TLS Certificate chain not accepted when registering #4813
Comments
What's an iSHARE test network? Please don't tell me BlackRock uses Fabric too... :-) Does the certificate chain work with a simple test using a Golang web server that uses TLS? I'm asking because Fabric doesn't do anything special to the TLS intermediate and root certificates once it's up and running. Also, can you tell the Fabric version?
Description
When joining an iSHARE Test Network (which is based on HLF Fabric), the provided certificate chain for TLS certificates that will be used by the peer nodes is being rejected. This is caused by the start/end date of one of the intermediates being wider than the start/end date of its issuer.
The certificate has been bought from a commercial vendor (Sectigo), so we can expect that they deliver a valid certificate + validation chain.
Running `openssl verify ...` against the certificate + ca chain shows `OK` responses for each certificate.
Is it correct and expected that Hyperledger considers this chain invalid, or should Hyperledger work in line with the way browsers and `openssl verify` work, and accept this certificate chain as valid for TLS connections?
Details of the certificate + chain (DNS names redacted):
Steps to reproduce
No response
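To check the reported condition outside Fabric with plain Go, as the comment suggests, the following added example (not code from the issue or from the Fabric project) builds a constructed chain whose intermediate is valid for longer than its root. It shows that Go's `crypto/x509` still verifies the chain, because it compares each certificate only with the current time, while a separate check flags the validity-nesting violation. The helper names `issue` and `NestingViolations`, the certificate names, keys and dates are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates one constructed certificate; a nil parent makes it self-signed.
func issue(cn string, from, to time.Time, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk) // a failure here surfaces in the parse below
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c, key
}

// NestingViolations names each certificate in leaf-first ch whose validity window exceeds its issuer's.
func NestingViolations(ch []*x509.Certificate) (bad []string) {
	for i := 0; i+1 < len(ch); i++ {
		if ch[i].NotBefore.Before(ch[i+1].NotBefore) || ch[i].NotAfter.After(ch[i+1].NotAfter) {
			bad = append(bad, ch[i].Subject.CommonName)
		}
	}
	return bad
}

func main() {
	now := time.Now() // every validity period below is constructed sample data
	root, rk := issue("Constructed Root CA", now.AddDate(-1, 0, 0), now.AddDate(5, 0, 0), true, nil, nil)
	mid, mk := issue("Constructed Intermediate CA", now.AddDate(-2, 0, 0), now.AddDate(10, 0, 0), true, root, rk)
	leaf, _ := issue("peer.example.test", now.AddDate(0, 0, -1), now.AddDate(1, 0, 0), false, mid, mk)
	roots, mids := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	mids.AddCert(mid)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: mids}) // compares each cert with time.Now() only
	fmt.Println("verify error:", err, "| nesting violations:", NestingViolations([]*x509.Certificate{leaf, mid, root}))
}
```

Running `NestingViolations` over a real chain parsed with `x509.ParseCertificate` (leaf first, root last) names the certificate whose dates fall outside its issuer's.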