Error - “Too many intermediates for path length constraint” when register new identity




In Hyperledger fabric-ca, I create a chain of CAs like this:



Root CA - Intermediate CA 1 - Intermediate CA 2 - Intermediate CA 3



With these CAs, in the "signing" part of fabric-ca-config.yaml I set "maxpathlen: 5", and in the "csr" part I set "pathlength: 5".

This means my chain should be valid for at least 4 intermediate CAs, and I can register new identities in Intermediate CA 3.



In fact, I can enroll the admin of Intermediate CA 3; however, when I register a new identity, I get this error:



/register 401 26 "Untrusted certificate: Failed to verify certificate: x509: too many intermediates for path length constraint"



What have I done wrong, and how do I configure this value?

My config file:


# Version of config file
version: 1.1.0

# Server's listening port (default: 7054)
port: 7054

# Enables debug logging (default: false)
debug: false

# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000

tls:
  # Enable TLS (default: false)
  enabled: false
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:

ca:
  # Name of this CA
  name:
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:

crl:
  # Specifies expiration for the generated CRL. The number of hours
  # specified by this property is added to the UTC time; the resulting time
  # is used to set the 'Next Update' date of the CRL.
  expiry: 24h

registry:
  # Maximum number of times a password/secret can be reused for enrollment
  # (default: -1, which means there is no limit)
  maxenrollments: -1

  # Contains identity information which is used when LDAP is disabled
  identities:
    - name: Admin
      pass: adminpw
      type: client
      affiliation:
      attrs:
        hf.Registrar.Roles: "*"
        hf.Registrar.DelegateRoles: "*"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.GenCRL: true
        hf.Registrar.Attributes: "*"
        hf.AffiliationMgr: true

affiliations:
  org1:
    - department1
    - department2
  org2:
    - department1

signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 5
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - client auth
        - key agreement
      expiry: 8760h

csr:
  cn: fabric-ca-server
  names:
    - C: US
      ST: "California"
      L:
      O: Hyperledger
      OU: Fabric
  hosts:
    - ca
    - localhost
  ca:
    expiry: 131400h
    pathlength: 5





So are you trying to enroll "Intermediate CA 3"? It would be helpful if you could post the commands and/or code that you are running. I suspect that you are trying to actually enroll "Intermediate CA 3" using the fabric-ca-client? In that case, you need to make sure that you pass in the --enrollment.profile "ca" flag.
– Gari Singh
Aug 3 at 10:07







I can enroll the Admin user of Intermediate CA 3, but after that I can't register a new identity in "Intermediate CA 3"; it always throws the above error.
– Huy Tran
Aug 3 at 11:10





Can you post your fabric-ca-config.yaml file, or at least the ca profiles section?
– Gari Singh
Aug 3 at 12:34







I updated the config file in my question, thanks :)
– Huy Tran
Aug 6 at 3:08




1 Answer



I found the root cause is simple: when initializing the network, I didn't create the cert/key myself and configure it, so Fabric-CA used its own key/cert, whose default config sets maxpathlen=1.

If I create the cert/key myself and set pathlength > 3 in the cert config, then my network is OK.
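The path length check behind that error, as an added example (not code from the question or from fabric-ca): a small Go program that builds the question's chain Root CA -> Intermediate CA 1..3 -> admin, issuing every intermediate with maxpathlen 5 as the "ca" signing profile does, then verifies the admin certificate with the root's pathLenConstraint set to 1 (the default cert the answer describes) and to 5. fabric-ca is written in Go and the quoted message is crypto/x509's; the names, keys and validity periods here are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a cert for cn signed by parent (self-signed when parent is nil); pathLen is the basicConstraints pathLenConstraint (-1 = absent), "cert sign" usage marks a CA.
func newCert(cn string, ku x509.KeyUsage, pathLen int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, // demo serial
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, MaxPathLen: pathLen, KeyUsage: ku,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyChain builds Root CA -> Intermediate CA 1..3 -> admin (three intermediates, as in the question) and verifies admin against the root; only the root's pathLenConstraint varies.
func verifyChain(rootPathLen int) error {
	const caUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // the "ca" profile's usage list
	parent, pk := newCert("Root CA", caUsage, rootPathLen, nil, nil)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(parent)
	for i := 1; i <= 3; i++ { // each intermediate is issued with maxpathlen 5, like the "ca" signing profile
		parent, pk = newCert(fmt.Sprintf("Intermediate CA %d", i), caUsage, 5, parent, pk)
		inters.AddCert(parent)
	}
	admin, _ := newCert("admin", x509.KeyUsageDigitalSignature, -1, parent, pk)
	_, err := admin.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	fmt.Printf("root pathlen 1: %v\nroot pathlen 5: %v\n", verifyChain(1), verifyChain(5))
}
```

The verifier counts the intermediates between the end entity and each CA it walks through, so with three intermediates any root pathLenConstraint below 3 is rejected no matter what the intermediates' own constraints say. Because the root certificate is fixed once issued, raising maxpathlen in fabric-ca-config.yaml afterwards changes only certificates issued from then on, which is why the answer has to regenerate the cert/key.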





