How does a client application connect to Hyperledger Fabric 2.2 on Amazon Managed Blockchain?
I followed the tutorial https://docs.aws.amazon.com/ja_jp/managed-blockchain/latest/hyperledger-fabric-dev/managed-blockchain-get-started-tutorial.html and completed Step 1 to Step 7, and successfully deployed the chaincode to the network.
Here is the query result:
```
$ peer lifecycle chaincode queryinstalled
Installed chaincodes on peer:
Package ID: abctest_1.0:957504a77be8fdbcaf6fac1707822f1620442d7a93f8c5d96f8b788ddda79022, Label: abctest_1.0
```
I used the fabric-ca-client tool to enroll the admin and got the admin_msp like this:
```
$ tree
.
├── admin-msp
│   ├── IssuerPublicKey
│   ├── IssuerRevocationPublicKey
│   ├── admincerts
│   │   └── cert.pem
│   ├── cacerts
│   │   └── ca-m-bz5qr6rhcveqxfjyjfrtaioe5e-n-j2ib55zmyree5fieloktt3ttim-managedblockchain-ap-northeast-1-amazonaws-com-30002.pem
│   ├── keystore
│   │   ├── 3e7e4b7f840f8a209b178afefb63e207f336cfd7101c612d8a8acefda8a59504_sk
│   │   ├── c8be8052c5888e713b82317296f0a636a07c6375fcb922cb06833f8ebffa6139_sk
│   │   └── e12f734b4044befcce7fae67c394fff9416123414814c3553dab1036b99361b9_sk
│   ├── signcerts
│   │   └── cert.pem
│   └── user
└── fabric-ca-client-config.yaml
```
I am trying to write a client application to connect to the network.
```typescript
import FabricCAServices from "fabric-ca-client";
import * as config from "./config";
import { Gateway, GatewayOptions, Wallets, Wallet } from "fabric-network";
import * as path from "path";

const createWallet = async (): Promise<Wallet> => {
  const walletPath = path.resolve(process.cwd(), "wallet");
  const wallet = await buildWallet(walletPath);
  return wallet;
};

// Use a file-system wallet when a path is given, otherwise an in-memory wallet.
const buildWallet = async (walletPath: string): Promise<Wallet> => {
  let wallet: Wallet;
  if (walletPath) {
    wallet = await Wallets.newFileSystemWallet(walletPath);
  } else {
    wallet = await Wallets.newInMemoryWallet();
  }
  return wallet;
};

const buildCAClient = (
  ccp: Record<string, any>,
  caHostName: string
): FabricCAServices => {
  // Create a new CA client for interacting with the CA.
  const caInfo = ccp.certificateAuthorities[caHostName]; // lookup CA details from config
  const caTLSCACerts = caInfo.tlsCACerts.pem;
  // verify: false turns off TLS certificate verification for the CA endpoint.
  const caClient = new FabricCAServices(
    caInfo.url,
    { trustedRoots: caTLSCACerts, verify: false },
    caInfo.caName
  );
  return caClient;
};

const enrollAdmin = async (
  caClient: FabricCAServices,
  wallet: Wallet,
  orgMspId: string
): Promise<void> => {
  try {
    // Check to see if we've already enrolled the admin user.
    const identity = await wallet.get(config.adminUserId);
    if (identity) {
      return;
    }
    // Enroll the admin user, and import the new identity into the wallet.
    const enrollment = await caClient.enroll({
      enrollmentID: config.adminUserId,
      enrollmentSecret: config.adminUserPasswd,
    });
    const x509Identity = {
      credentials: {
        certificate: enrollment.certificate,
        privateKey: enrollment.key.toBytes(),
      },
      mspId: orgMspId,
      type: "X.509",
    };
    await wallet.put(config.adminUserId, x509Identity);
    console.log(
      "Successfully enrolled admin user and imported it into the wallet"
    );
  } catch (error) {
    console.error(`Failed to enroll admin user : ${error}`);
  }
};

const createGateway = async (
  connectionProfile: Record<string, any>,
  identity: string,
  wallet: Wallet
): Promise<Gateway> => {
  const gateway = new Gateway();
  const options: GatewayOptions = {
    wallet,
    identity,
    discovery: { enabled: false, asLocalhost: true },
  };
  // Connecting opens the TLS channel to the peer listed in the connection profile.
  await gateway.connect(connectionProfile, options);
  return gateway;
};

async function main() {
  const wallet = await createWallet();
  const ccp = config.connectionProfile;
  const caClient = buildCAClient(ccp, config.caHostName); // ca.org.SDL.aws.com
  // The wallet identity's mspId must be the member's MSP ID (read here from the
  // connection profile), not the admin user ID.
  const orgMspId = ccp.organizations[ccp.client.organization].mspid;
  await enrollAdmin(caClient, wallet, orgMspId);
  const gatewayOrg1 = await createGateway(
    config.connectionProfile,
    config.adminUserId,
    wallet
  );
}

main().catch((error) => {
  console.error(`Client failed: ${error}`);
  process.exit(1);
});
```
Also, I used this template to generate the connect profile.
```json
{
  "name": "${NETWORKNAME}-${MEMBERNAME}",
  "version": "1.0.0",
  "client": {
    "organization": "${MEMBERNAME}",
    "connection": { "timeout": { "peer": { "endorser": "300" } } }
  },
  "organizations": {
    "${MEMBERNAME}": {
      "mspid": "${MEMBERID}",
      "peers": ["peer0.org.${MEMBERNAME}.aws.com"],
      "certificateAuthorities": ["ca.org.${MEMBERNAME}.aws.com"]
    }
  },
  "peers": {
    "peer0.org.${MEMBERNAME}.aws.com": {
      "url": "grpcs://${PEERSERVICEENDPOINT}",
      "tlsCACerts": { "pem": "${PEERPEM}" },
      "grpcOptions": {
        "ssl-target-name-override": "peer0.org.${MEMBERNAME}.aws.com",
        "hostnameOverride": "peer0.org.${MEMBERNAME}.aws.com"
      }
    }
  },
  "certificateAuthorities": {
    "ca.org.${MEMBERNAME}.aws.com": {
      "url": "https://${CASERVICEENDPOINT}",
      "caName": "${MEMBERID}",
      "tlsCACerts": { "pem": ["${CAPEM}"] },
      "httpOptions": { "verify": false }
    }
  }
}
```
The $PEERPEM = admin_msp/signcerts/cert.pem
and $CAPEM = admin_msp/signcerts/cert.pem
The final connect profile:
```json
{
  "name": "LocalCoinNetwork-SDL",
  "version": "1.0.0",
  "client": {
    "organization": "SDL",
    "connection": { "timeout": { "peer": { "endorser": "300" } } }
  },
  "organizations": {
    "SDL": {
      "mspid": "m-BZ5QR6RHCVEQXFJYJFRTAIOE5E",
      "peers": ["peer0.org.SDL.aws.com"],
      "certificateAuthorities": ["ca.org.SDL.aws.com"]
    }
  },
  "peers": {
    "peer0.org.SDL.aws.com": {
      "url": "grpcs://nd-wup4jgvqsvhwharbvdpg6yvr3y.m-bz5qr6rhcveqxfjyjfrtaioe5e.n-j2ib55zmyree5fieloktt3ttim.managedblockchain.ap-northeast-1.amazonaws.com:30003",
      "tlsCACerts": {
        "pem": "-----BEGIN CERTIFICATE-----\nMIIC8zCCApmgAwIBAgIUE37UHZ+ceYFu28QAwGXteREOfWEwCgYIKoZIzj0EAwIw\ngawxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdT\nZWF0dGxlMSIwIAYDVQQKExlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMSIwIAYD\nVQQLExlBbWF6b24gTWFuYWdlZCBCbG9ja2NoYWluMS4wLAYDVQQDEyVTREwgQW1h\nem9uIE1hbmFnZWQgQmxvY2tjaGFpbiBSb290IENBMB4XDTIzMDMyNzE2MzAwMFoX\nDTMzMDMyNDE2MzUwMFowaTELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENh\ncm9saW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdlcjEbMAoGA1UECxMDU0RMMA0GA1UE\nCxMGY2xpZW50MQ4wDAYDVQQDEwVhZG1pbjBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABOR5XwEVuPWPFm1v9sgEtFRs847Vj4ArM7olxLBNh32DUG/ZLYETec2WJwS9\nYIXYXw8ovl+GrGbpn4rFCSDDZyyjgdowgdcwDgYDVR0PAQH/BAQDAgeAMAwGA1Ud\nEwEB/wQCMAAwHQYDVR0OBBYEFFVmufxkUSshWeZKubaR99QdMu6hMB8GA1UdIwQY\nMBaAFIeBsKCQ8SWeJS6JPxVpSm5Zwg5ZMBoGA1UdEQQTMBGCD2lwLTEwLTAtMTY4\nLTI0NzBbBggqAwQFBgcIAQRPeyJhdHRycyI6eyJoZi5BZmZpbGlhdGlvbiI6IlNE\nTCIsImhmLkVucm9sbG1lbnRJRCI6ImFkbWluIiwiaGYuVHlwZSI6ImNsaWVudCJ9\nfTAKBggqhkjOPQQDAgNIADBFAiEAvf+z1GDS9roj1XcH4yMwyJKaYpxeQK/4YTul\nu7CVX2ECIFfQvMj5lBQZUH6/C1B0T1p+5IYtukpcKf9rS4n6k1hE\n-----END CERTIFICATE-----\n"
      },
      "grpcOptions": {
        "ssl-target-name-override": "peer0.org.SDL.aws.com",
        "hostnameOverride": "peer0.org.SDL.aws.com"
      }
    }
  },
  "certificateAuthorities": {
    "ca.org.SDL.aws.com": {
      "url": "https://ca.m-bz5qr6rhcveqxfjyjfrtaioe5e.n-j2ib55zmyree5fieloktt3ttim.managedblockchain.ap-northeast-1.amazonaws.com:30002",
      "caName": "m-BZ5QR6RHCVEQXFJYJFRTAIOE5E",
      "tlsCACerts": {
        "pem": [
          "-----BEGIN CERTIFICATE-----\nMIIC8zCCApmgAwIBAgIUE37UHZ+ceYFu28QAwGXteREOfWEwCgYIKoZIzj0EAwIw\ngawxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdT\nZWF0dGxlMSIwIAYDVQQKExlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMSIwIAYD\nVQQLExlBbWF6b24gTWFuYWdlZCBCbG9ja2NoYWluMS4wLAYDVQQDEyVTREwgQW1h\nem9uIE1hbmFnZWQgQmxvY2tjaGFpbiBSb290IENBMB4XDTIzMDMyNzE2MzAwMFoX\nDTMzMDMyNDE2MzUwMFowaTELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENh\ncm9saW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdlcjEbMAoGA1UECxMDU0RMMA0GA1UE\nCxMGY2xpZW50MQ4wDAYDVQQDEwVhZG1pbjBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABOR5XwEVuPWPFm1v9sgEtFRs847Vj4ArM7olxLBNh32DUG/ZLYETec2WJwS9\nYIXYXw8ovl+GrGbpn4rFCSDDZyyjgdowgdcwDgYDVR0PAQH/BAQDAgeAMAwGA1Ud\nEwEB/wQCMAAwHQYDVR0OBBYEFFVmufxkUSshWeZKubaR99QdMu6hMB8GA1UdIwQY\nMBaAFIeBsKCQ8SWeJS6JPxVpSm5Zwg5ZMBoGA1UdEQQTMBGCD2lwLTEwLTAtMTY4\nLTI0NzBbBggqAwQFBgcIAQRPeyJhdHRycyI6eyJoZi5BZmZpbGlhdGlvbiI6IlNE\nTCIsImhmLkVucm9sbG1lbnRJRCI6ImFkbWluIiwiaGYuVHlwZSI6ImNsaWVudCJ9\nfTAKBggqhkjOPQQDAgNIADBFAiEAvf+z1GDS9roj1XcH4yMwyJKaYpxeQK/4YTul\nu7CVX2ECIFfQvMj5lBQZUH6/C1B0T1p+5IYtukpcKf9rS4n6k1hE\n-----END CERTIFICATE-----\n"
        ]
      },
      "httpOptions": { "verify": false }
    }
  }
}
```
The client application running result:
```
D 2023-03-27T19:33:27.851Z | subchannel | (2) 10.0.138.232:30003 creating HTTP/2 session
D 2023-03-27T19:33:27.857Z | subchannel | (2) 10.0.138.232:30003 connection closed with error unable to verify the first certificate
D 2023-03-27T19:33:27.857Z | subchannel | (2) 10.0.138.232:30003 connection closed
D 2023-03-27T19:33:27.857Z | subchannel | (2) 10.0.138.232:30003 CONNECTING -> TRANSIENT_FAILURE
D 2023-03-27T19:33:27.858Z | pick_first | CONNECTING -> TRANSIENT_FAILURE
D 2023-03-27T19:33:27.858Z | resolving_load_balancer | dns:nd-wup4jgvqsvhwharbvdpg6yvr3y.m-bz5qr6rhcveqxfjyjfrtaioe5e.n-j2ib55zmyree5fieloktt3ttim.managedblockchain.ap-northeast-1.amazonaws.com:30003 CONNECTING -> TRANSIENT_FAILURE
D 2023-03-27T19:33:27.858Z | connectivity_state | (1) dns:nd-wup4jgvqsvhwharbvdpg6yvr3y.m-bz5qr6rhcveqxfjyjfrtaioe5e.n-j2ib55zmyree5fieloktt3ttim.managedblockchain.ap-northeast-1.amazonaws.com:30003 CONNECTING -> TRANSIENT_FAILURE
2023-03-27T19:33:29.830Z - error: [ServiceEndpoint]: Error: Failed to connect before the deadline on Endorser- name: peer0.org.SDL.aws.com, url:grpcs://nd-wup4jgvqsvhwharbvdpg6yvr3y.m-bz5qr6rhcveqxfjyjfrtaioe5e.n-j2ib55zmyree5fieloktt3ttim.managedblockchain.ap-northeast-1.amazonaws.com:30003, connected:false, connectAttempted:true
2023-03-27T19:33:29.831Z - error: [ServiceEndpoint]: waitForReady - Failed to connect to remote gRPC server peer0.org.SDL.aws.com url:grpcs://nd-wup4jgvqsvhwharbvdpg6yvr3y.m-bz5qr6rhcveqxfjyjfrtaioe5e.n-j2ib55zmyree5fieloktt3ttim.managedblockchain.ap-northeast-1.amazonaws.com:30003 timeout:3000
2023-03-27T19:33:29.832Z - info: [NetworkConfig]: buildPeer - Unable to connect to the endorser peer0.org.SDL.aws.com due to Error: Failed to connect before the deadline on Endorser- name: peer0.org.SDL.aws.com, url:grpcs://nd-wup4jgvqsvhwharbvdpg6yvr3y.m-bz5qr6rhcveqxfjyjfrtaioe5e.n-j2ib55zmyree5fieloktt3ttim.managedblockchain.ap-northeast-1.amazonaws.com:30003, connected:false, connectAttempted:true
    at checkState (/home/ubuntu/AMBS/cli-typescript/node_modules/@grpc/grpc-js/build/src/client.js:77:26)
    at Timeout._onTimeout (/home/ubuntu/AMBS/cli-typescript/node_modules/@grpc/grpc-js/build/src/channel.js:525:17)
    at listOnTimeout (node:internal/timers:559:17)
    at processTimers (node:internal/timers:502:7) {
  connectFailed: true
}
D 2023-03-27T19:33:31.029Z | subchannel | (2) 10.0.138.232:30003 TRANSIENT_FAILURE -> CONNECTING
D 2023-03-27T19:33:31.030Z | pick_first | TRANSIENT_FAILURE -> CONNECTING
D 2023-03-27T19:33:31.030Z | resolving_load_balancer | dns:nd-wup4jgvqsvhwharbvdpg6yvr3y.m-bz5qr6rhcveqxfjyjfrtaioe5e.n-j2ib55zmyree5fieloktt3ttim.managedblockchain.ap-northeast-1.amazonaws.com:30003 TRANSIENT_FAILURE -> CONNECTING
D 2023-03-27T19:33:31.030Z | connectivity_state | (1) dns:nd-wup4jgvqsvhwharbvdpg6yvr3y.m-bz5qr6rhcveqxfjyjfrtaioe5e.n-j2ib55zmyree5fieloktt3ttim.managedblockchain.ap-northeast-1.amazonaws.com:30003 TRANSIENT_FAILURE -> CONNECTING
```
It seems that `10.0.138.232:30003 connection closed with error unable to verify the first certificate` causes the error.
Maybe I use the wrong certificate files for peer and peer ca.
Please tell me what I did wrong and where the correct certificate files are located.
Thanks.
Can you please confirm you copied the cert as per step 5:
aws s3 cp s3://MyRegion.managedblockchain/etc/managedblockchain-tls-chain.pem /home/ec2-user/managedblockchain-tls-chain.pem
- rePost-Nexyear, a year ago
Yes, I already copied managedblockchain-tls-chain.pem to the client. I also used it to enroll the admin and got admin_msp.

```
├── admin-msp
│   ├── IssuerPublicKey
│   ├── IssuerRevocationPublicKey
│   ├── admincerts
│   │   └── cert.pem
│   ├── cacerts
│   │   └── ca-m-bz5qr6rhcveqxfjyjfrtaioe5e-n-j2ib55zmyree5fieloktt3ttim-managedblockchain-ap-northeast-1-amazonaws-com-30002.pem
│   ├── keystore
│   │   ├── 3e7e4b7f840f8a209b178afefb63e207f336cfd7101c612d8a8acefda8a59504_sk
│   │   ├── c8be8052c5888e713b82317296f0a636a07c6375fcb922cb06833f8ebffa6139_sk
│   │   └── e12f734b4044befcce7fae67c394fff9416123414814c3553dab1036b99361b9_sk
│   ├── signcerts
│   │   └── cert.pem
│   └── user
└── fabric-ca-client-config.yaml
```

There are two locations that use tlsCACerts in the application connect profile (using Fabric SDK for nodejs).
- "peers"."peer0.org.SDL.aws.com"."tlsCACerts"."pem" # fill it with admin_msp/signcerts/cert.pem contents now
- "certificateAuthorities"."ca.org.SDL.aws.com"."tlsCACerts"."pem" # fill it with admin_msp/signcerts/cert.pem contents now

I don't know how and where to use managedblockchain-tls-chain.pem in the application connect profile json.
Hello, I also encountered this problem. Did you find a solution?
Can you try using the managedblockchain-tls-chain.pem in the tlsCAcerts for both the cert authority and the peer?
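An added example, not part of the original thread: a Node.js (18+) check of what a `tlsCACerts` value in a Fabric connection profile actually contains, run here on the PEM copied from the final connect profile posted in the question. The function names `auditTlsCACerts` and `auditProfile` are illustrative, not part of the Fabric SDK.

```javascript
const { X509Certificate } = require("node:crypto"); // X509Certificate#ca needs Node.js 18+

// PEM copied from "tlsCACerts"."pem" in the final connect profile posted in the question.
const PROFILE_TLS_PEM = `-----BEGIN CERTIFICATE-----
MIIC8zCCApmgAwIBAgIUE37UHZ+ceYFu28QAwGXteREOfWEwCgYIKoZIzj0EAwIw
gawxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdT
ZWF0dGxlMSIwIAYDVQQKExlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMSIwIAYD
VQQLExlBbWF6b24gTWFuYWdlZCBCbG9ja2NoYWluMS4wLAYDVQQDEyVTREwgQW1h
em9uIE1hbmFnZWQgQmxvY2tjaGFpbiBSb290IENBMB4XDTIzMDMyNzE2MzAwMFoX
DTMzMDMyNDE2MzUwMFowaTELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENh
cm9saW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdlcjEbMAoGA1UECxMDU0RMMA0GA1UE
CxMGY2xpZW50MQ4wDAYDVQQDEwVhZG1pbjBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABOR5XwEVuPWPFm1v9sgEtFRs847Vj4ArM7olxLBNh32DUG/ZLYETec2WJwS9
YIXYXw8ovl+GrGbpn4rFCSDDZyyjgdowgdcwDgYDVR0PAQH/BAQDAgeAMAwGA1Ud
EwEB/wQCMAAwHQYDVR0OBBYEFFVmufxkUSshWeZKubaR99QdMu6hMB8GA1UdIwQY
MBaAFIeBsKCQ8SWeJS6JPxVpSm5Zwg5ZMBoGA1UdEQQTMBGCD2lwLTEwLTAtMTY4
LTI0NzBbBggqAwQFBgcIAQRPeyJhdHRycyI6eyJoZi5BZmZpbGlhdGlvbiI6IlNE
TCIsImhmLkVucm9sbG1lbnRJRCI6ImFkbWluIiwiaGYuVHlwZSI6ImNsaWVudCJ9
fTAKBggqhkjOPQQDAgNIADBFAiEAvf+z1GDS9roj1XcH4yMwyJKaYpxeQK/4YTul
u7CVX2ECIFfQvMj5lBQZUH6/C1B0T1p+5IYtukpcKf9rS4n6k1hE
-----END CERTIFICATE-----`;

// Describe each certificate found in a tlsCACerts PEM value (string or array).
function auditTlsCACerts(pem) {
  const blocks = [].concat(pem).join("\n")
    .match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g) || [];
  return blocks.map((block) => {
    const cert = new X509Certificate(block);
    // Only a CA certificate (basicConstraints CA:TRUE) can anchor a server's chain.
    return { subject: cert.subject, issuer: cert.issuer, isCA: cert.ca === true };
  });
}

// Report non-CA tlsCACerts entries and disabled verification in a connection profile.
function auditProfile(profile) {
  const findings = [];
  for (const section of ["peers", "certificateAuthorities"]) {
    for (const [name, node] of Object.entries(profile[section] || {})) {
      const pem = (node.tlsCACerts && node.tlsCACerts.pem) || [];
      for (const c of auditTlsCACerts(pem)) {
        if (!c.isCA) findings.push(`${section}.${name}: tlsCACerts is not a CA certificate`);
      }
      if (node.httpOptions && node.httpOptions.verify === false) {
        findings.push(`${section}.${name}: httpOptions.verify is false`);
      }
    }
  }
  return findings;
}
```

For the posted profile the check reports a certificate with subject CN=admin that is not a CA certificate, so the peer's TLS certificate cannot chain to it. Running the same check on a profile built from managedblockchain-tls-chain.pem shows whether that file supplies CA certificates.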