How to start intermediate ca using docker-compose?

Question

The steps which I have followed:

1) started the fabric with 1-ca(which is root ca), 1-orderer, 1-peer and 1-couchdb

2) I attached the shell to ca which is root and fire the 2 commands to register the intermediate ca.

fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
  fabric-ca-client register --id.name ica --id.attrs '"hf.Registrar.Roles=user,peer",hf.Revoker=true,hf.IntermediateCA=true' --id.secret icapw
 

3) I started the ca1 container as follows:

services:
  ca1.example.com:
    image: hyperledger/fabric-ca:x86_64-1.1.0
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_PORT=8054
      - FABRIC_CA_SERVER_CA_NAME=ca1.example.com
    ports:
      - "8054:8054"
    command: sh -c 'fabric-ca-server start -b admin:adminpw -u http://ica:[email protected]:7054'
    container_name: ca1.example.com
    networks:
      - basic

But it always creates default certificates so I removed all from container and then fire start command again and when I try to enrol admin using that intermediate ca it gives me following error:

signed certificate with serial number 619423114660023963149266564884451731119475746692
ca1.example.com    | 2018/09/20 06:38:53 [INFO] 127.0.0.1:47144 POST /enrol 500 0 "Certificate signing failure: Failed to insert record into database: attempt to write a read only database"

I am unsure about the process I followed. So suggest me the exact steps to follow and if the steps are correct then the cause of this error.

I have followed the documentation : https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.htm

Answer 1

Assume that you have a Topmost Fabric-CA (TCA) server which is set up and running. Now coming on to your question, we can say that you are set to enable an Intermediate Fabric-CA (ICA) server which is attached to the assumed RCA server.     

I tried the following line of commands and it worked. You should try the same as well. 

version: '2'

networks:  fabric-ca:

services:

interca:

container_name: interca

image: hyperledger/fabric-ca

command: /bin/bash -c '/scripts/start-intermediate-ca.sh 2>&1 | tee /data/logs/ica.log'

environment:

  - FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca

  - FABRIC_CA_SERVER_CA_NAME=interca

  - FABRIC_CA_SERVER_INTERMEDIATE_TLS_CERTFILES=/data/tca-ca-cert.pem

  - FABRIC_CA_SERVER_CSR_HOSTS=interca

  - FABRIC_CA_SERVER_TLS_ENABLED=true

  - FABRIC_CA_SERVER_DEBUG=true

  - BOOTSTRAP_USER_PASS=interca-admin:interca-adminpw

  - PARENT_URL=https://tca-admin:tca-adminpw@tca:7054

  - TARGET_CHAINFILE=/data/interca-ca-chain.pem

volumes:

  - ./data:/data

  - ./scripts:/scripts

  - ./data/fabric_ca_test/interca:/etc/hyperledger/fabric-ca

networks:

  - fabric-ca

ports:

  - 10.10.10.101:7055:7054

You should also note that we have been using script start-intermediate-ca.sh

#!/bin/bash

#

set -e

# Initialize intermediate CA (interca)

fabric-ca-server init -b $BOOTSTRAP_USER_PASS -u $PARENT_URL

# Copy interca certificate chain to a data directory that can be used by others

cp $FABRIC_CA_SERVER_HOME/ca-chain.pem $TARGET_CHAINFILE

# Now start the interca

fabric-ca-server start --config $FABRIC_CA_SERVER_HOME/fabric-ca-server-config.yaml