hyperledger/fabric-ca

Peer certificate expired

subhasisbanik opened this issue · 7 comments

I am facing an issue while trying to install a new chaincode in my peer:

Server TLS handshake failed with error: tls: bad certificate server=PeerServer

My peer is running a TLSCA and a CA-Server and,
Peer version: 2.4.4
fabric-ca: latest
TLSCA: 1.5.0

I am getting the above error from organizations/peerOrganizations/organization.com/users/Admin@organization.com/msp

I have also checked the signcerts/cert.pem and found that it has actually expired. The cert.pem in the peer's signcerts has also expired.

Is there any document which I can follow for renewing the certificates for my peer?

There is information on certificate renewal and how to accomplish this when certificates have already expired here:

https://hyperledger-fabric.readthedocs.io/en/latest/certs_management.html#certificate-renewal

Thanks for the information.
I have tried running the below:

fabric-ca-client reenroll --csr.keyrequest.reusekey --mspdir organizations/peerOrganizations/org.com/users/User1@org.com/msp/keystore/ -u https://admin:adminpw@localhost:7056 --tls.certfiles /opt/docker/hyperledger/org/organizations/peerOrganizations/org.com/tlsca/tlsca.org.com-cert.pem

But I am getting the below error though my ca admin is already enrolled:

[image: screenshot of the reenroll error]

Could you please help as to what I am missing?

Hello @bestbeforetoday,

I have tried the below:

  1. Log into the Server running the CA Server
  2. Update the fabric-ca-client-config.yaml on /opt/docker/hyperledger/org1/organizations/peerOrganizations/org1.com with the hostname of the peer
  3. Run the below:

export FABRIC_CA_CLIENT_HOME=/opt/docker/hyperledger/org1/organizations/peerOrganizations/org1.com
export FABRIC_CA_CLIENT_TLS_CERTFILES=/opt/docker/hyperledger/org1/organizations/peerOrganizations/org1.com/peers/peer0.org1.com/tls/ca.crt
export MSP_DIR=/opt/docker/hyperledger/org1/organizations/peerOrganizations/org1.com/peers/peer0.org1.com/msp
export CA_SERVER=https://admin:adminpw@0.0.0.0:7056

  4. Check fabric client identity:
    fabric-ca-client identity list -u https://admin:adminpw@0.0.0.0:7056/ --tls.certfiles $FABRIC_CA_CLIENT_TLS_CERTFILES

  5. Reenroll the certificate:
    fabric-ca-client reenroll --csr.keyrequest.reusekey --caname ca-org1 --mspdir $MSP_DIR -u $CA_SERVER --tls.certfiles $FABRIC_CA_CLIENT_TLS_CERTFILES

  6. Copy /opt/docker/hyperledger/org1/organizations/peerOrganizations/org1.com/peers/peer0.org1.com/msp/signcerts/cert.pem to the destination VM in the peer directory.

  7. Restart the peer.

Now for restart, I ran docker-compose down and then docker-compose up.

After running docker-compose up, I am facing a panic error as below now:

2023-05-24 13:05:58.870 UTC 043b WARN [lifecycle] handleMetadataUpdatesForChannel -> no metadata found on channel 'testchannel': could not get channel config for channel 'testchannel'
2023-05-24 13:05:58.870 UTC 043c DEBU [lockbasedtxmgr] invokeNamespaceListeners -> Invoking listener for state changes:lifecycle cache listener
2023-05-24 13:05:58.870 UTC 043d DEBU [cceventmgmt] HandleStateUpdates -> Channel [testchannel]: Handling state updates in LSCC namespace - stateUpdates=map[string][]*kvrwset.KVWrite{"_lifecycle":[]*kvrwset.KVWrite{(*kvrwset.KVWrite)(0xc003d534f0), (*kvrwset.KVWrite)(0xc003d53540)}}
2023-05-24 13:05:58.870 UTC 043e INFO [cceventmgmt] HandleStateUpdates -> Channel [testchannel]: Handling deploy or update of chaincode [msgchaincode-exp-llp]
2023-05-24 13:05:58.870 UTC 043f DEBU [statecouchdb] GetState -> GetState(). ns=_lifecycle, key=namespaces/metadata/msgchaincode-exp-llp
2023-05-24 13:05:58.871 UTC 0440 DEBU [statecouchdb] GetState -> GetState(). ns=_lifecycle, key=namespaces/fields/msgchaincode-exp-llp/EndorsementInfo
2023-05-24 13:05:58.871 UTC 0441 DEBU [statecouchdb] GetState -> GetState(). ns=_lifecycle, key=namespaces/fields/msgchaincode-exp-llp/Collections
2023-05-24 13:05:58.871 UTC 0442 DEBU [cceventmgmt] HandleChaincodeDeploy -> Channel [testchannel]: Handling chaincode deploy event for chaincode [[]]
2023-05-24 13:05:58.871 UTC 0443 DEBU [lockbasedtxmgr] invokeNamespaceListeners -> Invoking listener for state changes:lscc state listener
2023-05-24 13:05:58.871 UTC 0444 DEBU [statecouchdb] GetState -> GetState(). ns=_lifecycle, key=namespaces/metadata/msgchaincode-exp-llp
2023-05-24 13:05:58.871 UTC 0445 DEBU [statecouchdb] GetState -> GetState(). ns=_lifecycle, key=namespaces/fields/msgchaincode-exp-llp/Sequence
2023-05-24 13:05:58.871 UTC 0446 DEBU [statecouchdb] GetState -> GetState(). ns=_lifecycle, key=namespaces/fields/msgchaincode-exp-llp/EndorsementInfo
2023-05-24 13:05:58.871 UTC 0447 DEBU [statecouchdb] GetState -> GetState(). ns=_lifecycle, key=namespaces/fields/msgchaincode-exp-llp/ValidationInfo
2023-05-24 13:05:58.871 UTC 0448 DEBU [statecouchdb] GetState -> GetState(). ns=_lifecycle, key=namespaces/fields/msgchaincode-exp-llp/Collections
2023-05-24 13:05:58.871 UTC 0449 DEBU [statecouchdb] GetState -> GetState(). ns=_lifecycle, key=namespaces/metadata/msgchaincode-exp-llp
2023-05-24 13:05:58.871 UTC 044a DEBU [statecouchdb] GetState -> GetState(). ns=_lifecycle, key=namespaces/fields/msgchaincode-exp-llp/EndorsementInfo
2023-05-24 13:05:58.871 UTC 044b DEBU [statecouchdb] GetState -> GetState(). ns=_lifecycle, key=namespaces/fields/msgchaincode-exp-llp/Collections
2023-05-24 13:05:58.871 UTC 044c INFO [gossip.gossip] Stop -> Stopping gossip
2023-05-24 13:05:58.871 UTC 044d DEBU [gossip.gossip] handlePresumedDead -> Exiting
2023-05-24 13:05:58.871 UTC 044e DEBU [gossip.gossip] acceptMessages -> Exiting
2023-05-24 13:05:58.871 UTC 044f DEBU [gossip.discovery] handleMessages -> Stopped
2023-05-24 13:05:58.871 UTC 0450 INFO [gossip.discovery] Stop -> Stopping
2023-05-24 13:05:58.871 UTC 0451 INFO [gossip.discovery] Stop -> Stopped
2023-05-24 13:05:58.871 UTC 0452 DEBU [gossip.discovery] handleEvents -> Stopped
2023-05-24 13:05:58.871 UTC 0453 INFO [gossip.comm] Stop -> Stopping
2023-05-24 13:05:58.871 UTC [grpc] InfoDepth -> DEBU 01c [core]Channel Connectivity change to SHUTDOWN
2023-05-24 13:05:58.871 UTC 0454 DEBU [gossip.comm] serviceConnection -> Closing reading from stream
2023-05-24 13:05:58.871 UTC [grpc] InfoDepth -> DEBU 01d [core]Subchannel Connectivity change to SHUTDOWN
2023-05-24 13:05:58.871 UTC 0455 DEBU [gossip.comm] writeToStream -> Closing writing to stream
2023-05-24 13:05:58.871 UTC 0456 DEBU [gossip.comm] Stop -> Shut down connection store, connection count: 0
2023-05-24 13:05:58.871 UTC 0457 DEBU [gossip.comm] readFromStream -> Got error, aborting: rpc error: code = Canceled desc = context canceled
2023-05-24 13:05:58.871 UTC [grpc] InfoDepth -> DEBU 01e [transport]transport: loopyWriter.run returning. connection error: desc = "transport is closing"
2023-05-24 13:05:58.871 UTC 0458 DEBU [gossip.comm] func1 -> Exiting Accept() loop
2023-05-24 13:05:58.871 UTC 0459 INFO [gossip.comm] Stop -> Stopped
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x1056c06]

goroutine 1 [running]:
github.com/hyperledger/fabric/common/policies.SignatureSetToValidIdentities({0xc0000117b8, 0x1, 0x9d90e7?}, {0x0, 0x0})
/go/src/github.com/hyperledger/fabric/common/policies/policy.go:368 +0x126
github.com/hyperledger/fabric/common/cauthdsl.(*policy).EvaluateSignedData(0xc003e92f00, {0xc0000117b8?, 0x0?, 0x9?})
/go/src/github.com/hyperledger/fabric/common/cauthdsl/policy.go:91 +0xa5
github.com/hyperledger/fabric/core/common/privdata.(*MembershipProvider).AmMemberOf(0xc00026a770, {0xc0037c2f10?, 0xc00251dfa8?}, 0xc003e966c0)
/go/src/github.com/hyperledger/fabric/core/common/privdata/membershipinfo.go:60 +0x20e
github.com/hyperledger/fabric/core/ledger/kvledger.(*collElgNotifier).elgEnabled(0xc000314cc0, {0xc0037c2f10, 0xc}, 0x14?, 0xa?)
/go/src/github.com/hyperledger/fabric/core/ledger/kvledger/coll_elg_notifier.go:132 +0x39
github.com/hyperledger/fabric/core/ledger/kvledger.(*collElgNotifier).elgEnabledCollNames(0xc000287350?, {0xc0037c2f10, 0xc}, 0xc003d2e462?, 0xc003e9c0c0?)
/go/src/github.com/hyperledger/fabric/core/ledger/kvledger/coll_elg_notifier.go:117 +0x258
github.com/hyperledger/fabric/core/ledger/kvledger.(*collElgNotifier).HandleStateUpdates(0xc000314cc0, 0xc003d21c00)
/go/src/github.com/hyperledger/fabric/core/ledger/kvledger/coll_elg_notifier.go:70 +0x2f3
github.com/hyperledger/fabric/core/ledger/kvledger/txmgmt/txmgr.(*LockBasedTxMgr).invokeNamespaceListeners(0xc0003fbc00)
/go/src/github.com/hyperledger/fabric/core/ledger/kvledger/txmgmt/txmgr/lockbased_txmgr.go:470 +0x3e7
github.com/hyperledger/fabric/core/ledger/kvledger/txmgmt/txmgr.(*LockBasedTxMgr).ValidateAndPrepare(0xc0003fbc00, 0xc003d24408, 0x0?)
/go/src/github.com/hyperledger/fabric/core/ledger/kvledger/txmgmt/txmgr/lockbased_txmgr.go:183 +0x38d
github.com/hyperledger/fabric/core/ledger/kvledger/txmgmt/txmgr.(*LockBasedTxMgr).CommitLostBlock(0xc0003029a0?, 0xc003d24408)
/go/src/github.com/hyperledger/fabric/core/ledger/kvledger/txmgmt/txmgr/lockbased_txmgr.go:584 +0xc6
github.com/hyperledger/fabric/core/ledger/kvledger.(*kvLedger).recommitLostBlocks(0x16cbb60?, 0x44, 0x44, {0xc003d29530?, 0x1, 0x1})
/go/src/github.com/hyperledger/fabric/core/ledger/kvledger/kv_ledger.go:481 +0x2db
github.com/hyperledger/fabric/core/ledger/kvledger.(*kvLedger).syncStateAndHistoryDBWithBlockstore(0xc0003029a0)
/go/src/github.com/hyperledger/fabric/core/ledger/kvledger/kv_ledger.go:409 +0x3c5
github.com/hyperledger/fabric/core/ledger/kvledger.(*kvLedger).recoverDBs(0xc0003029a0?)
/go/src/github.com/hyperledger/fabric/core/ledger/kvledger/kv_ledger.go:354 +0x5c
github.com/hyperledger/fabric/core/ledger/kvledger.newKVLedger(0xc0003028f0)
/go/src/github.com/hyperledger/fabric/core/ledger/kvledger/kv_ledger.go:164 +0x5de
github.com/hyperledger/fabric/core/ledger/kvledger.(*Provider).open(0xc00026a8c0, {0xc0037c2f10, 0xc}, 0x0, 0x0)
/go/src/github.com/hyperledger/fabric/core/ledger/kvledger/kv_ledger_provider.go:378 +0x4a6
github.com/hyperledger/fabric/core/ledger/kvledger.(*Provider).Open(0xc00026a8c0, {0xc0037c2f10, 0xc})
/go/src/github.com/hyperledger/fabric/core/ledger/kvledger/kv_ledger_provider.go:330 +0x127
github.com/hyperledger/fabric/core/ledger/ledgermgmt.(*LedgerMgr).OpenLedger(0xc000296e80, {0xc0037c2f10, 0xc})
/go/src/github.com/hyperledger/fabric/core/ledger/ledgermgmt/ledger_mgmt.go:211 +0x193
github.com/hyperledger/fabric/core/peer.(*Peer).Initialize(0xc0000001e0, 0xc0037e8120, 0x1973c7e?, {0x1b4dbc0?, 0xc0037bb8f0}, {0x1b5cec8, 0xc000287350}, {0x1b4bd60, 0xc0027435e0}, {0x1b50460, ...}, ...)
/go/src/github.com/hyperledger/fabric/core/peer/peer.go:512 +0x269
github.com/hyperledger/fabric/internal/peer/node.serve({0x1430ac0?, 0xc000215d18?, 0xc000215cf0?})
/go/src/github.com/hyperledger/fabric/internal/peer/node/start.go:770 +0x4e9a
github.com/hyperledger/fabric/internal/peer/node.glob..func6(0x23a3cc0?, {0x2437948?, 0x0?, 0x0?})
/go/src/github.com/hyperledger/fabric/internal/peer/node/start.go:129 +0x56
github.com/spf13/cobra.(*Command).execute(0x23a3cc0, {0x2437948, 0x0, 0x0})
/go/src/github.com/hyperledger/fabric/vendor/github.com/spf13/cobra/command.go:762 +0x67c
github.com/spf13/cobra.(*Command).ExecuteC(0x23a4640)
/go/src/github.com/hyperledger/fabric/vendor/github.com/spf13/cobra/command.go:852 +0x2dc
github.com/spf13/cobra.(*Command).Execute(...)
/go/src/github.com/hyperledger/fabric/vendor/github.com/spf13/cobra/command.go:800
main.main()
/go/src/github.com/hyperledger/fabric/cmd/peer/main.go:56 +0x392

I have enabled FABRIC_CA_SERVER_CA_REENROLLIGNORECERTEXPIRY as true for CA-Server and my CA-Server is of version 1.5.5 but still while reenrolling I am getting the below error:

Error: Failed to reenroll 'peer0': POST failure of request: POST https://0.0.0.0:8054/reenroll
{"hosts":["peer0.org1.com","0.0.0.0"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBCDCBrwIBADAQMQ4wDAYDVQQDEwVwZWVyMDBZMBMGByqGSM49AgEGCCqGSM49\nAwEHA0IABCwVvW+GXz0fkiz4fNsOyoYwRQ7iVwHo+bhqZ6Hq7VsOURWY4Yi9zUBi\nleXwdNqQVBD2g+fZVUV8goHwuRXGyAagPTA7BgkqhkiG9w0BCQ4xLjAsMCoGA1Ud\nEQQjMCGCGXBlZXIwLmN1c3RvbXNjbGllbnQwNS5jb22HBAAAAAAwCgYIKoZIzj0E\nAwIDSAAwRQIhAIHL5+uL76aDMdbrgBOEvJSb9g3BofFGofAx1gNB7edOAiA7hQh3\n/G1bv73lzKuYwR9WL72LJ7uHN0tPQptRYGua0Q==\n-----END CERTIFICATE REQUEST-----\n","profile":"tls","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":"tlsca-org1"}: Post https://0.0.0.0:8054/reenroll: x509: certificate has expired or is not yet valid

Please help!

This problem is solved. It looked like the TLS CA certs and CA certs had all expired and needed renewal. Hence closing this ticket.
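The root cause in this thread was found by hand: the peer's signcert had expired, and so had the TLS CA and CA certificates that the reenroll call itself depends on. The following is an added example (not code from the original thread or from Fabric CA) of a small Go tool that walks an MSP directory tree and reports every certificate that is expired, not yet valid, or close to expiry, so that the whole chain (signcerts, cacerts, tlscacerts, tls/) is checked before a `reenroll` or a peer restart is attempted. It uses only the Go standard library's `crypto/x509`; the directory layout names, the `.pem`/`.crt` filter and the `selfSignedPEM` helper (which mints constructed self-signed certificates purely so the tool can be exercised offline) are assumptions of this example, not Fabric CA behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// CertStatus summarises one PEM certificate's validity at a chosen instant.
type CertStatus struct {
	Path     string
	Subject  string // CN of the certificate
	NotAfter time.Time
	Expired  bool // true when now is outside [NotBefore, NotAfter]
	DaysLeft int  // whole days until NotAfter (negative once expired)
}

// CheckPEM parses the first CERTIFICATE block in pemBytes and reports its
// validity at "now". Non-certificate blocks (private keys, CSRs) are skipped.
func CheckPEM(path string, pemBytes []byte, now time.Time) (CertStatus, error) {
	rest := pemBytes
	for len(rest) > 0 {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return CertStatus{}, fmt.Errorf("%s: %w", path, err)
		}
		return CertStatus{
			Path:     path,
			Subject:  cert.Subject.CommonName,
			NotAfter: cert.NotAfter,
			Expired:  now.Before(cert.NotBefore) || now.After(cert.NotAfter),
			DaysLeft: int(cert.NotAfter.Sub(now).Hours() / 24),
		}, nil
	}
	return CertStatus{}, errors.New(path + ": no CERTIFICATE block")
}

// ScanMSP walks root (for example organizations/peerOrganizations/org1.com)
// and checks every .pem or .crt file; files holding no certificate, such as
// the keystore/ private keys, are skipped. Assumed layout, not Fabric's API.
func ScanMSP(root string, now time.Time) ([]CertStatus, error) {
	var out []CertStatus
	err := filepath.WalkDir(root, func(p string, d os.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		if ext := filepath.Ext(p); ext != ".pem" && ext != ".crt" {
			return nil
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		st, err := CheckPEM(p, data, now)
		if err != nil {
			return nil // not a certificate: skip
		}
		out = append(out, st)
		return nil
	})
	return out, err
}

// selfSignedPEM mints a constructed, self-signed certificate so the tool can
// be exercised without a Fabric CA; it is not how Fabric CA issues certs.
func selfSignedPEM(cn string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	var certs []CertStatus
	if len(os.Args) > 1 {
		var err error
		if certs, err = ScanMSP(os.Args[1], now); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	} else {
		// No path given: check one expired and one valid constructed cert.
		expired := selfSignedPEM("peer0", now.Add(-48*time.Hour), now.Add(-24*time.Hour))
		valid := selfSignedPEM("tlsca.org1.com", now.Add(-time.Hour), now.Add(30*24*time.Hour))
		a, _ := CheckPEM("signcerts/cert.pem", expired, now)
		b, _ := CheckPEM("tlscacerts/tlsca.org1.com-cert.pem", valid, now)
		certs = []CertStatus{a, b}
	}
	exit := 0
	for _, c := range certs {
		state := "ok"
		if c.Expired {
			state = "EXPIRED"
			exit = 1
		}
		fmt.Printf("%-7s %5dd  %-40s  %s\n", state, c.DaysLeft, c.Path, c.Subject)
	}
	os.Exit(exit)
}
```

Run it as `go run main.go organizations/peerOrganizations/org1.com` against a real tree; it exits non-zero when anything has lapsed, which makes it usable as a pre-flight check in a cron job or a CI step. A negative `DaysLeft` on a `tlscacerts/` or `tlsca/` entry explains the `x509: certificate has expired or is not yet valid` seen on the reenroll POST above: the client cannot even establish TLS to the CA, so the CA's own TLS certificate has to be renewed before any identity can be reenrolled through it.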

@subhasisbanik I got a similar issue as you faced -- fabric-ca-client reenroll --mspdir "/etc/hyperledger/fabric-ca-server/msp/" --tls.certfiles "/etc/hyperledger/fabric-ca-server/tls-cert.pem" --csr.keyrequest.reusekey
2023/12/04 12:39:28 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-client-config.yaml
2023/12/04 12:39:28 [INFO] TLS Enabled
2023/12/04 12:39:29 [INFO] TLS Enabled
2023/12/04 12:39:29 [INFO] encoded CSR
Error: Failed to reenroll 'fabric_admin': POST failure of request: POST https://emsd-ca-service:7054/reenroll
{"hosts":["start-emsd-ca-client-mlmw7"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBVjCB/gIBADBkMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxFTATBgNV\nBAMMDGZhYnJpY19hZG1pbjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL4K56Ly\nEdz5piVDdiAjnnT84SUTXbnrqVFl0RNgX8dJCY2OnlruAhOBL3uKLpzeX/CPDRdf\nZsUmsoFeIetlNxSgODA2BgkqhkiG9w0BCQ4xKTAnMCUGA1UdEQQeMByCGnN0YXJ0\nLWVtc2QtY2EtY2xpZW50LW1sbXc3MAoGCCqGSM49BAMCA0cAMEQCIGzZVLUZg7D8\ne2jCJkrui5Sp08zgQHaSWG6r8yNp+RQ1AiAX8uQP4hRP9c198sjTWCkjVLUNVOS1\nXVsa3xFTHbOZIA==\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","ReturnPrecert":false,"CAName":""}: Post "https://emsd-ca-service:7054/reenroll": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2023-12-04T12:39:29+08:00 is after 2023-11-29T09:09:00Z --- Can you share your method to help?

Hey @elohffa, I think you are pointing to the wrong certs.
I have written a whole article on how to renew the certificates.

Please have a look:
https://subhasisbanik.medium.com/renew-hyperledger-fabric-peer-certificates-f7c09221a6ce