The steps which I have followed:
1) Started the fabric with 1 CA (which is the root CA), 1 orderer, 1 peer and 1 CouchDB.
2) I attached a shell to the CA which is root and fired the 2 commands to register the intermediate CA.
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
fabric-ca-client register --id.name ica --id.attrs '"hf.Registrar.Roles=user,peer",hf.Revoker=true,hf.IntermediateCA=true' --id.secret icapw
3) I started the ca1 container as follows:
services:
  ca1.example.com:
    image: hyperledger/fabric-ca:x86_64-1.1.0
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_PORT=8054
      - FABRIC_CA_SERVER_CA_NAME=ca1.example.com
    ports:
      - "8054:8054"
    command: sh -c 'fabric-ca-server start -b admin:adminpw -u http://ica:[email protected]:7054'
    container_name: ca1.example.com
    networks:
      - basic
But it always creates default certificates, so I removed all of them from the container and then fired the start command again, and when I try to enroll admin using that intermediate CA it gives me the following error:
signed certificate with serial number 619423114660023963149266564884451731119475746692
ca1.example.com | 2018/09/20 06:38:53 [INFO] 127.0.0.1:47144 POST /enroll 500 0 "Certificate signing failure: Failed to insert record intodatabase: attempt to write a readonly database"
I am unsure about the process I followed. So please suggest the exact steps to follow and, if the steps are correct, the cause of this error.
I have followed the documentation: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.htm
Let's say you have a Root Fabric-CA (let's call it RCA) server up and running.
As per my understanding, you are trying to start an Intermediate Fabric-CA server which would be attached to the RCA above.
What I tried is the following.
version: '2'
networks:
  fabric-ca:
services:
  ica:
    container_name: ica
    image: hyperledger/fabric-ca
    command: /bin/bash -c '/scripts/start-intermediate-ca.sh 2>&1 | tee /data/logs/ica.log'
    environment:
      - FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca
      - FABRIC_CA_SERVER_CA_NAME=ica
      - FABRIC_CA_SERVER_INTERMEDIATE_TLS_CERTFILES=/data/rca-ca-cert.pem
      - FABRIC_CA_SERVER_CSR_HOSTS=ica
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_DEBUG=true
      - BOOTSTRAP_USER_PASS=ica-admin:ica-adminpw
      - PARENT_URL=https://rca-admin:rca-adminpw@rca:7054
      - TARGET_CHAINFILE=/data/ica-ca-chain.pem
    volumes:
      - ./data:/data
      - ./scripts:/scripts
      - ./data/fabric_ca_test/ica:/etc/hyperledger/fabric-ca
    networks:
      - fabric-ca
    ports:
      - 10.10.10.101:7055:7054
Note the use of the script start-intermediate-ca.sh
#!/bin/bash
#
set -e
# Initialize the intermediate CA
fabric-ca-server init -b $BOOTSTRAP_USER_PASS -u $PARENT_URL
# Copy the intermediate CA's certificate chain to the data directory to be used by others
cp $FABRIC_CA_SERVER_HOME/ca-chain.pem $TARGET_CHAINFILE
# Start the intermediate CA
fabric-ca-server start --config $FABRIC_CA_SERVER_HOME/fabric-ca-server-config.yaml
This is also available in an example which is present in the Hyperledger Fabric Examples. Fabric CA Samples in fabric-samples GitHub Repository
Go through it. It's a comprehensive example.
You should be able to tweak it a bit to handle your scenario.
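A pre-flight check for the failure in the question, added here as an example and not taken from either post or from the Fabric CA project: "attempt to write a readonly database" is SQLite's error for a database it cannot write to. It assumes the CA uses its default SQLite datastore, a file named fabric-ca-server.db in the server home directory; the function name check_ca_home is hypothetical.

```shell
#!/bin/sh
# Added example: verify the Fabric CA home directory before the server starts.
# Assumption: default SQLite datastore "fabric-ca-server.db" in the CA home.

# check_ca_home DIR [DBFILE]
# Prints one diagnostic line and returns:
#   0  home (and the DB file, if present) is writable
#   1  home directory does not exist
#   2  home directory is not writable
#   3  DB file exists but is not writable
check_ca_home() {
    ca_home=$1
    ca_db=$ca_home/${2:-fabric-ca-server.db}

    if [ ! -d "$ca_home" ]; then
        echo "FAIL: $ca_home does not exist (is the volume mounted?)"
        return 1
    fi
    # SQLite creates a journal file next to the DB while writing, so the
    # directory itself must be writable, not only the DB file.
    if [ ! -w "$ca_home" ]; then
        echo "FAIL: $ca_home is not writable by uid $(id -u)"
        return 2
    fi
    if [ -e "$ca_db" ] && [ ! -w "$ca_db" ]; then
        echo "FAIL: $ca_db exists but is not writable by uid $(id -u)"
        return 3
    fi
    if [ -e "$ca_db" ]; then
        echo "OK: $ca_db is writable; existing CA state will be reused"
    else
        echo "OK: $ca_home is writable; no DB yet, the server will create one"
    fi
    return 0
}

# When called with arguments, act as a stand-alone check, e.g. from the
# start script: sh check-ca-home.sh "$FABRIC_CA_SERVER_HOME"
if [ $# -gt 0 ]; then
    check_ca_home "$@"
fi
```

Run it inside the CA container as the same user that runs fabric-ca-server, since writability depends on that user's uid and on how the host directory is mounted.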