
Unable to Enroll user after being unEnrolled - ECA.db user state needs to be reset

Open ghost opened this issue 8 years ago • 10 comments

When un-enrolling a User using REST API: DELETE host:port/registrar/{enrollmentID}

and trying to re-enroll it using the new enrollSecret (fetched from the eca.db, table: Users) I get the following failure notification: certificate creation token expired

Upon investigation it seems that the "state" field in the "Users" table is not being reset to 0.

@diegomasini @muralisrini

Thanks.

ghost avatar May 27 '16 00:05 ghost

@teddyhitti - this is an interesting one. The REST API on the peer does not actually unregister a user from member services. All it actually does is delete the credentials from the peer hosting the API (think of the peer as being a wallet for the user's credentials).

We should think about what we really should be doing here

mastersingh24 avatar May 27 '16 09:05 mastersingh24

@mastersingh24 @diegomasini thought this was curious too. Will request him to chime in with his thoughts as well.

muralisrini avatar May 27 '16 11:05 muralisrini

@mastersingh24 @muralisrini I was looking at the code. As @teddyhitti mentioned, the REST call doesn't reset the state in the table users of eca.db. It remains in the state 2, which means that the user was fully enrolled. An additional call to the CreateCertificatePair() function in eca.go while in that state will trigger an error with this message "Invalid (=expired) certificate creation token provided." I imagine two options (could be more): one is to reset the state to 0, but that will generate a new enrollment certificate. The other option is to extend the logic so that, if the user is fully enrolled, an additional call to this function will be handled by calling the ReadCertificatePair().

diegomasini avatar May 27 '16 17:05 diegomasini

@diegomasini @mastersingh24 my understanding was that the enrollment process was supposed to work only once with a given enrollID/enrollSecret. Therefore, I am not sure if a new enrollment certificate pair should be generated in this case.

And yes, @mastersingh24 is right on the reasoning as to why this was put in place. We had initially imagined the devops service (which stores the credentials on the local peer node) serving as a wallet for the client. Though now, since we are reworking this concept into the client SDK, this would need more discussion.

angrbrd avatar May 27 '16 20:05 angrbrd

@angrbrd you are right, it should run only once for a given enrollment ID. Changing the state back to 0 will generate a new certificate pair, and that is not the desired behavior. It should return the existing certificate. The question is if that functionality should be part of the client SDK or part of the ECA. As you said, this needs more discussion.

diegomasini avatar May 27 '16 22:05 diegomasini

@mastersingh24 @diegomasini I think the behavior should be to remove the ID completely as if it had never been registered or enrolled. We should NOT support any kind of partial rollback of an ID's state until/unless it is a requirement.

Who should be allowed to perform this operation? a) The ID itself b) The registrar that registered the ID. This would need to be stored in the DB as it is not currently. c) A registrar with deleteRoles for the identity type. The 'deleteRoles' doesn't currently exist, but would be similar to roles and delegateRoles.

This requires work in member services and in the node SDK. It should only be supported via the node SDK.

Comments/Thoughts?

smithbk avatar Jul 07 '16 13:07 smithbk
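The thread describes three ways the ECA could treat a repeat enrollment for an ID whose Users row is already in state 2: reset the state to 0 (which mints a second certificate), answer with the existing pair via ReadCertificatePair(), or remove the ID entirely. The following Go program is an added example written for this issue, not code from Fabric's membersrvc; it models an in-memory stand-in for the eca.db Users table with only the two states named in the thread (0 registered, 2 fully enrolled), uses the error text quoted by diegomasini, and takes the enrollment ID and secret from echenrunner's login.json as constructed sample values. The function and field names are assumptions, not the real eca.go API.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// States named in the thread; the real eca.db has intermediate states not modelled here.
const (
	StateRegistered    = 0
	StateFullyEnrolled = 2
)

// Error text quoted in the thread for a CreateCertificatePair call in state 2.
var ErrTokenExpired = errors.New("Invalid (=expired) certificate creation token provided.")
var ErrNoSuchUser = errors.New("no such enrollment ID")
var ErrBadSecret = errors.New("invalid enrollment secret")

// User is one row of the hypothetical Users table.
type User struct {
	ID     string
	Secret string
	State  int
	Cert   string // stand-in for the issued enrollment certificate
}

// ECA is an in-memory stand-in for eca.db plus a counter of certificates issued.
type ECA struct {
	users  map[string]*User
	issued int
}

func NewECA() *ECA { return &ECA{users: map[string]*User{}} }

// Register creates the row in state 0 with its one-time enrollment secret.
func (e *ECA) Register(id, secret string) {
	e.users[id] = &User{ID: id, Secret: secret, State: StateRegistered}
}

func (e *ECA) lookup(id, secret string) (*User, error) {
	u, ok := e.users[id]
	if !ok {
		return nil, ErrNoSuchUser
	}
	// Constant-time comparison so the secret check does not leak timing.
	if subtle.ConstantTimeCompare([]byte(u.Secret), []byte(secret)) != 1 {
		return nil, ErrBadSecret
	}
	return u, nil
}

// CreateCertificatePair reproduces the behaviour reported in the issue: it issues
// once, then fails with the expired-token error while the row stays in state 2.
func (e *ECA) CreateCertificatePair(id, secret string) (string, error) {
	u, err := e.lookup(id, secret)
	if err != nil {
		return "", err
	}
	if u.State == StateFullyEnrolled {
		return "", ErrTokenExpired
	}
	e.issued++
	u.Cert = fmt.Sprintf("cert-%s-%d", id, e.issued)
	u.State = StateFullyEnrolled
	return u.Cert, nil
}

// ReadCertificatePair returns the certificate already issued, without minting another.
func (e *ECA) ReadCertificatePair(id, secret string) (string, error) {
	u, err := e.lookup(id, secret)
	if err != nil {
		return "", err
	}
	if u.State != StateFullyEnrolled {
		return "", errors.New("user is not enrolled")
	}
	return u.Cert, nil
}

// EnrollOrRead is the second option from the thread: a repeat enrollment with the
// same ID/secret gets the existing pair, so the ID still enrolls exactly once.
func (e *ECA) EnrollOrRead(id, secret string) (string, error) {
	cert, err := e.CreateCertificatePair(id, secret)
	if errors.Is(err, ErrTokenExpired) {
		return e.ReadCertificatePair(id, secret)
	}
	return cert, err
}

// ResetState is the first option: back to state 0, after which the next
// CreateCertificatePair mints a second certificate for the same ID.
func (e *ECA) ResetState(id string) error {
	u, ok := e.users[id]
	if !ok {
		return ErrNoSuchUser
	}
	u.State, u.Cert = StateRegistered, ""
	return nil
}

// Unregister is smithbk's proposal: remove the ID entirely, no partial rollback.
func (e *ECA) Unregister(id string) error {
	if _, ok := e.users[id]; !ok {
		return ErrNoSuchUser
	}
	delete(e.users, id)
	return nil
}
```

Running the three options against one registered ID shows the difference the thread cares about: EnrollOrRead hands back the same certificate string on every call, ResetState followed by CreateCertificatePair produces a second, distinct certificate for the same ID, and after Unregister the ID is unknown to the ECA rather than left in a half-rolled-back state.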

Hi @srderson, could you assign this issue to me? Thanks!!

gromeroar avatar Jul 26 '16 19:07 gromeroar

Hi guys, last week I reported that I can't enroll a user after I corrected the password and was getting "Failed checking signing enrollment certificate for signing: [x509: certificate signed by unknown authority]"

If there is no fix for this, I would like to post this fix for review. Thank you

echenrunner avatar Sep 19 '16 16:09 echenrunner

Hi @echenrunner

Can you please elaborate as to how you are running into this issue? What version of the Fabric network are you using? How are you running it? How are you connecting to it? If through the SDK, please state which version of the hfc package you are using.

Thanks.

angrbrd avatar Sep 19 '16 16:09 angrbrd

Hi,

Fabric peer server version 0.1.0
I'm running in a develop environment on a stand-alone machine, no network outside of the server and no Docker. The problem occurs when you register with an incorrect "enrollSecret" and then re-register again with the correct "enrollSecret" value; I will then get "Failed checking signing enrollment certificate for signing: [x509: certificate signed by unknown authority]"

    curl -d "@login.json" -H "Content-Type: application/json" -X POST http://localhost:5000/registrar

    {
      "enrollId": "alice",
      "enrollSecret": "CMS10pEQlB16"
    }

    16:36:20.245 [rest] Register -> INFO 0de REST client login...
    16:36:20.246 [rest] Register -> INFO 0df Local data store for client loginToken: /var/hyperledger/production/client/
    16:36:20.247 [rest] Register -> INFO 0e0 Logging in user 'alice' on REST interface...
    16:36:20.247 [crypto] RegisterClient -> INFO 0e1 Registering client [alice] with name [alice]...
    16:36:20.295 [crypto] Debugf -> DEBU 0e2 [client.alice] Data will be stored at [/var/hyperledger/production/crypto/client/alice]
    16:36:20.306 [crypto] Debugf -> DEBU 0e3 [client.alice] Keystore path [/var/hyperledger/production/crypto/client/alice/ks] missing false: []
    16:36:20.307 [crypto] Debugf -> DEBU 0e4 [client.alice] Keystore [/var/hyperledger/production/crypto/client/alice/ks/db] missing
    16:36:20.307 [crypto] Debugf -> DEBU 0e5 [client.alice] Keystore opened at [/var/hyperledger/production/crypto/client/alice/ks]...done
    16:36:20.307 [crypto] Debug -> DEBU 0e6 [client.alice] Registering node crypto engine...
    16:36:20.307 [crypto] Debug -> DEBU 0e7 [client.alice] Initiliazing TLS...
    16:36:20.308 [crypto] Debugf -> DEBU 0e8 [client.alice] Loading external certificate at [/var/hyperledger/production/.membersrvc/tlsca.cert]...
    16:36:20.314 [crypto] Debug -> DEBU 0e9 [client.alice] Initiliazing TLS...Done
    16:36:20.315 [crypto] Debug -> DEBU 0ea [client.alice] Getting ECA client...
    16:36:20.316 [crypto] Debugf -> DEBU 0eb [client.alice] Dial to addr:[localhost:50051], with serverName:[tlsca]...
    16:36:20.318 [crypto] Debug -> DEBU 0ec [client.alice] TLS enabled...
    16:36:20.345 [crypto] Debug -> DEBU 0ed [client.alice] Getting ECA client...done
    16:36:20.511 [crypto] Debugf -> DEBU 0ee [client.alice] Enrollment certificate for signing [00 61 36 f8 c5 5c c3 a6 8a 30 db d2 04 15 6e 07 22 a1 84 20 64 6f 2b 1c 8e 7c 5a d5 7f 50 8f 4e]
    16:36:20.609 [crypto] Errorf -> ERRO 0ef [client.alice] Failed checking signing enrollment certificate for signing: [x509: certificate signed by unknown authority]
    16:36:20.611 [crypto] Errorf -> ERRO 0f0 [client.alice] Failed getting enrollment certificate [id=alice]: [x509: certificate signed by unknown authority]
    16:36:20.611 [crypto] Errorf -> ERRO 0f1 [client.alice] Failed retrieving enrollment data [x509: certificate signed by unknown authority].
    16:36:20.612 [crypto] Errorf -> ERRO 0f2 [client.alice] Failed registering node crypto engine [x509: certificate signed by unknown authority].
    16:36:20.612 [crypto] Errorf -> ERRO 0f3 [client.alice] Failed registering client [alice]: [x509: certificate signed by unknown authority]
    16:36:20.612 [crypto] RegisterClient -> ERRO 0f4 Failed registering client [alice] with name [alice] [x509: certificate signed by unknown authority].
    16:36:20.612 [rest] Register -> ERRO 0f5 Error on client login: x509: certificate signed by unknown authority {"Error":"x509: certificate signed by unknown authority"}


echenrunner avatar Sep 19 '16 16:09 echenrunner