6

The steps which I have followed:

1) Started the fabric with 1 CA (which is the root CA), 1 orderer, 1 peer and 1 CouchDB.

2) I attached a shell to the CA which is the root and fired the 2 commands to register the intermediate CA.

  fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
  fabric-ca-client register --id.name ica --id.attrs '"hf.Registrar.Roles=user,peer",hf.Revoker=true,hf.IntermediateCA=true' --id.secret icapw

3) I started the ca1 container as follows:

services:
  ca1.example.com:
    image: hyperledger/fabric-ca:x86_64-1.1.0
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_PORT=8054
      - FABRIC_CA_SERVER_CA_NAME=ca1.example.com
    ports:
      - "8054:8054"
    command: sh -c 'fabric-ca-server start -b admin:adminpw -u http://ica:icapw@ca.example.com:7054'
    container_name: ca1.example.com
    networks:
      - basic

But it always creates default certificates, so I removed everything from the container and then fired the start command again. When I try to enroll the admin using that intermediate CA, it gives me the following error:

signed certificate with serial number 619423114660023963149266564884451731119475746692
ca1.example.com    | 2018/09/20 06:38:53 [INFO] 127.0.0.1:47144 POST /enroll 500 0 "Certificate signing failure: Failed to insert record intodatabase: attempt to write a readonly database"

I am unsure about the process I followed. Please suggest the exact steps to follow and, if the steps are correct, the cause of this error.

I have followed the documentation: https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.htm

Honey Shah
  • 471
  • 2
  • 14

2 Answers

3

Let's say you have a Root Fabric-CA (let's call it RCA) server up and running.

As per my understanding, you are trying to start an Intermediate Fabric-CA server which would be attached to the RCA above.

What I tried is the following.

version: '2'

networks:
  fabric-ca:

services:

  ica:
    container_name: ica
    image: hyperledger/fabric-ca
    command: /bin/bash -c '/scripts/start-intermediate-ca.sh 2>&1 | tee /data/logs/ica.log'
    environment:
      - FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca
      - FABRIC_CA_SERVER_CA_NAME=ica
      - FABRIC_CA_SERVER_INTERMEDIATE_TLS_CERTFILES=/data/rca-ca-cert.pem
      - FABRIC_CA_SERVER_CSR_HOSTS=ica
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_DEBUG=true
      - BOOTSTRAP_USER_PASS=ica-admin:ica-adminpw
      - PARENT_URL=https://rca-admin:rca-adminpw@rca:7054
      - TARGET_CHAINFILE=/data/ica-ca-chain.pem
    volumes:
      - ./data:/data
      - ./scripts:/scripts
      - ./data/fabric_ca_test/ica:/etc/hyperledger/fabric-ca
    networks:
      - fabric-ca
    ports:
      - 10.10.10.101:7055:7054

Note the use of the script start-intermediate-ca.sh

#!/bin/bash
#
set -e

# Initialize the intermediate CA
fabric-ca-server init -b "$BOOTSTRAP_USER_PASS" -u "$PARENT_URL"

# Copy the intermediate CA's certificate chain to the data directory to be used by others
cp "$FABRIC_CA_SERVER_HOME/ca-chain.pem" "$TARGET_CHAINFILE"

# Start the intermediate CA
fabric-ca-server start --config "$FABRIC_CA_SERVER_HOME/fabric-ca-server-config.yaml"

This is also available in an example which is present in the Hyperledger Fabric examples: Fabric CA Samples in the fabric-samples GitHub repository.

Go through it. It's a comprehensive example.

You should be able to tweak it a bit to handle your scenario.

Ashishkel
  • 845
  • 11
  • 19
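
The checks below are an added example, not part of the answer above or of fabric-samples: helper functions that could wrap the `fabric-ca-server init` step of start-intermediate-ca.sh. They reject a plain-HTTP parent URL, mask the enrollment credentials before they reach a log, and confirm the chain file holds at least two certificates. The function names, the single-path TLS cert variable and the two-certificate threshold are assumptions.

```bash
#!/bin/bash
# Added example (not from fabric-samples): checks to wrap around
# "fabric-ca-server init -u $PARENT_URL" in start-intermediate-ca.sh.

# Mask user:secret in a URL so it can be written to a log such as /data/logs/ica.log.
redact_url() {
  printf '%s\n' "$1" | sed -E 's#^([A-Za-z][A-Za-z0-9+.-]*://)[^/@]*@#\1***@#'
}

# Return 0 only for an https:// parent URL. With http:// the enrollment
# secret in the URL is sent to the parent CA unencrypted.
check_parent_url() {
  case "$1" in
    https://*) return 0 ;;
    http://*)  echo "plain-HTTP parent URL: $(redact_url "$1")" >&2; return 1 ;;
    *)         echo "parent URL has no http(s) scheme" >&2; return 2 ;;
  esac
}

# Print how many PEM certificates a file contains.
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Assumption: an intermediate CA's chain file holds its own certificate plus
# at least one parent certificate, so fewer than two suggests the server was
# not enrolled against the parent.
check_chain() {
  [ -s "$1" ] || { echo "chain file missing or empty: $1" >&2; return 1; }
  n=$(count_certs "$1")
  [ "$n" -ge 2 ] || { echo "only $n certificate(s) in $1" >&2; return 1; }
}

# Pre-flight for the environment the compose file sets.
# Assumption: the TLS certfiles variable names a single file, as it does above.
preflight() {
  check_parent_url "$PARENT_URL" || return 1
  [ -r "$FABRIC_CA_SERVER_INTERMEDIATE_TLS_CERTFILES" ] || {
    echo "parent TLS root not readable: $FABRIC_CA_SERVER_INTERMEDIATE_TLS_CERTFILES" >&2
    return 1
  }
}
```

In the script, `preflight` would run before `fabric-ca-server init` and `check_chain "$FABRIC_CA_SERVER_HOME/ca-chain.pem"` before the `cp`.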
0

Well, first of all, if you are having that kind of trouble, I highly recommend stopping and cleaning all of the containers by running the following docker commands:

docker stop $(docker ps -a -q)
docker rm $(docker ps -a -q)

I will base my explanation on the basic-network example.

After that, you must start your containers by calling your start.sh or startFabric.sh; that script usually has the docker-compose up, which is responsible for starting your docker containers.

I'm not sure what you mean by default certificates, but if you have a problem with those you can regenerate them. You probably have a generate.sh script; that one generates the new crypto-config and the genesis.block and config, and it is based on two files, configtx.yaml and crypto-config.yaml.

Be sure that the version of your cryptogen tool is the same as the version that you are using; it is very common to be pointing to an older version of the cryptogen tool, which generates corrupted certificates that won't work.

Well, if any of these solutions doesn't work, maybe you should start over. I wrote a guide based on that example (basic-network) on how to set up Hyperledger Fabric on multiple physical hosts; maybe you can check it.

Setup Hyperledger Fabric in multiple physical machines

Diego Bascans
  • 622
  • 3
  • 13
  • I can start basic-network from the beginning. My question is not about that, I want to set up an intermediate ca which is not a part of any tutorial. You can refer to this here https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#enrolling-an-intermediate-ca – Honey Shah Oct 08 '18 at 04:01