
Lab1 - Can not find CA's private key.

I am doing all the labs on my laptop, not on the server, so whenever I do a lab I am doing it from scratch, starting at lab1. Now I am at lab4, but I get a new error in lab1. The CA container does not come up as it cannot find the private key for its certificate in its keystore. I think the volume mapping does not map the keystore or the private keys are wrong. Can anyone help me troubleshoot this? Thanks in advance!
Error I get:
```
docker logs ca.example.com
2019/06/23 17:25:51 [INFO] Created default configuration file at /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
2019/06/23 17:25:51 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
2019/06/23 17:25:51 [INFO] Server Version: 1.4.1
2019/06/23 17:25:51 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
Error: Failed to find private key for certificate in '/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem': Could not find matching private key for SKI: Failed getting key for SKI [[72 128 61 208 72 65 57 248 91 185 249 29 234 109 34 230 172 139 41 227 207 42 118 80 14 51 34 133 77 231 84 63]]: Key with SKI 48803dd0484139f85bb9f91dea6d22e6ac8b29e3cf2a76500e3322854de7543f not found in /etc/hyperledger/fabric-ca-server/msp/keystore
```

The docker-compose file has the following environment and volume mapping:

```yaml
environment:
  - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
  - FABRIC_CA_SERVER_CA_NAME=ca.example.com
  - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
  - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c_sk

volumes:
  - ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
```

Comments

  • indirajith Posts: 32

    The private key on the crypto-config directory for the CA seems to be the one corresponding to the cert. But don't know why the CA container throws an error.

  • kmyatt Posts: 31

    could you run

    ls crypto-config/peerOrganizations/org1.example.com/ca

    and paste the two keys that are in there?
    Thanks

  • indirajith Posts: 32

    In the host the key exists

    ls crypto-config/peerOrganizations/org1.example.com/ca/
    ca.org1.example.com-cert.pem  f38c2e15e29d2d5daa9c4ae67b89a5089f71deb7e42d7c79d57af289f1ec1f3e_sk

    Thank you !

  • indirajith Posts: 32

    The CA_SERVER cert file defined in the docker-compose file is not there in the location crypto-config/peerOrganizations/org1.example.com/ca/. And it seems to me that it happens a lot of times. How to overcome this problem? Do we need to just try again and again to create the crypto files until it generates all the keys with uncertainty?

  • indirajith Posts: 32

    I have one more doubt. When we specify the CA server's key in the docker-compose.yaml file, how are we sure that cryptogen is going to generate that particular private key? Doesn't it change every time we create new crypto files by running the cryptogen generate command? How does it work in reality with other tools, like if someone wants to generate keys and certificates using openssl or others? I am sorry for the naive question, but I would like to clear a few things. Thank you very much @kmyatt !

  • indirajith Posts: 32

    Can anyone help me overcome this problem?

  • indirajith Posts: 32

    I have fixed the issue by updating the key file name in the docker-compose file.

  • kmyatt Posts: 31

    Hi @indirajith, if you are rerunning either the default setup script that I have you run in Lab Installation, or if you are running cryptogen more than once, then your private key (as well as the certs) will change because it is regenerating a new one every time. Run the command once, then replace the environment variable

    • FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/

    with

    • FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/

    that sk file can be found in

    ls crypto-config/peerOrganizations/org1.example.com/ca/

    like I indicated in the thread earlier.

  • kmyatt Posts: 31
    edited July 2

    @indirajith
    I have one more doubt. When we specify the CA server's key in the docker-compose.yaml file, how are we sure that cryptogen is going to generate that particular private key? Doesn't it change every time we create new crypto files by running the cryptogen generate command? How does it work in reality with other tools, like if someone wants to generate keys and certificates using openssl or others? I am sorry for the naive question, but I would like to clear a few things. Thank you very much @kmyatt !

    The docker-compose.yml file just references (looks for in your sys) the CA key. Cryptogen is a binary tool that generates the crypto, but it doesn't do it on its own; you would have to rerun it every time. The generate command resets all certificates, the extend command doesn't. Therefore, since the crypto-config file is already built, I recommend you use what you have already and just reference that. But if you need to create new ones later, only use the extend command so you don't lose the already created keys you currently have. OpenSSL is a valid option for working with and generating crypto as well, and if you know what you're doing then that should be no problem, but as you will see in Lab 10, the Fabric CA tools have simplified those crypto operations as well, making it faster and easier. Last note: that was not a naive question, actually a great question!

    Hope this helps and Take care!

  • indirajith Posts: 32

    Thank you very much for your patience in explaining in a detailed manner @kmyatt! Now I understand quite well, I hope.

  • kmyatt Posts: 31

    No problem, always happy to help :) Have a great day
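
The fix reached in this thread, pointing FABRIC_CA_SERVER_CA_KEYFILE at the `_sk` file that cryptogen actually wrote, can be checked before the CA container is started. The script below is an added example, not part of the thread or the course material; the function names and the temporary directory layout are assumptions, and the sample file names are the two quoted in the posts above.

```shell
#!/bin/sh
# Added example: detect a stale CA key file name in docker-compose.yml
# after cryptogen has regenerated the keys.

# Basename of the FABRIC_CA_SERVER_CA_KEYFILE value in compose file $1.
compose_keyfile() {
    sed -n 's/^[[:space:]]*-[[:space:]]*FABRIC_CA_SERVER_CA_KEYFILE=//p' "$1" |
        head -n 1 | sed 's/[[:space:]]*$//; s|.*/||'
}

# Basenames of the *_sk private key files in host CA directory $1.
host_keyfiles() {
    for f in "$1"/*_sk; do
        if [ -f "$f" ]; then basename "$f"; fi
    done
}

# check_ca_keyfile COMPOSE_FILE CA_DIR
# Returns 0 when the named key exists on the host, 1 when the name is stale,
# 2 when the check cannot be made (variable empty or no key file on the host).
check_ca_keyfile() {
    want=$(compose_keyfile "$1")
    have=$(host_keyfiles "$2")
    if [ -z "$want" ] || [ -z "$have" ]; then
        echo "cannot check: compose names '$want', host keys '$have'" >&2
        return 2
    fi
    if printf '%s\n' "$have" | grep -qxF -- "$want"; then
        echo "ok: $want is present in $2"
        return 0
    fi
    echo "stale: compose names $want but $2 contains $have" >&2
    return 1
}

# Constructed sample reproducing the thread (empty placeholder files, no real keys).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/ca"
    : > "$d/ca/ca.org1.example.com-cert.pem"
    : > "$d/ca/f38c2e15e29d2d5daa9c4ae67b89a5089f71deb7e42d7c79d57af289f1ec1f3e_sk"
    cat > "$d/docker-compose.yml" <<'EOF'
    environment:
      - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c_sk
EOF
    check_ca_keyfile "$d/docker-compose.yml" "$d/ca"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "check failed with status $?"
```

The check only compares file names; it does not verify that the key on disk belongs to the certificate.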
