Welcome to the new Linux Foundation Forum!

Lab1 - Can not find CA's private key.

I am doing all the labs on my laptop not on the server, so whenever I do lab I am doing it from scratch lab1. Now I am at lab4 but, I get a new error in lab1. The CA container does not come up as it can not find its private ket for its certificate in its keystore. I think, the volume mapping does not map the keystore or the private keys are wrong. Can anyone help me troubleshoot this? Thanks in advance!
Error I get:
docker logs ca.example.com 2019/06/23 17:25:51 [INFO] Created default configuration file at /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml 2019/06/23 17:25:51 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server 2019/06/23 17:25:51 [INFO] Server Version: 1.4.1 2019/06/23 17:25:51 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1} Error: Failed to find private key for certificate in '/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem': Could not find matching private key for SKI: Failed getting key for SKI [[72 128 61 208 72 65 57 248 91 185 249 29 234 109 34 230 172 139 41 227 207 42 118 80 14 51 34 133 77 231 84 63]]: Key with SKI 48803dd0484139f85bb9f91dea6d22e6ac8b29e3cf2a76500e3322854de7543f not found in /etc/hyperledger/fabric-ca-server/msp/keystore

docker-compose file has the following environments and volume mapping:
`environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca.example.com
- FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
- FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c_sk

volumes:
- ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config`

Comments

  • indirajithindirajith Posts: 42

    The private key on the crypto-config directory for the CA seems to be the one corresponding to the cert. But don't know why the CA container throws an error.

  • kmyattkmyatt Posts: 39

    could you run

    ls crypto-config/peerOrganizations/org1.example.com/ca

    and paste the two keys that are in there?
    Thanks

  • indirajithindirajith Posts: 42

    In the host the key exists

    ls crypto-config/peerOrganizations/org1.example.com/ca/ ca.org1.example.com-cert.pem f38c2e15e29d2d5daa9c4ae67b89a5089f71deb7e42d7c79d57af289f1ec1f3e_sk
    Thank you !

  • indirajithindirajith Posts: 42

    The CA_SERVER cert file defined in the docker-compose file is not there in the location crypto-config/peerOrganizations/org1.example.com/ca/. And it seems to me that, it happens a lot of times. How to overcome this problem? Do we need to just try again and again create the crypto files until it generates all the keys with uncertainty?

  • indirajithindirajith Posts: 42

    I have one more doubt. When we specify the CA server's key in docker-compose.yaml file, how are we sure that the cryptogen is going to generate that particular private key? Doesn't it change every time we create new crypto files by running cryptogen generate command? How does it work in reality with other tools like if someone wants to generate keys and certificates using openssl or others? I am sorry for the naive question but, i would like to clear few things. Thank you very much @kmyatt !

  • indirajithindirajith Posts: 42

    Can anyone help me overcome this problem?

  • indirajithindirajith Posts: 42

    I have fixed the issue by updating the key file name in the docker-compose file.

  • kmyattkmyatt Posts: 39

    Hi @indirajith, if you are rerunning either the default setup script that I have you run in Lab Installation, or if you are running cryptogen more than once, then your private key (as well as the certs) will change because it is regenerating a new one every time. Run the command once, then replace the environment variable

    • FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/

    with

    • FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/

    that sk file can be found in

    ls crypto-config/peerOrganizations/org1.example.com/ca/

    like I indicated in the thread earlier.

  • kmyattkmyatt Posts: 39
    edited July 2019

    @indirajith
    I have one more doubt. When we specify the CA server's key in docker-compose.yaml file, how are we sure that the cryptogen is going to generate that particular private key?Doesn't it change every time we create new crypto files by running cryptogen generate command? How does it work in reality with other tools like if someone wants to generate keys and certificates using openssl or others? I am sorry for the naive question but, i would like to clear few things. Thank you very much @kmyatt !

    ** The docker-compose.yml file just references(looks for in your sys) the CA key, Cryptogen is a binary tool that generates the crypto, but It doesn't do it on its own, you would have to rerun it every time. The Generate command resets all certificates, extend command doesn't. Therefore, since the crypto-config file is already built, I recommend you use what you have already and just reference that. But if you need to create new ones later, only use the extend command so you don't lose the already created keys you currently have. Openssl is a valid option for working/generating crypto as well and if you know what you're doing then that should be no problem, but as you will see in Lab 10, the Fabric CA tools have simplified those crypto operations as well making it faster and easier.Last note, that was not a naive question, actually a great question! **

    Hope this helps and Take care!

  • indirajithindirajith Posts: 42

    Thank you very much for your patience in explaining in a detailed manner @kmyatt! Now I understand quite well, I hope.

  • kmyattkmyatt Posts: 39

    No problem, always happy to help :) Have a great day

  • etrelzetrelz Posts: 29

    I hate to be this guy..but i'm having the same issue. I ran the ls crypto-config/peerOrganizations/org1.example.com/ca/

    This is my result:
    :~/Desktop/fabric-samples/startFiles$ ls crypto-config/peerOrganizations/org1.example.com/ca/
    8986bfd326449c8e0cdd5347d3809b7c61486e0ddc5d1738358ef48e8d485ca4_sk
    ca.org1.example.com-cert.pem

    I replaced the _sk in docker-compose.yml with the above _sk

    I then run: docker logs ca.example.com

    and get this error:
    Error: Failed to find private key for certificate in '/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem': Could not find matching private key for SKI: Failed getting key for SKI [[137 134 191 211 38 68 156 142 12 221 83 71 211 128 155 124 97 72 110 13 220 93 23 56 53 142 244 142 141 72 92 164]]: Key with SKI 8986bfd326449c8e0cdd5347d3809b7c61486e0ddc5d1738358ef48e8d485ca4 not found in /etc/hyperledger/fabric-ca-server/msp/keystore
    2019/12/18 02:35:52 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
    2019/12/18 02:35:52 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
    2019/12/18 02:35:52 [INFO] Server Version: 1.4.4
    2019/12/18 02:35:52 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
    Error: Failed to find private key for certificate in '/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem': Could not find matching private key for SKI: Failed getting key for SKI [[137 134 191 211 38 68 156 142 12 221 83 71 211 128 155 124 97 72 110 13 220 93 23 56 53 142 244 142 141 72 92 164]]: Key with SKI 8986bfd326449c8e0cdd5347d3809b7c61486e0ddc5d1738358ef48e8d485ca4 not found in /etc/hyperledger/fabric-ca-server/msp/keystore
    2019/12/19 16:33:08 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
    2019/12/19 16:33:08 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
    2019/12/19 16:33:08 [INFO] Server Version: 1.4.4
    2019/12/19 16:33:08 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
    Error: Failed to find private key for certificate in '/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem': Could not find matching private key for SKI: Failed getting key for SKI [[137 134 191 211 38 68 156 142 12 221 83 71 211 128 155 124 97 72 110 13 220 93 23 56 53 142 244 142 141 72 92 164]]: Key with SKI 8986bfd326449c8e0cdd5347d3809b7c61486e0ddc5d1738358ef48e8d485ca4 not found in /etc/hyperledger/fabric-ca-server/msp/keystore

    How do i correct this error because i'm not able to start my ca.example container.

    Thank you

  • @etrelz said:
    I hate to be this guy..but i'm having the same issue. I ran the ls crypto-config/peerOrganizations/org1.example.com/ca/

    This is my result:
    :~/Desktop/fabric-samples/startFiles$ ls crypto-config/peerOrganizations/org1.example.com/ca/
    8986bfd326449c8e0cdd5347d3809b7c61486e0ddc5d1738358ef48e8d485ca4_sk
    ca.org1.example.com-cert.pem

    I replaced the _sk in docker-compose.yml with the above _sk

    I then run: docker logs ca.example.com

    and get this error:
    Error: Failed to find private key for certificate in '/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem': Could not find matching private key for SKI: Failed getting key for SKI [[137 134 191 211 38 68 156 142 12 221 83 71 211 128 155 124 97 72 110 13 220 93 23 56 53 142 244 142 141 72 92 164]]: Key with SKI 8986bfd326449c8e0cdd5347d3809b7c61486e0ddc5d1738358ef48e8d485ca4 not found in /etc/hyperledger/fabric-ca-server/msp/keystore
    2019/12/18 02:35:52 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
    2019/12/18 02:35:52 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
    2019/12/18 02:35:52 [INFO] Server Version: 1.4.4
    2019/12/18 02:35:52 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
    Error: Failed to find private key for certificate in '/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem': Could not find matching private key for SKI: Failed getting key for SKI [[137 134 191 211 38 68 156 142 12 221 83 71 211 128 155 124 97 72 110 13 220 93 23 56 53 142 244 142 141 72 92 164]]: Key with SKI 8986bfd326449c8e0cdd5347d3809b7c61486e0ddc5d1738358ef48e8d485ca4 not found in /etc/hyperledger/fabric-ca-server/msp/keystore
    2019/12/19 16:33:08 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
    2019/12/19 16:33:08 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
    2019/12/19 16:33:08 [INFO] Server Version: 1.4.4
    2019/12/19 16:33:08 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
    Error: Failed to find private key for certificate in '/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem': Could not find matching private key for SKI: Failed getting key for SKI [[137 134 191 211 38 68 156 142 12 221 83 71 211 128 155 124 97 72 110 13 220 93 23 56 53 142 244 142 141 72 92 164]]: Key with SKI 8986bfd326449c8e0cdd5347d3809b7c61486e0ddc5d1738358ef48e8d485ca4 not found in /etc/hyperledger/fabric-ca-server/msp/keystore

    How do i correct this error because i'm not able to start my ca.example container.

    Thank you

    Hi @etrelz , seems like your pathting to the key in docker-compose is wrong? The error says: Error: Failed to find private key for certificate in '/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem':

    But the path to the _sk is ls crypto-config/peerOrganizations/org1.example.com/ca/

    Please double check that, and let me know.

Sign In or Register to comment.