I have the CA for my organization. This is the setting for the CA's docker container:
version: '2'
services:
  ca.org1.example.com:
    container_name: ca.org1.example.com
    image: hyperledger/fabric-ca
    command: /bin/bash -c 'fabric-ca-server start -b rca-org-admin:rca-org-adminpw --port 6053'
    environment:
      - FABRIC_CA_SERVER_HOME=/tmp/hyperledger/fabric-ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=ca.org1.example.com
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_DEBUG=true
      - ADMIN_CREDS=rca-org-admin:rca-org-adminpw
      - PORT=6053
    volumes:
      - /home/user/go/src/network/crypto-config/org1/ca/server:/tmp/hyperledger/fabric-ca
    ports:
      - 6053:6053
    networks:
      - basic
networks:
  basic:
I have a connectionProfile.yaml with the url and the TLS certificate of my CA:
certificateAuthorities:
  ca.org1.example.com:
    url: https://localhost:6053
    tlsCACerts:
      pem: |
        -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
    httpOptions:
      verify: false
I load this connectionProfile.yaml into my Node.js application and try to enroll a user. See the code below:
const path = require('path');
const fs = require('fs');
const yaml = require('js-yaml');
const FabricCAServices = require('fabric-ca-client');
const { FileSystemWallet } = require('fabric-network');

async function enrollAdmin() {
    // Load the connection profile shown above (file location assumed to be next to this script).
    const ccp = yaml.safeLoad(fs.readFileSync(path.resolve(__dirname, 'connectionProfile.yaml'), 'utf8'));
    const caInfo = ccp.certificateAuthorities['ca.org1.example.com'];
    const caTLSCACerts = caInfo.tlsCACerts.pem;
    const ca = new FabricCAServices(caInfo.url, { trustedRoots: caTLSCACerts, verify: false }, caInfo.caName);
    // Create a new file system based wallet for managing identities.
    const walletPath = path.join(__dirname, '..', 'hyperledger', 'wallet');
    const wallet = new FileSystemWallet(walletPath);
    console.log(`Wallet path: ${walletPath}`);
    // Check to see if we've already enrolled the admin user.
    const identityLabel = 'admin.org1.example.com';
    const identity = await wallet.exists(identityLabel);
    if (!identity) {
        // Enroll the admin user, and import the new identity into the wallet.
        const enrollment = await ca.enroll({ enrollmentID: 'rca-org-admin', enrollmentSecret: 'rca-org-adminpw' });
        const x509Identity = {
            certificate: enrollment.certificate,
            privateKey: enrollment.key.toBytes(),
            mspId: 'org1MSP',
            type: 'X.509',
        };
        await wallet.import(identityLabel, x509Identity);
        console.log(`Successfully enrolled admin user "${identityLabel}" and imported it into the wallet`);
    }
}

enrollAdmin().catch((err) => { console.error(err); process.exit(1); });
I guess tlsCACerts.pem is needed for the TLS connection with the CA. The user enrollment was successful with this code. But if I change this certificate (tlsCACerts.pem) to some other one (any certificate, even a randomly generated one), clean my wallet and try to enroll again, it still succeeds. The logs of the CA container confirm this. It seems to me that it does not use this TLS certificate, but why, if TLS is turned on on the CA server?
Version of fabric-ca-server is 1.4.6
Version of the Fabric SDK for Node is 1.4.8
Maybe someone has thoughts on this issue. Maybe I'm doing something wrong?
Despite the fact that the question is 4 months old and you have probably found the solution, I will try to answer.
I think the problem is on line 3 of your code:
const ca = new FabricCAServices(caInfo.url, { trustedRoots: caTLSCACerts, verify: false }, caInfo.caName);
The TLS option verify is false, so the certificate is not actually verified.
Try setting verify to true; I think this should work:
const ca = new FabricCAServices(caInfo.url, { trustedRoots: caTLSCACerts, verify: true }, caInfo.caName);
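To show what the verify flag actually changes, here is an added example that is not from the question, the answer or the Fabric SDK. It is written in Go (the language fabric-ca-server itself is written in) because Go's standard library can build throwaway certificates in memory, so the whole demonstration runs offline: it generates two self-signed CAs ("real-ca" and "rogue-ca", both constructed here), starts a loopback HTTPS server whose certificate chains to real-ca, and then connects three times with the same two knobs the SDK exposes as trustedRoots and verify. The function names (certTemplate, issue, poolOf, connect, runScenarios) and the scenario labels are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// check aborts on setup errors; none of them are part of what is being demonstrated.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// certTemplate builds a CA template (isCA) or a server leaf for 127.0.0.1, where httptest listens.
func certTemplate(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
	}
	return t
}

// issue signs tmpl with parent/parentKey (self-signed when parent is nil) and returns cert and key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// poolOf wraps one CA certificate as a trust store, the role tlsCACerts.pem / trustedRoots plays.
func poolOf(c *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(c)
	return p
}

// connect makes one HTTPS request. verify=false becomes InsecureSkipVerify=true, which
// disables chain validation entirely, so trustedRoots is never even consulted.
func connect(url string, trustedRoots *x509.CertPool, verify bool) error {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: trustedRoots, InsecureSkipVerify: !verify}}
	defer tr.CloseIdleConnections()
	client := &http.Client{Transport: tr, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// runScenarios serves TLS with a certificate chaining to "real-ca" and reports which clients connect.
func runScenarios() map[string]bool {
	realCA, realKey := issue(certTemplate(1, "real-ca", true), nil, nil)
	rogueCA, _ := issue(certTemplate(2, "rogue-ca", true), nil, nil) // "any certificate, even randomly generated"
	leaf, leafKey := issue(certTemplate(3, "ca.org1.example.com", false), realCA, realKey)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "enroll ok")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}}
	srv.StartTLS()
	defer srv.Close()
	return map[string]bool{
		"correct root, verify=true": connect(srv.URL, poolOf(realCA), true) == nil,
		"wrong root, verify=true":   connect(srv.URL, poolOf(rogueCA), true) == nil,
		"wrong root, verify=false":  connect(srv.URL, poolOf(rogueCA), false) == nil,
	}
}

func main() {
	for name, ok := range runScenarios() {
		fmt.Printf("%-27s connected=%v\n", name, ok)
	}
}
```

The third scenario reproduces the symptom from the question: with verification off, a client configured with a completely unrelated root still connects, so swapping tlsCACerts.pem for random data changes nothing. The second scenario is what the corrected configuration buys you: the wrong root is rejected at the handshake, before any enrollment request is sent. Note that the connection profile above also carries verify: false under httpOptions, so whichever of the two settings the application ends up honouring, both should be true for the trusted root to matter.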