SSL Handshake failure after ClientHello - ssl

I am using OpenJDK version 11.28 at the client side. While calling a web service deployed over HTTPS, I am getting a handshake failure. The Nmap command for the web service provides the result below:
I have enabled ssl,handshake logging in my Java, which is producing the logs below:
15:02:04,638 ERROR javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: secp256r1
15:02:04,638 ERROR javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: secp384r1
15:02:04,639 ERROR javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: secp521r1
15:02:04,639 ERROR javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: sect283k1
15:02:04,640 ERROR javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: sect283r1
15:02:04,640 ERROR javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: sect409k1
15:02:04,641 ERROR javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: sect409r1
15:02:04,641 ERROR javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: secp256k1
15:02:04,648 ERROR javax.net.ssl|WARNING|D2|SignatureScheme.java:282|Signature algorithm, ed25519, is not supported by the underlying providers
15:02:04,648 ERROR javax.net.ssl|WARNING|D2|SignatureScheme.java:282|Signature algorithm, ed448, is not supported by the underlying providers
15:02:04,663 ERROR javax.net.ssl|INFO|D2|AlpnExtension.java:161|No available application protocols
15:02:04,664 ERROR javax.net.ssl|DEBUG|D2|SSLExtensions.java:235|Ignore, context unavailable extension: application_layer_protocol_negotiation
15:02:04,666 ERROR javax.net.ssl|DEBUG|D2|SSLExtensions.java:235|Ignore, context unavailable extension: renegotiation_info
15:02:04,668 ERROR javax.net.ssl|DEBUG|D2|ClientHello.java:633|Produced ClientHello handshake message (
15:02:04,668 ERROR "ClientHello": {
15:02:04,668 ERROR "client version" : "TLSv1.2",
15:02:04,669 ERROR "random" : "EE F5 C2 80 02 39 44 E5 C4 0E 65 EC 49 FF D0 38 A1 C7 2F 80 EA 5A F5 43 DC A1 4E C3 CB 42 7E 81",
15:02:04,669 ERROR "session id" : "",
15:02:04,669 ERROR "cipher suites" : "[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
15:02:04,669 ERROR "compression methods" : "00",
15:02:04,669 ERROR "extensions" : [
15:02:04,670 ERROR "server_name (0)": {
15:02:04,670 ERROR type=host_name (0), value=mydomain.com
15:02:04,670 ERROR },
15:02:04,670 ERROR "status_request (5)": {
15:02:04,670 ERROR "certificate status type": ocsp
15:02:04,671 ERROR "OCSP status request": {
15:02:04,671 ERROR "responder_id": <empty>
15:02:04,671 ERROR "request extensions": {
15:02:04,671 ERROR <empty>
15:02:04,671 ERROR }
15:02:04,672 ERROR }
15:02:04,672 ERROR },
15:02:04,672 ERROR "supported_groups (10)": {
15:02:04,672 ERROR "versions": [sect571k1, sect571r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
15:02:04,672 ERROR },
15:02:04,673 ERROR "ec_point_formats (11)": {
15:02:04,673 ERROR "formats": [uncompressed]
15:02:04,673 ERROR },
15:02:04,673 ERROR "signature_algorithms (13)": {
15:02:04,673 ERROR "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
15:02:04,674 ERROR },
15:02:04,674 ERROR "signature_algorithms_cert (50)": {
15:02:04,674 ERROR "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
15:02:04,674 ERROR },
15:02:04,674 ERROR "status_request_v2 (17)": {
15:02:04,675 ERROR "cert status request": {
15:02:04,675 ERROR "certificate status type": ocsp_multi
15:02:04,675 ERROR "OCSP status request": {
15:02:04,675 ERROR "responder_id": <empty>
15:02:04,675 ERROR "request extensions": {
15:02:04,676 ERROR <empty>
15:02:04,676 ERROR }
15:02:04,676 ERROR }
15:02:04,676 ERROR }
15:02:04,677 ERROR },
15:02:04,677 ERROR "extended_master_secret (23)": {
15:02:04,677 ERROR <empty>
15:02:04,677 ERROR },
15:02:04,677 ERROR "supported_versions (43)": {
15:02:04,678 ERROR "versions": [TLSv1.2]
15:02:04,678 ERROR }
15:02:04,678 ERROR ]
15:02:04,678 ERROR }
15:02:04,678 ERROR )
15:02:04,693 ERROR javax.net.ssl|DEBUG|D2|2020-05-16 15:02:04.692|Alert.java:232|Received alert message (
15:02:04,693 ERROR "Alert": {
15:02:04,693 ERROR "level" : "fatal",
15:02:04,693 ERROR "description": "handshake_failure"
15:02:04,693 ERROR }
15:02:04,694 ERROR )
15:02:04,696 ERROR javax.net.ssl|ERROR|D2|2020-05-16 15:02:04.695| : Received fatal alert: handshake_failure (
15:02:04,696 ERROR "throwable" : {
15:02:04,696 ERROR javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
15:02:04,696 ERROR at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
I am unable to find out the reason behind the handshake failure. Please help me identify where things have gone wrong during the handshake. Thank you.

This seems to be a cipher suite conflict at the web service end. It does not support the ciphers which are enabled at the client side. Kindly capture the packets using Wireshark to get a clear picture.

Later in our analysis, we found that the issue was the OpenJDK version we were using. There were no common security groups between the client and server, although there were matching cipher suites.
The link below provides information about the same thing.
https://bugs.openjdk.java.net/browse/JDK-8208698
The bug was fixed in version 12 and marked "jdk11u-critical-yes". Therefore we simply updated our JDK and the issue got resolved.
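As an added example (not code from the original post or from the JDK), the script below pulls out of the javax.net.ssl debug log the named groups the JSSE client dropped as "inactive or disabled" and the ones it actually put into the ClientHello supported_groups extension, then intersects each with the groups the server accepts; an empty intersection on the offered list plus a non-empty one on the dropped list is exactly the "matching cipher suites but no common group" situation the answer describes. The log excerpt is constructed from the question's output, and the server-side group list is an assumption standing in for the nmap result that is not on the page.

```python
import re

# Constructed excerpt modelled on the javax.net.ssl debug output in the question.
JAVA_LOG = """\
15:02:04,638 ERROR javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: secp256r1
15:02:04,638 ERROR javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: secp384r1
15:02:04,639 ERROR javax.net.ssl|DEBUG|D2|SupportedGroupsExtension.java:831|Ignore inactive or disabled named group: secp521r1
15:02:04,668 ERROR javax.net.ssl|DEBUG|D2|ClientHello.java:633|Produced ClientHello handshake message (
15:02:04,672 ERROR "supported_groups (10)": {
15:02:04,672 ERROR "versions": [sect571k1, sect571r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
15:02:04,672 ERROR },
15:02:04,693 ERROR "description": "handshake_failure"
"""

# Assumption: an ECDHE-only server accepting the usual OpenSSL default curves.
# This stands in for the nmap ssl-enum-ciphers output the post did not include.
SERVER_GROUPS = {"x25519", "secp256r1", "secp384r1", "secp521r1"}

DISABLED_RE = re.compile(r"Ignore inactive or disabled named group: (\S+)")
OFFERED_RE = re.compile(r'"supported_groups \(10\)".*?"versions": \[([^\]]*)\]', re.S)
ALERT_RE = re.compile(r'"description": "([a-z_]+)"')


def parse_client_log(log):
    """Return (offered, disabled, alert) as seen in a JSSE debug log."""
    disabled = DISABLED_RE.findall(log)
    m = OFFERED_RE.search(log)
    offered = [g.strip() for g in m.group(1).split(",")] if m else []
    a = ALERT_RE.search(log)
    return offered, disabled, (a.group(1) if a else None)


def diagnose(offered, disabled, server_groups):
    """Return (common, recoverable, verdict).

    common      - groups both sides support: ECDHE/DHE key exchange can succeed.
    recoverable - groups the server accepts that the client dropped as disabled;
                  non-empty means the client build, not the server, is the blocker.
    """
    common = [g for g in offered if g in server_groups]
    recoverable = [g for g in disabled if g in server_groups]
    if common:
        verdict = "ok: can agree on " + ", ".join(common)
    elif recoverable:
        verdict = ("handshake_failure: no common group; client dropped "
                   + ", ".join(recoverable) + " which the server accepts")
    else:
        verdict = "handshake_failure: no common group on either side's list"
    return common, recoverable, verdict


def run(log=JAVA_LOG, server_groups=SERVER_GROUPS):
    """Parse the log and diagnose it against the server's group list."""
    offered, disabled, alert = parse_client_log(log)
    common, recoverable, verdict = diagnose(offered, disabled, server_groups)
    return {"offered": offered, "disabled": disabled, "alert": alert,
            "common": common, "recoverable": recoverable, "verdict": verdict}


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key:12}: {value}")
```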

Related

Got the Error "SSL Error: Certificate Authority is not trusted"

I have the identity server authorization endpoint below for getting an access token. It is hosted in a virtual machine (accessible only on the intranet).
https://productdev.co:30200/user/connect/authorize?client_id=<client_id>&redirect_uri=https://productdev.co:30200/apm/ui/signin-callback.html&response_type=token&scope=customscope
I got the error below when accessing it using "Expo Go" inside the Android Simulator, after including the above URL in react-native-web-view (version: ^11.2.3).
But I do not get this error when accessing it through the browser inside the Android Simulator.
Encountered an error loading page, Object {
"canGoBack": false,
"canGoForward": false,
"code": 3,
"description": "SSL error: The certificate authority is not trusted",
"loading": false,
"target": 3,
"title": "",
"url": "https://productdev.co:30200/user/connect/authorize?client_id=<client_id>&redirect_uri=https://productdev.co:30200/apm/ui/signin-callback.html&response_type=token&scope=customscope" ,
}

How do you connect to a external deployed Hyperledger Fabric network?

I downloaded, installed and started the fabcar example on a VM on Azure. Following the tutorial, enrollAdmin, registerUser and invoke work when I execute them on the VM itself.
However, when I try to execute invoke on my local machine (I copied the generated connection profile and replaced localhost with the VM's domain) and try to connect to the network, I get the error:
2020-02-05T13:45:37.287Z - error: [Remote.js]: Error: Failed to connect before the deadline URL:grpcs://peer1.org2.example.com:10051 timeout:3000
2020-02-05T13:45:37.291Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G1:1 - endorsement failed - Error: Failed to connect before the deadline URL:grpcs://peer1.org2.example.com:10051 timeout:3000
2020-02-05T13:45:37.301Z - error: [Remote.js]: Error: Failed to connect before the deadline URL:grpcs://peer0.org1.example.com:7051 timeout:3000
2020-02-05T13:45:37.305Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G0:0 - endorsement failed - Error: Failed to connect before the deadline URL:grpcs://peer0.org1.example.com:7051 timeout:3000
2020-02-05T13:45:40.301Z - error: [Remote.js]: Error: Failed to connect before the deadline URL:grpcs://peer0.org2.example.com:9051 timeout:3000
2020-02-05T13:45:40.304Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G1:1 - endorsement failed - Error: Failed to connect before the deadline URL:grpcs://peer0.org2.example.com:9051 timeout:3000
2020-02-05T13:45:40.338Z - error: [Remote.js]: Error: Failed to connect before the deadline URL:grpcs://peer1.org1.example.com:8051 timeout:3000
2020-02-05T13:45:40.341Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G0:0 - endorsement failed - Error: Failed to connect before the deadline URL:grpcs://peer1.org1.example.com:8051 timeout:3000
2020-02-05T13:45:40.368Z - error: [DiscoveryEndorsementHandler]: _endorse - endorsement failed::Error: Endorsement has failed
And the log on peer0.org1 is:
2020-02-05 13:45:40.389 UTC [grpc] warningf -> DEBU 0f0 transport: http2Server.HandleStreams failed to read frame: read tcp 172.25.0.13:7051->88.217.234.75:62583: read: connection reset by peer
2020-02-05 13:45:40.390 UTC [grpc] infof -> DEBU 0f1 transport: loopyWriter.run returning. connection error: desc = "transport is closing"
I made sure that all the ports are open (configured in Azure) and disabled ufw.
So what am I missing? Is there any tutorial on how to set up a production network which does not rely on the examples? Those always rely on the fact that everything happens locally or in the Docker network.
[edit]
Connection profile:
{
  "name": "first-network-org1",
  "version": "1.0.0",
  "client": {
    "organization": "Org1",
    "connection": {
      "timeout": {
        "peer": {
          "endorser": "3000"
        }
      }
    }
  },
  "organizations": {
    "Org1": {
      "mspid": "Org1MSP",
      "peers": [
        "peer0.org1.example.com",
        "peer1.org1.example.com"
      ],
      "certificateAuthorities": [
        "ca.org1.example.com"
      ]
    }
  },
  "peers": {
    "peer0.org1.example.com": {
      "url": "grpc://host.westeurope.cloudapp.azure.com:7051",
      "grpcOptions": {
        "hostnameOverride": "peer0.org1.example.com",
        "request-timeout": 120001
      }
    },
    "peer1.org1.example.com": {
      "url": "grpc://host.westeurope.cloudapp.azure.com:8051",
      "grpcOptions": {
        "hostnameOverride": "peer1.org1.example.com",
        "request-timeout": 120001
      }
    }
  },
  "certificateAuthorities": {
    "ca.org1.example.com": {
      "url": "http://host.westeurope.cloudapp.azure.com:7054",
      "caName": "ca-org1",
      "tlsCACerts": {
        "pem": "-----BEGIN CERTIFICATE-----\nMIICUDCCAfegAwIBAgIQK3F95KrKLaFAQc2FxbmA/DAKBggqhkjOPQQDAjBzMQsw\nCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy\nYW5jaXNjbzEZMBcGA1UEChMQb3JnMS5leGFtcGxlLmNvbTEcMBoGA1UEAxMTY2Eu\nb3JnMS5leGFtcGxlLmNvbTAeFw0yMDAyMDcwOTM0MDBaFw0zMDAyMDQwOTM0MDBa\nMHMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBvcmcxLmV4YW1wbGUuY29tMRwwGgYDVQQD\nExNjYS5vcmcxLmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nj9KqxqKh7hIjDJJcV1qqBPj3KRXJjW6tAcIw/5gNwCcIqe2PyAQdPZsAJdOmFca5\nrtYcjrUgh9lAdLDKY0/qh6NtMGswDgYDVR0PAQH/BAQDAgGmMB0GA1UdJQQWMBQG\nCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdDgQiBCAA\nsJtyWNpuNWlzwdO6dPm4NcjY0vLK1+bNZ/1DmVA0+zAKBggqhkjOPQQDAgNHADBE\nAiAUm1qU7haU9mvHUL7XjyTrQGBgA4fXVuSFvAPAQUlX0QIgPQMvlC3DpW10Xwl0\nCZahvAgVnx4PjbPU4gxr9sRyDUE=\n-----END CERTIFICATE-----\n"
      },
      "httpOptions": {
        "verify": false
      }
    }
  }
}
The docker-compose files are from the sample which you can find here
Connection profile for the Java client:
---
name: first-network-org1
version: 1.0.0
client:
  organization: Org1
  connection:
    timeout:
      peer:
        endorser: '300'
organizations:
  Org1:
    mspid: Org1MSP
    peers:
      - peer0.org1.example.com
      - peer1.org1.example.com
    certificateAuthorities:
      - ca.org1.example.com
peers:
  peer0.org1.example.com:
    url: grpc://host.westeurope.cloudapp.azure.com:7051
    grpcOptions:
      hostnameOverride: peer0.org1.example.com
  peer1.org1.example.com:
    url: grpc://host.westeurope.cloudapp.azure.com:8051
    grpcOptions:
      hostnameOverride: peer1.org1.example.com
certificateAuthorities:
  ca.org1.example.com:
    url: http://host.westeurope.cloudapp.azure.com:7054
    caName: ca-org1
    tlsCACerts:
      pem: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
    httpOptions:
      verify: false
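As an added example (not code from the post or from Hyperledger Fabric), the checker below reads a fabric-sdk-node connection profile like the one above and reports where TLS is used inconsistently: plaintext grpc:// peer URLs (which a TLS-enabled peer cannot complete a handshake over), a hostnameOverride that has no effect without TLS, a grpcs:// peer with no tlsCACerts to verify against, a plain-HTTP CA URL, and httpOptions.verify set to false. The two profiles embedded in it are constructed subsets of the poster's, with host.example.invalid as a placeholder host and a placeholder PEM body.

```python
import json
from urllib.parse import urlsplit

# Constructed subset of the posted profile (placeholder host and PEM body).
PROFILE_JSON = """
{
  "name": "first-network-org1",
  "peers": {
    "peer0.org1.example.com": {
      "url": "grpc://host.example.invalid:7051",
      "grpcOptions": {"hostnameOverride": "peer0.org1.example.com"}
    }
  },
  "certificateAuthorities": {
    "ca.org1.example.com": {
      "url": "http://host.example.invalid:7054",
      "caName": "ca-org1",
      "tlsCACerts": {"pem": "-----BEGIN CERTIFICATE-----\\nPLACEHOLDER\\n-----END CERTIFICATE-----\\n"},
      "httpOptions": {"verify": false}
    }
  }
}
"""

# The same profile with TLS applied consistently, for comparison.
FIXED_PROFILE_JSON = """
{
  "name": "first-network-org1",
  "peers": {
    "peer0.org1.example.com": {
      "url": "grpcs://host.example.invalid:7051",
      "grpcOptions": {"hostnameOverride": "peer0.org1.example.com"},
      "tlsCACerts": {"pem": "-----BEGIN CERTIFICATE-----\\nPLACEHOLDER\\n-----END CERTIFICATE-----\\n"}
    }
  },
  "certificateAuthorities": {
    "ca.org1.example.com": {
      "url": "https://host.example.invalid:7054",
      "caName": "ca-org1",
      "tlsCACerts": {"pem": "-----BEGIN CERTIFICATE-----\\nPLACEHOLDER\\n-----END CERTIFICATE-----\\n"},
      "httpOptions": {"verify": true}
    }
  }
}
"""


def _has_tls_ca(node):
    """True when the node carries a TLS CA either inline (pem) or by path."""
    tls = node.get("tlsCACerts") or {}
    return bool(tls.get("pem") or tls.get("path"))


def check_profile(profile):
    """Return (node, code, message) findings about TLS use in a connection profile."""
    findings = []
    for name, peer in profile.get("peers", {}).items():
        scheme = urlsplit(peer.get("url", "")).scheme
        if scheme == "grpc":
            findings.append((name, "PLAINTEXT_GRPC",
                             "grpc:// is plaintext; a TLS-enabled peer cannot complete the handshake"))
            if "hostnameOverride" in peer.get("grpcOptions", {}):
                findings.append((name, "OVERRIDE_WITHOUT_TLS",
                                 "hostnameOverride only affects TLS certificate checks; it does nothing over grpc://"))
        elif scheme == "grpcs" and not _has_tls_ca(peer):
            findings.append((name, "NO_TLS_CA",
                             "grpcs:// without tlsCACerts: the peer certificate cannot be verified"))
    for name, ca in profile.get("certificateAuthorities", {}).items():
        if urlsplit(ca.get("url", "")).scheme == "http":
            findings.append((name, "PLAINTEXT_CA",
                             "enrollment secrets would travel over plain HTTP"))
        if ca.get("httpOptions", {}).get("verify") is False:
            findings.append((name, "CA_VERIFY_DISABLED",
                             "httpOptions.verify=false turns off certificate verification for the CA"))
    return findings


def check_profile_text(text):
    """Parse a JSON connection profile and run the checks on it."""
    return check_profile(json.loads(text))


if __name__ == "__main__":
    for node, code, message in check_profile_text(PROFILE_JSON):
        print(f"{node}: {code}: {message}")
```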

nextcloud onlyoffice integration Document Server [GetConvertedUri on check error, Error while downloading the document file to be converted]

Versions: Nextcloud v15, ONLYOFFICE Document Server v5.2, ONLYOFFICE connector 2.4; the servers are running on CentOS 7.
It works correctly without HTTPS.
Now I have the following error when integrating Document Server with Nextcloud over HTTPS, in the Nextcloud logs:
app "onlyoffice" Message "GetConvertedUri on check error: An error occurred in the document service: Error while downloading the document file to be converted." with
app "onlyoffice" Message "Download empty without jwt"
Nextcloud and ONLYOFFICE Document Server are configured with the same wildcard certificate, and browsers accept it correctly.
ONLYOFFICE Document Server logs:
[2019-07-29T13:26:40.160] [ERROR] nodeJS - error downloadFile:url=https://mydomain/index.php/apps/onlyoffice/empty?doc=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhY3Rpb24iOiJlbXB0eSJ9.k09JPfgibOWBTZGmYfPU47O8HeUGh6Q_FHuUQYJRGY4 ;attempt=3;code:null;connect:null;(id=conv_check_908902956_docx)
Error: Error response: statusCode:403 ;body:
{"message":"Access denied"}
at Request._callback (/var/www/onlyoffice/documentserver/server/Common/sources/utils.js:250:18)
at Request.self.callback (/var/www/onlyoffice/documentserver/server/Common/node_modules/request/request.js:185:22
at emitTwo (events.js:126:13)
at Request.emit (events.js:214:7)
at Request.<anonymous> (/var/www/onlyoffice/documentserver/server/Common/node_modules/request/request.js:1161:10)
at emitOne (events.js:116:13)
at Request.emit (events.js:211:7)
at IncomingMessage.<anonymous> (/var/www/onlyoffice/documentserver/server/Common/node_modules/request/request.js:1083:12)
at Object.onceWrapper (events.js:313:30)
at emitNone (events.js:111:20)
at IncomingMessage.emit (events.js:208:7)
at endReadableNT (_stream_readable.js:1064:12)
at _combinedTickCallback (internal/process/next_tick.js:139:11)
at process._tickCallback (internal/process/next_tick.js:181:9)
The document server works correctly without token authentication over HTTP, but if I change the configuration to use a token it does not work.
I have tried the following configuration...
Lines added to the Nextcloud config.php:
'onlyoffice' =>
array (
  'jwt_secret' => 'mysecret',
  'jwt_header' => 'test',
),
Lines added to the ONLYOFFICE Document Server local.json:
"token": {
  "enable": {
    "request": {
      "inbox": true,
      "outbox": true
    },
    "browser": true
  },
  "inbox": {
    "header": "test"
  },
  "outbox": {
    "header": "test"
  }
},
"secret": {
  "inbox": {
    "string": "mysecret"
  },
  "outbox": {
    "string": "mysecret"
  },
  "session": {
    "string": "mysecret"
  }
}
Thanks for any help.
DocumentServer v5.2
We would recommend using the latest version of the DocumentServer (5.3.4.3).
Please try using the default configuration of the DocumentServer without changing the header when enabling JWT.
You only need to specify the address of the DocumentServer and a secret in the NC admin panel (Settings -> Administration -> ONLYOFFICE).
Please do not forget to restart the DocumentServer services after editing the local.json file:
supervisorctl restart all
Thanks ibnpetr, what you say is true; the config.php doesn't need any additional configuration for SSL.
Now it works!
The problem is that the intermediate organization that issues the certificate is not automatically recognized in the operating system, as it is in Chrome or Mozilla, which validate it; in this case you need to add the entity's certificate to its list to validate it. If you do not have it, check with the wget command against the https:// URL; if there is an error you have to do it manually as I said before.
Thanks

SSL Error: Handshake failed with fatal error - Querying fabric-sdk-rest server on a Fabric Network with TLS enabled

I started a multi-host Fabric network using Docker Swarm, made up of 1 CA server, 1 orderer, 2 peers (both in Org1, one on PC1 and one on PC2) and 2 CouchDB instances (one for each peer), with fabric-sdk-rest running on PC2.
Now if I disable TLS in the Fabric network, everything works fine. But if I enable TLS in the network, the SDK cannot connect to the peers and fails to query.
Here I show the configuration of the network and of fabric-sdk-rest:
(crypto-config.yaml)
OrdererOrgs:
  - Name: Orderer
    Domain: example.com
    Specs:
      - Hostname: orderer
PeerOrgs:
  - Name: Org1
    Domain: org1.example.com
    Template:
      Count: 2
    Users:
      Count: 0
(datasources.json)
{
  "db": {
    "name": "db",
    "connector": "memory"
  },
  "fabricDataSource": {
    "name": "fabricDataSource",
    "connector": "fabric",
    "keyStoreFile": "/tmp/fabricSDKStore",
    "fabricUser": {
      "username": "Admin#org1.example.com",
      "mspid": "Org1MSP",
      "cryptoContent": {
        "privateKey":"$HOME/mynetwork/crypto-config/peerOrganizations/org1.example.com/users/Admin#org1.example.com/msp/keystore/KEY_sk",
        "signedCert":"$HOME/mynetwork/crypto-config/peerOrganizations/org1.example.com/users/Admin#org1.example.com/msp/signcerts/Admin#org1.example.com-cert.pem"
      }
    },
    "COMMENT_orgs":"Referenced by peers to avoid having to configure the same file location multiple times. Change CACertFile locations for your fabric",
    "orgs": [
      { "name":"org1", "CACertFile":"$HOME/mynetwork/crypto-config/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem"}
    ],
    "COMMENT_peers" : "Configured array is for use with the fabric-sample when running it in a local docker set up. eventURL and publicCertFile not currently used.",
    "peers": [
      { "requestURL":"grpcs://peer1.org1.example.com:7051", "eventURL":"grpcs://peer1.org1.example.com:7053", "orgIndex":"0", "publicCertFile":"$HOME/mynetwork/crypto-config/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/msp/signcerts/peer1.org1.example.com-cert.pem", "hostname":"peer1" }
    ],
    "COMMENT_peers_secure" : "UNUSED. This is a copy of the above with grpcs URLs. Replace peers content with this if grpcs urls are needed.",
    "peers-secure": [
      { "requestURL":"grpcs://peer1.org1.example.com:7051", "eventURL":"grpcs://peer1.org1.example.com:7053", "orgIndex":"0", "publicCertFile":"$HOME/mynetwork/crypto-config/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/msp/signcerts/peer1.org1.example.com-cert.pem", "hostname":"peer1" }
    ],
    "orderers": [
      { "url":"grpcs://orderer.example.com:7050", "CACertFile":"$HOME/mynetwork/crypto-config/ordererOrganizations/example.com/ca/ca.example.com-cert.pem", "publicCertFile": "$HOME/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp/signcerts/orderer.example.com-cert.pem", "hostname":"orderer"}
    ],
    "COMMENT_orderers_secure" : "UNUSED. This is a copy of the above with grpcs URLs. Replace orderers content with this if grpcs urls are needed.",
    "orderers-secure": [
      { "url":"grpcs://orderer.example.com:7050", "CACertFile":"$HOME/mynetwork/crypto-config/ordererOrganizations/example.com/ca/ca.example.com-cert.pem", "publicCertFile": "$HOME/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp/signcerts/orderer.example.com-cert.pem", "hostname":"orderer"}
    ],
    "COMMENT_channels":"fabric-sdk-node Client class requires channel information to be configured during bootstrap.",
    "channels": [
      { "name":"mychannel", "peersIndex":[0], "orderersIndex":[0] }
    ],
    "channels-first-network": [
      { "name":"mychannel", "peersIndex":[0,1,2,3], "orderersIndex":[0] }
    ]
  }
}
Once the Hyperledger Fabric SDK REST server is started at https://0.0.0.0:3000, when I try to make the GET channels query from the explorer, I get the following error:
error: [fabricconnector.js]: Failed to queryChannels: Error: 14 UNAVAILABLE: Connect Failed
Error not handled for the GET request /api/fabric/1_0/channels: Error: 14 UNAVAILABLE: Connect Failed
at Object.exports.createStatusError ($HOME/mynetwork/fabric-sdk-rest/packages/loopback-connector-fabric/node_modules/grpc/src/common.js:87:15)
at Object.onReceiveStatus ($HOME/mynetwork/fabric-sdk-rest/packages/loopback-connector-fabric/node_modules/grpc/src/client_interceptors.js:1214:28)
at InterceptingListener._callNext ($HOME/mynetwork/fabric-sdk-rest/packages/loopback-connector-fabric/node_modules/grpc/src/client_interceptors.js:590:42)
at InterceptingListener.onReceiveStatus ($HOME/mynetwork/fabric-sdk-rest/packages/loopback-connector-fabric/node_modules/grpc/src/client_interceptors.js:640:8)
at callback ($HOME/mynetwork/fabric-sdk-rest/packages/loopback-connector-fabric/node_modules/grpc/src/client_interceptors.js:867:24)
E0510 10:51:04.780559355 12247 ssl_transport_security.cc:989] Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.
Has anyone ever seen this error? Can anyone help me get through this, please?

Chaincode container can't connect to the local peer due to certificate signed by unknown authority

First of all I'd like to mention that my setup works like a charm when TLS is not enabled. It works even in Docker Swarm on AWS.
The problem starts when I enable TLS. When I deploy my .bna file via Composer, my newly created chaincode container produces the following logs:
2017-08-23 13:14:16.389 UTC [Composer] Info -> INFO 001 Setting the Composer pool size to 8
2017-08-23 13:14:16.402 UTC [shim] userChaincodeStreamGetter -> ERRO 002 Error trying to connect to local peer: x509: certificate signed by unknown authority
Error starting chaincode: Error trying to connect to local peer: x509: certificate signed by unknown authority
The funny thing is that this works when deploying the .bna via the Composer Playground (with TLS still enabled in my Fabric)...
Below is my connection profile:
{
  "name": "test",
  "description": "test",
  "type": "hlfv1",
  "orderers": [
    {
      "url": "grpcs://orderer.company.com:7050",
      "cert": "-----BEGIN CERTIFICATE-----blabla1\n-----END CERTIFICATE-----\n"
    }
  ],
  "channel": "channelname",
  "mspID": "CompanyMSP",
  "ca": {
    "url": "https://ca.company.com:7054",
    "name": "ca-company",
    "trustedRoots": [
      "-----BEGIN CERTIFICATE-----\nblabla2\n-----END CERTIFICATE-----\n"
    ],
    "verify": true
  },
  "peers": [
    {
      "requestURL": "grpcs://peer0.company.com:7051",
      "eventURL": "grpcs://peer0.company.com:7053",
      "cert": "-----BEGIN CERTIFICATE-----\nbalbla3\n-----END CERTIFICATE-----\n"
    }
  ],
  "keyValStore": "/home/composer/.composer-credentials",
  "timeout": 300
}
My certs have been generated by the cryptogen tool, hence:
orderers.0.cert contains the value of crypto-config/ordererOrganizations/company.com/orderers/orderer.company.com/msp/tlscacerts/tlsca.company.com-cert.pem
peers.0.cert contains the value of crypto-config/peerOrganizations/company.com/peers/peer0.company.com/msp/tlscacerts/tlsca.company.com-cert.pem
ca.trustedRoots.0 contains crypto-config/peerOrganizations/company.com/peers/peer0.company.com/tls/ca.crt
I've got the feeling that my trustedRoots certificate is wrong...
UPDATE
When I do docker inspect chaincode_container I can see that it is missing the ENV variable CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/peer.crt, while the chaincode container deployed via Playground does have it...
When the chaincode image is built, the TLS certificate that it uses to build the trusted roots is the rootcert from:
# TLS Settings
# Note that peer-chaincode connections through chaincodeListenAddress is
# not mutual TLS auth. See comments on chaincodeListenAddress for more info
tls:
  enabled: false
  cert:
    file: tls/server.crt
  key:
    file: tls/server.key
  rootcert:
    file: tls/ca.crt
The TLS certificate that the peer uses to run the gRPC service is the cert one.
By the way - You're using the release branch code, not the one in master - is that correct?