 18:42:50 GMT):
For the command `fabric-ca-client getcacert`, how does one go about getting a chain-cert in addition to the root cert and the ica-cert? Currently I am just getting the root cert and ica cert, but need the chain cert for other things. I am running a command like
```
fabric-ca-client getcacert -u http://$BOOSTRAP_USER_PASS@$CA_HOST:$ENROLL_PORT -M $ORG_MSP_DIR
```
I greatly appreciate any and all help

skarim (Fri, 16 Nov 2018 19:38:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Buos7XT84b2RHCigT) @blakem Are you looking for a chain file that contains both the root and intermediate certificate? You will have a chain file that contains all intermediate servers in the chain, but not one that contains all intermediate and the root certificate. If you only have one intermediate ca then you will only have one certificate in there

blakem (Fri, 16 Nov 2018 21:20:16 GMT):
@skarim I am looking for a chain file that contains both the root and intermediate cert. I am currently taking the fabric-ca sample and trying to distribute it. When it runs on one host, they use a shared volume called data and that is how certs are transferred for bringing up the network. The chain certs in that example contain both the root and the intermediate certs in one chain file. Currently, using "fabric-ca-client getcacert" I am getting both the root and intermediate cert, but not in the form of a chain cert, which I am fairly certain what I need.

BellaAdams (Sat, 17 Nov 2018 00:45:32 GMT):
Has joined the channel.

bh4rtp (Sat, 17 Nov 2018 02:07:21 GMT):
@ashutosh_kumar thanks. i will test as you said.

bh4rtp (Sat, 17 Nov 2018 06:52:14 GMT):
@ashutosh_kumar i switched to use latest master branch fabric-ca. and the issue remains using both fabric-ca-server-config.yaml file and environment variables configuration of bccsp.

Buckley404 (Sat, 17 Nov 2018 13:33:32 GMT):
After swapping the tls certs that were made with cryptogen with new certs I am getting the following when trying to create a channel: Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/msp/users/Admin@Org1.com/msp: CA Certificate did not have the Subject Key Identifier extension, (SN: 138989687027704726609965297904848867332008936010)

Buckley404 (Sat, 17 Nov 2018 13:34:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=j9gCFb6FbAeD2ANqE) I assume I missed a file I was also meant to update, I'm just not sure which one. I'd be very grateful for help.

bh4rtp (Sun, 18 Nov 2018 07:55:38 GMT):
@ashutosh_kumar running `fabric-ca-server` on local host is ok, but in the `fabric-ca` container it will fail. i noticed that in the container condition, configurebccspnopkcs11.go is used to process the yaml file. the `fabric-ca` image is created by `FABRIC_CA_DYNAMIC_LINK=true make docker`. for the same fabric-ca-server-config.yaml file, `fabric-ca-server` on local host prints: `2018/11/18 16:37:10 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:0xc0001db920 PluginOpts: Pkcs11Opts:0xc0000fa380}`. however, in the container, it prints `2018/11/18 17:08:19 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:0xc000184210 PluginOpts:}`. the `Pkcs11Opts` can not be parsed in the `fabric-ca` container. why?

bh4rtp (Sun, 18 Nov 2018 07:55:38 GMT):
@ashutosh_kumar solved. `orderer.yaml` and `core.yaml` were not configured with pkcs11, and bccsp was then revendored to be nopkcs11.

maksimfedin (Sun, 18 Nov 2018 10:51:26 GMT):
hi everyone, could you tell me how I can grant an attribute to an admin by default in fabric-ca-server-config.yaml? Using hf.Registrar.Attributes: "*" I'm able to register users with any attributes, however the admin doesn't have them by default. Hence, I'm not able to invoke/query functions with an admin which have CID checks for the existence of a particular attribute, but I'm able to do it using the new user, which I register with those attributes

gyeben (Sun, 18 Nov 2018 11:44:17 GMT):
Has joined the channel.

bh4rtp (Mon, 19 Nov 2018 08:16:31 GMT):
why does `CMD fabric-ca-server start -b admin:adminpw` need to run at the end of `fabric-ca/images/fabric-ca/Dockerfile.in`? i think it is of no use during building the docker image because we will specify this command for the fabric-ca containers in the docker-compose.yaml file.

AndresMartinezMelgar.itcl (Mon, 19 Nov 2018 10:45:18 GMT):
Hi, I have a question about CA. If channels and peers have a CA, I imagine that users also have it (people who interact with the application). Where is this information stored?

jarvis26 (Mon, 19 Nov 2018 11:16:29 GMT):
Hi...I was trying to set up a shared ordering service..came across this:
```
Although this is possible, it is a highly discouraged configuration. By default the /Channel/Orderer/BlockValidation policy allows any valid certificate of the ordering organizations to sign blocks. If an organization is acting both in an ordering and application role, then this policy should be updated to restrict block signers to the subset of certificates authorized for ordering
```
which explains why it is not a good design to share ordering service ownership. [https://hyperledger-fabric.readthedocs.io/en/release-1.1/ordering-service-faq.html]. Could anybody please elaborate on why and how the block signers should be restricted to the subset of certificates authorized for ordering, and what the caveats are if you don't restrict this? Thanks in advance

skarim (Mon, 19 Nov 2018 15:51:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bY6uAcYuadvokoGLm) @maksimfedin You'll have to register the admin with the attributes that it needs to be able to execute the chaincode. If you are using the default config file the bootstrap admin user should have all attributes. You should configure your config file to look like this for the admin user:
```
identities:
  - name: a
    pass: b
    type: client
    affiliation: ""
    attrs:
      hf.Registrar.Roles: "*"
      hf.Registrar.DelegateRoles: "*"
      hf.Revoker: true
      hf.IntermediateCA: true
      hf.GenCRL: true
      hf.Registrar.Attributes: "*"
      hf.AffiliationMgr: true
```

skarim (Mon, 19 Nov 2018 15:52:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8wmbWLSxuXZuxYCmc) @bh4rtp it was done so you don't have to specify the command in the docker-compose file. But if you would like this level of control, it could be removed from the Dockerfile.in file

skarim (Mon, 19 Nov 2018 15:52:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qY5oDqJjfgHJ9P72W) @AndresMartinezMelgar.itcl This would be stored locally on the client that enrolled with the CA

bh4rtp (Tue, 20 Nov 2018 00:29:51 GMT):
@skarim sorry, i mistook the usage of `CMD`. thanks.

RoshanGmr (Tue, 20 Nov 2018 01:10:25 GMT):
Has joined the channel.

maksimfedin (Tue, 20 Nov 2018 02:55:08 GMT):
@skarim If I try to query/invoke chaincode with a cid check as admin, I get this error:
```
error from query = { Error: Error retrieving attribute, user doesn't have an attribute
    at self._endorserClient.processProposal (/root/fabric-api/node_modules/fabric-client/lib/Peer.js:123:36)
    at Object.onReceiveStatus (/root/fabric-api/node_modules/grpc/src/client_interceptors.js:1191:9)
    at InterceptingListener._callNext (/root/fabric-api/node_modules/grpc/src/client_interceptors.js:564:42)
    at InterceptingListener.onReceiveStatus (/root/fabric-api/node_modules/grpc/src/client_interceptors.js:614:8)
    at callback (/root/fabric-api/node_modules/grpc/src/client_interceptors.js:841:24)
  status: 500, payload: , isProposalResponse: true }
```
But if I register and enroll a new user with this attribute, it works fine. I want to find a way to invoke as admin.

Link-He (Tue, 20 Nov 2018 07:43:10 GMT):
Has joined the channel.

YoumnaKhalifa (Tue, 20 Nov 2018 11:38:19 GMT):
Has joined the channel.

halilkalkan (Tue, 20 Nov 2018 12:24:18 GMT):
Hi guys, I couldn't figure out the affiliations section. For instance, when I build a CA1 in docker, the default config contains org1.department1, org1.department2 and org2.department1 as affiliations. So, if I make a chaincode with attribute-based access control so that only org1.department1 can access a function, what happens if another CA2 adds the affiliation org1.department1 and creates a client with this affiliation? So, can we say chaincodes can be fooled with this scenario? Are affiliations not unique to CAs?

Pradeep_Pentakota (Tue, 20 Nov 2018 16:44:40 GMT):
Has joined the channel.

Legiit (Wed, 21 Nov 2018 10:21:37 GMT):
how are certificates from the CryptoStore (from the Fabric SDK) related to the MySQL/PostgreSQL database of the CA? https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#mysql What's the difference, or what's stored in each?

maksimfedin (Thu, 22 Nov 2018 01:48:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bY6uAcYuadvokoGLm) can anyone help me with this issue?

Paradox-AT (Thu, 22 Nov 2018 07:28:49 GMT):
Hello guys, I am trying to wrap my head around fabric-ca-client. I've got a few questions: 1: While initializing the FabricClient (FabricCAServices), under tlsOptions.trustedRoots should we put the ca-cert or the tls-cert from the server? If I am using the ca-cert then everything works fine, but when I am trying to use the tls-cert it is giving me the following error: `Error: Calling enrollment endpoint failed with error [Error: unable to verify the first certificate]`. 2: How do I get the certificates from the CA in order to do a transaction or initialization?

kwakwa (Thu, 22 Nov 2018 11:49:55 GMT):
Has joined the channel.

kwakwa (Thu, 22 Nov 2018 14:02:27 GMT):
Hello, could someone help me out with an issue? I've installed Fabric-CA using the user's guide with "go get -u github.com/hyperledger/fabric-ca/cmd/...", I've also set up the GOPATH to "C:/Users/User/go", and this has installed everything under go/src (there's no bin folder). When using docker now, I can run fabric-ca-client commands but any fabric-ca-server command returns "fabric-ca-server: command not found". I can start the server via Docker but not natively... I've looked online on stackoverflow, among others, to no avail... has this happened to anyone? Anyone have any suggestions I could try? I'm using version 1.3.0. Thank you so much for your patience!

praveen.aloker (Fri, 23 Nov 2018 05:11:02 GMT):
Has joined the channel.

yousaf (Sun, 25 Nov 2018 17:28:36 GMT):
Hi everyone. I am getting this error......Any solution for this?
```
Error: Failed to find private key for certificate in '/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem': Could not find matching private key for SKI: Failed getting key for SKI [[120 123 167 36 68 53 51 38 189 253 244 99 233 230 175 254 150 238 97 201 172 53 134 39 5 238 62 240 195 33 28 116]]: Key with SKI 787ba72444353326bdfdf463e9e6affe96ee61c9ac35862705ee3ef0c3211c74 not found in /etc/hyperledger/fabric-ca-server/msp/keystore
```

OviiyaDominic (Mon, 26 Nov 2018 05:06:03 GMT):
openssl

yulong12 (Mon, 26 Nov 2018 07:03:12 GMT):
Hi everyone. I use fabric-ca to generate msp certs and tls certs, so I want to ask a question: do the msp certs and tls certs have the same admin certs?

yulong12 (Mon, 26 Nov 2018 07:04:08 GMT):
or do the msp certs have an admin cert and the tls certs have their own admin cert?

Paradox-AT (Mon, 26 Nov 2018 07:07:34 GMT):
@kwakwa I think there is some problem while building the binary. Remove the go folder from your home directory, then try issuing the command again. If the command is successful then you will definitely find the bin folder with the server and client binaries in it. By the way, if there is no bin folder then how come you are able to use fabric-ca-client? I think you should find the location of that binary and look whether the server binary is there or not.

bh4rtp (Mon, 26 Nov 2018 08:53:24 GMT):
Hi, i enabled pkcs11 with softhsm2. when enrolling user Allen, it prints an error:
```
[2018-11-26 16:45:20.338] [ERROR] Helper - Failed to get registered user: Allen with error: Error: CKR_USER_ALREADY_LOGGED_IN:256 at Error (native) C_Login:372
```
the hash algorithm sha3 384 is used.

Paradox-AT (Mon, 26 Nov 2018 13:50:25 GMT):
@maksimfedin What are the roles for the admin?

skarim (Mon, 26 Nov 2018 14:41:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sCEy8Py573ZQPPeT9) @halilkalkan If you are using affiliations as the means for access control, then yes if two orgs have the same affiliation that form of access control would not be sufficient. By default, affiliations in the CA are not unique. But, the affiliations can be set to whatever value you desire at server start up.

skarim (Mon, 26 Nov 2018 14:42:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cwJdoaCEsvP6BvhFX) @Paradox-AT It seems like you are using the Node SDK, someone over at #fabric-sdk-node channel could probably answer your question better. They have their own implementation of the fabric ca client.

skarim (Mon, 26 Nov 2018 14:44:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZqfAFEXpepwnnG9yy) @yulong12 There is no admin TLS certificate; an enrollment cert can be made admin by placing it into the 'admin' folder in an MSP

ashutosh_kumar (Mon, 26 Nov 2018 15:20:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=D4sz3r79YpAFQPanE) @bh4rtp Can you reinitialize the token and try it one more time ?

ashutosh_kumar (Mon, 26 Nov 2018 15:21:19 GMT):
logging into the HSM is failing because of some slot misconfiguration.

lwan2000 (Mon, 26 Nov 2018 17:13:42 GMT):
Has joined the channel.

bh4rtp (Tue, 27 Nov 2018 00:38:19 GMT):
@ashutosh_kumar thanks. i will try it again.

yulong12 (Tue, 27 Nov 2018 02:34:12 GMT):
So, how can I get the tls certs? Just use `--enrollment.profile tls`? If I use one ca to generate msp certs and another ca to generate tls certs, the other one must get the admin certs first, then use these admin certs to generate tls certs, right?

yulong12 (Tue, 27 Nov 2018 02:34:18 GMT):
@skarim

JordyBaylac (Tue, 27 Nov 2018 05:05:25 GMT):
Has joined the channel.

halilkalkan (Tue, 27 Nov 2018 05:52:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oEaBvQFA3LYKPA4ft) @skarim Okay Skarim, then I shouldn't develop an ACL based on affiliations in a network with different organizations. Thank you for your support.

gsolaich (Tue, 27 Nov 2018 06:13:28 GMT):
Has joined the channel.

longnv1a (Tue, 27 Nov 2018 06:37:20 GMT):
Has joined the channel.

longnv1a (Tue, 27 Nov 2018 06:49:35 GMT):
Hi all, I have a network with multiple Orgs. Should I use only 1 CA service for all, or should each Org use its own CA?

AndresMartinezMelgar.itcl (Tue, 27 Nov 2018 07:07:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=B7xRm5XDeXWmyguYo) @longnv1a when you execute "cryptogen generate --config=./crypto-config.yaml", you obtain a folder for each organization you describe. So you have to use the CA you need

Paradox-AT (Tue, 27 Nov 2018 09:58:19 GMT):
@skarim Nobody had responded yet :laughing:

krabradosty (Tue, 27 Nov 2018 10:53:28 GMT):
Hello. Where is an identity type (`client,peer,orderer`, which one can specify during identity registration) used? How does it relate to an organizational unit?

ashutosh_kumar (Tue, 27 Nov 2018 14:37:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8j7oysTyxMDG5gC4R) @bh4rtp Let me know.

ashutosh_kumar (Tue, 27 Nov 2018 15:06:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=c2hgbbGBEEyYnzMtw) There might be some scope for improvement in implementation.

gravity (Tue, 27 Nov 2018 17:51:21 GMT):
Hi all, I'm looking at the `fabric-ca` sample project. There is a script `start-intermediate-ca.sh`, and in this line `fabric-ca-server` is initialized using the command `fabric-ca-server init`: https://github.com/hyperledger/fabric-samples/blob/release-1.2/fabric-ca/scripts/start-intermediate-ca.sh#L17 This script runs every time you restart the `ca-server`. The same goes for `start-root-ca.sh`. Does this mean that the fabric `ica` and `rca` are re-initialized on each restart? Or how exactly does it work? Can this re-init action cause data loss or cause some problems with the certificates that are generated during the initialization phase? Thanks in advance

gravity (Tue, 27 Nov 2018 17:51:21 GMT):
Hi @skarim I'm looking at the `fabric-ca` sample project. There is a script `start-intermediate-ca.sh`, and in this line `fabric-ca-server` is initialized using the command `fabric-ca-server init`: https://github.com/hyperledger/fabric-samples/blob/release-1.2/fabric-ca/scripts/start-intermediate-ca.sh#L17 This script runs every time you restart the `ca-server`. The same goes for `start-root-ca.sh`. Does this mean that the fabric `ica` and `rca` are re-initialized on each restart? Or how exactly does it work? Can this re-init action cause data loss or cause some problems with the certificates that are generated during the initialization phase? Thanks in advance

bh4rtp (Wed, 28 Nov 2018 04:57:56 GMT):
@ashutosh_kumar still prints
```
Error: CKR_USER_ALREADY_LOGGED_IN:256 at Error (native) C_Login:372
```
I am using `balance_transfer` and installed softhsm2 in fabric-ca. Before running `runApp.sh`, I did:
1) run `softhsm2-util --init-token --slot 0 --label ForFabric --so-pin 1234 --pin 98765432` on localhost and in the fabric-ca container
2) change "crypto-hash-algo": "SHA3", "crypto-keysize": 384, "crypto-hsm": true in fabric-sdk-node/fabric-ca/config/default.json and fabric-ca-client/config/default.json
3) export SOFTHSM2_CONF=/etc/softhsm2.conf, export CRYPTO_PKCS11_LIB="/usr/local/lib/softhsm/libsofthsm2.so", export CRYPTO_PKCS11_PIN="98765432", export CRYPTO_PKCS11_SLOT="0"
4) run `runApp.sh` and `testAPIs.sh`

bh4rtp (Wed, 28 Nov 2018 04:57:56 GMT):
@ashutosh_kumar still prints
```
Error: CKR_USER_ALREADY_LOGGED_IN:256 at Error (native) C_Login:372
```
I am using `balance_transfer` and installed softhsm2 in fabric-ca with a pkcs11 fabric-ca-server-config.yaml. Before running `runApp.sh`, I did:
1) run `softhsm2-util --init-token --slot 0 --label ForFabric --so-pin 1234 --pin 98765432` on localhost and in the fabric-ca container
2) change "crypto-hash-algo": "SHA3", "crypto-keysize": 384, "crypto-hsm": true in fabric-sdk-node/fabric-ca/config/default.json and fabric-ca-client/config/default.json
3) export SOFTHSM2_CONF=/etc/softhsm2.conf, export CRYPTO_PKCS11_LIB="/usr/local/lib/softhsm/libsofthsm2.so", export CRYPTO_PKCS11_PIN="98765432", export CRYPTO_PKCS11_SLOT="0"
4) run `runApp.sh` and `testAPIs.sh`

bh4rtp (Wed, 28 Nov 2018 04:57:56 GMT):
@ashutosh_kumar still prints
```
Error: CKR_USER_ALREADY_LOGGED_IN:256 at Error (native) C_Login:372
```
I am using `balance_transfer` and installed softhsm2 in fabric-ca with a pkcs11 fabric-ca-server-config.yaml. Before running `runApp.sh`, I did:
1) run `softhsm2-util --init-token --slot 0 --label ForFabric --so-pin 1234 --pin 98765432`
2) change "crypto-hash-algo": "SHA3", "crypto-keysize": 384, "crypto-hsm": true in fabric-sdk-node/fabric-ca/config/default.json and fabric-ca-client/config/default.json
3) export SOFTHSM2_CONF=/etc/softhsm2.conf, export CRYPTO_PKCS11_LIB="/usr/local/lib/softhsm/libsofthsm2.so", export CRYPTO_PKCS11_PIN="98765432", export CRYPTO_PKCS11_SLOT="0"
4) run `runApp.sh` and `testAPIs.sh`

bh4rtp (Wed, 28 Nov 2018 04:57:56 GMT):
@ashutosh_kumar still prints
```
Error: CKR_USER_ALREADY_LOGGED_IN:256 at Error (native) C_Login:372
```
I am using `balance_transfer` and installed softhsm2 in fabric-ca with a pkcs11 fabric-ca-server-config.yaml. Before running `runApp.sh`, I did:
1) run `softhsm2-util --init-token --slot 0 --label ForFabric --so-pin 1234 --pin 98765432`
2) change "crypto-hash-algo": "SHA3", "crypto-keysize": 384, "crypto-hsm": true in `fabric-sdk-node/fabric-ca/config/default.json` and `fabric-ca-client/config/default.json`
3) export SOFTHSM2_CONF=/etc/softhsm2.conf, export CRYPTO_PKCS11_LIB="/usr/local/lib/softhsm/libsofthsm2.so", export CRYPTO_PKCS11_PIN="98765432", export CRYPTO_PKCS11_SLOT="0"
4) run `runApp.sh` and `testAPIs.sh`

PonmudiK (Wed, 28 Nov 2018 07:21:07 GMT):
Has joined the channel.

ajit1433 (Wed, 28 Nov 2018 12:04:14 GMT):
Has joined the channel.

JoydeepSarkar (Wed, 28 Nov 2018 12:26:48 GMT):
Has joined the channel.

JoydeepSarkar (Wed, 28 Nov 2018 12:29:05 GMT):
Hi, I am trying to configure SoftHSM with fabric-ca 1.3 but am not able to get it working. I have tried both fabric-ca-release1.3 and master (as specified in https://jira.hyperledger.org/browse/FAB-12427), but both give the same error.

JoydeepSarkar (Wed, 28 Nov 2018 12:29:34 GMT):
I get the error message: Could not find default `PKCS11` BCCSP

JoydeepSarkar (Wed, 28 Nov 2018 12:29:48 GMT):
can someone please help me?

JoydeepSarkar (Wed, 28 Nov 2018 12:35:32 GMT):
This is how my BCCSP entry looks:

JoydeepSarkar (Wed, 28 Nov 2018 12:35:34 GMT):
```
bccsp:
    default: PKCS11
    pkcs11:
        libraty: /usr/local/lib/softhsm/libsofthsm2.so
        pin: 98765432
        label: ForFabric
        hash: SHA2
        security: 256
        filekeystore:
            # The directory used for the software file-based keystore
            keystore: msp/keystore
```

ashutosh_kumar (Wed, 28 Nov 2018 14:28:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pKBzTnG2kZaZEm2xG) @bh4rtp Can you change to the default sha algo setting and see if it works? I do not think it should work. Also soft_hsm does not provide a logout option at the CLI.

ashutosh_kumar (Wed, 28 Nov 2018 14:28:48 GMT):
In the worst case, I'll open a JIRA for the fix.

skarim (Wed, 28 Nov 2018 14:31:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Ma4N2c4aoAjyxfBqa) @gravity Using 'init' will create your cert/key pair and create the database with your bootstrap users. If you were to issue the 'init' command again and your cert/key and database still existed, then the init command will not do anything and your data will not be overridden. But of course, if somewhere in the script the cert/key and database are deleted before initializing again, then you would lose all your previous data.

gravity (Wed, 28 Nov 2018 14:36:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=W5sHzbDGBaPi2fhyz) @skarim got it, thanks

krabradosty (Wed, 28 Nov 2018 16:11:19 GMT):
Hello. In the fabric-ca example an intermediate CA is initialized by
```
fabric-ca-server init -b $BOOTSTRAP_USER_PASS -u $PARENT_URL
```
But when I do the same in my project I get an error:
```
[FATAL] Initialization failure: Failed to get client TLS config: No trusted root certificates for TLS were provided
```
Why don't I get this error in the example project, and which flag should I use to provide the root certificate?

vladyslavmunin (Wed, 28 Nov 2018 17:07:00 GMT):
Hi, all. Is it possible to re-enroll a user whose certificate has been revoked?

skarim (Wed, 28 Nov 2018 21:19:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TPqb8GRNPnPfECWd5) @krabradosty You are probably using 'https' in your $PARENT_URL, when trying to connect to a secure socket you can use the flag `--intermediate.tls.certfiles` to specify trusted TLS root files on your intermediate CA

skarim (Wed, 28 Nov 2018 21:20:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BAZ7Auy5CdFWQrSXt) @vladyslavmunin You can't re-enroll if the certificate has been revoked, you will have to enroll again using the username/password

theezenaku (Wed, 28 Nov 2018 22:49:29 GMT):
Has joined the channel.

krabradosty (Thu, 29 Nov 2018 06:50:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5g5wwR2NWJqrWqiNL) @skarim But in example they also use https: `- PARENT_URL=https://$ROOT_CA_ADMIN_USER_PASS@$ROOT_CA_HOST:7054` It is my first start of intermediate CA from scratch, I don't have an intermediate CA certificate yet.

PonmudiK (Thu, 29 Nov 2018 06:58:05 GMT):
Hi All

PonmudiK (Thu, 29 Nov 2018 06:58:33 GMT):
I am getting the below error while enabling the SoftHSM for fabric-ca

PonmudiK (Thu, 29 Nov 2018 06:58:57 GMT):
I have tried the following approaches

PonmudiK (Thu, 29 Nov 2018 06:59:28 GMT):
1. Took the latest fabric-ca code, built the fabric-ca-server binary and tested

PonmudiK (Thu, 29 Nov 2018 06:59:40 GMT):
2. Built a docker image and tested

PonmudiK (Thu, 29 Nov 2018 06:59:52 GMT):
I am getting the same error

PonmudiK (Thu, 29 Nov 2018 07:00:19 GMT):
[pasted image: Clipboard - November 29, 2018 12:30 PM]

PonmudiK (Thu, 29 Nov 2018 07:01:05 GMT):
```
fabric-ca-server | 2018/11/29 06:47:56 [DEBUG] CA Home Directory: /etc/hyperledger/fabric-ca-server
fabric-ca-server | 2018/11/29 06:47:56 [DEBUG] Checking configuration file version '1.4.0-snapshot-afa77f9' against server version: '1.4.0-snapshot-afa77f9'
fabric-ca-server | 2018/11/29 06:47:56 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:0xc000300600 PluginOpts:}
fabric-ca-server | 2018/11/29 06:47:56 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc000317a60 DummyKeystore:}
fabric-ca-server | 2018/11/29 06:47:56 [DEBUG] Closing server DBs
fabric-ca-server | Error: Failed to initialize BCCSP Factories: %!s()
fabric-ca-server | Could not find default `PKCS11` BCCSP
```

PonmudiK (Thu, 29 Nov 2018 07:01:37 GMT):
when I build the docker image I get a docker image tag like 1.4.0-snapshot-afa77f9

PonmudiK (Thu, 29 Nov 2018 07:01:58 GMT):
can anyone please help me to solve the issue ?

vladyslavmunin (Thu, 29 Nov 2018 08:22:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NzEFiEG6mBRmT4ZXB) @skarim Thanks for the answer. But this is only possible if I register an identity with maxEnrollments >= 1. Let's assume that I register the identity with maxEnrollments = 1. After that the user key was somehow compromised and I have to revoke the user certificate. In this case the user identity is completely lost because, as I understood, it's not possible to re-enroll it (maxEnrollments = 1). Am I right? So why am I allowed to set maxEnrollments = 1, or when should I use this possibility, because the possibility of key compromise always exists?

krabradosty (Thu, 29 Nov 2018 09:23:10 GMT):
Hello again. I'm getting an error while initializing an intermediate CA:
```
Error: POST failure of request: POST https://ca.org1.example.com:7054/enroll: certificate is valid for tlsca.org1.example.com, not ca.org1.example.com
```
This is because the root CA tls certificate contains `tlsca.org1.example.com` in the CN field:
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ee:99:36:b6:d6:64:a0:12:69:54:53:26:52:66:dc:f7
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = California, L = San Francisco, O = org1.example.com, CN = tlsca.org1.example.com
        Validity
            Not Before: Nov 29 08:26:36 2018 GMT
            Not After : Nov 26 08:26:36 2028 GMT
        Subject: C = US, ST = California, L = San Francisco, O = org1.example.com, CN = tlsca.org1.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
```
I'm generating the crypto materials with the cryptogen tool. How can I override this behavior?

greivinlopez (Thu, 29 Nov 2018 13:59:47 GMT):
Has joined the channel.

skarim (Thu, 29 Nov 2018 14:47:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=L7kbJnJxHk2QrWqfa) @vladyslavmunin If you don't want an identity to be able to get multiple different enrollment certificates, then you would use a max enrollment value of one. But, in your case the user is essentially locked. Your option to get this identity re-enabled again would be to have an admin modify the max enrollment value of the identity to greater than 2. See: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#modifying-an-identity

skarim (Thu, 29 Nov 2018 14:47:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=L7kbJnJxHk2QrWqfa) @vladyslavmunin If you don't want an identity to be able to get multiple different enrollment certificates, then you would use a max enrollment value of one. But, in your case the user is essentially locked out. Your option to get this identity re-enabled again would be to have an admin modify the max enrollment value of the identity to greater than 1. See: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#modifying-an-identity

skarim (Thu, 29 Nov 2018 14:49:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=acRLpyjnkauu9Axbk) @krabradosty You are using a tls certificate that is considered valid for `tlsca.org1.example.com`, but you are sending your request to `ca.org1.example.com` and this is why it's getting rejected. You need to use the tls certificate that is for `ca.org1.example.com`

krabradosty (Thu, 29 Nov 2018 15:01:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QsNh2RaT9u5SweJid) @skarim I understand. But how can I generate this certificate with `cryptogen`? By default it uses `tlsca.*`

aambati (Thu, 29 Nov 2018 16:25:10 GMT):
you can use fabric-ca-client to generate a tls certificate using the `enroll` command with the `--tls` option instead of cryptogen

krabradosty (Thu, 29 Nov 2018 17:19:31 GMT):
@aambati Thanks. Is this the only way? In this case I have to generate all crypto materials manually without cryptogen.

krabradosty (Thu, 29 Nov 2018 17:19:31 GMT):
@aambati Thanks. Is this the only way? In this case I have to generate all crypto materials manually without cryptogen. Also could you provide the full command to generate a self-signed tls certificate for a new CA server with a custom CN? I've tried `fabric-ca-client enroll --enrollment.profile tls --csr.cn ca.example.com` but got an error:
```
Error: Failed to create default configuration file: No username and password provided as part of the Fabric CA server URL
```

krabradosty (Thu, 29 Nov 2018 19:06:33 GMT):
And one more question. When I start an intermediate CA server from scratch (also when I start a new root CA server), the tls certificate contains strange bytes in the `CN` field:
```
Subject: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=6892bf1d387b
```
I understand that the certificate contains a `DNS` field with the correct host name and the certificate will work, but maybe we can put the host name in the `CN` field? Just to avoid a mess.

aambati (Thu, 29 Nov 2018 19:23:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=84EdhnxKrAsgGvL9e) @krabradosty If you are trying to generate a TLS certificate for Fabric CA server, you can do it by enabling TLS in the server config. The server will automatically generate the certificate...Set `tls.enabled` to `true` and update `csr.hosts` property (this CSR info is used to generate both CA root cert and tls cert for the server), and update `signing.profiles.tls` section if needed in the server config (https://hyperledger-fabric-ca.readthedocs.io/en/latest/serverconfig.html)

aambati (Thu, 29 Nov 2018 19:26:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DcS6s34DokMYw6G3z) @krabradosty It used to be hostname in the CN field...I guess it was changed recently... @skarim may know why that was changed

Taffies (Fri, 30 Nov 2018 04:33:33 GMT):
I am currently using cryptogen and I would like to switch over to fabric-ca. Currently testing this on the BYFN example but I'm kind of stuck for a while now - any help or tutorial would be appreciated. :)

sudijovski (Fri, 30 Nov 2018 12:55:01 GMT):
Has joined the channel.

aambati (Fri, 30 Nov 2018 15:39:22 GMT):
I am not sure there is a tutorial as such but I am guessing you already checked https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#getting-started Also, look at the https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca sample ... if you have specific questions, I am sure someone on this channel will answer your questions

aambati (Fri, 30 Nov 2018 15:39:22 GMT):
I am not sure if there is a tutorial as such but I am guessing you already checked https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#getting-started Also, look at the https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca sample ... if you have specific questions, I am sure someone on this channel will answer your questions

aambati (Fri, 30 Nov 2018 15:39:22 GMT):
@Taffies I am not sure if there is a tutorial as such but I am guessing you already checked https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#getting-started Also, look at the https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca sample ... if you have specific questions, I am sure someone on this channel will answer your questions

aambati (Fri, 30 Nov 2018 15:39:22 GMT):
@Taffies I am not sure if there is a tutorial as such but I am guessing you already checked https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#getting-started Also, look at the https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca sample ... if you have specific questions, I am sure someone on this channel will answer them

bh4rtp (Sat, 01 Dec 2018 03:01:30 GMT):
@ashutosh_kumar is my operation correct? And how to set pkcs11 for the node sdk if it is not configured in default.json?

krabradosty (Sat, 01 Dec 2018 10:46:56 GMT):
Hello again. After I started the intermediate CA with:
```
fabric-ca-server start -b admin:adminpw --tls.enabled -u https://admin:adminpw@tlsca.org1.example.com:7054 --intermediate.tls.certfiles /data/tlsca/tlsca.org1.example.com-cert.pem --csr.hosts int.ca.org1.example.com
```
I copied the just-generated `$FABRIC_CA_HOME/ca-cert.pem` and `$FABRIC_CA_HOME/tls-cert.pem` to the /intermediatecerts and /tlsintermediatecerts directories in the org1 msp dir. Then I generated the configuration files and started the network. The orderer failed with error:
```
2018-11-30 13:49:45.971 UTC [orderer/commmon/multichannel] newLedgerResources -> PANI 05f Error creating channelconfig bundle: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: CA Certificate did not have the Subject Key Identifier extension, (SN: 579386462760088976293046332568118716706373949620)
panic: Error creating channelconfig bundle: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: CA Certificate did not have the Subject Key Identifier extension, (SN: 579386462760088976293046332568118716706373949620)
```
mastersingh24 from the fabric-orderer channel suggested that "the root CA did not actually issue the intermediate certificates". And indeed, I checked the signatures of the certificates for the intermediate CA:
```
openssl verify -verbose -CAfile cacerts/ca.org1.example.com-cert.pem intermediatecerts/ca-cert.pem
intermediatecerts/ca-cert.pem: OK
```
but
```
openssl verify -verbose -CAfile tlscacerts/tlsca.org1.example.com-cert.pem tlsintermediatecerts/tls-cert.pem
C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = c0c4b19f79b2
error 20 at 0 depth lookup: unable to get local issuer certificate
error tlsintermediatecerts/tls-cert.pem: verification failed
```
So, signature verification of the intermediate tls certificate fails due to some error. Any suggestions?

krabradosty (Sat, 01 Dec 2018 10:46:56 GMT):
Hello again. After I started the intermediate CA with:
```
fabric-ca-server start -b admin:adminpw --tls.enabled -u https://admin:adminpw@tlsca.org1.example.com:7054 --intermediate.tls.certfiles /data/tlsca/tlsca.org1.example.com-cert.pem --csr.hosts int.ca.org1.example.com
```
I copied the just-generated `$FABRIC_CA_HOME/ca-cert.pem` and `$FABRIC_CA_HOME/tls-cert.pem` to the /intermediatecerts and /tlsintermediatecerts directories in the org1 msp dir. Then I generated the configuration files and started the network. The orderer failed with error:
```
2018-11-30 13:49:45.971 UTC [orderer/commmon/multichannel] newLedgerResources -> PANI 05f Error creating channelconfig bundle: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: CA Certificate did not have the Subject Key Identifier extension, (SN: 579386462760088976293046332568118716706373949620)
panic: Error creating channelconfig bundle: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: CA Certificate did not have the Subject Key Identifier extension, (SN: 579386462760088976293046332568118716706373949620)
```
mastersingh24 from the fabric-orderer channel guessed that "the root CA did not actually issue the intermediate certificates". And indeed, I checked the signatures of the certificates for the intermediate CA:
```
openssl verify -verbose -CAfile cacerts/ca.org1.example.com-cert.pem intermediatecerts/ca-cert.pem
intermediatecerts/ca-cert.pem: OK
```
but
```
openssl verify -verbose -CAfile tlscacerts/tlsca.org1.example.com-cert.pem tlsintermediatecerts/tls-cert.pem
C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = c0c4b19f79b2
error 20 at 0 depth lookup: unable to get local issuer certificate
error tlsintermediatecerts/tls-cert.pem: verification failed
```
So, signature verification of the intermediate tls certificate fails due to some error. Any suggestions?

krabradosty (Sat, 01 Dec 2018 10:46:56 GMT):
Hello again. After I started the intermediate CA with:
```
fabric-ca-server start -b admin:adminpw --tls.enabled -u https://admin:adminpw@tlsca.org1.example.com:7054 --intermediate.tls.certfiles /data/tlsca/tlsca.org1.example.com-cert.pem --csr.hosts int.ca.org1.example.com
```
I copied the just-generated `$FABRIC_CA_HOME/ca-cert.pem` and `$FABRIC_CA_HOME/tls-cert.pem` to the /intermediatecerts and /tlsintermediatecerts directories in the org1 msp dir. Then I generated the configuration files and started the network. The orderer failed with error:
```
2018-11-30 13:49:45.971 UTC [orderer/commmon/multichannel] newLedgerResources -> PANI 05f Error creating channelconfig bundle: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: CA Certificate did not have the Subject Key Identifier extension, (SN: 579386462760088976293046332568118716706373949620)
panic: Error creating channelconfig bundle: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: CA Certificate did not have the Subject Key Identifier extension, (SN: 579386462760088976293046332568118716706373949620)
```
mastersingh24 from the fabric-orderer channel guessed that "the root CA did not actually issue the intermediate certificates". And indeed, I checked the signatures of the certificates for the intermediate CA:
```
openssl verify -verbose -CAfile cacerts/ca.org1.example.com-cert.pem intermediatecerts/ca-cert.pem
intermediatecerts/ca-cert.pem: OK
```
but
```
openssl verify -verbose -CAfile tlscacerts/tlsca.org1.example.com-cert.pem tlsintermediatecerts/tls-cert.pem
C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = c0c4b19f79b2
error 20 at 0 depth lookup: unable to get local issuer certificate
error tlsintermediatecerts/tls-cert.pem: verification failed
```
So, signature verification of the intermediate tls certificate fails due to some error.
I think this error only means that signature verification was not passed. Any suggestions?

krabradosty (Sat, 01 Dec 2018 10:46:56 GMT):
Hello again. After I started the intermediate CA with:
```
fabric-ca-server start -b admin:adminpw --tls.enabled -u https://admin:adminpw@tlsca.org1.example.com:7054 --intermediate.tls.certfiles /data/tlsca/tlsca.org1.example.com-cert.pem --csr.hosts int.ca.org1.example.com
```
I copied the just-generated `$FABRIC_CA_HOME/ca-cert.pem` and `$FABRIC_CA_HOME/tls-cert.pem` to the /intermediatecerts and /tlsintermediatecerts directories in the org1 msp dir. Then I generated the configuration files and started the network. The orderer failed with error:
```
2018-11-30 13:49:45.971 UTC [orderer/commmon/multichannel] newLedgerResources -> PANI 05f Error creating channelconfig bundle: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: CA Certificate did not have the Subject Key Identifier extension, (SN: 579386462760088976293046332568118716706373949620)
panic: Error creating channelconfig bundle: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: CA Certificate did not have the Subject Key Identifier extension, (SN: 579386462760088976293046332568118716706373949620)
```
mastersingh24 from the fabric-orderer channel guessed that "the root CA did not actually issue the intermediate certificates". And indeed, I checked the signatures of the certificates for the intermediate CA:
```
openssl verify -verbose -CAfile cacerts/ca.org1.example.com-cert.pem intermediatecerts/ca-cert.pem
intermediatecerts/ca-cert.pem: OK
```
but
```
openssl verify -verbose -CAfile tlscacerts/tlsca.org1.example.com-cert.pem tlsintermediatecerts/tls-cert.pem
C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = c0c4b19f79b2
error 20 at 0 depth lookup: unable to get local issuer certificate
error tlsintermediatecerts/tls-cert.pem: verification failed
```
So, signature verification of the intermediate tls certificate fails due to some error.
I think this error only means that signature validation was not passed. Any suggestions? P.S. for the peer's tls certificate (generated with cryptogen) the validation passed successfully.

cppchedy (Sun, 02 Dec 2018 00:17:43 GMT):
Has joined the channel.

bh4rtp (Sun, 02 Dec 2018 01:01:12 GMT):
@ashutosh_kumar Is it necessary to make modifications for tls when using pkcs11?

yulong12 (Mon, 03 Dec 2018 02:58:34 GMT):
Hi everyone. I have a question. What is the difference among app, user, orderer and peer when I use the fabric-ca-client register command and use the id.type attribute?

martin-halford (Mon, 03 Dec 2018 03:27:37 GMT):
Has joined the channel.

ArpitKhurana1 (Mon, 03 Dec 2018 05:59:41 GMT):
Has joined the channel.

ArpitKhurana1 (Mon, 03 Dec 2018 06:00:16 GMT):
Hi, I have a question: is there any API to know if a user is already registered with the CA or not

ArpitKhurana1 (Mon, 03 Dec 2018 06:00:16 GMT):
Hi, I have a question: is there any API to know if a user is already registered with the CA or not (solved)

AndresMartinezMelgar.itcl (Mon, 03 Dec 2018 07:20:12 GMT):
How can I leave a channel? I can only join.

ShefaliMittal (Mon, 03 Dec 2018 07:41:00 GMT):
How do I check if a user with the same email exists with fabric-ca?

CheeChyuan (Mon, 03 Dec 2018 09:05:24 GMT):
Has joined the channel.

MuhammedHafil (Mon, 03 Dec 2018 11:39:04 GMT):
Can anybody tell me why users are not enrolled in this example? https://github.com/hyperledger/fabric-samples/tree/master/balance-transfer Only registered? Refer to `app/helper.js`

MuhammedHafil (Mon, 03 Dec 2018 13:16:16 GMT):
How to register user with custom attributes and access it in chaincode? how to access the `role` or any key from `attrs` from chaincode? I have tried this, but not working https://pastebin.com/BKDJeegt

MuhammedHafil (Mon, 03 Dec 2018 13:16:16 GMT):
How to register user with custom attributes and access it in chaincode? how to access the `role` or any key from `attrs` from chaincode? I have tried this, but not working https://pastebin.com/BKDJeegt @aambati @skarim

MuhammedHafil (Mon, 03 Dec 2018 13:16:16 GMT):
How to register user with custom attributes and access it in chaincode? how to access the `role` or any key from `attrs` from chaincode? I have tried this, but not working https://pastebin.com/BKDJeegt @skarim

MuhammedHafil (Mon, 03 Dec 2018 13:16:16 GMT):
How to register user with custom attributes and access it in chaincode? how to access the `role` or any key from `attrs` from chaincode? I have tried this, but not working https://pastebin.com/BKDJeegt @skarim @aambati

MuhammedHafil (Mon, 03 Dec 2018 13:16:16 GMT):
How to register user with custom attributes and access it in chaincode? how to access the `role` or any key from `attrs` from chaincode? I have tried this, but not working https://pastebin.com/BKDJeegt @aambati

MuhammedHafil (Mon, 03 Dec 2018 13:18:09 GMT):
@skarim

MuhammedHafil (Mon, 03 Dec 2018 13:18:21 GMT):
@aambati

ashutosh_kumar (Mon, 03 Dec 2018 14:34:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xcPZBde6pBSD2sCvn) @bh4rtp Which operation? Can you please elaborate?

aambati (Mon, 03 Dec 2018 14:50:05 GMT):
@krabradosty you are starting the intermediate server by pointing it to the root ca that is running at tlsca.org1.example.com...I am assuming this root CA's cert is `ca.org1.example.com-cert.pem`? If so, intermediate CA's tls cert will be signed by the key associated with this cert. In other words, intermediate CA tls cert's AKI should match SKI of the `ca.org1.example.com-cert.pem`

aambati (Mon, 03 Dec 2018 14:51:59 GMT):
Also, pls check the https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca example; it demonstrates how to set up a network with an org with root CA and intermediate CA certs

aambati (Mon, 03 Dec 2018 14:56:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oExpZPy4pzG2w28h4) @yulong12 Last I checked, Identity type was not being used in Fabric... You would normally set id.type to user or app for end user identities, and orderer and peer for orderer and peer identities, respectively. You can also define custom types and use the id.type property to make ABAC decisions in the chaincode

aambati (Mon, 03 Dec 2018 15:04:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xcoNEvowznuMh8ZoQ) @ArpitKhurana1 `fabric-ca-client identity list --id` to get the user info for a user... if the user exists and the requester has access, user info will be displayed... the REST API is https://github.com/hyperledger/fabric-ca/blob/afa77f9e59a400c54118f01d5c449ce37b4b501c/swagger/swagger-fabric-ca.json#L1908

aambati (Mon, 03 Dec 2018 15:04:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xcoNEvowznuMh8ZoQ) @ArpitKhurana1 `fabric-ca-client identity list --id` to get the user info for a user.. if the user exists and the requester has access, user info will be displayed (https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#getting-identity-information)... the rest API is https://github.com/hyperledger/fabric-ca/blob/afa77f9e59a400c54118f01d5c449ce37b4b501c/swagger/swagger-fabric-ca.json#L1908

aambati (Mon, 03 Dec 2018 15:09:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=f42yLXrwCnvbG6aQ5) @ShefaliMittal Are you using an email id as the user id when registering with fabric-ca? If so, pls see my response to @ArpitKhurana1

aambati (Mon, 03 Dec 2018 15:36:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xCPPaJJ3eXaAmfMXY) @MuhammedHafil https://github.com/hyperledger/fabric-samples/tree/master/fabric-ca demonstrates ABAC function.. https://github.com/hyperledger/fabric-samples/blob/94c21eb9bd6f6ac808e189259bc1abec756694e6/fabric-ca/scripts/setup-fabric.sh#L71 is where user is registered with an attribute and https://github.com/hyperledger/fabric-samples/blob/53ae43530468426e23e5638fce157ec42dbeaa80/chaincode/abac/go/abac.go#L42 is where it is used in the chaincode

GiorgiLaghidze (Mon, 03 Dec 2018 19:35:39 GMT):
Has joined the channel.

OmarShekriladze (Mon, 03 Dec 2018 19:35:51 GMT):
Has joined the channel.

GiorgiLaghidze (Mon, 03 Dec 2018 19:53:55 GMT):
does anyone know the answer? https://stackoverflow.com/questions/53600412/why-does-fabric-ca-start-as-self-signed-certificate

mastersingh24 (Mon, 03 Dec 2018 21:14:15 GMT):
https://stackoverflow.com/a/53601926/6160507

krabradosty (Mon, 03 Dec 2018 22:53:20 GMT):
krabradosty (Mon, 03 Dec 2018 22:53:20 GMT):
@aambati I'm checking the fabric-ca example and it's not clear to me: what is the purpose of the certificate `$FABRIC_CA_HOME/tls-cert.pem`? I thought it is the CA's TLS cert. But in the fabric-ca example, an organization's msp directory contains the `FABRIC_CA_HOME/ca-cert.pem` certificate in both the /cacerts and /tlscacerts directories (in the case of the root CA). You also say that I should use the main certificate for TLS. I'm confused. And I have to note: the cryptogen tool populates the /cacerts and /tlscacerts directories with different certificates.

JaccobSmith (Tue, 04 Dec 2018 02:18:14 GMT):
I want to use fabric-ca with LDAP, is there a tutorial for this?

yulong12 (Tue, 04 Dec 2018 02:20:17 GMT):
So, how do I use the id.type when I execute the fabric-ca-client register command?

yulong12 (Tue, 04 Dec 2018 02:20:29 GMT):
@aambati

hyper_learner_ak (Tue, 04 Dec 2018 03:43:10 GMT):
I am running the byfn example from fabric-samples v1.3 and I see there is no container generated for the ca.peerOrg1 service from docker-compose-e2e.yaml

hyper_learner_ak (Tue, 04 Dec 2018 03:43:53 GMT):
This contrasts with version 1.2, where it was generated. If this is not generated, how would I be able to enroll admin?

rootDistress (Tue, 04 Dec 2018 09:25:34 GMT):
Has joined the channel.

AndresMartinezMelgar.itcl (Tue, 04 Dec 2018 10:13:54 GMT):
Hi, I am looking for a fabric-ca Java SDK, and I don't find it. Does anyone know where I can search?

mallikarjunasai995 (Tue, 04 Dec 2018 12:21:56 GMT):
Has joined the channel.

skarim (Tue, 04 Dec 2018 14:46:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HwEPaoPGsjwkm3cjT) @yulong12 You can use the command line flag. `fabric-ca-client register --id.type `

skarim (Tue, 04 Dec 2018 14:47:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ikZcjJMyxMmvai5QD) @JaccobSmith There is not a tutorial that I am aware of. Have you looked at the README? https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#configuring-ldap

skarim (Tue, 04 Dec 2018 14:48:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rBBSZEBsDQfTNe7nv) @AndresMartinezMelgar.itcl There is not a specific fabric-ca Java SDK. There is the overall Java SDK, which contains a fabric-ca client. https://github.com/hyperledger/fabric-sdk-java

ashutosh_kumar (Tue, 04 Dec 2018 14:51:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ikZcjJMyxMmvai5QD) @JaccobSmith Here is the user guide : https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#configuring-ldap

ashutosh_kumar (Tue, 04 Dec 2018 14:53:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rBBSZEBsDQfTNe7nv) @AndresMartinezMelgar.itcl The fabric-ca Java SDK client is a separate repo within Fabric. The Rocket.Chat channel is #fabric-sdk-java

gravity (Tue, 04 Dec 2018 16:40:26 GMT):
Hi @skarim Is it possible to create a network with TLS disabled, but later enable TLS without re-creating the network and without data loss? Are there any issues with such an approach?

aambati (Tue, 04 Dec 2018 17:55:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hRsoaX467hcKZDT25) @krabradosty yes, `$FABRIC_CA_HOME/tls-cert.pem` is the TLS certificate of the CA server, which is signed by the CA's root certificate. The /tlscacerts folder contains the root cert that issued the TLS certs. Since both enrollment certs and TLS certs are issued by the same CA (have the same root), `FABRIC_CA_HOME/ca-cert.pem` is in both the /cacerts and /tlscacerts folders

ashutosh_kumar (Tue, 04 Dec 2018 19:25:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xvJeNFPGFGg86amn2) @gravity I do not think so.

arjitkhullar (Wed, 05 Dec 2018 00:00:56 GMT):
Has joined the channel.

AndresMartinezMelgar.itcl (Wed, 05 Dec 2018 07:09:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sDeYuE4dMhorF6W9x) @ashutosh_kumar I read that you can turn on your network with TLS disabled, and then with global variables you can turn it on. ORDERER_GNERAL_TLSENABLE

hyper_learner_ak (Wed, 05 Dec 2018 09:34:02 GMT):
I am getting this error response from sendTransactionProposal: `Error: 2 UNKNOWN: access denied: channel [mychannel] creator org [Org1MSP]`. Where can I explore to resolve this error?

chandrasekarangengadharan (Wed, 05 Dec 2018 11:24:44 GMT):
Has joined the channel.

FLASHJr (Wed, 05 Dec 2018 11:57:09 GMT):
Has joined the channel.

PonmudiK (Wed, 05 Dec 2018 12:43:52 GMT):
hsm

JoydeepSarkar (Wed, 05 Dec 2018 14:36:28 GMT):
Hi, I am getting "Failed to initialize BCCSP Factories" when using SoftHSMv2. What I have done is installed *softhsm2* in a VM, and in the same VM I am starting fabric-ca-server using Docker (with PKCS11 configuration). Just wondering if this is the reason that the BCCSP cannot be initialized, since it is not part of the Docker image? I tried with fabric-ca-server 1.1 and 1.3 (master) as well. Can anyone advise a solution?

npc0405 (Wed, 05 Dec 2018 18:20:23 GMT):
After adding a 3rd org to the network, I am trying to enroll a user on it. It throws an affiliation error

npc0405 (Wed, 05 Dec 2018 18:23:19 GMT):
Is there a correct way to add affiliations in the fabric-ca-server-config.yaml file?

skarim (Wed, 05 Dec 2018 18:26:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xivBWRT8MDKCvaaam) @npc0405 you will need to restart the server if you make changes to the config file. You can use the command line to dynamically add affiliations, without server restart. See: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#adding-an-affiliation

halilkalkan (Wed, 05 Dec 2018 18:33:35 GMT):
Can we say ABAC is useless when there are multiple CAs? Because each CA can generate certificates with attributes based on chaincode restrictions, and I couldn't figure out how we should trust this kind of access control.

skarim (Wed, 05 Dec 2018 18:53:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wGN3zkzrbnwgLYo77) @halilkalkan Could you give a more elaborate example? What kind of access restrictions are you trying to do that are prevented by having multiple CAs?

halilkalkan (Wed, 05 Dec 2018 18:58:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=naKsqmT9WLZJqnshp) For instance, I want to give access only to "userType = 'doctor'". I can issue certificates from CA0 and manage who has the 'doctor' attribute. However, when there are multiple CAs, the other CA can generate a random user with the 'doctor' attribute, and it can be tricked this way. What I mean is that we cannot prevent other CAs from creating certificates with restricted attributes.

skarim (Wed, 05 Dec 2018 19:05:56 GMT):
skarim (Wed, 05 Dec 2018 19:05:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DyK5hiKgnJSQ9hMAZ) @halilkalkan You could also check the MSPID when making the check, using the GetMSPID function. Maybe you could make a check similar to: `MSPID=="CA0" && userType== "doctor"`

halilkalkan (Wed, 05 Dec 2018 19:08:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TysWeaAWkE2BRaQ9L) @skarim Great, thank you for your support. I'm gonna try this one.

Joe-mcgee (Wed, 05 Dec 2018 22:11:23 GMT):
Has joined the channel.

npc0405 (Thu, 06 Dec 2018 01:51:14 GMT):
@skarim I tried that but I get the following error asking for Idemix enrollment

npc0405 (Thu, 06 Dec 2018 01:51:26 GMT):
```
Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2018/12/05 17:52:29 [ERROR] Enrollment check failed: Idemix enrollment information does not exist
Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort
```

npc0405 (Thu, 06 Dec 2018 01:52:24 GMT):
So I try to enroll with the following command: `fabric-ca-client enroll -u http://admin:adminpw@localhost:7054`

npc0405 (Thu, 06 Dec 2018 01:52:51 GMT):
but then, on re-trying, it throws the same error

yulong12 (Thu, 06 Dec 2018 02:07:18 GMT):
@skarim yes, I know that command. But the id.type has peer, orderer, app, user and client, and I don't know what the difference is between them

JaccobSmith (Thu, 06 Dec 2018 03:14:33 GMT):
Hello all, I have a doubt about why only one organization's signature is needed when instantiating a chaincode with an "AND" policy. Shouldn't this need two signatures from two organizations?

JaccobSmith (Thu, 06 Dec 2018 03:20:10 GMT):
and the chaincode container of one organization will run the "Init" function, but when the other organization creates a chaincode container, that one will not run the Init function?

JaccobSmith (Thu, 06 Dec 2018 03:20:15 GMT):
is this right?

JayJong (Thu, 06 Dec 2018 10:47:30 GMT):
Hi, may I know what's the difference between using fabric-ca and fabric-ca-peer? Can I use fabric-ca-peer for production? I appreciate any response.

pujabhattad (Thu, 06 Dec 2018 11:00:31 GMT):
Has joined the channel.

mallikarjunasai995 (Thu, 06 Dec 2018 13:44:35 GMT):
Do peers perform the transaction signing, or do the users on those peers do that?

JoydeepSarkar (Thu, 06 Dec 2018 13:52:28 GMT):
Hi, I would like to report an issue with SoftHSM using Fabric CA Server. I have used the latest Fabric CA (1.3.1). I have installed the CA server using `go get -u github.com/hyperledger/fabric-ca/cmd/...` and started the server with the default setting _fabric-ca-server start -b admin:adminpw_. After that I updated the BCCSP with the softhsm library (following is the setting in fabric-ca-server-config.yaml). Please note that I am able to generate a token using softhsm2-util successfully.
```
bccsp:
    default: PKCS11
    sw:
        hash: SHA2
        security: 256
        filekeystore:
            # The directory used for the software file-based keystore
            keystore: msp/keystore
    pkcs11:
        library: /home/jdblkchn/softhsm-2.3.0/src/lib/.libs/libsofthsm2.so
        pin: 98765432
        label: ForFabric
        hash: SHA2
        security: 256
        filekeystore:
            # The directory used for the software file-based keystore
            keystore: msp/keystore
```
I added the env variable `export SOFTHSM2_CONF=/etc/softhsm2.conf`
```
jdblkchn@ubuntuvm1:~/work/src/github.com/hyperledger/fabric-ca$ fabric-ca-server start -b admin:adminpw -d
2018/12/06 13:22:19 [INFO] Configuration file location: /home/jdblkchn/work/src/github.com/hyperledger/fabric-ca/fabric-ca-server-config.yaml
2018/12/06 13:22:19 [INFO] Starting server in home directory: /home/jdblkchn/work/src/github.com/hyperledger/fabric-ca
2018/12/06 13:22:19 [INFO] Server Version: 1.3.1
2018/12/06 13:22:19 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2018/12/06 13:22:19 [DEBUG] Making server filenames absolute
2018/12/06 13:22:19 [DEBUG] Initializing default CA in directory /home/jdblkchn/work/src/github.com/hyperledger/fabric-ca
2018/12/06 13:22:19 [DEBUG] Init CA with home /home/jdblkchn/work/src/github.com/hyperledger/fabric-ca and config {Version:1.3.1 Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name: Keyfile: Certfile:ca-cert.pem Chainfile:ca-chain.pem} Signing:0xc0001d4820 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[ubuntuvm1 localhost] KeyRequest:0xc00000cea0 CA:0xc00000cf20 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1 hf.Registrar.Roles:* hf.Registrar.DelegateRoles:*] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc00000cac0 Client: Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR: Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2018/12/06 13:22:19 [DEBUG] CA Home Directory: /home/jdblkchn/work/src/github.com/hyperledger/fabric-ca
2018/12/06 13:22:19 [DEBUG] Checking configuration file version '1.3.1' against server version: '1.3.1'
2018/12/06 13:22:19 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:0xc000183da0 PluginOpts:}
2018/12/06 13:22:19 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc0001cf8c0 DummyKeystore:}
2018/12/06 13:22:19 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: %!s() Could not find default `PKCS11` BCCSP
```
I have no clue why this error is there. I am wondering if I have to create a Docker image as referenced in https://jira.hyperledger.org/browse/FAB-6161. Please advise.

ashutosh_kumar (Thu, 06 Dec 2018 15:28:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5HzpEqxXP73gPXur9) @JoydeepSarkar Remove the sw section from the yaml file and restart the server. I do not think this issue is directly related to FAB-6161.

skarim (Thu, 06 Dec 2018 15:32:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8hvqeq58vSx6SY69A) @npc0405 The types associate to what you are registering. If you want to enroll a peer, you would register an identity of type 'peer'. The same for the orderer and so on. The types are arbitrary; the CA does not put restrictions on what can be a type. And the last I checked, Fabric really doesn't do much validation on type currently either.

MuhammedHafil (Thu, 06 Dec 2018 16:14:41 GMT):
Is there any documentation about getting started with the fabric-ca-server API other than the swagger file?

jrosmith (Thu, 06 Dec 2018 16:30:49 GMT):
@MuhammedHafil here are the latest [docs](https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#fabric-ca-server) for fabric-ca-server

MuhammedHafil (Thu, 06 Dec 2018 16:33:14 GMT):
To be honest, I have read almost 60% of that doc. Still, I was not able to make any call to the API. I tried with localhost:caport

JoydeepSarkar (Thu, 06 Dec 2018 18:59:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=77YQF5wAjWE4ippWH) @ashutosh_kumar Still seeing the same error.

ashutosh_kumar (Thu, 06 Dec 2018 19:07:21 GMT):
Can you put your log here?

JoydeepSarkar (Thu, 06 Dec 2018 19:09:24 GMT):
```
jd@ubuntuvm1:~/work/src/github.com/hyperledger/fabric-ca$ fabric-ca-server start -b admin:adminpw -d
2018/12/06 19:07:55 [INFO] Configuration file location: /home/jd/work/src/github.com/hyperledger/fabric-ca/fabric-ca-server-config.yaml
2018/12/06 19:07:55 [INFO] Starting server in home directory: /home/jd/work/src/github.com/hyperledger/fabric-ca
2018/12/06 19:07:55 [INFO] Server Version: 1.3.1
2018/12/06 19:07:55 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2018/12/06 19:07:55 [DEBUG] Making server filenames absolute
2018/12/06 19:07:55 [DEBUG] Initializing default CA in directory /home/jd/work/src/github.com/hyperledger/fabric-ca
2018/12/06 19:07:55 [DEBUG] Init CA with home /home/jd/work/src/github.com/hyperledger/fabric-ca and config {Version:1.3.1 Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name: Keyfile: Certfile:ca-cert.pem Chainfile:ca-chain.pem} Signing:0xc000242690 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[ubuntuvm1 localhost] KeyRequest:0xc00023fd20 CA:0xc00023fda0 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Registrar.Attributes:* hf.AffiliationMgr:1 hf.Registrar.Roles:* hf.Registrar.DelegateRoles:* hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1] }]} Affiliations:map[org1:[department1 department2] org2:[department1]] LDAP:{ Enabled:false URL:ldap://****:****@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc00023eba0 Client: Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR: Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2018/12/06 19:07:55 [DEBUG] CA Home Directory: /home/jd/work/src/github.com/hyperledger/fabric-ca
2018/12/06 19:07:55 [DEBUG] Checking configuration file version '1.3.1' against server version: '1.3.1'
2018/12/06 19:07:55 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts: PluginOpts:}
2018/12/06 19:07:55 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: %!s() Could not find default `PKCS11` BCCSP
```

ashutosh_kumar (Thu, 06 Dec 2018 19:11:32 GMT):
Did you configure your SoftHSM?

JoydeepSarkar (Thu, 06 Dec 2018 19:14:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8sA6ZzpnLGKyRTLxh) @ashutosh_kumar Yes. I used OpenSSL. I followed the steps mentioned here: https://github.com/opendnssec/SoftHSMv2. And I am able to generate the tokens in multiple slots as well.

ashutosh_kumar (Thu, 06 Dec 2018 19:16:17 GMT):
Looks like a problem with your yaml file.

JoydeepSarkar (Thu, 06 Dec 2018 19:18:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7WQ7qYgvFLLpBmH8w) Do you think there could be permission issues? The softhsm libs are all owned by root and the CA server is running as the jdblkchn user. And the same yaml file works well with the SW option. It is the default yaml I am using, which gets generated when starting the server for the first time. The only customization is the PKCS11.

ashutosh_kumar (Thu, 06 Dec 2018 19:21:14 GMT):
I do not think so. But you can try.

ashutosh_kumar (Thu, 06 Dec 2018 19:21:33 GMT):
You can run SoftHSM as non-root.

JoydeepSarkar (Thu, 06 Dec 2018 19:27:49 GMT):
Alright. Let me try that out as well.

mallikarjunasai995 (Fri, 07 Dec 2018 03:52:39 GMT):
What is the difference between ABAC (attribute-based access control) and typical ACLs (access control lists) in Fabric?

MuhammedHafil (Fri, 07 Dec 2018 05:46:01 GMT):
https://stackoverflow.com/questions/53663865/how-do-i-access-fabric-ca-server-rest-api

mallikarjunasai995 (Fri, 07 Dec 2018 05:56:38 GMT):
What is the difference between registering a user and enrolling a user?

MuhammedHafil (Fri, 07 Dec 2018 06:02:39 GMT):
https://stackoverflow.com/questions/53663865/how-do-i-access-fabric-ca-server-rest-api

Taffies (Fri, 07 Dec 2018 07:26:16 GMT):
Hi, I got this error while trying to create a channel: `2018-12-07 07:25:17.343 UTC [msp] GetDefaultSigningIdentity -> DEBU 036 Obtaining default signing identity Error: failed to create deliver client: failed to load config for OrdererClient: unable to load orderer.tls.clientKey.file: open : no such file or directory`. Does anyone know what this error message is about?


pujabhattad (Fri, 07 Dec 2018 07:49:42 GMT):
`fabric_ca_client.register({enrollmentID: 'user1', affiliation: 'org1.department1',role: 'client'}, admin_user);` and `fabric-ca-client register --id.name ${ORG_NAME} --id.secret pwd1 --id.type user --id.attrs "tradelimit=10000:ecert" -u http://ca:7054` -- are `role` in the first call and `--id.type` in the second command the same?

jastisriradheshyam (Fri, 07 Dec 2018 08:14:05 GMT):
How can we change an identity's password in the CA?

pujabhattad (Fri, 07 Dec 2018 08:25:12 GMT):
`fabric-ca-client register --id.name User1 --id.secret pwd1 --id.type user`, how can we give a role to User1 in this command?

mallikarjunasai995 (Fri, 07 Dec 2018 10:15:13 GMT):
Where are we creating an asset, and at what time is it persisted into the ledger?

GowriR (Fri, 07 Dec 2018 10:26:48 GMT):
Hi All, apart from the fabric-ca documentation, is there any help in understanding how fabric-ca identities, roles and attributes map to client SDK (UI) roles and to what a chaincode can do (access control lists)? A glossary in addition would be great too

GowriR (Fri, 07 Dec 2018 10:55:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bMQug6toafDhPA6zm) The purpose is to have the roles Admin (who can start the ledger and create and join channels), transactor (who can be allowed to transact on the CC) and guest (who can query the chaincode). The next step would be to have granularity in the levels of the transactor and chaincode functions

MuhammedHafil (Fri, 07 Dec 2018 11:33:03 GMT):
Can anybody share a code example of interacting with the CA via the REST API?

MuhammedHafil (Fri, 07 Dec 2018 11:33:06 GMT):
Thanks

JoydeepSarkar (Fri, 07 Dec 2018 12:48:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zu5H72esGdpWSLHJh) @ashutosh_kumar No luck. Still running into the same issues. All my attempts ended up with the same error message, but from the log it is not very conclusive where the error is. Is there a comprehensive document or guideline available that one can refer to? Any suggestion is welcome.

skarim (Fri, 07 Dec 2018 15:07:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LBoY5QNdNCrfpmMhH) @mallikarjunasai995 ABAC is for access control in chaincode only, based on attributes in the invoker's certificate

skarim (Fri, 07 Dec 2018 15:08:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=v6YLHGY7ccHbfQCcD) @mallikarjunasai995 Registering a user means that you define the properties of this identity, such as affiliation, type, etc. Enrollment time is when the actual enrollment certificate is issued for the identity

skarim (Fri, 07 Dec 2018 15:08:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WRxEa6qokjvBGiRdS) @jastisriradheshyam https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#modifying-an-identity

skarim (Fri, 07 Dec 2018 15:09:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5Yt8gmPQuEyCjE5MY) @pujabhattad you are giving this user the role of 'user', type = role

ashutosh_kumar (Fri, 07 Dec 2018 15:10:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aiCp34k58QmSnS9MQ) @JoydeepSarkar Can you paste your log here?

ashutosh_kumar (Fri, 07 Dec 2018 15:11:13 GMT):
And you are not running Docker, right?

mbanerjee (Fri, 07 Dec 2018 21:07:54 GMT):
Has joined the channel.

jesus-alastria (Sun, 09 Dec 2018 00:59:56 GMT):
Has joined the channel.

mallikarjunasai995 (Sun, 09 Dec 2018 11:02:25 GMT):
```
./trade.sh generate -c tradechannel
Generating certs and genesis block with channel 'tradechannel'
Continue? [Y/n] Y
proceeding ...
cryptogen tool not found. exiting
```

mallikarjunasai995 (Sun, 09 Dec 2018 11:03:07 GMT):
Any thoughts on how to solve the above query? I did make cryptogen in that folder; that also failed to work.

javapriyan (Sun, 09 Dec 2018 17:12:58 GMT):
Has joined the channel.

javapriyan (Sun, 09 Dec 2018 17:18:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Pj5aFkF8Ft7tQfRBS) @mallikarjunasai995 Set the path variable for your crypto tools

JoydeepSarkar (Sun, 09 Dec 2018 19:44:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HJKFMbKxzv6pgPCs2) @ashutosh_kumar Here is the log. I ran the CA as root
```
root@ubuntuvm1:/home/jdblkchn/work/src/github.com/hyperledger/fabric-ca# /home/jdblkchn/go/bin/fabric-ca-server start -b admin:adminpw -d
2018/12/09 19:40:59 [INFO] Configuration file location: /home/jdblkchn/work/src/github.com/hyperledger/fabric-ca/fabric-ca-server-config.yaml
2018/12/09 19:40:59 [INFO] Starting server in home directory: /home/jdblkchn/work/src/github.com/hyperledger/fabric-ca
2018/12/09 19:40:59 [INFO] Server Version: 1.3.1
2018/12/09 19:40:59 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2018/12/09 19:40:59 [DEBUG] Making server filenames absolute
2018/12/09 19:40:59 [DEBUG] Initializing default CA in directory /home/jdblkchn/work/src/github.com/hyperledger/fabric-ca
2018/12/09 19:40:59 [DEBUG] Init CA with home /home/jdblkchn/work/src/github.com/hyperledger/fabric-ca and config {Version:1.3.1 Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name: Keyfile: Certfile:ca-cert.pem Chainfile:ca-chain.pem} Signing:0xc0002e7f20 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[ubuntuvm1 localhost] KeyRequest:0xc000300280 CA:0xc000300300 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.AffiliationMgr:1 hf.Registrar.Roles:* hf.Registrar.DelegateRoles:* hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:*] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc0003003c0 Client: Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR: Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2018/12/09 19:40:59 [DEBUG] CA Home Directory: /home/jdblkchn/work/src/github.com/hyperledger/fabric-ca
2018/12/09 19:40:59 [DEBUG] Checking configuration file version '1.3.1' against server version: '1.3.1'
2018/12/09 19:40:59 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts: PluginOpts:}
2018/12/09 19:40:59 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: %!s() Could not find default `PKCS11` BCCSP
```

JoydeepSarkar (Sun, 09 Dec 2018 19:45:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MsFGuWhfzJBzZDyEn) And I am not running Docker. Any clue?

vtech (Mon, 10 Dec 2018 08:14:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uZu2XYvP68RZJhAGH) @JoydeepSarkar It works with the latest build... last I tried with 1.4.0-snapshot-cb7353f as in FAB-12427. Can you print your fabric-ca-server version? From the logs I see you are using 1.3.1

JoydeepSarkar (Mon, 10 Dec 2018 08:16:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7vppyfb2hPYxMSsmW) @vtech It is 1.3.1. Will it be possible to provide the steps you performed?

vtech (Mon, 10 Dec 2018 08:17:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uADC5QDv3SpZTcsoZ) @JoydeepSarkar It did not work with 1.3; use the master branch and then build fabric-ca. https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#install

JoydeepSarkar (Mon, 10 Dec 2018 08:24:36 GMT):
Alright. Let me try with master.

GowriR (Mon, 10 Dec 2018 12:15:46 GMT):
Hello all, what are the use cases for the roles client, user, peer, validator, auditor and ca with fabric-ca? What should I use if I have the peer creating transactions for a client and the client responding to the peers?

GowriR (Mon, 10 Dec 2018 12:16:35 GMT):
And what are the equivalent functions in the node SDK?

GowriR (Mon, 10 Dec 2018 12:18:32 GMT):
I have 3 CAs for each peer in each org.

JoydeepSarkar (Mon, 10 Dec 2018 12:37:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zazPTAkYc3oryLFsE) @vtech I cloned the master code and this is failing as well. But the version is still showing 1.3.1 (git clone https://github.com/hyperledger/fabric-ca.git).

JoydeepSarkar (Mon, 10 Dec 2018 12:39:36 GMT):
Where can I get the 1.4.0-snapshot-cb7353f from?

mallikarjunasai995 (Mon, 10 Dec 2018 14:07:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FTEXMNZsF4SfEruJd) @skarim thanks Skarim

krabradosty (Mon, 10 Dec 2018 16:25:19 GMT):
Hello! Can I use the same certificate for msp and tls?

ashutosh_kumar (Mon, 10 Dec 2018 22:24:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hb6ow64MQuA73eAqo) @krabradosty You can, but it is not advisable.

mhs22 (Tue, 11 Dec 2018 04:10:53 GMT):
Hey guys, what is the difference between the fabric-ca-* images and fabric-*? For example, fabric-ca-orderer and fabric-orderer, fabric-peer and fabric-ca-peer.

YashParihar (Tue, 11 Dec 2018 04:22:35 GMT):
Has joined the channel.

MuhammedHafil (Tue, 11 Dec 2018 05:16:42 GMT):
Can anybody provide a fabric-ca server REST API code sample?

vtech (Tue, 11 Dec 2018 05:28:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6eMEEwncWXPRAaMRF) @JoydeepSarkar After cloning you need to checkout the master through git.

GowriR (Tue, 11 Dec 2018 05:40:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XijGJC2w9LDiAx2Z2) @mhs22 CA for the orderer and the peer

GowriR (Tue, 11 Dec 2018 06:19:25 GMT):
Hello, what is mutual TLS? I understand that it is when the peer can act as a server and a client. How is the fabric-ca involved here? I read this: https://hyperledger-fabric.readthedocs.io/en/release-1.2/enable_tls.html, but I need more clarity to read between the lines.

GowriR (Tue, 11 Dec 2018 06:19:27 GMT):
Thanks

hyper_learner_ak (Tue, 11 Dec 2018 07:03:27 GMT):
Hi, I am getting an error with first-network in fabric-samples when bringing the CA containers up: `Error: Failed to find private key for certificate in '/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem': Could not find matching private key for SKI: Failed getting key for SKI`

krabradosty (Tue, 11 Dec 2018 08:34:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sLsnz23LKM3MFMoWH) @ashutosh_kumar Why? I don't see any security problem in using one key for both purposes.

zhuquanbin (Tue, 11 Dec 2018 08:55:39 GMT):
Has joined the channel.

FlorianStoica (Tue, 11 Dec 2018 10:47:07 GMT):
Has joined the channel.

MuhammedHafil (Tue, 11 Dec 2018 11:59:04 GMT):
Is there anyone who has communicated successfully with the fabric-ca server REST API?

MuhammedHafil (Tue, 11 Dec 2018 11:59:16 GMT):
Please help if you have

vtech (Tue, 11 Dec 2018 13:05:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bBFg4iW7f3BYsLCi9) @MuhammedHafil Just googled; see if this helps you: https://github.com/Altoros/fabric-rest

MuhammedHafil (Tue, 11 Dec 2018 13:06:56 GMT):
No, I did not mean that. I have seen that too. It was an issue with SSL verification in Postman.

MuhammedHafil (Tue, 11 Dec 2018 13:07:05 GMT):
Thanks

ashutosh_kumar (Tue, 11 Dec 2018 15:30:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ibeEdYyx5Begxj8BL) @krabradosty Your TLS cert should have the correct domain name in the CN field or some other field, and some implementations check for keyUsage also.

ashutosh_kumar (Tue, 11 Dec 2018 15:31:16 GMT):
From a crypto perspective, there is no issue.

JaccobSmith (Wed, 12 Dec 2018 02:36:45 GMT):
Hello, can't a normal user change his own secret?

JaccobSmith (Wed, 12 Dec 2018 02:37:43 GMT):
I must use a user who has the attribute "hf.Registrar.Role:User" to change a normal user's secret.

JaccobSmith (Wed, 12 Dec 2018 03:04:53 GMT):
Interesting, I can't change my secret, but others can :rofl:

JaccobSmith (Wed, 12 Dec 2018 03:21:23 GMT):
OK, I changed this myself:

JaccobSmith (Wed, 12 Dec 2018 03:21:44 GMT):
```go
func (ctx *serverRequestContextImpl) CanManageUser(user spi.User) error {
	userAff := strings.Join(user.GetAffiliationPath(), ".")
	err := ctx.ContainsAffiliation(userAff)
	if err != nil {
		return err
	}
	// Added check: a caller is always allowed to manage its own identity.
	caller, err := ctx.GetCaller()
	if err != nil {
		return err
	}
	if user.GetName() == caller.GetName() {
		return nil
	}
	userType := user.GetType()
	err = ctx.CanActOnType(userType)
	if err != nil {
		return err
	}
	return nil
}
```

Taffies (Wed, 12 Dec 2018 04:03:02 GMT):
Hi, I have mutual TLS enabled on my orderer and peer, and I am trying to configure mutual TLS on my SDK. I currently have two questions regarding this: (1) Can the client key and cert files be written into the common configuration profile, or do I need to set them manually? (I am looking at https://fabric-sdk-node.github.io/release-1.3/tutorial-mutual-tls.html but don't quite understand it. Why do they use the same set of certs for both orderer and peer?) (2) If my invoke requires multiple endorsements from the peers, do I need to provide mutual TLS on every single peer?

MuhammedHafil (Wed, 12 Dec 2018 06:34:30 GMT):
Can somebody provide a sample request for enrolling with the fabric-ca REST API? What is the data required in the `request` and `profile` fields?
```json
{
  "request": "string",
  "profile": "string",
  "label": "string",
  "caname": "string",
  "attr_reqs": [
    {
      "name": "string",
      "optional": true
    }
  ]
}
```

JaccobSmith (Wed, 12 Dec 2018 06:53:54 GMT):
Like this:

JaccobSmith (Wed, 12 Dec 2018 06:53:57 GMT):
```
curl -H 'Authorization: Basic YWRtaW46YWRtaW5wdw==' \
  https://localhost:7055/enroll -X POST \
  -d '{"hosts":["localhost"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBRzCB7wIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWdO3LtCPqEFRSQU9\nMy9K15raAr6DLtq5C470HnJOg9f620zZgpmw2zAO8qkILbDM9L327lzuacqzkXjW\nltcjhaAwMC4GCSqGSIb3DQEJDjEhMB8wHQYDVR0RBBYwFIIHZGVmYXVsdIIJbG9j\nYWxob3N0MAoGCCqGSM49BAMCA0cAMEQCIBqZtS7BCYiWXdrKe47IICFuOeF4Vwax\nZXLVnwdbsk9zAiBEQOEulKn032wA/L4S0/DP2jY5SouNTOYKRJZsWoV41Q==\n-----END CERTIFICATE REQUEST-----\n","subject":{"CN":"admin","name":"peer"},"attr_reqs":[{"name":"hf.IntermediateCA","optional":false}]}' \
  --cacert ../server2/ca-chain.pem
```

JaccobSmith (Wed, 12 Dec 2018 06:54:34 GMT):
The header is generated by running `echo -n admin:adminpw | openssl base64`.

JaccobSmith (Wed, 12 Dec 2018 06:56:08 GMT):
The data part includes a CSR and your cert's subject, attributes, etc.

JaccobSmith (Wed, 12 Dec 2018 06:56:44 GMT):
It's just the normal token way.

AndresMartinezMelgar.itcl (Wed, 12 Dec 2018 07:27:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yqo5phi5GxdeZczyW) @JaccobSmith Sorry, but what is a secret? Is it a password? I am confused (obviously a secret is something that no one knows ^^).

JaccobSmith (Wed, 12 Dec 2018 07:33:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HF6Weyb4mnmTLPKZy) @AndresMartinezMelgar.itcl Yes, it's just the password. You can try it with the current version of fabric-ca: you register a user with an administrator, then you use the user you just registered to enroll, and try using this user's MSP to change his password. You will get "Authorization failed".

AndresMartinezMelgar.itcl (Wed, 12 Dec 2018 07:34:07 GMT):
OK, thanks.

halilkalkan (Wed, 12 Dec 2018 13:08:06 GMT):
Hello everyone, can we verify a public key to ensure it's valid by sending a request to the CA? For instance, we want to check whether someone's certificate is still valid or not.

skarim (Wed, 12 Dec 2018 14:37:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=C763v3FFKmMCfGHop) @halilkalkan When you say valid, you mean that the certificate has been issued by the CA you send the request to?

JackMalinowski (Wed, 12 Dec 2018 15:57:17 GMT):
Has joined the channel.

rickr (Wed, 12 Dec 2018 22:13:37 GMT):
I just started with a download of v1.4 and I'm seeing:
```
ca_peerOrg1 | 2018/12/12 22:08:09 [INFO] signed certificate with serial number 198078304431284398020714115240217937369962737112
ca_peerOrg1 | 2018/12/12 22:08:09 [DEBUG] Closing server DBs
ca_peerOrg1 | Error: Failed to store certificate: open /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem: read-only file system
ca_peerOrg2 exited with code 1
ca_peerOrg1 exited with code 1
peer1.org2.example.com exited with code 1
peer1.org1.example.com exited with code 1
```
The JSDK has always mounted this as read-only to avoid corruption (which was once seen and made running more than once not possible):
```yaml
ca0:
  image: hyperledger/fabric-ca${IMAGE_TAG_FABRIC_CA}
  environment:
    - FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_CA_NAME=ca0
    - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
    - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/fcf776b02a05600408d0be9d9752afc59f64950b721cacb363b5b95a0fea6216_sk
    - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
    - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/fcf776b02a05600408d0be9d9752afc59f64950b721cacb363b5b95a0fea6216_sk
    - FABRIC_CA_SERVER_REGISTRY_MAXENROLLMENTS=-1
  ports:
    - "7054:7054"
  command: bash -c 'cp -R /tmp/msp /etc/hyperledger/fabric-ca-server; mv /etc/hyperledger/fabric-ca-server/msp/*PublicKey /etc/hyperledger/fabric-ca-server; fabric-ca-server start -b admin:adminpw ${V11_IDENTITIES_ALLOWREMOVE} ${V11_AFFILIATIONS_ALLOWREMOVE} ${ORG_HYPERLEDGER_FABRIC_SDKTEST_INTEGRATIONTESTS_CA_TLS} -d'
  volumes:
    - ./e2e-2Orgs/${FAB_CONFIG_GEN_VERS}/crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config:ro
    - ./e2e-2Orgs/${FAB_CONFIG_GEN_VERS}/crypto-config/peerOrganizations/org3.example.com/msp/:/tmp/msp:ro
  container_name: ca_peerOrg1
```
Notice the *:ro* at the end of the volumes.

rickr (Wed, 12 Dec 2018 22:24:26 GMT):
It was a bad configuration issue; however, the message was a bit misleading.

skarim (Thu, 13 Dec 2018 03:05:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aEAMKHq5jAqif3GAb) @rickr What was the bad configuration?

qizhang (Thu, 13 Dec 2018 03:25:44 GMT):
My client ran into the following issue when it tries to connect to the orderer. It looks like it is because the openssl on my client cannot use the cacert to successfully verify the orderer certificate. Details are as follows; any suggestion to solve it? Thanks! The client error msg:
```
info: [PTE 0 util]: [getTLSCert] key: orderer, subkey: orderer0
info: [PTE 0 main]: [clientNewOrderer] orderer: grpcs://zaci-43.pok.ibm.com:5005
E1212 17:27:53.080721112 44583 ssl_transport_security.cc:1227] Handshake failed with fatal error SSL_ERROR_SSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed.
E1212 17:27:54.081753813 44583 ssl_transport_security.cc:1227] Handshake failed with fatal error SSL_ERROR_SSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed.
E1212 17:27:55.391927501 44583 ssl_transport_security.cc:1227] Handshake failed with fatal error SSL_ERROR_SSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed.
```
If I use openssl to manually verify the orderer certificate with `openssl s_client --CAfile /root/git/src/github.com/hyperledger/fabric/common/tools/cryptogen/crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlscacerts/tlsca.example.com-cert.pem -showcerts -connect zaci-43.pok.ibm.com:5005`, it gives the following error:
```
CONNECTED(00000007)
depth=1 C = US, ST = California, L = San Francisco, O = example.com, CN = tlsca.example.com
verify error:num=26:unsupported certificate purpose
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, CN = orderer0.example.com
   i:C = US, ST = California, L = San Francisco, O = example.com, CN = tlsca.example.com
-----BEGIN CERTIFICATE-----
MIICWzCCAgKgAwIBAgIQfW6KND3qc6WhbTUnaiewSzAKBggqhkjOPQQDAjBsMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
YW5jaXNjbzEUMBIGA1UEChMLZXhhbXBsZS5jb20xGjAYBgNVBAMTEXRsc2NhLmV4
YW1wbGUuY29tMB4XDTE4MTIxMzAzMTQwMFoXDTI4MTIxMDAzMTQwMFowWTELMAkG
A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFu
Y2lzY28xHTAbBgNVBAMTFG9yZGVyZXIwLmV4YW1wbGUuY29tMFkwEwYHKoZIzj0C
AQYIKoZIzj0DAQcDQgAEVda13Na/vHBEvDOhURpepli3a9gD16wv8H1O/S3Wgt44
Nhy1605aMSZYCWPok/JTeL5iJfS/q6rAkN2e7kv8GaOBmDCBlTAOBgNVHQ8BAf8E
BAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQC
MAAwKwYDVR0jBCQwIoAg7tkV6l6Yel2CZIug5EWR2hNNF4ZuIlohqwQXwJukEIYw
KQYDVR0RBCIwIIIUb3JkZXJlcjAuZXhhbXBsZS5jb22CCG9yZGVyZXIwMAoGCCqG
SM49BAMCA0cAMEQCIHAFQV6wpnqRTbaEZKv7FLFRsFF2CVi8uoLLkdP96oFTAiAW
IeXUOBRdU+wD4sfIaaAaMbHCjWPDMT2JGeYQ/tqP+A==
-----END CERTIFICATE-----
---
Server certificate
subject=C = US, ST = California, L = San Francisco, CN = orderer0.example.com
issuer=C = US, ST = California, L = San Francisco, O = example.com, CN = tlsca.example.com
---
No client certificate CA names sent
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 888 bytes and written 416 bytes
Verification error: unsupported certificate purpose
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 90587BA15272D747DA72BBF94935867C0923C53C78396CD7A40939427319DB3907DC5AECE6696294D8764C877D0DE312
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1544671221
    Timeout   : 7200 (sec)
    Verify return code: 26 (unsupported certificate purpose)
    Extended master secret: no
---
read:errno=0
```

javapriyan (Thu, 13 Dec 2018 04:41:31 GMT):
What are the other commonly used CAs, other than the official one? Has anybody tried AWS Certificate Manager?

halilkalkan (Thu, 13 Dec 2018 05:17:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2EbrndpKcqEXpuy3t) @skarim Yes, actually I want to make sure that when someone comes with a certificate (public key), I'm going to check with their CA and say "yes, you are right".

prafullrawal (Thu, 13 Dec 2018 06:05:57 GMT):
Has joined the channel.

prafullrawal (Thu, 13 Dec 2018 06:07:14 GMT):
Hello everyone, can someone please help me with this? https://stackoverflow.com/questions/53755227/cas-enrollment-registration-for-hyperledger-fabric-for-multi-organizational

JayJong (Thu, 13 Dec 2018 07:58:15 GMT):
Hi guys, I keep getting this error: `Error: Calling enrollment endpoint failed with error [Error: connect ECONNREFUSED`. I'm using Kubernetes, so my NodePort is 30000 in this case. It usually works when I'm not using a VPC. Now that my master node is on a private subnet, I get this problem. Can anyone shed some light on this?

JayJong (Thu, 13 Dec 2018 08:01:11 GMT):
When I go into the CA docker logs, it says `[DEBUG] Cleaning up expired nonces for CA 'ca'`. What does this mean?

boymiss (Thu, 13 Dec 2018 08:37:41 GMT):
Has joined the channel.

edwardlee (Thu, 13 Dec 2018 08:50:02 GMT):
Has joined the channel.

boymiss (Thu, 13 Dec 2018 08:53:59 GMT):
Hello

AmanAgrawal (Thu, 13 Dec 2018 12:44:15 GMT):
Has joined the channel.

AmanAgrawal (Thu, 13 Dec 2018 12:55:40 GMT):
Hello, facing the error below during CA container creation:
```
Error: Failed to find private key for certificate in '/etc/hyperledger/fabric-ca-server-config/ca.depot2.ids.com-cert.pem': Could not find matching private key for SKI: Failed getting key for SKI [[34 70 204 151 153 44 153 10 212 1 175 160 201 214 119 116 57 151 133 234 144 85 207 205 239 180 246 170 205 231 193 223]]: Key with SKI 2246cc97992c990ad401afa0c9d67774399785ea9055cfcdefb4f6aacde7c1df not found in /etc/hyperledger/fabric-ca-server/msp/keystore
```

varubasi77 (Thu, 13 Dec 2018 14:48:47 GMT):
Has joined the channel.

smeyers (Thu, 13 Dec 2018 22:39:44 GMT):
Has joined the channel.

smeyers (Thu, 13 Dec 2018 22:42:32 GMT):
Is anyone able to clarify the point of enroll vs reenroll? The situation I am running into is when I bootstrap the orderer genesis block with the admin certs from an organization. Then, when the peer starts up and enrolls with the same credentials on the same CA, it says the certs are not admin certs for the organization. The channel join works if I copy and paste the certs from the orderer to the peer, but I don't see that as an ideal situation. Shouldn't I be able to enroll multiple times from separate entities and receive the same certs?

avestaa (Fri, 14 Dec 2018 11:16:57 GMT):
Has joined the channel.

skarim (Fri, 14 Dec 2018 17:31:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AffkYdoLxpZPuLHzk) @smeyers `it says the certs are not admin certs for the organization`: do you have the exact error from the CA? I am not aware of such an error. But no, you will not get back the same certs for enroll/reenroll. An enroll/reenroll is based on a new key pair, and it will never be the same. In your CA you should have an orderer identity and a peer identity, and enroll each one with its respective identity.

skarim (Fri, 14 Dec 2018 17:31:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5xmDhft8Zaz28NY9a) @AmanAgrawal Do you have the full logs?

skarim (Fri, 14 Dec 2018 17:34:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YSzg8Z4w3gRBvSACp) @halilkalkan The CA has a certificate API. You can use this to search for a certificate based on serial and aki, and if the CA returns a match then the certificate was issued by this particular CA. See doc: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#listing-certificate-information

mkhraisha (Fri, 14 Dec 2018 21:23:08 GMT):
Has joined the channel.

mkhraisha (Fri, 14 Dec 2018 21:23:14 GMT):
When I try to connect to a fabric I get the error: `Hostname/IP doesn't match certificate's altnames: "$IPNAMEHERE is not in the cert's list:"`. And I can't seem to figure it out. I tried changing the name of the CA on init like so: `fabric-ca-init -b BOOTSTRAP USERPASS --csr.cn IPNAME`, and yet that error persists. Is there a way to add a hostname/IP to the certificate?

MuhammedHafil (Sun, 16 Dec 2018 07:58:07 GMT):
Is it possible to change attributes of a user after registering?

MuhammedHafil (Sun, 16 Dec 2018 07:58:46 GMT):
@skarim @aambati

skarim (Sun, 16 Dec 2018 17:33:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2htnHHFiuacsW3CRh) @MuhammedHafil Yes, see https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#modifying-an-identity

DJ_HC (Sun, 16 Dec 2018 18:18:54 GMT):
Has joined the channel.

GuillaumeTong (Mon, 17 Dec 2018 02:06:50 GMT):
Hi, how can I use Idemix? Is there any available tutorial currently? I have tried using the fabric-ca-client CLI v1.4.0-rc1 (with matching fabric-ca) like so:
```
$ ./fabric-ca-client enroll -u http://admin:pass@localhost:7054 -H . --enrollment.type idemix
```
but I get:
```
Error: Failed to parse response: 404 page not found : invalid character 'p' after top-level value
```
The x509 enrollment works for me:
```
$ ./fabric-ca-client enroll -u http://admin:pass@localhost:7054 -H .
2018/12/17 09:55:52 [INFO] generating key: &{A:ecdsa S:256}
2018/12/17 09:55:52 [INFO] encoded CSR
2018/12/17 09:55:53 [INFO] Stored client certificate at [...]msp/signcerts/cert.pem
2018/12/17 09:55:53 [INFO] Stored root CA certificate at [...]msp/cacerts/localhost-7054.pem
```
I have seen mentions of the `/api/v1/idemix/credential` API endpoint, and it seems the CLI is trying to connect to `idemix/credential`, so I have tried to send requests to both using curl and Postman, which did not work. I have also seen that the issue of making Idemix work end-to-end with the Java SDK is marked as done: https://jira.hyperledger.org/browse/FABJ-331 But so far I haven't been able to make it work with either type of enrollment.

GuillaumeTong (Mon, 17 Dec 2018 02:24:12 GMT):
@GuillaumeTong As a side note, does anyone know where I could find documentation for the Java SDK? I currently have to resort to looking into the source code, and it is not efficient.

dinoradulovic (Mon, 17 Dec 2018 02:49:10 GMT):
Has joined the channel.

skarim (Mon, 17 Dec 2018 03:44:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5FNrddhH2fS9JXacv) @GuillaumeTong Which version of fabric ca server are you using? Please execute `fabric-ca-server version` and post output.

skarim (Mon, 17 Dec 2018 03:44:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DMQzogxkPn8hxqXHe) @GuillaumeTong You might want to ask in #fabric-sdk-java

MuhammedHafil (Mon, 17 Dec 2018 04:58:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MfWNxHiFnucHLoma7) @skarim This will not change the user's identity certificates, right?

NickXie (Mon, 17 Dec 2018 06:07:26 GMT):
Has joined the channel.

GuillaumeTong (Mon, 17 Dec 2018 06:32:02 GMT):
@skarim
```
$ ./fabric-ca-server version
fabric-ca-server:
 Version: 1.4.0-snapshot-236dec5
 Go version: go1.10.3
 OS/Arch: linux/amd64
```
```
$ ./fabric-ca-client version
fabric-ca-client:
 Version: 1.4.0-snapshot-236dec5
 Go version: go1.10.3
 OS/Arch: linux/amd64
```

Thomas-tuo (Mon, 17 Dec 2018 06:52:34 GMT):
Has joined the channel.

jd232 (Mon, 17 Dec 2018 07:36:10 GMT):
Has joined the channel.

halilkalkan (Mon, 17 Dec 2018 08:47:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9iDcyHkXebfrMeJhv) Thank you for your response, but my main concern here is that this certificate may come from another CA for which I don't have admin rights. Assume I'm running Org1 and Org2 comes with their own certificate; I'm linking an asset with their certificate attributes. But before linking the asset, I want to check whether this certificate is coming from Org2's CA. I hope I could explain the problem properly.

aviralwal (Mon, 17 Dec 2018 11:45:20 GMT):
Has joined the channel.

souravbadami (Mon, 17 Dec 2018 12:27:25 GMT):
Has joined the channel.

smeyers (Mon, 17 Dec 2018 17:46:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=grC73LcEoJuJhqsPs) @skarim Thank you for the reply, that does answer my question. I do have one more question on top of this then. I haven't been able to see a way to get the exact same certificate from the CA, for instance the cert for `peer0` of an org. Is it possible to retrieve the same cert from the CA without regenerating a new one from a key pair? Currently, I have an automated service to copy and move the certs from entity to entity, but it is cumbersome and clunky.

yulong12 (Tue, 18 Dec 2018 02:48:25 GMT):
How do I use fabric-ca to generate idemix certs?

AmanAgrawal (Tue, 18 Dec 2018 10:43:51 GMT):
@skarim Please see below full error stack:

AmanAgrawal (Tue, 18 Dec 2018 10:43:53 GMT):
```
2018/12/18 10:39:53 [DEBUG] Home directory: /etc/hyperledger/fabric-ca-server
2018/12/18 10:39:53 [DEBUG] parent server URL: ''
2018/12/18 10:39:53 [INFO] Created default configuration file at /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
2018/12/18 10:39:53 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
2018/12/18 10:39:53 [DEBUG] Set log level: 
2018/12/18 10:39:53 [INFO] Server Version: 1.4.0-rc1
2018/12/18 10:39:53 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2018/12/18 10:39:53 [DEBUG] Making server filenames absolute
2018/12/18 10:39:53 [DEBUG] Initializing default CA in directory /etc/hyperledger/fabric-ca-server
2018/12/18 10:39:53 [DEBUG] Init CA with home /etc/hyperledger/fabric-ca-server and config {Version:1.4.0-rc1 Cfg:{Identities:{PasswordAttempts:10 AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name:ca-org2 Keyfile:/etc/hyperledger/fabric-ca-server-config/CA2_PRIVATE_KEY Certfile:/etc/hyperledger/fabric-ca-server-config/ca.org2.example.com-cert.pem Chainfile:ca-chain.pem} Signing:0xc0002e9c70 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[8dd5d2195b5c localhost] KeyRequest:0xc0004c3060 CA:0xc0004c30e0 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1 hf.Registrar.Roles:* hf.Registrar.DelegateRoles:*] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc0004c2bc0 Client: Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR: Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2018/12/18 10:39:53 [DEBUG] CA Home Directory: /etc/hyperledger/fabric-ca-server
2018/12/18 10:39:53 [DEBUG] Checking configuration file version '1.4.0-rc1' against server version: '1.4.0-rc1'
2018/12/18 10:39:53 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc00009d5c0 PluginOpts:}
2018/12/18 10:39:53 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc0002e8350 DummyKeystore: InmemKeystore:}
2018/12/18 10:39:53 [DEBUG] Initialize key material
2018/12/18 10:39:53 [DEBUG] Making CA filenames absolute
2018/12/18 10:39:53 [DEBUG] Closing server DBs
Error: Failed to find private key for certificate in '/etc/hyperledger/fabric-ca-server-config/ca.org2.example.com-cert.pem': Could not find matching private key for SKI: Failed getting key for SKI [[80 249 156 197 236 123 61 84 103 235 149 103 183 19 141 155 87 116 177 200 41 186 172 255 141 243 34 195 24 109 65 130]]: Key with SKI 50f99cc5ec7b3d5467eb9567b7138d9b5774b1c829baacff8df322c3186d4182 not found in /etc/hyperledger/fabric-ca-server/msp/keystore
```

AmanAgrawal (Tue, 18 Dec 2018 10:46:05 GMT):
@skarim The interesting part is that the BYFN execution completes, but when you check the docker logs for the CA containers, these errors are seen.

vtech (Tue, 18 Dec 2018 11:51:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SspQSBse7Xw3yeJA5) @AmanAgrawal This is because of a key mismatch between your docker-compose and the generated artifacts for the ca. Updating docker-compose should solve this issue.

AmanAgrawal (Tue, 18 Dec 2018 12:12:17 GMT):
@vtech @skarim Thanks for your response, I just resolved the issue, but this was not because of a key mismatch. Actually, in the byfn.sh file, generateChannelArtifacts() has a reference to the docker-compose-cli file by default, which in fact should refer to the newly generated docker-compose-e2e file. Please also note that we would need to copy the CA containers, cli containers and peer containers into the docker compose e2e template file, which would in turn generate the docker-compose-e2e file that would actually be referred to by the byfn.sh file.

IgorSim (Tue, 18 Dec 2018 13:15:52 GMT):
hi, what is the common approach to solve the use case where, let's say, there is an organization in the 'network' but it's not a network member (doesn't have a peer etc.), it is only a network participant, i.e. there are one (or more) users on the application part of the network that should be able to transact against the network (send transaction proposals). How is the local MSP for such users created? Is it possible for such orgs to have only a CA node (but no peer)? Is that allowed at all in configtx.yaml (MSPDir exists, but no AnchorPeers defined)?

i_Abhijeet (Tue, 18 Dec 2018 15:06:58 GMT):
Has joined the channel.

am (Tue, 18 Dec 2018 16:40:28 GMT):
Has joined the channel.

dabbertorres (Tue, 18 Dec 2018 22:48:55 GMT):
Has joined the channel.

adityanalgework (Tue, 18 Dec 2018 23:33:03 GMT):
Has joined the channel.

adityanalgework (Tue, 18 Dec 2018 23:33:19 GMT):
Getting authentication failure

adityanalgework (Tue, 18 Dec 2018 23:33:28 GMT):
while bootstrapping a user to the server

adityanalgework (Tue, 18 Dec 2018 23:33:31 GMT):
can someone help?

adityanalgework (Tue, 18 Dec 2018 23:44:08 GMT):

Screen Shot 2018-12-18 at 3.42.04 PM.png

smeyers (Tue, 18 Dec 2018 23:54:15 GMT):
It looks like that user is not registered with the CA

smeyers (Tue, 18 Dec 2018 23:54:53 GMT):
try the `-b` flag without quotes, maybe?

adityanalgework (Wed, 19 Dec 2018 00:32:13 GMT):
still gives the same error

GuillaumeTong (Wed, 19 Dec 2018 03:39:27 GMT):

fabric-ca-1.4-version-mismatch-log.txt

GuillaumeTong (Wed, 19 Dec 2018 03:42:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xrivzDz4D7LFnmXDA) @skarim I think I have found the root of my problem: when using `fabric-ca-server version` the returned text is what I expect for version 1.4 but when doing `fabric-ca-server` the returned description of the cli seems like it comes from an older version. Am I doing something wrong when I build the binaries in the github repository? ---------- Edit: By copying some fabric-ca-server and fabric-ca-client binaries from a docker image I was able to get my idemix features working. I would still like someone to explain to me why my previous binaries were claiming to be v1.4 while behaving like some older version of binaries, and how it is that I am supposed to obtain the binaries of a specific version.

smartheye (Wed, 19 Dec 2018 04:13:47 GMT):
Has joined the channel.

IgorSim (Wed, 19 Dec 2018 07:19:27 GMT):
Guys, if an HLF network is up & running and there is a request to change some of the CSR fields in one CA. There are already registered & enrolled users in the CA. According to the documentation, the keys should be deleted and the server should be reinitialized again. This will generate a new Root CA. What does this mean for old users and new users with respect to their permission to work with the network? Does it basically narrow down to executing a channel configuration update so that the new Root CA will be part of the channel configuration? Do we need to re-enroll existing users?

mastersingh24 (Wed, 19 Dec 2018 14:48:27 GMT):
@IgorSim - that seems like an awful lot of trouble to go through just to change some fields in the public CA certificate

mastersingh24 (Wed, 19 Dec 2018 14:48:51 GMT):
What exactly are you trying to accomplish?

IgorSim (Wed, 19 Dec 2018 14:54:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7ZYivRPge2v2pBeMq) @mastersingh24 For example, to change 'O' field in the Issuer section: Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric....

mastersingh24 (Wed, 19 Dec 2018 15:35:38 GMT):
If you generate a new root CA key pair, then all old identities will be invalid

mastersingh24 (Wed, 19 Dec 2018 15:35:57 GMT):
and you would have to update all channels as you mention

GuillaumeTong (Thu, 20 Dec 2018 02:11:46 GMT):
@mastersingh24 @IgorSim Is it then possible to keep the old key pair but change the other content of the CA certificate? In that case all the previous signatures over issued certificates should still be valid, right?

akshay.sood (Thu, 20 Dec 2018 08:41:03 GMT):
Hi guys

akshay.sood (Thu, 20 Dec 2018 08:41:16 GMT):
Does anyone know how to generate certificates without using cryptogen? Is there any way to achieve that, or is it even possible to generate certificates for an org directly without using cryptogen? I know it becomes very easy to generate that crypto material using cryptogen, but I was looking for an alternative way

vtech (Thu, 20 Dec 2018 09:18:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KBn9HjnwRKQa8CFGL) @akshay.sood https://github.com/hyperledger/fabric-samples/tree/release-1.3/fabric-ca

lepar (Thu, 20 Dec 2018 12:19:34 GMT):
Has joined the channel.

lightcap (Thu, 20 Dec 2018 16:37:01 GMT):
Has joined the channel.

httran88 (Fri, 21 Dec 2018 00:59:47 GMT):
Hello, how are the ids of signingIdentities derived? And is it unique only within a CA?

BellaAdams (Fri, 21 Dec 2018 01:05:30 GMT):
how to delete a user using Fabric CA

BellaAdams (Fri, 21 Dec 2018 01:05:31 GMT):
?

BellaAdams (Fri, 21 Dec 2018 01:05:50 GMT):
How to add a user using Fabric CA

BellaAdams (Fri, 21 Dec 2018 01:05:50 GMT):
?

BellaAdams (Fri, 21 Dec 2018 01:06:40 GMT):
For example, what should I do when I want to add a user to a peer?

httran88 (Fri, 21 Dec 2018 01:10:59 GMT):
please read the documentation; adding a user with fabric ca has a lot of samples in the e2e tests, deleting users is a lot more difficult, we'll explain that when we cross that road

httran88 (Fri, 21 Dec 2018 01:12:07 GMT):
but you should understand the function of the ca first before we get into the deleting a user

BellaAdams (Fri, 21 Dec 2018 01:23:13 GMT):
thanks

httran88 (Fri, 21 Dec 2018 02:21:05 GMT):
welcome Bella, please run through the e2e tests for your preferred lang

seokm0 (Fri, 21 Dec 2018 02:23:33 GMT):
Has joined the channel.

IgorSim (Fri, 21 Dec 2018 11:26:08 GMT):
Hi, does the CA server get a default CA name if it's not explicitly set? If yes, how can I check what the name is?

dcasado (Fri, 21 Dec 2018 12:55:50 GMT):
Hi, here you have the default fabric-ca server configuration https://hyperledger-fabric-ca.readthedocs.io/en/latest/serverconfig.html

IgorSim (Fri, 21 Dec 2018 15:42:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4udWFKJQNFhEWQnGg) @dcasado yeah, I understand that, but the default CA name in the configuration is empty:
```
ca:
  # Name of this CA
  name:
```
What does this mean? That the default CA name is an empty string? I'm asking because I want to have multiple CAs on the server and be able to connect using the CA name...

skarim (Fri, 21 Dec 2018 16:17:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=puvjCkogo9jCC2DNR) @IgorSim Yes, the default CA has an empty string for its name. For any new CAs you'd like to add, you will have to give a unique name to each new CA.

merq (Sat, 22 Dec 2018 03:42:55 GMT):
Has joined the channel.

Venu_M (Mon, 24 Dec 2018 04:31:40 GMT):
Has joined the channel.

MuhammedHafil (Mon, 24 Dec 2018 05:24:37 GMT):
How can I change the default allowed roles in the CA? Where should I change it in the config file? Is there any node sdk way?

akshay.sood (Mon, 24 Dec 2018 15:12:20 GMT):
hi guys..

akshay.sood (Mon, 24 Dec 2018 15:12:54 GMT):
a very noob question here.. Does anyone know how to change the common name and other attributes of the fabric ca server?

BellaAdams (Tue, 25 Dec 2018 02:01:39 GMT):
Error: Unrecognized arguments found: [?--id.name orderer.example.com]

BellaAdams (Tue, 25 Dec 2018 02:02:07 GMT):

Clipboard - December 25, 2018 10:01 AM

BellaAdams (Tue, 25 Dec 2018 02:02:14 GMT):
I'd like to ask a question

BellaAdams (Tue, 25 Dec 2018 02:02:45 GMT):
When I register a user, an error appears

BellaAdams (Tue, 25 Dec 2018 02:02:55 GMT):
I am a newbie

Lolololo (Tue, 25 Dec 2018 02:13:09 GMT):
Has joined the channel.

Lolololo (Tue, 25 Dec 2018 02:14:04 GMT):
Hi, everyone. Does anyone know what the affiliation is used for in fabric-ca?

BellaAdams (Tue, 25 Dec 2018 02:45:12 GMT):

Clipboard - December 25, 2018 10:45 AM

BellaAdams (Tue, 25 Dec 2018 02:45:39 GMT):
There are two private key files in keystore?

MuhammedHafil (Tue, 25 Dec 2018 05:16:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CxoCsYhSXstKxHQpx) @akshay.sood with sdk or without?

JaccobSmith (Wed, 26 Dec 2018 05:07:13 GMT):
Is there an interface of SDK for just verifying the password of an existing identity ?

JaccobSmith (Wed, 26 Dec 2018 05:08:42 GMT):
I really don't want to use the enroll or reenroll interface, because both of them cause a new key file and certificate file to be generated

akshay.sood (Wed, 26 Dec 2018 06:04:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nXTYtKfQmp7pJySQq) its done.. created a config file with CSR

WouterVanHecke (Wed, 26 Dec 2018 10:42:41 GMT):
Has joined the channel.

WouterVanHecke (Wed, 26 Dec 2018 10:42:43 GMT):
I'm having a question about the startup of the fabric ca container. `command: sh -c 'fabric-ca-server start -b admin:adminpw -d'` ==> this is the command that is used to start the fabric ca, but going into production, I can't place my admin credentials in my docker compose like that. Does anyone have any suggestions on how to bypass this problem?

skarim (Wed, 26 Dec 2018 14:30:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DgjTTWNv8nyATgynR) @JaccobSmith There is no such interface

skarim (Wed, 26 Dec 2018 14:31:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zJeX4f2v7yBvzhmCF) @WouterVanHecke Use a config file that contains the bootstrap identity and pass the config file using the flag when you start the server

skarim (Wed, 26 Dec 2018 14:32:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PgHsM2FQjqdjWQCsY) @Lolololo In fabric-ca it is used for mostly access control, an identity of a certain affiliation can only act on an identity of the same affiliation or an affiliation that is below it in hierarchy

skarim (Wed, 26 Dec 2018 14:36:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zkvLafpGHo8xXN7Ay) @BellaAdams In your command, you are using `id.secret=password`. You don't want to use the equal sign.

cjml1982 (Wed, 26 Dec 2018 14:40:59 GMT):
Has joined the channel.

BellaAdams (Thu, 27 Dec 2018 02:53:39 GMT):
When I execute this command `peer channel fetch config crypto-config/configtx/orderer-system-channel.pb -o orderer.example.com:7050 -c orderer-system-channel --tls --cafile /etc/hyperledger/crypto/orderer/tls/ca.crt`

BellaAdams (Thu, 27 Dec 2018 02:53:47 GMT):
An error occurs

BellaAdams (Thu, 27 Dec 2018 02:53:58 GMT):

Clipboard - December 27, 2018 10:53 AM

BellaAdams (Thu, 27 Dec 2018 03:18:50 GMT):
what does cauthdsl mean?

sanjeevkkn (Thu, 27 Dec 2018 04:37:39 GMT):
Has joined the channel.

DaraPenhchet (Thu, 27 Dec 2018 09:50:34 GMT):
Has joined the channel.

DaraPenhchet (Thu, 27 Dec 2018 09:51:11 GMT):
Hello everyone, could I ask you some questions related to Fabric CA? I have a Client Identity and I have revoked that Identity, but it still can invoke my Chaincode in the Fabric Network. Does that mean both revoked and not revoked Identities can invoke the Chaincode?

DaraPenhchet (Thu, 27 Dec 2018 10:16:58 GMT):
Does it need one more step, generating the CRL, right after we revoke the Identity?

JaccobSmith (Fri, 28 Dec 2018 01:13:22 GMT):
Does the Fabric-CA have some UI applications?

JaccobSmith (Fri, 28 Dec 2018 04:00:07 GMT):
https://github.com/hyperledger/fabric-ca/pull/11

JaccobSmith (Fri, 28 Dec 2018 04:01:32 GMT):
I think a normal identity should be able to change his password by himself, not only through a registrar

akshay.sood (Fri, 28 Dec 2018 04:59:18 GMT):
Hi guys

akshay.sood (Fri, 28 Dec 2018 04:59:31 GMT):
I have configured SoftHSM

akshay.sood (Fri, 28 Dec 2018 04:59:41 GMT):
When I am trying to init `fabric-ca-server`

akshay.sood (Fri, 28 Dec 2018 04:59:55 GMT):
it gives me this error

akshay.sood (Fri, 28 Dec 2018 04:59:58 GMT):
```
$ fabric-ca-server -d init -b admin:adminpw
2018/12/28 10:24:22 [DEBUG] Home directory: /home/akshay/dev/fabric-ca/fabric-ca-server
2018/12/28 10:24:22 [INFO] Configuration file location: /home/akshay/dev/fabric-ca/fabric-ca-server/fabric-ca-server-config.yaml
2018/12/28 10:24:22 [DEBUG] Set log level: 
2018/12/28 10:24:22 [INFO] Server Version: 1.4.0
2018/12/28 10:24:22 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2018/12/28 10:24:22 [DEBUG] Making server filenames absolute
2018/12/28 10:24:22 [DEBUG] Initializing default CA in directory /home/akshay/dev/fabric-ca/fabric-ca-server
2018/12/28 10:24:22 [DEBUG] Init CA with home /home/akshay/dev/fabric-ca/fabric-ca-server and config {Version:1.4.0 Cfg:{Identities:{PasswordAttempts:10 AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name: Keyfile: Certfile:ca-cert.pem Chainfile:ca-chain.pem} Signing:0xc0002c3960 CSR:{CN:ca.org1.example.com Names:[{C:IN ST:Punjab L:Chandigarh O:org1.example.com OU:IT Services SerialNumber:}] Hosts:[akshay localhost] KeyRequest:0xc0002295e0 CA:0xc000229660 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1 hf.Registrar.Roles:* hf.Registrar.DelegateRoles:* hf.Revoker:1] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc0002dc320 Client: Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR: Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2018/12/28 10:24:22 [DEBUG] CA Home Directory: /home/akshay/dev/fabric-ca/fabric-ca-server
2018/12/28 10:24:22 [DEBUG] Checking configuration file version '1.4.0' against server version: '1.4.0'
2018/12/28 10:24:22 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts: PluginOpts:}
2018/12/28 10:24:22 [DEBUG] Closing server DBs
2018/12/28 10:24:22 [FATAL] Initialization failure: Failed to initialize BCCSP Factories: %!s() Could not find default `PKCS11` BCCSP
```

akshay.sood (Fri, 28 Dec 2018 05:00:17 GMT):
I am using `fabric-ca-version`

akshay.sood (Fri, 28 Dec 2018 05:00:20 GMT):
```
$ fabric-ca-server version
fabric-ca-server:
 Version: 1.4.0
 Go version: go1.11.2
 OS/Arch: linux/amd64
```

akshay.sood (Fri, 28 Dec 2018 06:19:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uRTtahdRt5AahXXNY) when I build the binary from source.. the issue was fixed automatically..

BellaAdams (Fri, 28 Dec 2018 07:27:52 GMT):
Client authorization revoked for deliver request

akshay.sood (Fri, 28 Dec 2018 10:33:07 GMT):
https://stackoverflow.com/questions/53956298/peer-node-start-throwing-could-not-find-default-pkcs11-bccsp-error

akshay.sood (Fri, 28 Dec 2018 10:34:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uRTtahdRt5AahXXNY) now facing the same error ```Failed to initialize BCCSP Factories: %!s() Could not find default PKCS11 BCCSP``` when I try to bootstrap `peer` using `peer node start`

touqeershah (Fri, 28 Dec 2018 10:51:22 GMT):
```
2018-12-28 08:32:41.955 UTC [orderer/multichain] NewManagerImpl -> INFO 0e1 Starting with system channel testchainid and orderer type solo
2018-12-28 08:32:41.955 UTC [orderer/main] main -> INFO 0e2 Beginning to serve requests
2018-12-28 08:33:30.714 UTC [grpc] Printf -> DEBU 0e3 grpc: Server.Serve failed to complete security handshake from "10.0.0.29:37330": tls: first record does not look like a TLS handshake
2018-12-28 08:33:30.717 UTC [grpc] Printf -> DEBU 0e4 grpc: Server.Serve failed to complete security handshake from "10.0.0.29:37334": tls: first record does not look like a TLS handshake
2018-12-28 08:33:30.717 UTC [grpc] Printf -> DEBU 0e5 grpc: Server.Serve failed to complete security handshake from "10.0.0.29:37332": tls: first record does not look like a TLS handshake
```

rbole (Sat, 29 Dec 2018 07:48:17 GMT):
hi, I have a question about the fabric-ca example (fabric-samples). What do I have to change in the docker-compose file if I would like to restart the docker composition? I would like to restart the network without a complete re-installation. Thanks for any hints.

touqeershah (Sat, 29 Dec 2018 08:12:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oiz9nSQA56fL4Sukz) @rbole you don't need to edit the docker-compose file, you have to run the teardown file; it will remove all the containers and the network

klkumar369 (Sat, 29 Dec 2018 10:09:03 GMT):
Has joined the channel.

shrek95 (Sat, 29 Dec 2018 12:15:12 GMT):
Has joined the channel.

rbole (Sat, 29 Dec 2018 12:53:53 GMT):
Hi, where I can find the teardown script? [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aNriXHWbYE2Sie6E2)

hteng (Sat, 29 Dec 2018 14:33:56 GMT):
Has joined the channel.

rbole (Sun, 30 Dec 2018 08:47:45 GMT):
Is there anyone who can point me in the right direction? I would like to stop and restart the fabric-sample "fabric-ca" without losing the data. Or is there another sample where I can learn to set up a fabric-ca environment?

httran88 (Mon, 31 Dec 2018 02:31:17 GMT):
use volume mapping

httran88 (Mon, 31 Dec 2018 02:32:04 GMT):
GL @rbole

akshay.sood (Mon, 31 Dec 2018 06:31:33 GMT):
Hi Experts

akshay.sood (Mon, 31 Dec 2018 06:31:40 GMT):
Can someone look into this issue on JIRA

akshay.sood (Mon, 31 Dec 2018 06:31:41 GMT):
https://jira.hyperledger.org/browse/FAB-13458

touqeershah (Mon, 31 Dec 2018 07:14:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=1rlfZytttVLpcyEtmC) @rbole go into the first-network directory where you set up your network by issuing the `./byfn.sh up` command; there you run the `./byfn.sh down` command and it will remove the network

rbole (Mon, 31 Dec 2018 07:56:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=e9sDmWitpxrNGZJCE) @touqeershah Hi, I think the fabric-ca sample works out of the box and is not part of the byfn script!

rbole (Mon, 31 Dec 2018 07:58:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JxKG3acQ5ePEhbf7B) @httran88 hi, this could be the solution, but I have not found the right solution yet, because of the script mixup in the start scripts

CheeChyuan (Mon, 31 Dec 2018 14:51:15 GMT):
hello. I am pretty sure I have set up my credential store and crypto store correctly and they have some certs already in them. However, when registering a new user using the node sdk I keep getting `TypeError: Cannot read property 'curve' of undefined`. Any help is much appreciated. Thank you

touqeershah (Tue, 01 Jan 2019 07:35:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Ep9C8Nv6ZQcscY7DJ) @rbole In your docker file in the network folder, at the end of every service both a physical and a virtual path are defined, which is called a volume in Docker terms

touqeershah (Tue, 01 Jan 2019 07:37:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7z9HEfz2DQGiRAg6p) @CheeChyuan can you copy the complete error statement so we can understand your problem properly

touqeershah (Tue, 01 Jan 2019 08:26:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=eiMvwgcfz6X3tK6q3) teardown your network, remove all the certs and generate them again, check that the ca key in the docker-compose file is updated with the newly generated key, and then check again

liaoruohuai (Tue, 01 Jan 2019 12:19:02 GMT):
Has joined the channel.

liaoruohuai (Tue, 01 Jan 2019 12:28:58 GMT):
Hello, I'm developing a system based on a fabric network, and there are android mobile apps which show the user interface. I wonder if I can use fabric-ca for generating users for the mobile app which interacts with the fabric network or peer directly, or should I build a back end server for switching the requests or responses? Which one is better & why?

touqeershah (Tue, 01 Jan 2019 13:08:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MteqEazNdPRAJK2Ad) @liaoruohuai it depends on your app: which type of app you are developing and what the use case is

liaoruohuai (Tue, 01 Jan 2019 13:51:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6prdknoszvkbjBxfJ) @touqeershah thanks. Use case: Users can view and update their assets which are maintained in my fabric network. Particularly, I want to make sure that the payload of the User's invoke and query records is encoded by the user's private key so that others can't see or use the data of the actions the user did. Maybe it's so-called privacy protection that I want

nageshbandaru (Tue, 01 Jan 2019 19:59:54 GMT):
Has joined the channel.

rbole (Wed, 02 Jan 2019 06:09:31 GMT):
hi, I have found a working solution. I have changed the startup scripts and changed some points in the docker-compose file, removed the run and setup services and changed the depends_on value of each service. Now I can stop and restart the network without losing the data. @touqeershah [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=W9EQiyKL576vLvX6g)

touqeershah (Wed, 02 Jan 2019 08:06:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=IC4x5Q5GoS1Cw06KYD) @rbole In the fabric-sample folder there is a folder named basic-network; it will help you to understand all the scripts

gongliaoan (Wed, 02 Jan 2019 08:59:13 GMT):
Has joined the channel.

zhilongliu (Wed, 02 Jan 2019 09:28:32 GMT):
Has joined the channel.

WouterVanHecke (Wed, 02 Jan 2019 14:32:36 GMT):
I'm trying to create and join my channel. I'm able to create the channel on my peer0, then I try to join the channel immediately afterwards, but I get this error:
```
2019-01-02 14:25:15.029 UTC [core/comm] ServerHandshake -> ERRO 027 TLS handshake failed with error remote error: tls: bad certificate {"server": "PeerServer", "remote address": "127.0.0.1:44794"}
```
TLS is enabled, these are the commands:
```
peer channel create -o $ORDERER -c $CHANNEL_NAME -f $CHANNEL_CONFIG --tls --cafile $CA_FILE
peer channel join -b $BLOCK
```

lepar (Wed, 02 Jan 2019 14:53:29 GMT):
@WouterVanHecke disable TLS in the docker-compose.yml file

WouterVanHecke (Wed, 02 Jan 2019 14:55:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3ZDj5ZmnffvEN64sy) @lepar The whole point is that it's enabled...

lepar (Wed, 02 Jan 2019 14:57:19 GMT):
I see. Then you gotta make sure the correct TLS files are in the correct path.

WouterVanHecke (Wed, 02 Jan 2019 14:58:06 GMT):
Well, creating with that CA file works, so I wouldn't know why joining doesn't

lepar (Wed, 02 Jan 2019 14:58:13 GMT):
peer channel join -b $BLOCK --tls *path to file*

lepar (Wed, 02 Jan 2019 15:00:03 GMT):
I don't quite remember how to do it but maybe it's like that

WouterVanHecke (Wed, 02 Jan 2019 15:00:04 GMT):
tried this too:
```
peer channel join -b $BLOCK --tls --cafile $CA_FILE --certfile $CERT_FILE
```
With the CA file being the path of the orderer's tlsca cert and the cert file being the tlsca file of the peer itself

WouterVanHecke (Wed, 02 Jan 2019 15:00:16 GMT):
same result

lepar (Wed, 02 Jan 2019 15:00:16 GMT):
That didn't work?

lepar (Wed, 02 Jan 2019 15:00:18 GMT):
Oh

lepar (Wed, 02 Jan 2019 15:00:32 GMT):
Not sure, check the documentation

aambati (Wed, 02 Jan 2019 15:24:48 GMT):
@WouterVanHecke try using tls cert of peer for --certfile

WouterVanHecke (Wed, 02 Jan 2019 15:27:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HfX32qo9jpq8LhovA) @aambati I did:
```
peer channel join -b $BLOCK --tls --cafile $CA_FILE --certfile $CERT_FILE
```

WouterVanHecke (Wed, 02 Jan 2019 15:29:27 GMT):
I get the same error, even if I put a false path into $CA_FILE or $CERT_FILE

ShajiThiyarathodi (Wed, 02 Jan 2019 19:31:41 GMT):
Has joined the channel.

AndresMartinezMelgar.itcl (Thu, 03 Jan 2019 08:26:19 GMT):
hi, I need to use a ca-server and ca-client, but I can't find any example on GitHub or similar sites. Can anyone help me?

DieYoungWsn (Thu, 03 Jan 2019 08:44:01 GMT):
Has joined the channel.

DieYoungWsn (Thu, 03 Jan 2019 08:47:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jemrkR5AT6P6Qf9W9) @AndresMartinezMelgar.itcl See Gerrit

Legiit (Thu, 03 Jan 2019 10:14:52 GMT):
```
grpc: addrConn.createTransport failed to connect to {0.0.0.0:7051 0 }. Err :connection error: desc = "transport: authentication handshake failed: x509: cannot validate certificate for 0.0.0.0 because it doesn't contain any IP SANs". Reconnecting...
2019-01-03 10:11:25.478 UTC [core/comm] ServerHandshake -> ERRO 114 TLS handshake failed with error remote error: tls: bad certificate {"server": "PeerServer", "remote address": "127.0.0.1:35048"}
```
Does anyone know how to resolve these errors? They occur when enabling TLS for the network

xaviarias (Thu, 03 Jan 2019 11:00:40 GMT):
Has joined the channel.

skarim (Thu, 03 Jan 2019 14:56:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jemrkR5AT6P6Qf9W9) @AndresMartinezMelgar.itcl have you looked at this sample? https://github.com/hyperledger/fabric-samples/tree/release-1.3/fabric-ca

skarim (Thu, 03 Jan 2019 14:58:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JTxKGDY4mbHYRESSE) @Legiit Just from that error, it seems like you are sending your request to 0.0.0.0 but the TLS certificate that you are using is not valid for that IP address. Either you need to have a TLS certificate that has that IP address in its SANs, or you need to direct the traffic to the IP address for which the TLS certificate is valid.

aambati (Thu, 03 Jan 2019 18:22:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jxEKmhCMfcEgn2n8v) @WouterVanHecke can u post the contents of orderer CA cert and peer tls cert file?

Imherenow (Thu, 03 Jan 2019 18:30:18 GMT):
Has joined the channel.

BellaAdams (Fri, 04 Jan 2019 08:30:48 GMT):
CORE_PEER_GOSSIP_SKIPHANDSHAKE=true what does this setting mean?

periodic (Fri, 04 Jan 2019 12:18:31 GMT):
Has joined the channel.

periodic (Fri, 04 Jan 2019 12:46:00 GMT):
@JaccobSmith Currently I'm facing the same "problem" (verifying the password of an existing identity without enroll/reenroll). In my view it would be a helpful feature to use fabric-ca as the authentication layer of the app.

liaoruohuai (Fri, 04 Jan 2019 16:22:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZxCNMLqHY32HZsJ5b) @periodic hello, dude, what's your solution to this 'problem'?

periodic (Fri, 04 Jan 2019 17:04:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=c2rdqLwb5uBddRfmc) @liaoruohuai Hi @liaoruohuai. As a temporary solution in my case (fabric-ca with a mysql cluster) I'm going to give read-only access to fabric's db to my auth service. In case I have more time, I will fork fabric-ca and update it ;)

x4e-salvi (Fri, 04 Jan 2019 18:52:56 GMT):
Has joined the channel.

adityanalgework (Fri, 04 Jan 2019 19:07:27 GMT):
Post http://localhost:7054/enroll: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"

adityanalgework (Fri, 04 Jan 2019 19:07:38 GMT):
Can Anyone Help Me With This Error?

adityanalgework (Fri, 04 Jan 2019 19:11:27 GMT):
I bootstrap start my server with fabric-ca-server start -b admin:adminpw

adityanalgework (Fri, 04 Jan 2019 19:12:05 GMT):
environment variable is set to FABRIC_CA_HOME=$HOME/fabric-ca/server and FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin

adityanalgework (Fri, 04 Jan 2019 19:12:25 GMT):
Using fabric-ca-client enroll -u http://admin:adminpw@localhost:7054

adityanalgework (Fri, 04 Jan 2019 19:16:32 GMT):
Nevermind. Had a docker running in the background. Issue Resolved.

adityanalgework (Fri, 04 Jan 2019 23:47:38 GMT):
Trying to use api to enroll bootstrap identity

adityanalgework (Fri, 04 Jan 2019 23:47:45 GMT):
I have my fabric ca server running

adityanalgework (Fri, 04 Jan 2019 23:47:58 GMT):
Using the following curl request. Get CSR decode error code 9002

adityanalgework (Fri, 04 Jan 2019 23:50:56 GMT):
curl -X POST "https://localhost:7054/api/v1/enroll" -H "accept: application/json" -H "Authorization: Basic YWRtaW46YWRtaW5wdw==" -H "Content-Type: application/json" -d "{ \"request\": \"-----BEGIN CERTIFICATE REQUEST-----MIIBTDCB9AIBADBoMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xpbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxGTAXBgNVBAMTEGZhYnJpYy1jYS1zZXJ2ZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQbSE6B7UKqkorP32NAk9YXQLUwyc/4DZp0p1V+aTyBcr6Wp0zdGXhmUt13BQhr9i/v9+wZGd100xwupjOgN0spoCowKAYJKoZIhvcNAQkOMRswGTAXBgNVHREEEDAOggxDMDJYTjJLQUpIRDIwCgYIKoZIzj0EAwIDRwAwRAIgSzQc4UM+Y0pTXWDUXKIIQ+eTxxlu8dMrpcSpmhB+ddkCIBA0dZYIc1TDN3VKX4HvXa89SeJOuBLc0O5ioNYti4H0-----END CERTIFICATE REQUEST-----\",}"

adityanalgework (Fri, 04 Jan 2019 23:51:21 GMT):
I either get wrong version error, or no user/pass present in header error or code 9002 CSR decode error

adityanalgework (Fri, 04 Jan 2019 23:51:47 GMT):
I started my fabric server by bootstrapping as fabric-ca-server start -b admin:adminpw

AnkitGajera (Sat, 05 Jan 2019 15:09:54 GMT):
Has joined the channel.

ArpitKhurana1 (Sat, 05 Jan 2019 21:02:41 GMT):
Has anyone tried setting the log level of fabric ca server? I tried setting it to error and received the following message even when debug is false in the config yaml
```
2019/01/05 20:59:14 [DEBUG] Set log level: ERROR
2019/01/05 20:59:14 [DEBUG] Closing server DBs
Error: Can't specify log level 'ERROR' and set debug to true at the same time
```

akshay.sood (Sun, 06 Jan 2019 04:40:47 GMT):
Does anyone know how to generate TLS certs & key with `fabric-ca`

akshay.sood (Sun, 06 Jan 2019 04:40:54 GMT):
tls

rsoeldner (Sun, 06 Jan 2019 09:31:56 GMT):
Has joined the channel.

rsoeldner (Sun, 06 Jan 2019 09:35:36 GMT):
Morning, the official documentation writes:
```
An enrollment token consisting of two base 64 encoded parts separated by a period:
- an enrollment certificate;
- a signature over the certificate and body of request.
```
What type of signature, ECDSA?

mastersingh24 (Sun, 06 Jan 2019 10:29:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NjRjgu4TuQPv8WsDk) @akshay.sood https://stackoverflow.com/a/54060575/6160507

mastersingh24 (Sun, 06 Jan 2019 10:30:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=at4kxFedongEr6rfM) @ArpitKhurana1 Were you using the `-d` flag on the command line?

ArpitKhurana1 (Sun, 06 Jan 2019 11:49:34 GMT):
@mastersingh24 yeah you are right, didn't notice that, thanks

ArpitKhurana1 (Sun, 06 Jan 2019 11:49:38 GMT):
Right*

hhlee (Mon, 07 Jan 2019 02:55:53 GMT):
Has joined the channel.

ooharawork (Mon, 07 Jan 2019 04:11:12 GMT):
Has joined the channel.

adityanalgework (Mon, 07 Jan 2019 06:13:23 GMT):
fabric-ca-client gencsr --csr.cn fabric-ca-server

adityanalgework (Mon, 07 Jan 2019 06:13:41 GMT):
This command creates a CSR. But the pem encoded CSR is corrupted.

adityanalgework (Mon, 07 Jan 2019 06:13:52 GMT):
Any one has any comments on that?

ooharawork (Mon, 07 Jan 2019 06:49:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qoph3nk5GvHeyxWuT) @adityanalgework
```
$ fabric-ca-client gencsr -H admin --csr.cn my.example.com
$ openssl asn1parse -in admin/msp/signcerts/my.example.com.csr
$ openssl x509 -req -days 3650 -signkey admin/msp/keystore/{private key file newly created by gencsr} < admin/msp/signcerts/my.example.com.csr > output.crt
```
I don't have much expertise on this, but as at least the commands above succeed, I couldn't find what is corrupted by appearance. Could you elaborate on your observation and what is against your expectation?

ooharawork (Mon, 07 Jan 2019 06:56:32 GMT):
That said, I couldn't find a good use case of `gencsr` command in the whole context of the operational flow. If someone knows about that, kindly let me know.

ooharawork (Mon, 07 Jan 2019 09:28:11 GMT):
On revocation of a certificate, is this an expected behaviour? Yes, I typed it twice, but I think it should be idempotent: the CRL should never be an empty file. (Fabric 1.3)
```
$ fabric-ca-client revoke --revoke.name=peer1 --gencrl
#--> will produce msp/crls/crl.pem with correct CRLs
# run the same command again
$ fabric-ca-client revoke --revoke.name=peer1 --gencrl
#--> will produce an empty msp/crls/crl.pem !!
```

Legiit (Mon, 07 Jan 2019 12:51:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wehvSy4D2F5kmRMCS) How does one create a TLS certificate for a specific IP?

skarim (Mon, 07 Jan 2019 14:32:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vqRY7QAvw5F7DsQvh) @ooharawork On your second attempt, no revocation actually happens because the peer1 identity has already been revoked, so it will not generate a CRL. If you want to get a CRL for all revoked certificates, I would suggest using the gencrl command

skarim (Mon, 07 Jan 2019 14:35:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uuvMAEPxFEbh5tet6) @Legiit If you are using the fabric ca server, you can enroll against the TLS profile with the host field in your CSR set to the specific IP. The command may look like:
```
fabric-ca-client enroll --enrollment.profile tls --csr.hosts 0.0.0.0,localhost -u
```

mrudav.shukla (Mon, 07 Jan 2019 14:47:20 GMT):
Has joined the channel.

mrudav.shukla (Mon, 07 Jan 2019 14:48:49 GMT):
Can we specify Country, State, Location for CA in a docker compose file?

adityanalgework (Mon, 07 Jan 2019 15:03:38 GMT):
@ooharawork gencsr worked great. thanks!

adityanalgework (Mon, 07 Jan 2019 15:04:31 GMT):
I am receiving code 9002 & message "CSR Decode failed" when trying to enroll a bootstrap user on the fabric-ca-server through the following API

adityanalgework (Mon, 07 Jan 2019 15:05:17 GMT):
POST http://localhost:7054/api/v1/enroll Header:

adityanalgework (Mon, 07 Jan 2019 15:05:28 GMT):
POST

adityanalgework (Mon, 07 Jan 2019 15:05:57 GMT):
```
POST http://localhost:7054/api/v1/enroll
HEADER - http://localhost:7054/api/v1/enroll
Authorization Basic YWRtaW46YWRtaW5wdw==
```

adityanalgework (Mon, 07 Jan 2019 15:08:06 GMT):
Using Postman
```
POST http://localhost:7054/api/v1/enroll
HEADER -
Authorization Basic YWRtaW46YWRtaW5wdw==
Content-Type application/json
Body -
{ "request": "-----BEGIN CERTIFICATE REQUEST-----MIIBQTCB6QIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xpbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNVBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEs/sLo/WAXGG2QV80Lgu28v62gmE9B5JoAU/wLfro4uRgSPepkhRInhSnuUFvaid59yNEiz35smysukRhKuDBsqAqMCgGCSqGSIb3DQEJDjEbMBkwFwYDVR0RBBAwDoIMQzAyWE4yS0FKSEQyMAoGCCqGSM49BAMCA0cAMEQCIHv9Qa1LozH+nbgyy8dAVk7mv9FRAkLu6nWTPUdd/mUDAiAG8NN7UH7aO+4rGQFejPBvpn1LwiSGouJaZ4nK387IVg==-----END CERTIFICATE REQUEST-----" }
```

adityanalgework (Mon, 07 Jan 2019 15:08:23 GMT):
My CA NAME under both server and client config file is admin

adityanalgework (Mon, 07 Jan 2019 20:06:31 GMT):
I am receiving code 9002 & message "CSR Decode failed" when trying to enroll a bootstrap user on the fabric-ca-server through the following API. Using Postman
```
POST http://localhost:7054/api/v1/enroll
HEADER -
Authorization Basic YWRtaW46YWRtaW5wdw==
Content-Type application/json
Body -
{"request":"-----BEGIN CERTIFICATE REQUEST-----MIIBQTCB6QIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xpbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNVBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEs/sLo/WAXGG2QV80Lgu28v62gmE9B5JoAU/wLfro4uRgSPepkhRInhSnuUFvaid59yNEiz35smysukRhKuDBsqAqMCgGCSqGSIb3DQEJDjEbMBkwFwYDVR0RBBAwDoIMQzAyWE4yS0FKSEQyMAoGCCqGSM49BAMCA0cAMEQCIHv9Qa1LozH+nbgyy8dAVk7mv9FRAkLu6nWTPUdd/mUDAiAG8NN7UH7aO+4rGQFejPBvpn1LwiSGouJaZ4nK387IVg==-----END CERTIFICATE REQUEST-----", "attr_reqs": [ { "name": "admin1" } ] }
```
My CA NAME under both server and client config file is admin

bh4rtp (Tue, 08 Jan 2019 00:42:07 GMT):
hi, may I ask a simple question? What is the difference between a fabric network with `fabric-ca` and without `fabric-ca`? Do the `orderer` and `peer` nodes communicate with `fabric-ca`?

adityanalgework (Tue, 08 Jan 2019 00:47:00 GMT):
@bh4rtp I believe that fabric-ca is the element that truly makes hyperledger fabric a permissioned blockchain. Fabric-ca is used to issue certificates and form affiliations between organizations. I do not think Orderer node needs to communicate with fabric-ca.

adityanalgework (Tue, 08 Jan 2019 00:47:18 GMT):
@bh4rtp This link might help https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#overview

bh4rtp (Tue, 08 Jan 2019 00:52:45 GMT):
@adityanalgework thank you for your instant answer. `blockchain-explorer` uses node sdk to communicate with peer node directly. how to add `fabric-ca` support for it?

bh4rtp (Tue, 08 Jan 2019 00:58:35 GMT):
@adityanalgework as for permissioned blockchain and considering `blockchain-explorer`, one can break the permissioned blockchain into a permissionless blockchain by bypassing `fabric-ca` and directly communicating with the peer node like `blockchain-explorer` does. Am I right?

adityanalgework (Tue, 08 Jan 2019 01:04:33 GMT):
@bh4rtp See if the Config files in fabric-ca-server and fabric-ca-client helps you. I do believe you are right about the second part.

bh4rtp (Tue, 08 Jan 2019 01:05:23 GMT):
@adityanalgework ok. thanks again.

BellaAdams (Tue, 08 Jan 2019 04:01:59 GMT):

Clipboard - January 8, 2019 12:01 PM

BellaAdams (Tue, 08 Jan 2019 04:02:21 GMT):
How to solve this problem?

asurirk (Tue, 08 Jan 2019 19:21:52 GMT):
Has joined the channel.

JonathanLevi (Wed, 09 Jan 2019 07:00:36 GMT):
Hi @BellaAdams - I believe this error is a result of not "recognizing" the signing key. That is, an "identity" was not signed by a known authority...

JonathanLevi (Wed, 09 Jan 2019 07:02:12 GMT):
It's like me having a "signed certificate" that is signed by VeriSign123, but "VeriSign123" is not a trusted or known CA/Authority (specifically, the system does not know or treat the public key of "VeriSign123" as a key that is trusted)

BellaAdams (Wed, 09 Jan 2019 07:17:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GgEXzKEG9Yjy9sjP5) @JonathanLevi The signing cert is the root key that is signed by itself

WouterVanHecke (Wed, 09 Jan 2019 07:17:45 GMT):
It's about some policies in the configtx.yaml that isn't set

BellaAdams (Wed, 09 Jan 2019 07:20:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4r9Rp3ApwJCPR4wKm) @WouterVanHecke When I use cryptogen to generate the crypto material, all works well .But when I use the crypto material generated by Fabric CA, the problem occurs.

WouterVanHecke (Wed, 09 Jan 2019 07:21:08 GMT):
are you using the node sdk to communicate?

BellaAdams (Wed, 09 Jan 2019 07:21:27 GMT):
I use fabric-ca-client

BellaAdams (Wed, 09 Jan 2019 07:21:59 GMT):

Clipboard - January 9, 2019 3:21 PM

BellaAdams (Wed, 09 Jan 2019 07:22:42 GMT):
what does MAJORITY Admins mean?

WouterVanHecke (Wed, 09 Jan 2019 07:23:00 GMT):
make sure the UserContext is set in the Client object?

BellaAdams (Wed, 09 Jan 2019 07:24:46 GMT):
The UserContext is the admin of the only orderer organization

mrudav.shukla (Wed, 09 Jan 2019 08:27:35 GMT):
Hi, Can anyone please guide me here: https://stackoverflow.com/questions/54105891/custom-detailscountry-state-locality-for-msp-in-organisation-msp-of-hyperled

OlivierBitsch (Wed, 09 Jan 2019 13:25:19 GMT):
Has joined the channel.

OlivierBitsch (Wed, 09 Jan 2019 13:26:11 GMT):
Hello all, I would like to know what the default FABRIC_CA_SERVER_CA_NAME is when it is not defined the first time. Is there any way to know it?

OlivierBitsch (Wed, 09 Jan 2019 13:40:56 GMT):
Ok, got it, this just needs to be set in the env during startup

skarim (Wed, 09 Jan 2019 14:33:43 GMT):
Aisle D, Building 500. Across from cube D206

JoshFodale (Wed, 09 Jan 2019 15:06:18 GMT):
Has joined the channel.

iramiller (Wed, 09 Jan 2019 15:42:00 GMT):
Within MSPs only two OU categories (peer, client) are directly supported and yet there are many different roles/categories (app, user, member, orderer, admin, etc) in the system. Can someone point me to the documentation that lays out this methodology? I see at one time there was even an Orderer OU in the MSP types but that was backed out ...

iramiller (Wed, 09 Jan 2019 16:13:07 GMT):
(I found some stuff in the #fabric-peer-endorser-committer channel) ... Not totally satisfied with the information about roles vs MSP identity types but it is what it is.

camillemarini (Wed, 09 Jan 2019 16:21:44 GMT):
Has joined the channel.

Kelvin_Moutet (Wed, 09 Jan 2019 16:37:34 GMT):
Hello everyone, I am using the fabric-ca-* images and recently (with 1.3 and 1.4) those images are not produced anymore. From the following links, I see that there is an issue with those images but I didn't understand why. Does anyone have a clear understanding of this decision? https://jira.hyperledger.org/browse/FABC-131 https://jira.hyperledger.org/browse/FABCI-24 https://jira.hyperledger.org/browse/FABC-781

firewater (Wed, 09 Jan 2019 20:09:42 GMT):
Has joined the channel.

adityanalgework1 (Thu, 10 Jan 2019 01:28:17 GMT):
Has joined the channel.

adityanalgework1 (Thu, 10 Jan 2019 01:28:41 GMT):
I wrote a simple go program where I call the lib.ClientConfig method.

adityanalgework1 (Thu, 10 Jan 2019 01:29:30 GMT):
I mean lib.ClientConfig struct and then call the Enroll Method

adityanalgework1 (Thu, 10 Jan 2019 01:29:38 GMT):
It generates the secret key but not the certificates

adityanalgework1 (Thu, 10 Jan 2019 01:29:50 GMT):
Code ``

adityanalgework1 (Thu, 10 Jan 2019 01:30:18 GMT):
```
n := lib.ClientConfig{}
// n.Enroll("http://admin:adminpw@localhost:7054", "admin")
```

adityanalgework1 (Thu, 10 Jan 2019 01:30:37 GMT):
```
// n := lib.ClientConfig{}
n.Enroll("http://admin:adminpw@localhost:7054", "admin")
```

adityanalgework1 (Thu, 10 Jan 2019 01:33:17 GMT):
```
package main

import (
	"log"

	"github.com/hyperledger/fabric-ca/lib"
)

func main() {
	n := lib.ClientConfig{}
	// Enroll returns the enrollment response (identity and CA chain) or an error
	resp, err := n.Enroll("http://admin:adminpw@localhost:7054", "admin")
	if err != nil {
		log.Fatalf("enroll failed: %v", err)
	}
	// Store writes the enrollment certificate into the client's msp directory;
	// the private key alone is persisted by the key generation step
	if err := resp.Identity.Store(); err != nil {
		log.Fatalf("storing identity failed: %v", err)
	}
}
```

adityanalgework1 (Thu, 10 Jan 2019 01:33:45 GMT):
I want to enroll the bootstrap identity to the server without using fabric-ca-client cli

ooharawork (Thu, 10 Jan 2019 05:12:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3ri6X6f5hkbHYog2j) @skarim Thanks for the suggestion. In practice, `fabric-ca-client gencrl` will work fine. As for `--gencrl` option of `revoke`, I think it would need more clarification of its usecase.

Ashish_ydv (Thu, 10 Jan 2019 05:54:58 GMT):
Is there any Fabric-CA related samples present?

ooharawork (Thu, 10 Jan 2019 07:35:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9QtWsKWj8Bb2iRuwr) @Ashish_ydv As for v1.3.0, refer to fabric-samples/fabric-ca. https://github.com/hyperledger/fabric-samples/tree/release-1.3/fabric-ca However this samples has been removed from v1.4.0 of fabric-samples. https://jira.hyperledger.org/browse/FABC-781

Kelvin_Moutet (Thu, 10 Jan 2019 07:37:34 GMT):
Hello everyone, I am using the fabric-ca-* images and recently (with 1.3 and 1.4) those images are not produced anymore. From the following links, I see that there is an issue with those images but I didn't understand why. Does anyone have a clear understanding of this decision? https://jira.hyperledger.org/browse/FABC-131 https://jira.hyperledger.org/browse/FABCI-24 https://jira.hyperledger.org/browse/FABC-781

Kelvin_Moutet (Thu, 10 Jan 2019 07:39:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cvSNTpHbtGiPNqJpg) @ooharawork As said in my previous post, I am trying to understand why those samples (and moreover the docker fabric-ca-* images) have been removed. Cryptogen should not be used in production, so isn't fabric-ca normally the way to go?

ooharawork (Thu, 10 Jan 2019 07:59:16 GMT):
@Ashish_ydv According to the reporter of FABC-781, what they thought unpromotable was including fabric-ca-client in the same image as peer/orderer, which is the current implementation of fabric-samples/fabric-ca. So from that point of view, creating another image dedicated to fabric-ca-client and removing fabric-ca-client from the other images would be better. I have no idea, however, why the sample was removed rather than corrected to be "more promotable" as mentioned above.

alain2sf (Thu, 10 Jan 2019 09:41:21 GMT):
@ooharawork Hi, do you know where we could find a Fabric 1.4 setup using fabric-ca instead of cryptogen? Could anyone help me out finding docs/hints/examples... thanks!

GuillaumeCisco (Thu, 10 Jan 2019 09:43:20 GMT):
would be great if we can follow this issue here: https://jira.hyperledger.org/browse/FABC-781

RomanGromov (Thu, 10 Jan 2019 11:37:27 GMT):
Has joined the channel.

dev-d (Thu, 10 Jan 2019 16:20:03 GMT):
Has joined the channel.

mbanerjee (Thu, 10 Jan 2019 23:41:06 GMT):
`./bin/cryptogen generate --config=./crypto-config.yaml` works fine and we are able to generate the crypto artifacts for the orderer and the organization. When we tried to create the same crypto artifacts using the SDK (https://github.com/hyperledger/fabric-ca) we ran into issues. Can someone point to tutorials for bootstrapping the network using the SDK? Appreciate your help. TIA.

ooharawork (Fri, 11 Jan 2019 01:19:35 GMT):
Hello, is it possible to use a non-Fabric CA as a root of intermediate Fabric CAs? on stackoverflow: https://stackoverflow.com/questions/54139134/using-non-fabric-ca-as-a-parent-of-fabric-cas

akoita (Fri, 11 Jan 2019 03:31:11 GMT):
Has joined the channel.

vinayjangir (Fri, 11 Jan 2019 06:09:41 GMT):
How to replace Fabric-CA with any third party Certificate Authority? Please provide a sample code.

BellaAdams (Fri, 11 Jan 2019 07:02:29 GMT):
Fabric CA is a good choice

BellaAdams (Fri, 11 Jan 2019 07:02:40 GMT):
openssl is also a good choice

BellaAdams (Fri, 11 Jan 2019 07:02:53 GMT):
But Fabric CA is more friendly

AvinashMeda (Fri, 11 Jan 2019 07:29:58 GMT):
Has joined the channel.

glotov (Fri, 11 Jan 2019 11:56:54 GMT):
Where is the certificate for the newly created user stored? I see new public/private key under my `/tmp/fabric-client-kv-org`, but no cert there. I enroll a new user with `caClient.register()`, just as `balance-transfer` app does.

sstone1 (Fri, 11 Jan 2019 13:28:53 GMT):
@glotov the certificate is stored in the file named after the user, e.g. `user1`

sstone1 (Fri, 11 Jan 2019 13:29:07 GMT):
it's a JSON object that contains a PEM certificate

sstone1 (Fri, 11 Jan 2019 13:29:25 GMT):
it's a bit stupid and needs fixing so the certificate is an actual file ;-)

gentios (Mon, 14 Jan 2019 13:47:02 GMT):
can someone point me to a resource where we can use the Let's encrypt for generating the crypto material instead of cryptogen tool

lepar (Mon, 14 Jan 2019 14:02:42 GMT):
@gentios You can use the node module Crypto

gentios (Mon, 14 Jan 2019 14:10:47 GMT):
@lepar do you have any example please

lepar (Mon, 14 Jan 2019 14:27:02 GMT):
I don't. Cryptogen's advantage is that it automatically creates the folder hierarchy; if you use the module then you have to create the necessary folder paths and certificates yourself. It's quite complicated

gentios (Mon, 14 Jan 2019 14:32:27 GMT):
@lepar the cryptogen tool is not recommended for production purposes, and I am exploring a way to achieve the same certificates using Let's Encrypt

mastersingh24 (Mon, 14 Jan 2019 14:33:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=L9Z3wG4P5xRwh6a5K) @gentios You can use Let's Encrypt for TLS certificates for any of the nodes .... peers, orderers and CAs all have config parameters for specifying the TLS certificates to use for their endpoints. You would also need to add the Let's Encrypt root / intermediate certs to the `tlscacerts` and `tlsintermediatecerts` directories for each organization's MSP when creating channels. You really cannot use Let's Encrypt to create enrollment / signing certificates as you cannot specify OUs to separate different orgs

gentios (Mon, 14 Jan 2019 14:35:26 GMT):
@mastersingh24 thank you, I have also seen your stackoverflow answer. Do you recommend using the cryptogen tool for production purposes

mastersingh24 (Mon, 14 Jan 2019 14:38:32 GMT):
The issue with cryptogen is that it really does not provide any type of PKI lifecycle mgmt. I'd use the Fabric CA for enrollment / signing identities and use a 3rd party CA such as Let's Encrypt for generating the TLS certificates (of course you can also use Fabric CA for this as well but most companies have a preferred SSL/TLS certificate provider)

mastersingh24 (Mon, 14 Jan 2019 14:39:01 GMT):
At IBM, we used to use DigiCert for TLS/SSL certificates but now we are using Let's Encrypt

gentios (Mon, 14 Jan 2019 14:43:11 GMT):
@mastersingh24 thank you very much. Do you have any resources on this part that you could share please.

jacobsaur (Mon, 14 Jan 2019 20:35:34 GMT):
Has joined the channel.

adityanalgework1 (Mon, 14 Jan 2019 22:51:45 GMT):
I have a question on Fabric-CA. The documentation says that - "The enroll command stores an enrollment certificate (ECert), corresponding private key and CA certificate chain PEM files in the subdirectories of the Fabric CA client’s msp directory. You will see messages indicating where the PEM files are stored."

adityanalgework1 (Mon, 14 Jan 2019 22:52:15 GMT):
However, when I try to enroll a bootstrap identity. I am only able to generate the secret key.

adityanalgework1 (Mon, 14 Jan 2019 22:52:27 GMT):
Not the remaining certificates. What am I missing?

adityanalgework1 (Mon, 14 Jan 2019 22:53:07 GMT):
I use function enrollBootstrapUser("admin","adminpw","")

skarim (Tue, 15 Jan 2019 02:01:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=tFM7mmgBbpZBy8dZy) @adityanalgework1 You are reading the documentation for how the fabric-ca client (CLI) works. But it looks like you are using some SDK to perform the enroll. You should look at the doc for the respective SDK to determine how it stores the certificate.

darthsaini (Tue, 15 Jan 2019 05:14:25 GMT):
Has joined the channel.

AndresMartinezMelgar.itcl (Tue, 15 Jan 2019 07:57:09 GMT):
Can someone help me? I need to create and configure a fabric ca server/client. I can't find any example that uses them

gentios (Tue, 15 Jan 2019 08:27:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=e3obDQRoXycAEkzQC) @AndresMartinezMelgar.itcl https://github.com/hyperledger/fabric-samples/blob/release-1.4/balance-transfer/artifacts/docker-compose.yaml#L10

gentios (Tue, 15 Jan 2019 08:29:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=e3obDQRoXycAEkzQC) @AndresMartinezMelgar.itcl https://github.com/hyperledger/fabric-samples/blob/release-1.4/balance-transfer/app/helper.js#L64

AndresMartinezMelgar.itcl (Tue, 15 Jan 2019 09:51:15 GMT):
@gentios thanks, but I mean that the project byfn.sh has the function generateCerts where it uses cryptogen and configtxgen. I imagine that if there is a CA server it should provide the certificates and not use another tool. I have not seen any examples on how to do that. I'm working in Java. Should it be done directly from the SDK? I'm stuck with this :(

gentios (Tue, 15 Jan 2019 10:29:26 GMT):
@AndresMartinezMelgar.itcl the cryptogen tool is for creating the crypto material. After bringing up your containers, then you can use the second link to register new users and identify them in the network.

jlcs (Tue, 15 Jan 2019 10:43:32 GMT):
Has joined the channel.

jlcs (Tue, 15 Jan 2019 10:43:36 GMT):
Given a MSP with intermediateCAs, can an admin/user certificate be directly issued by the root CA, or does it have to be issued by one of the int. CAs?

AndresMartinezMelgar.itcl (Tue, 15 Jan 2019 10:55:30 GMT):
ok, I'll try it again. Thanks!

ihormudryy (Tue, 15 Jan 2019 10:58:46 GMT):
Has joined the channel.

ihormudryy (Tue, 15 Jan 2019 11:01:16 GMT):
The cryptogen tool is not supposed to be used in production. What is the best practice for generating crypto material and the genesis block for bringing new peers up?

AndresMartinezMelgar.itcl (Tue, 15 Jan 2019 11:18:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6adehWEWCmFAAsrdL) @ihormudryy I think that's CA servers, but I haven't found examples yet.

ihormudryy (Tue, 15 Jan 2019 11:36:17 GMT):
Examples with fabric-ca servers were removed from 1.4, with some contradiction about what should really be used in production: https://jira.hyperledger.org/browse/FABC-781

gentios (Tue, 15 Jan 2019 12:04:07 GMT):
@ihormudryy we should use Let's Encrypt

AndresMartinezMelgar.itcl (Tue, 15 Jan 2019 12:07:32 GMT):
Are there any complete production examples?

ihormudryy (Tue, 15 Jan 2019 12:12:25 GMT):
letsencrypt can generate TLS certificates, but what about genesis blocks, channel.tx, anchor peer tx, etc.?

gentios (Tue, 15 Jan 2019 13:53:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7RiiTLoH3C9HvvEyw) @AndresMartinezMelgar.itcl I am looking for the same

gentios (Tue, 15 Jan 2019 13:54:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2qWkxAWYjbCTmDrBG) @ihormudryy the genesis.block and channel.tx can be freely generated with the configtx tool

gentios (Tue, 15 Jan 2019 13:54:48 GMT):
but for TLS certificates for production purposes, Let's Encrypt or any other PKI management tool is recommended

gentios (Tue, 15 Jan 2019 14:03:33 GMT):
A good solution for production is this: https://github.com/aidtechnology/lf-k8s-hlf-webinar, they have used let's encrypt with Kubernetes. I am trying to do the same with Docker Swarm

gentios (Tue, 15 Jan 2019 14:04:04 GMT):
There is also a webinar regarding that repo, the guys from AidTech have done a great job

BellaAdams (Wed, 16 Jan 2019 02:26:50 GMT):
When I migrate my fabric from 1.2 to 1.4, some errors occur when I generate artifacts. Here is my config: https://gist.github.com/global-blockchain/4c8c3c566b444d4e942ddfa5a7ea940e I don't know what's wrong.

lewislau86 (Wed, 16 Jan 2019 08:44:45 GMT):
Has joined the channel.

gentios (Wed, 16 Jan 2019 09:05:39 GMT):
@BellaAdams what are the errors?

KenvinNguyen (Wed, 16 Jan 2019 09:15:52 GMT):
Has joined the channel.

KenvinNguyen (Wed, 16 Jan 2019 09:16:41 GMT):
when I tried to run the command `fabric-ca-client identity remove 100022329009917 --force` to remove identity but I got error `Error: Response from server: Error Code: 56 - Identity removal is disabled`

KenvinNguyen (Wed, 16 Jan 2019 09:17:03 GMT):
can anybody help, what should I do in this case?

KenvinNguyen (Wed, 16 Jan 2019 09:17:03 GMT):
can anybody help, what should I do in this case? thanks

BellaAdams (Wed, 16 Jan 2019 09:26:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7qFdgmFnPPNBz9Ed3) @gentios 2019-01-16 09:25:28.220 UTC [common/tools/configtxgen/encoder] NewOrdererGroup -> WARN 003 Default policy emission is deprecated, please include policy specifications for the orderer group in configtx.yaml 2019-01-16 09:25:28.220 UTC [common/tools/configtxgen/encoder] NewOrdererOrgGroup -> WARN 004 Default policy emission is deprecated, please include policy specifications for the orderer org group Orderer in configtx.yaml 2019-01-16 09:25:28.220 UTC [common/tools/configtxgen] func1 -> PANI 005 proto: Marshal called with nil panic: proto: Marshal called with nil [recovered] panic: proto: Marshal called with nil goroutine 1 [running]: github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc4203a48f0, 0x0, 0x0, 0x0)

gentios (Wed, 16 Jan 2019 09:30:14 GMT):
@BellaAdams have you updated the versions of the configtx and cryptogen tools to the 1.4 version?

gentios (Wed, 16 Jan 2019 09:31:52 GMT):
and ./path to binaries/configtxgen --version

gentios (Wed, 16 Jan 2019 09:31:52 GMT):
@BellaAdams can you do ./path to binaries/cryptogen version

BellaAdams (Wed, 16 Jan 2019 09:32:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=R4RgJgznrdsG6B63A) @gentios thanks, I will check it right now

gentios (Wed, 16 Jan 2019 09:33:10 GMT):
and ./path to binaries/cryptogen version

BellaAdams (Wed, 16 Jan 2019 09:33:52 GMT):
configtxgen: Version: 1.3.0 Commit SHA: ab0a67a Go version: go1.10.4 OS/Arch: linux/amd64

BellaAdams (Wed, 16 Jan 2019 09:33:57 GMT):
It's 1.3

BellaAdams (Wed, 16 Jan 2019 09:34:15 GMT):
But the config works when I use 1.2

gentios (Wed, 16 Jan 2019 09:34:46 GMT):
@BellaAdams please update the binaries first, and let's see

BellaAdams (Wed, 16 Jan 2019 09:34:57 GMT):
Ok, thanks

gentios (Wed, 16 Jan 2019 09:35:14 GMT):
@BellaAdams you have the command in the ReadTheDocs how to update them

BellaAdams (Wed, 16 Jan 2019 09:38:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=s3ctHrnC6ugTkFx98) @gentios I use fabric 1.2. And the error occurs

BellaAdams (Wed, 16 Jan 2019 09:38:19 GMT):
It has nothing to do with fabric 1.4

gentios (Wed, 16 Jan 2019 09:39:12 GMT):
I don't understand, you said that you want to migrate from 1.2 to 1.4

BellaAdams (Wed, 16 Jan 2019 09:52:50 GMT):
Yes. But I don't know why this error occurs suddenly

BellaAdams (Wed, 16 Jan 2019 09:52:59 GMT):
Something wrong with my ops

skarim (Wed, 16 Jan 2019 14:42:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LKA6aDvwQmMqYP5kv) @KenvinNguyen When you start the server you need to start it with the flag `--cfg.identities.allowremove` to allow removal of identities

bricakeld (Thu, 17 Jan 2019 04:22:00 GMT):
Has joined the channel.

gaijinviki (Thu, 17 Jan 2019 04:45:31 GMT):
Has joined the channel.

GuillaumeTong (Thu, 17 Jan 2019 07:56:02 GMT):
Hi, is there a procedure for changing the certs of peer/orderer nodes on a running network? Is the procedure the same if I am simply getting the new certs from a re-enrollment, near the expiry date of the old certs?

GuillaumeTong (Thu, 17 Jan 2019 08:00:43 GMT):
Also I suppose channel/org admin and user's certs would need to be changed

GuillaumeTong (Thu, 17 Jan 2019 08:02:52 GMT):
In my current case I need to do this because I want to introduce fabric CA servers into an existing network. But I am also interested in the case where I would have to renew nearly expired certs, or worse, change all certs after they all expired.

GuillaumeTong (Thu, 17 Jan 2019 08:02:52 GMT):
In my current case I need to do this because I want to introduce fabric CA servers into an existing network, generated based on cryptogen (I have already recovered the ca certs and keys from cryptogen and put them in the ca servers). But I am also interested in the case where I would have to renew nearly expired certs, or worse, change all certs after they all expired.

Kelvin_Moutet (Thu, 17 Jan 2019 09:22:18 GMT):
Hi, what is the best practice (in production) to register and enroll a new user/peer? Should I use an SDK or use fabric-ca-client?

byra (Fri, 18 Jan 2019 00:14:17 GMT):
Has joined the channel.

rdbmsdata78 (Fri, 18 Jan 2019 00:28:27 GMT):
Has joined the channel.

amolpednekar (Fri, 18 Jan 2019 05:44:16 GMT):
fabric-ca-client is part of the SDK .. :thinking_face:

BellaAdams (Fri, 18 Jan 2019 08:19:11 GMT):
anchors.tx

BellaAdams (Fri, 18 Jan 2019 08:19:20 GMT):
how to decode anchors.tx using configtxlator?

Kelvin_Moutet (Fri, 18 Jan 2019 08:49:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fFTqNWtWAN2djJ3Pf) @amolpednekar I'm more talking about: is it better to use the SDK (nodejs, go or python) vs the fabric-ca-client *binary*?

gentios (Fri, 18 Jan 2019 09:40:32 GMT):
@Kelvin_Moutet definitely SDK, the binary is limiting you to low level commands

gentios (Fri, 18 Jan 2019 10:06:05 GMT):
@mastersingh24 regarding the question above, on using Let's Encrypt for the crypto material, should we use a reverse proxy such as NGINX also for mapping into our containers?

Yair (Fri, 18 Jan 2019 11:02:52 GMT):
Has joined the channel.

mastersingh24 (Fri, 18 Jan 2019 12:28:41 GMT):
@gentios - the only problem with a reverse proxy is discovery and gossip will not currently work as they require mutual TLS. If you use a straight TCP proxy at Layer 4 or an SSL bridge at Layer 3 then you should be ok. But if you terminate at Layer 7 in the proxy then you'll have issues

mastersingh24 (Fri, 18 Jan 2019 12:28:41 GMT):
@gentios - the only problem with a reverse proxy is discovery and gossip will not currently work as they require mutual TLS. If you use a straight TCP proxy at Layer 4 or an SSL bridge at Layer 3 then you should be ok

mastersingh24 (Fri, 18 Jan 2019 12:29:26 GMT):
For Fabric CA, there is no real issue putting a reverse proxy in front

mastersingh24 (Fri, 18 Jan 2019 12:29:26 GMT):
For Fabric CA, there are no issues putting a reverse proxy in front

gentios (Fri, 18 Jan 2019 12:32:32 GMT):
thank you @mastersingh24

dan13 (Fri, 18 Jan 2019 16:01:54 GMT):
Has joined the channel.

dabbertorres (Fri, 18 Jan 2019 18:21:20 GMT):
Hi, I've been intermittently encountering an issue when two entities happen to register a user with the same identity around the same time. Then, when trying to enroll as that user, I get the error: `Error Code: 0 rows were affected when updating the state of identity `. I'm using Postgres as the DB for the cert authority, and when I `psql` into it (the intermediate CA's DB), the users table does have two entries, with the same `id`. I noticed in the fabric-ca code that the table creation SQL does not set a primary key (or any unique columns). My current setup is using a single intermediate CA with a root CA. Has this been seen before? Searching Google/JIRA/Stackoverflow hasn't come up with any results. I'll appreciate any guidance, or if I should file an issue on JIRA, etc.

dabbertorres (Fri, 18 Jan 2019 18:21:20 GMT):
Hi, I've been intermittently encountering an issue when two entities happen to register a user with the same identity around the same time. Then, when trying to enroll as that user, I get the error: `Error Code: 0 - 2 rows were affected when updating the state of identity `. I'm using Postgres as the DB for the cert authority, and when I `psql` into it (the intermediate CA's DB), the users table does have two entries, with the same `id`. I noticed in the fabric-ca code that the table creation SQL does not set a primary key (or any unique columns). My current setup is using a single intermediate CA with a root CA. Has this been seen before? Searching Google/JIRA/Stackoverflow hasn't come up with any results. I'll appreciate any guidance, or if I should file an issue on JIRA, etc.

skarim (Fri, 18 Jan 2019 19:48:46 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=skj5fDWuejM7vmeiS) @dabbertorres You should not have been able to register two identities with the same username. If you try to register an identity with the same username the second time, you should get an error. But you said that the registering is happening around the same time, perhaps there is a race condition here. If you have your server logs with debug enabled from the double registration, please share.

dabbertorres (Fri, 18 Jan 2019 23:27:33 GMT):

fabric-ca-server-logs.log

dabbertorres (Fri, 18 Jan 2019 23:27:40 GMT):
@skarim That's been my guess on what's going on. Here's the (debug) server logs starting from the first registration to the enrollment attempts.

dabbertorres (Fri, 18 Jan 2019 23:27:40 GMT):
@skarim That's been my guess on what's going on. Here's the (debug) server logs starting from the first registration to the enrollment attempts. https://chat.hyperledger.org/channel/fabric-ca?msg=inuTPYwfxdKsPrLXW

lcj (Sat, 19 Jan 2019 06:07:09 GMT):
hello everyone. i have a question. how to install fabric-ca as a systemd service? thank you!! :bow:

lcj (Sat, 19 Jan 2019 07:12:35 GMT):
I found it. Thank you

viktoriya (Sat, 19 Jan 2019 18:13:03 GMT):
Has joined the channel.

milko.mitropolitsky (Sat, 19 Jan 2019 20:06:02 GMT):
Has joined the channel.

milko.mitropolitsky (Sat, 19 Jan 2019 20:20:16 GMT):
Hello, I am trying to implement the following scenario: Org1 is creating a channel and is installing Java chaincode. Org2 and Org3 need to add a transaction, i.e. call a method of the chaincode, without revealing their identity. It is really important that no user from Org1 knows which organization created the transaction, i.e. if it is a member of Org2 or Org3. From my research I found out that this is supposed to be done with Idemix. I am now stepping on top of the basic-network. I successfully managed to install the chaincode to the peer and am invoking it without problems. However, when I try to pass the user enrollment through the idemix `caClient.idemixEnroll`, the same scenario is not working. I have an "access denied" response. I tried editing the policies in configtx.yml and in the chaincode configuration during instantiation, but without any success. My question is, first: do you think this scenario that I described is feasible with fabric and fabric-ca, and second, what might be the problem with the Idemix enrollment?

milko.mitropolitsky (Sat, 19 Jan 2019 20:20:16 GMT):
Hello, I am trying to implement the following scenario: Org1 is creating a channel and is installing Java chaincode. Org2 and Org3 need to add a transaction, i.e. call a method of the chaincode, without revealing their identity. It is really important that no user from Org1 knows which organization created the transaction, i.e. if it is a member of Org2 or Org3. From my research I found out that this is supposed to be done with Idemix. I am now stepping on top of the basic-network. I successfully managed to install the chaincode to the peer and am invoking it without problems. However, when I try to pass the user enrollment through the idemix `caClient.idemixEnroll`, the same scenario is not working. I have an `access denied` response. I tried editing the policies in configtx.yml and in the chaincode configuration during instantiation, but without any success. My question is, first: do you think this scenario that I described is feasible with fabric and fabric-ca, and second, what might be the problem with the Idemix enrollment?

milko.mitropolitsky (Sat, 19 Jan 2019 20:20:16 GMT):
Hello, I am trying to implement the following scenario: Org1 is creating a channel and is installing Java chaincode. Org2 and Org3 need to add a transaction, i.e. call a method of the chaincode, without revealing their identity. It is really important that no user from Org1 knows which organization created the transaction, i.e. if it is a member of Org2 or Org3. From my research I found out that this is supposed to be done with Idemix. I am now stepping on top of the basic-network. I successfully managed to install the chaincode to the peer and am invoking it without problems. However, when I try to pass the user enrollment through the idemix `caClient.idemixEnroll`, the same scenario is not working. I have an `access denied` response. Error in the peer logs is: `ValidateProposalMessage -> WARN 056 channel [mychannel]: MSP error: could not decode the PEM structure` I tried editing the policies in configtx.yml and in the chaincode configuration during instantiation, but without any success. My question is, first: do you think this scenario that I described is feasible with fabric and fabric-ca, and second, what might be the problem with the Idemix enrollment?

pumicerD (Sat, 19 Jan 2019 22:09:02 GMT):
Has joined the channel.

jarvis26 (Sun, 20 Jan 2019 04:44:47 GMT):
Hi.. I am trying to setup fabric ca server using docker. Could any body please help me with how to set the environment variable for `FABRIC_CA_SERVER_REGISTRY_IDENTITIES` as an array for multiple entries of identities (name, password, type, affiliation etc).

varuntejay (Sun, 20 Jan 2019 18:09:27 GMT):
Has joined the channel.

varuntejay (Sun, 20 Jan 2019 18:12:26 GMT):
Hi, I've enrolled admin and user using fabric-sdk by giving my own secret (password). I've seen that when I use the getUserContext('user1',true) function it is returning me the user without asking for the secret that I set during enrollment. Can someone please let me know how I set the password check for this?

varuntejay (Sun, 20 Jan 2019 18:20:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zFSvNxe6cP73hftKa) @lcj Hi, can you please let me know the procedure to do the same

varuntejay (Sun, 20 Jan 2019 18:23:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JtcRHYqdbikE53P9c) @AndresMartinezMelgar.itcl You can generate the certificates using openssl command ecparam:prime256v1 params similar to cryptogen

Rrp1989 (Mon, 21 Jan 2019 00:40:56 GMT):
Has joined the channel.

AbhishekDudhrejia (Mon, 21 Jan 2019 05:34:35 GMT):
Has joined the channel.

SethiSaab (Mon, 21 Jan 2019 06:22:46 GMT):
Hi guys

SethiSaab (Mon, 21 Jan 2019 06:22:58 GMT):
I am getting the following error while integrating AD with Hyperledger

SethiSaab (Mon, 21 Jan 2019 06:22:58 GMT):
Error: POST failure of request: POST http://localhost:7054/enroll {"hosts":["cz-1011"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBPjCB5QIBADBeMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDzANBgNV\nBAMTBlJvYmVydDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL0aTZWfNaFfc3Wl\nNNvOG/qUlzVXijnYo0T7cQFynegrlCb7n6kXDXCzATWocz/ud8YFqzf5TsyG/Kr/\n7oR7clugJTAjBgkqhkiG9w0BCQ4xFjAUMBIGA1UdEQQLMAmCB2N6LTEwMTEwCgYI\nKoZIzj0EAwIDSAAwRQIhAMEb/rxX2H8MQEXS6Xakcnba+WL9NdcmHTwJVkXE+axg\nAiBRvYjDgK6yeAwzf9wT8QuZhBKlvJ0CLfBJsA6rcWpuiQ==\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":"","attr_reqs":[{"name":"hf.GenCRL"}]}: Post http://localhost:7054/enroll: dial tcp 127.0.0.1:7054: connect: connection refused

SethiSaab (Mon, 21 Jan 2019 06:23:09 GMT):
could someone please help me

SethiSaab (Mon, 21 Jan 2019 06:23:11 GMT):
?

s201003018 (Mon, 21 Jan 2019 06:24:09 GMT):
Has joined the channel.

qubing (Mon, 21 Jan 2019 06:57:50 GMT):
hi development team. I found there is only fabric-ca-client in the files on the nexus repository. Why not add fabric-ca-server into it? It's useful for installation without docker.

qubing (Mon, 21 Jan 2019 06:58:31 GMT):
Are there any special reasons?

harsha (Mon, 21 Jan 2019 06:59:50 GMT):
Hello, I understand we are leveraging Blowfish as an encryption algorithm, which was deprecated a long time ago; even Bruce Schneier recommends using Twofish. Is there any particular reason why we didn't move to Twofish in fabric-ca?

BellaAdams (Mon, 21 Jan 2019 09:35:59 GMT):
I use Fabric CA to generate fabric crypto materials

BellaAdams (Mon, 21 Jan 2019 09:36:13 GMT):
And now I want to add a new peer dynamically

BellaAdams (Mon, 21 Jan 2019 09:36:48 GMT):
But when I add the peer dynamically to the channel, i.e. let the peer join the channel

BellaAdams (Mon, 21 Jan 2019 09:36:58 GMT):
The error occurred

BellaAdams (Mon, 21 Jan 2019 09:37:05 GMT):
The error occurs

mastersingh24 (Mon, 21 Jan 2019 11:49:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HuLgC2DFf779SG7E8) @harsha Exactly where do you think we are using encryption?

harsha (Mon, 21 Jan 2019 12:21:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vSpSHuuoExWcnRJXm) @mastersingh24 I see a func named `TestSRVMultiCAIntermediates` under `github.com/hyperledger/fabric-ca/lib`; after profiling and reading through `go tool pprof -tree` there's a reference to `blowfish.encryptBlock`, which is coming from `vendor/golang.org/x/crypto/blowfish/cipher.go`

mastersingh24 (Mon, 21 Jan 2019 12:38:30 GMT):
@harsha - We don't use Blowfish directly for encryption ... we use the bcrypt password hashing algorithm (which is based on the Blowfish cipher). bcrypt is very secure and recommended for password hashing

varuntejay (Mon, 21 Jan 2019 12:55:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KuwpxRgcpkmgdv4ba) Any suggestion on above question?

Legiit (Mon, 21 Jan 2019 13:29:32 GMT):
Why is the Fabric-CA Sample gone on the 1.4 branch? https://github.com/hyperledger/fabric-samples/tree/release-1.3/fabric-ca

mastersingh24 (Mon, 21 Jan 2019 13:39:43 GMT):
It was using unsupported images

mastersingh24 (Mon, 21 Jan 2019 13:39:57 GMT):
which parts are you interested in?

Legiit (Mon, 21 Jan 2019 14:03:00 GMT):
How one would use the fabric-ca in production right now, where do all the artifacts come from (crypto config/genesis block etc) @mastersingh24

skarim (Mon, 21 Jan 2019 17:40:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9nG2W8dqaeemEWtyA) @SethiSaab It seems like the CA server you are trying to enroll with is not up, or you are using the wrong address

skarim (Mon, 21 Jan 2019 17:42:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mTRmPquy9NMvu2W4v) @varuntejay Which SDK are you using? You might get a quicker answer if you post in that respective SDK's channel

dabbertorres (Mon, 21 Jan 2019 21:22:00 GMT):
@skarim https://chat.hyperledger.org/channel/fabric-ca?msg=LMYxvRzRC4CfL5W6W

naqvijafar91 (Tue, 22 Jan 2019 06:13:15 GMT):
Has joined the channel.

naqvijafar91 (Tue, 22 Jan 2019 06:13:48 GMT):
Hi all, I want to implement user authentication at the chaincode level irrespective of organizations: a user can obtain a certificate from any organization on the network but still has a unique id which could be confirmed by the user's private key, similar to what happens in Ethereum. The user would have to keep his private key with him securely; whenever he imports the key into any organization's application, his public key is generated and he gets a certificate from the organization's CA. Then inside the chaincode, I derive the user's public key from the certificate and use it as the user id. Would that be the correct implementation?

sPadawan (Tue, 22 Jan 2019 06:38:52 GMT):
Has joined the channel.

naqvijafar91 (Tue, 22 Jan 2019 06:54:29 GMT):
MspId + CertId gives you a unique id at the chaincode level: 1. What would happen if the certificate is revoked? 2. Can a user use a certificate issued from msp of org1 via org2 peer?

sPadawan (Tue, 22 Jan 2019 07:07:13 GMT):
I have one question about the root CA. Is it possible to use a non-fabric-ca as the root CA? There is a similar question on stackoverflow. https://stackoverflow.com/questions/54139134/using-non-fabric-ca-as-a-parent-of-fabric-cas

naqvijafar91 (Tue, 22 Jan 2019 07:12:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=A5kdZScn78sDRh8Qg) there is also a question on stack overflow regarding this https://stackoverflow.com/questions/54302945/unique-id-for-a-user-across-multiple-organizations-for-acl-at-the-chaincode-leve

mattmaru (Tue, 22 Jan 2019 11:11:05 GMT):
Has joined the channel.

mattmaru (Tue, 22 Jan 2019 11:12:01 GMT):
Hi guys. I've a little question for you. I'm trying to add a peer to basic-network (fabcar) and I've a problem with the ca.example.com container.

mattmaru (Tue, 22 Jan 2019 11:12:43 GMT):
docker logs ca.example.com tells me that the public key and private key were not found

mattmaru (Tue, 22 Jan 2019 11:15:29 GMT):
log : "Error: Failed to find private key for certificate in '/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem': Could not find matching private key for SKI: Failed getting key for SKI [[206 84 231 75 34 90 218 50 227 110 155 142 163 3 184 167 42 70 79 10 19 52 238 147 212 158 251 82 193 203 157 205]]: Key with SKI ce54e74b225ada32e36e9b8ea303b8a72a464f0a1334ee93d49efb52c1cb9dcd not found in /etc/hyperledger/fabric-ca-server/msp/keystore "

mattmaru (Tue, 22 Jan 2019 11:17:27 GMT):
But I never changed the ca container ... I just delete the config and crypto-config folders and run generate.sh to generate crypto materials, and next I run startFabric.sh .... All is ok but the ca.example.com container always ends up on EXIT

mattmaru (Tue, 22 Jan 2019 11:20:04 GMT):
this is my docker-compose.yml https://pastebin.com/QnNjNjxC

mattmaru (Tue, 22 Jan 2019 11:21:22 GMT):
this is my startFabric.sh : https://pastebin.com/d1eU9t8Z

mattmaru (Tue, 22 Jan 2019 11:21:51 GMT):
and this is my start.sh : https://pastebin.com/hxn1cwkX

mattmaru (Tue, 22 Jan 2019 11:22:16 GMT):
Could someone help me please? I don't know what to do

mastersingh24 (Tue, 22 Jan 2019 11:27:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qcFLbgYozT4mKQNuG) @naqvijafar91 https://stackoverflow.com/a/54307264/6160507

pumicerD (Tue, 22 Jan 2019 11:39:30 GMT):
@mattmaru did you modify the FABRIC_CA_SERVER_CA_KEYFILE environment variable in _docker-compose.yml_ after regenerating the crypto-config folder ?

mattmaru (Tue, 22 Jan 2019 11:46:19 GMT):
how can I edit it? @pumicerD

mattmaru (Tue, 22 Jan 2019 11:47:18 GMT):
and when? my only step is run startFabric.sh

mattmaru (Tue, 22 Jan 2019 11:49:54 GMT):
my steps are: 1) delete config and crypto-config folders 2) run generate.sh 3) run startFabric.sh

pumicerD (Tue, 22 Jan 2019 11:51:32 GMT):
@mattmaru at line 19 in _docker-compose.yaml_ you set _FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c_sk_ for your CA container. After you ran generate.sh the private key file in _/crypto-config/peerOrganizations/org1.example.com/ca/_ is a new file, with a different name

pumicerD (Tue, 22 Jan 2019 11:52:05 GMT):
so just make sure to adjust this line every time after running generate.sh and before bringing up the network with startFabric.sh

mattmaru (Tue, 22 Jan 2019 11:53:23 GMT):
I love you ... are you telling me that I need to edit the file name?

mattmaru (Tue, 22 Jan 2019 11:53:30 GMT):
or path?

pumicerD (Tue, 22 Jan 2019 11:53:53 GMT):
the filename

mattmaru (Tue, 22 Jan 2019 11:54:17 GMT):
oh thanks, I will try as soon as possible

pumicerD (Tue, 22 Jan 2019 11:54:41 GMT):
set FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/ you can check _/crypto-config/peerOrganizations/org1.example.com/ca/_ for this name

mattmaru (Tue, 22 Jan 2019 11:55:17 GMT):
love you <3

pumicerD (Tue, 22 Jan 2019 11:55:34 GMT):
_./crypto-config/peerOrganizations/org1.example.com/ca/_ that is

mattmaru (Tue, 22 Jan 2019 11:55:49 GMT):
thanks man, I'm trying to do that

mattmaru (Tue, 22 Jan 2019 11:57:34 GMT):
@pumicerD I need to edit only the key file, right?

mattmaru (Tue, 22 Jan 2019 11:59:04 GMT):
THANKS IT RAN !!!! thanks a lot

mattmaru (Tue, 22 Jan 2019 11:59:05 GMT):
<3

pumicerD (Tue, 22 Jan 2019 11:59:14 GMT):
Good luck with the rest

pumicerD (Tue, 22 Jan 2019 18:29:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-questions?msg=HKZ2Mh2DrZYPQMY6n) I tried setting the Orderer Capabilities in _configtx.yaml_ to both V1_1 and V1_3 with no success

pumicerD (Tue, 22 Jan 2019 18:30:35 GMT):
Does anyone know how to set the MSP version for the orderer nodes?

incarose (Wed, 23 Jan 2019 00:20:52 GMT):
Has joined the channel.

skarim (Wed, 23 Jan 2019 01:49:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Jvd3wkLEtaqzD6K37) @dabbertorres This is going to require some deep investigating, I suggest that you open up a JIRA against fabric ca to track this issue

AkhilKura (Wed, 23 Jan 2019 09:26:12 GMT):
Has joined the channel.

mastersingh24 (Wed, 23 Jan 2019 11:16:01 GMT):
@dabbertorres - what version are you using? I recall fixing a similar issue at some point @skarim

mastersingh24 (Wed, 23 Jan 2019 11:16:01 GMT):
@dabbertorres - what version are you using? @skarim I recall fixing a similar issue at some point

mastersingh24 (Wed, 23 Jan 2019 11:16:01 GMT):
@dabbertorres - what version are you using? @skarim I recall fixing a similar issue at some point - https://gerrit.hyperledger.org/r/#/c/10453/

pumicerD (Wed, 23 Jan 2019 13:51:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-questions?msg=HKZ2Mh2DrZYPQMY6n) I tried setting the Orderer Capabilities in _configtx.yaml_ to both V1_1 and V1_3 with no success

dabbertorres (Wed, 23 Jan 2019 14:25:53 GMT):
@mastersingh24 We've seen this with 1.3 and 1.4. The logs in the issue you linked seem to be a different issue. I'm unable to enroll at all due to a user id being in the users table more than once. @skarim Thanks, I created a bug: https://jira.hyperledger.org/browse/FABC-801

knagware9 (Thu, 24 Jan 2019 06:25:33 GMT):
How can I use fabric-ca to create crypto materials, the genesis.block and the channel.tx file?

AndresMartinezMelgar.itcl (Thu, 24 Jan 2019 07:09:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JXQA2WxRFyM4PBx9g) @knagware9 I have the same question

knagware9 (Thu, 24 Jan 2019 08:02:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zaMDrw9HXr9fx4ETj) @AndresMartinezMelgar.itcl I found this article https://www.cnblogs.com/llongst/p/9786024.html & https://youtu.be/qvOXJAzgbC4 but haven't tried them

AndresMartinezMelgar.itcl (Thu, 24 Jan 2019 08:13:31 GMT):
thx, i'll check them

BellaAdams (Thu, 24 Jan 2019 08:35:41 GMT):
Hello. I have a question. When I enroll a certificate from Fabric CA, is there a copy of the private key on the Fabric CA server?

BellaAdams (Thu, 24 Jan 2019 08:39:22 GMT):
And how do I get the certificate I enrolled last time?

khalifa (Thu, 24 Jan 2019 09:17:21 GMT):
Hi All, I am trying to create a network with multiple CAs and dynamic users (I have to add/revoke some user certificates). Each organisation already has its CA. Is it possible to configure my BC with these existing CAs, or do they have to belong to the same root CA? Thank you in advance for your responses.

eliseba (Thu, 24 Jan 2019 10:50:34 GMT):
Has joined the channel.

pumicerD (Thu, 24 Jan 2019 10:54:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-questions?msg=HKZ2Mh2DrZYPQMY6n) I tried setting the Orderer Capabilities in _configtx.yaml_ to both V1_1 and V1_3 with no success

NitheshS (Thu, 24 Jan 2019 11:39:00 GMT):
Has joined the channel.

jarvis26 (Thu, 24 Jan 2019 14:50:21 GMT):
Hi.. I am trying to register a new peer identity with the fabric-ca-server using this command - `fabric-ca-client register --url https://:7054 --tls.certfiles /var/hyperledger/ca-cert.pem --id.name peer1 --id.type peer --id.secret peer1pw -c /var/hyperledger/fabric-ca-client-config-peer.yaml --debug --id.maxenrollments -1 --id.affiliation org1.department1` But I am getting this error every time - ```2019/01/24 14:49:23 [ERROR] Enrollment check failed: Idemix enrollment information does not exist Error: Enrollment information does not exist. Please execute enroll command first. ```

jarvis26 (Thu, 24 Jan 2019 14:50:54 GMT):
Could anybody suggest how to fix this?

antoniovassell (Thu, 24 Jan 2019 17:01:24 GMT):
hi all, are the `fabric-ca-peer` and related images deprecated?

antoniovassell (Thu, 24 Jan 2019 17:02:34 GMT):
I had built an application based on those images. I no longer see them in release-1.4, at least not in the examples

antoniovassell (Thu, 24 Jan 2019 17:03:34 GMT):
or on docker hub

antoniovassell (Thu, 24 Jan 2019 17:04:26 GMT):
Please let me know, thanks. I had initially used these images as they were the only ones that worked properly with an HSM

antoniovassell (Thu, 24 Jan 2019 17:05:41 GMT):
or is it that we have to manually build these?

GuillaumeCisco (Fri, 25 Jan 2019 08:40:11 GMT):
yes @antoniovassell there is a discussion about this

GuillaumeCisco (Fri, 25 Jan 2019 08:52:47 GMT):
You can follow these issues: https://jira.hyperledger.org/browse/FABC-131 https://jira.hyperledger.org/browse/FABCI-24 https://jira.hyperledger.org/browse/FABC-781

GuillaumeCisco (Fri, 25 Jan 2019 10:47:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=G235jxAMcKt4sogAh) You first need to enroll as a user which is allowed to register identities. Did you do it?

VadimInshakov (Fri, 25 Jan 2019 13:39:33 GMT):
Do I understand correctly how PKI in Fabric works? 1. Actor signs message and attaches certificate to message. 2. Recipient decrypts cert with the public key of CA. 3. In decrypted cert it finds public key of actor. 4. Recipient decrypts signature of message with pubkey of actor.

skarim (Fri, 25 Jan 2019 14:38:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=G235jxAMcKt4sogAh) @jarvis26 Have you first enrolled the bootstrap admin identity? You need an already enrolled admin identity to be able to register new users

skarim (Fri, 25 Jan 2019 14:41:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mTbzz9kNpWj7XCiRY) @BellaAdams The private key is not generated on the server and thus is not stored on the server; the private key will only be available on the client. The client should already have the certificate that was issued to it via enroll. Otherwise, I would look into the certificates API: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#manage-certificates

VadimInshakov (Fri, 25 Jan 2019 14:49:18 GMT):
please check my understanding: https://chat.hyperledger.org/channel/fabric-ca?msg=SkBMQdzeot89ZFhxa

antoniovassell (Fri, 25 Jan 2019 15:52:24 GMT):
@GuillaumeCisco thanks so much for responding. On https://jira.hyperledger.org/browse/FABC-781 , given the last comment from *yuxiang liu*, do you know where I could find these integration tests that interact with the fabric-ca images? Such as doing registration of identities, etc.? I was expecting to find them here: https://github.com/hyperledger/fabric-ca

GuillaumeCisco (Fri, 25 Jan 2019 16:01:28 GMT):
You're welcome @antoniovassell Sadly I do not know :/ I think they are not created yet...

antoniovassell (Fri, 25 Jan 2019 16:04:09 GMT):
@GuillaumeCisco Okay. I am a bit confused: cryptogen isn't recommended for use in production, but where is recent documentation or examples on using fabric-ca images the correct way? I am looking for the long-term solution, as updating or redeploying in "production" sucks

GuillaumeCisco (Fri, 25 Jan 2019 16:04:37 GMT):
For instance, there is almost nothing in fabric-sdk-py regarding fabric-ca. But you can find some for fabric-sdk-node: https://github.com/hyperledger/fabric-sdk-node/tree/release-1.4/test/integration

GuillaumeCisco (Fri, 25 Jan 2019 16:05:26 GMT):
Yes we have the same issue @antoniovassell That's why I'm currently implementing fabric-sdk-py methods. But it will take time

antoniovassell (Fri, 25 Jan 2019 16:12:28 GMT):
@GuillaumeCisco okay, I've been checking out the node SDK. I was hoping I could interact directly with them rather than through the JS SDK, but I will look into it some more.

silliman (Fri, 25 Jan 2019 16:35:31 GMT):
The Fabric-CA sample that was recently removed from fabric-samples looks like it may have landed here, but I don't know if it has been modified to be in accord with "best practices", which was supposedly the reason it was removed from fabric-samples... I haven't looked at it since it moved: https://github.com/hyperledger/fabric-test/tree/master/fca-sample

antoniovassell (Fri, 25 Jan 2019 18:08:48 GMT):
@silliman okay interesting. checking it out

jarvis26 (Sat, 26 Jan 2019 04:34:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2DC5ih35By9YnXJX4) @GuillaumeCisco Yes, I did with the admin identity. I was able to fix this by removing the -c tag with the path to the peer configuration file. When this was given, it was searching for the signer's identity in the peer's msp folder.

lcj (Sat, 26 Jan 2019 06:40:31 GMT):
@varuntejay the next step is to run fabric-ca as a systemd service:
```
git clone https://github.com/hyperledger/fabric-ca.git
git checkout v1.3.0
make fabric-ca-server
make fabric-ca-client
fabric-ca-server init -b admin:adminpw
```

jarvis26 (Sat, 26 Jan 2019 15:10:35 GMT):
Hi..I was looking into the Idemix functionality in the newer fabric-ca release. What I get from the documentation is ```Idemix allows users to authenticate with verifiers without the involvement of the issuer (CA) and selectively disclose only those attributes that are required by the verifier and can do so without being linkable across their transactions. ``` Who exactly are the `verifiers` here and what does `selective disclosure of attributes` mean?

khudeja (Sun, 27 Jan 2019 07:24:46 GMT):
Has joined the channel.

lip-inagora (Mon, 28 Jan 2019 00:21:22 GMT):
Has joined the channel.

DaraPenhchet (Mon, 28 Jan 2019 02:01:41 GMT):
Hello everyone, do you know how I could check whether a certificate from Fabric CA is valid in Fabric SDK Java?

kevinkbc (Mon, 28 Jan 2019 11:31:09 GMT):
Has joined the channel.

peter.danko (Mon, 28 Jan 2019 11:35:25 GMT):
Has joined the channel.

kevinkbc (Mon, 28 Jan 2019 12:16:58 GMT):
How do you disenroll a user? I am using golang chaincode and java sdk, fabric v 1.2

edisinovcic (Mon, 28 Jan 2019 13:13:33 GMT):
Has joined the channel.

basantanickal (Mon, 28 Jan 2019 13:44:06 GMT):
Has joined the channel.

pasimoes (Mon, 28 Jan 2019 14:36:55 GMT):
Has joined the channel.

SethiSaab (Mon, 28 Jan 2019 14:39:03 GMT):
Hi Team, I have integrated OUD (Oracle Unified Directory) with Hyperledger Fabric. What I can see is that certificates are getting saved on my local system. Could someone tell me how to save the certs in OUD itself or in some other database?

pasimoes (Mon, 28 Jan 2019 14:42:25 GMT):
Hi team, what is the most common (or recommended) key size used to generate certificates for participants? 256 or 384?

skarim (Mon, 28 Jan 2019 14:52:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5739GpSNciPxJKqZB) @jarvis26 Have you read this doc? https://hyperledger-fabric.readthedocs.io/en/release-1.4/idemix.html

skarim (Mon, 28 Jan 2019 14:52:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=S5LaxCmGYdbYH7yzc) @kevinkbc Please see my response in the #fabric-sdk-java channel

deelthor (Mon, 28 Jan 2019 14:54:11 GMT):
Has joined the channel.

deelthor (Mon, 28 Jan 2019 14:54:23 GMT):
Hi guys. I had an already running network. Now I had to restart a peer and the password for enrolling the peer at the ca is also gone. Now the Peer comes up and tries to enroll with a new password. But it fails since the Peer was already registered and enrolled with a different password before. Any ideas?

ooharawork (Tue, 29 Jan 2019 01:21:24 GMT):
Hello, I notice that in Fabric CA, any enrollee (user) can set an arbitrary expiry date on the certificate they enroll. Does someone know anything about this? I'm planning to create a JIRA issue because I don't think it is a desired behavior, unless it turns out to be by design.

skarim (Tue, 29 Jan 2019 02:18:38 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=rE2oWbqEsWkDq9ibK) @ooharawork Where do you see that the user can specify the expiry date? The length of time before the certificate expires is set on the server side

ooharawork (Tue, 29 Jan 2019 04:12:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MP8DPc8BFaQWG9But) @skarim In the current fabric-ca-server implementation, the server actually sets the length of time based on a request from the client. By default, the client sets a special zero value in the request, with which the server will fall back to the default behavior and set an expiry date based on profiles. As fabric-ca-client by default has no command line switch etc. to set the date in the request, normally it works fine. However, once a modified client that can specify the date makes a request, the server does not check the validity of the date, hence an arbitrary expiry date will be set on the enrolled certificate.

knagware9 (Tue, 29 Jan 2019 04:55:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iyxT4xBLNmFMMjdnM) @pasimoes 256

bricakeld (Tue, 29 Jan 2019 10:11:22 GMT):
hi all, there is a guide for adding a new org to a channel, but the guide is using cryptogen, is there any corresponding guide for fabric-ca?

skarim (Tue, 29 Jan 2019 16:51:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mH7RKrLvsrCpPx49B) @ooharawork I see what you are saying, the requested certificate expiration time should not be able to exceed what is defined on the server for that profile. If a user makes such a request, an error should be thrown. However, if the requested expiration time is below what is defined on the server for that profile, then it should be okay. Please open a JIRA.

GuillaumeCisco (Tue, 29 Jan 2019 17:48:32 GMT):
quick question, I tried to delete an identity with fabric-ca, and I got this error: `Identity removal is disabled` Does someone know how to enable identity removal?

skarim (Tue, 29 Jan 2019 17:49:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uHiSbxzLi4pyimJnE) @GuillaumeCisco When you start the server you need to specify this flag `--cfg.identities.allowremove`

GuillaumeCisco (Tue, 29 Jan 2019 18:03:24 GMT):
Thanks @skarim , do you know if we can override this inside the fabric-ca-server-config.yaml?

GuillaumeCisco (Tue, 29 Jan 2019 18:06:49 GMT):
looks like already discussed here: https://jira.hyperledger.org/browse/FABC-503

GuillaumeCisco (Tue, 29 Jan 2019 18:08:54 GMT):
and you created a gerrit which was abandoned

GuillaumeCisco (Tue, 29 Jan 2019 18:10:37 GMT):
Furthermore, I've just tested this option and I got the same error :/

skarim (Tue, 29 Jan 2019 18:12:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9XKTRsEuRKKA7kp3E) @GuillaumeCisco Did you set it through the yaml file or flag?

ooharawork (Wed, 30 Jan 2019 05:35:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hQ6JzZHhikNMJxPg5) @skarim Thanks for the comment. Opened as https://jira.hyperledger.org/browse/FABC-806.

GuillaumeCisco (Wed, 30 Jan 2019 08:48:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yRxmwJq7pH5p2Qowp) I've tested it through the cli like `fabric-ca-server start --cfg.identities.allowremove`

GuillaumeCisco (Wed, 30 Jan 2019 09:30:37 GMT):
@skarim , Interestingly I use a fabric-ca-server-config.yaml file and place it in the right folder for being used. Looking at the log I can see:
```
2019/01/30 09:23:43 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
2019/01/30 09:23:43 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
2019/01/30 09:23:43 [INFO] Server Version: 1.2.1
2019/01/30 09:23:43 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/01/30 09:23:43 [DEBUG] Making server filenames absolute
2019/01/30 09:23:43 [DEBUG] Initializing default CA in directory /etc/hyperledger/fabric-ca-server
2019/01/30 09:23:43 [DEBUG] Init CA with home /etc/hyperledger/fabric-ca-server and config {Version:1.2.1 Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}}
```
The cli parameter did not override the config file

GuillaumeCisco (Wed, 30 Jan 2019 09:32:29 GMT):
Adding:
```
cfg:
  affiliations:
    allowremove: true
  identities:
    allowremove: true
```
in the config file makes it work

GuillaumeCisco (Wed, 30 Jan 2019 09:48:54 GMT):
New question, I'm testing the identity update method. When I update the secret used for enrolling, the user is updated correctly: I cannot enroll with the old password, and can with the new one. Unfortunately, when I pass `maxEnrollments` or `affiliation` to update, these parameters are not updated when I get back the object from the server, even if the ca server tells me everything worked. Is this normal?

GuillaumeCisco (Wed, 30 Jan 2019 09:57:40 GMT):
I get it for affiliation with this line: https://github.com/hyperledger/fabric-ca/blob/ef74d7e4ff826781626559612c21053fb54152ad/lib/serveridentities.go#L456 (as I passed the value `'.'`)

GuillaumeCisco (Wed, 30 Jan 2019 10:06:18 GMT):
Ok I just found out why. There is a bug in the fabric-sdk-node. fabric-ca code waits for a `max_enrollments` key: https://github.com/hyperledger/fabric-ca/blob/ef74d7e4ff826781626559612c21053fb54152ad/api/client.go#L222 fabric-sdk-node sends a `maxEnrollments` key: https://github.com/hyperledger/fabric-sdk-node/blob/release-1.4/fabric-ca-client/lib/IdentityService.js#L227

GuillaumeCisco (Wed, 30 Jan 2019 10:06:28 GMT):
I will make a PR

GuillaumeCisco (Wed, 30 Jan 2019 10:26:50 GMT):
https://gerrit.hyperledger.org/r/#/c/29023/

KartikChauhan (Wed, 30 Jan 2019 10:43:50 GMT):
Has joined the channel.

KartikChauhan (Wed, 30 Jan 2019 10:45:58 GMT):
How can I invoke chaincode with a new user that wasn't created by the command `cryptogen generate --config=./crypto-config.yml`? I registered and enrolled that user in the fabric-ca container and its certificates don't exist in either the cli or the peer container. Do I need to send its certificates from the fabric-ca docker container to the peer container in order to invoke chaincode with the new user?

kYem 1 (Wed, 30 Jan 2019 12:57:13 GMT):
Has joined the channel.

VadimInshakov (Wed, 30 Jan 2019 13:32:18 GMT):
Help please: https://chat.hyperledger.org/channel/fabric-sdk-node?msg=fdKWNf2hR8uxTZYfQ

viktoriya (Wed, 30 Jan 2019 15:19:33 GMT):
Hi guys, I am trying to use Idemix functionality and I successfully enrolled an idemix user. But I can't query any chaincode, I always receive the following error: `[protoutils] ValidateProposalMessage -> WARN 4034 channel [mychannel]: creator certificate is not valid: Failed verifing with opts [&{ [] [{1 [111 114 103 49]} {2 1} {0 } {0 }] 3 [] 0 0xc002070060 0}]: signature invalid: APrime and ABar don't have the expected structure`. Can anyone help me? @skarim

HLFPOC (Wed, 30 Jan 2019 17:54:03 GMT):
Has joined the channel.

HLFPOC (Wed, 30 Jan 2019 17:57:38 GMT):
Hi team, is there any tutorial or guide one can refer to for issuing and enrolling peer, orderer and other user identities using fabric-ca (I would recommend using the fabric-ca node SDK)? I have gone through the fabric-ca sample which is in the github repo, but I came to know later that it is not best practice to have the fabric-ca server and client running in docker containers. So can any of you kindly guide how to use fabric-ca efficiently?

ConnorChristie (Thu, 31 Jan 2019 02:29:24 GMT):
Has joined the channel.

ConnorChristie (Thu, 31 Jan 2019 02:34:00 GMT):
Hi all, is there any documentation on how an enrollment token should be created for a GET request to the ca client API which includes query params? I am able to authenticate POST requests just fine but am having trouble figuring out the body structure to sign for the token. I have tried `base64('serial=12341234') . cert`, `base64('?serial=12341234') . cert`, and `base64('api/v1/certificates?serial=12341234') . cert` but none seem to work.

ConnorChristie (Thu, 31 Jan 2019 02:34:46 GMT):
This is for the api/v1/certificates endpoint and I tried looking into both the Node SDK and go server but wasn't able to find anything in particular regarding GET requests with query params

ConnorChristie (Thu, 31 Jan 2019 02:36:48 GMT):
Here is the error message:
```
2019/01/31 02:14:18 [DEBUG] Processing certificate request
2019/01/31 02:14:18 [DEBUG] Caller is using a x509 certificate
2019/01/31 02:14:18 [INFO] 10.54.0.0:58763 GET /api/v1/certificates?serial=0d4ef2f9b50d749495910a8abb5d87da9033654e 401 25 "Invalid token in authorization header: Token signature validation failed"
```

ConnorChristie (Thu, 31 Jan 2019 02:39:13 GMT):
Oooh wait, nvm. I just tried it without anything in the "body" and that worked. I thought I originally tried that and it didn't work but it does now!

pumicerD (Thu, 31 Jan 2019 08:31:15 GMT):
@HLFPOC they removed the fabric-ca sample from the samples repo in 1.4 because it was using outdated images; it's now in https://github.com/hyperledger/fabric-test/tree/master/fca-sample and the setup of registering identities for peers and orderers is done with a _setup_ container, not from the _peers_ and _orderers_ containers directly. Is that what you are looking for?

pumicerD (Thu, 31 Jan 2019 08:41:43 GMT):
Hi guys, I am trying to use Idemix functionality and I successfully enrolled an idemix user. But I can't query any chaincode, I always receive the following error: `[protoutils] ValidateProposalMessage -> WARN 4034 channel [mychannel]: creator certificate is not valid: Failed verifing with opts [&{ [] [{1 [111 114 103 49]} {2 1} {0 } {0 }] 3 [] 0 0xc002070060 0}]: signature invalid: APrime and ABar don't have the expected structure` Can anyone help me?

gravity (Thu, 31 Jan 2019 15:45:29 GMT):
Hi all, could someone describe how to re-enroll enrollment certificates for peers, orderers etc.? thanks in advance

skarim (Thu, 31 Jan 2019 15:47:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EbdMF3FnGfr3DB8KA) @pumicerD It seems like you are trying to verify an x509 certificate against an Idemix MSP, or an Idemix credential not associated with the MSP ID. I imagine you are using the Java SDK; can you confirm that you have enrolled the user using the proper Idemix MSP ID (see: https://github.com/hyperledger/fabric-sdk-java/blob/master/src/test/java/org/hyperledger/fabric/sdkintegration/End2endIdemixIT.java#L130) and that you are using an Idemix credential and not an x509 certificate?

skarim (Thu, 31 Jan 2019 15:47:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fDQW9GgttdxY4oCgm) @viktoriya See my response above ^

supremo 1 (Fri, 01 Feb 2019 03:57:13 GMT):
Has joined the channel.

AkhilKura (Fri, 01 Feb 2019 08:39:39 GMT):
can we define the block size in hyperledger fabric?

rnisar (Fri, 01 Feb 2019 10:53:39 GMT):
Has joined the channel.

rnisar (Fri, 01 Feb 2019 12:24:21 GMT):
Hey Guys, I need to make the Fabric-CA-Server work with Root and Intermediate CA providers such as Digicert. How should I proceed? Should I just replace the certificates?

DavidP (Fri, 01 Feb 2019 14:54:43 GMT):
Has joined the channel.

GuillaumeCisco (Fri, 01 Feb 2019 16:33:07 GMT):
Hello there, I've just discovered that my tls-ca-cert generated from https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/serverconfig.html `tls.certfile` has different CN for Issuer and Subject. Is it normal?

mastersingh24 (Fri, 01 Feb 2019 23:37:21 GMT):
@GuillaumeCisco - this is normal ... the `tls.certfile` is not a root certificate ... it's a server TLS cert actually signed by the Fabric CA ... so the issuer subject should match the subject of the CA's root cert

SGJatla (Sat, 02 Feb 2019 12:55:38 GMT):
Has joined the channel.

nitishbhardwaj19 (Sun, 03 Feb 2019 04:46:32 GMT):
Has joined the channel.

Mozuffer (Sun, 03 Feb 2019 10:42:11 GMT):
Has joined the channel.

Legiit (Mon, 04 Feb 2019 07:42:59 GMT):
Hey guys! How can we prevent the need for the crypto-config folder to be present for the fabric-client SDK and instead go through the fabric-ca for these certs? I can assume we don't want all certificates in 1 place on the server

GuillaumeCisco (Mon, 04 Feb 2019 09:14:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FzbS8Gy3vy8FiZzwx) @mastersingh24 In fact, it was more deceitful than that. The subject CN got the hostname of the docker container it ran in. In my case it was a generated id like `d162912c8bf6`. I had to add the `hostname` attribute to my docker declaration and set it to the hostname of my rca server to get a correct CN.

GuillaumeCisco (Mon, 04 Feb 2019 09:15:32 GMT):
Interestingly, the ca-cert.pem did not show this issue.

HLFPOC (Mon, 04 Feb 2019 09:17:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KmGnWQ6YLdmJcWnX8) @Legiit Yes, instead of using cryptogen for generating all crypto material in the same place, we can use fabric-ca to generate certs for the respective peers and orderers. You can refer to this sample for achieving it: https://github.com/hyperledger/fabric-test/tree/master/fca-sample

GuillaumeCisco (Mon, 04 Feb 2019 09:32:48 GMT):
When trying to query our chaincode from the fabric-sdk-py we pass our generated tls-ca-cert.pem file. Unfortunately we got an error like: ``` ssl_transport_security.cc:1229] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED. ``` Any idea why we get a certificate verify failed? Our generated cert looks like: ``` Certificate: Data: Version: 3 (0x2) Serial Number: 72:fe:f0:06:5b:6e:65:84:e3:27:90:23:84:57:2c:98:83:f1:30:0c Signature Algorithm: ecdsa-with-SHA256 Issuer: C = FR, ST = Loire-Atlantique, L = Nantes, O = owkin, CN = rca-owkin Validity Not Before: Feb 1 14:47:00 2019 GMT Not After : Feb 1 14:47:00 2020 GMT Subject: C = FR, ST = Loire-Atlantique, L = Nantes, O = owkin, CN = rca-owkin Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:fc:a8:6d:a0:83:18:ad:a5:c9:1d:4b:97:4a:40: 79:43:f2:23:bd:33:15:be:68:dc:d8:1f:05:0f:34: 1b:9a:58:20:e9:98:6f:ec:e7:6c:4c:ad:0e:80:64: 0d:4a:5e:3e:71:bf:7e:37:f1:89:2e:6f:88:9d:10: 06:08:2c:45:d5 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: A6:1C:28:E7:BF:45:12:85:39:DB:F4:1A:00:F0:39:76:25:07:1F:01 X509v3 Authority Key Identifier: keyid:96:5A:E4:3B:0D:B7:35:56:69:79:1D:04:A7:DC:56:2D:B8:E0:BF:B8 X509v3 Subject Alternative Name: DNS:localhost, DNS:rca-owkin Signature Algorithm: ecdsa-with-SHA256 30:45:02:21:00:99:69:2a:0a:6d:a9:d1:e7:5b:34:40:cd:e4: 3a:ed:b9:e1:52:b6:85:31:31:d1:3b:59:a1:4a:76:e6:c3:e7: 32:02:20:1e:8b:d4:fe:00:98:f4:3b:5f:ea:ac:ac:f5:a3:39: d5:0d:dd:1b:a2:a7:02:60:6a:e7:06:e5:98:b7:16:15:0d ```

Legiit (Mon, 04 Feb 2019 10:46:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=m7DQFtLmzinXHhenc) So every org needs a root and intermediate CA to work and an org can consist of a peer, orderer, couchdb and all that?

Legiit (Mon, 04 Feb 2019 10:46:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=m7DQFtLmzinXHhenc) So every org needs a root and intermediate CA to work, and an org can consist of a peer, orderer, couchdb, all that? And hooking this up results in the fabric SDK on a remote location being able to initialize the fabric-client/ca instance

GuillaumeCisco (Mon, 04 Feb 2019 10:46:56 GMT):
non necessary need for an intermediate certificate

GuillaumeCisco (Mon, 04 Feb 2019 10:46:56 GMT):
no necessary need for an intermediate certificate

GuillaumeCisco (Mon, 04 Feb 2019 10:47:14 GMT):
no necessary need for couchdb either

Legiit (Mon, 04 Feb 2019 10:47:43 GMT):
well, we're using couchdb :D Just asking because in the example the peer etc have their own org

GuillaumeCisco (Mon, 04 Feb 2019 10:48:29 GMT):
The SDK will interact with fabric-server/ca, but you have to initialize your network first

Legiit (Mon, 04 Feb 2019 10:50:01 GMT):
Hmm, alright, I'm not 100% sure how this would look with the fabric-node-sdk, but I'll give it a go today and tomorrow

rnisar (Mon, 04 Feb 2019 15:00:12 GMT):
Hey guys, I need to change the Fabric-CA-Server to work with Root and Intermediate CA providers such as DigiCert. How should I proceed? Should I just replace the certificates?

gravity (Mon, 04 Feb 2019 17:30:27 GMT):
hi @skarim, I have a question regarding the TLS setup. Is it possible to enable TLS for a live network? I mean, if I start a network without TLS, will it be possible to enable TLS (generate all the certificates, including client certificates) for peers and orderers? Will it affect the network? Thanks in advance

thakurnikk (Tue, 05 Feb 2019 03:16:05 GMT):
Has joined the channel.

HLFPOC (Tue, 05 Feb 2019 03:56:11 GMT):
Hi Team, I am trying to enroll a user (using the fabric-ca node sdk) and want to save it in my cloudant db, however I am getting the below error on returning the FabricCAClient object, once the connection is established with the cloudant db: Error: Invalid connection options. Protocol must be set to 'http' or 'https'. My ca is running at: https://localhost:7054. Any idea about this error?

npc0405 (Tue, 05 Feb 2019 08:26:17 GMT):
When it comes to replacing the existing CA and crypto-config file with an external CA, what are the factors that need to be considered?

nasht00 (Tue, 05 Feb 2019 08:58:57 GMT):
Has joined the channel.

nasht00 (Tue, 05 Feb 2019 09:01:33 GMT):
Hello, in my application I want to do some pre-checks on the provided certificate. For example, I want to check the certificate path against a list of predefined CAs (similar to what the MSP is doing). Now to play with this, I'm running the fabric sample locally, which comes with fabric-ca. But I'm wondering, where can I find the CA certificate? So I can check the path of the user certificate against the CA that generated it?

pumicerD (Tue, 05 Feb 2019 09:06:53 GMT):
@nasht00 I would try `fabric-ca-client getcainfo -u `

ooharawork (Tue, 05 Feb 2019 09:11:31 GMT):
@nasht00 I thought what you meant was under `/cacerts`. Sorry if I'm wrong.

nasht00 (Tue, 05 Feb 2019 09:22:47 GMT):
I think what I am looking for is the opposite. I want to download the CA certificate so I can put it in that folder. @ooharawork [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vCjZgpSv25Bf7PZgo)

nasht00 (Tue, 05 Feb 2019 09:22:58 GMT):
Thanks I’ll try that @pumicerD [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=E4MS9xsgneaQSDEwf)

nasht00 (Tue, 05 Feb 2019 09:24:10 GMT):
Alternatively, can fabric's "MSP" feature be used as some standalone module or service to protect my NodeJS REST server? Since my plan is very very similar to what MSP does...

ooharawork (Tue, 05 Feb 2019 09:39:04 GMT):
@nasht00 If you use `fabric-ca-client enroll`, obtaining a certificate for your identity under `msp/signcerts`, I believe the CA certs are also placed under `msp/cacerts` already. So if you don't have cacerts, my assumption would be different from your actual environment..

Legiit (Tue, 05 Feb 2019 10:12:58 GMT):
can I send a CSR request to the fabric CA using javascript? I don't see any API information on this. I'd like to generate a user cert without using the fabric sdk/cli

nasht00 (Tue, 05 Feb 2019 10:45:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=woZP85N39Hva3pMrR) @ooharawork Where can I find my "msp folder" when running locally the demo docker?

nasht00 (Tue, 05 Feb 2019 10:55:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=E4MS9xsgneaQSDEwf) @pumicerD That worked thanks

pumicerD (Tue, 05 Feb 2019 11:47:23 GMT):
Is there any example on how to restrict access to a channel to specific _Organizational Units_ ? e.g. _org1.department2_ and _org2.department1_

nasht00 (Tue, 05 Feb 2019 12:49:54 GMT):
Does it make sense that, if 2 developers install and run the fabric sample on their computer, the CA certificate is the same for both?

sureshtedla (Tue, 05 Feb 2019 13:02:22 GMT):
@nasht00 If i add new user or participant in fabric is it possible to convert to PEM File?

sureshtedla (Tue, 05 Feb 2019 13:02:22 GMT):
If i add new user or participant in fabric is it possible to convert to PEM File?

sureshtedla (Tue, 05 Feb 2019 13:02:22 GMT):
If i add new user or participant in fabric is it possible to convert certificate to PEM File?

sureshtedla (Tue, 05 Feb 2019 13:02:22 GMT):
If I add a new user or participant in fabric, is it possible to convert the certificate to a PEM file? @ooharawork

ooharawork (Tue, 05 Feb 2019 14:17:46 GMT):
@nasht00 I assumed that you're using the `fabric-ca-client` command, installed directly on your computer or in your container. In both cases, when you invoke `fabric-ca-client enroll`, an msp will be installed under the directory you specify with the `-M` switch, or `/msp` by default. The ca-client-home is determined by the rules shown in the documentation: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#fabric-ca-client. If you're using `fabric-ca-client` via a docker container, the msp folder will be somewhere in a directory that is visible from your container. Normally, in the configuration file of your container (like `docker-compose.yaml`), you can find the fabric-ca-client folder to which a host folder is mounted via `volumes:` etc. That depends on how you execute `fabric-ca-client`.

ooharawork (Tue, 05 Feb 2019 14:26:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PGsYJvo8MxLSyWHSs) @sureshtedla If you use `fabric-ca-client enroll` to obtain your certificate, it should be already generated as .pem format. If you couldn't find a `.pem` file anywhere, what you did is somewhat different from typical `fabric-ca-client` operations...

ooharawork (Tue, 05 Feb 2019 14:31:48 GMT):
@sureshtedla I demonstrate a simple example as a hint: ``` $ fabric-ca-client register --id.name=peer1 --id.type=peer --id.secret=pw $ fabric-ca-client enroll -H peer1home -u http://peer1:pw@localhost:7054 $ find ./peer1home -name '*.pem' peer1/msp/cacerts/localhost-7054.pem peer1/msp/signcerts/cert.pem ``` Please refer to Fabric CA User's guide for details. https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html

ooharawork (Tue, 05 Feb 2019 14:31:48 GMT):
@sureshtedla I demonstrate a simple example as a hint: ``` $ fabric-ca-client register --id.name=peer1 --id.type=peer --id.secret=pw $ fabric-ca-client enroll -H peer1home -u http://peer1:pw@localhost:7054 $ find ./peer1home -name '*.pem' peer1home/msp/cacerts/localhost-7054.pem peer1home/msp/signcerts/cert.pem ``` Please refer to Fabric CA User's guide for details. https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html

ooharawork (Tue, 05 Feb 2019 14:36:10 GMT):
I have no expertise of the cases to use SDK for CA operations, not `fabric-ca-client` and don't know if they are interoperable (convert from `fabric-ca-client` to SDK form or vice versa)..

ooharawork (Tue, 05 Feb 2019 14:36:10 GMT):
I have no expertise in the cases where the SDK is used for CA operations instead of the `fabric-ca-client` binary, and I don't know if they are interoperable (converting MSPs generated by the `fabric-ca-client` binary to the format which the SDK needs, or vice versa)..

skarim (Tue, 05 Feb 2019 14:42:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YJ6f9JxT2x2TfwdDn) @gravity Enabling TLS will require restarting the servers. However, I would get all the TLS crypto for all the entities on the network before you enable TLS. This is especially important if you are going to have mutual auth, otherwise you will end up restricting access for all your clients.

skarim (Tue, 05 Feb 2019 14:44:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zpnzLPHTNGXD3EWR9) @Legiit By sending CSR, I imagine you are trying to enroll. There is an enroll REST API, you can find info here: https://github.com/hyperledger/fabric-ca/blob/release-1.4/swagger/swagger-fabric-ca.json#L229 You should be able to send your request to this endpoint

gravity (Tue, 05 Feb 2019 21:29:43 GMT):
@skarim If I understood correctly, the following flow should be fine (please correct me if I'm wrong): configure and start a network without TLS -> work with the network for some time with that setup -> shut down the network -> enroll all TLS certificates (+ for clients, for mutual TLS) -> enable TLS for peers, orderers, ca -> start the network again and continue working with the network from the place where we stopped it before enabling TLS

sureshtedla (Wed, 06 Feb 2019 09:25:38 GMT):
@ooharawork Hi, we are integrating a non-blockchain application with Hyperledger Fabric. In that case, when we connect the non-blockchain app with Hyperledger, it will accept only a JKS keystore, a DER-encoded object or PKCS7 to perform transactions in Hyperledger

sureshtedla (Wed, 06 Feb 2019 09:26:41 GMT):
does hyperledger fabric support JKS keystore, DER or PKCS7 file extensions?

nasht00 (Wed, 06 Feb 2019 09:28:15 GMT):
Hello, running some demo code, I generated a user's fabric identity (private key and certificate). Someone pointed out that the key is "elliptic". I'm no expert in cryptography. But I need to know, will the key/cert generated by fabric-ca always be elliptic? I'm writing some validation code, and I want to know if I should "assume" the keys to be in some format or another.

nasht00 (Wed, 06 Feb 2019 09:30:01 GMT):
Also, if that's the case, is it because of fabric-ca or because of requirements from fabric?

GuillaumeCisco (Wed, 06 Feb 2019 09:30:44 GMT):
You can change the way the keys are produced from config

nasht00 (Wed, 06 Feb 2019 09:32:40 GMT):
So fabric / fabric-ca will support *any* type of keys? What drives the requirements?

silliman (Wed, 06 Feb 2019 09:58:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zrvgWcpJdrHeQ2GL5) @nasht00 Hyperledger Fabric manages identities through the Membership Service Provider (MSP) interface, so, in theory, you could support any type of key by implementing the interface to support the type of key you desire to support. As you state that you are no expert in cryptography, you may not wish to do that. In reality, the Hyperledger Fabric Certificate Authority (CA) can generate X509 credentials using the Elliptic Curve Digital Signature Algorithm (ECDSA) and it can generate Idemix credentials. You may find reading the Fabric CA User's Guide beneficial at https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html and I will post here just one brief snippet from that document that will tell you what the project provides you today: ``` Note that Hyperledger Fabric will support clients/users to sign transactions with both X509 and Idemix credentials, but will only support X509 credentials for peer and orderer identities. As before, applications can use a Fabric SDK to send requests to the Fabric CA server. SDKs hide the complexity associated with creating authorization header and request payload, and with processing the response. ```

GuillaumeCisco (Wed, 06 Feb 2019 10:13:18 GMT):
Using fabric-sdk-py, I'd like to know how the tlsca cert in the fixtures test has been generated? https://github.com/hyperledger/fabric-sdk-py/blob/master/test/fixtures/e2e_cli/crypto-config/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem I try to generate one myself for query transaction with the fabric-sdk-py, without success

KartikChauhan (Wed, 06 Feb 2019 10:21:29 GMT):
Can `peer channel fetch oldest` and `peer channel fetch config` result in different content?

KartikChauhan (Wed, 06 Feb 2019 10:21:29 GMT):
Can `peer channel fetch oldest` and `peer channel fetch config` ever result in different content?

ooharawork (Wed, 06 Feb 2019 10:47:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=m54pdruyuCsBx9kMM) @KartikChauhan If you mean that the results of those two commands may differ, the answer is yes. As you know, the former fetches the first block, while the latter fetches the latest configuration block. Initially, they will produce the identical file. However, as configuration blocks can be updated using `peer channel update`, the result of `peer channel fetch config` will change over time.

KartikChauhan (Wed, 06 Feb 2019 10:50:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oGPCCzHWYNQ2DW4TB) @ooharawork oh yes, I completely forgot about `peer channel update` scenario. Thanks for answering.

nasht00 (Wed, 06 Feb 2019 11:11:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FFJqCy37Z9MGguxTM) @silliman Thanks. I indeed do not want to implement my own interface. But I want to know what kind of keys will come in (I need to do some pre-validation). If we stick to the default MSP, does it mean that all X509 will be ECDSA? Or is it purely dependent on the CA? Meaning will the default MSP accept X509 that are anything else than ECDSA?

silliman (Wed, 06 Feb 2019 11:32:56 GMT):
The x509 keys supported by the default MSP must use ECDSA. @nasht00 [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=admQohMacYAiYDgWG)

thgoutham (Thu, 07 Feb 2019 05:01:16 GMT):
Has joined the channel.

thgoutham (Thu, 07 Feb 2019 05:01:57 GMT):
I have installed the fabric-client node modules in my project. There is a typescript index file in the node_module but when I try to access the exported members in the code I am getting a few errors similar to `[ts] Cannot find name 'Client'. [2304]`. This error appears for other fabric-client properties like `Channel` and `User` as well. I would be grateful if anyone could help me fix this. Thanks!

Legiit (Thu, 07 Feb 2019 07:32:55 GMT):
I don't really understand how you can replace the cryptogen tool with the fabric CA. In the example there are still certificates from 1 single source mounted to the peers etc.. What's the use of the CA when you still get the certs from a central folder? https://github.com/hyperledger/fabric-test/blob/master/fca-sample/docker-compose.yml#L168

Legiit (Thu, 07 Feb 2019 07:33:22 GMT):
I don't see how I could have a basic-network and use it with a fabric CA, without the use of the cryptogen tool for the certificates

Legiit (Thu, 07 Feb 2019 07:34:14 GMT):
It's not very clear to me how the network on the fabric-test repo is different from the byfn and how one could have a basic network and transform it to a basic-network with the use of a CA

Legiit (Thu, 07 Feb 2019 08:14:53 GMT):
and do you still have to use configtxgen? Or does the fabric-ca replace this as well?

basantanickal (Thu, 07 Feb 2019 09:43:40 GMT):
Hi, can anyone tell me how is the hash value used to name the keyfile corresponding to a certain certificate calculated?

npc0405 (Thu, 07 Feb 2019 09:47:42 GMT):
When I do `go get -u github.com/hyperledger/fabric-ca/cmd/...` I am getting errors that it's not able to get it in the repo and then it fails. How do I install fabric-ca-client

npc0405 (Thu, 07 Feb 2019 09:47:58 GMT):
?

mastersingh24 (Thu, 07 Feb 2019 09:59:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Gn5ZmYYZZyKqNLXeW) @npc0405 You can download binaries from https://nexus.hyperledger.org/content/repositories/releases/org/hyperledger/fabric-ca/hyperledger-fabric-ca/ - just find the link for version and OS

basantanickal (Thu, 07 Feb 2019 11:30:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LnJg25pes6NuHuLjg) Actually when I have multiple certificate-key, I want to establish relationship between them, so I am asking this question. Or is there any other way to establish the relationship?

DeepakDahiya (Thu, 07 Feb 2019 13:07:44 GMT):
Has joined the channel.

vtech (Thu, 07 Feb 2019 13:19:46 GMT):
Hi All, is there any example to use Idemix with private data collection ?

dave.enyeart (Thu, 07 Feb 2019 14:22:07 GMT):
@vtech They are orthogonal... Idemix provides client anonymity, private data ensures confidential data is not distributed to all peers in the network. You can apply both concepts independently in your solution.

Jonra1993 (Thu, 07 Feb 2019 14:31:52 GMT):
Has joined the channel.

xiven (Thu, 07 Feb 2019 15:10:23 GMT):
I'm running haproxy with 2 fabric ca instances on docker. I'm able to register users but after registering it's throwing this error in my main console: `Error: Calling register endpoint failed, CONNECTION Timeout` When I check the logs of the haproxy and fabric ca containers there are no errors. Any idea what could be causing this?

GuillaumeCisco (Thu, 07 Feb 2019 16:18:27 GMT):
I'd like to know the differences between the certs generated by the cryptogen tool and the ones generated with fabric-ca with register and reenroll. Is there documentation about that? Thank you,

GuillaumeCisco (Thu, 07 Feb 2019 16:20:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2xiFbHGonWnKLeeqv) @Legiit It is done there: https://github.com/hyperledger/fabric-test/blob/master/fca-sample/scripts/setup-fabric.sh When enrolling and registering

Antimttr (Thu, 07 Feb 2019 16:21:04 GMT):
Has joined the channel.

Antimttr (Thu, 07 Feb 2019 16:21:51 GMT):
anyone dug deep into the balance-transfer code's use of fabric-ca? I was wondering if the secret generated upon user registration can be used to renew the JWT token after it expires?

Antimttr (Thu, 07 Feb 2019 16:22:00 GMT):
there doesn't seem to be an api call to do so but perhaps I could write one

GuillaumeCisco (Thu, 07 Feb 2019 16:35:22 GMT):
@Antimttr are you talking about the reenroll method?

Antimttr (Thu, 07 Feb 2019 16:35:40 GMT):
yes, I'm looking at the getRegisteredUsers() method

Antimttr (Thu, 07 Feb 2019 16:35:53 GMT):
it grabs a secret when it registers a user

Antimttr (Thu, 07 Feb 2019 16:36:05 GMT):
but then after it enrolls the user it basically just throws the secret away,

Antimttr (Thu, 07 Feb 2019 16:36:19 GMT):
I'm theorizing that if you grab that secret you can use it to re-enroll at a later time?

GuillaumeCisco (Thu, 07 Feb 2019 16:36:30 GMT):
In my memory, you do not need the secret for reenrolling

Antimttr (Thu, 07 Feb 2019 16:36:31 GMT):
like say, after the current enrollment's jwt token expires?

Antimttr (Thu, 07 Feb 2019 16:37:03 GMT):
balance-transfer doesn't seem to have anything that uses the reenrollment process,

Antimttr (Thu, 07 Feb 2019 16:37:44 GMT):
is the idea of the re-enrollment that it can refresh the jwt token after it expires?

Antimttr (Thu, 07 Feb 2019 16:38:24 GMT):
the library doc says it can be used `Re-enroll the member in cases such as the existing enrollment certificate is about to expire, or it has been compromised `

Antimttr (Thu, 07 Feb 2019 16:38:40 GMT):
that makes it seem like it can only be used before the jwt token expires

GuillaumeCisco (Thu, 07 Feb 2019 16:38:48 GMT):
you need the cert of the user to reenroll it

Antimttr (Thu, 07 Feb 2019 16:39:27 GMT):
and by cert, you mean the jwt token? or do you mean the actual cert in the key store that was created when the user was registered?

GuillaumeCisco (Thu, 07 Feb 2019 16:39:33 GMT):
and its private key

GuillaumeCisco (Thu, 07 Feb 2019 16:39:46 GMT):
the pem cert

GuillaumeCisco (Thu, 07 Feb 2019 16:40:01 GMT):
these are too files

GuillaumeCisco (Thu, 07 Feb 2019 16:40:01 GMT):
these are two files

GuillaumeCisco (Thu, 07 Feb 2019 16:40:19 GMT):
the secret is not needed, the secret is only needed for enrolling and getting the cert and the private key

GuillaumeCisco (Thu, 07 Feb 2019 16:41:01 GMT):
for reenrolling, you need the cert and the private kay provided from an old enrol

GuillaumeCisco (Thu, 07 Feb 2019 16:41:01 GMT):
for reenrolling, you need the cert and the private key provided from an old enrol

Antimttr (Thu, 07 Feb 2019 16:41:13 GMT):
ok that makes sense

Antimttr (Thu, 07 Feb 2019 16:41:21 GMT):
so for like a user authentication scenario

Antimttr (Thu, 07 Feb 2019 16:42:03 GMT):
I could use the authentication mechanism in the website, and if the user is bound to a particular user id in the fabric-ca then I could have it use the cert and the private key from the registration

Antimttr (Thu, 07 Feb 2019 16:43:10 GMT):
so basically my website would act as an authenticator, and bind a particular user account on the website to a set of cert and private key after the user registers for a hyperledger account

Antimttr (Thu, 07 Feb 2019 16:44:45 GMT):
and what I'd need to do is, at the time of user registration/enrollment, grab the location of the cert and the private key and store that location in the user account record table of the website

Antimttr (Thu, 07 Feb 2019 16:46:09 GMT):
so user logs into gateway with u/p, then hits the "login to hyperledger" button on the website which would re-enroll the user and then the user would be issued a new valid jwt token

Antimttr (Thu, 07 Feb 2019 16:48:53 GMT):
right now with the default balance-transfer routines I get this back when I enroll a user: `{"success":true,"secret":"","message":"Barry enrolled Successfully","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDk1MDY5MDAsInVzZXJuYW1lIjoiQmFycnkiLCJvcmdOYW1lIjoiT3JnMiIsImlhdCI6MTU0OTQ3MDkwMH0.DVtUCVFUQol_JdVSvRPRyV9vsECwK8IIJoSHSGXiXtw"}`

Antimttr (Thu, 07 Feb 2019 16:48:59 GMT):
(token already expired)

Antimttr (Thu, 07 Feb 2019 16:49:28 GMT):
so in that I'd also need to include some info about his private key and cert

Antimttr (Thu, 07 Feb 2019 16:50:09 GMT):
so the website can store that info in its database (or another keystore)

Antimttr (Thu, 07 Feb 2019 16:52:43 GMT):
@GuillaumeCisco does that make sense to you as a valid authentication scenario?

GuillaumeCisco (Thu, 07 Feb 2019 17:02:14 GMT):
be sure to read what balance-transfer does, especially the token part

GuillaumeCisco (Thu, 07 Feb 2019 17:02:32 GMT):
I do not know this example, so I cannot confirm it for you

GuillaumeCisco (Thu, 07 Feb 2019 17:05:01 GMT):
Furthermore, an empty secret should not be allowed according to the specs

Antimttr (Thu, 07 Feb 2019 17:11:03 GMT):
ahh yeah, that's the default code, I haven't changed anything yet

Antimttr (Thu, 07 Feb 2019 17:11:32 GMT):
I do see that they set a secret in code, but as I said, they just discard the secret, afaict

plato (Thu, 07 Feb 2019 18:10:26 GMT):
Has joined the channel.

gravity (Thu, 07 Feb 2019 19:40:39 GMT):
hi all, what will happen if I run `fabric-ca-server init` for the second time when I have the ca db initialized? Will it drop the database? Thanks in advance

skarim (Thu, 07 Feb 2019 22:13:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WmQ2wcvcbyWvQGhZc) @gravity It will not drop the database. All your data will remain. If you have updated your server config with any new identities, they will get added to the database.

vtech (Fri, 08 Feb 2019 05:02:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oDtqkiDCKXSHQ57HT) @dave.enyeart Thanks, I need some more clarification regarding independently orthogonal.. does this mean at a same time I can implement only one of the feature in the same scenario?

vtech (Fri, 08 Feb 2019 05:02:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oDtqkiDCKXSHQ57HT) @dave.enyeart Thanks, I need some more clarification regarding "independently orthogonal".. does this mean that at the same time I can implement only one of the features in the same scenario? I mean, can we use both functionalities in the same transaction?

Legiit (Fri, 08 Feb 2019 07:40:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9ASnAnP4xLZF6fuCA) cryptogen is not meant for production, as you have all certs in 1 location and you have to move them over. With the fabric-ca it never leaves its container, which is much more secure

GuillaumeCisco (Fri, 08 Feb 2019 17:40:23 GMT):
Thanks @Legiit, I've dug a lot in this code to understand it. I've been able to debug myself.

GuillaumeCisco (Fri, 08 Feb 2019 17:41:14 GMT):
quick question, do we have documentation about `clientAuthRequired` ? I have `SSLV3_ALERT_BAD_CERTIFICATE` erorrs when I activate it

GuillaumeCisco (Fri, 08 Feb 2019 17:41:14 GMT):
quick question, do we have documentation about `clientAuthRequired` ? I have `SSLV3_ALERT_BAD_CERTIFICATE` errors when I activate it

skarim (Fri, 08 Feb 2019 17:43:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=26YqaWMAKdBo4kTHa) @GuillaumeCisco `clientAuthRequired` pretty much means that the server will verify the client's certificate when using TLS. It seems like the certificate you are using on the server to validate the client certificate is rejecting it

hexiaohu (Sat, 09 Feb 2019 10:18:00 GMT):
Has joined the channel.

basantanickal (Sat, 09 Feb 2019 12:37:24 GMT):
Hi all, i have setup an MSP with a root CA, an intermediate CA per organization where the peers and orderers in an organization get themselves registered with the intermediate CA. I have setup five organizations in total, out of them one organization has the orderer setup. Now, for creating the genesis block, I collected the admin certificates, the root certificates and the intermediate certificates in respective folders under a root MSP folder for each organization (I didn't collect any keys). Now I have set the root MSP folder path for each organization in configtx.yaml pointing to the respective org msp folder that I have collected from across organizations. I ran configtxgen and used the block to start my orderer. Now, the orderer is unable to verify the intermediate CA certificate. Is there any problem in my approach to initialize the block or orderer in general?

malak (Sun, 10 Feb 2019 14:43:41 GMT):
Has joined the channel.

basantanickal (Mon, 11 Feb 2019 04:26:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KWtwgGydZWfANbv88) Thank you all, I found out what I was doing wrong. I was not collecting the TLS certificates ( as my network is TLS enabled) and so I was getting errors while starting the orderer.

Legiit (Mon, 11 Feb 2019 08:41:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6762ovM5yANbbNRc7) did you manage to get it working with only the CA?

GuillaumeCisco (Mon, 11 Feb 2019 09:14:11 GMT):
Yes @Legiit

GuillaumeCisco (Mon, 11 Feb 2019 09:15:02 GMT):
After one week of huge pain. Found a bug in grpc. Created a custom version of cryptogen binary. Created my own certificates. I finally understood

Legiit (Mon, 11 Feb 2019 09:21:44 GMT):
isn't the point of the CA to completely remove the need for the cryptogen binary

mtng (Mon, 11 Feb 2019 09:46:24 GMT):
Has joined the channel.

GuillaumeCisco (Mon, 11 Feb 2019 10:46:16 GMT):
yes. But to understand why it was working without fabric-ca, I needed to understand the cryptogen tool. Now I have the right fabric-ca configuration

Legiit (Mon, 11 Feb 2019 10:48:47 GMT):
could you share some info on how to get a network up with the fabric-ca only?

Legiit (Mon, 11 Feb 2019 10:48:47 GMT):
could you share some pointers/guidances on how to get a network up with the fabric-ca only? @GuillaumeCisco

sureshtedla (Mon, 11 Feb 2019 13:14:06 GMT):
@GuillaumeCisco A non-blockchain application needs to use a .pem file to interact with a hyperledger application, right?

GuillaumeCisco (Mon, 11 Feb 2019 13:16:04 GMT):
We used the one in the fabric-ca examples at first. Then we made our own configurations. We translated all the bash code into python for more clarity and maintainability. We had a lot of issues with the certificates, understanding how it works, and the parallel with the ones created with cryptogen. We ended up reading the code of cryptogen and the one from fabric-ca. We also removed the intermediate CA as they are not necessary in our setup. We also use the config files a lot. We have our own generated version of core.yaml, fabric-ca-client-config.yaml, fabric-ca-server-config.yaml, orderer.yaml. And our own derived fabric-ca docker images. This is a very complex config. You can find my discoveries about how I managed to make our network work in the #fabric-sdk-py channel. My team and I are working full time right now on the fabric-sdk-py SDK.

GuillaumeCisco (Mon, 11 Feb 2019 13:16:34 GMT):
I don't know @sureshtedla , what do you mean about non blockchain applications?

sureshtedla (Mon, 11 Feb 2019 13:17:32 GMT):
I am integrating b2b sterling tool with hyperledger

sureshtedla (Mon, 11 Feb 2019 13:17:32 GMT):
I am integrating b2b sterling tool with hyperledger @GuillaumeCisco

GuillaumeCisco (Mon, 11 Feb 2019 13:17:42 GMT):
@Legiit We will open source later this year tools for correctly generating a network that works with fabric-ca and hyperledger explorer. Right now we still have a lot of spaghetti code we are cleaning

GuillaumeCisco (Mon, 11 Feb 2019 13:17:58 GMT):
I don't know @sureshtedla, I'm sorry

sureshtedla (Mon, 11 Feb 2019 13:18:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RciyYpGY3Lh6nvsSr) @GuillaumeCisco Ok

Legiit (Mon, 11 Feb 2019 13:39:09 GMT):
Alright, and are you able to "mass-enroll" users? If we register more than 20 users at once, the fabric-ca times out (using the Node SDK) @GuillaumeCisco

GuillaumeCisco (Mon, 11 Feb 2019 13:41:16 GMT):
Interesting @Legiit I've never tested it. When you say `mass-enroll` do you mean a bulk create or a for loop with 20 iterations?

Legiit (Mon, 11 Feb 2019 13:47:35 GMT):
In our use case there is the possibility that we have to enroll a lot of people in bulk, yes (50 at least), but the register/enroll function from the SDK returns a timeout after a certain number of calls.

GuillaumeCisco (Mon, 11 Feb 2019 13:49:48 GMT):
I did not see a way to enroll in bulk in the SDK specifications

GuillaumeCisco (Mon, 11 Feb 2019 13:50:02 GMT):
can you provide some code?

Legiit (Mon, 11 Feb 2019 13:52:04 GMT):
Oh yeah, by that I mean a for-loop indeed @GuillaumeCisco sorry for the misunderstanding :P

Legiit (Mon, 11 Feb 2019 13:52:55 GMT):
Well actually it's called through an API endpoint in our case

Legiit (Mon, 11 Feb 2019 13:53:02 GMT):
but a forEach* should do the trick aswell

GuillaumeCisco (Mon, 11 Feb 2019 13:58:06 GMT):
I will test with our fabric-sdk-python

Legiit (Mon, 11 Feb 2019 14:45:16 GMT):
```js
// range() and register() are the application's own helpers
const arr = range(200);
arr.map(async (temp, index) => {
  console.log("begin", index);
  const user = await register({
    username: `user${index}`,
    role: "pleb",
    affiliation: "org1.department1"
  });
  console.log("end");
});
```
That's an example snippet @GuillaumeCisco

Legiit (Mon, 11 Feb 2019 14:45:33 GMT):
register includes the fabricCa.register and enroll call

Legiit (Mon, 11 Feb 2019 14:45:37 GMT):
it's abstracted

bricakeld (Mon, 11 Feb 2019 15:17:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HGNJEQ59M6mLTeXcK) @GuillaumeCisco Hi, may I ask if you managed to add an org to a channel using only fabric-ca? The guide provided in the Hyperledger tutorial to add an org is still using cryptogen only. Or perhaps you have any tips on how to go about adding an org with only fabric-ca?

GuillaumeCisco (Mon, 11 Feb 2019 15:37:34 GMT):
I don't understand your question. You only manage users with fabric-ca, no orgs.

GuillaumeCisco (Mon, 11 Feb 2019 16:20:36 GMT):
https://media.readthedocs.org/pdf/hyperledger-fabric-ca/latest/hyperledger-fabric-ca.pdf

bricakeld (Tue, 12 Feb 2019 02:51:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NFZRic9B9HEjKjdoM) @GuillaumeCisco it's okay, i got it figured out already, thanks!

waxer (Tue, 12 Feb 2019 03:43:02 GMT):
Why if I enroll twice, another private key is generated? If I continue to enroll again and again it will keep generating private keys and still keep a single pem in signcerts. Why not keep the last private key since only the last pem is kept?

waxer (Tue, 12 Feb 2019 03:43:09 GMT):
Am I missing something?

SatoshiNishishita (Tue, 12 Feb 2019 04:57:26 GMT):
Has joined the channel.

ahatolkar-grepruby (Tue, 12 Feb 2019 07:43:50 GMT):
Has joined the channel.

GuillaumeCisco (Tue, 12 Feb 2019 08:19:34 GMT):
You are right @waxer . I do not know if we can still reuse the old private keys.

GuillaumeCisco (Tue, 12 Feb 2019 10:18:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XBmJwCtAwq8FwmxQH) @Legiit I've just tested to register 200 users with fabric-ca. It worked without timeout.

SunilHirole (Tue, 12 Feb 2019 11:30:05 GMT):
Has joined the channel.

Legiit (Tue, 12 Feb 2019 11:37:40 GMT):
this is our register function
```js
const register = async (user, secret = null) => {
  if (!secret) {
    logger.info("Creating secret");
    secret = await fabricCaClient
      .register(
        {
          role: user.role,
          enrollmentID: user.username,
          affiliation: user.affiliation,
          attrs: []
        },
        adminUser
      )
      .catch(err => Promise.reject(new Error(`Failed to register: ${err}`)));
  }

  logger.info("Enrolling user on the fabric network");
  // Enroll the user
  const enrollment = await fabricCaClient
    .enroll({ enrollmentID: user.username, enrollmentSecret: secret })
    .catch(err => Promise.reject(new Error(`Failed to enroll: ${err}`)));

  // Create the user
  const finalUser = await fabricClient.createUser({
    username: user.username,
    mspid: ORG_MSP,
    cryptoContent: {
      privateKeyPEM: enrollment.key.toBytes(),
      signedCertPEM: enrollment.certificate
    },
    skipPersistence: false
  });

  logger.info("User was successfully enrolled on the fabric network!");
  return Object.assign({}, finalUser, {
    signedCertPEM: enrollment.certificate,
    privateKeyPEM: enrollment.key.toBytes()
  });
};
```
If I execute the snippet I shared here, which calls this function, I do get the timeout :sweat_smile:

Legiit (Tue, 12 Feb 2019 11:37:56 GMT):
not sure what the cause of it is then @GuillaumeCisco

SethiSaab (Tue, 12 Feb 2019 14:04:24 GMT):
Hi all... I have configured 2 intermediate CAs through the root CA and created 2 bootstrap identities for my intermediate servers

SethiSaab (Tue, 12 Feb 2019 14:04:52 GMT):
but when I am trying to register a new identity, I am getting this error: 2019/02/12 19:33:46 [INFO] 127.0.0.1:48536 POST /register 401 26 "Untrusted certificate: Failed to verify certificate: x509: certificate signed by unknown authority

SethiSaab (Tue, 12 Feb 2019 14:05:45 GMT):
my root ca is running on 7054, intermediate servers are running on 8054,9054

GuillaumeCisco (Tue, 12 Feb 2019 14:12:28 GMT):
You know, you can register a user without passing a password. I don't understand your first `if`. Also I don't see the point of doing the last Object.assign. By the way, I use fabric-sdk-py, not fabric-sdk-node.

GuillaumeCisco (Tue, 12 Feb 2019 14:22:11 GMT):
@SethiSaab Maybe your certificates do not reflect the correct CN (Common Name). You can check your certificates with `openssl x509 -text -noout -in path_to_my_cert.pem`

GuillaumeCisco (Tue, 12 Feb 2019 14:23:21 GMT):
You should also look at the logs of the root certificate authority server: `docker logs -f rca.example.com`; replace `rca.example.com` with the hostname of your RCA server.

SethiSaab (Tue, 12 Feb 2019 14:24:45 GMT):
ok @GuillaumeCisco thanks

SethiSaab (Tue, 12 Feb 2019 14:24:50 GMT):
let me see this

pchochu (Tue, 12 Feb 2019 16:21:21 GMT):
Has joined the channel.

Legiit (Wed, 13 Feb 2019 08:37:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EanCm37DErrC8by8D) So you don't register at all, and keep the enrollmentSecret blank? Also, the register is needed for the additional attributes.

SunilHirole (Wed, 13 Feb 2019 13:28:38 GMT):
Hello people, does anyone know why the fabric-ca example has been removed from fabric-samples, and now that it is removed, where I can find the fabric-ca example? https://github.com/hyperledger/fabric-samples/commit/461b6abcd6fc3ee779913b6f881a2bc5a8629948

Kelvin_Moutet (Wed, 13 Feb 2019 13:58:49 GMT):
@SunilHirole You can ask to @mastersingh24 :)

GuillaumeCisco (Wed, 13 Feb 2019 13:59:43 GMT):
@Legiit Yes, we register. But in your code, the thing you're misunderstanding is that you're passing a secret, not using it, and then getting a randomly generated secret...

GuillaumeCisco (Wed, 13 Feb 2019 14:00:18 GMT):
@SunilHirole https://github.com/hyperledger/fabric-test/tree/master/fca-sample

glennd (Wed, 13 Feb 2019 14:01:16 GMT):
Has joined the channel.

Legiit (Thu, 14 Feb 2019 07:45:14 GMT):
only the admin has a predefined secret, for all other users we don't pass a secret, but use the secret from the register function, this is however not related to our async issue, which still remains

Legiit (Thu, 14 Feb 2019 08:53:28 GMT):
Having a network with a CA looks like the following: 1. Start the CA 2. Enroll the peers/orderers etc. 3. Mount the retrieved certificates 4. Start the peers/orderers etc. Is that how it's done?

GuillaumeCisco (Thu, 14 Feb 2019 13:50:51 GMT):
yes

lucasrol (Thu, 14 Feb 2019 22:01:23 GMT):
Has joined the channel.

krabradosty (Fri, 15 Feb 2019 14:46:54 GMT):
Hello. Which attributes should an identity have to be able to start a "full permissions" intermediate CA that works as the main CA of an organization? Of course this identity is not allowed to do anything in the root CA. It seems that `hf.IntermediateCA` is not enough.

varunagarwal (Fri, 15 Feb 2019 17:32:10 GMT):
Hi, I am trying to use `fabric-ca-client` and am a bit confused. https://github.com/hyperledger/fabric-samples/blob/release-1.4/fabcar/javascript-low-level/enrollAdmin.js#L46-L70 https://github.com/hyperledger/fabric-samples/blob/release-1.4/fabcar/javascript-low-level/registerUser.js#L56-L70 As per these two docs, if I enroll and create a user it becomes an admin, whereas if I register, enroll and then create, the user is not an admin? Is this correct? I am unable to find an API reference doc for https://www.npmjs.com/package/fabric-ca-client

npc0405 (Sat, 16 Feb 2019 17:04:39 GMT):
I want to use an external CA for an HL network. Can anybody refer me to a reference link for the steps? Appreciate the help :)

mastersingh24 (Sun, 17 Feb 2019 13:18:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TS8Ngw4aA2Wa2TxWX) @npc0405 What do you mean by "external"? Not the Fabric CA?

ClaudioTesei (Sun, 17 Feb 2019 19:29:33 GMT):
Has joined the channel.

ClaudioTesei (Sun, 17 Feb 2019 19:33:11 GMT):
Hello. I am trying to get the TLS cert and key from fabric-ca when I enroll the client. The fabric-ca-server is running with TLS, then I use the client with this command: `fabric-ca-client enroll -d --enrollment.profile tls --tls.certfiles /root/fabric-samples/mytest/tls-cert.pem -u https://admin:adminpw@localhost:7054 -M ./tmp/tls`

ClaudioTesei (Sun, 17 Feb 2019 19:34:13 GMT):
Inside the tls folder I can then find the tlscacerts folder with a .pem file.

ClaudioTesei (Sun, 17 Feb 2019 19:34:58 GMT):
From that, how can I generate the key and cert to pass to the peer to enable TLS?

GuillaumeCisco (Sun, 17 Feb 2019 21:41:47 GMT):
The cert is in the signcerts folder, and the private key in the keystore folder.

ClaudioTesei (Sun, 17 Feb 2019 23:20:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZY8W6P4WXTvFyXxpY) @GuillaumeCisco Thanks a lot

nasht00 (Mon, 18 Feb 2019 12:53:15 GMT):
Hello, I am looking at FabricCAClient.register (https://fabric-sdk-node.github.io/release-1.4/FabricCAClient.html#register__anchor). Does the `role` argument have special meaning? Or is it a free string to be used as I please in my chaincode? Is there a predefined list of supported roles?

mastersingh24 (Mon, 18 Feb 2019 14:15:09 GMT):
@nasht00 - If you choose to use policies based on "identity classification" (see https://hyperledger-fabric.readthedocs.io/en/release-1.4/msp.html#identity-classification ), roles are a handy way to set the OUs (since certs will be created with OU=role; e.g. OU=peer, OU=client, etc)

mastersingh24 (Mon, 18 Feb 2019 14:18:16 GMT):
In order to register an ID with roles, you must set the `hf.Registrar.Roles` for any user who will register other users and only roles in that list are permitted

nasht00 (Mon, 18 Feb 2019 14:19:19 GMT):
It seems like I need to choose whether we want to support "Organizational Units" or "Identity Classification". It can't be both, right? Since they both use the "OU" field of the certificate?

mastersingh24 (Mon, 18 Feb 2019 14:20:47 GMT):
You also end up with `OU=affiliation` as well ... so technically you can do both

mastersingh24 (Mon, 18 Feb 2019 14:21:45 GMT):
Use the affiliation to distinguish based on `Organizational Units` and use roles for `Identity Classification`

nasht00 (Mon, 18 Feb 2019 14:22:24 GMT):
aha ok. Thanks I'll play with it

ChinmayIngle (Mon, 18 Feb 2019 15:19:44 GMT):
Has joined the channel.

loneimmortal (Mon, 18 Feb 2019 17:27:45 GMT):
Has joined the channel.

hexiaohu (Tue, 19 Feb 2019 02:15:36 GMT):
Hello Fabric experts, is there any BCCSP (BlockChain Crypto Service Provider) design document that can be used as a reference? Thanks.

npc0405 (Tue, 19 Feb 2019 03:52:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=s4noHhTjCqGeLEktQ) @mastersingh24 The server can be Fabric CA, but with the root CA certificate from an external vendor

npc0405 (Tue, 19 Feb 2019 06:56:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=omQukhvhQkfbF8MA5) @GuillaumeCisco Is there a steps document to refer to?

GuillaumeCisco (Tue, 19 Feb 2019 08:40:34 GMT):
@npc0405 You can check the fabric ca samples code. https://github.com/hyperledger/fabric-test/tree/master/fca-sample Looking at the script part

npc0405 (Tue, 19 Feb 2019 09:40:19 GMT):
Thanks @GuillaumeCisco

BellaAdams (Tue, 19 Feb 2019 10:29:27 GMT):
Can I add users to an org dynamically?

mastersingh24 (Tue, 19 Feb 2019 11:07:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sXrFjQ6c22GWAs2uW) @BellaAdams You can register users with the Fabric CA at anytime

bh4rtp (Tue, 19 Feb 2019 12:04:25 GMT):
hi, how to build fabric-ca release-1.4 docker image with support of softhsm2?

sureshtedla (Wed, 20 Feb 2019 10:08:33 GMT):
@mastersingh24 If a Buyer wants to see Shipper details, the Buyer sends a request to the Shipper; if the Shipper accepts the Buyer's request, the Buyer can see the Shipper's details. Is this type of permission allowed in Hyperledger Fabric?

npc0405 (Wed, 20 Feb 2019 13:38:14 GMT):
@GuillaumeCisco @mastersingh24 I was able to replace certificates for the orderer in first-network, but when I try to replace certificates for the peers, it throws an error

GuillaumeCisco (Wed, 20 Feb 2019 13:38:58 GMT):
`replace`?

npc0405 (Wed, 20 Feb 2019 13:39:06 GMT):
` deduplicate -> ERRO 20c Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0` These are logs of orderer.example.com

npc0405 (Wed, 20 Feb 2019 13:39:45 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8YEDoQHDXJDMk6SXh) @GuillaumeCisco generated with openssl and replaced root certificate to issue further certs

npc0405 (Wed, 20 Feb 2019 13:45:19 GMT):
Any thought?

GuillaumeCisco (Wed, 20 Feb 2019 14:37:43 GMT):
your certs should have been generated by fabric-ca

skarim (Wed, 20 Feb 2019 14:46:52 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=X6kjxew2Tsx6vmCr2) @npc0405 This error happens when you are using a certificate that is not signed by the MSP configured in the genesis block for this organization. How were these new certificates issued? Do they have a different trusted root certificate than the one configured currently?

hantorr (Wed, 20 Feb 2019 15:46:18 GMT):
Has joined the channel.

hantorr (Wed, 20 Feb 2019 15:46:39 GMT):
Hello, I'm new to this project. I have a problem connecting to the source database in MySQL; I have the configuration in the Hyperledger CA, but it generates this message: [ERROR] Error occurred initializing database: Failed to create user registry for MySQL: Failed to connect to MySQL database: driver: bad connection. Do you know why this message appears?

skarim (Wed, 20 Feb 2019 15:55:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ekcz7sCdxQKAxnTwc) @hantorr What does your connection string look like? Is the MySQL server running? Is the MySQL server on the same host as your CA server? If not, are you able to ping the database from the CA server's host machine?

braduf (Wed, 20 Feb 2019 15:56:33 GMT):
Has joined the channel.

hantorr (Wed, 20 Feb 2019 16:06:12 GMT):
Thanks for the response. What does your connection string look like? Is the MySQL server running? root:database@tcp(172.17.0.2:33060)/fabric_ca?parseTime=true&tls=false Is the MySQL server on the same host as your CA server? MySQL version 8.0 and it is running in Docker. If not, are you able to ping the database from the CA server's host machine? I can access the database from the local machine.

skarim (Wed, 20 Feb 2019 16:10:06 GMT):
@hantorr My first guess is that the CA's docker container is not able to resolve the 172.17.0.2 IP address. Try using the name of the MySQL docker container in your connection string instead of the IP address

npc0405 (Wed, 20 Feb 2019 16:20:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Rf3wyYehFuJmNWNiD) @skarim I have created the channel artifacts after all required certificates were placed in their respective folders. Yes, all certs are issued with a different root CA.

hantorr (Wed, 20 Feb 2019 16:47:36 GMT):
So I changed the connection string to: root:database@mysql1:33060/fabric_ca?parseTime=true&tls=false

hantorr (Wed, 20 Feb 2019 16:48:04 GMT):
but I get this new message: Error occurred initializing database: Failed to create user registry for MySQL: Failed to connect to MySQL database: default addr for network 'mysql1:33060' unknown

hantorr (Wed, 20 Feb 2019 16:48:31 GMT):
It doesn't resolve this connection.

hantorr (Wed, 20 Feb 2019 16:48:38 GMT):
Any idea?

skarim (Wed, 20 Feb 2019 16:56:35 GMT):
@hantorr Not off the top of my head. The next thing would be to look at the mysql logs from the `bad connection` run and see if there is anything helpful in there. BTW, what MySQL version are you using?

skarim (Wed, 20 Feb 2019 16:57:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yQZK4JvdpKfxzLnNE) @npc0405 When does this error happen? Are you doing a chaincode install or instantiate?

mastersingh24 (Wed, 20 Feb 2019 16:57:29 GMT):
@hantorr - I think you want to use/expose port `3306` rather than `33060`

mastersingh24 (Wed, 20 Feb 2019 16:57:49 GMT):
`33060` is for the MySQL X protocol

hantorr (Wed, 20 Feb 2019 17:07:55 GMT):
No, same message.

hantorr (Wed, 20 Feb 2019 17:11:20 GMT):
I need to configure the connection on: root:database@tcp(172.17.0.2:33060)/fabric_ca?parseTime=true&tls=false

hantorr (Wed, 20 Feb 2019 17:13:08 GMT):
but with the Docker container name, and I don't know how to make that configuration, because when I bring up docker-compose for the CA I get this message while loading the CA: fabric-root-ca-fa | 2019/02/20 17:05:54 [ERROR] Error occurred initializing database: Failed to create user registry for MySQL: Failed to connect to MySQL database: default addr for network 'mysql1:3306' unknown

hantorr (Wed, 20 Feb 2019 17:13:42 GMT):
Excuse me, my English is very bad.

nyet (Wed, 20 Feb 2019 17:54:24 GMT):
Has joined the channel.

nyet (Wed, 20 Feb 2019 17:55:12 GMT):
Why does enroll with TLS put the private key in `keystore`? It makes it difficult to figure out which of those goes with the new TLS cert in `signcerts`.

nyet (Wed, 20 Feb 2019 18:16:01 GMT):
Even worse, there is no way to tell the ca-server to use a different CA to sign TLS csrs, it can ONLY use the CA cert, not a TLSCA cert.

nyet (Wed, 20 Feb 2019 18:18:06 GMT):
https://jira.hyperledger.org/projects/FABC/issues/FABC-60

nyet (Wed, 20 Feb 2019 18:19:41 GMT):
https://lists.hyperledger.org/g/fabric/topic/29938289

mastersingh24 (Wed, 20 Feb 2019 18:41:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7YhAsSk92ufZ8R98n) @nyet You can use the multi-root CA feature: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#setting-up-multiple-cas

nyet (Wed, 20 Feb 2019 18:50:18 GMT):
Yea I'm looking at that but it doubles some of my workflow, so I'm not going to do it for now.

nyet (Wed, 20 Feb 2019 18:52:24 GMT):
They will listen on the same port, you just have to specify a different CA/CN on enroll?

nyet (Wed, 20 Feb 2019 18:55:06 GMT):
Also, I'm using environment vars, not config files, so I assume they look like `_CA_CA1_` instead of `_CA_`

hantorr (Wed, 20 Feb 2019 19:26:52 GMT):
No logs were recorded in MySQL.

nfrunza (Wed, 20 Feb 2019 20:05:53 GMT):
Has joined the channel.

mastersingh24 (Wed, 20 Feb 2019 21:14:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=uJtedpyCrrotmQsSp) @hantorr Try `172.17.0.2:3306` ... seems like at least you were connecting via the IP address

mbanerjee (Thu, 21 Feb 2019 00:29:57 GMT):
Trying to start fabric-ca-server docker container with postgres running on localhost

mbanerjee (Thu, 21 Feb 2019 00:29:58 GMT):
[ERROR] Error occurred initializing database: Failed to create user registry for PostgreSQL: Failed to connect to Postgres

mbanerjee (Thu, 21 Feb 2019 00:31:05 GMT):
Any suggestions? thanks

nyet (Thu, 21 Feb 2019 00:54:28 GMT):
@mbanerjee can you ping/curl the postgres port from inside the container?

nyet (Thu, 21 Feb 2019 00:55:45 GMT):
note that docker is broken, and resolving the docker host is not always possible due to braindamage https://github.com/docker/for-linux/issues/264#issuecomment-429588648

nyet (Thu, 21 Feb 2019 00:55:59 GMT):
I've brought it up to the docker guys and they can't seem to understand why its important to anyone lol

nyet (Thu, 21 Feb 2019 00:57:05 GMT):
They want you to ONLY talk to stuff in docker also. So you'll have to run postgres inside docker, or hairpin the connection to the hosts' external ip, or send it to another external host. All of which I tried to explain to the docker guys but .. they're dense.

npc0405 (Thu, 21 Feb 2019 02:40:58 GMT):
@skarim At the very first step in byfn.sh, the create-channel step.

mbanerjee (Thu, 21 Feb 2019 07:21:43 GMT):
@nyet - curl is not working from within fabric-ca-server: Failed to connect to 127.0.0.1 port 5432: Connection refused. postgresql.conf has listen_addresses = '*' and pg_hba.conf has `host all all 0.0.0.0/0 md5` and `host all all ::/0 md5`. Any suggestions?

nyet (Thu, 21 Feb 2019 07:22:33 GMT):
127.0.0.1 is your docker container not the docker host

nyet (Thu, 21 Feb 2019 07:24:03 GMT):
resolving the IP of your docker host is tricky, as I said above

nyet (Thu, 21 Feb 2019 07:24:17 GMT):
see the three things i mentioned :)

braduf (Thu, 21 Feb 2019 22:45:40 GMT):
Hi all, I would like to know where in a ca client config file you define if it is an administrator or a regular member? Is this by OU, by type or something else? Thanks for your answers

BellaAdams (Fri, 22 Feb 2019 03:19:13 GMT):
I am using the Node.js SDK to operate Fabric CA

BellaAdams (Fri, 22 Feb 2019 03:19:44 GMT):
I need some samples to learn the usage of the Node.js SDK

BellaAdams (Fri, 22 Feb 2019 03:19:54 GMT):
Who can help me ?

mastersingh24 (Fri, 22 Feb 2019 11:43:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nccTKAbGcgqxmLay5) @BellaAdams Have you looked at the API docs? https://fabric-sdk-node.github.io/release-1.4/FabricCAClient.html It's pretty straightforward... what issues are you having? Also, it's probably best to post in the #fabric-sdk-node channel

kevinkbc (Fri, 22 Feb 2019 19:23:45 GMT):
Hi, I have a question about HSMs. Until now I have developed a POC using Docker only (locally). Now I am searching for material/tutorials about development on the cloud. I saw that some clouds offer an HSM; in this case how does the CA work? Does it connect to the HSM? Does anyone have any good links on this?

braduf (Fri, 22 Feb 2019 20:51:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ipkvimnBsczan5FZn) [ ](https://chat.hyperledger.org/channel/fabric-ca?msg=P9FpkG2avBZxN62Zo) I will reply myself because i think i figured it out and it would be nice if someone can confirm or tell me i'm wrong: An administrator is not a type or is not defined in the OU, but it is defined on every MSP level, by adding certificates in the msp folder admincerts you define the admins, it should not be defined in the certificates itself, right? Thanks!

AlexTotheroh (Fri, 22 Feb 2019 21:30:39 GMT):
Has joined the channel.

ashutosh_kumar (Fri, 22 Feb 2019 22:22:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=chWnWkQyGB8Wkc3RL) @kevinkbc Fabric CA's implementation of HSM is in colocated mode, i.e. the HSM lib should be loaded where Fabric CA runs. So, there is no concept of Cloud HSM in Fabric CA.

AlexTotheroh (Fri, 22 Feb 2019 22:49:08 GMT):
I have searched pretty extensively in this chat history and in the Fabric CA docs, but I've yet to find a comprehensive guide to integrating a third party CA into the Fabric system. We have a custom CA which we control completely. What are the steps to using it to onboard new peers, orgs, etc.? Perhaps we use our CA as the root, and then run FabricCA containers as intermediates? I am happy to assist in creating such documentation if there's a need. Thank you.

walmon (Sat, 23 Feb 2019 02:50:55 GMT):
@AlexTotheroh Did you try getting a certificate from your own CA and starting an intermediate Fabric-CA with that one? In the fabric samples the crypto materials are generated beforehand and then assigned as env vars

ashutosh_kumar (Sat, 23 Feb 2019 13:11:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2LMQbTkEJq63B5QFj) @AlexTotheroh You should look at Fabric MSP docs.

BellaAdams (Sun, 24 Feb 2019 03:04:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=bDvnzynmDTDzCf2Xf) @mastersingh24 Yes. But I find nothing about generating a PEM-encoded PKCS#10 certificate signing request in the Node.js SDK

BellaAdams (Sun, 24 Feb 2019 03:52:00 GMT):
How do I enroll a peer TLS cert using the Node.js SDK?

ashutosh_kumar (Mon, 25 Feb 2019 00:29:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QsNZE6eDKufHFZ4NK) @BellaAdams You can use openssl to create the CSR.

krabradosty (Mon, 25 Feb 2019 09:42:00 GMT):
Hello. Is there a plan to implement a search of identities by attributes in CA? Would be very useful. Or maybe you know open-source CA with this feature?

Legiit (Mon, 25 Feb 2019 10:42:33 GMT):
Can we see with what password the CA was started? I get "wrong password" when trying to enroll the admin, although I use the same password as in the startup command :sweat_smile:

Legiit (Mon, 25 Feb 2019 10:42:37 GMT):
I'd like to compare the 2 values

Legiit (Mon, 25 Feb 2019 12:46:43 GMT):
How do you register a user through the fabric-client CLI?

kevinkbc (Mon, 25 Feb 2019 12:53:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hqEq6fkd98RyAZZAw) @ashutosh_kumar I am sorry, I didn't understand what the colocated mode is.

kevinkbc (Mon, 25 Feb 2019 12:54:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hqEq6fkd98RyAZZAw) @ashutosh_kumar so the HSM handles all the authentication part and I don't need a CA? Is that correct?

ashutosh_kumar (Mon, 25 Feb 2019 14:32:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QQgLs9fKhY4HsYeAx) @kevinkbc An HSM can store the CA private key and can perform signature operations. It does not replace Fabric CA.

ashutosh_kumar (Mon, 25 Feb 2019 14:34:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jFjKt7JcsEKiJJ5xR) @kevinkbc Fabric CA cannot reach out to some cloud, say AWS, and use AWS CloudHSM, for example.

skarim (Mon, 25 Feb 2019 14:57:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wsjsBeRTXR9NFQDeh) @Legiit Fabric CA does not store the actual password, it only stores hashes of the password. There is no way to get back the actual password.

skarim (Mon, 25 Feb 2019 14:57:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XazRy9cmcNqTcCzDF) @Legiit Please see doc: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#registering-a-new-identity

skarim (Mon, 25 Feb 2019 14:58:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ybSox2s3QJWLbYMi8) @krabradosty Not currently. But, you can open up a JIRA work item to request this feature.

AlexTotheroh (Mon, 25 Feb 2019 20:08:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aJcAXRsjfanmyhRPF) @ashutosh_kumar Thank you, I think you are correct that what I needed was a better understanding of Fabric MSP. If I understand correctly, an MSP is just an abstraction away from all the crypto details and merely describes conventions for identifying and authorizing network entities. Then, one can use their own CA impl to generate crypto that follows the MSP conventions. Is that an accurate summary?

ashutosh_kumar (Mon, 25 Feb 2019 20:12:06 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=J6ttaCuXsrwiGMgfa) @AlexTotheroh Yes, that seems right.

KristijanGlibo (Mon, 25 Feb 2019 20:40:11 GMT):
Has joined the channel.

haardikkk (Tue, 26 Feb 2019 03:17:48 GMT):
Has joined the channel.

haardikkk (Tue, 26 Feb 2019 03:18:21 GMT):
Hey, I'm a bit confused around the Admin roles for CA

haardikkk (Tue, 26 Feb 2019 03:18:39 GMT):
What's the difference between the Admin ID we register when spinning up a new CA, vs creating an organization admin on it

haardikkk (Tue, 26 Feb 2019 03:18:46 GMT):
I'm following Blockchain Platform 2.0 Build a network tutorial

Legiit (Tue, 26 Feb 2019 07:45:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=C7pmTTh4ZQTtvnfFs) Is it possible that, as I am using LetsEncrypt certificates on the server, and start the CA with the crypto-config files, it doesn't accept the password I am passing through due to this mix of certificates?

Legiit (Tue, 26 Feb 2019 14:27:25 GMT):
Fixed it!

Legiit (Tue, 26 Feb 2019 14:31:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=x2r2uf5c7EjYnqEPc) Just so we know, do you use Postgres/MySQL or a cluster of CAs? We've only used 1 CA with SQLite

aleksandar.nasuovski (Tue, 26 Feb 2019 14:51:55 GMT):
Has joined the channel.

braduf (Tue, 26 Feb 2019 16:35:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3KBCynYocL4Xqdn8N) @haardikkk From my understanding, the admin you register when spinning up a CA is an administrator for that CA and, depending on the permissions you gave it, it can register other roles, intermediate CAs, revoke certificates etc on that CA. But it is not an administrator of the rest of the Fabric Network yet, this is defined on MSP level by adding certificates to your MSP. So if you want some generated identity to be an administrator for your peers, you have to add his certificate to the local MSP. This can be the same admin from the CA or they can also be other identities that were generated later.

gravity (Tue, 26 Feb 2019 19:52:06 GMT):
Hi all how to reenroll an enrollment certificate for a peer admin (when it is going to expire)? is it enough to just reenroll using `fabric-ca-client`? or are there any other actions to be done? thanks in advance

ShefaliMittal (Wed, 27 Feb 2019 07:50:25 GMT):
Hi, While using fabric-ca-client I can create and customize values in fabric-ca-client configuration file. Do I have the similar option while using sdk for interacting with fabric ca server.

skarim (Wed, 27 Feb 2019 14:31:13 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=s89h6NHXRLBQtwZB8) @gravity After you reenroll and get the new certificate, you'll have to update all the MSPs where the old peer admin certificate was being used.

skarim (Wed, 27 Feb 2019 14:31:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=b3S96BBRZryKQLGW4) @ShefaliMittal I would imagine so, but you might want to ask in the appropriate sdk channel

gravity (Wed, 27 Feb 2019 14:36:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wMCSYQcX2tTBPwgyz) @skarim is it enough to put a new certificate to `admincert` folder on peers? or are there any other actions to be done like channel config update?

skarim (Wed, 27 Feb 2019 15:18:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=B4tZRXZocTwYdtFbp) @gravity you would need to do both

gravity (Wed, 27 Feb 2019 15:38:50 GMT):
@skarim could you please guide me on which section of a channel config should be updated to add a new admin certificate?

Antimttr (Wed, 27 Feb 2019 20:48:04 GMT):
Is there a way to list a set of users for a particular ca org?

skarim (Wed, 27 Feb 2019 21:37:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=zAp2bLdgjY9n9gCKi) @gravity you might be able to get someone more familiar with the process on the #fabric or #fabric-questions channel

skarim (Wed, 27 Feb 2019 21:38:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yWRa9238BmGPitfYh) @Antimttr You can get a list of identities registered on a particular CA. See: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#getting-identity-information But, this is restricted to CA that you are enrolled with. There is no public list of identities that is exposed to everyone.

Antimttr (Wed, 27 Feb 2019 22:55:50 GMT):
@skarim thanks for the great answer, is there any corresponding API call in the nodejs sdk's for that command?

Antimttr (Wed, 27 Feb 2019 23:09:38 GMT):
@skarim is this only for idemix setups, or will it work for a simple ca setup as well?

czar0 (Thu, 28 Feb 2019 11:21:52 GMT):
Has joined the channel.

skarim (Thu, 28 Feb 2019 14:37:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PFzRWkjLRcPewM324) @Antimttr I think you are looking for: https://github.com/hyperledger/fabric-sdk-node/blob/release-1.4/fabric-ca-client/test/IdentityService.js#L246 It will work for x509 or idemix

Antimttr (Thu, 28 Feb 2019 15:50:52 GMT):
awesome, thanks

ChinmayIngle (Thu, 28 Feb 2019 17:56:33 GMT):
While trying to get the Certificate Authority using admin (using Node SDK) I am getting this error: `[ERROR] Helper - [FabricCAClientService.js]: Failed to enroll admin, error:Error: Calling enrollment endpoint failed with error [Error: connect ECONNREFUSED 127.0.0.1:7054]`. When I googled this error it suggested to "point the secretKey in docker-composer-yaml file for ca-fabric". I needed to confirm whether this secretkey is present in the crypto-config or at some other location. Can someone guide me? Thank you!

Antimttr (Thu, 28 Feb 2019 18:17:21 GMT):
Is there a way to examine the logs of a fabric CA like you can the hyperledger docker?

Antimttr (Thu, 28 Feb 2019 23:04:39 GMT):
ok trying to use the fabriccaservices library, and im getting this error: Error: `fabric-ca request identities?ca=undefined failed with errors [[{"code":19,"message":"CA 'ca-org2' does not exist"}]]`

Antimttr (Thu, 28 Feb 2019 23:06:25 GMT):
I initialized my object using these params: `const caServices = new FabricCAServices('https://localhost:7054', tlsOptions, 'ca-org2');`

Antimttr (Thu, 28 Feb 2019 23:16:18 GMT):
nm got it!

vieiramanoel (Fri, 01 Mar 2019 02:57:55 GMT):
hey guys, do you know how to generate an admin cert with role: Admin in a way that it's recognized by the MSP's rules?

npc0405 (Fri, 01 Mar 2019 06:55:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2LMQbTkEJq63B5QFj) @AlexTotheroh Any luck....? I am stuck on same point. However we can use external root certificate in fabric-ca-server and issue rest of certs with fabric-ca-client.

npc0405 (Fri, 01 Mar 2019 06:59:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Rf3wyYehFuJmNWNiD) @skarim Yes, using a different root certificate and issued msp and tls certs with that. When starting first-network, it's giving me an error.

Legiit (Fri, 01 Mar 2019 08:35:44 GMT):
Is it a good practice to disable TLS for the CA and serve it only over HTTPS instead? I tried both (with an SSL certificate from LetsEncrypt and a TLS cert from crypto-config), but these don't seem to work together

Legiit (Fri, 01 Mar 2019 08:35:44 GMT):
What's the best way to setup the CA with LetsEncrypt to enable it being served over HTTPS?

Legiit (Fri, 01 Mar 2019 08:39:13 GMT):
Like disabling TLS, but proxying calls from a secure domain over HTTPS to the CA? Or what is generally done

mastersingh24 (Fri, 01 Mar 2019 12:17:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=z7TkfLHRtFc94yzqL) @Legiit So you want to use Let's Encrypt certs for the CA's TLS endpoint? It's trivial as you can specify the TLS cert that the CA will use ... in the fabric-ca-server config file:
```
tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:
```
simply specify the path to the `keyfile` and `certfile` .... you would of course generate your private key locally and the certfile would be the X509 cert you get back from Let's Encrypt

gade (Fri, 01 Mar 2019 13:02:35 GMT):
Has joined the channel.

Legiit (Fri, 01 Mar 2019 13:21:39 GMT):
Okay clear, thanks @mastersingh24. 1 more thing - https://github.com/hyperledger/fabric-test/blob/master/fca-sample/docker-compose.yml#L354 Why is the fabric-ca-tools image used and what does it do? It's not documented anywhere. As I can see here these will be discontinued regarding this issue: https://jira.hyperledger.org/browse/FABCI-24 Is there any other example of how the ca would be used in production?

Legiit (Fri, 01 Mar 2019 13:30:09 GMT):
and in the description there is 1 folder centrally mounted to share config: to access bootstrap certificates required by clients to connect over TLS. How is this done in production? The mounting of a volume is not recommended, but there's no other alternative described to share the TLS files

vieiramanoel (Fri, 01 Mar 2019 16:13:49 GMT):
@mastersingh24 why can't I set `--id.type "admin"` when registering a new admin on fabric-ca?

vieiramanoel (Fri, 01 Mar 2019 16:17:42 GMT):
ca-server logs:
```
192.168.192.2:55040 POST /register 403 44 "Registrar does not have authority to act on type 'admin'"
```

skarim (Fri, 01 Mar 2019 16:34:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4vE5qWx5yZCyxyb3B) @vieiramanoel Does the identity that you are using to register have `admin` as one of the values for the attribute `hf.Registrar.Roles`?

vieiramanoel (Fri, 01 Mar 2019 16:38:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KhbWwY5pd5W36XSZ6) @skarim it's default ca's admin, that one that you set at init

skarim (Fri, 01 Mar 2019 16:41:34 GMT):
@vieiramanoel Can you take a look at the server's configuration file and see what that attribute is set to?

vieiramanoel (Fri, 01 Mar 2019 16:57:19 GMT):
sure!

vieiramanoel (Fri, 01 Mar 2019 16:59:23 GMT):
found it! thanks!

Estebanrestrepo (Fri, 01 Mar 2019 19:38:12 GMT):
Has joined the channel.

harshitrajan (Fri, 01 Mar 2019 20:05:31 GMT):
Has joined the channel.

AlexTotheroh (Fri, 01 Mar 2019 20:12:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=czbfKHRsxQpanp7Tk) @npc0405 The short answer is no, I haven't figured out how to do it. For the time being, I've resigned myself to manually creating all the required certs (like what cryptogen does) with my own CA, and seeing how that goes. I think my biggest obstacle is my own ignorance, so maybe the exercise will help with that, too.

rsoeldner (Sun, 03 Mar 2019 08:38:42 GMT):
Hey, is there a way to request the public key from the ca for a corresponding enrollment id ? I want to encrypt data for a specific enrollment id and store it.

ashutosh_kumar (Mon, 04 Mar 2019 03:08:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=r3igBnxjxgYqkofFM) @rsoeldner You mean public key for Cert ? If yes , you can retrieve it from cert/

rsoeldner (Mon, 04 Mar 2019 06:26:12 GMT):
@ashutosh_kumar yes - this should correspond to the current identity, right? I want to use it to encrypt stuff readable only for this participant (he could decrypt it with his corresponding priv. key) - I'm using the node SDK, do you know the functionality?

ashutosh_kumar (Mon, 04 Mar 2019 15:20:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XYb7CMrsMmgZDHngb) @rsoeldner How is that going to work? You as enrollment requester have your private key. You are going to encrypt the message using your public key and give your private key to your participant? I am totally confused.

nyet (Tue, 05 Mar 2019 02:57:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MnKghD8r6j9DNwYBC) @ashutosh_kumar You encrypt using the public key of the recipient, who decrypts it with his private key. However, that is for TLS, not signing. Transactions themselves are not encrypted, they are signed. The transport is encrypted using TLS, which is a different key pair.

ashutosh_kumar (Tue, 05 Mar 2019 14:14:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BpxMqEQmgxzMrwTep) @nyet I know that , I was trying to understand @rsoeldner use case.

nyet (Tue, 05 Mar 2019 15:48:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vG3o8874v6AMoLtwp) @ashutosh_kumar Sorry, I responded to the wrong message.

aacotroneo (Tue, 05 Mar 2019 20:03:47 GMT):
Has joined the channel.

aacotroneo (Tue, 05 Mar 2019 20:08:17 GMT):
hi! finding an issue while using the CA - I'm not an expert in go - but is this a bug? are args missing? https://github.com/hyperledger/fabric-ca/blob/release-1.4/lib/dbaccessor.go#L599

aacotroneo (Tue, 05 Mar 2019 20:09:24 GMT):
I got this error `"Failed to get users by affiliation and type: Failed to execute query 'SELECT * FROM users WHERE ((affiliation = ?) OR (affiliation LIKE ?))' for affiliation 'n3.acme' and types '*': Not enough args to execute query. Expected 2, got 0."` hope I traced it correctly

nyet (Tue, 05 Mar 2019 22:17:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6ypJWgqd3b6qH3Ga7) @aacotroneo That definitely looks like a bug. `Queryx()` is missing args.

nyet (Tue, 05 Mar 2019 22:20:56 GMT):
https://github.com/hyperledger/fabric-ca/commit/2b5ed40fa8a5d11af220243b5859290f374b29a0

nyet (Tue, 05 Mar 2019 22:24:50 GMT):
https://jira.hyperledger.org/browse/FABC-548

toddinpal (Tue, 05 Mar 2019 23:50:09 GMT):
I'm trying to query fabric-ca for a list of identities using the fabric-ca-client identity list command, and what I get back is: `Error: invalid character '<' looking for beginning of value`. Any ideas what I'm doing wrong?

rsoeldner (Wed, 06 Mar 2019 07:25:00 GMT):
@ashutosh_kumar my use case is that I want to securely transfer a message from person A to person B while preserving the history of the exchange. My ideal workflow would be: Person A requests the public key from the CA of the enrollment id of person B, uses this public key to encrypt a secret, storing this transaction on the blockchain so that person B can retrieve this message and use his private key to decrypt the message. Does this make sense to you?

Jaline (Wed, 06 Mar 2019 08:56:36 GMT):
Hi guys! How to generate the tls certificate from fabric-ca by means of node-SDK?

luckforzhang (Wed, 06 Mar 2019 08:58:43 GMT):
Has joined the channel.

luckforzhang (Wed, 06 Mar 2019 08:59:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oicAPnmM84GBrWkAN) @Jaline I know how to do that with `fabric-ca-client` if you like to know

Jaline (Wed, 06 Mar 2019 09:00:24 GMT):
yes, I want to know. Please tell me.

luckforzhang (Wed, 06 Mar 2019 09:03:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cxX6k8M8actWP2gTd) @Jaline in cli we could download tls certs from ca with `fabric-ca-client enroll -d -u http://admin:adminpw@caserver:port --enrollment.profile tls --csr.hosts your_csr_file` and there are other args you may check in the hyperledger `fabric-ca` docs

luckforzhang (Wed, 06 Mar 2019 09:04:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=cxX6k8M8actWP2gTd) @Jaline it's not the method in nodeSDK, that's all I know

Jaline (Wed, 06 Mar 2019 09:04:31 GMT):
Thank you!

luckforzhang (Wed, 06 Mar 2019 09:07:23 GMT):
Q: How to use cli to complete a idemix transaction? Any clue?

Jaline (Wed, 06 Mar 2019 09:07:32 GMT):
--csr.hosts this field must be added? Can't you go without doing it? And what does it mean? @luckforzhang

luckforzhang (Wed, 06 Mar 2019 09:09:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YcmYj3GF62wfktYzy) @Jaline it must, if you haven't added it, you will find errors in future txs. It's a bit complicated, I suggest you read the hyperledger docs

Jaline (Wed, 06 Mar 2019 09:10:34 GMT):
OK, thanks a lot

luckforzhang (Wed, 06 Mar 2019 09:12:24 GMT):
Can I have a write access to another channel's chaincode while I am using `invokechaincode`?

jlgarciasan (Wed, 06 Mar 2019 09:44:15 GMT):
Has joined the channel.

aacotroneo (Wed, 06 Mar 2019 12:02:17 GMT):
thanks @nyet for the help!

gravity (Wed, 06 Mar 2019 16:28:37 GMT):
hi all what will happen if the CA database with the information about all accounts and certificates is lost? is it possible to recover from this? thanks in advance

aambati (Wed, 06 Mar 2019 16:43:25 GMT):
db acts as user registry, so enrolls and reenrolls will not work...revocation will fail as well

mauricio (Wed, 06 Mar 2019 21:41:51 GMT):
Has joined the channel.

stephenman (Thu, 07 Mar 2019 01:47:15 GMT):
Has joined the channel.

stephenman (Thu, 07 Mar 2019 01:48:48 GMT):
Hi all, may I ask a stupid question? could anyone advise if fabric-ca can generate TLS certs?

stephenman (Thu, 07 Mar 2019 01:50:44 GMT):
Since the msp contains TLS folder, however, I don't find any ways to get a TLS cert from the fabric CA, but cryptogen

luckforzhang (Thu, 07 Mar 2019 02:22:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=o7NSTDsbiacNvRibH) @stephenman use `fabric-ca-client enroll` command with args `--enrollment.profile tls --csr.hosts your_csr_file`

luckforzhang (Thu, 07 Mar 2019 02:25:30 GMT):
You may like to see the docs of the `fabric-ca-client` tool at https://hyperledger-fabric-ca.readthedocs.io/en/release-1.1/clientcli.html#fabric-ca-client-s-cli

stephenman (Thu, 07 Mar 2019 05:25:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PsZpNEuyN9pJc4HQX) @luckforzhang I see, thank you so much Zhang!

zhoutong (Thu, 07 Mar 2019 09:04:26 GMT):
Has joined the channel.

zhoutong (Thu, 07 Mar 2019 09:04:49 GMT):
#fabric-samples

SashaPESIC (Thu, 07 Mar 2019 10:23:22 GMT):
Has joined the channel.

SashaPESIC (Thu, 07 Mar 2019 10:24:20 GMT):
Can someone please explain the difference between registering an identity and enroling an identity? Is registration done only once, and enrollment can be done multiple times?

braduf (Thu, 07 Mar 2019 16:48:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QXq6H88i4WRDTmtJa) Hi @SashaPESIC, registering is just creating a user of the CA, so you create a username and password and define what permissions this user has on the CA. You can then enroll this user, and that is really generating its cryptographic material so this user has its identity to sign things with.

braduf (Thu, 07 Mar 2019 16:50:28 GMT):
Hi all, what is exactly the use of the `users` folder in an MSP? Which certificates should go there?

nyet (Thu, 07 Mar 2019 18:14:01 GMT):
When using `--enrollment.profile tls`, `fabric-ca-client` puts the TLS private key in `msp/keystore/asdfasdfasdfasdfads_sk` where the filename is based on some hash. What is the algorithm for that hash? How am I supposed to know which of the `_sk` files to copy to the TLS privkey location? I can extract the pub key from each key in keystore and compare each one but that seems silly.

braduf (Thu, 07 Mar 2019 18:30:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fzRPES6nMtGHxB56L) @nyet You can create a new folder for every enrollment and point the FABRIC_CA_CLIENT_HOME variable to that new folder, then you will have the MSP structure for every enrolled identity in a separate folder and you know which key belongs to which identity...

nyet (Thu, 07 Mar 2019 18:54:36 GMT):
@braduf which requires doing an `ls` of `msp/keystore` to pull out the filename (for ansible, or scripting, or Makefiles).... I have that right now but man it is ugly as sin

nyet (Thu, 07 Mar 2019 19:03:22 GMT):
Ah on mailing list, it is the SKI

nyet (Thu, 07 Mar 2019 19:03:31 GMT):
https://lists.hyperledger.org/g/fabric/message/5630

nyet (Thu, 07 Mar 2019 19:03:47 GMT):
http://certificateerror.blogspot.com/2011/02/how-to-validate-subject-key-identifier.html

ashutosh_kumar (Thu, 07 Mar 2019 20:02:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=FXi6pdbFDzN3pJFuE) @rsoeldner I do not think you can get the public key of the other user from Fabric CA. You need to get the Certificate from your partner out of band, where Fabric CA is not involved.

nyet (Thu, 07 Mar 2019 20:02:34 GMT):
unfortunately, nothing works

braduf (Fri, 08 Mar 2019 02:20:09 GMT):
When doing a reenroll, is there some unique identifier in the new signcert that stays the same as the old signcert? Or how can you check in the chaincode that it is the same identity when the public key changed? From what I tested, the public key changes after a reenroll, or should I pass in some attributes to prevent this?

luckforzhang (Fri, 08 Mar 2019 07:17:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fzRPES6nMtGHxB56L) @nyet You will need args `-H ./new_tls_folder` or `-M ./new_tls_folder` to put the new tls-certs in a new folder, this is the simple way to do it.

luckforzhang (Fri, 08 Mar 2019 07:19:32 GMT):
Q: How to use cli to complete a idemix transaction? Any clue?

nyet (Fri, 08 Mar 2019 16:09:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HhGynGvydzbpZsyNQ) @luckforzhang Yea, I already do that, but I still have to look in the directory to determine the filename, there is no way to do it algorithmically w/o literally checking the dirent of the keystore/

nyet (Fri, 08 Mar 2019 16:09:55 GMT):
It's insane

vieiramanoel (Fri, 08 Mar 2019 18:46:20 GMT):
hey guys, when I generate cert OU is kinda strange

vieiramanoel (Fri, 08 Mar 2019 18:46:32 GMT):
``` Subject: C = BR, ST = Distrito Federal, L = Brasilia, O = org1, OU = admin + OU = org1, CN = admin@example.com ```

vieiramanoel (Fri, 08 Mar 2019 18:47:14 GMT):
I'm registering it with this commandline through fabric-ca-client `fabric-ca-client register -d --id.name admin@ORGANIZATION_DOMAIN --id.secret **** -M client/msp --id.attrs 'hf.Revoker=true,admin=true:ecert' --csr.names OU=client --id.type "admin" `

vieiramanoel (Fri, 08 Mar 2019 18:48:06 GMT):
the trouble is: when I try to start Orderer it fails due to this error:
```
panic: Error creating channelconfig bundle: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: admin 0 is invalid: The identity is not valid under this MSP [org1MSP]: could not validate identity's OUs: the identity must be a client, a peer or an orderer identity to be valid, not a combination of them. OUs: [[0xc420533e60 0xc420533e90]], MSP: [org1MSP]
```

vieiramanoel (Fri, 08 Mar 2019 18:48:51 GMT):
And I truly believe that this is related to that `+ OU = $orgname` in the first snippet

vieiramanoel (Fri, 08 Mar 2019 18:49:02 GMT):
@mastersingh24 @smithbk any clue?

skarim (Fri, 08 Mar 2019 19:33:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fzRPES6nMtGHxB56L) @nyet You could try putting the tls enrollment in a different MSP directory using the `--mspdir` flag. This way you only have one key per MSP.

nyet (Fri, 08 Mar 2019 21:58:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PnqL26ZQTdicprdK5) @skarim Yes, there is only one key but STILL have to `readdir()` `keystore/` to find the damn filename. There is literally no good reason to do it this way for profile=TLS

ParthKaloliya (Sat, 09 Mar 2019 12:35:25 GMT):
Has joined the channel.

ParthKaloliya (Sat, 09 Mar 2019 12:35:33 GMT):
Which are the root certificates and which are the client certificates to define the CA and to work with the NodeSDK when TLS enabled is set to true? Can anyone please help me with this

ParthKaloliya (Sat, 09 Mar 2019 12:36:11 GMT):
In single host

braduf (Sun, 10 Mar 2019 03:35:34 GMT):
How can a user be enrolled with an existing key pair on the Fabric CA?

logannwu (Sun, 10 Mar 2019 05:45:55 GMT):
Has joined the channel.

rbole (Sun, 10 Mar 2019 07:09:50 GMT):
hi, which fca version should be used for 1.4 ?

Luxii (Sun, 10 Mar 2019 09:08:49 GMT):
Has joined the channel.

Luxii (Sun, 10 Mar 2019 09:09:52 GMT):
It says `dial tcp conn failed no such host as ca.abc.example.com` when I request enrollment. I'm using fabric-ca-client. However when I request the same in the ca.org1.example container it works.

nyet (Sun, 10 Mar 2019 17:37:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XCJkw2i5dfKYQmzMN) @Luxii That's a docker problem not a fabric problem

nyet (Sun, 10 Mar 2019 21:57:27 GMT):
I confess I still don't understand what docker does for go applications that are entirely statically linked. Other than cause connectivity issues.

mastersingh24 (Sun, 10 Mar 2019 22:30:34 GMT):
It's a fine line between explaining how to set up Fabric and how concepts such as networking, TLS (especially hostname verification), etc all work. In order to help people quickly get started building applications, we use Docker and Docker Compose to stand up multi-component networks rather than wasting time on explaining the intricacies of networking. In a real multi-org / multi-party scenario, you'd only be setting up your own peer(s) and CA(s) ... so it's much simpler. Also ... chaincode itself currently requires Docker ... so it seemed to make sense to run other nodes in Docker as it's required anyway

Luxii (Mon, 11 Mar 2019 05:03:59 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=f4e92763-296a-40a8-aba5-4fdde7ba5e25) @nyet But why does it work in ca.org1.example.com container ?

nyet (Mon, 11 Mar 2019 05:17:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=aD6wKMsKqsp4MjJur) @Luxii Are you asking why `ca.abc.example.com` resolves inside docker, but not outside?

Luxii (Mon, 11 Mar 2019 05:18:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wRAZBZzebSxFga9R6) @nyet I'm asking why ca.org1.example.com resolves but ca.abc.example.com does not.

nyet (Mon, 11 Mar 2019 05:19:33 GMT):
Inside or outside of docker? Inside the docker network, docker names are resolved by docker itself.

Luxii (Mon, 11 Mar 2019 05:27:39 GMT):
Inside of docker container.

nyet (Mon, 11 Mar 2019 05:39:18 GMT):
Inside docker, containers will resolve DNS by container name. Outside of docker, you'll have to provide name resolution yourself.

Luxii (Mon, 11 Mar 2019 06:37:00 GMT):
@nyet thanks for your help, solved it now.

AshutoshGupta888 (Mon, 11 Mar 2019 09:17:12 GMT):
Has joined the channel.

Luxii (Mon, 11 Mar 2019 09:32:31 GMT):
This does not change the max enrollments of the user: `fabric-ca-client identity --tls.certfiles modify user6@abc --id.maxenrollments -1`

Luxii (Mon, 11 Mar 2019 09:32:44 GMT):
Am I doing something wrong?

Luxii (Mon, 11 Mar 2019 09:33:28 GMT):
It says successfully modified, but the max enrollment number stays the same, i.e. 1.

Luxii (Mon, 11 Mar 2019 09:45:07 GMT):
Why do I get this error ` details: 'access denied: channel [mychannel] creator org [AbcMSP]'` while invoking a transaction from one user?

mastersingh24 (Mon, 11 Mar 2019 09:59:16 GMT):
The org does not have access to the channel ... you'll need to check channel membership

Luxii (Mon, 11 Mar 2019 10:19:07 GMT):
The org has access; when I do a transaction with a different user of the same org, it gets successfully invoked.

Luxii (Mon, 11 Mar 2019 10:20:01 GMT):
Who is sending this error though? Orderer, peer or CA?

AshutoshGupta888 (Mon, 11 Mar 2019 13:06:28 GMT):
Can anyone send the code for a "Sort" query using a Selector?

SuperSeiyan (Mon, 11 Mar 2019 17:23:31 GMT):
Has joined the channel.

SuperSeiyan (Mon, 11 Mar 2019 18:12:49 GMT):
Hi all, I got an error with my fabric-ca:
```
2019/03/11 17:44:08 [DEBUG] Received request for /api/v1/register
2019/03/11 17:44:08 [DEBUG] Checking for revocation/expiration of certificate owned by 'meaomeao2'
2019/03/11 17:44:08 [DEBUG] DB: Get certificate by serial (3f4e7a23235c9d6fe695e7f2f5498580bb4aac06) and aki (471f5b0891da026d89f93a6aa87d6f523e5b6fd61fc9bfc0e0039a4762a78dab)
2019/03/11 17:44:08 [DEBUG] Received registration request from : { Name:newusertest31 Type: Secret:**** MaxEnrollments:1 Affiliation:org1 Attributes:[] CAName:ca.org1.example.com }
2019/03/11 17:44:08 [INFO] 172.28.0.1:52160 POST /api/v1/register 401 30 "Certificate not found with AKI '471f5b0891da026d89f93a6aa87d6f523e5b6fd61fc9bfc0e0039a4762a78dab' and serial '3f4e7a23235c9d6fe695e7f2f5498580bb4aac06'"
```
I've got this error after trying to test the reenroll feature multiple times using fabric-sdk-node. The question is: why does it use the 'meaomeao2' user as registrar?

KyunghoKim (Tue, 12 Mar 2019 03:06:59 GMT):
Has joined the channel.

SatheeshNehru (Tue, 12 Mar 2019 05:14:32 GMT):
Has joined the channel.

SatheeshNehru (Tue, 12 Mar 2019 05:14:53 GMT):
Java SDK code to generate a cert using fabric-ca?

phantom.assasin (Tue, 12 Mar 2019 09:12:38 GMT):
Has joined the channel.

phantom.assasin (Tue, 12 Mar 2019 09:13:07 GMT):
Getting a clang error when trying to include fabric-ca in Go code.
```
/usr/local/Cellar/go/1.11.4/libexec/pkg/tool/darwin_amd64/link: running clang failed: exit status 1
ld: warning: text-based stub file /System/Library/Frameworks//Security.framework/Security.tbd and library file /System/Library/Frameworks//Security.framework/Security are out of sync. Falling back to library file for linking.
ld: warning: text-based stub file /System/Library/Frameworks//Security.framework/Security.tbd and library file /System/Library/Frameworks//Security.framework/Security are out of sync. Falling back to library file for linking.
ld: warning: text-based stub file /System/Library/Frameworks//Security.framework/Security.tbd and library file /System/Library/Frameworks//Security.framework/Security are out of sync. Falling back to library file for linking.
ld: warning: text-based stub file /System/Library/Frameworks//Security.framework/Security.tbd and library file /System/Library/Frameworks//Security.framework/Security are out of sync. Falling back to library file for linking.
ld: warning: text-based stub file /System/Library/Frameworks//Security.framework/Security.tbd and library file /System/Library/Frameworks//Security.framework/Security are out of sync. Falling back to library file for linking.
ld: warning: text-based stub file /System/Library/Frameworks//IOKit.framework/Versions/A/IOKit.tbd and library file /System/Library/Frameworks//IOKit.framework/Versions/A/IOKit are out of sync. Falling back to library file for linking.
duplicate symbol _FetchPEMRootsCTX509_MountainLion in:
    /var/folders/v8/94mqr56n2yqd9pcj8rd21cyr0000gp/T/go-link-349309816/000024.o
    /var/folders/v8/94mqr56n2yqd9pcj8rd21cyr0000gp/T/go-link-349309816/000027.o
duplicate symbol _FetchPEMRootsCTX509 in:
    /var/folders/v8/94mqr56n2yqd9pcj8rd21cyr0000gp/T/go-link-349309816/000024.o
    /var/folders/v8/94mqr56n2yqd9pcj8rd21cyr0000gp/T/go-link-349309816/000027.o
duplicate symbol _useOldCodeCTX509 in:
    /var/folders/v8/94mqr56n2yqd9pcj8rd21cyr0000gp/T/go-link-349309816/000024.o
    /var/folders/v8/94mqr56n2yqd9pcj8rd21cyr0000gp/T/go-link-349309816/000027.o
ld: 3 duplicate symbols for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
```

phantom.assasin (Tue, 12 Mar 2019 09:13:43 GMT):
Libraries which I am trying to include are: ``` "github.com/hyperledger/fabric-ca/api" "github.com/hyperledger/fabric-ca/lib"```

FabricBeer (Tue, 12 Mar 2019 09:37:55 GMT):
Has joined the channel.

AkhilKura (Tue, 12 Mar 2019 09:37:58 GMT):
Why and when is the core.yaml file created in containers?

gravity (Tue, 12 Mar 2019 12:04:33 GMT):
Hi all, is there any guarantee that the enrollment id for an identity will be unique across all CA servers within an MSP?

gravity (Tue, 12 Mar 2019 12:04:58 GMT):
Or will it be unique only within a single CA server?

SatheeshNehru (Tue, 12 Mar 2019 12:05:48 GMT):
Need an example where certs are generated from fabric-ca-server using the Java SDK.

UnaiUrkiaga (Tue, 12 Mar 2019 14:08:24 GMT):
Has joined the channel.

ashutosh_kumar (Tue, 12 Mar 2019 14:57:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mwKT6ZkNdg3hebZ6W) @SatheeshNehru Certs are not generated by fabric-ca-server; they are signed by the Fabric CA server.

lupass93 (Tue, 12 Mar 2019 15:11:15 GMT):
Has joined the channel.

czar0 (Wed, 13 Mar 2019 09:55:41 GMT):
Hi all, I noticed in 1.4 we need to use the `Admin` user generated by `cryptogen` to allow a peer to create a channel:
```
CORE_PEER_MSPCONFIGPATH=/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
```
I have tried to use the `fabric-ca-client` directly to register and enroll an `admin` user, as follows:
```
fabric-ca-client register --id.name $peer_name --id.secret $peer_secret --id.type peer --id.attrs 'admin=true:ecert'
fabric-ca-client enroll -d -u http://${peer_name}:${peer_secret}@$SERVICE_DNS:${ca_port} -M ${peer_msp}_${peer_name}
fabric-ca-client certificate list --id $peer_name --store msp/admincerts
```
*Unfortunately, this admin user will not be able to create a channel.*
Peer create channel request: `peer channel create -o orderer-hlf-ord:31010 -c mychannel -f /hl_config/channel/mychannel_tx.pb`
Peer log response:
```
UTC [channelCmd] InitCmdFactory -> INFO 003 Endorser and orderer connections initialized
Error: got unexpected status: BAD_REQUEST -- error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
```
Orderer log:
```
[orderer.common.broadcast] ProcessMessage -> WARN 00b [channel: mychannel] Rejecting broadcast of config message from 10.1.3.141:54372 because of error: error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
2019-03-13 09:27:29.756 UTC [comm.grpc.server] 1 -> INFO 00c streaming call completed {"grpc.start_time": "2019-03-13T09:27:29.75Z", "grpc.service": "orderer.AtomicBroadcast", "grpc.method": "Broadcast", "grpc.peer_address": "10.1.3.141:54372", "grpc.code": "OK", "grpc.call_duration": "6.3911ms"}
2019-03-13 09:27:29.790 UTC [common.deliver] Handle -> WARN 00d Error reading from 10.1.3.141:54370: rpc error: code = Canceled desc = context canceled
```
Apparently only that "magic" `Admin` user does the trick. *How can I obtain a user with the same attributes and permissions using `fabric-ca-client`?*

SahithiDyavarashetti (Wed, 13 Mar 2019 10:20:45 GMT):
Has joined the channel.

asaningmaxchain123 (Wed, 13 Mar 2019 12:05:05 GMT):
@mastersingh24 What's the function of the `Affiliation` attribute when I register a new identity?

asaningmaxchain123 (Wed, 13 Mar 2019 12:05:47 GMT):
In the doc `https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/clientcli.html?highlight=affiliations`, it just tells me how to use it,

asaningmaxchain123 (Wed, 13 Mar 2019 12:06:08 GMT):
but I want to know under what condition I should use it.

asaningmaxchain123 (Wed, 13 Mar 2019 12:06:16 GMT):
thx in advance

ashutosh_kumar (Wed, 13 Mar 2019 14:37:27 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8ENeWks9dr5KkgaHA) @asaningmaxchain123 you can think of Affiliation as Role.

NasserRahal (Wed, 13 Mar 2019 16:01:44 GMT):
Has joined the channel.

gravity (Wed, 13 Mar 2019 19:58:21 GMT):
Hi @skarim, is it actually reasonable to have more than one intermediate CA server? I mean, is it enough to have only one ICA and scale it for better availability? Thanks in advance.

skarim (Wed, 13 Mar 2019 20:37:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wSGWqCcvb8isCWRWf) @gravity For HA, having multiple intermediates is necessary. Running the intermediate CAs in a cluster, they must all point to the same CA cert and key and also the same database.

gravity (Wed, 13 Mar 2019 20:59:17 GMT):
@skarim According to the documentation, `cacount` is not applicable for intermediate CAs. Is it possible to provide several `cafiles` using environment variables like `FABRIC_CA_SERVER_CAFILES`?

skarim (Thu, 14 Mar 2019 01:02:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=f3agedtHttzFn5BNo) @gravity yes, you can use that environment variable

asaningmaxchain123 (Thu, 14 Mar 2019 01:57:13 GMT):
@ashutosh_kumar @skarim Can you provide more details about `Affiliation`?

gravity (Thu, 14 Mar 2019 10:00:51 GMT):
@skarim Is it recommended to scale CA servers using `cacount` or `cafiles`? Or can I scale CA servers using, for example, AWS facilities?

mrudav.shukla (Thu, 14 Mar 2019 10:15:43 GMT):
How do I retrieve fabric user/username based on the public key?

mrudav.shukla (Thu, 14 Mar 2019 11:58:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=niZ4BFmiPv7jg23jM) Figured out an npm package that helps us to read pem contents and using that. However, if there are other ways, please let me know.

skarim (Thu, 14 Mar 2019 13:32:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SZo9nwDzczq4kKFwK) @gravity I am not sure about AWS facilities, but you should use `cafiles`; this allows you to pass in custom configuration files, which is what you will need to do so you can specify the cert/key and database connection string.

gravity (Thu, 14 Mar 2019 13:36:43 GMT):
@skarim But if I understood correctly, with a `cafiles` property the CA server will run several fabric-ca-server instances in the same container (if the network is running in k8s). Thus, if this container fails, all CA server instances in this container will be unavailable.

ashutosh_kumar (Thu, 14 Mar 2019 13:46:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Cd4ybb3b6FcvHEhhv) @asaningmaxchain123 What is your use case ?

skarim (Thu, 14 Mar 2019 13:51:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=on4zyrPHfzG7RcYgo) @gravity Oh that's right, I forgot we were talking about a cluster setup. In a cluster neither `cacount` nor `cafiles` is a valid option. You need to start separate CA servers; each server would need to have the exact same configuration file so that each server is identical. This might require moving the cert/key around, unless somehow all your containers are sharing the same volume mount.

gravity (Thu, 14 Mar 2019 14:06:55 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KnvtP6bNpgMtyA3id) Thanks, that's what I wanted to clarify :) There is one more question: do I actually need to init more than one intermediate server? I mean in the sense that they would have different databases and different certs/keys? Or will a single clustered ICA be enough?

kevinkbc (Thu, 14 Mar 2019 14:18:26 GMT):
Hey everyone. I was doing some tests enrolling users using the Java SDK. I want to check if everything is OK, so I thought of listing the users in fabric-ca. Does that make sense? I am using Hyperledger Fabric 1.2, official dockers (everything is still local). I went to the fabric-ca user guide and tried to list things inside the docker container (ca.example.com) using `fabric-ca-client identity list`, but I got: "[ERROR] Enrollment check failed: Idemix enrollment information does not exist Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort"

Kazekagegara (Thu, 14 Mar 2019 17:00:48 GMT):
Has joined the channel.

RealDeanZhao (Fri, 15 Mar 2019 07:42:10 GMT):
Has left the channel.

AshutoshGupta888 (Fri, 15 Mar 2019 08:46:50 GMT):
Can anyone tell me how to access the amount field in the code below?
```
package main

import "fmt"
import "encoding/json"

type PublicKey struct {
	Key       string
	Amount    float64
	item_id   string
	item_qty  string
	item_unit string
}

func main() {
	keysBody := []byte(`[{"Key":"so_12345", "Record":{"amount":24134,"item_id":"21","item_qty":23,"item_unit":43}}]`)
	keys := make([]PublicKey, 0)
	json.Unmarshal(keysBody, &keys)
	fmt.Printf("%#v", keys[0].Amount)
}
```
The main change needs to be made in the `fmt.Printf` line.

mastersingh24 (Fri, 15 Mar 2019 09:44:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6t4mSxbH8uw7QAQBz) @AshutoshGupta888 https://play.golang.org/p/xA9irer6sGx

npc0405 (Fri, 15 Mar 2019 10:45:45 GMT):
Has anybody configured LDAP with fabric-ca?

ashutosh_kumar (Fri, 15 Mar 2019 13:06:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=iwSFh2pQTe3yRgcq8) @npc0405 Have you looked at the fabric-ca doc? Fabric CA acts as an LDAP client.

nyet (Fri, 15 Mar 2019 15:30:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=3u6s6SCfgWAkZpTGi) @czar0 I was able to reproduce this; I don't know what is going on. Still looking in to it.

mrudav.shukla (Sun, 17 Mar 2019 08:12:51 GMT):
How do I remove identities from the CA configured with MySQL?

mrudav.shukla (Sun, 17 Mar 2019 08:35:04 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pdau3mWiktCGEPEtP) Figured it out. Need to start the fabric-ca server with identities.allowRemove: true.

BellaAdams (Mon, 18 Mar 2019 01:45:33 GMT):
What's the swagger port of fabric-ca

BellaAdams (Mon, 18 Mar 2019 01:45:34 GMT):
?

BellaAdams (Mon, 18 Mar 2019 01:48:23 GMT):
How do I use the swagger of fabric-ca?

SDChoi (Mon, 18 Mar 2019 04:45:07 GMT):
Has joined the channel.

SDChoi (Mon, 18 Mar 2019 05:04:18 GMT):
Hi, all. I have one question. Why doesn't fabric-ca set NotBefore time as current timestamp? If it isn't set and I make ecert within 5 minutes after running fabric-ca server, the ecert will be invalid as its NotBefore date is earlier than CA's NotBefore date.

SDChoi (Mon, 18 Mar 2019 05:09:58 GMT):
When I add following line in `fabric-ca/lib/serverenroll.go:117` , it doesn't have 5-min limitation : `req.NotBefore = time.Now().UTC()`

mrudav.shukla (Mon, 18 Mar 2019 06:59:55 GMT):
How do I utilise the secret that fabric-ca server provides for further requests?

reggiefelias (Mon, 18 Mar 2019 12:42:10 GMT):
Has joined the channel.

reggiefelias (Mon, 18 Mar 2019 12:46:12 GMT):
Hi, good day! Question: I'm not able to enroll a new ID to my fabric-ca. When I check the logs it mentions "Certificate for 'admin' have already expired". I've tried online docs and sites; it seems I need to reenroll the admin, but I cannot find any good sample. Is there an online reference I can follow?

skarim (Mon, 18 Mar 2019 13:46:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=JXNo8LWY7exKbNed4) @reggiefelias If the certificate that you are trying to reenroll is expired, then the `reenroll` command will not work for you. At this point you will have to `enroll` again using basic auth (username/password).

reggiefelias (Mon, 18 Mar 2019 13:53:06 GMT):
Thanks @skarim, let me try and update you if there is any issue. Thanks and have a nice day.

ChinmayIngle (Mon, 18 Mar 2019 13:53:51 GMT):
I have created a separate network from scratch for three organisations with 2 peers each. When I try to enroll a user I'm getting "Cannot read property 'curve' of the undefined". I also checked the fabric version and fabric-client version, and also set the version of the images in the base.yaml file ("image: hyperledger/fabric-peer:1.4.0") and in the docker-compose.yaml file for the CA of each organisation ("image: hyperledger/fabric-ca:1.4.0"), but the error still persists! Can anyone guide me here? Thanks!

nyet (Mon, 18 Mar 2019 15:31:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dRKaip8wfXPbv8FFN) @SDChoi That is not good. Open a JIRA bug.

nyet (Mon, 18 Mar 2019 15:40:31 GMT):
@SDChoi Can you override that behavior by specifying a custom CSR spec?

nyet (Mon, 18 Mar 2019 15:49:23 GMT):
@SDChoi This is why I think `cryptogen` is not a great idea; all of the examples should be using the `ca-server` to generate certs... 1) because that is how they recommend to generate certs in production 2) to catch problems like that early :/

gravity (Mon, 18 Mar 2019 15:53:27 GMT):
Hi @skarim, is there any way to check if the enrollment certificate is expired for an identity? Thanks in advance.

skarim (Mon, 18 Mar 2019 16:23:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GjTEpD3rztT7mvMBM) @gravity You can use openssl: `openssl x509 -noout -text -in `. Then look at the value for `Not After`.

gravity (Mon, 18 Mar 2019 16:42:31 GMT):
@skarim ahh, sorry for misleading. I wanted to ask is there any way to check if a certificate was revoked, not expired :)

skarim (Mon, 18 Mar 2019 16:47:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=e4D6XA3bSwTgu22wh) @gravity The list certificate command might help you there. See: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#listing-certificate-information

abedsau (Mon, 18 Mar 2019 21:20:37 GMT):
Has joined the channel.

reggiefelias (Tue, 19 Mar 2019 01:41:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=KTKrXNFFa5yNj7oC7) @skarim Hi @skarim are you referring to this command? fabric-ca-client enroll -u http://adminpw@localhost:7054?

GuillaumeTong (Tue, 19 Mar 2019 06:22:10 GMT):
Hi all, I would like to deploy a fabric ca server contained in a docker container (in a Kubernetes context). Is there any way to make it NOT create the default affiliations? I currently have to mount a fabric-ca-server-config.yaml file into the container so that it gets read at startup, but I would much prefer a solution involving environment variables. This way, all my config regarding the CA can be written in the container config file, and I do not have to mount a file into the container.

GuillaumeTong (Tue, 19 Mar 2019 06:26:15 GMT):
Most other configs in fabric-ca-server-config.yaml can be translated into environment variables, such as FABRIC_CA_SERVER_CA_NAME, FABRIC_CA_HOME and so on. But FABRIC_CA_SERVER_AFFILIATIONS does not seem to have any effect.

nyet (Tue, 19 Mar 2019 06:31:14 GMT):
@GuillaumeTong You can't. The config file mechanism is kind of brain damaged. Just like the insistence that the programs write out their own config files. There are some somewhat baffling design choices. https://jira.hyperledger.org/browse/FABC-160 illustrates one of them. Note that absolutely no work has been done to address this.

GuillaumeTong (Tue, 19 Mar 2019 06:51:46 GMT):
@nyet This seems quite appalling. I have voted on that issue since this should be a somewhat simple fix

reggiefelias (Tue, 19 Mar 2019 06:55:45 GMT):
Hi all, good day. I'm having an issue with my fabric-ca. I'm not able to register a new user. When I check the logs, it says "Certificate owned by 'admin' has expired".

reggiefelias (Tue, 19 Mar 2019 07:51:54 GMT):
I'm using MySQL as the datasource.

BellaAdams (Tue, 19 Mar 2019 08:28:10 GMT):
crl

reggiefelias (Tue, 19 Mar 2019 08:38:49 GMT):
Also, I'm using fabric-ca 1.0.1. Thanks.

BellaAdams (Tue, 19 Mar 2019 08:40:15 GMT):
How do I use fabric CRLs?

BellaAdams (Tue, 19 Mar 2019 08:40:41 GMT):
I use fabric-ca to generate certs. When I revoke a cert and generate CRLs,

BellaAdams (Tue, 19 Mar 2019 08:40:55 GMT):
I don't know how to use the CRLs.

BellaAdams (Tue, 19 Mar 2019 08:48:56 GMT):
I need help

mwall (Tue, 19 Mar 2019 09:28:19 GMT):
Has joined the channel.

GuillaumeTong (Tue, 19 Mar 2019 10:20:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=c79AnpygdrqL67toL) @BellaAdams You'll have to add the CRL to the corresponding org's MSP on the channel. You can try to follow this script: https://github.com/hyperledger/fabric-samples/blob/ed81d7b9b17bce5f103ebdae97c3bb12f97cf9a5/fabric-ca/scripts/run-fabric.sh Look specifically for these sections: fetchConfigBlock, createConfigUpdatePayloadWithCRL, and updateConfigBlock

GuillaumeTong (Tue, 19 Mar 2019 10:22:06 GMT):
You can also add the CRL to a peer's msp/crls folder.

BellaAdams (Tue, 19 Mar 2019 11:46:23 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=a9QQLyBBod3FMnBvA) @GuillaumeTong I added the CRL to the peer's msp/crls folder, but it doesn't work. I revoked peer0's cert. For the fabric network, if it is a peer, I need to restart the peer in order to make the newly added CRLs work. But for the orderer, restarting doesn't work.

gravity (Tue, 19 Mar 2019 15:57:29 GMT):
hello @skarim when an enrollment certificate is revoked and crl is generated (`revoke` was called with `--gencrl`), it will contain all revoked certificates and as the next step, this CRL should be placed in `channel_group.groups.Application.groups.ORG_NAME.values.MSP.value.config.revocation_list`, where `revocation_list` is an array. in this case, what is a recommended way on how to place these CRLs in a channel config - rewrite a single entry of this array after each revocation or append a slice that contains recently revoked certificates? also, is it necessary to include `crl.pem` to `crls` in local MSPs for peers? and why it's needed?

nyet (Tue, 19 Mar 2019 16:08:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wB4xKW8agr2WwW3fy) @BellaAdams I really don't get how the MSP dir is meant to work; making any changes to it seems to require restarting the peer (or orderer). Is this intended behavior? Even something as simple as renewing TLS certs requires a restart.

siddjain (Tue, 19 Mar 2019 22:52:54 GMT):
Has joined the channel.

reggiefelias (Wed, 20 Mar 2019 01:21:51 GMT):
Hi all, good day. When I try to enroll admin, I'm getting "post failure i/o timeout". I'm having trouble with my fabric-ca; I'm not able to register new users because the admin cert has expired.

reggiefelias (Wed, 20 Mar 2019 01:36:57 GMT):
If I use localhost as the URL it says "post failure malformed response not sending".

reggiefelias (Wed, 20 Mar 2019 01:46:54 GMT):
How can I renew the admin account? In the fabric-ca container our setup does not seem to have the client folder.

GuillaumeTong (Wed, 20 Mar 2019 04:25:27 GMT):
@BellaAdams @nyet Yeah, I did some tests with CRLs in the past and it sometimes works kinda funny. When adding a CRL to the MSP folder of a node, you indeed need to restart the node. Orderers don't seem to take account of their CRLs however... Something interesting to keep in mind however: putting a CRL on the channel will *invalidate* all tx that do not meet the policy after removing the revoked cert's signature, but nodes without that CRL locally will *not refuse connections* from the associated identity. In order to make nodes refuse *connections*, you need to put the CRL in their local MSP folder, which alone *does not invalidate* transactions involving that identity (due to consensus requirements).

GuillaumeTong (Wed, 20 Mar 2019 04:27:20 GMT):
Also, TLS CRL is not supported

GuillaumeTong (Wed, 20 Mar 2019 04:27:52 GMT):
I did these tests in fabric 1.2 however. Maybe some things have evolved since then

reggiefelias (Wed, 20 Mar 2019 05:55:21 GMT):
Hi all, `fabric-ca-client enroll` against localhost works if I set the fabric-ca-server TLS to false, but if I set it to true I'm having trouble with the enroll command. I initiate the command `enroll -u https://admin:adminpw@caurl:7054`

reggiefelias (Wed, 20 Mar 2019 05:56:07 GMT):
The error is "dial tcp lookup i/o timeout"

reggiefelias (Wed, 20 Mar 2019 06:04:55 GMT):
My problem is that the admin identity certificate has already expired, and because of it no new user is able to register. I'm having trouble figuring out how to renew. Any help is greatly appreciated. Thank you

mrudav.shukla (Wed, 20 Mar 2019 06:08:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PxdrpXysrPx5nPKen) @reggiefelias Did you try to issue reenroll for the admin?

reggiefelias (Wed, 20 Mar 2019 06:16:04 GMT):
I tried the reenroll command: `reenroll -u https://admin:adminpw@caserver:7054`

reggiefelias (Wed, 20 Mar 2019 06:16:21 GMT):
Error says enrollment information does not exists

reggiefelias (Wed, 20 Mar 2019 06:16:54 GMT):
Thanks @mrudav.shukla

reggiefelias (Wed, 20 Mar 2019 06:18:09 GMT):
The module has been working for a year, then this issue where the admin cert expired, thus no new user can be registered

chinmay213211 (Wed, 20 Mar 2019 06:19:17 GMT):
Has joined the channel.

mrudav.shukla (Wed, 20 Mar 2019 06:19:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GpiK8u2daLDbEP2rm) @reggiefelias And you are using ca server with mysql/postgres/ldap or in-memory?

reggiefelias (Wed, 20 Mar 2019 06:22:40 GMT):
Cs server with mysql

reggiefelias (Wed, 20 Mar 2019 06:22:52 GMT):
Ca server with mysql

gravity (Wed, 20 Mar 2019 06:29:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WPu4fvaGmvoEbuKva) @GuillaumeTong I've tried the following with a CRL. When a user's ecert was revoked, I updated the channel config by putting the generated CRL into the `revocation_list` section of the channel config, but did not put the CRL into the local MSPs. After this, every subsequent request from this user with this ecert failed with the error "access denied". And now I do not understand why it's needed to put the CRL into the local MSPs of peers.

reggiefelias (Wed, 20 Mar 2019 06:31:39 GMT):
@mrudav.shukla I'm using the CA server with mysql

GuillaumeTong (Wed, 20 Mar 2019 06:38:30 GMT):
@gravity putting CRL locally in peers is sometimes necessary because, for example, if a peer is revoked and the CSR is only on a channel, that peer can still receive gossip from other peers (according to my tests with fabric 1.2).

mrudav.shukla (Wed, 20 Mar 2019 06:38:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=XyaKuMmhGktCwtGoc) @reggiefelias Are you able to see admin enrolment information and certificate within mysql?

reggiefelias (Wed, 20 Mar 2019 06:53:42 GMT):
@mrudav.shukla When I logged in to mysql, I can see admin in the users table.

reggiefelias (Wed, 20 Mar 2019 06:56:15 GMT):
@mrudav.shukla In the certificates table the admin certificate is good, but the expiry has already passed.

reggiefelias (Wed, 20 Mar 2019 06:58:48 GMT):
Am I doing it wrong for the reenroll command?

SDChoi (Wed, 20 Mar 2019 07:44:27 GMT):
@nyet I fully agree with you. Mixing `openssl` and `fabric-ca-server` can cause this problem. (Or put `wait 5 mins when initializing with openssl` in document :innocent: )

BellaAdams (Wed, 20 Mar 2019 09:10:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WPu4fvaGmvoEbuKva) @GuillaumeTong Thank you very much. Could you tell me how to put the CRL on the channel?

GuillaumeTong (Wed, 20 Mar 2019 09:37:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CiZFbAAGAZqA69LYA) As I said before

GuillaumeTong (Wed, 20 Mar 2019 09:41:01 GMT):
The gist of the procedure is that you need to get the config from the channel, add the crl in base64 at the appropriate section, produce a diff according to the original, then submit that diff as a channel update transaction after having all parties sign the tx.

BellaAdams (Wed, 20 Mar 2019 11:11:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nfnmxa9krLEqbRD5k) @GuillaumeTong Thank you very much

gravity (Wed, 20 Mar 2019 15:12:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vMRKJvKLnKwBRSaqy) @GuillaumeTong but a peer should be restarted when a crl is placed to a local msp, right?

mnobilio (Wed, 20 Mar 2019 18:58:59 GMT):
Has joined the channel.

nyet (Wed, 20 Mar 2019 21:05:24 GMT):
Is it possible to create an orderer system genesis block before enrolling any peers?

nyet (Wed, 20 Mar 2019 21:05:41 GMT):
or do you have to have peer certs defined to go into the genesis block

reggiefelias (Thu, 21 Mar 2019 04:32:04 GMT):
Hi All, good day. I'm still having an issue with my fabric-ca: the admin user cert has expired. I tried to enroll again but I'm having the following error: "Dial tcp: lookup ca. Userorg on 127.0.0.11:53 read udp 127.0.0.1:55706-> 127.0.0.11:53 : i/o timeout"

GuillaumeTong (Thu, 21 Mar 2019 05:00:13 GMT):
@gravity yes

GuillaumeTong (Thu, 21 Mar 2019 05:01:42 GMT):
@nyet from my understanding, the genesis block will need the peers' CA's cert, but not the peers' certs themselves

reggiefelias (Thu, 21 Mar 2019 05:22:36 GMT):
Hi all, I figured out the i/o timeout. In the docker container I need to add the hostname of the CA and map it to 127.0.0.1. To do this I use the extra_hosts property of the yaml file. Thanks

reggiefelias (Thu, 21 Mar 2019 05:43:52 GMT):
Hi All, I have an admin whose certificate has expired. I tried to enroll and it created a new certificate, but I notice in mysql that the old certificate is still there. When I try to register a new user I'm still getting the expired admin cert error. Is there anything I need to do so that fabric-ca references the new cert?

mtng (Thu, 21 Mar 2019 07:48:07 GMT):
Hi everyone, I have one question about the management of certificates and private keys when you register a new identity in the CA. The documentation says the following: _"The enroll command stores an enrollment certificate (Ecert), corresponding private key and CA certificate chain PEM file in the subdirectories of the Fabric CA client's msp directory"_. Is this secure enough? According to the principles of PKI, the private key should be stored by the user/application in their own secure way. In this case the key is stored on the machine where the SDK is running (in the /tmp directory by default), but what happens if I want to register many users and give them their private keys? Is there any implementation that returns to users their private key and their certificate?

migrenaa (Thu, 21 Mar 2019 13:18:16 GMT):
Hey guys. Are you running multiple intermediate CA servers? If yes, how do you load balance? And actually what is the expected load that the ca should handle?

migrenaa (Thu, 21 Mar 2019 14:05:01 GMT):
And actually what is the expected load that the ca should handle?

ashutosh_kumar (Thu, 21 Mar 2019 14:05:47 GMT):
Why do you need the CA server to be load balanced?

ashutosh_kumar (Thu, 21 Mar 2019 14:06:13 GMT):
This is not a high-traffic operation, as CAs are owned by the org.

asaningmaxchain123 (Thu, 21 Mar 2019 14:40:06 GMT):
@skarim @smithbk can you tell me what's the function of the `Affiliation`

asaningmaxchain123 (Thu, 21 Mar 2019 14:40:49 GMT):
How can I do it? Can you give a real-world scenario?

smithbk (Thu, 21 Mar 2019 14:56:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Fj7C9E8PHTYoxu7hR) @asaningmaxchain123 Imagine an affiliation hierarchy similar to:
```
- department1
  - team1
  - team2
- department2
  - team1
```
If your identity is associated with the `department1.team1` affiliation, then you are not authorized to see or otherwise manage any identity associated with `department1.team2` or `department2.team1`. However, assuming you have the appropriate privilege bits, you are authorized to see or manage identities associated with `department1.team1`. More specifically, suppose you are associated with the `department1` affiliation AND you have the privilege to list identities. The `fabric-ca-client identities list` call would return to you identity information for identities with the following affiliations: department1, department1.team1, and department1.team2. You would NOT see any identities associated with the following affiliations: department2 or department2.team1 (or the root affiliation, which is the empty string).

asaningmaxchain123 (Thu, 21 Mar 2019 14:59:00 GMT):
@smithbk So it just controls the fabric-ca users; it doesn't affect the Fabric network

asaningmaxchain123 (Thu, 21 Mar 2019 15:00:14 GMT):
Another question is that `fabric-ca-client identities list` doesn't support paging

skarim (Thu, 21 Mar 2019 15:22:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=trR6ipZ3cK7fXitpp) @asaningmaxchain123 right, there is no paging support for the list command

migrenaa (Thu, 21 Mar 2019 15:41:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=mKWy4NisTxJ2XYzYu) @ashutosh_kumar In my case a single user application has a single certificate, every time when a user is registered fabric client cert is also registered and enrolled.

Daniel (Thu, 21 Mar 2019 18:00:51 GMT):
Has joined the channel.

nyet (Thu, 21 Mar 2019 19:28:38 GMT):
So there is no way to configure the multiple CA server config via environment variables?

nyet (Thu, 21 Mar 2019 19:30:01 GMT):
You can set up common things, but "different" items need to be in separate cfg files?

nyet (Thu, 21 Mar 2019 19:30:06 GMT):
https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#setting-up-multiple-cas

nyet (Thu, 21 Mar 2019 20:23:15 GMT):
in the config.yaml csr section, is `hosts` just `DNS:` or will it know to use `IP:` for numeric addresses?

nyet (Thu, 21 Mar 2019 21:49:05 GMT):
If I specify two cafiles, it seems to start up THREE CA servers: one with the default configs, and two more with the specified cafiles. Is this expected behavior?

skarim (Thu, 21 Mar 2019 23:02:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=eroGkzXmCnkGeq9pw) @nyet Yes that is the expected behavior. There is always a default CA, each additional config file you pass in will be an additional CA

nyet (Thu, 21 Mar 2019 23:05:05 GMT):
@skarim thanks

nyet (Thu, 21 Mar 2019 23:11:01 GMT):
If using curl (for example, to grab the root public CA cert for bootstrap), how do I specify which CN?

nyet (Thu, 21 Mar 2019 23:11:36 GMT):
I'm doing something like `curl -sk (host)/api/v1/cainfo`

nyet (Fri, 22 Mar 2019 00:54:33 GMT):
Ugh, `--csr.hosts` is totally broken for TLS. `--csr.hosts` can only generate `DNS:` records; it will not emit `IP:` SAN records.

nyet (Fri, 22 Mar 2019 00:58:08 GMT):
There is no way to set an `IP:` entry

nyet (Fri, 22 Mar 2019 00:59:08 GMT):
And the documentation is wrong: it says space separated

nyet (Fri, 22 Mar 2019 01:00:25 GMT):
What's the difference between `-m` and `--csr.hosts`?

nyet (Fri, 22 Mar 2019 01:03:23 GMT):
`--csr.hosts` can only generate `DNS:` records; it will not emit `IP:` SAN records.

BellaAdams (Fri, 22 Mar 2019 01:56:28 GMT):
How to generate CSR info using the nodejs SDK?

BellaAdams (Fri, 22 Mar 2019 01:57:05 GMT):
I find that we can only add a common name using nodejs

nyet (Fri, 22 Mar 2019 06:16:35 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=PZNf6vkyDXtRCvHHY) @SDChoi This is killing me right now. We should likely open a bug

GuillaumeTong (Fri, 22 Mar 2019 10:32:40 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5MwPZsBxWrnAAroCc) @nyet Are you sure? It seems to be working for me

GuillaumeTong (Fri, 22 Mar 2019 10:33:26 GMT):
At the client enroll phase at least

GuillaumeTong (Fri, 22 Mar 2019 10:34:04 GMT):
Unless you mean the server init phase, in which case I haven't tried recently

mastersingh24 (Fri, 22 Mar 2019 18:44:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AKvkcsddXT3sanE5J) @mtng If you decide to register and then *enroll* on your user's behalf, you'll be responsible for giving them their key pair. If you simply register your users, you can then give them their enroll id/secret and they can enroll on their own machines, etc.

SashaPESIC (Sat, 23 Mar 2019 11:27:18 GMT):
Hey guys. Check out a set of tools I have been working on for a while (https://chainrider.io/private). You can create Fabric networks and contracts in a matter of minutes (: You could also take a look at our YT channel (https://www.youtube.com/channel/UC0he04pR8q3AFS_X3mKybhQ) for cool tutorial videos. Let me know if you have any questions. Also, I could hook you up with some vouchers to try out some more advanced use cases. Would be happy to receive feedback from the community.

BellaAdams (Mon, 25 Mar 2019 01:16:26 GMT):
How to import an existing cert into fabric-ca?

BellaAdams (Mon, 25 Mar 2019 01:17:17 GMT):
For example, I have some certs generated by the cryptogen. Now I want to import these certs into fabric CA

BellaAdams (Mon, 25 Mar 2019 01:17:31 GMT):
What should I do?

yanli133 (Mon, 25 Mar 2019 06:50:14 GMT):
Has joined the channel.

mastersingh24 (Mon, 25 Mar 2019 08:02:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xfEDdqwEwyWMRuSJ8) @BellaAdams You cannot import existing certs

shiftby (Mon, 25 Mar 2019 09:11:08 GMT):
Has joined the channel.

shiftby (Mon, 25 Mar 2019 09:50:30 GMT):
Hello, I'm trying to configure a dev network with multiple CAs, with one root CA (rootca.example.com) and multiple intermediate CAs (intermediate1.example.com, intermediate2.example.com). I've configured rootca: `tls, db, ldap: false, affiliations: { root: [] }, csr: {cn: fabric-ca-server, names: [{..., O: root, OU: null, ...}], ca: {pathlength: 1}}` and started it. I've tried to create new identities and enroll certificates, and it worked well. So I want other companies to be able to start their own intermediate CAs. So just to test how that will happen I've created a config for intermediate1.example.com, filled in the intermediate.parentserver section (url: https://rootca.example.com), updated csr.ca.pathlength to 0 and created a new identity in registry.identities with affiliation "intermediate1". I started it and it requested the parentserver enrollmentId and secret, so I've tried to create a new identity in rootca (because I don't want to give admin credentials to the intermediate1 organization) with the following config:
```yaml
name: itransition-admin
type: client
affiliation: itransition
maxenrollments: 1
attributes:
  - name: hf.Registrar.Roles
    value: 'peer,user,app,orderer'
  - name: hf.Registrar.DelegateRoles
    value: 'peer,user,app,orderer'
  - name: hf.Registrar.Attributes
    value: 'email'
  - name: hf.GenCRL
    value: true
  - name: hf.Revoker
    value: true
  - name: hf.AffiliationMgr
    value: true
  - name: hf.IntermediateCA
    value: false
  - name: orgAdmin
    value: true
    ecert: true
```

shiftby (Mon, 25 Mar 2019 10:12:07 GMT):
Hello, I'm trying to configure a dev network with multiple CAs, with one root CA (rootca.example.com) and multiple intermediate CAs (intermediate1.example.com, intermediate2.example.com). I've configured rootca: `tls, db, ldap: false, affiliations: { root: [] }, csr: {cn: fabric-ca-server, names: [{..., O: root, OU: null, ...}], ca: {pathlength: 1}}` and started it. I've tried to create new identities and enroll certificates, and it worked well. So I want other companies to be able to start their own intermediate CAs. So just to test how that will happen I've created a config for intermediate1.example.com, filled in the intermediate.parentserver section (url: https://rootca.example.com), updated `csr.ca.pathlength` to 0 and created a new identity in registry.identities with affiliation "intermediate1". I started it and it requested the parentserver enrollmentId and secret, so I've tried to create a new identity in rootca (because I don't want to give admin credentials to the intermediate1 organization) with the following config:
```yaml
name: intermediate1-admin
secret: adminpw
type: client
affiliation: intermediate1
maxenrollments: 1
attributes: [
  {name: hf.Registrar.Roles, value: 'peer,user,app,orderer'},
  {name: hf.Registrar.DelegateRoles, value: 'peer,user,app,orderer'},
  {name: hf.GenCRL, value: true},
  {name: hf.Revoker, value: true},
  {name: hf.AffiliationMgr, value: true},
  {name: hf.IntermediateCA, value: true}
]
```
I've used the new parentserver.url https://intermediate1-admin:adminpw@intermediate1.example.com, and I was able to start the server and generate new identities. But then I tried to replace `affiliation: 'intermediate1'` with `affiliation: ''` in the server config. And I still was able to start the server and generate identities, but now I wasn't limited to generating 'intermediate1.*'-affiliation identities; I was able to generate identities with `affiliation: 'intermediate2'`. Could you help me to configure it?
I need to be sure that intermediate CAs cannot generate ANY certificate, but only ones for the same affiliation, so I can validate it in the chaincode. Also it would be helpful to be sure that intermediate CAs cannot add any attributes to the certificate, but only those that are specified by the main organization.

gravity (Mon, 25 Mar 2019 10:41:35 GMT):
is it necessary to update CSR fields like `O`, `OU` etc. with some specific values?

ChinmayIngle (Mon, 25 Mar 2019 13:17:22 GMT):
"error: [FabricCAClientService.js]: Failed to enroll admin, error:%o message=Calling enrollment endpoint failed with error [Error: Parse Error], stack=Error: Calling enrollment endpoint failed with error [Error: Parse Error]" I am getting this error while enrolling the admin or running enrollAdmin.js

nyet (Mon, 25 Mar 2019 16:45:51 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=GQPoWiStffcs7cxJW) @GuillaumeTong
```
X509v3 Subject Alternative Name: DNS:orderer, DNS: orderer.***, DNS: **.**.**.**
```
That should be `IP Address: **.**.**.**`

nyet (Mon, 25 Mar 2019 17:19:56 GMT):
`vendor/github.com/cloudflare/cfssl/csr/csr.go` appears to do the right thing in `Generate()` if the `Host` passes `ParseIP`:
```go
for i := range req.Hosts {
	if ip := net.ParseIP(req.Hosts[i]); ip != nil {
		tpl.IPAddresses = append(tpl.IPAddresses, ip)
	} else if email, err := mail.ParseAddress(req.Hosts[i]); err == nil && email != nil {
		tpl.EmailAddresses = append(tpl.EmailAddresses, email.Address)
	} else {
		tpl.DNSNames = append(tpl.DNSNames, req.Hosts[i])
	}
}
```

nyet (Mon, 25 Mar 2019 22:28:50 GMT):
But `ca-server` doesn't seem to use that `Generate` for making CSRs... I can't figure out where that happens

nyet (Mon, 25 Mar 2019 22:31:53 GMT):
I see that `lib/client.go` does, but is that just for the client app?

nyet (Mon, 25 Mar 2019 22:36:47 GMT):
ah found the problem

nyet (Mon, 25 Mar 2019 22:37:39 GMT):
The documentation says "space separated" but it takes comma separated, AND you can't have spaces after the comma, so `csr.host="host, 10.0.0.1"` won't work but `csr.host="host,10.0.0.1"` will work

nyet (Tue, 26 Mar 2019 00:52:06 GMT):
Sigh, now back to the 5 min problem:
```
2019-03-26 00:51:33.652 UTC [orderer.common.server] initializeLocalMsp -> FATA 0c2 Failed to initialize local MSP: the supplied identity is not valid: x509: certificate has expired or is not yet valid
```

gravity (Tue, 26 Mar 2019 08:45:28 GMT):
Hello @skarim Is there any way to set custom CSR values (O, OU, ST) except modifying ca server config? thanks in advance

skarim (Tue, 26 Mar 2019 13:30:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oxtGeCsXBbJEDkgjd) @gravity You can modify the CSR when you enroll using the client. See: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#enrolling-the-bootstrap-identity

gravity (Wed, 27 Mar 2019 09:37:39 GMT):
@skarim if I understand correctly, in this case bootstrap identity will be enrolled with custom CSR fields, but the certificate of CA server will have default values for CSR, right?

mastersingh24 (Wed, 27 Mar 2019 11:21:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=yaMQpD34YyPcsRei2) @nyet Submitted fixes for this on master (2.0.0) and for 1.4.1. Docs / help were updated to comma-separated and adding trimming logic to deal with spaces in the comma-separated list. Updated the JIRA with the info

skarim (Wed, 27 Mar 2019 13:32:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ccWsnT8FswLrXZryA) @gravity Ah ok, I wasn't sure if you were talking about enrollment certificate or CA certificate. For the CA server, the only way would be through the server's configuration file. There are no flags or env vars available for O, OU, ST, etc.

gravity (Wed, 27 Mar 2019 13:34:14 GMT):
@skarim but if the CA has default CSR values, but bootstrap identity has custom CSR values, will this work properly?

skarim (Wed, 27 Mar 2019 13:35:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=qzjR6gPaXt22LBwbn) @gravity Yeah, that should not be an issue

gravity (Wed, 27 Mar 2019 13:37:09 GMT):
@skarim thanks

nyet (Wed, 27 Mar 2019 14:47:13 GMT):
Thanks @mastersingh24 ! I am working on submitting another bug report for the 5 minute bug.

nyet (Wed, 27 Mar 2019 14:48:39 GMT):
https://chat.hyperledger.org/channel/fabric-ca?msg=PZNf6vkyDXtRCvHHY

nyet (Wed, 27 Mar 2019 20:55:40 GMT):
@mastersingh24 @SDChoi Here is the date problem in a nutshell (and openssl doesn't seem to care)
```
$ for i in `sudo find msp -name \*.pem`; do ls -al $i; sudo openssl x509 -noout -dates -in $i; done
-rw-r--r-- 1 enode enode 981 Mar 27 19:35 msp/signcerts/cert.pem
notBefore=Mar 27 19:30:00 2019 GMT
notAfter=Mar 26 19:35:00 2020 GMT
-rw-r--r-- 1 enode enode 977 Mar 27 19:35 msp/cacerts/server.pem
notBefore=Mar 27 19:34:14 2019 GMT
notAfter=Mar 24 19:34:14 2029 GMT
```
Note that the ca cert isn't valid until `19:34`, but the other certs were created at `19:30`. The peer cares:
```
2019-03-27 20:36:24.946 UTC [main] InitCmd -> ERRO 02e Cannot run peer because error when setting up MSP of type bccsp from directory /var/hyperledger/msp: the supplied identity is not valid: x509: certificate has expired or is not yet valid
```
But openssl does not:
```
$ openssl verify -CAfile msp/cacerts/server.pem msp/signcerts/cert.pem
msp/signcerts/cert.pem: OK
```
Also note that the `admincerts/cert.pem`'s `notBefore` of `19:30` is backdated from the actual file creation time of `19:35`. On the server itself, it is not backdated (since it is generated by `openssl`, and not `ca-server`)
```
$ ls -al ca-cert.pem
-rw-rw-r-- 1 enode enode 977 Mar 27 19:34 ca-cert.pem
$ openssl x509 -noout -dates -in ca-cert.pem
notBefore=Mar 27 19:34:14 2019 GMT
notAfter=Mar 24 19:34:14 2029 GMT
```
One possible solution is to backdate on ca-cert creation? haven't tried it yet. Is this cert chain actually invalid? Is there anything that says the signing cert's `notBefore` can't be later than the signed `notBefore`? https://jira.hyperledger.org/browse/FABC-832

nfrunza (Wed, 27 Mar 2019 21:01:43 GMT):
Hello, are there any fabric samples with Mutual TLS enabled, aka. CORE_PEER_TLS_CLIENTAUTHREQUIRED=true

spartucus (Thu, 28 Mar 2019 02:46:10 GMT):
Has joined the channel.

daanporon (Thu, 28 Mar 2019 11:02:28 GMT):
Has joined the channel.

daanporon (Thu, 28 Mar 2019 11:05:56 GMT):
hi, can someone explain to me what the difference is between an affiliation and using the O/OU attributes inside the certificate? When should I use an affiliation and when should I use intermediate CAs? And also, can I register users within one CA with different O/OU attributes, or do you need to work with intermediate certificates then?

ashutosh_kumar (Thu, 28 Mar 2019 13:51:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=umEn6z7ae69gzHXAq) @daanporon Affiliation is an attribute, which can map to a Role corresponding to your Org's department structure. OU is to distinguish the certificate usage context, e.g. Client or Peer.

daanporon (Thu, 28 Mar 2019 17:19:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xgJcQqDkaX9hFzuYP) @ashutosh_kumar but OU (Org Unit) can also be used to reflect the Orgs dept structure no? Is it possible to access the affiliation using chaincode? because the OU is something you can access via chaincode

skarim (Thu, 28 Mar 2019 17:21:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ahfpbHy5jAcAPxLEq) @daanporon If you are using the latest version of CA, the affiliation gets inserted into the certificate as an attribute and then you can use cid library to get the value of affiliation.

ashutosh_kumar (Thu, 28 Mar 2019 17:32:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ahfpbHy5jAcAPxLEq) @daanporon What you are saying is correct , but fabric code is not written that way.

koineramitranjan (Fri, 29 Mar 2019 04:32:09 GMT):
Has joined the channel.

benjamin.verhaegen (Fri, 29 Mar 2019 07:51:48 GMT):
Has joined the channel.

mastersingh24 (Fri, 29 Mar 2019 09:24:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZHtNetJ6hgaDXtfqq) @nyet I responded to the JIRA in the comments section. Have a look and see what you think ...

nyet (Fri, 29 Mar 2019 15:19:52 GMT):
@mastersingh24 responding there accordingly.

nyet (Fri, 29 Mar 2019 15:19:57 GMT):
thanks for your attention

nyet (Fri, 29 Mar 2019 15:21:23 GMT):
Is there a way to convince openssl to backdate a cert without `faketime`

nyet (Fri, 29 Mar 2019 15:29:31 GMT):
This seems to suggest not, and suggests `faketime` https://stackoverflow.com/questions/27745161/openssl-self-signed-root-ca-certificate-set-a-start-date

nyet (Fri, 29 Mar 2019 15:30:41 GMT):
Also I don't think the `peer` should care that the signing cert's `notBefore` is after the signed cert's `notBefore`, as long as the signed cert isn't used before the latest `notBefore`...

ilyahq (Fri, 29 Mar 2019 15:45:31 GMT):
Has joined the channel.

gravity (Fri, 29 Mar 2019 16:19:52 GMT):
Hi all, how do I tell the CA server to use a custom `fabric-ca-server-config.yaml` and skip creating the default one? Is the parameter `cafiles` suitable for this?

nyet (Fri, 29 Mar 2019 16:20:11 GMT):
just create the one you want and it will not overwrite it

nyet (Sat, 30 Mar 2019 01:57:48 GMT):
dang it the -b admin:adminpw no longer works :/

nyet (Sat, 30 Mar 2019 01:57:51 GMT):
wtf?

nyet (Sat, 30 Mar 2019 02:00:27 GMT):
```
2019/03/30 02:00:05 [DEBUG] Incorrect password entered by user 'admin'
2019/03/30 02:00:05 [INFO] 165.22.132.176:35564 POST /enroll 401 24 "Login failure: Password mismatch: crypto/bcrypt: hashedPassword is not the hash of the given password"
```

nyet (Sat, 30 Mar 2019 02:00:47 GMT):
```
fabric-ca-client enroll -u https://admin:adminpw@***:7054 -H /data/tls --caname tlsca-server --tls.certfiles=/data/tls/ca.crt --enrollment.profile tls
2019/03/30 02:00:05 [INFO] TLS Enabled
2019/03/30 02:00:05 [INFO] generating key: &{A:ecdsa S:256}
2019/03/30 02:00:05 [INFO] encoded CSR
Error: Response from server: Error Code: 20 - Authentication failure
```

nyet (Sat, 30 Mar 2019 02:03:09 GMT):
```
~$ docker exec -ti ca-server /bin/bash -c "xargs -0 echo < /proc/1/cmdline"
fabric-ca-server start --cfg.identities.allowremove --cfg.affiliations.allowremove -b admin:adminpw --cafiles ca.yaml -d
```

nyet (Sat, 30 Mar 2019 02:22:09 GMT):
ah i think i found the problem. -b does not override things in the config.yaml

nyet (Sat, 30 Mar 2019 02:30:11 GMT):
like.. password

balazsprehoda (Sun, 31 Mar 2019 19:09:51 GMT):
Has joined the channel.

gravity (Mon, 01 Apr 2019 00:04:15 GMT):
Hi all. is it possible to get users affiliation in a chaincode using the `cid` library?

gravity (Mon, 01 Apr 2019 00:04:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=dQJpL48dZ9kKvpETn) @nyet actually it should override

Randyshu2018 (Mon, 01 Apr 2019 03:39:26 GMT):
hi all, is there some resource that introduces msp, fabric-ca, cryptogen and openssl in more detail?

nyet (Mon, 01 Apr 2019 04:12:56 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ieqGmxwbeFRJQupxP) @gravity It did not iirc but I will try to reproduce time permitting.

sunit.versatile (Mon, 01 Apr 2019 08:22:31 GMT):
Has joined the channel.

umamani113 (Mon, 01 Apr 2019 12:36:36 GMT):
Has joined the channel.

awattez (Mon, 01 Apr 2019 14:46:53 GMT):
Hey, is it possible to provide affiliations in docker-compose file for Docker ENV like : ```- FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/... - FABRIC_CA_SERVER_CFG_AFFILIATIONS_ALLOWREMOVE=true``` Do you know how to write it ?

luckforzhang (Tue, 02 Apr 2019 09:09:27 GMT):
I think there is not, you need to create it when the ca is on.

skarim (Tue, 02 Apr 2019 17:20:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DPhDkEXeDwCyhgsA4) @gravity If you are working of the latest version of the CA, you should have the affiliation as an attribute in your certificate. You can use the cid library to get that attribute. `val, ok, err := cid.GetAttributeValue(stub, "hf.Affiliation")`

AliciaDominic (Wed, 03 Apr 2019 04:37:43 GMT):
Has joined the channel.

adityanalgework1 (Wed, 03 Apr 2019 19:38:50 GMT):
Hi. What is this error ```Error: Response from server: Error Code: 0 - 2 rows were affected when updating the state of identity admin ```

adityanalgework1 (Wed, 03 Apr 2019 19:39:18 GMT):
I get it on trying to do simple ```fabric-ca-client enroll -u http://admin:adminpw@0.0.0.0:7055 ```

adityanalgework1 (Wed, 03 Apr 2019 19:39:45 GMT):
The reason my url is 0.0.0.0:7055 is because my CA is a docker container

adityanalgework1 (Wed, 03 Apr 2019 19:40:36 GMT):

CA Logs

adityanalgework1 (Wed, 03 Apr 2019 19:40:57 GMT):
What does Request is not for a CA signing certificate mean?

skarim (Wed, 03 Apr 2019 20:28:25 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=apzQXy4a67Yz2tGWn) @adityanalgework1 I am not sure how you got into this state but it seems like you have two identities registered with same name of 'admin'. The second registration should have resulted in an error. You can check your database to confirm that is indeed the case.

skarim (Wed, 03 Apr 2019 20:28:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=w5dQiepLitg8mqpBb) @adityanalgework1 It means that the request is for an enrollment certificate

stephenman (Thu, 04 Apr 2019 02:21:08 GMT):
Hi, may I know what the difference in use is between peer0.org1.example.com/msp/tlscacerts and peer0.org1.example.com/tls? Thanks

AndresMartinezMelgar.itcl (Thu, 04 Apr 2019 06:26:02 GMT):
Hello, is there any way to know which users are registered in the CA? If 2 users are created when the network is created (according to the crypto-config file) and I create an additional one in the CA, can I also access those files?

stephenman (Thu, 04 Apr 2019 06:40:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BJJGQ2J5JnJavDPk2) @AndresMartinezMelgar.itcl from my understanding, the command "fabric-ca-client identity list" could print all certs generated by the ca, there would be CN in the cert

luckforzhang (Thu, 04 Apr 2019 08:10:42 GMT):
Hi all, I am coming to ask a stupid question: does the `gencrl` return all the crl that needed? For example, when I first `revoke user0` and then `revoke user1`, at this moment we `gencrl`, so will this crl contains both `user0 & user1` or ?

stephenman (Thu, 04 Apr 2019 09:04:15 GMT):
Hi all, I'm trying to use a newly generated admin cert to join a channel, however, it returns an error: Error: proposal failed (err: bad proposal response 500: access denied for [JoinChain][mychannel]: [Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin]]) But mine is generated by fabric ca, and with attributes: {"admin":"true","hf.Affiliation":"org1","hf.EnrollmentID":"Admin@org1.example.com","hf.Type":"user"}, can anyone help? Thanks!

luckforzhang (Thu, 04 Apr 2019 09:24:02 GMT):
change `"hf.Type":"user"` to `"hf.Type":"admin"`

stephenman (Thu, 04 Apr 2019 10:05:37 GMT):
thx, let me try

stephenman (Thu, 04 Apr 2019 10:40:44 GMT):
have tried to change the hf.Type from user to admin, but same error

smithbk (Thu, 04 Apr 2019 13:17:42 GMT):
@stephenman In order to function as an admin in fabric, the specific admin cert must be registered in the channel's msp/admincerts folder.

smithbk (Thu, 04 Apr 2019 13:18:58 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=YvsymmdN2rA3yYNJh) @luckforzhang Yes, it will contain certs for both user0 and user1 in the CRL

nyet (Thu, 04 Apr 2019 16:02:01 GMT):
@smithbk is this also true for orderer system genesis channel and group add for peer? Does this mean you HAVE to *pregenerate* peer certs before launching the orderer, or new peer certs have to be added every time a new one is created via enroll? Seems onerous...

nyet (Thu, 04 Apr 2019 16:02:59 GMT):
I'm trying to avoid `cryptogen` as recommended and it's giving me nothing but problems using `fabric-ca-enroll` because just about every "example" uses `cryptogen`, when it shouldn't be.

smithbk (Thu, 04 Apr 2019 16:07:09 GMT):
@nyet Yes, it is also true for orderer, etc. Yes, pregenerating is easier, but you can also add a new admin to admincerts via a config update which must be executed by an existing admin

nyet (Thu, 04 Apr 2019 16:08:05 GMT):
If i choose to add it to the MSP `admincerts` do i have to restart the orderer?

smithbk (Thu, 04 Apr 2019 16:08:26 GMT):
@skarim Saad, where is the latest doc for using fabric-ca tutorial with fabric

smithbk (Thu, 04 Apr 2019 16:08:38 GMT):
@nyet No ... you do not have to restart

nyet (Thu, 04 Apr 2019 16:09:49 GMT):
@smithbk Thanks! Also, can i use `fabric-ca-client certificate` to pull the new admin cert from the ca-server on the orderer itself?

smithbk (Thu, 04 Apr 2019 16:10:07 GMT):
yes

nyet (Thu, 04 Apr 2019 16:10:17 GMT):
excellent, thank you. I think that will work for us.

smithbk (Thu, 04 Apr 2019 16:11:05 GMT):
We used to have a sample showing this but Saad converted it into a tutorial format ... I think you should find that helpful

nyet (Thu, 04 Apr 2019 16:14:06 GMT):
I would love to see any tutorials that use `fabric-ca-client` instead of `cryptogen`. My current reference is the operations guide in progress here which i have forked from the Gerrit PR https://github.com/Blockdaemon/fabric-ca/blob/gerrit-pr-29430/docs/source/operations_guide.rst

nyet (Thu, 04 Apr 2019 16:14:40 GMT):
but it too *pregenerates* the peers *before* launching the orderer, which does not fit our model, which is to be able to add peers ad hoc

czar0 (Fri, 05 Apr 2019 12:19:43 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Cn4uhQsgew3ZSi85k) @nyet Is there any updates on this issue?

czar0 (Fri, 05 Apr 2019 14:22:53 GMT):
Following this guide https://gerrit.hyperledger.org/r/#/c/29430/8/docs/source/operations_guide.rst to register and enrol an org admin user and I still cannot sort this out...
```
kubectl exec --namespace $namespace $ca_pod -- fabric-ca-client register --id.name $admin_name --id.secret $admin_secret --id.type admin --id.attrs "hf.registrar.roles=client,hf.registrar.attributes=*,hf.revoker=true,hf.gencrl=true,admin=true:ecert,abac.init=true:ecert" -u http://$SERVICE_DNS:7054
kubectl exec --namespace $namespace $ca_pod -- fabric-ca-client enroll -u http://${admin_name}:${admin_secret}@$SERVICE_DNS:7054 -M $org_msp
```
Resulting in the following errors:
```
Register the Organisation Admin identity
2019/04/05 14:13:19 [INFO] Configuration file location: /var/hyperledger/fabric-ca/fabric-ca-client-config.yaml
Error: Response from server: Error Code: 71 - Authorization failure
command terminated with exit code 1
Enroll the Organisation Admin identity in Org1MSP
2019/04/05 14:13:20 [INFO] generating key: &{A:ecdsa S:256}
2019/04/05 14:13:20 [INFO] encoded CSR
Error: Response from server: Error Code: 20 - Authentication failure
```
@PradeepJaligama or anyone could you provide some help here? thanks

PradeepJaligama (Fri, 05 Apr 2019 14:22:55 GMT):
Has joined the channel.

charki (Fri, 05 Apr 2019 14:59:08 GMT):
Has joined the channel.

nfrunza (Fri, 05 Apr 2019 16:49:54 GMT):
any sample script to generate client certificates for MutualTSL ?

skarim (Fri, 05 Apr 2019 20:40:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=TyZrtpwTySrWjZtkN) @czar0 You need to first enroll the bootstrap identity, this is the identity that was specified when you started up the CA server. After you have enrolled the bootstrap identity, you can use this identity to register other identities

nyet (Fri, 05 Apr 2019 21:09:56 GMT):
@czar0 you don't have to do the register step, you can do it all with admin and enroll to simplify things for now

gravity (Sat, 06 Apr 2019 21:24:14 GMT):
hi all, why is it not possible to init the ca server using the `-b` option if a custom ca server config was provided? This option is simply ignored. But if the config is not specified, the ca server creates one and creates the user passed in `-b`

nyet (Sun, 07 Apr 2019 02:15:05 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wg4rbZzLDDvyX7Ds9) @gravity I encountered the same issue. Was going to create a bug but haven't yet. The whole "write out my config" thing that fabric does is bizarre.

gravity (Sun, 07 Apr 2019 08:55:21 GMT):
had anyone met this error before? ``` 2019/04/07 06:13:11 [FATAL] Initialization failure: Response from server: Error Code: 0 - Certificate signing failure: {"code":5300,"message":"Policy violation request"} ``` it occurs when I'm trying to initialize intermediate CA

gravity (Sun, 07 Apr 2019 08:56:24 GMT):
I thought it's related to `pathLength`, but on the root CA it is not specified, hence unlimited number of intermediate CAs can be issued

mallikarjunasai995 (Sun, 07 Apr 2019 17:59:46 GMT):
hi, I am reading the fabric-ca part regarding how to integrate hyperledger fabric with *LDAP* and this is the link that I am referring to ... https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#prerequisites but I am confused about where I have to configure all the settings in my *balance-transfer app*? Does anybody have any template kind of thing for the same ...

ahy (Sun, 07 Apr 2019 22:30:59 GMT):
Has joined the channel.

ahy (Sun, 07 Apr 2019 22:39:13 GMT):
Hi. I am following the Hyperledger Composer tutorial for deploying a multi-org business network and the Hyperledger Fabric tutorial for building your first network. Does anyone have any idea why I am getting this error when I am trying to issue a new ID for a participant? This is the message I am getting from docker logs ca.org1.example.com
```
2019/04/07 22:25:52 [DEBUG] Received request for /api/v1/register
2019/04/07 22:25:52 [DEBUG] Caller is using a x509 certificate
2019/04/07 22:25:52 [DEBUG] Failed to verify token based on new authentication header requirements: %!s()
2019/04/07 22:25:52 [DEBUG] Checking for revocation/expiration of certificate owned by 'admin'
2019/04/07 22:25:52 [DEBUG] DB: Get certificate by serial (256c351ad449bacfdf0ccc14c6149909fcb84ba3) and aki (8f4fc3332717b19452cc1661e578d93dd7e6d6bc5b4faa5f7c048dfd7fb9db99)
2019/04/07 22:25:52 [INFO] 172.20.0.1:32806 POST /api/v1/register 401 30 "Certificate not found with AKI '8f4fc3332717b19452cc1661e578d93dd7e6d6bc5b4faa5f7c048dfd7fb9db99' and serial '256c351ad449bacfdf0ccc14c6149909fcb84ba3'"
```

stephenman (Mon, 08 Apr 2019 00:53:28 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SxpNhnNYo2yjL7fHz) @smithbk Many thanks for your advice! May I get it more clarified, the channel's msp/admincerts folder means the msp/admincerts of the orderer or all nodes(orderers and peers)?

stephenman (Mon, 08 Apr 2019 00:55:23 GMT):
FYI, I have placed it to the peer's msp/admincerts, but still not working yet. Thanks in advance @smithbk !

stephenman (Mon, 08 Apr 2019 08:01:12 GMT):
Hi all, may I know if all the peers and admins in the same organization are required to use the same cert in msp/cacerts?

AndresMartinezMelgar.itcl (Mon, 08 Apr 2019 08:39:54 GMT):
Hello, is there a tutorial that explains step by step how to use fabric-ca, or how I can use it with the Java SDK?

czar0 (Mon, 08 Apr 2019 10:16:33 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=msZ7hD5iMiXCyG8iB) @skarim I enrolled the bootstrap admin right before with:
```
kubectl exec --namespace $namespace $ca_pod -- bash -c 'fabric-ca-client enroll -d -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054'
```
How can I use this identity to enrol other users? Note: I am not using TLS here.
*Edit: this is the log on the CA container when I am trying to register the organisation admin:*
```
2019/04/08 11:09:53 [DEBUG] Received request for /register
2019/04/08 11:09:53 [DEBUG] Caller is using a x509 certificate
2019/04/08 11:09:53 [DEBUG] Checking for revocation/expiration of certificate owned by 'admin'
2019/04/08 11:09:53 [DEBUG] DB: Get certificate by serial (240e000a914031c8ae99b29b0a36299f986a5281) and aki (1cb0c606e797436e5dba2b566f15805a283abb7e)
2019/04/08 11:09:53 [DEBUG] DB: Getting identity admin
2019/04/08 11:09:53 [DEBUG] Successful token authentication of 'admin'
2019/04/08 11:09:53 [DEBUG] Received registration request from admin: { Name:org1-admin Type:admin Secret:**** MaxEnrollments:0 Affiliation: Attributes:[{hf.registrar.roles client false} {hf.registrar.attributes * false} {hf.revoker true false} {hf.gencrl true false} {admin true true} {abac.init true true}] CAName: }
2019/04/08 11:09:53 [DEBUG] No affiliation provided in registration request, will default to using registrar's affiliation of ''
2019/04/08 11:09:53 [DEBUG] canRegister - Check to see if user 'admin' can register
2019/04/08 11:09:53 [DEBUG] Checking to see if caller 'admin' can act on type 'admin'
2019/04/08 11:09:53 [DEBUG] Checking to see if caller 'admin' is a registrar
2019/04/08 11:09:53 [DEBUG] Caller with types '[peer orderer client user]' is not authorized to act on 'admin'
2019/04/08 11:09:53 [DEBUG] Registration of 'org1-admin' failed: : scode: 403, local code: 44, local msg: Registrar does not have authority to act on type 'admin', remote code: 71, remote msg: Authorization failure
2019/04/08 11:09:53 [INFO] 127.0.0.1:46624 POST /register 403 44 "Registrar does not have authority to act on type 'admin'"
```
*Edit 2: the bootstrap identity admin has the following attributes:*
```
root@ca-hlf-ca-b485f5b8c-8m8th:/# fabric-ca-client identity list
Name: admin, Type: client, Affiliation: , Max Enrollments: -1, Attributes: [{Name:hf.Registrar.Attributes Value:* ECert:false} {Name:hf.AffiliationMgr Value:1 ECert:false} {Name:hf.Registrar.Roles Value:peer,orderer,client,user ECert:false} {Name:hf.Registrar.DelegateRoles Value:peer,orderer,client,user ECert:false} {Name:hf.Revoker Value:1 ECert:false} {Name:hf.IntermediateCA Value:1 ECert:false} {Name:hf.GenCRL Value:1 ECert:false}]
```

czar0 (Mon, 08 Apr 2019 10:19:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=559a65ad-aa48-4830-85bf-4eb48fcc84df) @nyet What do you mean? This is the organisation admin not the bootstrap admin. I want to use a new admin with specific attributes to register and enrol identities instead of the bootstrap one. Is that possible?

gravity (Mon, 08 Apr 2019 11:42:22 GMT):
Hi all, is it correct behavior that `reenroll` issues a new enrollment certificate? If it's correct, what is the difference with `enroll`? And another question: if some ecert attributes are updated or newly added, a new enrollment certificate should be enrolled, shouldn't it?

czar0 (Mon, 08 Apr 2019 18:08:12 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7pzRWzPXMDitN2QCJ) I solved the issue as follows:
- Replaced `--id.type admin` with `--id.type client`
- Replaced `--id.attrs ""` with case-sensitive ones
```
kubectl exec --namespace $namespace $ca_pod -- fabric-ca-client register --id.name $admin_name --id.secret $admin_secret --id.type client --id.attrs '"hf.Registrar.Roles=peer,user,client",hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert' -u http://$SERVICE_DNS:7054
```

ahy (Mon, 08 Apr 2019 23:45:31 GMT):
Can someone explain to me what the difference is between cryptogen and fabric-ca? In the tutorial, I used the docker-compose-e2e-template.yaml to help me start a CA server for each org in my network. I see that in the docker-compose-e2e file it runs the command fabric-ca-server start, and I replaced the values with the keys and certs I generated using cryptogen. That's all the tutorial for Hyperledger Fabric goes over for building your first network; are there any other steps I am missing to have it communicating with Hyperledger Composer so I can create IDs for participants? I have many questions and am unsure how to properly configure everything.

luckforzhang (Tue, 09 Apr 2019 01:06:59 GMT):
@ahy after you `replaced the values with the keys and certs`, you need to recreate ca docker by command `docker-compose -f docker-compose-e2e.yaml up -d`, and then the ca should be recreated and ready to go.

qsmen (Tue, 09 Apr 2019 07:15:00 GMT):
Hi experts here, if a dapp sends a proposal to endorsers, the dapp should sign the proposal. Would the dapp certificate be sent to the endorsers too? Thank you.

GuillaumeTong (Tue, 09 Apr 2019 07:21:10 GMT):
Hello, is anyone familiar with what could cause an error like this one?
```
2019-04-09 07:11:12.394 UTC [core.comm] ServerHandshake -> ERRO 7f2b TLS handshake failed with error remote error: tls: internal error {"server": "PeerServer", "remote address": "***.***.***.***:*****"}
2019-04-09 07:11:12.394 UTC [grpc] handleRawConn -> DEBU 7f2c grpc: Server.Serve failed to complete security handshake from "***.***.***.***:*****": remote error: tls: internal error
```
These errors appear in the log of one of my peers several times per second, so it is hard to ignore, but the peer seems to be working properly when I do transactions with it...

hexiaohu (Tue, 09 Apr 2019 08:03:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NemA2AeQD6cFvEqbH) @gravity I also found that when executing reenroll, a new private key and public key pair is generated; it's actually a new digital certificate.

qsmen (Tue, 09 Apr 2019 08:54:02 GMT):
in signedproposal, the creator is the dapp user certificate.

mauricio (Tue, 09 Apr 2019 13:20:45 GMT):
Hi, how can I build the Authorization token for the Fabric CA REST API? I'm passing `YWRtaW46YWRtaW5wdw==` (base64 for admin:adminpw) in the Authorization header but it doesn't work. Thanks in advance.

nyet (Tue, 09 Apr 2019 16:40:33 GMT):
Has anyone investigated autonomously distributing certificates using the `ca-server`? That is to say, have each orderer/peer constantly monitor the list of users enrolled in `ca-server`, and if they meet a certain criterion, keep their `admincerts/` directory in sync? Or is there another way to keep `admincerts/` contents up to date (again, this is part of the "avoid `cryptogen`" thing.)

nyet (Tue, 09 Apr 2019 16:56:01 GMT):
This is distressing https://lists.hyperledger.org/g/fabric/topic/fabric_ca_retrieving_public/17549845?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,280,17549845

skarim (Tue, 09 Apr 2019 17:51:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=puaADFguJmwsjqiQa) @nyet If you are talking about the ability to get public certificates, that has been addressed with the certificates API, which allows you to get public certificates. See: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#listing-certificate-information Currently there is authorization done on affiliation, but I think that should be removed.

nyet (Tue, 09 Apr 2019 17:52:40 GMT):
@skarim Thanks, I think I can work around the affiliation problem. Does the overall concept I outlined make sense?

skarim (Tue, 09 Apr 2019 17:54:44 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=8Y8oD4oTABHiFYPmM) @nyet It does

shekharrajak (Wed, 10 Apr 2019 08:49:37 GMT):
Has joined the channel.

kariyappal (Wed, 10 Apr 2019 09:23:33 GMT):
Has joined the channel.

kariyappal (Wed, 10 Apr 2019 09:26:47 GMT):
Does anyone know why the fabric-ca-peer image is discontinued from version 1.4?

vieiramanoel (Thu, 11 Apr 2019 04:02:56 GMT):
Hey guys, which fields are necessary in the CSR to enroll the bootstrap entity through the CA's REST API? I'm having a hard time trying to achieve that.

vieiramanoel (Thu, 11 Apr 2019 04:03:48 GMT):
@smithbk @skarim can you guys help me with that?

yxuco (Thu, 11 Apr 2019 04:13:11 GMT):
Has joined the channel.

yxuco (Thu, 11 Apr 2019 04:19:03 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vaS7Xe62stucw25oA) @kariyappal I am wondering about the same thing: the fabric-ca sample is removed from fabric-samples in release 1.4. What does it mean? Should we use CA client API to generate crypto going forward?

sahilgoel (Thu, 11 Apr 2019 04:48:14 GMT):
Has joined the channel.

BellaAdams (Thu, 11 Apr 2019 09:14:17 GMT):
What's the key file naming rule? For example, `0e2fa2c564d0d07b0b20455c552b53fc32676713f0540cba3564859796b68ea6_sk`: what does `0e2fa2c564d0d07b0b20455c552b53fc32676713f0540cba3564859796b68ea` mean?

vieiramanoel (Thu, 11 Apr 2019 13:21:45 GMT):
Hey guys, I'm trying to post to /api/v1/enroll to enroll a bootstrap identity, but I always get "CSR Decode failed".

vieiramanoel (Thu, 11 Apr 2019 13:22:03 GMT):
I've been generating my privkey/csr using this function

vieiramanoel (Thu, 11 Apr 2019 13:22:28 GMT):
```
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
)

// createCSR generates a fresh key pair for the identity, stores the private
// key on the component and returns a PEM-encoded PKCS#10 request for the CA.
func (c *CAComponent) createCSR(commonName string) ([]byte, error) {
	// Generate a 4096-bit RSA key pair.
	keyBytes, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		logger.Info("Could not generate private key, error: ", err)
		return nil, err
	}
	subject := pkix.Name{
		CommonName: commonName,
	}
	template := x509.CertificateRequest{
		Subject:            subject,
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	// Build the DER-encoded request and sign it with the new private key.
	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, keyBytes)
	if err != nil {
		logger.Info("Could not create certificate request, error: ", err)
		return nil, err
	}
	c.privKey = keyBytes
	// PEM-encode the CSR so it can be placed in the JSON enrollment request.
	csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
	return csr, nil
}
```

vieiramanoel (Thu, 11 Apr 2019 13:23:33 GMT):
Which returns me a []byte or an error. When making the request I convert this to a string, and everything should be fine.

vieiramanoel (Thu, 11 Apr 2019 13:24:03 GMT):
but instead of getting my signed certificate I got this huge NO! from the CA haha

vieiramanoel (Thu, 11 Apr 2019 13:24:22 GMT):
I can decode the generated CSR using openssl :(

skarim (Thu, 11 Apr 2019 13:38:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=eNSmodT9GZFycJ4zF) @vieiramanoel How are you sending the request to the server? Are you sure that your enrollment request is correct and follows the API defined in the swagger doc?

vieiramanoel (Thu, 11 Apr 2019 14:16:42 GMT):
@skarim this is the object sent ``` {"request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIEWDCCAkACAQAwEzERMA8GA1UEAxMIZ29sZWRnZXIwggIiMA0GCSqGSIb3DQEB\nAQUAA4ICDwAwggIKAoICAQCoKC6HpDLBPk1kuTq6wfCIUXUCiBVVH7YDYfAKLdW1\nyyxNkEa+4ThCY7mhjCKbfux9UGGvXpPsZxu7pMT2eoRkY+MrCXEnSgWUkXxQEcSF\nQSZt1QVNv/puijGqdM6C/7/fmJnZKTyQjLkMBsQNsAx7K2lnI4y03te1oqSB98jl\n82PiCPZnY2VajbRFU0sMezil++Y6B27z9f0uf8xxxpcTb8UfVmnousS3kdJt7Tdh\nipk+pdRyLEWad6HL+JDuZtRnb2xrnI1/4qN/WY7VTg8W9pVNtBVNXgEqGKL1R7Sf\n4rcfzSs3BcXQ984LvYCgx9xFJIe/ZdrHCNwQBbkUY+/WPRSoSOCv7QjfqlRnbX4w\ni0xYcb+svYbN6yUBhttIq1Q248hH2bfWeU62O/DF60k61LQABuLkCk2gted5YAe5\n0Hn1cC9r83QNKIJY4VtbG5Xc/ALDzpRm9F1HGapbrkJIDXV5bdjcA/rBIFW1qU7T\nXfWOIvm/c8v0YW35EpQvZs5je7GXGBmcSDe8wP54GFdrSSx7deQUOgPHraVT3Elx\nrEcOSFTUMNhHJdvzTpdAOqIV3yfLM12umTnayaiTi/mDv118bMOmB+/IGzVnXnBY\nAJ+wVQMS2n0ul2ldKfJOyHegjjsK74WpVDC3bARf090YghOwkr+T5uhs0bjM+WL/\nuwIDAQABoAAwDQYJKoZIhvcNAQELBQADggIBAGblM9404xfR/sCwdzLE3j7st9Rp\n3HH7Td8EBKphpAR54uMWBJnp7c2AFvmFLOQL2A2iaoRs6yzqvmKpirr5wL2DiSJ2\niJyU6BIu92/dDMMRNLgRgl7/jjzLWzoTPoQESq3sUPwwUZiEDbMxpBwlWoW1J47/\n/hZNvgpSa6I4L/CuAFCfczoZuljmQQm0T38/aVcVJ8pi20+WTYbL834KSh0m2V9t\n5Kd2EY/7ZWhf309oWmEbRJrXHZd8vhulXWUs7s+yGshLmrcPKQgF1gDMqudbGx49\nbCEdmn7QLdDWepDYbJHyiDFERz4FAu5tLWFEI0lN9YjHyxhgW2TWHqIckn4ETamK\nIF2BOYZ0RzX9595ngl6KSoctaV0a3qyi39pwTTAKzO9USRKcBAse/7HSL0wu0zov\nvUspXaKDwn3wv62/f+XtKLLsG+J1POn5C0gPT6lpdDbaLsaNt/iVL8plDOLKm9Ut\nBNFhb64tnV9f8bWdKt8HRvU9EWr7uMDyBZV8nJ+WyxzSjlxywKuE97f0avumEj11\nEXfl4mkG5KaX+KTbFOOHLAQrlv+nJc85aXBb1127OYv6FSxA0yPeMK0ljGB14xHd\njP80ElYQhtiWG6WBWMbRuk98sYjI3s0zdOff6END9bfYMO1TN967ZE2jS6T/rHi1\n9bsVHdxzEV/USUsS\n-----END CERTIFICATE REQUEST-----\n","profile":"msp","label":"","caname":"ca.example.com"} ```

vieiramanoel (Thu, 11 Apr 2019 14:30:43 GMT):
This should be fine, shouldn't it?

skarim (Thu, 11 Apr 2019 14:34:03 GMT):
At a quick glance it does look fine. If I were to debug this I would add some debug statements on the server side to see what the server is receiving.

vieiramanoel (Thu, 11 Apr 2019 14:37:42 GMT):
at fabric-ca??

mastersingh24 (Thu, 11 Apr 2019 14:38:01 GMT):
debug mode (-d) should show what is received

colasga (Thu, 11 Apr 2019 14:38:50 GMT):
Has joined the channel.

colasga (Thu, 11 Apr 2019 14:39:42 GMT):
Hey, I'm trying to register a user using the Node SDK and the fabcar node sample. When I'm using it on my own network (with my connection.json file) I get this error: `Failed to register user "user1": Error: Calling register endpoint failed with error [Error: self signed certificate] `

vieiramanoel (Thu, 11 Apr 2019 14:40:44 GMT):
@mastersingh24
```
2019/04/11 14:38:46 [DEBUG] Received request for /api/v1/enroll
2019/04/11 14:38:46 [DEBUG] ca.Config: &{Version:1.4 Cfg:{Identities:{PasswordAttempts:10 AllowRemove:true} Affiliations:{AllowRemove:false}} CA:{Name:ca.example.com Keyfile:/etc/hyperledger/fabric-ca-server/ca-key.pem Certfile:/etc/hyperledger/fabric-ca-server/ca-cert.pem Chainfile:/etc/hyperledger/fabric-ca-server/ca-chain.pem} Signing:0xc0004a4b80 CSR:{CN:example.com Names:[{C:BR ST:BRASILIA L: O: OU: SerialNumber:}] Hosts:[ca.example.com 100.25.3.92] KeyRequest:0xc00058ce40 CA:0xc00058cec0 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1 hf.Registrar.Roles:* hf.Registrar.DelegateRoles:* hf.Revoker:0] }]} Affiliations:map[org1:[department1 department2] org2:[department1]] LDAP:{ Enabled:false URL:ldap://****:****@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:/etc/hyperledger/fabric-ca-server/fabric-ca-server.db TLS:{false [] { }} } CSP:0xc000320c80 Client: Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR: Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile:/etc/hyperledger/fabric-ca-server/IssuerPublicKey IssuerSecretKeyfile:/etc/hyperledger/fabric-ca-server/msp/keystore/IssuerSecretKey RevocationPublicKeyfile:/etc/hyperledger/fabric-ca-server/IssuerRevocationPublicKey RevocationPrivateKeyfile:/etc/hyperledger/fabric-ca-server/msp/keystore/IssuerRevocationPrivateKey RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2019/04/11 14:38:46 [DEBUG] DB: Getting identity goledger
2019/04/11 14:38:46 [DEBUG] DB: Login user goledger with max enrollments of -1 and state of 0
2019/04/11 14:38:46 [DEBUG] DB: identity goledger successfully logged in
2019/04/11 14:38:46 [DEBUG] DB: Getting identity goledger
2019/04/11 14:38:46 [INFO] 189.40.75.202:19803 POST /api/v1/enroll 500 0 "{"code":9002,"message":"CSR Decode failed"}"
```
server output

vieiramanoel (Thu, 11 Apr 2019 14:41:25 GMT):
It doesn't have the received JSON

vieiramanoel (Thu, 11 Apr 2019 14:42:10 GMT):
Indeed, my fabric-ca-server-config.yaml has `debug: true`

mastersingh24 (Thu, 11 Apr 2019 14:55:48 GMT):
fabric-ca does not support RSA ... can you try with EC / ECDSA instead?

vieiramanoel (Thu, 11 Apr 2019 15:01:44 GMT):
Oh, of course

mastersingh24 (Thu, 11 Apr 2019 15:02:18 GMT):
(not sure if that's the issue .. but at least we can rule that out ;) )

vieiramanoel (Thu, 11 Apr 2019 16:12:01 GMT):
@mastersingh24 I've changed the private key to ECDSA: `keyBytes, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)` and the CSR signing algorithm:
```
template := x509.CertificateRequest{
	Subject:            subject,
	SignatureAlgorithm: x509.ECDSAWithSHA256,
}
csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, keyBytes)
```

vieiramanoel (Thu, 11 Apr 2019 16:12:46 GMT):
but still: `2019/04/11 16:10:24 [INFO] 186.195.37.161:48244 POST /api/v1/enroll 500 0 "{"code":9002,"message":"CSR Decode failed"}"`

vieiramanoel (Thu, 11 Apr 2019 16:27:38 GMT):
Is it ok to have those '\n' in csr string?

vieiramanoel (Thu, 11 Apr 2019 16:27:58 GMT):
@Baha-sk can you help us on this?

Baha-sk (Thu, 11 Apr 2019 16:27:58 GMT):
Has joined the channel.

tommyjay (Thu, 11 Apr 2019 16:31:16 GMT):
Has joined the channel.

tommyjay (Thu, 11 Apr 2019 16:31:35 GMT):
Has anyone successfully set up a hardware security module? https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#hsm

tommyjay (Thu, 11 Apr 2019 16:32:21 GMT):
When the CA in an organisation generates certificates, I want to store them in the HSM and then retrieve them when making a proposal.

Baha-sk (Thu, 11 Apr 2019 16:36:34 GMT):
Not sure @vieiramanoel

vieiramanoel (Thu, 11 Apr 2019 16:38:45 GMT):
:(

nyet (Thu, 11 Apr 2019 18:06:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=pXRdq988TdTdH8NWK) @vieiramanoel You can use `fabric-ca-client` code as a reference... maybe that helps?

nyet (Thu, 11 Apr 2019 18:58:13 GMT):
argh

nyet (Thu, 11 Apr 2019 18:58:21 GMT):
this whole writing out my config file thing is killing me

nyet (Thu, 11 Apr 2019 18:58:36 GMT):
got 1.4.1

nyet (Thu, 11 Apr 2019 18:58:47 GMT):
but my existing configs don't have metrics->provider

nyet (Thu, 11 Apr 2019 18:59:12 GMT):
and if I set FABRIC_CA_METRICS_PROVIDER in the env it's ignored

nyet (Thu, 11 Apr 2019 19:00:49 GMT):
`FABRIC_CA_OPERATIONS_LISTENADDRESS=:9443`

skarim (Thu, 11 Apr 2019 19:00:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=BjsP8HFSyhB8xupdj) @nyet It should work, can you try `FABRIC_CA_SERVER_METRICS_PROVIDER`

nyet (Thu, 11 Apr 2019 19:01:10 GMT):
AH

nyet (Thu, 11 Apr 2019 19:01:15 GMT):
good point

nyet (Thu, 11 Apr 2019 19:02:36 GMT):
`panic: duplicate metrics collector registration attempted`

nyet (Thu, 11 Apr 2019 19:02:38 GMT):
oh no

nyet (Thu, 11 Apr 2019 19:03:13 GMT):
so i have two instances running using `--cafiles`

nyet (Thu, 11 Apr 2019 19:03:28 GMT):
how do i disable it for one?

nyet (Thu, 11 Apr 2019 19:11:10 GMT):
I guess it can't be done in env

nyet (Thu, 11 Apr 2019 19:11:16 GMT):
it MUST be done in config?

skarim (Thu, 11 Apr 2019 19:11:42 GMT):
yeah, the env var will only work for the default CA. Any extra CAs started with `--cafiles` will require a config file change.

nyet (Thu, 11 Apr 2019 19:12:50 GMT):
doesn't env override config files?

skarim (Thu, 11 Apr 2019 19:15:01 GMT):
It does, but only for the default CA; the env var settings don't carry over to other CAs running in a single server. I am not sure why you are getting that error though: metrics is a server-level configuration and not a CA-level configuration. Setting the env var should have been enough.

nyet (Thu, 11 Apr 2019 19:16:17 GMT):
welp it doesn't seem to work :/

mastersingh24 (Thu, 11 Apr 2019 19:17:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=g92SAN4dbXMMj5hBR) @vieiramanoel OK ... figured it out ... there is an error in the Swagger doc ... the JSON field for the CSR is `certificate_request` not `request` ``` {"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIEWDCCAkACAQAwEzERMA8GA1UEAxMIZ29sZWRnZXIwggIiMA0GCSqGSIb3DQEB\nAQUAA4ICDwAwggIKAoICAQCoKC6HpDLBPk1kuTq6wfCIUXUCiBVVH7YDYfAKLdW1\nyyxNkEa+4ThCY7mhjCKbfux9UGGvXpPsZxu7pMT2eoRkY+MrCXEnSgWUkXxQEcSF\nQSZt1QVNv/puijGqdM6C/7/fmJnZKTyQjLkMBsQNsAx7K2lnI4y03te1oqSB98jl\n82PiCPZnY2VajbRFU0sMezil++Y6B27z9f0uf8xxxpcTb8UfVmnousS3kdJt7Tdh\nipk+pdRyLEWad6HL+JDuZtRnb2xrnI1/4qN/WY7VTg8W9pVNtBVNXgEqGKL1R7Sf\n4rcfzSs3BcXQ984LvYCgx9xFJIe/ZdrHCNwQBbkUY+/WPRSoSOCv7QjfqlRnbX4w\ni0xYcb+svYbN6yUBhttIq1Q248hH2bfWeU62O/DF60k61LQABuLkCk2gted5YAe5\n0Hn1cC9r83QNKIJY4VtbG5Xc/ALDzpRm9F1HGapbrkJIDXV5bdjcA/rBIFW1qU7T\nXfWOIvm/c8v0YW35EpQvZs5je7GXGBmcSDe8wP54GFdrSSx7deQUOgPHraVT3Elx\nrEcOSFTUMNhHJdvzTpdAOqIV3yfLM12umTnayaiTi/mDv118bMOmB+/IGzVnXnBY\nAJ+wVQMS2n0ul2ldKfJOyHegjjsK74WpVDC3bARf090YghOwkr+T5uhs0bjM+WL/\nuwIDAQABoAAwDQYJKoZIhvcNAQELBQADggIBAGblM9404xfR/sCwdzLE3j7st9Rp\n3HH7Td8EBKphpAR54uMWBJnp7c2AFvmFLOQL2A2iaoRs6yzqvmKpirr5wL2DiSJ2\niJyU6BIu92/dDMMRNLgRgl7/jjzLWzoTPoQESq3sUPwwUZiEDbMxpBwlWoW1J47/\n/hZNvgpSa6I4L/CuAFCfczoZuljmQQm0T38/aVcVJ8pi20+WTYbL834KSh0m2V9t\n5Kd2EY/7ZWhf309oWmEbRJrXHZd8vhulXWUs7s+yGshLmrcPKQgF1gDMqudbGx49\nbCEdmn7QLdDWepDYbJHyiDFERz4FAu5tLWFEI0lN9YjHyxhgW2TWHqIckn4ETamK\nIF2BOYZ0RzX9595ngl6KSoctaV0a3qyi39pwTTAKzO9USRKcBAse/7HSL0wu0zov\nvUspXaKDwn3wv62/f+XtKLLsG+J1POn5C0gPT6lpdDbaLsaNt/iVL8plDOLKm9Ut\nBNFhb64tnV9f8bWdKt8HRvU9EWr7uMDyBZV8nJ+WyxzSjlxywKuE97f0avumEj11\nEXfl4mkG5KaX+KTbFOOHLAQrlv+nJc85aXBb1127OYv6FSxA0yPeMK0ljGB14xHd\njP80ElYQhtiWG6WBWMbRuk98sYjI3s0zdOff6END9bfYMO1TN967ZE2jS6T/rHi1\n9bsVHdxzEV/USUsS\n-----END CERTIFICATE REQUEST-----\n","profile":"msp","label":"","caname":"ca.example.com"} ```

nyet (Thu, 11 Apr 2019 19:24:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=SQtAiW4wFHW36yuEy) @skarim They definitely seem to carry over. Also, disabling metrics in the 2nd CA config doesn't help (which is expected behavior, since I assume env should always override config anyway).

nyet (Thu, 11 Apr 2019 19:34:50 GMT):
@skarim I can't find any way to get metrics working with `--cafiles`

skarim (Thu, 11 Apr 2019 19:36:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=fr5JAbou9xP4EvaXx) @nyet Ok. I don't see anything obvious in the code as to why you would see that panic with the `--cafiles` flag. Please open up a JIRA bug with repro steps.

nyet (Thu, 11 Apr 2019 19:36:50 GMT):
Yep, I will, time permitting.

nyet (Thu, 11 Apr 2019 19:37:58 GMT):
You're saying that if metrics is not in the configs (or set to disabled), setting the env should work?

nyet (Thu, 11 Apr 2019 19:38:22 GMT):
If not, what config SHOULD work? I will put that in the bug instead of itemizing all of the things that don't work :)

skarim (Thu, 11 Apr 2019 19:39:14 GMT):
If you disable metrics either through config or env var, I would not expect for you to see that error

nyet (Thu, 11 Apr 2019 19:39:46 GMT):
Yes, but I'm trying to enable metrics :)

nyet (Thu, 11 Apr 2019 19:39:56 GMT):
If i disable it via env, yes, it works

skarim (Thu, 11 Apr 2019 19:41:06 GMT):
oh, with which provider type? statsd or prometheus?

nyet (Thu, 11 Apr 2019 19:41:24 GMT):
prometheus

skarim (Thu, 11 Apr 2019 19:43:34 GMT):
So, the env var is working then, because it is picking up that you want metrics enabled (prometheus). The error is happening when it tries to register the metrics with the operations service; that is the bug we should open a JIRA for. The panic should not happen when using metrics; not sure if it is related to `--cafiles` or not.

vieiramanoel (Thu, 11 Apr 2019 19:43:40 GMT):
@mastersingh24 THANKS A LOT

vieiramanoel (Thu, 11 Apr 2019 19:43:52 GMT):
I'll submit a commit later tonight on the swagger doc

nyet (Thu, 11 Apr 2019 19:44:01 GMT):
if I omit `--cafiles` it works too

nyet (Thu, 11 Apr 2019 19:44:26 GMT):
(obviously)... the issue is starting more than one ca instance, and telling the server you only want one metrics instance

skarim (Thu, 11 Apr 2019 19:44:52 GMT):
Ah, ok, so metrics enabled with `--cafiles` causes a panic; that is the bug.

nyet (Thu, 11 Apr 2019 19:45:01 GMT):
yep

nyet (Thu, 11 Apr 2019 19:53:40 GMT):
Incidentally, I'm still having issues with `-b` bootstrap and things in the config `registry -> identities`.... 1) `-b` does not override it 2) omitting that section in the config doesn't work either

nyet (Thu, 11 Apr 2019 23:34:00 GMT):
@skarim https://jira.hyperledger.org/browse/FABC-837

vieiramanoel (Fri, 12 Apr 2019 01:36:15 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=LzojKNZ6kptyt6FSj) https://gerrit.hyperledger.org/r/#/c/30915/ pls review

haggs (Fri, 12 Apr 2019 16:00:00 GMT):
Has joined the channel.

rhall9090 (Fri, 12 Apr 2019 16:06:31 GMT):
Has joined the channel.

rhall9090 (Fri, 12 Apr 2019 16:07:20 GMT):
Hey all I'm running some unit tests using @TheLedger chaincodemockstub in node and need to replace the default cert passed in to one with my attributes, any tips on encoding a new one for testing purposes only?

vieiramanoel (Sat, 13 Apr 2019 00:01:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=HDbDEFpPWiJa69Q7q) just an up here.

mrudav.shukla (Mon, 15 Apr 2019 09:46:23 GMT):
How do we set the Locality, State, Country and Organisation attributes of X509 certificates for the user identities? Using affiliation, we're able to attach the OU attribute, and also the Common Name (CN). But the other attributes for the user remain empty, while the Issuer portion of the certificate is set successfully. SO: https://stackoverflow.com/questions/55687562/setting-pem-attributes-for-user-identities-in-hyperledger-fabric

nyet (Mon, 15 Apr 2019 14:40:21 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=eH5e4adBiAe8FbvBQ) @mrudav.shukla `fabric-ca-client enroll --csr.names`. I'm doing something like https://github.com/Blockdaemon/hlf-database-app/blob/ca-client/ca-client/enroll.sh

mrudav.shukla (Mon, 15 Apr 2019 14:47:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=oydzLmAXmCnLsz5Hz) @nyet Yes. I'm trying to do that using node sdk. Getting this: "stack=Error: Enrollment failed with errors [[{"code":0,"message":"{\"code\":9002,\"message\":\"CSR Decode failed\"}"}]]" error. Working on it.

JosefButts (Mon, 15 Apr 2019 15:52:53 GMT):
Has joined the channel.

yeousunn (Tue, 16 Apr 2019 07:13:44 GMT):
Has joined the channel.

mastersingh24 (Tue, 16 Apr 2019 10:37:22 GMT):
@mrudav.shukla - when using the Node SDK, the `csr` parameter is actually a PEM-encoded PKCS10 certificate request

koineramitranjan (Tue, 16 Apr 2019 11:03:29 GMT):
@mahoney1 I am using fabric client sdk to sign and submit a transaction for chaincode. I am getting following error: ValidateProposalMessage -> WARN 062 channel [firstchannel]: creator certificate is not valid: could not validate identity's OUs: the identity must be a client, a peer or an orderer identity to be valid, not a combination of them

mahoney1 (Tue, 16 Apr 2019 11:03:31 GMT):
Has joined the channel.

ShobhitSrivastava (Tue, 16 Apr 2019 12:27:47 GMT):
Hi Team

ShobhitSrivastava (Tue, 16 Apr 2019 13:09:23 GMT):
Adding @nyet. Please check: in fabric-ca, it talks about having affiliations. I do not have any affiliations in my network. I simply have 4 orgs, each with 1 peer. Can I use one CA for all of these orgs to get certificates for their peers for invoking and installing chaincode?

mrudav.shukla (Wed, 17 Apr 2019 05:40:41 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wJQkXqnJrstWS3ukS) @mastersingh24 Does it mean instead of requesting a certificate from the CA server, we create a certificate and ask CA to store that?

mrudav.shukla (Wed, 17 Apr 2019 09:42:00 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wJQkXqnJrstWS3ukS) @mastersingh24 Tried it. Is it that keys should be generated with ECDSA and not RSA? I tried one of the npm modules that offered RSA keys and created a CSR with it and was able to submit an EnrolmentRequest. However, while creating an identity for the wallet using X509WalletMixin.createIdentity(...) it throws an exception that says: "message":"Does not understand PEM contents other than ECDSA private keys and certificates".

Mayank017 (Thu, 18 Apr 2019 06:20:32 GMT):
Has joined the channel.

mrudav.shukla (Thu, 18 Apr 2019 10:09:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9adfARLf8M3uE4iNB) Solved: https://stackoverflow.com/questions/55687562/setting-pem-attributes-for-user-identities-in-hyperledger-fabric/55743781#55743781

gravity (Thu, 18 Apr 2019 12:57:07 GMT):
hi @skarim is it possible to add a new peer admin to a channel if the cert keypair of the previous one was lost?

vieiramanoel (Thu, 18 Apr 2019 13:43:54 GMT):
Hey guys, it's me again

vieiramanoel (Thu, 18 Apr 2019 13:44:57 GMT):
putting the ca-root cert inside the cacerts msp folder gives me
```
Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/certs/msp: CA Certificate did not have the CA attribute
```

vieiramanoel (Thu, 18 Apr 2019 13:45:38 GMT):
but when decoding it with openssl, the CA field is true

vieiramanoel (Thu, 18 Apr 2019 13:48:11 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=h42Jx2o425iRjCtW4) @gravity you would need to change the channel config block and submit the modification as a transaction to the network

vieiramanoel (Thu, 18 Apr 2019 13:49:21 GMT):
All I can say to you is that the SDKs aren't that great for doing this and you will need to use the configtxlator tool, and unfortunately this is a question for #fabric-questions

gravity (Thu, 18 Apr 2019 13:51:36 GMT):
@vieiramanoel I know this, but how is it possible if the certificate of the previous peer admin is not available? To update a channel config the admin identity is needed afaik

vieiramanoel (Thu, 18 Apr 2019 13:52:11 GMT):
If I know it right you'll need another admin to ask for update

gravity (Thu, 18 Apr 2019 13:54:41 GMT):
and this is my original question: is it possible if the previous single admin cert was lost?

vieiramanoel (Thu, 18 Apr 2019 14:00:46 GMT):
I don't think so

vieiramanoel (Thu, 18 Apr 2019 14:05:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RJWf6xiKak25ZsGge) maybe msp is expecting tlscacerts to have constraint CA: true

vieiramanoel (Thu, 18 Apr 2019 14:06:07 GMT):
Which doesn't make sense to me, nor for the CA, I guess. I think this is a good discussion

vieiramanoel (Thu, 18 Apr 2019 14:06:49 GMT):
Did I misunderstand something? Is this the expected behaviour for bccsp?

nyet (Thu, 18 Apr 2019 14:07:19 GMT):
Yes, all CA certs must have that constraint afaik

yacovm (Thu, 18 Apr 2019 14:07:20 GMT):
yeah you're correct

vieiramanoel (Thu, 18 Apr 2019 14:09:22 GMT):
But the TLS cert generated automatically by fabric-ca doesn't have that constraint

vieiramanoel (Thu, 18 Apr 2019 14:09:57 GMT):
so if you set the CA's >tls< cert in the folder tlscacerts

vieiramanoel (Thu, 18 Apr 2019 14:10:14 GMT):
you get the error above

vieiramanoel (Thu, 18 Apr 2019 14:10:21 GMT):
this is totally weird haha

Mayank017 (Thu, 18 Apr 2019 14:12:32 GMT):
Hi

Mayank017 (Thu, 18 Apr 2019 14:17:20 GMT):
I am facing an issue where I am unable to override `--id.affiliation`. Does anyone know what the issue is?

gravity (Thu, 18 Apr 2019 14:59:02 GMT):
hi all, how do I specify a custom config for fabric-ca-client? I cannot find it in the documentation

skarim (Thu, 18 Apr 2019 16:20:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=9qZT2XWAC9NJeEaSL) @gravity The config file is picked up based on the client's home directory; the client will look for a file named `fabric-ca-client-config.yaml`. So you could back up your old config and create a new `fabric-ca-client-config.yaml` with your custom configuration, or use a different home directory (`-H` flag) with a custom `fabric-ca-client-config.yaml` file.

gravity (Thu, 18 Apr 2019 19:11:54 GMT):
@skarim thanks

gravity (Thu, 18 Apr 2019 19:24:59 GMT):
@skarim and there is one more question on this topic: is it possible to use different `fabric-ca-client-config.yaml` files to enroll the same user identity? Will these enrollment certificates be valid for calling chaincodes? For example, if the first config has `csr.names.ou=OrgUnit1` and the second config has `csr.names.ou=OrgUnit2`, will these certificates be valid and accepted by the network (for calling chaincodes etc.)?

skarim (Thu, 18 Apr 2019 19:28:29 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ccg3N3cPHosx9qPkK) @gravity yes, in this case a single identity has multiple enrollment certificates signed by the same CA. As long as the CA is trusted, you should be able to call chaincode using either certificate.

gravity (Thu, 18 Apr 2019 19:30:15 GMT):
@skarim understood, thanks

WagnerCruz (Thu, 18 Apr 2019 20:12:17 GMT):
Has joined the channel.

nyet (Thu, 18 Apr 2019 22:36:47 GMT):
I'm still a bit confused as to what certs are required in 1) the orderer system genesis block 2) a channel genesis block The cryptogen example is misleading because it generates them all up front, but at orderer system genesis block creation time you may not have any public peer certs around (yet). I'm assuming they aren't required?

skyliulu (Fri, 19 Apr 2019 06:41:14 GMT):
Has joined the channel.

rrishmawi (Fri, 19 Apr 2019 09:03:52 GMT):
Hi experts, I have a specific scenario that I would like to know if it is possible. We have three or more organizations already with PKI set up. Each organization has its own root CA. A new Hyperledger Fabric infrastructure is to be added where all organizations may be able to use the Hyperledger Fabric network apps and have access to it. We would like to keep the organizations' setup intact. Is it possible to create a trust between those organizations and the Hyperledger Fabric CA? How to do that? PKI bridge? Cross-certification?

mrudav.shukla (Fri, 19 Apr 2019 11:28:48 GMT):
Is it possible to register/enroll a client with multiple affiliations in fabric-ca?

vieiramanoel (Fri, 19 Apr 2019 22:01:26 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=kqkuuJPGbDzxWwykS) @nyet they aren't. Inside each organization root you have an "msp" folder, right?

vieiramanoel (Fri, 19 Apr 2019 22:01:48 GMT):
```
msp
├── admincerts
│   └── admin@org1MSP-cert.pem
├── cacerts
│   └── ca-root.pem
└── tlscacerts
    └── ca-root.pem
```

vieiramanoel (Fri, 19 Apr 2019 22:01:57 GMT):
something like this

vieiramanoel (Fri, 19 Apr 2019 22:02:23 GMT):
this folder and those certs are the ones that describe an org

nyet (Sat, 20 Apr 2019 05:29:21 GMT):
What about the private key for that admin cert? If a client (not on the orderer) needs it, it either needs to retrieve the private key from the orderer MSP `keystore` (impractical) or needs some way to upload his public key to the orderer `admincerts/`

BellaAdams (Sun, 21 Apr 2019 03:59:12 GMT):
I use fabric-ca to generate certs, but some errors occur

BellaAdams (Sun, 21 Apr 2019 03:59:13 GMT):
implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied

mastersingh24 (Sun, 21 Apr 2019 08:06:16 GMT):
@nyet - There are two "flavors" of MSPs:

1) *Local MSPs* - this is the identity information used by the peer or orderer node itself. For both the orderer and the peer, the keystore/signcerts "identity" is used to sign: for the peer this would be to sign endorsements, and for the orderer to sign blocks. The local MSP also requires something in the `admincerts` directory as well ... public keys go here, but the implication is that you must have already generated the key pair and have access to the private key somewhere (it does not actually go in the MSP). Technically only the peer actually leverages `admincerts` ... it uses the `admincerts` in the local MSP when checking for admin actions such as installing chaincode. There is currently no way to update local MSPs other than to add the key material to the MSP directory and restart the node. I should also mention that some of the SDKs also have the concept of an MSP as well ... strictly used to sign submitted transactions.

2) *Organization MSPs* - these MSP definitions are what go in the channel configuration transactions. You should never populate the `keystore` directory (private keys) of these MSPs. As with local MSPs, you must have access to the private key(s) which correspond to the public keys in the `admincerts` directory. Organization MSP definitions can be updated via channel config update transactions.

biksen (Sun, 21 Apr 2019 14:07:01 GMT):
Hello, I am facing the following error while starting the new peer. Please advise.
```
cannot be validated. No MSP found able to do that.
peer1.org2.example.com | 2019-04-21 08:56:08.622 UTC [gossip.comm] GossipStream -> ERRO 8da Authentication failed: failed classifying identity: Unable to extract msp.Identity from peer Identity: Peer Identity
```

GowriR (Sun, 21 Apr 2019 14:29:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=jG9xQTjrj8oY2KvCu) @biksen Hi Experts, I am facing the same issue. I am using Fabric 1.4.1. I added one more org - Org3 with 2 peers - and changed docker-compose accordingly. The peer comes up but the docker logs have the following error:
```
2019-04-21 13:55:23.765 UTC [gossip.comm] GossipStream -> ERRO bc3 Authentication failed: failed classifying identity: Unable to extract msp.Identity from peer Identity: Peer Identity [0a 07 4f 72 67 33 4d 53 50 12 aa 06 2d 2d 2d 2d 2d 42 45 47 49 4e 20 43 45 52 54 49 46 49 43 41 54 45
```

biksen (Sun, 21 Apr 2019 14:36:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=NRf9SpeszHZpTchCD) @GowriR
```
[...2d 2d 2d 2d 0a] cannot be validated. No MSP found able to do that." grpc.code=Unknown grpc.call_duration=597.4µs
peer1.org2.example.com | 2019-04-21 08:56:08.621 UTC [comm.grpc.server] 1 -> INFO 8d8 unary call completed grpc.service=gossip.Gossip grpc.method=Ping grpc.request_deadline=2019-04-21T08:56:10.621Z grpc.peer_address=172.20.0.8:50202 grpc.peer_subject="CN=peer1.org1.example.com,L=San Francisco,ST=California,C=US" grpc.code=OK grpc.call_duration=149.7µs
peer1.org2.example.com | 2019-04-21 08:56:08.622 UTC [gossip.comm] authenticateRemotePeer -> WARN 8d9 Identity store rejected 172.20.0.8:50202 : failed classifying identity: Unable to extract msp.Identity from peer Identity: Peer Identity [0a 07....] cannot be validated. No MSP found able to do that.
peer1.org2.example.com | 2019-04-21 08:56:08.622 UTC [gossip.comm] GossipStream -> ERRO 8da Authentication failed: failed classifying identity: Unable to extract msp.Identity from peer Identity: Peer Identity
```

MohammedR (Sun, 21 Apr 2019 16:56:14 GMT):
Has joined the channel.

GKumar (Mon, 22 Apr 2019 01:24:40 GMT):
Has joined the channel.

GKumar (Mon, 22 Apr 2019 01:25:48 GMT):
Hi. We are using SSO for internal systems. When it comes to HLF-CA we want to connect to the blockchain using an MSP through the SDK. Do we need to create a wallet for all our employees and members of the MSP and CA before using the SDK to log in to the ledger?

Randyshu2018 (Mon, 22 Apr 2019 06:53:34 GMT):
Hi, someone may think a self-signed CA isn't powerful, so is there any way to make it more powerful?

Randyshu2018 (Mon, 22 Apr 2019 09:09:30 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=F3p2hJbqi6Eeu7Tia) @mbanerjee hi, have you found any tutorials to bootstrap a network using fabric-ca?

sahilgoel (Mon, 22 Apr 2019 09:15:17 GMT):
@Randyshu2018 can you please tell me how to generate the crypto material from fabric-ca?

Randyshu2018 (Mon, 22 Apr 2019 09:16:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DZjNs2cgbd6WWqaz7) @sahilgoel sorry, I'm also looking for it.

Randyshu2018 (Mon, 22 Apr 2019 09:45:53 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=DZjNs2cgbd6WWqaz7) @sahilgoel you can have a look at https://github.com/hyperledger/fabric-samples/tree/release-1.1/fabric-ca

brockhager (Mon, 22 Apr 2019 14:18:18 GMT):
Has joined the channel.

ashutosh_kumar (Mon, 22 Apr 2019 14:47:22 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ZmtZmPyJXoGzWWhrh) @GKumar What is your SSO flow? Which protocol are you using? It seems like you need to create a wallet for the users that will be accessing Fabric.

nyet (Mon, 22 Apr 2019 15:03:34 GMT):
@mastersingh24 Thanks for the breakdown. A few more (stupid?) questions related to the `cryptogen`-free model: What certs, specifically, are in the genesis blocks (system and channel)? Isn't all that is needed the CA (and CRLs)? If there are others, why are they needed? What (ledger-stored) pubkeys would be consulted and why? Isn't org affiliation verified by CA validity, as presented by the peer/client's private key (e.g. as generated during enroll)? As I understand it from your explanation, `admincerts/` pub certs are consulted for channel creation (on the orderer), and channel join and cc install/upgrade (on the peer). The requirement to update (for example) the system channel every time a peer is added (enrolled) seems like it would be a pain. I understand adding orgs should require this (altering policy, adding pub CA) but are there other reasons involving certs? On the `admincerts/` topic: Transferring `admincerts/`-destined contents to each orderer and peer after a new admin isn't necessary when using `cryptogen` (as in that case they were pregenerated and `admincerts/` automatically populated) but adding newly enrolled pub certs to `admincerts` out of band is kind of a pain. Is there a recommended way of doing this in the non-`cryptogen` "operations" model? E.g. running `fabric-ca-client identity` on the peer/orderer itself? Again, IMO the non-`cryptogen` workflow isn't very well documented (yet), and the work in progress (https://gerrit.hyperledger.org/r/#/c/29430/) towards that goal still needs a bit more clarity.

nyet (Mon, 22 Apr 2019 15:09:34 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=QEmZTY5sydBE7e9tf) @Randyshu2018 https://gerrit.hyperledger.org/r/#/c/29430/ is a work in progress, and that is what I am trying to do right now (`cryptogen`-less)

nyet (Tue, 23 Apr 2019 01:37:31 GMT):
@mastersingh24 Most importantly, do I need public certs of peers *before* I can even create a system genesis block? If so, why, if the CA pub key can be used to attest to the authenticity of a member by consulting its CN, O, etc.?

Randyshu2018 (Tue, 23 Apr 2019 02:08:25 GMT):
I have three new questions important for me with fabric-ca: 1. How to self-certify 2. How to form a certificate chain 3. How to trace back according to the certificate signature

Randyshu2018 (Tue, 23 Apr 2019 02:19:58 GMT):
@nyet I have three new questions very important for me with fabric-ca: 1. How to self-certify (for example: I'm randy; in fabric-ca how do I represent that?) 2. How to form a certificate chain (have a self-signed root CA, then use it to sign an ICA, then use the ICA to register, enroll and revoke?) 3. How to trace back according to the certificate signature (every transaction has a user signature and endorser signatures, so how do I decode these signatures to determine who they are?)

mastersingh24 (Tue, 23 Apr 2019 10:07:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=5wBNHtKFRexDQzf22) @nyet You never actually need the peer identity certs to create / configure channels. You can create the genesis block with just the orderer org MSP. When you create a consortium, you need the org MSP for each org you want to add to the consortium.

nyet (Tue, 23 Apr 2019 15:27:21 GMT):
Specifically, what creds in the MSP are used? For the purposes of automated network deployment, it is critical to know exactly what files need to be where and what they should contain.

nyet (Tue, 23 Apr 2019 15:41:38 GMT):
Also, what needs to be in the orderer MSP `admincerts/` to allow channel creation? Only the target client's user signcert, or peer org signcert as well? Every peer's signcert?

nyet (Tue, 23 Apr 2019 15:42:40 GMT):
Again, keep in mind that when doing automated deployment, every file that must be maintained needs to be itemized and (potentially) given a way to add/remove

nyet (Tue, 23 Apr 2019 15:42:55 GMT):
just saying "the MSP" isn't sufficient :/

nyet (Tue, 23 Apr 2019 22:16:37 GMT):
Ok, from the operations guide I see that the system config block contains ca/tlsca certs and admincerts. Now if that admin cert is created locally on the orderer on orderer creation, how can a client *not on the orderer* (e.g. via SDK) create a channel without the private key for that cert? IOW, I cannot even *start* an orderer w/o the pubkey of an admincert pair, which *may not exist yet*

nyet (Tue, 23 Apr 2019 22:17:38 GMT):
I can create one at orderer launch time, but then that private key in the keystore needs to be extracted for anyone to create a channel

nyet (Tue, 23 Apr 2019 22:18:08 GMT):
Or the orderer admin has to be enrolled from an external client *even before the orderer is started*

nyet (Tue, 23 Apr 2019 23:07:04 GMT):
@mastersingh24 Also, at system channel creation time on the orderer, it doesn't seem sufficient to have only the orderer org in the consortium, or I get an `Attempted to include a member which is not in the consortium` error. This means that at orderer creation time, I need to ALSO create a peer MSP for inclusion in the consortium in the system channel?

nyet (Tue, 23 Apr 2019 23:49:32 GMT):
I wish this actually printed a useful error
```
consortiumGroup, ok := systemChannelGroup.Groups[channelconfig.ConsortiumsGroupKey].Groups[consortium.Name].Groups[orgName]
if !ok {
    return nil, fmt.Errorf("Attempted to include a member which is not in the consortium")
}
```

GKumar (Wed, 24 Apr 2019 02:15:24 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=nZDg9suXDwtBhYHdG) @ashutosh_kumar we are using the SAML protocol for SSO. In my company most of the users will be using our application, so does it mean I need to create 3K wallets?! Or shall we have an anchor wallet for each role and pass the user details as a certificate attribute?

ashutosh_kumar (Wed, 24 Apr 2019 02:35:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=EhBC9W7m6Ezm8Y8XS) @GKumar Think of Fabric User as System user not End user. That might be able to solve your problem.

kakali (Wed, 24 Apr 2019 07:01:06 GMT):
Has joined the channel.

Sarath_Kumar (Wed, 24 Apr 2019 08:41:29 GMT):
Has joined the channel.

Sarath_Kumar (Wed, 24 Apr 2019 08:49:40 GMT):
Hi all, I am following the balance transfer app. I am able to create a new user and do transactions. After restarting the machine all peers exited; I started the exited containers and all containers are working fine. When I try to invoke a transaction an error occurs like *cannot read property curve of undefined*

Sarath_Kumar (Wed, 24 Apr 2019 08:52:54 GMT):
I have checked the db file. the previous data is missing in it.

dsanchezseco (Wed, 24 Apr 2019 09:23:15 GMT):
Hi all!! Now with Raft we need to share even more certificates with the members of the network, now the TLS certs of each of the orderers, but as far as I know there isn't any function to query an org's CA and get the public material of one of its nodes unless you are a member of that org. Is that right? Does anyone know of a service that works as a bulletin board to put the certs there so anyone can go and get them easily?

GKumar (Wed, 24 Apr 2019 12:32:18 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xdERG5qpYGp8koT2v) @ashutosh_kumar Yes. Now the issue is which user name we put in the audit trail field of our assets in the blockchain

ashutosh_kumar (Wed, 24 Apr 2019 14:39:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wYp8kjPLEAiwLCDM5) @GKumar You need to solve it outside of Fabric. There is industry best practice on this. You can have something like Privileged Identity Management with SIEM(Security Incident and Event Management) in place. Usually (big) enterprises have this in place. Solving problem this way is much easier than solving the issue of security of wallet IMO.

SashaPESIC (Thu, 25 Apr 2019 08:01:57 GMT):
Hi guys! I was just wondering about the CA requirements and prerequisites for a HF network. Does every organization have to have a CA? Can one CA serve multiple orgs? I was having trouble finding good reading material on the topic. Thanks in advance!

GowriR (Thu, 25 Apr 2019 08:34:50 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=hn3s3354AwwfWgHcP) @SashaPESIC Each org - 1 CA is generally suggested. Yes every org needs to have a CA

mastersingh24 (Thu, 25 Apr 2019 08:40:09 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RsTYDKhFBNro8R9WH) @SashaPESIC It is definitely recommended for each org to have its own CA, but it is not strictly required. The main thing is that you need to be able to differentiate certificates used by each organization. Using a CA per org makes this much simpler and does not require orgs to trust a central issuer. It is possible, however, to use a single CA for multiple organizations. If you use the same CA to issue certificates for one or more organizations, then you'll need to use OUs to differentiate the orgs. Take a look at https://hyperledger-fabric.readthedocs.io/en/release-1.4/msp.html#organizational-units to see how to define MSPs in this manner.

AbhishekDudhrejia (Thu, 25 Apr 2019 09:11:22 GMT):
Hello everyone, How to generate peer and orderer certificates using ca and how do I configure the admincerts for both of them?

caveman7 (Thu, 25 Apr 2019 09:15:36 GMT):
@AbhishekDudhrejia https://github.com/hyperledger/fabric-samples/tree/release-1.3/fabric-ca

AbhishekDudhrejia (Thu, 25 Apr 2019 12:10:44 GMT):
Hello, do we need to enroll a CA for each orderer and peer that we are registering, or can we work with a common CA container for the whole organization? In the link mentioned above, fabric-ca-client is installed in every orderer and peer.

nyet (Fri, 26 Apr 2019 06:05:19 GMT):
what is `-d` in `fabric-ca-client -d`? I can't find `-d` documented anywhere

superafro12 (Fri, 26 Apr 2019 08:22:53 GMT):
Has joined the channel.

superafro12 (Fri, 26 Apr 2019 08:57:40 GMT):
Hello, I'm having a problem with configuring the Fabric CA client. From what I've understood there should be a file named fabric-ca-client-config.yaml where you can configure the CA client. But I cannot seem to generate or find it. According to the Fabric CA User's Guide, under "Fabric CA client's configuration file format", the command `fabric-ca-client -c` should create a default configuration file if the file specified doesn't exist. They also show a printout of running fabric-ca-client which shows the flags. One of the flags is -c for the configuration file. But when I run fabric-ca-client there are no flags about configuration files. I have found the configuration file written as a string that is placed in a go file: fabric-ca/cmd/fabric-ca-client/command/config.go
Is the guide from an older version and this is the new location or what is this?

nyet (Fri, 26 Apr 2019 09:06:10 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Qqf3BymFboofbXa7L) @superafro12 The default home is `~/.fabric-ca-client`, which is where you should find the config it writes out. Alternately, you can specify `-H .`

superafro12 (Fri, 26 Apr 2019 09:08:20 GMT):
@nyet Thanks for the response! I have looked there and I now looked there again, nothing! :(

superafro12 (Fri, 26 Apr 2019 09:08:45 GMT):
Is .fabric-ca-client a folder?

nyet (Fri, 26 Apr 2019 09:08:53 GMT):
what OS? and have you tried `-d`

nyet (Fri, 26 Apr 2019 09:08:54 GMT):
yes

nyet (Fri, 26 Apr 2019 09:09:10 GMT):
it starts with a . so it is hidden unless you do `ls -a`

superafro12 (Fri, 26 Apr 2019 09:09:29 GMT):
macOS

superafro12 (Fri, 26 Apr 2019 09:10:30 GMT):
Ye I know . means hidden, thanks anyway :) No I have not tried -d, how should I use it?

superafro12 (Fri, 26 Apr 2019 09:11:24 GMT):
When is the client's config file generated? Cus the server's is generated after you start it

nyet (Fri, 26 Apr 2019 09:11:44 GMT):
when you give it a ca server to contact via -u

nyet (Fri, 26 Apr 2019 09:12:43 GMT):
just set it up so it works and it will write out a config

nyet (Fri, 26 Apr 2019 09:12:57 GMT):
via -u and --tls.certfiles

nyet (Fri, 26 Apr 2019 09:14:16 GMT):
`fabric-ca-client -d -u https://localhost getcainfo`

nyet (Fri, 26 Apr 2019 09:15:05 GMT):
you'll need --tls.certfiles and the right port

superafro12 (Fri, 26 Apr 2019 09:17:07 GMT):
okey I got errors because of what u said about the tls.certs

superafro12 (Fri, 26 Apr 2019 09:17:15 GMT):
But! The file did get generated

superafro12 (Fri, 26 Apr 2019 09:17:54 GMT):
Or.. The folder got generated

superafro12 (Fri, 26 Apr 2019 09:18:03 GMT):
I don't see the config file tho

nyet (Fri, 26 Apr 2019 09:18:25 GMT):
you can grab the tls file with `curl -sk (url)/api/v1/cainfo | jq -r ".result.CAChain" | base64 -D > cert.pem`

nyet (Fri, 26 Apr 2019 09:19:06 GMT):
you'll probably need to `brew install curl jq` or something

nyet (Fri, 26 Apr 2019 09:20:11 GMT):
or `jq` anyway, I think curl is std on macos

superafro12 (Fri, 26 Apr 2019 09:20:56 GMT):
I'm trying to wrap my head around this. How is it supposed to work? Shouldn't the CA server create the certfiles?

nyet (Fri, 26 Apr 2019 09:21:11 GMT):
you need to transfer the tls file out of band

nyet (Fri, 26 Apr 2019 09:21:20 GMT):
since the CA is selfsigned

nyet (Fri, 26 Apr 2019 09:21:25 GMT):
to bootstrap the PKI

nyet (Fri, 26 Apr 2019 09:21:59 GMT):
you can't trust the CA server because you don't have its public TLS CA

nyet (Fri, 26 Apr 2019 09:22:21 GMT):
and for some stupid reason there is no option for `fabric-ca-client` to not verify TLS

nyet (Fri, 26 Apr 2019 09:22:42 GMT):
(I suppose it's to force you to transfer the CA pub key in a trusted fashion out of band)

superafro12 (Fri, 26 Apr 2019 09:23:18 GMT):
hah okey. so I receive the msg: Error: Failed to get client TLS config: No trusted root certificates for TLS were provided because there are no certs to start with?

superafro12 (Fri, 26 Apr 2019 09:23:38 GMT):
I have to grab somewhere, your curl command for example

nyet (Fri, 26 Apr 2019 09:23:40 GMT):
yes you need the TLS CA pub key to start with

superafro12 (Fri, 26 Apr 2019 09:24:02 GMT):
where do they need to be saved?

superafro12 (Fri, 26 Apr 2019 09:24:17 GMT):
same folder as .fabric-ca-client?

superafro12 (Fri, 26 Apr 2019 09:24:23 GMT):
or can I specify this later

nyet (Fri, 26 Apr 2019 09:24:43 GMT):
you can specify it with `--tls.certs`

nyet (Fri, 26 Apr 2019 09:24:53 GMT):
you can also use openssl to retrieve the pub key

nyet (Fri, 26 Apr 2019 09:25:23 GMT):
`openssl s_client -connect the.host.name:port > cert.pem`

nyet (Fri, 26 Apr 2019 09:25:29 GMT):
or something similar

superafro12 (Fri, 26 Apr 2019 09:25:33 GMT):
the public key of fabric ca's server?

nyet (Fri, 26 Apr 2019 09:25:36 GMT):
yes

nyet (Fri, 26 Apr 2019 09:25:48 GMT):
but you really want the CA

nyet (Fri, 26 Apr 2019 09:25:51 GMT):
not the tls key

superafro12 (Fri, 26 Apr 2019 09:28:04 GMT):
is this the correct command? curl -sk https://localhost:7054/api/v1/cainfo | jq -r ".result.CAChain" | base64 -D > cert.pem

nyet (Fri, 26 Apr 2019 09:28:16 GMT):
should be

nyet (Fri, 26 Apr 2019 09:28:44 GMT):
good thing it's documented somewhere huh? :)

superafro12 (Fri, 26 Apr 2019 09:31:16 GMT):
that's just silly

superafro12 (Fri, 26 Apr 2019 09:31:42 GMT):
now I received this msg: Error: Failed to get client TLS config: Failed to process certificate from file /Users/thfl/go/cert.pem

superafro12 (Fri, 26 Apr 2019 09:32:20 GMT):
mhm my cert.pem is empty

nyet (Fri, 26 Apr 2019 09:32:34 GMT):
try each of my things one by one

nyet (Fri, 26 Apr 2019 09:32:37 GMT):
without the pipes

nyet (Fri, 26 Apr 2019 09:32:54 GMT):
curl -sk https://localhost:7054/api/v1/cainfo

nyet (Fri, 26 Apr 2019 09:33:02 GMT):
then curl -sk https://localhost:7054/api/v1/cainfo | jq .

nyet (Fri, 26 Apr 2019 09:33:05 GMT):
etc

superafro12 (Fri, 26 Apr 2019 09:34:07 GMT):
I removed the -s

superafro12 (Fri, 26 Apr 2019 09:34:08 GMT):
and got

superafro12 (Fri, 26 Apr 2019 09:34:31 GMT):
Failed to connect to localhost port 7054: Connection refused

nyet (Fri, 26 Apr 2019 09:34:39 GMT):
well I guess that's not your ca server is it

nyet (Fri, 26 Apr 2019 09:34:41 GMT):
:P

nyet (Fri, 26 Apr 2019 09:35:08 GMT):
you're going to need to start with an endpoint you know is the ca-server.

superafro12 (Fri, 26 Apr 2019 09:36:19 GMT):
lol it wasn't running

superafro12 (Fri, 26 Apr 2019 09:36:28 GMT):
I get wrong version number tho

nyet (Fri, 26 Apr 2019 09:36:49 GMT):
https://jira.hyperledger.org/projects/FABC/issues/FABC-460

nyet (Fri, 26 Apr 2019 09:37:28 GMT):
I have no idea what that means

nyet (Fri, 26 Apr 2019 09:37:54 GMT):
In any case, there isn't much in the fabric-ca-client-config.yaml anyway

nyet (Fri, 26 Apr 2019 09:38:03 GMT):
you're going to want to do 99% of the stuff on the command line

nyet (Fri, 26 Apr 2019 09:38:23 GMT):
its mostly useless, except for a few shortcuts

nyet (Fri, 26 Apr 2019 09:38:34 GMT):
you definitely never need the whole example one

superafro12 (Fri, 26 Apr 2019 09:39:22 GMT):
haha okey. I read: The Fabric CA provides 3 ways to configure settings on the Fabric CA server and client. The precedence order is: CLI flags Environment variables Configuration file In the remainder of this document, we refer to making changes to configuration files. However, configuration file changes can be overridden through environment variables or CLI flags.

superafro12 (Fri, 26 Apr 2019 09:39:32 GMT):
and therefore I thought I should go through the configuration file

nyet (Fri, 26 Apr 2019 09:40:22 GMT):
literally the only useful settings are tls and caname

nyet (Fri, 26 Apr 2019 09:40:29 GMT):
maybe csr if you want to override things

superafro12 (Fri, 26 Apr 2019 09:40:34 GMT):
Okey so I've done like all basic samples and tutorials for fabric but I still don't really get in which order everything should be set up. Could u just quickly explain that?

superafro12 (Fri, 26 Apr 2019 09:40:49 GMT):
like first out is to get the CA I guess, then create a MSP

superafro12 (Fri, 26 Apr 2019 09:40:54 GMT):
to create a org

nyet (Fri, 26 Apr 2019 09:41:02 GMT):
you mean using the ca-server vs cryptogen?

superafro12 (Fri, 26 Apr 2019 09:41:13 GMT):
no just setup a network

superafro12 (Fri, 26 Apr 2019 09:41:36 GMT):
while using fabric ca

nyet (Fri, 26 Apr 2019 09:41:54 GMT):
so if you are finding the examples are not good enough for production you are in really big trouble

nyet (Fri, 26 Apr 2019 09:42:13 GMT):
since the examples all use `cryptogen` and not the ca-server

nyet (Fri, 26 Apr 2019 09:42:32 GMT):
if you intend to ditch cryptogen and use the ca-server, you are looking at a world of hurt

superafro12 (Fri, 26 Apr 2019 09:42:58 GMT):
really? :/

nyet (Fri, 26 Apr 2019 09:43:02 GMT):
yep. Really.

superafro12 (Fri, 26 Apr 2019 09:43:23 GMT):
why's that?

nyet (Fri, 26 Apr 2019 09:43:45 GMT):
because there is no documentation for starting a network without using cryptogen

nyet (Fri, 26 Apr 2019 09:44:07 GMT):
There is some sitting in a PR somewhere on gerrit

nyet (Fri, 26 Apr 2019 09:44:35 GMT):
https://gerrit.hyperledger.org/r/#/c/29430/9/docs/source/operations_guide.rst

nyet (Fri, 26 Apr 2019 09:44:38 GMT):
enjoy :)

superafro12 (Fri, 26 Apr 2019 09:44:58 GMT):
ooh thanks!

superafro12 (Fri, 26 Apr 2019 09:45:26 GMT):
but could u explain in which order things are setup?

superafro12 (Fri, 26 Apr 2019 09:45:34 GMT):
if we would use cryptogen

nyet (Fri, 26 Apr 2019 09:45:49 GMT):
you said you went through the examples ... they all use cryptogen

superafro12 (Fri, 26 Apr 2019 09:46:02 GMT):
but they all just run scripts and then everything is done

nyet (Fri, 26 Apr 2019 09:46:18 GMT):
yep. you're supposed to decipher it from the scripts :)

nyet (Fri, 26 Apr 2019 09:47:01 GMT):
you can look at this https://github.com/Blockdaemon/hlf-service-network

nyet (Fri, 26 Apr 2019 09:47:04 GMT):
maybe it helps

superafro12 (Fri, 26 Apr 2019 09:47:10 GMT):
haha but if you knew maybe you could just quickly tell me. very basic like 1st CA, 2nd msp, then org, and orderer into genesis block or w/e

superafro12 (Fri, 26 Apr 2019 09:47:19 GMT):
in a network with 1 org, 1 peer, 1 orderer

nyet (Fri, 26 Apr 2019 09:47:34 GMT):
it is literally not something I can explain in 30 seconds

superafro12 (Fri, 26 Apr 2019 09:47:50 GMT):
haha okey

nyet (Fri, 26 Apr 2019 09:47:54 GMT):
if it was that simple, the scripts would reflect that

superafro12 (Fri, 26 Apr 2019 09:48:09 GMT):
what is the 1st thing tho? could you tell me that?

superafro12 (Fri, 26 Apr 2019 09:48:16 GMT):
where do u start

nyet (Fri, 26 Apr 2019 09:48:33 GMT):
you start with cryptogen to create all the materials

superafro12 (Fri, 26 Apr 2019 09:48:50 GMT):
okey good, that was what I thought

nyet (Fri, 26 Apr 2019 09:48:54 GMT):
https://github.com/Blockdaemon/hlf-service-network/blob/master/Makefile

nyet (Fri, 26 Apr 2019 09:49:08 GMT):
but `cryptogen` is not appropriate for a production network

superafro12 (Fri, 26 Apr 2019 09:49:12 GMT):
hey, thank you so so much!

superafro12 (Fri, 26 Apr 2019 09:49:25 GMT):
been so helpful!

superafro12 (Fri, 26 Apr 2019 09:50:05 GMT):
I am really grateful!

nyet (Fri, 26 Apr 2019 09:50:13 GMT):
gl i've been struggling for months

nyet (Fri, 26 Apr 2019 09:50:24 GMT):
with pretty much very little help from devs :/

superafro12 (Fri, 26 Apr 2019 09:50:25 GMT):
exactly, that's why I want to use fabric's CA instead

nyet (Fri, 26 Apr 2019 09:50:33 GMT):
it's even harder

superafro12 (Fri, 26 Apr 2019 09:50:48 GMT):
ye but I must

superafro12 (Fri, 26 Apr 2019 09:51:00 GMT):
wish me luck hah

nyet (Fri, 26 Apr 2019 09:51:07 GMT):
good luck

superafro12 (Fri, 26 Apr 2019 10:00:43 GMT):
okey if u ever get same problem. I got the version problem with curl cus I used https instead of http

HLFPOC (Sat, 27 Apr 2019 11:09:50 GMT):
Hello Team, Has anyone been able to create network by generating all the crypto material using fabric-ca (instead of cryptogen) and connect it with fabric-node-sdk to perform read/write operations ? I am struggling to get this done from past few days but facing some issues. It would be great if someone can guide me on this. Thanks !

nyet (Sat, 27 Apr 2019 15:46:13 GMT):
Same. Currently stuck on joining a channel.

nyet (Sat, 27 Apr 2019 15:46:49 GMT):
I'm using fabric-sdk-go

yacovm (Sat, 27 Apr 2019 15:46:51 GMT):
what are you struggling on?

nyet (Sat, 27 Apr 2019 15:47:51 GMT):
On trying to join a peer to a channel i get "is not an admin"

yacovm (Sat, 27 Apr 2019 15:48:18 GMT):
so put your client's certificate in the peer's admincerts folder

yacovm (Sat, 27 Apr 2019 15:48:22 GMT):
that's it....

nyet (Sat, 27 Apr 2019 15:48:26 GMT):
Yep

yacovm (Sat, 27 Apr 2019 15:48:32 GMT):
Yep ?

nyet (Sat, 27 Apr 2019 15:48:38 GMT):
Yes it is there

yacovm (Sat, 27 Apr 2019 15:49:06 GMT):
and are the MSP IDs of the peer and client SDK the same?

nyet (Sat, 27 Apr 2019 15:49:08 GMT):
I'm on vacation so I can't do deeper debugging. Will you be around Tuesday?

yacovm (Sat, 27 Apr 2019 15:49:11 GMT):
they have to be the same

nyet (Sat, 27 Apr 2019 15:49:25 GMT):
Ah i will check that

yacovm (Sat, 27 Apr 2019 15:49:27 GMT):
on rocket chat on vacation.... you're like me :rolling_eyes:

nyet (Sat, 27 Apr 2019 15:49:34 GMT):
Heh ya

nyet (Sat, 27 Apr 2019 15:50:00 GMT):
Never know if someone will be around to help

yacovm (Sat, 27 Apr 2019 15:50:31 GMT):
i see

nyet (Sat, 27 Apr 2019 15:51:29 GMT):
I wish there were better error messages a lot of the time for common problems. It always seems I have to walk through code to see what went wrong

nyet (Sat, 27 Apr 2019 15:52:02 GMT):
I will check mspids on Monday

nyet (Sat, 27 Apr 2019 15:53:31 GMT):
What is the relevance of id.type=admin? There is also an admin=true in id.attrs

BChain_Dev (Sat, 27 Apr 2019 16:27:00 GMT):
Has joined the channel.

BChain_Dev (Sat, 27 Apr 2019 16:28:05 GMT):
hi... I am not able to start the CA docker. I am getting the below error:
```
Error: Failed to find private key for certificate in '/etc/hyperledger/fabric-ca-server-config/ca.vendor3.procurement.com-cert.pem': Could not find matching private key for SKI: Failed getting key for SKI [[86 45 66 173 217 42 9 65 58 105 112 43 122 210 163 223 200 123 25 37 213 13 152 216 59 4 87 147 234 164 59 233]]: Key with SKI 562d42add92a09413a69702b7ad2a3dfc87b1925d50d98d83b045793eaa43be9 not found in /etc/hyperledger/fabric-ca-server/msp/keystore
```

nyet (Sat, 27 Apr 2019 16:41:59 GMT):
Is it actually possible to have a peer with more than one mspid? What is its relevance

BChain_Dev (Sat, 27 Apr 2019 16:49:14 GMT):
I am following https://github.com/HyperledgerHandsOn/trade-finance-logistics/blob/master/network/docker-compose-e2e-template.yaml

BChain_Dev (Sat, 27 Apr 2019 16:50:24 GMT):
I am creating 4 orgs and 4 channels... one common channel and 3 individual private channels... I am able to bring up all other peers except the CA

pdintchev (Sat, 27 Apr 2019 17:40:05 GMT):
Has joined the channel.

nyet (Sun, 28 Apr 2019 23:58:01 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=AJkAEhC7QxvAnrmBj) @yacovm Yes, all of the MSPIDs are the same... is the "ID" in configtx also the MSPID? I can't find any documentation as to what "Name" and "ID" are and how they are relevant

nyet (Sun, 28 Apr 2019 23:58:57 GMT):
or should the Name match MSPID? Or both?

nyet (Mon, 29 Apr 2019 00:45:56 GMT):
What should id.type and id.attr have?

abhinav10gupta (Mon, 29 Apr 2019 08:41:31 GMT):
Has joined the channel.

abhinav10gupta (Mon, 29 Apr 2019 08:44:19 GMT):
any document for implementing idemix ?

yeousunn (Tue, 30 Apr 2019 05:36:29 GMT):
Hi, can fabric-ca be used to register and enroll organization?

yeousunn (Tue, 30 Apr 2019 06:38:03 GMT):
Hi, I have gone through the fabric-ca user guide, but there are no details about creating the organization MSP. Is there any document related to it?

Raja_Sabarish (Tue, 30 Apr 2019 09:40:26 GMT):
Has joined the channel.

Raja_Sabarish (Tue, 30 Apr 2019 09:45:36 GMT):
Hello Everyone! I am very new to Hyperledger Fabric and I am trying to set it up on my Mac by following these steps:
- `brew install libtool`
- `go get -u github.com/hyperledger/fabric-ca/cmd/...`
And then I start fabric-ca-server with this command: `fabric-ca-server start -b admin:adminpw`

Raja_Sabarish (Tue, 30 Apr 2019 09:45:54 GMT):
It says command not found.

Raja_Sabarish (Tue, 30 Apr 2019 09:46:05 GMT):
Any idea ?

Jayshree_Devan (Tue, 30 Apr 2019 09:51:53 GMT):
Hello Everyone ! I am trying with the Key-Level Endorsement Policy,

Jayshree_Devan (Tue, 30 Apr 2019 09:52:38 GMT):
```go
package main

import (
	"github.com/hyperledger/fabric/core/chaincode/shim"
	"github.com/hyperledger/fabric/core/chaincode/shim/ext/statebased"
	pb "github.com/hyperledger/fabric/protos/peer"
)

// logger and SimpleChaincode are declared elsewhere in the poster's chaincode;
// minimal declarations are assumed here so the snippet compiles on its own.
var logger = shim.NewLogger("endorser")

type SimpleChaincode struct{}

// endorser attaches a key-level endorsement policy to the key "Cust01":
// the resulting policy requires a member of Org1MSP and a member of Org2MSP.
func (t *SimpleChaincode) endorser(stub shim.ChaincodeStubInterface) pb.Response {
	EP, err := statebased.NewStateEP(nil)
	if err != nil {
		return shim.Error(err.Error())
	}
	err = EP.AddOrgs(statebased.RoleTypeMember, "Org1MSP", "Org2MSP")
	if err != nil {
		return shim.Error(err.Error())
	}
	epBytes, err := EP.Policy()
	if err != nil {
		return shim.Error(err.Error())
	}
	logger.Info("Inside init ===> Before policy is set", epBytes)
	err = stub.SetStateValidationParameter("Cust01", epBytes)
	logger.Info("Inside init ===> after endorsement policy is set")
	if err != nil {
		return shim.Error(err.Error())
	}
	return shim.Success([]byte{})
}
```

Jayshree_Devan (Tue, 30 Apr 2019 09:52:57 GMT):
But Facing error with this

root10 (Tue, 30 Apr 2019 15:54:27 GMT):
Has joined the channel.

RodrigoAcosta (Tue, 30 Apr 2019 17:04:20 GMT):
Has joined the channel.

RodrigoAcosta (Tue, 30 Apr 2019 20:06:00 GMT):
hello team, I'm trying to use the CA as a valid way to authenticate users on the app, not only on the blockchain. From a web app, I enroll the admin and, on a sign up form, I let the user specify a user and password to register those on a CA with the register method, and finally I enroll with fabric client setUserContent. After validation, I then allow it to move on and eventually query fabric from the app. Is this a good practice? To use the CA user/secret to validate credentials upon app login?

caveman7 (Wed, 01 May 2019 11:18:21 GMT):
hello, i'm trying to set up an external CA (using OpenSSL) as root CA and fabric ca as intermediate CA. peers and users are enrolled against the intermediate CA. however when starting the peer, there's an error
```
peer0.org1.example.com | 2019-05-01 10:54:58.244 UTC [msp.identity] newIdentity -> DEBU 030 Creating identity instance for cert -----BEGIN CERTIFICATE-----
peer0.org1.example.com | MIIC4TCCAoegAwIBAgIULOPopG8pFs6Dv/M6VAwRes+KgXIwCgYIKoZIzj0EAwIw
peer0.org1.example.com | WzELMAkGA1UEBhMCU0cxEjAQBgNVBAgMCVNpbmdhcG9yZTEZMBcGA1UECgwQb3Jn
peer0.org1.example.com | MS5leGFtcGxlLmNvbTEdMBsGA1UEAwwUaWNhLm9yZzEuZXhhbXBsZS5jb20wHhcN
peer0.org1.example.com | MTkwNTAxMTA1MDAwWhcNMjAwNDMwMTA1NTAwWjCBjzELMAkGA1UEBhMCU0cxEjAQ
peer0.org1.example.com | BgNVBAgTCVNpbmdhcG9yZTESMBAGA1UEBxMJU2luZ2Fwb3JlMRkwFwYDVQQKExBv
peer0.org1.example.com | cmcxLmV4YW1wbGUuY29tMRwwDQYDVQQLEwZjbGllbnQwCwYDVQQLEwRvcmcxMR8w
peer0.org1.example.com | HQYDVQQDDBZBZG1pbkBvcmcxLmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZI
peer0.org1.example.com | zj0DAQcDQgAE8/dVz5R8+pAlbv1ZF8odg11swU4OjiF4On9D2iZE7ihZrCBFyoeR
peer0.org1.example.com | HltnhjalFsgSYRudaJioQT7vlb7c6rdE1qOB8zCB8DAOBgNVHQ8BAf8EBAMCB4Aw
peer0.org1.example.com | DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUaC3G+9gk70F1WsvWYGX5Rbn0qa8wHwYD
peer0.org1.example.com | VR0jBBgwFoAUYNnb8hYBA74bDFBs8tk4tdjtiwEwIQYDVR0RBBowGIEWQWRtaW5A
peer0.org1.example.com | b3JnMS5leGFtcGxlLmNvbTBtBggqAwQFBgcIAQRheyJhdHRycyI6eyJoZi5BZmZp
peer0.org1.example.com | bGlhdGlvbiI6Im9yZzEiLCJoZi5FbnJvbGxtZW50SUQiOiJBZG1pbkBvcmcxLmV4
peer0.org1.example.com | YW1wbGUuY29tIiwiaGYuVHlwZSI6ImNsaWVudCJ9fTAKBggqhkjOPQQDAgNIADBF
peer0.org1.example.com | AiEA/ifzB29WeF3wkX7IeBDdnT05ZuuImc01HjfaEuRY/OkCIElly1xoA8izMbCV
peer0.org1.example.com | ybEXfNgi4ICrbgibb6wR7m6RR/uY
peer0.org1.example.com | -----END CERTIFICATE-----
peer0.org1.example.com | 2019-05-01 10:54:58.244 UTC [main] InitCmd -> ERRO 031 Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/msp/peer/: the supplied identity is not valid: x509: certificate has expired or is not yet valid
```
this is not supposed to happen because the certificate is indeed valid. parsing the certificate will show the following:
```
Not Before: May  1 10:50:00 2019 GMT
Not After : Apr 30 10:55:00 2020 GMT
```
i have made sure that ECDSA is used with curve `prime256v1` and signature algorithm `ecdsa-with-SHA256`. these are the commands used to generate the root ca key and cert:
```
mkdir -p rca/private rca/certs rca/newcerts
touch rca/index.txt rca/serial
echo 1000 > rca/serial
openssl ecparam -name prime256v1 -genkey -noout -out rca/private/rca.org1.example.com.key.pem
openssl req -config openssl_root.cnf -new -x509 -sha256 -extensions v3_ca -key rca/private/rca.org1.example.com.key.pem -out rca/certs/rca.org1.example.com.crt.pem -days 3650 -subj "/C=SG/ST=Singapore/L=Singapore/O=org1.example.com/OU=/CN=rca.org1.example.com"
```
and these are the commands to generate the intermediate cert:
```
openssl ecparam -name prime256v1 -genkey -noout -out $ORG_DIR/ca/ica.org1.example.com.key.pem
openssl req -new -sha256 -key $ORG_DIR/ca/ica.org1.example.com.key.pem -out $ORG_DIR/ca/ica.org1.example.com.csr -subj "/C=SG/ST=Singapore/L=Singapore/O=org1.example.com/OU=/CN=ica.org1.example.com"
openssl ca -batch -config openssl_root.cnf -extensions v3_intermediate_ca -days 1825 -notext -md sha256 -in $ORG_DIR/ca/ica.org1.example.com.csr -out $ORG_DIR/ca/ica.org1.example.com.crt.pem
```

mastersingh24 (Wed, 01 May 2019 12:27:00 GMT):
@caveman7 - you have a clock skew problem

caveman7 (Wed, 01 May 2019 12:31:35 GMT):
@mastersingh24 my peer clock is correct. it's within the validity period `peer0.org1.example.com | 2019-05-01 10:54:58.244 UTC`

mastersingh24 (Wed, 01 May 2019 12:32:14 GMT):
is it in sync with the fabric-ca clock?

caveman7 (Wed, 01 May 2019 12:37:15 GMT):
yes:
```
peer0.org1.example.com | 2019-05-01 12:36:49.581 UTC [main] InitCmd -> ERRO 031 Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/msp/peer/: the supplied identity is not valid: x509: certificate has expired or is not yet valid
peer0.org1.example.com exited with code 1
docker exec ica.org1.example.com date
Wed May 1 12:36:53 UTC 2019
```

caveman7 (Wed, 01 May 2019 13:13:44 GMT):
https://github.com/aldredb/external-ca - in case you need to simulate the error

nitishbhardwaj19 (Wed, 01 May 2019 15:17:51 GMT):
@nyet Hi, I am using the Node SDK to integrate my HLF network, which is running over Azure. The SDK is able to connect with the CA server, but the enrolment fails with an error:
```
[2019-05-01 19:34:46.733] [DEBUG] Helper - [FabricCAClientService.js]: successfully generated key pairs
[2019-05-01 19:34:46.814] [DEBUG] Helper - [FabricCAClientService.js]: successfully generated csr
[2019-05-01 19:34:53.142] [ERROR] Helper - [FabricCAClientService.js]: Failed to enroll admin, error:Error: Enrollment failed with errors [[{"code":0,"message":"api/v1/enroll handler failed to initialize DB: Failed to create user registry for SQLite: Failed to create SQLite3 database: Error encountered while committing transaction: database is locked"}]]
    at IncomingMessage.response.on (/home/nitish/hyperledger/office/balance-transfer/node_modules/fabric-ca-client/lib/FabricCAClient.js:470:22)
    at emitNone (events.js:111:20)
    at IncomingMessage.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1055:12)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickCallback (internal/process/next_tick.js:180:9)
[2019-05-01 19:34:53.148] [ERROR] Helper - Failed to get registered user: someone with error: Error: Enrollment failed with errors [[{"code":0,"message":"api/v1/enroll handler failed to initialize DB: Failed to create user registry for SQLite: Failed to create SQLite3 database: Error encountered while committing transaction: database is locked"}]]
[2019-05-01 19:34:53.148] [DEBUG] SampleWebApp - -- returned from registering the username someone for organization orga
[2019-05-01 19:34:53.149] [DEBUG] SampleWebApp - Failed to register the username someone for organization orga with::failed Error: Enrollment failed with errors [[{"code":0,"message":"api/v1/enroll handler failed to initialize DB: Failed to create user registry for SQLite: Failed to create SQLite3 database: Error encountered while committing transaction: database is locked"}]]
```
Has anyone encountered this?

Antimttr (Wed, 01 May 2019 19:48:47 GMT):
Is there any reason why or how a registrar could successfully enroll a user, but then the same registrar user fails this call: `identities = ca.getHFCAIdentities(orgAdmin);` ? Got this result: `[HTTP Status Code: 401] - Error while getting all users from url 'https://localhost:8054': GET request to https://localhost:8054 failed request body . Response: {"result":"","errors":[{"code":20,"message":"Authentication failure"}` yet the same registrar user is able to register new users just fine

nyet (Wed, 01 May 2019 20:25:29 GMT):
@caveman7 @mastersingh24 https://jira.hyperledger.org/browse/FABC-832

nyet (Wed, 01 May 2019 20:25:50 GMT):
I am forced to use faketime to work around this bug. There are no plans to fix it.

Antimttr (Wed, 01 May 2019 21:13:29 GMT):
with the command line fabric-ca-client how do you enforce the http option: `verify: false`

Antimttr (Wed, 01 May 2019 21:13:39 GMT):
I have this in my artifacts network-config.yaml

Antimttr (Wed, 01 May 2019 21:14:02 GMT):
but the client is throwing the error: `Error: POST failure of request: POST https://localhost:7054/enroll {"hosts":["mwestmct.mctlive.com"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBSjCB8QIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfdEj7z5bCgAJhP2A\nIkO/nmsuZqF5rYlYajU+MGSV8XGXi9wKJBCtzH6ht8IQvvgBDTakTm3iRjdIMh2u\nJIP116AyMDAGCSqGSIb3DQEJDjEjMCEwHwYDVR0RBBgwFoIUbXdlc3RtY3QubWN0\nbGl2ZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAOSvbkcMuXOkorRlVl97/wLLaF/9\n5/S8O9+QgQcZC3diAiAMiwukQaYE0Ov07NLvsjjZW+tcMq2UZATzJz54FusAWg==\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post https://localhost:7054/enroll: x509: certificate is valid for ca.org1.example.com, not localhost`

nyet (Wed, 01 May 2019 21:14:40 GMT):
You can't. Fix your certs...

Antimttr (Wed, 01 May 2019 21:14:47 GMT):
I'm in a dev environment

Antimttr (Wed, 01 May 2019 21:14:49 GMT):
not possible

nyet (Wed, 01 May 2019 21:14:59 GMT):
sure it is, you can self sign whatever you want

Antimttr (Wed, 01 May 2019 21:15:12 GMT):
I'm trying to use the balance-transfer demo

Antimttr (Wed, 01 May 2019 21:15:29 GMT):
it supplies the certs

nyet (Wed, 01 May 2019 21:15:41 GMT):
so add a ca.org1.example.com to your /etc/hosts and point it to 127.0.0.1

Antimttr (Wed, 01 May 2019 21:15:55 GMT):
i can do that

Antimttr (Wed, 01 May 2019 22:18:49 GMT):
```
2019/05/01 22:05:48 [DEBUG] Received request for /api/v1/identities?ca=ca-org2
2019/05/01 22:05:48 [DEBUG] Caller is using a x509 certificate
2019/05/01 22:05:48 [DEBUG] Failed to verify token based on new authentication header requirements: %!s()
2019/05/01 22:05:48 [DEBUG] Received identity update request from
2019/05/01 22:05:48 [INFO] 172.29.0.1:33242 GET /api/v1/identities?ca=ca-org2 401 25 "Invalid token in authorization header: Token signature validation failed"
```

Antimttr (Wed, 01 May 2019 22:19:01 GMT):
what are the new authentication header requirements?

caveman7 (Thu, 02 May 2019 00:53:52 GMT):
@nyet yeah, you're right. If I wait 5 min before enrolling my peers, it works... not sure if this is the intended design.

nitishbhardwaj19 (Thu, 02 May 2019 00:57:57 GMT):
@nyet Could you please share your views on this.

caveman7 (Thu, 02 May 2019 01:02:35 GMT):
@nitishbhardwaj19 check https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#troubleshooting `When sending multiple parallel requests to a Fabric CA Server cluster that uses shared sqlite3 databases, the server occasionally returns a ‘database locked’ error. This is most probably because the database transaction timed out while waiting for database lock (held by another cluster member) to be released. This is an invalid configuration because sqlite is an embedded database, which means the Fabric CA server cluster must share the same file via a shared file system, which introduces a SPoF (single point of failure), which contradicts the purpose of cluster topology. The best practice is to use either Postgres or MySQL databases in a cluster topology.`

nitishbhardwaj19 (Thu, 02 May 2019 01:05:39 GMT):
@cabe

nitishbhardwaj19 (Thu, 02 May 2019 01:07:23 GMT):
@caveman7 Thanks for sharing this. You saved my day :) I will reconfigure my CAs with Postgres.

nitishbhardwaj19 (Thu, 02 May 2019 01:19:12 GMT):
@caveman7 Do you have any references to use Postgres/MySQL with CA using K8s?

Antimttr (Thu, 02 May 2019 01:52:11 GMT):
what are the new authentication header requirements for fabric-ca?

nyet (Thu, 02 May 2019 02:01:30 GMT):
@caveman7 It is intended and the only workaround not involving a delay is to use faketime to backdate your CA certs, unfortunately

caveman7 (Thu, 02 May 2019 06:16:18 GMT):
@nyet `faketime` does not work for me. Apparently I need to disable some parameters in macOS for it to run properly. I went ahead and appended `backdate: 1s` to `fabric-ca-server-config.yaml` as per the instruction in the JIRA issue you referred to. Even with this modification, I see that the peer certificate is 15-20 seconds behind the signing certificate, but it's still better than 5 min.

gentios (Thu, 02 May 2019 09:02:42 GMT):
Hi, can we set the FileKeyValueStore to store the user credentials in an AWS S3 bucket?

caveman7 (Thu, 02 May 2019 09:08:36 GMT):
@gentios you need to write your own custom object storage driver

gentios (Thu, 02 May 2019 09:09:13 GMT):
@caveman7 any samples?

caveman7 (Thu, 02 May 2019 09:25:51 GMT):
basically you need to override `setValue` and `getValue` functions. take a look and compare between https://github.com/hyperledger/fabric-sdk-node/blob/release-1.4/fabric-client/lib/impl/FileKeyValueStore.js and https://github.com/hyperledger/fabric-sdk-node/blob/release-1.4/fabric-client/lib/impl/CouchDBKeyValueStore.js. you'll see that they have same functions but different implementations

gentios (Thu, 02 May 2019 09:39:00 GMT):
@caveman7 thank you I understand now

gravity (Thu, 02 May 2019 09:47:54 GMT):
Hi all, what happens to the Intermediate CA certificate when it expires (by default, after 15 years)? How do you renew this certificate?

nasht00 (Thu, 02 May 2019 10:23:58 GMT):
Has left the channel.

vtech (Thu, 02 May 2019 11:10:42 GMT):
Hi Experts, does a fabric-ca docker image (Soft HSM) exist in any repository, or can it be built locally?

Raja_Sabarish (Thu, 02 May 2019 13:15:14 GMT):
fabric_ca_server

Antimttr (Thu, 02 May 2019 14:49:38 GMT):
does anyone know what this error message means? `[DEBUG] Failed to verify token based on new authentication header requirements: %!s()`

Antimttr (Thu, 02 May 2019 14:50:02 GMT):
google comes up with nothing relevant

Antimttr (Thu, 02 May 2019 14:50:18 GMT):
anyone know where the source code is for the fabric-ca?

Antimttr (Thu, 02 May 2019 14:54:58 GMT):
why would the error be null

Antimttr (Thu, 02 May 2019 14:57:21 GMT):
found the error here, but still no reason why it's happening: https://github.com/hyperledger/fabric-ca/blob/55f5eb7f8b3f9b5ae9e71fdc88b69e2f66c6fa75/util/util.go

HLFPOC (Thu, 02 May 2019 17:16:22 GMT):
Hi Team, I am getting the below error while enrolling a user from fabric-ca using the fabric-node SDK: `Error : Enrollment failed with errors [[{"code":19,"message":"CA 'ica-org1' does not exist"}]]` I have created an intermediate CA for my org (ica-org1) and it is running as a container application. Any idea about this issue?

mastersingh24 (Thu, 02 May 2019 18:44:31 GMT):
@vtech If you checkout the master branch of fabric-ca and run `make docker` it will be a PKCS11-enabled image

gentios (Thu, 02 May 2019 19:46:30 GMT):
For a decentralised application everything should be in the hands of the users. It's not a good idea to save the priv/pub keys and X509 cert in a filesystem or in a database, for security purposes and also because of centralisation. How can we achieve better results if we provide these on the user side? Is there a way?

nitishbhardwaj19 (Fri, 03 May 2019 06:01:07 GMT):
Hi, I have configured Fabric CA with MYSQL. The configuration is as:``` `apiVersion: extensions/v1beta1 kind: Deployment metadata: annotations: name: ca-org1-db-mysql labels: name: ca-org1-db-mysql name: ca-org1-db-mysql spec: replicas: 1 strategy: {} template: metadata: labels: name: ca-org1-db-mysql spec: containers: - args: - mysqld - --default-authentication-plugin=mysql_native_password - --sql-mode= env: - name: MYSQL_ROOT_PASSWORD value: password image: mysql:5.7.23 name: ca-org1-db-mysql ports: - containerPort: 3306 volumeMounts: - mountPath: /var/lib/mysql name: org1-org-shared subPath: cas/db/rca/mysqldb restartPolicy: Always volumes: - name: org1-org-shared persistentVolumeClaim: claimName: org1-org-pvc`` `apiVersion: v1 kind: Service metadata: name: ca-org1-db-mysql spec: selector: name: ca-org1-db-mysql ports: - name: endpoint protocol: TCP port: 3306 targetPort: 3306` - name: FABRIC_CA_SERVER_DB_TYPE value: mysql - name: FABRIC_CA_SERVER_DB_DATASOURCE value: root:password@tcp(orderer-org-ca-db-mysql:3306)/org-ca?parseTime=true` ``` I am get an error: Failed to create user registry for MySQL: Failed to connect toMySQL database while I try to connect with CA and to enroll a user.``` @nyet @caveman7

gravity (Fri, 03 May 2019 10:32:09 GMT):
@nitishbhardwaj19 the question was not sent to me, but let me comment on it: as I can see, you are trying to connect to the database with the name org-ca

gravity (Fri, 03 May 2019 10:32:18 GMT):
I guess that is the problem

gravity (Fri, 03 May 2019 10:32:46 GMT):
because the default name for CA db is `fabriccadb`

nitishbhardwaj19 (Fri, 03 May 2019 11:15:14 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=xuJmbqGtvbENMKnvR) @gravity Thanks for sharing your thoughts. I thought we could use any DB name

gravity (Fri, 03 May 2019 11:16:51 GMT):
@nitishbhardwaj19 does it work when you change the db name? I guess it should work only if you change the db name in the `fabric-ca-server-config.yaml`

nitishbhardwaj19 (Fri, 03 May 2019 11:17:47 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gCXrTJfj3hJzbwv4Z) @gravity I haven't tried it yet. I will try it out and update you. I wish it to work.

siddjain (Fri, 03 May 2019 19:40:01 GMT):
Hello, how does one enable tls while connecting to LDAP server from hyperledger fabric ca?

nyet (Fri, 03 May 2019 23:25:03 GMT):
ok i worked out the admincerts thing. Apparently id.type=admin is bad. Also, despite what I was told earlier, the peer DOES have to be restarted if you add to `admincerts/`. Sigh. That is going to make user management a huge pain.

jinvanstee (Sat, 04 May 2019 01:33:43 GMT):
Has joined the channel.

Randyshu2018 (Sun, 05 May 2019 01:30:40 GMT):
@nyet Is there any way to create crypto certificates meeting the requirements of the MSP best practices? https://hyperledger-fabric.readthedocs.io/en/latest/msp.html?highlight=msp#best-practices

nyet (Sun, 05 May 2019 01:40:40 GMT):
I assume so.

nitishbhardwaj19 (Sun, 05 May 2019 06:35:20 GMT):
Hi, I am getting a connection error when I try to enroll a user with CA. CA is configured with MySQL and I have added `- { name: "MYSQL_ROOT_HOST", value: "%" }` in the env variables of the MySQL pod to enable access from any IP
```
2019/05/05 06:29:19 [DEBUG] Initializing 'mysql' database at '****:****@tcp(ca1st-orgb-db-mysql:3306)/ca1st-orgb?parseTime=true'
2019/05/05 06:29:19 [DEBUG] Using MySQL database, connecting to database...
2019/05/05 06:29:19 [DEBUG] Database Name: ca1st-orgb
2019/05/05 06:29:19 [DEBUG] Connecting to MySQL server, using connection string: ****:****@tcp(ca1st-orgb-db-mysql:3306)/-orgb?parseTime=true
2019/05/05 06:29:19 [INFO] 10.244.13.1:30624 POST /api/v1/enroll 500 0 "api/v1/enroll handler failed to initialize DB: Failed to create user registry for MySQL: Failed to connect to MySQL database: Error 1130: Host '10.244.13.102' is not allowed to connect to this MySQL server"
```
Can anyone point me towards what I may be missing in the configuration? @nyet @caveman7 @gravity

nyet (Sun, 05 May 2019 06:40:00 GMT):
Do what you would normally do to debug MySQL connection issues; this isn't really a fabric issue at all.

nyet (Sun, 05 May 2019 06:40:56 GMT):
check mysql logs, tcpdump, double check permissions, firewalls, docker network configuration, k8s service configuration etc

nitishbhardwaj19 (Sun, 05 May 2019 06:42:03 GMT):
It's not really a Fabric issue. But I thought maybe someone has already faced this and knows a workaround. I have looked up this MySQL error and found that adding an env parameter would allow remote hosts to connect:
```
- { name: "MYSQL_ROOT_HOST", value: "%" }
```
But it didn't work.

nyet (Sun, 05 May 2019 06:42:41 GMT):
And can you connect with a plain mysql client?

nitishbhardwaj19 (Sun, 05 May 2019 06:48:48 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=sexg5tm8MmQNauLTc) @nyet No

nyet (Sun, 05 May 2019 06:49:52 GMT):
Do you have any experience diagnosing mysql connection problems?

nyet (Sun, 05 May 2019 06:50:18 GMT):
or alternately, tcp or k8s service connection issues?

nitishbhardwaj19 (Sun, 05 May 2019 06:52:53 GMT):
No, I am new to K8s. I am trying to find and resolve issues by going through various blogs.

gravity (Sun, 05 May 2019 14:32:32 GMT):
@nitishbhardwaj19 looks like your account (possibly root) hasn't been granted the permissions that are required to initialize a db; check this answer https://stackoverflow.com/questions/19101243/error-1130-hy000-host-is-not-allowed-to-connect-to-this-mysql-server

awattez (Mon, 06 May 2019 10:57:40 GMT):
operations

awattez (Mon, 06 May 2019 11:04:04 GMT):
Hi all, I am trying to add the operations service to fabric-ca-server: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#prometheus I added this section to my `fabric-ca-server-config.yml`
```
operations:
  # host and port for the operations server
  listenAddress: 127.0.0.1:9443

  # TLS configuration for the operations endpoint
  tls:
    # TLS enabled
    enabled: false

    # path to PEM encoded server certificate for the operations server
    cert:
      file: tls/server.crt

    # path to PEM encoded server key for the operations server
    key:
      file: tls/server.key

    # require client certificate authentication to access all resources
    clientAuthRequired: false

    # paths to PEM encoded ca certificates to trust for client authentication
    clientRootCAs:
      files: []

# When configured, a Fabric CA Server will present a /metrics resource on the operations service.
# To enable Prometheus, set the provider value in the server's configuration file to prometheus.
metrics:
  provider: prometheus
```
I can't access this service; I tried to curl inside the container and netstat says there is nothing listening on port 9443. No log, nothing. I use fabric-ca-server:1.4

awattez (Mon, 06 May 2019 11:58:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Rw4mpxsEotqMfN2JM) It was not the right configuration -> a mistake in the configuration

awattez (Mon, 06 May 2019 11:58:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Rw4mpxsEotqMfN2JM) it works only with 1.4.1

biksen (Mon, 06 May 2019 15:35:17 GMT):
Hello All, can anyone please refer me to any document or link on "How to generate certificates/keys using OpenSSL based on Fabric's local MSP folder structure"? Appreciate your help.

nyet (Mon, 06 May 2019 15:38:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6NriJAkk9Cw8ZpcN9) @biksen There's not much to document; they're just x509 certs arranged in a folder structure (which is documented). The challenge isn't really what goes in an MSP, but what MSP goes where.

biksen (Mon, 06 May 2019 15:43:20 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MwiZX4se9wEBKd6c2) @nyet Thank you! Actually I am a newbie to CA and trying to generate certificates using openssl. Can you please provide or refer me to a basic kickstart for generating certificates using openssl?

nyet (Mon, 06 May 2019 15:44:29 GMT):
so, not using the ca-server? That could be very... painful

nyet (Mon, 06 May 2019 15:44:50 GMT):
with the ca-server you just need to generate self signed root certs

biksen (Mon, 06 May 2019 15:46:17 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wS3NFoNsJyijm5nCj) @nyet I am exploring different options. Just trying to generate bootstrap certificates using openssl instead of cryptogen

nyet (Mon, 06 May 2019 15:46:26 GMT):
which it will autogenerate actually if you don't make them yourself

nyet (Mon, 06 May 2019 15:47:29 GMT):
i'd suggest not using openssl at all. launch the ca-server(s) and let them make their own root certs, then use ca-server enroll and register/enroll to make signed certs.

nyet (Mon, 06 May 2019 15:48:30 GMT):
incidentally, what you ask isn't actually very easy either :/

nyet (Mon, 06 May 2019 15:49:32 GMT):
https://gerrit.hyperledger.org/r/#/c/29430/ mirrored here https://github.com/Blockdaemon/fabric-ca/blob/gerrit-pr-29430/docs/source/operations_guide.rst my post to the mailing list here https://lists.hyperledger.org/g/fabric/message/5716

biksen (Mon, 06 May 2019 15:49:39 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7eRGizcTW3Njykohc) @nyet So how can I generate Peer and Orderer bootstrap certificates using Fabric-CA?

nyet (Mon, 06 May 2019 15:49:57 GMT):
enroll and register/enroll

nyet (Mon, 06 May 2019 15:50:15 GMT):
enroll the bootstrap user, register peer and orderer users, then enroll them

nyet (Mon, 06 May 2019 15:51:03 GMT):
I have been trying to get the devs' attention on this topic for a while, but have not really received any help unfortunately.

biksen (Mon, 06 May 2019 15:52:37 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=4R4SfLKs8ty9s9xBC) @nyet Thank you very much!

nyet (Mon, 06 May 2019 15:53:07 GMT):
You're very welcome; I will try to help where I can, it is not easy to get right.

Randyshu2018 (Tue, 07 May 2019 08:24:37 GMT):

I didn't found this certificates path,any idea?

Randyshu2018 (Tue, 07 May 2019 08:24:39 GMT):

I keep learning this sample till this step,where can i find this certificate ?

abhinav10gupta (Tue, 07 May 2019 13:30:29 GMT):
identity mixer

JuanSuero (Tue, 07 May 2019 22:44:51 GMT):

Clipboard - May 7, 2019 6:44 PM

JuanSuero (Tue, 07 May 2019 22:44:58 GMT):
I've been using the balance-transfer sample code from Hyperledger 1.4.1 fabric-samples to serve as an API server for making chaincode calls. This works on the laptop against the byfn multi-org network, but when I push it to Kubernetes I get the following error trying to call `curl -s -X POST http://localhost:4000/users`
```
[2019-05-07 22:14:46.909] [ERROR] Helper - Failed to get registered user: James with error: TypeError: Cannot read property 'curve' of undefined
[2019-05-07 22:14:46.909] [DEBUG] SampleWebApp - -- returned from registering the username James for organization Org0
[2019-05-07 22:14:46.909] [DEBUG] SampleWebApp - Failed to register the username James for organization Org0 with::failed TypeError: Cannot read property 'curve' of undefined
```
This error doesn't happen with the same bits on my laptop. I do have 3 orgs, org0, org1, and org2, in Kubernetes but byfn only has org1 and org2. This error happens in the helper.js

JuanSuero (Tue, 07 May 2019 22:45:19 GMT):

Clipboard - May 7, 2019 6:45 PM

JuanSuero (Tue, 07 May 2019 22:48:01 GMT):
I did notice that my /tmp/fabric-client-kv-org0 directory was empty in the Kubernetes container, but on my laptop it is full of files ending in `priv` and `pub`, and there at least the admin user is inside the local fabric-client-kv-org0/ directory

nyet (Wed, 08 May 2019 03:54:30 GMT):
Is there a way to convert the output of `fabric-ca-client certificate list` to a pem?

nyet (Wed, 08 May 2019 03:56:37 GMT):
Or do i have to write something using an sdk?

nyet (Wed, 08 May 2019 04:04:02 GMT):
aha `--store`

stephenman (Wed, 08 May 2019 08:39:29 GMT):
Hi all, may I know if I am going to setup the fabric ca to connect to SQL instead of sqlite, where can I configure the DB name and DB password? or where can I find the default DB name and DB password?

mastersingh24 (Wed, 08 May 2019 08:41:59 GMT):
See https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#configuring-the-database ... it shows you the values to set for using MySQL and Postgres

yeousunn (Thu, 09 May 2019 01:57:48 GMT):
Hi, anyone able to create channel when setting up fabric-ca? I am getting this error `orderer1-org0 | 2019-05-09 01:55:02.599 UTC [orderer.common.broadcast] ProcessMessage -> WARN 008 [channel: mychannel] Rejecting broadcast of config message from 172.26.0.5:41916 because of error: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining: permission denied` I am not sure why I have no permission to create channel. I only have one CA and one Org. The Org has one orderer and peer.

kakali (Thu, 09 May 2019 02:26:35 GMT):
@yeousunn you can set EnableNodeOUs: true for PeerOrgs in crypto-config.yaml file

yeousunn (Thu, 09 May 2019 02:29:29 GMT):
Hi @kakali I am not using cryptogen to generate artifacts. I am setting up network using fabric-ca. So far I am able to start orderer and peer using the artifacts generated using fabric-ca-server. Is there any other config where I can check EnableNodeOUs?

kakali (Thu, 09 May 2019 02:45:30 GMT):
ok, you can look at the crypto-config directory that was created by cryptogen; you can find a config.yaml file in the peers directory. Then you can create a config.yaml in your crypto-config directory that was created by fabric-ca

kakali (Thu, 09 May 2019 02:45:37 GMT):
@yeousunn

kakali (Thu, 09 May 2019 02:47:13 GMT):
I fixed this issue by above way

yeousunn (Thu, 09 May 2019 02:47:42 GMT):
do you mean fabric-ca-client-config.yaml? because I don't have any crypto-config directory.

kakali (Thu, 09 May 2019 02:49:41 GMT):
no,

kakali (Thu, 09 May 2019 02:49:41 GMT):
can you speak Chinese?

yeousunn (Thu, 09 May 2019 02:50:15 GMT):
no, I can't :laughing:

kakali (Thu, 09 May 2019 02:50:29 GMT):
oh, my English is very bad

yeousunn (Thu, 09 May 2019 02:50:45 GMT):
ok I think I found it. peers/peer0.org1.example.com/msp/config.yaml

kakali (Thu, 09 May 2019 02:50:54 GMT):
yes

kakali (Thu, 09 May 2019 02:51:31 GMT):
you can edit config.yaml for your crypto-config by fabric-ca

yeousunn (Thu, 09 May 2019 02:51:44 GMT):
so, I make similar config in my msp folder of peer, that is generated by fabric-ca. will try, thank you for help :slight_smile:

kakali (Thu, 09 May 2019 02:52:37 GMT):
you are welcome

kakali (Thu, 09 May 2019 02:53:56 GMT):
If you solve the problem, I want you to tell me to make sure it's the right way, and good luck.

yeousunn (Thu, 09 May 2019 02:54:40 GMT):
yes, will definitely let you know and thank you

kevinkbc (Thu, 09 May 2019 17:30:53 GMT):
Tried to search in old messages and in the documentation, but I did not find the answer yet. Can someone tell me: 1) Can you enroll a user in fabric-ca using a custom certificate? Or do I have to use a custom CA to use custom certificates? 2) If the first option is possible, what are the guidelines for that? 3) Has anyone here used an HSM along with Hyperledger Fabric?

nyet (Thu, 09 May 2019 19:00:49 GMT):
You'll have to be a bit more specific. Initial enrollment is done with a username/password. Subsequent `register`s are done using a certpair obtained during enrollment. Subsequent `enroll`ments are done using passwords obtained on `register`

nyet (Thu, 09 May 2019 19:01:49 GMT):
So technically, there are no certificates used during `enroll`, specifically, although `enroll` retrieves a certificate from the ca-server. So it depends on what you mean by "custom"

siddjain (Thu, 09 May 2019 21:14:50 GMT):
Hello, we are running a ca server with clientauth enabled. we have a node app that needs to communicate with the server. how do we specify the client cert and key in the network-config.yaml file? i.e., this file: https://github.com/hyperledger/fabric-samples/blob/release-1.4/balance-transfer/artifacts/network-config.yaml

yeousunn (Fri, 10 May 2019 00:43:44 GMT):
I found the solution. It was related to Policies in configtx.yaml file. When I removed all the policies from the configtx.yaml. I am able to create channel and join peer. however now I see warning message showing default policies are deprecated, so I guess I have to modify my policies accurately.

adityanalge (Fri, 10 May 2019 21:38:29 GMT):
Has joined the channel.

adityanalge (Fri, 10 May 2019 21:38:30 GMT):
Is there any way to avoid having to write the bootstrap_admin_name and bootstrap_admin_password in plaintext in the fabric-ca-server-config.yaml file here?
```
registry:
  # Maximum number of times a password/secret can be reused for enrollment
  # (default: -1, which means there is no limit)
  maxenrollments: -1

  # Contains identity information which is used when LDAP is disabled
  identities:
    - name: admin
      pass: adminpw
      type: client
      affiliation: ""
      attrs:
        hf.Registrar.Roles: "*"
        hf.Registrar.DelegateRoles: "*"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.GenCRL: true
        hf.Registrar.Attributes: "*"
        hf.AffiliationMgr: true
```

shrivastava.amit (Sat, 11 May 2019 09:34:42 GMT):
Has joined the channel.

mastersingh24 (Sat, 11 May 2019 09:51:22 GMT):
Not currently ... but you can modify the admin pw after starting the server and enrolling the admin user: `fabric-ca-client identity modify admin --secret newsecret`

varunagarwal (Sat, 11 May 2019 10:32:48 GMT):
In this sample https://github.com/IBM/build-blockchain-insurance-app on this lines https://github.com/IBM/build-blockchain-insurance-app/blob/master/docker-images.sh#L64-L68 a peer image is pulled for the different peers in orgs. Now If I add another organization to this, what image or command would there be for the new org-ca in this?

filip.niziol (Sun, 12 May 2019 10:15:28 GMT):
Has joined the channel.

kakali (Mon, 13 May 2019 08:39:58 GMT):
@yeousunn oh, thanks

kakali (Mon, 13 May 2019 08:42:37 GMT):
Can anyone help me? I have this issue when I register a user via the Go SDK in fabric-ca:
```
2019/05/13 08:17:17 [DEBUG] Received request for /cainfo
2019/05/13 08:17:17 [INFO] 172.28.0.1:47926 POST /cainfo 200 0 "OK"
2019/05/13 08:17:17 [DEBUG] Received request for /register
2019/05/13 08:17:17 [DEBUG] Caller is using a x509 certificate
2019/05/13 08:17:17 [DEBUG] Checking for revocation/expiration of certificate owned by 'admin'
2019/05/13 08:17:17 [DEBUG] DB: Get certificate by serial (5d12b5a6c5d017dd641a0f8b09a1055b49b0a86b) and aki (e0a2afd93b6c053b64ca45b2ce81aec1e6588f8d29c4e69fe903547603470bc0)
2019/05/13 08:17:17 [INFO] 172.28.0.1:47926 POST /register 401 30 "Certificate not found with AKI 'e0a2afd93b6c053b64ca45b2ce81aec1e6588f8d29c4e69fe903547603470bc0' and serial '5d12b5a6c5d017dd641a0f8b09a1055b49b0a86b'"
```

nyet (Mon, 13 May 2019 15:45:16 GMT):
That admin is using a certificate that was not enrolled with the ca server.

ownspies (Mon, 13 May 2019 15:45:50 GMT):
Has joined the channel.

ownspies (Mon, 13 May 2019 15:45:54 GMT):
Hello all - I'm going through the process of adding users and have followed a few links but I have a few questions. First off, I don't understand the difference between the `admin:adminpw` user from my Docker Compose files vs the `Admin@mydomain.com` that is created when I run the `crypto-config` command. Is there documentation I can read to better understand the differences / relationship?

nyet (Mon, 13 May 2019 15:46:35 GMT):
`enroll` requires a password, generates a certificate, `register` requires a certificate, generates a password.

ownspies (Mon, 13 May 2019 15:47:05 GMT):
is that directed at me @nyet ?

nyet (Mon, 13 May 2019 15:47:07 GMT):
yes

nyet (Mon, 13 May 2019 15:47:40 GMT):
although you can specify a password for `register` to use

ownspies (Mon, 13 May 2019 15:47:43 GMT):
so that makes sense, but I couldn't `register` a user with `Admin@mydomain.com` ... is that not possible ?

nyet (Mon, 13 May 2019 15:48:04 GMT):
you can register a user, but it requires a cert

ownspies (Mon, 13 May 2019 15:48:06 GMT):
I had to `enroll` the `admin` user, then take the certs for the `admin` user to register a regular user

ownspies (Mon, 13 May 2019 15:48:31 GMT):
Well, I have certs for the `Admin@mydomain.com` but am wondering if that user doesn't have permissions to create other users or something

nyet (Mon, 13 May 2019 15:48:34 GMT):
you can register new users with newly enrolled users if they have permissions for it

nyet (Mon, 13 May 2019 15:48:55 GMT):
yes, likely you did not give permission to enroll new users when you created the admin@domain user.

ownspies (Mon, 13 May 2019 15:49:09 GMT):
the `Admin@domain` user is created by crypto-config

ownspies (Mon, 13 May 2019 15:49:18 GMT):
so I don't have control over it (to my knowledge)

nyet (Mon, 13 May 2019 15:49:22 GMT):
thus it does not exist in the ca-server at all

nyet (Mon, 13 May 2019 15:49:29 GMT):
you cannot use it to register a user in the ca-server

ownspies (Mon, 13 May 2019 15:49:37 GMT):
any idea what the purpose of that user is then ?

nyet (Mon, 13 May 2019 15:49:40 GMT):
this is why you're not supposed to use `cryptogen` in production

nyet (Mon, 13 May 2019 15:49:55 GMT):
its annoying; all of the examples are basically useless for production.

ownspies (Mon, 13 May 2019 15:50:05 GMT):
oh... I didn't know about that fact for cryptogen

ownspies (Mon, 13 May 2019 15:50:15 GMT):
can you point me to docs on how to do this for production ?

ownspies (Mon, 13 May 2019 15:50:27 GMT):
I see this part now ... ` It is mainly meant to be used for testing environment.`

ownspies (Mon, 13 May 2019 15:50:54 GMT):
I wish they stated ` It is mainly meant to be used for testing environment. Please see for details on production setup`

nyet (Mon, 13 May 2019 15:51:42 GMT):
hold on, gathering some links for you

nyet (Mon, 13 May 2019 15:51:48 GMT):
yes I know it is atrocious.

ownspies (Mon, 13 May 2019 15:51:49 GMT):
thx

ownspies (Mon, 13 May 2019 15:52:03 GMT):
I know that `Admin@domain` is being used for TLS mutual auth, which we have enabled

ownspies (Mon, 13 May 2019 15:52:20 GMT):
it's annoying to use `Admin@domain` for TLS auth and `admin` for CA internal auth

ownspies (Mon, 13 May 2019 15:53:08 GMT):
next I need to figure out how to define the affiliations in the `fabric-ca-client affiliation list` command

nyet (Mon, 13 May 2019 15:53:12 GMT):
https://jira.hyperledger.org/browse/FABC-814 https://gerrit.hyperledger.org/r/#/c/29430/ mirrored here: https://github.com/Blockdaemon/fabric-ca/blob/gerrit-pr-29430/docs/source/operations_guide.rst my mailing list posting: https://lists.hyperledger.org/g/fabric/topic/using_fabric_ca_client/30552669

nyet (Mon, 13 May 2019 15:54:42 GMT):
yea i have made a ca-server with three instances

nyet (Mon, 13 May 2019 15:54:50 GMT):
one for TLS, one for the orderer org, one for the peer org

ownspies (Mon, 13 May 2019 15:55:39 GMT):
looks like this stuff is what I need to get started, appreciate the quick responses!

nyet (Mon, 13 May 2019 15:55:56 GMT):
yea I am working on an overall flow document

nyet (Mon, 13 May 2019 15:56:02 GMT):
fwiw i have it all working

ownspies (Mon, 13 May 2019 15:57:58 GMT):
ok, I may be back to see what you've found

adityanalge (Mon, 13 May 2019 22:33:25 GMT):
Can this only be done using the cli or it can also be done using npm packages fabric-client or fabric-ca-client coupled with fabric-node-sdk?

yeousunn (Tue, 14 May 2019 08:48:59 GMT):
Can anyone explain the use of ca-cert.pem and tls-cert.pem? I am thinking both are used for the same thing, the only difference being that ca-cert.pem is used when TLS is disabled and tls-cert.pem when TLS is enabled.

rohithkumar (Tue, 14 May 2019 10:04:33 GMT):
Has joined the channel.

rohithkumar (Tue, 14 May 2019 10:04:58 GMT):
Can the Fabric CA Server be replaced? If it can be replaced, what are the other alternatives?

mauricio (Tue, 14 May 2019 12:55:57 GMT):
Of course, fabric-ca only gives you an easy way to generate certificates; you can replace it with any CA, for example: https://www.verisign.com/, https://www.vaultproject.io/docs/secrets/pki/index.html or any other PKI

smithbk (Tue, 14 May 2019 14:40:49 GMT):
tls-cert.pem is used for TLS certificates at the transport layer and ca-cert.pem is used for enrollment certificates at the application layer

adityanalge (Wed, 15 May 2019 00:14:08 GMT):
In fabric-sdk-nodejs, the user context contains the signingIdentity that is the name of the private key corresponding to the certificate inside the same context. Where does this name come from? How can I get it? And how is it determined?

adityanalge (Wed, 15 May 2019 00:14:36 GMT):
```
{"name":"admin","mspid":"OrdererMSP","roles":null,"affiliation":"","enrollmentSecret":"","enrollment":{"signingIdentity":"72280cfc30f8c4fbbeffa34d83df8150461853c83654e35961ed29de7dab28f5","identity":{"certificate":"-----BEGIN CERTIFICATE-----\nMIIB7DCCAZOgAwIBAgIUYJUKuGOy4zQO/SMmRM6u2ToXfXgwCgYIKoZIzj0EAwIw\najELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFDASBgNVBAoTC0h5\ncGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxHzAdBgNVBAMTFmNhLm9yZGVyZXIu\nZXhhbXBsZS5jb20wHhcNMTkwNTE1MDAwMzAwWhcNMjAwNTE0MDAwODAwWjAhMQ8w\nDQYDVQQLEwZjbGllbnQxDjAMBgNVBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZI\nzj0DAQcDQgAEYkmz6p3QO4ATUSdJbnCZtVz8fUtuqJFwEQLnvx9vkWPbPlc5S0k0\nU1NVXzRwc9dUSneiEERTiArwsw++syHzfqNgMF4wDgYDVR0PAQH/BAQDAgeAMAwG\nA1UdEwEB/wQCMAAwHQYDVR0OBBYEFIzpHhPASwgAs10KSMACO1nlMx1sMB8GA1Ud\nIwQYMBaAFMQvA/ScCSodBbyD5tzLd6+bojzBMAoGCCqGSM49BAMCA0cAMEQCIGZ1\nW5cNknCC2BJvuneMqSRfjjSN7H54pFbDOQ0RO5WPAiB+zF2EvBR7TCPaat9/5rsg\nbL5LaztjjLnyXkJHf/1k4Q==\n-----END CERTIFICATE-----\n"}}}
```

yeousunn (Wed, 15 May 2019 00:36:10 GMT):
Thank you for the reply. When I am using tls-cert.pem to enroll the organization admin, I am getting the message `x509: certificate signed by unknown authority`

rohithkumar (Wed, 15 May 2019 07:14:47 GMT):
Thanks for the update, do you have any tutorial handy for implementation?

nitishbhardwaj19 (Wed, 15 May 2019 15:47:35 GMT):
Hi, I just looked at `SELECT * FROM affiliations;` in the MySQL DB for Fabric-CA. The CA populates the affiliations table with org1 and org2 entries, despite having a different setting in the CA yaml file. My CA yaml has orga and orgb and the departments associated with them. But, as soon as the node sdk connects with the CA to enroll a new user, the affiliations table gets org1 and org2. Is it the expected behavior? Shouldn't it be populated according to the CA settings?

nitishbhardwaj19 (Wed, 15 May 2019 15:48:05 GMT):
Or are we supposed to create affiliations for orgs?

nyet (Wed, 15 May 2019 15:50:16 GMT):
https://jira.hyperledger.org/browse/FABC-160

nitishbhardwaj19 (Wed, 15 May 2019 16:06:20 GMT):
Thanks for sharing this.

lingzhiyu (Thu, 16 May 2019 07:38:29 GMT):
Has joined the channel.

Sreesha (Thu, 16 May 2019 09:39:40 GMT):
In 1.4 release there is no fabric-ca folder

Sreesha (Thu, 16 May 2019 09:40:04 GMT):
does it mean 1.4 doesn't support fabric-ca

Sreesha (Thu, 16 May 2019 09:40:06 GMT):
?

mauricio (Thu, 16 May 2019 12:45:47 GMT):
Fabric CA is an independent project, https://github.com/hyperledger/fabric-ca, and it's also in the 1.4 release

qsmen (Fri, 17 May 2019 01:26:25 GMT):
In the fabric-ca release doc, there are three kinds of id.type = peer, client, user. Other concepts like admin, member and orderer confuse me; how are they related to id.type? The definition of id.type should depend on the functionality of Fabric and the definition of the ACL. Could anyone give some description? I think it is too complex to understand.

qsmen (Fri, 17 May 2019 01:26:33 GMT):
Thank you

qsmen (Fri, 17 May 2019 02:38:30 GMT):
Compared to a permissionless blockchain, fabric is already complex.

qsmen (Fri, 17 May 2019 02:39:57 GMT):
Essentially it is based on PKI x509; conforming to PKI, it should not be so complex.

qsmen (Fri, 17 May 2019 02:41:41 GMT):
Describing clearly role (client, peer and orderer)-based access control and attribute-based access control will be OK.

AbhishekDudhrejia (Fri, 17 May 2019 08:47:56 GMT):
Hey everyone, I'm trying to create a network using fabric-ca as a reference. I have tried following the configuration exactly as it is done in the fabric-ca. However, I'm getting the following error on trying to create a channel using the peer I created. Here is the log from the orderer:
```
Server.Serve failed to complete security handshake from "172.24.0.6:55346": tls: failed to verify client's certificate: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca-org1")
```
And here's the error I get on executing the create channel script:
```
grpc: addrConn.createTransport failed to connect to {orderer-org0:7050 0 }. Err :connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate"
Error: failed to create deliver client: orderer client failed to connect to orderer-org0:7050: failed to create new connection: context deadline exceeded
```
I have checked all the certificates and they seem to be proper. What could be the issue that causes this error?

circlespainter (Sat, 18 May 2019 07:34:30 GMT):
Has joined the channel.

maniankara (Sat, 18 May 2019 13:01:16 GMT):
Has joined the channel.

maniankara (Sat, 18 May 2019 13:02:56 GMT):
Hello guys, does anyone know why nexus repository publishes only `fabric-ca-client` but not `fabric-ca-server` binary? E.g. from here: https://nexus.hyperledger.org/content/repositories/releases/org/hyperledger/fabric-ca/hyperledger-fabric-ca/darwin-amd64-1.4.1/

biksen (Sat, 18 May 2019 13:08:55 GMT):
Hello, I am getting this error:

biksen (Sat, 18 May 2019 13:08:57 GMT):
Initialization failure: Failed to initialize BCCSP Factories: %!s() Could not find default `pkcs11` BCCSP

biksen (Sat, 18 May 2019 13:10:36 GMT):
I checked out the master branch and built the fabric-ca-server binary using the command "GO_TAGS=pkcs11 make fabric-ca-server"

biksen (Sat, 18 May 2019 13:11:12 GMT):
I deleted the old "SW" section and added the below lines:

biksen (Sat, 18 May 2019 13:11:26 GMT):
```
bccsp:
  default: pkcs11
  pkcs11:
    library: /usr/local/lib/softhsm/libsofthsm2.so
    label: MyFirstToken-1
    pin: 12345
    hash: SHA2
    security: 256
    filekeystore:
      # The directory used for the software file-based keystore
      keystore: /home/ubuntu/msp/keystore
```

biksen (Sat, 18 May 2019 13:13:00 GMT):
I deleted and added this in the 'fabric-ca-server-config.yaml' file

biksen (Sat, 18 May 2019 13:13:29 GMT):
I am stuck. Please help

biksen (Sat, 18 May 2019 13:59:15 GMT):
I used the following commands:

biksen (Sat, 18 May 2019 13:59:41 GMT):
git clone https://github.com/hyperledger/fabric-ca.git

biksen (Sat, 18 May 2019 14:00:11 GMT):
GO_TAGS=pkcs11 make fabric-ca-server

biksen (Sat, 18 May 2019 14:00:34 GMT):
fabric-ca-server start -b admin:adminpw --cafiles /home/ubuntu/fabric-ca-server-config.yaml

biksen (Sat, 18 May 2019 14:01:43 GMT):
cd fabric-ca

biksen (Sat, 18 May 2019 14:01:57 GMT):
GO_TAGS=pkcs11 make fabric-ca-server

biksen (Sat, 18 May 2019 14:02:08 GMT):
fabric-ca-server start -b admin:adminpw --cafiles /home/ubuntu/fabric-ca-server-config.yaml

biksen (Sat, 18 May 2019 14:03:14 GMT):
Am I doing anything wrong?

AndresMartinezMelgar.itcl (Sun, 19 May 2019 12:07:27 GMT):
Hello, how can I retrieve a user's info directly from the CA server?

toddinpal (Sun, 19 May 2019 13:37:06 GMT):
@AndresMartinezMelgar.itcl The Fabric-CA APIs are described in this swagger file: https://github.com/hyperledger/fabric-ca/blob/release-1.4/swagger/swagger-fabric-ca.json

toddinpal (Sun, 19 May 2019 13:38:22 GMT):
@AndresMartinezMelgar.itcl From that you can do a GET operation on the /api/v1/identities/{id} endpoint and get the user's info

toddinpal (Sun, 19 May 2019 13:40:39 GMT):
Are there plans to allow the creation of anonymous credentials that don't leak organization unit (OU)? Being able to associate a transaction with an organization leaks a lot of information, especially transaction volumes and rates.

AndresMartinezMelgar.itcl (Sun, 19 May 2019 16:46:42 GMT):
Yes, I know it, but I don't know how to use it ):

branh0913 (Sun, 19 May 2019 22:15:22 GMT):
Has joined the channel.

branh0913 (Sun, 19 May 2019 22:15:23 GMT):
For hyperledger fabric-ca API, what is the desired format for the token headers?

toddinpal (Sun, 19 May 2019 22:40:37 GMT):
@AndresMartinezMelgar.itcl Grab a tool like Swagger UI to play with the APIs. https://swagger.io/tools/swagger-ui/

risc (Mon, 20 May 2019 01:58:43 GMT):
Has joined the channel.

venkycs116 (Mon, 20 May 2019 10:34:00 GMT):
Has joined the channel.

HLFPOC (Mon, 20 May 2019 18:25:17 GMT):
Hi Team, I am trying to enroll user (using node sdk ) from my org's ca, but getting below error : `POST /api/v1/enroll 401 23 "Failed to get user: : scode: 404, code: 63, msg: Failed to get User: sql: no rows in result set"`. However, same enroll method is working fine for different org . Can anyone please suggest what is the issue here ?

stephenman (Tue, 21 May 2019 04:18:25 GMT):
Hi all, may I know if, in the fabric-ca-client register command, the parameter **id.type** can be any free text, e.g. ca123? Is that also correct?

JayJong (Tue, 21 May 2019 07:05:18 GMT):
Hi, does anyone know what software fabric-ca is using to generate the keys and certs? Is it openpgp or gpg? Or is it the go packages?

Nammalvar (Tue, 21 May 2019 07:53:50 GMT):
Has joined the channel.

st (Tue, 21 May 2019 07:55:00 GMT):
Has joined the channel.

st (Tue, 21 May 2019 07:55:32 GMT):
Hi, I am trying to install the fabric-ca and I get the following error

st (Tue, 21 May 2019 07:55:36 GMT):
```
$ go get -u github.com/hyperledger/fabric-ca/cmd/...
package context: unrecognized import path "context" (import path does not begin with hostname)
package plugin: unrecognized import path "plugin" (import path does not begin with hostname)
```

st (Tue, 21 May 2019 07:55:52 GMT):
Can anyone give me some directions what can be wrong?

nitishbhardwaj19 (Tue, 21 May 2019 09:15:56 GMT):
@nyet @gravity @caveman7 Does anyone have any idea about this error? I just *rolled back MYSQL from 5.7 to 5.6* and CA is not able to connect with MYSQL at all. I have checked the host entries in MYSQL for the root user, it has *%*. I am really confused why it's not able to connect:
```
2019/05/18 06:10:10 [DEBUG] Initializing DB
2019/05/18 06:10:10 [DEBUG] Initializing 'mysql' database at '****:****@tcp(ca1st-orgb-db-mysql:3306)/fabriccadb?parseTime=true'
2019/05/18 06:10:10 [DEBUG] Using MySQL database, connecting to database...
2019/05/18 06:10:10 [DEBUG] Database Name: fabriccadb
2019/05/18 06:10:10 [DEBUG] Connecting to MySQL server, using connection string: ****:****@tcp(ca1st-orgb-db-mysql:3306)/?parseTime=true
2019/05/18 06:10:10 [ERROR] Error occurred initializing database: Failed to create user registry for MySQL: Failed to connect to MySQL database: dial tcp: lookup ca1st-orgb-db-mysql on 10.x.x.x:53: server misbehaving
2019/05/18 06:10:10 [DEBUG] Initializing enrollment signer
2019/05/18 06:10:10 [DEBUG] validating configuration
2019/05/18 06:10:10 [DEBUG] validate local profile
2019/05/18 06:10:10 [DEBUG] profile is valid
2019/05/18 06:10:10 [DEBUG] validate local profile
2019/05/18 06:10:10 [DEBUG] profile is valid
2019/05/18 06:10:10 [DEBUG] validate local profile
2019/05/18 06:10:10 [DEBUG] profile is valid
2019/05/18 06:10:10 [DEBUG] CA initialization successful
2019/05/18 06:10:10 [DEBUG] Initializing Idemix issuer...
2019/05/18 06:10:10 [DEBUG] Returning without initializing Idemix issuer for CA 'ca1st-orgb' as the database is not initialized
2019/05/18 06:10:10 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server-config/keyfiles/orgb/ca
2019/05/18 06:10:10 [DEBUG] 1 CA instance(s) running on server
```

Randyshu2018 (Tue, 21 May 2019 09:52:50 GMT):
Hi, why is the private key created by fabric-ca-sdk-java not compatible with fabric-sdk-node? The private key length created by fabric-ca-client is 186 and the other one is 150.

Raja_Sabarish (Tue, 21 May 2019 12:55:01 GMT):
Hello Everyone, I am running `fabric-samples/balance-transfer`. So, while doing a `Login Request` by using the API, I want certain params to be encoded in the certificate of the user itself. The function `getRegisteredUser`, which is in helper.js, contains enrollmentId, Affiliation etc.; along with that I TRIED ADDING `roles` and `attrs` as a JSON array but I don't get the user created successfully.

nyet (Tue, 21 May 2019 15:05:07 GMT):
Looks like you have a resolver issue. `ca1st-orgb-db-mysql` is not resolving to an IP address.

adityanalge (Tue, 21 May 2019 22:46:34 GMT):
Is it possible to get the CA cert from the fabric-ca using fabric-sdk-node? I set a getTlsCACerts() function under fabric-ca-client/lib/CertificateAuthority.js but I do not see a getCACert() function?

AbhishekDudhrejia (Wed, 22 May 2019 04:34:00 GMT):
Hey everyone, I'm trying to create a network using fabric-ca as a reference. I have tried following the configuration exactly as it is done in the fabric-ca. However, I'm getting the following error on trying to create a channel using the peer I created. Here is the log from the orderer:
```
Server.Serve failed to complete security handshake from "172.24.0.6:55346": tls: failed to verify client's certificate: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca-org1")
```
And here's the error I get on executing the create channel script:
```
grpc: addrConn.createTransport failed to connect to {orderer-org0:7050 0 }. Err :connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate"
Error: failed to create deliver client: orderer client failed to connect to orderer-org0:7050: failed to create new connection: context deadline exceeded
```
I have checked all the certificates and they seem to be proper. What could be the issue that causes this error?

AbhishekDudhrejia (Wed, 22 May 2019 04:34:41 GMT):
Can somebody help me with this?

nitishbhardwaj19 (Wed, 22 May 2019 06:11:22 GMT):
@nyet Thanks for replying. I have resolved that but got another error. I have no clue about this.

nitishbhardwaj19 (Wed, 22 May 2019 06:11:37 GMT):
```
2019/05/22 05:30:35 [DEBUG] Initializing enrollment signer
2019/05/22 05:30:35 [DEBUG] validating configuration
2019/05/22 05:30:35 [DEBUG] validate local profile
2019/05/22 05:30:35 [DEBUG] profile is valid
2019/05/22 05:30:35 [DEBUG] validate local profile
2019/05/22 05:30:35 [DEBUG] profile is valid
2019/05/22 05:30:35 [DEBUG] validate local profile
2019/05/22 05:30:35 [DEBUG] profile is valid
2019/05/22 05:30:35 [DEBUG] CA initialization successful
2019/05/22 05:30:35 [DEBUG] Initializing Idemix issuer...
2019/05/22 05:30:35 [DEBUG] Returning without initializing Idemix issuer for CA 'ca1st-orgb' as the database is not initialized
2019/05/22 05:30:35 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server-config/keyfiles/orgb/ca
2019/05/22 05:30:35 [DEBUG] 1 CA instance(s) running on server
2019/05/22 05:30:35 [INFO] Listening on http://0.0.0.0:7054
2019/05/22 05:54:46 [DEBUG] Received request for /api/v1/enroll
2019/05/22 05:54:46 [DEBUG] Initializing DB
2019/05/22 05:54:46 [DEBUG] Initializing 'mysql' database at '****:****@tcp(ca1st-orgb-db-mysql:3306)/fabriccadb?parseTime=true'
2019/05/22 05:54:46 [DEBUG] Using MySQL database, connecting to database...
2019/05/22 05:54:46 [DEBUG] Database Name: fabriccadb
2019/05/22 05:54:46 [DEBUG] Connecting to MySQL server, using connection string: ****:****@tcp(ca1st-orgb-db-mysql:3306)/?parseTime=true
2019/05/22 05:54:46 [DEBUG] Creating MySQL Database (fabriccadb) if it does not exist...
2019/05/22 05:54:46 [DEBUG] Connecting to database 'fabriccadb', using connection string: '****:****@tcp(ca1st-orgb-db-mysql:3306)/fabriccadb?parseTime=true'
2019/05/22 05:54:46 [DEBUG] Creating users table if it doesn't exist
2019/05/22 05:54:46 [DEBUG] Creating affiliations table if it doesn't exist
2019/05/22 05:54:46 [DEBUG] Creating index on 'name' in the affiliations table
2019/05/22 05:54:47 [DEBUG] Creating certificates table if it doesn't exist
2019/05/22 05:54:47 [INFO] 10.240.0.6:24290 POST /api/v1/enroll 500 0 "api/v1/enroll handler failed to initialize DB: Failed to create user registry for MySQL: Failed to create MySQL tables: Error creating certificates table: Error 1067: Invalid default value for 'expiry'"
```
```
ansible-dev@ansible-dev:~$ kubectl run -it --rm --image=mysql:5.7.26 --restart=Never mysql-client -- mysql -h ca1st-orgb-db-mysql -ppassword
If you don't see a command prompt, try pressing enter.
mysql> USE fabriccadb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> SELECT * FROM affiliations;
Empty set (0.00 sec)

mysql> SELECT * FROM affiliations;
Empty set (0.00 sec)
```

nyet (Wed, 22 May 2019 06:15:40 GMT):
Looks like MYSQL doesn't like something in the schema. Does postgres work?

nitishbhardwaj19 (Wed, 22 May 2019 06:20:44 GMT):
haven't tried with POSTGRES yet

nitishbhardwaj19 (Wed, 22 May 2019 06:27:04 GMT):
I expected it to work with MYSQL. I can't use postgres

nyet (Wed, 22 May 2019 06:28:37 GMT):
Then you'll have to try an earlier version of mysql, or maybe edit the schema to fix the TIMESTAMP object defaults and/or open a bug on fabric jira

nyet (Wed, 22 May 2019 06:29:30 GMT):
Or disable NO_ZERO_DATE

nyet (Wed, 22 May 2019 06:31:51 GMT):
https://jira.hyperledger.org/browse/FABC-252

nitishbhardwaj19 (Wed, 22 May 2019 06:35:43 GMT):
Could you please share more information on NO_ZERO_DATE. How to disable it?

nyet (Wed, 22 May 2019 06:36:24 GMT):
I don't have a mysql server offhand. It is a mysql issue not a fabric issue, so if you are familiar with mysql you should be able to find the answer in various mysql documents.

nitishbhardwaj19 (Wed, 22 May 2019 06:36:59 GMT):
Okay, thanks. I will check that

nyet (Wed, 22 May 2019 06:37:16 GMT):
https://dev.mysql.com/doc/refman/5.7/en/sql-mode.html#sqlmode_no_zero_date

nyet (Wed, 22 May 2019 06:38:32 GMT):
Deprecated in 2.7.22; you will likely have to disable strict mode

nitishbhardwaj19 (Wed, 22 May 2019 06:42:21 GMT):
I see, thanks. What if I rollback to 5.6?

nitishbhardwaj19 (Wed, 22 May 2019 06:42:58 GMT):
Fabric CA mentions that 5.7 and later is supported

nyet (Wed, 22 May 2019 06:44:27 GMT):
I have reopened the bug

nyet (Wed, 22 May 2019 06:44:41 GMT):
You can try to change the schema yourself to the items I commented

nyet (Wed, 22 May 2019 06:45:11 GMT):
its in `lib/server/db/mysql/mysql.go`

nyet (Wed, 22 May 2019 06:46:17 GMT):
I would start by disabling strict mode

nyet (Wed, 22 May 2019 06:47:58 GMT):
https://www.linode.com/community/questions/17070/how-can-i-disable-mysql-strict-mode

nitishbhardwaj19 (Wed, 22 May 2019 07:01:25 GMT):
Thanks @nyet That resolved the issue.

nitishbhardwaj19 (Wed, 22 May 2019 07:01:40 GMT):
:)

tehsunnliu (Wed, 22 May 2019 07:06:16 GMT):
Has joined the channel.

AndresMartinezMelgar.itcl (Wed, 22 May 2019 07:37:55 GMT):
Hi, I receive this error when I try to create my 2nd user: `org.hyperledger.fabric_ca.sdk.exception.RegistrationException: Error while registering the user org.app.user.UserContext@bbc31c1 url: http://ca:7054 null`. When I created my 1st, all was OK; 1 second later, when I try to create my 2nd user, I can't because ca-server can't be found. Any idea?

Raumo0 (Wed, 22 May 2019 10:36:35 GMT):
Has joined the channel.

nyet (Wed, 22 May 2019 17:32:06 GMT):
You're very welcome.

anaswar (Thu, 23 May 2019 05:44:16 GMT):
Has joined the channel.

Raumo0 (Thu, 23 May 2019 11:56:52 GMT):
Can someone help me? I'm trying to create a new identity with custom attributes or replace a certificate with new attributes. I work with vscode (ibm blockchain platform extension). If I create an identity from the plugin, then I don't have the ability to set additional parameters in attributes. The priv key, pub key and certificate appear in the plugin directory. I tried to go inside the docker container and there did the following:
```
fabric-ca-client enroll -u http://admin:adminpw@localhost:17054
fabric-ca-client register --id.name user1 --id.secret user1pw --id.type user --id.affiliation org1 --id.attrs 'app1Admin=true:ecert,email=user1@gmail.com,role=builder' -u http://admin:adminpw@localhost:17054
fabric-ca-client identity list -u http://admin:adminpw@localhost:17054
```
The last command tells me about having a new identity, but I did it inside the CA container. Now I do not know how to add the identity to the plugin, since I need to specify the certificate and keys, but I do not know where to get them.

flpautot (Thu, 23 May 2019 14:28:10 GMT):
Has joined the channel.

flpautot (Thu, 23 May 2019 14:28:11 GMT):
Hi guys, I'm trying to build my own version of the CA embedding the PKCS11 support, but I am having some issues

flpautot (Thu, 23 May 2019 14:28:26 GMT):
I'm building the binary from the github 1.4 release with the following command

flpautot (Thu, 23 May 2019 14:28:38 GMT):
GO_TAGS=pkcs11 make fabric-ca-server

flpautot (Thu, 23 May 2019 14:29:02 GMT):
But when I try to launch the binary with the following command "FABRIC_CA_SERVER_BCCSP_DEFAULT=PKCS11 ./bin/fabric-ca-server init -b admin:admin -d"

flpautot (Thu, 23 May 2019 14:29:19 GMT):
I keep having this error :

flpautot (Thu, 23 May 2019 14:29:20 GMT):
2019/05/23 16:26:43 [FATAL] Initialization failure: Failed to initialize BCCSP Factories: %!s() Could not find default `PKCS11` BCCSP

flpautot (Thu, 23 May 2019 14:29:39 GMT):
If you guys would have insight to help me on this that would be great

Raja_Sabarish (Thu, 23 May 2019 14:33:36 GMT):
Hi Everyone! I am trying to set up Hyperledger Fabric with Kafka and I can see the topics getting created for the respective `channels` in the fabric network, but whenever transactions are happening in the network I couldn't see those in my kafka consumer. Below is the docker file attached

Raja_Sabarish (Thu, 23 May 2019 14:36:54 GMT):

docker-compose.txt

Raumo0 (Thu, 23 May 2019 15:54:06 GMT):
Hello! Tell me please, when I use the "fabric-ca-client register" and "fabric-ca-client enroll", I create a new identity, but where can I find the private key, public key and certificates? I want to put this identity in a wallet. Or do I need to create identity in a different way?

nyet (Thu, 23 May 2019 16:31:41 GMT):
FABRIC_CA_HOME or whatever you specified in -H or the default dir (~/.fabric-ca-client but I could be wrong)

nyet (Thu, 23 May 2019 16:33:24 GMT):
https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#fabric-ca-client
```
The Fabric CA client's home directory is determined as follows:
  if the --home command line option is set, use its value
  otherwise, if the FABRIC_CA_CLIENT_HOME environment variable is set, use its value
  otherwise, if the FABRIC_CA_HOME environment variable is set, use its value
  otherwise, if the CA_CFG_PATH environment variable is set, use its value
  otherwise, use $HOME/.fabric-ca-client
```

kn3118 (Thu, 23 May 2019 16:35:43 GMT):
Has joined the channel.

Raumo0 (Thu, 23 May 2019 17:31:33 GMT):
If I understand correctly: My client certificate is stored at (after enroll with my user):
```
/etc/hyperledger/fabric-ca-server/msp/signcerts/cert.pem
```
My private key is stored at:
```
/etc/hyperledger/fabric-ca-server/msp/keystore/_sk
```

nyet (Thu, 23 May 2019 17:34:41 GMT):
yes, where randomdata is the SKI for the public key

Raumo0 (Thu, 23 May 2019 17:39:36 GMT):
thank you very much!

risc (Thu, 23 May 2019 18:38:12 GMT):
Guys, after I create the certs/key for a user, how can I generate the Wallet to be used by the SDK?

nyet (Thu, 23 May 2019 18:52:18 GMT):
How did you create them?

risc (Thu, 23 May 2019 19:54:46 GMT):
using fabric-ca-client enroll/register, I'm able to create the wallet using a NodeJS application, but I was looking to see if there is a way to do this using fabric commands

BhumitSheth (Thu, 23 May 2019 20:06:55 GMT):
Has joined the channel.

nyet (Thu, 23 May 2019 20:43:53 GMT):
Not sure how NodeJS works, but the MSP format should be the same as the one used in fabric-ca-client enroll

mauricio (Fri, 24 May 2019 00:50:21 GMT):
You need to use the `fabric-network` module, then you can import the keys or generate new ones

mauricio (Fri, 24 May 2019 00:56:55 GMT):
You can create a wallet with this code
```
// fabric-network 1.4 API: FileSystemWallet stores identities as files under walletPath
const path = require("path")
const { FileSystemWallet } = require("fabric-network")

const walletPath = path.join("/tmp", "wallet")
const wallet = new FileSystemWallet(walletPath)
```
After that you can use the `wallet.import` method with the user keys https://hyperledger-fabric.readthedocs.io/en/release-1.4/developapps/wallet.html

shrivastava.amit (Fri, 24 May 2019 18:51:32 GMT):
Hi All,

shrivastava.amit (Fri, 24 May 2019 18:52:14 GMT):
How can we configure the CA server to use SHA encoding before sending the password to the LDAP server?

shrivastava.amit (Fri, 24 May 2019 18:52:37 GMT):
I am using OpenDJ, where the user password is getting SHA encoded

shrivastava.amit (Fri, 24 May 2019 18:53:02 GMT):
and the CA is unable to authenticate the user due to a password mismatch

caveman7 (Sat, 25 May 2019 11:46:18 GMT):
hello, can anybody explain what is default signer in context of idemix? i can't seem to find any information about it in idemix docs. i'm trying to interact with chaincode with idemix credentials but received the following error ``` docker exec -e "CORE_PEER_LOCALMSPTYPE=idemix" -e "CORE_PEER_LOCALMSPID=Org1IdemixMSP" -e "CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/User1@org1.example.com" cli peer chaincode query -C channel1 -n chaincode1 -c '{"Args":["query","a"]}' Error: error getting default signer: error obtaining the default signing identity: no default signer setup ```

caveman7 (Sat, 25 May 2019 11:46:18 GMT):
hello, can anybody explain what is default signer in context of idemix and how to issue it against the CA? i can't seem to find any information about it in idemix docs. i'm trying to interact with chaincode with idemix credentials but received the following error ``` docker exec -e "CORE_PEER_LOCALMSPTYPE=idemix" -e "CORE_PEER_LOCALMSPID=Org1IdemixMSP" -e "CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/User1@org1.example.com" cli peer chaincode query -C channel1 -n chaincode1 -c '{"Args":["query","a"]}' Error: error getting default signer: error obtaining the default signing identity: no default signer setup ```

caveman7 (Sat, 25 May 2019 11:46:18 GMT):
hello, can anybody explain what is default signer in context of idemix and how to issue it against the CA? i can't seem to find any information about it in idemix docs. i'm trying to interact with chaincode with idemix credentials but received the following error ``` Error: error getting default signer: error obtaining the default signing identity: no default signer setup ```

caveman7 (Sat, 25 May 2019 11:46:18 GMT):
hello, can anybody explain what is default signer in context of idemix and how to issue it against the CA? i can't seem to find any information about it in idemix docs. i'm trying to interact with chaincode with idemix credentials but received the following error ``` docker exec -e "CORE_PEER_LOCALMSPTYPE=idemix" -e "CORE_PEER_LOCALMSPID=Org1IdemixMSP" -e "CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/User1@org1.example.com" cli peer chaincode query -C channel1 -n chaincode1 -c '{"Args":["query","a"]}' Error: error getting default signer: error obtaining the default signing identity: no default signer setup ```

caveman7 (Sat, 25 May 2019 11:46:18 GMT):
hello, can anybody explain what the default signer is in the context of idemix and how to issue it against the CA? i can't seem to find any information about it in the idemix docs. i'm trying to interact with chaincode with idemix credentials but received the following error
```
docker exec -e "CORE_PEER_LOCALMSPTYPE=idemix" -e "CORE_PEER_LOCALMSPID=Org1IdemixMSP" -e "CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/User1@org1.example.com" cli peer chaincode query -C channel1 -n chaincode1 -c '{"Args":["query","a"]}'
Error: error getting default signer: error obtaining the default signing identity: no default signer setup
```
posted my issue here: https://stackoverflow.com/questions/56312956/no-default-signer-setup-error-when-invoking-transaction-using-idemix-credentia

AbhishekDudhrejia (Wed, 29 May 2019 03:22:26 GMT):
Hey everyone, I'm trying to create a network using CA instead of cryptogen. I have configured the system as it is done in the fabric-ca. However, I'm getting the following error on trying to create a channel using the peer I created. Here is the orderer log:
```
Server.Serve failed to complete security handshake from "172.24.0.6:55346": tls: failed to verify client's certificate: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca-org1")
```
And here's the error I get on executing the create channel script:
```
grpc: addrConn.createTransport failed to connect to {orderer-org0:7050 0 }. Err :connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate"
Error: failed to create deliver client: orderer client failed to connect to orderer-org0:7050: failed to create new connection: context deadline exceeded
```
I have checked all the certificates and I think they are in order. What could be the issue that causes this error?

mastersingh24 (Wed, 29 May 2019 09:19:14 GMT):
Are you running with client TLS enabled?

mastersingh24 (Wed, 29 May 2019 09:19:47 GMT):
You can only use the Java SDK when using IdeMix

vtech (Wed, 29 May 2019 12:45:19 GMT):
vtech (Wed, 29 May 2019 12:45:19 GMT):
Hi Experts, I have a root fabric-ca (2.0.0-snapshot-b54051a) running in a docker container with softhsm installed; now, while starting the intermediate CA server (from another docker container), it throws the error below. Intermediate server logs:
```
...
[DEBUG] Initializing client with config: &{URL:https://rca-example.com:7054 MSPDir: TLS:{Enabled:true CertFiles:[/data/example.com-ca-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name:rca-example.com-admin Secret:**** CAName: AttrReqs:[] Profile:ca Label: CSR:&{ [{US North Carolina Hyperledger Fabric }] [ica-example.com] 0xc00032f360 0xc00032f3e0 } Type:x509 } CSR:{CN: Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[ica-example.com] KeyRequest:0xc00032f360 CA:0xc00032f3e0 SerialNumber:} ID:{Name: Type: Secret: MaxEnrollments:0 Affiliation: Attributes:[] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc00036bf20 Debug:false LogLevel:}
...
[FATAL] Initialization failure: POST failure of request: POST https://rca-example.com:7054/enroll Post https://rca-example.com:7054/enroll: x509: certificate signed by unknown authority
```
/data/example.com-ca-cert.pem is the certificate from the root-ca server. Root server log:
```
http: TLS handshake error from 172.19.0.7:40209: EOF
http: TLS handshake error from 172.19.0.7:36442: remote error: tls: bad certificate
```
Can somebody please advise?

RodrigoMedeiros (Wed, 29 May 2019 17:11:39 GMT):
Has joined the channel.

nyet (Wed, 29 May 2019 20:53:03 GMT):
https://jira.hyperledger.org/browse/FABC-837 affects statsd as well

mastersingh24 (Thu, 30 May 2019 07:24:30 GMT):
Most likely you need to pass the filename for the root CA which signed the TLS cert being used by the parent CA via the `--intermediate.tls.certfiles` flag when starting the intermediate server

donjon (Thu, 30 May 2019 09:41:10 GMT):
Has joined the channel.

vtech (Thu, 30 May 2019 12:48:33 GMT):
Thanks. I am already passing the CA certificate from the root CA and it is available to the intermediate CA during start. Also, when I tried the same configuration without HSM it works fine. Is there any additional configuration required for TLS with HSM?

Antimttr (Thu, 30 May 2019 14:54:52 GMT):
why does the fabric ca have so many different definitions of name, very confusing

Antimttr (Thu, 30 May 2019 14:55:12 GMT):
so there's the network config:
```
certificateAuthorities:
  ca-org1:
    url: https://localhost:7054
    # the properties specified under this object are passed to the 'http' client verbatim when
    # making the request to the Fabric-CA server
    httpOptions:
      verify: false
    tlsCACerts:
      path: artifacts/channel/crypto-config/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem
    # Fabric-CA supports dynamic user enrollment via REST APIs. A "root" user, a.k.a registrar, is
    # needed to enroll and invoke new users.
    registrar:
      - enrollId: admin
        enrollSecret: adminpw
    # [Optional] The optional name of the CA.
    caName: caorg1
```

Antimttr (Thu, 30 May 2019 14:55:30 GMT):
so far there's ca-org1, that's a name, then there's an "optional" name caorg1

Antimttr (Thu, 30 May 2019 14:56:02 GMT):
then in cryptogen there's another one
```
# ---------------------------------------------------------------------------
# Org2: See "Org1" for full specification
# ---------------------------------------------------------------------------
- Name: Org2
  Domain: org2.example.com
  CA:
    Hostname: ca # implicitly ca.org1.example.com
```

Antimttr (Thu, 30 May 2019 14:56:11 GMT):
hostname different from both of the previous names

Antimttr (Thu, 30 May 2019 14:56:31 GMT):
then in docker compose there are 3 different names in use:

Antimttr (Thu, 30 May 2019 14:56:36 GMT):
```
ca.org1.example.com:
  image: hyperledger/fabric-ca
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_CA_NAME=ca-org1
    - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
    - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/0e729224e8b3f31784c8a93c5b8ef6f4c1c91d9e6e577c45c33163609fe40011_sk
    - FABRIC_CA_SERVER_TLS_ENABLED=true
    - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
    - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/0e729224e8b3f31784c8a93c5b8ef6f4c1c91d9e6e577c45c33163609fe40011_sk
  ports:
    - "7054:7054"
  command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
  volumes:
    - ./channel/crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
  container_name: ca_peerOrg1
```

Antimttr (Thu, 30 May 2019 14:57:06 GMT):
so it uses the hostname (this time fqdn hostname) then it has ca server ca name, ca-org1, then container name ca-peerOrg1

Antimttr (Thu, 30 May 2019 14:57:19 GMT):
what happens if you just call all of them caorg1

Antimttr (Thu, 30 May 2019 15:05:10 GMT):
is the "optional" name an alias for the actual name?

Antimttr (Thu, 30 May 2019 15:05:51 GMT):
the only place i see the optional name in use is the network config org section:
```
# [Optional]. Certificate Authorities issue certificates for identification purposes in a Fabric based
# network. Typically certificates provisioning is done in a separate process outside of the
# runtime network. Fabric-CA is a special certificate authority that provides a REST APIs for
# dynamic certificate management (enroll, revoke, re-enroll). The following section is only for
# Fabric-CA servers.
certificateAuthorities:
  - caorg1
```

Antimttr (Thu, 30 May 2019 15:06:07 GMT):
so i could put ca-org1 there instead?

Antimttr (Thu, 30 May 2019 15:06:09 GMT):
or not?

Antimttr (Thu, 30 May 2019 15:06:24 GMT):
if not, it doesn't seem very optional in that case

nyet (Thu, 30 May 2019 20:43:31 GMT):
i can answer some of that. `FABRIC_CA_SERVER_CA_NAME` and `caname:` and `ca: name:` (in env, fabric-ca-client.yaml, fabric-ca-server.yaml) all refer to the instance of the CA server, since more than one instance can be running in the same docker container

nyet (Thu, 30 May 2019 20:44:28 GMT):
`certificateAuthorities:` for a HLF client generally means a hostname, NOT an instance name.

Antimttr (Thu, 30 May 2019 20:45:18 GMT):
i guess the thing throwing me off the most is the difference between the ca-org1 and caorg1

Antimttr (Thu, 30 May 2019 20:45:30 GMT):
i understand the container name would need to be different

nyet (Thu, 30 May 2019 20:45:31 GMT):
what file is that last one from

nyet (Thu, 30 May 2019 20:45:35 GMT):
no its NOT the container name

nyet (Thu, 30 May 2019 20:45:41 GMT):
for sure

Antimttr (Thu, 30 May 2019 20:45:51 GMT):
the last one is from network-config.yaml

nyet (Thu, 30 May 2019 20:45:57 GMT):
well unless the container name is a hostname

Antimttr (Thu, 30 May 2019 20:46:13 GMT):
this is all from balance-transfer

nyet (Thu, 30 May 2019 20:46:20 GMT):
(e.g. you are contacting the ca-server in the same docker network)

Antimttr (Thu, 30 May 2019 20:46:22 GMT):
and none of those names are the hostname

Antimttr (Thu, 30 May 2019 20:46:29 GMT):
the hostname is defined only as: ca

nyet (Thu, 30 May 2019 20:46:55 GMT):
I gave up on all the examples, since they're mostly useless for a real deployment :(

nyet (Thu, 30 May 2019 20:47:16 GMT):
they're all "put everything in a single docker network using certs from cryptogen"

Antimttr (Thu, 30 May 2019 20:48:29 GMT):
how are you generating your certs and crypto material?

nyet (Thu, 30 May 2019 20:48:53 GMT):
self-signed CAs on the ca-server, everything else with register/enroll

Antimttr (Thu, 30 May 2019 20:49:08 GMT):
you're using fabric-ca?

nyet (Thu, 30 May 2019 20:49:25 GMT):
fabric-ca-server

nyet (Thu, 30 May 2019 20:49:33 GMT):
and fabric-ca-client

Antimttr (Thu, 30 May 2019 20:52:16 GMT):
fabric-ca-server runs in a docker node iirc

nyet (Thu, 30 May 2019 20:52:47 GMT):
pointless if peer and orderer run in the same docker env

nyet (Thu, 30 May 2019 20:52:48 GMT):
:)

Antimttr (Thu, 30 May 2019 20:53:04 GMT):
how come?

nyet (Thu, 30 May 2019 20:53:24 GMT):
because no real deployment will put peer and orderer and ca-server on the same docker instance

Antimttr (Thu, 30 May 2019 20:53:50 GMT):
is that due to security concerns?

nyet (Thu, 30 May 2019 20:53:52 GMT):
i mean no matter what, it runs in a docker container generally, but in prod it's pointless to run alongside peer/orderers

Antimttr (Thu, 30 May 2019 20:54:11 GMT):
or fault tolerance

nyet (Thu, 30 May 2019 20:54:17 GMT):
if you have multiple organizations (or even the same one running peers) how on earth would you deploy it in the same docker env?

nyet (Thu, 30 May 2019 20:54:24 GMT):
distributed geographically

Antimttr (Thu, 30 May 2019 20:55:05 GMT):
i'm writing the "join an org to the hyperledger" implementation for my client right now

nyet (Thu, 30 May 2019 20:55:27 GMT):
and if you don't want to run a peer on the same physical vm?

Antimttr (Thu, 30 May 2019 20:55:29 GMT):
i was thinking i'd just generate docker or kube config files then let the user dl them and stick them wherever they want

nyet (Thu, 30 May 2019 20:55:30 GMT):
or orderer?

nyet (Thu, 30 May 2019 20:55:41 GMT):
no i'm talking about the demos

nyet (Thu, 30 May 2019 20:55:59 GMT):
where they all run alongside each other and share a filesystem with cryptogen files

nyet (Thu, 30 May 2019 20:56:04 GMT):
in the same docker env

Antimttr (Thu, 30 May 2019 20:56:07 GMT):
yeah the demos seem to be aimed at devs which are using single machines

nyet (Thu, 30 May 2019 20:57:32 GMT):
and you can't really load balance peers in k8s, they are all stateful and all have separate creds

nyet (Thu, 30 May 2019 20:57:45 GMT):
so they can't have the same endpoint address

nyet (Thu, 30 May 2019 20:57:58 GMT):
and endorsements won't work if they all have the same creds

nyet (Thu, 30 May 2019 20:58:13 GMT):
and you can't load balance orderers that way either, it requires 1.4.1 raft

nyet (Thu, 30 May 2019 20:58:20 GMT):
which also can't be horizontally scaled in k8s

Antimttr (Thu, 30 May 2019 20:58:44 GMT):
right i was thinking about just making enough peers with different roles that would be effectively fault tolerant

nyet (Thu, 30 May 2019 20:58:45 GMT):
in theory you can HA/load balance a ca-server but that seems pretty excessive

Antimttr (Thu, 30 May 2019 20:58:54 GMT):
without actually doing an HA setup/cluster

nyet (Thu, 30 May 2019 20:59:14 GMT):
basically all of the k8s cluster stuff isn't applicable to blockchain, its really only for web services

nyet (Thu, 30 May 2019 20:59:26 GMT):
(aside from ease of launching a pod vs vm)

Antimttr (Thu, 30 May 2019 20:59:33 GMT):
so you think it's a waste to try and migrate to k8 vs docker?

nyet (Thu, 30 May 2019 20:59:49 GMT):
k8s replaces vms so thats useful

Antimttr (Thu, 30 May 2019 20:59:59 GMT):
that's interesting, i've had other people say that k8 is the only way to go

nyet (Thu, 30 May 2019 21:00:00 GMT):
other than that, no not really

nyet (Thu, 30 May 2019 21:00:15 GMT):
shrug. they are thinking stateless web services

nyet (Thu, 30 May 2019 21:00:19 GMT):
or they just like the buzzword

nyet (Thu, 30 May 2019 21:00:34 GMT):
OR they want better way to manage multiple vms

nyet (Thu, 30 May 2019 21:00:51 GMT):
just my 2 cents

Antimttr (Thu, 30 May 2019 21:00:54 GMT):
yeah the guy i talked to was talking about management and deployment iirc

nyet (Thu, 30 May 2019 21:01:05 GMT):
hell i think containers are dumb for statically linked go binaries, but I'm apparently in the minority

nyet (Thu, 30 May 2019 21:01:19 GMT):
they're literally totally self contained as is

Antimttr (Thu, 30 May 2019 21:01:56 GMT):
yeah it was an interesting design decision to use docker for all the actual nodes

nyet (Thu, 30 May 2019 21:01:59 GMT):
"lets launch a vm for a statically linked binary that has its own vm and no library dependencies"

Antimttr (Thu, 30 May 2019 21:02:03 GMT):
vs native binaries

nyet (Thu, 30 May 2019 21:02:11 GMT):
well thats the way of the world for deployment

nyet (Thu, 30 May 2019 21:02:24 GMT):
whether or not it makes sense, it is universally understood

Antimttr (Thu, 30 May 2019 21:02:25 GMT):
right seems like they wanted to focus on doing this in clouds

Antimttr (Thu, 30 May 2019 21:05:34 GMT):
well k8 just adds a whole new level of complexity to my deployment that i wasn't looking forward to dealing with

Antimttr (Thu, 30 May 2019 21:06:02 GMT):
i might just stick with docker for now, generate some sort of archive package and have the user dl it and then they set their dockers up with that wherever they want

Antimttr (Thu, 30 May 2019 21:06:50 GMT):
afaict a peer will just need its ca's public cert, and its own cryptographic artifacts in order to run

Antimttr (Thu, 30 May 2019 21:07:21 GMT):
and near as i can tell the network-config.yaml file isn't referenced by any of the nodes anywhere, it simply seems to be for the client to get the info it needs

nyet (Thu, 30 May 2019 21:25:13 GMT):
peer also needs an admincert

nyet (Thu, 30 May 2019 21:25:30 GMT):
so when you enroll an admin you need a way to get that key to the admincerts/ dir on the peer

nyet (Thu, 30 May 2019 21:25:50 GMT):
orderer needs all kinds of crap too. it can't start w/o a genesis block

nyet (Thu, 30 May 2019 21:25:56 GMT):
you can't generate a genesis block w/o admin creds

nyet (Thu, 30 May 2019 21:26:34 GMT):
NONE of this is really documented well anywhere, since all the examples just use cryptogen and assume all creds are made up front, INCLUDING client creds.

Antimttr (Thu, 30 May 2019 21:26:48 GMT):
you can encode the gen. block in a protobuffer though and distribute it with that

Antimttr (Thu, 30 May 2019 21:26:50 GMT):
if i'm not mistaken

Antimttr (Thu, 30 May 2019 21:27:00 GMT):
if you already have it that is

nyet (Thu, 30 May 2019 21:27:24 GMT):
yes but you can't launch an orderer w/o that gen block

nyet (Thu, 30 May 2019 21:27:35 GMT):
which means you can't launch an orderer until you have client creds generated

nyet (Thu, 30 May 2019 21:28:01 GMT):
assuming you don't want to create the creds on the node itself, you need to transfer either the cred or the gen block to the node before you can start the orderer

Antimttr (Thu, 30 May 2019 21:29:48 GMT):
yeah i wanted to keep my ordering setup as simple as possible

Antimttr (Thu, 30 May 2019 21:29:55 GMT):
one org doing ordering with a HA cluster

nyet (Thu, 30 May 2019 21:30:35 GMT):
you mean 1.4.1 raft?

Antimttr (Thu, 30 May 2019 21:30:35 GMT):
but my application is going to be very top down. clients are simply going to access everything through a webapp which will talk to the client via a restful api

Antimttr (Thu, 30 May 2019 21:30:47 GMT):
yeah, which for some reason is called etcdraft ?

nyet (Thu, 30 May 2019 21:30:51 GMT):
yea

Antimttr (Thu, 30 May 2019 21:30:57 GMT):
not sure why the name is different :P

nyet (Thu, 30 May 2019 21:30:58 GMT):
its RAFT using etcd

nyet (Thu, 30 May 2019 21:31:07 GMT):
it was kafka before :)

Antimttr (Thu, 30 May 2019 21:31:25 GMT):
yeah, i finally found an example of setting up raft in first-network

Antimttr (Thu, 30 May 2019 21:31:29 GMT):
had to dig to find that

nyet (Thu, 30 May 2019 21:31:45 GMT):
that's still on my todo list, right now the PoC is single orderer :/

Antimttr (Thu, 30 May 2019 21:32:07 GMT):
fortunately it looks much more straightforward than kafka

yacovm (Thu, 30 May 2019 21:32:42 GMT):
yes. Raft is a big boy, it can manage itself

Antimttr (Thu, 30 May 2019 21:32:56 GMT):
seems like it would be a good idea to create some sort of file distribution back channel i could use to push out certs and config changes to the docker vms i need to

Antimttr (Thu, 30 May 2019 21:34:43 GMT):
that way i won't have the chicken and the egg issue (hopefully)

nyet (Thu, 30 May 2019 21:40:52 GMT):
you can also pull certs from the ca-server

nyet (Thu, 30 May 2019 21:41:11 GMT):
so you tell the orderer vm to pull pub for admin@org

nyet (Thu, 30 May 2019 21:41:18 GMT):
create the genesis block

nyet (Thu, 30 May 2019 21:41:21 GMT):
launch the orderer

nyet (Thu, 30 May 2019 21:41:59 GMT):
same with peer.. pull the cert, put it in admincerts. @yacovm somebody claimed peer doesn't have to be restarted if a cert is added to `admincerts/` but i've found that not to be the case.

yacovm (Thu, 30 May 2019 21:42:19 GMT):
it has to be restarted, lol

yacovm (Thu, 30 May 2019 21:42:25 GMT):
the local MSP loads it upon startup

nyet (Thu, 30 May 2019 21:42:29 GMT):
which is crazy, using, say, ssh `authorized_keys` as a model

yacovm (Thu, 30 May 2019 21:42:37 GMT):
what is crazy?

nyet (Thu, 30 May 2019 21:42:45 GMT):
forcing it to restart :)

yacovm (Thu, 30 May 2019 21:42:53 GMT):
it's not that there is some "model"

yacovm (Thu, 30 May 2019 21:43:10 GMT):
it's just no one cares enough to support dynamic MSP updates

yacovm (Thu, 30 May 2019 21:43:12 GMT):
there is a JIRA for it

Antimttr (Thu, 30 May 2019 21:43:13 GMT):
another way i could do it

yacovm (Thu, 30 May 2019 21:43:16 GMT):
but no one works on it

Antimttr (Thu, 30 May 2019 21:43:21 GMT):
is since i store all my certs on my client

nyet (Thu, 30 May 2019 21:43:25 GMT):
give me the JIRA ill put it on my list

Antimttr (Thu, 30 May 2019 21:43:29 GMT):
i could simply distribute it via the client

nyet (Thu, 30 May 2019 21:43:33 GMT):
i have a list of things to fix believe it or not :)

Antimttr (Thu, 30 May 2019 21:43:41 GMT):
have an api call that pushes via sftp or something

nyet (Thu, 30 May 2019 21:43:48 GMT):
once this launch is done i will try to work through them

yacovm (Thu, 30 May 2019 21:43:57 GMT):
FWIW - @nyet I even made our TLS server support dynamic certificate updates

yacovm (Thu, 30 May 2019 21:44:04 GMT):
but nothing makes it trigger currently

yacovm (Thu, 30 May 2019 21:44:09 GMT):
but in theory it works!

nyet (Thu, 30 May 2019 21:44:15 GMT):
that is awesome, that annoys me too

nyet (Thu, 30 May 2019 21:44:28 GMT):
just about every damn tls server has to be restarted when certs change

yacovm (Thu, 30 May 2019 21:44:34 GMT):
as for the MSP JIRA - let me search

yacovm (Thu, 30 May 2019 21:45:02 GMT):
https://jira.hyperledger.org/browse/FAB-3167

Antimttr (Thu, 30 May 2019 21:46:04 GMT):
@yacovm do you know the difference or the logic behind having the two different ca names? like in balance-transfer there's a caorg1 and then there's ca-org1

Antimttr (Thu, 30 May 2019 21:46:14 GMT):
i can't for the life of me figure out why they need to be different

yacovm (Thu, 30 May 2019 21:46:35 GMT):
you should have a TLS CA and an enrollment CA

nyet (Thu, 30 May 2019 21:46:43 GMT):
@yacovm excellent thanks, watching it.

Antimttr (Thu, 30 May 2019 21:47:09 GMT):
@yacovm but those two names are for the same ca!

Antimttr (Thu, 30 May 2019 21:47:16 GMT):
just different places in the config

yacovm (Thu, 30 May 2019 21:47:45 GMT):
i don't know

yacovm (Thu, 30 May 2019 21:47:50 GMT):
don't use the balance transfer

yacovm (Thu, 30 May 2019 21:48:02 GMT):
it has been marked for deconstruction i think

Antimttr (Thu, 30 May 2019 21:48:11 GMT):
oh really?

yacovm (Thu, 30 May 2019 21:48:12 GMT):
but i don't maintain fabric-samples anymore. i opted out.

Antimttr (Thu, 30 May 2019 21:48:12 GMT):
lovely

Antimttr (Thu, 30 May 2019 21:48:21 GMT):
who does maintain it if you don't mind me asking?

Antimttr (Thu, 30 May 2019 21:48:31 GMT):
there's not like a channel for it here or anything that i've found

yacovm (Thu, 30 May 2019 21:49:05 GMT):
https://github.com/hyperledger/fabric-samples/blob/master/MAINTAINERS.md

Antimttr (Thu, 30 May 2019 21:49:08 GMT):
i liked it because it had a full client written for it so that was very helpful to get me started

Antimttr (Thu, 30 May 2019 21:50:39 GMT):
harrison and enyeart, those are the two i know of, i see them on here

yacovm (Thu, 30 May 2019 21:50:59 GMT):
yes, sadly not many developers roam here.

nyet (Thu, 30 May 2019 21:51:18 GMT):
dare I ask where they do roam

yacovm (Thu, 30 May 2019 21:51:42 GMT):
who?

yacovm (Thu, 30 May 2019 21:51:47 GMT):
the fabric developers?

nyet (Thu, 30 May 2019 21:51:49 GMT):
yea

Antimttr (Thu, 30 May 2019 21:51:58 GMT):
the halls of ibm?

Antimttr (Thu, 30 May 2019 21:51:59 GMT):
lol

nyet (Thu, 30 May 2019 21:52:01 GMT):
:/

yacovm (Thu, 30 May 2019 21:52:06 GMT):
hell

nyet (Thu, 30 May 2019 21:52:12 GMT):
grin

Antimttr (Thu, 30 May 2019 21:58:53 GMT):
so there's no actual configuration difference between a tls-ca and an enrollment CA, correct? it's just one you send enrollment requests to and the other you don't, or am i mistaken?

nyet (Thu, 30 May 2019 21:59:08 GMT):
ideally you'd run separate instances for each

nyet (Thu, 30 May 2019 21:59:12 GMT):
because the signing key is different

nyet (Thu, 30 May 2019 21:59:16 GMT):
or should be

Antimttr (Thu, 30 May 2019 21:59:26 GMT):
but it's different for all unique ca's, right?

Antimttr (Thu, 30 May 2019 21:59:31 GMT):
no ca is going to use the cert of another ca

nyet (Thu, 30 May 2019 21:59:33 GMT):
esp if you have a separate TLS key you use for outside the fabric network

nyet (Thu, 30 May 2019 21:59:39 GMT):
correct

nyet (Thu, 30 May 2019 21:59:49 GMT):
i have 3 instances in my ca-server , tls, peer org, orderer org

nyet (Thu, 30 May 2019 22:00:02 GMT):
they all have a separate self signed key pair for each purpose

Antimttr (Thu, 30 May 2019 22:00:04 GMT):
right

nyet (Thu, 30 May 2019 22:00:27 GMT):
in theory, the tls key pair can be used by non-fabric things

Antimttr (Thu, 30 May 2019 22:00:46 GMT):
right, like for a website or something

nyet (Thu, 30 May 2019 22:00:50 GMT):
so you can share tls infrastructure across your network

nyet (Thu, 30 May 2019 22:00:53 GMT):
yep

Antimttr (Thu, 30 May 2019 22:01:08 GMT):
but it better be signed by a real ca authority if you want to use it on a website

nyet (Thu, 30 May 2019 22:01:17 GMT):
you can also do it via intermediate certs

nyet (Thu, 30 May 2019 22:01:22 GMT):
yes

nyet (Thu, 30 May 2019 22:01:40 GMT):
have one root cert, and an intermediate cert for each of tls, ... orgs

nyet (Thu, 30 May 2019 22:01:53 GMT):
i opted to keep them entirely separate since they're all self signed anyway

Antimttr (Thu, 30 May 2019 22:02:01 GMT):
right

Antimttr (Thu, 30 May 2019 22:02:42 GMT):
i'd prefer to keep it all self signed since it's not an issue with browsers rejecting the key for hyperledger, and that way the keys are entirely in my control

Antimttr (Thu, 30 May 2019 22:03:02 GMT):
don't have to go through 3rd parties, and pay them for different certs or more certs

Antimttr (Thu, 30 May 2019 22:03:54 GMT):
i always thought the cert business was/is a bit of a racket

Antimttr (Thu, 30 May 2019 22:04:24 GMT):
but then again unless you charge for it, the potential for abuse skyrockets

Antimttr (Thu, 30 May 2019 22:04:36 GMT):
although letsencrypt doesn't, so maybe that's a fallacy

nyet (Thu, 30 May 2019 22:04:46 GMT):
well you can't get intermediate certs from LE

nyet (Thu, 30 May 2019 22:04:57 GMT):
and w/o those, it's sort of useless for scaling

Antimttr (Thu, 30 May 2019 22:05:26 GMT):
right,

Randyshu2018 (Fri, 31 May 2019 08:49:46 GMT):
anyone know this problem when using an intermediate CA to sign a CA certificate: 'local signer certificate disallows issuing CA certificate'

VipinB (Fri, 31 May 2019 08:59:56 GMT):
Is the code for the fabric-ca ldap connector open source and in github?

VipinB (Fri, 31 May 2019 11:44:01 GMT):
I see the implementation in go https://github.com/hyperledger/fabric-ca/blob/aaee55f5a85767e78125fdab9e301d9319038515/lib/server/ldap/client.go.

Raumo0 (Sun, 02 Jun 2019 23:00:43 GMT):
Can someone tell me the work of the identity-private key-certificate mechanism? I can change certificates, but if I lose my private key, can I reassign the new private key to my identity? It seems to me impossible, but this feature is very important in the business process.

nyet (Mon, 03 Jun 2019 01:31:30 GMT):
not if you mean "public key" by "identity". Whatever your business "process" is, it needs to be adapted to work with pki

vtech (Mon, 03 Jun 2019 04:57:16 GMT):
@mastersingh24 any thoughts on this please ?

vtech (Mon, 03 Jun 2019 06:16:28 GMT):
See if this helps or send out your configuration https://stackoverflow.com/questions/48828189/intermediate-server-enrollment-issue-local-signer-policy-disallows-issuing-ca-c

Raumo0 (Mon, 03 Jun 2019 07:18:27 GMT):
If I understand correctly: My client certificate is stored at (after enroll with my user): `/etc/hyperledger/fabric-ca-server/msp/signcerts/cert.pem`. My private key is stored at: `/etc/hyperledger/fabric-ca-server/msp/keystore/_sk`

Randyshu2018 (Mon, 03 Jun 2019 08:00:03 GMT):
Thank you, I have fixed this problem

Randyshu2018 (Mon, 03 Jun 2019 08:00:49 GMT):
by setting env FABRIC_CA_SERBER_CA_PATHLENGTH=2

Randyshu2018 (Mon, 03 Jun 2019 08:00:49 GMT):
by setting env FABRIC_CA_SERVER_SIGNING_PROFILES_CA_CACONSTRAINT_MAXPATHLEN=2

Randyshu2018 (Mon, 03 Jun 2019 08:02:07 GMT):
any idea about 'too many intermediates for path length constraint' ?

mastersingh24 (Mon, 03 Jun 2019 10:00:38 GMT):
```
# The pathlength field is used to limit CA certificate hierarchy as described
# in section 4.2.1.9 of RFC 5280.
# Examples:
# 1) No pathlength value means no limit is requested.
# 2) pathlength == 1 means a limit of 1 is requested which is the default for
#    a root CA. This means the root CA can issue intermediate CA certificates,
#    but these intermediate CAs may not in turn issue other CA certificates
#    though they can still issue end entity certificates.
# 3) pathlength == 0 means a limit of 0 is requested;
#    this is the default for an intermediate CA, which means it can not issue
#    CA certificates though it can still issue end entity certificates.
```

Rajatsharma (Mon, 03 Jun 2019 10:09:27 GMT):
Has joined the channel.

Rajatsharma (Mon, 03 Jun 2019 10:09:28 GMT):
We can enroll an identity using the SDK and the CLI, so does that mean I can create 2 certificates for the same user? I had this question because we enroll an admin using the CLI as well as the SDK, so does this mean I'm able to create 2 certificates for a single identity?

mastersingh24 (Mon, 03 Jun 2019 10:33:00 GMT):
Yes ... if you want to limit the number of times a user can enroll, then set max enrollments when registering the user

Rajatsharma (Mon, 03 Jun 2019 10:33:59 GMT):
No my question is can any entity have 2 certificates at a time.

mastersingh24 (Mon, 03 Jun 2019 10:35:06 GMT):
that's what I answered ... if you don't limit the number of enrollments then a user can have as many certificates up to the max enrollment limit (which is unlimited by default)

Rajatsharma (Mon, 03 Jun 2019 10:44:22 GMT):
Got your point, Thanks !!!

Randyshu2018 (Mon, 03 Jun 2019 11:16:28 GMT):
I had seen this, but I'm still confused by it.

Randyshu2018 (Mon, 03 Jun 2019 11:21:38 GMT):

Clipboard - June 3, 2019 7:17 PM

mastersingh24 (Mon, 03 Jun 2019 11:22:26 GMT):
coolio ;)

mastersingh24 (Mon, 03 Jun 2019 11:23:32 GMT):
Hmm ....

mastersingh24 (Mon, 03 Jun 2019 11:26:27 GMT):
So let's say you want: rootCA to issue intermediateCA1, and intermediateCA1 to issue intermediateCA2.
If pathlen = 1, this will fail because it means that the length of the chain can only be 1 (which would be rootCA).
If pathlen = 2, this will work because the length of the chain for intermediateCA2 is 2: rootCA, intermediateCA1

Randyshu2018 (Mon, 03 Jun 2019 11:46:58 GMT):

Clipboard - June 3, 2019 7:46 PM

mastersingh24 (Mon, 03 Jun 2019 11:49:56 GMT):
there's a typo in the variable "B" instead of "V"

Randyshu2018 (Mon, 03 Jun 2019 11:56:04 GMT):
Error still exists after correcting the above env variable.

mastersingh24 (Mon, 03 Jun 2019 11:57:40 GMT):
`FABRIC_CA_SERVER_CSR_CA_PATHLENGTH`

mastersingh24 (Mon, 03 Jun 2019 11:58:15 GMT):
I personally prefer to use a config file but the above variable should work

Randyshu2018 (Mon, 03 Jun 2019 11:59:53 GMT):
I changed root-ca, intermediateca1 and intermediateca2's env variables.

mastersingh24 (Mon, 03 Jun 2019 12:15:20 GMT):
You are missing `CSR` in your variable

Randyshu2018 (Mon, 03 Jun 2019 12:21:32 GMT):

Clipboard - June 3, 2019 8:20 PM

Randyshu2018 (Mon, 03 Jun 2019 13:21:52 GMT):
`fabric-ca-server init -b admin:adminpw --home ./rootca --loglevel debug --csr.ca.pathlength 2`

Randyshu2018 (Mon, 03 Jun 2019 13:24:11 GMT):
:joy: Now it's OK, thank you very much.

mastersingh24 (Mon, 03 Jun 2019 14:39:42 GMT):
great ;)

scott_boone (Mon, 03 Jun 2019 16:41:36 GMT):
Has joined the channel.

vtech (Mon, 03 Jun 2019 17:11:49 GMT):
Can somebody please provide help/feedback on this ?

nyet (Mon, 03 Jun 2019 17:20:19 GMT):
The problem is that cert errors (and in fact many errors in fabric) are not accompanied by enough useful information to debug w/o actually adding additional debug printfs to the code manually.

vtech (Tue, 04 Jun 2019 04:58:54 GMT):
Thanks, will try to debug it. I was wondering if someone has already tried it, which could save time.

mastersingh24 (Tue, 04 Jun 2019 08:38:58 GMT):
are you passing a different TLS root when switching to the CA with HSM? The error definitely indicates that the client does not trust the TLS cert from the server

vtech (Tue, 04 Jun 2019 09:33:19 GMT):
No I am not; in the same configuration, by removing the HSM part, it works fine. Below is the intermediate environment configuration:
```
- FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca
- FABRIC_CA_SERVER_CA_NAME=ica-example.com
- FABRIC_CA_SERVER_INTERMEDIATE_TLS_CERTFILES=/data/example.com-ca-cert.pem
- FABRIC_CA_SERVER_CSR_HOSTS=ica-example.com
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_DEBUG=true
```

mastersingh24 (Tue, 04 Jun 2019 09:37:21 GMT):
Well fabric-ca-server will generate a new root PEM when you switch to using the HSM and will sign its TLS certificate with the new root

mastersingh24 (Tue, 04 Jun 2019 09:37:58 GMT):
assuming you did not statically configure a TLS certificate for the fabric-ca-server

vtech (Tue, 04 Jun 2019 09:40:42 GMT):
I haven't configured the TLS certificate statically ... so how can the new root (with HSM) be passed to the intermediate fabric-ca-server?

mastersingh24 (Tue, 04 Jun 2019 09:41:53 GMT):
Where did you get `/data/example.com-ca-cert.pem` from? Is this the actual location of the file used by the parent or did you copy it here?

vtech (Tue, 04 Jun 2019 09:43:24 GMT):
yes.. this is the certificate from the parent server, $FABRIC_CA_SERVER_HOME/ca-cert.pem; I have mapped it to /data/example.com-ca-cert.pem

mastersingh24 (Tue, 04 Jun 2019 09:45:29 GMT):
hmmm .... I'll try to look at this more a bit later ... I know that we run CAs using HSMs and TLS and are able to create intermediates

vtech (Tue, 04 Jun 2019 09:48:01 GMT):
I am facing this issue inside a docker container only; when I tried the intermediate server with HSM without docker it worked fine. In my configuration I am using a separate HSM set up in both the root and intermediate docker containers.

mastersingh24 (Tue, 04 Jun 2019 09:49:23 GMT):
somehow the intermediate container is not mapping the proper root CA which signed the TLS cert used by the CA container ... not sure why

vtech (Tue, 04 Jun 2019 09:55:11 GMT):
Can separate HSMs for both containers be an issue? In standalone mode I have also tried to use different SoftHSM labels for the root and intermediate CAs and it worked well.

mastersingh24 (Tue, 04 Jun 2019 10:26:00 GMT):
should not be the issue

vtech (Tue, 04 Jun 2019 10:35:56 GMT):
I am performing below steps on intermediate CA server: 1) Initialise the SoftHSM on the docker container 2) Update the BCCSP section of fabric-ca-server-config.yaml with PKCS11 details (removing SW) 3) Start the intermediate server with above defined environment (inlcuding root CA certificates) Is there anything missing here ?

vtech (Tue, 04 Jun 2019 10:35:56 GMT):
I am performing the below steps on the intermediate CA server:
1) Initialise the SoftHSM on the docker container
2) Update the BCCSP section of fabric-ca-server-config.yaml with PKCS11 details (removing SW)
3) Start the intermediate server with the above defined environment (including root CA certificates)
Is anything missing here?

adityanalge (Tue, 04 Jun 2019 15:47:50 GMT):
Is there a way to get TLS Cert from CA Server? A get cainfo call to the CA Server only returns the CA-CERT and not the TLS-CERT

varunagarwal (Tue, 04 Jun 2019 19:37:01 GMT):
I have a fundamental question about the CA. In all the examples in `fabric-samples` and few other repos by IBM, in some cases directly `ca.enroll()` is used, whereas is some cases `ca.register()` and then `ca.enroll()` is used. Example is https://github.com/IBM/decentralized-energy-fabric-on-IBP20/blob/master/application/enrollAdmin.js#L46-L50 https://github.com/IBM/decentralized-energy-fabric-on-IBP20/blob/master/application/add-participants/registerResident.js#L56-L60

varunagarwal (Tue, 04 Jun 2019 19:37:22 GMT):
Not able to understand how both are possible.

varunagarwal (Tue, 04 Jun 2019 19:39:27 GMT):
I understand the `secret` is generated from ca.register but in that scenario a `signing` identity is also passed which is usually the identity made by using `admin` and `adminpw`.

nyet (Tue, 04 Jun 2019 21:42:08 GMT):
Register creates a username and password if you have a valid MSP that is allowed to do it. Enroll gives you an MSP if all you have is a username and password

varunagarwal (Wed, 05 Jun 2019 16:38:37 GMT):
this seems like a difference based on the input more than anything else. The `ca-server-config.yaml` files have an `admin` and `adminpw` defined in them. I tried using enroll directly and tweaked it to `admin1` and it failed (expected based on your answer) as the `ca-server-config.yaml` file still had `admin` in it. Though I would expect the admin to have registrar roles such as client, user, peer, validator and auditor, but the query on the user doesn't show anything. Referring to https://github.com/IBM/build-blockchain-insurance-app/blob/master/insuranceCA/fabric-ca-server-config.yaml#L17-#L35

nyet (Wed, 05 Jun 2019 22:41:50 GMT):
You cannot enroll w/o registering first. The bootstrap admin user is a special identity that can be enrolled without being registered first.

vtech (Thu, 06 Jun 2019 04:57:50 GMT):
I have further tried to initialise the intermediate CA (HSM is not enabled yet) on behalf of the parent CA (running in a docker container with HSM enabled). I got a `connection refused` error. Port 7054 is already open.
```
[FATAL] Initialization failure: POST failure of request: POST https://rca-example.com:7054/enroll {"hosts":["ica-example.com"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBaTCCARACAQAwbTELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9s\naW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMR4wHAYD\nVQQDExVyY2EtZXhhbXBsZS5jb20tYWRtaW4wWTATBgcqhkjOPQIBBggqhkjOPQMB\nBwNCAARCzQvLOkVJjFcEvWGG1PRTpPMzmGT7jfGSNvVpGZBeKw3cL1/Hpytnf5Z7\n1u3zq9P+PfbT4YtU0t8D9abriBG+oEEwPwYJKoZIhvcNAQkOMTIwMDAaBgNVHREE\nEzARgg9pY2EtZXhhbXBsZS5jb20wEgYDVR0TAQH/BAgwBgEB/wIBADAKBggqhkjO\nPQQDAgNHADBEAiBZPE5eMAu4Vu9uTIO81V4DPH3CnTfZgHXFzV0DcuRnvQIgdowh\nrb4Z0+0OaUREvOViBXrgjDIjv+inOdiYblU6R+o=\n-----END CERTIFICATE REQUEST-----\n","profile":"ca","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post https://rca-example.com:7054/enroll: dial tcp 172.19.0.3:7054: *connect: connection refused*
```

FlorineDromard1 (Thu, 06 Jun 2019 09:14:34 GMT):
Has joined the channel.

vtech (Thu, 06 Jun 2019 11:14:57 GMT):
I have resolved the issue; the problem was that the intermediate CA's AKI was not matching the root CA's SKI. It happened because the root CA was not overwritten in the docker volume mapping. Thanks @mastersingh24 for the insight.

mastersingh24 (Thu, 06 Jun 2019 11:23:20 GMT):
Ah ... great ... nice work debugging!

mattremy (Thu, 06 Jun 2019 11:52:58 GMT):
I can have the CA server operate in non-TLS mode, but the communication between peers and orderers operates in TLS mode. In that case, to create the MSP, would I still need the CA server's TLS certificate? And if yes, how do I get it? The CAChain gives only the CA certificate and not the TLS CA certificate

mastersingh24 (Thu, 06 Jun 2019 14:55:45 GMT):
You don't need the TLS root from the CA unless it's the root that issued the TLS certs for the peers/orderers

root10 (Thu, 06 Jun 2019 15:00:21 GMT):
Has left the channel.

adityanalge (Thu, 06 Jun 2019 22:29:58 GMT):
how do we get the TLSCerts?

nyet (Fri, 07 Jun 2019 00:46:28 GMT):
depends if you are running separate TLSCA and CA instances or not

adityanalge (Fri, 07 Jun 2019 00:46:55 GMT):
@nyet Nope,

adityanalge (Fri, 07 Jun 2019 00:47:41 GMT):
I am using the default fabric-ca to generate the ca cert and the tls cert. So, the ca cert I can get back through the cainfo api, but tls cert?

nyet (Fri, 07 Jun 2019 00:47:59 GMT):
the pub CA is the same for TLS and CA then

nyet (Fri, 07 Jun 2019 00:48:15 GMT):
same pub cert

adityanalge (Fri, 07 Jun 2019 00:48:23 GMT):
Why?

nyet (Fri, 07 Jun 2019 00:48:31 GMT):
because you are running a single instance

nyet (Fri, 07 Jun 2019 00:48:41 GMT):
if you want them to be different you have to run two different instances

adityanalge (Fri, 07 Jun 2019 00:48:53 GMT):
I get different certificates though

nyet (Fri, 07 Jun 2019 00:48:58 GMT):
if you run a single instance it will use the same cert to sign both TLS and endorsement keys

nyet (Fri, 07 Jun 2019 00:49:08 GMT):
different pub certs?

adityanalge (Fri, 07 Jun 2019 00:49:13 GMT):
Yes

nyet (Fri, 07 Jun 2019 00:49:34 GMT):
are they self signed by the ca-server or externally? I'm not using the ca-server automatic self-signing procedure

adityanalge (Fri, 07 Jun 2019 00:49:35 GMT):
in fabric-ca-server-config.yaml, if you do tls.enabled as true, and then do ./fabric-ca-server start, it generates different key pair for ca and tlsca

nyet (Fri, 07 Jun 2019 00:49:41 GMT):
oh i dont do that

nyet (Fri, 07 Jun 2019 00:49:51 GMT):
i generate my own keypairs and run separate instances

nyet (Fri, 07 Jun 2019 00:50:04 GMT):
in that case, you have to transfer the pub cas out of band

nyet (Fri, 07 Jun 2019 00:50:43 GMT):
i almost never trust apps to make their own CA keypairs, they usually screw things up :)

adityanalge (Fri, 07 Jun 2019 00:50:44 GMT):
do you use cryptogen?

nyet (Fri, 07 Jun 2019 00:50:46 GMT):
nope

joeljhanster (Fri, 07 Jun 2019 06:24:33 GMT):
Has joined the channel.

joeljhanster (Fri, 07 Jun 2019 06:24:36 GMT):
Is it possible for me to generate my own GPG keypair and hand my public key to Fabric CA to sign and create a certificate? Thanks

nyet (Fri, 07 Jun 2019 06:31:35 GMT):
Fabric does not use GPG keys.

mattremy (Fri, 07 Jun 2019 08:07:59 GMT):
My setup is as follows: I have a fabric-ca server started on each peer and orderer node in non-TLS mode. The fabric-ca server's cacert is obtained through info.getChain(). So far so good. The peers and orderers communicate over TLS (as they are different machines). To do this, I would need to generate TLS certificates for each peer and orderer. As a part of their MSP, I would also need to provide the CA server's TLS certificate. As I start the CA server without TLS, it doesn't generate TLS certificates. Even if I do start it in TLS mode, I cannot get the TLS certificates as they are not a part of the CA chain. Any ideas on how to resolve this?

caveman7 (Fri, 07 Jun 2019 09:06:44 GMT):
hello all, I tried to configure Fabric CA to connect to SoftHSMv2, but received the following error:
```
2019/06/07 16:04:09 [DEBUG] CA Home Directory: /Users/aldred/Workspace/samples/ca-hsm-sample
2019/06/07 16:04:09 [DEBUG] Checking configuration file version '1.4.2' against server version: '1.4.2-snapshot-8b56ee8'
2019/06/07 16:04:09 [DEBUG] Initializing BCCSP: &{ProviderName:PCKS11 SwOpts: PluginOpts: Pkcs11Opts:0xc00037f7a0}
2019/06/07 16:04:09 [DEBUG] Initializing BCCSP with PKCS11 options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc0003263a0 DummyKeystore: Library:/usr/local/Cellar/softhsm/2.5.0/lib/softhsm/libsofthsm2.so Label:ForFabric Pin:98765432 SoftVerify:false Immutable:false}
2019/06/07 16:04:09 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: %!s() Could not find default `PCKS11` BCCSP
```
I built the `fabric-ca-server` binary using this command: `GO_TAGS=pkcs11 make fabric-ca-server`

mastersingh24 (Fri, 07 Jun 2019 13:18:13 GMT):
Enabling TLS for the CA endpoint/listener and using the CA to issue TLS certificates for your peer(s) and orderer(s) are actually orthogonal. By default, the CA has two profiles: `default` and `tls`. The default profile will generate crypto material appropriate for signing (aka enrollment certs). The tls profile will generate crypto material appropriate for use with TLS. But both profiles will use the same root certificate to sign issued certs ... so you can use the same cacert file in both `cacerts` and `tlscacerts` of your MSP(s). Not sure what client you are using to actually enroll with the CA, but when enrolling for TLS certs, set the profile parameter to `tls`

KartikChauhan (Fri, 07 Jun 2019 14:01:57 GMT):
I'm trying out the wallet classes introduced in Hyperledger Fabric v1.4. All the wallet classes work fine except for `HSMWalletMixin`. I couldn't understand the working of it. There's not much info available about it in the official documentation or in sdk docs. It says in the docs > currently you should use the FileSystemWallet class in combination with the HSMWalletMixin class to manage HSM wallets. There's no working example from where I could take any help. I've no idea how to use these two classes together. Plus, isn't there any option of configuring `HSMWalletMixin` class with AWS CloudHSM currently?

mastersingh24 (Fri, 07 Jun 2019 16:51:41 GMT):
you should try the #fabric-sdk-node channel for this .... but basically, you should be able to do something like
```
const { FileSystemWallet, HSMWalletMixin } = require('fabric-network');
// walletPath: directory holding the wallet's identity files (placeholder name);
// the HSM mixin is passed as the second constructor argument.
const hsmWallet = new FileSystemWallet(walletPath, new HSMWalletMixin(pkcsLibPath, PKCS11_SLOT, PKCS11_PIN));
```
You need to know the path to the PKCS11 shared library and the SLOT and PIN to use. For AWS, I'd look at https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-library-install.html

adityanalge (Fri, 07 Jun 2019 19:52:01 GMT):
Can someone help me understand how to generate the server.crt and server.key under orderer.example.com/tls? Can I generate these certs using the fabric-ca?

nyet (Fri, 07 Jun 2019 23:09:27 GMT):
https://jira.hyperledger.org/browse/FABC-60

nyet (Fri, 07 Jun 2019 23:09:45 GMT):
Good luck, it's a mess.

mastersingh24 (Sat, 08 Jun 2019 09:16:23 GMT):
@nyet - not sure what you mean by "it's a mess" .... the reality is that fabric-ca was built to issue enrollment certificates not TLS certificates. fabric-ca can issue TLS certs using the `tls` profile, but generally we (or at least I) would expect companies already have some standard issuer for TLS certificates.

trinayanbhatt (Mon, 10 Jun 2019 12:26:48 GMT):
Has joined the channel.

nyet (Mon, 10 Jun 2019 15:37:40 GMT):
Just annoyed at the lack of a way to get the SKI using openssl.

nyet (Mon, 10 Jun 2019 16:08:22 GMT):
@mastersingh24 woot thanks for https://gerrit.hyperledger.org/r/#/c/fabric-ca/+/31790/ ... will that get backported to 1.4.1 or will it not be available until 2.x?

mastersingh24 (Mon, 10 Jun 2019 18:23:52 GMT):
We'll backport it ... I can't cherry pick it directly so once it has been reviewed and merged in master I'll backport and it should ship in 1.4.2 at the end of June / early July

adityanalge (Mon, 10 Jun 2019 20:50:49 GMT):
I agree with both you @mastersingh24 and @nyet . Assuming the companies provide the tls certs, we have to generate the tls cert and key for the peer and orderers right? Based on my understanding, this has to be done using the fabric-ca and the tls cert provided by the companies?

nyet (Mon, 10 Jun 2019 20:59:00 GMT):
you can do ALL of your TLS cert distribution out of band. here we are choosing to use the CA-server to do it because the only TLS distribution we have in our system is letsencrypt based, which is insufficient for fabric.

nyet (Mon, 10 Jun 2019 21:00:45 GMT):
And the CA-server can do it just fine, it just takes a bit of scripty magic to pull certpairs out of the MSP, which is NOT designed for TLS.

adityanalge (Mon, 10 Jun 2019 21:01:20 GMT):
The main issue with using fabric-ca server to self generate the tls cert is that the tls cert generated is not self signed. It is signed by ca.example.com and it is not a root ca.

nyet (Mon, 10 Jun 2019 21:01:42 GMT):
That is a feature, not a bug :)

nyet (Mon, 10 Jun 2019 21:02:13 GMT):
fabric will not work if everyone has self-signed TLS certs

adityanalge (Mon, 10 Jun 2019 21:02:22 GMT):
hmmm. but cryptogen has a tls that is root tls and self signed

nyet (Mon, 10 Jun 2019 21:02:24 GMT):
they HAVE to be signed by a TLS CA

nyet (Mon, 10 Jun 2019 21:02:37 GMT):
yes, we do not use cryptogen for that reason (among many many uncountable others)

nyet (Mon, 10 Jun 2019 21:03:02 GMT):
the TLSCA is selfsigned

nyet (Mon, 10 Jun 2019 21:03:06 GMT):
the TLS key pairs ARE NOT

Antimttr (Mon, 10 Jun 2019 21:03:12 GMT):
@nyet what do you use in place of cryptogen?

nyet (Mon, 10 Jun 2019 21:03:30 GMT):
we do everything talking to the ca-server

Antimttr (Mon, 10 Jun 2019 21:04:44 GMT):
the fabric ca server that comes with hyperledger?

nyet (Mon, 10 Jun 2019 21:04:51 GMT):
yes

Antimttr (Mon, 10 Jun 2019 21:05:48 GMT):
I'm currently writing the routines that will generate crypto artifacts for a new org

adityanalge (Mon, 10 Jun 2019 21:05:49 GMT):
So what would be the process to generate a TLS key pair for, say, the orderer?
- Start a fabric-ca server with tls.enabled set to true.
- This generates a root ca cert and a tls cert that is not self signed.
- Use ca to register and enroll the orderer (without enrollment profile as tls) and we get an orderer sign cert issued by the ca cert
- Use ca to enroll the orderer with enrollment profile as tls; this will give a cert and key issued by the tls cert

adityanalge (Mon, 10 Jun 2019 21:06:03 GMT):
Am I correct in this flow so far?

Antimttr (Mon, 10 Jun 2019 21:06:05 GMT):
following this guide: https://hyperledger-fabric.readthedocs.io/en/release-1.4/channel_update_tutorial.html

Antimttr (Mon, 10 Jun 2019 21:06:19 GMT):
but maybe thats a better way

Antimttr (Mon, 10 Jun 2019 21:06:31 GMT):
just to use fabric-ca-server to generate it instead of cryptogen

nyet (Mon, 10 Jun 2019 21:06:59 GMT):
I want more control over our self-signed CAs so we do that ourselves, but we make three of them: 1 for TLS, 2 for fabric CA orgs

Antimttr (Mon, 10 Jun 2019 21:07:10 GMT):
can you use it to generate an entire msp/artifacts directory tree like you can with cryptogen?

nyet (Mon, 10 Jun 2019 21:07:11 GMT):
then launch the ca-server with 3 instances

nyet (Mon, 10 Jun 2019 21:07:23 GMT):
orderers and peers get tls pairs by enrolling with the tls profile

Antimttr (Mon, 10 Jun 2019 21:07:26 GMT):
or do you just break it into individual calls?

nyet (Mon, 10 Jun 2019 21:07:54 GMT):
i generally dont trust the ca-server to autogenerate anything, including its own config

nyet (Mon, 10 Jun 2019 21:08:09 GMT):
i dont much like the way that works so we create our own configs and our own self signed CAs

nyet (Mon, 10 Jun 2019 21:08:24 GMT):
the rest is roughly accurate above

adityanalge (Mon, 10 Jun 2019 21:08:47 GMT):
The issue that arises here is - The tls cert that is generated, and now moved to ordererOrganizations/example.com/orderers/orderer.example.com/tlscacerts is not a root cert and that's why it gives an error when the container comes up saying ca attribute missing

nyet (Mon, 10 Jun 2019 21:09:29 GMT):
i am not sure of that since we do not allow the CA server to generate its own CA pairs

nyet (Mon, 10 Jun 2019 21:09:40 GMT):
i generate them out of band using openssl directly

adityanalge (Mon, 10 Jun 2019 21:09:48 GMT):
both ca and tls cert?

nyet (Mon, 10 Jun 2019 21:09:52 GMT):
no

nyet (Mon, 10 Jun 2019 21:09:59 GMT):
TLSCA and 2 fabric CAs

nyet (Mon, 10 Jun 2019 21:10:07 GMT):
the tls cert is signed by the TLSCA

nyet (Mon, 10 Jun 2019 21:10:13 GMT):
(ca server tls cert)

nyet (Mon, 10 Jun 2019 21:10:26 GMT):
the orderers get their tls pairs by enrolling with the ca server tls entity with tls profile

adityanalge (Mon, 10 Jun 2019 21:10:26 GMT):
so your cacount is 2?

nyet (Mon, 10 Jun 2019 21:10:28 GMT):
3

nyet (Mon, 10 Jun 2019 21:10:44 GMT):
the tlsca is the default ca entity

adityanalge (Mon, 10 Jun 2019 21:10:52 GMT):
the main one

nyet (Mon, 10 Jun 2019 21:10:57 GMT):
yes

adityanalge (Mon, 10 Jun 2019 21:11:16 GMT):
have you tried to bring an orderer up yet?

nyet (Mon, 10 Jun 2019 21:11:18 GMT):
i do that so we can hack getting the tlsca pub key using curl

nyet (Mon, 10 Jun 2019 21:11:20 GMT):
yes

adityanalge (Mon, 10 Jun 2019 21:11:44 GMT):
okay. my cacount is 0

nyet (Mon, 10 Jun 2019 21:11:56 GMT):
i actually dont use cacount

nyet (Mon, 10 Jun 2019 21:12:00 GMT):
we use multiple config arguments

nyet (Mon, 10 Jun 2019 21:12:16 GMT):
i have to go for a bit but i will be back later to answer questions

nyet (Mon, 10 Jun 2019 21:12:21 GMT):
i promise i will help as best as i can

adityanalge (Mon, 10 Jun 2019 21:12:29 GMT):
Okay sure

adityanalge (Mon, 10 Jun 2019 21:12:31 GMT):
https://stackoverflow.com/questions/53687551/hyperledger-fabric-ca-x509-certificate-is-valid-for-rca-ord-not-localhost

adityanalge (Mon, 10 Jun 2019 21:12:41 GMT):
My issue is very similar to this currently. Will talk later

peerzet3 (Tue, 11 Jun 2019 08:12:51 GMT):
Has joined the channel.

peerzet3 (Tue, 11 Jun 2019 08:12:52 GMT):
Hello, I'm forwarding the question I'm stuck on and already asked in the fabric channel. I'm generating a new user with the Fabric-CA SDK (role client). Then I try to create a channel using the fabric SDK, however I always get BAD_REQUEST - expected Admin request signing.... The user I'm creating with Fabric-CA is not Admin. My question: how can I make this user an admin? I'm using the correct CA certificates because with the created user I can make queries to the org1 peers, however I cannot create a channel... I already tried to copy the pem certificate of the newly created user to the admincerts folder of the peers, however I don't know if it's a good approach.

yeousunn (Tue, 11 Jun 2019 08:37:52 GMT):
when registering user you have to specify the user is admin using `--id.attrs '"hf.Registrar.Roles=peer,client",hf.Revoker=true,admin=true:ecert'`

mastersingh24 (Tue, 11 Jun 2019 08:47:16 GMT):
cryptogen generates root CAs for both enrollment and TLS. Root CAs will by definition be self-signed (unless they are intermediates issued by another root). fabric-ca does the same thing ... it creates root CAs as well (which are self-signed) if you don't specify an existing one

peerzet3 (Tue, 11 Jun 2019 08:50:31 GMT):
@yeousunn Thank you for answer. Doesn't work. No idea why. Maybe the issue is that the admin identity I use for doing registering is the one fabric-ca created (admin created by fabric-ca)...

peerzet3 (Tue, 11 Jun 2019 08:51:09 GMT):
```
const secret = await fabricCaClient.register({
  enrollmentID: 'myuser',
  role: 'admin',
  attrs: [
    { name: 'hf.Registrar.Roles', value: 'peer,client', ecert: false },
    { name: 'hf.Revoker', value: 'true', ecert: false },
    { name: 'admin', value: 'true', ecert: true },
  ],
}, user);
```

PonmudiK (Tue, 11 Jun 2019 09:03:33 GMT):
postgres

peerzet3 (Tue, 11 Jun 2019 10:15:47 GMT):
Eh this should work. No more ideas. User can query, user can make transactions, but cannot create channel.

msoelman (Tue, 11 Jun 2019 11:19:39 GMT):
Has joined the channel.

msoelman (Tue, 11 Jun 2019 11:19:41 GMT):
Hello Fabric team, I have a question regarding future developments of Idemix, with respect to generating credentials for an anonymous CA. The question was posted on the mailing list, but was not forwarded here, as it did not contain tags. The question:
> According to the documentation on Idemix, the current implementation of Idemix could be extended to support anonymous Idemix-based Certificate Authorities. Assume an Idemix-based MSP generates an anonymous CA, which I think is similar to the current implementation, where an Idemix-based MSP generates an anonymous credential for a member of that MSP. Then, when such an anonymous CA has been generated, according to the docs, the anonymous CA's "certified credentials can be verified by using a unique public-key". It is unclear to me how the credentials of such an anonymous CA would be verified. What steps are required to verify this anonymous CA (on a high level)?
Link to the question on the mailing list: https://lists.hyperledger.org/g/fabric/topic/anonymous_idemix_based/31925669?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,31925669
Any help is greatly appreciated! Best Regards,

Antimttr (Tue, 11 Jun 2019 15:01:20 GMT):
This is a directory structure created by the cryptogen tool:
```
└── peerOrganizations
    └── org3.example.com
        ├── ca
        │   ├── 2fd964eeaebdf6e39fe6f60d2a9dd5e33e831b66886ac5498cf60d49cd31beb1_sk
        │   └── ca.org3.example.com-cert.pem
        ├── msp
        │   ├── admincerts
        │   │   └── Admin@org3.example.com-cert.pem
        │   ├── cacerts
        │   │   └── ca.org3.example.com-cert.pem
        │   ├── config.yaml
        │   └── tlscacerts
        │       └── tlsca.org3.example.com-cert.pem
        ├── peers
        │   ├── peer0.org3.example.com
        │   │   ├── msp
        │   │   │   ├── admincerts
        │   │   │   │   └── Admin@org3.example.com-cert.pem
        │   │   │   ├── cacerts
        │   │   │   │   └── ca.org3.example.com-cert.pem
        │   │   │   ├── config.yaml
        │   │   │   ├── keystore
        │   │   │   │   └── 90e17c0c86623157f694720b0d2654a8344b0271ee84020155a0d986edaff96a_sk
        │   │   │   ├── signcerts
        │   │   │   │   └── peer0.org3.example.com-cert.pem
        │   │   │   └── tlscacerts
        │   │   │       └── tlsca.org3.example.com-cert.pem
        │   │   └── tls
        │   │       ├── ca.crt
        │   │       ├── server.crt
        │   │       └── server.key
```

Antimttr (Tue, 11 Jun 2019 15:01:56 GMT):
my question is, what is the difference between the tlscacerts in the msp directory, and the tls certs and key in the tls directory of each peer?

Antimttr (Tue, 11 Jun 2019 15:02:05 GMT):
do they represent the same certificate?

Antimttr (Tue, 11 Jun 2019 15:03:34 GMT):
ok looks like tlsca.org3.example.com-cert.pem == ca.crt

Antimttr (Tue, 11 Jun 2019 15:05:39 GMT):
but then where does server.crt come from?

Antimttr (Tue, 11 Jun 2019 15:07:07 GMT):
it seems that the server.crt is different for each of the peers

Antimttr (Tue, 11 Jun 2019 15:07:16 GMT):
so perhaps it's specific to the peer?

Antimttr (Tue, 11 Jun 2019 15:08:26 GMT):
ok, decoded the x509 and that does seem to be the case:
```
Common Name: peer0.org3.example.com
Subject Alternative Names: peer0.org3.example.com, peer0
Locality: San Francisco
State: California
Country: US
Valid From: June 10, 2019
Valid To: June 7, 2029
Issuer: tlsca.org3.example.com, org3.example.com
Serial Number: 76797b5d98520c7b2cfb0514933a8b83
```

nyet (Tue, 11 Jun 2019 15:48:12 GMT):
Unfortunately, it is not very well documented what is required to be an "admin". When creating a genesis block, the pub cert for the admin needs to be in the /admincerts/ dir of the ORG msp to be an admin for that genesis block. To be an admin on a peer to request that that peer join a channel, the pub key of the admin user needs to be in the /admincerts/ directory of the local MSP on that peer. To make matters worse, due to https://jira.hyperledger.org/browse/FAB-2072 the peer has to be manually restarted every time the contents of its local MSP admincerts/ changes.

nyet (Tue, 11 Jun 2019 15:49:03 GMT):
The "role" tag on register seems useless, I am unsure about what it is supposed to do.

nyet (Tue, 11 Jun 2019 15:50:13 GMT):
A TLS server cert is very different from a TLSCA cert. The TLSCA private key is used to sign a TLS server key cert. This means that the TLS server key can be verified by anyone trusting the TLSCA public key.

Antimttr (Tue, 11 Jun 2019 16:08:46 GMT):
@nyet have you found any way of generating the material the cryptogen generates programmatically? Everything I've read says use openssl directly

Antimttr (Tue, 11 Jun 2019 16:09:20 GMT):
i know you said you used fabric-ca-server to do it. But haven't found any details on how to do that either

nyet (Tue, 11 Jun 2019 16:09:31 GMT):
you can do everything with ca server including the self signing

Antimttr (Tue, 11 Jun 2019 16:09:34 GMT):
was figuring using an openssl library of some sort (maybe the one for php?) would be more straightforward

nyet (Tue, 11 Jun 2019 16:09:51 GMT):
i do everything but the self-signing with the ca-server

nyet (Tue, 11 Jun 2019 16:10:16 GMT):
i think the tlsca self signing might not work right with ca-server now that i think about it, but i did not try

Antimttr (Tue, 11 Jun 2019 16:10:32 GMT):
so you need to start with a tlsca self signing certificate

nyet (Tue, 11 Jun 2019 16:10:36 GMT):
i just use the openssl cli exe directly

Antimttr (Tue, 11 Jun 2019 16:10:38 GMT):
and that can be generated with openssl i believe?

nyet (Tue, 11 Jun 2019 16:10:41 GMT):
yes

nyet (Tue, 11 Jun 2019 16:11:06 GMT):
the only trick is ecdsa, but it's pretty straightforward

Antimttr (Tue, 11 Jun 2019 16:11:20 GMT):
so ecdsa is the algo i need to use

Antimttr (Tue, 11 Jun 2019 16:11:22 GMT):
to generate it

nyet (Tue, 11 Jun 2019 16:11:23 GMT):
yes

mastersingh24 (Tue, 11 Jun 2019 16:15:13 GMT):
What's the issue with using Fabric CA? Fabric CA starts up with two signing profiles ... default is for enrollment and `tls` is for TLS extensions. You can also modify the profile section in the config file if you want to run a Fabric CA with just the TLS profile. You can also run a multi-root CA ... and for the second root use the TLS profile ;)

nyet (Tue, 11 Jun 2019 16:16:31 GMT):
oh i didn't know each profile worked like that

nyet (Tue, 11 Jun 2019 16:16:43 GMT):
should i disable the tls profile if i explicitly have separate tls and non-tls instances?

nyet (Tue, 11 Jun 2019 16:16:52 GMT):
(in the non-tls instances)?

Antimttr (Tue, 11 Jun 2019 16:18:12 GMT):
@mastersingh24 so it seems like the fabric-ca-server is the way to go if you want to not use cryptogen to generate a new org's artifacts

mastersingh24 (Tue, 11 Jun 2019 16:18:15 GMT):
well you don't have to disable it ... but would not hurt

Antimttr (Tue, 11 Jun 2019 16:18:50 GMT):
@mastersingh24 you don't happen to know of any documentation that goes through generating artifacts via fabric-ca-server by any chance?

Antimttr (Tue, 11 Jun 2019 16:19:50 GMT):
is cryptogen just a script which calls a bunch of openssl commands?

mastersingh24 (Tue, 11 Jun 2019 16:20:27 GMT):
cryptogen uses Go crypto libraries ... I wrote it for testing

Antimttr (Tue, 11 Jun 2019 16:20:51 GMT):
i see, yeah i was thinking about how best to replace it. I was looking at the openssl libraries for php

Antimttr (Tue, 11 Jun 2019 16:21:23 GMT):
but i'm a little unclear on what parameters you'd feed to openssl to generate the ec content

Antimttr (Tue, 11 Jun 2019 16:21:47 GMT):
ecdsa seems to be the algo i'd want to use though

Antimttr (Tue, 11 Jun 2019 16:22:16 GMT):
if i was a bit more competent with golang i might just try and modify cryptogen

mastersingh24 (Tue, 11 Jun 2019 16:26:28 GMT):
There are many options for creating TLS certs. Fabric CA should definitely be used for enrollment / identity material (unless you have a requirement to use another CA) openssl works fine for TLS ....
```bash
#!/bin/bash
# cleanup
rm -f *.cnf *.crt *.key *.csr

FQDN="peer1.org1.example.com"
HOSTNAME="peer1"
echo ${FQDN}
echo ${HOSTNAME}

# generate openssl config file (unquoted EOF so $HOSTNAME / $FQDN expand)
cat << EOF > ca.cnf
[v3_ca]
subjectAltName = @alt_names
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
[ alt_names ]
DNS.1 = $HOSTNAME
DNS.2 = localhost
# the FQDN used as CN below; Go/gRPC clients match on SANs, not on CN
DNS.3 = $FQDN
EOF

# generate CA (self-signed, P-256 key, 10 years)
openssl ecparam -genkey -name prime256v1 -out ca.key
openssl req -new -days 3650 -nodes -x509 -subj "/CN=Certificate Authority" -key ca.key -out ca.crt

# generate TLS server cert (P-256 key, CSR, signed by the CA above with the v3_ca extensions)
openssl ecparam -genkey -name prime256v1 -out server.key
openssl req -new -sha256 -key server.key -out server.csr -subj "/CN=${FQDN}"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 1825 -sha256 -out server.crt -extensions v3_ca -extfile ./ca.cnf
```

mastersingh24 (Tue, 11 Jun 2019 16:27:20 GMT):
^^^^ creates a root CA and issues a TLS cert for `peer1.org1.example.com`

Antimttr (Tue, 11 Jun 2019 16:27:31 GMT):
awesome

Antimttr (Tue, 11 Jun 2019 16:27:57 GMT):
seems like calling openssl from cli is the way to go, vs trying to do it via a language specific library

mastersingh24 (Tue, 11 Jun 2019 16:28:39 GMT):
when all else fails, `bash` to the rescue!

Antimttr (Tue, 11 Jun 2019 16:28:47 GMT):
indeed

Antimttr (Tue, 11 Jun 2019 16:30:00 GMT):
ok so that's how i'd generate peerOrganizations/org1.example.com/tlsca/* as well as the peer certs

nyet (Tue, 11 Jun 2019 16:30:14 GMT):
i use the ca-server to sign peer certs

nyet (Tue, 11 Jun 2019 16:30:25 GMT):
I ONLY use openssl to generate TLSCA/CA

Antimttr (Tue, 11 Jun 2019 16:30:41 GMT):
but the ca-server is using the TLSCA cert previously generated by openssl

nyet (Tue, 11 Jun 2019 16:30:49 GMT):
ca-server is very very convenient for creating TLS keys because it means renewal will be easier too

Antimttr (Tue, 11 Jun 2019 16:30:54 GMT):
it needs that to function if i'm not mistaken

nyet (Tue, 11 Jun 2019 16:31:09 GMT):
yes but you can generate peer tls keypairs by issuing ca-server enrolls

nyet (Tue, 11 Jun 2019 16:31:24 GMT):
it will sign the crls with its TLSCA key

Antimttr (Tue, 11 Jun 2019 16:31:31 GMT):
_nods_

nyet (Tue, 11 Jun 2019 16:32:02 GMT):
also ca-server is convenient because anyone can retrieve the public tls key for an enrolled tls server

nyet (Tue, 11 Jun 2019 16:32:09 GMT):
this is super convenient for pinning if you need it

Antimttr (Tue, 11 Jun 2019 16:32:18 GMT):
right, yeah that makes sense

Antimttr (Tue, 11 Jun 2019 16:32:36 GMT):
so it's the enroll command in fabric-ca-server that actually generates the crypto material

nyet (Tue, 11 Jun 2019 16:32:40 GMT):
yes

Antimttr (Tue, 11 Jun 2019 16:32:45 GMT):
just like with enrolling users

nyet (Tue, 11 Jun 2019 16:32:48 GMT):
yes

nyet (Tue, 11 Jun 2019 16:33:02 GMT):
the only trick is extracting the correct _sk from keystore/

Antimttr (Tue, 11 Jun 2019 16:34:38 GMT):
so for onboarding a new org into the hyperledger i'm thinking that this will be my procedure:
1. use openssl to generate tlsca and key
2. bring the fabric-ca-server node up with the newly generated ca and key
3. generate org specific certificates and keys using the fabric-ca-server enroll command

nyet (Tue, 11 Jun 2019 16:34:53 GMT):
yep

nyet (Tue, 11 Jun 2019 16:35:13 GMT):
don't forget that you can't start an orderer until you have an admin for an org that goes in the genesis block for the system channel

nyet (Tue, 11 Jun 2019 16:35:30 GMT):
and peers can't join a channel until they have a pub key in admincerts/

nyet (Tue, 11 Jun 2019 16:35:36 GMT):
those two gotchas killed me for a long time

nyet (Tue, 11 Jun 2019 16:36:25 GMT):
if you are an aaS like us, that is problematic because we don't want to keep end user private key materials :/

Antimttr (Tue, 11 Jun 2019 16:36:37 GMT):
right but the admin user can be enrolled as soon as the fabric-ca-server is up

Antimttr (Tue, 11 Jun 2019 16:36:40 GMT):
if i'm not mistaken

nyet (Tue, 11 Jun 2019 16:36:43 GMT):
yep!

Antimttr (Tue, 11 Jun 2019 16:37:15 GMT):
so i could enroll the admin in step 3 then have the entire artifacts directory structure generated prior to bringing up any peers/orderers

Antimttr (Tue, 11 Jun 2019 16:37:43 GMT):
similar to how cryptogen generates all the assets as the first step to adding a new org here: https://hyperledger-fabric.readthedocs.io/en/release-1.4/channel_update_tutorial.html

Antimttr (Tue, 11 Jun 2019 16:44:01 GMT):
what does aaS stand for? if i type it into google i get unrelated results

adityanalge (Tue, 11 Jun 2019 16:48:59 GMT):
prolly means as a Service

Antimttr (Tue, 11 Jun 2019 16:49:16 GMT):
huh, i've heard of SaaS just never aaS

adityanalge (Tue, 11 Jun 2019 16:49:53 GMT):
Has anyone tried enrolling with a TLS profile using the fabric-sdk-node?

adityanalge (Tue, 11 Jun 2019 16:50:35 GMT):
Even though the server receives a TLS profile request ( that I verified by the logs ), my certificate is being signed by the root CA cert instead of the tlsca cert

Antimttr (Tue, 11 Jun 2019 16:50:36 GMT):
i've read the balance-transfer example client code

Antimttr (Tue, 11 Jun 2019 16:50:47 GMT):
and they definitely do it in that codebase

Antimttr (Tue, 11 Jun 2019 16:51:07 GMT):
personally i'm using java as my client so i've only implemented it in the java sdk

Swhit210 (Tue, 11 Jun 2019 17:05:39 GMT):
Has joined the channel.

nyet (Tue, 11 Jun 2019 17:06:11 GMT):
just using aaS as a generic (vs XaaS) since it isn't clear what we are aaSing for :)

nyet (Tue, 11 Jun 2019 17:06:22 GMT):
BaaS, but not really either

Antimttr (Tue, 11 Jun 2019 17:07:15 GMT):
business as a software?

nyet (Tue, 11 Jun 2019 17:07:22 GMT):
also, i'm not strictly following the cryptogen layout

nyet (Tue, 11 Jun 2019 17:07:27 GMT):
it's sort of a mix

nyet (Tue, 11 Jun 2019 17:07:37 GMT):
blockchain as a service :)

Antimttr (Tue, 11 Jun 2019 17:07:41 GMT):
oh duh

nyet (Tue, 11 Jun 2019 17:08:17 GMT):
i have a gigantic spreadsheet of cryptogen artifact layout :/

nyet (Tue, 11 Jun 2019 17:08:47 GMT):
so i have the parts needed for each component highlighted because copying the whole structure to each node (or component) is a bad idea

nyet (Tue, 11 Jun 2019 17:08:52 GMT):
e.g. nobody should have the ca private keys ;)

Antimttr (Tue, 11 Jun 2019 17:09:03 GMT):
right no one but the ca

nyet (Tue, 11 Jun 2019 17:09:06 GMT):
ya

nyet (Tue, 11 Jun 2019 17:09:47 GMT):
the MAIN thing confusing me is still what "admin" means :/

nyet (Tue, 11 Jun 2019 17:10:11 GMT):
it seems presence in admincerts/ is more important than that enroll tag

Antimttr (Tue, 11 Jun 2019 17:10:16 GMT):
i've been told there's 3 different types of admins

Antimttr (Tue, 11 Jun 2019 17:10:28 GMT):
ca admins, peer admins, registrars

Antimttr (Tue, 11 Jun 2019 17:10:32 GMT):
maybe im missing one

nyet (Tue, 11 Jun 2019 17:11:07 GMT):
the enroll tag only enables that user to register new users? it has nothing to do with admin privs in policies?

Antimttr (Tue, 11 Jun 2019 17:11:38 GMT):
not as far as i know, but i haven't delved very deeply into policies yet

Antimttr (Tue, 11 Jun 2019 17:11:48 GMT):
just basic ones for chaincode updates

Antimttr (Tue, 11 Jun 2019 17:11:58 GMT):
or chaincode invocations rather

adityanalge (Tue, 11 Jun 2019 17:32:56 GMT):
Did you notice that the ca logs say 'received request for enroll' when the request is sent from the cli using a fabric-client binary and the ca logs say 'received request for /api/v1/enroll' when the enroll request is sent using fabric node sdk

Antimttr (Tue, 11 Jun 2019 17:46:05 GMT):
i think that api/v1/enroll stuff is because it's going through the RESTful api on the sdk

Antimttr (Tue, 11 Jun 2019 17:46:20 GMT):
but the cli client might do that too

Antimttr (Tue, 11 Jun 2019 17:48:18 GMT):
So in the cryptogen generated artifacts directory, there is a `peerOrganizations/org3.example.com/ca/` directory and a `peerOrganizations/org3.example.com/tlsca/` directory. Both have different certificates. What is the difference between the two?

nyet (Tue, 11 Jun 2019 17:48:41 GMT):
cryptogen does not make different CA/TLSCA certs

nyet (Tue, 11 Jun 2019 17:48:44 GMT):
i do

nyet (Tue, 11 Jun 2019 17:49:04 GMT):
in cryptogen directory they are copies

Antimttr (Tue, 11 Jun 2019 17:49:06 GMT):
what's confusing me even more is that in the balance-transfer example, they seem to use the same cert in both configuration options for the CA:
```
- FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
- FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/0e729224e8b3f31784c8a93c5b8ef6f4c1c91d9e6e577c45c33163609fe40011_sk
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/0e729224e8b3f31784c8a93c5b8ef6f4c1c91d9e6e577c45c33163609fe40011_sk
```

Antimttr (Tue, 11 Jun 2019 17:49:12 GMT):
so that's for org1 of course

Antimttr (Tue, 11 Jun 2019 17:49:22 GMT):
but it's basically saying that the CA cert and the TLSCA cert are the same thing

Antimttr (Tue, 11 Jun 2019 17:49:24 GMT):
if i'm not mistaken

nyet (Tue, 11 Jun 2019 17:49:25 GMT):
there are a ton of copied files in the cryptogen tree

Antimttr (Tue, 11 Jun 2019 17:49:34 GMT):
yes, i've been comparing them

Antimttr (Tue, 11 Jun 2019 17:49:36 GMT):
to see what's a duplicate

nyet (Tue, 11 Jun 2019 17:49:43 GMT):
find . -type f | xargs md5 | sort :)

nyet (Tue, 11 Jun 2019 17:49:52 GMT):
it's pretty funny

Antimttr (Tue, 11 Jun 2019 17:49:52 GMT):
and it seems that the CA/ and TLSCA/ certs are in fact different

Antimttr (Tue, 11 Jun 2019 17:49:59 GMT):
at least the ones that cryptogen generated

nyet (Tue, 11 Jun 2019 17:49:59 GMT):
hmm that's odd, are you sure

nyet (Tue, 11 Jun 2019 17:50:07 GMT):
lemme check my spreadsheet

Antimttr (Tue, 11 Jun 2019 17:50:19 GMT):
```
[mwest@mwestmct ca]$ cat ca.org3.example.com-cert.pem
-----BEGIN CERTIFICATE-----
MIICUTCCAfegAwIBAgIQKEW/s6JHKuejPQkxsXOp3jAKBggqhkjOPQQDAjBzMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
YW5jaXNjbzEZMBcGA1UEChMQb3JnMy5leGFtcGxlLmNvbTEcMBoGA1UEAxMTY2Eu
b3JnMy5leGFtcGxlLmNvbTAeFw0xOTA2MTAyMDMzMDBaFw0yOTA2MDcyMDMzMDBa
MHMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBvcmczLmV4YW1wbGUuY29tMRwwGgYDVQQD
ExNjYS5vcmczLmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
lWxnmWTjRLQTeLGR5QRBMMVpDtkmvWVZSPU1Llezv09Vh35WhIemRjS+qxJ8YZl1
IWUMcGRcZte+MyU9sOs48KNtMGswDgYDVR0PAQH/BAQDAgGmMB0GA1UdJQQWMBQG
CCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdDgQiBCAv
2WTurr3245/m9g0qndXjPoMbZohqxUmM9g1JzTG+sTAKBggqhkjOPQQDAgNIADBF
AiEA9TPIhVScF3GgCFFIMrOfHqRyddgoAB3dZNK3hUQeAosCIA10Uy9dYfUiYMrO
OUPRBY8aXWMtINE5XA5ogeyW0Qxs
-----END CERTIFICATE-----
```

Antimttr (Tue, 11 Jun 2019 17:50:25 GMT):
that's the CA

Antimttr (Tue, 11 Jun 2019 17:50:39 GMT):
this is TLSCA:
```
[mwest@mwestmct tlsca]$ cat tlsca.org3.example.com-cert.pem
-----BEGIN CERTIFICATE-----
MIICVjCCAf2gAwIBAgIQTjWv3gaMdrgZjw/B2z9XRjAKBggqhkjOPQQDAjB2MQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
YW5jaXNjbzEZMBcGA1UEChMQb3JnMy5leGFtcGxlLmNvbTEfMB0GA1UEAxMWdGxz
Y2Eub3JnMy5leGFtcGxlLmNvbTAeFw0xOTA2MTAyMDMzMDBaFw0yOTA2MDcyMDMz
MDBaMHYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
Ew1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBvcmczLmV4YW1wbGUuY29tMR8wHQYD
VQQDExZ0bHNjYS5vcmczLmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0D
AQcDQgAE2xKprFF8H/RnSu83WGzUVCkX+bT0AITwqXvEAK1boetRYVkv+6+XbjZv
mSqF4BQi3YuNwmGsWYt4g5JFapbvkqNtMGswDgYDVR0PAQH/BAQDAgGmMB0GA1Ud
JQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1Ud
DgQiBCDEL9GBbMIDo52mlHvKKFv24aj4kvK/KN1on5krzqlbeDAKBggqhkjOPQQD
AgNHADBEAiAupr4BSrtEB+8lcQdYbimCbQ1oLrJzv04RTPg/vYvGdQIgdj4aRwwK
onYTCIso8tHBwyz7kYsqw49nfFOGHXuqneA=
-----END CERTIFICATE-----
```

nyet (Tue, 11 Jun 2019 17:51:58 GMT):
oh sorry i was wrong they are different CAs

nyet (Tue, 11 Jun 2019 17:52:07 GMT):
they have different signing constraints

Antimttr (Tue, 11 Jun 2019 17:52:37 GMT):
yet in the docker config for that balance-transfer network

Antimttr (Tue, 11 Jun 2019 17:52:47 GMT):
they seemingly use the same cert for both tlsca and ca

nyet (Tue, 11 Jun 2019 17:54:13 GMT):
yea i think some demos share CAs, some don't, it's confusing

Antimttr (Tue, 11 Jun 2019 17:54:30 GMT):
however, also in balance-transfer the CA and TLSCA directories for a peer org do contain different certs

Antimttr (Tue, 11 Jun 2019 17:54:54 GMT):
so it's like they have a separate TLSCA certificate, but they're not using it in the docker config when launching the ca-server

Antimttr (Tue, 11 Jun 2019 17:55:07 GMT):
instead they're using the one in CA/

nyet (Tue, 11 Jun 2019 17:55:58 GMT):
yes, that is what was confusing me

nyet (Tue, 11 Jun 2019 17:56:07 GMT):
the ca-server ONLY uses the ca keypair

nyet (Tue, 11 Jun 2019 17:56:14 GMT):
it does not reference the tlsca keypair

Antimttr (Tue, 11 Jun 2019 17:56:16 GMT):
right

Antimttr (Tue, 11 Jun 2019 17:56:19 GMT):
that's confusing af

Antimttr (Tue, 11 Jun 2019 17:56:21 GMT):
:P

nyet (Tue, 11 Jun 2019 17:56:36 GMT):
yea i have a note in my spreadsheet with that same observation /)

Antimttr (Tue, 11 Jun 2019 17:56:37 GMT):
perhaps @mastersingh24 would know the logic

nyet (Tue, 11 Jun 2019 17:56:45 GMT):
i think it is just for simplicity

Antimttr (Tue, 11 Jun 2019 17:57:35 GMT):
so when you generated the tls ca cert for your ca-server, you're talking about the one in CA/ or the one in TLSCA/ ?

nyet (Tue, 11 Jun 2019 17:57:42 GMT):
tlsca

Antimttr (Tue, 11 Jun 2019 17:57:54 GMT):
and how do you generate the one in CA/ ?

Antimttr (Tue, 11 Jun 2019 17:57:58 GMT):
or do you just skip that?

nyet (Tue, 11 Jun 2019 17:57:58 GMT):
the ca-server doesn't need the tlsca in the cryptogen case because it is assumed it won't be used for enrolling tls certs

nyet (Tue, 11 Jun 2019 17:58:14 GMT):
i generate 3 self signed pairs

nyet (Tue, 11 Jun 2019 17:58:18 GMT):
1 tlsca and 2 org cas

Antimttr (Tue, 11 Jun 2019 17:59:00 GMT):
yeah i think that's where i'm getting hung up because i haven't seen any of these fabric-samples using a separate tls-ca

Antimttr (Tue, 11 Jun 2019 17:59:04 GMT):
they only use the org ca

nyet (Tue, 11 Jun 2019 17:59:17 GMT):
the assumption is that you are going to distribute tls certs out of band

nyet (Tue, 11 Jun 2019 17:59:27 GMT):
i THINK that is the source of the confusion

nyet (Tue, 11 Jun 2019 18:00:02 GMT):
and, in fact, that is the model i started with since we do that with letsencrypt for all other projects

nyet (Tue, 11 Jun 2019 18:00:58 GMT):
btw thanks for bringing this stuff up, now i don't feel alone and i have someone else to double check my assumptions

Antimttr (Tue, 11 Jun 2019 18:01:02 GMT):
so the hierarchy you're building, you have one TLSCA that issues tls certificates to each of the org CAs?

nyet (Tue, 11 Jun 2019 18:01:19 GMT):
no think of tls as a completely independent plane

nyet (Tue, 11 Jun 2019 18:01:31 GMT):
it is ONLY for tcp encryption

Antimttr (Tue, 11 Jun 2019 18:01:49 GMT):
so then for each org in your ledger, you have a tlsca, and 2 org CAs?

nyet (Tue, 11 Jun 2019 18:02:03 GMT):
the tlsca is global for everyone

Antimttr (Tue, 11 Jun 2019 18:02:07 GMT):
ok

nyet (Tue, 11 Jun 2019 18:02:08 GMT):
each org gets a separate org ca

nyet (Tue, 11 Jun 2019 18:02:27 GMT):
think of it as "almost" out of band

Antimttr (Tue, 11 Jun 2019 18:02:31 GMT):
are you building your platform to work off a single domain?

nyet (Tue, 11 Jun 2019 18:02:33 GMT):
we're using it as a letsencrypt substitute

Antimttr (Tue, 11 Jun 2019 18:02:40 GMT):
or would this scenario work for different domains?

nyet (Tue, 11 Jun 2019 18:03:07 GMT):
domains as in dns? that's why i'm using a private tlsca so we don't have to deal with a 3rd party tls cert issuer

Antimttr (Tue, 11 Jun 2019 18:03:12 GMT):
i would think the tlsca would only be able to issue tls certs for the domain for which its TLS cert is issued

nyet (Tue, 11 Jun 2019 18:03:24 GMT):
well that's why using your own tlsca is fine

nyet (Tue, 11 Jun 2019 18:03:30 GMT):
you can issue for ANY domain

Antimttr (Tue, 11 Jun 2019 18:03:34 GMT):
ahh

Antimttr (Tue, 11 Jun 2019 18:03:35 GMT):
ok

nyet (Tue, 11 Jun 2019 18:03:43 GMT):
it's literally wide open

nyet (Tue, 11 Jun 2019 18:04:13 GMT):
anyone that trusts your tlsca pub can be fooled into talking to anything, for better or for worse

nyet (Tue, 11 Jun 2019 18:04:23 GMT):
that's the down side

Antimttr (Tue, 11 Jun 2019 18:04:24 GMT):
right

Antimttr (Tue, 11 Jun 2019 18:04:39 GMT):
well as long as the certs are only being used in the context of the hyperledger

Antimttr (Tue, 11 Jun 2019 18:04:44 GMT):
and you haven't exposed the keys

nyet (Tue, 11 Jun 2019 18:04:45 GMT):
that's how deep inspection works in corp MITM firewalls

Antimttr (Tue, 11 Jun 2019 18:04:47 GMT):
i think that is ok

nyet (Tue, 11 Jun 2019 18:04:50 GMT):
ya

nyet (Tue, 11 Jun 2019 18:05:35 GMT):
the idea is DO NOT add your tlsca to the external ssl trusted cas

nyet (Tue, 11 Jun 2019 18:05:38 GMT):
that's mega super ungood

nyet (Tue, 11 Jun 2019 18:05:47 GMT):
like you said, restrict it to hlf

Antimttr (Tue, 11 Jun 2019 18:05:57 GMT):
so the tlsca, is there any different configuration that fabric-ca-server needs to be launched with? i'm assuming `FABRIC_CA_SERVER_TLS_ENABLED=true`

Antimttr (Tue, 11 Jun 2019 18:06:08 GMT):
but even the org CAs have that enabled

nyet (Tue, 11 Jun 2019 18:06:12 GMT):
no that's for tls itself

nyet (Tue, 11 Jun 2019 18:06:15 GMT):
not for ca functionality

nyet (Tue, 11 Jun 2019 18:06:25 GMT):
you can run the ca server w/o any tls encryption

Antimttr (Tue, 11 Jun 2019 18:06:39 GMT):
so do you use the fabric-ca-server docker image for the tlsca?

nyet (Tue, 11 Jun 2019 18:06:42 GMT):
yea

Antimttr (Tue, 11 Jun 2019 18:06:45 GMT):
ok

mastersingh24 (Tue, 11 Jun 2019 18:58:59 GMT):
In the samples, the Fabric CA is only used to issue enrollment certificates. The TLS CA keypair is simply provided in case someone wants to generate additional TLS certs and/or spin up a Fabric CA instance for issuing TLS certs. To be honest, I don't really like the Fabric CA for issuing TLS certs. We do use it in IBM as well, but I don't like it ;)

Antimttr (Tue, 11 Jun 2019 18:59:58 GMT):
so if i want to issue tls certificates (like for peers or orderers) then i'd need to specify a different tls cert?

Antimttr (Tue, 11 Jun 2019 19:00:05 GMT):
like the one from the tlsca/ directory?

nyet (Tue, 11 Jun 2019 19:00:33 GMT):
what do you mean by issue?

nyet (Tue, 11 Jun 2019 19:00:35 GMT):
you mean enroll?

Antimttr (Tue, 11 Jun 2019 19:00:44 GMT):
yeah like generate the artifacts i need to run them

nyet (Tue, 11 Jun 2019 19:00:49 GMT):
you have to specify 1) the tls instance of the ca server (if it isn't the main instance) 2) the tls profile

nyet (Tue, 11 Jun 2019 19:01:28 GMT):
then you have to extract the _sk from keystore/ and the pub from signcerts/

Antimttr (Tue, 11 Jun 2019 19:01:31 GMT):
because it can fake domain names?

mastersingh24 (Tue, 11 Jun 2019 19:02:54 GMT):
Mainly because it's really designed for issuing the enrollment material for peers, client and orderers .... TLS is more of an afterthought. You might actually want to check out `cfssl`

mastersingh24 (Tue, 11 Jun 2019 19:03:15 GMT):
it was built by CloudFlare for issuing TLS certs

Antimttr (Tue, 11 Jun 2019 19:03:51 GMT):
@mastersingh24 the only reason i really care about tls certs being issued is because i thought the peers need them:
```
├── peers
│   ├── peer0.org2.example.com
│   │   ├── msp
│   │   │   ├── admincerts
│   │   │   │   └── Admin@org2.example.com-cert.pem
│   │   │   ├── cacerts
│   │   │   │   └── ca.org2.example.com-cert.pem
│   │   │   ├── keystore
│   │   │   │   └── 0d9f72608133ee627b570b6af6877666bc8f365746f9329d6dd8a5f54e53e2ab_sk
│   │   │   ├── signcerts
│   │   │   │   └── peer0.org2.example.com-cert.pem
│   │   │   └── tlscacerts
│   │   │       └── tlsca.org2.example.com-cert.pem
│   │   └── tls
│   │       ├── ca.crt
│   │       ├── server.crt
│   │       └── server.key
```

nyet (Tue, 11 Jun 2019 19:04:02 GMT):
yes, the peers need tls certs

Antimttr (Tue, 11 Jun 2019 19:04:06 GMT):
like this for example, a peer has a tls dir and it has its own server.crt and server.key

Antimttr (Tue, 11 Jun 2019 19:04:20 GMT):
that's a tls cert if i understand correctly

mastersingh24 (Tue, 11 Jun 2019 19:04:55 GMT):
Yes ... in a real deployment, you would use TLS so the samples provide config that uses TLS

nyet (Tue, 11 Jun 2019 19:04:59 GMT):
server.crt comes from signcerts, server.key is the _sk from keystore (if you use fabric-ca-client enroll)

nyet (Tue, 11 Jun 2019 19:05:22 GMT):
or you use letsencrypt like with any other tls keypair (e.g. https server)

Antimttr (Tue, 11 Jun 2019 19:05:27 GMT):
yeah, i'm writing software for a real deployment so i guess that's why tls is important

nyet (Tue, 11 Jun 2019 19:05:42 GMT):
if you're familiar with issuing certs for https servers, it's no different

Antimttr (Tue, 11 Jun 2019 19:05:51 GMT):
although my application might be a bit different, i'm aiming for a more centralized than distributed application of hyperledger fabric

nyet (Tue, 11 Jun 2019 19:05:57 GMT):
or any other tls servers (e.g. smtp, imap etc)

adityanalge (Tue, 11 Jun 2019 19:06:14 GMT):
While using the fabric-client to enroll an identity with the fabric-server, the cert that is generated is being issued by the ca-cert irrespective of the tls profile being enabled or disabled. Shouldn't the cert be issued by the tls-ca-cert if tls profile is enabled?

nyet (Tue, 11 Jun 2019 19:07:08 GMT):
no those are independent things

nyet (Tue, 11 Jun 2019 19:07:19 GMT):
the ca-instance has no way of knowing if it is a tls server or not

Antimttr (Tue, 11 Jun 2019 19:07:27 GMT):
perhaps i should just prompt the user for a tls cert for the fabric-ca-server, use that certificate, which would be a legit tls cert issued by a real authority

nyet (Tue, 11 Jun 2019 19:07:45 GMT):
you don't want the user to be uploading private keys imo

Antimttr (Tue, 11 Jun 2019 19:07:49 GMT):
i kind of like the idea of doing the certs internally though, not signed by a legit CA server

Antimttr (Tue, 11 Jun 2019 19:08:33 GMT):
@nyet why not? just because of the risk of having it on the server?

nyet (Tue, 11 Jun 2019 19:08:43 GMT):
in general i don't like the practice.

nyet (Tue, 11 Jun 2019 19:09:09 GMT):
moving private keys around should never be necessary, they should all be done autonomously

nyet (Tue, 11 Jun 2019 19:09:16 GMT):
or via some secure out of band method

nyet (Tue, 11 Jun 2019 19:09:48 GMT):
the signing service the ca-server provides is a good example, just like letsencrypt or that cloudflare service gary suggested

nyet (Tue, 11 Jun 2019 19:10:12 GMT):
it's one thing to allow the user to push pub keys

nyet (Tue, 11 Jun 2019 19:10:49 GMT):
but priv keys, imo, is a recipe for disaster. then again, i'm kind of paranoid and suspicious of all the "API" key stuff providers do

nyet (Tue, 11 Jun 2019 19:11:16 GMT):
"hey download this private API key and copy/paste it into your app" ... argh!

adityanalge (Tue, 11 Jun 2019 19:11:26 GMT):
So Nyet, if you decode the signcert and server.crt, the signcert for peer0.org1.example.com is issued by ca.org1.example.com and org1.example.com. The server.crt is issued by tlsca.org1.example.com and org1.example.com.

nyet (Tue, 11 Jun 2019 19:12:19 GMT):
I would not look at tlsca's as belonging to an org at all. they are a separate plane from the rest of the hlf key infrastructure

nyet (Tue, 11 Jun 2019 19:12:57 GMT):
issuing server tls keys is a generic service, and ca-server happens to have that ability

adityanalge (Tue, 11 Jun 2019 19:13:39 GMT):
So the sign cert we can get from fabric-server by enrolling the peer without the profile set to tls, right. Can we not get the server.crt from the fabric-server as well by setting the profile to tls?

nyet (Tue, 11 Jun 2019 19:13:40 GMT):
it just crowbars that into the MSP structure (rather inelegantly by necessity)

Antimttr (Tue, 11 Jun 2019 19:13:48 GMT):
so does that imply you could use ANY of the fabric-ca-servers to issue tls keys in that way?

nyet (Tue, 11 Jun 2019 19:13:53 GMT):
yes

nyet (Tue, 11 Jun 2019 19:14:13 GMT):
you can use any ca-server to issue a tls server key pair

nyet (Tue, 11 Jun 2019 19:14:27 GMT):
if you expect the client to trust that server, that client needs to trust the pub ca key that signed that pair

adityanalge (Tue, 11 Jun 2019 19:14:38 GMT):
yes.

adityanalge (Tue, 11 Jun 2019 19:14:53 GMT):
but the pub ca key that is signing the cert is the ca key and not the tls key

adityanalge (Tue, 11 Jun 2019 19:15:00 GMT):
as it is in cryptogen

nyet (Tue, 11 Jun 2019 19:15:26 GMT):
yes, but you don't have to do it that way. you can set up a separate tls instance. you still have to use the tls profile when enrolling with that instance though

nyet (Tue, 11 Jun 2019 19:16:07 GMT):
the profile is there because a tls key is necessarily very different from an endorsement key

nyet (Tue, 11 Jun 2019 19:16:29 GMT):
they have completely different functions, and the cert itself has different attributes (the most obvious being SANs)

Antimttr (Tue, 11 Jun 2019 19:17:11 GMT):
so do you use the enroll command in the fabric-ca-client to get a tls cert?

nyet (Tue, 11 Jun 2019 19:17:23 GMT):
yes

adityanalge (Tue, 11 Jun 2019 19:17:31 GMT):
you use the enroll command with --enrollment.profile tls

adityanalge (Tue, 11 Jun 2019 19:17:33 GMT):
flag

nyet (Tue, 11 Jun 2019 19:17:51 GMT):
and you specify the tls instance of the ca-server you are talking to (that is a different thing than the profile)

nyet (Tue, 11 Jun 2019 19:18:02 GMT):
in our set up, the tls instance is the default instance

Antimttr (Tue, 11 Jun 2019 19:18:09 GMT):
and you use --csr.hosts to specify the domain name?

adityanalge (Tue, 11 Jun 2019 19:18:13 GMT):
I have only one instance

adityanalge (Tue, 11 Jun 2019 19:18:21 GMT):
that serves both ca and tls

nyet (Tue, 11 Jun 2019 19:18:54 GMT):
yes, --csr.hosts end up in the SAN section

adityanalge (Tue, 11 Jun 2019 19:19:16 GMT):
how would I go about setting a solo tls instance?

nyet (Tue, 11 Jun 2019 19:19:19 GMT):
and only applies to the tls profile

nyet (Tue, 11 Jun 2019 19:19:32 GMT):
set up another ca-server

Antimttr (Tue, 11 Jun 2019 19:19:34 GMT):
tls profile..

Antimttr (Tue, 11 Jun 2019 19:19:40 GMT):
ok i need to figure out what that is

nyet (Tue, 11 Jun 2019 19:19:42 GMT):
but why do that when you can just use the same container for multiple instances?

adityanalge (Tue, 11 Jun 2019 19:20:13 GMT):
so assume a simple network with only one org

adityanalge (Tue, 11 Jun 2019 19:20:38 GMT):
i setup a container. It has one main tls instance. It has one more instance with tls disabled

adityanalge (Tue, 11 Jun 2019 19:20:58 GMT):
The peer sign certs come from the tls disabled instance, and the tls certs come from the main tls instance

adityanalge (Tue, 11 Jun 2019 19:21:01 GMT):
is that correct?

nyet (Tue, 11 Jun 2019 19:21:33 GMT):
yes but you don't have to actually disable tls

nyet (Tue, 11 Jun 2019 19:21:39 GMT):
if you mean disable the tls profile

nyet (Tue, 11 Jun 2019 19:21:45 GMT):
just don't use the tls profile with the non-tls instance

nyet (Tue, 11 Jun 2019 19:22:15 GMT):
the distinguishing feature between the two instances is really only which ca pair they use

adityanalge (Tue, 11 Jun 2019 19:23:32 GMT):
what is the connection between the msp/tlscacerts/tlsca.org2.example.com-cert.pem and the tls/ca.crt ? They are the same certificate right?

nyet (Tue, 11 Jun 2019 19:23:45 GMT):
yep same cert

nyet (Tue, 11 Jun 2019 19:24:17 GMT):
it's confusing because the cryptogen generated directories have dozens of copies of things

adityanalge (Tue, 11 Jun 2019 19:24:27 GMT):
and relation between msp/tlscacerts/tlsca.org2.example.com-cert.pem and msp/cacerts/ca.org2.example.com-cert.pem?

nyet (Tue, 11 Jun 2019 19:24:47 GMT):
will be different if you separate tlsca from eca

adityanalge (Tue, 11 Jun 2019 19:25:01 GMT):
eca?

adityanalge (Tue, 11 Jun 2019 19:25:12 GMT):
oh ca

Antimttr (Tue, 11 Jun 2019 19:25:24 GMT):
ahhh

nyet (Tue, 11 Jun 2019 19:25:34 GMT):
eca is endorsing ca

nyet (Tue, 11 Jun 2019 19:26:02 GMT):
eerr

nyet (Tue, 11 Jun 2019 19:26:06 GMT):
i mean tca

nyet (Tue, 11 Jun 2019 19:26:08 GMT):
transaction ca

nyet (Tue, 11 Jun 2019 19:26:08 GMT):
sorry

nyet (Tue, 11 Jun 2019 19:26:14 GMT):
eca is for enrollment didn't mean to confuse things.

adityanalge (Tue, 11 Jun 2019 19:26:34 GMT):
```
./fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --enrollment.profile tls
```

nyet (Tue, 11 Jun 2019 19:26:36 GMT):
the ECA can also be independent

nyet (Tue, 11 Jun 2019 19:26:57 GMT):
tca not eca sorry

nyet (Tue, 11 Jun 2019 19:27:03 GMT):
transaction CA

adityanalge (Tue, 11 Jun 2019 19:27:17 GMT):
My main issue is that the certificate generated by this command is being issued by ca-cert and not the tls-cert.

Antimttr (Tue, 11 Jun 2019 19:28:00 GMT):
```
$ fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --enrollment.profile tls
2019/06/11 20:27:38 [INFO] TLS Enabled
Error: Failed to get client TLS config: No trusted root certificates for TLS were provided
```

Antimttr (Tue, 11 Jun 2019 19:28:01 GMT):
interesting

adityanalge (Tue, 11 Jun 2019 19:28:22 GMT):
pass --tls.certfiles 'path/to/serverTLScert'

nyet (Tue, 11 Jun 2019 19:28:31 GMT):
look at your ca-server configs. Does it refer to the tls ca? in the examples, none of them do

nyet (Tue, 11 Jun 2019 19:28:50 GMT):
the ca-server doesn't even know the tlsca certs exist.

Antimttr (Tue, 11 Jun 2019 19:28:51 GMT):
you mean the one in docker-composer.yaml?

nyet (Tue, 11 Jun 2019 19:29:52 GMT):
ugh sorry i hate rocket chat threading :/

nyet (Tue, 11 Jun 2019 19:29:59 GMT):
not sure where to answer that ;)

adityanalge (Tue, 11 Jun 2019 19:30:24 GMT):
It does. The debug logs state Generated TLS certificate

nyet (Tue, 11 Jun 2019 19:30:49 GMT):
that's the server cert itself, not the tlsca

nyet (Tue, 11 Jun 2019 19:31:05 GMT):
and iirc it signs that with the ca not the tlsca

adityanalge (Tue, 11 Jun 2019 19:31:18 GMT):
so how do I get it to sign with tlsca?

nyet (Tue, 11 Jun 2019 19:31:36 GMT):
again, a separate instance

adityanalge (Tue, 11 Jun 2019 19:31:44 GMT):
cool. so I am gonna try that

nyet (Tue, 11 Jun 2019 19:31:49 GMT):
not sure why you insist on using the single instance example as the reference here :)

nyet (Tue, 11 Jun 2019 19:32:06 GMT):
the single instance example does NOT KNOW about the tlsca certs at all

adityanalge (Tue, 11 Jun 2019 19:33:14 GMT):
how does the multiple instance one know?

nyet (Tue, 11 Jun 2019 19:33:55 GMT):
each instance gets a separate configuration file. that part is documented quite well.

Antimttr (Tue, 11 Jun 2019 19:33:59 GMT):
```
$ fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --tls.certfiles '/home/mwest/fabric-samples/fabric-samples/balance-transfer/artifacts/channel/crypto-config/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem' --enrollment.profile tls
2019/06/11 20:33:02 [INFO] TLS Enabled
2019/06/11 20:33:02 [INFO] generating key: &{A:ecdsa S:256}
2019/06/11 20:33:02 [INFO] encoded CSR
Error: POST failure of request: POST https://localhost:7054/enroll {"hosts":["mwestmct.mctlive.com"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBSTCB8QIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEp958EEn4bYQHHK8c\nBtGDepOInImMa55g2aJ1EVyMESm6IUQ81/9ehJ0L0ARsDp1NxZBOZXUwIiVlwwhW\nNLD3HqAyMDAGCSqGSIb3DQEJDjEjMCEwHwYDVR0RBBgwFoIUbXdlc3RtY3QubWN0\nbGl2ZS5jb20wCgYIKoZIzj0EAwIDRwAwRAIgaFgiWBl5JQklESqz+2CGhwaKU5Je\nslmqh80secYWVI8CIEMzYXfVGsXKmS0RcnOVy4IzPe+9lv8IsN+D4JWqscGp\n-----END CERTIFICATE REQUEST-----\n","profile":"tls","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post https://localhost:7054/enroll: x509: certificate is valid for ca.org1.example.com, not localhost
```

adityanalge (Tue, 11 Jun 2019 19:34:21 GMT):
pass ca.org1.example.com instead of localhost

adityanalge (Tue, 11 Jun 2019 19:34:30 GMT):
add ca.org1.example.com to your /etc/hosts file

nyet (Tue, 11 Jun 2019 19:34:30 GMT):
or issue a cert with localhost in the SAN

nyet (Tue, 11 Jun 2019 19:34:36 GMT):
ugh no

nyet (Tue, 11 Jun 2019 19:34:38 GMT):
thats crap

nyet (Tue, 11 Jun 2019 19:34:41 GMT):
don't touch /etc/hosts

adityanalge (Tue, 11 Jun 2019 19:34:46 GMT):
okay

nyet (Tue, 11 Jun 2019 19:34:49 GMT):
use a real DNS server or fix the SAN

Antimttr (Tue, 11 Jun 2019 19:34:55 GMT):
heh think i already did that

adityanalge (Tue, 11 Jun 2019 19:34:57 GMT):
what's this? -> or issue a cert with localhost in the SAN

Antimttr (Tue, 11 Jun 2019 19:35:03 GMT):
added hosts in my hosts files to use the client

nyet (Tue, 11 Jun 2019 19:35:04 GMT):
/etc/hosts stuff is fragile as hell

adityanalge (Tue, 11 Jun 2019 19:35:05 GMT):
a new tls cert?

nyet (Tue, 11 Jun 2019 19:35:20 GMT):
you're asking for tons of problems if you rely on modifying /etc/hosts

adityanalge (Tue, 11 Jun 2019 19:35:28 GMT):
interesting

nyet (Tue, 11 Jun 2019 19:35:42 GMT):
it's the worst common practice ever imo heh

Antimttr (Tue, 11 Jun 2019 19:35:52 GMT):
yeah I'm only doing it for my local dev environment

nyet (Tue, 11 Jun 2019 19:36:00 GMT):
it's mostly done because nobody seems to understand DNS :/

nyet (Tue, 11 Jun 2019 19:36:42 GMT):
incidentally, i also sign the ca-server tls server keys by hand

nyet (Tue, 11 Jun 2019 19:36:47 GMT):
so i CAN modify the SAN

nyet (Tue, 11 Jun 2019 19:36:54 GMT):
the autogenerated server keys are kind of limited

nyet (Tue, 11 Jun 2019 19:37:31 GMT):
on the DNS side, the fabric-sdk-go has this whole crazy hostname mapping section

nyet (Tue, 11 Jun 2019 19:37:47 GMT):
where you can remap hosts to different names to get around tls issues ;/

nyet (Tue, 11 Jun 2019 19:37:54 GMT):
not sure if node sdk has that

Antimttr (Tue, 11 Jun 2019 19:44:26 GMT):
```
$ fabric-ca-client enroll -u https://admin:adminpw@ca.org1.example.com:7054 --tls.certfiles '/home/mwest/fabric-samples/fabric-samples/balance-transfer/artifacts/channel/crypto-config/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem' --enrollment.profile tls
2019/06/11 20:43:45 [INFO] TLS Enabled
2019/06/11 20:43:45 [INFO] generating key: &{A:ecdsa S:256}
2019/06/11 20:43:45 [INFO] encoded CSR
Error: POST failure of request: POST https://ca.org1.example.com:7054/enroll {"hosts":["mwestmct.mctlive.com"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBSjCB8QIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEpww/73X4V7EFhYTU\nIQ+08qhFEwlmZOHfpgnVJchNIQbjrE8vLCMF49rgYAh3I7vVCeXjeMaNvg4sfzzn\ni7ykDqAyMDAGCSqGSIb3DQEJDjEjMCEwHwYDVR0RBBgwFoIUbXdlc3RtY3QubWN0\nbGl2ZS5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAMFKJKJFf0PMl+VFaL8o0Zt/hbGq\nB9D8WNyPIylqDjldAiA0sBOGDj+smamSYTDuMEH5HHCOJfqGdnuniq1xyoqBpg==\n-----END CERTIFICATE REQUEST-----\n","profile":"tls","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post https://ca.org1.example.com:7054/enroll: x509: certificate signed by unknown authority
```

Antimttr (Tue, 11 Jun 2019 19:44:57 GMT):
so that would be my cert but no key, unless it sticks it somewhere else

Antimttr (Tue, 11 Jun 2019 19:49:18 GMT):
think I'm going to use openssl to generate the tls key/cert

Antimttr (Tue, 11 Jun 2019 19:50:20 GMT):
```
Common Name: Certificate Authority
Valid From: June 11, 2019
Valid To: June 8, 2029
Serial Number: 18329021003636881046 (0xfe5dc37dd2733696)
```

Antimttr (Tue, 11 Jun 2019 19:50:27 GMT):
just need to give it some more parameters I think

Antimttr (Tue, 11 Jun 2019 19:55:15 GMT):
so the common name should be the domain of the new org I believe

Antimttr (Tue, 11 Jun 2019 19:55:45 GMT):
nm, that's the organization name; common name would be the address of the new ca server

Antimttr (Tue, 11 Jun 2019 20:09:54 GMT):
```
openssl req -new -days 3650 -nodes -x509 -subj "/C=US/ST=California/L=San Francisco/O=org3.example.com/CN=tlsca.org3.example.com" -key ca.key -out ca.crt
```

Antimttr (Tue, 11 Jun 2019 20:09:55 GMT):
bam

Antimttr (Tue, 11 Jun 2019 20:09:59 GMT):
that does the trick

Antimttr (Tue, 11 Jun 2019 20:10:21 GMT):
that's exactly the kind of cert being issued by cryptogen

Antimttr (Tue, 11 Jun 2019 20:14:39 GMT):
And I can make it for any domain name:
```
Certificate Information:
Common Name: Google Inc.
Organization: www.google.com
Locality: San Francisco
State: California
Country: US
Valid From: June 11, 2019
Valid To: June 8, 2029
Issuer: Google Inc., www.google.com
Serial Number: 12495611852044273492 (0xad6954c65c428754)
```

Antimttr (Tue, 11 Jun 2019 20:45:46 GMT):
seems like it's very straightforward to just generate all the crypto assets in the artifacts for a new org by using openssl commands directly, if I'm not mistaken

Antimttr (Tue, 11 Jun 2019 20:46:06 GMT):
of course I haven't done it yet, so easier said than done

Antimttr (Tue, 11 Jun 2019 20:46:09 GMT):
but I'm going to try it

Antimttr (Tue, 11 Jun 2019 20:47:18 GMT):
(famous last words)

Antimttr (Tue, 11 Jun 2019 20:51:01 GMT):
@nyet you said there was some sort of scoping difference between the certs in ca/ vs the ones in tlsca/ are you just talking about the Common Name difference or are there other parts of the cert that are configured differently?

adityanalge (Tue, 11 Jun 2019 20:56:39 GMT):
good question

Antimttr (Tue, 11 Jun 2019 20:56:51 GMT):
is there any particular reason the long random filename format is being used in the fabric samples for key files? example: 2fd964eeaebdf6e39fe6f60d2a9dd5e33e831b66886ac5498cf60d49cd31beb1_sk

Antimttr (Tue, 11 Jun 2019 20:57:04 GMT):
just wondering if I should adopt the same naming scheme

adityanalge (Tue, 11 Jun 2019 20:57:41 GMT):
There is. Even I have not been able to decode the relation between the secret key name and its content.

adityanalge (Tue, 11 Jun 2019 20:58:19 GMT):
If you rename the file as say ca-private-key and pass it to the server config, it will add the secret key to msp/keystore with the original name

Antimttr (Tue, 11 Jun 2019 20:58:37 GMT):
weird

adityanalge (Tue, 11 Jun 2019 20:59:40 GMT):
This comes in handy when you work with user contexts. The key's name is stored under signing identity in the user context

adityanalge (Tue, 11 Jun 2019 21:00:17 GMT):
Open Question: How is the secret key's name derived from the secret key?
```
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQghfuTJ6F03u42cCoc
cBXQ32oiDFcEuBV8tYWsa17kITahRANCAARenqvZ/nXipdFaufBiNT6EJIsyn7Mt
by0A4YbUICAocz3MIcepTe9nUu11ClSaZVa3UGY1zKWjfYbjpbcUK0le
-----END PRIVATE KEY-----
```
```
bbf98ed350d263e57d1294e1d46f4f0e95129c7b9cd0f1dcb7abff6b56fba768_sk
```

Antimttr (Tue, 11 Jun 2019 21:00:17 GMT):
huh maybe they're all in the same namespace

Antimttr (Tue, 11 Jun 2019 21:00:37 GMT):
could be just a hash of the key

Antimttr (Tue, 11 Jun 2019 21:01:13 GMT):
that would be my guess anyways

nyet (Tue, 11 Jun 2019 21:17:39 GMT):
https://jira.hyperledger.org/browse/FABC-60 `openssl x509 -noout -pubkey -in cert.pem | openssl ec -pubin -outform d | dd ibs=26 skip=1 | openssl dgst -sha256`

nyet (Tue, 11 Jun 2019 21:17:47 GMT):
which I posted before :)

nyet (Tue, 11 Jun 2019 21:18:10 GMT):
and yes, there are various things you have to send to openssl to get the constraints in a way that fabric is happy about

nyet (Tue, 11 Jun 2019 21:19:55 GMT):
For ca certs:
```
key_usage_critical: true
key_usage: 'Certificate Sign,CRL Sign'
basic_constraints_critical: true
basic_constraints: 'CA:TRUE'
```

nyet (Tue, 11 Jun 2019 21:20:33 GMT):
getting the SKI into a signed key isn't easy either

nyet (Tue, 11 Jun 2019 21:20:44 GMT):
https://stackoverflow.com/questions/21179132/create-self-signed-certificate-with-subject-key-identifier

nyet (Tue, 11 Jun 2019 21:21:26 GMT):
For tls certs:
```
key_usage_critical: true
key_usage: 'Digital Signature,Key Encipherment,Key Agreement'
extended_key_usage: 'TLS Web Client Authentication,TLS Web Server Authentication'
basic_constraints_critical: true
basic_constraints: 'CA:FALSE'
```

nyet (Tue, 11 Jun 2019 21:21:43 GMT):
there are various other issues; you'll get to find them one by one :/

Antimttr (Tue, 11 Jun 2019 21:23:56 GMT):
I was playing around with the docker fabric server

Antimttr (Tue, 11 Jun 2019 21:24:07 GMT):
and it seems to create at least the cert all by itself

Antimttr (Tue, 11 Jun 2019 21:24:21 GMT):
cert and keystore

Antimttr (Tue, 11 Jun 2019 21:24:47 GMT):
but it's using generic settings:

Antimttr (Tue, 11 Jun 2019 21:24:55 GMT):
```
Certificate Information:
Common Name: fabric-ca-server
Organization: Hyperledger
Organization Unit: Fabric
State: North Carolina
Country: US
Valid From: June 11, 2019
Valid To: June 7, 2034
Issuer: fabric-ca-server, Hyperledger
Serial Number: 39a9c6036c075966cba29fefb67097c47a0edf5c
```

Antimttr (Tue, 11 Jun 2019 21:26:06 GMT):
so what is the idea with the SKI? why would you need the ski?

nyet (Tue, 11 Jun 2019 21:27:04 GMT):
mostly so fabric can figure out which private key in keystore to use with a given public key

nyet (Tue, 11 Jun 2019 21:27:28 GMT):
also, if doing tls enroll, so you know what the name of the _sk file is to move it to server.key

nyet (Tue, 11 Jun 2019 21:27:35 GMT):
(potentially via a script)

Antimttr (Tue, 11 Jun 2019 21:28:03 GMT):
so the ski is that long random string that the keyfiles are renamed to?

nyet (Tue, 11 Jun 2019 21:28:10 GMT):
yes

Antimttr (Tue, 11 Jun 2019 21:28:31 GMT):
and do you set that using RNG? or is it some sort of hash of the key?

nyet (Tue, 11 Jun 2019 21:28:42 GMT):
it's a hash of (part of) the key

nyet (Tue, 11 Jun 2019 21:29:08 GMT):
for rsa keys it is a standard and part of the pem encoding

nyet (Tue, 11 Jun 2019 21:29:15 GMT):
for ecdsa it's just appended :/

nyet (Tue, 11 Jun 2019 21:29:24 GMT):
kind of frustrating

Antimttr (Tue, 11 Jun 2019 21:29:49 GMT):
ahh ok so that's why you have to use `subjectKeyIdentifier=hash` in the openssl config

nyet (Tue, 11 Jun 2019 21:30:10 GMT):
sort of, that is only part of it

nyet (Tue, 11 Jun 2019 21:30:26 GMT):
hash is actually the default iirc

nyet (Tue, 11 Jun 2019 21:30:36 GMT):
so I don't think that's strictly required

nyet (Tue, 11 Jun 2019 21:32:02 GMT):
also this will bite you in the ass eventually if you self-sign CAs: https://jira.hyperledger.org/browse/FABC-832

Antimttr (Tue, 11 Jun 2019 21:36:23 GMT):
fun

Antimttr (Tue, 11 Jun 2019 21:43:32 GMT):
there're some interesting differences between your parameters for openssl and the ones @mastersingh24 posted earlier,
```
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
```

Antimttr (Tue, 11 Jun 2019 21:43:49 GMT):
minor I suppose, like he's got no space between key and encipherment

nyet (Tue, 11 Jun 2019 21:43:57 GMT):
depends on context

Antimttr (Tue, 11 Jun 2019 21:44:06 GMT):
also his extended key usages are totally different

nyet (Tue, 11 Jun 2019 21:44:06 GMT):
the latest ansible requires no spaces

Antimttr (Tue, 11 Jun 2019 21:44:15 GMT):
gotcha

nyet (Tue, 11 Jun 2019 21:44:29 GMT):
openssl extension syntax is different

Antimttr (Tue, 11 Jun 2019 21:45:03 GMT):
oh I thought you were pasting stuff above for openssl

Antimttr (Tue, 11 Jun 2019 21:45:08 GMT):
is that for the fabric-ca?

nyet (Tue, 11 Jun 2019 21:45:17 GMT):
that was in ansible

nyet (Tue, 11 Jun 2019 21:45:29 GMT):
not native openssl extension file parameter syntax

nyet (Tue, 11 Jun 2019 21:45:33 GMT):
which is different

Antimttr (Tue, 11 Jun 2019 21:45:34 GMT):
oh, don't know what ansible is, let me google it

Antimttr (Tue, 11 Jun 2019 21:47:09 GMT):
huh, some sort of deployment platform

Antimttr (Tue, 11 Jun 2019 21:48:39 GMT):
well I'll say hlf is sure consistent, I haven't found one part of it that isn't a huge PITA :P

Antimttr (Tue, 11 Jun 2019 21:49:10 GMT):
automating org adding is definitely the hardest part I've found so far though

adityanalge (Tue, 11 Jun 2019 22:06:38 GMT):
for some reason my X509v3 Subject Alternative Name only has my hostname value. Is this configurable in fabric-ca-server-config.yaml file? under the csr section? Or this has to be handled manually?

adityanalge (Tue, 11 Jun 2019 22:08:50 GMT):
And. I get the cacount and cafiles are mutually exclusive error. Would I be correct to assume I can only pass one value at a time?

nyet (Tue, 11 Jun 2019 22:09:53 GMT):
1) is this for enrolled tls certs or something else 2) yes

nyet (Tue, 11 Jun 2019 22:10:10 GMT):
--csr.hosts should affect SAN

nyet (Tue, 11 Jun 2019 22:10:16 GMT):
(on enroll)

adityanalge (Tue, 11 Jun 2019 22:10:22 GMT):
Got It!

adityanalge (Tue, 11 Jun 2019 22:10:24 GMT):
Thanks

Antimttr (Tue, 11 Jun 2019 22:26:52 GMT):
So the CA servers have state that they track

Antimttr (Tue, 11 Jun 2019 22:27:13 GMT):
I'm wondering: if I enroll, let's say, a user, it will generate the crypto assets for that user

Antimttr (Tue, 11 Jun 2019 22:27:30 GMT):
and if I then wipe out the ca server it will not matter since I still have the artifacts

nyet (Tue, 11 Jun 2019 22:29:41 GMT):
the ca server only cares if you want to ask it for pub creds later

nyet (Tue, 11 Jun 2019 22:29:43 GMT):
that's all

nyet (Tue, 11 Jun 2019 22:30:04 GMT):
also it can keep track of revocations if you need to replay them

nyet (Tue, 11 Jun 2019 22:30:21 GMT):
it's a pubkey repo is all

Antimttr (Tue, 11 Jun 2019 22:30:46 GMT):
right so it's only the registration

nyet (Tue, 11 Jun 2019 22:30:48 GMT):
yes

Antimttr (Tue, 11 Jun 2019 22:30:50 GMT):
that has the state

nyet (Tue, 11 Jun 2019 22:30:52 GMT):
yes

Antimttr (Tue, 11 Jun 2019 22:30:53 GMT):
not the enrollment

nyet (Tue, 11 Jun 2019 22:30:55 GMT):
correct!

adityanalge (Tue, 11 Jun 2019 22:31:02 GMT):
where is the state stored?

nyet (Tue, 11 Jun 2019 22:31:07 GMT):
db

adityanalge (Tue, 11 Jun 2019 22:31:07 GMT):
in the reg table?

adityanalge (Tue, 11 Jun 2019 22:31:10 GMT):
got it

nyet (Tue, 11 Jun 2019 22:31:10 GMT):
yes

Antimttr (Tue, 11 Jun 2019 22:31:13 GMT):
tinydb or something

Antimttr (Tue, 11 Jun 2019 22:31:22 GMT):
it's like a flatfile db I think

nyet (Tue, 11 Jun 2019 22:31:33 GMT):
I want to say sqlite or leveldb or something

Antimttr (Tue, 11 Jun 2019 22:31:35 GMT):
unless you configure it to use mysql

nyet (Tue, 11 Jun 2019 22:31:39 GMT):
it can be changed to postgres or mysql

Antimttr (Tue, 11 Jun 2019 22:31:39 GMT):
yeah sqlite that was it

Antimttr (Tue, 11 Jun 2019 22:32:32 GMT):
ok, thanks for the great info today nyet, I'm outta here

nyet (Tue, 11 Jun 2019 22:32:46 GMT):
np, glad I could help

adityanalge (Tue, 11 Jun 2019 22:32:59 GMT):
thanks a lot both nyet and antimttr

peerzet3 (Wed, 12 Jun 2019 09:53:56 GMT):
Thank you for the response. After all it works. What I did is what you described; maybe it will help someone in future.
1. Generate the user (client role) with fabric-CA which has the CA keys generated for org1 using cryptogen. Such a generated user can query and make transactions but is not yet admin.
2. Add the new user pem certificate to the peer msp/admincerts folder.
3. Regenerate the genesis.block (so it includes the new user certificate).
4. Restart the network; the orderer will use the new genesis.block and then will know that the new user is admin.

nyet (Wed, 12 Jun 2019 15:50:17 GMT):
I think there needs to be much better documentation of what the various definitions of "admin" are, and how they apply to each context.

Antimttr (Wed, 12 Jun 2019 16:54:04 GMT):
it's funny, just comparing the ca/* cert to the tlsca/* cert generated by cryptogen for first-network org3. Here's the ca cert:
```
$ openssl x509 -text -noout -in ca.org3.example.com-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            28:45:bf:b3:a2:47:2a:e7:a3:3d:09:31:b1:73:a9:de
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=California, L=San Francisco, O=org3.example.com, CN=ca.org3.example.com
        Validity
            Not Before: Jun 10 20:33:00 2019 GMT
            Not After : Jun 7 20:33:00 2029 GMT
        Subject: C=US, ST=California, L=San Francisco, O=org3.example.com, CN=ca.org3.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:95:6c:67:99:64:e3:44:b4:13:78:b1:91:e5:04:
                    41:30:c5:69:0e:d9:26:bd:65:59:48:f5:35:2e:57:
                    b3:bf:4f:55:87:7e:56:84:87:a6:46:34:be:ab:12:
                    7c:61:99:75:21:65:0c:70:64:5c:66:d7:be:33:25:
                    3d:b0:eb:38:f0
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                2F:D9:64:EE:AE:BD:F6:E3:9F:E6:F6:0D:2A:9D:D5:E3:3E:83:1B:66:88:6A:C5:49:8C:F6:0D:49:CD:31:BE:B1
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:f5:33:c8:85:54:9c:17:71:a0:08:51:48:32:
         b3:9f:1e:a4:72:75:d8:28:00:1d:dd:64:d2:b7:85:44:1e:02:
         8b:02:20:0d:74:53:2f:5d:61:f5:22:60:ca:ce:39:43:d1:05:
         8f:1a:5d:63:2d:20:d1:39:5c:0e:68:81:ec:96:d1:0c:6c
```

Antimttr (Wed, 12 Jun 2019 16:54:34 GMT):
and here's the tlsca cert:
```
$ openssl x509 -text -noout -in tlsca.org3.example.com-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4e:35:af:de:06:8c:76:b8:19:8f:0f:c1:db:3f:57:46
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=California, L=San Francisco, O=org3.example.com, CN=tlsca.org3.example.com
        Validity
            Not Before: Jun 10 20:33:00 2019 GMT
            Not After : Jun 7 20:33:00 2029 GMT
        Subject: C=US, ST=California, L=San Francisco, O=org3.example.com, CN=tlsca.org3.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:db:12:a9:ac:51:7c:1f:f4:67:4a:ef:37:58:6c:
                    d4:54:29:17:f9:b4:f4:00:84:f0:a9:7b:c4:00:ad:
                    5b:a1:eb:51:61:59:2f:fb:af:97:6e:36:6f:99:2a:
                    85:e0:14:22:dd:8b:8d:c2:61:ac:59:8b:78:83:92:
                    45:6a:96:ef:92
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                C4:2F:D1:81:6C:C2:03:A3:9D:A6:94:7B:CA:28:5B:F6:E1:A8:F8:92:F2:BF:28:DD:68:9F:99:2B:CE:A9:5B:78
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:2e:a6:be:01:4a:bb:44:07:ef:25:71:07:58:6e:
         29:82:6d:0d:68:2e:b2:73:bf:4e:11:4c:f8:3f:bd:8b:c6:75:
         02:20:76:3e:1a:47:0c:0a:a2:76:13:08:8b:28:f2:d1:c1:c3:
         2c:fb:91:8b:2a:c3:8f:67:7c:53:86:1d:7b:aa:9d:e0
```

Antimttr (Wed, 12 Jun 2019 16:54:53 GMT):
they seem exactly the same configuration to me, only difference is the keys

Antimttr (Wed, 12 Jun 2019 16:55:35 GMT):
like they're basically both tlsca certs

Antimttr (Wed, 12 Jun 2019 16:56:03 GMT):
makes my life easier at least

adityanalge (Wed, 12 Jun 2019 17:38:04 GMT):
I dunno, looks like both these certificates were generated using TLS profile enabled. Have you compared them with root CA and TLS cert of org1 or org2?

Antimttr (Wed, 12 Jun 2019 17:43:19 GMT):
let me do that

Antimttr (Wed, 12 Jun 2019 17:43:40 GMT):
I was comparing them with the cryptogen generated stuff because that's what's used in the org adding tutorial

Antimttr (Wed, 12 Jun 2019 17:43:44 GMT):
but that's a good point

Antimttr (Wed, 12 Jun 2019 17:45:32 GMT):
here's from balance transfer:
```
$ openssl x509 -text -noout -in ca.org1.example.com-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            21:1d:8b:47:d7:da:f3:1b:39:ba:79:c9:27:d3:c5:4b
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1.example.com
        Validity
            Not Before: Jun 23 12:33:19 2017 GMT
            Not After : Jun 21 12:33:19 2027 GMT
        Subject: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:28:85:70:85:3c:c9:ac:bc:f3:7e:42:23:fc:ef:
                    80:d7:c0:75:f2:4d:9c:48:a1:16:75:26:df:59:92:
                    29:14:94:9b:f7:2c:3c:42:81:2c:6e:d9:38:c2:3f:
                    49:24:3f:f0:39:26:b5:78:30:ff:a5:0a:2b:7a:30:
                    a6:db:90:a6:05
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                Any Extended Key Usage
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                0E:72:92:24:E8:B3:F3:17:84:C8:A9:3C:5B:8E:F6:F4:C1:C9:1D:9E:6E:57:7C:45:C3:31:63:60:9F:E4:00:11
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:30:83:be:c8:ad:c5:6f:0b:f5:11:73:1c:b5:06:
         a6:e3:68:ba:44:ec:52:6a:76:80:1e:b6:d8:da:85:42:d5:f2:
         02:20:2b:0c:a5:d4:92:da:46:dd:9e:d5:03:6b:28:b4:f6:fe:
         3f:59:1b:42:e7:d1:31:0a:b1:e5:ae:0f:c6:5f:09:2f
```

Antimttr (Wed, 12 Jun 2019 17:45:52 GMT):
and the tls:
```
$ openssl x509 -text -noout -in tlsca.org1.example.com-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            66:b0:ab:7f:a4:85:dd:9f:f0:ef:3d:cf:c0:23:5a:69
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=tlsca.org1.example.com
        Validity
            Not Before: Jun 23 12:33:19 2017 GMT
            Not After : Jun 21 12:33:19 2027 GMT
        Subject: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=tlsca.org1.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:ab:81:c7:61:bc:85:dc:ed:e2:5f:e6:ed:ee:d0:
                    13:36:07:6b:59:6e:86:61:75:9f:28:a2:63:b2:b8:
                    81:32:1b:58:af:9c:bf:b1:38:ef:83:ae:2c:67:9d:
                    7b:37:1f:d0:36:3d:ba:c8:a2:dd:67:db:d2:05:41:
                    a1:01:47:de:75
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                Any Extended Key Usage
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                94:50:92:D9:36:F5:83:8C:5A:6F:64:84:DB:97:4D:85:79:33:70:67:37:D0:0D:04:BF:65:F7:4E:39:76:F9:F8
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:d0:c5:3e:c0:f0:d7:87:ed:71:98:10:b4:c4:
         34:ca:e3:20:f1:c0:87:8f:6e:3a:ae:1b:2b:9e:3c:1a:af:b6:
         80:02:20:70:2c:6f:b8:b0:a9:d3:38:e6:be:71:e2:ba:a7:e3:
         e9:2a:ee:85:ab:09:2b:93:3e:bd:91:3d:59:b0:be:d2:5f
```

Antimttr (Wed, 12 Jun 2019 17:46:12 GMT):
interesting they're also the same

adityanalge (Wed, 12 Jun 2019 17:46:18 GMT):
okay

Antimttr (Wed, 12 Jun 2019 17:46:19 GMT):
but then neither of them are tls in this case

Antimttr (Wed, 12 Jun 2019 17:46:25 GMT):
even the tls one isn't tls

Antimttr (Wed, 12 Jun 2019 17:46:27 GMT):
which is weird

Antimttr (Wed, 12 Jun 2019 17:47:00 GMT):
well by not tls I mean they don't have these extended properties: ` TLS Web Client Authentication, TLS Web Server Authentication`

Antimttr (Wed, 12 Jun 2019 17:48:11 GMT):
of course they have the "any" property

Antimttr (Wed, 12 Jun 2019 17:48:20 GMT):
I'm assuming that's just a wildcard for all extended properties?

nyet (Wed, 12 Jun 2019 17:48:42 GMT):
well for CAs it doesn't matter much unless it's going to be repurposed as a TLS key itself

nyet (Wed, 12 Jun 2019 17:48:55 GMT):
CA certs should really only be used for signing

adityanalge (Wed, 12 Jun 2019 17:49:04 GMT):
Configuration file version '1.4.2' is higher than server version '1.4.1' what does this error mean? Where do we set the server version?

Antimttr (Wed, 12 Jun 2019 17:49:28 GMT):
@nyet and TLS certs should only be used for generating new TLS identities?

nyet (Wed, 12 Jun 2019 17:49:30 GMT):
this is why I hate the fact that fabric tools output their own config files :/

Antimttr (Wed, 12 Jun 2019 17:50:23 GMT):
@adityanalge I would make sure your docker images are updated

Antimttr (Wed, 12 Jun 2019 17:50:29 GMT):
might be using 1.4.1 images still

adityanalge (Wed, 12 Jun 2019 17:50:37 GMT):
I am using the latest tag. But I will verify

nyet (Wed, 12 Jun 2019 17:50:49 GMT):
is 1.4.2 released? i thought it was still in rc

Antimttr (Wed, 12 Jun 2019 17:50:55 GMT):
yeah that's what I was wondering

Antimttr (Wed, 12 Jun 2019 17:51:06 GMT):
he might be on 1.4.2 because he pulled from master

Antimttr (Wed, 12 Jun 2019 17:51:11 GMT):
and not from the 1.4.1 branch

adityanalge (Wed, 12 Jun 2019 17:51:59 GMT):
Yes. I got my fabric binaries from the fabric-ca github. Maybe docker images are still using 1.4.1

Antimttr (Wed, 12 Jun 2019 19:48:15 GMT):
So got my key generating just about perfectly matching what is generated for the sample-fabrics:
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 86:34:99:d9:bc:4f:95:72
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=ca.org3.example.com, O=org3.example.com, L=San Francisco, ST=California, C=US
        Validity
            Not Before: Jun 12 19:45:51 2019 GMT
            Not After : Jun  9 19:45:51 2029 GMT
        Subject: CN=ca.org3.example.com, O=org3.example.com, L=San Francisco, ST=California, C=US
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:f9:21:39:67:ef:7b:d4:6a:11:24:0b:e4:bf:23:
                    3c:71:6a:b0:7d:0c:28:91:fd:08:c4:d9:1c:fb:1d:
                    0d:96:7d:ee:3b:3a:3a:2b:ed:d2:26:03:96:ce:f8:
                    ab:80:f3:7d:11:d7:bc:89:99:8d:25:b3:a9:61:66:
                    14:b3:16:18:55
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                00:FE:FF:0C:70:1B:AE:78:B8:0F:7D:5C:CE:70:08:B7:AD:E6:A5:6D
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Extended Key Usage: critical
                Any Extended Key Usage
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:ef:d0:85:f0:b9:3c:b1:27:44:ab:65:d0:9e:
         68:dd:15:02:f4:bc:ed:7f:6c:f9:4b:d0:73:0b:57:c4:0b:36:
         a7:02:21:00:d6:0c:d5:18:bd:2b:26:7b:f1:a0:3c:b6:ef:bd:
         a4:cc:c2:87:34:fa:ec:e7:3a:c3:8e:2a:78:7d:e6:36:70:fa
```

Antimttr (Wed, 12 Jun 2019 19:48:35 GMT):
the only discrepancy I can find is that my SKI is shorter than the SKI in the cryptogen generated certs

Antimttr (Wed, 12 Jun 2019 19:48:40 GMT):
not sure if this matters or not

nyet (Wed, 12 Jun 2019 20:02:55 GMT):
the ski shown by openssl is wrong.

nyet (Wed, 12 Jun 2019 20:03:51 GMT):
@Antimttr it's not the ski as calculated by fabric (see also https://jira.hyperledger.org/browse/FABC-60)

Antimttr (Wed, 12 Jun 2019 20:04:03 GMT):
ahh yeah, i read that

Antimttr (Wed, 12 Jun 2019 20:04:26 GMT):
they're just different relative to each other, not sure if that will reflect when I calculate it the other way as well

nyet (Wed, 12 Jun 2019 20:04:59 GMT):
the only reason I calculate it is to find the _sk filename

nyet (Wed, 12 Jun 2019 20:05:09 GMT):
it doesn't really have any other use for us anyway

Antimttr (Wed, 12 Jun 2019 20:05:20 GMT):
is it important that i name the keys the way cryptogen names them?

nyet (Wed, 12 Jun 2019 20:05:25 GMT):
nope

nyet (Wed, 12 Jun 2019 20:05:38 GMT):
altho some clients care (fabric-sdk-go anyway)

nyet (Wed, 12 Jun 2019 20:06:04 GMT):
keystore keys should all have the right _sk filename though

nyet (Wed, 12 Jun 2019 20:06:10 GMT):
once enrolled leave them alone

nyet (Wed, 12 Jun 2019 20:06:33 GMT):
unless it's a tls key and you need it as server.key, but usually take it out of keystore/ and put it elsewhere, since tls keys do not belong in an MSP

Antimttr (Wed, 12 Jun 2019 20:06:48 GMT):
right

Antimttr (Wed, 12 Jun 2019 20:06:54 GMT):
no keys belong in msp i thought

nyet (Wed, 12 Jun 2019 20:07:15 GMT):
sure, all endorsing keys belong in an MSP

nyet (Wed, 12 Jun 2019 20:07:20 GMT):
err transaction keys

nyet (Wed, 12 Jun 2019 20:07:23 GMT):
and enrollment keys

Antimttr (Wed, 12 Jun 2019 20:08:33 GMT):
are you talking about the artifacts dir in general

Antimttr (Wed, 12 Jun 2019 20:08:51 GMT):
or specifically the peerorganizations/org1/msp

nyet (Wed, 12 Jun 2019 20:09:20 GMT):
you mean crypto-config? artifacts should only have genesis blocks

Antimttr (Wed, 12 Jun 2019 20:09:38 GMT):
yes crypto-config in artifacts

nyet (Wed, 12 Jun 2019 20:09:51 GMT):
the crypto-config layout is not generally required, it's just the way cryptogen lays things out

nyet (Wed, 12 Jun 2019 20:09:59 GMT):
the important layout is in the msp/ directories

nyet (Wed, 12 Jun 2019 20:10:10 GMT):
all directives on containers just point to msp directories

nyet (Wed, 12 Jun 2019 20:10:22 GMT):
any given component only needs one or two of them

Antimttr (Wed, 12 Jun 2019 20:10:49 GMT):
yeah I guess I've never seen any key files in /msp

nyet (Wed, 12 Jun 2019 20:10:53 GMT):
in fact, that's the biggest problem with cryptogen, it makes it look like everyone needs the whole tree, which is super mega bad, since private keys need to stay with whoever owns them

Antimttr (Wed, 12 Jun 2019 20:10:55 GMT):
for all the fabric-samples I've used

nyet (Wed, 12 Jun 2019 20:11:06 GMT):
.key or keystore/_sk

nyet (Wed, 12 Jun 2019 20:11:08 GMT):
big difference

Antimttr (Wed, 12 Jun 2019 20:11:13 GMT):
either

nyet (Wed, 12 Jun 2019 20:11:15 GMT):
there is no such thing as .key files except for TLS

nyet (Wed, 12 Jun 2019 20:11:20 GMT):
everything else is pem or _sk

nyet (Wed, 12 Jun 2019 20:11:34 GMT):
and .key is just a filename convention

Antimttr (Wed, 12 Jun 2019 20:11:38 GMT):
right, key file == _sk

nyet (Wed, 12 Jun 2019 20:11:38 GMT):
meaning private tls key

nyet (Wed, 12 Jun 2019 20:11:49 GMT):
keystore has at least one _sk

Antimttr (Wed, 12 Jun 2019 20:12:08 GMT):
like here's balance transfer:
```
├── ca
│   ├── 0e729224e8b3f31784c8a93c5b8ef6f4c1c91d9e6e577c45c33163609fe40011_sk
│   └── ca.org1.example.com-cert.pem
├── msp
│   ├── admincerts
│   │   └── Admin@org1.example.com-cert.pem
│   ├── cacerts
│   │   └── ca.org1.example.com-cert.pem
│   └── tlscacerts
│       └── tlsca.org1.example.com-cert.pem
├── peers
│   ├── peer0.org1.example.com
│   │   ├── msp
│   │   │   ├── admincerts
│   │   │   │   └── Admin@org1.example.com-cert.pem
│   │   │   ├── cacerts
│   │   │   │   └── ca.org1.example.com-cert.pem
│   │   │   ├── keystore
│   │   │   │   └── 27db82c96b1482480baa1c75f80e5cce249beaab27b70c741bb0e2554355957e_sk
│   │   │   ├── signcerts
│   │   │   │   └── peer0.org1.example.com-cert.pem
│   │   │   └── tlscacerts
│   │   │       └── tlsca.org1.example.com-cert.pem
│   │   └── tls
│   │       ├── ca.crt
│   │       ├── server.crt
│   │       └── server.key
│   └── peer1.org1.example.com
│       ├── msp
│       │   ├── admincerts
│       │   │   └── Admin@org1.example.com-cert.pem
│       │   ├── cacerts
│       │   │   └── ca.org1.example.com-cert.pem
│       │   ├── keystore
│       │   │   └── fdee12a3510fde3155c37128cfec26090ae249bfbca28f884e60c21338493edd_sk
│       │   ├── signcerts
│       │   │   └── peer1.org1.example.com-cert.pem
│       │   └── tlscacerts
│       │       └── tlsca.org1.example.com-cert.pem
│       └── tls
│           ├── ca.crt
│           ├── server.crt
│           └── server.key
├── tlsca
│   ├── 945092d936f5838c5a6f6484db974d857933706737d00d04bf65f74e3976f9f8_sk
│   └── tlsca.org1.example.com-cert.pem
└── users
    ├── Admin@org1.example.com
    │   ├── msp
    │   │   ├── admincerts
    │   │   │   └── Admin@org1.example.com-cert.pem
    │   │   ├── cacerts
    │   │   │   └── ca.org1.example.com-cert.pem
    │   │   ├── keystore
    │   │   │   └── 5890f0061619c06fb29dea8cb304edecc020fe63f41a6db109f1e227cc1cb2a8_sk
    │   │   ├── signcerts
    │   │   │   └── Admin@org1.example.com-cert.pem
    │   │   └── tlscacerts
    │   │       └── tlsca.org1.example.com-cert.pem
    │   └── tls
    │       ├── ca.crt
    │       ├── server.crt
    │       └── server.key
    └── User1@org1.example.com
        ├── msp
        │   ├── admincerts
        │   │   └── User1@org1.example.com-cert.pem
        │   ├── cacerts
        │   │   └── ca.org1.example.com-cert.pem
        │   ├── keystore
        │   │   └── 73cdc0072c7203f1ec512232c780fc84acc9752ef30ebc16be1f4666c02b614b_sk
        │   ├── signcerts
        │   │   └── User1@org1.example.com-cert.pem
        │   └── tlscacerts
        │       └── tlsca.org1.example.com-cert.pem
        └── tls
            ├── ca.crt
            ├── server.crt
            └── server.key
```

Antimttr (Wed, 12 Jun 2019 20:12:26 GMT):
ok so i guess for the identities

Antimttr (Wed, 12 Jun 2019 20:12:27 GMT):
they have keys

Antimttr (Wed, 12 Jun 2019 20:12:31 GMT):
but not the main /msp dir

nyet (Wed, 12 Jun 2019 20:15:10 GMT):
the point is, the msp structure needs to be maintained. everything else is just a way for cryptogen to keep things in a recognizable place, nothing else cares about that layout except the (useless for production) example hlf networks

nyet (Wed, 12 Jun 2019 20:16:51 GMT):
and like i said before, it is insane to export the ENTIRE crypto-config tree to EVERY single entity

nyet (Wed, 12 Jun 2019 20:17:01 GMT):
that's just bad on many different levels

Antimttr (Wed, 12 Jun 2019 20:24:42 GMT):
ok got my ca and tlsca keys made, now for the fun bit, getting a docker launched that uses those keys

Antimttr (Wed, 12 Jun 2019 20:25:08 GMT):
if I understand correctly I should simply be able to specify all the keys and configuration in the docker-compose.yaml

nyet (Wed, 12 Jun 2019 21:30:19 GMT):
yep. just keep track of who needs what, and keep it separated that way, NOT along the lines of the way cryptogen does it.

nyet (Wed, 12 Jun 2019 21:30:43 GMT):
you'll find the only tricky part is the system channel genesis block

nyet (Wed, 12 Jun 2019 21:31:18 GMT):
which (as I pointed out earlier) needs an admin pub key that nobody else really needs, except that it needs to also be in peer's admincerts/

JayJong (Thu, 13 Jun 2019 03:33:30 GMT):
Hi all, im using fabric-ca to generate my msp but when i deleted my msp in the peer, it still continues to invoke as usual, is this normal?

nyet (Thu, 13 Jun 2019 03:52:47 GMT):
it will be fine until you restart the peer

nyet (Thu, 13 Jun 2019 03:52:53 GMT):
if you do that, good luck :)

JayJong (Thu, 13 Jun 2019 04:21:23 GMT):
@nyet but i thought that invoke has an endorsement process and it uses MSP?

nyet (Thu, 13 Jun 2019 04:21:43 GMT):
the MSP is loaded on startup

nyet (Thu, 13 Jun 2019 04:21:53 GMT):
so if the peer is restarted, you lose

JayJong (Thu, 13 Jun 2019 04:49:24 GMT):
so the msp is not used during invoke?

nyet (Thu, 13 Jun 2019 05:15:58 GMT):
It is but it is loaded in memory

nyet (Thu, 13 Jun 2019 05:16:39 GMT):
It uses whatever MSP was there when the peer was started

JayJong (Thu, 13 Jun 2019 05:29:23 GMT):
@nyet thanks for clarification, why do u say its fine until i restart the peer?

nyet (Thu, 13 Jun 2019 05:29:55 GMT):
Because the MSP is loaded in memory, and when the peer is restarted, it can not find the MSP to load

nyet (Thu, 13 Jun 2019 05:30:05 GMT):
not sure why we're going in circles here..

nyet (Thu, 13 Jun 2019 05:30:22 GMT):
I don't know how to better explain it unless you have a dev background

JayJong (Thu, 13 Jun 2019 05:31:39 GMT):
oh I'm actually using a persistent volume so it will load back the msp

nyet (Thu, 13 Jun 2019 05:39:41 GMT):
once the peer is started and the MSP is loaded, the filesystem is no longer consulted.

nyet (Thu, 13 Jun 2019 05:41:46 GMT):
https://jira.hyperledger.org/browse/FAB-2072

DamanTekchandani (Thu, 13 Jun 2019 07:56:34 GMT):
Has joined the channel.

DamanTekchandani (Thu, 13 Jun 2019 07:56:37 GMT):
Hi Everyone! I was recently working with hyperledger fabric and just needed some help with fabric ca.

DamanTekchandani (Thu, 13 Jun 2019 07:57:07 GMT):
can anyone tell me the best possible way to use a custom ca instead of using fabric ca

nyet (Thu, 13 Jun 2019 15:56:14 GMT):
Depends entirely on your motivation for not using the fabric ca server

adityanalge (Thu, 13 Jun 2019 17:33:46 GMT):
On launching two instances of fabric-ca on the same container (one for tlsca and the other for ca), the user or node has to be registered and enrolled on both the servers ?

nyet (Thu, 13 Jun 2019 17:35:55 GMT):
I'm a little confused about that myself. Our approach was to have separate users for everything. I believe there are separate user dbs for each instance, but I could be wrong

nyet (Thu, 13 Jun 2019 17:36:06 GMT):
I have not looked deeper into the db contents

krabradosty (Thu, 13 Jun 2019 19:40:52 GMT):
Hello! Do you have plans to implement queries of identities by attributes?

adityanalge (Fri, 14 Jun 2019 00:17:50 GMT):
Hey guys. I used the certificates and artifacts that I generated with the first network .byfn script. Everything works up to the last step i.e. query peer. It says check if chain code was installed. Do you have any instincts as to what could be wrong?

sakshibansal (Fri, 14 Jun 2019 06:45:39 GMT):
Has joined the channel.

sakshibansal (Fri, 14 Jun 2019 06:45:43 GMT):
Hi, I have enrolled admin and user identities into my custom network via Nodejs SDK. Then i removed the user identity from CA CLI by running this command : *fabric-ca-client identity remove user1* But, user1 still continues to invoke/query the ledger as usual. Can anyone of you help me out in this?

mastersingh24 (Fri, 14 Jun 2019 07:45:32 GMT):
You will still need to generate the CRL (certificate revocation list) and then you will need to update the MSP for the Org across all channels

sakshibansal (Fri, 14 Jun 2019 08:23:47 GMT):
Thanks for your help @mastersingh24

sakshibansal (Fri, 14 Jun 2019 12:36:30 GMT):
Hi @mastersingh24 , I have updated channel configuration by running this command: `cat config.json | jq '.channel_group.groups.Application.groups.Org1MSP.values.MSP.value.config.revocation_list = ["'"${crl}"'"]' > updated_config.json`

sakshibansal (Fri, 14 Jun 2019 12:40:34 GMT):
Hi mastersingh24 , I have updated channel configuration by running this command: `cat config.json | jq '.channel_group.groups.Application.groups.Org1MSP.values.MSP.value.config.revocation_list = ["'"${crl}"'"]' > updated_config.json` Then I ran the following command after encoding json to .pb file: `peer channel signconfigtx -f updated_config.pb` I am getting this error: `Invalid channel create transaction : bad header` Can you please help me out in this?

balamcyril (Fri, 14 Jun 2019 12:48:46 GMT):
Has joined the channel.

balamcyril (Fri, 14 Jun 2019 12:49:20 GMT):
Hello, i want to know if Fabric-ca could also give Idemix credential to an admin user. In other work can i send : ca.idemixEnroll(admin.getEnrollment(), mspID)

adityanalge (Fri, 14 Jun 2019 17:16:20 GMT):
How does enabling NodeOU's change the certificate?

adityanalge (Fri, 14 Jun 2019 17:16:45 GMT):
I keep getting an error that identity cannot be identified as peer because node ou's are disabled

mastersingh24 (Fri, 14 Jun 2019 17:38:46 GMT):
Did you read https://hyperledger-fabric.readthedocs.io/en/release-1.4/msp.html#identity-classification ? And how are you creating your crypto material?

adityanalge (Fri, 14 Jun 2019 18:16:32 GMT):
I did. Was making a silly mistake. Works now

adityanalge (Fri, 14 Jun 2019 18:16:36 GMT):
Thanks

adityanalge (Fri, 14 Jun 2019 22:47:42 GMT):
I have TLS enabled on orderer peers and cli. I have tested my certificates by running the byfn script end to end I see this error on the orderer ' 2019-06-14 22:45:52.439 UTC [grpc] handleRawConn -> DEBU 2e4 grpc: Server.Serve failed to complete security handshake from "192.168.112.16:59930": tls: first record does not look like a TLS handshake' What could I be missing? I was getting bad certificate error earlier coz I had not mapped the cert path correctly. I fixed that.

mastersingh24 (Sat, 15 Jun 2019 09:29:11 GMT):
This belongs in #fabric-questions, but somewhere TLS is not enabled

HaricharanBole (Sat, 15 Jun 2019 13:32:52 GMT):
Has joined the channel.

ahmedsajid (Sat, 15 Jun 2019 20:06:38 GMT):
Hi All. Can I get someone to help out with this? https://jira.hyperledger.org/browse/FABC-792 I have read documentation and I couldn't find any configuration related to it.

balamcyril (Mon, 17 Jun 2019 08:21:24 GMT):
hello, how can I increase the nonce duration for idemix credential

DamanTekchandani (Mon, 17 Jun 2019 11:23:39 GMT):
@nyet I just want to use any custom ca to provide identities on my network purely for learning purposes.

DamanTekchandani (Mon, 17 Jun 2019 11:42:09 GMT):
So if you can help me to do the same?

DamanTekchandani (Mon, 17 Jun 2019 11:42:29 GMT):
I am okay with using any CA other than fabric ca

nyet (Mon, 17 Jun 2019 15:01:13 GMT):
@DamanTekchandani I don't really understand the question. If you want to emulate the ca-server, just use the ca-server. I don't think there is anything really to learn by making your own. The CA-server is really just a key signing service.

DamanTekchandani (Tue, 18 Jun 2019 04:44:08 GMT):
Okay before this If you have seen the fabcar example given in fabric-samples repository They have used cryptogen to generate crypto material beforehand but we are also deploying ca.example.com container with fabric-ca docker image Now my question is what is the use of this server in this example as we have already generated the crypto material and everyone has their msp directory?

nyet (Tue, 18 Jun 2019 04:51:04 GMT):
@DamanTekchandani Because cryptogen is pretty much useless in a production environment where you need to be able to add entities after the network is launched, on demand.

DamanTekchandani (Tue, 18 Jun 2019 05:31:46 GMT):
Correct. So you are saying for this specific example there is no use of fabric ca server we deployed on ca.example.com container

nyet (Tue, 18 Jun 2019 05:37:24 GMT):
Yes. cryptogen is not for production networks.

DamanTekchandani (Tue, 18 Jun 2019 05:56:14 GMT):
So if I not use cryptogen and want to use fabric-ca to setup my fabric network similar to fabcar's containing 1 peer and 1 orderer I am thinking of doing it this way. 1. Start the fabric-ca-server in a docker container 2. Enroll a bootstrap admin 3. Now this admin will register an orderer generating secret enrollment key. 4. Use the above enrollment key and use fabric-ca-client command from inside orderer docker container to enroll it. do similar thing for peer

DamanTekchandani (Tue, 18 Jun 2019 05:57:07 GMT):
Now my question is, is it necessary to have a bootstrap admin before adding an orderer?

DamanTekchandani (Tue, 18 Jun 2019 05:58:42 GMT):
Also --id.type flag of fabric-ca-client does not have orderer as a type so how do I register an orderer?

DamanTekchandani (Tue, 18 Jun 2019 05:58:57 GMT):
Or is my flow of setting up the network incorrect?

Bentipe (Tue, 18 Jun 2019 12:18:21 GMT):
Has joined the channel.

nyet (Tue, 18 Jun 2019 13:41:52 GMT):
It's worse than that, you can't start an orderer without at least one enrolled user for the system channel genesis block

BrajeshKumar (Wed, 19 Jun 2019 08:52:52 GMT):
Has joined the channel.

root10 (Wed, 19 Jun 2019 09:00:29 GMT):
Has joined the channel.

root10 (Wed, 19 Jun 2019 09:00:29 GMT):
Hi guys. I need to enroll a user using tls. How do I do it? Because I receive this error now that I set tls (I'm using LDAP)
```bash
enroll failed: enroll failed: POST failure of request: POST https://ca.example.com:7054/enroll\n{\"hosts\":null,\"certificate_request\":\"-----BEGIN CERTIFICATE REQUEST----- ... -----END CERTIFICATE REQUEST----- Post https://ca.example.com:7054/enroll: x509: certificate signed by unknown authority"
```

nyet (Wed, 19 Jun 2019 09:04:40 GMT):
@root10 your fabric ca client does not have the ca server's public ca key

root10 (Wed, 19 Jun 2019 09:20:32 GMT):
Ok...and how do I set it?

root10 (Wed, 19 Jun 2019 09:23:13 GMT):
this is the ca log:
```bash
http: TLS handshake error from 172.18.0.14:45006: remote error: tls: bad certificate
```

DamanTekchandani (Wed, 19 Jun 2019 10:11:58 GMT):
just copy the ca-cert.pem file it must be present in /tmp/hyperledger/tls-ca/cert.pem

DamanTekchandani (Wed, 19 Jun 2019 10:12:20 GMT):
or something similar to it

DamanTekchandani (Wed, 19 Jun 2019 10:12:52 GMT):
and provide the env variable to the cert file before doing enroll

DamanTekchandani (Wed, 19 Jun 2019 11:00:58 GMT):
And if anyone wants to have clarity on how to use fabric ca server and setup our network see the below link https://github.com/Blockdaemon/fabric-ca/blob/gerrit-pr-29430/docs/source/operations_guide.rst

DamanTekchandani (Wed, 19 Jun 2019 11:01:27 GMT):
I don't think this blog is posted anywhere in the official docs on readthedocs or anything

DamanTekchandani (Wed, 19 Jun 2019 11:15:07 GMT):
It clarified most of my doubts

DamanTekchandani (Wed, 19 Jun 2019 11:16:53 GMT):
@nyet and for setting up a custom CA, suppose I want to use onecert and I generated a private-public key pair from Azure Key Vault. And at the time of starting the CA server, rather than it generating its own key pair, I provide it with the key pair I generated from Azure

DamanTekchandani (Wed, 19 Jun 2019 11:18:08 GMT):
So from what I understand about CAs now, my fabric ca server is now acting as an intermediate CA belonging to the chain of trust of the CAs on onecert (from Azure)

DamanTekchandani (Wed, 19 Jun 2019 11:23:05 GMT):
Can you tell me I am correct or not?

DamanTekchandani (Wed, 19 Jun 2019 11:23:11 GMT):
Or you want to add something

ASAPBLOCKY (Wed, 19 Jun 2019 11:32:46 GMT):
Has joined the channel.

jaswanth (Wed, 19 Jun 2019 11:35:41 GMT):
Hi all, I am struggling a lot with HSM. Can anyone please give an idea on how to set up HSM? I tried installing fabric-ca locally, but _how to connect the local instance of fabric-ca to peers in the docker containers?_ And if I use the fabric-ca container, how do I add *softHSM*? *(Is there any fabric-ca image with softHSM installed?)* Because I tried changing the fabric-ca-server-config.yaml file like below and it's working (able to enroll admin, but I don't think it's using the softHSM because I never installed it in docker), but I don't know how to integrate this HSM with the node-sdk _(I got a "ski not found" error in node-sdk with HSMWalletMixin)_:
```yaml
default: SW
sw:
default: PKCS11
pkcs11:
    Library: /usr/local/softhsm/libsofthsm2.so
    Pin: 98765432
    Label: ForFabric
    hash: SHA2
    security: 256
    filekeystore:
        # The directory used for the software file-based keystore
        keystore: msp/keystore
```

Bentipe (Wed, 19 Jun 2019 15:03:09 GMT):
Hey guys, I need help, on starting the docker container of fabric ca with my own certificates and keys it says the following:

Bentipe (Wed, 19 Jun 2019 15:03:12 GMT):
The 'cert sign' key usage is required

DamanTekchandani (Wed, 19 Jun 2019 15:04:21 GMT):
Do you have a private key and public certificate file?

Bentipe (Wed, 19 Jun 2019 15:05:24 GMT):
yes, the private key is being pointed with the keyfile on the fabric-ca-server-config.yaml

DamanTekchandani (Wed, 19 Jun 2019 15:06:40 GMT):
```yaml
ca.example.com:
  image: hyperledger/fabric-ca
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_CA_NAME=ca.example.com
    - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
    - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c_sk
  ports:
    - "7054:7054"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'
  volumes:
    - ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
  container_name: ca.example.com
  networks:
    - basic
```

DamanTekchandani (Wed, 19 Jun 2019 15:07:17 GMT):
Use a docker-compose.yml file similar to this and in this replace FABRIC_CA_SERVER_CA_CERTFILE and FABRIC_CA_SERVER_CA_KEYFILE with your certificate's path

Bentipe (Wed, 19 Jun 2019 15:07:32 GMT):
alright, will do

Bentipe (Wed, 19 Jun 2019 15:07:36 GMT):
ty daman

Bentipe (Wed, 19 Jun 2019 15:11:45 GMT):
its not working, it says the following,

Bentipe (Wed, 19 Jun 2019 15:11:48 GMT):
Error: Validation of certificate and key failed: Invalid certificate in file '/etc/hyperledger/fabric-ca-server-config/cert2.pem': The 'cert sign' key usage is required

Bentipe (Wed, 19 Jun 2019 15:32:25 GMT):
other than reading fabric ca does not need any other permission over the file right?

ahmedsajid (Wed, 19 Jun 2019 19:26:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=wb66kzbhX7wvHopAG) Can someone help with this?

DamanTekchandani (Thu, 20 Jun 2019 04:39:40 GMT):
Is your certificate in the required format, i.e. it starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----

DamanTekchandani (Thu, 20 Jun 2019 04:39:57 GMT):
@Bentipe

SuneetBendre (Thu, 20 Jun 2019 09:24:22 GMT):
Has joined the channel.

SuneetBendre (Thu, 20 Jun 2019 09:24:24 GMT):
Can someone help me to create new identity with fabric-ca with nodejs sdk Post new identity i will use registerUser.js to enroll and register user with fabric-ca.

DamanTekchandani (Thu, 20 Jun 2019 10:51:06 GMT):
By creating new identity do you mean enrolling an admin user because to use fabric-ca-server you need to have an admin first who can register new users

UnaiUrkiaga (Thu, 20 Jun 2019 11:29:51 GMT):
Hi, I want to run fabric-ca-server with HSM. But I get this error: Error: Failed to initialize BCCSP Factories: %!s() Could not find default `PKCS11` BCCSP Whats the problem?

gravity (Thu, 20 Jun 2019 16:57:14 GMT):
Hello. I'm facing really weird situation. I have two ECerts for a single account. Then, I've revoked one and tried to issue a chaincode call using the other Ecert (that hasn't been revoked), but I'm getting the next error on peers: `The certificate has been revoked` When a certificate was revoked and a crl was generated, this crl was included in crls dir in MSP and additionally I've put it to `$.channel_group.groups.Application.groups.ORG_NAME.values.MSP.value.config.revocation_list[]` What am I doing wrong in this case? thanks in advance

gravity (Thu, 20 Jun 2019 18:45:24 GMT):
is it possible that several ecerts have the same aki and serial number? assume there is only one intermediate ca that issues certificates.

PJHaga (Thu, 20 Jun 2019 19:02:12 GMT):
Has joined the channel.

PJHaga (Thu, 20 Jun 2019 19:02:12 GMT):
Hi all :) question, I'm starting my fabric-ca-server and let it generate a tls certificate automatically for itself. Now I need to have this certificate when I want to do a call with my fabric-ca-client to set as a trusted CA. How do I get this certificate from the fabric-ca-server into the service using the fabric-ca-client? Are there other options than copying the certificate from the fabric-ca-server container?

Antimttr (Thu, 20 Jun 2019 19:06:10 GMT):
from what i've heard it's expected that these certs get distributed out of band

Antimttr (Thu, 20 Jun 2019 19:06:33 GMT):
so you could either automate that process with a script or do it manually

mbanerjee (Thu, 20 Jun 2019 19:19:38 GMT):
Hi All, Bootadmin and the Organization admins identities(private key and certificates) are stored in the network (crypto-config). Should end users (organization user) identities be maintained within the network or should the user keep the private key/certificate? Please share your thoughts.

Antimttr (Thu, 20 Jun 2019 19:27:07 GMT):
i'm building my system so only my secured client has access to any keys/certs

Antimttr (Thu, 20 Jun 2019 19:27:25 GMT):
then the users access their resource through a secure server(web app)

Rajatsharma (Fri, 21 Jun 2019 10:02:49 GMT):
I'm trying to understand the re-enroll function in fabric. It's mainly used when the certificate of an entity expires and we want new certificates. But even then the old certificates remain valid. I don't get the point, then what's the point of having a max_enrollment when I could actually reenroll a user multiple times and use all its certificates. And all its certificates will be valid.

Rajatsharma (Fri, 21 Jun 2019 10:04:17 GMT):
What I could do to mark the old certificates invalid?

Antimttr (Fri, 21 Jun 2019 14:48:45 GMT):
put them in a revocation list?

ASAPBLOCKY (Sat, 22 Jun 2019 14:35:19 GMT):
I'm having trouble distinguishing the components of fabric-ca. I read multiple times through the docs on Hyperledger Fabric but I still think the concepts are quite confusing. Which relation do MSP, Idemix and the PKI have? and is it mandatory to verify new actors through the SDK by using chaincode or can I handle that through the PKI ?

SatheeshNehru (Mon, 24 Jun 2019 06:34:35 GMT):
What options are available to store a user's private key in a secure way?

Antimttr (Mon, 24 Jun 2019 14:31:56 GMT):
@SatheeshNehru afaik hlf doesn't prescribe a particular way of storing private keys, so you could store them in any of the secure ways which already exist

mastersingh24 (Mon, 24 Jun 2019 16:26:07 GMT):
Use HSM with PKCS11 ;)

toddinpal (Tue, 25 Jun 2019 04:38:01 GMT):
Has anyone tried to use Microsoft Active Directory as an LDAP backend for fabric-ca?

varunagarwal (Wed, 26 Jun 2019 10:23:53 GMT):
How do I get the certificates and users for a fabric-ca using APIs. All I could find is the CLI for fabric-ca

varunagarwal (Wed, 26 Jun 2019 10:25:19 GMT):
I want to make a dashboard that gives direct access to the CA. In `composer` the `adminConnection` gave this functionality. Using `fabric-client` I am able to register and enroll new users but can't query any.

Antimttr (Wed, 26 Jun 2019 17:40:02 GMT):
@varunagarwal well the javasdk has its own fabric-ca-client api inside of it. It allows you to enroll and register new users (which also provides you a copy of their certificates in the process)

Antimttr (Wed, 26 Jun 2019 17:41:04 GMT):
also lets you query the ca for stuff like lists of users and their properties

marinkovicvlado (Thu, 27 Jun 2019 11:14:27 GMT):
Has joined the channel.

marinkovicvlado (Thu, 27 Jun 2019 11:14:28 GMT):
Hi can anyone direct me to some good resource on enabling mutual TLS in Fabric? What interests me is connection profile, and submitting transactions via Gateway (using fabric-sdk-node)...

marinkovicvlado (Thu, 27 Jun 2019 11:17:45 GMT):
```
const opts = {
  wallet: wallet,
  identity: 'tlsId',
  discovery: { enabled: false, asLocalhost: false },
  clientTlsIdentity: 'tlsId'
};
await gateway.connect(ccp.profile, opts);
const network = await gateway.getNetwork(channelName);
const contract = await network.getContract(contractName);
const id = await contract.submitTransaction(functionName, ...functionArgs);
```

Patriq (Thu, 27 Jun 2019 14:05:47 GMT):
Has joined the channel.

mfaisaltariq (Fri, 28 Jun 2019 07:42:42 GMT):
Has joined the channel.

mfaisaltariq (Fri, 28 Jun 2019 07:58:04 GMT):
Hi, I'm getting the following error when I try to start the Fabric-ca Server with SoftHSM. Steps I followed:
1- Installed GO and set the GOPATH
2- Installed SoftHSM and set the SOFTHSM2_CONF
3- Initialized Token
4- go get -u github.com/hyperledger/fabric-ca/cmd/...
5- Set below variables:
FABRIC_CA_SERVER_BCCSP_DEFAULT=PKCS11
FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY=/usr/local/lib/softhsm/libsofthsm2.so
FABRIC_CA_SERVER_BCCSP_PKCS11_PIN=987654321
FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL=ForFabric
6- ./fabric-ca-server init -b admin:adminpw
Error:
```
2019/06/27 17:45:58 [INFO] Configuration file location: /Users/mfaisaltariq/fabric-ca/server/fabric-ca-server-config.yaml
2019/06/27 17:45:58 [INFO] Starting server in home directory: /Users/mfaisaltariq/fabric-ca/server
2019/06/27 17:45:58 [INFO] Server Version: 1.4.2
2019/06/27 17:45:58 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
Error: Failed to initialize BCCSP Factories: %!s() Could not find default `PKCS11` BCCSP
```

Bentipe (Fri, 28 Jun 2019 10:15:28 GMT):
hey guys, on the bootstrapping of the orderer it gives me the following error:
```
[orderer.common.server] Start -> PANI 003 Failed validating bootstrap block: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: CA Certificate did not have the CA attribute, (SN: f8adffbd6a2debed01cd2840f1f75cd77bfdc9c)
panic: Failed validating bootstrap block: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: CA Certificate did not have the CA attribute, (SN: f8adffbd6a2debed01cd2840f1f75cd77bfdc9c)

goroutine 1 [running]:
github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc0001b1970, 0x0, 0x0, 0x0)
    /opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore/entry.go:229 +0x515
github.com/hyperledger/fabric/vendor/go.uber.org/zap.(*SugaredLogger).log(0xc0001382a0, 0xc00003d804, 0x10355b0, 0x25, 0xc00047bd10, 0x1, 0x1, 0x0, 0x0, 0x0)
    /opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:234 +0xf6
github.com/hyperledger/fabric/vendor/go.uber.org/zap.(*SugaredLogger).Panicf(0xc0001382a0, 0x10355b0, 0x25, 0xc00047bd10, 0x1, 0x1)
    /opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:159 +0x79
github.com/hyperledger/fabric/common/flogging.(*FabricLogger).Panicf(0xc0001382a8, 0x10355b0, 0x25, 0xc00047bd10, 0x1, 0x1)
    /opt/gopath/src/github.com/hyperledger/fabric/common/flogging/zap.go:74 +0x60
github.com/hyperledger/fabric/orderer/common/server.Start(0x1013e09, 0x5, 0xc00054f200)
    /opt/gopath/src/github.com/hyperledger/fabric/orderer/common/server/main.go:98 +0xcd
github.com/hyperledger/fabric/orderer/common/server.Main()
    /opt/gopath/src/github.com/hyperledger/fabric/orderer/common/server/main.go:91 +0x1ce
main.main()
    /opt/gopath/src/github.com/hyperledger/fabric/orderer/main.go:15 +0x20
```
I have checked the CA certificate files and they have the following attribute:
```
X509v3 Basic Constraints: critical
    CA:TRUE, pathlen:0
```
Also I am using fabric CA.

nyet (Fri, 28 Jun 2019 14:21:57 GMT):
Which files have you checked? Perhaps you missed one.

adityanalge (Fri, 28 Jun 2019 18:02:55 GMT):
Is there a way to get the public root certificate from a CA using fabric-sdk-node?

montana (Fri, 28 Jun 2019 18:20:34 GMT):
You can revoke the old certificate to mark it as invalid.

KartikChauhan (Fri, 28 Jun 2019 19:47:28 GMT):
I'm running a Fabric 1.4.1 network with one peer and one orderer. I'm using Prometheus to monitor them. The targets are up and Prometheus is able to scrape the metrics. But I think I'm not getting all the metrics that are listed on https://hyperledger-fabric.readthedocs.io/en/latest/metrics_reference.html Plus many of the metric names look different than the ones mentioned in the list. This could probably be because the documentation is for version 1.4 and I'm running a network of 1.4.1. Just want to confirm if this is the sole reason or if there could be any other reason as well.

mastersingh24 (Sat, 29 Jun 2019 13:23:21 GMT):
Can you list some examples of metrics you're *not* seeing?

soumyanayak (Sat, 29 Jun 2019 15:35:13 GMT):
Has joined the channel.

KartikChauhan (Mon, 01 Jul 2019 07:18:29 GMT):
Can a newly added organization create its own channel? I know how to add an organization to a running fabric network. But can that organization create a channel of its own?

mastersingh24 (Mon, 01 Jul 2019 08:48:08 GMT):
You would need to add the new org to the consortium in the system channel

Bentipe (Mon, 01 Jul 2019 16:17:32 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=6pj5yzGQ6TLczh6YT) Hello, I'm back. The problem that I had with the attribute of the CA before: I think that I have found the problem, thank you @nyet for helping. So there are a couple of things. I am using fabric CA without any external certificate and TLS enabled, so, on bootstrapping it creates all the crypto material. In order to find the issue I have been comparing, by decoding them, the material created by the cryptogen tool and the fabric ca material; I have used this web https://certlogik.com/decoder/. All but the tls certificate have the same attributes. The one created by the cryptogen tool has the following property true: `X509v3 Basic Constraints: critical CA:TRUE`. But the one created by the fabric ca has the attribute set to false, so is there a property that determines this that I have not set up, or is it a bug?

nyet (Mon, 01 Jul 2019 17:03:02 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=2Y9FdhrDokWMSCJCL) @Bentipe That does sound like a bug.

adityanalge (Mon, 01 Jul 2019 19:08:05 GMT):
This sounds exactly like the issue you helped me with nyet. Could be possible that @Bentipe is confusing tls cert with tlsca cert just like I did.

adityanalge (Mon, 01 Jul 2019 19:09:00 GMT):
I am getting an authentication failure on trying to retrieve a certificate from the internal non tls ca instance of my fabric-ca server.

adityanalge (Mon, 01 Jul 2019 19:11:01 GMT):
```
const Client = require('fabric-client');
const FabricCaClient = require('fabric-ca-client');

// runs inside an async function; privateKey and certificate are the
// admin's PEM strings loaded earlier, caInfo/userName come from the connection profile
const client = new Client();
const registrar = await client.createUser({
  username: 'Admin@org1.example.com',
  mspid: 'Org1MSP',
  cryptoContent: { privateKeyPEM: privateKey, signedCertPEM: certificate },
  skipPersistence: true
});
const caName = 'tlsca.org1.example.com';
const ca = new FabricCaClient(caInfo.url, { trustedRoots: null, verify: false }, caName);
const certificateService = ca.newCertificateService();
// result renamed to certs so it does not redeclare the certificate PEM above
const certs = await certificateService.getCertificates({ id: userName }, registrar);
```

adityanalge (Mon, 01 Jul 2019 19:11:50 GMT):
The above code works if caName is 'tlsca.org1.example.com'. How can I get back the non tls certificate of a user?

adityanalge (Mon, 01 Jul 2019 19:12:52 GMT):
Basically trying to get the code to work by setting caName='ca.org1.example.com', it gives me authentication failure since the api call still goes to tlsca.org1.example.com and not ca.org1.example.com. What could I be missing?

adityanalge (Mon, 01 Jul 2019 19:31:20 GMT):
Figured it out. For anyone curious, the solution is to pass the caName along with the userID:
```
const certificate = await certificateService.getCertificates({ id: userName, ca: caName }, registrar);
```

Bentipe (Tue, 02 Jul 2019 06:52:49 GMT):
it might be, because what I am using is the file called tls-cert, how can I get the tlsca cert?

Bentipe (Tue, 02 Jul 2019 07:22:28 GMT):
On the enrollments shoudnt the CA retrieve the tlsca-cert? because on bootstrapping I dont see any file corresponding to the tlsca-cert

AlbertCL (Tue, 02 Jul 2019 08:57:09 GMT):
Has joined the channel.

delao (Tue, 02 Jul 2019 12:02:13 GMT):
Has joined the channel.

delao (Tue, 02 Jul 2019 12:12:27 GMT):
Good morning everyone, I'm facing a little problem regarding revoking a certificate using fabric-ca-client. I have created an identity inside the fabric-ca container, enrolled it and transacted with it. My problem is with revoking this cert. The steps I took were: I ran the command `fabric-ca-client revoke -e --gencrl` and I've put the CRL inside the peer's container, but I'm not able to use/configure the peer to use this CRL when endorsing any transaction and deny the revoked identity's transaction proposals. Any thoughts?

FernandaSartori (Tue, 02 Jul 2019 12:19:13 GMT):
Has joined the channel.

mastersingh24 (Tue, 02 Jul 2019 12:52:56 GMT):
You actually need to perform a channel update on all channels the Org belongs to. You'll need to update the MSP for the Org on those channels (and on the system channel for any future channels).

delao (Tue, 02 Jul 2019 13:12:40 GMT):
Thank you very much :)

nyet (Tue, 02 Jul 2019 15:41:59 GMT):
No, TLSCAs have to be distributed out of band

Bentipe (Tue, 02 Jul 2019 15:52:01 GMT):
sorry for my ignorance, how?

nyet (Tue, 02 Jul 2019 15:52:52 GMT):
however you like. set up an nginx server on the ca and serve them with a real public cacert-backed http request, scp them around, sneakernet, whatever

nyet (Tue, 02 Jul 2019 15:53:14 GMT):
there is a hack to get it from the ca-server directly with curl but it requires turning off ca checking

Bentipe (Tue, 02 Jul 2019 15:57:25 GMT):
so, a lets encrypt cert would do?

nyet (Tue, 02 Jul 2019 15:58:39 GMT):
yes, but you'd need a separate nginx server or equivalent set up to serve the non-public tlsca. Or you can just use a LE cert for the tlsca itself, but that would suck because you'd have to redo every channel every time the tlsca was renewed from Let's Encrypt

Bentipe (Tue, 02 Jul 2019 16:02:09 GMT):
oh my, ty man, this world is all new to me, I will grab a beer

PMoura (Tue, 02 Jul 2019 16:13:13 GMT):
Has joined the channel.

PMoura (Tue, 02 Jul 2019 16:19:49 GMT):
Hello everyone. Using `fabric-ca-client` in node, is it possible to know what was the Identity Secret used to register an user? I've registered it (without saving the IdentitySecret) and enrolled it, and after that I've revoked it and delete it from wallet (to disable access). Now, I'm not able to delete the identity (Error: "Identity removal is disabled"), nor enroll it because I don't have the IdentitySecret. Any suggestions? Thanks in advance.

nyet (Tue, 02 Jul 2019 17:36:32 GMT):
I could be wrong here but I think the issue isn't that you don't have the identity secret, but that the ca-server user you are using to remove the identity has insufficient permissions.

mastersingh24 (Tue, 02 Jul 2019 17:52:16 GMT):
You have to enable identity removal via a flag when you start fabric-ca-server - https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html?#removing-an-identity

PMoura (Tue, 02 Jul 2019 20:00:03 GMT):
Thanks. It works.

mattremy (Wed, 03 Jul 2019 08:22:11 GMT):
I have a basic problem with the way affiliations work. I have a fabric-ca-server.yaml with the following:
```
identities:
  - name: admin
    pass: admin123
    type: client
    affiliation: "org.mycompany"
    attrs:
      hf.Registrar.Roles: "*"
      hf.Registrar.DelegateRoles: "*"
      hf.Revoker: true
      hf.IntermediateCA: true
      hf.GenCRL: true
      hf.Registrar.Attributes: "*"
      hf.AffiliationMgr: true
```
This is used for the bootstrap admin. Now when I register another user in order to register peers and users, I try setting an affiliation as org.mycompany.department1. However, I am getting an authorization failure. Not sure what I am doing wrong here.

soumyanayak (Wed, 03 Jul 2019 08:58:10 GMT):
Hi All, when starting the orderer I am getting the below error:
```
2019-07-03 14:25:21.153 IST [cauthdsl] deduplicate -> ERRO 322 Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2019-07-03 14:25:21.154 IST [cauthdsl] func1 -> DEBU 323 0xc0003df3a0 gate 1562144121154067504 evaluation starts
2019-07-03 14:25:21.154 IST [cauthdsl] func2 -> DEBU 324 0xc0003df3a0 signed by 0 principal evaluation starts (used [false])
2019-07-03 14:25:21.154 IST [cauthdsl] func2 -> DEBU 325 0xc0003df3a0 principal evaluation fails
2019-07-03 14:25:21.154 IST [cauthdsl] func1 -> DEBU 326 0xc0003df3a0 gate 1562144121154067504 evaluation fails
2019-07-03 14:25:21.154 IST [policies] Evaluate -> DEBU 327 Signature set did not satisfy policy /Channel/Application/Org1/Admins
2019-07-03 14:25:21.154 IST [policies] Evaluate -> DEBU 328 == Done Evaluating *cauthdsl.policy Policy /Channel/Application/Org1/Admins
2019-07-03 14:25:21.154 IST [policies] func1 -> DEBU 329 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ Org1/Admins ]
2019-07-03 14:25:21.154 IST [policies] Evaluate -> DEBU 32a Signature set did not satisfy policy /Channel/Application/ChannelCreationPolicy
2019-07-03 14:25:21.154 IST [policies] Evaluate -> DEBU 32b == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Application/ChannelCreationPolicy
```
The issue is that it's picking up a certificate which is not available anymore in that previous folder/path. I have mentioned a new path in configtx.yaml and generated the genesis and .tx files. After deleting the orderer ledger I started the orderer; still it's trying to access it from somewhere I am not able to locate. Can anybody please help? Regards, Soumya

dkushagra (Wed, 03 Jul 2019 08:58:20 GMT):
Has joined the channel.

KartikChauhan (Wed, 03 Jul 2019 10:32:59 GMT):
Thank you for the reply Sir. But we define the consortium configuration before starting a fabric network, right? I'm targeting on generating the org configuration in the mid of a running network, and that org should be able to create a new channel. I didn't get what exactly is 'system channel'? Could you provide any code reference, any API for that?

soumyanayak (Wed, 03 Jul 2019 11:27:34 GMT):
Hi All, please follow the below link for the fabric-ca identity generation process, for people doing it for the first time. It's really helpful. I generated the identities and brought the network up. https://gerrit.hyperledger.org/r/c/fabric-ca/+/29430/8/docs/source/operations_guide.rst#602

nyet (Wed, 03 Jul 2019 15:47:42 GMT):
The system channel is on the orderer. It determines who can create channels.

soumyanayak (Thu, 04 Jul 2019 06:08:15 GMT):
Hi All, how can we add multiple SANs to the fabric-ca-client-config.yaml file? Regards, Soumya

abisarvepalli (Fri, 05 Jul 2019 17:40:01 GMT):
Has joined the channel.

Aar34w23 (Sat, 06 Jul 2019 19:08:51 GMT):
Has joined the channel.

PMoura (Sun, 07 Jul 2019 13:26:30 GMT):
Hello guys. Is there any way to remove an identity/user from the state store? I revoked and deleted the identity and it stills showing in the state store!

Puneeth987 (Mon, 08 Jul 2019 06:33:12 GMT):
Has joined the channel.

Puneeth987 (Mon, 08 Jul 2019 06:33:15 GMT):
`{"success":false,"message":"failed Error: fabric-ca request register failed with errors [[{\"code\":0,\"message\":\"Registration of 'Puni' failed in affiliation validation: Failed getting affiliation 'org3.department1': : scode: 404, code: 63, msg: Failed to get Affiliation: sql: no rows in result set\"}]]"}` I am getting this error; how do I solve it?

Bentipe (Mon, 08 Jul 2019 06:49:38 GMT):
is that affiliation registered? you can do it 2 ways, with the client or in the configuration file

Puneeth987 (Mon, 08 Jul 2019 07:09:38 GMT):
bentipe please tell me how to do it with the client and also how to do it with the configuration file

Bentipe (Mon, 08 Jul 2019 07:58:23 GMT):
you can see here on the commands that you can create them with the command affiliation: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/clientcli.html?highlight=affiliation

Bentipe (Mon, 08 Jul 2019 07:59:50 GMT):
also, in the configuration file you should see the section affiliations where you register the bootstrapping affiliations:

Bentipe (Mon, 08 Jul 2019 07:59:51 GMT):
https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/serverconfig.html?highlight=affiliation

ilkan8 (Mon, 08 Jul 2019 10:45:56 GMT):
Has joined the channel.

ilkan8 (Mon, 08 Jul 2019 10:45:59 GMT):
Hello, Has anyone else come across following error message when trying to launch intermediate CA with METRICS_PROVIDER environment variable? "panic: duplicate metrics collector registration attempted". Fabric CA version: 2.0.0alpha. ROOT CA works fine with Prometheus as metric provider.

soumyanayak (Mon, 08 Jul 2019 14:21:18 GMT):
Hi All, after activating TLS on Peers and Orderers, I was trying to connect to the anchor peer using node.js through gateway.js. In the connection.yaml file, under the orderer and peer sections, I have given the TLSCA certificate path. So when I am trying to connect it's giving me the below error:
```
2019-07-08T14:05:04.759Z - error: [Remote.js]: Error: Failed to connect before the deadline URL:grpcs://172.23.155.115:7051
2019-07-08T14:05:04.760Z - error: [Channel.js]: Error: Failed to connect before the deadline URL:grpcs://172.23.155.115:7051
2019-07-08T14:05:04.760Z - error: [Network]: _initializeInternalChannel: Unable to initialize channel. Attempted to contact 1 Peers. Last error was Error: Failed to connect before the deadline URL:grpcs://172.23.155.115:7051
Error: Unable to initialize channel. Attempted to contact 1 Peers. Last error was Error: Failed to connect before the deadline URL:grpcs://172.23.155.115:7051
    at Network._initializeInternalChannel (/home/ranjan/LDBCApp/sdk/node_modules/fabric-network/lib/network.js:112:12)
    at
    at process._tickCallback (internal/process/next_tick.js:189:7)
```
In the Peer logs I got the below error:
```
2019-07-08 18:58:48.608 IST [core.comm] ServerHandshake -> ERRO 034 TLS handshake failed with error tls: first record does not look like a TLS handshake server=PeerServer remoteaddress=172.23.155.122:37168
```
When I checked the TLSCA certificate of the TLS server, the SANs are empty. Do the SANs have to be filled with the machine names or IP addresses of the peer and orderer machines? Or are there any other issues? Please help. Without TLS activation the same is working fine. Regards, Soumya

HritikGupta (Mon, 08 Jul 2019 15:41:52 GMT):
Has joined the channel.

HritikGupta (Mon, 08 Jul 2019 15:41:54 GMT):
Hi there! I am working on connecting LDAP server with a fabric network (2 orgs + 4 peers (2 each)), having 2 CAs. The process I am currently following to enroll a user is via authentication with LDAP (performed by fabric-ca server) and then assigning certificates to the enrolled user, so that it can invoke methods in chaincode. The certificates of the authenticated user get saved in hfc-key-store. What I want to achieve is as follows: I have an external CA and I have a user who is already enrolled (i.e. the user already has the certificate and priv-key). Is there a way the user can directly invoke txns, skipping the enrolling part ?

nyet (Mon, 08 Jul 2019 23:36:16 GMT):
yes if his CA is added to the channel config

ahmedsajid (Tue, 09 Jul 2019 14:13:17 GMT):
Hi @mastersingh24 , Can I get you to respond to the comments in https://jira.hyperledger.org/browse/FABC-792 ?

HritikGupta (Wed, 10 Jul 2019 05:35:02 GMT):
How does `fabric-ca-client enroll` generates the "signingIdentity" ?

nyet (Wed, 10 Jul 2019 06:11:27 GMT):
it submits a csr to the ca-server who signs it and returns a keypair to the enroller

HritikGupta (Wed, 10 Jul 2019 06:23:24 GMT):
Right, but that should ideally return a priv and pub key pair; what's with the signingIdentity hash? And does it play any role in invoking txns?

nyet (Wed, 10 Jul 2019 06:25:19 GMT):
if you are talking about the SKI, it is used to determine which private key in the keystore should be used to sign things that can be verified with the given public key.

nyet (Wed, 10 Jul 2019 06:26:41 GMT):
The specifics of the implementation are confusing and not very well documented https://jira.hyperledger.org/browse/FABC-60

HritikGupta (Wed, 10 Jul 2019 06:29:34 GMT):
`{"name":"admin","mspid":"Org1MSP","roles":null,"affiliation":"","enrollmentSecret":"","enrollment":{"signingIdentity":"0d345e225af971557b2f8727ca61a163e776fb350d5400e4026af63359400e04","identity":{"certificate":"-----BEGIN CERTIFICATE-----\nMIICHzCCAcWgAwIBAgIUM2AlfPRlN6VjtK4K4s096gvn3qMwCgYIKoZIzj0EAwIw\nczELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh\nbiBGcmFuY2lzY28xGTAXBgNVBAoTEG9yZzEuZXhhbXBsZS5jb20xHDAaBgNVBAMT\nE2NhLm9yZzEuZXhhbXBsZS5jb20wHhcNMTkwNzA5MTA1MjAwWhcNMjAwNzA4MTA1\nNzAwWjA+MSwwDQYDVQQLEwZjbGllbnQwDQYDVQQLEwZmYWJyaWMwDAYDVQQLEwV1\nc2VyczEOMAwGA1UEAxMFYWRtaW4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQt\n/omGYmJZdkzq69dcTvwYQBnEpNgNlWyrsdqIyXx5H5qoZXqQXePz/quj+sD9cq3+\nZjog7PTMzpvjzdoYTxx4o2wwajAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIw\nADAdBgNVHQ4EFgQUJp1BIjflNXH6Jqa+d4JzSCfY8yIwKwYDVR0jBCQwIoAgC7ON\nMr9OEJA42O+IwWhxg8tk7Bb+WtcGYtP25ilWeWswCgYIKoZIzj0EAwIDSAAwRQIh\nANpEj0lFDFeG7oEbBELDXxeLfc4DJUVE42j6PP3hgy6+AiAZUNG4ehMBeXKg3k8F\ng++ECt7ZSOGSFuc5C2frFlLCyA==\n-----END CERTIFICATE-----\n"}}}`

HritikGupta (Wed, 10 Jul 2019 06:30:23 GMT):
On calling the enroll script, I get the priv-pub key pair along with a file, that entails the above. I'm not sure what the enrollment part denotes

HritikGupta (Wed, 10 Jul 2019 06:31:41 GMT):
I invoke the enroll script along with the userid and passwd (for any existing user in my LDAP server). The Fabric CA server (which is LDAP enabled) authenticates and generates the certificates for this user.

HritikGupta (Wed, 10 Jul 2019 07:03:35 GMT):
@nyet The doubt is with reference to this repo : https://github.com/alejandrolr/fabric-ldap-example

HritikGupta (Wed, 10 Jul 2019 07:03:56 GMT):
@nyet

soumyanayak (Wed, 10 Jul 2019 07:31:12 GMT):
Hi All, does anybody have any idea how to get the SAN details added after signing the CSR using the openssl command? I created the CSR using the keytool command, adding the SAN details, but after signing, the SAN details are stripped off from the certificate. Regards, Soumya

Bentipe (Wed, 10 Jul 2019 08:35:33 GMT):
Hey guys, I am getting the following error when enrolling a user:
```
2019/07/10 08:18:39 [INFO] TLS Enabled
2019/07/10 08:18:39 [INFO] generating key: &{A:ecdsa S:256}
2019/07/10 08:18:39 [INFO] encoded CSR
Error: Response from server: Error Code: 0 - 2 rows were affected when updating the state of identity
```

soumyanayak (Wed, 10 Jul 2019 11:09:11 GMT):
Hi All, can anybody share a link with me where I can get details of the orderer and kafka brokers TLS setup? Will be very grateful. Regards, Soumya

Puneeth987 (Wed, 10 Jul 2019 13:19:11 GMT):
hi, I followed this link: https://fabric-sdk-node.github.io/tutorial-channel-create.html

Puneeth987 (Wed, 10 Jul 2019 13:19:34 GMT):
```
r: , s: , recoveryParam: 0 }
[2019-07-10 13:12:36.941] [ERROR] Create-Channel - Error: PEM encoded certificate is required.
    at new Endpoint (C:\Users\PuneethV\Desktop\deleted_balance-transfer\node_modules\fabric-client\lib\Remote.js:269:11)
    at new Remote (C:\Users\PuneethV\Desktop\deleted_balance-transfer\node_modules\fabric-client\lib\Remote.js:119:20)
    at new Orderer (C:\Users\PuneethV\Desktop\deleted_balance-transfer\node_modules\fabric-client\lib\Orderer.js:80:3)
    at Client.newOrderer (C:\Users\PuneethV\Desktop\deleted_balance-transfer\node_modules\fabric-client\lib\Client.js:455:10)
    at Object.updateChannel (C:\Users\PuneethV\Desktop\deleted_balance-transfer\app\updatechannel.js:49:24)
(node:6984) [DEP0079] DeprecationWarning: Custom inspection function on Objects via .inspect() is deprecated
(node:6984) UnhandledPromiseRejectionWarning: Error: Failed to initialize the channel: Error: PEM encoded certificate is required.
    at Object.updateChannel (C:\Users\PuneethV\Desktop\deleted_balance-transfer\app\updatechannel.js:90:9)
(node:6984) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
(node:6984) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
```

Puneeth987 (Wed, 10 Jul 2019 13:20:16 GMT):
This error is for adding an org to an existing network.

K1L14N (Wed, 10 Jul 2019 15:42:48 GMT):
Has joined the channel.

HLFPOC (Wed, 10 Jul 2019 17:55:33 GMT):
Hi Team, I am trying to register a peer of my organization using fabric-ca, but I am getting the below error: Error: Response from server: `Error Code: 20 - Authentication failure`. I checked the CA logs; the error was: `POST /register 401 25 "Invalid token in authorization header: Token signature validation failed"`. Can anyone please guide what could be the issue here?

K1L14N (Thu, 11 Jul 2019 06:38:46 GMT):
Hello all, I want to know if it is possible to use the persistent storage of keys as a wallet. My issue is that I don't know how to get the priv/pub key of a client when he sends queries to my server, except when I enroll the user.

K1L14N (Thu, 11 Jul 2019 06:40:35 GMT):
Looks like you are sending a wrong token when sending the request

HLFPOC (Thu, 11 Jul 2019 06:44:12 GMT):
I am using the below command for registering the peer identity: `fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7052`

HLFPOC (Thu, 11 Jul 2019 06:44:26 GMT):
not sure how the token gets appended in this request

Puneeth987 (Thu, 11 Jul 2019 07:40:52 GMT):
How to encode the mychannel.json file after adding a new org to the read set and write set? I followed https://fabric-sdk-node.github.io/tutorial-channel-create.html but I got `[2019-07-10 13:12:36.941] [ERROR] Create-Channel - Error: PEM encoded certificate is required.`

HritikGupta (Thu, 11 Jul 2019 08:50:19 GMT):
*This is a generic CA doubt* For CA-generating utilities like OpenSSL, is there a way to enroll a user after authentication with an external identity provider (like LDAP/Active Directory), similar to what fabric-ca supports?

heenas06 (Thu, 11 Jul 2019 10:36:56 GMT):
Has joined the channel.

BAM_Mueller (Thu, 11 Jul 2019 10:44:38 GMT):
Has joined the channel.

mastersingh24 (Thu, 11 Jul 2019 12:49:30 GMT):
The only authentication options are the built-in user store and LDAP

Estebanrestrepo (Thu, 11 Jul 2019 23:39:05 GMT):
Why, when I invoke "Enroll user", do I get an object with a null role?

Estebanrestrepo (Thu, 11 Jul 2019 23:40:35 GMT):
Like this:
```
{
  "name": "user1",
  "mspid": "Org1MSP",
  "roles": null,
  "affiliation": "",
  "enrollmentSecret": "",
  "enrollment": {
    "signingIdentity": "3ed2fa17330f9f556a72a60d9c7c2469c9b43e819b4f7fb581f0953f7c28c8a1",
    "identity": {
      "certificate": "-----BEGIN CERTIFICATE-----\nMIICkzCCAjmgAwIBAgIUVPqrdeWEsG1C8d3X45tOLVhBmtkwCgYIKoZIzj0EAwIw\ndzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNh\nbiBGcmFuY2lzY28xGzAZBgNVBAoTEm9yZzEucHJvdG90aXBvLmNvbTEeMBwGA1UE\nAxMVY2Eub3JnMS5wcm90b3RpcG8uY29tMB4XDTE5MDcxMDE5NTcwMFoXDTIwMDcw\nOTIwMDIwMFowQjEwMA0GA1UECxMGY2xpZW50MAsGA1UECxMEb3JnMTASBgNVBAsT\nC2RlcGFydG1lbnQxMQ4wDAYDVQQDEwV1c2VyMTBZMBMGByqGSM49AgEGCCqGSM49\nAwEHA0IABFACsaY1Hcfws/m5HQ54q64JY7MNNcPg94/0yY6r3zUvyWGdTuW1phPG\nXjG0QSVaap40FWZOrKLwPguuxDVt/6+jgdcwgdQwDgYDVR0PAQH/BAQDAgeAMAwG\nA1UdEwEB/wQCMAAwHQYDVR0OBBYEFKKHpc6yRAms11nEG2v2ypKKZkoWMCsGA1Ud\nIwQkMCKAINjXCCYk9052pRkBcnFECNHx54+G0VI7b7vlt/A+rwz8MGgGCCoDBAUG\nBwgBBFx7ImF0dHJzIjp7ImhmLkFmZmlsaWF0aW9uIjoib3JnMS5kZXBhcnRtZW50\nMSIsImhmLkVucm9sbG1lbnRJRCI6InVzZXIxIiwiaGYuVHlwZSI6ImNsaWVudCJ9\nfTAKBggqhkjOPQQDAgNIADBFAiEAiUHHbtEae4BdQyvgRx7iDTs2bbOZmc6jcTzG\nRvIac9kCIFfTj6LrW+YrPkq35vyjEQx7Cj1RLVFM3j1VkgEqy/zN\n-----END CERTIFICATE-----\n"
    }
  }
}
```

HritikGupta (Fri, 12 Jul 2019 05:48:40 GMT):
It has been happening to me as well

HritikGupta (Fri, 12 Jul 2019 07:20:50 GMT):
What are the major differences in a certificate issued by fabric-ca and one issued by OpenSSL?

HritikGupta (Fri, 12 Jul 2019 08:40:46 GMT):
*A small doubt with reference to this article* https://medium.com/ibm-garage/using-3rd-party-root-cas-in-hyperledger-fabric-3cafa91d1260 Why is there a need to create an intermediate CA? Can't we directly invoke chaincode methods by using priv/pub keys and a cert signed by this very root CA?

mastersingh24 (Fri, 12 Jul 2019 10:04:01 GMT):
There is no requirement to create intermediate CAs ... the article simply suggests this method as one possible option. Some people choose to create a root CA, immediately issue intermediate roots and take the root offline. This is actually what 3rd party CAs such as DigiCert and Verisign do.

HritikGupta (Fri, 12 Jul 2019 13:07:15 GMT):
Having read that the SKI is calculated from the Subject and Public Key of a cert, I have also deciphered that it is a SHA256 hash of some entity; can anyone help as to how one can calculate it? Preferred if it can be achieved by an openssl command.

ashutosh_kumar (Fri, 12 Jul 2019 14:26:40 GMT):
Why do you need it calculated? It is an alias to keys.

nyet (Fri, 12 Jul 2019 15:35:55 GMT):
I need it to figure out filenames while doing TLS enroll. It's a pain

nyet (Fri, 12 Jul 2019 15:36:26 GMT):
https://jira.hyperledger.org/browse/FABC-60

invaliduser (Sat, 13 Jul 2019 13:27:55 GMT):
Has joined the channel.

jyu617 (Sat, 13 Jul 2019 13:44:00 GMT):
Has joined the channel.

jyu617 (Sat, 13 Jul 2019 13:44:01 GMT):
Hello, I've recently encountered an issue with building the fabric-ca-client (release-1.4) using `make fabric-ca-client` it's failing with: "unknown field 'LabelHelp' in struct literal of type metrics.CounterOpts" I've tracked it down to this issue: https://gerrit.hyperledger.org/r/q/FABC-853

jyu617 (Sat, 13 Jul 2019 13:51:43 GMT):
Here's some additional info:
```
# github.com/hyperledger/fabric/idemix
/gopath/pkg/mod/github.com/hyperledger/fabric@v1.4.1/idemix/util.go:60:11: too many arguments in call to E.ToBytes have ([]byte, bool) want ([]byte)
/gopath/pkg/mod/github.com/hyperledger/fabric@v1.4.1/idemix/util.go:66:11: too many arguments in call to E.ToBytes have ([]byte, bool) want ([]byte)
```

jyu617 (Sat, 13 Jul 2019 14:00:42 GMT):
@chongxinman @sykesm

KristijanGlibo (Sun, 14 Jul 2019 14:22:20 GMT):
Hello guys! Another day in our series is online: https://medium.com/beyondi/iot-hyperledger-development-from-scratch-within-21-days-day-6-ef4a46b0710 Here we explained how and when to use the crypto-config.yaml file. It is a helper tool when you are in development mode. For production purposes you will generate your own certificates, or you will use some 3rd party institution to do it for you, to protect and bring trust to the network you are building. Happy reading!

mastersingh24 (Sun, 14 Jul 2019 22:14:36 GMT):
Very nice .... maybe we can use some of the info on cryptogen in the actual Fabric docs?

umarmw (Mon, 15 Jul 2019 05:17:57 GMT):
Has joined the channel.

umarmw (Mon, 15 Jul 2019 05:17:59 GMT):
When registering a user, it generates a secret password. Where is the password used?
```
const secret = await ca.register({
  affiliation: 'org1.department1',
  enrollmentID: 'user1',
  role: 'client'
}, adminIdentity);
```

nyet (Mon, 15 Jul 2019 05:18:53 GMT):
@umarmw needed to enroll, which generates a key pair in the MSP

umarmw (Mon, 15 Jul 2019 05:19:45 GMT):
@nyet thanks

umarmw (Mon, 15 Jul 2019 05:54:53 GMT):
Since only the username is used for participating in the network:
```
const walletPath = path.join(process.cwd(), 'vault', organisation, 'wallet');
const wallet = new FileSystemWallet(walletPath);
console.log(`Wallet path: ${walletPath}`);

// Check to see if we've already enrolled the user.
const userExists = await wallet.exists(user);
if (!userExists) {
  return res.json({ status: 'error', message: user + ' does not exist in ' + organisation });
}

// Create a new gateway for connecting to our peer node.
const gateway = new Gateway();
await gateway.connect(ccpPath, { wallet, identity: user, discovery: { enabled: true, asLocalhost: true } });
```
If we are using a web portal to access the blockchain, then should it be secured by another authentication method? E.g. using a combination of user/pass where the user is associated with a specific wallet. Is the approach correct?

HritikGupta (Mon, 15 Jul 2019 10:37:30 GMT):
Fabric CA has a notion of register and enroll, how will I incorporate this in an externally created CA?

mastersingh24 (Mon, 15 Jul 2019 10:38:45 GMT):
you can't ... if you use an external CA you will need to write your own client to obtain the certificates (or pass them around out of band)

vieiramanoel (Mon, 15 Jul 2019 15:01:46 GMT):
hey guys, has anyone had experience configuring an HSM that isn't SoftHSM? How do I set the address and user/password in the bccsp configuration?

nyet (Mon, 15 Jul 2019 15:12:00 GMT):
Or give the externally created CA key pair to ca-server to use to sign enrollment requests.

owenlilly (Mon, 15 Jul 2019 15:45:00 GMT):
Has joined the channel.

HritikGupta (Mon, 15 Jul 2019 15:55:02 GMT):
Doesn't work. What I did was create a Root CA via OpenSSL, and 2 peers signed by this Root CA. In my fabric crypto-config directory, I replaced the MSP/CA of Org1 and the peer certs with the above created certs & keys. When I tried building the network (creating the channel and adding peers to the channel), it gives me the "endorser client failed to connect to peer0.org1.example.com:7051: failed to create new connection: context deadline exceeded" error.

nyet (Mon, 15 Jul 2019 15:56:07 GMT):
It does work, it's what we do. There are a lot of moving parts, so something else is going wrong in your workflow.

nyet (Mon, 15 Jul 2019 15:56:31 GMT):
But we still have ca-server issue the signed certs

nyet (Mon, 15 Jul 2019 15:56:43 GMT):
the only pair we self-generate is the CA itself

nyet (Mon, 15 Jul 2019 15:57:23 GMT):
"context deadline" messages are generally from network transport issues, not cert failure.

HritikGupta (Mon, 15 Jul 2019 15:57:56 GMT):
Does the above workflow seem correct to you?

nyet (Mon, 15 Jul 2019 15:58:01 GMT):
no, it doesn't.

HritikGupta (Mon, 15 Jul 2019 15:58:11 GMT):
What am I missing out?

nyet (Mon, 15 Jul 2019 15:58:34 GMT):
if you are copying them over crypto materials generated by cryptogen, none of it is going to work unless you regenerate every single cred in the tree.

nyet (Mon, 15 Jul 2019 15:58:57 GMT):
Also, the "context deadline" error is not a cred issue.

HritikGupta (Mon, 15 Jul 2019 15:59:09 GMT):
What's cred?

nyet (Mon, 15 Jul 2019 15:59:17 GMT):
credential

HritikGupta (Mon, 15 Jul 2019 16:00:20 GMT):
I feel it's the "copying over cryptogen generated material" that's bothering here; as per my experience till now, error logs aren't that helpful in debugging issues in fabric; what do you say?

HritikGupta (Mon, 15 Jul 2019 16:00:36 GMT):
If not copying over cryptogen material, then how does one do it?

nyet (Mon, 15 Jul 2019 16:13:06 GMT):
don't use cryptogen at all, and create all materials with the ca-server

nyet (Mon, 15 Jul 2019 16:13:33 GMT):
don't use cryptogen at all, use fabric-ca-client to do all of the cert creation

HritikGupta (Mon, 15 Jul 2019 16:15:34 GMT):
Does OpenSSL work in place of fabric-ca? I am not sure if fabric-ca-client can be used to create certificates

mastersingh24 (Mon, 15 Jul 2019 16:16:11 GMT):
What are you really trying to accomplish here?

HritikGupta (Mon, 15 Jul 2019 16:21:11 GMT):
The motive is to link an external Certificate Authority with a fabric network. The user already has certificates (signed by this CA) in the form of PKI; he should be able to invoke chaincode methods by just providing his pubkey. There should be no hassle to enroll again.

nyet (Mon, 15 Jul 2019 16:23:11 GMT):
none of that will work if nobody knows about those CAs but the client.

HritikGupta (Mon, 15 Jul 2019 16:30:05 GMT):
Is this achievable?

HritikGupta (Mon, 15 Jul 2019 16:34:19 GMT):
Also, is it essential that all the entities in the network (peers of different orgs) know about all the CAs?

mastersingh24 (Mon, 15 Jul 2019 17:01:57 GMT):
You should probably read https://hyperledger-fabric.readthedocs.io/en/release-1.4/membership/membership.html and https://hyperledger-fabric.readthedocs.io/en/release-1.4/identity/identity.html#identity

vieiramanoel (Mon, 15 Jul 2019 17:22:40 GMT):
hmmm, I've found this Jira https://jira.hyperledger.org/browse/FAB-13458 and it suggests building fabric-ca using the go tag pkcs11. In fact the Makefile for fabric-ca says that it doesn't support pkcs11 for release builds; is there any fabric-ca image built for pkcs11? @mastersingh24 @smithbk

nyet (Mon, 15 Jul 2019 19:47:33 GMT):
whatever peers need to know about the CA need to know about the CA :)

nyet (Mon, 15 Jul 2019 19:47:50 GMT):
i know that is circular, but you should probably not deploy any CAs until you know who needs what credentials.

HritikGupta (Tue, 16 Jul 2019 07:10:50 GMT):
What are the authorizations an identity can possess in a network? Are these the ones? hf.Registrar.Roles hf.Registrar.DelegateRoles hf.Registrar.Attributes hf.GenCRL hf.Revoker hf.AffiliationMgr hf.IntermediateCA

donjohnny (Tue, 16 Jul 2019 09:31:22 GMT):
Hi all, I'm trying to set up SoftHSM with master. But when starting the ca-server I get the following error:
```
2019/07/16 09:21:25 [DEBUG] CA Home Directory: /etc/hyperledger/fabric-ca-server
2019/07/16 09:21:25 [DEBUG] Checking configuration file version '2.0.0-snapshot-ab17189' against server version: '2.0.0-snapshot-ab17189'
2019/07/16 09:21:25 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts: PluginOpts: Pkcs11Opts:0xc000134d20}
2019/07/16 09:21:25 [DEBUG] Initializing BCCSP with PKCS11 options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc0004c0e10 DummyKeystore:0x1893050 Library:/usr/lib/softhsm/libsofthsm2.so Label:fabric Pin:5678 SoftVerify:false Immutable:false}
2019/07/16 09:21:25 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: Failed initializing PKCS11.BCCSP %!s(): Could not initialize BCCSP PKCS11 [Failed initializing PKCS11 library /usr/lib/softhsm/libsofthsm2.so fabric: Instantiate failed [/usr/lib/softhsm/libsofthsm2.so]]
Could not find default `PKCS11` BCCSP
```

donjohnny (Tue, 16 Jul 2019 09:41:11 GMT):
How should I correctly install SoftHSM? Does copying the SoftHSM library to the container suffice? How can I find out more info on the error, which doesn't say much...

maniankara (Tue, 16 Jul 2019 10:02:06 GMT):
Has left the channel.

ashutosh_kumar (Tue, 16 Jul 2019 13:44:20 GMT):
By user id/password, you meant PIN?

ashutosh_kumar (Tue, 16 Jul 2019 13:45:03 GMT):
The code has been proven to work with HSM other than softHSM.

vieiramanoel (Tue, 16 Jul 2019 13:54:20 GMT):
@ashutosh_kumar I was able to set all configurations, but every time I start the CA server it fails with the error "Could not find default `PKCS11` BCCSP"

ashutosh_kumar (Tue, 16 Jul 2019 13:55:45 GMT):
is your binary file path correct

ashutosh_kumar (Tue, 16 Jul 2019 13:55:47 GMT):
?

ashutosh_kumar (Tue, 16 Jul 2019 13:56:25 GMT):
Is your binary file path correct ?

donjohnny (Tue, 16 Jul 2019 13:59:15 GMT):
In my case, I tried outside the Docker container and it seems to be working fine. But inside the Docker container, just installing the SoftHSM library does not seem to be sufficient. If I move the SoftHSM lib then I get the same error. So either fabric-ca-server is able to open the library and there's another error that is not displayed, OR the library cannot be read from file, and I don't know why :D

ashutosh_kumar (Tue, 16 Jul 2019 13:59:22 GMT):
something wrong in your bccsp section.

ashutosh_kumar (Tue, 16 Jul 2019 14:00:06 GMT):
try pkcs11 instead of PKCS11 OR vice versa.

donjohnny (Tue, 16 Jul 2019 14:05:34 GMT):
try with sudo

donjohnny (Tue, 16 Jul 2019 14:05:42 GMT):
Hmm, so if I run the server with sudo, then it works...

ashutosh_kumar (Tue, 16 Jul 2019 14:07:16 GMT):
I did not use sudo for SoftHSM. So, maybe it is an HSM vendor thing.

mastersingh24 (Tue, 16 Jul 2019 14:26:42 GMT):
The fabric-ca image is not built with pkcs11 enabled

mastersingh24 (Tue, 16 Jul 2019 14:27:11 GMT):
we can try to add that in for the 1.4.2 image

mastersingh24 (Tue, 16 Jul 2019 14:27:28 GMT):
or at least an option to build it with pkcs11

donjohnny (Tue, 16 Jul 2019 14:27:59 GMT):
is it enabled in the 2.0?

vieiramanoel (Tue, 16 Jul 2019 14:29:20 GMT):
It would be wonderful. This will be a real problem here at the company; our deployment is all based on Docker and we can't afford to change it to binaries. Any instructions to build our own image with pkcs11?

mastersingh24 (Tue, 16 Jul 2019 14:30:31 GMT):
If you build the Docker image on fabric-ca master branch it has pkcs11 enabled

vieiramanoel (Tue, 16 Jul 2019 14:34:16 GMT):
Is there any issue if we upload this image built on master to our docker hub?

mastersingh24 (Tue, 16 Jul 2019 14:34:54 GMT):
nope ... people are free to use the code as they wish

vieiramanoel (Tue, 16 Jul 2019 14:35:16 GMT):
Thanks

AjayKalola (Wed, 17 Jul 2019 02:53:19 GMT):
Has joined the channel.

donjohnny (Wed, 17 Jul 2019 14:23:09 GMT):
Hi guys, I've configured the PKCS11 library of my HSM. After getting the configuration right (so the PKCS11 interface is working), I get stuck on the following:
```
2019/07/17 16:02:45 [INFO] Server Version: 2.0.0-snapshot-ab17189
2019/07/17 16:02:45 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/07/17 16:02:45 [DEBUG] Making server filenames absolute
2019/07/17 16:02:45 [DEBUG] Initializing default CA in directory /home/jonathan/go/src/github.com/hyperledger/fabric-ca/bin
2019/07/17 16:02:45 [DEBUG] Init CA with home /home/jonathan/go/src/github.com/hyperledger/fabric-ca/bin and config {Version:2.0.0-snapshot-ab17189 Cfg:{Identities:{PasswordAttempts:10 AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name: Keyfile: Certfile:ca-cert.pem Chainfile:ca-chain.pem} Signing:0xc0004c6440 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[jonathan-Lenovo-U310 localhost] KeyRequest:0xc00018f0e0 CA:0xc00018f180 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.AffiliationMgr:1 hf.GenCRL:1 hf.IntermediateCA:1 hf.Registrar.Attributes:* hf.Registrar.DelegateRoles:* hf.Registrar.Roles:* hf.Revoker:1] }]} Affiliations:map[org1:[department1 department2] org2:[department1]] LDAP:{ Enabled:false URL:ldap://****:****@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc00013bd40 Client: Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR: Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2019/07/17 16:02:45 [DEBUG] CA Home Directory: /home/jonathan/go/src/github.com/hyperledger/fabric-ca/bin
2019/07/17 16:02:45 [DEBUG] Checking configuration file version '2.0.0-snapshot-ab17189' against server version: '2.0.0-snapshot-ab17189'
2019/07/17 16:02:45 [DEBUG] Initializing BCCSP: &{ProviderName:pkcs11 SwOpts: PluginOpts: Pkcs11Opts:0xc0001a65b0}
2019/07/17 16:02:45 [DEBUG] Initializing BCCSP with PKCS11 options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc0004c7940 DummyKeystore: Library:/lib/libadytonp11.so Label:pk-token Pin:Psx123 SoftVerify:false Immutable:false}
2019/07/17 16:02:45 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: %!s() Could not find default `pkcs11` BCCSP
```

ravinayag (Wed, 17 Jul 2019 14:27:36 GMT):
Has joined the channel.

ViaSky (Wed, 17 Jul 2019 17:23:39 GMT):
Has joined the channel.

HritikGupta (Thu, 18 Jul 2019 06:38:59 GMT):
Has anyone implemented ZKAT on their network?

donjohnny (Thu, 18 Jul 2019 08:54:40 GMT):
Has anyone else had this problem? What could it be?

vieiramanoel (Thu, 18 Jul 2019 19:06:14 GMT):
@mastersigh24 the master image seems weird; the lib initialization fails, although miekg's example code https://github.com/miekg/pkcs11 works well outside the container. Are you sure pkcs11 is enabled at master?

Swhit210 (Thu, 18 Jul 2019 19:11:50 GMT):
How do you correctly generate a ca-key.pem file for an intermediate CA? Or should the root ca's ca-key.pem file be used?

Swhit210 (Thu, 18 Jul 2019 19:11:50 GMT):
I am working on trying to create a root CA with two intermediate CAs, one for each organization in the network. I am using Docker with the fabric-ca:1.4.1 image. I set up the intermediate CAs through the register and enroll process for the Root CA, and now I want to init and start the intermediate CAs. Is this possible with the base fabric-ca Docker image, or does the default cmd (LINE 57): https://github.com/yeasy/docker-hyperledger-fabric-ca/blob/master/Dockerfile make this impossible? i.e. would I need to either create a new image or spin up a VM and run everything through the CLI?

vieiramanoel (Thu, 18 Jul 2019 21:50:20 GMT):
@mastersingh24 @smithbk still about HSM: I've built the Docker image from fabric-ca master and then: "2019/07/18 21:39:24 [FATAL] Initialization failure: Failed to initialize BCCSP Factories: Failed initializing PKCS11.BCCSP %!s(): Could not initialize BCCSP PKCS11 [Failed initializing PKCS11 library /etc/hyperledger/lib/libtacndp11.so test: Instantiate failed [/etc/hyperledger/lib/libtacndp11.so]]" This error occurs when [miekg's lib](https://github.com/miekg/pkcs11) method "New" returns a nil pointer. Yet if I run miekg's sample code everything works pretty well on my host machine.

vieiramanoel (Thu, 18 Jul 2019 21:54:54 GMT):
@smithbk @mastersingh24 Still about HSM and fabric-ca: I've built the fabric-ca image from the master branch and yet the error is:
```
[FATAL] Initialization failure: Failed to initialize BCCSP Factories: Failed initializing PKCS11.BCCSP %!s(): Could not initialize BCCSP PKCS11 [Failed initializing PKCS11 library /etc/hyperledger/lib/libtacndp11.so test: Instantiate failed [/etc/hyperledger/lib/libtacndp11.so]]
```
Well, this refers to line 30 of `$GOPATH/src/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/pkcs11/pkcs11.go`, which does `ctx := pkcs11.New(lib)`; ctx is nil and therefore the error of lib instantiation is returned.

vieiramanoel (Thu, 18 Jul 2019 21:56:50 GMT):
The thing goes weird now: when I run the [miekg pkcs11](https://github.com/miekg/pkcs11) sample code (the lib used by fabric) on my PC outside Docker, everything works well and the string is digested by the HSM, while inside the container miekg's sample code doesn't work either, failing with the same fatal error that fabric-ca reports. So the problem isn't with the vendor's lib nor with the miekg lib, since it runs locally. My guess is that this is a problem with the CA image missing some dependency or something like that, but right now I have no ideas left to solve this.

vieiramanoel (Thu, 18 Jul 2019 21:58:59 GMT):
everything works well and the string is digested by the HSM, so the problem isn't with the vendor's lib nor with the miekg lib. My guess is that this is a problem with the CA image missing some dependency or something like that, but right now I have no ideas left to solve this

vieiramanoel (Thu, 18 Jul 2019 22:01:48 GMT):
If you guys could give a little assistance with this, I would be very grateful.

HritikGupta (Fri, 19 Jul 2019 07:22:34 GMT):
How to authorise a user to perform private transactions?

florianc (Fri, 19 Jul 2019 08:13:28 GMT):
Has joined the channel.

mastersingh24 (Fri, 19 Jul 2019 08:29:02 GMT):
The container does not include any of the PKCS11 drivers ... so you will need to either 1) build a container image which includes the PKCS11 driver you want to use (in your case `libtacndp11.so`), or 2) mount the PKCS11 driver using an external Docker volume.

rhall9090 (Fri, 19 Jul 2019 15:14:23 GMT):
Hi all, I'm curious if anyone has experience using Hashicorp Vault for managing certificates in a network

ashutosh_kumar (Fri, 19 Jul 2019 16:09:20 GMT):
How is that relevant to Fabric ?

ashutosh_kumar (Fri, 19 Jul 2019 16:10:01 GMT):
I have experience with Vault, but not in the context of Fabric.

vieiramanoel (Fri, 19 Jul 2019 16:48:01 GMT):
the driver is mounted inside the container, yet the error persists

rhall9090 (Fri, 19 Jul 2019 16:49:35 GMT):
Should have said, managing fabric certificates with vault

ashutosh_kumar (Fri, 19 Jul 2019 17:00:01 GMT):
I do not think that support is available.

kopaygorodsky (Mon, 22 Jul 2019 08:21:18 GMT):
Hello. I have a question regarding MSP. Is it possible to have multiple MSP based on single Root CA? And is there any reason for it? Because in IBM cloud they allow it.

kopaygorodsky (Mon, 22 Jul 2019 08:21:59 GMT):
I'm creating k8s operator for managing private keys in vault.

SatheeshNehru (Mon, 22 Jul 2019 10:59:01 GMT):
is it possible to integrate hashicorp with fabric

ashutosh_kumar (Mon, 22 Jul 2019 13:47:34 GMT):
I do not think that support is available. The SDK should also have that support, which I do not think is available.

ashutosh_kumar (Mon, 22 Jul 2019 13:48:53 GMT):
Vault with a private key might be tricky from the private key generation and storage perspective.

ashutosh_kumar (Mon, 22 Jul 2019 13:49:48 GMT):
That should be possible.

kopaygorodsky (Mon, 22 Jul 2019 14:06:28 GMT):
but there is no purpose for that, right?

kopaygorodsky (Mon, 22 Jul 2019 14:07:11 GMT):
@ashutosh_kumar the problem with fabric is that it does not expose the serializing functionality of keys; I saw your PR regarding this issue

kopaygorodsky (Mon, 22 Jul 2019 14:07:59 GMT):
I can't even implement my own KeyStore outside of SDK because Key type is internal.

ashutosh_kumar (Mon, 22 Jul 2019 14:09:43 GMT):
You can have the key created outside of your storage and import it into your keystore, but that is key store dependent.

ashutosh_kumar (Mon, 22 Jul 2019 14:10:13 GMT):
You can do that at the moment.

ashutosh_kumar (Mon, 22 Jul 2019 14:11:05 GMT):
But again, that depends on what key store you have and whether your company allows you to send a private key to some store over the network.

ashutosh_kumar (Mon, 22 Jul 2019 14:12:34 GMT):
What I was alluding to was wrt the private key: if Vault is being used as the private key store, the private key should be generated and stored in Vault, meaning the private key should never leave Vault.

ashutosh_kumar (Mon, 22 Jul 2019 14:13:06 GMT):
I do not know if Vault provides that capability.

ashutosh_kumar (Mon, 22 Jul 2019 14:13:32 GMT):
HSM seems a better option to me.

kopaygorodsky (Mon, 22 Jul 2019 14:45:09 GMT):
thanks for the answer

ashutosh_kumar (Mon, 22 Jul 2019 20:34:52 GMT):
you are welcome.

soumyanayak (Tue, 23 Jul 2019 10:17:18 GMT):
Hi All, is there any existing bug for the mutual TLS between orderer and peer https://jira.hyperledger.org/browse/FABN-1285 ? When I run `peer node status` on the peer:
ranjan@ubuntuVMServer1:~$ peer node status
2019-07-23 15:22:57.225 IST [nodeCmd] status -> WARN 001 admin client failed to connect to 172.23.155.115:7051: failed to create new connection: connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate"
status:UNKNOWN
Error: admin client failed to connect to 172.23.155.115:7051: failed to create new connection: connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate"
But if I disable `clientAuthRequired` and run `peer node status`, it works fine. In the peer these are the vars:
- CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
- CORE_PEER_TLS_CLIENTROOTCAS_FILES=/var/hyperledger/peer/tls-msp/tlscacerts/tls-172-23-155-113-7052.pem
- CORE_PEER_TLS_CERT_FILE=/var/hyperledger/peer/tls-msp/signcerts/cert.pem
- CORE_PEER_TLS_KEY_FILE=/var/hyperledger/peer/tls-msp/keystore/key.pem
- CORE_PEER_TLS_ROOTCERT_FILE=/var/hyperledger/peer/tls-msp/tlscacerts/tls-172-23-155-113-7052.pem
CORE_PEER_TLS_CLIENTROOTCAS_FILES and CORE_PEER_TLS_ROOTCERT_FILE will both be the same, right?

mastersingh24 (Tue, 23 Jul 2019 11:27:25 GMT):
Make sure that all the proper env variables are set for the client as well (the same env variables you used for the peer should work). I just ran a quick test with 1.4.2 and did not have any issues. The `tls: bad certificate` probably means that the peer CLI is not sending over the client certificate.

soumyanayak (Tue, 23 Jul 2019 11:29:10 GMT):
ok Gari, will test and let you know

soumyanayak (Tue, 23 Jul 2019 12:34:59 GMT):
Hi gari, now the command executed successfully. I had set the below environment variables:
CORE_PEER_TLS_CLIENTKEY_FILE
CORE_PEER_TLS_ENABLED=true
CORE_PEER_TLS_CLIENTAUTHREQUIRED
CORE_PEER_MSPCONFIGPATH
CORE_PEER_TLS_CLIENTCERT_FILE
CORE_PEER_TLS_ROOTCERT_FILE
But when I am running the invoke command
`peer chaincode invoke -o 172.23.155.122:7050 --tls true --cafile /home/ranjan/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-172-23-155-113-7052.pem -C legaldescriptionchannel -n ldbc -c '{"function":"AddUpdate","Args":["4","4","This is a test 4","","DBS"]}'`
on the orderer it's throwing the error:
Error: error getting broadcast client: orderer client failed to connect to 172.23.155.122:7050: failed to create new connection: connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate"
orderer1 | 2019-07-23 12:30:18.452 UTC [core.comm] ServerHandshake -> ERRO 836 TLS handshake failed with error tls: client didn't provide a certificate server=Orderer remoteaddress=172.23.155.115:36510
orderer1 | 2019-07-23 12:30:18.452 UTC [grpc] handleRawConn -> DEBU 837 grpc: Server.Serve failed to complete security handshake from "172.23.155.115:36510": tls: client didn't provide a certificate
Am I missing something?

soumyanayak (Tue, 23 Jul 2019 12:37:24 GMT):
on the orderer side in docker variables I have set the below:
- ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=true
- ORDERER_GENERAL_TLS_CLIENTROOTCAS=/var/hyperledger/orderer/tls-msp/tlscacerts/tls-172-23-155-113-7052.pem

soumyanayak (Tue, 23 Jul 2019 13:16:41 GMT):
Hi gari, issue is resolved, I missed some of the flags

soumyanayak (Tue, 23 Jul 2019 13:16:49 GMT):
Now it's working fine, thank you

FernandaSartori (Tue, 23 Jul 2019 16:26:17 GMT):
renew

FernandaSartori (Tue, 23 Jul 2019 16:32:14 GMT):
renew

FernandaSartori (Tue, 23 Jul 2019 16:38:16 GMT):
Hello, I'm working with fabric CA and I had some questions:
- How do I renew TLS when it expires?
- How do I renew the CA certificate? Do I just need to run `init`?
Any thoughts about it? Thanks!

Swhit210 (Tue, 23 Jul 2019 19:01:06 GMT):
How do I create tlsca certificates?

kopaygorodsky (Tue, 23 Jul 2019 19:04:37 GMT):
could you look into documentation?

Swhit210 (Tue, 23 Jul 2019 19:14:40 GMT):
Always look there first. All it says is there should be a TLSCA. Also I don't believe tlscacerts is mentioned a single time.

ownspies (Tue, 23 Jul 2019 20:03:43 GMT):
I agree the documentation on CA vs TLSCA is not easily understood... Basically in DEV you use cryptogen to build all CA and TLSCA materials

ownspies (Tue, 23 Jul 2019 20:04:34 GMT):
in PROD you would use a private CA for CA stuff and then purchase certs from a public CA for the TLS stuff

ownspies (Tue, 23 Jul 2019 20:04:51 GMT):
although ... I'm having issues using separate CAs for MSP vs TLS with etcdraft

Swhit210 (Tue, 23 Jul 2019 20:05:01 GMT):
I'll be looking at https://github.com/Blockdaemon/fabric-ca/blob/gerrit-pr-29430/docs/source/operations_guide.rst tomorrow. Seems promising.

Swhit210 (Tue, 23 Jul 2019 20:05:54 GMT):
I have a custom application with a Root CA, and two Intermediate CAs (one for each organization). The guide suggests, and HL Docs also state, a separate TLS CA should be made.

Swhit210 (Tue, 23 Jul 2019 20:06:29 GMT):
I am only using a solo orderer though, I haven't yet tried with RAFT. Good luck!

ownspies (Tue, 23 Jul 2019 20:06:49 GMT):
just spin up a separate CA instance with the name `tlsca..com`

ownspies (Tue, 23 Jul 2019 20:06:55 GMT):
that is all cryptogen does

ownspies (Tue, 23 Jul 2019 20:07:06 GMT):
or did you try that already ?

Swhit210 (Tue, 23 Jul 2019 20:08:16 GMT):
No that is my next step.

nyet (Wed, 24 Jul 2019 03:46:52 GMT):
fwiw I don't like the autogenerated TLSCAs. I want more control over them, so I create them with openssl.

nyet (Wed, 24 Jul 2019 03:47:23 GMT):
I also use openssl to create the CA server TLS keypair as well, for the same reason (more control over SANs etc).

vtech (Wed, 24 Jul 2019 09:39:19 GMT):
Hi All, I have a softHSM enabled network and am trying to enable TLS. I am enrolling the orderer using fabric-ca to get the orderer tls certificate. The key is generated in the softhsm, how shall I set this key in the network (without HSM I used to set ORDERER_GENERAL_TLS_PRIVATEKEY or General.TLS.PrivateKey)?

ashutosh_kumar (Wed, 24 Jul 2019 14:35:20 GMT):
TLS support at HSM is not available at Fabric.

ashutosh_kumar (Wed, 24 Jul 2019 14:35:20 GMT):
TLS support at HSM is not available in Fabric.

ownspies (Wed, 24 Jul 2019 17:54:43 GMT):
Can someone point me to docs on how to use openssl to create my own TLSCA cert and the TLS server certs?

vieiramanoel (Wed, 24 Jul 2019 21:07:00 GMT):
Well, apparently the error is on alpine ??? The tests I've been doing last week led me to miekg's github to report an issue https://github.com/miekg/pkcs11/issues/120, which was replied with "don't use alpine"

vieiramanoel (Wed, 24 Jul 2019 21:07:00 GMT):
Well, apparently the error is on alpine (???) The tests I've been doing last week led me to miekg's github to report an issue https://github.com/miekg/pkcs11/issues/120, which was replied with "don't use alpine"

kopaygorodsky (Wed, 24 Jul 2019 22:24:13 GMT):
Hello, I have a question regarding TLS usage in fabric protocols. Not sure that it's the right channel to ask it, but haven't found a more suitable one. So I'm running my organization (ca, peers, orderers) under some proxy which does TLS termination and then traffic goes unsecured inside a private network. All configs for nodes have disabled TLS. In system channel config I define an external address to my orderer (since foreign peers should be able to connect as well): `Addresses: [ orderer.domain.com:443]`. Peers are not able to connect to this endpoint through gossip protocol because mutual TLS is required for secured endpoints, but I just want to pass proxy TLS, not mutual TLS of orderer node. I'm getting the error
`2019-07-24 22:13:46.686 UTC [deliveryClient] connect -> ERRO 292 Connection to orderer.mydomain.com:443 established but was unable to create gRPC stream: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: `
`Got error: rpc error: code = Unavailable desc = transport is closing , at 1 attempt`
I can create a PR to fix this, but don't know where to start. I checked the source code and see no way to bypass it without enabling node TLS config. Could you help me with this question? @mastersingh24 @aleksandar.likic

kopaygorodsky (Wed, 24 Jul 2019 22:24:13 GMT):
Hello, I have a question regarding TLS usage in fabric protocols. Not sure that it's the right channel to ask it, but haven't found a more suitable one. So I'm running my organization (ca, peers, orderers) under some proxy which does TLS termination and then traffic goes unsecured inside a private network. All configs for nodes have disabled TLS. In system channel config I define an external address to my orderer (since foreign peers should be able to connect as well): `Addresses: [ orderer.domain.com:443]`. Peers are not able to connect to this endpoint through gossip protocol because mutual TLS is required for secured endpoints, but I just want to pass proxy TLS, not mutual TLS of orderer node. I'm getting the error
`2019-07-24 22:13:46.686 UTC [deliveryClient] connect -> ERRO 292 Connection to orderer.mydomain.com:443 established but was unable to create gRPC stream: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: `
`Got error: rpc error: code = Unavailable desc = transport is closing , at 1 attempt`
The error message is not clear, but I tested it with port 80 and it works, so it's a TLS problem. I can create a PR to fix this, but don't know where to start. I checked the source code and see no way to bypass it without enabling node TLS config. Could you help me with this question? @mastersingh24 @aleksandar.likic

kopaygorodsky (Wed, 24 Jul 2019 22:24:13 GMT):
Hello, I have a question regarding TLS usage in fabric protocols. Not sure that it's the right channel to ask it, but haven't found a more suitable one. So I'm running my organization (ca, peers, orderers) under some proxy which does TLS termination and then traffic goes unsecured inside a private network. All configs for nodes have disabled TLS. In system channel config I define an external address to my orderer (since foreign peers should be able to connect as well): `Addresses: [ orderer.domain.com:443]`. Peers are not able to connect to this endpoint through gossip protocol because mutual TLS is required for secured endpoints, but I just want to pass proxy TLS, not mutual TLS of orderer node. I'm getting the error
`2019-07-24 22:13:46.686 UTC [deliveryClient] connect -> ERRO 292 Connection to orderer.mydomain.com:443 established but was unable to create gRPC stream: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: `
`Got error: rpc error: code = Unavailable desc = transport is closing , at 1 attempt`
The error message is not clear, but I tested it with port 80 and it works, so it's a TLS problem. I did some debugging: I can connect to the orderer node if I add certificates from SystemCertPool() to the TransportCredentials of my test grpc client. I can create a PR to fix this, but don't know where to start. Could you help me with this question? @mastersingh24 @aleksandar.likic

kopaygorodsky (Wed, 24 Jul 2019 22:24:13 GMT):
Hello, I have a question regarding TLS usage in fabric protocols. Not sure that it's the right channel to ask it, but haven't found a more suitable one. So I'm running my organization (ca, peers, orderers) under some proxy which does TLS termination and then traffic goes unsecured inside a private network. All configs for nodes have disabled TLS. In system channel config I define an external address to my orderer (since foreign peers should be able to connect as well): `Addresses: [ orderer.domain.com:443]`. Peers are not able to connect to this endpoint through gossip protocol because mutual TLS is required for secured endpoints, but I just want to pass proxy TLS, not mutual TLS of orderer node. I'm getting the error
`2019-07-24 22:13:46.686 UTC [deliveryClient] connect -> ERRO 292 Connection to orderer.mydomain.com:443 established but was unable to create gRPC stream: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: `
`Got error: rpc error: code = Unavailable desc = transport is closing , at 1 attempt`
The error message is not clear, but I tested it with port 80 and it works, so it's a TLS problem. I did some debugging: I can connect to the orderer node if I add certificates from SystemCertPool() to the TransportCredentials of my test grpc client. I can create a PR to fix this, but don't know where to start. Credentials are added to the client only if `peer.tls.enabled`, but I have it disabled and just want to use the system cert pool for any secured connections. https://github.com/hyperledger/fabric/blob/release-1.4/core/deliverservice/deliveryclient.go#L308 Could you help me with this question? @mastersingh24 @aleksandar.likic

kopaygorodsky (Wed, 24 Jul 2019 22:24:13 GMT):
Hello, I have a question regarding TLS usage in fabric protocols. Not sure that it's the right channel to ask it, but haven't found a more suitable one. So I'm running my organization (ca, peers, orderers) under some proxy which does TLS termination and then traffic goes unsecured inside a private network. All configs for nodes have disabled TLS. In system channel config I define an external address to my orderer (since foreign peers should be able to connect as well): `Addresses: [ orderer.domain.com:443]`. Peers are not able to connect to this endpoint through gossip protocol because mutual TLS is required for secured endpoints, but I just want to pass proxy TLS, not mutual TLS of orderer node. I'm getting the error
`2019-07-24 22:13:46.686 UTC [deliveryClient] connect -> ERRO 292 Connection to orderer.mydomain.com:443 established but was unable to create gRPC stream: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: `
`Got error: rpc error: code = Unavailable desc = transport is closing , at 1 attempt`
The error message is not clear, but I tested it with port 80 and it works, so it's a TLS problem. I did some debugging: I can connect to the orderer node if I add certificates from SystemCertPool() to the TransportCredentials of my test grpc client. I can create a PR to fix this, but don't know where to start. Credentials are added to the client only if `peer.tls.enabled`, but I have it disabled and just want to use the system cert pool for any secured connections. https://github.com/hyperledger/fabric/blob/release-1.4/core/deliverservice/deliveryclient.go#L308 Could you help me with this question? @mastersingh24 @aleksandar.likic

kopaygorodsky (Wed, 24 Jul 2019 22:24:13 GMT):
Hello, I have a question regarding TLS usage in fabric protocols. Not sure that it's the right channel to ask it, but haven't found a more suitable one. So I'm running my organization (ca, peers, orderers) under some proxy which does TLS termination and then traffic goes unsecured inside a private network. All configs for nodes have disabled TLS. In system channel config I define an external address to my orderer (since foreign peers should be able to connect as well): `Addresses: [ orderer.domain.com:443]`. Peers are not able to connect to this endpoint through gossip protocol because mutual TLS is required for secured endpoints, but I just want to pass proxy TLS, not mutual TLS of orderer node. I'm getting the error
`2019-07-24 22:13:46.686 UTC [deliveryClient] connect -> ERRO 292 Connection to orderer.mydomain.com:443 established but was unable to create gRPC stream: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: `
`Got error: rpc error: code = Unavailable desc = transport is closing , at 1 attempt`
The error message is not clear, but I tested it with port 80 and it works, so it's a TLS problem. I did some debugging: I can connect to the orderer node if I add certificates from SystemCertPool() to the TransportCredentials of my test grpc client. I can create a PR to fix this, but don't know where to start. Credentials are added to the client only if `peer.tls.enabled`, but I have it disabled and just want to use the system cert pool for any secured connections. https://github.com/hyperledger/fabric/blob/release-1.4/core/deliverservice/deliveryclient.go#L308 Could you help me with this question? @mastersingh24

kopaygorodsky (Wed, 24 Jul 2019 22:24:13 GMT):
Hello, I have a question regarding TLS usage in fabric protocols. Not sure that it's the right channel to ask it, but haven't found a more suitable one. So I'm running my organization (ca, peers, orderers) under some proxy which does TLS termination and then traffic goes unsecured inside a private network. All configs for nodes have disabled TLS. In system channel config I define an external address to my orderer (since foreign peers should be able to connect as well): `Addresses: [ orderer.domain.com:443]`. Peers are not able to connect to this endpoint through gossip protocol because mutual TLS is required for secured endpoints, but I just want to pass proxy TLS, not mutual TLS of orderer node. I'm getting the error
`2019-07-24 22:13:46.686 UTC [deliveryClient] connect -> ERRO 292 Connection to orderer.mydomain.com:443 established but was unable to create gRPC stream: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: `
`Got error: rpc error: code = Unavailable desc = transport is closing , at 1 attempt`
The error message is not clear, but I tested it with port 80 and it works, so it's a TLS problem. I did some debugging: I can connect to the orderer node if I add certificates from SystemCertPool() to the TransportCredentials of my test grpc client. I can create a PR to fix this, but don't know where to start. Credentials are added to the client only if `peer.tls.enabled`, but I have it disabled and just want to use the system cert pool for any secured connections. https://github.com/hyperledger/fabric/blob/release-1.4/core/deliverservice/deliveryclient.go#L308 Don't think that you would approve adding one more config param like 'core.tls.systemCertPool'. Could you help me with this question? @mastersingh24

aleksandar.likic (Wed, 24 Jul 2019 22:24:16 GMT):
Has joined the channel.

nyet (Wed, 24 Jul 2019 22:25:20 GMT):
Proxies bad. Use end to end TLS. If you must proxy, proxy to endpoint should also be TLS.

nyet (Wed, 24 Jul 2019 22:25:40 GMT):
In general, in a peer to peer network you're asking for trouble.

kopaygorodsky (Wed, 24 Jul 2019 22:27:10 GMT):
but imagine I have a cluster, I do some routing inside (wildcard subdomains as node name), anyway I need to terminate TLS, decode traffic

kopaygorodsky (Wed, 24 Jul 2019 22:27:10 GMT):
but imagine I have a cluster, I do some routing inside (wildcard subdomains as node name), anyway I need to terminate TLS, decode traffic. Or should it work with SAN?

nyet (Wed, 24 Jul 2019 22:29:21 GMT):
that's great for stateless microservices which can scale horizontally, but not for p2p protocols where every node has a different state.

nyet (Wed, 24 Jul 2019 22:29:28 GMT):
That's wonderful for the fullstack web3.0 crowd but not great for blockchain tech.

nyet (Wed, 24 Jul 2019 22:29:57 GMT):
if you are going to terminate tls you're going to have to re-start tls at the proxy

nyet (Wed, 24 Jul 2019 22:30:30 GMT):
the k8/LB model is very much broken if that is what you are using

nyet (Wed, 24 Jul 2019 22:30:39 GMT):
it's a mess, since the k8 devs can't even get internal DNS right

nyet (Wed, 24 Jul 2019 22:32:24 GMT):
The only service you can load balance is the ca-server

nyet (Wed, 24 Jul 2019 22:32:24 GMT):
orderers are HA via RAFT, peers are each their own entity

nyet (Wed, 24 Jul 2019 22:32:34 GMT):
you really want to rethink your architecture, IMO

kopaygorodsky (Wed, 24 Jul 2019 22:33:44 GMT):
I store peer's state on different attached disks by name too, so if I have peer `lol` it means I have a disk with state of this peer. So that should not be a problem

kopaygorodsky (Wed, 24 Jul 2019 22:34:15 GMT):
so to access peers in my cluster you use peerName-service.proxy.domain.com

kopaygorodsky (Wed, 24 Jul 2019 22:34:15 GMT):
to access peers in my cluster you use peerName-service.proxy.domain.com

nyet (Wed, 24 Jul 2019 22:34:21 GMT):
HAing peers is best done by just launching more peers.

nyet (Wed, 24 Jul 2019 22:34:29 GMT):
not having a bunch of redundant peers in a cluster

kopaygorodsky (Wed, 24 Jul 2019 22:34:38 GMT):
I think SSL passthrough will fix my problem, right?

nyet (Wed, 24 Jul 2019 22:34:41 GMT):
that's how bc peering is supposed to function

nyet (Wed, 24 Jul 2019 22:34:58 GMT):
ssl passthrough will likely work, yes

nyet (Wed, 24 Jul 2019 22:35:11 GMT):
but i think you may be taking the wrong approach architecturally

nyet (Wed, 24 Jul 2019 22:35:31 GMT):
it makes sense for the webcentric universe (99% of services nowadays) but not anywhere else

nyet (Wed, 24 Jul 2019 22:37:04 GMT):
CA servers can be arbitrarily load balanced in a cluster with proxy termination

nyet (Wed, 24 Jul 2019 22:37:12 GMT):
as long as they talk to the same sql server etc.

kopaygorodsky (Wed, 24 Jul 2019 22:37:19 GMT):
yes, agree

kopaygorodsky (Wed, 24 Jul 2019 22:37:27 GMT):
CA is not a problem

nyet (Wed, 24 Jul 2019 22:37:35 GMT):
orderer should be set up as reft

nyet (Wed, 24 Jul 2019 22:37:38 GMT):
raft

nyet (Wed, 24 Jul 2019 22:37:43 GMT):
peer ... just launch more peers

nyet (Wed, 24 Jul 2019 22:37:59 GMT):
they should all have unique endpoints and MSPs

nyet (Wed, 24 Jul 2019 22:38:50 GMT):
discovery might not even work with ssl passthrough, depending on how you set up the LB

nyet (Wed, 24 Jul 2019 22:38:59 GMT):
the peers may advertise the wrong endpoint

nyet (Wed, 24 Jul 2019 22:39:13 GMT):
it will take some gossip config tweaking

kopaygorodsky (Wed, 24 Jul 2019 22:40:07 GMT):
yes, they do. Maybe I didn't explain well what I'm doing. So I'm writing a k8s operator that manages peer nodes. They're fully separated, it's just a container manager and watcher. All of them have unique endpoints, I generate MSP for each peer, etc.

kopaygorodsky (Wed, 24 Jul 2019 22:40:58 GMT):
gossip already works inside my org (with internal dns), with ssl pass it will work for external peers as well

nyet (Wed, 24 Jul 2019 22:42:17 GMT):
That will definitely work if you set up k8s to transparently present each peer with its own unique endpoint

kopaygorodsky (Wed, 24 Jul 2019 22:42:18 GMT):
you create peers on-demand from some UI. Then using API I add some state to CRD and then daemon runs it with specified identity, endpoints, msp etc

kopaygorodsky (Wed, 24 Jul 2019 22:42:29 GMT):
yes, that's exactly what I'm doing

nyet (Wed, 24 Jul 2019 22:42:51 GMT):
you will need ssl passthrough, and tls will have to go through end to end with grpc, or you can re-establish a new tls connection at the proxy

kopaygorodsky (Wed, 24 Jul 2019 22:43:08 GMT):
did actually, the only problem is tls. I started testing it with 2 orgs in different clusters and found the tls problem

kopaygorodsky (Wed, 24 Jul 2019 22:44:02 GMT):
good, thank you for the help. btw I would like to contribute to fabric, checked plenty of code, I think it will be feasible for me to deliver new features.

nyet (Wed, 24 Jul 2019 22:44:12 GMT):
I have actually done that with k8s, and it does work, and external peers (and sdk clients) can connect with it

nyet (Wed, 24 Jul 2019 22:44:12 GMT):
each peer needs a separate LB public IP addr though

kopaygorodsky (Wed, 24 Jul 2019 22:44:21 GMT):
just don't know where to start, take a random ticket from public jira?

nyet (Wed, 24 Jul 2019 22:44:54 GMT):
your approach to using k8s as a vm/container manager should work, but DNS for me was a nightmare for internal peers due to the one dot limitation

nyet (Wed, 24 Jul 2019 22:45:05 GMT):
but you said you got internal peer connectivity working

kopaygorodsky (Wed, 24 Jul 2019 22:45:18 GMT):
why? you can easily expose your peer. sec

nyet (Wed, 24 Jul 2019 22:45:31 GMT):
internally, using building coredns as is with k8s

nyet (Wed, 24 Jul 2019 22:45:31 GMT):
internally, using built in coredns as is with k8s

nyet (Wed, 24 Jul 2019 22:45:35 GMT):
I didn't want to use a hairpin

nyet (Wed, 24 Jul 2019 22:45:44 GMT):
internal services are all restricted to one dot

nyet (Wed, 24 Jul 2019 22:45:49 GMT):
unless you run a real DNS server

nyet (Wed, 24 Jul 2019 22:45:57 GMT):
(or hack coredns)

kopaygorodsky (Wed, 24 Jul 2019 22:46:25 GMT):
so you can access peer by podname, right? you can create service with ExternalName: podName.service and then ingress with host ExternalName from the service you just created

nyet (Wed, 24 Jul 2019 22:46:39 GMT):
except I have a hierarchy of orgs

nyet (Wed, 24 Jul 2019 22:46:51 GMT):
and k8s only allows services with ONE dot!

kopaygorodsky (Wed, 24 Jul 2019 22:46:56 GMT):
I have a constraint: 1 org - 1 cluster

nyet (Wed, 24 Jul 2019 22:46:58 GMT):
foo.bar.baz.com is not possible inside k8s

nyet (Wed, 24 Jul 2019 22:47:03 GMT):
it's crazy

kopaygorodsky (Wed, 24 Jul 2019 22:47:24 GMT):
yea, was stuck with it too

nyet (Wed, 24 Jul 2019 22:47:31 GMT):
it's a mess and really not good for this application imo

kopaygorodsky (Wed, 24 Jul 2019 22:47:36 GMT):
but why do you share cluster between orgs?

nyet (Wed, 24 Jul 2019 22:47:48 GMT):
I have orderer and peers in a cluster

kopaygorodsky (Wed, 24 Jul 2019 22:47:51 GMT):
it's not secure I would say

nyet (Wed, 24 Jul 2019 22:47:54 GMT):
orderer and peers are in a separate ORG

nyet (Wed, 24 Jul 2019 22:48:00 GMT):
and separate cas for each

nyet (Wed, 24 Jul 2019 22:48:03 GMT):
well I gave up on it in the end

nyet (Wed, 24 Jul 2019 22:48:10 GMT):
I am using vms from the cloud now

nyet (Wed, 24 Jul 2019 22:48:38 GMT):
so I have orderer.org1.domain.com and peer.org2.domain.com

nyet (Wed, 24 Jul 2019 22:48:40 GMT):
etc

nyet (Wed, 24 Jul 2019 22:48:56 GMT):
none of which k8s likes because it wants orderer.org1-domain-com lol

kopaygorodsky (Wed, 24 Jul 2019 22:49:00 GMT):
hah, I have peerGroup-peerName.proxy.domain.com

kopaygorodsky (Wed, 24 Jul 2019 22:49:04 GMT):
just using -

nyet (Wed, 24 Jul 2019 22:49:08 GMT):
ya ridiculous

nyet (Wed, 24 Jul 2019 22:49:14 GMT):
"lets break DNS because... not sure"

kopaygorodsky (Wed, 24 Jul 2019 22:49:19 GMT):
hah

nyet (Wed, 24 Jul 2019 22:50:02 GMT):
anyway orderer is in a different org because that org has the admin that allows channel creation

nyet (Wed, 24 Jul 2019 22:50:12 GMT):
compared to the peers, which just have admin for join etc

kopaygorodsky (Wed, 24 Jul 2019 22:50:38 GMT):
but if you have RAFT, you have orderer in each org?

nyet (Wed, 24 Jul 2019 22:50:44 GMT):
gave up on k8s

nyet (Wed, 24 Jul 2019 22:50:48 GMT):
before raft

nyet (Wed, 24 Jul 2019 22:50:53 GMT):
never got to it

nyet (Wed, 24 Jul 2019 22:50:59 GMT):
and I'm decent at k8s :(

nyet (Wed, 24 Jul 2019 22:51:07 GMT):
just ate up too much dev time

nyet (Wed, 24 Jul 2019 22:51:41 GMT):
someday i'll probably approach again but so many pain points

kopaygorodsky (Wed, 24 Jul 2019 22:51:41 GMT):
you used k8s api or just yaml Statefulsets?

nyet (Wed, 24 Jul 2019 22:51:50 GMT):
all yaml

nyet (Wed, 24 Jul 2019 22:52:05 GMT):
i have some of it in a pub repo

nyet (Wed, 24 Jul 2019 22:52:11 GMT):
my priv efforts are not pub

nyet (Wed, 24 Jul 2019 22:52:15 GMT):
hold, you can look if u like

kopaygorodsky (Wed, 24 Jul 2019 22:52:39 GMT):
yea, share, please

nyet (Wed, 24 Jul 2019 22:52:48 GMT):
https://github.com/Blockdaemon/hlf-service-network/tree/master/k8s

kopaygorodsky (Wed, 24 Jul 2019 22:52:53 GMT):
I tried this approach too, same result

kopaygorodsky (Wed, 24 Jul 2019 22:53:03 GMT):
then I realized that I need CRD + operator for this CRD

kopaygorodsky (Wed, 24 Jul 2019 22:53:19 GMT):
and now it works very well, automated almost everything.

kopaygorodsky (Wed, 24 Jul 2019 22:53:44 GMT):
identity creation, msp, channels

kopaygorodsky (Wed, 24 Jul 2019 22:54:10 GMT):
fabric go sdk is a pain, especially custom config.

nyet (Wed, 24 Jul 2019 22:54:31 GMT):
the big pain for us was migrating from cryptogen to ca-server

nyet (Wed, 24 Jul 2019 22:54:35 GMT):
that took me weeks

kopaygorodsky (Wed, 24 Jul 2019 22:54:41 GMT):
+

kopaygorodsky (Wed, 24 Jul 2019 22:55:29 GMT):
I don't understand why they expect all these crypto store paths from me, why not just let me implement an interface and use my service?

nyet (Wed, 24 Jul 2019 22:55:37 GMT):
i know :(

nyet (Wed, 24 Jul 2019 22:55:43 GMT):
it's crazy

kopaygorodsky (Wed, 24 Jul 2019 22:55:56 GMT):
eg SignConfigBlock

kopaygorodsky (Wed, 24 Jul 2019 22:56:12 GMT):
in SaveChannel it's possible to pass io.Reader, but in SignConfigBlock no

kopaygorodsky (Wed, 24 Jul 2019 22:56:15 GMT):
why....

kopaygorodsky (Wed, 24 Jul 2019 22:56:30 GMT):
it's golang, use io.Reader, not path to the file

kopaygorodsky (Wed, 24 Jul 2019 22:56:40 GMT):
so now I'm creating a tmp file and then deleting it

nyet (Wed, 24 Jul 2019 22:56:49 GMT):
well they want you to use the MSP structure everywhere

nyet (Wed, 24 Jul 2019 22:57:09 GMT):
it's supposed to be a blackbox identity

kopaygorodsky (Wed, 24 Jul 2019 22:57:10 GMT):
they allow multiple MSP for org, but in SDK you can specify only one

kopaygorodsky (Wed, 24 Jul 2019 22:57:38 GMT):
I created my util for msp structure, but it's a hack

nyet (Wed, 24 Jul 2019 22:57:43 GMT):
I think the lack of io.Reader is an oversight, not intentional

nyet (Wed, 24 Jul 2019 22:57:54 GMT):
they're good about PRs ;)

kopaygorodsky (Wed, 24 Jul 2019 22:58:37 GMT):
and the main problem is that I want to create my network with the sdk, but it required a CREATED NETWORK before running the sdk.

kopaygorodsky (Wed, 24 Jul 2019 22:58:37 GMT):
and the main problem is that I want to create my network with the sdk, but it requires a CREATED NETWORK before running the sdk. How can I provide the admin certificate without enrolling it?

kopaygorodsky (Wed, 24 Jul 2019 22:59:03 GMT):
yea, I have a list of critical features and am going to implement them one by one in the next 2-3 months

kopaygorodsky (Wed, 24 Jul 2019 22:59:03 GMT):
yea, I have a list of critical features and am going to implement them one by one in the next 2-3 months

nyet (Wed, 24 Jul 2019 22:59:45 GMT):
HOHO

nyet (Wed, 24 Jul 2019 22:59:47 GMT):
indeed :)

nyet (Wed, 24 Jul 2019 23:00:03 GMT):
and you can't even launch an orderer w/o an admin enrolled

kopaygorodsky (Wed, 24 Jul 2019 23:00:04 GMT):
at least I'll try

nyet (Wed, 24 Jul 2019 23:00:06 GMT):
literally

nyet (Wed, 24 Jul 2019 23:00:18 GMT):
you need at least one admin enrolled or no genesis block for you

kopaygorodsky (Wed, 24 Jul 2019 23:00:27 GMT):
so I'm creating an admin named 'gandalf' at the application startup

nyet (Wed, 24 Jul 2019 23:00:53 GMT):
my trick is something a bit different.. the orderer polls the ca server until it sees an admin enroll with a particular id pattern

kopaygorodsky (Wed, 24 Jul 2019 23:01:07 GMT):
and complexity grows ...

nyet (Wed, 24 Jul 2019 23:01:14 GMT):
when it sees the admin enroll, it generates a system genesis block and launches the orderer

nyet (Wed, 24 Jul 2019 23:01:17 GMT):
for peers the same thing happens

kopaygorodsky (Wed, 24 Jul 2019 23:01:27 GMT):
you know that you can specify an empty cert for the admin user in the sdk?

nyet (Wed, 24 Jul 2019 23:01:28 GMT):
when they see an admin show up, it goes in their admincerts/ dir

kopaygorodsky (Wed, 24 Jul 2019 23:01:34 GMT):
just need login:pwd and "" as cert

nyet (Wed, 24 Jul 2019 23:01:38 GMT):
oh interesting

kopaygorodsky (Wed, 24 Jul 2019 23:01:40 GMT):
it will pass validation

kopaygorodsky (Wed, 24 Jul 2019 23:01:42 GMT):
sek

nyet (Wed, 24 Jul 2019 23:01:45 GMT):
uh

nyet (Wed, 24 Jul 2019 23:01:48 GMT):
that can't be intentional

kopaygorodsky (Wed, 24 Jul 2019 23:01:57 GMT):

Clipboard - July 25, 2019 2:01 AM

kopaygorodsky (Wed, 24 Jul 2019 23:02:00 GMT):
I just debugged their code

kopaygorodsky (Wed, 24 Jul 2019 23:02:40 GMT):
then it will enroll automatically your admin (registrar) at first ca call and store it in UserStore

kopaygorodsky (Wed, 24 Jul 2019 23:03:33 GMT):
and you can use CA without any enrolling of admin before

nyet (Wed, 24 Jul 2019 23:04:00 GMT):
you mean using the CA bootstrap creds?

kopaygorodsky (Wed, 24 Jul 2019 23:04:06 GMT):
yes

nyet (Wed, 24 Jul 2019 23:04:10 GMT):
i've not used any of the ca-server client code in the sdk

nyet (Wed, 24 Jul 2019 23:04:15 GMT):
i just use fabric-ca-client

kopaygorodsky (Wed, 24 Jul 2019 23:04:18 GMT):
oh

nyet (Wed, 24 Jul 2019 23:04:28 GMT):
enroll/register/enroll pattern

kopaygorodsky (Wed, 24 Jul 2019 23:04:47 GMT):
I gave up on scripting, that's why I'm in k8s

nyet (Wed, 24 Jul 2019 23:05:15 GMT):
i had 5x more scripts getting k8s going than w/o k8s heh

nyet (Wed, 24 Jul 2019 23:05:30 GMT):
now its all ansible lol

kopaygorodsky (Wed, 24 Jul 2019 23:06:04 GMT):
so many ways...)

nyet (Wed, 24 Jul 2019 23:06:12 GMT):
yah for sure

kopaygorodsky (Wed, 24 Jul 2019 23:06:53 GMT):
thanks for help, I'll configure ssl passthrough and it will be fine, I think

nyet (Wed, 24 Jul 2019 23:07:20 GMT):
yea let me know if i can help. I will say the main issue is that errors are cryptic

nyet (Wed, 24 Jul 2019 23:07:23 GMT):
for me anyway

kopaygorodsky (Wed, 24 Jul 2019 23:07:29 GMT):
what are you using for tls certs? letsencrypt?

nyet (Wed, 24 Jul 2019 23:07:35 GMT):
all self signed

nyet (Wed, 24 Jul 2019 23:07:47 GMT):
openssl for initial TLSCA and hlf CA

nyet (Wed, 24 Jul 2019 23:07:55 GMT):
sign TLS with TLSCA with openssl

nyet (Wed, 24 Jul 2019 23:07:59 GMT):
everything else done on ca-server

nyet (Wed, 24 Jul 2019 23:08:06 GMT):
err sign ca-server TLS

nyet (Wed, 24 Jul 2019 23:08:14 GMT):
all other TLS keys are done via enroll with ca-server

nyet (Wed, 24 Jul 2019 23:08:29 GMT):
(i have a ton of SANS in the ca-server TLS cert)

kopaygorodsky (Wed, 24 Jul 2019 23:08:46 GMT):
it will be a nightmare to automate for me

nyet (Wed, 24 Jul 2019 23:08:56 GMT):
the only bad part is bootstrapping the TLS CA distribution

kopaygorodsky (Wed, 24 Jul 2019 23:09:04 GMT):
need to think about easier solution

nyet (Wed, 24 Jul 2019 23:09:10 GMT):
which should be done out of band via nginx + letsencrypt serving it

nyet (Wed, 24 Jul 2019 23:09:26 GMT):
but once everyone has the TLSCA its all ca-server based

nyet (Wed, 24 Jul 2019 23:09:48 GMT):
letsencrypt expiry is too short

nyet (Wed, 24 Jul 2019 23:09:57 GMT):
and renewing certs in HLF is ...

nyet (Wed, 24 Jul 2019 23:09:58 GMT):
yikes

nyet (Wed, 24 Jul 2019 23:09:59 GMT):
not fun

kopaygorodsky (Wed, 24 Jul 2019 23:10:11 GMT):
yes, you need to restart all the nodes

nyet (Wed, 24 Jul 2019 23:10:14 GMT):
yep

nyet (Wed, 24 Jul 2019 23:10:26 GMT):
and reconfigure all channels

kopaygorodsky (Wed, 24 Jul 2019 23:10:27 GMT):
that's why I'm trying to avoid it

kopaygorodsky (Wed, 24 Jul 2019 23:10:29 GMT):
but not possible

nyet (Wed, 24 Jul 2019 23:10:53 GMT):
so self sign a tlsca with a really long expiry and hope by the time it expires i have a renewal process figured out

kopaygorodsky (Wed, 24 Jul 2019 23:12:25 GMT):
hah

kopaygorodsky (Wed, 24 Jul 2019 23:12:37 GMT):
a few years

kopaygorodsky (Wed, 24 Jul 2019 23:13:21 GMT):
I just don't know why fabric devs don't use system cert pool if mutual TLS is disabled

kopaygorodsky (Wed, 24 Jul 2019 23:15:19 GMT):
usually if you specify custom root ca cert, it's just appended to a copy of a system cert pool, so it should work, but no. I think there is something in grpc config for `deliveryClient`

vtech (Thu, 25 Jul 2019 04:30:49 GMT):
Thanks , is there any plan to include this in future ?

GuillaumeTong (Thu, 25 Jul 2019 06:33:38 GMT):
Hello, I just saw a quote on this page: https://hyperledger-fabric.readthedocs.io/en/release-1.4/msp.html#msp-configuration

GuillaumeTong (Thu, 25 Jul 2019 06:33:59 GMT):
"It is important to note that MSP identities never expire"

GuillaumeTong (Thu, 25 Jul 2019 06:35:20 GMT):
Is this still the case? This would make cert renewal easier than what I initially thought when switching to newer certs, since channel updates are not needed.

nwyee (Thu, 25 Jul 2019 06:55:52 GMT):
Has joined the channel.

ashutosh_kumar (Thu, 25 Jul 2019 15:32:16 GMT):
I am not aware.

ashutosh_kumar (Thu, 25 Jul 2019 15:32:58 GMT):
If implemented, we'll try to implement Bring Your Own Card schema.

vieiramanoel (Thu, 25 Jul 2019 18:23:47 GMT):
@mastersingh24 @nyet @smithbk sorry for bothering you guys again, I moved the topic to JIRA for discussion, I've been doing a lot of research on this and could not find any solution till now https://jira.hyperledger.org/browse/FABC-858

vtech (Fri, 26 Jul 2019 04:45:30 GMT):
Does your fabric-ca image work with softHSM (with pkcs11 api)?

mastersingh24 (Fri, 26 Jul 2019 08:48:47 GMT):
test

mastersingh24 (Fri, 26 Jul 2019 08:50:52 GMT):
@vtech - can't seem to respond to the TLS/HSM thread ... please create a JIRA for this and assign to me ... we'll take a look and see what we can do here

vtech (Fri, 26 Jul 2019 09:39:17 GMT):
Thanks @mastersingh24 , I have created https://jira.hyperledger.org/browse/FAB-16102

narendranathreddy (Sat, 27 Jul 2019 14:43:12 GMT):
reenroll

madhukar_sh (Mon, 29 Jul 2019 10:30:21 GMT):
Has joined the channel.

madhukar_sh (Mon, 29 Jul 2019 10:32:53 GMT):
How can I enable NodeOU with Fabric CA? I am getting following error while checking endorsement policy -> ```identity 0 does not satisfy principal: The identity is not a [PEER] under this MSP [7sugar1MSP]: NodeOUs not activated. Cannot tell apart identities.```

Swhit210 (Mon, 29 Jul 2019 13:53:26 GMT):
If I am spinning up a TLS CA on a VM, and want to run some portion of my network on another VM, does this mean I would have to manually copy the TLS CA files from the TLS VM to the other VM once it spins up? I imagine this is the only way to use the necessary TLS CA cert file in my enroll and register commands to generate peer and orderer tlscacerts. Thoughts?

nyet (Mon, 29 Jul 2019 14:49:57 GMT):
yes, CA distribution is meant to be out of band

tommyjay (Mon, 29 Jul 2019 15:14:06 GMT):
i enrolled a user for my orderer with a fabric-ca and saved the certs in my file system. i pass this directory as a volume in the docker-compose file so that when the orderer boots up, it will use this as it's msp directory. but when the orderer starts, i see this: `2019-07-29 14:43:21.905 UTC [orderer.common.server] initializeLocalMsp -> FATA 0c7 Failed to initialize local MSP: the supplied identity is not valid: x509: certificate has expired or is not yet valid`

tommyjay (Mon, 29 Jul 2019 15:14:19 GMT):
any idea what this could be

nyet (Mon, 29 Jul 2019 15:25:11 GMT):
if scripted, it could be the backdating bug/feature

nyet (Mon, 29 Jul 2019 15:25:55 GMT):
if not, perhaps you have a time discrepancy somewhere

tommyjay (Mon, 29 Jul 2019 15:26:24 GMT):
what's the backdating bug? that doesn't seem right

madhukar_sh (Mon, 29 Jul 2019 15:26:32 GMT):
@nyet Can you please help me with the issue

nyet (Mon, 29 Jul 2019 15:26:43 GMT):
https://jira.hyperledger.org/browse/FABC-832

madhukar_sh (Mon, 29 Jul 2019 15:31:57 GMT):
@nyet can you please help with this issue?

nyet (Mon, 29 Jul 2019 15:36:32 GMT):
I have no experience with NodeOUs

madhukar_sh (Mon, 29 Jul 2019 15:36:56 GMT):
:(

madhukar_sh (Mon, 29 Jul 2019 15:39:12 GMT):
Okay, thanks

madhukar_sh (Mon, 29 Jul 2019 15:40:10 GMT):
I am not able to see any such options to enable... Over that, my fabric-ca-client.yaml files have ```OU: Fabric``` It is supposed to be peer or client :(

tommyjay (Mon, 29 Jul 2019 15:52:34 GMT):
thanks but i'm a bit confused with the resolution. should i use `faketime` to backdate my cert before the orderer tries to start

tommyjay (Mon, 29 Jul 2019 15:52:45 GMT):
that doesn't seem right

tommyjay (Mon, 29 Jul 2019 15:52:52 GMT):
or am i getting it wrong

nyet (Mon, 29 Jul 2019 15:53:04 GMT):
yes if you are using ssl to bootstrap CAs by hand

nyet (Mon, 29 Jul 2019 15:53:15 GMT):
if you aren't, the backdating should not affect you

lepar (Mon, 29 Jul 2019 17:03:43 GMT):
Hey, has anyone been able to enroll an intermediate ca using the command provided in the documentation? "fabric-ca-server start -b admin:adminpw -p 7074 --tls.enabled -u http://admin:adminpw@localhost:7054"

vieiramanoel (Mon, 29 Jul 2019 21:01:54 GMT):
the cert's organization unit must be peer/client

vieiramanoel (Mon, 29 Jul 2019 21:02:51 GMT):
change OU tag in fabric-ca-client before enrolling it and everything should be fine

madhukar_sh (Tue, 30 Jul 2019 05:48:50 GMT):
Let me try

Swhit210 (Tue, 30 Jul 2019 13:50:32 GMT):
I am getting this error in the console when running my client code using the Node SDK: `Error: 2 UNKNOWN: access denied: channel [mychannel] creator org [fordMSP]`. Within one of my peers I see this: `2019-07-30 13:43:41.070 UTC [protoutils] ValidateProposalMessage -> WARN 062 channel [mychannel]: MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority`. The only difference between this project and my previously fully working project is that I have moved my TLS CA into an Azure VM and am running everything else on my host machine. I did sftp the TLS CA cert from the VM to my host machine. All the register and enroll commands against all of the CAs are working correctly. Any thoughts?

tommyjay (Tue, 30 Jul 2019 14:46:46 GMT):
i provided the ca with my own config yaml with `backdate: 10s` in the signing section as the link above specified and it works sometimes

nyet (Tue, 30 Jul 2019 14:47:52 GMT):
Dump the certs like i did in the bug and figure out which certs have the wrong times.

tommyjay (Tue, 30 Jul 2019 14:48:04 GMT):
i tried 10s, 1s, 0s, -1s and they don't seem consistent

tommyjay (Tue, 30 Jul 2019 14:48:13 GMT):
for me, its the signing cert and admin cert

tommyjay (Tue, 30 Jul 2019 15:01:20 GMT):
```
$ ls -l ../server/tls/ec-pubCert.pem; openssl x509 -noout -dates -in ../server/tls/ec-pubCert.pem
-rw-r--r-- 1 user sth 713 30 Jul 10:55 ../server/tls/ec-pubCert.pem
notBefore=Jul 30 14:55:16 2019 GMT
notAfter=Jul 29 14:55:16 2020 GMT
$
$ for i in `find msp -name \*.pem`; do ls -al $i; openssl x509 -noout -dates -in $i; done
-rw-r--r-- 1 user sth 904 30 Jul 10:56 msp/admincerts/cert0.pem
notBefore=Jul 30 14:51:00 2019 GMT
notAfter=Jul 29 14:55:16 2020 GMT
-rw-r--r-- 1 user sth 834 30 Jul 10:56 msp/cacerts/cert0.pem
notBefore=Jul 30 14:55:16 2019 GMT
notAfter=Jul 29 14:55:16 2020 GMT
-rw-r--r-- 1 user sth 920 30 Jul 10:56 msp/signcerts/cert0.pem
notBefore=Jul 30 14:51:00 2019 GMT
notAfter=Jul 29 14:55:16 2020 GMT
$
```

HritikGupta (Tue, 30 Jul 2019 15:28:59 GMT):
Trying to update the channel: `peer channel update -f diff_config_envelope.pb -c $CHANNEL_NAME -o orderer.example.com:7050 --tls --cafile $ORDERER_CA` Gives the following error: `failed to create deliver client: orderer client failed to connect to orderer.example.com:7050: failed to create new connection: context deadline exceeded` Any clue?

tommyjay (Tue, 30 Jul 2019 15:59:42 GMT):
what do the peer logs say? maybe the tls cert is bad or the url is unreachable

vtech (Tue, 30 Jul 2019 17:40:52 GMT):
Error indicates that identity has been changed when executing the code, verify those or regenerate the certificates on Azure VM directly.

vtech (Tue, 30 Jul 2019 17:47:56 GMT):
Hi All, I am instantiating the chaincode from the command line but it throws the below error. I have generated the network artifacts using fabric-ca server.
```
Error: could not assemble transaction, err proposal response was not successful, error code 500, msg chaincode registration failed: container exited with 0
```
Peer logs
```
[endorser] SimulateProposal -> ERRO 001 [mychannel][6da63bc7] failed to invoke chaincode name:"lscc" , error: container exited with 0
github.com/hyperledger/fabric/core/chaincode.(*RuntimeLauncher).Launch.func1
	/opt/gopath/src/github.com/hyperledger/fabric/core/chaincode/runtime_launcher.go:63
runtime.goexit
	/opt/go/src/runtime/asm_amd64.s:1333
chaincode registration failed
```
All of the docker containers are up & running. Any suggestion on this please.

ygnr (Wed, 31 Jul 2019 04:13:04 GMT):
Is there an API to get the list of enrolled users with the CA? In other words, I would like to know if a particular user is registered with the CA.

HritikGupta (Wed, 31 Jul 2019 05:17:41 GMT):
`2019-07-30 11:43:30.412 UTC [comm.grpc.server] 1 -> INFO 049 streaming call completed grpc.service=protos.Deliver grpc.method=Deliver grpc.peer_address=172.22.0.11:50750 error="rpc error: code = Canceled desc = context canceled" grpc.code=Canceled grpc.call_duration=4.291499ms`

HritikGupta (Wed, 31 Jul 2019 05:18:11 GMT):
I get the same message in the orderer

HritikGupta (Wed, 31 Jul 2019 07:32:33 GMT):
Is it possibly because the anchor peer is not updated for each org?

HritikGupta (Wed, 31 Jul 2019 07:33:01 GMT):
@nyet ?

metadata (Wed, 31 Jul 2019 08:25:13 GMT):
Has joined the channel.

vtech (Wed, 31 Jul 2019 12:25:48 GMT):
Any suggestion on this please ?

Swhit210 (Wed, 31 Jul 2019 13:56:00 GMT):
Interesting. When I logged in this morning and ran it everything worked fine. I then tore down the docker containers and re-upped again and am receiving the same error.

Swhit210 (Wed, 31 Jul 2019 13:59:44 GMT):
Is there any information that gets cached in unique places that needs to be deleted or removed in between spinning up and spinning down a network that uses CAs rather than cryptogen to generate certificate material?

Swhit210 (Wed, 31 Jul 2019 17:03:26 GMT):
I discovered the error was with identities being cached on the client side...

HritikGupta (Wed, 31 Jul 2019 17:47:05 GMT):
How to get the reference of existing channel via `channelid` in Fabric SDK? (I'm not much familiar with the syntax)

SatheeshNehru (Thu, 01 Aug 2019 05:29:59 GMT):
`Channel channel = HFClient.newChannel(channelid); // java_sdk`

HritikGupta (Thu, 01 Aug 2019 07:23:00 GMT):
Got it, thanks!

HritikGupta (Thu, 01 Aug 2019 07:32:22 GMT):
`TypeError: helper.getClientForOrg is not a function` How does one import the helper module? The helper module installed via `npm install` clearly does not contain this method.

ibrahimel (Thu, 01 Aug 2019 15:15:48 GMT):
Has joined the channel.

jastisriradheshyam (Fri, 02 Aug 2019 15:20:33 GMT):
@HritikGupta the helper file will be present in the balance transfer code which is included in fabric-samples

wesleyW 2 (Sun, 04 Aug 2019 00:59:13 GMT):
Has joined the channel.

hectordufau (Mon, 05 Aug 2019 01:29:57 GMT):
Has joined the channel.

Varun2887 (Mon, 05 Aug 2019 06:22:21 GMT):
Has joined the channel.

Varun2887 (Mon, 05 Aug 2019 06:22:23 GMT):
are there any alternates of using `client.getUserContext` which expects the `public and private key` of the user on server hosting the client application. is there any way user can provide its context on the fly? which need not be stored on the client application server

mastersingh24 (Mon, 05 Aug 2019 12:05:45 GMT):
You can use https://fabric-sdk-node.github.io/release-1.4/Client.html#createUser__anchor ... you can pass PEM encoded strings via opts (UserOpts has a CryptoContent property which allows you to pass the PEM strings or the file path to PEM files)

indirajith (Wed, 07 Aug 2019 08:26:49 GMT):
Hi all, whenever I try to enroll an identity I get the following error: "Error: Failed to create keystore directory: mkdir /tls-msp: permission denied". I even changed the ownership of the directories but to no avail. Can anyone help me?

indirajith (Wed, 07 Aug 2019 10:33:33 GMT):
When I try to enroll admin to a fabric-ca-server, I get the error: 'Post https://ca-tls.local:7052/enroll: dial tcp 192.168.176.103:7052: connect: connection refused'. Has anyone overcome this problem?

mastersingh24 (Wed, 07 Aug 2019 11:04:18 GMT):
Are you using Docker and did you expose the port on the host?

indirajith (Wed, 07 Aug 2019 12:27:40 GMT):
Yes, I am using docker and have the port exposed in the docker-compose file

indirajith (Wed, 07 Aug 2019 12:39:00 GMT):
The CA server log shows the following line: 'http: TLS handshake error from 172.28.0.1:50188: remote error: tls: bad certificate'. But when I check the certificate it seems good. I don't know how to figure out the problem.

mastersingh24 (Wed, 07 Aug 2019 19:33:35 GMT):
Did you set the `--tls.certfiles` flag for the fabric-ca-client to the root certificate which issued the TLS cert for the fabric-ca-server?

vieiramanoel (Wed, 07 Aug 2019 20:28:46 GMT):
hey guys, i'm fighting over CA to use HSM

vieiramanoel (Wed, 07 Aug 2019 20:28:50 GMT):
my new error is

vieiramanoel (Wed, 07 Aug 2019 20:28:58 GMT):
` Initialization failure: Failed to create new CA certificate: {"code":9300,"message":"x509: ECDSA signature contained zero or negative values"}`

vieiramanoel (Wed, 07 Aug 2019 20:29:16 GMT):
I can't trace the function stack to see where it crashes

vieiramanoel (Wed, 07 Aug 2019 20:29:53 GMT):
the error comes from one of vendored libraries (from cloudflare, I suspect)

vieiramanoel (Wed, 07 Aug 2019 20:30:22 GMT):
but Idk what is this about. The key was generated and signed by hsm

SatheeshNehru (Thu, 08 Aug 2019 07:22:50 GMT):
attribute

Puneeth987 (Thu, 08 Aug 2019 07:35:25 GMT):
how to remove the one node in multiple nodes in a channel?

mastersingh24 (Thu, 08 Aug 2019 08:13:33 GMT):
Not sure this is a fabric-ca question ... but what exactly do you want to do here?

Puneeth987 (Thu, 08 Aug 2019 11:32:00 GMT):
I want to remove one ORG from multiple ORGs in the existing channel. Example: A, B, C are 3 orgs in mychannel. I want to remove ORG B from mychannel without affecting ORGs A and C.

paranjan (Thu, 08 Aug 2019 15:12:55 GMT):
Has joined the channel.

vieiramanoel (Thu, 08 Aug 2019 16:59:42 GMT):
well you should modify block same way you do to add an org. But this is a question for #fabric channel :)

vieiramanoel (Thu, 08 Aug 2019 17:55:48 GMT):
is your tls cert file valid for address "ca-tls.local"? Is this address the common name set on it?

ShrutiHK (Fri, 09 Aug 2019 00:56:52 GMT):
Has joined the channel.

ShrutiHK (Fri, 09 Aug 2019 01:02:03 GMT):
Hi, I have setup a fabric-ca server on a different machine. And while registering and enrolling a user, I want to store the certificates on another machine. For this, I am trying to set absolute path in the Connection profile of the sdk. But it always takes a path relative to the location of the current folder. How can I do that?

ShrutiHK (Fri, 09 Aug 2019 01:02:33 GMT):
Any suggestions are appreciated.

ShrutiHK (Fri, 09 Aug 2019 06:16:11 GMT):
Please let me know if there is any other way to set a path for remote credential stores, apart from the network-config.yaml file.

paranjan (Fri, 09 Aug 2019 06:18:39 GMT):
How does your absolute path look like? Can you share an example?

ShrutiHK (Fri, 09 Aug 2019 06:31:18 GMT):
http://xxx.yyy.zzz.aa/folderpath

ShrutiHK (Fri, 09 Aug 2019 06:33:30 GMT):
or a google cloud storage bucket

ShrutiHK (Fri, 09 Aug 2019 06:35:10 GMT):
http://xxx.yyy.zzz.aa/folderpath or a google cloud storage bucket url

paranjan (Fri, 09 Aug 2019 06:40:43 GMT):
I would have tried ssh or scp eg. ssh://username@servername.example.com/folder

ShrutiHK (Fri, 09 Aug 2019 06:46:41 GMT):
ok, I will try that

ShrutiHK (Fri, 09 Aug 2019 06:49:09 GMT):
thanks

ShrutiHK (Fri, 09 Aug 2019 07:10:39 GMT):
It did not work. It created a folder structure ssh/username@servername.example.com/foldername in the node app project folder

ShrutiHK (Fri, 09 Aug 2019 07:12:06 GMT):
where exactly did you suggest to include it?

ShrutiHK (Fri, 09 Aug 2019 07:12:23 GMT):
I have included it in the connection profile 'client' section

mastersingh24 (Fri, 09 Aug 2019 10:56:37 GMT):
What do you mean by "it did not work"? What error are you getting? Do things work if you actually use the file system on the same machine you are running the client?

ShrutiHK (Fri, 09 Aug 2019 11:07:21 GMT):
My requirement is that I want to store the certificates on the remote VM where fabric CA is running

ShrutiHK (Fri, 09 Aug 2019 11:08:04 GMT):
Using either http/ssh, what happens is, a folder structure gets created on the same machine where the nodejs application is'

ShrutiHK (Fri, 09 Aug 2019 11:08:36 GMT):
the folder structure is built from the individual components of the url

ShrutiHK (Fri, 09 Aug 2019 11:08:47 GMT):
1st folder - http

ShrutiHK (Fri, 09 Aug 2019 11:09:04 GMT):
internal folder - domainname

ShrutiHK (Fri, 09 Aug 2019 11:09:28 GMT):
and inside that, the certificate is stored

ShrutiHK (Fri, 09 Aug 2019 11:10:16 GMT):
so, it creates the certificates on the same machine

ShrutiHK (Fri, 09 Aug 2019 11:10:33 GMT):
not on the remote VM

mastersingh24 (Fri, 09 Aug 2019 11:17:05 GMT):
Got it ... which makes perfect sense ... the credentialStore used in the connection profile is a file-based store ( https://fabric-sdk-node.github.io/release-1.4/FileKeyValueStore.html ) ... it only supports file paths

mastersingh24 (Fri, 09 Aug 2019 11:19:05 GMT):
You can try creating your own https://fabric-sdk-node.github.io/release-1.4/module-api.KeyValueStore.html and then setting the credential store for your client

mastersingh24 (Fri, 09 Aug 2019 11:19:43 GMT):
Else, you'll need to mount the remote filesystem locally on the host where your client is running

mastersingh24 (Fri, 09 Aug 2019 11:20:36 GMT):
On Linux, you can use `sshfs` to mount folders via SSH

ShrutiHK (Fri, 09 Aug 2019 11:21:15 GMT):
okay Gari, I will try working with both the approaches

ShrutiHK (Fri, 09 Aug 2019 11:21:22 GMT):
Thanks

Calcium (Mon, 12 Aug 2019 01:05:16 GMT):
Has joined the channel.

Calcium (Mon, 12 Aug 2019 01:05:17 GMT):
Hi, I am confused about what the difference is between id.type and hf.Registrar.roles while using fabric ca. What roles and types are available?

Randyshu2018 (Mon, 12 Aug 2019 07:54:14 GMT):
how about the usage of enrollmentSecret except enroll operation ?

superafro12 (Mon, 12 Aug 2019 09:15:57 GMT):
Hello! I'm using Fabric CA to generate certificates for my network. Currently I have one root CA and two intermediate CAs and already I find the MSP structure a bit messy. How do you manage certificates in a good way? Is it possible to see or get an overview of issued and revoked certificates? Thanks!

delao (Mon, 12 Aug 2019 20:43:28 GMT):
type

lepar (Tue, 13 Aug 2019 12:56:41 GMT):
Hey guys, anyone having trouble generating the ca-key.pem when running init?

lepar (Tue, 13 Aug 2019 12:57:02 GMT):
It only generates the ca-cert.pem on my end and I've been trying for 3 days

ashutosh_kumar (Tue, 13 Aug 2019 16:14:10 GMT):
Can you outline what you did?

ashutosh_kumar (Tue, 13 Aug 2019 16:15:29 GMT):
As the error says , the ECDSA signature has some problem.

vieiramanoel (Tue, 13 Aug 2019 18:40:32 GMT):
Well, I created a new fabric-ca image containing the vendor's lib, exported necessary env vars, configured properly the ca's config file, called ca init. Everything works until this point

ashutosh_kumar (Tue, 13 Aug 2019 18:47:31 GMT):
you changed BCCSP section with pkcs11 ?

vieiramanoel (Tue, 13 Aug 2019 18:47:37 GMT):
yes

vieiramanoel (Tue, 13 Aug 2019 18:48:16 GMT):
Even when I change vendored files I can't find where this error comes from

ashutosh_kumar (Tue, 13 Aug 2019 18:48:27 GMT):
this is cfssl error.

vieiramanoel (Tue, 13 Aug 2019 18:48:33 GMT):
(I tried this kind of debug before and worked)

vieiramanoel (Tue, 13 Aug 2019 18:49:03 GMT):
But if I can't dump my signature I can't report problem to the hsm vendor

ashutosh_kumar (Tue, 13 Aug 2019 18:55:12 GMT):
your HSM fabric config is not applicable in init command , so HSM does not play a role here.

ashutosh_kumar (Tue, 13 Aug 2019 18:56:01 GMT):
Something wrong in your vendor lib , IMO.

vieiramanoel (Tue, 13 Aug 2019 18:56:21 GMT):
But init generates fabric-ca key pair in hsm

vieiramanoel (Tue, 13 Aug 2019 18:56:34 GMT):
dont?

ashutosh_kumar (Tue, 13 Aug 2019 18:57:39 GMT):
no , I do not think so.

ashutosh_kumar (Tue, 13 Aug 2019 18:57:54 GMT):
I have to look .

ashutosh_kumar (Tue, 13 Aug 2019 18:58:00 GMT):
I am not sure.

vieiramanoel (Tue, 13 Aug 2019 18:59:16 GMT):
I'm almost sure that it generates

vieiramanoel (Tue, 13 Aug 2019 18:59:56 GMT):
Fabric-ca looks for the key pair and, when it is not found, requests the hsm to create it

vieiramanoel (Tue, 13 Aug 2019 19:00:21 GMT):
once generated, the certs are passed to cfssl to initca

vieiramanoel (Tue, 13 Aug 2019 19:00:25 GMT):
and then it crashes

vieiramanoel (Tue, 13 Aug 2019 19:01:14 GMT):
I know this is an error related with my vendor's lib, but I need to dump the signature to report to them what's happening

vieiramanoel (Tue, 13 Aug 2019 19:01:47 GMT):
and I simply can't find where I could do it in the source code

vieiramanoel (Tue, 13 Aug 2019 19:02:00 GMT):
There were some problems with their lib

ashutosh_kumar (Tue, 13 Aug 2019 19:02:10 GMT):
ok.

vieiramanoel (Tue, 13 Aug 2019 19:02:33 GMT):
And I could identify all of them messing with source code and debugging through ca's code

ashutosh_kumar (Tue, 13 Aug 2019 20:00:58 GMT):
Let me know what you figure out.

vieiramanoel (Tue, 13 Aug 2019 20:11:50 GMT):
ok

huxd (Wed, 14 Aug 2019 01:02:37 GMT):
Has joined the channel.

vieiramanoel (Wed, 14 Aug 2019 14:49:08 GMT):
any idea, @mastersingh24 ?

mastersingh24 (Wed, 14 Aug 2019 17:25:20 GMT):
I missed the beginning of this and cannot see the error you are seeing

vieiramanoel (Wed, 14 Aug 2019 20:32:59 GMT):
"hey guys, i'm fighting over CA to use HSM my new error is Initialization failure: Failed to create new CA certificate: {"code":9300,"message":"x509: ECDSA signature contained zero or negative values"} I can't trace the function stack to see where it crashes the error comes from one of vendored libraries (from cloudflare, I suspect) but Idk what is this about. The key was generated and signed by hsm"

vieiramanoel (Wed, 14 Aug 2019 20:34:28 GMT):
Everything related to key generation works great, unfortunately I keep getting this "negative or zero" error, and I couldn't dump the signature

vieiramanoel (Wed, 14 Aug 2019 20:35:38 GMT):
I'd be glad to know what do I need to do to get this dump to report to hsm vendor. Without it I can't report to support :(

vieiramanoel (Wed, 14 Aug 2019 20:36:50 GMT):
Doesn't matter if I need to change anything on the ca's code to achieve that, I've been reading and modifying it trying to debug this

vieiramanoel (Wed, 14 Aug 2019 20:37:07 GMT):
No progress until now

indirajith (Thu, 15 Aug 2019 20:25:50 GMT):
I fixed the error by providing the correct file. Thank you both for the help. Sorry for the delay.

jiwanglai (Fri, 16 Aug 2019 02:42:48 GMT):
Has joined the channel.

jiwanglai (Fri, 16 Aug 2019 02:42:51 GMT):
How to generate tls certificates with the fabric-ca-client command like cryptogen does? I start the fabric-ca-server with ca.org1.example.com and tlsca.org1.example.com as multiple cas.

adineshreddy1 (Fri, 16 Aug 2019 11:41:42 GMT):
Has joined the channel.

fdromard (Fri, 16 Aug 2019 12:05:02 GMT):
Has joined the channel.

fdromard (Fri, 16 Aug 2019 12:05:03 GMT):
Hello everyone! I am playing with the sample project that illustrates Fabric-Ca. I am not sure about something and maybe someone here can help. Let's say that I have an app that connects to the peer (in the sample, it would be the "run" container). My user connects to the app and the app verifies the user's identity on my fabric-ca instance. The user is already registered. When I enroll the user, the private key and his certificate (with its public key) are sent to the app and the app uses them to authenticate the user, right? The same thing happens in the peer container, and the peer uses the user's private key to sign the transactions that will be written to the ledger. Are those 2 statements correct? If yes, where is the private key persisted on the peer and the run container? I don't use HSM. Thank you in advance for your answer.

soumyanayak (Fri, 16 Aug 2019 21:41:12 GMT):
https://github.com/Blockdaemon/fabric-ca/blob/gerrit-pr-29430/docs/source/operations_guide.rst

soumyanayak (Fri, 16 Aug 2019 21:56:12 GMT):
Hi Calcium, as far as my understanding goes (people in the community can correct me): hf.Registrar.roles -- an attribute for holding the list of roles that the registrar (admin) is allowed to manage - peer, user, client, orderer, app. id.type -- individual registration type -- registering a peer would give an id type of peer, similarly user, orderer. You can check more here: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html

soumyanayak (Fri, 16 Aug 2019 21:59:00 GMT):
You can have a look at the commands - https://hyperledger-fabric-ca.readthedocs.io/en/latest/clientcli.html

JiTian0225 (Sat, 17 Aug 2019 08:27:07 GMT):
Has joined the channel.

tkg (Sun, 18 Aug 2019 06:34:29 GMT):
sqlite

SUBHRA7 (Sun, 18 Aug 2019 20:49:01 GMT):
Has joined the channel.

SUBHRA7 (Sun, 18 Aug 2019 20:49:02 GMT):
Hi Team, I have configured 2 CAs for 2 Orgs (1 CA per Org). I have used port 7054:7054 for the 1st CA and port 8054:8054 for the 2nd CA. But when I do `docker logs` for the 2nd CA container I am getting this: `2019/08/18 19:54:19 [INFO] Listening on http://0.0.0.0:7054`. Shouldn't it be 8054, as I configured port 8054:8054 in the docker-compose file for the 2nd CA? If yes, what am I doing wrong and where should I update?

Salaria_77 (Mon, 19 Aug 2019 04:36:01 GMT):
Has joined the channel.

soumyanayak (Mon, 19 Aug 2019 05:36:03 GMT):
Please post the details of the docker-compose file here.

nyet (Mon, 19 Aug 2019 05:59:11 GMT):
docker doesn't tell the ca container what port to listen on. You're merely telling docker what port to forward incoming traffic to into the container. You are misunderstanding how docker networking works.

soumyanayak (Mon, 19 Aug 2019 09:35:21 GMT):
Hi All, I was trying to do the HSM setup with the below docker-based 2.0 version:
```
version: '2'
services:
  rca-org1:
    container_name: rca-org1
    image: hyperledger/fabric-ca:2.0
    network_mode: host
    command: sh -c 'fabric-ca-server start -d -b rca-org1-admin:rca-org1-adminpw --port 7054'
    environment:
      - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=rca-org1
      - FABRIC_CA_SERVER_CSR_HOSTS=172.23.155.128
      - FABRIC_CA_SERVER_DEBUG=true
      - FABRIC_CA_SERVER_BCCSP_DEFAULT=pkcs11
      - FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY=/usr/local/lib/softhsm/libsofthsm2.so
      - FABRIC_CA_SERVER_BCCSP_PKCS11_PIN=98765432
      - FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL=ForFabric
    volumes:
      - /home/ranjan/hyperledger/org1/ca:/tmp/hyperledger/fabric-ca
    ports:
      - 7054:7054
```
*But I am getting the below error:*
```
rca-org1 | 2019/08/19 09:11:32 [DEBUG] Home directory: /tmp/hyperledger/fabric-ca/crypto
rca-org1 | 2019/08/19 09:11:32 [INFO] Configuration file location: /tmp/hyperledger/fabric-ca/crypto/fabric-ca-server-config.yaml
rca-org1 | 2019/08/19 09:11:32 [INFO] Starting server in home directory: /tmp/hyperledger/fabric-ca/crypto
rca-org1 | 2019/08/19 09:11:32 [DEBUG] Set log level:
rca-org1 | 2019/08/19 09:11:32 [INFO] Server Version: 2.0.0-alpha
rca-org1 | 2019/08/19 09:11:32 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
rca-org1 | 2019/08/19 09:11:32 [DEBUG] Making server filenames absolute
rca-org1 | 2019/08/19 09:11:32 [DEBUG] Initializing default CA in directory /tmp/hyperledger/fabric-ca/crypto
rca-org1 | 2019/08/19 09:11:32 [DEBUG] Init CA with home /tmp/hyperledger/fabric-ca/crypto and config {Version:2.0.0-alpha Cfg:{Identities:{PasswordAttempts:10 AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name: Keyfile: Certfile:ca-cert.pem Chainfile:ca-chain.pem} Signing:0xc0003d7570 CSR:{CN:rca-org1 Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[172.23.155.128] KeyRequest:0xc0003db8e0 CA:0xc0003db960 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1 hf.Registrar.Roles:* hf.Registrar.DelegateRoles:*] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****@:/ UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc0003d4480 Client: Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR: Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
rca-org1 | 2019/08/19 09:11:32 [DEBUG] CA Home Directory: /tmp/hyperledger/fabric-ca/crypto
rca-org1 | 2019/08/19 09:11:32 [DEBUG] Checking configuration file version '2.0.0-alpha' against server version: '2.0.0-alpha'
rca-org1 | 2019/08/19 09:11:32 [DEBUG] Initializing BCCSP: &{ProviderName:pkcs11 SwOpts:0xc000456780 PluginOpts: Pkcs11Opts:}
rca-org1 | 2019/08/19 09:11:32 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc0004e3100 DummyKeystore: InmemKeystore:}
rca-org1 | 2019/08/19 09:11:32 [DEBUG] Closing server DBs
rca-org1 | Error: Failed to initialize BCCSP Factories: %!s()
rca-org1 | Could not find default `pkcs11` BCCSP
rca-org1 exited with code 1
```

MohammedR (Mon, 19 Aug 2019 09:46:36 GMT):
@soumyanayak I've tried integrating CA with SoftHSM; it works well when I build the Fabric CA binaries, but if you use the docker images it throws this error

MohammedR (Mon, 19 Aug 2019 09:47:08 GMT):
You can give building the CA binaries a try

soumyanayak (Mon, 19 Aug 2019 09:48:25 GMT):
Sure, thanks @MohammedR, will try with the binary setup. Any idea whether the docker setup is getting resolved, or any JIRA raised for that?

MohammedR (Mon, 19 Aug 2019 09:48:47 GMT):
Nope

deepaks (Mon, 19 Aug 2019 14:03:28 GMT):
Has joined the channel.

vieiramanoel (Mon, 19 Aug 2019 22:02:28 GMT):
@soumyanayak you need to set up everything in the docker image first. I suggest you create a script and call it. In this script you need to install and set up the HSM environment as you've done on your local machine

galaxystar (Tue, 20 Aug 2019 01:18:04 GMT):
Has joined the channel.

bjcawanglu (Tue, 20 Aug 2019 02:02:14 GMT):
Has joined the channel.

GreatMartial (Tue, 20 Aug 2019 02:08:11 GMT):
Has joined the channel.

GreatMartial (Tue, 20 Aug 2019 02:08:12 GMT):
:grimacing:

soumyanayak (Tue, 20 Aug 2019 05:21:41 GMT):
Sure @vieiramanoel, am creating the script to create the docker image

ahmad-raza (Tue, 20 Aug 2019 05:35:46 GMT):
Has joined the channel.

ahmad-raza (Tue, 20 Aug 2019 07:55:02 GMT):
Hi all, what happens when the Root CA is expired?

ahmad-raza (Tue, 20 Aug 2019 07:55:39 GMT):
Are all certificates null and void?

superafro12 (Tue, 20 Aug 2019 07:56:57 GMT):
Hey, I'm trying to reenroll a peer's certificate that has expired, but the reenroll command always reenrolls the peer admin's certificate. How do I specify which identity I want to reenroll? (I've tried with --id.name without success)

vtech (Tue, 20 Aug 2019 08:52:05 GMT):
Hello experts, while creating the channel with the command ``` peer channel create --logging-level=DEBUG -c mychannel -f /data/channel.tx -o orderer1-example.com:7050 --tls --cafile /data/example.com-ca-chain.pem --clientauth --keyfile /data/tls/peer1-org1.example.com-cli-client.key --certfile /data/tls/peer1-org1.example.com-cli-client.crt ``` I am getting the below error, can somebody please help on this? ``` InitCmd -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /data/orgs/org1.example.com/admin/msp: KeyMaterial not found in SigningIdentityInfo ```

soumyanayak (Wed, 21 Aug 2019 03:44:47 GMT):
Please check in this path -- /data/orgs/org1.example.com/admin/msp -- whether you have the keystore or not.

vtech (Wed, 21 Aug 2019 05:52:47 GMT):
The keystore is empty as keys are stored in the HSM; the peer is able to connect to the HSM as I don't see any exceptions in the peer logs.

vtech (Wed, 21 Aug 2019 07:18:32 GMT):
@mastersingh24 can you please advise if I am missing anything here ?

mastersingh24 (Wed, 21 Aug 2019 09:32:14 GMT):
Do you have the public key (X509 cert) in the `/data/orgs/org1.example.com/admin/msp/signcerts` folder? You also need to populate the `admincerts` folder under the MSP as well

vtech (Wed, 21 Aug 2019 09:40:53 GMT):
Yes, the /data/orgs/org1.example.com/admin/msp/signcerts folder contains the X509 cert and the same is populated under /data/orgs/org1.example.com/admin/msp/admincerts as well

paranjan (Wed, 21 Aug 2019 09:47:54 GMT):
Do you have a question or do you want to suggest something?

paranjan (Wed, 21 Aug 2019 09:49:35 GMT):
@superafro12 Have a look at this MSP structure. This might help clarify it: https://hyperledger-fabric.readthedocs.io/en/release-1.4/membership/membership.html#msp-structure

BChain_Dev (Wed, 21 Aug 2019 11:24:55 GMT):
Has anyone connected Azure AD with Fabric CA?

mastersingh24 (Wed, 21 Aug 2019 11:48:43 GMT):
Can you post the debug logs from the peer cli?

vtech (Wed, 21 Aug 2019 12:55:49 GMT):
looks like pkcs11 has been overridden... ``` 2019-08-21 12:53:26.515 UTC [msp] getSigningIdentityFromConf -> DEBU 036 Could not find SKI [26aa2f8c64bcb56246bd8d944cbfe3c6ff34a2876ffad6d9da791055935d047c], trying KeyMaterial field: Key with SKI 26aa2f8c64bcb56246bd8d944cbfe3c6ff34a2876ffad6d9da791055935d047c not found in /data/orgs/org1.example.com/admin/msp/keystore Failed getting key for SKI [[38 170 47 140 100 188 181 98 70 189 141 148 76 191 227 198 255 52 162 135 111 250 214 217 218 121 16 85 147 93 4 124]] github.com/hyperledger/fabric/bccsp/sw.(*CSP).GetKey /opt/gopath/src/github.com/hyperledger/fabric/bccsp/sw/impl.go:170 github.com/hyperledger/fabric/msp.(*bccspmsp).getSigningIdentityFromConf /opt/gopath/src/github.com/hyperledger/fabric/msp/mspimpl.go:181 github.com/hyperledger/fabric/msp.(*bccspmsp).setupSigningIdentity /opt/gopath/src/github.com/hyperledger/fabric/msp/mspimplsetup.go:267 github.com/hyperledger/fabric/msp.(*bccspmsp).preSetupV1 /opt/gopath/src/github.com/hyperledger/fabric/msp/mspimplsetup.go:413 github.com/hyperledger/fabric/msp.(*bccspmsp).setupV1 /opt/gopath/src/github.com/hyperledger/fabric/msp/mspimplsetup.go:373 github.com/hyperledger/fabric/msp.(*bccspmsp).setupV1-fm /opt/gopath/src/github.com/hyperledger/fabric/msp/mspimpl.go:112 github.com/hyperledger/fabric/msp.(*bccspmsp).Setup /opt/gopath/src/github.com/hyperledger/fabric/msp/mspimpl.go:225 github.com/hyperledger/fabric/msp/cache.(*cachedMSP).Setup /opt/gopath/src/github.com/hyperledger/fabric/msp/cache/cache.go:88 github.com/hyperledger/fabric/msp/mgmt.LoadLocalMspWithType /opt/gopath/src/github.com/hyperledger/fabric/msp/mgmt/mgmt.go:32 github.com/hyperledger/fabric/peer/common.InitCrypto /opt/gopath/src/github.com/hyperledger/fabric/peer/common/common.go:143 github.com/hyperledger/fabric/peer/common.InitCmd /opt/gopath/src/github.com/hyperledger/fabric/peer/common/common.go:309 github.com/hyperledger/fabric/peer/channel.glob..func1 
/opt/gopath/src/github.com/hyperledger/fabric/peer/channel/channel.go:98 github.com/hyperledger/fabric/vendor/github.com/spf13/cobra.(*Command).execute /opt/gopath/src/github.com/hyperledger/fabric/vendor/github.com/spf13/cobra/command.go:746 github.com/hyperledger/fabric/vendor/github.com/spf13/cobra.(*Command).ExecuteC /opt/gopath/src/github.com/hyperledger/fabric/vendor/github.com/spf13/cobra/command.go:852 github.com/hyperledger/fabric/vendor/github.com/spf13/cobra.(*Command).Execute /opt/gopath/src/github.com/hyperledger/fabric/vendor/github.com/spf13/cobra/command.go:800 main.main /opt/gopath/src/github.com/hyperledger/fabric/peer/main.go:53 runtime.main /opt/go/src/runtime/proc.go:201 runtime.goexit /opt/go/src/runtime/asm_amd64.s:1333 2019-08-21 12:53:26.516 UTC [main] InitCmd -> ERRO 037 Cannot run peer because error when setting up MSP of type bccsp from directory /data/orgs/org1.example.com/admin/msp: KeyMaterial not found in SigningIdentityInfo ```

mastersingh24 (Wed, 21 Aug 2019 13:14:48 GMT):
The cli is trying to use a SW bccsp ... not PKCS11

vtech (Thu, 22 Aug 2019 05:20:21 GMT):
I have mapped the core.yaml with default BCCSP values and exported the CORE_PEER_BCCSP.. variables, but now it is not able to find PKCS11. Docker images are built with GO_TAGS (fabric version 1.4.1) ``` 2019-08-22 05:15:40.134 UTC [viperutil] EnhancedExactUnmarshalKey -> DEBU 013 map[peer.BCCSP:map[PKCS11:map[Library:/usr/local/Cellar/softhsm/2.1.0/lib/softhsm/libsofthsm2.so Label:peer.org1.example.com Pin:123456789 Hash:SHA2 Security:256 FileKeyStore:map[KeyStore:msp/keystore]] Default:PKCS11]] 2019-08-22 05:15:40.135 UTC [bccsp] initBCCSP -> DEBU 014 Initialize BCCSP [SW] 2019-08-22 05:15:40.135 UTC [main] InitCmd -> ERRO 015 Cannot run peer because error when setting up MSP of type bccsp from directory /data/orgs/org1.example.com/admin/msp: could not initialize BCCSP Factories: %!s() Could not find default `PKCS11` BCCSP ```

shitaibin (Thu, 22 Aug 2019 12:16:12 GMT):
Has joined the channel.

vtech (Thu, 22 Aug 2019 12:45:41 GMT):
@mastersingh24 can you please advise ?

SatheeshNehru (Fri, 23 Aug 2019 07:59:38 GMT):
third party

mastersingh24 (Fri, 23 Aug 2019 12:35:23 GMT):
So you are trying to run the peer CLI from inside a container? You'll actually need to install softhsm in the container and then point to that installed library. You won't be able to use the library from your host system as it looks like your host is macOS

vtech (Fri, 23 Aug 2019 14:09:42 GMT):
Yes peer CLI is inside a container on Ubuntu 16.04 OS. Peer is running as `peer1.org1.example.com` (`fabric-peer` image) and CLI ( `fabric-tools` image). So if I install softhsm inside CLI container then how shall I be configuring the SoftHSM parameter for peer container (as it will have another HSM installation) ?

vtech (Fri, 23 Aug 2019 14:09:42 GMT):
Yes, the peer CLI is inside a container on Ubuntu 16.04. The peer is running as `peer1.org1.example.com` (`fabric-peer` image) and the CLI as a `fabric-tools` image. So if I install SoftHSM inside the CLI container, then how shall I configure the SoftHSM parameters for the peer container (as it will have another SoftHSM installation, different from the CLI)?

Jasonyou (Fri, 23 Aug 2019 15:30:26 GMT):
Has joined the channel.

mastersingh24 (Fri, 23 Aug 2019 17:29:08 GMT):
What exactly are you trying to accomplish with SoftHSM? Just testing / proving how things would work with a real HSM?

mastersingh24 (Fri, 23 Aug 2019 17:31:17 GMT):
I don't think it really matters if you use the same SoftHSM backend for both the peer and the cli. It's possible to do so by mounting a shared directory where softhsm will store the tokens, etc., but I think it's ok for each to have its own SoftHSM instance as well, given SoftHSM is just for testing

sarapaul (Sun, 25 Aug 2019 22:10:10 GMT):
Has joined the channel.

vtech (Mon, 26 Aug 2019 05:31:03 GMT):
I am testing with SoftHSM and then will be integrating with a real HSM. I have set up SoftHSM on the peer container and then use the same by mounting the directory in the cli container. The peer is up and running with HSM enabled; further I have mapped the core.yaml in the cli container but still I am getting the error ``` InitCmd -> ERRO 015 Cannot run peer because error when setting up MSP of type bccsp from directory /data/orgs/org1.example.com/admin/msp: could not initialize BCCSP Factories: %!s() Could not find default `PKCS11` BCCSP ``` I am using fabric 1.4.1.

vtech (Mon, 26 Aug 2019 07:20:30 GMT):
In the log it picks PKCS11 correctly and then again falls back to `SW` ``` EnhancedExactUnmarshalKey -> DEBU 013 map[peer.BCCSP:map[PKCS11:map[Library:/usr/local/Cellar/softhsm/2.1.0/lib/softhsm/libsofthsm2.so Label:peer.org1.example.com Pin:123456789 Hash:SHA2 Security:256 FileKeyStore:map[KeyStore:msp/keystore]] Default:PKCS11]] 2019-08-22 05:15:40.135 UTC [bccsp] initBCCSP -> DEBU 014 Initialize BCCSP [SW] ``` and then gives the above error.

mastersingh24 (Mon, 26 Aug 2019 11:21:28 GMT):
The cli container is not going to have access to `/usr/local/Cellar/softhsm/2.1.0/lib/softhsm/libsofthsm2.so` but even if it did it will fail to load since that's a macOS library.

vtech (Mon, 26 Aug 2019 11:25:30 GMT):
Does that mean that I can't test using the CLI with SoftHSM, or is there any other way to test it?

mastersingh24 (Mon, 26 Aug 2019 11:27:57 GMT):
You would need to install softhsm in the CLI container as well

vtech (Mon, 26 Aug 2019 11:45:29 GMT):
Installed SoftHSM on the CLI, but got the same error ``` 2019-08-26 11:43:01.224 UTC [viperutil] EnhancedExactUnmarshalKey -> DEBU 013 map[peer.BCCSP:map[pkcs11:map[Label:fabriccahsm Pin:12345678 Hash:SHA2 Security:256 FileKeyStore:map[KeyStore:msp/keystore] Library:/usr/local/lib/softhsm/libsofthsm2.so] Default:PKCS11]] 2019-08-26 11:43:01.224 UTC [bccsp] initBCCSP -> DEBU 014 Initialize BCCSP [SW] 2019-08-26 11:43:01.224 UTC [main] InitCmd -> ERRO 015 Cannot run peer because error when setting up MSP of type bccsp from directory /data/orgs/org1.example.com/admin/msp: could not initialize BCCSP Factories: %!s() Could not find default `PKCS11` BCCSP ```

mastersingh24 (Mon, 26 Aug 2019 12:01:22 GMT):
Sorry ... I just looked at the fabric-tools image ... there's no option to actually build this image with PKCS11 enabled

vtech (Mon, 26 Aug 2019 12:14:18 GMT):
So how shall I test the integration with the HSM?

mastersingh24 (Mon, 26 Aug 2019 12:40:00 GMT):
Well you are testing the peer, orderer and CA, correct?

mastersingh24 (Mon, 26 Aug 2019 12:40:22 GMT):
You can always build the peer binary on your host system with PKCS11 enabled

mastersingh24 (Mon, 26 Aug 2019 12:40:42 GMT):
Or you can use the PKCS11-enabled peer container and use the peer as a CLI

vtech (Mon, 26 Aug 2019 12:50:48 GMT):
Yes, I am testing with peer, orderer and CA. Is a PKCS11-enabled peer image published on Docker Hub, and can I use v1.4.1 for the integration? Also, can this be tested with the available SDKs? Thanks

mastersingh24 (Mon, 26 Aug 2019 12:53:40 GMT):
All of the SDKs do support PKCS11 as well

redegade (Mon, 26 Aug 2019 17:34:53 GMT):
Has joined the channel.

redegade (Mon, 26 Aug 2019 17:40:08 GMT):
Fabric-ca will run on port 7054, that has nothing to do with docker. What you should do, however, is map the ports in the docker file to 8054:7054, which will forward the traffic to the port 8054 of your real machine, from the 7054 port of the docker container. You do this, because port 7054 of your real machine is already busy from the fabric-ca instance of org1.

ravinayag (Tue, 27 Aug 2019 09:32:22 GMT):
Hello team, I tried to customize the CA name in the docker-compose file. Unfortunately I ended up with errors. Can I customize my ca.org1.example.com to certauth.org1.example.com?

razasikander (Tue, 27 Aug 2019 12:20:13 GMT):
Has joined the channel.

razasikander (Tue, 27 Aug 2019 12:20:16 GMT):
Hello guys, is it possible for a custom (3rd party) CA to be used in place of the Fabric CA?

iramiller (Tue, 27 Aug 2019 14:55:28 GMT):
@razasikander so long as your custom solution can set the OID attributes required by Hyperledger correctly, then yes, it is possible to use another source of certificates.

mastersingh24 (Tue, 27 Aug 2019 19:20:22 GMT):
what errors are you seeing?

razasikander (Wed, 28 Aug 2019 03:56:46 GMT):
Do you have any links/source to see how to do it?

kelvinzhong (Wed, 28 Aug 2019 08:31:35 GMT):
@mastersingh24 hi, I'm trying to figure out when Fabric uses the Certificate Revocation List to verify the transaction, and I could only find how to revoke a cert or generate the Certificate Revocation List in the documentation. Please help me to understand.

ravinayag (Wed, 28 Aug 2019 09:05:36 GMT):
I think I almost found the issue,

ravinayag (Wed, 28 Aug 2019 09:07:22 GMT):
I was able to customize the docker names, but when I generate with the cryptogen command, it creates it only with the name ca.org1.example.com

ravinayag (Wed, 28 Aug 2019 09:08:12 GMT):
Hello,

mastersingh24 (Wed, 28 Aug 2019 09:12:53 GMT):
You need to create a custom `crypto-config.yaml` and use it as input to `cryptogen`

ravinayag (Wed, 28 Aug 2019 09:13:42 GMT):
Where do I see peer logs once I'm logged in to the peer container? Currently I'm doing it on the native OS side with `docker logs peer0.org1.example.com`; is there any alternate way inside the container? For example, from the native OS I do `docker exec -it peer0.org1.example.com bash` and get `root@e36b98503955:/opt/gopath/src/github.com/hyperledger/fabric/peer#`. Now I'm in the container, where can I search for log files?

ravinayag (Wed, 28 Aug 2019 09:15:54 GMT):
Does it mean like this?
```
CaOrgs:
  - Name: CA
    Domain: example.com
    Specs:
      - Hostname: CertAuth
```

mastersingh24 (Wed, 28 Aug 2019 09:18:44 GMT):
```
PeerOrgs:
  # ---------------------------------------------------------------------------
  # Org1
  # ---------------------------------------------------------------------------
  - Name: Org1
    Domain: org1.example.com
    # ---------------------------------------------------------------------------
    # "CA"
    # ---------------------------------------------------------------------------
    # Uncomment this section to enable the explicit definition of the CA for this
    # organization. This entry is a Spec. See "Specs" section below for details.
    # ---------------------------------------------------------------------------
    CA:
      Hostname: certauth
```

lepar (Wed, 28 Aug 2019 12:22:08 GMT):
Yes, it just needs to be a CA that generates x509 certificates

tasree (Wed, 28 Aug 2019 14:56:53 GMT):
Has joined the channel.

tasree (Wed, 28 Aug 2019 14:56:55 GMT):
Hello Team, I am using Hyperledger Explorer v0.3.9.4. When I am trying to register a user from the UI, I am getting this error: "User 'testabc' did not register with CA". Can someone please help me with how to register a user? I am a newbie to this.

indirajith (Thu, 29 Aug 2019 11:27:01 GMT):
Hi all, I have a doubt about the MSP structure. Can anyone help me understand the following? In the MSP of an organisation, under the users directory, the admin user's msp directory only has signcerts, right, as this signcert is the admin cert of the org. But when I try to update the channel config it says the provided MSP doesn't have an admin cert. So should I copy the signcert of the admin user to the admincerts directory of the admin user's MSP? Thanks in advance!

RuiPanNewbie (Thu, 29 Aug 2019 19:33:21 GMT):
Has joined the channel.

soumyanayak (Fri, 30 Aug 2019 10:33:24 GMT):
Hi All , Can anybody tell me what's the below error mean and what is the change i have to do? * Cannot run peer because error when setting up MSP of type bccsp from directory /var/hyperledger/crypto/org1/admin/msp: administrators must be declared when no admin ou classification is set*

soumyanayak (Fri, 30 Aug 2019 10:33:24 GMT):
Hi All, can anybody tell me what the below error means and what change I have to make? Fabric v1.4.3: *Cannot run peer because error when setting up MSP of type bccsp from directory /var/hyperledger/crypto/org1/admin/msp: administrators must be declared when no admin ou classification is set*

indirajith (Fri, 30 Aug 2019 12:07:11 GMT):
I am not an expert, but can you paste the contents of the ..../admin/msp directory?

soumyanayak (Fri, 30 Aug 2019 12:55:35 GMT):
The msp folder contains signcerts, keystore, cacerts, a user folder and two files, IssuerPublicKey and IssuerRevocationPublicKey

indirajith (Fri, 30 Aug 2019 13:08:00 GMT):
I am not sure if the following is the reason for the error, but give it a try. As the directory is the admin user's msp, create a subdirectory named 'admincerts' under msp, and copy the cert file in signcerts into admincerts. See if it helps.

indirajith (Fri, 30 Aug 2019 13:08:48 GMT):
It seems like all the MSPs should have an admincerts directory, even the admin user's MSP with their own cert file

soumyanayak (Fri, 30 Aug 2019 13:11:15 GMT):
ok Indirajith

nyet (Sat, 31 Aug 2019 16:40:57 GMT):
"not declared" is a truly bizarre way of saying "the admincerts/ directory is empty or non-existent". The error messages in HLF are so commonly bizarre though I suppose it isn't surprising.

nyet (Sat, 31 Aug 2019 16:41:49 GMT):
There is some really strange disconnect I don't fully comprehend

soumyanayak (Sat, 31 Aug 2019 16:47:30 GMT):
@nyet Also, is there any reason for the manual creation of the admincerts folder when enrolling an admin? Can't it be generated automatically as part of enroll, because we are copying the certs from the signcerts folder into the admincerts folder? Is there any reason for keeping it a manual process?

nyet (Sat, 31 Aug 2019 16:49:40 GMT):
I have no idea, but it is only one of MANY things cryptogen does behind the scenes. I believe they spent so much time with cryptogen and everyone became so dependent on it that nobody actually bothered to think about what would need to be done if you aren't using it.

nyet (Sat, 31 Aug 2019 16:50:07 GMT):
there is some progress in documenting a cryptogenless environment, but documentation does not make up for shortsighted design.

nyet (Sat, 31 Aug 2019 16:50:54 GMT):
mostly though, an "admin" on the CA server is NOT an "admin" when it comes to the rest of the network

nyet (Sat, 31 Aug 2019 16:51:08 GMT):
so in theory the ca-server-client doesn't know when or when not to do the copying

nyet (Sat, 31 Aug 2019 16:52:21 GMT):
so this isn't really a feature question, but rather a design question. Technically, ca-server-client doesn't care whether the entity enrolling is an "admin" in an MSP or not

yacovm (Sat, 31 Aug 2019 17:08:53 GMT):
@soumyanayak - either you have a definition of an admin OU in the MSP config YAML file, or you need to have admin certificates in the admincerts folder.

yacovm (Sat, 31 Aug 2019 17:11:02 GMT):
@nyet - Fabric doesn't have a CA as part of the Blockchain. There is a Fabric-CA but that doesn't mean that it's really a first class citizen of a Fabric network. A Fabric network can run without a real CA, or even without x509 certificates (if you implement your own MSP, for example)

yacovm (Sat, 31 Aug 2019 17:12:18 GMT):
and also - it's easy to say that the design is improper, but keep in mind that Fabric is extremely flexible and it supports lots of use cases, for example use cases where the admin of a peer is someone that is not even in the Fabric-CA database.

nyet (Sat, 31 Aug 2019 17:13:10 GMT):
well most of my frustration really is with the cryptic errors; I understand the separation of roles and the limited scope of what ca-server is meant to do

nyet (Sat, 31 Aug 2019 17:14:00 GMT):
OU support goes a long way to filling the gap between cryptogen and ca-server, but the errors are still cryptic :)

nyet (Sat, 31 Aug 2019 17:14:33 GMT):
there is also some nomenclature issues with the word "admin" that confuses people... again, related to the separation of roles

gentios (Sat, 31 Aug 2019 17:52:54 GMT):
Hi Everyone, wanted to ask you what kind of cert and priv/pub keys the CA generates?

gentios (Sat, 31 Aug 2019 18:12:29 GMT):
In other words, since I am not that good at cryptography I would like to explain the use case better: I am trying to sign a PDF using the cert and priv/pub key generated from Fabric CA, however it doesn't work. From the research I have done until now I see that the cert and priv/pub keys have a PKCS11 interface and PDF supports PKCS7.

gentios (Sat, 31 Aug 2019 18:13:40 GMT):
I also saw that we can change the algo for the priv/pub keys to use ECDSA, but this is not supported yet in PDF 1.7, only in PDF 2.0, which minor PDF editors use and which doesn't have broad usage on the market

gentios (Sat, 31 Aug 2019 18:14:03 GMT):
I would really appreciate if someone can give me an alternative for this use case

yacovm (Sat, 31 Aug 2019 18:17:02 GMT):
PKCS11 is for HSM, it has nothing to do with how to encode signatures

yacovm (Sat, 31 Aug 2019 18:18:37 GMT):
> I also saw that we can change the algo for the priv/pub to use ECDSA, but this is not supported yet in pdf 1.7 only in PDF 2.0 which minor pdf editor's use it and it doesn't has a broad usage on the market

The keys generated in Fabric are elliptic-curve-based keys. But no one forces you to use the same key you use to sign transactions to also sign a PDF, right?

yacovm (Sat, 31 Aug 2019 18:19:14 GMT):
In theory you can use RSA signatures and then just put the public key of the RSA key-pair in a transaction that is signed by your Fabric user

gentios (Sat, 31 Aug 2019 18:25:14 GMT):
@yacovm thank you for the explanation, I apologize but I didn't understand this part: *"and then just put the public key of the RSA key-pair in a transaction that is signed by your Fabric user"*

gentios (Sat, 31 Aug 2019 18:27:32 GMT):
How can I verify the signer if I have 2 key-pairs? Do you mean to derive an RSA key from the ECDSA private key?

yacovm (Sat, 31 Aug 2019 18:49:37 GMT):
no. I mean that if you have Fabric then you can store the public RSA key

yacovm (Sat, 31 Aug 2019 18:49:40 GMT):
in Fabric

yacovm (Sat, 31 Aug 2019 18:49:57 GMT):
in case PDF supports RSA keys

gentios (Sat, 31 Aug 2019 18:52:25 GMT):
ahaaa understood now. Thank you @yacovm

gentios (Sat, 31 Aug 2019 22:46:27 GMT):
@yacovm while I was researching I found in these docs: https://fabric-ca.readthedocs.io/en/latest/users-guide.html?highlight=rsa#initializing-the-server that the server is configurable for both RSA and ECDSA algorithms. But I guess this is old documentation, since I couldn't find the same in the 1.4 docs and it's not supported anymore

nyet (Sat, 31 Aug 2019 22:57:11 GMT):
from what I can tell TLS supports RSA and ECDSA but everything else must be ECDSA. I could be wrong.

nyet (Sat, 31 Aug 2019 22:57:43 GMT):
transactions, endorsing, etc.

nyet (Sat, 31 Aug 2019 22:58:00 GMT):
last time i tried an RSA cert for anything other than TLS met with failure

nyet (Sat, 31 Aug 2019 22:59:17 GMT):
But it could have been a lot of other things causing issues, this was some time ago when I was first trying to migrate away from cryptogen

yacovm (Sat, 31 Aug 2019 23:05:08 GMT):
@gentios I don't know... i never used Fabric-CA

yacovm (Sat, 31 Aug 2019 23:05:51 GMT):
as for TLS- Fabric's TLS is just Golang's TLS

yacovm (Sat, 31 Aug 2019 23:06:24 GMT):
and yes indeed Fabric's BCCSP doesn't have RSA signatures

gentios (Sat, 31 Aug 2019 23:06:43 GMT):
Thank you for the explanation

yacovm (Sat, 31 Aug 2019 23:11:08 GMT):
but I think that it also doesn't generate RSA keys for signing

yacovm (Sat, 31 Aug 2019 23:11:17 GMT):
I think it uses the same BCCSP as Fabric uses too

tangross (Mon, 02 Sep 2019 06:14:47 GMT):
Has joined the channel.

tangross (Mon, 02 Sep 2019 06:14:49 GMT):
In documentation: a minor error: https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html#enroll-org2-s-admin

tangross (Mon, 02 Sep 2019 06:15:04 GMT):
Incorrect: export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/tls/org1-ca-cert.pem

tangross (Mon, 02 Sep 2019 06:15:25 GMT):
Correct: export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org2/peer1/assets/ca/org2-ca-cert.pem

nyet (Mon, 02 Sep 2019 06:18:57 GMT):
Hmm does the operations guide really share TLS and non-TLS CAs?

nyet (Mon, 02 Sep 2019 06:19:08 GMT):
that's kind of disappointing

tangross (Mon, 02 Sep 2019 06:24:13 GMT):
I guess tls ca

migrenaa (Mon, 02 Sep 2019 08:36:13 GMT):
hey guys. Why isn't there fabric-ca-tools 1.4 version in docker hub? What should I use instead? I am not sure if this is the right channel to ask.. sorry for the spam if it isn't.

gentios (Mon, 02 Sep 2019 09:00:18 GMT):
@migrenaa the fabric-ca-client is a Node.js SDK or a tool from the Hyperledger team that you can use to interact with the Fabric CA, and it's not a component of the Hyperledger blockchain. In Docker Hub only the blockchain components exist, such as: Orderer, Peer, CA, Kafka etc. And you can find the Node.js SDK here: https://fabric-sdk-node.github.io/release-1.4/index.html Or if you want the fabric tools, here: https://hyperledger-fabric.readthedocs.io/en/release-1.4/install.html I hope that this will help

migrenaa (Mon, 02 Sep 2019 09:30:07 GMT):
@gentios Sorry.. I meant fabric-ca-tools... I edited my question

marinkovicvlado (Mon, 02 Sep 2019 11:22:38 GMT):
there is only fabric-tools.., not sure, but you can check if it embeds the fabric-ca-tools as well

Bentipe (Mon, 02 Sep 2019 11:26:10 GMT):
Hey guys, noob question here, what is the role of the tlsca? For a network with multiple orgs, does it need to be the same tls ca server for all the network? Does on a production environment a TLS ca server need to be signed by a CA like godaddy or a big known one? TY

nyet (Mon, 02 Sep 2019 23:20:54 GMT):
You can set TLS up however you want to.

tangross (Tue, 03 Sep 2019 02:36:23 GMT):
Also, https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html#enroll-orderer

tangross (Tue, 03 Sep 2019 02:36:40 GMT):
Incorrect: `fabric-ca-client enroll -d -u https://orderer-org0:ordererPW@0.0.0.0:7056`

tangross (Tue, 03 Sep 2019 02:37:39 GMT):
Correct: `fabric-ca-client enroll -d -u https://orderer1-org0:ordererpw@0.0.0.0:7053`

tangross (Tue, 03 Sep 2019 02:39:17 GMT):
Incorrect: `fabric-ca-client enroll -d -u https://orderer-org0:ordererPW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts orderer1-org0`

tangross (Tue, 03 Sep 2019 02:39:50 GMT):
Correct: `fabric-ca-client enroll -d -u https://orderer1-org0:ordererPW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts orderer1-org0`

tangross (Tue, 03 Sep 2019 02:41:53 GMT):
Incorrect: `fabric-ca-client enroll -d -u https://orderer-org0-admin:ordererAdminPW@0.0.0.0:7056`

tangross (Tue, 03 Sep 2019 02:42:19 GMT):
Correct: `fabric-ca-client enroll -d -u https://admin-org0:org0adminpw@0.0.0.0:7053`

razasikander (Tue, 03 Sep 2019 11:00:06 GMT):
Hello guys, in fabric-samples in the balance-transfer network-config.yaml file there is this ==>
```
adminPrivateKey:
  path: artifacts/channel/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/1995b11d6573ed3be52fcd7a5fa477bc0f183e1f5f398c8281d0ce7c2c75a076_sk
signedCert:
  path: artifacts/channel/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/signcerts/Admin@org2.example.com-cert.pem
```
How is this /1995b11d6573ed3be52fcd7a5fa477bc0f183e1f5f398c8281d0ce7c2c75a076_sk generated? Can it be generated with openssl??

razasikander (Tue, 03 Sep 2019 11:05:44 GMT):
openssl

juaiglesias (Tue, 03 Sep 2019 12:04:49 GMT):
Has joined the channel.

juaiglesias (Tue, 03 Sep 2019 12:04:49 GMT):
Hello folks!!! Do you know if there is any documentation on how to create a login system for the users? (using username and pwd or private keys, idc). I am using NodeJS to create the backend server. Thx!

razasikander (Tue, 03 Sep 2019 12:12:10 GMT):
when i replace the tls cert with openssl generated certs it creates this error:
```
[2019-09-03 17:38:50.051] [DEBUG] Helper - [NetworkConfig101.js]: getPeer - name peer0.org1.example.com, channel_org: undefined
[2019-09-03 17:38:50.052] [ERROR] Create-Channel - Error: Failed to find start line or end line of the certificate.
    at Object.module.exports.normalizeX509 (/home/raza/projects/test/fabric-samples/balance-transfer/node_modules/fabric-client/lib/utils.js:467:9)
    at getPEMfromConfig (/home/raza/projects/test/fabric-samples/balance-transfer/node_modules/fabric-client/lib/impl/NetworkConfig_1_0.js:425:19)
    at getTLSCACert (/home/raza/projects/test/fabric-samples/balance-transfer/node_modules/fabric-client/lib/impl/NetworkConfig_1_0.js:411:10)
    at NetworkConfig_1_0.getPeer (/home/raza/projects/test/fabric-samples/balance-transfer/node_modules/fabric-client/lib/impl/NetworkConfig_1_0.js:176:16)
    at NetworkConfig_1_0._addPeersToChannel (/home/raza/projects/test/fabric-samples/balance-transfer/node_modules/fabric-client/lib/impl/NetworkConfig_1_0.js:357:24)
    at NetworkConfig_1_0.getChannel (/home/raza/projects/test/fabric-samples/balance-transfer/node_modules/fabric-client/lib/impl/NetworkConfig_1_0.js:160:10)
    at Client.getChannel (/home/raza/projects/test/fabric-samples/balance-transfer/node_modules/fabric-client/lib/Client.js:343:36)
    at Client.getTargetOrderer (/home/raza/projects/test/fabric-samples/balance-transfer/node_modules/fabric-client/lib/Client.js:1796:30)
    at Client._createOrUpdateChannel (/home/raza/projects/test/fabric-samples/balance-transfer/node_modules/fabric-client/lib/Client.js:792:24)
    at Client.createChannel (/home/raza/projects/test/fabric-samples/balance-transfer/node_modules/fabric-client/lib/Client.js:756:15)
(node:8949) UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 2): Error: Failed to initialize the channel: Error: Failed to find start line or end line of the certificate.
(node:8949) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
```
any idea how to exactly create and replace the certs?

delao (Wed, 04 Sep 2019 17:38:20 GMT):
Good afternoon guys! I'm facing a problem here and I hope you can point me to the correct path. I am trying to configure a single Fabric CA server to issue both TLS and common certificates. I was able to generate all the common certificates to the point that I could invoke a transaction to a custom chaincode down the path. However, when I try to also generate TLS certificates to use Raft properly I get some errors. I can generate a TLS certificate by using the `--enrollment.profile tls --csr.hosts ` but the TLSCA cert does NOT contain the TLS Web Server Authentication, TLS Web Client Authentication inside Extended Key Usage. Any thoughts?

nyet (Wed, 04 Sep 2019 18:37:25 GMT):
How did you create the TLSCA cert? The self-signed one autogenerated by the ca-server itself should be correct. If it isn't, you can always create your own using openssl

delao (Wed, 04 Sep 2019 19:16:29 GMT):
I've started the Docker container using this command: `sh -c 'rm /etc/hyperledger/fabric-ca-server/ca-key.pem /etc/hyperledger/fabric-ca-server/ca-cert.pem /etc/hyperledger/fabric-ca-server/tls-cert.pem 2>&1 & fabric-ca-server start -c /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml'`, with `FABRIC_CA_SERVER_TLS_ENABLED=true` and the command I used for enrolling the CA admin was `fabric-ca-client enroll -u https://admin:adminpw\@ca:7054 --tls.certfiles $tlsca`

delao (Wed, 04 Sep 2019 19:17:48 GMT):
The auto generated tls-cert.pem has `CA:FALSE` on X509v3 Basic Constraints: critical

nyet (Wed, 04 Sep 2019 19:18:04 GMT):
So you are saying the self signed TLSCA cert the CA server created is bad? Could be, I don't let it create its own certs. I'd open a bug and short term, create your own TLSCA

nyet (Wed, 04 Sep 2019 19:18:29 GMT):
wait ,the TLS cert or the TLSCA cert is bad?

nyet (Wed, 04 Sep 2019 19:19:43 GMT):
ah yes, i have similar things in my created TLS cert.
```
X509v3 Key Usage: critical
    Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
    CA:FALSE
```

delao (Wed, 04 Sep 2019 19:20:38 GMT):
This is your TLSCA file?

nyet (Wed, 04 Sep 2019 19:20:56 GMT):
no the TLS cert provided by the ca server on enroll :(

nyet (Wed, 04 Sep 2019 19:22:31 GMT):
The one that matters is the ca-server TLS cert, which i created myself

nyet (Wed, 04 Sep 2019 19:22:55 GMT):
most fabric clients seem to not care that web server auth usage is missing

nyet (Wed, 04 Sep 2019 19:23:13 GMT):
ls

delao (Wed, 04 Sep 2019 19:24:00 GMT):
Oh, the ones generated by the ca server on enroll on my end also look like this, however, the one the enrollment server finds as tlsca cert actually does not have TLS Web Server Authentication, TLS Web Client Authentication inside Extended Key Usage

nyet (Wed, 04 Sep 2019 19:24:45 GMT):
tlsca cert should only have Certificate Sign, CRL Sign anyway

delao (Wed, 04 Sep 2019 19:25:53 GMT):
Really? well.. when you think about it, it kinda makes sense.. I believe I've been running in circles ahaha

nyet (Wed, 04 Sep 2019 19:25:57 GMT):
but yea, the TLS certs issued by the ca-server on enroll are definitely bad

nyet (Wed, 04 Sep 2019 19:26:32 GMT):
i think you are on the right track but might have the wrong expectations depending on context

delao (Wed, 04 Sep 2019 19:26:57 GMT):
I'm kind of a noob when it comes about TLS

nyet (Wed, 04 Sep 2019 19:27:18 GMT):
all CA certs should only have Certificate Sign, CRL Sign; TLS certs should have Digital Signature, Key Encipherment, Key Agreement, TLS Web Client Authentication, TLS Web Server Authentication

nyet (Wed, 04 Sep 2019 19:27:46 GMT):
TLS certs issued by ca-server are wrong, and likely the tls cert autogenerated by the ca-server for itself is wrong

delao (Wed, 04 Sep 2019 19:30:07 GMT):
Does it mean that I found a bug or I messed up creating the autogenerated TLSCA cert?

nyet (Wed, 04 Sep 2019 19:30:42 GMT):
you didn't mess anything up. Its a bug.

delao (Wed, 04 Sep 2019 19:31:28 GMT):
Should I report a JIRA bug?

nyet (Wed, 04 Sep 2019 19:32:12 GMT):
ya but just keep in mind that CA certs should only have Certificate Sign, CRL Sign

nyet (Wed, 04 Sep 2019 19:32:24 GMT):
the issue is with the non-CA TLS certs (afaict)

delao (Wed, 04 Sep 2019 20:55:18 GMT):
After I struggled a little more, I found out that I've been using the wrong certificate and now I just feel stupid ahahah

nyet (Wed, 04 Sep 2019 20:55:59 GMT):
HA, don't worry, the cert handling can be very confusing and the error messages cryptic

delao (Wed, 04 Sep 2019 20:56:34 GMT):
Thanks for your time/patience

aviralagrawal (Thu, 05 Sep 2019 09:00:29 GMT):
Has joined the channel.

razasikander (Thu, 05 Sep 2019 11:10:30 GMT):
good afternoon guys I'm facing issue replacing the Certificates generated by cryptogen to certificates generated by the openssl.

narendranathreddy (Thu, 05 Sep 2019 17:23:58 GMT):
expiry

soumyanayak (Fri, 06 Sep 2019 12:18:28 GMT):
Hi Team, I am getting the below error: *Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort* Even though the fabric-ca server was started earlier and enrollment was also done and users were registered also. But after some days, after setting the variables FABRIC_CA_TLS_CERTFILES and FABRIC_CA_CLIENT_HOME and executing the command *fabric-ca-server identity list -u https://0.0.0.0:7052* I was getting the above mentioned error.

nyetnyet (Sat, 07 Sep 2019 16:50:11 GMT):
Has joined the channel.

nyetnyet (Sat, 07 Sep 2019 16:54:27 GMT):
@soumyanayak looks like the ca server lost its datastore. Is it in a container? Did you set up a nonvolatile mount for it?

mrudav.shukla (Mon, 09 Sep 2019 12:10:18 GMT):
Hi, Any article on generating MSP for the components (Orderer and Peers) using CA instead of CryptoGen tool?

mastersingh24 (Mon, 09 Sep 2019 15:58:02 GMT):
https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html

nyet (Mon, 09 Sep 2019 15:58:34 GMT):
Super glad that got published!

nyet (Mon, 09 Sep 2019 16:05:35 GMT):
It will need a bit for OU support, which also solves the odd admincerts/ step

lepar (Tue, 10 Sep 2019 10:59:39 GMT):
Hey guys, has anyone been able to generate TLS using fabric-ca? I've been trying to do a "peer channel fetch" but no certificates seem to work, it keeps returning a "bad certificate" error

SarvottamKumar (Tue, 10 Sep 2019 11:56:45 GMT):
Has joined the channel.

mastersingh24 (Tue, 10 Sep 2019 12:01:15 GMT):
Yes .. it definitely works. Common errors:
- not specifying the orderer CA when running the peer CLI command ( https://hyperledger-fabric.readthedocs.io/en/release-1.4/commands/peerchannel.html#peer-channel-fetch )
- not connecting to the orderer with a hostname that matches a SAN in the orderer TLS certificate

lepar (Tue, 10 Sep 2019 12:08:32 GMT):
I'm trying to connect through IP address on a different machine. It does connect to it but receiving bad certificate.

lepar (Tue, 10 Sep 2019 12:09:29 GMT):
Here's the scenario. Two different orgs. Machine 1: Orderer with generated TLS cert. Machine 2: Peer trying to do a fetch with the param "--tls --cafile $PATH_To_Second_Machines TLS_ Cert"

lepar (Tue, 10 Sep 2019 12:10:15 GMT):
I copied the TLS cert from machine 1's orderer to machine 2 from the user/Admin/tls/tlsca

mastersingh24 (Tue, 10 Sep 2019 12:10:49 GMT):
`--cafile` should point at the CA cert which issued the orderer TLS cert (sometimes using the exact crt will work as well)

lepar (Tue, 10 Sep 2019 12:11:23 GMT):
So I gotta get the CAs TLS cert?

mastersingh24 (Tue, 10 Sep 2019 12:11:59 GMT):
you need the root certificate the CA used to sign the orderer TLS certificate

lepar (Tue, 10 Sep 2019 12:12:32 GMT):
Can you please tell me which folder that might be at?

lepar (Tue, 10 Sep 2019 12:12:45 GMT):
After I started the server and everything

lepar (Tue, 10 Sep 2019 12:13:21 GMT):
Is it at msp/cacerts?

mastersingh24 (Tue, 10 Sep 2019 12:15:08 GMT):
Probably ... are you just using the `tls` profile to issue the TLS certs?

lepar (Tue, 10 Sep 2019 12:15:34 GMT):
Yup

lepar (Tue, 10 Sep 2019 12:16:01 GMT):
didn't work, just tried it

lepar (Tue, 10 Sep 2019 12:16:44 GMT):
When I start the CA server, tls is enabled and everything. However what I've seen and mine doesn't seem to be generating is the ca.crt file on the root of the CA path

lepar (Tue, 10 Sep 2019 12:17:41 GMT):
Do you know if he uses the _sk keystore file after being renamed to ca.crt?

lepar (Tue, 10 Sep 2019 12:27:35 GMT):
I just tried all the certificates of the root ca and none worked :/

lepar (Tue, 10 Sep 2019 12:29:32 GMT):
I ran the command "fabric-ca-server start -d -b admin:adminpw --port 7150" natively, it generated the ca.crt file. However, when running in docker, that file isn't generated

mastersingh24 (Tue, 10 Sep 2019 12:35:23 GMT):
Are you using v1.4.x?

lepar (Tue, 10 Sep 2019 12:35:40 GMT):
1.4.1

mastersingh24 (Tue, 10 Sep 2019 12:36:29 GMT):
If you don't mount your own FABRIC_CA_HOME, then it uses a root cert included in the image ( https://raw.githubusercontent.com/hyperledger/fabric-ca/release-1.4/images/fabric-ca/payload/ca-cert.pem )

mastersingh24 (Tue, 10 Sep 2019 12:37:02 GMT):
If you mount a volume at `/etc/hyperledger/fabric-ca-server`, it will generate the key pair there

lepar (Tue, 10 Sep 2019 12:37:06 GMT):
Yeah that's it then. I'm only using server home

lepar (Tue, 10 Sep 2019 12:37:31 GMT):
I'ma try it real quick

mastersingh24 (Tue, 10 Sep 2019 12:37:38 GMT):
cool

lepar (Tue, 10 Sep 2019 12:38:18 GMT):
I'll get back to u in a min

lepar (Tue, 10 Sep 2019 12:46:37 GMT):
Still no luck.

lepar (Tue, 10 Sep 2019 12:47:21 GMT):
It's def not creating the ca.crt in the docker

lepar (Tue, 10 Sep 2019 13:04:43 GMT):
When running natively, I get
```
2019/09/10 09:28:41 [INFO] The CA key and certificate were generated for CA
2019/09/10 09:28:41 [INFO] The key was stored by BCCSP provider 'SW'
2019/09/10 09:28:41 [INFO] The certificate is at: /test/ca-cert.pem
```
But in the docker I get
```
2019/09/10 09:28:41 [INFO] The CA key and certificate were generated for CA
2019/09/10 09:28:41 [INFO] The key was stored by BCCSP provider 'SW'
2019/09/10 09:28:41 [INFO] The certificate is at: /tlsca/rca-cert.pem
```
It goes to a different folder. I did also try using that as the CAFILE for TLS and still no luck

anujhlf (Tue, 10 Sep 2019 13:59:43 GMT):
Has joined the channel.

mastersingh24 (Tue, 10 Sep 2019 14:08:37 GMT):
are you using some sample to set up the CA?

nyet (Tue, 10 Sep 2019 15:09:08 GMT):
Related issues: https://jira.hyperledger.org/browse/FABC-60 https://jira.hyperledger.org/browse/FABC-707

nyet (Tue, 10 Sep 2019 15:10:03 GMT):
Also --profile TLS fails to set Digital Signature, Key Encipherment, Key Agreement, TLS Web Client Authentication, TLS Web Server Authentication

lepar (Tue, 10 Sep 2019 15:24:29 GMT):
I see. I've actually been following this tutorial. It's really weird how I'm able to use the Orderers TLS --cafile with Org1 but I Can't do it with Org2

lepar (Tue, 10 Sep 2019 15:24:31 GMT):
https://github.com/rupeshtr78/fabric/tree/master/scripts

nyet (Tue, 10 Sep 2019 15:26:09 GMT):
i confess I haven't read through the entire conversation above, but we generate our own ca certs and never let ca-server autogenerate its own

nyet (Tue, 10 Sep 2019 15:26:32 GMT):
also we are using multiple instance ca-server

nyet (Tue, 10 Sep 2019 15:27:22 GMT):
i was having a lot of problems with selfgenerated tls ca certs

lepar (Tue, 10 Sep 2019 15:27:57 GMT):
How are you generating your own?

nyet (Tue, 10 Sep 2019 15:28:02 GMT):
ended up not trusting anything the ca-server did on its own, created my own selfsigned ca and tlscas, and used tlsca to sign the ca-server's tls certs

nyet (Tue, 10 Sep 2019 15:28:27 GMT):
openssl

lepar (Tue, 10 Sep 2019 15:28:45 GMT):
I see. I think we just might have to do that too.

nyet (Tue, 10 Sep 2019 15:29:05 GMT):
I was going to open a bug for it but i never got around to figuring out what exactly was going wrong. so i gave up.

lepar (Tue, 10 Sep 2019 15:29:36 GMT):
I've been at it for 4 days, 4 people on my team have tried helping me. Can't seem to get it to work.

nyet (Tue, 10 Sep 2019 15:29:55 GMT):
There is still a pretty big gap between cryptogen and real deployment

nyet (Tue, 10 Sep 2019 15:30:12 GMT):
yea it took me at least a few weeks to get it working

lepar (Tue, 10 Sep 2019 15:30:26 GMT):
There is. That's why we chose fabric-ca for production, but apparently it's not ready either

nyet (Tue, 10 Sep 2019 15:30:40 GMT):
well it is, you just can't let it do things on its own

nyet (Tue, 10 Sep 2019 15:31:03 GMT):
im using it with 3 instances in the same container, 1 tlsca 2 org cas

nyet (Tue, 10 Sep 2019 15:31:21 GMT):
the default instance is tlsca so i can grab the pub cert via curl

nyet (Tue, 10 Sep 2019 15:31:41 GMT):
working on adding nginx with a real tls cert to serve it properly

lepar (Tue, 10 Sep 2019 15:32:43 GMT):
Our model will let each org have their own CA, we just need to add it to the channel. But what I've been having issues with is using one Orderer to test. I'ma shift to the full prod environment with Raft. That will probably solve it

nyet (Tue, 10 Sep 2019 15:33:04 GMT):
We're not using raft at all

lepar (Tue, 10 Sep 2019 15:33:12 GMT):
How come?

nyet (Tue, 10 Sep 2019 15:33:15 GMT):
even if each org has its own ca, you will want to run separate tlsca and ca instances

nyet (Tue, 10 Sep 2019 15:33:27 GMT):
waiting for BFT in 2.0 mostly

lepar (Tue, 10 Sep 2019 15:33:34 GMT):
I see

nyet (Tue, 10 Sep 2019 15:33:50 GMT):
most of our apps are still PoC anyway

lepar (Tue, 10 Sep 2019 15:33:50 GMT):
What do you mean separate tlsca and ca instances?

nyet (Tue, 10 Sep 2019 15:34:47 GMT):
multiple ca configs on same ca-server with --cafiles

nyet (Tue, 10 Sep 2019 15:35:52 GMT):
this way multiple orgs can share the same tlsca so only that has to be passed around

nyet (Tue, 10 Sep 2019 15:36:17 GMT):
(for bootstrapping)

nyet (Tue, 10 Sep 2019 15:36:28 GMT):
then pubkey distribution becomes much easier

lepar (Tue, 10 Sep 2019 15:36:31 GMT):
That's a good idea, haven't thought bout that

nyet (Tue, 10 Sep 2019 15:37:05 GMT):
just look at tls as a separate plane

nyet (Tue, 10 Sep 2019 15:37:20 GMT):
it looks a lot more complicated but it actually simplifies things

lepar (Tue, 10 Sep 2019 15:37:54 GMT):
I'ma take a look at that possibility

tangross (Tue, 10 Sep 2019 15:39:44 GMT):
No, but I am going to create one.

nyet (Tue, 10 Sep 2019 15:41:17 GMT):
You mean a UI for register/enroll?

tangross (Tue, 10 Sep 2019 15:52:18 GMT):
yes

tangross (Tue, 10 Sep 2019 15:55:07 GMT):
It took me a week, to get running code of operation guide. Hope this helps others. https://github.com/rtang03/fabric-ca-boilerplate

mastersingh24 (Tue, 10 Sep 2019 15:57:22 GMT):
actually it does ... https://github.com/hyperledger/fabric-ca/blob/release-1.4/cmd/fabric-ca-server/config.go#L314-L320

mastersingh24 (Tue, 10 Sep 2019 16:04:12 GMT):
you an also try to enable debug logging for the CLI ... I believe it will actually show additional details on the error

nyet (Tue, 10 Sep 2019 16:07:11 GMT):
@tangross Fantastic summary of the ops doc, thanks!

tangross (Tue, 10 Sep 2019 16:08:56 GMT):
But still, I cannot solve problem with anchor peer setup. And, I am not so sure if my configtx.yaml is correct. I get it running with try-by-error.

lepar (Tue, 10 Sep 2019 17:14:46 GMT):
Thanks guys, I'm gonna try

nyet (Tue, 10 Sep 2019 17:15:24 GMT):
also you should use openssl verify to see if a tlsca verifies a tls pubkey

migrenaa (Wed, 11 Sep 2019 08:28:45 GMT):
hi guys. I am having troubles changing the certificate algorithm to RSA. I set the env variables like this:
```
- FABRIC_CA_SERVER_CSR_KEYREQUEST_ALGO=rsa
- FABRIC_CA_SERVER_CSR_KEYREQUEST_SIZE=2048
```
in the CA compose files. The result is that the ca certs and admin certs are rsa certs but whenever I try to register and enroll a new identity the certificate is ECDSA. Apparently I have to change the configuration somewhere else as well but I can't find anything in the documentation. Do you have any idea?

mastersingh24 (Wed, 11 Sep 2019 08:58:46 GMT):
Fabric really does not support RSA (except for TLS certificates)

migrenaa (Wed, 11 Sep 2019 09:09:54 GMT):
I read in the Fabric CA documentation that it supports both RSA and ECDSA. The ca-cert.pem is a RSA cert. I assume that it doesn't support RSA signatures for the transactions. Is that the case?

nyet (Wed, 11 Sep 2019 09:10:08 GMT):
yes.

mastersingh24 (Wed, 11 Sep 2019 09:10:39 GMT):
correct

migrenaa (Wed, 11 Sep 2019 09:10:44 GMT):
So RSA certs can be used only for TLS, CA certs and probably orderer/peer certs?

migrenaa (Wed, 11 Sep 2019 09:12:19 GMT):
@nyet @mastersingh24 Thank you for the answers!

mastersingh24 (Wed, 11 Sep 2019 09:12:21 GMT):
We never test with RSA for any type of signing ... client transactions, peer endorsements, peer connection(s) to orderers and orderers signing blocks.

mastersingh24 (Wed, 11 Sep 2019 09:12:33 GMT):
Frankly we should just remove it all :(

migrenaa (Wed, 11 Sep 2019 09:13:17 GMT):
Okay, now I understand. Thanks a lot.

jeanp (Wed, 11 Sep 2019 10:35:28 GMT):
Has joined the channel.

jeanp (Wed, 11 Sep 2019 10:35:29 GMT):
hello there. Anyone here doing native (without docker compose) deployment on multiple nodes? I'd be happy to chat about it.

toddinpal (Wed, 11 Sep 2019 16:03:27 GMT):
Does anyone have a feeling for the future of the IDEMIX integration with fabric-ca and the ability to create anonymous credentials?

donjohnny (Thu, 12 Sep 2019 20:12:56 GMT):
Hi guys, the PKCS11 interface of my HSM currently does not support ECDSA, but the HSM does support it. What mechanisms/functions and curves does fabric use exactly so I can add them?

mastersingh24 (Thu, 12 Sep 2019 22:19:02 GMT):
What exactly are you looking for?

toddinpal (Thu, 12 Sep 2019 22:21:09 GMT):
Hi Gari, what I'm trying to determine is whether Fabric will have an anonymous credential mechanism going forward. The IDEMIX integration with Fabric-CA provides this, but I hear things (rumors?) that the full IDEMIX integration isn't necessarily going to happen.

toddinpal (Thu, 12 Sep 2019 22:21:35 GMT):
Oh, and by the way, congratulations on your TSC election.

mastersingh24 (Thu, 12 Sep 2019 22:22:06 GMT):
(thanks)

mastersingh24 (Thu, 12 Sep 2019 22:31:41 GMT):
Fabric does support idemix credentials for client transactions but the credentials do reveal the organization to which the client belongs (as you probably know). But the client can generate a new credential for each transaction .... and of course you can use entities other than the orgs running the peers to actually "issue" the initial idemix cred. Custom attributes have not been implemented in either fabric-ca or in fabric. I don't think we'd use the fabric-ca for this though ... (frankly I think the current attributes and affiliations should be removed as well) .... or perhaps it would be time to build something more dedicated for idemix .... the core team who did most of the original work have all moved on (mostly to dfinity). The other interesting piece would be using some type of pseudo-anonymous credential for endorsement ... it's architecturally possible to do this with state-based endorsement and some new validation logic ... but there's not much going on in this area right now

toddinpal (Thu, 12 Sep 2019 22:33:38 GMT):
I guess my concern is based upon discussions that have taken place in the privacy and confidentiality WG. AFAIK there isn't any way to prevent linkability of Fabric transactions, which seems problematic.

mastersingh24 (Thu, 12 Sep 2019 22:45:11 GMT):
client transactions are unlinkable except for the org .... you won't be able to tell that the same client sent the transaction ... only that they are members of the same org ... which is not necessarily a problem if you use issuers that don't map to the orgs running the peers / orderers ...

toddinpal (Thu, 12 Sep 2019 22:46:16 GMT):
Still org linkability is subject to traffic analysis which can reveal a lot of information.

mastersingh24 (Thu, 12 Sep 2019 22:51:01 GMT):
You can avoid that by having issuers that don't map to the entities actually running the peers and orderers ... you can have "orgs" which don't run peers, etc

mastersingh24 (Thu, 12 Sep 2019 22:52:05 GMT):
I'm also not sure it's any worse than how most of the verifiable claims are implemented .... although some of the stuff SecureKey does is interesting

toddinpal (Thu, 12 Sep 2019 22:52:32 GMT):
Why does who runs the peers/orderers make a difference? If I know the org associated with a transaction, I can perform traffic analysis and make some assumptions/conclusions.

mastersingh24 (Thu, 12 Sep 2019 22:56:16 GMT):
You can have a single issuer is my point

toddinpal (Thu, 12 Sep 2019 22:56:50 GMT):
Ahh.. ok, I get it. interesting idea.

mastersingh24 (Thu, 12 Sep 2019 23:05:28 GMT):
not a great idea ... but might be a decent idea ;)

toddinpal (Thu, 12 Sep 2019 23:13:38 GMT):
:-)

lepar (Fri, 13 Sep 2019 11:48:42 GMT):
Hey, is anyone having problems with fabric-ca-start ignoring flags? Any flag that requires -- it just completely ignores and doesn't put in the config file. If I pass --ca.name then it doesn't write it to the config file

lepar (Fri, 13 Sep 2019 11:48:56 GMT):
fabric-ca-server*

mastersingh24 (Fri, 13 Sep 2019 13:47:48 GMT):
the flags are overrides which do not get persisted in the config

nyetnyet (Fri, 13 Sep 2019 16:22:34 GMT):
I still don't understand the logic of writing out a config...

nyetnyet (Fri, 13 Sep 2019 16:22:56 GMT):
It's unique to fabric as far as I know, is it an IBM thing?

Koushik (Fri, 13 Sep 2019 19:18:59 GMT):
Has joined the channel.

Koushik (Fri, 13 Sep 2019 23:57:04 GMT):
Hi guys, can fabric-ca be used in production without openssl?

Koushik (Sat, 14 Sep 2019 00:16:56 GMT):
Hi guys, this link was mentioned here as a good approach to set up Fabric-CA: https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html . Can someone tell me, in this tutorial, which is the root CA and which is the intermediate CA?

nyetnyet (Sat, 14 Sep 2019 04:44:35 GMT):
There is no intermediate CA in that example

generak (Sun, 15 Sep 2019 11:47:49 GMT):
Has joined the channel.

indirajith (Sun, 15 Sep 2019 12:13:38 GMT):
Hi all, I get the following error when trying to start orderer nodes in Raft consensus. Is there any way to troubleshoot this TLS handshake failure error? ```2019-09-15 10:34:32.956 UTC [core.comm] ServerHandshake -> ERRO 050 TLS handshake failed with error EOF server=Orderer remoteaddress=192.168.176.105:40150 2019-09-15 12:03:53.225 UTC [core.comm] ServerHandshake -> ERRO 051 TLS handshake failed with error EOF server=Orderer remoteaddress=192.168.176.104:36410``` Thanks in advance!

donjohnny (Sun, 15 Sep 2019 18:56:49 GMT):
Anyone?

mastersingh24 (Mon, 16 Sep 2019 09:24:33 GMT):
If you enable debug logging, you should see more detail on the actual error ... but this error typically means that one side of the TLS handshake aborted because it could not verify the certificate from the other side of the connection

HoneyShah (Mon, 16 Sep 2019 10:47:22 GMT):
Hello everyone, How can I modify the expiry time for signing certificate generated by fabric-ca-server?

mastersingh24 (Mon, 16 Sep 2019 11:02:52 GMT):
Are you trying to modify the expiration of the actual root CA certificate or for certificates signed by the CA?

HoneyShah (Mon, 16 Sep 2019 11:03:51 GMT):
I am trying to modify the expiration for certificates signed by CA

HoneyShah (Mon, 16 Sep 2019 11:03:51 GMT):
I am trying to modify the expiration for certificates signed by the CA

mastersingh24 (Mon, 16 Sep 2019 11:05:35 GMT):
take a look at https://github.com/hyperledger/fabric/blob/release-1.4/bccsp/pkcs11/pkcs11.go ... you'll see what is used for generating keys, signing and verifying

mastersingh24 (Mon, 16 Sep 2019 11:06:24 GMT):
fabric supports P224, P256, P384 and P521 curves ... but the default is P256

mastersingh24 (Mon, 16 Sep 2019 11:09:49 GMT):
If you do not specify a config file when you start the server, it writes out the config so that all default values are serialized ... this is actually the proper method in order to allow default values to change in the future. But note that you can start the server with an existing config file and you can use the `init` method to generate a default config which you can then modify.

nyet (Mon, 16 Sep 2019 14:47:22 GMT):
I don't see that as the "proper" method, because the meaning of "I am not specifying a default value" from the perspective of the user can mean two things: 1) do the default 2) do what *was* the default when the file happened to get written out. Generally, the user expects 1), not 2), IMO

nyet (Mon, 16 Sep 2019 14:52:02 GMT):
For example, let's say version 1 had a cache expiry or size setting that was good for version 1, and it is tunable via config file. Now for version 2, let's say that cache setting isn't appropriate. How are you going to propagate a more appropriate cache setting if the entire install base has a config file written out that the user is completely unaware of?

nyet (Mon, 16 Sep 2019 14:52:42 GMT):
Or, even worse, due to a bug, a setting is flat out wrong?

nyet (Mon, 16 Sep 2019 14:53:47 GMT):
The only way a program can know if a user intended to *override* a default setting is if they explicitly added it to a config file somewhere. The approach of writing out a config file obscures that information.

nyet (Mon, 16 Sep 2019 14:55:18 GMT):
IMO a user needs a meaningful way to express either 1) do the reasonable thing for me, even if it changes in the future 2) absolutely positively do what I want

mastersingh24 (Mon, 16 Sep 2019 14:58:28 GMT):
forgetting about defaults for a minute, fabric-ca requires a config file ... and currently tries to be helpful by writing out a default config file if one is not present ....

mastersingh24 (Mon, 16 Sep 2019 14:59:09 GMT):
it's as simple as that

nyet (Mon, 16 Sep 2019 14:59:13 GMT):
I would say that means it DOESN'T require one since it can always create one if one isn't provided

mastersingh24 (Mon, 16 Sep 2019 14:59:33 GMT):
So if you like (and I'm fine with it), we can just remove the code which generates a config file if one is not present

mastersingh24 (Mon, 16 Sep 2019 15:00:37 GMT):
As a matter of fact, we are sorting out how to redo config for 2.0 across both fabric-ca and fabric

nyet (Mon, 16 Sep 2019 15:00:38 GMT):
Well, i wouldn't submit a PR to do that since I'm not sure if that would have unintended side effects

nyet (Mon, 16 Sep 2019 15:00:59 GMT):
And I'd probably make an option to have it spit out a config file based on whatever ENV vars are set though

nyet (Mon, 16 Sep 2019 15:01:12 GMT):
(not as a running option, maybe a oneshot)

mastersingh24 (Mon, 16 Sep 2019 15:01:12 GMT):
that's not going to happen

mastersingh24 (Mon, 16 Sep 2019 15:01:37 GMT):
part of the issue is this whole mess of config file, command line flags and env variables

mastersingh24 (Mon, 16 Sep 2019 15:01:45 GMT):
it's insane

nyet (Mon, 16 Sep 2019 15:01:52 GMT):
Agreed, it is hard to unravel sometimes

mastersingh24 (Mon, 16 Sep 2019 15:01:53 GMT):
and is abused by people

nyet (Mon, 16 Sep 2019 15:02:22 GMT):
Even I don't really know what the "right" way is supposed to be

nyet (Mon, 16 Sep 2019 15:02:45 GMT):
normally, I'd write a config file, keep it in source control

nyet (Mon, 16 Sep 2019 15:02:53 GMT):
then pull it in via a deployment tool

nyet (Mon, 16 Sep 2019 15:03:16 GMT):
but ideally that config file would ONLY contain things that are different from the default

nyet (Mon, 16 Sep 2019 15:03:22 GMT):
so upstream can change defaults

nyet (Mon, 16 Sep 2019 15:03:35 GMT):
if it is exhaustive and contains every single setting it is really hard to maintain in SCM

mastersingh24 (Mon, 16 Sep 2019 15:03:46 GMT):
so the goal would be to: 1) be able to start without a config file 2) have a limited set of env variable overrides (probably use the same set for CLI overrides as well). This means that not everything in the config can be overridden by env variables

nyet (Mon, 16 Sep 2019 15:04:34 GMT):
for other projects that are package distributed, you'd have a default config file and then a way to read in additional config files that override the first

mastersingh24 (Mon, 16 Sep 2019 15:04:39 GMT):
oh ... we would not generate a config file ... just be able to start without one

nyet (Mon, 16 Sep 2019 15:04:40 GMT):
the problem with yaml is that it can't merge maps reasonably

nyet (Mon, 16 Sep 2019 15:04:56 GMT):
so the whole natural override config file structure breaks

mastersingh24 (Mon, 16 Sep 2019 15:04:59 GMT):
right

nyet (Mon, 16 Sep 2019 15:05:23 GMT):
yaml really broke a lot of things in this respect

nyet (Mon, 16 Sep 2019 15:06:21 GMT):
but yeah, generally I don't think config files should be writable by the program itself

nyet (Mon, 16 Sep 2019 15:06:36 GMT):
unless it has some run time settings that can be adjusted on the fly

nyet (Mon, 16 Sep 2019 15:06:52 GMT):
and the user has a way to tell the program to write them out, but that opens a really big can of UI worms and bug vectors

nyet (Mon, 16 Sep 2019 15:07:33 GMT):
And then again you lose the information of "does the user want to override or follow the default value in the future"

nyet (Mon, 16 Sep 2019 15:08:01 GMT):
also agree about the env vs config and overrides

nyet (Mon, 16 Sep 2019 15:08:21 GMT):
viper is neat but making everything overridable (kind of) is problematic .. AND you still can't override maps

mastersingh24 (Mon, 16 Sep 2019 15:08:28 GMT):
right and right

nyet (Mon, 16 Sep 2019 15:09:10 GMT):
IMO it's actually a very difficult problem to solve well, and very few projects get it right

razasikander (Tue, 17 Sep 2019 06:19:23 GMT):
you cannot modify a certificate once it is generated, you need to regenerate it

metadata (Tue, 17 Sep 2019 08:21:21 GMT):
Hi all, I'm getting the ` Post https://localhost:7054/enroll: x509: certificate is valid for ca.seller.mytrade.com, not localhost" ` error when trying to enrol the user. After searching I found out that I have to add the config below in the `docker-compose.yaml` file under the `ca` section ``` - FABRIC_CA_SERVER_CSR_CN=ca.seller.mytrade.com - FABRIC_CA_SERVER_CSR_HOSTS=ca.seller.mytrade.com,localhost ``` but I'm still getting the same result. Please help. Do I have to generate all the certs again?

Psingh (Tue, 17 Sep 2019 08:21:41 GMT):
Has joined the channel.

ahmad-raza (Tue, 17 Sep 2019 13:37:03 GMT):
1. How to increase the root CA certificate expiry? 2. What if the root CA certificate has expired, can we re-enroll it?

vieiramanoel (Tue, 17 Sep 2019 13:42:47 GMT):
@nyet Do you know if there's any chance for fabric-ca to sign RSA keys?

delao (Tue, 17 Sep 2019 13:49:19 GMT):
For your first question, you can change the expiry date for the root CA certificate by changing the `csr.ca.expiry` field in the fabric-ca-server-config.yaml file

delao (Tue, 17 Sep 2019 13:49:43 GMT):
Which defaults to 15 years

ahmad-raza (Tue, 17 Sep 2019 13:50:13 GMT):
okay thanks

ahmad-raza (Tue, 17 Sep 2019 13:50:34 GMT):
Is using cryptogen production ready?

delao (Tue, 17 Sep 2019 13:50:57 GMT):
Cryptogen is NOT meant for production use

delao (Tue, 17 Sep 2019 13:51:56 GMT):
It provides valid certificates but they are not safe enough for production usage

ahmad-raza (Tue, 17 Sep 2019 13:52:14 GMT):
any recommended tool or way?

delao (Tue, 17 Sep 2019 13:53:50 GMT):
If you are developing and testing your network, it's ok to use cryptogen, but if you are going to push it into production, you should consider using another tool like Fabric CA or even OpenSSL (which is harder to configure to work on a Fabric network)

delao (Tue, 17 Sep 2019 13:54:35 GMT):
https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/ This is the documentation for Fabric CA which can provide WAY more information than I :)

ahmad-raza (Tue, 17 Sep 2019 13:55:53 GMT):
what are these files that end in "_sk" in certs?

delao (Tue, 17 Sep 2019 13:56:31 GMT):
Those are the private key files for the certificates

ahmad-raza (Tue, 17 Sep 2019 13:57:07 GMT):
I think Fabric CA is also using certs created by cryptogen

mastersingh24 (Tue, 17 Sep 2019 13:58:33 GMT):
fabric-ca will either generate its own root certificate or can be started with existing crypto material (which can be generated by whatever you like, including cryptogen and openssl)

ahmad-raza (Tue, 17 Sep 2019 14:04:02 GMT):
@mastersingh24 if we start fabric-ca with its own root cert, do we have to create certs for peers, users and for TLS communication separately?

mastersingh24 (Tue, 17 Sep 2019 15:00:25 GMT):
you can still register peers, users, etc with the fabric-ca even if you use your own root cert

metadata (Tue, 17 Sep 2019 15:32:31 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MoYHE6tiYtNf6mbFK) please help

vieiramanoel (Tue, 17 Sep 2019 15:58:10 GMT):
you can't change a certificate at runtime, it is a static file. The simplest way is to regenerate the root CA with this tag set. Then the CA will respond on localhost

vieiramanoel (Tue, 17 Sep 2019 15:58:46 GMT):
apparently node.js doesn't accept ecdsa-with-256 signatures as TLS certs, I'm losing my mind on this.

vieiramanoel (Tue, 17 Sep 2019 15:59:03 GMT):
changing only the csr to RSA won't work either

nyet (Tue, 17 Sep 2019 16:34:54 GMT):
I don't want to speak for actual fabric devs but my understanding is that RSA will never be supported.

vieiramanoel (Tue, 17 Sep 2019 16:35:48 GMT):
we're in the same boat haha. fabric-ca supports RSA, fabric doesn't. I wanted just one RSA cert signed by the CA T.T

metadata (Tue, 17 Sep 2019 16:36:36 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=MoYHE6tiYtNf6mbFK) @nyet Can u please help?

mastersingh24 (Tue, 17 Sep 2019 16:39:26 GMT):
NodeJS works with ECDSA certs

mastersingh24 (Tue, 17 Sep 2019 16:39:48 GMT):
Every one of our samples uses EC certs for signing and TLS

mastersingh24 (Tue, 17 Sep 2019 16:40:13 GMT):
What are you trying to do and what error are you seeing?

vieiramanoel (Tue, 17 Sep 2019 16:42:32 GMT):
so I'm trying to do this in an express api

vieiramanoel (Tue, 17 Sep 2019 16:43:22 GMT):
```
const fs = require('fs');
const https = require('https');

const serverOptions = {
  key: fs.readFileSync(key, 'utf-8'),
  cert: fs.readFileSync(cert, 'utf-8')
};
const server = https.createServer(serverOptions, App);
```

nyet (Tue, 17 Sep 2019 16:43:26 GMT):
Nothing is preventing you from deploying RSA TLS certs, however.

nyet (Tue, 17 Sep 2019 16:43:38 GMT):
Just can't be done with ca-server, and it doesn't help for non-TLS certs

vieiramanoel (Tue, 17 Sep 2019 16:43:41 GMT):
where App is an express instance

vieiramanoel (Tue, 17 Sep 2019 16:45:05 GMT):
http://dontpad.com/cert.dump

vieiramanoel (Tue, 17 Sep 2019 16:45:09 GMT):
the cert dump

vieiramanoel (Tue, 17 Sep 2019 16:45:35 GMT):
and the error:
```
_tls_common.js:104
    c.context.setKey(options.key, options.passphrase);
              ^
Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    at Object.createSecureContext (_tls_common.js:104:17)
    at Server (_tls_wrap.js:819:25)
    at new Server (https.js:60:14)
    at Object.createServer (https.js:82:10)
    at Object. (/rest-server/dist/index.js:26:22)
    at Module._compile (module.js:653:30)
    at Object.Module._extensions..js (module.js:664:10)
    at Module.load (module.js:566:32)
    at tryModuleLoad (module.js:506:12)
    at Function.Module._load (module.js:498:3)
```

vieiramanoel (Tue, 17 Sep 2019 16:46:09 GMT):
let me try something

mastersingh24 (Tue, 17 Sep 2019 16:46:10 GMT):
and what error are you seeing?

nyet (Tue, 17 Sep 2019 16:47:17 GMT):
It looks like you are trying to load a key that isn't actually a private key

mastersingh24 (Tue, 17 Sep 2019 16:47:43 GMT):
are you loading the PEM-encoded files?

mastersingh24 (Tue, 17 Sep 2019 16:49:26 GMT):
I also would not pass an encoding to readFileSync

vieiramanoel (Tue, 17 Sep 2019 16:54:21 GMT):
well I dumped the private key on some site and the result was http://dontpad.com/key.dump

vieiramanoel (Tue, 17 Sep 2019 16:54:45 GMT):
But I couldn't decode it using openssl rsa or openssl pkcs8

vieiramanoel (Tue, 17 Sep 2019 16:55:06 GMT):
there's some error in the private key indeed

vieiramanoel (Tue, 17 Sep 2019 16:55:27 GMT):
I'm removing the encoding from readFileSync

mastersingh24 (Tue, 17 Sep 2019 16:55:34 GMT):
do you have the pem file for the private key?

vieiramanoel (Tue, 17 Sep 2019 16:55:38 GMT):
yes

vieiramanoel (Tue, 17 Sep 2019 16:56:54 GMT):
http://dontpad.com/key.pem

vieiramanoel (Tue, 17 Sep 2019 16:57:03 GMT):
no problem sharing it here, it's on dev haha

mastersingh24 (Tue, 17 Sep 2019 17:10:47 GMT):
how did you generate this key?

ASAPBLOCKY (Tue, 17 Sep 2019 20:05:51 GMT):
Is there a list, or can somebody tell me the hf.x attributes for the registration process in Fabric CA?

HoneyShah (Wed, 18 Sep 2019 05:11:21 GMT):
I am not trying to modify the expiry of the certificate after it has been generated. What I am looking for is a way to pass the changed expiry to the CA before certificate generation using some environment variable or something without having to define a config file for a single property. Is it possible to do so?

mastersingh24 (Wed, 18 Sep 2019 09:36:00 GMT):
Do you want to do this for all certificates or on a per certificate basis?

HoneyShah (Wed, 18 Sep 2019 10:14:57 GMT):
For all the signing certificates, as they are valid for one year only. I am aware of the reenroll functionality, but I want to have a longer expiry before it needs to be extended.

mastersingh24 (Wed, 18 Sep 2019 10:18:25 GMT):
So you can set `signing.default.expiry` in the `fabric-ca-server-config.yaml` file. I would not actually try to set this using an environment variable ... just generate the config, modify it and then start the fabric-ca-server

HoneyShah (Wed, 18 Sep 2019 10:19:00 GMT):
Alright. Thank you. Let me try and will get back to you in case of some issues.

nleut (Wed, 18 Sep 2019 15:58:42 GMT):
Has joined the channel.

Chandoo (Wed, 18 Sep 2019 17:13:14 GMT):
hi

Chandoo (Wed, 18 Sep 2019 17:14:00 GMT):
I have TLS certs already generated currently, and I am looking to add more host names to the TLS certs. How can I do that using fabric-ca-client?

mastersingh24 (Wed, 18 Sep 2019 17:15:49 GMT):
you cannot modify an existing certificate

indirajith (Wed, 18 Sep 2019 17:21:34 GMT):
Thanks master singh, I checked the docker-compose file, it's in debug and all I get is the above error. Could you please provide more info on how to troubleshoot or the methods to narrow it down please?

Chandoo (Wed, 18 Sep 2019 17:22:55 GMT):
@mastersingh24 Okay, I need to add more hosts during the generation process itself, that makes sense. Thank you

metadata (Wed, 18 Sep 2019 17:24:34 GMT):
hi all, I'm going through the `fabric-ca` readthedocs and one thing I'm not able to understand is that executing `fabric-ca-client enroll -u http://admin:adminpw@localhost:7054` creates the `msp/cacert/local-host-7054.pem` and msp/signcert/cert.pem certs and a `fabric-ca-client-config.yaml` file. What I'm not able to understand is that in signcert the SAN name is my machine name, like below ``` X509v3 Subject Alternative Name: DNS:GHOST-RIDER Signature Algorithm: ecdsa-with-SHA256 ``` I have changed the `hosts` section under CSR in the server-side `cacert.pem`, but why am I still getting 'GHOST-RIDER' as DNS?

indirajith (Wed, 18 Sep 2019 17:25:30 GMT):
I can start the orderers one by one right, in Raft consensus.

indirajith (Wed, 18 Sep 2019 17:35:19 GMT):
I don't have any org named 'SampleOrg', but it says:
```
Principal deserialization failure (MSP SampleOrg is unknown) for identity 0. [common.deliver] deliverBlocks -> WARN 02c [channel: orderersyschannel] Client authorization revoked for deliver request from 172.21.0.6:48978: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
```
I even checked the decoded genesis block; it does not have any org named 'SampleOrg'.

mastersingh24 (Wed, 18 Sep 2019 18:11:35 GMT):
What about the CN / CommonName ?

mastersingh24 (Wed, 18 Sep 2019 18:12:15 GMT):
also ... that cert is not used for TLS either ... it actually should not have a SAN

metadata (Thu, 19 Sep 2019 04:47:53 GMT):
thanks @mastersingh24 I found out the solution.

metadata (Thu, 19 Sep 2019 04:53:44 GMT):
yeah, I have checked the msp folders of my project and none of the certs have a SAN. Why is that?

nyet (Thu, 19 Sep 2019 04:54:43 GMT):
Because those aren't TLS certs.

nyet (Thu, 19 Sep 2019 04:54:55 GMT):
MSPs are for signing, not encryption.

nyet (Thu, 19 Sep 2019 04:55:15 GMT):
You're confusing transport with signing/auth

metadata (Thu, 19 Sep 2019 05:26:26 GMT):
ok. so, TLS certs have SAN. right?

nyet (Thu, 19 Sep 2019 05:26:48 GMT):
Yes. But MSPs do not contain TLS certs.

metadata (Thu, 19 Sep 2019 05:35:17 GMT):
I checked this folder ``` crypto-config/peerOrganizations/seller.mytrade.com/users/Admin@seller.mytrade.com/tls ``` and even certs under this folder don't have SAN. generated via cryptogen tool

nyet (Thu, 19 Sep 2019 05:36:29 GMT):
Cryptogen is not for production networks.

nyet (Thu, 19 Sep 2019 05:38:56 GMT):
The server certs generated by cryptogen only supply a CN to identify the endpoint identity.

metadata (Thu, 19 Sep 2019 05:56:13 GMT):
ok. thanks @nyet for all the information.

rodolfoleal (Thu, 19 Sep 2019 19:20:29 GMT):
I saw some docs that say that the fabric-CA server returns the key while enrolling; the fact of having keys generated by an outside resource really concerned me. So I decided to take a look at the fabric-CA code, and it looks like the CA-client generates a key and CSR and just sends the CSR to get it signed by the CA-server.

rodolfoleal (Thu, 19 Sep 2019 19:20:39 GMT):
Am I right?

nyet (Thu, 19 Sep 2019 19:39:17 GMT):
correct

nyet (Thu, 19 Sep 2019 19:39:33 GMT):
the ca-server is a signing service

nyet (Thu, 19 Sep 2019 19:39:56 GMT):
it's completely optional, although generating keys in the way that HLF wants them with pure openssl can be challenging

nyet (Thu, 19 Sep 2019 19:40:20 GMT):
TLS, however, is easily done outside of ca-server

neha_ag (Thu, 19 Sep 2019 20:59:07 GMT):
Has joined the channel.

rodolfoleal (Fri, 20 Sep 2019 00:16:17 GMT):
Thanks @nyet

sureshtedla (Fri, 20 Sep 2019 15:35:37 GMT):
Hi All, How to use fabric-ca instead of cryptogen tool can any one share the docs for the same?

mastersingh24 (Fri, 20 Sep 2019 16:08:52 GMT):
https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html

sureshtedla (Fri, 20 Sep 2019 16:10:35 GMT):
Thanks @mastersingh24

metadata (Sat, 21 Sep 2019 16:54:27 GMT):
Hi everyone, I'm going through the fabric-ca operations guide and have a query. When we `Enroll Org2's admin` (https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html#enroll-org2-s-admin ), here `export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/tls/org1-ca-cert.pem` we are using `org1-ca-cert.pem` for `Org2`. I think it's a typo.

mastersingh24 (Sat, 21 Sep 2019 17:32:27 GMT):
Have you submitted a JIRA bug for this?

mastersingh24 (Sat, 21 Sep 2019 18:17:53 GMT):
I took care of this

metadata (Sun, 22 Sep 2019 03:03:39 GMT):
thanks @mastersingh24

metadata (Sun, 22 Sep 2019 08:06:49 GMT):
how can I access the SQLite3 db in the docker container?

metadata (Mon, 23 Sep 2019 08:18:48 GMT):
In the fabric-ca operations guide there's a line: ``` On the orderer’s host machine, we need to collect the MSPs for all the organizations. ``` Do I have to create the `msp` folder and copy the certs into it? Can someone please explain? Link for the operations guide: https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html#create-genesis-block-and-channel-transaction

metadata (Mon, 23 Sep 2019 08:58:07 GMT):
got it.

metadata (Mon, 23 Sep 2019 09:10:16 GMT):
I'm trying to execute `fabric-ca-client getcainfo --tls.certfiles ../tls-ca/crypto/tls-ca-cert.pem` and getting the error below:
```
2019/09/23 14:37:28 [INFO] Configuration file location: /home/alpha/.fabric-ca-client/fabric-ca-client-config.yaml
Error: POST failure of request: POST http://localhost:7054/cainfo {}: Post http://localhost:7054/cainfo: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"
```
Below is the docker logs output:
```
2019/09/23 09:07:54 http: TLS handshake error from 172.27.0.1:42490: tls: oversized record received with length 21536
```

fdromard (Mon, 23 Sep 2019 10:33:54 GMT):
Hello! I am trying to compile the binaries of fabric-ca and I have the following error:

fdromard (Mon, 23 Sep 2019 10:56:43 GMT):
Hello! I have an error when I try to compile the source of fabric-ca:
```
vendor/github.com/hyperledger/fabric/idemix/util.go:60:11 too many arguments in call to E.ToBytes have ([]byte, bool) want ([]byte)
```
My go version is go1.12.9 linux/amd64. Have you ever seen something like that?

ahmad-raza (Mon, 23 Sep 2019 11:45:03 GMT):
Hello, can anyone guide me on how to create/issue an intermediate certificate?

ahmad-raza (Mon, 23 Sep 2019 11:45:21 GMT):
Using node sdk preferable

fdromard (Mon, 23 Sep 2019 13:09:08 GMT):
govendor sync

nyet (Mon, 23 Sep 2019 15:39:20 GMT):
Plain openssl can be used to do that.

lepar (Mon, 23 Sep 2019 19:33:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=gY43DgfiNpxq2yy73) You're using http, yet you're passing it as https (tls)

lepar (Mon, 23 Sep 2019 19:34:35 GMT):
Most likely TLS is disabled so you don't need the --tls.certfiles

metadata (Tue, 24 Sep 2019 06:41:28 GMT):
@mastersingh24 One more typo here https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html#id2 ``` You will issue the commands below to get Peer2 enrolled. In the commands below, we will assume the trusted root certificate of Org2 is available at `/tmp/hyperledger/org2/peer2/tls/org2-ca-cert.pem ` on Peer2’s host machine. ``` It should be `/tmp/hyperledger/org2/peer2/assets/ca/org2-ca-cert.pem`

juaiglesias (Tue, 24 Sep 2019 15:33:54 GMT):
Hello! Maybe someone can help me with this. I have a network with 2 organizations, and one CA for each of them. I understand that each CA gives certificates to its corresponding org. But who gives the certificate for the CAs? I imagine there is a central Root CA somewhere; where is it?

nyet (Tue, 24 Sep 2019 19:02:18 GMT):
If you don't provide a CA cert pair, the ca-server will self-sign one for itself when it is started.

metadata (Wed, 25 Sep 2019 06:40:57 GMT):
@nyet In the fabric-ca operations guide, when creating the channel (https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html#create-and-join-channel), after entering `docker cli-org1 bash` and using this command `export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp`, running the `peer channel` command failed to create the channel because `admincerts` was not found in the `admin/msp` folder. Error:
```
2019-09-25 06:32:37.863 UTC [main] InitCmd -> ERRO 022 Cannot run peer because error when setting up MSP of type bccsp from directory /tmp/hyperledger/org1/admin/msp: could not load a valid admin certificate from directory /tmp/hyperledger/org1/admin/msp/admincerts: stat /tmp/hyperledger/org1/admin/msp/admincerts: no such file or directory
```

metadata (Wed, 25 Sep 2019 06:42:40 GMT):
In tutorial, we have created `admincerts` folder under `org1/peer1/msp/admincerts`

nyet (Wed, 25 Sep 2019 06:45:08 GMT):
I really dislike the dependence on docker in that guide, esp for the peer commands, which would more likely be run remotely, and not in the container itself

nyet (Wed, 25 Sep 2019 06:45:30 GMT):
in any case, yes, the running peer needs a valid cert in its MSP's admincerts folder

nyet (Wed, 25 Sep 2019 06:45:38 GMT):
(not the peer client command)

nyet (Wed, 25 Sep 2019 06:46:20 GMT):
But since that guide is using peer as a client and a server at the same time, it's hard to tell what's what without me digging around and replicating the whole thing, which I'd rather not.

nyet (Wed, 25 Sep 2019 06:48:47 GMT):
The SERVER's MSP is `CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer1/msp`

nyet (Wed, 25 Sep 2019 06:49:09 GMT):
not `CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp`

nyet (Wed, 25 Sep 2019 06:49:36 GMT):
the client should not need an admincerts, but the server does.

nyet (Wed, 25 Sep 2019 06:49:57 GMT):
it should have been copied into `org1/peer1/msp/admincerts/`

nyet (Wed, 25 Sep 2019 06:54:43 GMT):
That error makes no sense to me. If it is the peer server, it shouldn't even know about `org1/admin/msp`, and if it is the client, it shouldn't care that `admincerts/` is empty.

nyet (Wed, 25 Sep 2019 06:55:09 GMT):
If I had to guess, that means your peer server `CORE_PEER_MSPCONFIGPATH` is wrong.

metadata (Wed, 25 Sep 2019 07:13:53 GMT):
Thanks @nyet I got it

metadata (Wed, 25 Sep 2019 10:29:27 GMT):
@nyet I'm getting the error below when trying to join the channel. `CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer1/msp` fixed the `channel create` issue, but I am unable to join the channel.
```
Error: proposal failed (err: bad proposal response 500: access denied for [JoinChain][mychannel]: [Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin]])
```

MarcoIppolito (Wed, 25 Sep 2019 13:21:27 GMT):
Has joined the channel.

MarcoIppolito (Wed, 25 Sep 2019 13:21:28 GMT):
Hi all, following the indications here: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#configuring-the-database I'm trying to understand how to correctly set Fabric-CA with a PostgreSQL-11 database in Ubuntu 18.04.02 Server Edition. I created a postgresql-11 db to which I can connect with SSL:
```
(base) marco@pc:~$ psql --cluster 11/fabmnet -h 127.0.0.1 -d fabmnetdb -U fabmnet_admin
Password for user fabmnet_admin:
psql (11.5 (Ubuntu 11.5-1.pgdg18.04+1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

fabmnetdb=> \l
                                  List of databases
   Name    |     Owner     | Encoding | Collate | Ctype   |   Access privileges
-----------+---------------+----------+---------+---------+-----------------------
 fabmnetdb | fabmnet_admin | UTF8     | C.UTF-8 | C.UTF-8 |
 postgres  | postgres      | UTF8     | C.UTF-8 | C.UTF-8 |
 template0 | postgres      | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
           |               |          |         |         | postgres=CTc/postgres
 template1 | postgres      | UTF8     | C.UTF-8 | C.UTF-8 | =c/postgres          +
           |               |          |         |         | postgres=CTc/postgres
(4 rows)

fabmnetdb=>
```
but when trying to start a fabric-ca-server:
```
(base) marco@pc:~/fabric/fabric-ca$ fabric-ca-server start -b admin:adminpw
2019/09/23 11:54:20 [INFO] Configuration file location: /home/marco/fabric/fabric-ca/fabric-ca-server-config.yaml
2019/09/23 11:54:20 [INFO] Starting server in home directory: /home/marco/fabric/fabric-ca
2019/09/23 11:54:20 [INFO] Server Version: 1.4.4
2019/09/23 11:54:20 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/23 11:54:20 [INFO] The CA key and certificate already exist
2019/09/23 11:54:20 [INFO] The key is stored by BCCSP provider 'SW'
2019/09/23 11:54:20 [INFO] The certificate is at: /home/marco/fabric/fabric-ca/ca-cert.pem
2019/09/23 11:54:20 [WARNING] Failed to connect to database 'fabmnetdb'
2019/09/23 11:54:20 [WARNING] Failed to connect to database 'postgres'
2019/09/23 11:54:20 [WARNING] Failed to connect to database 'template1'
2019/09/23 11:54:20 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabmnetdb postgres template1]. Please create one of these database before continuing
2019/09/23 11:54:20 [INFO] Home directory for default CA: /home/marco/fabric/fabric-ca
2019/09/23 11:54:20 [INFO] Operation Server Listening on 127.0.0.1:9443
2019/09/23 11:54:20 [INFO] Listening on http://0.0.0.0:7054
```
This is how I set the pg_hba.conf file in the fabmnet postgresql cluster:
```
(base) marco@pc:~$ sudo -su postgres
(base) postgres@pc:~$ nano /etc/postgresql/11/fabmnet/pg_hba.conf
Unable to create directory /home/marco/.local/share/nano/: Permission denied
It is required for saving/loading search history or cursor positions.
Press Enter to continue

# TYPE  DATABASE        USER            ADDRESS                 METHOD
# Database administrative login by Unix domain socket
local   all             postgres                                peer
# TYPE  DATABASE        USER            ADDRESS                 METHOD
# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
# Allow connections from 10.1.2.0/24 subnet only to fabric_ca_db for fabric_ca_user
hostssl fabmnetdb       fabmnet_admin   10.1.2.0/24             cert
# IPv6 local connections:
host    all             all             ::1/128                 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            md5
host    replication     all             ::1/128                 md5
```
And this is the db's configuration in `./fabric/fabric-ca/fabric-ca-server-config.yaml`:
```
db:
  type: postgres
  datasource: host=localhost port=5433 user=fabmnet_admin password=pwd dbname=fabmnetdb sslmode=verify-full
```
How to correctly set Fabric-CA in order to make it see and use the PostgreSQL-11 database? Looking forward to your kind help. Marco

nyet (Wed, 25 Sep 2019 15:52:02 GMT):
When you created the channel genesis block, did the channel MSP have the correct `admincerts/` contents? If so, is the entity creating the channel listed in that directory?

metadata (Wed, 25 Sep 2019 16:42:04 GMT):
yes, I have moved the `org/admin/msp/signcerts` to `org/peer1/msp/admincerts` folder as given in document and used `peer1/msp` as `CORE_PEER_MSPCONFIGPATH` for creating channel. cert type is `"hf.Type":"admin"`

nyet (Wed, 25 Sep 2019 16:42:37 GMT):
when you generated the config.tx was that cert in place

metadata (Wed, 25 Sep 2019 16:42:51 GMT):
yes it was

nyet (Wed, 25 Sep 2019 16:43:21 GMT):
not on the peer, but is it actually in the channel genesis block

metadata (Wed, 25 Sep 2019 16:46:09 GMT):
In the assests folder ? `/tmp/hyperledger/org1/peer1/assets/mychannel.block`

nyet (Wed, 25 Sep 2019 16:46:59 GMT):
Not sure, I don't follow the ops doc; I'd have to look if that's the right dir

nyet (Wed, 25 Sep 2019 16:48:07 GMT):
nope, it's in the configtx.yaml.

metadata (Wed, 25 Sep 2019 16:48:25 GMT):
the fabric-ca operation guide is not clear for newbie.

nyet (Wed, 25 Sep 2019 16:48:40 GMT):
in configtx.yaml it says
```
- &org1
  Name: org1
  ID: org1MSP
  MSPDir: /tmp/hyperledger/org1/msp
  AnchorPeers:
    - Host: peer1-org1
      Port: 7051
```

nyet (Wed, 25 Sep 2019 16:48:53 GMT):
that creates config.tx (genesis block)

nyet (Wed, 25 Sep 2019 16:49:06 GMT):
that needs `admincerts/`

nyet (Wed, 25 Sep 2019 16:50:06 GMT):
https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html#create-genesis-block-and-channel-transaction

nyet (Wed, 25 Sep 2019 16:50:58 GMT):
BTW you should keep track of all of the issues you have and post feedback :)

nyet (Wed, 25 Sep 2019 16:51:10 GMT):
i have not personally followed these instructions since we have our own process

metadata (Wed, 25 Sep 2019 16:51:15 GMT):
In the docs, what they are doing is that before creating the `genesis.block`, they create an `org/msp` folder and copy all the required certs into that `msp` folder

nyet (Wed, 25 Sep 2019 16:51:36 GMT):
yes that has to be captured in config.tx

nyet (Wed, 25 Sep 2019 16:52:07 GMT):
that grants admin permissions for the channel itself

metadata (Wed, 25 Sep 2019 16:53:27 GMT):
yes, but the same thing is failing when joining the channel.

nyet (Wed, 25 Sep 2019 16:53:49 GMT):
my question is, is the admin cert there

nyet (Wed, 25 Sep 2019 16:53:55 GMT):
and was it there when yhou created config.tx

metadata (Wed, 25 Sep 2019 16:56:00 GMT):
for creating the channel it is using `peer1/msp` and in the `peer1/msp/signcerts` they have copied the `org/msp/admincerts/cert.pem` so I guess it is there

metadata (Wed, 25 Sep 2019 16:56:42 GMT):
yes it was there

nyet (Wed, 25 Sep 2019 16:58:12 GMT):
Then there is something wrong with either the peer server keystore or the peer client keystore

nyet (Wed, 25 Sep 2019 16:59:25 GMT):
make sure admincerts on the peer server contains the client keystore cert. Make sure both the peer client keystore and peer server keystore are in the peer server admincerts and config.tx genesis block

nyet (Wed, 25 Sep 2019 16:59:41 GMT):
those 3 criteria have to be met or you can't join a peer to a channel

nyet (Wed, 25 Sep 2019 17:00:18 GMT):
The worst thing about fabric is (imo) the error messages. they do not tell you at all what is actually going wrong. You literally have to dig around in the code to figure out what error means what.

Koushik (Wed, 25 Sep 2019 19:10:50 GMT):
Hi Guys, I have been following this guide for the past couple of days https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html and it worked with the solo ordering mechanism

Koushik (Wed, 25 Sep 2019 19:11:23 GMT):
but when I tried to implement it with Raft ordering with 1.4.2, I get this error when creating a channel

Koushik (Wed, 25 Sep 2019 19:11:45 GMT):
Error: got unexpected status: SERVICE_UNAVAILABLE -- channel testchainid is not serviced by me

Koushik (Wed, 25 Sep 2019 19:12:40 GMT):

Screenshot from 2019-09-25 12-12-24.png

metadata (Wed, 25 Sep 2019 19:12:49 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=WW5tGXMgPJ7do9DNp) that's really amazing @Koushik. Even I'm following it and figured out so many typos in the docs.

Koushik (Wed, 25 Sep 2019 19:13:58 GMT):
I do not know which certs to put for the Client and Server

Koushik (Wed, 25 Sep 2019 19:14:26 GMT):
all the documentation has raft with cryptogen

metadata (Wed, 25 Sep 2019 19:18:15 GMT):
i don't think any doc is available for fabric-ca with raft or kafka.

Koushik (Wed, 25 Sep 2019 19:18:50 GMT):
For the Client and Server Cert I put:
```
ClientTLSCert: /opt/stp-network/hyperledger/OrdererOrg/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
ServerTLSCert: /opt/stp-network/hyperledger/OrdererOrg/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
```
where OrdererOrg is Org0 in the tutorial.

Koushik (Wed, 25 Sep 2019 19:18:58 GMT):
anyone have a clue?

Koushik (Wed, 25 Sep 2019 19:27:10 GMT):
One thing I think I need to do is that

Koushik (Wed, 25 Sep 2019 19:28:36 GMT):
when I open up the certs details, I notice that the issuer is the default values for .csr can anyone point me in how I can change these values

Koushik (Wed, 25 Sep 2019 19:28:41 GMT):
Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = ca-tls

nyet (Wed, 25 Sep 2019 19:59:16 GMT):
put it in the fabric-ca-client config.yml in the csr: section, eg (in j2):
```
csr:
  cn: admin
  keyrequest:
    algo: ecdsa
    size: 256
  serialnumber:
  names:
    - C: {{ hlf_csr.country }}
      ST: "{{ hlf_csr.state }}"
      L: "{{ hlf_csr.locality }}"
      O: {{ hlf_msp_org }}
      OU: "{{ hlf_csr.ou }}"
  hosts:
    - localhost
    - {{ hlf_hostname }}  # short name (orderer0, peer0)
```

nyet (Wed, 25 Sep 2019 20:00:23 GMT):
when you do an enroll with `--enrollment.profile tls` it should use that.

Koushik (Wed, 25 Sep 2019 20:30:46 GMT):
@nyet I thought that fabric-ca-client config.yml gets created when the container goes up because of the bootstrap identity

Koushik (Wed, 25 Sep 2019 20:31:07 GMT):
I have been doing this: `fabric-ca-client enroll --csr.names C=US,ST=California,L=SanFrancisco,O=Org1 -d -u https://tls-ca-admin:tls-ca-adminpw@0.0.0.0:7052`

nyet (Wed, 25 Sep 2019 20:31:11 GMT):
Only if it does not exist.

nyet (Wed, 25 Sep 2019 20:31:20 GMT):
I hate the autogeneration of config files, it makes zero sense.

Koushik (Wed, 25 Sep 2019 20:32:04 GMT):
I see that the issuer certs are still the default

nyet (Wed, 25 Sep 2019 20:32:09 GMT):
since `csr.names` is an array it can't be rendered in env vars that i know of for viper consumption

nyet (Wed, 25 Sep 2019 20:32:52 GMT):
hmm, that's interesting, I wonder if you can do the comma thing in an env var for `csr.names`

Koushik (Wed, 25 Sep 2019 20:33:19 GMT):
wait so your suggestion is that I manually create the fabric-ca-config.yaml and start the container up?

nyet (Wed, 25 Sep 2019 20:33:32 GMT):
no, no, that `--csr.names` thing should work

Koushik (Wed, 25 Sep 2019 20:33:47 GMT):
Yeah it works

Koushik (Wed, 25 Sep 2019 20:33:48 GMT):
hold

Koushik (Wed, 25 Sep 2019 20:33:49 GMT):
on

Koushik (Wed, 25 Sep 2019 20:34:07 GMT):
but not for /opt/stp-network/hyperledger/OrdererOrg/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem

nyet (Wed, 25 Sep 2019 20:34:17 GMT):
ok you mean on the SERVER not the client?

Koushik (Wed, 25 Sep 2019 20:34:39 GMT):
Yeah

nyet (Wed, 25 Sep 2019 20:34:47 GMT):
I THINK you can't; csr.names on the server only applies to self-signed certs that the server generates if they don't exist

nyet (Wed, 25 Sep 2019 20:35:00 GMT):
in fact, I think I ran into that before and meant to open a jira bug but never did

nyet (Wed, 25 Sep 2019 20:35:08 GMT):
there is something in the back of my brain that is tickling me.

nyet (Wed, 25 Sep 2019 20:36:51 GMT):
iirc csr.names on the server doesn't apply to enrolled TLS certs (but I think that TLS profile stuff is fundamentally broken in a lot of other ways, eg. https://jira.hyperledger.org/browse/FABC-460 and https://jira.hyperledger.org/browse/FABC-60)

nyet (Wed, 25 Sep 2019 20:37:15 GMT):
there are innumerable weird things with the TLS enrollment, I almost fell back on doing it all via openssl

Koushik (Wed, 25 Sep 2019 20:37:40 GMT):
For example, for the cert in /hyperledger/tls-ca/admin/msp/signcerts I can see this; the issuer does not match the subject line:
```
Signature Algorithm: ecdsa-with-SHA256
    Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = ca-tls
    Validity
        Not Before: Sep 24 21:49:00 2019 GMT
        Not After : Sep 23 21:54:00 2020 GMT
    Subject: C = US, ST = California, L = SanFrancisco, O = Org1, OU = client, CN = tls-ca-admin
```

nyet (Wed, 25 Sep 2019 20:38:25 GMT):
well that is intentional and expected. There is nothing that says the issuer and subject have to match, in fact, it is a requirement that they do not have to match.

nyet (Wed, 25 Sep 2019 20:39:16 GMT):
the issuer in this case is the root/intermediate CA, which you CAN control via --csr.names on the server

Koushik (Wed, 25 Sep 2019 20:39:16 GMT):
I am pondering why I can not create a channel using Raft

Koushik (Wed, 25 Sep 2019 20:39:23 GMT):
I get the issue

Koushik (Wed, 25 Sep 2019 20:39:36 GMT):
Error: got unexpected status: SERVICE_UNAVAILABLE -- channel testchainid is not serviced by me

nyet (Wed, 25 Sep 2019 20:39:38 GMT):
The issuer is never checked except to make sure it matches the ca

nyet (Wed, 25 Sep 2019 20:39:53 GMT):
the actual issuer value doesn't have to match subject

nyet (Wed, 25 Sep 2019 20:40:15 GMT):
that doesn't look like a TLS error

nyet (Wed, 25 Sep 2019 20:40:58 GMT):
unless you have some O/OU restrictions in your genesis block (which i dont do since its a new feature)

nyet (Wed, 25 Sep 2019 20:41:31 GMT):
in which case that is an ECA not TLSCA issue

Koushik (Wed, 25 Sep 2019 20:49:00 GMT):
I can notice that /OrdererOrg/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem, which is what I use for the consenters in Raft, is as below:
```
Signature Algorithm: ecdsa-with-SHA256
    Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = ca-tls
    Validity
        Not Before: Sep 24 21:48:00 2019 GMT
        Not After : Sep 20 21:48:00 2034 GMT
    Subject: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = ca-tls
```

Koushik (Wed, 25 Sep 2019 20:49:33 GMT):
I'm thinking maybe that's why I am getting the error

Koushik (Wed, 25 Sep 2019 20:50:00 GMT):
Error: got unexpected status: SERVICE_UNAVAILABLE -- channel testchainid is not serviced by me . Because the CSR values are not correct

nyet (Wed, 25 Sep 2019 20:54:55 GMT):
Unfortunately I am unfamiliar with the level of TLS authentication that RAFT does, but in general mutual TLS can be either by CA alone, or O/OU matching.

nyet (Wed, 25 Sep 2019 20:55:33 GMT):
But yes, that appears to be a TLSCA and not an ECA issue.

nyet (Wed, 25 Sep 2019 20:55:47 GMT):
(maybe)

nyet (Wed, 25 Sep 2019 20:56:02 GMT):
As usual, the fabric errors aren't that useful :(

Koushik (Wed, 25 Sep 2019 20:59:08 GMT):
Yeah, Thanks. But can you point me where I can change the issuer CSR?

Koushik (Wed, 25 Sep 2019 20:59:22 GMT):
How*? Any documentation?

Koushik (Wed, 25 Sep 2019 20:59:51 GMT):
Really appreciate it :pray:

nyet (Wed, 25 Sep 2019 21:02:01 GMT):
you mean the CA-server's self-signed cert? That should be in the ca-server config.yml `csr.names`, but I DO NOT RELY on it because I want control over my own self-signed certs. I generate those via openssl myself.

Koushik (Wed, 25 Sep 2019 21:04:32 GMT):
any documentation how I can generate my own using openssl?

Koushik (Wed, 25 Sep 2019 21:04:51 GMT):
was trying to do openssl around 2 weeks ago but I gave up

nyet (Wed, 25 Sep 2019 21:06:26 GMT):
ha ok, that's a whole other mess. I have some simple things for RSA based ones here https://github.com/Blockdaemon/cert-tools but for ECDSA there are a few other steps.

Koushik (Wed, 25 Sep 2019 21:07:58 GMT):
Uhh. Honestly I rather keep it simple at this point and stick to fabric-ca

Koushik (Wed, 25 Sep 2019 21:08:29 GMT):
Will keep the community updated 😭 if I find a solution

nyet (Wed, 25 Sep 2019 21:09:00 GMT):
good luck, i will try to help if I can.

Koushik (Wed, 25 Sep 2019 21:09:08 GMT):
thanks :)

nyet (Wed, 25 Sep 2019 21:10:21 GMT):
I also have a boatload of ansible tasks that do the right thing but they aren't public. I can probably copy/paste snippets if you go that route.

juaiglesias (Wed, 25 Sep 2019 21:57:45 GMT):
Thanks for your answer. Yes, I understand that CA1 self-signs one certificate for itself and CA2 as well. But how do the peers of organization 1 trust the ones of organization 2 if there is no CA authority that certifies both of them? I mean, peers of org1 are certified by CA1 and peers of org2 are certified by CA2, and there is no way that CA2 certificates are trusted by org1 peers and vice versa.

nyet (Wed, 25 Sep 2019 21:58:43 GMT):
You can install both public CA certs in everyone's CA trusted repositories.

nyet (Wed, 25 Sep 2019 21:59:06 GMT):
you can have as many public CA certs as you want there.

nyet (Wed, 25 Sep 2019 21:59:44 GMT):
The only problematic issue is for places you use command lines or env vars to specify trusted CAs, since neither properly support lists (generally)

nyet (Wed, 25 Sep 2019 22:00:04 GMT):
I don't recall which ones are limited in that regard

Koushik (Thu, 26 Sep 2019 03:57:44 GMT):
Hi Guys, I went through this article https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html multiple times; when I try creating a channel it gives an error of
```
019-09-26 03:45:27.271 UTC [main] InitCmd -> ERRO 022 Cannot run peer because error when setting up MSP of type bccsp from directory /opt/stp-network/hyperledger/Org1Name/admin/msp: could not load a valid admin certificate from directory /opt/stp-network/hyperledger/Org1Name/admin/msp/admincerts
```

Koushik (Thu, 26 Sep 2019 03:59:07 GMT):
In the tutorials it tells us to create an admincerts folder inside peer0, peer1 and the Orderer, but it does not tell us to create an admincerts folder in /opt/stp-network/hyperledger/Org1Name/admin/msp

Koushik (Thu, 26 Sep 2019 03:59:32 GMT):
I do not mind creating it as it is necessary, but what do I put in it? Any assistance is much obliged

nyetnyet (Thu, 26 Sep 2019 04:36:23 GMT):
That MSP should not require an admincerts dir because it should not be used to authenticate any other no id

metadata (Thu, 26 Sep 2019 05:11:19 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=RW2XNkbrGQwY2CY46) I have used `org1/peer1/msp` instead of `org1/msp ` for creating the channel and it worked. But still I am facing some issues when joining the channel.

metadata (Thu, 26 Sep 2019 05:12:07 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=ENikYR8rGydszianA) @Koushik this is the issue that i'm facing when trying to join the channel

metadata (Thu, 26 Sep 2019 05:18:38 GMT):
if we check the content of `admin/msp/signcert/cert.pem` then the `id.type` of this cert is user. Even changing its `id.type` to `admin` didn't work. Here they are creating the `admin` but the type is `user`. Isn't it supposed to be `admin`?
```
fabric-ca-client register -d --id.name admin-org1 --id.secret org1AdminPW --id.type user -u https://0.0.0.0:7054
```

madhukar_sh (Thu, 26 Sep 2019 05:32:02 GMT):
It is not like that... There are 3 types of identities:
```
--type string   Type of identity being registered (e.g. 'peer, app, user') (default "user")
```
Source: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/clientcli.html

madhukar_sh (Thu, 26 Sep 2019 05:33:25 GMT):
Peer is the identity for a peer (or a machine in the network) Admin will always be of type user

madhukar_sh (Thu, 26 Sep 2019 05:36:31 GMT):
This is happening because for a peer to join the network, it needs the admin permissions (admin of the organization to which the peer belongs). And one more thing -> Don't create the channel using ```org1/peer/msp```. This means the channel is getting created using the identity of the peer machine. Create the channel using ```org1/msp``` -> This contains the admin credentials for org1. While calling join channel for a peer, make sure you're using the admin credentials of the admin of that org.

metadata (Thu, 26 Sep 2019 06:01:37 GMT):
Ok, but then I'm facing an issue like `signcerts` dir not found because there isn't any `signcerts` dir. Even in the tutorial it is not mentioned. This is my tree structure of org1:
```
org1/msp/
├── admincerts
│   └── org1-admin-cert.pem
├── cacerts
│   └── org1-ca-cert.pem
├── keystore
├── tlscacerts
│   └── tls-ca-cert.pem
└── users
```

metadata (Thu, 26 Sep 2019 06:05:17 GMT):
These are the lines mentioned in the doc:
```
The MSP for Org0 will contain the trusted root certificate of Org0, the certificate of the Org0’s admin identity, and the trusted root certificate of the TLS CA
```

metadata (Thu, 26 Sep 2019 06:14:39 GMT):
Also the `org1/admin/msp` doesn't have an `admincerts` folder. Tree structure:
```
org1/admin/msp
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── cacerts
│   └── 0-0-0-0-7054.pem
├── keystore
│   └── 04b41ac9fab218f01d7526003341719df3fac1985f795f612e0ca45e042b6b82_sk
├── signcerts
│   └── cert.pem
└── user
```

madhukar_sh (Thu, 26 Sep 2019 06:16:30 GMT):
What tutorial are you following?

metadata (Thu, 26 Sep 2019 06:16:50 GMT):
this one https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html

madhukar_sh (Thu, 26 Sep 2019 06:29:59 GMT):
You need to copy the signcerts from fabric-ca-server into the admincerts folder (you have to create the admincerts folder).

madhukar_sh (Thu, 26 Sep 2019 06:30:40 GMT):
Copy contents of ```caserver/admin/msp/signcerts/*``` to ```/org1/msp/admincerts```

metadata (Thu, 26 Sep 2019 06:39:09 GMT):
Are you talking about this? Snippet of the doc:
```
cp /tmp/hyperledger/org2/admin/msp/signcerts/cert.pem /tmp/hyperledger/org2/peer1/msp/admincerts/org2-admin-cert.pem
```

madhukar_sh (Thu, 26 Sep 2019 06:39:45 GMT):
No no.. You're running Fabric CA server, right?

metadata (Thu, 26 Sep 2019 06:39:50 GMT):
yes

madhukar_sh (Thu, 26 Sep 2019 06:40:29 GMT):
Check its folder.. it will have an ```admin/msp/signcert``` folder

madhukar_sh (Thu, 26 Sep 2019 06:40:52 GMT):
copy its contents to ```org1/msp/admincerts```

metadata (Thu, 26 Sep 2019 06:43:04 GMT):
This is the snippet of `ca-org1` generated by the `fabric-ca-server` command:
```
ca-org1/
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── ca-cert.pem
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
├── msp
│   ├── cacerts
│   ├── keystore
│   │   ├── 0cce33720337baa1ba2f98f257f2fed39500773e105e3c0afee6ef7df1480ea2_sk
│   │   ├── IssuerRevocationPrivateKey
│   │   ├── IssuerSecretKey
│   │   └── d6930bfb66bd7d05fbae5857b658e0887519e07f19f0eae086348a3fb6c3348a_sk
│   ├── signcerts
│   └── user
└── tls-cert.pem
```

madhukar_sh (Thu, 26 Sep 2019 06:44:59 GMT):
```
mkdir -p org1/msp/admincerts
cp ca-org1/msp/signcerts/* org1/msp/admincerts
```

metadata (Thu, 26 Sep 2019 06:47:04 GMT):
but there isn't any cert available in `signcerts` in `ca-org1/msp/signcerts`

metadata (Thu, 26 Sep 2019 06:47:17 GMT):
`signcerts` is empty

madhukar_sh (Thu, 26 Sep 2019 06:48:15 GMT):
It is very hard to debug/explain like this... Next week or so I'll make a git repo with scripts and tutorial...

madhukar_sh (Thu, 26 Sep 2019 06:48:26 GMT):
Sorry, I gtg now

metadata (Thu, 26 Sep 2019 06:50:58 GMT):
thanks @madhukar_sh . Yes, please create a repo with a tutorial. This operations_guide isn't clear.

MarcoIppolito (Thu, 26 Sep 2019 09:42:40 GMT):
Hi everybody. Could you please explain to me what to put in this section of fabric-ca-server-config.yaml?
```
# Name of this CA
name:
# Key file (is only used to import a private key into BCCSP)
keyfile:
# Certificate file (default: ca-cert.pem)
certfile:
# Chain file
chainfile:
```

jona-sc (Thu, 26 Sep 2019 10:28:25 GMT):
Has joined the channel.

juaiglesias (Thu, 26 Sep 2019 12:04:26 GMT):
Ahhhh, I understand now, thank you very much!!!!

KOttoni (Thu, 26 Sep 2019 12:55:08 GMT):
Has joined the channel.

nyet (Thu, 26 Sep 2019 15:25:43 GMT):
admin status is determined by whether or not the pub key for that admin is in a given MSP's `admincerts/` directory

Koushik (Fri, 27 Sep 2019 02:26:01 GMT):
Hi guys, I've been stuck on this problem for days :(. My orderer cannot join the system channel testchainid when starting up the orderer container and thus cannot create a channel. I am using Raft consensus and HF 1.4.2. I've been following this guide but customized it: https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html . Below are the screenshots of my log

Koushik (Fri, 27 Sep 2019 02:27:33 GMT):

Screenshot from 2019-09-26 18-39-00.png

Koushik (Fri, 27 Sep 2019 02:27:46 GMT):

Screenshot from 2019-09-26 18-40-15.png

nyet (Fri, 27 Sep 2019 02:29:30 GMT):
jeez just copy paste the text so i can grep for the string in the code :(

Koushik (Fri, 27 Sep 2019 02:29:41 GMT):
shit

Koushik (Fri, 27 Sep 2019 02:29:43 GMT):
kk

nyet (Fri, 27 Sep 2019 02:29:46 GMT):
you can use ```triple quotes``` or `single` quotes

nyet (Fri, 27 Sep 2019 02:31:24 GMT):
does it work with a single orderer?

nyet (Fri, 27 Sep 2019 02:31:32 GMT):
i can't find an obvious reason

Koushik (Fri, 27 Sep 2019 02:35:59 GMT):
Yeah

Koushik (Fri, 27 Sep 2019 02:36:22 GMT):
I am only using a single orderer for the consenter, just for testing then will increase it

Koushik (Fri, 27 Sep 2019 02:36:30 GMT):
This works with crypto-config

Koushik (Fri, 27 Sep 2019 02:36:46 GMT):
"""

nyet (Fri, 27 Sep 2019 02:36:54 GMT):
Well, the operations doc has more than a few typos in it. Perhaps you got bit by one.

Koushik (Fri, 27 Sep 2019 02:37:00 GMT):
```
A 2019-09-27T02:31:07.281474907Z 2019-09-27 02:31:07.280 UTC [orderer.common.server] extractSysChanLastConfig -> INFO 003 Not bootstrapping because of 1 existing channels
A 2019-09-27T02:31:07.287138821Z 2019-09-27 02:31:07.284 UTC [orderer.common.server] extractSysChanLastConfig -> INFO 004 System channel: name=testchainid, height=1, last config block number=0
A 2019-09-27T02:31:07.287338408Z 2019-09-27 02:31:07.284 UTC [orderer.common.server] selectClusterBootBlock -> INFO 005 Cluster boot block is bootstrap (genesis) block; Blocks Header.Number system-channel=0, bootstrap=0
2019-09-27 02:31:07.300 UTC [orderer.common.cluster] loadVerifier -> INFO 006 Loaded verifier for channel testchainid from config block at index 0
2019-09-27 02:31:07.301 UTC [orderer.common.server] initializeServerConfig -> INFO 007 Starting orderer with TLS enabled
2019-09-27 02:31:07.304 UTC [orderer.common.server] configureClusterListener -> INFO 008 Cluster listener is not configured, defaulting to use the general listener on port 7050
2019-09-27 02:31:07.325 UTC [orderer.common.server] TrackChain -> INFO 00b Adding testchainid to the set of chains to track
2019-09-27 02:31:07.326 UTC [orderer.commmon.multichannel] Initialize -> INFO 00c Starting system channel 'testchainid' with genesis block hash 5e1b4cf45e29d41f85ee929fb19f8085d2f4fd4bcd417c3d28a0d599d3365246 and orderer type etcdraft
2019-09-27 02:31:17.332 UTC [orderer.common.cluster] channelsToPull -> INFO 013 Probing whether I should pull channel testchainid
2019-09-27 02:31:17.372 UTC [orderer.common.cluster] channelsToPull -> INFO 022 I do not belong to channel testchainid or am forbidden pulling it (not in the channel), skipping chain retrieval
```

Koushik (Fri, 27 Sep 2019 02:37:21 GMT):
So Solo works

Koushik (Fri, 27 Sep 2019 02:37:28 GMT):
but not raft hmm

mastersingh24 (Fri, 27 Sep 2019 09:50:49 GMT):
I don't think this is a CA issue per se (although, as @nyet said, maybe typos messed things up). How did you generate the genesis block you are using? Are you sure that the TLS certificate you are using has been added to the consenters group?

metadata (Fri, 27 Sep 2019 11:40:45 GMT):
Why is ``` X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication ``` missing from the TLS ca-cert if using fabric-ca?

soumyanayak (Fri, 27 Sep 2019 11:44:33 GMT):
Did you try once running the fabric-ca-server connecting to postgres without any SSL? Or are you getting the above issue when SSL is enabled on postgres?

nyet (Fri, 27 Sep 2019 15:52:20 GMT):
CA certs are signing certs, not TLS certs, even if they are used to sign TLS certs.

Purbaja (Mon, 30 Sep 2019 06:48:58 GMT):
Has joined the channel.

Purbaja (Mon, 30 Sep 2019 07:08:56 GMT):
Hi guys, while trying to generate the genesis block file using the etcdraft profile we are getting the below error:
*Error:*
```
2019-09-30 06:38:19.235 UTC [common.tools.configtxgen] main -> INFO 001 Loading configuration
2019-09-30 06:38:19.294 UTC [common.tools.configtxgen.localconfig] completeInitialization -> INFO 002 orderer type: etcdraft
2019-09-30 06:38:19.294 UTC [common.tools.configtxgen.localconfig] completeInitialization -> INFO 003 Orderer.EtcdRaft.Options unset, setting to tick_interval:"500ms" election_tick:10 heartbeat_tick:1 max_inflight_blocks:5 snapshot_interval_size:20971520
2019-09-30 06:38:19.294 UTC [common.tools.configtxgen.localconfig] Load -> INFO 004 Loaded configuration: /home/ubuntu/hlf-network/configtx.yaml
2019-09-30 06:38:19.353 UTC [common.tools.configtxgen.localconfig] completeInitialization -> INFO 005 orderer type: solo
2019-09-30 06:38:19.353 UTC [common.tools.configtxgen.localconfig] LoadTopLevel -> INFO 006 Loaded configuration: /home/ubuntu/hlf-network/configtx.yaml
2019-09-30 06:38:19.355 UTC [common.tools.configtxgen] func1 -> PANI 007 proto: Marshal called with nil
panic: proto: Marshal called with nil [recovered]
	panic: proto: Marshal called with nil

goroutine 1 [running]:
github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc000125e40, 0x0, 0x0, 0x0)
	/w/workspace/fabric-release-jobs-x86_64/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore/entry.go:229 +0x515
github.com/hyperledger/fabric/vendor/go.uber.org/zap.(*SugaredLogger).log(0xc0000ba248, 0xc00037d704, 0xc000034720, 0x1e, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
	/w/workspace/fabric-release-jobs-x86_64/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:234 +0xf6
github.com/hyperledger/fabric/vendor/go.uber.org/zap.(*SugaredLogger).Panicf(0xc0000ba248, 0xc000034720, 0x1e, 0x0, 0x0, 0x0)
	/w/workspace/fabric-release-jobs-x86_64/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:159 +0x79
github.com/hyperledger/fabric/common/flogging.(*FabricLogger).Panic(0xc0000ba250, 0xc00037d810, 0x1, 0x1)
	/w/workspace/fabric-release-jobs-x86_64/gopath/src/github.com/hyperledger/fabric/common/flogging/zap.go:73 +0x75
main.main.func1()
	/w/workspace/fabric-release-jobs-x86_64/gopath/src/github.com/hyperledger/fabric/common/tools/configtxgen/main.go:260 +0x1a9
panic(0xd9f740, 0xc0000ad0e0)
	/opt/go/go1.11.5.linux.amd64/src/runtime/panic.go:513 +0x1b9
github.com/hyperledger/fabric/protos/utils.MarshalOrPanic(0xf39340, 0x0, 0x0, 0xc000477a00, 0xc000477a00)
	/w/workspace/fabric-release-jobs-x86_64/gopath/src/github.com/hyperledger/fabric/protos/utils/commonutils.go:27 +0x83
github.com/hyperledger/fabric/common/tools/configtxgen/encoder.addValue(0xc0003a8e60, 0xf31100, 0xc0002ddd60, 0xe79e75, 0x6)
	/w/workspace/fabric-release-jobs-x86_64/gopath/src/github.com/hyperledger/fabric/common/tools/configtxgen/encoder/encoder.go:59 +0x75
github.com/hyperledger/fabric/common/tools/configtxgen/encoder.NewOrdererOrgGroup(0xc0001ba7e0, 0xf31100, 0xc0002dd6a0, 0xe79e75)
	/w/workspace/fabric-release-jobs-x86_64/gopath/src/github.com/hyperledger/fabric/common/tools/configtxgen/encoder/encoder.go:283 +0x277
github.com/hyperledger/fabric/common/tools/configtxgen/encoder.NewOrdererGroup(0xc0001ba750, 0xf31100, 0xc0002dcea0, 0xe79e75)
	/w/workspace/fabric-release-jobs-x86_64/gopath/src/github.com/hyperledger/fabric/common/tools/configtxgen/encoder/encoder.go:230 +0x65f
github.com/hyperledger/fabric/common/tools/configtxgen/encoder.NewChannelGroup(0xc0000becc0, 0xc00037dd58, 0x1, 0x1)
	/w/workspace/fabric-release-jobs-x86_64/gopath/src/github.com/hyperledger/fabric/common/tools/configtxgen/encoder/encoder.go:158 +0x550
github.com/hyperledger/fabric/common/tools/configtxgen/encoder.New(0xc0000becc0, 0xc00033e850)
	/w/workspace/fabric-release-jobs-x86_64/gopath/src/github.com/hyperledger/fabric/common/tools/configtxgen/encoder/encoder.go:567 +0x2f
main.doOutputBlock(0xc0000becc0, 0x7ffc4bfcc7ee, 0x9, 0x7ffc4bfcc805, 0x21, 0xc0000becc0, 0x62)
	/w/workspace/fabric-release-jobs-x86_64/gopath/src/github.com/hyperledger/fabric/common/tools/configtxgen/main.go:34 +0x40
main.main()
	/w/workspace/fabric-release-jobs-x86_64/gopath/src/github.com/hyperledger/fabric/common/tools/configtxgen/main.go:294 +0xb72
```

Purbaja (Mon, 30 Sep 2019 07:20:42 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=vtB8XpncRT2vcFzze)
configtx.txt

ShobhitSrivastava (Mon, 30 Sep 2019 12:45:19 GMT):
@madhukar_sh ..hi there, let me know once you create a GitHub repo. I am able to run the network with cryptogen-created certificates. But once I work with CA-generated certificates, it gives me an access denied error.

delao (Mon, 30 Sep 2019 12:46:47 GMT):
Good morning everyone! I was hoping you guys could help me with something. I have a network up and running using Fabric CA certificates and now I'd like to add a Node Client SDK application to it. I have 2 questions: 1 - Are there any peculiarities to this type of certificate, or should a simple client type certificate do the trick? 2 - As my network is already up and running, must I perform a channel update to include this newly generated certificate in the desired MSP?

sharif2008 (Mon, 30 Sep 2019 17:43:14 GMT):
Has joined the channel.

sharif2008 (Mon, 30 Sep 2019 17:43:16 GMT):
```
E0930 03:49:58.103991314 5824 ssl_transport_security.cc:1238] Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
E0930 03:49:58.105143769 5824 ssl_transport_security.cc:1238] Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
2019-09-30T10:49:58.414Z - error: [Remote.js]: Error: Failed to connect before the deadline URL:grpcs://localhost:7051
2019-09-30T10:49:58.416Z - error: [Channel.js]: Error: Failed to connect before the deadline URL:grpcs://localhost:7051
2019-09-30T10:49:58.416Z - error: [Network]: _initializeInternalChannel: Unable to initialize channel. Attempted to contact 1 Peers. Last error was Error: Failed to connect before the deadline URL:grpcs://localhost:7051
Failed to evaluate transaction: Error: Unable to initialize channel. Attempted to contact 1 Peers. Last error was Error: Failed to connect before the deadline URL:grpcs://localhost:7051
```

sharif2008 (Mon, 30 Sep 2019 17:44:00 GMT):
What can be the problem? Admin and user enrollment is successful, but the query shows the error.

nyet (Mon, 30 Sep 2019 17:46:54 GMT):
TLS isn't enabled on the remote end

sharif2008 (Tue, 01 Oct 2019 03:46:02 GMT):
thanks. let me check

adarshaJha (Tue, 01 Oct 2019 07:24:36 GMT):
Has joined the channel.

adarshaJha (Tue, 01 Oct 2019 07:24:37 GMT):
I'm trying to use LDAP with the CA.

adarshaJha (Tue, 01 Oct 2019 07:25:05 GMT):
when i try to enroll

adarshaJha (Tue, 01 Oct 2019 07:25:12 GMT):
i'm getting this error

adarshaJha (Tue, 01 Oct 2019 07:25:13 GMT):
```
[FabricCAClientService.js]: Failed to enroll alejandro, error:%o message=Enrollment failed with errors [[{"code":20,"message":"Authentication failure"}]], stack=Error: Enrollment failed with errors [[{"code":20,"message":"Authentication failure"}]]
    at IncomingMessage.response.on (/home/adarsha/Documents/fabric-ldap-example/fabric-sdk-with-ldap/node_modules/fabric-ca-client/lib/FabricCAClient.js:465:22)
    at emitNone (events.js:111:20)
    at IncomingMessage.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1064:12)
    at _combinedTickCallback (internal/process/next_tick.js:139:11)
    at process._tickCallback (internal/process/next_tick.js:181:9)
Error: Enrollment failed with errors [[{"code":20,"message":"Authentication failure"}]]
    at IncomingMessage.response.on (/home/adarsha/Documents/fabric-ldap-example/fabric-sdk-with-ldap/node_modules/fabric-ca-client/lib/FabricCAClient.js:465:22)
    at emitNone (events.js:111:20)
    at IncomingMessage.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1064:12)
    at _combinedTickCallback (internal/process/next_tick.js:139:11)
    at process._tickCallback (internal/process/next_tick.js:181:9)
Failed to enroll: Error: Failed to enroll alejandro
```

iamdm (Tue, 01 Oct 2019 08:16:32 GMT):
Where can I download the binary for Fabric CA server? Only the client binary is available in Nexus.

ShobhitSrivastava (Tue, 01 Oct 2019 12:26:10 GMT):
hi..have you tried.... `go get -u github.com/hyperledger/fabric-ca/cmd/`

iamdm (Tue, 01 Oct 2019 12:46:14 GMT):
I want to get the compiled binary instead of the sources

iamdm (Tue, 01 Oct 2019 12:46:41 GMT):
The CA client is present in Nexus, but the server doesn't exist

nyet (Tue, 01 Oct 2019 15:13:05 GMT):
https://nexus.hyperledger.org/content/repositories/releases/org/hyperledger/fabric-ca/hyperledger-fabric-ca/${HLF_ARCH}-${HLF_VERSION}/hyperledger-fabric-ca-${HLF_ARCH}-${HLF_VERSION}.tar.gz

iamdm (Wed, 02 Oct 2019 06:22:56 GMT):
@nyet https://nexus.hyperledger.org/content/repositories/releases/org/hyperledger/fabric-ca/hyperledger-fabric-ca/linux-amd64-1.4.3/hyperledger-fabric-ca-linux-amd64-1.4.3.tar.gz - only client binary is available here

ahmad-raza (Wed, 02 Oct 2019 07:50:26 GMT):
Hi all, how can we configure fabric-ca so that we can give a user its certificate and public/private keys??

caveman7 (Thu, 03 Oct 2019 06:48:08 GMT):
According to https://hyperledger-fabric.readthedocs.io/en/latest/commands/cryptogen.html , cryptogen is not recommended for production use. Why is that so?

mastersingh24 (Thu, 03 Oct 2019 10:55:35 GMT):
It does not support the full PKI lifecycle ... for example, you cannot create revocation lists. The crypto material generated by cryptogen is actually fine for use in production; it's just that cryptogen is designed more as a development tool. Of course you can generate initial artifacts with cryptogen if you like and then import the CA key pairs into a more robust PKI management infrastructure.

Purbaja (Thu, 03 Oct 2019 12:52:32 GMT):
Hi guys, after generating crypto artifacts using fabric-ca, when I am trying to set up the network I get the below error: *Failed to initialize local MSP: administrators must be declared when no admin ou classification is set*

lepar (Thu, 03 Oct 2019 12:54:29 GMT):
Yeah, you have to first register a user and then enroll to get the certificates.
```
fabric-ca-client register -d --id.name peer --id.secret peerpassword --id.type peer -u https://ca.example:7050
fabric-ca-client enroll -d -u https://peer:peerpassword@ca.example:7050 --csr.hosts peer -M peer/msp
```
(-M is used for the storage location)

ahmad-raza (Thu, 03 Oct 2019 13:11:45 GMT):
You got it wrong. I want to give the user its certificate and public/private keys. We do not want to store their certs and keys on the server. When the user wants to invoke chaincode, he should provide his cert.

lepar (Thu, 03 Oct 2019 13:21:45 GMT):
That requires an SDK to sign the transaction on his side. There are two scenarios: 1. It's unsafe to transmit public/private keys. So if you're generating and sending them, there's the risk of duplication, man-in-the-middle attack, etc., from a security point of view. 2. You provide an intermediate CA for them to generate their own certificates.

ahmad-raza (Thu, 03 Oct 2019 13:28:00 GMT):
My point of view is that we want to give the user the belief that nobody (not even the admin) can access his keys/certs and use them to manipulate the ledger. The approach that comes to my mind is that we do not store keys on the server. Somehow keys/certs are provided to the user. Next time, whenever the user wants to update the ledger etc., the user has to provide the certs/keys.

ahmad-raza (Thu, 03 Oct 2019 13:29:22 GMT):
What you said about the intermediate CA: in that case, every time they invoke a transaction they have to generate new certs? Am I getting it right?

lepar (Thu, 03 Oct 2019 13:34:17 GMT):
"Somehow keys/certs are provided to the user" - this is the key point. There are ways, but never 100% unless the user has generated their own. What you can do is have them generate it themselves, either by CA or OpenSSL in the X.509 standard, and then you include their public keys in the channel. "What you said about the intermediate CA: in that case, every time they invoke a transaction they have to generate new certs? Am I getting it right?" No, they only need to generate it once. This is security engineering that varies depending on your use case. If you have one root CA, and users have ICAs, then you have complete control. If each user has their own root CA that generates their certs, then you have the concern whether they are taking security precautions to prevent hacks etc...

ahmad-raza (Thu, 03 Oct 2019 14:14:59 GMT):
"Users have ICAs": we also have to pass the ICA's certs to the user somehow?? And let's say we have thousands of users. Then there will be thousands of ICAs. The case is almost the same.

lepar (Thu, 03 Oct 2019 14:47:38 GMT):
ICA = intermediate CA. That's a certificate authority that has an identity linked to the root CA it enrolled with. You can have an ICA for users so as to not expose your root CA, for example.

iramiller (Thu, 03 Oct 2019 19:00:09 GMT):
What you are describing for secure key and certificate creation/registration is the CSR process IMO.

mastersingh24 (Thu, 03 Oct 2019 19:31:51 GMT):
If you do not use the NodeOU capability ( see https://hyperledger-fabric.readthedocs.io/en/release-1.4/msp.html#identity-classification ), you'll need to explicitly add the X509 cert(s) of the user(s) you want to be admin(s)

yacovm (Thu, 03 Oct 2019 19:38:03 GMT):
I think by 2021 people are going to ask what role does the `admincerts` folder play if it's always empty ;)

mastersingh24 (Thu, 03 Oct 2019 19:38:34 GMT):
I was thinking more like April 12, 2020

dwelch91 (Thu, 03 Oct 2019 20:11:17 GMT):
Has joined the channel.

adarshaJha (Fri, 04 Oct 2019 09:04:30 GMT):
Hi, I am working on a project for my learning and I wanted to check how to revoke certificates (user certificates). I have a root rca and an ica1. When I generated certificates using the root rca I wasn't aware of revocation of certificates. So far, what I understood is that I have to add certificates to a CRL, but is there any nice article or demo tutorial kind of thing for the same?

ahmad-raza (Fri, 04 Oct 2019 10:59:42 GMT):
@iramiller What are you saying? I did not get it.

mastersingh24 (Fri, 04 Oct 2019 13:00:26 GMT):
https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#revoking-a-certificate-or-identity - revoking certificates https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#generating-a-crl-certificate-revocation-list - generating a CRL

iramiller (Fri, 04 Oct 2019 14:41:18 GMT):
The Certificate Signing Request process; generating a CSR and submitting it for signing. This is the standard way for an entity to generate a private key and create a certificate without revealing their key to anyone.

mastersingh24 (Fri, 04 Oct 2019 15:05:44 GMT):
Fabric CA DOES NOT store the private key ... just the public key which it signs

mastersingh24 (Fri, 04 Oct 2019 15:06:08 GMT):
When you use the fabric-ca-client and/or one of the SDKs to enroll, the private key is generated locally

iramiller (Fri, 04 Oct 2019 15:34:34 GMT):
(the only private key involved is the CA's which is required for signing)

VaibhavSharma (Sat, 05 Oct 2019 06:15:27 GMT):
Has joined the channel.

VaibhavSharma (Sat, 05 Oct 2019 06:16:15 GMT):

csr.png


VaibhavSharma (Sat, 05 Oct 2019 06:18:26 GMT):
@nyet do you know about it?

mastersingh24 (Sat, 05 Oct 2019 09:39:12 GMT):
I'd advise not trying to set these via environment variables. You should just set them in the config file itself. In the near future we will be moving away from allowing everything to be overwritten via environment variables

JosephNguyen (Sat, 05 Oct 2019 14:34:13 GMT):
Has joined the channel.

VaibhavSharma (Mon, 07 Oct 2019 08:06:02 GMT):
So for each request I should modify the yaml file?

adarshaJha (Mon, 07 Oct 2019 08:13:48 GMT):
Hi, I want to know

adarshaJha (Mon, 07 Oct 2019 08:14:01 GMT):
I want to cluster two LDAP servers

adarshaJha (Mon, 07 Oct 2019 08:14:06 GMT):
how to do that ?

adarshaJha (Mon, 07 Oct 2019 08:14:27 GMT):
because if I have only one LDAP, which is for prior enrolment of identities,

adarshaJha (Mon, 07 Oct 2019 08:14:51 GMT):
then in case of failure it will make my whole organization not work.

adarshaJha (Mon, 07 Oct 2019 08:15:14 GMT):
To avoid that I want to use multiple LDAP servers with Hyperledger,

adarshaJha (Mon, 07 Oct 2019 08:15:23 GMT):
at least two for every organization

adarshaJha (Mon, 07 Oct 2019 10:18:49 GMT):
Hi, I'm trying to add postgres as a DB for fabric-ca. Has anyone done that? If yes, any links or supporting docs would be appreciated.

mastersingh24 (Mon, 07 Oct 2019 14:01:36 GMT):
oh ... sorry ... I did not see you were asking about the client piece ... you should have a look at the fabric-ca-client cmd line docs for the few things you can override - https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/clientcli.html

VaibhavSharma (Mon, 07 Oct 2019 14:12:45 GMT):
@mastersingh24 Thanks, got it :)

touchingsoil (Tue, 08 Oct 2019 08:25:36 GMT):
Has joined the channel.

touchingsoil (Tue, 08 Oct 2019 08:50:44 GMT):
A year ago I created a composer network using composer version 0.19.14. Now when I am trying to upgrade the network using the following command I get this error: `composer network upgrade --card admin@tutorial-network` output: `Error: Error trying to ping. Error: 2 UNKNOWN: identity expired`. I checked the peer logs and the CA database; yes, the admin certificate is expired. I have tried to modify the CA database and config file to extend the expiry time, then stop/start the CA docker, but it didn't work. Is there any help? Why, after modifying the CA database in docker and restarting it, is the certificate still expired?

BrettLogan (Tue, 08 Oct 2019 23:41:25 GMT):
Has joined the channel.

BrettLogan (Tue, 08 Oct 2019 23:41:26 GMT):
We don't publish the server binary as we bake it into the fabric-ca docker image. You can always pull the code and just run `make fabric-ca-server` as long as you have Go installed.

soumyanayak (Wed, 09 Oct 2019 10:12:09 GMT):
Hi Adarsha - I have just run a single CA server with postgres; please find the docker yaml file for the same.

soumyanayak (Wed, 09 Oct 2019 10:12:55 GMT):

org0-rca.txt

soumyanayak (Wed, 09 Oct 2019 10:13:22 GMT):
Working on creating the cluster of CAs and will update you once done.

soumyanayak (Wed, 09 Oct 2019 10:13:41 GMT):
And also this is non-TLS postgres mode - once done with the SSL thing I will also update.

iamdm (Wed, 09 Oct 2019 10:50:42 GMT):
@BrettLogan What is the reason not to publish server binaries in Nexus? Docker images contain both binaries, as I remember.

adarshaJha (Wed, 09 Oct 2019 11:46:33 GMT):
@soumyanayak Thank you so much brother. I wanted to know, as I see the file,

adarshaJha (Wed, 09 Oct 2019 11:46:48 GMT):
are you simply running a docker container of postgres too?

adarshaJha (Wed, 09 Oct 2019 11:46:58 GMT):
ohhh sorry,

adarshaJha (Wed, 09 Oct 2019 11:47:27 GMT):
for replying late and many thanks.

adarshaJha (Wed, 09 Oct 2019 11:47:43 GMT):
please tell me when you are done with the clusterisation.

metadata (Wed, 09 Oct 2019 13:29:01 GMT):
Hi everyone, can someone please help me with the below flag used with `fabric-ca-client`: ``` --id.type string Type of identity being registered (e.g. 'peer, app, user') (default "client")``` What I want to know is the difference between `peer`, `app`, `user`, `client` and how to choose.

raidinesh80 (Wed, 09 Oct 2019 23:45:53 GMT):
Is there any way to set a timeout for the Fabric CA client in the Node.js SDK?

BrettLogan (Thu, 10 Oct 2019 04:37:08 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=CWikXPjGaznCKgMTJ) @iamdm

metadata (Thu, 10 Oct 2019 13:07:16 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=Fu3X73qu8BKdG5o8N) Any help with this?

NilsPe (Thu, 10 Oct 2019 19:03:02 GMT):
Hi all, I was handed credentials for a CA's admin. I can register and enroll users, but I cannot interact with the peers because I do not know the MSP ID. Is there a way to query or see the MSP ID?

mastersingh24 (Fri, 11 Oct 2019 10:48:03 GMT):
you might want to have a look at https://stackoverflow.com/a/58282441/6160507

metadata (Fri, 11 Oct 2019 12:36:47 GMT):
thanks @mastersingh24

adarshaJha (Fri, 11 Oct 2019 13:05:15 GMT):
I am trying to use postgres with fabric-ca

adarshaJha (Fri, 11 Oct 2019 13:05:27 GMT):
I am able to run the CA and postgres containers

adarshaJha (Fri, 11 Oct 2019 13:05:34 GMT):
but when I check the logs of the CA

adarshaJha (Fri, 11 Oct 2019 13:05:40 GMT):
I get this error:

adarshaJha (Fri, 11 Oct 2019 13:06:05 GMT):

adarshaJha - Fri Oct 11 2019 18:35:58 GMT+0530 (India Standard Time).txt

adarshaJha (Fri, 11 Oct 2019 13:06:26 GMT):
```
Validation of CA certificate and key successful
2019/10/11 12:59:58 [DEBUG] Loading CN from existing enrollment information
2019/10/11 12:59:58 [DEBUG] Initializing DB
2019/10/11 12:59:58 [DEBUG] Initializing 'postgres' database at 'host=127.0.0.1 port=5432 user=**** password=**** dbname=fabriccaserver sslmode=disable'
2019/10/11 12:59:58 [DEBUG] Using postgres database, connecting to database...
2019/10/11 12:59:58 [DEBUG] Database Name: fabriccaserver
2019/10/11 12:59:58 [DEBUG] Connecting to PostgreSQL server, using connection string: host=127.0.0.1 port=5432 user=**** password=**** dbname=fabriccaserver sslmode=disable
2019/10/11 12:59:58 [WARNING] Failed to connect to database 'fabriccaserver'
2019/10/11 12:59:58 [DEBUG] Connecting to PostgreSQL server, using connection string: host=127.0.0.1 port=5432 user=**** password=**** dbname=postgres sslmode=disable
2019/10/11 12:59:58 [WARNING] Failed to connect to database 'postgres'
2019/10/11 12:59:58 [DEBUG] Connecting to PostgreSQL server, using connection string: host=127.0.0.1 port=5432 user=**** password=**** dbname=template1 sslmode=disable
```

benjamin.verhaegen (Mon, 14 Oct 2019 11:48:21 GMT):
Hi, anyone here with experience in implementing idemixer?

nyet (Mon, 14 Oct 2019 15:51:44 GMT):
Look on the postgres side for errors.

soumyanayak (Tue, 15 Oct 2019 09:20:32 GMT):
Can you post the postgres docker logs

madhukar_sh (Fri, 18 Oct 2019 08:45:56 GMT):
Is there any way we can delete the user after registering?

metadata (Fri, 18 Oct 2019 08:51:58 GMT):
I think you can't delete it but you can revoke it.

madhukar_sh (Fri, 18 Oct 2019 08:52:41 GMT):
Revoking still doesnt let me register the identity again :(

metadata (Sat, 19 Oct 2019 05:11:05 GMT):
Hey @madhukar_sh, I have found something in sdk-go. Below is the snippet:
```
// RemoveIdentity removes identity with the Fabric CA server.
// Parameters:
// request holds info about identity to be removed
//
// Returns:
// Return removed identity info
func (c *Client) RemoveIdentity(request *RemoveIdentityRequest) (*IdentityResponse, error) {
	ca, err := newCAClient(c.ctx, c.orgName, c.caID)
	if err != nil {
		return nil, err
	}
	req := &mspapi.RemoveIdentityRequest{
		ID:     request.ID,
		Force:  request.Force,
		CAName: request.CAName,
	}
	response, err := ca.RemoveIdentity(req)
	if err != nil {
		return nil, err
	}
	return getIdentityResponse(response), nil
}
```

metadata (Sat, 19 Oct 2019 05:11:25 GMT):
it means you can remove the identity from the fabric-ca

narendranathreddy (Sat, 19 Oct 2019 06:42:18 GMT):
postgres

vkblue (Sun, 20 Oct 2019 00:25:51 GMT):
Has joined the channel.

sureshtedla (Mon, 21 Oct 2019 09:28:33 GMT):
Hi All, when I am launching the orderer I am getting the following error. Can anyone help me?

sureshtedla (Mon, 21 Oct 2019 09:28:52 GMT):

Clipboard - October 21, 2019 2:30 AM

sureshtedla (Mon, 21 Oct 2019 09:29:56 GMT):
I am getting: failed to initialize local MSP: administrators must be declared when no admin ou classification is set

redegade (Mon, 21 Oct 2019 15:18:32 GMT):
Hi, I think this has to do with the `admincerts` directory missing from the MSP of the orderer. Can you tell us more about how you are creating the identities? (crypto-config / fabric-ca)

sureshtedla (Mon, 21 Oct 2019 15:47:19 GMT):
I am creating identities by using fabric ca

sureshtedla (Mon, 21 Oct 2019 15:48:00 GMT):
I am following this docs https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html

pvrbharg (Mon, 21 Oct 2019 20:09:12 GMT):
Hello team - hope this is an easy question to answer - where would I find a documented procedure to make a Hyperledger Fabric sample bootstrapped with the cryptogen tool [like first-network] work with fabric-ca subsequently, using the crypto material generated by cryptogen? For some reason I believe I found this procedure in the past and cannot re-find it. Apologies for my inability to recall here on this question. Thanks.

adarshaJha (Tue, 22 Oct 2019 07:23:13 GMT):
I am trying to run fabric-ca with postgres but getting this error: Error: Response from server: Error Code: 0 - enroll handler failed to initialize DB: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabriccaserver postgres template1]. Please create one of these database before continuing

adarshaJha (Tue, 22 Oct 2019 09:24:15 GMT):
```
Using postgres database, connecting to database...
2019/10/22 09:21:16 [DEBUG] Database Name: fabriccaserver
2019/10/22 09:21:16 [DEBUG] Connecting to PostgreSQL server, using connection string: host=127.0.0.1 port=5432 user=**** password=**** dbname=fabriccaserver sslmode=disable
2019/10/22 09:21:16 [WARNING] Failed to connect to database 'fabriccaserver'
2019/10/22 09:21:16 [DEBUG] Connecting to PostgreSQL server, using connection string: host=127.0.0.1 port=5432 user=**** password=**** dbname=postgres sslmode=disable
2019/10/22 09:21:16 [WARNING] Failed to connect to database 'postgres'
2019/10/22 09:21:16 [DEBUG] Connecting to PostgreSQL server, using connection string: host=127.0.0.1 port=5432 user=**** password=**** dbname=template1 sslmode=disable
2019/10/22 09:21:16 [WARNING] Failed to connect to database 'template1'
2019/10/22 09:21:16 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabriccaserver postgres template1]. Please create one of these database before continuing
```

soumyanayak (Tue, 22 Oct 2019 10:07:02 GMT):
Can you post your postgres docker container logs once?

mastersingh24 (Tue, 22 Oct 2019 10:09:06 GMT):
if you are running in Docker, 127.0.0.1 will not work to connect to a database

adarshaJha (Tue, 22 Oct 2019 10:14:59 GMT):
okay, can you help?

adarshaJha (Tue, 22 Oct 2019 10:15:05 GMT):
what to add ?

adarshaJha (Tue, 22 Oct 2019 10:16:19 GMT):
```
docker logs --follow db-postgres
2019-10-22 10:13:04.915 UTC [1] LOG:  starting PostgreSQL 12.0 (Debian 12.0-2.pgdg100+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 8.3.0-6) 8.3.0, 64-bit
2019-10-22 10:13:04.915 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
2019-10-22 10:13:04.915 UTC [1] LOG:  listening on IPv6 address "::", port 5432
2019-10-22 10:13:05.009 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2019-10-22 10:13:05.259 UTC [23] LOG:  database system was interrupted; last known up at 2019-10-22 10:09:10 UTC
2019-10-22 10:13:05.444 UTC [23] LOG:  database system was not properly shut down; automatic recovery in progress
2019-10-22 10:13:05.542 UTC [23] LOG:  redo starts at 0/1647058
2019-10-22 10:13:05.542 UTC [23] LOG:  invalid record length at 0/1647090: wanted 24, got 0
2019-10-22 10:13:05.542 UTC [23] LOG:  redo done at 0/1647058
2019-10-22 10:13:05.866 UTC [1] LOG:  database system is ready to accept connections
```

mastersingh24 (Tue, 22 Oct 2019 10:18:09 GMT):
You cannot use "localhost" or "127.0.0.1" to communicate across containers

mastersingh24 (Tue, 22 Oct 2019 10:18:44 GMT):
how are you launching your containers? Pure Docker, Docker Compose?

adarshaJha (Tue, 22 Oct 2019 10:19:30 GMT):
yes

mastersingh24 (Tue, 22 Oct 2019 10:19:48 GMT):
Docker Compose or Docker?

adarshaJha (Tue, 22 Oct 2019 10:20:48 GMT):
docker-compose

adarshaJha (Tue, 22 Oct 2019 10:21:37 GMT):
```
version: '2'
networks:
  basic:
services:
  db-postgres:
    container_name: db-postgres
    # network_mode: "host"
    image: postgres:latest
    environment:
      - POSTGRES_PASSWORD=caDbPass12345
      - POSTGRES_USER=postgres
      - POSTGRES_DB=fabriccaserver
    volumes:
      - ./postgres-test-data:/var/lib/postgresql/data
    ports:
      - 5432:5432
```

mastersingh24 (Tue, 22 Oct 2019 10:22:45 GMT):
The easiest solution is to set the `container_name` property for the postgres service and then use that name instead of localhost or 127.0.0.1 in your database connection string

adarshaJha (Tue, 22 Oct 2019 10:23:42 GMT):
```
  ica.consigner.xyz.io:
    image: hyperledger/fabric-ca:1.4.1
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_OPERATIONS_LISTENADDRESS=127.0.0.1:8443
      - FABRIC_CA_SERVER_DB_TYPE=postgres
      - FABRIC_CA_SERVER_DB_DATASOURCE=host=127.0.0.1 port=5432 user=postgres password=caDbPass12345 dbname=fabriccaserver sslmode=disable
    ports:
      - "7054:7054"
    command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
    volumes:
      - ./crypto-config/peerOrganizations/consigner.xyz.io/ca/:/etc/hyperledger/fabric-ca-server-config
      - ./ca-config/:/etc/hyperledger/fabric-ca-server
    container_name: ica.consigner.xyz.io
    networks:
      - basic
    # depends_on:
    #   - db-postgres
```

mastersingh24 (Tue, 22 Oct 2019 10:23:56 GMT):
for example:
```
services:
  postgres:
    container_name: postgres
```

adarshaJha (Tue, 22 Oct 2019 10:24:44 GMT):
yes, I'm using container name: db_postgres

adarshaJha (Tue, 22 Oct 2019 10:24:51 GMT):
but what to put in host?

adarshaJha (Tue, 22 Oct 2019 10:24:53 GMT):
?

mastersingh24 (Tue, 22 Oct 2019 10:25:03 GMT):
OK ... then replace 127.0.0.1 with that in the datasource env variable

adarshaJha (Tue, 22 Oct 2019 10:25:56 GMT):
okay, so in host also I should put the container name?

adarshaJha (Tue, 22 Oct 2019 10:26:13 GMT):
in host also I should put the container name?

adarshaJha (Tue, 22 Oct 2019 10:27:21 GMT):
okay, so I should put the container name in host?

adarshaJha (Tue, 22 Oct 2019 10:27:30 GMT):
let me try.

mastersingh24 (Tue, 22 Oct 2019 10:27:36 GMT):
yep

adarshaJha (Tue, 22 Oct 2019 10:30:25 GMT):
tried it

adarshaJha (Tue, 22 Oct 2019 10:30:31 GMT):
still getting same error

adarshaJha (Tue, 22 Oct 2019 10:32:36 GMT):
```
Initializing DB
2019/10/22 10:29:47 [DEBUG] Initializing 'postgres' database at 'host=db-postgres port=5432 user=**** password=**** dbname=fabriccaserver sslmode=disable'
2019/10/22 10:29:47 [DEBUG] Using postgres database, connecting to database...
2019/10/22 10:29:47 [DEBUG] Database Name: fabriccaserver
2019/10/22 10:29:47 [DEBUG] Connecting to PostgreSQL server, using connection string: host=db-postgres port=5432 user=**** password=**** dbname=fabriccaserver sslmode=disable
2019/10/22 10:29:47 [WARNING] Failed to connect to database 'fabriccaserver'
2019/10/22 10:29:47 [DEBUG] Connecting to PostgreSQL server, using connection string: host=db-postgres port=5432 user=**** password=**** dbname=postgres sslmode=disable
2019/10/22 10:29:47 [WARNING] Failed to connect to database 'postgres'
2019/10/22 10:29:47 [DEBUG] Connecting to PostgreSQL server, using connection string: host=db-postgres port=5432 user=**** password=**** dbname=template1 sslmode=disable
2019/10/22 10:29:47 [WARNING] Failed to connect to database 'template1'
2019/10/22 10:29:47 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabriccaserver postgres template1]. Please create one of these database before continuing
2019/10/22 10:29:47 [DEBUG] Initializing enrollment signer
2019/10/22 10:29:47 [DEBUG] validating configuration
2019/10/22 10:29:47 [DEBUG] validate local profile
2019/10/22 10:29:47 [DEBUG] profile is valid
2019/10/22 10:29:47 [DEBUG] validate local profile
2019/10/22 10:29:47 [DEBUG] profile is valid
2019/10/22 10:29:47 [DEBUG] validate local profile
2019/10/22 10:29:47 [DEBUG] profile is valid
2019/10/22 10:29:47 [DEBUG] CA initialization successful
2019/10/22 10:29:47 [DEBUG] Initializing Idemix issuer...
2019/10/22 10:29:47 [DEBUG] Returning without initializing Idemix issuer for CA 'ica.consigner.lynkit.io' as the database is not initialized
2019/10/22 10:29:47 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server
2019/10/22 10:29:47 [DEBUG] 1 CA instance(s) running on server
2019/10/22 10:29:47 [INFO] Operation Server Listening on 127.0.0.1:8443
2019/10/22 10:29:47 [INFO] Listening on http://0.0.0.0:7054
```

adarshaJha (Tue, 22 Oct 2019 10:34:29 GMT):
??

adarshaJha (Tue, 22 Oct 2019 10:35:05 GMT):
is there any demo link?

adarshaJha (Tue, 22 Oct 2019 10:59:18 GMT):
Hi @mastersingh24, it worked; I was making a silly mistake after your suggestion.

adarshaJha (Tue, 22 Oct 2019 10:59:42 GMT):
thanks, your help is highly appreciated; for the past 3 days I was stuck on this.

adarshaJha (Tue, 22 Oct 2019 10:59:46 GMT):
now how to add TLS?

adarshaJha (Tue, 22 Oct 2019 11:03:44 GMT):
if I have added postgres as a db in my network, why is it necessary to use LDAP?

adarshaJha (Tue, 22 Oct 2019 11:31:42 GMT):
how to generate peer certificates using LDAP? As for peers we have a different directory structure by default. I know that I have to make changes in the converters section in fabric-ca-server-config.yaml

adarshaJha (Tue, 22 Oct 2019 11:32:19 GMT):
???

adarshaJha (Tue, 22 Oct 2019 12:06:22 GMT):
and if I am using postgres, is it necessary to use LDAP?

adarshaJha (Wed, 23 Oct 2019 06:34:07 GMT):
2019/10/23 06:32:18 [ERROR] Error occurred initializing database: No trusted root certificates for TLS were provided

adarshaJha (Wed, 23 Oct 2019 06:35:05 GMT):
I'm getting this error when I enable TLS; without TLS I was able to connect my ica to postgres.

adarshaJha (Wed, 23 Oct 2019 11:04:42 GMT):
```
Initializing 'postgres' database at 'host=db-postgres port=5432 user=**** password=**** dbname=fabriccaserver sslmode=require'
2019/10/23 09:57:53 [DEBUG] Using postgres database, connecting to database...
2019/10/23 09:57:53 [DEBUG] Database Name: fabriccaserver
2019/10/23 09:57:53 [DEBUG] Connecting to PostgreSQL server, using connection string: host=db-postgres port=5432 user=**** password=**** dbname=fabriccaserver sslmode=require sslrootcert=/etc/hyperledger/fabric-ca-server/ica.consigner.lynkit.io.crt.pem sslcert=/etc/hyperledger/fabric-ca-server/root.crt sslkey=/etc/hyperledger/fabric-ca-server/root.key
2019/10/23 09:57:53 [WARNING] Failed to connect to database 'fabriccaserver'
2019/10/23 09:57:53 [DEBUG] Connecting to PostgreSQL server, using connection string: host=db-postgres port=5432 user=**** password=**** dbname=postgres sslmode=require sslrootcert=/etc/hyperledger/fabric-ca-server/ica.consigner.lynkit.io.crt.pem sslcert=/etc/hyperledger/fabric-ca-server/root.crt sslkey=/etc/hyperledger/fabric-ca-server/root.key
2019/10/23 09:57:53 [WARNING] Failed to connect to database 'postgres'
2019/10/23 09:57:53 [DEBUG] Connecting to PostgreSQL server, using connection string: host=db-postgres port=5432 user=**** password=**** dbname=template1 sslmode=require sslrootcert=/etc/hyperledger/fabric-ca-server/ica.consigner.lynkit.io.crt.pem sslcert=/etc/hyperledger/fabric-ca-server/root.crt sslkey=/etc/hyperledger/fabric-ca-server/root.key
2019/10/23 09:57:53 [WARNING] Failed to connect to database 'template1'
2019/10/23 09:57:53 [ERROR] Error occurred initializing database: Failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [fabriccaserver postgres template1]. Please create one of these database before continuing
```

adarshaJha (Wed, 23 Oct 2019 11:04:58 GMT):
when I try to turn on sslmode it gives me this

adarshaJha (Wed, 23 Oct 2019 11:05:16 GMT):
has anyone added TLS in PostgreSQL

adarshaJha (Wed, 23 Oct 2019 11:05:18 GMT):
?

soumyanayak (Wed, 23 Oct 2019 12:17:58 GMT):
Using this link you can generate certificates for postgres server

soumyanayak (Wed, 23 Oct 2019 12:18:02 GMT):
https://www.postgresql.org/docs/9.5/ssl-tcp.html

soumyanayak (Wed, 23 Oct 2019 12:18:21 GMT):
and there are certain config files to be configured on postgres side

adarshaJha (Wed, 23 Oct 2019 12:18:58 GMT):
can you tell me?

adarshaJha (Wed, 23 Oct 2019 12:19:10 GMT):
what to add?

soumyanayak (Wed, 23 Oct 2019 12:19:12 GMT):
I was able to get up to verify-ca sslmode but am having issues with verify-full mode, which I am currently checking

adarshaJha (Wed, 23 Oct 2019 12:19:15 GMT):
I was following the docs

adarshaJha (Wed, 23 Oct 2019 12:19:47 GMT):
but not successful

adarshaJha (Wed, 23 Oct 2019 12:20:45 GMT):
my fabric-ca-server-config looks like this

soumyanayak (Wed, 23 Oct 2019 12:20:46 GMT):

Clipboard - October 23, 2019 5:50 PM

adarshaJha (Wed, 23 Oct 2019 12:20:47 GMT):
```
db:
  type: postgres
  datasource: host=db-postgres port=5432 user=postgres password=caDbPass12345 dbname=fabriccaserver sslmode=require
  tls:
    enabled: true
    certfiles: ica.consigner.lynkit.io.crt.pem
    client:
      certfile: root.crt
      keyfile: root.key
```

soumyanayak (Wed, 23 Oct 2019 12:21:18 GMT):
first of all, in a folder, using openssl generate the root.crt, server.crt and server.key

adarshaJha (Wed, 23 Oct 2019 12:21:27 GMT):
yes, I have it

adarshaJha (Wed, 23 Oct 2019 12:21:40 GMT):
I saved it in the postgresql-data

adarshaJha (Wed, 23 Oct 2019 12:21:43 GMT):
folder

soumyanayak (Wed, 23 Oct 2019 12:22:27 GMT):
yes, then configure the two conf files: postgresql.conf and pg_hba.conf

soumyanayak (Wed, 23 Oct 2019 12:22:37 GMT):
in the same data folder

adarshaJha (Wed, 23 Oct 2019 12:22:54 GMT):
yes

adarshaJha (Wed, 23 Oct 2019 12:23:08 GMT):
I'm making some mistake in these two files only

soumyanayak (Wed, 23 Oct 2019 12:23:28 GMT):
will send the screenshot of what I had done

adarshaJha (Wed, 23 Oct 2019 12:25:05 GMT):
oh, thank you so much

adarshaJha (Wed, 23 Oct 2019 12:25:15 GMT):
specially pg_hba.conf

soumyanayak (Wed, 23 Oct 2019 12:25:16 GMT):
Clipboard - October 23, 2019 5:55 PM

soumyanayak (Wed, 23 Oct 2019 12:25:28 GMT):
this is postgresql.conf

adarshaJha (Wed, 23 Oct 2019 12:25:38 GMT):
yes

soumyanayak (Wed, 23 Oct 2019 12:25:54 GMT):

Clipboard - October 23, 2019 5:55 PM

adarshaJha (Wed, 23 Oct 2019 12:26:12 GMT):
one mistake I'm making is here in ssl_ca_file: I'm adding my ca-certificate.

soumyanayak (Wed, 23 Oct 2019 12:27:02 GMT):
see if it's going through -- then try the verify-ca and verify-full modes

adarshaJha (Wed, 23 Oct 2019 12:27:11 GMT):
```
# Database and user names containing spaces, commas, quotes and other
# special characters must be quoted. Quoting one of the keywords
# "all", "sameuser", "samerole" or "replication" makes the name lose
# its special character, and just match a database or username with
# that name.
#
# This file is read on server startup and when the server receives a
# SIGHUP signal. If you edit the file on a running system, you have to
# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
# or execute "SELECT pg_reload_conf()".
#
# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records. In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.

# CAUTION: Configuring the system for local "trust" authentication
# allows any local user to connect as any PostgreSQL user, including
# the database superuser. If you do not trust all your local users,
# use another authentication method.

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
# IPv6 local connections:
host    all             all             ::1/128                 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     trust
host    replication     all             127.0.0.1/32            trust
host    replication     all             ::1/128                 trust

host    all             all             all                     md5
```

adarshaJha (Wed, 23 Oct 2019 12:27:19 GMT):
this is my pg_hba.conf

adarshaJha (Wed, 23 Oct 2019 12:27:31 GMT):
okay, @soumyanayak, let me try what you have guided me.

adarshaJha (Wed, 23 Oct 2019 12:27:38 GMT):
and then I will confirm

adarshaJha (Wed, 23 Oct 2019 12:27:40 GMT):
you

soumyanayak (Wed, 23 Oct 2019 12:27:48 GMT):
`host all all all md5` --- modify this line to

soumyanayak (Wed, 23 Oct 2019 12:27:53 GMT):
`hostssl all all all md5`

adarshaJha (Wed, 23 Oct 2019 12:27:54 GMT):
if I will be able to see it with verify-full.

adarshaJha (Wed, 23 Oct 2019 12:28:02 GMT):
okay, thank you so much.

adarshaJha (Wed, 23 Oct 2019 12:28:06 GMT):
means a lot.

MKabanau (Wed, 23 Oct 2019 12:46:41 GMT):
Has joined the channel.

trinayanbhatt (Wed, 23 Oct 2019 12:52:36 GMT):
does anyone have any idea how to register peers and clients using LDAP?

trinayanbhatt (Wed, 23 Oct 2019 12:53:32 GMT):
Has anyone registered clients and peers using LDAP?

adarshaJha (Wed, 23 Oct 2019 12:57:12 GMT):
@soumyanayak can you please check my fabric-ca-server-config.yaml

adarshaJha (Wed, 23 Oct 2019 12:57:14 GMT):
```
db:
  type: postgres
  datasource: host=db-postgres port=5432 user=postgres password=caDbPass12345 dbname=fabriccaserver sslmode=require
  tls:
    enabled: true
    certfiles: ica.consigner.lynkit.io.crt.pem
    client:
      certfile: root.crt
      keyfile: root.key
# depends_on:
```

adarshaJha (Wed, 23 Oct 2019 12:57:46 GMT):

Screenshot from 2019-10-23 18-27-21.png

adarshaJha (Wed, 23 Oct 2019 12:58:11 GMT):
in certfiles I have added my ica's certificate.

adarshaJha (Wed, 23 Oct 2019 12:58:20 GMT):
I guess here also I have to add root.crt?

soumyanayak (Wed, 23 Oct 2019 13:08:56 GMT):
yes, it should be the root.crt certificate path

adarshaJha (Wed, 23 Oct 2019 13:36:55 GMT):

Screenshot from 2019-10-23 19-06-36.png

simran (Wed, 23 Oct 2019 14:17:41 GMT):
Has joined the channel.

soumyanayak (Wed, 23 Oct 2019 16:50:44 GMT):
@adarshaJha Delete the containers and try to start the docker containers again - first postgres and then the fabric-ca - and see

joseph-d-p (Thu, 24 Oct 2019 02:35:16 GMT):
Has joined the channel.

simran (Thu, 24 Oct 2019 07:02:52 GMT):

Screenshot from 2019-10-23 17-42-17.png

simran (Thu, 24 Oct 2019 07:04:13 GMT):

Screenshot from 2019-10-23 17-42-17.png

simran (Thu, 24 Oct 2019 07:04:29 GMT):
`peer channel create -c mychannel -f /tmp/hyperledger/org1/peer1/peer1/assets/channel.tx -o orderer0.example.com:7050 --outputBlock /tmp/hyperledger/org1/peer1/peer1/assets/mychannel.block --tls --cafile /tmp/hyperledger/org1/peer1/peer1/assets/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem`

adarshaJha (Thu, 24 Oct 2019 07:13:55 GMT):
you have issues with your policies in configtx.yaml

adarshaJha (Thu, 24 Oct 2019 07:19:36 GMT):
can you post your configtx.yaml

soumyanayak (Thu, 24 Oct 2019 07:38:07 GMT):
@adarshaJha -- are you able to run postgres in verify-full mode?

caduellery (Thu, 24 Oct 2019 13:01:46 GMT):
Has joined the channel.

adarshaJha (Thu, 24 Oct 2019 13:04:36 GMT):
no, same error

adarshaJha (Thu, 24 Oct 2019 13:04:42 GMT):
only able to run in require mode yet

adarshaJha (Thu, 24 Oct 2019 13:05:11 GMT):
today didn

adarshaJha (Thu, 24 Oct 2019 13:05:18 GMT):
't get a chance to work on the network.

adarshaJha (Thu, 24 Oct 2019 13:05:28 GMT):
got some other work at the office.

adarshaJha (Thu, 24 Oct 2019 13:05:36 GMT):
will be getting back to this tomorrow.

rmscott (Thu, 24 Oct 2019 15:47:06 GMT):
Has joined the channel.

caduellery (Thu, 24 Oct 2019 17:30:02 GMT):
Hi All! What is the recommended practice for production fabric networks regarding CA and certificate management? 1. Generate all nodes (peers, orderers) certificates and client certificates using a trusted CA, and *do not* have Fabric-CA instances in the network? 2. Each participating Org has its own Fabric-CA instance, which is initialized using a certificate issue by an trusted CA outside the network 3. A third option not listed here :-)

caduellery (Thu, 24 Oct 2019 17:30:02 GMT):
Hi All! What is the recommended practice for production fabric networks regarding CA and certificate management? 1. Generate all nodes (peers, orderers) certificates and client certificates using a trusted CA, and *do not* have Fabric-CA instances in the network? 2. Each participating Org has its own Fabric-CA instance, which is initialized using a certificate issue by a trusted CA outside the network 3. A third option not listed here :-)

caduellery (Thu, 24 Oct 2019 17:30:02 GMT):
Hi All! What is the recommended practice for production fabric networks regarding CA and certificate management? 1. Generate all nodes (peers, orderers) certificates and client certificates using a trusted CA, and *do not* have Fabric-CA instances in the network? 2. Each participating Org has its own Fabric-CA instance, which is initialized using a certificate issued by a trusted CA outside the network 3. A third option not listed here :-)

caduellery (Thu, 24 Oct 2019 17:30:02 GMT):
Hi All! What is the recommended practice for production fabric networks regarding CA and certificate management?
1. Generate all nodes (peers, orderers) certificates and client certificates using a trusted CA, and *do not* have Fabric-CA instances in the network?
2. Each participating Org has its own Fabric-CA instance, which is initialized using a certificate issued by a trusted CA outside the network?
3. A third option not listed here :-)

cenkozan (Fri, 25 Oct 2019 10:20:22 GMT):
Has joined the channel.

mastersingh24 (Fri, 25 Oct 2019 14:07:12 GMT):
1. It's very difficult to use the same trusted CA (e.g. DigiCert) to issue enrollment / signing certificates for your nodes because there is no way to differentiate issuers (which means you'd just need to know the MSPID of another org in order to submit / endorse transactions as that org). This is only possible if the CA can issue a unique "OU" attribute for each organization.
2. It's also highly unlikely that you will find a 3rd party CA such as DigiCert which will issue intermediate CA certs that can be used by Fabric CA to sign certificates. You could choose to have a neutral 3rd party which is not DigiCert, etc. issue the intermediate certificates, but this would really be determined by the governance policy of your consortium members.
3. The most common option is for each organization to run its own self-signed Fabric CA.

touchingsoil (Tue, 29 Oct 2019 06:33:31 GMT):
Hi, in fabric ca, if the admin's cert expired, could the registered identity's cert issued by this admin still be available in fabric? In my understanding, fabric will build the cert chain, find the registrar's cert expired, and so the registered identity's cert won't be available.

ahmad-raza (Tue, 29 Oct 2019 10:10:13 GMT):
Hi all. Which one is better and production ready: 1. the credential store and crypto store that are used in the balance transfer sample, or 2. the wallet system that is used in the fabcar sample?

sureshtedla (Tue, 29 Oct 2019 11:21:43 GMT):
Hi All, how to check whether the calling certificate has abac.init=true or false?

sureshtedla (Tue, 29 Oct 2019 12:29:11 GMT):

Clipboard - October 29, 2019 5:31 AM

delao (Tue, 29 Oct 2019 12:54:07 GMT):
you could decode the .pem file with `openssl x509 -noout -text -in <cert.pem>` and see if the attr is there

sureshtedla (Tue, 29 Oct 2019 12:54:33 GMT):

Clipboard - October 29, 2019 5:56 AM

sureshtedla (Tue, 29 Oct 2019 12:55:10 GMT):
at the time of instantiating the chaincode I am getting "abac.init is not found"

sureshtedla (Tue, 29 Oct 2019 12:55:26 GMT):
But I gave abac.init as true

joaquimpedrooliveira (Tue, 29 Oct 2019 13:04:35 GMT):
Are self-signed certificates recommend for **production** environments?

joaquimpedrooliveira (Tue, 29 Oct 2019 13:04:35 GMT):
Are self-signed certificates recommended for **production** environments?

joaquimpedrooliveira (Tue, 29 Oct 2019 13:49:10 GMT):
Although the most common option is number 3, which one would be the best practice for real production networks?

delao (Tue, 29 Oct 2019 13:57:04 GMT):
You could use an external CA (even an OpenSSL command) to create the root certificate for your CA and then use your CA to generate all other certificates

joaquimpedrooliveira (Tue, 29 Oct 2019 13:57:53 GMT):
Thanks for your response. It's option (2) proposed above, is that correct?

caduellery (Tue, 29 Oct 2019 18:45:58 GMT):
Gari, so option 1 would work only if each organization gets its own certificates from different CAs, right?

caduellery (Tue, 29 Oct 2019 18:46:40 GMT):
In an easy way, I mean

tongli (Tue, 29 Oct 2019 20:50:48 GMT):
@smithbk I am trying to use fabric-ca-client enroll to produce the cert and TLS material for a peer, trying to use --enrollment.profile tls, but with or without that flag it made no difference. Can you tell me what I did wrong?

tongli (Tue, 29 Oct 2019 20:50:54 GMT):
here is the command I used.

tongli (Tue, 29 Oct 2019 20:51:21 GMT):
```fabric-ca-client enroll --id.name peer9 --enrollment.profile tls -u https://admin:adminpw@192.168.56.32:7064 --tls.certfiles $(pwd)/../cfg/tls-cert.pem -M peer9```

tongli (Tue, 29 Oct 2019 20:52:06 GMT):
with or without profile tls, the command produces the same result.

mastersingh24 (Wed, 30 Oct 2019 11:39:15 GMT):
What do you mean by "same result"? Did you check the extended attributes?

tongli (Wed, 30 Oct 2019 12:50:50 GMT):
@smithbk I was expecting to see TLS certs, but there are no TLS certs created.

tongli (Wed, 30 Oct 2019 12:51:20 GMT):
same result means it produced the same number of files in the msp directory.

smithbk (Wed, 30 Oct 2019 12:53:17 GMT):
@tongli You have to move the files to the appropriate directory yourself, but the cert produced is a TLS cert when using that option. Use openssl to print the cert and you'll see a difference when using `--enrollment.profile tls`

tongli (Wed, 30 Oct 2019 12:54:22 GMT):
with the above example, are you @smithbk saying that some files won't be created in the peer9 directory?

smithbk (Wed, 30 Oct 2019 13:00:52 GMT):
I'm saying that the cert and key are produced but you'll have to move them to the appropriate directory as expected by MSP for TLS certs.

smithbk (Wed, 30 Oct 2019 13:01:41 GMT):
Again, it has been over a year since I worked on fabric-ca, so perhaps something has changed.

tongli (Wed, 30 Oct 2019 13:24:39 GMT):
@smithbk so where are they produced if not in peer9?

tongli (Wed, 30 Oct 2019 13:25:02 GMT):
with and without that flag, I am not seeing any difference in terms of files created in the peer9 directory.

smithbk (Wed, 30 Oct 2019 13:32:40 GMT):
@tongli They are placed in peer9 as you specified in the -M option. If you want to see which files it produces, just make sure the directory you specify with the -M option is empty before running the command and then check it after running the command

tongli (Wed, 30 Oct 2019 13:33:06 GMT):
@smithbk that is what I did.

tongli (Wed, 30 Oct 2019 13:33:18 GMT):
the directory did not even exist before I ran the command.

tongli (Wed, 30 Oct 2019 13:33:38 GMT):
I used the tree command to see, and also openssl x509 to see their content.

tongli (Wed, 30 Oct 2019 13:33:50 GMT):
the issue is that with profile tls, I am not seeing any TLS cert files.

tongli (Wed, 30 Oct 2019 13:33:56 GMT):
that was my original question.

Swhit210 (Wed, 30 Oct 2019 13:34:07 GMT):
There should only be one set of certs that are created, the TLS certs. The above command will not generate regular certs AND TLS certs. I believe it is suggested to generate regular certs using one CA and then TLS certs using a dedicated TLS CA.

smithbk (Wed, 30 Oct 2019 13:34:19 GMT):
the names of the files will be the same but the content of the cert file will be different

smithbk (Wed, 30 Oct 2019 13:34:32 GMT):
as shown by printing the cert

tongli (Wed, 30 Oct 2019 13:35:37 GMT):
hmmm. @smithbk are you saying that to get both the regular cert and the TLS cert, I run the command twice? Once with the flag, once without the flag?

smithbk (Wed, 30 Oct 2019 13:35:49 GMT):
yes

tongli (Wed, 30 Oct 2019 13:36:01 GMT):
ah, @smithbk ok, let me try that. thanks.

tongli (Wed, 30 Oct 2019 13:36:11 GMT):
I did not think of it that way.

lepar (Wed, 30 Oct 2019 16:20:02 GMT):
+

adarshaJha (Thu, 31 Oct 2019 05:46:48 GMT):
I've added postgres as a db in fabric-ca

soumyanayak (Thu, 31 Oct 2019 07:23:26 GMT):
Were you able to achieve verify-full mode with client verification?

adarshaJha (Thu, 31 Oct 2019 07:39:23 GMT):
no, only using verify-ca

adarshaJha (Thu, 31 Oct 2019 07:39:28 GMT):
at the moment

adarshaJha (Thu, 31 Oct 2019 07:39:58 GMT):
as I have to meet a deadline

adarshaJha (Thu, 31 Oct 2019 09:28:57 GMT):
If I'm using fabric-ca with postgres, is it necessary to use LDAP with it?

adarshaJha (Thu, 31 Oct 2019 09:29:05 GMT):
for production level

soumyanayak (Thu, 31 Oct 2019 10:23:09 GMT):
@smithbk Can you suggest us any link or reference or complete steps for the fabric-ca set up with postgresql for the *verify-full* SSL mode and client verification. We are able to set up till verify-ca successfully.

soumyanayak (Thu, 31 Oct 2019 10:27:16 GMT):
If using LDAP, it will be used in conjunction with MySQL/Postgres. LDAP will be used to enroll a user, but a record of the issued certificate will be stored in the database. The community can correct my understanding if I am wrong: if LDAP is enabled, this disables registration completely and means that the "registry" section of the config is ignored because LDAP is used as the registry. Registration is disabled because it is expected that your registry users use the LDAP APIs rather than "fabric-ca-client register"; registration goes directly to LDAP rather than through the fabric-ca-server.

adarshaJha (Thu, 31 Oct 2019 10:30:15 GMT):
i'm facing issues while mapping

adarshaJha (Thu, 31 Oct 2019 10:30:23 GMT):
attributes from fabric-ca

adarshaJha (Thu, 31 Oct 2019 10:30:54 GMT):
Can I go to production without using ldap and only using postgres as db, because sqlite is not for production level development?

soumyanayak (Thu, 31 Oct 2019 10:31:36 GMT):
Yes, I feel for production it would be good enough, but let the community owners and moderators confirm on this

soumyanayak (Thu, 31 Oct 2019 10:31:44 GMT):
about the best practices

delao (Thu, 31 Oct 2019 16:32:15 GMT):
Hello guys, I am trying to use the fabric-ca-server's API to enroll an identity, and in the request's body I need to pass on the CSR file, so I have two questions: 1 - Is there a template for generating the private keys using OpenSSL? 2 - When I submit the transaction, should I include those `\n` in the CSR or should I just leave one long line?

AllanHansen (Fri, 01 Nov 2019 00:35:26 GMT):
Has joined the channel.

smithbk (Fri, 01 Nov 2019 04:26:37 GMT):
You can use postgres without using LDAP

smithbk (Fri, 01 Nov 2019 04:29:18 GMT):
@soumyanayak Yes, you are correct. If using LDAP, LDAP is used to authenticate to see if you are allowed to enroll (i.e. to get an ecert). Therefore, there is no registration of users.

Randyshu2018 (Fri, 01 Nov 2019 09:55:26 GMT):
fabric's certificate is only support ecdsa signature algorithm ?

mastersingh24 (Fri, 01 Nov 2019 10:02:05 GMT):
Correct

adarshaJha (Mon, 04 Nov 2019 06:57:08 GMT):
can anyone tell which certificate to put where
```
db:
  ...
  tls:
    enabled: true
    certfiles:
      - db-server-cert.pem
    client:
      certfile: db-client-cert.pem
      keyfile: db-client-key.pem
```

adarshaJha (Mon, 04 Nov 2019 06:57:31 GMT):
db-server-cert.pem (which certificate to put here) ca certificate?

adarshaJha (Mon, 04 Nov 2019 06:57:52 GMT):
db-client-cert.pem (ssl certificate of postgres?)

adarshaJha (Mon, 04 Nov 2019 06:58:13 GMT):
db-client-key.pem (ssl key certificate of postgres?)

adarshaJha (Mon, 04 Nov 2019 07:30:59 GMT):
how to Set the clientcert parameter to 1 on the appropriate hostssl line(s) ?

adarshaJha (Mon, 04 Nov 2019 09:18:38 GMT):
Hi sir

adarshaJha (Mon, 04 Nov 2019 10:24:58 GMT):
can anyone tell which certificate to put where
```
db:
  ...
  tls:
    enabled: true
    certfiles:
      - db-server-cert.pem
    client:
      certfile: db-client-cert.pem
      keyfile: db-client-key.pem
```
db-server-cert.pem (which certificate to put here) ca certificate?
db-client-cert.pem (ssl certificate of postgres?)
db-client-key.pem (ssl key certificate of postgres?)

adarshaJha (Mon, 04 Nov 2019 13:08:03 GMT):
has anyone successfully added postgres with sslmode = verify-ca or verify-full ? can anyone help ?

adarshaJha (Mon, 04 Nov 2019 13:14:16 GMT):
https://stackoverflow.com/questions/58694159/how-to-add-postgres-as-a-db-in-hyperledger-fabric-ca-using-sslmode-verify-ca-or

adarshaJha (Mon, 04 Nov 2019 13:48:09 GMT):
anyone in the community who can help with sslmode=verify-ca

adarshaJha (Mon, 04 Nov 2019 13:48:45 GMT):
only able to do it with sslmode=verify-full (using postgres as a db in fabric-ca)

tongli (Mon, 04 Nov 2019 18:25:35 GMT):
@smithbk question on the fabric-ca-client enroll. it seems to me that CN will be always admin in produced signcerts, is there anywhere to change that to something else?

tongli (Mon, 04 Nov 2019 18:29:47 GMT):
I can change the O and OU in the file fabric-ca-client-config.yaml, but changing CN in that file won't do anything. The produced cert still shows CN to be admin (using the openssl command). Any idea @smithbk why it behaves like that? Thanks

tongli (Mon, 04 Nov 2019 18:30:33 GMT):
```Subject: C = US, ST = North Carolina, O = example.com, OU = client, CN = admin```

tongli (Mon, 04 Nov 2019 18:31:19 GMT):
I can change the fabric-ca-client-config.yaml file in the CSR section for C, ST, O, OU, but CN is not taking effect. Any ideas?

smithbk (Mon, 04 Nov 2019 18:59:47 GMT):
The CN is always the enrollment ID

tongli (Mon, 04 Nov 2019 19:33:02 GMT):
@smithbk so what is the appropriate way to enroll a new id which is not admin?

adarshaJha (Tue, 05 Nov 2019 06:34:14 GMT):
anyone in the community who can help with sslmode=verify-ca? only able to do it with sslmode=verify-full (using postgres as a db in fabric-ca)

adarshaJha (Tue, 05 Nov 2019 06:34:31 GMT):
anyone in the community who can help with sslmode=verify-ca? only able to do it with sslmode=verify-full (using postgres as a db in fabric-ca) ???

adarshaJha (Tue, 05 Nov 2019 06:45:10 GMT):
Place certificates of the certificate authorities (CAs) you trust in the file root.crt in the PostgreSQL data directory

Randyshu2018 (Tue, 05 Nov 2019 07:03:45 GMT):
How to change the signature algorithm to RSA ?

adarshaJha (Tue, 05 Nov 2019 07:11:44 GMT):
It feels like this community is not active these days.

adarshaJha (Tue, 05 Nov 2019 07:11:56 GMT):
I see only questions and no answers

simran (Tue, 05 Nov 2019 07:12:28 GMT):
Yeah, I think the same; also no one from them is replying

adarshaJha (Tue, 05 Nov 2019 10:05:30 GMT):
anyone in the community who can help with sslmode=verify-ca? only able to do it with sslmode=verify-full (using postgres as a db in fabric-ca) ???

adarshaJha (Tue, 05 Nov 2019 11:21:40 GMT):
how to use postgres as a db in fabric-ca using verify-ca mode?

adarshaJha (Tue, 05 Nov 2019 11:21:42 GMT):
?

adarshaJha (Tue, 05 Nov 2019 12:21:21 GMT):
I guess everyone busy in conferences

adarshaJha (Tue, 05 Nov 2019 12:44:24 GMT):
how to use postgres as a db in fabric-ca using verify-ca mode?

Raumo0 (Tue, 05 Nov 2019 15:33:02 GMT):
Hello! Please help me understand. I use the cloud (IBM Blockchain Platform) for my blockchain. In the cloud I have my wallet. When I do enroll (HFCAClient.enroll(login, pass) from the org.hyperledger.fabric_ca.sdk package) from the SDK, I only specify my username and password from identity, I do not specify private keys and I cannot understand how everything works. I have an enroll, but where is the transaction signing? The signing of transactions with a private key occurs in the wallet, which is located in the cloud, and I just connect to it remotely? ================ Found the fabric-gateway library (https://github.com/hyperledger/fabric-gateway-java). This library requires you to specify wallet. In this case, transactions must be signed with the private key located in this wallet, right? Then what about the previous scenario, how does it work?

Raumo0 (Tue, 05 Nov 2019 15:33:02 GMT):
Hello! Please help me understand. 1) I use the cloud (IBM Blockchain Platform) for my blockchain. In the cloud I have my wallet. When I do enroll (HFCAClient.enroll(login, pass) from the org.hyperledger.fabric_ca.sdk package) from the SDK, I only specify my username and password from identity, I do not specify private keys and I cannot understand how everything works. I have an enroll, but where is the transaction signing? The signing of transactions with a private key occurs in the wallet, which is located in the cloud, and I just connect to it remotely? 1) Found the fabric-gateway library (https://github.com/hyperledger/fabric-gateway-java). This library requires you to specify wallet. In this case, transactions must be signed with the private key located in this wallet, right? Then what about the previous scenario, how does it work?

Raumo0 (Tue, 05 Nov 2019 15:33:02 GMT):
Hello! Please help me understand. 1) I use the cloud (IBM Blockchain Platform) for my blockchain. In the cloud I have my wallet. When I do enroll (HFCAClient.enroll(login, pass) from the org.hyperledger.fabric_ca.sdk package) from the SDK, I only specify my username and password from identity, I do not specify private keys and I cannot understand how everything works. I have an enroll, but where is the transaction signing? The signing of transactions with a private key occurs in the wallet, which is located in the cloud, and I just connect to it remotely? 2) Found the fabric-gateway library (https://github.com/hyperledger/fabric-gateway-java). This library requires you to specify wallet. In this case, transactions must be signed with the private key located in this wallet, right? Then what about the previous scenario, how does it work?

SimranGoyal (Wed, 06 Nov 2019 05:22:43 GMT):
Has joined the channel.

Salaria_77 (Wed, 06 Nov 2019 10:00:42 GMT):
Hi All, How to enroll entity for tls profile below is my request. ca.enroll({ enrollmentID: abcName, enrollmentSecret: "abcSecret", profile: `tls` })

Salaria_77 (Wed, 06 Nov 2019 10:00:42 GMT):
Hi All, How to enroll entity for tls profile with Tls ca by fabric node sdk below is my request. ca.enroll({ enrollmentID: abcName, enrollmentSecret: "abcSecret", profile: `tls` })

adarshaJha (Wed, 06 Nov 2019 10:49:06 GMT):
has anyone successfully added postgres with sslmode = verify-ca or verify-full ? can anyone help ?

soumyanayak (Wed, 06 Nov 2019 11:15:19 GMT):
For verify-ca mode you can check the old link --> https://chat.hyperledger.org/channel/fabric-ca?msg=Dwu8Gspixnf4Hbu7q

soumyanayak (Wed, 06 Nov 2019 11:15:47 GMT):
for verify-full mode - i was not able to set up

soumyanayak (Wed, 06 Nov 2019 11:16:19 GMT):
@smithbk can you please help on this

andrewhw (Wed, 06 Nov 2019 14:08:53 GMT):
I found the following: `The ReadCertificatePair function allows any user of the blockchain to read the certificate pair of any other user of the blockchain. ` in https://openblockchain.readthedocs.io/en/latest/API/MemberServicesAPI/. 1) does the openblockchain.readthedocs.io site supersede fabric documentation in https://hyperledger-fabric.readthedocs.io/en/release-1.4/? 2) when the quotation refers to `any user of the blockchain` does it mean any user anywhere, and does this imply that there is a mechanism for distributing certificate data behind the scenes from node to node?

andrewhw (Wed, 06 Nov 2019 14:08:53 GMT):
I found the following: `The ReadCertificatePair function allows any user of the blockchain to read the certificate pair of any other user of the blockchain. ` in https://openblockchain.readthedocs.io/en/latest/API/MemberServicesAPI/. 1) does the openblockchain.readthedocs.io site supersede fabric documentation in https://hyperledger-fabric.readthedocs.io/en/release-1.4/? 2) when the quotation refers to `any user of the blockchain` does it mean any user anywhere, and does this imply that there is a mechanism for distributing certificate data behind the scenes from node to node? 3) which site should I use for reading about the CA API?

BrettLogan (Wed, 06 Nov 2019 14:26:56 GMT):
openblockchain.readthedocs.io is very old, you shouldn't be referencing that. It predates the Linux Foundation taking over stewardship of the Fabric project. We are trying to find out who owns it and shut it down.

BrettLogan (Wed, 06 Nov 2019 14:26:56 GMT):
openblockchain.readthedocs.io is very old, you shouldn't be referencing that. We are trying to find out who owns it and shut it down.

BrettLogan (Wed, 06 Nov 2019 14:30:24 GMT):
https://hyperledger-fabric-ca.readthedocs.io/en/latest/

BrettLogan (Wed, 06 Nov 2019 14:30:27 GMT):
This is the fabric-ca doc

andrewhw (Wed, 06 Nov 2019 17:18:34 GMT):
Good luck with that. The readthedocs project for this https://readthedocs.org/projects/openblockchain/ is owned by https://readthedocs.org/profiles/razormind/ and if you google this ID or the name Jawad Yaqub you find a very strange story.

vieiramanoel (Wed, 06 Nov 2019 18:37:16 GMT):
Hey guys, reading about cert generation using an HSM, the docs say that "If you are deploying Fabric nodes using an HSM, your private keys need to be generated inside the HSM rather than inside the keystore folder of the node's local MSP folder." Right now my flow is: create a CSR -> send it through the API at "https://%s:7054/api/v1/enroll" to sign. The problem is, how can I create a CSR if the private key will be generated in the HSM? What is the correct flow? cc/ @mastersingh24 @nyet

adarshaJha (Thu, 07 Nov 2019 07:40:17 GMT):
https://stackoverflow.com/questions/58694159/how-to-add-postgres-as-a-db-in-hyperledger-fabric-ca-using-sslmode-verify-ca-or

soumyanayak (Thu, 07 Nov 2019 09:13:51 GMT):
instead of localhost in the CN -- try with 127.0.0.1

soumyanayak (Thu, 07 Nov 2019 09:14:27 GMT):
did you try with CN=db-postgres?

adarshaJha (Thu, 07 Nov 2019 09:34:25 GMT):
Yes, I did

adarshaJha (Thu, 07 Nov 2019 09:34:57 GMT):
127.0.0.1 at the time of generating client certificate ?

adarshaJha (Thu, 07 Nov 2019 09:36:00 GMT):
let me try this also

SimonSchuler (Thu, 07 Nov 2019 09:57:12 GMT):
Has joined the channel.

SimonSchuler (Thu, 07 Nov 2019 10:00:39 GMT):
Hello everyone. I was wondering if it is possible to configure the cryptogen tool to use ECDSA with secp521r1. Or would I have to use fabric-ca-client to generate all the certs then?

mastersingh24 (Thu, 07 Nov 2019 10:19:48 GMT):
What are you using to generate the CSR? If you use the fabric-ca-client and use the pkcs11 bccsp, then it will generate the private key in the HSM. The same holds true for the SDKs if configured to use pkcs11/HSM

glotov (Thu, 07 Nov 2019 10:28:14 GMT):
hi! Can I use `caClient.enroll({enrollmentID: username, enrollmentSecret: password})` to login a user on a host different from where I previously did `caClient.register(...)`? Yet I always get `Authentication failure` error.

mastersingh24 (Thu, 07 Nov 2019 11:17:05 GMT):
Not sure what you mean? If you don't set up an HA CA, then the CAs will be independent and the enroll call will only work with the CA on which you issued the register call

mastersingh24 (Thu, 07 Nov 2019 11:18:36 GMT):
cryptogen will only generate P256 keys

glotov (Thu, 07 Nov 2019 11:34:36 GMT):
I use the same CA of `Org1`.

vieiramanoel (Thu, 07 Nov 2019 11:36:00 GMT):
Fabric-ca with HSM set and tested. I'm not using the SDK in my application for this, just calling the HTTP API with the CSR created locally. To keep the signing through HTTP instead of using the fabric client, I'll need to generate the private key inside the HSM first, right?

vieiramanoel (Thu, 07 Nov 2019 11:37:47 GMT):
(our application is written in go, by the time I was writing this part the sdk wasn't ready, yet I would like to change the minimum amount of code to achieve that)

mastersingh24 (Thu, 07 Nov 2019 11:38:10 GMT):
The fabric-ca-client and SDKs will actually generate the private key on the HSM if configured to use the HSM

vieiramanoel (Thu, 07 Nov 2019 11:39:34 GMT):
Can you lead me to this part of the ca's code? I'd be grateful

mastersingh24 (Thu, 07 Nov 2019 11:53:59 GMT):
not sure what you mean here?

vieiramanoel (Thu, 07 Nov 2019 11:57:21 GMT):
Sorry. I wanted to see Fabric's implementation for creating a private key in the HSM and the CSR. I believe this is done in fabric-ca-client, right?

mastersingh24 (Thu, 07 Nov 2019 12:19:02 GMT):
it's in the pkcs11 package of fabric/bccsp

adarshaJha (Thu, 07 Nov 2019 12:22:58 GMT):
https://stackoverflow.com/questions/58694159/how-to-add-postgres-as-a-db-in-hyperledger-fabric-ca-using-sslmode-verify-ca-or

delao (Thu, 07 Nov 2019 13:11:10 GMT):
Hello everyone, good morning! I'm facing a little problem regarding the fabric-ca-server's API. I'm trying to enroll an identity using the `.../api/v1/enroll` route but I keep getting this message: `"message": "{\"code\":9002,\"message\":\"CSR Decode failed\"}"`. Can anyone give me an example of the "request" field?

adarshaJha (Thu, 07 Nov 2019 13:24:30 GMT):
https://jira.hyperledger.org/browse/FABC-886

BrettLogan (Thu, 07 Nov 2019 14:41:19 GMT):
@adarshaJha You should be setting `ssl=require` and `sslmode=verify-ca`

BrettLogan (Thu, 07 Nov 2019 14:41:28 GMT):
They are independent of each other

BrettLogan (Thu, 07 Nov 2019 14:56:02 GMT):
@adarshaJha What's in the CA logs when the connection fails? We have a CI test for MySQL that runs with verify-ca (and it is actually testing that verify-ca works); we don't have one for postgres as it's just a smoke test. The CA logs should show us what is failing when establishing the connection

BrettLogan (Thu, 07 Nov 2019 14:56:02 GMT):
@adarshaJha What's in the CA logs when the connection fails? We have a CI test for MySQL that runs with verify-ca (and it is actually testing that verify-ca works); we don't have one for postgres. So we know verify-ca works with the CA, but the logs should show us what is failing when establishing the connection

BrettLogan (Thu, 07 Nov 2019 14:56:02 GMT):
@adarshaJha What's in the CA logs when the connection fails? We have a CI test for MySQL that runs with verify-ca (and it is actually testing that verify-ca works); we don't have one for postgres. The CA logs should show us what is failing when establishing the connection

vieiramanoel (Thu, 07 Nov 2019 16:39:22 GMT):
Thanks

adarshaJha (Fri, 08 Nov 2019 05:01:34 GMT):
@BrettLogan here are my ca logs:

adarshaJha (Fri, 08 Nov 2019 05:02:14 GMT):
I have also added them in the above jira issue:

adarshaJha (Fri, 08 Nov 2019 05:02:26 GMT):
https://jira.hyperledger.org/browse/FABC-886

BrettLogan (Fri, 08 Nov 2019 05:12:17 GMT):
@adarshaJha For some reason, despite you having set the tls enabled variable to true, it is parsing it out as false. Can you exec into the CA container and check its config.yaml to confirm the tls value in it? While in there, can you do an `env` and confirm all the vars you passed in are set. I'll revisit this in my morning (US EST)

BrettLogan (Fri, 08 Nov 2019 05:12:57 GMT):
At least that gives you some idea to poke around with in the meantime

adarshaJha (Fri, 08 Nov 2019 05:21:22 GMT):
@BrettLogan Thank you so much for your help. Let me see the config.yaml. No problem, I will let you know what I found and will wait for your response.

Randyshu2018 (Fri, 08 Nov 2019 05:51:18 GMT):
when using the rsa signature algorithm, createToken got the below error:
```
2019/11/08 13:49:01 [INFO] [::1]:52274 GET /affiliations 401 25 "Invalid token in authorization header: Invalid token format; expecting 2 parts separated by '.'"
```

adarshaJha (Fri, 08 Nov 2019 06:58:28 GMT):
@BrettLogan my db-postgres logs are:
```
docker logs db-postgres
2019-11-08 06:55:52.181 UTC [1] LOG: starting PostgreSQL 12.0 (Debian 12.0-2.pgdg100+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 8.3.0-6) 8.3.0, 64-bit
2019-11-08 06:55:52.181 UTC [1] LOG: listening on IPv4 address "0.0.0.0", port 5432
2019-11-08 06:55:52.181 UTC [1] LOG: listening on IPv6 address "::", port 5432
2019-11-08 06:55:52.630 UTC [1] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2019-11-08 06:55:53.110 UTC [24] LOG: database system was interrupted; last known up at 2019-11-08 06:54:10 UTC
2019-11-08 06:55:57.621 UTC [24] LOG: database system was not properly shut down; automatic recovery in progress
2019-11-08 06:55:57.835 UTC [24] LOG: redo starts at 0/1689558
2019-11-08 06:55:57.835 UTC [24] LOG: invalid record length at 0/1689590: wanted 24, got 0
2019-11-08 06:55:57.835 UTC [24] LOG: redo done at 0/1689558
2019-11-08 06:55:58.605 UTC [1] LOG: database system is ready to accept connections
2019-11-08 06:55:58.633 UTC [25] LOG: could not accept SSL connection: certificate verify failed
2019-11-08 06:55:58.732 UTC [32] LOG: could not accept SSL connection: certificate verify failed
2019-11-08 06:55:58.736 UTC [33] LOG: could not accept SSL connection: certificate verify failed
```

SimonSchuler (Fri, 08 Nov 2019 09:35:45 GMT):
Hello, I am having problems understanding how to get my generated certificates into the deployed CAs. My docker-compose.yaml:
```
ca.simonschuler.de:
  image: hyperledger/fabric-ca
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_NAME=ca.simonschuler.de
    - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.simonschuler.de-cert.pem
    - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/f4135b1fcf8a834f9ca5e4de3c8af4c96978c8e45dac5b94d6c3b2faf702b665_sk
```
Unfortunately it displays the error:
```
[WARNING] &{69 The specified CA certificate file /etc/hyperledger/fabric-ca-server-config/ca.simonschuler.de-cert.pem does not exist}
```
I generated all the certs with cryptogen and they are under ./crypto-config/ Could someone point out my mistake?

adarshaJha (Fri, 08 Nov 2019 10:14:09 GMT):
ls

adarshaJha (Fri, 08 Nov 2019 11:11:06 GMT):
https://jira.hyperledger.org/browse/FABC-887

adarshaJha (Fri, 08 Nov 2019 12:19:23 GMT):
@BrettLogan @soumyanayak

soumyanayak (Fri, 08 Nov 2019 13:31:14 GMT):
Are you mapping the certificates in the volume section of the above service - ca.simonschuler.de ?

soumyanayak (Fri, 08 Nov 2019 13:31:30 GMT):
can you post your volume mapping details

SimonSchuler (Sat, 09 Nov 2019 09:12:37 GMT):
Hey, thanks for the help, yep that was the missing part. I figured it out by adding `volumes: - ./crypto-config/ordererOrganizations/simonschuler.de/ca/:/etc/hyperledger/fabric-ca-server-config`

Chem (Mon, 11 Nov 2019 12:53:38 GMT):
Has joined the channel.

adarshaJha (Mon, 11 Nov 2019 13:04:22 GMT):
@BrettLogan did you find any solution for this JIRA issue ? https://jira.hyperledger.org/browse/FABC-887

ThomasBereczky (Mon, 11 Nov 2019 17:00:05 GMT):
Hey Folks

ThomasBereczky (Mon, 11 Nov 2019 17:00:13 GMT):
I'm trying to create a user with registerUser.js

ThomasBereczky (Mon, 11 Nov 2019 17:00:26 GMT):
but I'm receiving Authorization Failure

ThomasBereczky (Mon, 11 Nov 2019 17:00:33 GMT):
can anyone assist me?

ThomasBereczky (Mon, 11 Nov 2019 17:00:58 GMT):
this is what I see in the CA container:

ThomasBereczky (Mon, 11 Nov 2019 17:00:58 GMT):
```
2019/11/11 16:53:00 [DEBUG] Caller is using a x509 certificate
2019/11/11 16:53:00 [DEBUG] Failed to verify token based on new authentication header requirements: %!s()
2019/11/11 16:53:00 [INFO] 10.0.0.50:54200 POST /api/v1/register 401 26 "Untrusted certificate: Failed to verify certificate: x509: certificate signed by unknown authority"
```

ThomasBereczky (Mon, 11 Nov 2019 17:01:32 GMT):
and on the register:

ThomasBereczky (Mon, 11 Nov 2019 17:01:33 GMT):
```
ubuntu@field2u-node0:~/node0$ sudo docker-compose -f compose-chaincodeTests.yaml up
WARNING: The Docker Engine you're using is running in swarm mode.
Compose does not use swarm mode to deploy services to multiple nodes in a swarm. All containers will be scheduled on the current node.
To deploy your application across the swarm, use `docker stack deploy`.
WARNING: Found orphan containers (peer0.farm2plate.field2u.hyperledgerhosting.com, www.peer0.farm2plate.field2u.hyperledgerhosting.com, couchdb0.farm2plate.field2u.hyperledgerhosting.com, cli.common.field2u.hyperledgerhosting.com, cli.orderer0.field2u.hyperledgerhosting.com, orderer0.field2u.hyperledgerhosting.com, api.com, www.orderer0.field2u.hyperledgerhosting.com, production_nginx, cli.peer0.farm2plate.field2u.hyperledgerhosting.com, ca.farm2plate.field2u.hyperledgerhosting.com) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
Starting chaincodeTests ... done
Attaching to chaincodeTests
chaincodeTests | npm WARN farm2fork@1.0.0 No repository field.
chaincodeTests |
chaincodeTests | audited 1690 packages in 2.568s
chaincodeTests | found 23 vulnerabilities (1 moderate, 20 high, 2 critical)
chaincodeTests | run `npm audit fix` to fix them, or `npm audit` for details
chaincodeTests | Wallet path: /home/node/app/wallet
chaincodeTests | An identity for the admin user "admin" already exists in the wallet
chaincodeTests | Wallet path: /home/node/app/wallet
chaincodeTests | Failed to register user "user1": Error: fabric-ca request register failed with errors [[{"code":20,"message":"Authentication failure"}]]
chaincodeTests exited with code 1
```

Chem (Tue, 12 Nov 2019 05:14:52 GMT):
indy

lepar (Tue, 12 Nov 2019 11:54:47 GMT):
@ThomasBereczky did you register the admin when you started the CA?

ThomasBereczky (Tue, 12 Nov 2019 13:14:51 GMT):
Yes, I did. First I ran enrollAdmin.js

ThomasBereczky (Tue, 12 Nov 2019 13:15:41 GMT):
An identity for the admin user "admin" already exists in the wallet

ThomasBereczky (Tue, 12 Nov 2019 13:15:41 GMT):
this is on a fresh deployment

ThomasBereczky (Tue, 12 Nov 2019 13:15:41 GMT):
this is not on a fresh deployment

ThomasBereczky (Tue, 12 Nov 2019 13:15:41 GMT):
on my deployment scripts the wallet is clean

ThomasBereczky (Tue, 12 Nov 2019 13:15:42 GMT):
it starts up the EC2 instances and deploys the chain

ThomasBereczky (Tue, 12 Nov 2019 13:15:44 GMT):
then the chaincode

ThomasBereczky (Tue, 12 Nov 2019 13:16:22 GMT):
then runs these actions

lepar (Tue, 12 Nov 2019 14:03:16 GMT):
Then you gotta erase that wallet, because it's for an old admin CA, and re-run the enroll admin

ahmad-raza (Tue, 12 Nov 2019 14:06:09 GMT):
Hi All, how can we use fabric-node-sdk to make peer identities, orderer identities, user and admin identities using Fabric-CA, and generate .pem files and key files to start a hyperledger fabric network, to replace cryptogen with Fabric-CA?

ahmad-raza (Tue, 12 Nov 2019 14:06:13 GMT):
???

lepar (Tue, 12 Nov 2019 17:33:18 GMT):
Take a look at this example, it does all that using fabric-ca in a production ready network https://github.com/lepar/hyperledger-fabric-generic-network

DilipManjunatha (Wed, 13 Nov 2019 13:07:04 GMT):
Has joined the channel.

SamYuan1990 (Fri, 15 Nov 2019 06:47:33 GMT):
Has joined the channel.

SatheeshNehru (Fri, 15 Nov 2019 07:58:59 GMT):
whenever the ca container gets started (tls enabled) there are two keys in the keystore: what are they?

SatheeshNehru (Fri, 15 Nov 2019 08:04:11 GMT):
is it possible to get the private key named with a meaningful name instead of randomnumber_sk?

Psingh (Fri, 15 Nov 2019 11:33:17 GMT):
you can change it to mykey.key using command `mv abc_sk mykey.key`

SatheeshNehru (Fri, 15 Nov 2019 11:39:14 GMT):
the problem is, when I start the container there are two keys inside the keystore (not sure which is the tls-key and which is the ca-key)

Psingh (Fri, 15 Nov 2019 11:48:02 GMT):
actually you can check it with an openssl command: fetch the public key part from the certificate and from the key, and then match them

Psingh (Fri, 15 Nov 2019 11:49:38 GMT):
follow this link https://www.sslshopper.com/certificate-key-matcher.html

ownspies (Fri, 15 Nov 2019 19:12:23 GMT):
Hello - question on TLS (both in transit and mutual auth) - what is the best practice for obtaining certificates, is it to use the HLF TLSCA (so register/enroll/copy files) to obtain certs, or just generate certificates outside of HLF TLSCA (thus avoiding the register/enroll process) and distribute the files?

mastersingh24 (Fri, 15 Nov 2019 22:22:57 GMT):
I'm personally not a huge fan of using Fabric CA for TLS certificates but people do use it. But you should make sure you either run a multi-root Fabric CA and/or a separate Fabric CA for TLS certs

Swarantej (Sat, 16 Nov 2019 05:44:20 GMT):
Has joined the channel.

adarshaJha (Sat, 16 Nov 2019 09:29:04 GMT):
can anyone tell what is EnableNodeOUs ?

adarshaJha (Sat, 16 Nov 2019 09:29:42 GMT):
I am creating peer identities using an ica certificate. Can anyone tell me how to pass EnableNodeOUs = true without using cryptogen?

adarshaJha (Sat, 16 Nov 2019 09:31:14 GMT):
I'm using an external ca to create peer and orderer identities. Can anyone let me know how to pass EnableNodeOUs=true for generating these certificates?

ownspies (Sat, 16 Nov 2019 13:29:14 GMT):
Thank you - do you use a public CA or something like Vault or a Private CA as a service?

sudijovski (Sat, 16 Nov 2019 19:47:37 GMT):
hello, any idea on how to build fabric-ca docker images v1.4 with pkcs11 enabled? I've tried building it from source with: "GO_TAGS=pkcs11 make docker", but to no avail. If i build only the binaries, they work without a problem. But in my setup docker containers are favorable.

sudijovski (Sun, 17 Nov 2019 00:26:06 GMT):
I've managed to finally get it working. I needed to edit the Makefile and add '-tags "pkcs11"' flag in build/docker/bin/% target to the go install command.

barney2k7 (Mon, 18 Nov 2019 12:42:29 GMT):
Has joined the channel.

SatheeshNehru (Tue, 19 Nov 2019 12:59:15 GMT):
When I generate an enrollment using the Java fabric CA client I get a cert and key and copy them to the MSP. Is there any option to generate the cert in the MSP structure using the fabric CA client?

Koushik (Tue, 19 Nov 2019 18:44:50 GMT):
Hi guys, quick question: if my fabric-ca container goes down, will the network also go down?

Koushik (Tue, 19 Nov 2019 18:45:54 GMT):
Or is it that I will not have the ability to revoke certs and generate new certs until the container comes up?

Koushik (Tue, 19 Nov 2019 18:46:05 GMT):
Any documentation would be helpful

barney2k7 (Wed, 20 Nov 2019 13:38:02 GMT):
Is 1.4.4 officially released yet? Asking because it is listed here https://github.com/hyperledger/fabric-ca/releases/tag/v1.4.4 but it is not available for download here https://nexus.hyperledger.org/content/repositories/releases/org/hyperledger/fabric-ca/hyperledger-fabric-ca/linux-amd64-1.4.4/hyperledger-fabric-ca-linux-amd64-1.4.4.tar.gz

barney2k7 (Wed, 20 Nov 2019 15:18:53 GMT):
In case anybody else is wondering, this has changed recently: https://jira.hyperledger.org/browse/FAB-17092 . Releases are now on GitHub, and bootstrap.sh will download from there.

SergioTorres (Thu, 21 Nov 2019 11:59:09 GMT):
Has joined the channel.

gentios (Thu, 21 Nov 2019 15:16:54 GMT):
Can we use Fabric CA keys with Yubico Security Keys ( https://www.yubico.com/products/yubikey-hardware/ )?

mastersingh24 (Fri, 22 Nov 2019 08:44:10 GMT):
You can use https://www.yubico.com/products/yubihsm/ with the Fabric CA server and client by using the PKCS11 interface

trinayanbhatt (Fri, 22 Nov 2019 12:59:46 GMT):
Can anyone tell me why the users table is not being populated with user information while registering or enrolling a user in the Postgres DB, when I am using Postgres together with LDAP? LDAP is being used for registration and Postgres for enrollment of the user.

mastersingh24 (Fri, 22 Nov 2019 20:56:30 GMT):
If you choose to use LDAP, then the users table should not be populated; only the certificates tables will be used

caduellery (Fri, 22 Nov 2019 23:12:50 GMT):
rsa

toddinpal (Sat, 23 Nov 2019 13:58:34 GMT):
Fabric-ca isn't used except for CA related operations, so your network will continue to function, as the necessary certificates have already been created. However, as you point out, you will not be able to generate new certs or revoke certs.

trinayanbhatt (Sat, 23 Nov 2019 17:24:28 GMT):
okay thanks @mastersingh24

gentios (Mon, 25 Nov 2019 15:15:43 GMT):
Thank you @mastersingh24

gentios (Mon, 25 Nov 2019 15:19:14 GMT):
@mastersingh24 other than that, how do we secure the Fabric CA keys on the server?

dayerra (Mon, 25 Nov 2019 17:24:02 GMT):
Has joined the channel.

mastersingh24 (Mon, 25 Nov 2019 18:14:20 GMT):
PKCS11 is the way to use any HSM. Other options are basic file system encryption and limiting permissions on the files.

metadata (Tue, 26 Nov 2019 05:43:51 GMT):
Can someone please help with the error below? I'm using the `raft` ordering service and I have generated certs using fabric-ca. Using HLF `v1.4.3`.
```
panic: Failed validating bootstrap block: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: administrators must be declared when no admin ou classification is set
```

trinayanbhatt (Tue, 26 Nov 2019 06:19:03 GMT):
@metadata check for the config.yaml file in the msp directory. It must have OUs defined in that file for admin, peer and client.

metadata (Tue, 26 Nov 2019 06:21:46 GMT):
Actually `fabric-ca` is not generating any config.yml file.
```
msp/
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── admincerts
│   └── Admin@bloquelabs.com-1.pem
├── cacerts
│   └── ca-bloquelabs-com-6054.pem
├── keystore
├── signcerts
└── user
```

metadata (Tue, 26 Nov 2019 06:24:23 GMT):
Is there any way by which I can force `fabric-ca` to generate `config.yml` file?

trinayanbhatt (Tue, 26 Nov 2019 06:24:45 GMT):
Yes, you have to add the config file to that directory when using fabric-ca. When using cryptogen, it automatically creates the config file with organisational identifiers.

trinayanbhatt (Tue, 26 Nov 2019 06:25:27 GMT):
I don't think there is a way to forcefully do that with fabric-ca.

metadata (Tue, 26 Nov 2019 06:25:44 GMT):
ok

trinayanbhatt (Tue, 26 Nov 2019 06:28:33 GMT):
Hey can anyone help with the postgresql cluster setup? Any resource to start with?

trinayanbhatt (Tue, 26 Nov 2019 09:19:38 GMT):
If we have implemented a solution in which we use different CAs for different orgs, can we implement an HSM for a particular org while the rest of the organisations keep using the keystore to store private keys?

guptasndp10 (Tue, 26 Nov 2019 09:43:42 GMT):
Has joined the channel.

metadata (Tue, 26 Nov 2019 11:51:31 GMT):
not working. I'm using this file https://github.com/hyperledger/fabric/blob/release-1.4/sampleconfig/orderer.yaml

metadata (Tue, 26 Nov 2019 11:53:02 GMT):
```yaml
- FABRIC_CFG_PATH=/var/hyperledger/orderer/ordererConfig
working_dir: /opt/gopath/src/github.com/hyperledger/fabric
```
```yaml
volumes:
  - ./ordererConfig:/var/hyperledger/orderer/ordererConfig
```

trinayanbhatt (Tue, 26 Nov 2019 12:39:06 GMT):
https://hyperledger-fabric.readthedocs.io/en/release-1.4/msp.html#identity-classification

trinayanbhatt (Tue, 26 Nov 2019 12:39:11 GMT):
check this out

trinayanbhatt (Tue, 26 Nov 2019 12:39:33 GMT):
https://hyperledger-fabric.readthedocs.io/en/release-1.4/msp.html#msp-setup-on-the-peer-orderer-side

trinayanbhatt (Tue, 26 Nov 2019 12:41:41 GMT):
You also have to pass OU=admin, client, peer or orderer in the CSR of the respective identities while generating certificates using fabric-ca.

vishantkamboj (Wed, 27 Nov 2019 04:13:05 GMT):
Has joined the channel.

xiep (Wed, 27 Nov 2019 09:32:03 GMT):
Has joined the channel.

mastersingh24 (Wed, 27 Nov 2019 12:10:06 GMT):
yes

metadata (Wed, 27 Nov 2019 16:36:32 GMT):
thanks @trinayanbhatt, adding the `config.yaml` file to every msp folder worked. But I have a question: I also have an `admincert` under the `msp/admincerts` directory. Isn't it supposed to work if the `config.yaml` file isn't there?

trinayanbhatt (Thu, 28 Nov 2019 08:58:44 GMT):
Okay, thanks @mastersingh24

trinayanbhatt (Thu, 28 Nov 2019 10:32:50 GMT):
A new feature is implemented in 1.4.3 which allows you to specify an OU (organisational identifier) for admin rather than explicitly putting certificates in the admincerts folder. In crypto-config, one can set EnableNodeOUs to true and this automatically enables OUs for all supported roles. But in the case of Fabric-ca you yourself have to create a config.yaml to enable node OUs.

trinayanbhatt (Thu, 28 Nov 2019 12:06:30 GMT):
I am trying to add a new affiliation in my network using the command line, but I'm getting this error even after passing the force flag: *Error: Response from server: Error Code: 0 - Not supported*

BranimirMalesevic (Thu, 28 Nov 2019 15:54:02 GMT):
Has joined the channel.

aleksandar.nasuovski (Thu, 28 Nov 2019 16:09:30 GMT):
Hello everyone. I noticed an issue when making the docker image for fabric-ca with GO_TAGS=pkcs11 set. If I make the fabric-ca-server binary there is no issue, but when I make docker it looks like there is a problem. Release 1.4

AleksandarNasuovski (Thu, 28 Nov 2019 18:16:03 GMT):
Has joined the channel.

AleksandarNasuovski (Thu, 28 Nov 2019 18:17:09 GMT):
It was resolved.

junki (Fri, 29 Nov 2019 00:50:37 GMT):
Has joined the channel.

junki (Fri, 29 Nov 2019 01:30:10 GMT):
hello everyone.

junki (Fri, 29 Nov 2019 01:34:30 GMT):
hello everyone. I'm using fabric-ca. In a few days my admin certificate will expire, so I reenrolled the admin cert and then updated the channel to my new cert, but it's not applied. When I updated the channel, I got these messages: "WARN De-duplication identity [orgMSP~] at index 1 in signature set" and "WARN Failed to update ordering service endpoints, due to Channel with my-channel id was not found". It's version 1.4.0. Help me pleaseㅜㅜ

karthikeyanb (Fri, 29 Nov 2019 05:57:52 GMT):
Has joined the channel.

karthikeyanb (Fri, 29 Nov 2019 05:57:53 GMT):
Hi, I'm getting an error while creating a channel: Error: got unexpected status: BAD_REQUEST -- error validating channel creation transaction for new channel 'mychannel', could not succesfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied

Salaria_77 (Fri, 29 Nov 2019 10:44:45 GMT):
Can we change the CA for an organisation in a running network?

mastersingh24 (Fri, 29 Nov 2019 12:43:56 GMT):
You can, but then you will need to update that org's MSP info for each channel of which they are a member. You will also want to update the org info in the consortium as well (which is an update to the system channel).

AbigailJesus (Sat, 30 Nov 2019 11:44:29 GMT):
Has joined the channel.

metadata (Sun, 01 Dec 2019 05:45:54 GMT):
Check whether `CORE_PEER_MSPCONFIGPATH` is set to `admin` or not. If the org policy for `Writer` in the configtx.yaml file is set to `ORGMSP.admin` and `CORE_PEER_MSPCONFIGPATH` is not set to admin, then this issue happens. e.g.:
```
CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
```
Community, please correct me if I'm wrong.

VadimInshakov (Mon, 02 Dec 2019 09:17:14 GMT):
**Why do I need affiliation for GetAllIdentities()?** I registered users (with affiliation "org1.department1") using the registrar Admin (without an affiliation field). Then my admin got blocked because the wrong password was entered 10 times. I'm trying to get the user identities using another admin (with an affiliation field). Now I get an error from this code block (dbaccessor.go, 592):
```go
if util.ListContains(types, "*") { // If type is '*', allowed to get back of all types for requested affiliation
	query := "SELECT * FROM users WHERE ((affiliation = ?) OR (affiliation LIKE ?))"
	rows, err := d.db.Queryx("GetFilteredUsers", d.db.Rebind(query))
	if err != nil {
		return nil, errors.Wrapf(err, "Failed to execute query '%s' for affiliation '%s' and types '%s'", query, affiliation, types)
	}
	return rows, nil
}
```
Here is the error message that I get:
```
172.19.0.1:59830 GET /identities?ca=ca.rzd.wheelsets.ru 500 49 "Failed to get users by affiliation and type: Failed to execute query 'SELECT * FROM users WHERE ((affiliation = ?) OR (affiliation LIKE ?))' for affiliation 'org1.department1' and types '*': Not enough args to execute query. Expected 2, got 0."
```
Does it mean that I can't get users that were registered by an admin with another affiliation, right? I need to either (1) change the Admin password or (2) create a new admin, but in case (1) I can't issue a modifyRequest, because it requires an affiliation (if I change it, I will lose the ability to read the registered identities), and in case (2) the newly issued admin will have an affiliation field and will not be able to get the identities.

dayerra (Tue, 03 Dec 2019 11:28:43 GMT):
hello there: I just built the Fabric-ca client and server with pkcs11 opts (go build -tags "pkcs11"). While fabric-ca-server is doing what it is supposed to do (it stores the keys in the SoftHSM), the client throws this error: `Error: Failed to initialize BCCSP Factories: %!s() Could not find default `PKCS11` BCCSP`

dayerra (Tue, 03 Dec 2019 11:29:09 GMT):
any help will be really appreciated

indirajith (Tue, 03 Dec 2019 11:36:29 GMT):
Hi all, I get the following error when starting the orderer:
```
[orderer.consensus.etcdraft] logSendFailure -> ERRO 0f8 Failed to send StepRequest to 1, because: aborted channel=orderersyschannel node=2
2019-12-03 11:27:30.818 UTC [orderer.common.cluster] func1 -> WARN 0f9 Certificate of unidentified node from 192.168.176.103:48702 for channel orderersyschannel expires in less than -2562047h47m16.854775808s
2019-12-03 11:27:30.818 UTC [comm.grpc.server] 1 -> INFO 0fa streaming call completed grpc.service=orderer.Cluster grpc.method=Step grpc.peer_address=192.168.176.103:48702 error="no TLS certificate sent" grpc.code=Unknown grpc.call_duration=354.906µs
```
Is there any intuitive way to troubleshoot errors in the TLS connection?

dayerra (Tue, 03 Dec 2019 11:55:19 GMT):
Already solved, it was not an issue, but I made the configuration of the client wrong. Thank you, anyways

indirajith (Tue, 03 Dec 2019 12:04:00 GMT):
Should we include the IP address in the SAN of the certificate, even if we have DNS resolution, to get rid of the following error?
```
TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=192.168.176.104
```
In my case, should I also include the IP 192.168.176.104 in the SAN beside the name?

Hello all, I have implemented a custom CA server and I am able to successfully run the network, including invoke and query, with the following configs:
```yaml
Readers:
    Type: Signature
    Rule: "OR('abcMSP.member')"
Writers:
    Type: Signature
    Rule: "OR('abcMSP.member')"
Admins:
    Type: Signature
    Rule: "OR('abcMSP.member')"
```
But I want NodeOUs support, with the following:
```yaml
Readers:
    Type: Signature
    Rule: "OR('abcMsp.admin', 'abcMsp.peer', 'abcMsp.client')"
Writers:
    Type: Signature
    Rule: "OR('abcMsp.admin', 'abcMsp.client')"
Admins:
    Type: Signature
    Rule: "OR('abcMsp.admin','abcMsp.client')"
```
Can we use certificates generated by the CA server and CA client binaries as Client, Peer and Admin rather than simply Member? I have also tried putting config.yaml into their msp folder but I am not able to invoke and query.

trinayanbhatt (Tue, 03 Dec 2019 13:51:38 GMT):
@Salaria_77 you have to pass the OU as admin, peer or client in the certificates that you have generated using your fabric-ca.

mastersingh24 (Tue, 03 Dec 2019 15:49:41 GMT):
You can do this, but you'll need to set the OU in the certificates issued by your CA (either the CA can add the OU or you need to include the OU in the CSR you send to your CA). The OUs will of course need to match whatever you have setup in the config.yaml for your MSP(s): https://hyperledger-fabric.readthedocs.io/en/release-1.4/msp.html#identity-classification

AjayKalola (Wed, 04 Dec 2019 04:18:06 GMT):
Hi, how can we regenerate a user's certificate in case of unwanted deletion (in the key store)?

Salaria_77 (Wed, 04 Dec 2019 04:55:28 GMT):
@mastersingh24 Thanks for the reply. I have added the OU in the CSR. Here is the error that I am getting:
```
Failed validating bootstrap block: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: admin 0 is invalid: The identity is not valid under this MSP [abcMSP]: could not validate identity's OUs: the identity must be a client or a peer identity to be valid, not a combination of them. OUs:
```

mastersingh24 (Wed, 04 Dec 2019 07:23:46 GMT):
seems like you might have multiple OUs in the certificate? You can only have one of the identity OUs per certificate

Salaria_77 (Wed, 04 Dec 2019 07:25:38 GMT):
Here is the config file that I have added in the msp folder:
```yaml
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: "cacerts/ca.pem"
    OrganizationalUnitIdentifier: "client"
  PeerOUIdentifier:
    Certificate: "cacerts/ca.pem"
    OrganizationalUnitIdentifier: "peer"
  AdminOUIdentifier:
    Certificate: "cacerts/ca.pem"
    OrganizationalUnitIdentifier: "admin"
```

Salaria_77 (Wed, 04 Dec 2019 07:26:43 GMT):
As you can see, it only contains the path of the root CA. How can the system know about the peer OU if we are only supplying the CA certs?

Salaria_77 (Wed, 04 Dec 2019 08:34:58 GMT):
https://stackoverflow.com/questions/59171822/enabling-peer-client-admin-roles-in-the-policies-using-own-ca-server-not-crypt

Salaria_77 (Wed, 04 Dec 2019 08:36:07 GMT):
Hi all, here is my issue related to the CA server; please find the Stack Overflow link below. https://stackoverflow.com/questions/59171822/enabling-peer-client-admin-roles-in-the-policies-using-own-ca-server-not-crypt

mastersingh24 (Wed, 04 Dec 2019 08:36:57 GMT):
The way the identity check works is that it first checks to see if the certificate was issued by the CA and then it checks to see if it has an OU matching one of the node identifiers.

mastersingh24 (Wed, 04 Dec 2019 08:38:32 GMT):
But the issued certificate can only have one of the node OUs ... seems like the cert you are using might have multiple OUs. You can only have one of `OU=client`, `OU=peer`, `OU=admin` in your certs.

mastersingh24 (Wed, 04 Dec 2019 08:39:51 GMT):
which version of Fabric are you using?

Salaria_77 (Wed, 04 Dec 2019 08:40:10 GMT):
1.4.2

mastersingh24 (Wed, 04 Dec 2019 08:40:51 GMT):
So admin OUs were not added until 1.4.3

Salaria_77 (Wed, 04 Dec 2019 08:43:30 GMT):
But these are working with cryptogen.

mastersingh24 (Wed, 04 Dec 2019 08:44:23 GMT):
cryptogen is generating a proper admin certificate

mastersingh24 (Wed, 04 Dec 2019 08:45:03 GMT):
We'd need to see the admin certificate you are trying to use. `openssl x509 -noout -text -in admin.pem`

Salaria_77 (Wed, 04 Dec 2019 08:47:48 GMT):
Here is the output:
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5a:f8:66:c9:7c:c7:fc:f7:40:28:47:fa:08:a6:96:27:df:44:9f:d8
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = tls-ca
        Validity
            Not Before: Nov 26 08:37:00 2019 GMT
            Not After : Nov 23 08:18:00 2029 GMT
        Subject: OU = user, CN = debut-admin
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:75:a7:5b:bf:02:7a:fd:3e:f6:fd:21:4f:8f:b5:
                    04:f3:80:d0:6b:35:23:82:a8:c7:16:70:8a:0e:bb:
                    52:ae:46:33:c6:5d:53:a7:a4:ba:d3:a3:97:7d:f9:
                    68:20:9a:dc:c1:c8:71:6e:17:46:f0:27:a0:35:a1:
                    95:cf:17:b2:59
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                8D:76:7D:14:C7:E8:54:22:AC:30:AD:22:3F:7D:97:52:4C:A1:2E:6F
            X509v3 Authority Key Identifier:
                keyid:14:FE:8D:A7:D7:A2:69:FF:E8:04:51:B8:EC:87:06:A8:04:78:4D:28
            1.2.3.4.5.6.7.8.1:
                {"attrs":{"hf.Affiliation":"","hf.EnrollmentID":"debut-admin","hf.Type":"user"}}
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:30:05:da:6e:3a:98:b7:79:6d:aa:52:50:2b:c3:
         56:f9:ec:fe:25:0e:f5:76:0c:8e:e6:f2:f9:3e:00:75:6f:9f:
         02:20:41:88:5e:b4:3a:c9:c5:7b:f5:0d:1a:54:1c:bf:ef:d2:
```

Salaria_77 (Wed, 04 Dec 2019 08:47:48 GMT):
Here is the output link. https://pastebin.com/g8AuckZb

Qeven (Thu, 05 Dec 2019 07:00:50 GMT):
Has joined the channel.

Salaria_77 (Thu, 05 Dec 2019 07:20:58 GMT):
@mastersingh24 I have repeated the process with version 1.4.4 and am still facing the same issue.

Salaria_77 (Thu, 05 Dec 2019 07:23:00 GMT):
Here is the admin certificate: https://pastebin.com/GZBgzjWG

indirajith (Thu, 05 Dec 2019 10:41:47 GMT):
indirajith

indirajith (Thu, 05 Dec 2019 10:59:50 GMT):
re

serial-coder (Thu, 05 Dec 2019 13:42:39 GMT):
Has joined the channel.

gentios (Thu, 05 Dec 2019 19:37:58 GMT):
How do I change the fabric-ca signature algorithm from ECDSA to RSA?

yacovm (Thu, 05 Dec 2019 19:44:24 GMT):
Fabric doesn't support RSA in e-certs

gentios (Thu, 05 Dec 2019 20:39:31 GMT):
@yacovm I found it here: https://fabric-ca.readthedocs.io/en/latest/users-guide.html#initializing-the-server does this still apply?

yacovm (Thu, 05 Dec 2019 20:40:32 GMT):
I don't know.... @mastersingh24 ?

Salaria_77 (Fri, 06 Dec 2019 04:01:01 GMT):
@mastersingh24 Is identity classification not supported right now? Is that why, even in the CA operations guide, you have not mentioned the endorsement policy and used the default policy (the -P flag and policies are missing)? Here is the link: https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html#id4

Salaria_77 (Fri, 06 Dec 2019 04:23:24 GMT):
@mastersingh24 Do I have to read the docs? Is there something that I am doing wrong?

Salaria_77 (Fri, 06 Dec 2019 04:30:05 GMT):
@pankajcheema Please have a look into the issue. https://stackoverflow.com/questions/59171822/enabling-peer-client-admin-roles-in-the-policies-using-own-ca-server-not-crypt

karthiknvlr (Fri, 06 Dec 2019 05:52:26 GMT):
Has joined the channel.

ahmad-raza (Fri, 06 Dec 2019 07:05:20 GMT):
`Error: Calling identities/company1?ca=ca-manafa endpoint failed, CONNECTION Timeout` Hi all, how can we increase the timeout?

ahmad-raza (Fri, 06 Dec 2019 07:07:25 GMT):
How can we send thousands of requests to fabric-ca simultaneously? Why does fabric-ca time out most of the time?

SatheeshNehru (Fri, 06 Dec 2019 07:10:13 GMT):
Does fabric-ca internally use OpenSSL?

karthick15v (Fri, 06 Dec 2019 10:34:00 GMT):
Has joined the channel.

karthick15v (Fri, 06 Dec 2019 10:34:01 GMT):
Hi all, I am trying to run fabric-ca-server natively, but I can only get *fabric-ca-client* from the git releases (https://github.com/hyperledger/fabric-ca/releases/download/v1.4.4/hyperledger-fabric-ca-linux-amd64-1.4.4.tar.gz)

karthick15v (Fri, 06 Dec 2019 10:36:21 GMT):
Can anyone point me to the binary location of fabric-ca-server?

ahmad-raza (Fri, 06 Dec 2019 10:40:12 GMT):
`Error: Calling identities/company1?ca=ca-manafa endpoint failed, CONNECTION Timeout` Hi all, how can we increase the timeout? How can we send thousands of requests to fabric-ca simultaneously? Why does fabric-ca time out most of the time?

mastersingh24 (Fri, 06 Dec 2019 14:13:18 GMT):
1) Why would you ever do that? 2) You will need to increase the compute resources used by the CA (and the DB, if using mysql or postgres)

ahmad-raza (Fri, 06 Dec 2019 14:16:25 GMT):
1) I am keeping a record of user identities in the CA. When a user has to run a transaction, I verify via identityservice.getOne() whether the user identity exists or not; if it does not exist, it will be created. 2) What do you mean by compute resources?

mastersingh24 (Fri, 06 Dec 2019 14:18:37 GMT):
1) That should not result in 1000's of transactions per second .... clients should enroll once, and your client can check to see if it has the enrollment material or not. 2) Increase the CPU, memory, file descriptors, etc.

ahmad-raza (Fri, 06 Dec 2019 14:21:03 GMT):
Let's say 1000s of users access the network at the same time, and many of them don't exist yet and identities have to be created?

ahmad-raza (Fri, 06 Dec 2019 14:21:38 GMT):
and I asked one question regarding transactions in the #fabric-questions channel; kindly give your thoughts on that also

mastersingh24 (Fri, 06 Dec 2019 14:22:41 GMT):
ok ... then you'll need to ramp up the compute resources used by the peer. I hope you do get 1000's of clients ... but that means you'll be more successful than any blockchain out there ;)

ahmad-raza (Fri, 06 Dec 2019 14:23:38 GMT):
:joy: maybe I am implementing it wrong

ahmad-raza (Fri, 06 Dec 2019 14:28:34 GMT):
Is it good to create an identity for every user, if we have 1000s of users?

mastersingh24 (Fri, 06 Dec 2019 15:01:31 GMT):
it's fine to have that many users .... just have not seen people with 1000's per second ;)

gentios (Fri, 06 Dec 2019 15:35:43 GMT):
@mastersingh24 can you check this please

karthick15v (Mon, 09 Dec 2019 07:10:39 GMT):
can anyone help me on this

mastersingh24 (Mon, 09 Dec 2019 10:49:10 GMT):
https://nexus.hyperledger.org/content/repositories/releases/org/hyperledger/fabric-ca/hyperledger-fabric-ca/

ahmad-raza (Mon, 09 Dec 2019 13:20:35 GMT):

timeout.png

ahmad-raza (Mon, 09 Dec 2019 14:48:38 GMT):

Screenshot from 2019-12-09 19-48-05.png

ahmad-raza (Mon, 09 Dec 2019 14:48:47 GMT):
??

karthick15v (Tue, 10 Dec 2019 14:14:04 GMT):
Thanks for pointing me to this link, but it still only contains the fabric-ca-client binaries.

mastersingh24 (Tue, 10 Dec 2019 18:38:17 GMT):
oh ... that's right ... we don't actually publish the fabric-ca-server ... you'll have to build it yourself

ahmad-raza (Wed, 11 Dec 2019 12:34:09 GMT):
Is it necessary to run MySQL in a container to configure it with fabric-ca-server? Or can we use a MySQL installed on the local machine with fabric-ca? If yes, then what will be the datasource in the .yaml file?
```
datasource: root:rootpw@tcp(localhost:3306)/fabric_ca?parseTime=true&tls=custom
```
"root" is the user, "rootpw" is the password, "fabric_ca" will be the database name. What is "tcp" after the @ in this string? What is parseTime? And what does tls=custom mean?

emony2019 (Fri, 13 Dec 2019 13:12:23 GMT):
Has joined the channel.

emony2019 (Fri, 13 Dec 2019 13:24:24 GMT):
I would like to create 3 organizational units under Org2 using the first-network sample and configtx. After looking online (link: https://stackoverflow.com/questions/52982952/implementation-of-organization-unit-identifier-in-peer-organisation-causes-order/52991088) I found someone who did this, but it was not clear where I need to add the OU information. I have tried adding it to the crypto-config.yaml with no luck in seeing CAs generated in the msp directory for Org2. My ultimate goal would be to change the policy for my chaincode from using `-P 'AND ('\''Org1MSP.peer'\'','\''Org2MSP.peer'\'')'` to something like `-P 'AND ('\''Org1MSP.department2'\'','\''Org2MSP.department3'\'')'`. I want to be able to decide which nodes/peers belong to which department as well. Thanks in advance for your help!

mastersingh24 (Fri, 13 Dec 2019 18:49:13 GMT):
You can't do that. Have a look at https://stackoverflow.com/a/58282441/6160507 to see the only possible "roles" based on OUs

gravity (Sat, 14 Dec 2019 14:10:48 GMT):
Hello, everyone. Could anyone give me a hint on how to renew (reenroll) signing certificates (for both root and intermediate CAs) + how to reenroll tls certs? what identity should be used in order to do this? Thanks in advance

emony2019 (Sat, 14 Dec 2019 15:04:10 GMT):
Thank you mastersingh24

Rajatsharma (Sun, 15 Dec 2019 18:03:14 GMT):
Hi, has anyone tried configuring and starting a cluster of CAs? I was going through https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#setting-up-multiple-cas but I got confused about how to start this. Can anyone help me with this or share some simple material to follow?

trinayanbhatt (Mon, 16 Dec 2019 06:16:19 GMT):
@Rajatsharma here is a very basic setup of cluster of CAs: https://github.com/trinayanbhatt/LDAP-mysql-fabric

Rajatsharma (Mon, 16 Dec 2019 06:53:22 GMT):
@trinayanbhatt thanks a lot !!!

ShobhitSrivastava (Tue, 17 Dec 2019 07:28:29 GMT):
Hi All,

ShobhitSrivastava (Tue, 17 Dec 2019 07:29:53 GMT):
Hi All, I have to work with attribute based access control; for this I have to get the cid package in my chaincode. Has anyone done it? Let me know the procedure.

Rajatsharma (Tue, 17 Dec 2019 07:32:27 GMT):
@ShobhitSrivastava This is very easy. You can use it just like any other package.

Rajatsharma (Tue, 17 Dec 2019 07:33:38 GMT):
I've used it in golang. To start just add some attributes to the user and fetch them using CID. You'll understand the whole plugin.

metadata (Tue, 17 Dec 2019 08:27:00 GMT):
@ShobhitSrivastava for Golang
```
import "github.com/hyperledger/fabric/core/chaincode/lib/cid"
```
then use it like:
```
userID, err := cid.GetID(stub)
orgID, err := cid.GetMSPID(stub)
```

metadata (Tue, 17 Dec 2019 08:28:41 GMT):
@Rajatsharma Are you using `fabric-sdk-go` too?

Rajatsharma (Tue, 17 Dec 2019 08:29:37 GMT):
No I was using the core library. And you can use it the way you've mentioned.

ShobhitSrivastava (Tue, 17 Dec 2019 08:31:13 GMT):
Thanks for the update, I have already done the code part. The issue is the cid package is not in my peer. How to fetch it and package it so that it is resolved while installing and instantiating chaincode?

Rajatsharma (Tue, 17 Dec 2019 08:31:41 GMT):
If you're using go. You can use go dep.

ShobhitSrivastava (Tue, 17 Dec 2019 08:32:04 GMT):
getting this error "error starting container: error starting container: Failed to generate platform-specific docker build: Error returned from build: 1 "chaincode/input/src/github.com/tf/tf.go:38:3: cannot find package "github.com/hyperledger/fabric/core/chaincode/lib/cid" in any of:

Rajatsharma (Tue, 17 Dec 2019 08:32:49 GMT):
Use the go dep tool for dependency management, if this is a user chaincode. This will work like a wonder.

metadata (Tue, 17 Dec 2019 08:32:51 GMT):
In `chaincode` directory use `dep init` to vendor the packages

ShobhitSrivastava (Tue, 17 Dec 2019 08:33:23 GMT):
okay, trying

ShobhitSrivastava (Tue, 17 Dec 2019 09:15:10 GMT):
I have been trying to install dep on my machine, but no luck. Any info on that?

metadata (Tue, 17 Dec 2019 09:17:37 GMT):
try `go mod`. `dep` isn't necessary. check `go mod` documentation. min go version is 1.11 i guess. I never tried it. AFAIK it also allows you to run the go program outside the gopath

metadata (Tue, 17 Dec 2019 09:18:45 GMT):
for dep, follow below link https://golang.github.io/dep/docs/installation.html

ShobhitSrivastava (Tue, 17 Dec 2019 09:20:34 GMT):
okay, trying

mastersingh24 (Tue, 17 Dec 2019 09:29:13 GMT):
which version of Fabric are you using?

mastersingh24 (Tue, 17 Dec 2019 09:29:43 GMT):
In any case, you should vendor all of your dependencies with your chaincode prior to packaging and installing

ShobhitSrivastava (Tue, 17 Dec 2019 11:15:34 GMT):
I am using 1.4 version. I reckon my machine is having issue getting new modules or clone any new git repo. I will try first sorting this connectivity issue, then work on this packaging.

metadata (Tue, 17 Dec 2019 11:36:25 GMT):
@ShobhitSrivastava for 1.4.3 and later, cid package is at `github.com/hyperledger/fabric-chaincode-go/pkg/cid` clone `fabric-chaincode-go` and `fabric-protos-go`

ShobhitSrivastava (Tue, 17 Dec 2019 13:14:39 GMT):
cool, thanks!!

DollyVolley (Tue, 17 Dec 2019 13:17:11 GMT):
Has joined the channel.

ShobhitSrivastava (Wed, 18 Dec 2019 06:29:37 GMT):
Hi @metadata @Rajatsharma ..I have manually copied the cid package from the fabric-chaincode-go repo to my local machine and in the docker-compose file I have mounted it like "./cid/fabric-chaincode-go-master/pkg/:/opt/go/src/github.com/hyperledger/fabric/core/chaincode/lib/cid ". But still it is giving me the error

ShobhitSrivastava (Wed, 18 Dec 2019 06:30:03 GMT):
the error is /opt/go/src/github.com/hyperledger/fabric/core/chaincode/lib/cid (from $GOROOT) /chaincode/input/src/github.com/hyperledger/fabric/core/chaincode/lib/cid (from $GOPATH) /opt/gopath/src/github.com/hyperledger/fabric/core/chaincode/lib/cid

metadata (Wed, 18 Dec 2019 06:30:32 GMT):
Manually copying the packages won't work. I tried it too.

ShobhitSrivastava (Wed, 18 Dec 2019 06:30:41 GMT):
error : Failed to generate platform-specific docker build: Error returned from build: 1 "chaincode/input/src/github.com/tf/tf.go:38:3: cannot find package "github.com/hyperledger/fabric/core/chaincode/lib/cid" in any of:

ShobhitSrivastava (Wed, 18 Dec 2019 06:31:04 GMT):
okay. Is it I thought so?

Rajatsharma (Wed, 18 Dec 2019 06:31:30 GMT):
The chaincode container is not built directly in the peer container.

metadata (Wed, 18 Dec 2019 06:31:47 GMT):
check this thread. https://chat.hyperledger.org/channel/fabric?msg=7NS5FHEunxuuGJryj i asked the same question few days back

ShobhitSrivastava (Wed, 18 Dec 2019 06:31:54 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=367fe5e7-a71d-4a54-b84a-cb1f5e6da4ff) agree that!!

ShobhitSrivastava (Wed, 18 Dec 2019 06:32:16 GMT):
okay checking

Rajatsharma (Wed, 18 Dec 2019 06:32:30 GMT):
It is using an image, ccenv. So it'll work if you copy into that image. But that's not recommended; you should be using dep or mod.

metadata (Wed, 18 Dec 2019 06:32:46 GMT):
after vendoring it worked for me.

metadata (Wed, 18 Dec 2019 06:34:01 GMT):
Are you facing some issues with dependency management tool?

ShobhitSrivastava (Wed, 18 Dec 2019 06:34:58 GMT):
Thanks Rajat for info. @metadata for vendoring I will have to use dep or mod only? No other option right?

metadata (Wed, 18 Dec 2019 06:37:27 GMT):
https://github.com/golang/go/wiki/PackageManagementTools

ShobhitSrivastava (Wed, 18 Dec 2019 10:49:36 GMT):
I was just about to update you. Just succeeded; it could have been so easy, had my machines not been behind a firewall. Anyway, what I did is create a vendor folder in my chaincode folder and download the dependencies into it, in the same folder structure in which they are referred. Tried it and it worked...thanks for all the info!!

AbhijeetSamanta (Thu, 19 Dec 2019 04:31:48 GMT):
Has joined the channel.

ShobhitSrivastava (Thu, 19 Dec 2019 06:51:15 GMT):
Hi @Rajatsharma @metadata ..after installing/instantiating the code. I am trying to set some attribute while registering a user

ShobhitSrivastava (Thu, 19 Dec 2019 06:51:24 GMT):

Clipboard - December 19, 2019 12:21 PM

ShobhitSrivastava (Thu, 19 Dec 2019 06:52:06 GMT):
and in chaincode I am accessing it via:

ShobhitSrivastava (Thu, 19 Dec 2019 06:52:12 GMT):

Clipboard - December 19, 2019 12:22 PM

ShobhitSrivastava (Thu, 19 Dec 2019 06:52:45 GMT):
But not getting it. Do you guys sense any wrong doing in there?

metadata (Thu, 19 Dec 2019 06:57:32 GMT):
@ShobhitSrivastava I can't help you with this as I'm not using node-sdk. Sorry mate. You can ask this in #fabric-sdk-node group

ShobhitSrivastava (Thu, 19 Dec 2019 07:04:28 GMT):
That is very much okay. No issue. I am using java-sdk for this. :-)

Rajatsharma (Thu, 19 Dec 2019 07:07:16 GMT):
Even I suspect there's some issue while adding the attribute. I use fabric-node-sdk, still I'll send you a code to print all the attributes in the user certificate.

karthick15v (Thu, 19 Dec 2019 07:55:33 GMT):
I am trying to run a fabric-ca cluster with mysql as backend, and recently came across this link https://github.com/trinayanbhatt/LDAP-mysql-fabric

karthick15v (Thu, 19 Dec 2019 07:59:30 GMT):
here both ca0 and ca1 are started with the same cert and key file, whereas _fabric-ca-server start -b admin:adminpw --cacount 2_ (as in the doc) results in two unique instances with their own cert and key.

karthick15v (Thu, 19 Dec 2019 08:03:15 GMT):
can anyone share your view on this and a proper way to provision a CA cluster

ShobhitSrivastava (Thu, 19 Dec 2019 08:46:21 GMT):
okay, that will be good mate!!

Rajatsharma (Thu, 19 Dec 2019 11:50:02 GMT):
You can use this -
```
// cid is github.com/hyperledger/fabric/core/chaincode/lib/cid,
// attrmgr is github.com/hyperledger/fabric-ca/lib/attrmgr
cert, err := cid.GetX509Certificate(stub)
if err != nil {
	attributeLogger.Debug("issue with fetching user", err)
	return []string{}, errors.New(res.InvalidCreator)
}
attrObj, err := attrmgr.New().GetAttributesFromCert(cert)
if err != nil {
	attributeLogger.Debug("error while fetching list of attributes", err)
	return []string{}, errors.New(res.InvalidAttributes)
}
attributes := attrObj.Names()
// attribute list is sorted as by default go randomly arranges map-string
// so we need to sort the attributes to maintain order
sort.Strings(attributes)
```

Rajatsharma (Thu, 19 Dec 2019 11:50:39 GMT):
this will display all the attributes, so you'll get to know whether they were added to the certificate or not

Rajatsharma (Thu, 19 Dec 2019 11:51:08 GMT):
And for this you could try decoding the certificates using openssl tool too.

ShobhitSrivastava (Thu, 19 Dec 2019 13:18:17 GMT):
sure, thanks for this info!! I will try these measures!!

karthick15v (Fri, 20 Dec 2019 09:19:54 GMT):
can anyone help me on this !?

ShobhitSrivastava (Fri, 20 Dec 2019 09:25:30 GMT):
I got these as attribute

ShobhitSrivastava (Fri, 20 Dec 2019 09:25:44 GMT):
[hf.Affiliation hf.EnrollmentID hf.Type]

Rajatsharma (Fri, 20 Dec 2019 10:12:13 GMT):
your attribute was not appended. Check your code for adding attributes

ShobhitSrivastava (Fri, 20 Dec 2019 10:25:59 GMT):
Okay, I will test

Rajatsharma (Fri, 20 Dec 2019 10:42:32 GMT):
I have the javascript code to add attributes

Rajatsharma (Fri, 20 Dec 2019 10:42:46 GMT):
If you need that let me know.

ShobhitSrivastava (Fri, 20 Dec 2019 10:54:13 GMT):
I am using java-sdk. If you can send me plz do. I will try to do the same in java manner

Rajatsharma (Fri, 20 Dec 2019 10:57:10 GMT):
The main register command is:
```
return fabric_ca_client.register({
  enrollmentID: 'USER_ID',
  affiliation: 'org1.department1',
  role: 'client',
  attrs: [
    { 'name': 'CHANNEL_NAME', 'value': JSON.stringify({ 'accessLevel': 'VALUE' }), ecert: true }
  ],
  maxEnrollments: -1
}, admin_user);
```

ChaoLiu (Fri, 20 Dec 2019 11:51:41 GMT):
Has joined the channel.

ShobhitSrivastava (Fri, 20 Dec 2019 11:59:34 GMT):
okay. thanks

mastersingh24 (Sat, 21 Dec 2019 09:34:21 GMT):
Is there something wrong with the documentation: https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#mysql ?

karthick15v (Sat, 21 Dec 2019 09:35:33 GMT):
nope, but what is your view on that git repo

mastersingh24 (Sat, 21 Dec 2019 09:38:55 GMT):
Just took a quick look at that repo ... it seems fine to me ... I will say that if you are trying to set up something for production, you'll of course need to set things up on multiple machines so the Docker Compose piece won't help there ... but overall it lays out the steps fairly well

karthick15v (Sat, 21 Dec 2019 09:45:46 GMT):
but he is using the same cert&key for both the instances, instead of starting with cacount/cafile (as mentioned in the doc)

karthick15v (Sat, 21 Dec 2019 09:46:39 GMT):
can we start a cluster like this

mastersingh24 (Sat, 21 Dec 2019 09:47:29 GMT):
it will work perfectly fine

mastersingh24 (Sat, 21 Dec 2019 09:48:52 GMT):
the one "security" thing to think about is that you might want to have an offline root CA issue an intermediate CA certificate that is used by the fabric-ca-servers in this model rather than directly using the root key .... but there is nothing wrong with multiple instances of a fabric-ca-server using the same key pair

karthick15v (Sat, 21 Dec 2019 09:49:55 GMT):
okay

ShrutiHK (Tue, 24 Dec 2019 07:04:44 GMT):
Hi All, I added a Fabric CA server in my blockchain network - with 1 Org , 2 peers, 1 Orderer on a separate VM setup. I am using java-sdk. I am able to enroll and register users to CA.

ShrutiHK (Tue, 24 Dec 2019 07:05:08 GMT):
But querying and invoking chaincodes fails with access denied error

ShrutiHK (Tue, 24 Dec 2019 07:05:17 GMT):
It is a TLS enabled network

ShrutiHK (Tue, 24 Dec 2019 07:06:12 GMT):
When I replace the identity certificate with that of Admin@org0-cert.pem, it works.

ShrutiHK (Tue, 24 Dec 2019 07:07:01 GMT):
I am unable to understand, what is the issue with my Fabric-CA generated certificates, that do not allow me to query or invoke chaincodes on Org0 peers

ShrutiHK (Tue, 24 Dec 2019 07:07:34 GMT):
Any help is greatly appreciated.

Psingh (Tue, 24 Dec 2019 09:31:31 GMT):
check the `OU` of the the cert that you have generated.

deepaksingh04 (Tue, 24 Dec 2019 13:29:39 GMT):
Has joined the channel.

deepaksingh04 (Tue, 24 Dec 2019 13:29:40 GMT):
Hello All, Can we increase number of kafka in running network?

konda.kalyan (Thu, 26 Dec 2019 05:55:13 GMT):
Has joined the channel.

pouya (Mon, 30 Dec 2019 13:57:55 GMT):
Has joined the channel.

root10 (Tue, 31 Dec 2019 14:42:56 GMT):
Has left the channel.

mastersingh24 (Fri, 03 Jan 2020 15:52:01 GMT):
Yes ... but that's outside the scope of Fabric ... you'd need to follow the Kafka docs for adding brokers ... also this should probably be posted in the fabric channel

mrudav.shukla (Fri, 03 Jan 2020 15:55:30 GMT):
Has anyone been able to spin up the CA with a LetsEncrypt cert? In my case it's not able to persist the keyUsage and basicConstraints values that I provided in the CSR. And is there any other open source public CA that could be used for generating ecdsa based certs for testing purposes, other than openssl?

iramiller (Fri, 03 Jan 2020 18:07:19 GMT):
Hashicorp Vault could be a solution for you.

mastersingh24 (Fri, 03 Jan 2020 20:10:49 GMT):
see my reply in #fabric-crypto - https://chat.hyperledger.org/channel/fabric-crypto?msg=7ece74CX3xFGgpxpn

Tim (Sun, 05 Jan 2020 19:02:57 GMT):
Has joined the channel.

Tim (Sun, 05 Jan 2020 19:02:57 GMT):
Hi guys quick question, when I use fabric-ca-client affiliation add org123 it works but when I try to remove it doesn't, error: Error: Response from server: Error Code: 71 - Authorization failure

roclee (Mon, 06 Jan 2020 03:02:41 GMT):
Has joined the channel.

emony2019 (Mon, 06 Jan 2020 20:07:31 GMT):
GOOD AFTERNOON, Does anyone know what information I can get from cert? Below is the code I am using:
```
// GetCreator returns marshaled serialized identity of the client
serializedID, _ := stub.GetCreator()
sId := &msp.SerializedIdentity{}
err := proto.Unmarshal(serializedID, sId)
if err != nil {
	return shim.Error(fmt.Sprintf("Could not deserialize a SerializedIdentity, err %s", err))
}
bl, _ := pem.Decode(sId.IdBytes)
if bl == nil {
	return shim.Error(fmt.Sprintf("Failed to decode PEM structure"))
}
cert, err := x509.ParseCertificate(bl.Bytes)
```
What I am ultimately wanting to know is: who invoked this transaction?

GregMead (Mon, 06 Jan 2020 21:14:08 GMT):
Has joined the channel.

GregMead (Mon, 06 Jan 2020 21:14:11 GMT):
Just posted https://stackoverflow.com/questions/59619062/running-fabric-ca-natively-could-not-find-default-pkcs11-bccsp Any ideas?

pritam_01 (Tue, 07 Jan 2020 11:16:46 GMT):
Has joined the channel.

mastersingh24 (Tue, 07 Jan 2020 12:10:04 GMT):
I posted a question there in response ... I believe you need to initialize SoftHSM ... but let's carry on in SO rather than RocketChat

GregMead (Tue, 07 Jan 2020 12:48:19 GMT):
OK Thanks Gari, I'll try this morning.

emony2019 (Tue, 07 Jan 2020 12:53:08 GMT):
Good Morning, If anyone has used fabric-ca-server and fabric-ca-client, do you know how I would use it with the Build Your First Network setup Hyperledger provides? I am able to create admins and enroll clients but I don't know how I would connect the two systems yet.

GregMead (Tue, 07 Jan 2020 16:34:03 GMT):

GregMead - Tue Jan 07 2020 11:33:52 GMT-0500 (Eastern Standard Time).txt

georgi (Thu, 09 Jan 2020 07:43:18 GMT):
Has joined the channel.

biligunb (Fri, 10 Jan 2020 06:29:08 GMT):
Has joined the channel.

biligunb (Fri, 10 Jan 2020 06:37:07 GMT):
Hey guys. How can I renew TLS certificates before expiration? (root-ca, orderer, peer's cert files) Do I have to generate new ones and replace the old ones? (is there any sdk method?)

sivasakthivel (Mon, 13 Jan 2020 06:47:04 GMT):
Has joined the channel.

sivasakthivel (Mon, 13 Jan 2020 06:47:05 GMT):
We need to revoke permission for the entity (user, peer, Orderer) to perform any action if their certificates are compromised or expired (Certificates can be either cryptogen generated or issued by fabric CA or by an external CA). What is the process? What commands need to be used? Or is simply deleting or removing the certificates from the stored directory. Thanks in advance

sivasakthivel (Mon, 13 Jan 2020 06:47:05 GMT):
Reenrolling an identity Suppose your enrollment certificate is about to expire or has been compromised. You can issue the reenroll command to renew your enrollment certificate as follows. export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer1 fabric-ca-client reenroll

lionelronaldo (Mon, 13 Jan 2020 08:11:49 GMT):
Has joined the channel.

lionelronaldo (Tue, 14 Jan 2020 06:50:56 GMT):
url

lionelronaldo (Tue, 14 Jan 2020 06:58:46 GMT):
Hi guys! I ran into this problem: The URL for my CA has a subpath at the end, as in example.com/ca . The goal is to run the enrollment command: `FABRIC_CA_CLIENT_HOME=./config fabric-ca-client enroll -u https://peer-admin:PeerAdminPW@example.com/ca -M ./PeerMSP` But now it seems like the fabric-ca-client binary cuts off everything in front of /ca, given this error message: `Error: Failed posting to https://%2Fca:7054/enroll: parse https://%2Fca:7054/enroll: invalid URL escape "%2F"` Isn't it possible to use subpaths? How can I get the fabric-ca-client to work with such a path? Any help is very much appreciated :pray: :slight_smile:

ArthurYongShi (Wed, 15 Jan 2020 07:03:06 GMT):
Has joined the channel.

mastersingh24 (Wed, 15 Jan 2020 11:20:12 GMT):
It's not going to work with the fabric-ca-client and I doubt it will work with any of the SDKs. You'd have to create your own client and directly call the fabric-ca REST APIs in order for this to work.

Salaria_77 (Thu, 16 Jan 2020 07:03:22 GMT):
Hi all, how can we override the connection timeout field for the certificate authority in the connection.json? I am using the fabric client sdk to connect with the ca server; sometimes I get a connection timeout in response while registering some entities like peer, orderer.

rchaturv (Thu, 16 Jan 2020 07:52:56 GMT):
Has joined the channel.

lionelronaldo (Thu, 16 Jan 2020 13:17:24 GMT):
Thank you very much for your response @mastersingh24 :slight_smile:

adityasingh177 (Fri, 17 Jan 2020 16:00:44 GMT):
Has joined the channel.

davidoevans (Fri, 17 Jan 2020 18:21:30 GMT):
When I check `checkcommitreadiness`, am getting: ```{ "approvals": { "Org1MSP": false, "Org2MSP": true } }``` ...but when trying to get the other org to approve, it gives ```committed with status (ENDORSEMENT_POLICY_FAILURE) at Error: transaction invalidated with status (ENDORSEMENT_POLICY_FAILURE)``` I see FAB-17371 was merged but am not completely sure if that would fix this issue...and it doesn't seem to be in latest 2.0.0-beta binaries. Any suggestions on how to fix appreciated.

darkchylde (Sun, 19 Jan 2020 07:02:48 GMT):
Has joined the channel.

darkchylde (Sun, 19 Jan 2020 07:04:12 GMT):
Hi guys, Can someone point me to the resources for getting more information on hf.Registrar.Attributes ? Thanks in advance

mastersingh24 (Sun, 19 Jan 2020 23:49:15 GMT):
Have you looked at https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#registering-a-new-identity ?

darkchylde (Sun, 19 Jan 2020 23:51:28 GMT):
Yes I have looked in to it. I would like to get list of hf reserved attributes. If you can point me to correct direction that would be great ?

mastersingh24 (Sun, 19 Jan 2020 23:59:05 GMT):
I don't know of a list of them in the actual documentation ... they pop up in the documentation in the various sections where they are needed / used. I think the full list is here though: https://github.com/hyperledger/fabric-ca/blob/release-1.4/cmd/fabric-ca-server/config.go#L168-L175

darkchylde (Mon, 20 Jan 2020 00:00:48 GMT):
Got it. Thanks.

Puneeth987 (Mon, 20 Jan 2020 07:42:40 GMT):
hi team, I am facing the below error when changing from sw to pkcs11. I installed softhsm and generated a pin; where do I need to make changes for creating fabric-ca images?
```
root@POCBlockchain:/etc/hyperledger/fabric# fabric-ca-server start -b admin:adminpw
2020/01/20 07:35:31 [INFO] Configuration file location: /etc/hyperledger/fabric/fabric-ca-server-config.yaml
2020/01/20 07:35:31 [INFO] Starting server in home directory: /etc/hyperledger/fabric
2020/01/20 07:35:31 [INFO] Server Version: 2.0.0
2020/01/20 07:35:31 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
Error: Failed to initialize BCCSP Factories: %!s() Could not find default `PKCS11` BCCSP
```

tommyjay (Mon, 20 Jan 2020 20:26:31 GMT):
who exactly is the "registrar" in the context of fabric ca (or normal CAs if applicable) and what is the purpose of "AddAffiliation"?

BrettLogan (Mon, 20 Jan 2020 21:03:25 GMT):
You need to build the docker image with PKCS11 enabled: `GO_TAGS=pkcs11 make docker`

mastersingh24 (Tue, 21 Jan 2020 10:44:51 GMT):
A *registrar* has permission to register new users. The permissions for a registrar can be scoped to an affiliation as well (basically they can only register users under their own affiliation). *AddAffiliation* creates a new affiliation (typically at the root of the affiliation tree) under which a registrar can register new users

mtng (Tue, 21 Jan 2020 11:32:48 GMT):
Hi team, I have been creating the certificates for an infrastructure using the Fabric CA. I have followed this tutorial https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html However, when I'm trying to create the channel I have this error in the orderer:
```
orderer1-org0 | 2020-01-21 11:18:38.923 UTC [core.comm] ServerHandshake -> ERRO 017 TLS handshake failed with error tls: first record does not look like a TLS handshake server=Orderer remoteaddress=172.22.0.10:58168
```
The logs of the cli are the following:
```
Error: failed to create deliver client: rpc error: code = Unavailable desc = transport is closing
```
Any idea why it might fail?

mastersingh24 (Tue, 21 Jan 2020 19:55:19 GMT):
you likely do not have TLS enabled for the CLI

dineshthemacho1 (Wed, 22 Jan 2020 06:04:43 GMT):
Has joined the channel.

AbhijeetSamanta (Thu, 23 Jan 2020 07:56:58 GMT):
Hi all, I am trying to implement the fabric CA in AWS EKS. I want to know some architecture aspects of CA in AWS EKS. I am planning to run the root CA and the TLS CA in different pods so they are separate from each other. Is this the right way to do it? Please advise me if possible.

Antimttr (Thu, 23 Jan 2020 17:16:56 GMT):
OK, so if I wanted to generate all the crypto assets for a new org I'm adding to a channel, if I understand correctly I can do this either with fabric-ca-server or I can do it with openssl, right?

Antimttr (Thu, 23 Jan 2020 17:17:34 GMT):
And what I need to generate is: a CA key, and a x509 cert in PEM format. and a TLS key and cert

Antimttr (Thu, 23 Jan 2020 17:18:11 GMT):
are there any advantages to using openssl to do this versus fabric-ca-server?

Antimttr (Thu, 23 Jan 2020 17:18:14 GMT):
or vice versa?

lionelronaldo (Mon, 27 Jan 2020 15:14:29 GMT):
Hi guys! I wanted to ask if it's possible to invoke fabric-ca actions from within a chaincode? :thinking:

lzaouche (Tue, 28 Jan 2020 09:17:02 GMT):
Has joined the channel.

lionelronaldo (Tue, 28 Jan 2020 15:26:38 GMT):
Another question: Is it possible to assure access control such as ABAC also for the peer nodes? If let's say an Org is running a peer themselves, they can of course access all the data that they store themselves in the ledger. If they want, they can access data that is not meant for them all they want, because they just don't care about some access control. Or am I wrong, and the data is somehow encrypted so that only permissioned entities can decrypt it? Thank you for some honest discussion :slight_smile:

mriehm (Tue, 28 Jan 2020 18:42:50 GMT):
Has joined the channel.

mriehm (Tue, 28 Jan 2020 18:42:50 GMT):
Hi. I am trying to bootstrap up with fabric-ca-client and fabric-ca-server. When the server is started for the first time, it creates some identities. For subsequent enroll/register operations, the client needs access to tls-cert.pem. How can the client gain access to this file? Our environment is Kubernetes, so we can't rely on a shared-volume approach like is used in the docker-compose environment. Ideally I'm looking for a fabric-ca-client command to retrieve the newly-created tls-cert.pem file from the server. Thanks!

Antimttr (Tue, 28 Jan 2020 22:40:33 GMT):
so for cryptogen one of the assets it needs to generate a new org's crypto assets is the Policies section of the configtx.yaml. I am generating this via yaml_emit() native to PHP. This script for some reason does some weird stuff when you try and insert a string with quotation marks:
```
Policies:
  Readers:
    Type: Signature
    Rule: "OR('Org3MSP.admin', 'Org3MSP.peer', 'Org3MSP.client')"
  Writers:
    Type: Signature
    Rule: "OR('Org3MSP.admin', 'Org3MSP.client')"
  Admins:
    Type: Signature
    Rule: "OR('Org3MSP.admin')"
```

Antimttr (Tue, 28 Jan 2020 22:41:03 GMT):
but when I output it, it looks like
```
Policies:
  Readers:
    Type: Signature
    Rule: '"OR(''Org3MSP.admin'', ''Org3MSP.peer'', ''Org3MSP.client'')"'
  Writers:
    Type: Signature
    Rule: '"OR(''Org3MSP.admin'', ''Org3MSP.client'')"'
  Admins:
    Type: Signature
    Rule: '"OR(''Org3MSP.admin'')"'
```

Antimttr (Tue, 28 Jan 2020 22:41:38 GMT):
huh why doesnt the code highlight work anymore

Antimttr (Tue, 28 Jan 2020 22:41:44 GMT):
`test code`

Antimttr (Tue, 28 Jan 2020 22:41:46 GMT):
that worked

Antimttr (Tue, 28 Jan 2020 22:44:58 GMT):
so is this going to break configtxgen?

Antimttr (Tue, 28 Jan 2020 22:48:28 GMT):
maybe ill try a regex replace on the string

Antimttr (Tue, 28 Jan 2020 22:57:46 GMT):
that seemed to work

mastersingh24 (Wed, 29 Jan 2020 19:38:48 GMT):
You really want the root certificate which issued the TLS cert used by the CA. Rather than have the CA generate its own TLS certificate, you should do this out of band (for example using openssl to create a self-signed CA and then issuing the TLS server cert). In either case, you'd need to provide the CA which issues the TLS cert out of band to clients. You might also want to consider using something like CertManager within Kubernetes to generate your TLS certs. You can then mount them in your CA container using secrets. The CertManager root certificate is also available as a secret as well.

Antimttr (Fri, 31 Jan 2020 15:44:11 GMT):
@mastersingh24 what do you recommend for expiration times for root certificates and for intermediary CAs? the article I'm reading says 10 for the root and 5 for the intermediaries, is that what you use?

Antimttr (Fri, 31 Jan 2020 15:44:44 GMT):
also what happens in 5 years? seems like the entire chain would break down if your intermediaries are more than 5 years old

Antimttr (Fri, 31 Jan 2020 15:45:27 GMT):
i was thinking why not make it 30 years for the root ca and then do 15 or 10 for the intermediaries

mastersingh24 (Fri, 31 Jan 2020 16:23:34 GMT):
It is a fairly standard practice to use 10 years for the root and 5 for the intermediate CAs. As expiration nears, you'll need to update the MSP for the org across all channels with an updated intermediate and/or root certificate. There is no issue validating prior transactions.

Antimttr (Fri, 31 Jan 2020 16:26:31 GMT):
thanks for clarifying,

mastersingh24 (Fri, 31 Jan 2020 16:27:32 GMT):
no problem ... of course you are free to set the expiration as you see fit, but most corporate security policies will expect shorter expirations

Antimttr (Fri, 31 Jan 2020 16:29:47 GMT):
yeah that makes sense, when you renew the root ca, i read that it is just a matter of changing the expiration, or would it be better to replace the certificate entirely?

mastersingh24 (Fri, 31 Jan 2020 16:30:26 GMT):
Generally you'd replace it entirely because you'll want to generate a new private key

Antimttr (Fri, 31 Jan 2020 17:34:08 GMT):
Is it better practice to create the TLS CA with a different root ca than the Intermediate CA's? Or can they all be in the same chain?

mastersingh24 (Fri, 31 Jan 2020 18:43:22 GMT):
Given that enrollment and TLS certificates serve two different purposes, and therefore following the best security practice of separation of concerns, you should use a separate root/intermediate for enrollment/signing certs and a separate one for TLS certs

Antimttr (Fri, 31 Jan 2020 22:11:43 GMT):
Is there anything different about the TLS Cert and Keyfile you use to initialize a fabric-ca-server in TLS mode compared to the cert and key used by a regular fabric-ca-server instance?

Antimttr (Fri, 31 Jan 2020 23:21:23 GMT):
looking at the tlsca certs in balance-transfer example they look identical to the ones in ca

Antimttr (Fri, 31 Jan 2020 23:21:38 GMT):
so im going to guess that they're all generated in the same fashion

Antimttr (Mon, 03 Feb 2020 18:55:45 GMT):
OK so I'm writing python scripts to bootstrap a HLF network from scratch. I have all the Root CA's, Intermediate CA, TLS CA and orderer CA/TLSCA certs and keys created properly now. Here's my question: Do i need to give the keys for each of the CA's those fancy long names? example: `a7d47efa46a6ba07730c850fed2c1375df27360d7227f48cdc2f80e505678005_sk`

Antimttr (Mon, 03 Feb 2020 18:56:19 GMT):
I remember from last year I asked about these names and apparently theres some way of generating them but for the life of me i can't remember how you do so, or what they're called now

Antimttr (Mon, 03 Feb 2020 18:56:58 GMT):
is this a critical step or just something that is used by the examples for expedience?

davidoevans (Mon, 03 Feb 2020 19:53:53 GMT):
When starting fabric-ca-server, it creates `tls-cert.pem` and `ca-cert.pem` files. When using the CLI to enroll the admin user, I need to point to the path of the `tls-cert.pem` file -> this works: `fabric-ca-client enroll -u https://admin:adminpw@localhost:8054 --caname ca-org1 --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem` However, when using the fabric-ca node client, I needed to configure the `tlsCACerts` property with the content of the `ca-cert.pem` file to perform the same enroll step.
```
certificateAuthorities:
  ca.org1:
    url: https://localhost:8054
    caName: ca-org1
    tlsCACerts:
      pem: |
        -----BEGIN CERTIFICATE-----
        MIICFjCCAb2gAwIBAgIUUSO/6L0nX1KYl2R1B/x9XnF/w7kwCgYIKoZIzj0EAwIw
        aDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK
        EwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMt
        Y2Etc2VydmVyMB4XDTIwMDIwMzE5MjYwMFoXDTM1MDEzMDE5MjYwMFowaDELMAkG
        A1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBl
        cmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYDVQQDExBmYWJyaWMtY2Etc2Vy
        dmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXwpzakK6pep8S16PfaQWdh9f
        IV7gGmbLB9Mmd9rGDx3GR1sVbd6Dq2gUhFqyHdI1wN2Wozg4r2C8i1Ezz+e6vKNF
        MEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE
        FM2M6fFQkU0QAhDsUnuMrKjFLnlMMAoGCCqGSM49BAMCA0cAMEQCIAF7lXkYhQFO
        gx05zXsUZtzWEBeZeird6Eg6UYURAgIRAiAGtnOMSQBKZL00raEH3sLft+kRr0FF
        C7i20sZ40neaWg==
        -----END CERTIFICATE-----
    httpOptions:
      verify: true
```
Can anyone explain why enrol from CLI works with reference to `tls-cert.pem` while node-sdk works with reference to `ca-cert.pem`?

randyshu (Wed, 05 Feb 2020 01:58:08 GMT):
Has joined the channel.

vieiramanoel (Wed, 05 Feb 2020 20:04:11 GMT):
@troyronda Why does this line make sense in ca api
```
CSR *CSRInfo `json:"csr,omitempty" skip:"true"` // Skipping this because we pull the CSR from the CSR flags
```
I'm trying to fix the inability of fabric-sdk-go to add extra hosts in certificate at enrollment and this line seems strange. I didn't want to keep reading fabric-ca api code to find out if api will always ignore this before sending to server, can you help me with this info? https://github.com/hyperledger/fabric-ca/blob/7a01791ab6bdf535f5cbf3944e84a4412acb26d2/api/client.go#L65

Antimttr (Wed, 05 Feb 2020 21:15:11 GMT):
is it at all important that the RootCA be attached to an actual Fabric-ca-server?

Antimttr (Wed, 05 Feb 2020 21:15:38 GMT):
seems like all it does is sign the intermediateCA's cert, which you dont even need fabric-ca-server, and then best practice is to take it offline entirely

Antimttr (Wed, 05 Feb 2020 21:16:13 GMT):
related question: how important is it that an intermediateCA's "parent server" be online?

Antimttr (Wed, 05 Feb 2020 21:16:42 GMT):
what is the benefit from have a parentCA for an intermediateCA?

rbole (Thu, 06 Feb 2020 06:08:18 GMT):
@Antimttr hi, I am working on the same topic, would you like to share your findings with me? I can share my Github, if you want ?

Antimttr (Thu, 06 Feb 2020 15:37:10 GMT):
yeah i'd love to know the answers to some of these questions that involve the arcane settings that dont get talked about as much

Antimttr (Thu, 06 Feb 2020 15:38:05 GMT):
i looked through some of the sample fabric ca configurations and i haven't been able to find one that actually uses the settings i mentioned

Antimttr (Thu, 06 Feb 2020 21:14:05 GMT):
So i have a fabric-ca running in a docker instance bound to 0.0.0.0, then i nat the port out to a public ip address, but when trying to use fabric-ca-client I'm getting this error: `Post https://X.14.X.136:7150/enroll: x509: certificate is valid for 0.0.0.0, not X.14.X.136`

Antimttr (Thu, 06 Feb 2020 21:14:28 GMT):
is there a setting I can use to override the ip to the public ip address?

Antimttr (Thu, 06 Feb 2020 21:14:35 GMT):
or is this some quality of the certificate itself?

Antimttr (Thu, 06 Feb 2020 21:16:32 GMT):
or is this why we need to use hostnames not ip's when bringing the server up...

Antimttr (Thu, 06 Feb 2020 21:18:53 GMT):
googling yielded `FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0` as the possible cause, changing and retesting

Antimttr (Thu, 06 Feb 2020 21:23:29 GMT):
added my external ip but still getting same error

Antimttr (Thu, 06 Feb 2020 21:38:07 GMT):
ok removing the generated tls-cert.pem and then restarting fixed that error

Antimttr (Thu, 06 Feb 2020 21:38:16 GMT):
now its not accepting my u&p!

Antimttr (Thu, 06 Feb 2020 21:53:25 GMT):
interesting, so its using the admin user and password specified in the server config file instead of the one specified by -b command line parameter

Antimttr (Thu, 06 Feb 2020 21:53:37 GMT):
i would have thought the command line param would override the config file

Antimttr (Thu, 06 Feb 2020 21:53:48 GMT):
similar to how environment overrides config file

ownspies (Thu, 06 Feb 2020 22:52:36 GMT):
@Antimttr the design pattern I'm using is Root CA and Intermediate CA are generated via OpenSSL

ownspies (Thu, 06 Feb 2020 22:52:57 GMT):
the top level HLF CA cert is issued by the offline Intermediate CA

ownspies (Thu, 06 Feb 2020 22:53:13 GMT):
and the CA for each org is a child / intermediate under the HLF CA

ownspies (Thu, 06 Feb 2020 22:53:51 GMT):
so it is Root (offline) -> Intermediate (offline) -> HLF "root" CA -> Org1 CA, Org2 CA, Org3 CA, etc

ownspies (Thu, 06 Feb 2020 22:54:36 GMT):
with this pattern you can (in the future) replace the Root / Intermediate with AWS Private CA or some other full CA system

Antimttr (Thu, 06 Feb 2020 22:55:03 GMT):
are you using the same pattern for your TLSCA?

ownspies (Thu, 06 Feb 2020 22:55:09 GMT):
you can also use the Root -> Intermediate -> TLSCA

Antimttr (Thu, 06 Feb 2020 22:55:36 GMT):
i asked yoda about that, he said it was better to split the tls up with its own root, so thats what i ended up doing

ownspies (Thu, 06 Feb 2020 22:55:44 GMT):
we are signing the TLSCA with that Intermediate ; but we are (currently at least) keeping the TLSCA flat; in the future we will probably create a TLSCA per org

Antimttr (Thu, 06 Feb 2020 22:56:21 GMT):
for your intermediate server did you generate a chain cert?

ownspies (Thu, 06 Feb 2020 22:56:23 GMT):
yeah, it just depends, having a separate root for TLS provides extra isolation

ownspies (Thu, 06 Feb 2020 22:56:43 GMT):
Yes, I *think*, it's been a couple weeks since I looked

Antimttr (Thu, 06 Feb 2020 22:56:52 GMT):
https://medium.com/ibm-garage/using-3rd-party-root-cas-in-hyperledger-fabric-3cafa91d1260

Antimttr (Thu, 06 Feb 2020 22:56:55 GMT):
i followed this guide

ownspies (Thu, 06 Feb 2020 22:56:56 GMT):
the intermediate is signed by the root if that is what you mean

Antimttr (Thu, 06 Feb 2020 22:57:09 GMT):
well that, and it explicitly creates a chain cert

Antimttr (Thu, 06 Feb 2020 22:57:16 GMT):
which has a config file option in fabric-ca-server.yaml

ownspies (Thu, 06 Feb 2020 22:57:42 GMT):
yes using similar, except ours is Root (OpenSSL) -> Intermediate (OpenSSL) -> Intermediate (HLF CA, top level of the HLF network) -> Intermediate (Org CA, top level for an Org)

Antimttr (Thu, 06 Feb 2020 22:58:08 GMT):
interesting

ownspies (Thu, 06 Feb 2020 22:58:34 GMT):
have to run, getting off the bus...

Antimttr (Thu, 06 Feb 2020 22:58:43 GMT):
its too bad that article doesnt go into TLS servers

Antimttr (Thu, 06 Feb 2020 22:58:46 GMT):
ok ttyl

ownspies (Thu, 06 Feb 2020 23:59:28 GMT):
not sure I can help, but let me know what questions you have about TLS

Antimttr (Fri, 07 Feb 2020 00:52:11 GMT):
its up and running and i enrolled the admin but im having trouble registering, getting cert signed by unknown CA

Antimttr (Fri, 07 Feb 2020 00:52:28 GMT):
so i think it has to do with the chaining cert i didnt put in

Antimttr (Fri, 07 Feb 2020 00:52:32 GMT):
but thats only a guess

sanket1211 (Fri, 07 Feb 2020 06:17:20 GMT):
Has joined the channel.

sanket1211 (Fri, 07 Feb 2020 06:18:17 GMT):
[FATAL] Initialization failure: Response from server: Error Code: 0 - enroll handler failed to initialize DB: Failed to open sqlite3 DB: sql: unknown driver "sqlite3" (forgotten import?)

sanket1211 (Fri, 07 Feb 2020 06:18:36 GMT):
how to solve the above error?

metadata (Fri, 07 Feb 2020 08:23:54 GMT):
Hello all, I'm facing a tls issue when deploying fabric-network with dockerswarm. https://stackoverflow.com/questions/60109519/getting-bad-tls-certificate-error-with-docker-swarm-and-hyperledger-fabric please help

jarvis26 (Fri, 07 Feb 2020 09:28:04 GMT):
Hi.. What is the purpose of the `KeyEncipherment` attribute in `KeyUsage` given in TLS certificates issued by Fabric CA. Is this a fundamental requirement for HLF services to work? If so, how?

ownspies (Fri, 07 Feb 2020 12:43:42 GMT):
Can you paste the command and the output you're getting (removing any sensitive info)

Antimttr (Fri, 07 Feb 2020 16:17:37 GMT):
hey, i just re did it this time with the proper chain file in place

Antimttr (Fri, 07 Feb 2020 16:17:50 GMT):
and it worked! :grin:

pvrbharg (Fri, 07 Feb 2020 16:51:48 GMT):
Hi.. What is the purpose of the `KeyEncipherment` attribute in `KeyUsage` given in TLS certificates issued by Fabric CA. Is this a fundamental re

narendranathreddy (Sat, 08 Feb 2020 08:29:20 GMT):
Hello All, I am proud to announce that my book `Mastering Hyperledger Fabric` is now available for pre-order https://www.amazon.com/dp/B084KZP9M7?ref_=pe_3052080_276849420

metadata (Sat, 08 Feb 2020 09:02:16 GMT):
@narendranathreddy Can you please help?

ChrisSargent (Mon, 10 Feb 2020 21:01:01 GMT):
Has joined the channel.

LWIH (Tue, 11 Feb 2020 15:08:24 GMT):
Has joined the channel.

Purbaja (Wed, 12 Feb 2020 10:45:09 GMT):
Hi, instead of cryptogen I have used fabric-ca to generate all crypto certificates. Now when I am trying to start the orderer, I am getting the below error:
```
2020-02-12 10:22:42.988 UTC [orderer.common.server] Start -> PANI 003 Failed validating bootstrap block: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: administrators must be declared when no admin ou classification is set
panic: Failed validating bootstrap block: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: administrators must be declared when no admin ou classification is set
```

ownspies (Wed, 12 Feb 2020 12:59:26 GMT):
My first guess is you have NodeOUs.Enabled = true and your TLS certificates for admin users do not have the correct `OU=admin` value, see https://hyperledger-fabric.readthedocs.io/en/release-1.4/msp.html#organizational-units for details on how this works so you can confirm if that is the issue

Antimttr (Wed, 12 Feb 2020 20:44:47 GMT):
I noticed when a peer is enrolled with a tls profile in fabric-ca-server the MSP is generated with a tlscacert which has a filename that includes a series of increasing numbers: `tls-3-14-72-136-7154.pem` What are these numbers from?

randyshu (Thu, 13 Feb 2020 08:05:11 GMT):
Hi, what should I do if I forgot the enrollmentSecret?

Sandraks94 (Thu, 13 Feb 2020 09:02:42 GMT):
Has joined the channel.

Sandraks94 (Thu, 13 Feb 2020 09:02:47 GMT):
Hi. I have been trying out features of fabric 2.0. In the release note I found that we will get a warning when a certificate is about to expire. Can somebody please explain about this? How is it implemented?

KartikChauhan (Thu, 13 Feb 2020 11:36:31 GMT):
Hello All, Does Fabric support Chinese letters in the enrollment id during enrollment? I tried to register & enroll a user with the name 苏南 on Fabric-CA. The registration is successful but I am getting the below error:
```
error: [FabricCAClientService.js]: Failed to enroll 苏南, error:%o message=Enrollment failed with errors [[{"code":0,"message":"asn1: invalid UTF-8 string"}]], stack=Error: Enrollment failed with errors [[{"code":0,"message":"asn1: invalid UTF-8 string"}]]
```
The error clearly says that the letters are not supported in UTF-8 encoding. Can I change the default encoding while enrolling? If yes, which encoding scheme do I have to use to support Chinese letters?

BrettLogan (Thu, 13 Feb 2020 13:15:11 GMT):
An error message will start showing in the logs a week before expiration

Fiorri (Thu, 13 Feb 2020 20:31:34 GMT):
Has joined the channel.

Fiorri (Thu, 13 Feb 2020 20:31:35 GMT):
Hello! how i can create admin cert with OU=admin. when i start ca - default admin has type client and "hf.Registrar.Roles":"peer,orderer,client,user", and i cant register with --id.type 'admin' .

Antimttr (Thu, 13 Feb 2020 20:46:01 GMT):
I used the fabric-ca ops guide and it worked ok, i used these commands:
```
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/ca/admin
fabric-ca-client enroll -d -u https://rca-org0-admin:rca-org0-adminpw@0.0.0.0:7053
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererpw --id.type orderer -u https://0.0.0.0:7053
fabric-ca-client register -d --id.name admin-org0 --id.secret org0adminpw --id.type admin --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -u https://0.0.0.0:7053
```

Antimttr (Thu, 13 Feb 2020 20:46:43 GMT):
ref: https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html

Sandraks94 (Fri, 14 Feb 2020 05:22:57 GMT):
But even when I am changing the time I am not getting any error in logs

Fiorri (Fri, 14 Feb 2020 06:56:05 GMT):
when I try to register a user with the attribute `--id.type admin`, I get an error: `Registration of 'admin-org0' failed: : scode: 403, local code: 44, local msg: Registrar does not have authority to act on type 'admin', remote code: 71, remote msg: Authorization failure` and my first admin after starting the CA has "hf.Registrar.Roles":"peer,orderer,client,user". I do not know how to increase his rights

dbdagr8 (Fri, 14 Feb 2020 08:36:45 GMT):
Has joined the channel.

dbdagr8 (Fri, 14 Feb 2020 08:36:46 GMT):
Hi, I was trying to create fabric network using fabric-ca. I started my 'ca-tls' container using command 'fabric-ca-client enroll -d -u https://tls-ca-admin:tls-ca-adminpw@0.0.0.0:7052' but while enrolling tls-ca-admin : 'fabric-ca-client enroll -d -u https://tls-ca-admin:tls-ca-adminpw@0.0.0.0:7052' throws authentication failure, while 'fabric-ca-client enroll -d -u https://admin:adminpw@0.0.0.0:7052' works fine. Why is it so?

mastersingh24 (Fri, 14 Feb 2020 11:11:27 GMT):
did you register user `tls-ca-admin` ?

indirajith (Fri, 14 Feb 2020 17:16:34 GMT):
Hi all, is it possible to have one org with node OU disabled and others with the nodeOU enabled option? In the orderer org I have made nodeOU false and peer orgs with nodeOU true. The problem is when the peers join a channel, the peers say the other peer is not eligible for the channel even though they are from the same org.

indirajith (Fri, 14 Feb 2020 17:19:00 GMT):
The logs say, `identity 0 does not satisfy principal: The identity is not a [PEER] under this MSP [org1MSP]: NodeOUs not activated. Cannot tell apart identities. ` Is this because the orderer can not verify the node OUs on the channel as the channel policies are verified by the orderer?

lionelronaldo (Sun, 16 Feb 2020 19:25:12 GMT):
My question is whether you ever got identity mixer (idemix) to work? I only got it so far, that I can read using idemix credentials, but I cannot write. More specifically I can do peer channel fetch config and peer chaincode query but not peer channel list, peer channel join or peer chaincode invoke. Best Regards

zabeth129 (Mon, 17 Feb 2020 05:27:56 GMT):
Has joined the channel.

dbdagr8 (Mon, 17 Feb 2020 05:40:57 GMT):
I was following: https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html#setup-tls-ca

Ewkoll (Mon, 17 Feb 2020 09:40:08 GMT):
Has joined the channel.

mholdmann (Mon, 17 Feb 2020 16:28:01 GMT):
Has joined the channel.

Purbaja (Tue, 18 Feb 2020 13:52:10 GMT):
Hi All, while trying to create a channel from the fabric-sdk client we are getting the below exception: `config update for existing channel did not pass initial checks: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied` Any suggestion?

Antimttr (Tue, 18 Feb 2020 15:55:11 GMT):
@Purbaja the identity of the user making the invocation might be incorrect. just a guess. are you using an org admin?

Purbaja (Wed, 19 Feb 2020 05:52:54 GMT):
yes.. using admin

KartikChauhan (Wed, 19 Feb 2020 12:20:18 GMT):
Is there any use to have multiple contracts in the same chaincode instead of having single contract? Can anyone provide any use case?

PJHaga (Wed, 19 Feb 2020 13:32:22 GMT):
Has left the channel.

Antimttr (Wed, 19 Feb 2020 17:56:10 GMT):
you can do multiple chaincodes in a single channel, not really sure what you mean by multiple contracts in the single chaincode. afaik chaincode is just HLF terminology for a smart contract

barney2k7 (Fri, 21 Feb 2020 08:38:59 GMT):
Is there a difference between 'fabric-ca-client register' and 'fabric-ca-client identity add' (other than the slightly different syntax for the options)?

smithbk (Fri, 21 Feb 2020 12:16:06 GMT):
@barney2k7 No, there is no real difference; however, the `fabric-ca-client identity add` syntax was added later and is the preferred method. It was added to be consistent with the generic " " syntax and going forward it may support options not supported by the `fabric-ca-client register` syntax.

barney2k7 (Fri, 21 Feb 2020 12:19:05 GMT):
Thank you for clarifying!

barney2k7 (Fri, 21 Feb 2020 13:58:04 GMT):
Question about identity types (as in https://hyperledger-fabric-ca.readthedocs.io/en/latest/clientcli.html#identity-command "Type of identity being registered (e.g. 'peer, app, user')"): is it correct that those types need to match the ones in the NodeOU section of the config.yaml (as in https://hyperledger-fabric.readthedocs.io/en/release-1.4/msp.html#identity-classification )? I'm a bit confused by those examples, namely 'app' and 'user'

braduf (Sat, 22 Feb 2020 21:58:19 GMT):
Hi all, when using NodeOU, does an admin also need to have the OU=client or is just having OU=admin enough? Or does it depend on which permissions both client and admin roles received in the configtx.yaml and what you want both to be able to do? Thanks in advance!

pvrbharg (Sun, 23 Feb 2020 21:08:05 GMT):
Hi team - Does anyone know of a Hyperledger Fabric permissioned distributed ledger technology solution from Linux Foundation that does not use fabric-ca as part of the solution, or has fabric-ca capabilities provided by some other equivalent? Please share your wisdom and knowledge, and thank you in advance for any information you may provide. My own thoughts from what I understand are as indicated herein: I feel uncomfortable asking this question, but had to ask in the spirit of due diligence and due care. I cannot imagine this possibility unless one creates a totally separate implementation of fabric-ca capabilities in a roll-my-own fabric-ca, and/or the blockchain network that gets launched remains static after bootstrapping forever [which I cannot imagine either]. I also personally cannot imagine how one can assemble fabric-ca capabilities using open source freebie products or offerings, such as openSSL, LDAP, HSM, fabric-sdk-node integration etc., that is competitive with fabric-ca itself. By definition, blockchain networks are envisioned to be dynamic and things change as the network continues to exist/evolve in terms of memberships or identity lifecycle management or consortium policies, and identities of all actors need to be kept current and be verified 360 degrees at all steps by all parties, for achieving programmed and algorithmic trust. So I am unconvinced that fabric-ca can be totally and completely removed from a Hyperledger Fabric solution without someone writing an alternative implementation of such an equivalent capability, which I am unaware of. THANKS

Antimttr (Sun, 23 Feb 2020 22:47:58 GMT):
@pvrbharg https://medium.com/ibm-garage/using-3rd-party-root-cas-in-hyperledger-fabric-3cafa91d1260

Antimttr (Sun, 23 Feb 2020 22:48:17 GMT):
thats not entirely replacing fabric-ca but it is replacing it at the root ca level

pvrbharg (Sun, 23 Feb 2020 22:56:11 GMT):
@Antimttr - thank you and I agree - my own article in developerWorks establishes this - however this is not the same as removing fabric-ca altogether from the deployed solution. Another way to ask: is fabric-ca optional or required in an intended/recommended/best practices way of architecting a solution? fabric-ca is more than PKI provisioning with openSSL. This is the point that is at issue. Does HLF recommend fabric-ca in an operational deployment as "Required" or "Nice to have" pre-req? I know my answer and I am trying to have my answer validated. Here is my work, and I appreciate your response and providing me with this other article: https://developer.ibm.com/technologies/blockchain/tutorials/hyperledger-fabric-kubernetes-cluster-tls-rhel/

indirajith (Mon, 24 Feb 2020 16:08:10 GMT):
Hi all, I have a doubt: when we register an identity with fabric-ca server, is the --id.type what is used with the NodeOU as OUIdentifier, or the OU we specify in the CSR for fabric-ca-client? To me it's the --id.type but I would like to make sure my understanding is correct.

Antimttr (Mon, 24 Feb 2020 16:10:36 GMT):
@indirajith I believe what you want is the `--csr.hosts` argument to the enroll command, not the register

indirajith (Mon, 24 Feb 2020 18:55:44 GMT):
We need --csr.hosts during enrollment, but the value we use with --id.type during register is the one that ends up as the NodeOU, right? For example `fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2o1PW --id.type peer -u https://localhost:7054`. In this, the --id.type peer is the one we refer to as OUIdentifier, isn't it?

Antimttr (Mon, 24 Feb 2020 19:01:28 GMT):
looks like it

Antimttr (Mon, 24 Feb 2020 19:01:57 GMT):
csr.hosts would become the subject alternative names

indirajith (Mon, 24 Feb 2020 19:05:12 GMT):
Yes, these are important when we use them for TLS connections. So the OU field in the CSR we fill does not end up in the config.yaml NodeOU configuration; rather the --id.type is referred to as the OU identifier there.

ronakdoshi (Mon, 24 Feb 2020 19:18:21 GMT):
Has joined the channel.

dbdagr8 (Wed, 26 Feb 2020 06:25:35 GMT):

Screenshot from 2020-02-26 11-53-39.png

metadata (Wed, 26 Feb 2020 10:12:25 GMT):
Hi all, I'm getting the error below when trying to restore the fabric network including all the previous data. I'm using docker swarm. `panic: Error opening leveldb: open /var/hyperledger/production/ledgersData/ledgerProvider/LOCK: permission denied` I'm following this link: https://medium.com/@jariarud/hyperledger-fabric-backup-and-restore-3263561e259e

BrettLogan (Wed, 26 Feb 2020 12:43:05 GMT):
@dbdagr8 did you build fabric-ca with PKCS11 enabled? The images and binaries we publish don't have it enabled

Koushik (Thu, 27 Feb 2020 01:52:51 GMT):
@metadata if you are using CouchDB then check your CouchDB settings

Koushik (Thu, 27 Feb 2020 01:53:42 GMT):
I got a similar error when I did not set my CouchDB settings. Got confused because it said leveldb in the error just like yours, but when I corrected my CouchDB configs the error went away

metadata (Thu, 27 Feb 2020 05:30:59 GMT):
Yes, I'm using CouchDB. Can you please share what kind of settings?

dbdagr8 (Thu, 27 Feb 2020 06:28:31 GMT):
Yes, I built the images and all required binaries with GOTAGS=pkcs11

popopame (Thu, 27 Feb 2020 11:34:46 GMT):
Has joined the channel.

alokkv (Thu, 27 Feb 2020 12:41:53 GMT):

Clipboard - February 27, 2020 6:11 PM

alokkv (Thu, 27 Feb 2020 12:42:03 GMT):
Has joined the channel.

alokkv (Thu, 27 Feb 2020 12:42:05 GMT):
hi friends, I am trying to register peer, client, admin and orderer using the CA. All registrations were successful except admin. I don't understand the error. The following is the command I used: `fabric-ca-client register --caname ca-org1 --id.name org1admin --id.secret org1adminpw --id.type admin --id.attrs '"hf.Registrar.Roles=admin"' --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem`. I am attaching the error screenshot below. Can anyone please help?

alokkv (Thu, 27 Feb 2020 12:43:39 GMT):

Clipboard - February 27, 2020 6:13 PM

alokkv (Thu, 27 Feb 2020 12:44:10 GMT):
Clipboard - February 27, 2020 6:14 PM

alokkv (Thu, 27 Feb 2020 12:46:24 GMT):
docker-compose-ca.yaml:
```yaml
version: "2"
services:
  ca0:
    image: hyperledger/fabric-ca:1.4.4
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=ca-org1
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_PORT=7054
    ports:
      - "7054:7054"
    command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
    volumes:
      - ./organizations/fabric-ca/org1:/etc/hyperledger/fabric-ca-server
    container_name: ca_org1
```

ashutosh_kumar (Fri, 28 Feb 2020 15:16:17 GMT):
your SoftHSM lib is not getting loaded.

Antimttr (Sun, 01 Mar 2020 06:35:47 GMT):
reading about fabric-ca it occurred to me: are you supposed to re-enroll the identity for every invocation of the chaincode, or should you be caching the enrollment certs for repeated use?

qwertlimframe (Mon, 02 Mar 2020 05:10:04 GMT):
Has joined the channel.

barney2k7 (Mon, 02 Mar 2020 08:05:56 GMT):
There's a bug in the user guide: the table that lists all the attributes that can be registered for an identity is missing

barney2k7 (Mon, 02 Mar 2020 08:06:33 GMT):
Clipboard - March 2, 2020 9:06 AM

barney2k7 (Mon, 02 Mar 2020 08:07:13 GMT):
This is in https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#registering-a-new-identity

barney2k7 (Mon, 02 Mar 2020 08:07:43 GMT):
I have also prepared a PR to fix this: https://github.com/hyperledger/fabric-ca/pull/96

barney2k7 (Mon, 02 Mar 2020 08:08:23 GMT):
Can anyone of the maintainers please review and merge this PR?

barney2k7 (Mon, 02 Mar 2020 08:09:54 GMT):
And, while you're at it, there's also a second PR that fixes the dead link for the fabric-ca-client binary download: https://github.com/hyperledger/fabric-ca/pull/92

barney2k7 (Mon, 02 Mar 2020 08:10:05 GMT):
Thank you

BrettLogan (Mon, 02 Mar 2020 14:17:43 GMT):
I'll poke one of our Maintainers this morning for a merge

barney2k7 (Mon, 02 Mar 2020 14:20:37 GMT):
Thank you

BrettLogan (Mon, 02 Mar 2020 15:00:09 GMT):
Got both in, thanks for the contribution!

rtorres (Tue, 03 Mar 2020 09:53:09 GMT):
Has left the channel.

Antimttr (Wed, 04 Mar 2020 19:51:14 GMT):
hey quick question, when you re-enroll an identity with fabric-ca-server which previously had a set of enrollment artifacts, are those existing keys automatically added to the revocation list upon the new enrollment?

Swhite215 (Wed, 04 Mar 2020 19:58:28 GMT):
Has joined the channel.

Swhite215 (Wed, 04 Mar 2020 19:58:29 GMT):
I don't think so. I was under the impression you had to explicitly revoke enrollment for an identity and then update the MSP's revocation list. The revoke command doesn't even automatically update the CRL

Antimttr (Wed, 04 Mar 2020 20:29:52 GMT):
so when I enroll identities with fabric-ca, user identities specifically, it's putting a default SAN in the sign cert which is unnecessary (none of the user sign certs in the example MSPs have them). There is a flag (-m) to specify the SAN hostname in the fabric-ca-client command, but there doesn't seem to be a way to turn off the SAN altogether. Anyone know of a way?

Antimttr (Wed, 04 Mar 2020 20:30:08 GMT):
I really don't want the hostname of the box I used to run fabric-ca-client in the certificates

rbole (Wed, 04 Mar 2020 23:16:12 GMT):
I think it is because admin is a predefined user; you don't need to register the user, just enroll it

Mozer18 (Fri, 06 Mar 2020 12:10:43 GMT):
Has joined the channel.

zakariahere (Sat, 07 Mar 2020 17:49:20 GMT):
Has joined the channel.

zakariahere (Sat, 07 Mar 2020 17:49:21 GMT):
Hey guys, does anybody know how to make an affiliation the root affiliation in the fabric-ca-server config file? Much appreciated

zakariahere (Sun, 08 Mar 2020 04:30:57 GMT):
Ok I found a very nice tutorial and apparently docker is necessary for running a network

zakariahere (Sun, 08 Mar 2020 04:30:58 GMT):
https://medium.com/@Alibaba_Cloud/building-a-hyperledger-fabric-network-from-scratch-f262d8b1790

BrettLogan (Sun, 08 Mar 2020 04:59:55 GMT):
Docker is absolutely not necessary for running any component of fabric. All the docker images do is simply call the binaries, nothing you couldn't do on your own

BrettLogan (Sun, 08 Mar 2020 05:00:53 GMT):
With 2.0, docker is no longer necessary; you can use the external builder to run chaincode in any manner you choose

zakariahere (Sun, 08 Mar 2020 07:51:08 GMT):
Cool, but all the docs rely on docker and the samples are kinda already-made scripts :/

obelix (Sun, 08 Mar 2020 14:51:21 GMT):
Has joined the channel.

Abhishekkishor (Wed, 11 Mar 2020 15:58:39 GMT):
Has joined the channel.

Antimttr (Wed, 11 Mar 2020 16:33:13 GMT):
What is the functional difference between identities that have been marked OU=client and OU=user?

Antimttr (Wed, 11 Mar 2020 16:33:43 GMT):
I noticed that in first-network the admincerts in the peer MSPs have all been marked OU=client

Antimttr (Wed, 11 Mar 2020 16:34:01 GMT):
but in my own setup following the Fabric-ca ops guide I generated an admin cert with OU=user

Antimttr (Wed, 11 Mar 2020 16:34:53 GMT):
now after I've included the first-network policies in my channel/genesis block creation configtx.yaml I am unable to join peers to the channel because they satisfy no policies

Antimttr (Wed, 11 Mar 2020 19:19:48 GMT):
it seems like OU=user might be a holdover from an older version of HLF?

Antimttr (Wed, 11 Mar 2020 19:20:01 GMT):
the only place I've ever seen it is in that fabric-ca operations guide

Antimttr (Wed, 11 Mar 2020 19:20:07 GMT):
which seems old but I'm not sure how old it is

Antimttr (Wed, 11 Mar 2020 19:20:23 GMT):
@BrettLogan can you shed any light on this question?

BrettLogan (Wed, 11 Mar 2020 19:27:02 GMT):
We should start with, the names of the OU's are configurable. The names really have no meaning. You need to look in your config.yaml in the NodeOU section and see what names you've assigned to each OU.

Antimttr (Wed, 11 Mar 2020 19:27:30 GMT):
I generated all my crypto by hand for my network and I hadn't heard of the config.yaml when I did it

Antimttr (Wed, 11 Mar 2020 19:27:33 GMT):
I'm only reading about it now

BrettLogan (Wed, 11 Mar 2020 19:27:46 GMT):
So you only have the default names

Antimttr (Wed, 11 Mar 2020 19:27:49 GMT):
I was using balance-transfer as a model, which doesn't use them either

Antimttr (Wed, 11 Mar 2020 19:28:07 GMT):
also balance transfer has no policies defined in configtx.yaml

Antimttr (Wed, 11 Mar 2020 19:28:19 GMT):
and neither does the configtx.yaml provided in the fabric-ca ops guide

BrettLogan (Wed, 11 Mar 2020 19:28:21 GMT):

Filename

Antimttr (Wed, 11 Mar 2020 19:28:26 GMT):
but I guess both of those are older examples?

Antimttr (Wed, 11 Mar 2020 19:29:27 GMT):
also I saw in the first-network MSP, which I'm now picking apart, that the orderer's msp doesn't use config.yaml files either

Antimttr (Wed, 11 Mar 2020 19:30:11 GMT):
so I'm guessing it's not important that I provide it for the orderer msp

BrettLogan (Wed, 11 Mar 2020 19:30:44 GMT):
You get the default config.yaml for free if you don't specify your own

Antimttr (Wed, 11 Mar 2020 19:30:57 GMT):
ahh

Antimttr (Wed, 11 Mar 2020 19:31:04 GMT):
do you know what actually uses this file?

Antimttr (Wed, 11 Mar 2020 19:31:30 GMT):
does for instance the peer binary read it? or does it get encoded into the genesis block by configtx.yaml?

Antimttr (Wed, 11 Mar 2020 19:32:31 GMT):
in that page you linked above (I've read through it a couple times) it says that it's used by fabric-ca and the sdk, although my sdk has never required any MSPs to run properly (only parts of msps like admin signing certs)

Antimttr (Wed, 11 Mar 2020 19:55:48 GMT):
What is the meaning of the ImplicitMeta policy type?
```
Channel: &ChannelDefaults
    # Policies defines the set of policies at this level of the config tree
    # For Channel policies, their canonical path is
    #   /Channel/
    Policies:
        # Who may invoke the 'Deliver' API
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        # Who may invoke the 'Broadcast' API
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        # By default, who may modify elements at this config level
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
```

Antimttr (Wed, 11 Mar 2020 19:56:53 GMT):
think I found some info: https://hyperledger-fabric.readthedocs.io/en/release-2.0/policies/policies.html#implicitmeta-policies

ramnayakkatroth (Fri, 13 Mar 2020 06:50:08 GMT):
Has joined the channel.

ramnayakkatroth (Fri, 13 Mar 2020 06:50:12 GMT):
hi

ramnayakkatroth (Fri, 13 Mar 2020 06:50:43 GMT):
anyone help me with this error? Running `go get github.com/hyperledger/fabric-sdk-go/pkg/fabric-client && go get github.com/hyperledger/fabric-sdk-go/pkg/fabric-ca-client` I get the error `cannot find package`

shiseki (Tue, 17 Mar 2020 05:29:27 GMT):
Has joined the channel.

razasikander (Tue, 17 Mar 2020 10:33:51 GMT):
hello guys, can someone help me with this issue posted at stackoverflow: https://stackoverflow.com/questions/60720498/hyperledger-fabric-with-softhsm

razasikander (Tue, 17 Mar 2020 10:33:56 GMT):
hsm

ahmedsajid (Tue, 17 Mar 2020 19:18:07 GMT):
seems like the volume mount is probably missing?

razasikander (Wed, 18 Mar 2020 07:08:31 GMT):
the volume is mounted

razasikander (Wed, 18 Mar 2020 07:29:49 GMT):
this is my file:
```yaml
ca.org1.example.com:
  image: hyperledger/fabric-ca
  container_name: ca.org1.example.com
  ports:
    - "7054:7054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_DEBUG=true
    - GODEBUG=netdns=go
    - SOFTHSM2_CONF=/etc/hyperledger/fabric/softhsm/config/softhsm2.conf
  volumes:
    - ./ca:/etc/hyperledger/fabric-ca-server
    - /etc/softhsm2.conf:/etc/hyperledger/fabric/softhsm/config/softhsm2.conf
    - /home/cdac/hyperledger-fabric-hsm/softhsm/tokens:/etc/hyperledger/fabric/softhsm/tokens
    - /usr/local/lib/softhsm/libsofthsm2.so:/etc/hyperledger/fabric/libsofthsm2.so
  command: sh -c 'fabric-ca-server start -b admin:adminpw'
```

Bolzo 1 (Wed, 18 Mar 2020 14:19:26 GMT):
Has joined the channel.

Bolzo 1 (Wed, 18 Mar 2020 14:21:12 GMT):
Hi! I'm generating

Tim (Fri, 20 Mar 2020 10:50:44 GMT):
Hi guys, how can I get from my CA a certificate for admin (client) with the TLS extension inside when I try to enroll? I run the CA with a self-signed certificate that has the TLS extension. I tried `fabric-ca-client enroll -d -u https://admin:adminpw@tlsca.org1.example.com:7054 --tls.certfiles $FABRIC_CA_SERVER_TLS_CERTFILES` but I only get a certificate without the TLS extension

Luxii (Fri, 20 Mar 2020 16:54:18 GMT):
Has left the channel.

lepar (Fri, 20 Mar 2020 19:12:42 GMT):
@Tim look at this example https://github.com/lepar/hyperledger-fabric-generic-network/blob/master/ca-identity/orderer-identity.sh

Tim (Fri, 20 Mar 2020 20:59:49 GMT):
yes, thx, looks great!! :)

lepar (Sat, 21 Mar 2020 01:34:25 GMT):
Welcome

aberwag (Tue, 24 Mar 2020 08:08:13 GMT):
Has joined the channel.

vikramsharma13 (Tue, 24 Mar 2020 09:33:55 GMT):
Has joined the channel.

bjzhang03 (Wed, 25 Mar 2020 02:45:50 GMT):
Has joined the channel.

bjzhang03 (Wed, 25 Mar 2020 02:45:52 GMT):
welcome

ravinayag (Wed, 25 Mar 2020 11:48:18 GMT):
Hello, my docker config file:
```yaml
ca.example.com:
  image: hyperledger/fabric-ca
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_CA_NAME=ca.example.com
    - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
    - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/c547457fd5fa62952310b2a71ee87ad599ed7a82dc550082dc471cd45372e640_sk
    #- FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
    #- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/c547457fd5fa62952310b2a71ee87ad599ed7a82dc550082dc471cd45372e640_sk
    - FABRIC_CA_SERVER_TLS_ENABLED=true
    - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/tlsca/tlsca.org1.example.com-cert.pem
    - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/tlsca/fdab27c8c6b0346069b2c65428d22c148f9e770081a1c670b30bbf0c85563068_sk
    - FABRIC_CA_SERVER_PORT=7054
  ports:
    - "7054:7054"
  command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
  # command: sh -c 'fabric-ca-server start --ca.name ca.example.com --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/c547457fd5fa62952310b2a71ee87ad599ed7a82dc550082dc471cd45372e640_sk -b admin:adminpw -d'
  volumes:
    - ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
    - ./crypto-config/peerOrganizations/org1.example.com/tlsca/:/etc/hyperledger/fabric-ca-server-config/tlsca
    - ./crypto-config/peerOrganizations/org1.example.com/msp:/etc/hyperledger/fabric-ca-server-config/msp
    - ./crypto-config/peerOrganizations/org1.example.com/users/:/etc/hyperledger/fabric-ca-server-config/users
  container_name: ca.example.com
  networks:
    - byfn
```

ravinayag (Wed, 25 Mar 2020 11:49:14 GMT):
```
2020/03/25 10:17:07 [INFO] The revocation key was successfully stored. The public key is at: /etc/hyperledger/fabric-ca-server/IssuerRevocationPublicKey, private key is at: /etc/hyperledger/fabric-ca-server/msp/keystore/IssuerRevocationPrivateKey
2020/03/25 10:17:07 [DEBUG] Intializing nonce manager for issuer 'ca.example.com'
2020/03/25 10:17:07 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server
2020/03/25 10:17:07 [DEBUG] 1 CA instance(s) running on server
2020/03/25 10:17:07 [INFO] Operation Server Listening on 127.0.0.1:9443
2020/03/25 10:17:07 [DEBUG] TLS is enabled
2020/03/25 10:17:07 [DEBUG] TLS Certificate: /etc/hyperledger/fabric-ca-server-config/tlsca/tlsca.org1.example.com-cert.pem, TLS Key: /etc/hyperledger/fabric-ca-server-config/tlsca/fdab27c8c6b0346069b2c65428d22c148f9e770081a1c670b30bbf0c85563068_sk
2020/03/25 10:17:07 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: Failed getting key for SKI [[253 171 39 200 198 176 52 96 105 178 198 84 40 210 44 20 143 158 119 0 129 161 198 112 179 11 191 12 133 86 48 104]]: Key with SKI fdab27c8c6b0346069b2c65428d22c148f9e770081a1c670b30bbf0c85563068 not found in /etc/hyperledger/fabric-ca-server/msp/keystore
2020/03/25 10:17:07 [DEBUG] Attempting fallback with certfile /etc/hyperledger/fabric-ca-server-config/tlsca/tlsca.org1.example.com-cert.pem and keyfile /etc/hyperledger/fabric-ca-server-config/tlsca/fdab27c8c6b0346069b2c65428d22c148f9e770081a1c670b30bbf0c85563068_sk
2020/03/25 10:17:07 [DEBUG] Client authentication type requested: noclientcert
2020/03/25 10:17:07 [INFO] Listening on https://0.0.0.0:7054
```

ravinayag (Wed, 25 Mar 2020 11:50:19 GMT):
I'm trying to understand this part: `[DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key`

ravinayag (Wed, 25 Mar 2020 11:51:56 GMT):
not sure what I'm missing here, what should I do to fix this? The keys/pem files are correct as per the crypto-config folder.

ravinayag (Wed, 25 Mar 2020 11:52:31 GMT):
binary version: 1.4.5

barney2k7 (Wed, 25 Mar 2020 12:36:38 GMT):
It's a debug message, so nothing to worry about. If you're still interested in the details, here's the corresponding code: https://github.com/hyperledger/fabric-ca/blob/release-1.4/util/csp.go#L295

barney2k7 (Wed, 25 Mar 2020 12:41:45 GMT):
I guess this would be relevant if an HSM is used; then you wouldn't have a fallback to a private key file

ravinayag (Wed, 25 Mar 2020 14:15:39 GMT):
thank you:slight_smile:

ravinayag (Wed, 25 Mar 2020 14:16:03 GMT):
thank you :)

BrettLogan (Thu, 26 Mar 2020 02:51:52 GMT):
barney2k7's statement was correct, though this was recently changed, so newer versions won't contain this debug message anymore

Vid201 (Thu, 26 Mar 2020 08:37:01 GMT):
Has joined the channel.

Vid201 (Thu, 26 Mar 2020 08:37:02 GMT):
Hi! I have a question about X.509 certificates. According to the Fabric docs, three different elliptic curves can be used: prime256v1, secp384r1 and secp521r1. Is it possible to manually configure the network to use a different elliptic curve in X.509 certificates than those provided? I heard something about Fabric having pluggable crypto algorithms, but I don't know if that applies to certificates. If it's possible, where do I start?

przemyslaw.sanecki (Thu, 26 Mar 2020 14:00:45 GMT):
Has joined the channel.

obelix (Thu, 26 Mar 2020 17:03:47 GMT):
Can somebody remind me what the `-d` option does in the command below? It does not seem to be documented anywhere: `fabric-ca-client enroll -d -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054`

BrettLogan (Thu, 26 Mar 2020 17:54:48 GMT):
https://github.com/hyperledger/fabric-ca/blob/master/util/flag.go#L187

obelix (Thu, 26 Mar 2020 17:55:55 GMT):
thanks!!

Francesco_P (Fri, 27 Mar 2020 09:20:37 GMT):
Has joined the channel.

Francesco_P (Fri, 27 Mar 2020 09:20:38 GMT):
hi, when I launch from the CLI `fabric-ca-server start -b admin:adminpw` I get the error "Error occurred initializing database: Failed to open sqlite3 DB: sql: unknown driver "sqlite3" (forgotten import?)"

Francesco_P (Fri, 27 Mar 2020 09:20:56 GMT):
how can I import sqlite3?

nitishbhardwaj19 (Sat, 28 Mar 2020 06:05:31 GMT):
Is there a way to check all the env parameters which fabric-ca can accept to be overridden at runtime?

BrettLogan (Sat, 28 Mar 2020 20:33:40 GMT):
anything in the config file can be overridden: https://github.com/hyperledger/fabric-ca/blob/release-1.4/cmd/fabric-ca-server/config.go#L33

BrettLogan (Sat, 28 Mar 2020 20:34:26 GMT):
We use a tool called viper for configuration; viper allows anything that is named in the configuration to be overridden. If it's not in the config, a default value specified by the code is used and it can't be overridden with an environment variable

BrettLogan (Sat, 28 Mar 2020 20:35:22 GMT):
Where did you download `fabric-ca-server` from, and can you run `fabric-ca-server version` and let me know what version you are on?

narendranathreddy (Sun, 29 Mar 2020 15:44:49 GMT):
rsa

Francesco_P (Mon, 30 Mar 2020 08:04:38 GMT):
I downloaded the whole fabric-samples directory and I followed the https://hyperledger-fabric.readthedocs.io/en/latest/install.html guide

Francesco_P (Mon, 30 Mar 2020 08:06:19 GMT):
I think I executed (approximately 1 month ago) this command: `curl -sSL https://bit.ly/2ysbOFE | bash -s -- 2.0.0 1.4.4 0.4.18`

Francesco_P (Mon, 30 Mar 2020 08:12:23 GMT):
the result of the command `fabric-ca-server version` is: `Version: 1.4.4 Go version: go1.13.4 OS/Arch: windows/amd64`

BrettLogan (Mon, 30 Mar 2020 13:17:34 GMT):
can you delete your fabric-samples directory and use `curl -sSL https://bit.ly/2ysbOFE | bash -s -- 2.0.0 1.4.6 0.4.18`

BrettLogan (Mon, 30 Mar 2020 13:17:50 GMT):
This was a known bug in 1.4.4; we patched it in 1.4.5

BrettLogan (Mon, 30 Mar 2020 13:18:10 GMT):
But you should go right to 1.4.6

nitishbhardwaj19 (Mon, 30 Mar 2020 14:06:21 GMT):
Thanks @BrettLogan. I just wanted to know if there is any env variable which can accept a private/public key as a string.

BrettLogan (Mon, 30 Mar 2020 15:38:36 GMT):
As a string, I don't think so, only as a filepath

BrettLogan (Mon, 30 Mar 2020 15:38:39 GMT):

Clipboard - March 30, 2020 11:38 AM

Francesco_P (Tue, 31 Mar 2020 10:14:45 GMT):
Downloaded, but now I have problems restarting the docker images of the peers and orderer... Do I have to run `.\network down` and then bring up a new environment?

knagware9 (Wed, 01 Apr 2020 04:31:50 GMT):
yes, first tear down the network and then start

gentios (Wed, 01 Apr 2020 08:10:05 GMT):
Hi everyone, I am keen to know how everyone else is handling the credential store for a production environment. I personally haven't found a more secure way of storing them than in a CouchDB database rather than in files

pritam_01 (Wed, 01 Apr 2020 08:23:17 GMT):
try using PostgreSQL with JWT.

gentios (Wed, 01 Apr 2020 08:25:42 GMT):
Also, are fabric-ca usernames unique? For example, if I try to enroll 2 users with the same username "gentios", in my credential store I will get only 1 set of key/certificate pairs rather than 2

pritam_01 (Wed, 01 Apr 2020 08:27:34 GMT):
while registering, the CA stores the credentials with their username, so you cannot have more than 1 identity with the same username on the same CA.

gentios (Wed, 01 Apr 2020 08:28:30 GMT):
@Pritam 12 can you point me to some docs regarding this? I cannot seem to find any

pritam_01 (Wed, 01 Apr 2020 08:30:35 GMT):
there are no such docs, but there is this repo under IBM https://github.com/IBM/fabric-postgres-wallet; you have to read the code

gentios (Wed, 01 Apr 2020 08:38:42 GMT):
Thank you @Pritam 12

BrettLogan (Wed, 01 Apr 2020 16:44:14 GMT):
^

nileshv (Thu, 02 Apr 2020 06:13:32 GMT):
Has joined the channel.

letsblockchain (Mon, 06 Apr 2020 07:56:12 GMT):
Has joined the channel.

nitishbhardwaj19 (Mon, 06 Apr 2020 13:52:44 GMT):
Hi, does anyone know why we specify `Key Encipherment` as a parameter in `Key Usage` for certificates generated by Fabric-CA? How exactly is this parameter expected to be used by the different components of Fabric?

nitishbhardwaj19 (Tue, 07 Apr 2020 05:26:52 GMT):
Hi @nyet, thanks for sharing this. But is it mandatory to include Key Encipherment and Key Agreement in TLS certificates?

Adhavpavan (Tue, 07 Apr 2020 15:36:25 GMT):
Has joined the channel.

guptasndp10 (Thu, 09 Apr 2020 05:31:05 GMT):
I am facing an issue while running fabric-ca-server with an HSM. Below are the docker container logs

guptasndp10 (Thu, 09 Apr 2020 05:31:10 GMT):
```
Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: Failed initializing PKCS11 library /usr/lib/softhsm/libsofthsm2.so ForFabric: Instantiate failed [/usr/lib/softhsm/libsofthsm2.so]
```

guptasndp10 (Thu, 09 Apr 2020 05:31:40 GMT):
I have mounted the library. Below is my docker-compose file

guptasndp10 (Thu, 09 Apr 2020 05:32:05 GMT):
```yaml
fabric-ca-server:
  image: hyperledger/fabric-ca:latest
  container_name: fabric-ca-server
  ports:
    - "7054:7054"
  environment:
    - FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_DEBUG=true
    - SOFTHSM2_CONF=/etc/hyperledger/fabric-ca-server/config.file
  volumes:
    - ./fabric-ca-server/ForFabric:/tmp/ForFabric
    - ./fabric-ca-server:/etc/hyperledger/fabric-ca-server
    - ./fabric-ca-server/library/libsofthsm2.so:/usr/lib/softhsm/libsofthsm2.so
  command: sh -c 'fabric-ca-server start -d -b admin:adminpw'
```

guptasndp10 (Thu, 09 Apr 2020 11:58:18 GMT):
`ctx := pkcs11.New(lib)` in pkcs11.go is not loading the library when using the latest docker images built with `make docker GO_TAGS=pkcs11`.

guptasndp10 (Thu, 09 Apr 2020 11:58:42 GMT):
Though it is working fine without docker

guptasndp10 (Thu, 09 Apr 2020 12:56:07 GMT):
@mastersingh24 @Antimttr @guoger I am facing an issue while running fabric-ca-server with an HSM. Below are the docker container logs:
```
Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: Failed initializing PKCS11 library /usr/lib/softhsm/libsofthsm2.so ForFabric: Instantiate failed [/usr/lib/softhsm/libsofthsm2.so]
```
I have mounted the library. Below is my docker-compose file:
```yaml
fabric-ca-server:
  image: hyperledger/fabric-ca:latest
  container_name: fabric-ca-server
  ports:
    - "7054:7054"
  environment:
    - FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_DEBUG=true
    - SOFTHSM2_CONF=/etc/hyperledger/fabric-ca-server/config.file
  volumes:
    - ./fabric-ca-server/ForFabric:/tmp/ForFabric
    - ./fabric-ca-server:/etc/hyperledger/fabric-ca-server
    - ./fabric-ca-server/library/libsofthsm2.so:/usr/lib/softhsm/libsofthsm2.so
  command: sh -c 'fabric-ca-server start -d -b admin:adminpw'
```
I think the issue is that `ctx := pkcs11.New(lib)` in pkcs11.go is not loading the library when using the latest docker images built with `make docker GO_TAGS=pkcs11`. Though it is working fine without docker

BrettLogan (Fri, 10 Apr 2020 05:11:26 GMT):
It's not you, it's something with the SoftHSM library. We confirmed a couple weeks ago it works with a hardware-based HSM library (Gemalto), but even we (the Fabric team) have had issues with instantiating the SoftHSM library inside of Docker

metadata (Fri, 10 Apr 2020 18:54:51 GMT):
Hello All, I'm facing an issue related to Node OU. I'm getting below error when starting the orderer and peer nodes. I'm using `fabric-ca` for creating certs. error : ``` Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/fabric/msp: administrators must be declared when no admin ou classification is set ``` AFAIK it is because if we are not generating Admin certs then we have to provide a `config.yaml` file to the `msp` directory. In my case `config.yaml` file exists in every msp directory. **config.yaml** ``` NodeOUs: Enable: true ClientOUIdentifier: Certificate: cacerts/ca.beta.com-cert.pem OrganizationalUnitIdentifier: client PeerOUIdentifier: Certificate: cacerts/ca.beta.com-cert.pem OrganizationalUnitIdentifier: peer AdminOUIdentifier: Certificate: cacerts/ca.beta.com-cert.pem OrganizationalUnitIdentifier: admin OrdererOUIdentifier: Certificate: cacerts/ca.beta.com-cert.pem OrganizationalUnitIdentifier: orderer ``` **tree structure of alpha.com/msp** ``` crypto-config/ordererOrganizations/alpha.com/msp/ ├── IssuerPublicKey ├── IssuerRevocationPublicKey ├── cacerts │   └── ca.alpha.com-cert.pem ├── config.yaml ├── keystore │   └── 6b7c132b5cde5da71570d40ca990d7197df5f71c6e250c986a7a386d238d0826_sk ├── signcerts │   └── cert.pem ├── tlscacerts │   └── tlsca.alpha.com-cert.pem └── user ``` **tree structure of orderer1.alpha.com/msp** ``` crypto-config/ordererOrganizations/alpha.com/orderers/orderer1.alpha.com/msp/ ├── IssuerPublicKey ├── IssuerRevocationPublicKey ├── cacerts │   └── ca.alpha.com-cert.pem ├── config.yaml ├── keystore │   └── cert.key ├── signcerts │   └── cert.pem ├── tlscacerts │   └── tlsca.alpha.com-cert.pem └── user ``` **registering cert** ``` fabric-ca-client register --caname ca.alpha.com --id.name orderer1.alpha.com --id.secret ordererpw --id.type orderer --tls.certfiles $TLS_CERT_FILE ``` Please help

metadata (Fri, 10 Apr 2020 18:54:51 GMT):
Hello All, I'm facing an issue related to Node OU. I'm getting below error when starting the orderer and peer nodes. I'm using `fabric-ca` for creating certs. error : ``` Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/fabric/msp: administrators must be declared when no admin ou classification is set ``` AFAIK it is because if we are not generating Admin certs then we have to provide a `config.yaml` file to the `msp` directory. In my case `config.yaml` file exists in every msp directory. **config.yaml** ``` NodeOUs: Enable: true ClientOUIdentifier: Certificate: cacerts/ca.beta.com-cert.pem OrganizationalUnitIdentifier: client PeerOUIdentifier: Certificate: cacerts/ca.beta.com-cert.pem OrganizationalUnitIdentifier: peer AdminOUIdentifier: Certificate: cacerts/ca.beta.com-cert.pem OrganizationalUnitIdentifier: admin OrdererOUIdentifier: Certificate: cacerts/ca.beta.com-cert.pem OrganizationalUnitIdentifier: orderer ``` **tree structure of alpha.com/msp** ``` crypto-config/ordererOrganizations/alpha.com/msp/ ├── IssuerPublicKey ├── IssuerRevocationPublicKey ├── cacerts │   └── ca.alpha.com-cert.pem ├── config.yaml ├── keystore │   └── 6b7c132b5cde5da71570d40ca990d7197df5f71c6e250c986a7a386d238d0826_sk ├── signcerts │   └── cert.pem ├── tlscacerts │   └── tlsca.alpha.com-cert.pem └── user ``` **tree structure of orderer1.alpha.com/msp** ``` crypto-config/ordererOrganizations/alpha.com/orderers/orderer1.alpha.com/msp/ ├── IssuerPublicKey ├── IssuerRevocationPublicKey ├── cacerts │   └── ca.alpha.com-cert.pem ├── config.yaml ├── keystore │   └── cert.key ├── signcerts │   └── cert.pem ├── tlscacerts │   └── tlsca.alpha.com-cert.pem └── user ``` **registering cert** ``` fabric-ca-client register --caname ca.alpha.com --id.name orderer1.alpha.com --id.secret ordererpw --id.type orderer --tls.certfiles $TLS_CERT_FILE ``` **orderer1.alpha.com/msp/signcerts** ``` Certificate: Data: Version: 3 (0x2) Serial Number: 
58:f4:e1:c5:f2:2f:6d:6e:9e:59:b5:27:9f:8e:c4:3f:93:83:69:8f Signature Algorithm: ecdsa-with-SHA256 Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = ca.alpha.com Validity Not Before: Apr 10 20:38:00 2020 GMT Not After : Apr 10 20:43:00 2021 GMT Subject: C = US, ST = North Carolina, O = Hyperledger, OU = orderer, CN = orderer1.alpha.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:bf:85:8b:8a:d0:86:71:27:68:55:e7:e8:39:98: 10:fd:57:ce:dd:1a:37:0d:57:19:f5:63:fb:0c:31: 2c:d5:e7:4e:32:3e:30:c7:38:4f:66:e2:d9:e5:15: 8d:ba:8e:c9:ec:ee:63:7a:6b:13:f1:1f:65:82:73: 9f:19:87:b7:61 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: E4:43:B0:93:83:A7:C1:E6:94:55:13:B6:FC:1A:9D:2E:19:DC:5A:C2 X509v3 Authority Key Identifier: keyid:25:91:EF:53:D2:6D:E5:6F:6F:3A:6E:50:9B:8E:9B:CA:2F:71:E4:C1 X509v3 Subject Alternative Name: DNS:orderer1.alpha.com, DNS:localhost 1.2.3.4.5.6.7.8.1: {"attrs":{"hf.Affiliation":"","hf.EnrollmentID":"orderer1.alpha.com","hf.Type":"orderer"}} Signature Algorithm: ecdsa-with-SHA256 30:45:02:21:00:85:a1:38:6a:e4:db:35:41:f4:5f:64:b3:fc: 27:2f:59:86:d2:c0:52:b8:af:f4:f6:9d:7b:fb:3c:ee:13:7a: a0:02:20:51:4d:a1:01:25:db:b5:d5:95:3e:1e:a9:b5:08:49: da:c2:39:c3:2a:db:aa:84:1c:28:8c:3c:ed:b3:fb:c1:32 ``` Please help

metadata (Fri, 10 Apr 2020 18:54:51 GMT):
Hello All, I'm facing an issue related to Node OU. I'm getting below error when starting the orderer and peer nodes. I'm using `fabric-ca` for creating certs. error : ``` Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/fabric/msp: administrators must be declared when no admin ou classification is set ``` AFAIK it is because if we are not generating Admin certs then we have to provide a `config.yaml` file to the `msp` directory. In my case `config.yaml` file exists in every msp directory. **config.yaml** ``` NodeOUs: Enable: true ClientOUIdentifier: Certificate: cacerts/ca.alpha.com-cert.pem OrganizationalUnitIdentifier: client PeerOUIdentifier: Certificate: cacerts/ca.alpha.com-cert.pem OrganizationalUnitIdentifier: peer AdminOUIdentifier: Certificate: cacerts/ca.alpha.com-cert.pem OrganizationalUnitIdentifier: admin OrdererOUIdentifier: Certificate: cacerts/ca.alpha.com-cert.pem OrganizationalUnitIdentifier: orderer ``` **tree structure of alpha.com/msp** ``` crypto-config/ordererOrganizations/alpha.com/msp/ ├── IssuerPublicKey ├── IssuerRevocationPublicKey ├── cacerts │   └── ca.alpha.com-cert.pem ├── config.yaml ├── keystore │   └── 6b7c132b5cde5da71570d40ca990d7197df5f71c6e250c986a7a386d238d0826_sk ├── signcerts │   └── cert.pem ├── tlscacerts │   └── tlsca.alpha.com-cert.pem └── user ``` **tree structure of orderer1.alpha.com/msp** ``` crypto-config/ordererOrganizations/alpha.com/orderers/orderer1.alpha.com/msp/ ├── IssuerPublicKey ├── IssuerRevocationPublicKey ├── cacerts │   └── ca.alpha.com-cert.pem ├── config.yaml ├── keystore │   └── cert.key ├── signcerts │   └── cert.pem ├── tlscacerts │   └── tlsca.alpha.com-cert.pem └── user ``` **registering cert** ``` fabric-ca-client register --caname ca.alpha.com --id.name orderer1.alpha.com --id.secret ordererpw --id.type orderer --tls.certfiles $TLS_CERT_FILE ``` **orderer1.alpha.com/msp/signcerts** ``` Certificate: Data: Version: 3 (0x2) Serial Number: 
58:f4:e1:c5:f2:2f:6d:6e:9e:59:b5:27:9f:8e:c4:3f:93:83:69:8f Signature Algorithm: ecdsa-with-SHA256 Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = ca.alpha.com Validity Not Before: Apr 10 20:38:00 2020 GMT Not After : Apr 10 20:43:00 2021 GMT Subject: C = US, ST = North Carolina, O = Hyperledger, OU = orderer, CN = orderer1.alpha.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:bf:85:8b:8a:d0:86:71:27:68:55:e7:e8:39:98: 10:fd:57:ce:dd:1a:37:0d:57:19:f5:63:fb:0c:31: 2c:d5:e7:4e:32:3e:30:c7:38:4f:66:e2:d9:e5:15: 8d:ba:8e:c9:ec:ee:63:7a:6b:13:f1:1f:65:82:73: 9f:19:87:b7:61 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: E4:43:B0:93:83:A7:C1:E6:94:55:13:B6:FC:1A:9D:2E:19:DC:5A:C2 X509v3 Authority Key Identifier: keyid:25:91:EF:53:D2:6D:E5:6F:6F:3A:6E:50:9B:8E:9B:CA:2F:71:E4:C1 X509v3 Subject Alternative Name: DNS:orderer1.alpha.com, DNS:localhost 1.2.3.4.5.6.7.8.1: {"attrs":{"hf.Affiliation":"","hf.EnrollmentID":"orderer1.alpha.com","hf.Type":"orderer"}} Signature Algorithm: ecdsa-with-SHA256 30:45:02:21:00:85:a1:38:6a:e4:db:35:41:f4:5f:64:b3:fc: 27:2f:59:86:d2:c0:52:b8:af:f4:f6:9d:7b:fb:3c:ee:13:7a: a0:02:20:51:4d:a1:01:25:db:b5:d5:95:3e:1e:a9:b5:08:49: da:c2:39:c3:2a:db:aa:84:1c:28:8c:3c:ed:b3:fb:c1:32 ``` Please help

metadata (Fri, 10 Apr 2020 18:54:51 GMT):
Hello All, I'm facing an issue related to Node OU. I'm getting the below error when starting the orderer and peer nodes. I'm using `fabric-ca` for creating certs.

**orderer logs**
```
Failed to setup local msp with config: administrators must be declared when no admin ou classification is set
panic: Failed to setup local msp with config: administrators must be declared when no admin ou classification is set
```

**peer logs**
```
Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/fabric/msp: administrators must be declared when no admin ou classification is set
```

AFAIK it is because if we are not generating Admin certs then we have to provide a `config.yaml` file in the `msp` directory. In my case the `config.yaml` file exists in every msp directory.

**config.yaml**
```
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/ca.alpha.com-cert.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/ca.alpha.com-cert.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/ca.alpha.com-cert.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/ca.alpha.com-cert.pem
    OrganizationalUnitIdentifier: orderer
```

**tree structure of alpha.com/msp**
```
crypto-config/ordererOrganizations/alpha.com/msp/
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── cacerts
│   └── ca.alpha.com-cert.pem
├── config.yaml
├── keystore
│   └── 6b7c132b5cde5da71570d40ca990d7197df5f71c6e250c986a7a386d238d0826_sk
├── signcerts
│   └── cert.pem
├── tlscacerts
│   └── tlsca.alpha.com-cert.pem
└── user
```

**tree structure of orderer1.alpha.com/msp**
```
crypto-config/ordererOrganizations/alpha.com/orderers/orderer1.alpha.com/msp/
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── cacerts
│   └── ca.alpha.com-cert.pem
├── config.yaml
├── keystore
│   └── cert.key
├── signcerts
│   └── cert.pem
├── tlscacerts
│   └── tlsca.alpha.com-cert.pem
└── user
```

**registering cert**
```
fabric-ca-client register --caname ca.alpha.com --id.name orderer1.alpha.com --id.secret ordererpw --id.type orderer --tls.certfiles $TLS_CERT_FILE
```

**orderer1.alpha.com/msp/signcerts**
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            58:f4:e1:c5:f2:2f:6d:6e:9e:59:b5:27:9f:8e:c4:3f:93:83:69:8f
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = ca.alpha.com
        Validity
            Not Before: Apr 10 20:38:00 2020 GMT
            Not After : Apr 10 20:43:00 2021 GMT
        Subject: C = US, ST = North Carolina, O = Hyperledger, OU = orderer, CN = orderer1.alpha.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:bf:85:8b:8a:d0:86:71:27:68:55:e7:e8:39:98:
                    10:fd:57:ce:dd:1a:37:0d:57:19:f5:63:fb:0c:31:
                    2c:d5:e7:4e:32:3e:30:c7:38:4f:66:e2:d9:e5:15:
                    8d:ba:8e:c9:ec:ee:63:7a:6b:13:f1:1f:65:82:73:
                    9f:19:87:b7:61
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                E4:43:B0:93:83:A7:C1:E6:94:55:13:B6:FC:1A:9D:2E:19:DC:5A:C2
            X509v3 Authority Key Identifier:
                keyid:25:91:EF:53:D2:6D:E5:6F:6F:3A:6E:50:9B:8E:9B:CA:2F:71:E4:C1
            X509v3 Subject Alternative Name:
                DNS:orderer1.alpha.com, DNS:localhost
            1.2.3.4.5.6.7.8.1:
                {"attrs":{"hf.Affiliation":"","hf.EnrollmentID":"orderer1.alpha.com","hf.Type":"orderer"}}
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:85:a1:38:6a:e4:db:35:41:f4:5f:64:b3:fc:
         27:2f:59:86:d2:c0:52:b8:af:f4:f6:9d:7b:fb:3c:ee:13:7a:
         a0:02:20:51:4d:a1:01:25:db:b5:d5:95:3e:1e:a9:b5:08:49:
         da:c2:39:c3:2a:db:aa:84:1c:28:8c:3c:ed:b3:fb:c1:32
```

Please help

metadata (Fri, 10 Apr 2020 19:51:33 GMT):
Is copying the `config.yaml` file to `msp` folder enough when creating certs with `fabric-ca` or Do I have to populate `admincerts` directory in the `msp` dir ? @BrettLogan Could you please help?

pritam_01 (Sat, 11 Apr 2020 07:25:20 GMT):
You have to create admincerts folder in every msp and place cert of admin there .

metadata (Sat, 11 Apr 2020 07:29:07 GMT):
Is it because I'm using `fabric-ca`? I ran the `test-network` present in `fabric-samples` and I don't see any `admincerts` directory in the `msp` folder, and it is working fine. So I think it is not necessary.

pritam_01 (Sat, 11 Apr 2020 07:33:24 GMT):
Right config.yaml will take care of that

metadata (Sat, 11 Apr 2020 07:34:16 GMT):
yes, `config.yaml` is present in msp dir but still I'm getting error

pritam_01 (Sat, 11 Apr 2020 07:36:28 GMT):
In the previous version, 1.4, you had to explicitly define the admincerts folder

metadata (Sat, 11 Apr 2020 07:36:49 GMT):
I'm using `v2.0.0`

metadata (Sat, 11 Apr 2020 07:36:57 GMT):
[ ](https://chat.hyperledger.org/channel/fabric-ca?msg=7JdBhxj4S9BQnBeEE) yes

nitishbhardwaj19 (Sat, 11 Apr 2020 13:17:12 GMT):
Hi, I couldn't find *fabric-ca-client* in _hyperledger/fabric-tools_. I am always getting "command not found", whereas *discover* and *cryptogen* work perfectly. Any ideas?

AbhijeetSamanta (Sat, 11 Apr 2020 16:00:18 GMT):
I need some help as I have confusion about one condition: let's say a user registers and enrolls to the network, and its secret, which is generated at the time of registration, is saved in MongoDB, but somehow its wallet got deleted. Do we need to register the user again, or can we get the wallet again by just enrolling the user again with the same secret?

BrettLogan (Sun, 12 Apr 2020 16:52:25 GMT):
Fabric-tools doesn't contain the CA client. The docker image is part of the fabric repository, and the CA is a standalone repo. We don't add outside dependencies to it. Though, you could download the binary yourself into the container

indirajith (Sun, 12 Apr 2020 17:48:05 GMT):
Can anyone point to any links to how to use Fabric-CA gosdk? Thanks!

nitishbhardwaj19 (Mon, 13 Apr 2020 05:06:59 GMT):
cool, thanks for sharing this. I have created a custom client. I had a requirement where I had to generate credentials for a peer at runtime, making sure only the peer has access to them. This utility uses the registered peer's details and generates its MSP dir directly in the mounted volume of the peer. This can be used for generating certs for the orderer as well.

nitishbhardwaj19 (Mon, 13 Apr 2020 05:08:19 GMT):
https://hub.docker.com/r/hlfgovernance/fabric-ca-client

nitishbhardwaj19 (Mon, 13 Apr 2020 06:04:06 GMT):
Hi, just found that _Fabric-tools doesn't have the fabric-ca-client executable_. I felt that there is a need to generate MSP directories on demand while a peer/orderer is being spun up. We should be able to directly generate the msp on their mount volume without copying certs from anywhere else. I have created a utility which accepts *pre-register details* and just *focuses on generating credentials* with Fabric-CA on demand. It connects to the CA and *generates the private and public key directly to the mounted path*, which can be mounted on peers/orderers as well. https://hub.docker.com/r/hlfgovernance/fabric-ca-client It will really help us to spin up a peer/orderer on demand in an actual production environment. Let me know your thoughts on it. Hope this will help the community.

FilipeSilva (Mon, 13 Apr 2020 14:21:53 GMT):
Has joined the channel.

FilipeSilva (Mon, 13 Apr 2020 17:16:19 GMT):
hi @here,

FilipeSilva (Mon, 13 Apr 2020 17:17:13 GMT):
what is the difference between the `public` and `root` certificate of CA?

FilipeSilva (Mon, 13 Apr 2020 17:19:48 GMT):
what I mean by public is the certificate found under `cacerts` folder while the root is the one assigned to environment variable `FABRIC_CA_CLIENT_TLS_CERTFILES` when enrolling CA's Admins

FilipeSilva (Mon, 13 Apr 2020 17:20:28 GMT):
are they the same?

FilipeSilva (Mon, 13 Apr 2020 23:23:13 GMT):
If you could take the time to answer the below question related to CA I would really appreciate it:

FilipeSilva (Mon, 13 Apr 2020 23:23:23 GMT):
https://stackoverflow.com/questions/61198312/should-an-organization-admin-always-be-assigned-the-type-admin

nikolas (Tue, 14 Apr 2020 07:34:32 GMT):
Has joined the channel.

guptasndp10 (Tue, 14 Apr 2020 08:13:30 GMT):
@BrettLogan @mastersingh24 @dave.enyeart @Antimttr I got it working up to some extent. I have successfully created the fabric-ca for the orderer and peer orgs with HSM and created the admin, peer and orderer certs with keys stored in the HSM. Peer and orderer containers are running fine with HSM configured. However, now when I am using cli-org1 to create the channel, I am getting the below error:
```
Cannot run peer because error when setting up MSP of type bccsp from directory /tmp/hyperledger/org1/admin/msp: could not initialize BCCSP Factories: Could not find default `PKCS11` BCCSP
```
I checked the core.yaml file, where the default is set to the PKCS11 opts. Below is the BCCSP section:
```
BCCSP:
    Default: PKCS11
    PKCS11:
        # Location of the PKCS11 module library
        Library: /usr/lib/softhsm/libsofthsm2.so
        # Token Label
        Label: ForFabric
        # User PIN
        Pin: 98765432
        Hash: SHA2
        Security: 256
        # FileKeyStore:
        #     KeyStore:
```

chintanr11 (Tue, 14 Apr 2020 13:28:56 GMT):
Has joined the channel.

chintanr11 (Tue, 14 Apr 2020 13:28:57 GMT):
Let's say I am starting the Fabric CA with my own root certificate, and I am also using the same certificate as the TLS root certificate. I do not have any subjectAltNames in the certificate. However, the TLS communication still works fine because the fabric-ca-server-config.yaml file's csr.hosts has that host name. I am confused as to how this yaml file is overriding the already provided root certificate for correct TLS communication?

Taffies (Wed, 15 Apr 2020 08:53:19 GMT):
What should the OU for an intermediate CA be?

Taffies (Wed, 15 Apr 2020 13:37:53 GMT):
Hi, I have a question about Node OUs. After enabling OUs, I had this error message while trying to create channel `The identity is not valid under this MSP [Orgorderer1MSP]: could not validate identity's OUs: certifiersIdentifier does not match: [orderer(69E26EF5CC944A24)], MSP: [Orgorderer1MSP]` It seems that the OU is not recognized under that MSP, even though I have configured the `config.yaml` file correctly. Does anyone know why this error might occur?

FilipeSilva (Wed, 15 Apr 2020 16:36:40 GMT):
I am trying to boot up a second peer for my organization, let's call it `peer2`

FilipeSilva (Wed, 15 Apr 2020 16:37:17 GMT):
however, I am being warned that this new node requires the folder `admincerts` under the msp

FilipeSilva (Wed, 15 Apr 2020 16:38:14 GMT):
but I do not want to assign admin privileges to this new node

FilipeSilva (Wed, 15 Apr 2020 16:38:52 GMT):
shouldn't the folder `admincerts` be optional?

jaraujo (Wed, 15 Apr 2020 16:59:48 GMT):
Has joined the channel.

metadata (Wed, 15 Apr 2020 18:04:10 GMT):
It is optional in v2.0 but not in 1.4.4 (not sure about 1.4.6). For v2.0 you have to enable `NodeOU`: you need a `config.yaml` file and put this file in every msp folder. Then you don't have to create an `admincerts` directory. config.yaml file: https://hyperledger-fabric.readthedocs.io/en/release-2.0/msp.html#identity-classification

FilipeSilva (Wed, 15 Apr 2020 19:17:22 GMT):
@metadata thanks for the reply

FilipeSilva (Wed, 15 Apr 2020 19:18:20 GMT):
Yet, I still do not get how the network decides which one is the de facto admin once both peers have the `admincert` folder

Paradox-AT (Thu, 16 Apr 2020 07:49:37 GMT):
Hey guys, how do I get the certificates and key after enrolling? I mean, suppose we corrupted the wallet folder and then want to get those certificates again

vieiramanoel (Fri, 17 Apr 2020 00:05:11 GMT):
guys, is there any way for an admin to reenroll an identity without the secret key? My workaround was to remove and register the identity again, but I'm not sure this is right

FilipeSilva (Fri, 17 Apr 2020 11:02:28 GMT):
I generated an admin certificate with the `OU` field set to `user`

FilipeSilva (Fri, 17 Apr 2020 11:03:03 GMT):
but then I made sure that a folder `admincerts` existed inside the organization MSP

FilipeSilva (Fri, 17 Apr 2020 11:03:39 GMT):
however when I try to perform admin tasks I got the following msg:

FilipeSilva (Fri, 17 Apr 2020 11:04:10 GMT):
`Administrators must be declared when no admin ou classification is set`

pritam_01 (Fri, 17 Apr 2020 14:22:12 GMT):
While starting the intermediate-ca in docker, I got this error:
```
root@dda3b6a7d56c:/home# fabric-ca-client enroll -u http://ica-admin:ica-adminpw@ica-jnj:7054 -M ica-admin
2019/03/21 16:47:27 [INFO] Created a default configuration file at /root/.fabric-ca-client/fabric-ca-client-config.yaml
2019/03/21 16:47:27 [INFO] generating key: &{A:ecdsa S:256}
2019/03/21 16:47:27 [INFO] encoded CSR
Error: Response from server: Error Code: 0 - Chain file does not exist at /etc/hyperledger/fabric-ca-server/ca-chain.pem
```
I got that it is due to there being no ca-chain.pem in the FABRIC_CA_HOME path. I think it is due to the line `CMD fabric-ca-server start -b admin:adminpw` present in the Dockerfile (https://github.com/hyperledger/fabric-ca/blob/d878ee6db75a3b9992eebfd15ce43bafc193a5f0/images/fabric-ca/Dockerfile#L31). Could someone please tell me whether I should create a custom Dockerfile for fabric-ca with the above removed? BTW I am using this script to run it from the docker-compose file:
```
fabric-ca-server start \
  -b $REGISTRAR_USERNAME:$REGISTRAR_PASSWORD \
  --cfg.affiliations.allowremove \
  --cfg.identities.allowremove \
  --csr.hosts "ca-intermediate" \
  -d -u $SCHEME://$ORG_CA_USERNAME:$ORG_CA_PASSWORD@$ROOT_CA_HOST:$ROOT_CA_PORT -H .
```

indirajith (Fri, 17 Apr 2020 18:14:48 GMT):
Isn't the admincert directory for the admin of the org the peer belongs to? So both peers would have the same admincerts.

FilipeSilva (Fri, 17 Apr 2020 18:37:21 GMT):
Well, I thought the user admin would not need the `admincert` folder

metadata (Sat, 18 Apr 2020 07:28:26 GMT):
@FilipeSilva you have to assign the path of the admin certs to `CORE_PEER_MSPCONFIGPATH` like for peer1 it should be `CORE_PEER_MSPCONFIGPATH=path_to_peer1_admincerts` and for peer2 it is `CORE_PEER_MSPCONFIGPATH=path_to_peer2`.

FilipeSilva (Sat, 18 Apr 2020 07:30:27 GMT):
@metadata, I did it

FilipeSilva (Sat, 18 Apr 2020 07:31:24 GMT):
but HF is expecting an admincerts folder inside the path I assigned to `CORE_PEER_MSPCONFIGPATH`

FilipeSilva (Sat, 18 Apr 2020 07:32:08 GMT):
I actually have that folder inside my peers msp but not inside admin msp

metadata (Sat, 18 Apr 2020 07:32:46 GMT):
which hlf version are you using? I'm using `2.0.1` and I'm not facing this issue.

metadata (Sat, 18 Apr 2020 07:33:06 GMT):
I'm using `config.yaml` instead

metadata (Sat, 18 Apr 2020 07:34:30 GMT):
```
users
├── Admin.beta.com
│   └── msp
│       ├── IssuerPublicKey
│       ├── IssuerRevocationPublicKey
│       ├── cacerts
│       │   └── ca.beta.com-cert.pem
│       ├── config.yaml
│       ├── keystore
│       │   └── 3970f2878db565493c30495afccd72366e3890dc890a5eea2a53498a32471057_sk
│       ├── signcerts
│       │   └── cert.pem
│       └── user
└── User1.beta.com
    └── msp
        ├── IssuerPublicKey
        ├── IssuerRevocationPublicKey
        ├── cacerts
        │   └── ca.beta.com-cert.pem
        ├── keystore
        │   └── 401c5c6271ebb31c9c6d6bece2d1197f21b0a8acc23fea5550b8e2af93e136ed_sk
        ├── signcerts
        │   └── cert.pem
        └── user
```

metadata (Sat, 18 Apr 2020 07:35:05 GMT):
In my case, I'm not using admincert at the peer level.

FilipeSilva (Sat, 18 Apr 2020 07:35:29 GMT):
well, how did you generate the certificates for your users?

metadata (Sat, 18 Apr 2020 07:35:57 GMT):
command?

metadata (Sat, 18 Apr 2020 07:37:53 GMT):
there is a script in `fabric-samples/test-network/` (v2.0) to generate the certs using fabric-ca. I'm following that script.

FilipeSilva (Sat, 18 Apr 2020 07:38:46 GMT):
I see

FilipeSilva (Sat, 18 Apr 2020 07:38:59 GMT):
I set up my own CA and generated the certs

metadata (Sat, 18 Apr 2020 07:39:16 GMT):
I'm working on making it more generic like for `N` orgs with `N` peers.

FilipeSilva (Sat, 18 Apr 2020 07:39:34 GMT):
I think I followed an outdated tutorial for certificate generation

FilipeSilva (Sat, 18 Apr 2020 07:39:51 GMT):
that's why my admin certificates required the admincert folder

FilipeSilva (Sat, 18 Apr 2020 07:40:17 GMT):
can you share the subject fields of your admin certificate?

metadata (Sat, 18 Apr 2020 07:40:25 GMT):
sure

metadata (Sat, 18 Apr 2020 07:41:32 GMT):
```
Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = ca.beta.com
Subject: C = US, ST = North Carolina, O = Hyperledger, OU = admin, CN = admin.beta.com
```

metadata (Sat, 18 Apr 2020 07:41:51 GMT):
``` {"attrs":{"hf.Affiliation":"","hf.EnrollmentID":"admin.beta.com","hf.Type":"admin"}} ```

FilipeSilva (Sat, 18 Apr 2020 07:42:34 GMT):
I see

FilipeSilva (Sat, 18 Apr 2020 07:42:55 GMT):
my admin `OU` is set to `client`

metadata (Sat, 18 Apr 2020 07:44:41 GMT):
change it to `--id.type admin` when registering.

FilipeSilva (Sat, 18 Apr 2020 07:49:47 GMT):
I'll do it

FilipeSilva (Sat, 18 Apr 2020 07:49:55 GMT):
ty ;)

MattB97 (Wed, 22 Apr 2020 11:52:55 GMT):
Has joined the channel.

Tim (Thu, 23 Apr 2020 14:07:54 GMT):
Hi, I want to use the fabric ca API and there is one parameter I don't understand; if someone can give me an example, it would be nice. It's for the request `api/v1/identities/{id}` and the parameter is the "Authorization". This parameter encapsulates two parameters: an enrollment cert encoded in base64, and the second is the one I don't understand: "a signature over the certificate and body of request", encoded in base64 too. So if someone can provide me an example it would be very helpful.

gig.vali (Fri, 24 Apr 2020 10:03:56 GMT):
Has joined the channel.

gig.vali (Fri, 24 Apr 2020 10:03:57 GMT):
mentorship

rbole (Sat, 25 Apr 2020 16:40:19 GMT):
Has anybody successfully tried the Fabric CA Operations Guide?

IgorSim (Sat, 25 Apr 2020 20:33:57 GMT):
hi, the TLS cert on the CA server has expired. What is the procedure/command for renewing it or generating a new one?

BrettLogan (Mon, 27 Apr 2020 02:18:01 GMT):
Are you having issues with it? Several of us tested it internally after the doc team wrote it before we published it.

rbole (Mon, 27 Apr 2020 05:01:50 GMT):
Hi, yes I have issues with the creation of the MSP directory of each organization; for me it is unclear which file needs to be copied to the MSP folders. I think I have missed one important step, because the generation of the genesis block failed at the end. In principle, I think the general steps are clear, but which file has to be copied and why some files have to be renamed is unclear to me.

rbole (Mon, 27 Apr 2020 05:07:44 GMT):
so, if you think the guidelines are correct I will try it out further.

BrettLogan (Mon, 27 Apr 2020 05:40:27 GMT):
There is also the new CA deployment guide being worked on here: https://github.com/hyperledger/fabric/pull/764/files

BrettLogan (Mon, 27 Apr 2020 05:41:08 GMT):
The Operations guide tells you how to admin a CA. The deployment guide, as the name implies, actually tells you how to deploy it.

andrii482 (Mon, 27 Apr 2020 12:32:59 GMT):
Has joined the channel.

rbole (Tue, 28 Apr 2020 04:56:07 GMT):
Thank you, I'll go through it.

vishnupradeepmahe (Thu, 30 Apr 2020 18:51:34 GMT):
Has joined the channel.

FilipeSilva (Fri, 01 May 2020 10:32:34 GMT):
Hi, AFAIK we have to provide the value of `clientTlsIdentity` in the connection options in order to use service discovery

FilipeSilva (Fri, 01 May 2020 10:35:39 GMT):
But both the `commercial-paper` and `fabcar` examples are not passing that value when connecting to a gateway and at the same time are using service discovery

FilipeSilva (Fri, 01 May 2020 10:35:57 GMT):
Am I missing something?

Dangana (Mon, 04 May 2020 00:51:34 GMT):
Has joined the channel.

c0deh0use (Mon, 11 May 2020 16:44:52 GMT):
Has joined the channel.

c0deh0use (Mon, 11 May 2020 16:45:16 GMT):
Can someone explain to me what exactly enrolling is?

c0deh0use (Mon, 11 May 2020 16:51:04 GMT):
And also, if I already have an existing user in the CA, how could I fetch his enrollment or cert to add him as a user to my client wallet?

knagware9 (Tue, 12 May 2020 11:48:24 GMT):
When you "enrol" an identity you get the certificates and private keys for it. When you "register" the identity, you are simply creating the user name and password for that identity with the CA server.

knagware9 (Tue, 12 May 2020 11:49:48 GMT):
`import(label, identity)`: Import an identity into the wallet. More details here https://hyperledger.github.io/fabric-sdk-node/release-1.4/module-fabric-network.Wallet.html

ChrisSargent (Tue, 12 May 2020 12:45:42 GMT):
What's the difference between `CreateIdentity` and `Register` in the Fabric Go SDK CA Client? Well, I guess one creates an `identity` and the other registers a `user`, but when would one use one or the other?

SuneetBendre (Fri, 15 May 2020 17:33:17 GMT):
Only an authorized registrar can request the CA to issue an identity for a user, e.g. in our org, HR (registrar) for an employee (user). We perform two operations: 1. enroll admin (registrar) 2. register user (identity)

rbole (Sun, 17 May 2020 08:16:50 GMT):
hi, I'm looking for the same, have you found any solution or example about this?

sudijovski (Mon, 18 May 2020 19:01:53 GMT):
Hello, does anyone have an idea how to handle umlaut characters with fabric-ca-server? In my fabric-ca-server-config.yaml, under the csr section, specifically for the Location I have Zürich. After initializing the server, when inspecting the generated ca-cert.pem for location I have the following: `L = Z\C3\BCrich`. Any ideas on how to solve this?

risc (Tue, 19 May 2020 16:58:32 GMT):
Has left the channel.

c0deh0use (Tue, 19 May 2020 17:12:26 GMT):
Hi, what is the best practice when setting up a fabric-ca instance (or a number of instances) for the network? I know we need one per each org, but what about the root CA, should it be set per each channel or can it be set for the entire network?

VenkateshSYS (Wed, 20 May 2020 17:33:03 GMT):
Has joined the channel.

VenkateshSYS (Wed, 20 May 2020 17:33:04 GMT):
How to create multiple organisations on multiple servers, let's say on AWS with multiple machines? I have the Orderer on AWS server-1 and peerOrg on AWS server-2. Now I want to create a new Organisation on a new AWS server (server-3). The process which I have done is:
- generated artifacts for the new organisation on the Orderer.
- fetching the channel config block and zero block from peerOrg.
- copy config_block from peerOrg to the Orderer and call generate-update block from the Orderer.
- copy the entire fabric-network-setup folder (including the newly created artifacts folder) from the Orderer to the new AWS server (server-3) and peerOrg.
- make signatures from all the organisations available (except the newly created organisation which is on server-3).
- once the signing process is completed from all organisations, call join channel from the orderer.
I am getting trouble with the copy command of fabric-network-setup to peerOrg (actually I am doing tar and untar). So, does anyone know the procedure of doing a multi organisation setup on multiple servers?

BrajeshA (Mon, 25 May 2020 04:24:03 GMT):
Has joined the channel.

BrajeshA (Mon, 25 May 2020 04:24:04 GMT):
I wanted to check if there is a way to achieve the following in the nodejs client of fabric-ca-client 2.1:
1) pass text CSR fields and generate a PEM encoded CSR for external signing.
2) adding CSR fields like organization, country, state etc. during enrollment with the nodejs client; it seems like I can set affiliation, which is added in OU.
All these work with the fabric-ca-client command line but I would like to use it in nodejs.

ooojerryooo (Tue, 26 May 2020 01:56:53 GMT):
Has joined the channel.

smeyerzu (Wed, 27 May 2020 06:03:50 GMT):
Has joined the channel.

BharathiSundar (Fri, 29 May 2020 07:50:31 GMT):
Has joined the channel.

chbtt (Sat, 30 May 2020 12:51:28 GMT):
Has joined the channel.

chbtt (Sat, 30 May 2020 13:28:53 GMT):
Hey, I am trying to figure out if it is possible to run intermediate TLS CAs with fabric-ca-server. Right now I am setting up a Root TLS CA and then the intermediate TLS CA just as if they were enrollment CAs (as described here https://hyperledger-fabric-ca.readthedocs.io/en/latest/deployguide/cadeploy.html#deploy-an-organization-ca ). The intermediate TLS CA starts up properly and even generates the correct "ca-chain.pem". However, when trying to enroll its bootstrap identity, I get the error "Post https://:/enroll: x509: certificate signed by unknown authority" when specifying the Root CA certificate for "--tls.certfiles" of fabric-ca-client. Weirdly, if I specify the intermediate CA certificate it works fine. Now I guess that is because the intermediate CA only supplies what is specified as "tls.certfile" in its configuration. So my question would be, how can I make fabric-ca-server supply its full chain of certificates (if at all possible)?

rohitroyrr8 (Sat, 30 May 2020 14:38:11 GMT):
Has joined the channel.

rohitroyrr8 (Sun, 31 May 2020 11:01:47 GMT):
Error: got unexpected status: FORBIDDEN -- config update for existing channel did not pass initial checks: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied

rohitroyrr8 (Sun, 31 May 2020 11:03:51 GMT):
Getting the above error while trying to create a channel. Also tried using root and intermediate CA but the error still persists.

spartucus (Tue, 02 Jun 2020 08:40:57 GMT):
Default csr.names ST is "North Carolina", but after self-signing, the cert's ST became "California", why is that?

chbtt (Thu, 04 Jun 2020 17:41:02 GMT):
For anyone wondering, simply appending the intermediate CA certificate to the self-signed TLS certificate does the trick.

GmoneyCoder (Thu, 04 Jun 2020 22:32:08 GMT):
Has joined the channel.

mrudav.shukla (Fri, 05 Jun 2020 05:37:50 GMT):
Check this SO if it helps: https://stackoverflow.com/questions/55687562/setting-pem-attributes-for-user-identities-in-hyperledger-fabric

mrudav.shukla (Fri, 05 Jun 2020 05:56:35 GMT):
Check the policies configured in your configtx.yaml and make sure you're running channel creation command with the identity having corresponding rights.

pritam_01 (Fri, 05 Jun 2020 14:09:51 GMT):
Will the certificates signed by the root CA be able to make a transaction to a peer which is signed by an intermediate CA?

randyshu (Mon, 08 Jun 2020 08:26:26 GMT):
I got this error when configuring HSM: `Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: Invalid config. It must not be nil.` It seems to have some problem with the environment variables I set:
```
FABRIC_CA_SERVER_BCCSP_DEFAULT=PKCS11
FABRIC_CA_SERVER_BCCSP_PKCS11_PIN=111
FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL=ForFabric
FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY=/usr/local/lib/softhsm/libsofthsm2.so
```

randyshu (Mon, 08 Jun 2020 08:28:50 GMT):
What confused me is that when I edit the fabric-server-config.yaml BCCSP module and add the PKCS11 config, it runs well... so what is the problem with the above env variables?

BrettLogan (Mon, 08 Jun 2020 14:58:44 GMT):
Environment variables can only be overridden by environment variables if they exist in the config files

chintanr11 (Tue, 09 Jun 2020 11:21:56 GMT):
The CRL will be generated based on the property given as "next update". Now the question is, is it possible to update the local MSPs of the nodes in the network with the latest CRL automatically? Do the peer nodes have a capability which will allow them to periodically and automatically sync the CRL, without having the org admin fetch it from the CA and manually update the local file system of the peer?

nimmerjahn (Tue, 09 Jun 2020 13:35:15 GMT):
Has joined the channel.

z3100 (Wed, 10 Jun 2020 04:53:37 GMT):
Has joined the channel.

govindvb (Fri, 12 Jun 2020 18:06:37 GMT):
Has joined the channel.

littlestar642 (Fri, 12 Jun 2020 22:10:28 GMT):
Has joined the channel.

HichamTAHIRI (Sun, 14 Jun 2020 15:58:01 GMT):
Has joined the channel.

SuperSeiyan (Sun, 14 Jun 2020 16:52:47 GMT):
Hi, I have a question about CA. Would it be possible to create a new CA to join an existing org within the same network? I would like to test a scenario where certificates migrate from the existing CA to the selected CA (I will use NodeJS with the reenroll API). Thank you in advance

c0deh0use (Wed, 17 Jun 2020 06:09:42 GMT):
Hi guys, I'm trying to run the multi raft node setup (SampleMultiNodeEtcdRaft). I'm getting an error that for all other orderers (2, 3, 4 and 5) I don't have the `tls/server.crt` file (or any other files that are for: ClientTLSCert, ServerTLSCert). How should I configure the setup? Should the enroll script create 5 orderer configurations or just one?

c0deh0use (Wed, 17 Jun 2020 06:12:37 GMT):
I have all my other orderer nodes running, but for the purpose of using Fabric-CA I'm not able to get the network up because of these missing files. I can omit them in the configtx.yaml but is that ok?

datocrats-org (Fri, 19 Jun 2020 13:42:46 GMT):
Has joined the channel.

datocrats-org (Fri, 19 Jun 2020 13:42:46 GMT):
Hello, couldn't find where to start a JIRA. I think there's an issue in a dependency named zmap when running on Ubuntu 18.04

datocrats-org (Fri, 19 Jun 2020 13:43:02 GMT):
```
$ go get -u github.com/hypeperledger/fabric-ca/cmd/...
```
error msg:
```
# github.com/hyperledger/fabric-ca/vendor/github.com/zmap/zlilint/lints
/host_mnt/c/code/GOPATH_ubuntu/src/github.com/hyperledger/fababric-ca/vendor/github.com/zmap/zlint/lints/result.go:75:9:nd undefined: strings.ReplaceAll
```

BrettLogan (Sun, 21 Jun 2020 15:18:35 GMT):
While the error doesn't present for me, this would also not be a reasonable way to install the fabric-ca, you would want to do something like `go get -u github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/...`. But also, did you actually name the repo `hypeperledger` instead of `hyperledger`? It's highly probable dependencies are being satisfied properly if you did, as Go imports based on repo name, and the vendored deps would be incorrect

BrettLogan (Sun, 21 Jun 2020 15:19:58 GMT):
`strings.ReplaceAll` is also a function in the standard library, so it also looks like something is wrong with your Go installation. What version of Go are you using, and what is the output of `echo $GOPATH && echo $GOROOT`?

ibanfi (Thu, 25 Jun 2020 09:42:01 GMT):
Has joined the channel.

ibanfi (Thu, 25 Jun 2020 09:48:31 GMT):
Hey, I plan to use Hashicorp Vault instead of Fabric CA, but I cannot create cert with `1.2.3.4.5.6.7.8.1` X509v3 extensions, storing custom attrs, any idea pls?

ashutosh_kumar (Sat, 27 Jun 2020 01:52:37 GMT):
You need to create a new CSR with the custom extension field.

ViokingTung (Mon, 29 Jun 2020 08:37:16 GMT):
Has joined the channel.

marcdk (Mon, 06 Jul 2020 05:29:16 GMT):
Has joined the channel.

rrishmawi (Tue, 07 Jul 2020 11:08:24 GMT):
Hi all, I am running a Hyperledger Fabric network based on Composer. The network admin identity has expired, how do I renew the identity exactly? I do not want to install the network again, apparently.

chance304 (Tue, 07 Jul 2020 14:54:14 GMT):
Has joined the channel.

JohnD (Tue, 07 Jul 2020 16:27:46 GMT):
Has joined the channel.

FarhanShafiq (Wed, 08 Jul 2020 07:04:24 GMT):
Has joined the channel.

FarhanShafiq (Wed, 08 Jul 2020 07:06:50 GMT):
Hi, I have launched the fabric-ca service with a custom CSR and enrolled the fabric-ca admin after it, but the fabric-ca admin cert has the default CSR rather than the custom CSR.

Levilk (Wed, 08 Jul 2020 07:32:44 GMT):
Hello guys! Could someone help me? It seems that in our network most of certs are expired including the admin ones as well. How can I renew them?

FarhanShafiq (Wed, 08 Jul 2020 07:39:16 GMT):
use `fabric-ca-client reenroll`

rrishmawi (Wed, 08 Jul 2020 09:34:47 GMT):
Hello experts, how to increase the certificate lifetime in fabric ca?

newlife 1 (Wed, 08 Jul 2020 18:22:06 GMT):
When I run `go get -u github.com/hyperledger/fabric-ca/cmd/...` to install fabric-ca, I got

newlife 1 (Wed, 08 Jul 2020 18:22:13 GMT):
`go get: github.com/coreos/bbolt@v1.3.2 updating to github.com/coreos/bbolt@v1.3.5: parsing go.mod: module declares its path as: go.etcd.io/bbolt but was required as: github.com/coreos/bbolt`

newlife 1 (Wed, 08 Jul 2020 18:22:30 GMT):
How can I fix this ?

conanoc (Thu, 09 Jul 2020 00:54:52 GMT):
Has joined the channel.

conanoc (Thu, 09 Jul 2020 00:55:10 GMT):
The expiration date seems to be 1 year after the enrollment date when I enroll a user from fabric-ca. Is there a way to specify an expiration date when enrolling a user?

BrettLogan (Thu, 09 Jul 2020 16:56:00 GMT):
CA hasn't moved to Go Modules fully yet, you will need to disable it right now. `GO111MODULE=off go get -u github.com/hyperledger/fabric-ca/cmd/...`

BrettLogan (Thu, 09 Jul 2020 17:13:30 GMT):
You would need to generate your own CSR rather than accepting the default signing profile

conanoc (Fri, 10 Jul 2020 02:14:37 GMT):
Thanks. Should I change the config file of the CA server? Or can I specify the CSR with fabric-ca-client?

BrettLogan (Fri, 10 Jul 2020 02:21:53 GMT):
Ah, what I meant was you can use one of the SDK's to submit a CSR you generated out of band. So you could use openssl (or some other tool) to create the CSR and then submit it to the CA using the SDK. This operation would NOT be supported on the `fabric-ca-client` cli tool

Abhishekkishor (Fri, 10 Jul 2020 05:24:55 GMT):
Hello guys, hope you are doing well. I need your help and guidance in Hyperledger Fabric. Can you please suggest good resources on how to generate crypto materials (manually) using fabric ca in Hyperledger? Also the answers to a few questions. My questions are:
1) Which testing framework to use for fabric contract api chaincode (node.js) testing?
2) How to handle crypto certificates in production projects? How to generate certificates? Where and how to store certificates?
I'll be waiting for all your responses and suggestions. Thanks & regards, Abhishek

anish-edx (Fri, 10 Jul 2020 05:48:12 GMT):
Has joined the channel.

kunalsinha (Fri, 10 Jul 2020 07:33:01 GMT):
Has joined the channel.

glad (Fri, 10 Jul 2020 08:09:40 GMT):
Has joined the channel.

kunalsinha (Fri, 10 Jul 2020 22:00:49 GMT):
I want to add 2 and 3 peers in org2 and org3 of the test-network using CA, respectively. Can someone please help me with the commands?

mrudav.shukla (Sun, 12 Jul 2020 15:11:57 GMT):
This might help: https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html

mrudav.shukla (Sun, 12 Jul 2020 15:15:12 GMT):
For production, ideally, the organisations should have their own CAs or intermediate CAs for generating certificates. There might be a case where you would want to keep separate CAs for transport and enrolment. This should serve as a great reference point in dealing with certificates: https://hyperledger-fabric-ca.readthedocs.io/en/latest/operations_guide.html

ivanovv (Tue, 14 Jul 2020 12:18:46 GMT):
Has joined the channel.

ivanovv (Tue, 14 Jul 2020 13:23:17 GMT):
Hello guys, with CA only (registering, enrolling, etc. users), everything works according to the documentation. I'm trying to use LDAP as the user directory. Connecting to LDAP, enrolling users and getting certificates works fine. Attribute mapping works fine (with some restrictions due to the LDAP). The question is that using LDAP I do not get the organisation and its divisions (affiliation) in the Subject section:
Using CA without LDAP:
```
Subject: OU=client + OU=org1 + OU=ict_department CN=user1
{"attrs":{"hf.Affiliation":"org1.ict_department ","hf.EnrollmentID":"user1","hf.Type":"client","reader":"true"}}
```
Using CA with LDAP:
```
Subject: OU=client CN=user1
{"attrs":{"hf.Affiliation":"org1.ict_department","reader":"true"}}
```
Is this normal and if not, where should I look for more info on the topic? (The general readthedocs.org documentation does not describe these details.) Note: I do not have an "affiliation" attribute for the user in LDAP, but I do have "dn". Thanks, V.Ivanov

newlife 1 (Tue, 14 Jul 2020 16:28:54 GMT):
thank you @BrettLogan

adarshaJha (Wed, 15 Jul 2020 08:34:33 GMT):
fabric-ca unable to restart

adarshaJha (Wed, 15 Jul 2020 08:34:38 GMT):
throwing an error

adarshaJha (Wed, 15 Jul 2020 08:34:52 GMT):
Error: Validation of certificate and key failed: Invalid certificate and/or key in files '/tlsca/ca-cert.pem' and '/etc/hyperledger/fabric-ca-server-config/ica.consigner.biltilink.com.key.pem': Public key and private key do not match

adarshaJha (Wed, 15 Jul 2020 08:38:22 GMT):
My VM got restarted and all docker containers stopped

adarshaJha (Wed, 15 Jul 2020 08:38:40 GMT):
I was able to bring up all the containers but the CA server container is not starting.

lucidprogrammer (Sun, 19 Jul 2020 02:07:23 GMT):
Has joined the channel.

AmanAgrawal (Mon, 20 Jul 2020 05:47:37 GMT):
Hi all, I have been working on rotating Orderer node certs from cryptogen to Fabric CA. I have been following the official documentation here: https://hyperledger-fabric.readthedocs.io/en/release-1.4/raft_configuration.html
Below are the steps that I have tried till now:
- generate new certs with the Fabric CA server for each of the nodes.
- update the configtx.yaml msp path with the new msp path created for the orderer.
- create a new Orderer.json based on the new configtx.yaml.
- update the system channel with the new certs using jq.
Currently I am getting an issue while I try to update the system channel 'testchainid'. The error seen is:
```
Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'testchainid': error authorizing update: error validating DeltaSet: invalid mod_policy for element [Group] /Channel/Application: mod_policy not set
```
Sharing the steps performed on the peer cli:
```
peer channel fetch config config_block.pb -o orderer.org.com:7050 -c $CHANNEL_NAME --tls --cafile $ORDERER_CA
configtxlator proto_decode --input config_block.pb --type common.Block | jq .data.data[0].payload.data.config > config.json
# Find the diff between current config and new config, then output a new json file
jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"OrdererMSP":.[1]}}}}}' config.json Orderer.json > modified_config.json
# add fabric ca tls certs: first drop the existing consenters
jq 'del(.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters[])' modified_config.json > modified_config_1.json
# new ca cert for orderer to update system channel
cert1=$(base64 /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/org.com/orderer/tls-msp/signcerts/cert.pem | sed ':a;N;$!ba;s/\n//g')
# new ca cert for orderer1 to update in system channel
cert2=$(base64 /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/org.com/orderer1/tls-msp/signcerts/cert.pem | sed ':a;N;$!ba;s/\n//g')
# new ca cert for orderer2 to update in system channel
cert3=$(base64 /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/org.com/orderer2/tls-msp/signcerts/cert.pem | sed ':a;N;$!ba;s/\n//g')
# update the new certs on to channel
jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert1'", "host": "orderer.org.com", "port": 7050, "server_tls_cert": "'$cert1'"}]
  | .channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert2'", "host": "orderer1.org.com", "port": 7050, "server_tls_cert": "'$cert2'"}]
  | .channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert3'", "host": "orderer2.org.com", "port": 7050, "server_tls_cert": "'$cert3'"}]' modified_config_1.json > modified_config_2.json
# Converts config.json into config.pb
configtxlator proto_encode --input config.json --type common.Config --output config.pb
# Converts modified_config.json into modified_config.pb
configtxlator proto_encode --input modified_config.json --type common.Config --output modified_config.pb
# Converts modified_config_1.json into modified_config_1.pb
configtxlator proto_encode --input modified_config_1.json --type common.Config --output modified_config_1.pb
# Converts modified_config_2.json into modified_config_2.pb
configtxlator proto_encode --input modified_config_2.json --type common.Config --output modified_config_2.pb
# Calculates the delta between config.pb and modified_config_2.pb, then outputs it
configtxlator compute_update --channel_id $CHANNEL_NAME --original config.pb --updated modified_config_2.pb --output Orderer_ca_update.pb
configtxlator proto_decode --input Orderer_ca_update.pb --type common.ConfigUpdate | jq . > Orderer_ca_update.json
# Wrap the update in an envelope, sign it and submit it
echo '{"payload":{"header":{"channel_header":{"channel_id":"testchainid", "type":2}},"data":{"config_update":'"$(cat Orderer_ca_update.json)"'}}}' | jq . > Orderer_ca_update_in_envelope.json
configtxlator proto_encode --input Orderer_ca_update_in_envelope.json --type common.Envelope --output Orderer_ca_update_in_envelope.pb
peer channel signconfigtx -f Orderer_ca_update_in_envelope.pb
peer channel update -f Orderer_ca_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.org.com:7050 --tls --cafile $ORDERER_CA
```
Any help on how to fix the issue is much appreciated. Thanks

FarhanShafiq (Fri, 24 Jul 2020 09:31:36 GMT):
It seems that your config block is missing channel/application, more specifically the "write" policy to modify the channel group. You can open config.json to check whether channel_group: groups: Application has a policy or not.

FarhanShafiq (Fri, 24 Jul 2020 10:07:33 GMT):
Between updating the "OrdererMSP" in the application channel will not make any difference for you since it doesn't contain node certs but only policies and endpoints, as you can see in the config file. You have to update the orderer group, not the application group, since this is the one that contains the orderer information and certs in the consenters portion of the consensus. If you provide the root cert as an orderer cert in both the client and server cert fields of the consensus consenter, then you will never need to change the block config in case the orderer cert expires.

FarhanShafiq (Fri, 24 Jul 2020 10:09:27 GMT):
You just have to update the orderer node cert in msp folder then restart the orderer node.

randyshu (Mon, 27 Jul 2020 08:27:26 GMT):
An x509 identity can be traced by fabric-ca, how about idemix? Can it be traced?

Heena078 (Wed, 29 Jul 2020 17:27:30 GMT):
Has joined the channel.

rrishmawi (Fri, 31 Jul 2020 15:15:46 GMT):
How to renew a fabric ca certificate?

ItaloCarrasco (Fri, 31 Jul 2020 19:15:48 GMT):
Has joined the channel.

ItaloCarrasco (Fri, 31 Jul 2020 19:15:49 GMT):
Hello, I am trying to generate certs using the fabric ca client but it throws this error and I don't know why:
```
Error: POST failure of request: POST https://localhost:7054/enroll {"hosts":["italo-Latitude-7490"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBSDCB8AIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaLv6dTFp1um9/fEv\nSDKWqDsTkK8Zz7fe7t13Xbbq4XFBqBqo/tNtAgz7yoV4K806wu9GWm793rWX5TH+\namYSA6AxMC8GCSqGSIb3DQEJDjEiMCAwHgYDVR0RBBcwFYITaXRhbG8tTGF0aXR1\nZGUtNzQ5MDAKBggqhkjOPQQDAgNHADBEAiBcMA1sYugOjlcIisLtegFTuowxaur8\nfkaPT3EJfRjhkQIgUiWGHahYkaeZF3pXvRUX0cPdkCdthuQNcFIDXjVZGuI=\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":"ca.example.com"}: Post https://localhost:7054/enroll: x509: certificate is valid for ca.org1.example.com, not localhost
```
Does anyone know what I am missing?

knagware9 (Sat, 01 Aug 2020 07:03:58 GMT):
You need to check the CSR section of the fabric-ca-server-config.yaml file

knagware9 (Sat, 01 Aug 2020 07:04:00 GMT):
```
cn: fabric-ca-server
names:
  - C: US
    ST: "North Carolina"
    L:
    O: Hyperledger
    OU: Fabric
hosts:
  - host1.example.com
  - localhost
ca:
  expiry: 131400h
  pathlength: 1
```

knagware9 (Sat, 01 Aug 2020 07:04:49 GMT):
The admin certificate didn't have localhost in the certificate when the admin identity was bootstrapped the first time

riteek21 (Mon, 03 Aug 2020 01:23:22 GMT):
Has joined the channel.

ever-upwards (Tue, 04 Aug 2020 20:02:59 GMT):
Has joined the channel.

AmanAgrawal (Wed, 05 Aug 2020 09:09:44 GMT):
Hello Farhan, thank you for your response. I have a few questions on the last part you answered.

AmanAgrawal (Wed, 05 Aug 2020 09:14:58 GMT):
Could you please elaborate more on the part where you say update the node cert in the msp folder? I mean, what would be the steps that would need to be done. Regards.

ever-upwards (Wed, 05 Aug 2020 19:48:09 GMT):
Hello, I'm a new Hyperledger Fabric learner. I'm following the Fabric-CA User's Guide (latest) to set up a CA server and client using the Docker Fabric-CA 1.4.8 image. When I start the CA server, I get this error: `Error: TCP listen failed for http://0.0.0.0:7054: listen tcp 0.0.0.0:7054: bind: address already in use`. When I run `sudo netstat -pna | grep 7054` I see that the port is in use by "docker-proxy". I've only got one Docker container up, which happens to be the fabric-ca-server container. I noticed that the docker-compose.yml file and the fabric-ca-server-config.yaml files both use port 7054. Should these be different?

ever-upwards (Wed, 05 Aug 2020 21:32:10 GMT):
Answering my own question - I didn't stop to realize that the docker-compose file already contained the fabric-ca-server start command. I was trying to start it manually after it was already started by docker (which is why I was getting the 7054 port conflict error).

nimmerjahn (Thu, 06 Aug 2020 07:58:57 GMT):
Hey, is it possible to change the logging format of the fabric-ca to json?

itochterman (Thu, 06 Aug 2020 17:17:42 GMT):
Has joined the channel.

itochterman (Thu, 06 Aug 2020 17:17:42 GMT):
Hi I'm new to this forum so apologies in advance for any noob issues. I'm having some difficulties trying to dynamically retrieve roles and affiliations from Fabric CA user contexts. It seems that these properties are coming up null. I've seen a couple similar questions on stack overflow, but nobody has found a solution. I'm pasting both my code and console output: ``` const pword = await ca.register({enrollmentID: userName, enrollmentSecret: password, role: "client", affiliation: "org1.department1"}, adminUser); const enrollment = await ca.enroll({enrollmentID: userName, enrollmentSecret: pword}); const x509Identity = { credentials: { certificate: enrollment.certificate, privateKey: enrollment.key.toBytes(), }, mspId: 'org0-example-com', type: 'X.509', }; await wallet.put(userName, x509Identity); const targ = await wallet.get(userName); const user= wallet.getProviderRegistry().getProvider(targ.type); const targetUser = await user.getUserContext(targ, userName); console.log("Roles are: "+targetUser);```

itochterman (Thu, 06 Aug 2020 17:17:42 GMT):
Hi, I'm new to this forum so apologies in advance for any noob issues. I'm having some difficulties trying to dynamically retrieve roles and affiliations from Fabric CA user contexts. It seems that these properties are coming up null. I've seen a couple similar questions on stack overflow, but nobody has found a solution. I'm pasting both my code and console output:
```
const pword = await ca.register({enrollmentID: userName, enrollmentSecret: password, role: "client", affiliation: "org1.department1"}, adminUser);
const enrollment = await ca.enroll({enrollmentID: userName, enrollmentSecret: pword});
const x509Identity = {
    credentials: {
        certificate: enrollment.certificate,
        privateKey: enrollment.key.toBytes(),
    },
    mspId: 'org0-example-com',
    type: 'X.509',
};
await wallet.put(userName, x509Identity);
const targ = await wallet.get(userName);
const user = wallet.getProviderRegistry().getProvider(targ.type);
const targetUser = await user.getUserContext(targ, userName);
console.log("Roles are: " + targetUser);
```
```
Roles are: {"name":"dave","mspid":"org0-example-com","roles":null,"affiliation":"","enrollmentSecret":"","enrollment":_____ (Certificate, signingKey…)
```

itochterman (Thu, 06 Aug 2020 17:18:11 GMT):
Yikes. Didn't mean to send that yet. Here's a link to my stack overflow question: https://stackoverflow.com/questions/63286380/when-trying-to-access-hyperledger-fabric-identity-provider-context-roles-and-af

ever-upwards (Fri, 07 Aug 2020 20:21:31 GMT):
What is the advantage/disadvantage of starting a CA server using Docker vs. natively?

metadata (Sat, 08 Aug 2020 12:47:53 GMT):
hello all, I'm getting an error `Error: Failed to parse response: Client sent an HTTP request to an HTTPS server` when trying to register an identity. tls is enabled on fabric-ca-server. **command**
```
fabric-ca-client register -d --id.name john --id.type client --id.affiliation myorg.department1 --id.attrs '"hf.Registrar.Roles=peer,client",hf.Revoker=true' --tls.certfiles networks/crypto-config/peerOrganizations/myorg.com/tlsca/tlsca.myorg.com-cert.pem
```
please help

nimmerjahn (Mon, 10 Aug 2020 07:29:01 GMT):
Hey, the default url of the fabric-ca-server is `http://localhost:7054`, so you must add `--url https://localhost:7054`.

metadata (Mon, 10 Aug 2020 07:29:59 GMT):
ok. Thanks @nimmerjahn

ever-upwards (Tue, 11 Aug 2020 23:11:43 GMT):
When I start a Fabric CA with this docker-compose file (https://pastebin.com/80kzVTq2), I see the following:
```
CONTAINER ID   IMAGE                         COMMAND                  CREATED        STATUS                  PORTS                              NAMES
c897ec86f41b   hyperledger/fabric-ca:1.4.8   "sh -c 'fabric-ca-se…"   1 second ago   Up Less than a second   7054/tcp, 0.0.0.0:7055->7055/tcp   fabric-ca-server
```
I'm confused by the "Ports" showing as: "7054/tcp, 0.0.0.0:7055->7055/tcp". In my docker-compose file (see link at top), I specify Ports 7055:7055. Why does 7054 show up in the port list? I did a quick grep on the project directory and found this result:
```
user@Org1:~/$ sudo grep -r -i 7054 CAcertProject/
CAcertProject/tls-ca-server/fabric-ca-server-config.yaml:# Server's listening port (default: 7054)
CAcertProject/tls-ca-server/fabric-ca-server-config.yaml:port: 7054
```
(This yaml file was created when I ran my docker-compose file. It did not exist prior to me bringing up the CA server.)

ever-upwards (Tue, 11 Aug 2020 23:41:25 GMT):
By the way, it looks like only port 7055 is being used (which is good since that's what I put in the docker-compose file),
```
user@Org1:~$ sudo netstat -pna | grep -E '7054|7055'
tcp6       0      0 :::7055                 :::*                    LISTEN      23926/docker-proxy
```
but I'm still wondering why 7054 is showing up in the docker ps listing (and in the generated yaml file).

ItaloCarrasco (Wed, 12 Aug 2020 17:57:01 GMT):
When you enroll to get tlscacerts, is there a way to specify the name of the tlscert generated? I am having problems because the expected file is localhost-5000-example.com.pem and the generated file has this name: localhost-5000-example-com.pem; it changes .com to -com.

Lucasemori (Wed, 12 Aug 2020 18:07:56 GMT):
Has joined the channel.

ashoksiri (Mon, 17 Aug 2020 09:42:00 GMT):
Has joined the channel.

ashoksiri (Mon, 17 Aug 2020 09:42:01 GMT):
Hello everyone

ashoksiri (Mon, 17 Aug 2020 09:42:33 GMT):
Can anyone help me with how to create crypto material using a custom CA certificate?

antoniovassell (Mon, 17 Aug 2020 16:43:13 GMT):
Hi, is there a way to renew peer admin certs *after* they have expired?

antoniovassell (Mon, 17 Aug 2020 16:44:37 GMT):
I tried using `fabric-ca-client reenroll`, however it gives me the error "certificate has expired or is not valid". Does this mean you can't reenroll a peer if the cert expired? What other options do I have?

ItaloCarrasco (Mon, 17 Aug 2020 21:20:58 GMT):
hello, I am trying to get a cert list using fabric-ca-client but I am getting this error:
```
fabric-ca-client certificate list -u http://localhost:7054 --id org1admin -M ${PWD}/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp --tls.certfiles ${PWD}/crypto-config/fabric-ca/org1/tls-cert.pem
Error: invalid character 'C' looking for beginning of value
```
does anyone know what it means?

xixuejia (Tue, 18 Aug 2020 02:04:23 GMT):
Hi all, does Fabric support ed25519 curve?

amolpednekar (Tue, 18 Aug 2020 06:37:33 GMT):
Since each organisation uses their own CA in a Fabric network, how does OrgB know which CA OrgA uses and trusts? When is this information shared?

MaximeVanmeerbeck (Tue, 18 Aug 2020 10:44:42 GMT):
Has joined the channel.

MaximeVanmeerbeck (Tue, 18 Aug 2020 10:44:42 GMT):
Hello guys! Is it possible to use OpenID (or oauth2, etc) to login to Fabric CA using the keys ? I'm thinking of using Keycloak.

smithbk (Tue, 18 Aug 2020 16:11:09 GMT):
Has left the channel.

ever-upwards (Tue, 18 Aug 2020 21:07:45 GMT):
@ItaloCarrasco This may be a different issue, but if you are providing a TLS certificate, shouldn't the url be "https" instead of "http?"

ItaloCarrasco (Tue, 18 Aug 2020 21:09:37 GMT):
it should, but if you use http and don't pass a tls cert file path it throws an error asking for it

ItaloCarrasco (Tue, 18 Aug 2020 21:12:06 GMT):
I tried without passing a url, and it works, considering that the default url uses http

SuneetBendre (Wed, 19 Aug 2020 11:37:00 GMT):
With Fabric 2.2, below are two observations on the fabcar sample (not working):
1. fabcar is referring to test-network with CA as the crypto option. But the docker compose file does not refer to the correct location of the crypto material, so further transactions do not work.
2. Admincert in the MSP folder is always empty with CA/CRYPTOGEN with the default setting.
Has anyone faced the above issue, and is there any solution?

ever-upwards (Wed, 19 Aug 2020 14:51:59 GMT):
I'm curious about this question as well.

Epicman208 (Thu, 20 Aug 2020 15:52:06 GMT):
Has joined the channel.

BrettLogan (Thu, 20 Aug 2020 17:16:45 GMT):
The CA's certs are part of the org's MSP. The MSP is encoded in the Fabric config block you created when you joined the peer to the channel

BrettLogan (Thu, 20 Aug 2020 17:17:23 GMT):
So the peers can verify signatures and certs against the msp from the config contained on the ledger itself

sadalmelik828 (Fri, 21 Aug 2020 00:12:28 GMT):
Has joined the channel.

ana.franco (Fri, 21 Aug 2020 12:30:41 GMT):
Has joined the channel.

ana.franco (Fri, 21 Aug 2020 12:31:23 GMT):
Hi, I'm using Fabric V1.4.4 and I'm connecting to an LDAP to get my identities. I have a doubt: now that I can only enroll users and can't register new ones, how do I register the credentials for the TLS in my CA? Or how can I establish the TLS communication with the Gateway? Do I need to create a tls user in the LDAP? Can I use the same certificate and private key from the user?

ana.franco (Fri, 21 Aug 2020 12:36:34 GMT):
Also, I'm getting this error while trying to install my chaincode using the ldap user: `The identity does not contain OU [ADMIN], MSP: [Org1MSP]`. How can I tell the CA that this user is an admin? I was trying with a converter like this: `name: hf.Registrar.Roles, value: attr("memberof")` for a user that has a memberof attribute = admin but it didn't work

ItaloCarrasco (Fri, 21 Aug 2020 20:38:33 GMT):
hello everyone, I've noticed that some of the fabric ca configurations don't allow the usage of dots in hostnames, as it changes them to dashes automatically. What is the reason behind that?

amolpednekar (Tue, 25 Aug 2020 09:47:04 GMT):
Thanks Brett!

BrettLogan (Thu, 27 Aug 2020 05:10:17 GMT):
If you've enabled NodeOUs they must be specified

BrettLogan (Thu, 27 Aug 2020 05:12:11 GMT):
dot is a reserved character in many instances, as it can be interpreted as a regular expression, or as an extension when parsing. Many configuration parameters are used to generate file names; if they had additional dots in them they would appear as extensions when parsing them, or be interpreted as regular expressions in comparisons

BrettLogan (Thu, 27 Aug 2020 05:13:17 GMT):
2.2 Fabric-Samples will not use Fabcar, it's being removed

BrettLogan (Thu, 27 Aug 2020 05:14:16 GMT):
And several folders are created by default, the expectation is you would rename and copy some of the generated certs into these directories.

Funbric (Thu, 27 Aug 2020 05:17:30 GMT):
Has joined the channel.

pkirkinezis (Thu, 27 Aug 2020 10:44:24 GMT):
Has joined the channel.

pkirkinezis (Thu, 27 Aug 2020 10:44:26 GMT):
Hi to the community. Has anyone faced a problem I have? My fabric network has been up and running for 1.5 months now. Today, without changing anything, my JAVA SDK program returns `{"result":"","errors":[{"code":0,"message":"The CSR subject common name must equal the enrollment ID"} ],"messages":[],"success":false}` whenever I try to interact with the blockchain.

pkirkinezis (Thu, 27 Aug 2020 10:44:51 GMT):
while trying to enroll with admin so i can register a new user

pkirkinezis (Thu, 27 Aug 2020 10:47:59 GMT):
Any help will be appreciated

ItaloCarrasco (Thu, 27 Aug 2020 18:33:57 GMT):
is it safe to rename the certs after their creation?

Heena078 (Fri, 28 Aug 2020 11:27:45 GMT):
Hello everyone, I am getting this issue while trying to run this command: `sudo make fabric-ca-server`
```
:~/work/go/src/github.com/hyperledger/fabric-ca$ sudo make fabric-ca-server
Building fabric-ca-server in bin directory ...
# github.com/hyperledger/fabric-ca/util
/root/go/pkg/mod/github.com/hyperledger/fabric-ca@v1.4.8/util/csp.go:119:8: invalid operation: kr == nil (mismatched types csr.KeyRequest and nil)
/root/go/pkg/mod/github.com/hyperledger/fabric-ca@v1.4.8/util/csp.go:127:12: undefined: bccsp.RSA2048KeyGenOpts
/root/go/pkg/mod/github.com/hyperledger/fabric-ca@v1.4.8/util/csp.go:129:12: undefined: bccsp.RSA3072KeyGenOpts
/root/go/pkg/mod/github.com/hyperledger/fabric-ca@v1.4.8/util/csp.go:131:12: undefined: bccsp.RSA4096KeyGenOpts
/root/go/pkg/mod/github.com/hyperledger/fabric-ca@v1.4.8/util/csp.go:204:37: cannot use req.KeyRequest (type *csr.KeyRequest) as type csr.KeyRequest in argument to getBCCSPKeyOpts
# github.com/hyperledger/fabric-ca/lib/server/operations
/root/go/pkg/mod/github.com/hyperledger/fabric-ca@v1.4.8/lib/server/operations/system.go:136:28: undefined: "github.com/prometheus/client_golang/prometheus".Handler
/root/go/pkg/mod/github.com/hyperledger/fabric-ca@v1.4.8/lib/server/operations/system.go:173:23: not enough arguments in call to s.statsd.SendLoop
	have (<-chan time.Time, string, string)
	want (context.Context, <-chan time.Time, string, string)
make: *** [Makefile:111: bin/fabric-ca-server] Error 2
```

RobinKlemens (Tue, 01 Sep 2020 15:21:28 GMT):
Has joined the channel.

RobinKlemens (Tue, 01 Sep 2020 15:21:28 GMT):
@guptasndp10 @BrettLogan Any updates on this? I run into the following error:
```
ca_org1 | 2020/09/01 15:12:18 [DEBUG] Checking configuration file version '2.0.0' against server version: '2.0.0-snapshot-a07c3fe8'
ca_org1 | 2020/09/01 15:12:18 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts: PluginOpts: Pkcs11Opts:0xc0004cc880}
ca_org1 | 2020/09/01 15:12:18 [DEBUG] Initializing BCCSP with PKCS11 options {SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc0004c1990 DummyKeystore: Library:/etc/hyperledger/fabric/libsofthsm2.so Label:****** Pin:****** SoftVerify:false Immutable:false AltId:}
ca_org1 | 2020/09/01 15:12:18 [DEBUG] Closing server DBs
ca_org1 | Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: Failed initializing PKCS11 library /etc/hyperledger/fabric/libsofthsm2.so fabric: Instantiate failed [/etc/hyperledger/fabric/libsofthsm2.so]
ca_org1 exited with code 1
```
Docker-compose file:
```
ca_org1:
  image: hyperledger/fabric-ca:2.0.0
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_CA_NAME=ca-org1
    - FABRIC_CA_SERVER_TLS_ENABLED=true
    - FABRIC_CA_SERVER_PORT=7054
    - FABRIC_CA_SERVER_BCCSP_DEFAULT=PKCS11
    - FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/libsofthsm2.so
    - FABRIC_CA_SERVER_BCCSP_PKCS11_PIN=123456789
    - FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL=fabric
    - SOFTHSM2_CONF=/etc/hyperledger/fabric/config.file
  ports:
    - "7054:7054"
  command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
  volumes:
    - ../organizations/fabric-ca/org1:/etc/hyperledger/fabric-ca-server
    - ./config.file:/etc/hyperledger/fabric/config.file
    - /usr/local/Cellar/softhsm/2.6.1/lib/softhsm/libsofthsm2.so:/etc/hyperledger/fabric/libsofthsm2.so
  container_name: ca_org1
  networks:
    - test
```
fabric-ca-server-config.yaml
```
bccsp:
  default: PKCS11
  pkcs11:
    Library: /usr/local/Cellar/softhsm/2.1.0/lib/softhsm/libsofthsm2.so
    Pin: 98765432
    Label: ForFabric
    hash: SHA2
    security: 256
    filekeystore:
      # The directory used for the software file-based keystore
      keystore: msp/keystore
```
Also I verified libsofthsm2.so
```
pkcs11-tool --module /usr/local/Cellar/softhsm/2.6.1/lib/softhsm/libsofthsm2.so -l -t
Using slot 0 with a present token (0x6ea8afd0)
Logging in to "fabric".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom(): seems to be OK
Digests: all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
Signatures: not implemented
Verify (currently only for RSA)
  No private key found for testing
Decryption (currently only for RSA)
No errors
```
SoftHSM config file. I'm using SoftHSM v2.6.1.
```
# SoftHSM v2 configuration file
directories.tokendir = /usr/local/var/lib/softhsm/tokens/
objectstore.backend = file
# ERROR, WARNING, INFO, DEBUG
log.level = ERROR
# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
# Enable and disable PKCS#11 mechanisms using slots.mechanisms.
slots.mechanisms = ALL
# If the library should reset the state on fork
library.reset_on_fork = false
```

RobinKlemens (Tue, 01 Sep 2020 17:16:00 GMT):
@guptasndp10 what did you change in your configuration? I run into the following error:
```
ca_org1 | 2020/09/01 15:12:18 [DEBUG] Checking configuration file version '2.0.0' against server version: '2.0.0-snapshot-a07c3fe8'
ca_org1 | 2020/09/01 15:12:18 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts: PluginOpts: Pkcs11Opts:0xc0004cc880}
ca_org1 | 2020/09/01 15:12:18 [DEBUG] Initializing BCCSP with PKCS11 options {SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc0004c1990 DummyKeystore: Library:/etc/hyperledger/fabric/libsofthsm2.so Label:****** Pin:****** SoftVerify:false Immutable:false AltId:}
ca_org1 | 2020/09/01 15:12:18 [DEBUG] Closing server DBs
ca_org1 | Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: Failed initializing PKCS11 library /etc/hyperledger/fabric/libsofthsm2.so fabric: Instantiate failed [/etc/hyperledger/fabric/libsofthsm2.so]
ca_org1 exited with code 1
```
Docker-compose file:
```
ca_org1:
  image: hyperledger/fabric-ca:2.0.0
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_CA_NAME=ca-org1
    - FABRIC_CA_SERVER_TLS_ENABLED=true
    - FABRIC_CA_SERVER_PORT=7054
    - FABRIC_CA_SERVER_BCCSP_DEFAULT=PKCS11
    - FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/libsofthsm2.so
    - FABRIC_CA_SERVER_BCCSP_PKCS11_PIN=123456789
    - FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL=fabric
    - SOFTHSM2_CONF=/etc/hyperledger/fabric/config.file
  ports:
    - "7054:7054"
  command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
  volumes:
    - ../organizations/fabric-ca/org1:/etc/hyperledger/fabric-ca-server
    - ./config.file:/etc/hyperledger/fabric/config.file
    - /usr/local/Cellar/softhsm/2.6.1/lib/softhsm/libsofthsm2.so:/etc/hyperledger/fabric/libsofthsm2.so
  container_name: ca_org1
  networks:
    - test
```
fabric-ca-server-config.yaml
```
bccsp:
  default: PKCS11
  pkcs11:
    Library: /usr/local/Cellar/softhsm/2.1.0/lib/softhsm/libsofthsm2.so
    Pin: 98765432
    Label: ForFabric
    hash: SHA2
    security: 256
    filekeystore:
      # The directory used for the software file-based keystore
      keystore: msp/keystore
```
Also I verified libsofthsm2.so
```
pkcs11-tool --module /usr/local/Cellar/softhsm/2.6.1/lib/softhsm/libsofthsm2.so -l -t
Using slot 0 with a present token (0x6ea8afd0)
Logging in to "fabric".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom(): seems to be OK
Digests: all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
Signatures: not implemented
Verify (currently only for RSA)
No private key found for testing
Decryption (currently only for RSA)
No errors
```
SoftHSM config file. I'm using SoftHSM v2.6.1.
```
# SoftHSM v2 configuration file
directories.tokendir = /usr/local/var/lib/softhsm/tokens/
objectstore.backend = file

# ERROR, WARNING, INFO, DEBUG
log.level = ERROR

# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false

# Enable and disable PKCS#11 mechanisms using slots.mechanisms.
slots.mechanisms = ALL

# If the library should reset the state on fork
library.reset_on_fork = false
```

RobinKlemens (Tue, 01 Sep 2020 17:16:00 GMT):
@guptasndp10 @BrettLogan Any updates on this? I run into the following error:
```
ca_org1 | 2020/09/01 15:12:18 [DEBUG] Checking configuration file version '2.0.0' against server version: '2.0.0-snapshot-a07c3fe8'
ca_org1 | 2020/09/01 15:12:18 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts: PluginOpts: Pkcs11Opts:0xc0004cc880}
ca_org1 | 2020/09/01 15:12:18 [DEBUG] Initializing BCCSP with PKCS11 options {SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc0004c1990 DummyKeystore: Library:/etc/hyperledger/fabric/libsofthsm2.so Label:****** Pin:****** SoftVerify:false Immutable:false AltId:}
ca_org1 | 2020/09/01 15:12:18 [DEBUG] Closing server DBs
ca_org1 | Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: Failed initializing PKCS11 library /etc/hyperledger/fabric/libsofthsm2.so fabric: Instantiate failed [/etc/hyperledger/fabric/libsofthsm2.so]
ca_org1 exited with code 1
```
Docker-compose file:
```
ca_org1:
  image: hyperledger/fabric-ca:2.0.0
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    - FABRIC_CA_SERVER_CA_NAME=ca-org1
    - FABRIC_CA_SERVER_TLS_ENABLED=true
    - FABRIC_CA_SERVER_PORT=7054
    - FABRIC_CA_SERVER_BCCSP_DEFAULT=PKCS11
    - FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/libsofthsm2.so
    - FABRIC_CA_SERVER_BCCSP_PKCS11_PIN=123456789
    - FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL=fabric
    - SOFTHSM2_CONF=/etc/hyperledger/fabric/config.file
  ports:
    - "7054:7054"
  command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
  volumes:
    - ../organizations/fabric-ca/org1:/etc/hyperledger/fabric-ca-server
    - ./config.file:/etc/hyperledger/fabric/config.file
    - /usr/local/Cellar/softhsm/2.6.1/lib/softhsm/libsofthsm2.so:/etc/hyperledger/fabric/libsofthsm2.so
  container_name: ca_org1
  networks:
    - test
```
fabric-ca-server-config.yaml
```
bccsp:
  default: PKCS11
  pkcs11:
    Library: /usr/local/Cellar/softhsm/2.1.0/lib/softhsm/libsofthsm2.so
    Pin: 98765432
    Label: ForFabric
    hash: SHA2
    security: 256
    filekeystore:
      # The directory used for the software file-based keystore
      keystore: msp/keystore
```
Also I verified libsofthsm2.so
```
pkcs11-tool --module /usr/local/Cellar/softhsm/2.6.1/lib/softhsm/libsofthsm2.so -l -t
Using slot 0 with a present token (0x6ea8afd0)
Logging in to "fabric".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom(): seems to be OK
Digests: all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
Signatures: not implemented
Verify (currently only for RSA)
No private key found for testing
Decryption (currently only for RSA)
No errors
```
SoftHSM config file. I'm using SoftHSM v2.6.1.
```
# SoftHSM v2 configuration file
directories.tokendir = /usr/local/var/lib/softhsm/tokens/
objectstore.backend = file

# ERROR, WARNING, INFO, DEBUG
log.level = ERROR

# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false

# Enable and disable PKCS#11 mechanisms using slots.mechanisms.
slots.mechanisms = ALL

# If the library should reset the state on fork
library.reset_on_fork = false
```

YangMiranda (Tue, 01 Sep 2020 19:15:13 GMT):
Has joined the channel.

YangMiranda (Tue, 01 Sep 2020 19:17:03 GMT):
Hi, is it possible to integrate a Fabric CA with Keycloak in any way?

sahilgoel (Wed, 02 Sep 2020 04:41:54 GMT):
Hi, I have deployed the fabric CA with TLS. The deployment is successful and the CA is running. But when I try to enroll the admin user it throws a TLS handshake error. The origin 0.0.0.0 is already present in the ca-cert.pem which was generated when the CA was deployed, and I am using the same file in the TLS certs to enroll the user.

sahilgoel (Wed, 02 Sep 2020 04:41:54 GMT):
Hi, I have deployed the fabric CA with TLS. The deployment is successful and the CA is running. But when I try to enroll the admin user it throws a TLS handshake error. The origin 0.0.0.0 is already present in the ca-cert.pem which was generated when the CA was deployed, and I am using the same file in the TLS certs to enroll the user. Here is the decoded version of the cert:
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:0d:6f:f0:33:97:28:ab:8c:11:21:45:d7:4b:17:c0:31:00:0b:26
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=ca-xjmqzzka
        Validity
            Not Before: Sep  2 04:05:00 2020 GMT
            Not After : Aug 30 04:05:00 2035 GMT
        Subject: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=ca-xjmqzzka
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:cf:d2:4f:9a:4d:37:ae:83:44:fb:d3:30:64:e7:
                    a5:ca:b8:e8:cf:e2:1b:0c:ba:85:8f:89:0d:bd:9c:
                    16:bf:8f:d1:85:39:d6:f9:d1:3b:35:25:84:d2:3f:
                    95:c7:bb:2b:6b:7c:77:fe:8e:fd:51:71:cf:6e:cc:
                    fd:8a:f3:10:13
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier:
                B0:09:8A:40:08:8E:09:FD:DE:26:1F:A8:56:1A:DC:BA:E8:53:2F:F1
            X509v3 Subject Alternative Name:
                IP Address:0.0.0.0, IP Address:127.0.0.1
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:e2:7a:53:03:30:ff:9b:67:52:dd:aa:c4:6d:
         ce:39:bc:17:c4:4c:53:b2:fe:a5:0c:8c:c1:b5:7b:50:a6:ac:
         f5:02:20:73:95:28:0e:68:4b:a6:0b:ef:36:16:3e:da:29:2a:
         4f:6d:61:27:ee:09:0f:e3:11:72:36:fc:38:10:7a:de:b6
```

BrettLogan (Thu, 03 Sep 2020 01:24:47 GMT):
What command are you using to enroll the admin?

chintanr11 (Thu, 03 Sep 2020 11:11:48 GMT):
Hi team, I am trying to identify security effects of extended key usages in node enrollment certificates. I want to add an extended key usage in my node enrollment certificate, but I am unsure about which usage to put up. I have added more info here: https://lists.hyperledger.org/g/fabric/message/8953

bh4rtp (Thu, 03 Sep 2020 11:12:38 GMT):
hi, how to register an identity with fabric `admin` role?

AmanAgrawal (Fri, 04 Sep 2020 15:24:49 GMT):
Hi All, does anyone have an idea how we can rotate an organization's peer root certificate and TLS root certificate before they expire? The org root certificates and child certificates are about to expire, and I do not want to create certificates from scratch, as I won't be able to update the existing application channel with these new root certificates (already tried and failed). Here is the error that I get when I try to update the application channel with new admin, root and TLS root certificates under the Application section of the Organization MSP:
```
error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Application/OrganizationMSP/MSP not satisfied: signature set did not satisfy policy.
```
Any leads would be highly appreciated. Regards.

jorgeRodriguez (Tue, 08 Sep 2020 02:52:37 GMT):
Has joined the channel.

ps.agboola.ayodeji (Tue, 08 Sep 2020 15:25:47 GMT):
Has joined the channel.

caduellery (Thu, 10 Sep 2020 23:37:02 GMT):
I'd like to know this too...

siburu (Fri, 11 Sep 2020 04:34:54 GMT):
Has joined the channel.

RahulEth (Fri, 11 Sep 2020 07:01:55 GMT):
Has joined the channel.

RahulEth (Fri, 11 Sep 2020 07:01:55 GMT):
Hi all, in HLF all signing keys and certs get stored in the wallet, and the wallet is hosted on the back-end. I mean the project owner has access to the wallet and can easily get all signing keys and make transactions on a user's behalf. My main concern is wallet security. How can we make it more secure and decentralised so that even the owner of the project cannot have access to the wallet? All suggestions are welcome.

amolpednekar (Fri, 11 Sep 2020 11:06:02 GMT):
Use a HSM

amolpednekar (Fri, 11 Sep 2020 11:06:17 GMT):
One option is using HSM

bh4rtp (Mon, 14 Sep 2020 03:14:23 GMT):
hi, in the `csr` block of `fabric-ca-server-config.yaml`, should i configure csr like this:
```
csr:
  cn: ca.org1.example.com
  names:
    - C: US
      ST: "North Carolina"
      L: "Durham"
      O: org1.example.com
      OU:
  hosts:
    - localhost
    - org1.example.com
  ca:
    expiry: 131400h
    pathlength: 1
```
or like this:
```
csr:
  cn: ca.org1.example.com
  names:
    - C: US
      ST: "North Carolina"
      L: "Durham"
      O: org1.example.com
      OU:
  hosts:
    - localhost
    - org1.example.com
  ca:
    expiry: 131400h
    pathlength: 1
```

bh4rtp (Mon, 14 Sep 2020 03:14:23 GMT):
hi, in the `csr` block of `fabric-ca-server-config.yaml`, should i configure csr like this:
```
csr:
  cn: ca.org1.example.com
  names:
    - C: US
      ST: "North Carolina"
      L: "Durham"
      O: org1.example.com
      OU:
  hosts:
    - localhost
    - org1.example.com
  ca:
    expiry: 131400h
    pathlength: 1
```
or like this:
```
csr:
  cn: ca.org1.example.com
  names:
    - C: US
      ST: "North Carolina"
      L: "Durham"
      O: org1.example.com
      OU:
  hosts:
    - localhost
    - ca.org1.example.com
  ca:
    expiry: 131400h
    pathlength: 1
```

bh4rtp (Mon, 14 Sep 2020 03:14:23 GMT):
hi, in the `csr.hosts` block of `fabric-ca-server-config.yaml`, should i configure csr like this:
```
csr:
  cn: ca.org1.example.com
  names:
    - C: US
      ST: "North Carolina"
      L: "Durham"
      O: org1.example.com
      OU:
  hosts:
    - localhost
    - org1.example.com
  ca:
    expiry: 131400h
    pathlength: 1
```
or like this:
```
csr:
  cn: ca.org1.example.com
  names:
    - C: US
      ST: "North Carolina"
      L: "Durham"
      O: org1.example.com
      OU:
  hosts:
    - localhost
    - ca.org1.example.com
  ca:
    expiry: 131400h
    pathlength: 1
```

bh4rtp (Mon, 14 Sep 2020 03:15:07 GMT):
and which one is correct?

bh4rtp (Mon, 14 Sep 2020 03:15:07 GMT):
and what is the difference?

HoneyShah (Wed, 16 Sep 2020 06:37:21 GMT):
Hello, Can anyone please help me on how to renew certificates for orderers and peers if they got expired?

MinatoReturns (Thu, 17 Sep 2020 07:59:58 GMT):
Has joined the channel.

vioking (Fri, 18 Sep 2020 16:50:57 GMT):
Has joined the channel.

TheRainight (Mon, 21 Sep 2020 12:15:08 GMT):
Has joined the channel.

TheRainight (Mon, 21 Sep 2020 12:15:08 GMT):
When I started the fabricCA server with docker, using the command
```
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
```
an error occurs:
```
Error: POST failure of request: POST http://localhost:7054/enroll {"hosts":["ubuntu"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBPDCB4wIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEA0xOrwYS5y3LYsWo\n4SVsajuCAV3fYhxF3p1HbW4koQyjH1oHjCp3+dXfBbp2tV5ADdHrAemnrC+JR9zq\nvq1tKqAkMCIGCSqGSIb3DQEJDjEVMBMwEQYDVR0RBAowCIIGdWJ1bnR1MAoGCCqG\nSM49BAMCA0gAMEUCIQC7DFmf8FQ4CEZfI9x+rIlymeVbfz7kdcN1w3O9i9YrbwIg\nJeBScp3ut4sSqRdgSYuM+TjDO+eDMiFvbvGEUJYe7Ic=\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","ReturnPrecert":false,"CAName":""}: Post "http://localhost:7054/enroll": net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"
```
docker-compose.yml:
```
image: hyperledger/fabric-ca
container_name: ca.buyer.com
environment:
  - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
  - FABRIC_CA_SERVER_CA_NAME=ca.buyer.com
  - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.buyer.com-cert.pem
  - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/78e27e6db18578fefd8a98fe74f8393e4cb5ee414e887f3325e4105239757727_sk
  - FABRIC_CA_SERVER_TLS_ENABLED=true
  - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.buyer.com-cert.pem
  - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/78e27e6db18578fefd8a98fe74f8393e4cb5ee414e887f3325e4105239757727_sk
ports:
  - 7054:7054
command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
volumes:
  - ./crypto-config/peerOrganizations/buyer.com/ca/:/etc/hyperledger/fabric-ca-server-config
networks:
  default:
    aliases:
      - ca.buyer.com
```

TheRainight (Mon, 21 Sep 2020 12:17:42 GMT):
When I started the fabricCA server with docker, using the command
```
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
```
an error occurs:
```
Error: POST failure of request: POST http://localhost:7054/enroll {"hosts":["ubuntu"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBPDCB4wIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEA0xOrwYS5y3LYsWo\n4SVsajuCAV3fYhxF3p1HbW4koQyjH1oHjCp3+dXfBbp2tV5ADdHrAemnrC+JR9zq\nvq1tKqAkMCIGCSqGSIb3DQEJDjEVMBMwEQYDVR0RBAowCIIGdWJ1bnR1MAoGCCqG\nSM49BAMCA0gAMEUCIQC7DFmf8FQ4CEZfI9x+rIlymeVbfz7kdcN1w3O9i9YrbwIg\nJeBScp3ut4sSqRdgSYuM+TjDO+eDMiFvbvGEUJYe7Ic=\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","ReturnPrecert":false,"CAName":""}: Post "http://localhost:7054/enroll": net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"
```
docker-compose.yml:
```
image: hyperledger/fabric-ca
container_name: ca.buyer.com
environment:
  - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
  - FABRIC_CA_SERVER_CA_NAME=ca.buyer.com
  - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.buyer.com-cert.pem
  - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/78e27e6db18578fefd8a98fe74f8393e4cb5ee414e887f3325e4105239757727_sk
  - FABRIC_CA_SERVER_TLS_ENABLED=true
  - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.buyer.com-cert.pem
  - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/78e27e6db18578fefd8a98fe74f8393e4cb5ee414e887f3325e4105239757727_sk
ports:
  - 7054:7054
command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
volumes:
  - ./crypto-config/peerOrganizations/buyer.com/ca/:/etc/hyperledger/fabric-ca-server-config
networks:
  default:
    aliases:
      - ca.buyer.com
```

TheRainight (Mon, 21 Sep 2020 12:22:58 GMT):
Hello everybody, when I started the fabricCA server with docker, using the command
```
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
```
an error occurs:
> Error: POST failure of request: POST http://localhost:7054/enroll {"hosts":["ubuntu"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBPDCB4wIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEA0xOrwYS5y3LYsWo\n4SVsajuCAV3fYhxF3p1HbW4koQyjH1oHjCp3+dXfBbp2tV5ADdHrAemnrC+JR9zq\nvq1tKqAkMCIGCSqGSIb3DQEJDjEVMBMwEQYDVR0RBAowCIIGdWJ1bnR1MAoGCCqG\nSM49BAMCA0gAMEUCIQC7DFmf8FQ4CEZfI9x+rIlymeVbfz7kdcN1w3O9i9YrbwIg\nJeBScp3ut4sSqRdgSYuM+TjDO+eDMiFvbvGEUJYe7Ic=\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","ReturnPrecert":false,"CAName":""}: Post "http://localhost:7054/enroll": net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"

my docker-compose.yml is:
```
image: hyperledger/fabric-ca
container_name: ca.buyer.com
environment:
  - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
  - FABRIC_CA_SERVER_CA_NAME=ca.buyer.com
  - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.buyer.com-cert.pem
  - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/78e27e6db18578fefd8a98fe74f8393e4cb5ee414e887f3325e4105239757727_sk
  - FABRIC_CA_SERVER_TLS_ENABLED=true
  - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.buyer.com-cert.pem
  - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/78e27e6db18578fefd8a98fe74f8393e4cb5ee414e887f3325e4105239757727_sk
ports:
  - 7054:7054
command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
volumes:
  - ./crypto-config/peerOrganizations/buyer.com/ca/:/etc/hyperledger/fabric-ca-server-config
networks:
  default:
    aliases:
      - ca.buyer.com
```
How can I solve this problem?

liuxuancheng412 (Mon, 21 Sep 2020 12:26:12 GMT):
Has joined the channel.

li_star (Mon, 21 Sep 2020 12:28:36 GMT):
Has joined the channel.

liuxuancheng412 (Mon, 21 Sep 2020 12:41:34 GMT):
#### Title: When I used msp in fabric-sdk-go to register users with CA, an error occurred
fabric release-1.4
The error is as follows:
```
Register return error: failed to register user: failed to register user: Response from server: Error Code: 20 - Authentication failure
```
The relevant part of the code is as follows:
```go
import (
	[...]
	mspclient "github.com/hyperledger/fabric-sdk-go/pkg/client/msp"
	[...]
)

[...]

func RegisterUser(sdk *fabsdk.FabricSDK, info *InitInfo, r *RegistrationRequest) (string, error) {
	clientContext := sdk.Context(fabsdk.WithUser(info.OrgAdmin), fabsdk.WithOrg(info.OrgName))
	if clientContext == nil {
		return "", fmt.Errorf("根据指定的组织名称与管理员创建资源管理客户端Context失败")
	}
	// Create a new msp client instance and return it
	c, err := mspclient.New(sdk.Context(), mspclient.WithOrg(info.OrgName))
	if err != nil {
		return "", fmt.Errorf("根据指定的 OrgName 创建 Org MSP 客户端实例失败: %v", err)
	}
	request := mspclient.RegistrationRequest{
		Name:           r.Name,
		Type:           r.Type,
		MaxEnrollments: r.MaxEnrollments,
		Affiliation:    r.Affiliation,
		//Attributes: ,
		CAName: r.CAName,
		Secret: r.Secret,
	}
	_, err = c.Register(&request)
	if err != nil {
		return "", fmt.Errorf("Register return error:\n %s\n", err)
	}
	return "enroll user is completed", nil
}
```
In the Stack Overflow forum, I also found that someone reported the same error, and some people answered that the user name and password do not match, but my code is registering a user, so this reason should not apply. I hope someone can tell me what went wrong. Thank you very much

jdo1 (Wed, 23 Sep 2020 06:30:28 GMT):
Has joined the channel.

sn0flake777 (Thu, 24 Sep 2020 09:52:43 GMT):
Has joined the channel.

sn0flake777 (Thu, 24 Sep 2020 09:58:49 GMT):
I was trying to invoke a transaction using an idemix credential generated by fabric CA via the peer cli. The idemix credential generated by the CA is different from the credential generated by the idemixgen tool. The peer cli is not able to consume the credential generated by fabric CA. Does anyone know a workaround for this?

james604 (Thu, 24 Sep 2020 10:31:36 GMT):
Has joined the channel.

antoniovassell (Fri, 25 Sep 2020 03:51:10 GMT):
How can you regenerate a fabric ca root certificate if it is expired? And what components would need to be updated?

sidnaik1989 (Fri, 25 Sep 2020 12:16:44 GMT):
Has joined the channel.

sidnaik1989 (Fri, 25 Sep 2020 12:17:30 GMT):
I was trying to start a fabric-ca with HSM enabled

sidnaik1989 (Fri, 25 Sep 2020 12:17:30 GMT):
I was trying to start a fabric-ca with HSM enabled. Installed SoftHSM on the system and updated the fabric-ca-config.yaml bccsp accordingly to use pkcs11.

sidnaik1989 (Fri, 25 Sep 2020 12:17:30 GMT):
I was trying to start a fabric-ca with HSM enabled. Installed SoftHSM on the system and updated the fabric-ca-config.yaml bccsp accordingly to use pkcs11. When I started the CA after this, the signing key has been successfully created in the HSM. However I see the IssuerSecretKey and IssuerRevocationPrivateKey used by idemix are still in the msp/keystore section. Shouldn't these also have been created inside HSM ?

sidnaik1989 (Fri, 25 Sep 2020 12:17:30 GMT):
I was trying to start a fabric-ca with HSM enabled. Installed SoftHSM on the system and updated the fabric-ca-config.yaml bccsp accordingly to use pkcs11. When I started the CA after this, the signing key has been successfully created in the HSM. However I see the IssuerSecretKey and IssuerRevocationPrivateKey used by idemix are still in the msp/keystore section. *Shouldn't these also have been created inside HSM ?*

li_star (Sat, 26 Sep 2020 11:06:24 GMT):
When I use the Fabric-go-sdk to operate the CA through mspcli, I use the Register and Enroll methods to add users to the organization, but it failed. The following error message occurs:
```
Response from server: Error Code: 20 - Authentication failure
```
Who can tell me what causes this error or how to solve this problem? Thank you!

sahooch (Sat, 26 Sep 2020 16:13:24 GMT):
Has joined the channel.

lihuawei (Sun, 27 Sep 2020 01:38:58 GMT):
Has joined the channel.

sidnaik1989 (Wed, 30 Sep 2020 04:22:02 GMT):
Getting below error when trying to start a Fabric-ca container with HSM

sidnaik1989 (Wed, 30 Sep 2020 04:22:02 GMT):
Getting below error when trying to start a Fabric-ca container with HSM
```
Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: Failed initializing PKCS11 library /etc/hyperledger/fabric/libsofthsm2.so forFabric: Instantiate failed [/etc/hyperledger/fabric/libsofthsm2.so]
```

sidnaik1989 (Wed, 30 Sep 2020 04:22:02 GMT):
Getting below error when trying to start a Fabric-ca container with HSM
```
Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: Failed initializing PKCS11 library /etc/hyperledger/fabric/libsofthsm2.so forFabric: Instantiate failed [/etc/hyperledger/fabric/libsofthsm2.so]
```

sidnaik1989 (Wed, 30 Sep 2020 04:22:02 GMT):
Getting below error when trying to start a Fabric-ca container with HSM
```
Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: Failed initializing PKCS11 library /etc/hyperledger/fabric/libsofthsm2.so forFabric: Instantiate failed [/etc/hyperledger/fabric/libsofthsm2.so]
```
The docker images have been built with GO_TAGS=pkcs11, and the libsofthsm2.so lib and the config file are being mounted from the host machine.

sidnaik1989 (Wed, 30 Sep 2020 04:22:02 GMT):
Getting below error when trying to start a Fabric-ca container with HSM
```
Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: Failed initializing PKCS11 library /etc/hyperledger/fabric/libsofthsm2.so forFabric: Instantiate failed [/etc/hyperledger/fabric/libsofthsm2.so]
```
The docker images have been built with GO_TAGS=pkcs11, and the libsofthsm2.so lib and the config file are being mounted from the host machine. Has anyone else seen this issue? If yes, please share pointers to the solution.

sidnaik1989 (Wed, 30 Sep 2020 04:22:02 GMT):
Getting below error when trying to start a Fabric-ca container with HSM
```
Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: Failed initializing PKCS11 library /etc/hyperledger/fabric/libsofthsm2.so forFabric: Instantiate failed [/etc/hyperledger/fabric/libsofthsm2.so]
```
The docker images have been built with GO_TAGS=pkcs11, and the libsofthsm2.so lib and the config file are being mounted from the host machine. Has anyone else seen this issue? If yes, please share pointers to the solution. I am able to start the CA as a standalone process on the same host using the softhsm setup.

pkirkinezis (Wed, 30 Sep 2020 14:17:28 GMT):
How were your keyfiles produced? cli commands use cryptogen but sdks use Fabric CA. Take a look here https://stackoverflow.com/questions/51483392/access-denied-hyperledger-fabric-channel-initialize

sidnaik1989 (Tue, 06 Oct 2020 09:53:16 GMT):
When we configure the bccsp section of the peer, orderer, fabric-ca-server or fabric-ca-client to use PKCS11 provider the User PIN of the HSM is mentioned in plaintext. Does this not expose the HSM Partition to anyone who gets access to the config file? Is there any way this can be encrypted?

xxds (Wed, 14 Oct 2020 08:51:06 GMT):
Has joined the channel.

xxds (Wed, 14 Oct 2020 08:53:18 GMT):
Got this exception when I invoke the smart contract: No subject alternative names present. Will setting allowAllHostNames to true resolve this exception? PS: I don't want to set hostnameOverride because this causes the grpc url to not be resolvable.

sichen (Thu, 15 Oct 2020 15:23:12 GMT):
Has joined the channel.

RahulEth (Fri, 16 Oct 2020 07:25:41 GMT):
thanks @amolpednekar for the suggestion

moosman (Mon, 19 Oct 2020 17:35:44 GMT):
Has joined the channel.

BrettLogan (Tue, 20 Oct 2020 04:21:24 GMT):
While we don't provide a mechanism for encrypting it in the config, you can use vaults to encrypt it and then use environment variables to have fabric pick it up. This way it only exists in the context of the running container or host. If you are running docker or kube you can then create shell-less containers so they can't be exec'd into

BrettLogan (Tue, 20 Oct 2020 04:21:24 GMT):
While we don't provide a mechanism for encrypting it in the config, you can use vaults to encrypt it and then inject it into environment variables to have fabric pick it up. This way it only exists in the context of the running container or host. If you are running docker or kube you can then create shell-less containers so they can't be exec'd into

BrettLogan (Tue, 20 Oct 2020 04:21:24 GMT):
While we don't provide a mechanism for encrypting it in the config, you can use vaults to encrypt it and then inject it into environment variables to have fabric pick it up. This way it only exists in the context of the running container or host. If you are running docker or kube you can then create distroless containers so they can't be exec'd into

BrettLogan (Tue, 20 Oct 2020 04:21:24 GMT):
While we don't provide a mechanism for encrypting it in the config, you can use vaults to encrypt it and then inject it into environment variables to have fabric pick it up. This way it only exists in the context of the running container or host. If you are running docker or kube you can then create distroless images so the container can't be exec'd into

BrettLogan (Tue, 20 Oct 2020 04:24:54 GMT):
SoftHSM has many issues when it comes to docker, as it is file-based and it will try to be opened by multiple processes.

BrettLogan (Tue, 20 Oct 2020 04:25:19 GMT):
It's possible, just not as easy as you might expect

hugh_hujinhui (Tue, 20 Oct 2020 07:53:31 GMT):
Has joined the channel.

pmcosta1 (Wed, 21 Oct 2020 09:56:42 GMT):
Is there a way to replace/update the CA's certificate?

razasikander (Thu, 22 Oct 2020 09:42:07 GMT):
So I replaced my CA certs of the Hyperledger network with OpenSSL certs and it worked. I had a query: can we generate the user certs too from OpenSSL instead of the Hyperledger CA?

lupass93 (Fri, 23 Oct 2020 10:54:26 GMT):
Hi all! I have one question about the configuration of a network where each organization has its own 'CA Enrollment' and 'CA TLS'. If, for example, I have 2 organizations with their CA Enrollments and CA TLSs:
- Org1 with CA Enrollment Org1 and CA TLS Org1
- Org2 with CA Enrollment Org2 and CA TLS Org2

lupass93 (Fri, 23 Oct 2020 10:56:37 GMT):
How do I have to set up the TLS communication configuration so that peers of different organizations can communicate and identify each other?

lupass93 (Fri, 23 Oct 2020 10:58:39 GMT):
I think that every peer must have the root certificate of each TLS CA in order to identify each other. But can I tell Fabric to do that?

BrettLogan (Mon, 26 Oct 2020 01:58:37 GMT):
There is absolutely zero requirement to use Fabric-CA. You just need to use the supported ECDSA algorithm

troyronda (Wed, 28 Oct 2020 17:43:54 GMT):
Has left the channel.

husnain (Tue, 03 Nov 2020 11:40:24 GMT):
Has joined the channel.

manu461 (Wed, 04 Nov 2020 08:22:08 GMT):
Has joined the channel.

crypto_beep (Wed, 04 Nov 2020 17:06:26 GMT):
Has joined the channel.

usamaarshad (Mon, 09 Nov 2020 09:35:38 GMT):
Has joined the channel.

usamaarshad (Mon, 09 Nov 2020 09:35:39 GMT):
Hi everyone, good morning. I am trying to set up the orderer and it shows me the error "[orderer.common.server] Main -> PANI 005 Failed validating bootstrap block: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: CA Certificate did not have the CA attribute, (SN: 4ec1f8f95b44dba2d653a934755254291760a191)" .. But when I decode my certificates, they have the CA attribute set to true.

tomappleyard (Mon, 09 Nov 2020 17:42:28 GMT):
Has joined the channel.

babu.jayaraj (Tue, 10 Nov 2020 06:00:17 GMT):
Has joined the channel.

tomappleyard (Tue, 10 Nov 2020 09:05:08 GMT):
Hey everyone, where would I read about how the CA is implemented? As in, how you'd customise how the CA works (like the algorithms Fabric uses to generate / verify certificates)

tomappleyard (Tue, 10 Nov 2020 09:05:30 GMT):
Otherwise can anyone recommend someone to field questions to?

tomappleyard (Fri, 13 Nov 2020 16:49:33 GMT):
For anyone interested, if you want to find the crypto libraries of Fabric you're looking for BCCSP (https://github.com/hyperledger/fabric/blob/release-2.2/bccsp/bccsp.go#L88-L134)

tomappleyard (Fri, 13 Nov 2020 16:49:49 GMT):
The "BlockChain Cryptographic Service Provider"

tomappleyard (Fri, 13 Nov 2020 16:50:30 GMT):
You can think of CSPs as being a bit like MSPs, default seems to be here (https://github.com/hyperledger/fabric/blob/release-2.2/bccsp/sw/impl.go) and there's one for identity mixer here (https://github.com/hyperledger/fabric/blob/release-2.2/bccsp/idemix/bccsp.go)

weiyih (Sat, 14 Nov 2020 21:28:13 GMT):
Has joined the channel.

weiyih (Sat, 14 Nov 2020 21:32:12 GMT):
I'm currently looking into creating a production environment using fabric-ca

weiyih (Sat, 14 Nov 2020 21:32:12 GMT):
I'm currently looking into creating a production environment using fabric-ca. For the current stage, i want to setup a dual-headed CA following the documentation. However, I'm not sure if I modified the ca-config files correctly. My understanding is that the tls-ca config file should be a duplicate of the org-ca with the ports and tls attributes removed.

weiyih (Sat, 14 Nov 2020 21:32:24 GMT):
i want to setup a dual-head ca

weiyih (Sat, 14 Nov 2020 21:32:43 GMT):
but i'm not sure if the config files for the tls ca is correct

weiyih (Sat, 14 Nov 2020 21:33:02 GMT):
my understanding is that it should be a duplicate of the org-ca?

weiyih (Sat, 14 Nov 2020 21:34:01 GMT):
```
# Copy Fabric-CA configuration file
COPY ./fabric-ca-server-config.yaml ${FABRIC_CA_SERVER_HOME}/
COPY ./tls-ca/fabric-ca-server-config.yaml ${FABRIC_CA_SERVER_HOME}/tls-ca
CMD ["bash", "-c", "fabric-ca-server start -b admin:password --cafiles tls-ca/fabric-ca-server-config.yaml"]
```

weiyih (Sat, 14 Nov 2020 21:35:15 GMT):
This is part of the dockerfile I'm using to set up the CA nodes
```
# Copy Fabric-CA configuration file
COPY ./fabric-ca-server-config.yaml ${FABRIC_CA_SERVER_HOME}/
COPY ./tls-ca/fabric-ca-server-config.yaml ${FABRIC_CA_SERVER_HOME}/tls-ca
CMD ["bash", "-c", "fabric-ca-server start -b admin:password --cafiles tls-ca/fabric-ca-server-config.yaml"]
```


weiyih (Sat, 14 Nov 2020 21:36:34 GMT):
i'm successfully generating the dockerfiles but i'm not sure if the output is correct. It's creating another sqlite db for the tls-ca

weiyih (Sat, 14 Nov 2020 21:36:34 GMT):
I'm successfully generating the dockerfiles but I'm not sure if the output is correct. It's creating another sqlite db for the tls-ca. Is that supposed to happen with dual-headed CA setups?

cynicalsnail (Wed, 18 Nov 2020 07:00:04 GMT):
Has joined the channel.

zhangshuai (Thu, 19 Nov 2020 06:33:22 GMT):
Has joined the channel.

CaJIbHuK (Mon, 23 Nov 2020 12:28:51 GMT):
Has joined the channel.

c0deh0use (Mon, 23 Nov 2020 18:44:17 GMT):
Hello guys. I have a question regarding the way Fabric-CA can be used. I have a 3-org network (setup copied from the test-network). Until now, I was registering and enrolling all my users before I actually started the network and joined peers to it (using the `registerEnroll.sh` script). Because I was running it in docker I had full access to the secrets and could easily use them in my external apps. Now I'm moving to Kubernetes and I would like to use Fabric CA and enroll users when the network is already up and running. I have an external client that can call the CA using the SDK and register/enroll a new user. I actually have it running already with success. The problem I have is that when trying to execute some chaincode on the network I'm getting ``Suppressed: javax.net.ssl.SSLHandshakeException: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED`` when the Gateway SDK tries to send a Proposal Transaction to other peers of the network (like org2 and org3). In the docker setup I have been using Fabric CA and also registering/enrolling users. But usually it was the case that I was enrolling users that had already been registered in registerEnroll.sh. Am I missing something?

githubckgoh1439 (Tue, 24 Nov 2020 06:23:30 GMT):
Has joined the channel.

rbole (Thu, 26 Nov 2020 14:54:22 GMT):
I would like to know what is the workflow to revoke an identity from the fabric-ca and also from the channel ?

HansrajRami (Fri, 04 Dec 2020 21:19:03 GMT):
Has joined the channel.

TriumphS (Sun, 06 Dec 2020 22:59:10 GMT):
Has joined the channel.

amalendusuresh (Mon, 07 Dec 2020 04:39:50 GMT):
Has joined the channel.

amalendusuresh (Mon, 07 Dec 2020 04:39:50 GMT):
I am trying to re-enroll a user in fabricSDK and gets an error like this.. "Error: Invalid re-enroll request, \"currentUser\" is not a valid User object, missing \"getIdentity()\" method", Could anyone please help me with this?

ChaoZhang99 (Wed, 16 Dec 2020 06:53:57 GMT):
Has joined the channel.

Sahar (Wed, 16 Dec 2020 11:58:28 GMT):
Hello, is it possible to have orderer certificates generated by different CAs? My old config that was working is (I will focus on the ordering part): I used to have two organizations. org1 has orderer0, orderer1 and orderer2; org2 has orderer3 and orderer4. In org1 I used to launch caOrderer.ordererOrganization, which generates certificates for all orderers (in org1 and org2), and then I copy the certificates of orderer3 and orderer4 to the VM of org2. Then in org1 I use a configtx.yaml file to create the channel + genesis block. This is my old Profiles section in the configtx.yaml:
```
Profiles:
  BncChannel:
    Consortium: BncConsortium
    <<: *ChannelDefaults
    Application:
      <<: *ApplicationDefaults
      Organizations:
        - *org1
        - *org2
      Capabilities:
        <<: *ApplicationCapabilities
  BncRaft:
    <<: *ChannelDefaults
    Orderer:
      <<: *OrdererDefaults
      Organizations:
        - *ordererOrganization
      Capabilities:
        <<: *OrdererCapabilities
    Consortiums:
      BncConsortium:
        Organizations:
          - *org1
          - *org2
```
The current config I am trying to implement is: have two different caOrderers, one in each organization:
- in Org1 launch caOrdererOrg1 to generate certificates of orderer0, orderer1 and orderer2
- in Org2 launch caOrdererOrg2 to generate certificates of orderer3 and orderer4
In this configuration, should the configtx.yaml now contain the information of both ordering services? It is not very clear to me, in the case where we have two different ordering services, which sections I should add in the configtx.yaml, since the orderer of one of the organizations uses it to generate the genesis block and the channel.tx. I hope I explained my problem well, thank you!

adarshaJha (Fri, 18 Dec 2020 12:20:22 GMT):
Hi, suddenly all of my tlsca certs expired. My network is in production. What do I do in order to start the network from the same state? How do I renew my TLS certs? My orderers and peers are all giving a bad certificate error

trinayanbhatt (Tue, 22 Dec 2020 06:36:43 GMT):
How can I restart my fabric-ca and have it communicate with Postgres? After restarting my fabric-ca, my socket connection is reset and my CA server is not able to connect to the existing Postgres DB.

yixinhuo (Tue, 22 Dec 2020 16:20:46 GMT):
Has joined the channel.

RealDeanZhao (Thu, 24 Dec 2020 02:17:27 GMT):
Has joined the channel.

iLico (Sun, 27 Dec 2020 09:54:47 GMT):
Has joined the channel.

randyshu (Mon, 04 Jan 2021 11:13:07 GMT):
Hi, does anyone know about this error: https://0.0.0.0:9050/enroll: x509: certificate has expired or is not yet valid

kevindick_tevora (Tue, 05 Jan 2021 21:58:54 GMT):
Has joined the channel.

letbecool (Wed, 06 Jan 2021 07:48:24 GMT):
Has joined the channel.

letbecool (Wed, 06 Jan 2021 07:54:47 GMT):
I am configuring the network for production purposes using Fabric 1.4. My system needs high availability on the Certificate Authority (CA). How do I configure HA for the CA? I have two ORG CAs (Admin CAs). I want to maintain HA on both CA servers. Can anybody please suggest a document, research paper, demonstration, or any idea to maintain HA on my CA server? One clue I found is using HAProxy. However, I don't know how to implement it. Thank you.

Sandyzhanghs (Sun, 10 Jan 2021 04:56:31 GMT):
Has joined the channel.

erivlis (Wed, 13 Jan 2021 00:27:24 GMT):
Has joined the channel.

WilsonHUANGWS (Wed, 13 Jan 2021 09:54:35 GMT):
Has joined the channel.

BrettLogan (Fri, 15 Jan 2021 06:25:28 GMT):
First, you can't HA the CA with SQLite. IBM's offering uses a replicated, HA instance of Postgres that several CAs share

sauveergoel (Mon, 18 Jan 2021 15:33:32 GMT):
Has joined the channel.

sauveergoel (Mon, 18 Jan 2021 15:46:48 GMT):
How can we add X509v3 custom extensions to certificates generated by fabric-ca?

CaptainIRS (Tue, 19 Jan 2021 08:11:59 GMT):
Has joined the channel.

cmhacker (Tue, 19 Jan 2021 14:39:44 GMT):
Has joined the channel.

rrishmawi (Thu, 21 Jan 2021 09:23:51 GMT):
Hi experts, could one use and operate fabric-ca as a stand-alone CA without Hyperledger Fabric? Let's say in place of Microsoft CA in centralized solutions?

DiAnh (Fri, 22 Jan 2021 06:59:50 GMT):
Has joined the channel.

nimmerjahn (Fri, 22 Jan 2021 09:17:24 GMT):
Hi everyone, I'm trying to understand if it is possible to make anonymous transactions. For that I have looked at the identity mixer and found out that the mspid of the organisation is still part of the creator field in the transaction. Is it possible to remove the mspid? I'm searching for a solution to hide the organisation.

clydedacruz (Sat, 23 Jan 2021 17:58:41 GMT):
Has joined the channel.

BlockCrasher (Wed, 27 Jan 2021 07:00:30 GMT):
Has joined the channel.

karthiksamaganam (Mon, 01 Feb 2021 14:42:05 GMT):
Has joined the channel.

MSArun911 (Wed, 03 Feb 2021 09:31:25 GMT):
Has joined the channel.

Brettsy (Mon, 08 Feb 2021 13:41:49 GMT):
Has joined the channel.

V3nomXP (Thu, 11 Feb 2021 06:56:09 GMT):
Has joined the channel.

gravity (Fri, 12 Feb 2021 14:45:03 GMT):
Hello, is it mandatory to have a separate TLS CA server (shared across peer and orderer orgs)? Can we use the same CA for enrollments and TLS certs (their own CA for peer and orderer orgs)?

BrettLogan (Sat, 13 Feb 2021 02:41:44 GMT):
You can. The reason it's not recommended is that in the event of compromise you have to invalidate both the TLS and Enrollment CA instead of just the one that was compromised.

AbhijeetSamanta (Mon, 15 Feb 2021 06:42:50 GMT):
Hi all, I want to run test-network in fabric-samples without TLS. For that, what do I need to change in fabric-samples?

adarshaJha (Thu, 18 Feb 2021 12:27:39 GMT):
@AbhijeetSamanta Raft will not work without TLS .

rk-tpl (Fri, 26 Feb 2021 14:25:16 GMT):
Has joined the channel.

kartheekgottipati (Sat, 27 Feb 2021 07:46:33 GMT):
Has joined the channel.

fabienpe (Thu, 04 Mar 2021 10:47:13 GMT):
Has left the channel.

chakshujain (Mon, 08 Mar 2021 06:50:16 GMT):
Has joined the channel.

haardikkk (Thu, 11 Mar 2021 22:09:02 GMT):
Has left the channel.

amalendusuresh (Fri, 19 Mar 2021 03:46:47 GMT):
Hi all, I'm facing errors when I try to bring up the network in 2.0. This is the error I'm getting, and finally it's failing to create the genesis block:
```
[common.tools.configtxgen.localconfig] Load -> PANI 002 Error reading configuration: While parsing config: yaml: line 36: did not find expected key
2021-03-16 06:27:37.350 UTC [common.tools.configtxgen] func1 -> PANI 003 Error reading configuration: While parsing config: yaml: line 36: did not find expected key
panic: Error reading configuration: While parsing config: yaml: line 36: did not find expected key [recovered]
	panic: Error reading configuration: While parsing config: yaml: line 36: did not find expected key
```
Could anyone help me with this... Thanks in advance

nao (Fri, 26 Mar 2021 05:30:48 GMT):
Has joined the channel.

Ku_LEA (Thu, 08 Apr 2021 01:46:50 GMT):
Has joined the channel.

Ku_LEA (Thu, 08 Apr 2021 01:46:50 GMT):
Hi all, I have a peculiar idea. I am trying to use a group signature rather than ecdsa-with-sha256 as the cryptographic algorithm used for CA-issued certificates. Can the crypto algorithm be modified in Fabric? If possible, I would be very grateful if you let me know where to modify and build Fabric.

akshay.sood (Sat, 10 Apr 2021 05:26:55 GMT):
Hey guys, is there any way to renew the fabric-ca server certificates if they expire?

byron1st (Mon, 12 Apr 2021 05:52:19 GMT):
Hi. My TLS/MSP certificates are about to expire. Is there any way to renew them? I cannot find related documents. According to some questions on Stack Overflow, the MSP will still work after the expiration. Is it true? If it is true, then is there nothing to do for the MSP expiration? How can I deal with TLS expiration?

knagware9 (Mon, 12 Apr 2021 06:05:46 GMT):
check this one, seems useful https://jira.hyperledger.org/browse/FABC-60#:~:text=All%20clients%20need%20to%20trust,over%20using%20self%2Dsigned%20certificates.

conanoc (Tue, 13 Apr 2021 05:13:09 GMT):
Do you mean TLS/MSP certificates for peers?

byron1st (Tue, 13 Apr 2021 05:14:15 GMT):
MSP for peers and orderers, and TLS for peers, orderers, CA server

conanoc (Tue, 13 Apr 2021 05:43:10 GMT):
For peers and orderers, you could do the same thing you did before. I mean, enroll certificates, copy them to the nodes and restart the nodes. I'm not sure about the certificates of CA servers. I think the certificate of the root CA should not expire.

byron1st (Tue, 13 Apr 2021 05:45:25 GMT):
I found `reenroll` command on the doc, so should I use this command?

conanoc (Tue, 13 Apr 2021 05:47:32 GMT):
Yes. You can use reenroll or enroll, both of them.

byron1st (Tue, 13 Apr 2021 05:47:52 GMT):
Oh, okay! Thanks! I will try.

byron1st (Tue, 13 Apr 2021 07:38:29 GMT):
Hi again. I'm encountering the problem `SERVICE_UNAVAILABLE: rejected by Consenter: channel identitych is not serviced by me` from all orderers after I enrolled nodes and copied their new MSP to each node. Any idea about this problem? Thanks.

conanoc (Tue, 13 Apr 2021 08:56:21 GMT):
I suppose you are using raft for orderers. Try one orderer node at a time instead of changing all orderers at once.

byron1st (Tue, 13 Apr 2021 09:04:15 GMT):
I cannot try your solution because I have already updated all MSPs and my previous MSPs have already expired. I cannot start orderers with the previous MSPs. Are there any other options? T_T

byron1st (Tue, 13 Apr 2021 09:05:19 GMT):
It is not a problem with the peers, is it?

conanoc (Tue, 13 Apr 2021 09:06:27 GMT):
I think so. Take a look at this: https://jira.hyperledger.org/browse/FAB-16953

byron1st (Tue, 13 Apr 2021 09:10:31 GMT):
It seems reasonable. I will try now. Thanks! You are my lifesaver :)

byron1st (Tue, 13 Apr 2021 09:35:06 GMT):
I tried some more solutions, but failed. I want to discuss this problem on Stack Overflow because I can give more detailed configurations and explanations about my problem there. If you join the discussion on Stack Overflow, it will be very helpful to me. Thanks! https://stackoverflow.com/questions/67072278/tls-certificate-renewal-deadlock-among-raft-orderers-after-expiry

shubhamshukla66360 (Thu, 15 Apr 2021 09:51:21 GMT):
Has joined the channel.

jbkal (Wed, 21 Apr 2021 16:26:51 GMT):
Has joined the channel.

DevendranM (Mon, 26 Apr 2021 11:31:43 GMT):
Has joined the channel.

randyshu (Fri, 30 Apr 2021 09:12:47 GMT):
Hi, what should I do to reenroll a certificate when the identity's certificate has expired? I try to reenroll but get the error: Failed to verify certificate: x509: certificate has expired or is not yet valid

amalendusuresh (Mon, 03 May 2021 03:48:06 GMT):
Hi, I'm facing an issue when implementing wallet and gateway in Hyperledger Fabric 2.0. Could anyone help me with this? I'm getting an error: could not find connection-org.yaml... But I don't know what is to be written in the connection-org.yaml.

Bolzo 1 (Tue, 04 May 2021 08:59:35 GMT):
Have you managed to solve it?

Bolzo 1 (Tue, 04 May 2021 09:29:11 GMT):
Is it possible to change the expiry time for enrollment of a running CA?

DawoodJehangir (Tue, 04 May 2021 11:09:47 GMT):
Has joined the channel.

DawoodJehangir (Tue, 04 May 2021 11:09:47 GMT):
Hi. I want to register a network entity (peer/admin/user) using the Fabric CA API directly through Postman, i.e. /api/v1/register. Can anyone please tell me which things are required in the Authorization part of this POST request? As per my research, authorization requires two things: an enrollment certificate (but of which entity???) and a signature over the certificate & body of the request (do we need to put the base64 encoded certificate and JSON request body into a new file, e.g. a .txt file, then produce a digital signature using OpenSSL and finally convert it into base64 format?).

byron1st (Thu, 06 May 2021 01:58:38 GMT):
@Bolzo 1 Hi, I solved it thanks to @conanoc and yacovm's comments in https://stackoverflow.com/questions/67072278/tls-certificate-renewal-deadlock-among-raft-orderers-after-expiry

Bolzo 1 (Thu, 06 May 2021 16:47:10 GMT):
I saw the thread but I'm still stuck; I wrote on the mailing list about my problem

Bolzo 1 (Thu, 06 May 2021 16:47:12 GMT):
https://lists.hyperledger.org/g/fabric/topic/82601091?p=Created,,,20,1,0,0::recentpostdate/sticky,,,20,2,0,82601091

Bolzo 1 (Thu, 06 May 2021 16:47:12 GMT):
https://lists.hyperledger.org/g/fabric/topic/82601091?p=Created,,,20,1,0,0::recentpostdate/sticky,,,20,2,0,82601091 Now I updated the TLS cert of one orderer in the system channel and then replaced the expired certificate. After a container restart it seems like the system channel cannot reach quorum (in the logs of the orderers I see that each one is starting a new election), so in my system channel I have 1 updated orderer and 2 not updated, but somehow they don't reach quorum.


randyshu (Fri, 07 May 2021 02:35:40 GMT):
If the certificate has expired, how can I reenroll it?

rakendu (Mon, 10 May 2021 10:21:27 GMT):
Has joined the channel.

rakendu (Mon, 10 May 2021 10:23:16 GMT):
Hello guys, how can we implement user authentication with JWT on Fabric? Please help by explaining the flow.

Vid201 (Tue, 11 May 2021 09:31:35 GMT):
Has left the channel.

amalendusuresh (Tue, 18 May 2021 03:52:58 GMT):
Hi, I had a running Fabric network in my local Ubuntu in Kubernetes. I have migrated the network to Azure Kubernetes with the same files and brought up all the pods using the kubectl command; it is the only method I can use to interact with AKS, as there is no SSH access to the cluster or the worker nodes in AKS. I am stuck with running the Fabric SDK in AKS. Can anyone suggest a method to run the Fabric SDK in Azure Kubernetes?

indranil32 (Tue, 18 May 2021 14:12:17 GMT):
Has joined the channel.

Francesco_P (Wed, 19 May 2021 10:13:16 GMT):
Hi, I renewed my certificates. When I try to connect to the channel from my Java client I get this error: `Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Apr 22 16:42:00 CEST 2021` and then in the stack `getConfigBlock for channel mychannel failed with peer peer0.org2.example.com. Status FAILURE, details: Channel Channel{id: 1, name: mychannel} Sending proposal with transaction: 944dbdbe1e5ce6183eae454672ebb390e6d3514a75381cb192a757328e599f1e to Peer{ id: 4, name: peer0.org2.example.com, channelName: mychannel, url: grpcs://peer0.org2.example.com:9051, mspid: Org2MSP} failed because of: gRPC failure=Status{code=UNAVAILABLE, description=io exception`. I executed all the enrolls in the registerEnroll.sh file.... Can someone help me?

RobertBetschinger (Fri, 28 May 2021 10:19:30 GMT):
Has joined the channel.

sj1 4 (Sun, 30 May 2021 15:23:44 GMT):
Has joined the channel.

Kirill_27 (Mon, 31 May 2021 11:16:59 GMT):
Has joined the channel.

Kirill_27 (Mon, 31 May 2021 11:16:59 GMT):
I have an HLF network with one orderer, orderer1. I want to add orderer2 to the system channel, but I get the following error: "Error: got unexpected status: BAD_REQUEST - error applying config update to existing channel 'system-channel': consensus metadata update for channel config update is invalid: verifying tls client cert with serial number 155150519166214528079313052098845916596083808282: x509: certificate signed by unknown authority" although the TLS certificates for orderer2 were issued by the same certification authority as for orderer1. Also, both orderers belong to the same organization. What may be the problem? Please tell me.

Shweta1 (Mon, 31 May 2021 13:13:27 GMT):
Has joined the channel.

aveekmondal (Tue, 01 Jun 2021 18:41:00 GMT):
Has joined the channel.

jimthematrix (Mon, 07 Jun 2021 15:59:22 GMT):
Has left the channel.

ksanjayk (Fri, 11 Jun 2021 05:02:34 GMT):
Has joined the channel.

alxspectrum (Tue, 15 Jun 2021 09:10:39 GMT):
Has joined the channel.

alxspectrum (Tue, 15 Jun 2021 09:10:39 GMT):
Hey guys, I have a question: reenrolling with the Node SDK requires a SigningIdentity. The SigningIdentity object has the .signer (Signer) property. Does this property contain the user's raw private key? If yes, the private key is sent with the request to the CA server, which does not make sense. Is there a workaround for this?

tusharbansal (Mon, 21 Jun 2021 10:52:04 GMT):
Has joined the channel.

nage (Mon, 21 Jun 2021 17:29:58 GMT):
Has left the channel.

shanmuksai (Mon, 28 Jun 2021 18:49:46 GMT):
Has joined the channel.

shanmuksai (Mon, 28 Jun 2021 18:49:46 GMT):
I am trying to install Hyperledger Fabric-CA by following the official docs https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html. In the first step, the `go get -u github.com/hyperledger/fabric-ca/cmd/...` command, I am facing some issue with one of the packages used in those dependencies. Can I get help in resolving this issue?


kayterina (Mon, 05 Jul 2021 13:36:55 GMT):
Has joined the channel.

kayterina (Mon, 05 Jul 2021 13:36:55 GMT):
Hello. This guide https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#docker-hub gives an error when I try to `docker up -d` the fabric-ca:
```
mount through procfd: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
```

kayterina (Mon, 05 Jul 2021 13:37:33 GMT):
both files in the folder (fabric-ca-client fabric-ca-server) are executables

kayterina (Mon, 05 Jul 2021 13:39:34 GMT):
Running natively works but with an error about sqlite3.

kayterina (Mon, 05 Jul 2021 13:40:39 GMT):
so, when is /etc/hyperledger/fabric-ca-server created?

amalendusuresh (Wed, 07 Jul 2021 07:52:57 GMT):
Hi all... I'm trying to regenerate the signing certificates of peers and orderers in the CA, as they have expired. How can I regenerate them? Could anyone please help me with this? Thanks in advance

kayterina (Wed, 07 Jul 2021 09:15:07 GMT):
fabric-ca-server does not connect to the postgres db: `failed to connect to Postgres database. Postgres requires connecting to a specific database, the following databases were tried: [ postgres template1]`

kayterina (Wed, 07 Jul 2021 09:15:16 GMT):
My config is:
```
db:
  type: postgres
  datasource: fabric-ca-server.db
  tls:
    enabled: false
    certfiles:
    client:
      certfile:
      keyfile:
```

kayterina (Wed, 07 Jul 2021 09:30:33 GMT):
I cannot set the connection string correctly, something like this? `jdbc:postgresql://localhost:5432/[fabric-ca-server]?user=xxx;`

kayterina (Wed, 07 Jul 2021 09:56:32 GMT):
Found it: `datasource: "host=localhost port=5432 user=xxx password=yyy dbname=fabric_ca_server"`

jmaric (Mon, 12 Jul 2021 16:38:03 GMT):
Has joined the channel.

amalendusuresh (Tue, 13 Jul 2021 04:29:19 GMT):
Hi all... I'm trying to regenerate the signing certificates of peers and orderers in the CA, as they have expired. How can I regenerate them? Could anyone please help me with this? Thanks in advance

mirshahzad (Sat, 24 Jul 2021 16:35:42 GMT):
Has joined the channel.

gentios (Mon, 26 Jul 2021 13:14:45 GMT):
Hi everyone, is it possible to undo a revoke for a certain identity in the CA?

gentios (Mon, 26 Jul 2021 13:15:15 GMT):
```fabric-ca-client enroll -d -u http://username:pass:host:port ```

gentios (Mon, 26 Jul 2021 13:15:22 GMT):
or ```fabric-ca-client reenroll -d -u http://username:pass:host:port ```

hs2361 (Thu, 29 Jul 2021 06:13:14 GMT):
Has joined the channel.

woodymk (Thu, 05 Aug 2021 10:48:58 GMT):
Has joined the channel.

woodymk (Thu, 05 Aug 2021 10:48:58 GMT):
Hi everyone, i have some questions about replacing fabric-ca for the TLS part. Please take a look at my stackoverflow question: https://stackoverflow.com/questions/68665127/hyperledger-fabric-3rd-party-tls-ca-setup-or-disable-tls

cmhacker (Thu, 12 Aug 2021 05:05:03 GMT):
```
2021/08/12 05:02:35 [DEBUG] Received request for /api/v1/register
2021/08/12 05:02:35 [DEBUG] Caller is using a x509 certificate
2021/08/12 05:02:35 [INFO] 10.200.1.206:37346 POST /api/v1/register 401 26 "Untrusted certificate: Failed to verify certificate: x509: certificate signed by unknown authority"
```
Anyone please help me with this?

Tanguy_Racinet (Wed, 01 Sep 2021 14:17:25 GMT):
Has joined the channel.

Tanguy_Racinet (Wed, 01 Sep 2021 14:17:26 GMT):
Hello. I have a Hyperledger Fabric instance running in production for about a year now. My TLS certificates seem to have run out and I'll need to update them, or maybe investigate and find any other problems that might be running around unchecked. Any clues how to get this done with a live environment running?

SoundaryaAyyappan (Mon, 20 Sep 2021 07:54:45 GMT):
Has joined the channel.

SoundaryaAyyappan (Tue, 21 Sep 2021 04:33:32 GMT):
Hi, I had set up a hyperledger fabric network (v2.2.0) with few orgs a year back in a kubernetes cluster. Each org has its own CA and TLSCA servers running. The age of the pods are about 395 days. The peer pods started crashing with the following error few days back, *"Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/fabric/msp: signing identity expired 689h18m13.29413679s ago"*

SoundaryaAyyappan (Tue, 21 Sep 2021 04:33:32 GMT):
Hi, I had set up a hyperledger fabric network (v1.4.2) with few orgs a year back in a kubernetes cluster. Each org has its own CA and TLSCA servers running with TLS enabled. The age of the pods are about 395 days. The peer pods started crashing with the following error few days back, *"Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/fabric/msp: signing identity expired 689h18m13.29413679s ago"* Since the peers are crashing because the certs got expired, I tried to renew the certs by following the steps in https://stackoverflow.com/questions/65357412/how-to-renew-tls-certs-in-hyperledger-fabric-after-they-have-expired To re-enroll the peer identity, first the bootstrap admin has to be enrolled. While enrolling the bootstrap admin, I am getting the error like in the below screenshot. Can anyone explain me how to solve this issue? Thanks in Advance!

SoundaryaAyyappan (Tue, 21 Sep 2021 04:33:32 GMT):
Hi, I had set up a hyperledger fabric network (v1.4.2) with few orgs a year back in a kubernetes cluster. Each org has its own CA and TLSCA servers running with TLS enabled. The age of the pods are about 395 days. The peer pods started crashing with the following error few days back, *"Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/fabric/msp: signing identity expired 689h18m13.29413679s ago"* Since the peers are crashing because the certs got expired, I tried to renew the certs by following the steps in https://stackoverflow.com/questions/65357412/how-to-renew-tls-certs-in-hyperledger-fabric-after-they-have-expired To re-enroll the peer identity, first the bootstrap admin has to be enrolled. While enrolling the bootstrap admin, I am getting the error like, "*Post https://0.0.0.0:7054/enroll: x509: certificate has expired or is not yet valid*". Can anyone explain me how to solve this issue? Thanks in Advance!

bardia (Fri, 01 Oct 2021 10:10:54 GMT):
Has joined the channel.

indirajith (Wed, 06 Oct 2021 11:57:23 GMT):
Hi all, how do I restart a crashed fabric CA? Can anyone help me use the old key pair when starting the CA again? Also, how do I enable persistent storage for CAs?

bardia (Sun, 10 Oct 2021 12:20:27 GMT):
I have an API for the following update:
```
curl --request PUT \
  --url http://localhost:8080/user/3/tags \
  --header 'Content-Type: application/json' \
  --data '[ { "id": "1", "name": "www", } ]'
```
This is the code in the chaincode:
```go
func (s *smartContract) UpdateXXXTag(ctx contractapi.TransactionContextInterface, id, name string) error {
	check, err := s.CheckPermissions(ctx, "XXX")
	if err != nil {
		return fmt.Errorf("error on check role XXX: %w", err)
	}
	if check {
		m := ModbusTag{
			ID: id,
		}
		// Read the existing tag from the world state under the key m.Key().
		assetJSON, err := ctx.GetStub().GetState(m.Key())
		if err != nil {
			return fmt.Errorf("failed to read from world state: %v", err) //nolint:errorlint
		}
		if assetJSON == nil {
			return fmt.Errorf("the asset %s does not exist", id)
		}
		err = json.Unmarshal(assetJSON, &m)
		if err != nil {
			return nil //nolint:nilerr
		}
		m.Name = name
		bytes, err := json.Marshal(m)
		if err != nil {
			return fmt.Errorf("error on marshal XXX struct: %w", err)
		}
		// Write the updated tag back to the world state under the key id.
		err = ctx.GetStub().PutState(id, bytes)
		if err != nil {
			return fmt.Errorf("error on put state to stub: %w", err)
		}
		return nil
	}
	return ErrAccessPermission{Permission: "XXX"}
}
```
But it does not update the name. Where is the problem?

baxihemant (Mon, 11 Oct 2021 01:11:17 GMT):
Has joined the channel.

action-sj (Tue, 12 Oct 2021 01:28:52 GMT):
Has joined the channel.

bh4rtp (Tue, 12 Oct 2021 03:21:55 GMT):
If using pkcs11, the MSP keystore can be empty because the private keys are stored inside the HSM. But why does the TLS keystore contain the private key file?

davidkel (Tue, 12 Oct 2021 06:31:20 GMT):
Because TLS is not handled by the fabric code base and so the PKCS11 implementation defined by BCCSP isn't used to manage TLS certificates. There is a minor issue in fabric-ca-server where it incorrectly uses the BCCSP to generate a self-signed TLS cert

charalarg (Thu, 14 Oct 2021 08:42:23 GMT):
Has joined the channel.

AjayKalola (Mon, 01 Nov 2021 05:02:09 GMT):
Hello everyone, I'm hitting an issue when upgrading the chaincode after renewing the old TLS certificates. Can anyone help me resolve it? I have a fabric blockchain v1.3 set up and running.
```
2021-06-25 12:16:55.458 UTC [msp/identity] Sign -> DEBU 0bf Sign: plaintext: 0A90090A7008031A0C08B792D7860610...324D53500A04657363630A0476736363
2021-06-25 12:16:55.459 UTC [msp/identity] Sign -> DEBU 0c0 Sign: digest: CA0260CE12250C900C831C630D58FC50CAE8296D79C754CAD8A61E4B96039C48
2021-06-25 12:16:55.466 UTC [chaincodeCmd] upgrade -> DEBU 0c1 endorse upgrade proposal, get response Error: could not assemble transaction, err proposal response was not successful, error code 500, msg instantiation policy violation: signature set did not satisfy policy
```
I'm using the command below to upgrade the chaincode.
```
peer chaincode upgrade \
  --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA \
  --clientauth --keyfile ${KEYFILE} \
  --certfile ${CERTFILE} \
  -n $CHAINCODE_NAME -v $VERSION -c '{"Args":[""]}' -C CHANNEL_NAME -P "AND ('oderer1MSP.member','orderer2MSP.member')"
```
Here is the orderer log:
```
2021-10-29 09:17:53.373 UTC [orderer/common/server] Broadcast -> DEBU 3d12d Starting new Broadcast handler
2021-10-29 09:17:53.373 UTC [orderer/common/broadcast] Handle -> DEBU 3d12e Starting new broadcast loop for 10.0.1.9:49344
2021-10-29 09:17:53.389 UTC [orderer/common/broadcast] Handle -> WARN 3d12f Error reading from 10.0.1.9:49344: rpc error: code = Canceled desc = context canceled
2021-10-29 09:17:53.390 UTC [orderer/common/server] func1 -> DEBU 3d130 Closing Broadcast stream
2021-10-29 09:17:53.390 UTC [grpc] infof -> DEBU 3d131 transport: loopyWriter.run returning. connection error: desc = "transport is closing"
```
Can anyone please help me, as it's in production. Thanks.

AjayKalola (Mon, 01 Nov 2021 05:08:43 GMT):
Hello @indirajith, you can renew those certificates with the command below: `fabric-ca-client reenroll -d -u http://username:pass:host:port` or `fabric-ca-client enroll -d -u http://username:pass:host:port`

AjayKalola (Mon, 01 Nov 2021 05:55:58 GMT):
@adarshaJha Have you renewed all certificates? If so, are you able to update the chaincode afterwards? Please let me know.

bardia (Mon, 08 Nov 2021 06:24:36 GMT):
How can I get around the *password attempts* problem in golang? When I log in 10 times unsuccessfully, I can no longer log in an 11th time with the correct credentials. It gives the following message:
```
failed to enroll user: enroll failed: enroll failed: Response from server: Error Code: 73 - Incorrect password entered 10 times, max incorrect password limit of 10 reached
```

beeraaron81 (Wed, 17 Nov 2021 13:02:56 GMT):
Has joined the channel.

beeraaron81 (Thu, 18 Nov 2021 15:01:56 GMT):
Hello everyone! I have a serious issue getting my Fabric network with a TLS chain of trust of multiple Fabric CA servers to work. I have already spent close to 2 months trying to figure out a solution, so any help would be very much appreciated! 😊 Here is my GitHub issue describing my problem and all the files needed: https://github.com/hyperledger/fabric-ca/issues/266 Thank you very much in advance!!! :star2:

bardia (Tue, 07 Dec 2021 06:05:23 GMT):
How can I increase the number of deploys of a chaincode version?

bardia (Fri, 17 Dec 2021 06:12:14 GMT):
How do I change an affiliation name on the HLF ca-server?

bardia (Thu, 20 Jan 2022 08:30:29 GMT):
How do I set a password for a fabric-ca-server.db database file?

bardia (Thu, 20 Jan 2022 08:35:37 GMT):
How do I add a field to a fabric-ca-server.db database file?

gentios (Mon, 24 Jan 2022 11:14:12 GMT):
hi, why can't I register a new identity of type admin? I keep getting
```
2022/01/24 11:13:07 [DEBUG] No affiliation provided in registration request, will default to using registrar's affiliation of ''
2022/01/24 11:13:07 [DEBUG] canRegister - Check to see if user 'admin' can register
2022/01/24 11:13:07 [DEBUG] Checking to see if caller 'admin' can act on type 'admin'
2022/01/24 11:13:07 [DEBUG] Checking to see if caller 'admin' is a registrar
2022/01/24 11:13:07 [DEBUG] Caller with types '[peer orderer client user]' is not authorized to act on 'admin'
2022/01/24 11:13:07 [DEBUG] Registration of 'vlsadmin' failed: : scode: 403, local code: 44, local msg: Registrar does not have authority to act on type 'admin', remote code: 71, remote msg: Authorization failure
```

gentios (Mon, 24 Jan 2022 11:20:14 GMT):
how do I register a new admin role, or a user that has `--id.type admin`?

indirajith (Tue, 25 Jan 2022 13:40:38 GMT):
Thank you very much Ajay!

conanoc (Wed, 26 Jan 2022 05:05:06 GMT):
@gentios You seem to be executing the `fabric-ca-client register` command without enrolling the previous admin certs. Does your command succeed with `--id.type client`?

Shweta1 (Wed, 02 Feb 2022 14:55:54 GMT):
Hi Team, I have an HLF 2.2 network set up with crypto certs generated from fabric-ca. I am able to deploy chaincode successfully. From the Java SDK, I am able to enroll and register a user, but when I try to invoke chaincode I get the error "Input stream doesn't contain valid certificates". Kindly suggest.

gentios (Thu, 03 Feb 2022 13:54:08 GMT):
Sorry for the late reply @conanoc, yes, it does work with `--id.type client`

conanoc (Fri, 04 Feb 2022 02:16:04 GMT):
Take a look at this and check if your previous admin has the proper hf.Registrar.Roles attribute. https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#registering-a-new-identity

gentios (Fri, 04 Feb 2022 08:37:03 GMT):
Yes, I have gone through that document and it seems that the bootstrapped admin does not have the proper admin rights to register a `--type admin` identity. Another approach was to enable NodeOUs, however this is a production network and I don't want to mess with the configuration. My issue arose when I tried to deploy #hyperledger-explorer ; explorer itself was requesting a role `admin`. I changed its codebase so I could proceed further, but haven't managed to resolve everything yet.

gentios (Fri, 04 Feb 2022 08:38:44 GMT):
It seems that the explorer, on `init` in a `kubernetes` environment, calls `fabric-ca` multiple times and fails in the `ca.register()` function.

gentios (Fri, 04 Feb 2022 08:39:31 GMT):
this is very strange actually, since on the `1st` call everything is `ok with a 200`, however the next calls fail

gentios (Fri, 04 Feb 2022 08:41:31 GMT):
I haven't managed to detect whether the issue is that `kubernetes` runs multiple containers at once or that `explorer` does not `await` on things properly, but this is a different topic from our thread

gentios (Fri, 04 Feb 2022 08:41:49 GMT):
Thank you @conanoc for your support

mohana.a (Fri, 04 Feb 2022 14:35:05 GMT):
Has joined the channel.

mohana.a (Fri, 04 Feb 2022 14:35:06 GMT):
Hi, I had set up a hyperledger fabric network (v1.4.2) with a few orgs a year back in a kubernetes cluster using Hyperledger Bevel. Each org has its own CA and TLSCA servers running with TLS enabled. The age of the pods is about 365 days. Peer and orderer pods are in CrashLoopBackOff state because the Fabric-CA certificates have expired. We tried creating a configmap for fabric-ca-server and configured the file fabric-ca-server-config.yaml with 131400h as the expiry duration, but it did not work. The peer pods are crashing with the following error: "Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/fabric/msp: signing identity expired 24h ago". Can someone tell me how I renew the certificates or solve this issue, and what changes need to be made to the existing channel and chaincodes? Thanks in advance.

knagware9 (Fri, 04 Feb 2022 14:48:52 GMT):
https://stackoverflow.com/questions/59525641/what-happens-when-certificates-got-renewed-in-hyperledger-fabric/59535662

mohana.a (Tue, 15 Feb 2022 06:50:54 GMT):
Hi, I had set up a hyperledger fabric network (v2.2) with a few orgs a year back in a kubernetes cluster using Hyperledger Bevel. We use CA certificates generated by the Bevel scripts. The CA certificates will expire next month. Can someone tell me how I renew the certificates or solve this issue, and what changes need to be made to the existing channel and chaincodes? Thanks in advance.

fishMao (Tue, 22 Feb 2022 10:18:14 GMT):
Has joined the channel.

fishMao (Tue, 22 Feb 2022 10:19:57 GMT):
Hi, everyone!

fishMao (Tue, 22 Feb 2022 10:22:00 GMT):
Hi, everyone. I ran into a problem when using fabric-ca and fabric-sdk-go to register users.

fishMao (Tue, 22 Feb 2022 10:47:01 GMT):
Hi, everyone. I ran into a problem when using fabric-ca and fabric-sdk-go to register users. The problem is that the first time I start the containers with the "docker-compose up" command and use the fabric-sdk-go API to register users, I can *register successfully*. However, when I run "docker-compose down" and *restart the containers* with "docker-compose up", then run the same code to register users, it returns *register users failed*. I don't know what happened. I also looked at the logs output by fabric-ca-server; they show that the key is not found. I have no idea how to deal with this problem. So I *reboot my machine*, start the containers and run the code to register users, and it *registers successfully again*. Can anyone explain why this problem happens and how I can resolve it? I do not want to have to reboot my machine every time.

davidkel (Wed, 23 Feb 2022 09:19:54 GMT):
try `docker-compose down -v` to remove volumes which would persist across down/up commands

sudarsan.immadi (Thu, 24 Feb 2022 11:15:00 GMT):
Has joined the channel.

Vgkmanju (Wed, 02 Mar 2022 06:22:22 GMT):
Has joined the channel.

Vgkmanju (Wed, 02 Mar 2022 07:16:17 GMT):
Hi all, are there any steps to follow during the hyperledger fabric certs renewal process, like first we have to renew the parent cert, then the orderer cert, peer cert and TLS certs?

rjones (Wed, 23 Mar 2022 17:24:41 GMT):