Hyperledger Fabric: ServerHandshake TLS handshake bad certificate server=PeerServer AND ServerHandshake TLS handshake EOF

I was trying to connect my Golang backend to a running Hyperledger network using Hyperledger version 2.0.0...

I saw this ServerHandshake TLS handshake EOF error when running "docker-compose up":

peer0-org2 | 2020-06-21 04:56:29.113 UTC [core.comm] ServerHandshake -> ERRO 022 TLS handshake failed with error EOF server=PeerServer remoteaddress=172.21.0.12:51946

peer1-org1 | 2020-06-21 04:56:30.123 UTC [core.comm] ServerHandshake -> ERRO 021 TLS handshake failed with error EOF server=PeerServer remoteaddress=172.21.0.11:49860

peer0-org1 | 2020-06-21 04:56:30.547 UTC [core.comm] ServerHandshake -> ERRO 022 TLS handshake failed with error EOF server=PeerServer remoteaddress=172.21.0.9:34994

peer1-org2 | 2020-06-21 04:56:30.873 UTC [core.comm] ServerHandshake -> ERRO 021 TLS handshake failed with error EOF server=PeerServer remoteaddress=172.21.0.10:52232

Then I saw a similar ServerHandshake TLS handshake error (ServerHandshake TLS handshake bad certificate) when running my Golang backend to access the chaincode... with an additional error message from Golang:

--- FAIL: Test_ConnectionTest_Success (0.06s) client_test.go:30: unable to make client from channel context: event service creation failed: could not get chConfig cache reference: QueryBlockConfig failed: QueryBlockConfig failed: queryChaincode failed: Transaction processing for endorser [localhost:7051]: Endorser Client Status Code: (2) CONNECTION_FAILED. Description: dialing connection on target [localhost:7051]: connection is in TRANSIENT_FAILURE

FAIL

exit status 1

FAIL hyperledger-k8s-be/hyperledger 0.068s

------------== from the docker-compose up Hyperledger terminal

peer0-org1 | 2020-06-21 06:00:24.577 UTC [core.comm] ServerHandshake -> ERRO 090 TLS handshake failed with error remote error: tls: bad certificate server=PeerServer remoteaddress=172.20.0.1:58500

------------== it failed here in client.go

    channelClient, err := sdkchannel.New(clientContext)
    if err != nil {
        return nil, errors.WithMessage(err, "unable to make client from channel context")
    }

------------== I suspect one of those three certs is not correct in docker-compose.yaml > peer0-org1 > environment

  - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
  - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
  - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt

Is my suspicion correct? What is the problem?

Is docker-compose-ca.yaml incorrect because of:

  hyperledger/fabric-ca:1.4.1

  the start-org1-client script to run under org1-client

  something else?

Please help. Thank you.

--------------== Update 2020 June 23: I can check if TLS certificates have a correct SAN (Subject Alternative Name) with $ openssl x509 -noout -text -in org1-ca-7054.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:3b:4f:ea:63:1a:03:b4:61:45:e9:44:1b:29:dc:ed:e6:bc:0b:76
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = fabric-ca-server
        Validity
            Not Before: Jun 21 05:14:00 2020 GMT
            Not After : Jun 18 05:14:00 2035 GMT
        Subject: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = fabric-ca-server
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:3c:3f:d9:97:7e:fc:08:e5:0a:3f:fe:b3:fe:70:
                    33:20:92:6c:88:78:19:35:08:00:98:97:17:8b:af:
                    03:44:2d:a4:4d:65:63:fc:d8:b5:4c:23:cc:e6:63:
                    55:a3:4f:04:62:72:8d:b2:fa:f1:9a:9d:14:9f:f9:
                    aa:33:ee:fe:e8
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier: 
                78:B7:6D:51:91:0C:9E:6C:31:C9:63:67:34:BD:CA:18:B5:C5:35:D1
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:6a:1a:92:cc:45:9b:c9:a5:4d:61:b9:bd:a3:94:
         b2:2c:52:7a:16:36:91:12:f9:a0:1f:fe:77:29:a3:1e:05:5d:
         02:20:7f:e0:5d:c9:03:4f:8e:b2:6d:66:a4:8f:04:fb:e0:e6:
         52:cf:e0:e9:3a:1a:36:bc:7b:98:99:f9:c4:64:c6:7e

So the response does not have SAN settings...


Solution 1:

From the error, it looks like the TLS certificate of the peer node does not have correct SAN (Subject Alternative Name) configured in it to authenticate the TLS communication correctly.

The peer TLS certificate should have the SAN configured with the container name, or IP address of the container, or localhost, whichever you are using to send requests to the node.

NOTE: There can be multiple SANs configured for a single node in its TLS certificate.

Solution 2:

In the case where somebody comes across this problem while building an app which is running on the same Fabric network (DEV mode), know that this problem is generally caused by a bad TLS certificate or a bad connection profile. To solve the issue, first try to correctly define the following parameters; here's an example:

export FABRIC_CFG_PATH=/home/user/fabric-samples/config/
export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
export CORE_PEER_MSPCONFIGPATH=${PWD}/organizations/peerOrganizations/org1.example.com/users/[email protected]/msp
export CORE_PEER_ADDRESS=localhost:7051

Then generate a new connection profile for your application (run the network). A bad connection profile would cause such a problem.

Also try to change the orderer address to localhost in the call: -o localhost:7050 (instead of orderer.example.com:7050).
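Both answers come down to the same check: the host the client dials (the bare localhost:7051 target from the question, or the grpcs://... URL in a connection profile) must appear in the peer TLS certificate's Subject Alternative Names, because Go's TLS client ignores the CN. The program below is an added example for this Q&A, not code from the question, the answers or Hyperledger Fabric; it builds two constructed self-signed certificates (one with SANs, one CN-only like the openssl dump above), parses them with Go's standard crypto/x509, and reports whether a given target would pass hostname verification. The function and type names (CheckPeerTLSCert, HostFromTarget, SANReport, makeCertPEM) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"strings"
	"time"
)

// SANReport summarises what a TLS certificate advertises and whether it would
// pass hostname verification for the host a client dials.
type SANReport struct {
	DNSNames []string
	IPs      []string
	HostOK   bool
	Reason   string // verification error text when HostOK is false
}

// HostFromTarget extracts the host a TLS client verifies against, from either
// a bare "host:port" target or a connection-profile URL such as
// "grpcs://localhost:7051".
func HostFromTarget(target string) (string, error) {
	if strings.Contains(target, "://") {
		u, err := url.Parse(target)
		if err != nil {
			return "", err
		}
		target = u.Host
	}
	host, _, err := net.SplitHostPort(target)
	if err != nil {
		return target, nil // no port present; the whole string is the host
	}
	return host, nil
}

// CheckPeerTLSCert parses a PEM certificate (e.g. the peer's server.crt) and
// reports whether the dialled target matches one of its SAN entries. Go's
// verifier ignores the CN, so a certificate without SANs always fails.
func CheckPeerTLSCert(certPEM []byte, target string) (SANReport, error) {
	var rep SANReport
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return rep, fmt.Errorf("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return rep, fmt.Errorf("parse certificate: %w", err)
	}
	host, err := HostFromTarget(target)
	if err != nil {
		return rep, err
	}
	rep.DNSNames = cert.DNSNames
	for _, ip := range cert.IPAddresses {
		rep.IPs = append(rep.IPs, ip.String())
	}
	if err := cert.VerifyHostname(host); err != nil {
		rep.Reason = err.Error()
		return rep, nil
	}
	rep.HostOK = true
	return rep, nil
}

// makeCertPEM builds a self-signed ECDSA P-256 certificate with the given SANs.
// It is a constructed sample for this demonstration, not a fabric-ca artifact.
func makeCertPEM(cn string, dnsNames []string, ips []net.IP) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Hyperledger"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// SANs for the container name, localhost and the loopback IP, as Solution 1 recommends.
	good, _ := makeCertPEM("peer0.org1.example.com",
		[]string{"peer0.org1.example.com", "localhost"}, []net.IP{net.ParseIP("127.0.0.1")})
	// CN only, no SAN extension: the situation the question's openssl output shows.
	bad, _ := makeCertPEM("peer0.org1.example.com", nil, nil)

	for _, c := range []struct {
		name string
		pem  []byte
	}{{"with SANs", good}, {"CN only", bad}} {
		for _, target := range []string{"localhost:7051", "grpcs://127.0.0.1:7051", "grpcs://peer0.org1.example.com:7051"} {
			rep, err := CheckPeerTLSCert(c.pem, target)
			if err != nil {
				fmt.Println(c.name, target, "error:", err)
				continue
			}
			fmt.Printf("%-10s %-38s ok=%-5v %s\n", c.name, target, rep.HostOK, rep.Reason)
		}
	}
}
```

To use this against a real deployment, read the peer's server.crt from the path in CORE_PEER_TLS_CERT_FILE and pass the exact target your SDK client or connection profile uses; a false HostOK with a "certificate is not valid for any names" reason is the client-side counterpart of the peer's "TLS handshake failed ... bad certificate" log line.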