TLS Certificate chain not accepted when registering #4813

Open
jeanmarc opened this issue Apr 11, 2024 · 1 comment
Description

When joining an iSHARE Test Network (which is based on HLF Fabric), the provided certificate chain for TLS certificates that will be used by the peer nodes is being rejected. This is caused by the start/end date of one of the intermediates being wider than the start/end date of its issuer.
The certificate has been bought from a commercial vendor (Sectigo), so we can expect that they deliver a valid certificate + validation chain.
Running openssl verify ... against the certificate + ca chain shows OK responses for each certificate.

Is it correct and expected that Hyperledger considers this chain invalid, or should Hyperledger work in line with the way browsers and openssl verify work, and accept this certificate chain as valid for TLS connections?

Details of the certificate + chain (DNS names redacted):

../scripts/summarizePem.sh fullChain.pem
Inspecting fullChain.pem

cert_0.pem contains:
subject=CN=<redacted>
issuer=C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA
notBefore=Apr  4 00:00:00 2024 GMT
notAfter=Apr  5 23:59:59 2025 GMT

cert_1.pem contains:
subject=C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA
issuer=C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
notBefore=Nov  2 00:00:00 2018 GMT
notAfter=Dec 31 23:59:59 2030 GMT

cert_2.pem contains:
subject=C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
issuer=C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
notBefore=Mar 12 00:00:00 2019 GMT
notAfter=Dec 31 23:59:59 2028 GMT

cert_3.pem contains:
subject=C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
issuer=C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
notBefore=Jan  1 00:00:00 2004 GMT
notAfter=Dec 31 23:59:59 2028 GMT

Steps to reproduce

No response

@jeanmarc jeanmarc added the bug label Apr 11, 2024
Contributor

yacovm commented Apr 11, 2024

When joining an iSHARE Test Network (which is based on HLF Fabric)

What's an iSHARE test network? Please don't tell me BlackRock uses Fabric too... :-)

Does the certificate chain work with a simple test using a Golang web server that uses TLS? I'm asking because Fabric doesn't do anything special to the TLS intermediate and root certificates once it's up and running.

Also can you tell the Fabric version?
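The "simple test" suggested above, written out as an added example (not code from Fabric or from the reporter): it constructs a root, an intermediate whose validity window is wider than the root's (the shape of the Sectigo chain in the report), and a leaf, then runs Go's crypto/x509 path validation, which is what a Go TLS server or client relies on. All names, dates and keys are constructed fixtures; the example does not exercise Fabric's own MSP or TLS code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must unwraps (value, error); fixture generation here is not expected to fail.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

var serial int64 // counter so each constructed certificate gets a distinct serial number
// mkCert issues a CA or leaf certificate for cn signed by parent (self-signed when parent is nil).
func mkCert(cn string, nb, na time.Time, isCA bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: nb, NotAfter: na,
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, pk = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pk))
	return must(x509.ParseCertificate(der)), key
}

// verifyNestedChain builds root -> intermediate -> leaf where the intermediate's validity window is
// wider than its issuer's (as in the Sectigo chain above) and runs crypto/x509 path validation at time at.
func verifyNestedChain(now, at time.Time) error {
	root, rootKey := mkCert("Test Root", now.AddDate(-1, 0, 0), now.AddDate(4, 0, 0), true, nil, nil)
	inter, interKey := mkCert("Test Intermediate", now.AddDate(-2, 0, 0), now.AddDate(6, 0, 0), true, root, rootKey)
	leaf, _ := mkCert("leaf.example", now.AddDate(0, 0, -1), now.AddDate(10, 0, 0), false, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at})
	return err
}

func main() {
	now := time.Now()
	fmt.Println("at issuance time:", verifyNestedChain(now, now))                   // <nil>: validity nesting is not enforced
	fmt.Println("five years later:", verifyNestedChain(now, now.AddDate(5, 0, 0))) // error: the root has expired by then
}
```

Go only checks each certificate's own NotBefore/NotAfter against the verification time, so a chain whose intermediate outlives its issuer validates while every certificate is individually in date; a rejection of such a chain therefore comes from logic layered on top of the standard library, not from crypto/x509 itself.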
