
We have started an instance of fabric-ca-server with the following settings in docker-compose.yml:

version: '2'

networks:
  test:

services:

  myservice:
    container_name: my-container
    image: hyperledger/fabric-ca
    command: /bin/bash -c "fabric-ca-server start -b admin:adminpw"
    environment:
      - FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=rca-ord
      - FABRIC_CA_SERVER_CSR_HOSTS=rca-ord
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - ./scripts:/scripts
      - ./data:/data
    networks:
      - test
    ports:
      - 7054:7054

But when we try to enroll a user against this server using the command below:

root@fd85cc416f52:/# fabric-ca-client enroll -u https://user:userpw@localhost:7054 --tls.certfiles $FABRIC_CA_SERVER_HOME/tls-cert.pem

we get the error below:

2018/12/08 22:18:03 [INFO] TLS Enabled
2018/12/08 22:18:03 [INFO] generating key: &{A:ecdsa S:256}
2018/12/08 22:18:03 [INFO] encoded CSR
Error: POST failure of request: POST https://localhost:7054/enroll
{"hosts":["fd85cc416f52"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBQDCB6AIBADBcMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDTALBgNV\nBAMTBHVzZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATREdPvOeaWG9TzaEyk\nhFXRnJFJouDXShr0D1745bCt/0n3qjpqviZiApd1t62VrpMX0j8DBa6tkF7C+rEr\nRvwnoCowKAYJKoZIhvcNAQkOMRswGTAXBgNVHREEEDAOggxmZDg1Y2M0MTZmNTIw\nCgYIKoZIzj0EAwIDRwAwRAIgASXupobxJia/FFlLiwYzYpacvSA6RiIc/LR/kvdB\nT8ICIA1nJ2RfHrwMhOWocxMAIuLUsBvKS3S5DIwCHp0/gBpn\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post https://localhost:7054/enroll: x509: certificate is valid for rca-ord, not localhost

On the server side we can see the following message printed when the request is sent:

my-container | 2018/12/08 22:18:03 http: TLS handshake error from 127.0.0.1:56518: remote error: tls: bad certificate

We have also tried:

root@fd85cc416f52:/# ls $FABRIC_CA_SERVER_HOME
IssuerPublicKey  IssuerRevocationPublicKey  ca-cert.pem  fabric-ca-server-config.yaml  fabric-ca-server.db  msp  tls-cert.pem
root@fd85cc416f52:/# fabric-ca-client enroll -u https://user:userpw@localhost:7054 --tls.certfiles $FABRIC_CA_SERVER_HOME/ca-cert.pem

with the same result.

Wondering if someone can help us understand what is wrong here and how we can fix it? Thanks.

morpheus

1 Answer


You have generated a TLS certificate on the server using FABRIC_CA_SERVER_CSR_HOSTS=rca-ord, but then you are sending your request to localhost in the URL you specify in the enroll command.

To get this to work, you should change your environment variable to also include 'localhost'. For example: FABRIC_CA_SERVER_CSR_HOSTS=rca-ord,localhost.

Delete the old TLS certificate and generate a new one, and it should work.

Saad Karim
  • tried and doesn't work. the error this time is my-container | 2018/12/19 21:53:09 [INFO] 127.0.0.1:57750 POST /enroll 401 23 "Failed to get user: : scode: 404, code: 63, msg: Failed to get User: sql: no rows in result set". why is it trying to get a user when we are asking it to enroll one for the first time? – morpheus Dec 19 '18 at 21:55
  • That seems like a separate issue. Adding localhost has gotten you past the TLS handshake error that your original post was about. – Saad Karim Dec 21 '18 at 16:06
  • @morpheus did you find any solution? I'm facing the same issue of `certificate is valid for rca-ord, not localhost` – metadata Sep 17 '19 at 09:49
  • I've added `FABRIC_CA_SERVER_CSR_HOSTS` in my `docker-compose.yaml` file under `ca-server` section but it is not working. I haven't generated the new certs. – metadata Sep 17 '19 at 11:40
  • @alpha generate a new cert and make sure the SAN (Subject Alternative Name) in the cert matches the string you are using to connect to the server. See https://stackoverflow.com/a/5937270/147530: Update: as per RFC 6125, published in 2011, the validator must check SAN first, and if SAN exists, then CN should not be checked. – morpheus Sep 17 '19 at 16:31
  • Thanks, @morpheus. I have a question: when I'm running the `fabric-ca-client enroll -u "http://admin:adminpw@localhost:7054"` command it results in some cacerts and signcerts. When I checked the `CN` and `SAN` in signcerts they are both different: `CN` is `admin` and `SAN` is `MY-MACHINE-NAME`. I have added `localhost` and `abc.com` under `hosts` in the `CSR` section of the `fabric-ca-server` config file. Is there any way to change the `SAN` to `abc.com`? – metadata Sep 18 '19 at 17:53
  • use the --csr.hosts flag when running fabric-ca-client enroll to set the SAN. https://jira.hyperledger.org/browse/FABC-831 – morpheus Sep 18 '19 at 21:21
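The following script is an added illustration of the rule behind this error, not code from the question, the answer, or the Fabric CA project. It re-implements the RFC 6125 hostname check that the comments above describe: when a server certificate carries a subjectAltName extension, the hostname from the URL is matched against the SAN entries only and the CommonName is ignored, so a cert issued with FABRIC_CA_SERVER_CSR_HOSTS=rca-ord can never satisfy a connection to localhost, and adding "localhost" to the CSR hosts and regenerating the cert is what fixes it. The certificate dictionaries are constructed by hand in the layout that Python's ssl getpeercert() returns (standard library only; no real certificates involved), and the error string is modelled on the Go x509 message shown in the question. It goes slightly beyond the case on the page by also handling single-label wildcards and IP-address SANs.

```python
"""Hostname-vs-certificate matching, following the RFC 6125 rule that
produces "x509: certificate is valid for rca-ord, not localhost".

Certificates are represented as constructed dicts in the shape returned by
ssl.SSLSocket.getpeercert(); they are NOT real fabric-ca certificates.
"""
import ipaddress


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName (single-label wildcard allowed) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    # A wildcard covers exactly one label: *.example.com matches a.example.com
    # but neither example.com nor a.b.example.com.
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def match_hostname(cert: dict, hostname: str) -> bool:
    """Return True if `hostname` is covered by `cert` (getpeercert() layout).

    Example layout:
      {"subject": ((("commonName", "rca-ord"),),),
       "subjectAltName": (("DNS", "rca-ord"), ("IP Address", "127.0.0.1"))}
    """
    san = cert.get("subjectAltName", ())
    if san:
        # RFC 6125 6.4.4: SAN present -> the CommonName must not be consulted.
        for kind, value in san:
            if kind == "DNS" and _dns_match(value, hostname):
                return True
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ipaddress.ip_address(hostname):
                        return True
                except ValueError:
                    pass  # hostname is a DNS name, not an IP literal
        return False
    # No SAN extension at all: legacy fallback to the commonName.
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and _dns_match(value, hostname):
                return True
    return False


def explain(cert: dict, hostname: str) -> str:
    """Message modelled on the Go x509 error quoted in the question."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if match_hostname(cert, hostname):
        return f"certificate is valid for {hostname}"
    return f"x509: certificate is valid for {', '.join(names)}, not {hostname}"


# Constructed: server cert as produced with FABRIC_CA_SERVER_CSR_HOSTS=rca-ord
ORIGINAL_CERT = {
    "subject": ((("commonName", "rca-ord"),),),
    "subjectAltName": (("DNS", "rca-ord"),),
}

# Constructed: after FABRIC_CA_SERVER_CSR_HOSTS=rca-ord,localhost and a regenerated cert
FIXED_CERT = {
    "subject": ((("commonName", "rca-ord"),),),
    "subjectAltName": (("DNS", "rca-ord"), ("DNS", "localhost")),
}

# Constructed: CN says localhost but the SAN does not. RFC 6125 makes this
# fail, which is why changing only FABRIC_CA_SERVER_CSR_CN would not help.
CN_ONLY_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "rca-ord"),),
}

if __name__ == "__main__":
    for label, cert in [("original", ORIGINAL_CERT), ("fixed", FIXED_CERT), ("cn-only", CN_ONLY_CERT)]:
        print(f"{label:9} localhost -> {explain(cert, 'localhost')}")
        print(f"{label:9} rca-ord   -> {explain(cert, 'rca-ord')}")
```

Running it prints the original certificate failing for localhost with the same wording the client reported, the regenerated certificate passing for both names, and the CN-only variant still failing, which is the check to apply to any TLS endpoint whose hostname in the URL differs from the name the certificate was issued for.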