Hyperledger Fabric Orderer CA admin user registration fails

9/20/2019

I'm building a Hyperledger Fabric network on Kubernetes. Basically I'm trying to mimic the Fabric CA Operations Guide, which runs on Docker. I'm using the stable/hlf-ca Helm chart, Helm version 3-beta-2.

Enroll TLS CA’s Admin: works

kubectl create ns ca-tls

helm install ca-tls \
  --set caName=ca-tls \
  --set postgresql.enabled=true \
  --namespace ca-tls \
stable/hlf-ca

export CA_TLS_POD=$(kubectl get pods --namespace ca-tls -l "app=hlf-ca,release=ca-tls" -o jsonpath="{.items[0].metadata.name}")
kubectl -n ca-tls exec $CA_TLS_POD -- bash -c 'fabric-ca-client enroll -d -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054'

kubectl -n ca-tls cp  $CA_TLS_POD:/var/hyperledger/fabric-ca/msp/signcerts/cert.pem ./tls-ca-cert.pem

# Quote the delimiter so $CA_ADMIN, $CA_PASSWORD and $SERVICE_DNS expand inside the pod (where the chart sets them), not on the host.
cat <<'EOF' | kubectl -n ca-tls exec $CA_TLS_POD -- bash
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer1-org2 --id.secret peer1PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer2-org2 --id.secret peer2PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererPW --id.type orderer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
EOF

Enroll Org1’s CA Admin: works (org2 works too)

kubectl create ns org1

helm install rca-org1 \
  --set caName=rca-org1 \
  --set postgresql.enabled=true \
  --namespace org1 \
stable/hlf-ca

export RCA_ORG1_POD=$(kubectl get pods --namespace org1 -l "app=hlf-ca,release=rca-org1" -o jsonpath="{.items[0].metadata.name}")
kubectl -n org1 cp ./tls-ca-cert.pem $RCA_ORG1_POD:/tmp/tls-ca-cert.pem

# Quoted delimiter: the CA variables are expanded by bash inside the pod.
cat <<'EOF' | kubectl -n org1 exec $RCA_ORG1_POD -- bash
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/ca/admin
fabric-ca-client enroll -d -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name admin-org1 --id.secret org1AdminPW --id.type user -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name user-org1 --id.secret org1UserPW --id.type user -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
EOF

Enroll Orderer Org’s CA Admin: FAILS. All commands succeed except the very last line (--id.name admin-org0).

kubectl create ns org0

helm install rca-org0 \
  --set caName=rca-org0 \
  --set postgresql.enabled=true \
  --namespace org0 \
stable/hlf-ca

export RCA_ORG0_POD=$(kubectl get pods --namespace org0 -l "app=hlf-ca,release=rca-org0" -o jsonpath="{.items[0].metadata.name}")
kubectl -n org0 cp ./tls-ca-cert.pem $RCA_ORG0_POD:/tmp/tls-ca-cert.pem

# Quoted delimiter: the CA variables are expanded by bash inside the pod.
cat <<'EOF' | kubectl -n org0 exec $RCA_ORG0_POD -- bash
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/tls-ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/ca/admin
fabric-ca-client enroll -d -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererpw --id.type orderer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name admin-org0 --id.secret org0adminpw --id.type admin --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
EOF

Error log:

root@rca-org0-hlf-ca-5bdd58d48b-l2bbn:/# fabric-ca-client register -d --id.name admin-org0 --id.secret org0adminpw --id.type admin --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
2019/09/20 03:03:00 [DEBUG] Home directory: /tmp/hyperledger/org0/ca/admin
2019/09/20 03:03:00 [INFO] Configuration file location: /tmp/hyperledger/org0/ca/admin/fabric-ca-client-config.yaml
2019/09/20 03:03:00 [DEBUG] Checking for enrollment
2019/09/20 03:03:00 [DEBUG] Initializing client with config: &{URL:http://admin:oZsoUj2qvjRsnAT9zMH9WkMA@0.0.0.0:7054 MSPDir:msp TLS:{Enabled:false CertFiles:[/tmp/tls-ca-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509  } CSR:{CN:admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[rca-org0-hlf-ca-5bdd58d48b-l2bbn] KeyRequest:0xc4202d2ce0 CA:<nil> SerialNumber:} ID:{Name:admin-org0 Type:admin Secret:org0adminpw MaxEnrollments:0 Affiliation: Attributes:[{Name:hf.Revoker Value:true ECert:false} {Name:hf.GenCRL Value:true ECert:false} {Name:admin Value:true ECert:true} {Name:abac.init Value:true ECert:true} {Name:hf.Registrar.Roles Value:client ECert:false} {Name:hf.Registrar.Attributes Value:* ECert:false}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc4202d2540}
2019/09/20 03:03:00 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc4202dcc90 PluginOpts:<nil>}
2019/09/20 03:03:00 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc42054aae0 DummyKeystore:<nil>}
2019/09/20 03:03:00 [DEBUG] CheckIdemixEnrollment - ipkFile: /tmp/hyperledger/org0/ca/admin/msp/IssuerPublicKey, idemixCredFrile: /tmp/hyperledger/org0/ca/admin/msp/user/SignerConfig
2019/09/20 03:03:00 [DEBUG] Client configuration settings: &{URL:http://admin:oZsoUj2qvjRsnAT9zMH9WkMA@0.0.0.0:7054 MSPDir:/tmp/hyperledger/org0/ca/admin/msp TLS:{Enabled:false CertFiles:[/tmp/tls-ca-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509  } CSR:{CN:admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[rca-org0-hlf-ca-5bdd58d48b-l2bbn] KeyRequest:0xc4202d2ce0 CA:<nil> SerialNumber:} ID:{Name:admin-org0 Type:admin Secret:org0adminpw MaxEnrollments:0 Affiliation: Attributes:[{Name:hf.Revoker Value:true ECert:false} {Name:hf.GenCRL Value:true ECert:false} {Name:admin Value:true ECert:true} {Name:abac.init Value:true ECert:true} {Name:hf.Registrar.Roles Value:client ECert:false} {Name:hf.Registrar.Attributes Value:* ECert:false}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc4202d2540}
2019/09/20 03:03:00 [DEBUG] Entered runRegister
2019/09/20 03:03:00 [DEBUG] Initializing client with config: &{URL:http://admin:oZsoUj2qvjRsnAT9zMH9WkMA@0.0.0.0:7054 MSPDir:/tmp/hyperledger/org0/ca/admin/msp TLS:{Enabled:false CertFiles:[/tmp/tls-ca-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509  } CSR:{CN:admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[rca-org0-hlf-ca-5bdd58d48b-l2bbn] KeyRequest:0xc4202d2ce0 CA:<nil> SerialNumber:} ID:{Name:admin-org0 Type:admin Secret:org0adminpw MaxEnrollments:0 Affiliation: Attributes:[{Name:hf.Revoker Value:true ECert:false} {Name:hf.GenCRL Value:true ECert:false} {Name:admin Value:true ECert:true} {Name:abac.init Value:true ECert:true} {Name:hf.Registrar.Roles Value:client ECert:false} {Name:hf.Registrar.Attributes Value:* ECert:false}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc4202d2540}
2019/09/20 03:03:00 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc4202dcc90 PluginOpts:<nil>}
2019/09/20 03:03:00 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc42054aae0 DummyKeystore:<nil>}
2019/09/20 03:03:00 [DEBUG] Loading identity: keyFile=/tmp/hyperledger/org0/ca/admin/msp/keystore/key.pem, certFile=/tmp/hyperledger/org0/ca/admin/msp/signcerts/cert.pem
2019/09/20 03:03:00 [DEBUG] No credential found at /tmp/hyperledger/org0/ca/admin/msp/user/SignerConfig: open /tmp/hyperledger/org0/ca/admin/msp/user/SignerConfig: no such file or directory
2019/09/20 03:03:00 [DEBUG] No Idemix credential found at /tmp/hyperledger/org0/ca/admin/msp/user/SignerConfig
2019/09/20 03:03:00 [DEBUG] Register { Name:admin-org0 Type:admin Secret:**** MaxEnrollments:0 Affiliation: Attributes:[{hf.Revoker true false} {hf.GenCRL true false} {admin true true} {abac.init true true} {hf.Registrar.Roles client false} {hf.Registrar.Attributes * false}] CAName:  }
2019/09/20 03:03:00 [DEBUG] Adding token-based authorization header
2019/09/20 03:03:00 [DEBUG] Sending request
POST http://admin:oZsoUj2qvjRsnAT9zMH9WkMA@0.0.0.0:7054/register
{"id":"admin-org0","type":"admin","secret":"org0adminpw","affiliation":"","attrs":[{"name":"hf.Revoker","value":"true"},{"name":"hf.GenCRL","value":"true"},{"name":"admin","value":"true","ecert":true},{"name":"abac.init","value":"true","ecert":true},{"name":"hf.Registrar.Roles","value":"client"},{"name":"hf.Registrar.Attributes","value":"*"}]}
2019/09/20 03:03:00 [DEBUG] Received response
statusCode=403 (403 Forbidden)
Error: Response from server: Error Code: 71 - Authorization failure

What am I missing?

-- moazzem
hyperledger
hyperledger-fabric
hyperledger-fabric-ca
kubernetes
kubernetes-helm
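The 403 with error code 71 means the CA refused the registrar's request rather than the identity being malformed. As an added example (not the question's commands or Fabric CA's own code), this Python models the documented registrar rules, namely that the registree's type must be in the registrar's hf.Registrar.Roles, each requested attribute must be covered by hf.Registrar.Attributes, and granted roles must fit within hf.Registrar.DelegateRoles, and runs them over the POST /register payload captured in the question's log. The two registrar attribute sets and the simplification of the rules are assumptions, not values read from the chart.

```python
import json
from fnmatch import fnmatch

# Constructed copy of the POST /register payload from the question's debug log.
LOGGED_REQUEST = (
    '{"id":"admin-org0","type":"admin","secret":"org0adminpw","affiliation":"",'
    '"attrs":[{"name":"hf.Revoker","value":"true"},{"name":"hf.GenCRL","value":"true"},'
    '{"name":"admin","value":"true","ecert":true},{"name":"abac.init","value":"true","ecert":true},'
    '{"name":"hf.Registrar.Roles","value":"client"},{"name":"hf.Registrar.Attributes","value":"*"}]}'
)

# Two hypothetical registrar attribute sets (assumptions, not read from the hlf-ca chart):
# a bootstrap admin with wildcard rights, and one limited to the four non-admin types.
UNRESTRICTED_REGISTRAR = {
    "hf.Registrar.Roles": "*", "hf.Registrar.DelegateRoles": "*",
    "hf.Registrar.Attributes": "*", "hf.Revoker": "true", "hf.GenCRL": "true",
}
RESTRICTED_REGISTRAR = {**UNRESTRICTED_REGISTRAR,
                        "hf.Registrar.Roles": "client,orderer,peer,user",
                        "hf.Registrar.DelegateRoles": "client,orderer,peer,user"}


def _csv(value):
    """Split a comma-separated attribute value into a set of trimmed names."""
    return {v.strip() for v in value.split(",") if v.strip()}


def check_register(registrar, request_json):
    """Simplified model of the documented registrar rules (assumption: this is
    not the fabric-ca-server implementation). Returns the reasons the request
    would be refused; an empty list means every modelled check passed."""
    req = json.loads(request_json)
    roles = _csv(registrar.get("hf.Registrar.Roles", ""))
    delegate = _csv(registrar.get("hf.Registrar.DelegateRoles", ""))
    allowed = _csv(registrar.get("hf.Registrar.Attributes", ""))
    reasons = []
    # 1. The registree's --id.type must appear in the registrar's hf.Registrar.Roles.
    if "*" not in roles and req["type"] not in roles:
        reasons.append(f"type {req['type']!r} not in hf.Registrar.Roles {sorted(roles)}")
    for attr in req.get("attrs", []):
        name, value = attr["name"], attr["value"]
        # 2. Each requested attribute name must match a pattern in hf.Registrar.Attributes.
        if not any(fnmatch(name, pat) for pat in allowed):
            reasons.append(f"attribute {name!r} not in hf.Registrar.Attributes {sorted(allowed)}")
        # 3. Roles handed to the registree are limited to the registrar's DelegateRoles.
        if name == "hf.Registrar.Roles" and "*" not in delegate and not _csv(value) <= delegate:
            reasons.append(f"hf.Registrar.Roles {value!r} exceeds DelegateRoles {sorted(delegate)}")
    return reasons
```

Running `check_register(RESTRICTED_REGISTRAR, LOGGED_REQUEST)` flags the `admin` type while the wildcard registrar passes every check; the registrar's real attributes can be inspected with `fabric-ca-client identity list --id <registrar-name>` before comparing.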

1 Answer

9/20/2019

Can you please post the error logs you are getting on running the last register command?

-- soumya nayak
Source: StackOverflow