The CSR subject common name must equal the enrollment ID

Question

The CSR subject common name must equal the enrollment ID

HugoPu opened this issue 8 years ago · 4 comments

Environment

Centos 7.2
Fabric 1.0 (Followed the steps in https://github.com/yeasy/docker-compose-files/tree/master/hyperledger/1.0)

How to repeat the problem?

I built the cluster, as mentioned above, then I try to use fabric-sdk-py to connect to CA and enroll user.
The follow is my code.

import os

from hfc.api.ca.caservice import CAClient

with open(os.path.join(os.path.dirname(__file__),
                       "fixtures/ca/enroll-csr.pem")) as f:
    test_pem = f.read()

ENROLLMENT_ID = "admin"
ENROLLMENT_SECRET = "adminpw"

ca_client = CAClient("http://192.168.53.20:7054")
print(ca_client.get_cainfo())
ca_client.enroll(ENROLLMENT_ID,ENROLLMENT_SECRET,test_pem)

print(ca_client.get_cainfo()) works well,
but ca_client.enroll(ENROLLMENT_ID,ENROLLMENT_SECRET,test_pem) returned error Enrollment failed with errors [{u'message': u'The CSR subject common name must equal the enrollment ID', u'code': 0}] , I checked the log in docker, it recorded the same error. How can I get the correct CSR file? Did I use the sdk in the wrong way?

Answer 1 · 2017-06-21T12:55:09.000Z

can u report this problem to the fabric-sdk-py project?

https://jira.hyperledger.org/browse/FAB-4623?jql=project%20%3D%20FAB%20AND%20status%20in%20(%22In%20Progress%22%2C%20%22To%20Do%22)%20AND%20component%20%3D%20fabric-sdk-py

Thanks!

Answer 2 · 2017-06-22T01:39:12.000Z

Sure. But where do you want me to report it, fabric-sdk-py on github or https://jira.hyperledger.org? If it is https://jira.hyperledger.org, how can I get an account to create an issue? Since when I tried to create a new issue, I got the following message.

You are not authorized to perform this operation. Please log in.
Close this dialog and press refresh in your browser

Not a member? To request an account, please contact your JIRA administrators.

Answer 3 · 2017-06-22T09:09:47.000Z

Accroding to this website, sdk and fabric-client communicate with fabric-server through rest api, the param test_tem should be A PEM-encoded string containing the CSR (Certificate Signing Request) based on PKCS #10. Is it means that I need to register a new identity with fabric-client manually, then use this identity's private key to pem-encoded CSR, like the following string:

csr:
  cn: admin2
  names:
    - C: US
      ST: "North Carolina"
      L:
      O: Hyperledger
      OU: Fabric
  hosts:
   - hostname
  ca:
    pathlen:
    pathlenzero:
    expiry:

then use the new pem file to replace the old one?

Answer 4 · 2017-06-23T07:40:59.000Z

After reading the source code of fabric-sdk-java's unit test, it looks like fabric-sdk-python hasn't been finished yet. Generating key pair and pem are missing. Will use fabric-sdk-java instead.