First of all I'd like to mention that my setup works like a charm when there's no TLS enabled. It works even in Docker Swarm on AWS.

The problem starts when I enable TLS. When I deploy my .bna file via Composer, my newly created chaincode container produces the following logs:

2017-08-23 13:14:16.389 UTC [Composer] Info -> INFO 001 Setting the Composer pool size to 8
2017-08-23 13:14:16.402 UTC [shim] userChaincodeStreamGetter -> ERRO 002 Error trying to connect to local peer: x509: certificate signed by unknown authority
Error starting chaincode: Error trying to connect to local peer: x509: certificate signed by unknown authority

Funny thing is that this works when deploying the .bna via the Composer Playground (with TLS still enabled in my Fabric)...

Below is my connection profile:

{
    "name": "test",
    "description": "test",
    "type": "hlfv1",
    "orderers": [
        {
            "url": "grpcs://orderer.company.com:7050",
            "cert": "-----BEGIN CERTIFICATE-----blabla1\n-----END CERTIFICATE-----\n"
        }
    ],
    "channel": "channelname",
    "mspID": "CompanyMSP",
    "ca": {
        "url": "https://ca.company.com:7054",
        "name": "ca-company",
        "trustedRoots": [
            "-----BEGIN CERTIFICATE-----\nblabla2\n-----END CERTIFICATE-----\n"
        ],
        "verify": true
    },
    "peers": [
        {
            "requestURL": "grpcs://peer0.company.com:7051",
            "eventURL": "grpcs://peer0.company.com:7053",
            "cert": "-----BEGIN CERTIFICATE-----\nbalbla3\n-----END CERTIFICATE-----\n"
        }
    ],
    "keyValStore": "/home/composer/.composer-credentials",
    "timeout": 300
}

My certs have been generated by the cryptogen tool, hence:

  • orderers.0.cert contains value of crypto-config/ordererOrganizations/company.com/orderers/orderer.company.com/msp/tlscacerts/tlsca.company.com-cert.pem
  • peers.0.cert contains value of crypto-config/peerOrganizations/company.com/peers/peer0.company.com/msp/tlscacerts/tlsca.company.com-cert.pem
  • ca.trustedRoots.0 contains crypto-config/peerOrganizations/company.com/peers/peer0.company.com/tls/ca.crt

I've got the feeling that my trustedRoots certificate is wrong...

UPDATE: When I run `docker inspect` on the chaincode container, I can see that it is missing the ENV variable `CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/peer.crt`, while the chaincode container deployed via Playground does have it...

1 Answer

When the chaincode image is built, the TLS certificate that it uses to build the trusted roots is the rootcert from:

# TLS Settings

# Note that peer-chaincode connections through chaincodeListenAddress is
# not mutual TLS auth. See comments on chaincodeListenAddress for more info
tls:
    enabled:  false
    cert:
        file: tls/server.crt
    key:
        file: tls/server.key
    rootcert:
        file: tls/ca.crt

The TLS certificate that the peer uses to run the gRPC service is the cert one.

By the way, you're using the release branch code, not the one in master - is that correct?

3cheesewheel
yacovm
  • I use docker version 1.0.0 for fabric. Based on your answer my root cert was valid for the ca. But when I changed the cert for peer to the one you told me to change to, it doesn't work now at all and I get this: `1 ssl_transport_security.c:947] Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed. E0825 09:19:59.277837864 1 ssl_transport_security.c:947] Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.` – Messi Of DevOps Aug 25 '17 at 09:25
  • Also, I'm talking about the Hyperledger Composer connection, not the Fabric itself. My Fabric peer has a valid configuration for those: `CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt` – Messi Of DevOps Aug 25 '17 at 09:36
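The answer's point is that a trusted root is only useful if it is the CA that actually signed the peer's TLS server certificate; any other CA in `trustedRoots` or `cert` yields exactly the "x509: certificate signed by unknown authority" failure from the shim log. The following Go program (added here as an illustration; it is not code from the question, from the answer or from Fabric/Composer) shows how to check a candidate PEM root against a server certificate before putting it in a connection profile. Go is used because Fabric and its chaincode shim are written in Go, so `crypto/x509` performs the same verification the shim does. All certificates are generated in the program and labelled as constructed; to check a real deployment, replace `peerPEM` and the root PEMs with the contents of the peer's `tls/server.crt` and the candidate CA file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey (pass parent == tmpl for a self-signed
// root) and returns the parsed certificate, its PEM form and the new private key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, []byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if parent == tmpl { // self-signed: the root signs with its own key
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key, err
}

// caTemplate describes a constructed TLS CA standing in for a cryptogen
// tlsca.<org>-cert.pem; nothing about it is taken from the question.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

// VerifyServerCert checks that serverPEM chains to a root in rootsPEM and is valid
// for host. This is the check the Go TLS stack runs when the chaincode shim dials
// the peer, so a wrong root reproduces "certificate signed by unknown authority".
func VerifyServerCert(serverPEM, rootsPEM []byte, host string) error {
	block, _ := pem.Decode(serverPEM)
	if block == nil {
		return errors.New("server PEM: no CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootsPEM) {
		return errors.New("trusted roots: no parsable certificate")
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// IsUnknownAuthority distinguishes a root mismatch from expiry or hostname errors.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Scenario issues a peer TLS cert from one constructed CA and verifies it against
// that CA and against an unrelated one. It returns (correctRootOK,
// wrongRootIsUnknownAuthority, setupErr).
func Scenario() (bool, bool, error) {
	peerCATmpl := caTemplate("tlsca.company.com (constructed)", 1)
	peerCA, peerCAPEM, peerCAKey, err := issue(peerCATmpl, peerCATmpl, nil)
	if err != nil {
		return false, false, err
	}
	otherCATmpl := caTemplate("tlsca.other.example (constructed)", 2)
	_, otherCAPEM, _, err := issue(otherCATmpl, otherCATmpl, nil)
	if err != nil {
		return false, false, err
	}
	const host = "peer0.company.com" // hostname from the question's connection profile
	peerTmpl := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	_, peerPEM, _, err := issue(peerTmpl, peerCA, peerCAKey) // the peer's tls/server.crt
	if err != nil {
		return false, false, err
	}
	okErr := VerifyServerCert(peerPEM, peerCAPEM, host)   // right root: nil
	badErr := VerifyServerCert(peerPEM, otherCAPEM, host) // wrong root: UnknownAuthorityError
	return okErr == nil, IsUnknownAuthority(badErr), nil
}

func main() {
	ok, unknown, err := Scenario()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	fmt.Println("signing CA as root verifies:", ok)
	fmt.Println("unrelated CA as root fails with unknown authority:", unknown)
}
```

Run against real files, the same `VerifyServerCert` call tells you which of the three cryptogen outputs listed in the question is the right root for each endpoint: the one for which the peer's (or orderer's) server certificate verifies is the one that belongs in the profile.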