Chaincode container cannot connect to local peer: certificate signed by unknown authority

Time: 2017-08-23 13:52:03

Tags: ssl hyperledger hyperledger-fabric hyperledger-composer root-certificate

First, I'd like to mention that my setup works like a charm when TLS is not enabled. It even runs in Docker Swarm on AWS.

The problems start when TLS is enabled. When I deploy my .bna file via Composer, my newly created chaincode container produces the following log:

2017-08-23 13:14:16.389 UTC [Composer] Info -> INFO 001 Setting the Composer pool size to 8
2017-08-23 13:14:16.402 UTC [shim] userChaincodeStreamGetter -> ERRO 002 Error trying to connect to local peer: x509: certificate signed by unknown authority
Error starting chaincode: Error trying to connect to local peer: x509: certificate signed by unknown authority

Interestingly, this works when the .bna is deployed via composer playground (while TLS is still enabled in my fabric)...

Here is my connection profile:

{
    "name": "test",
    "description": "test",
    "type": "hlfv1",
    "orderers": [
        {
            "url": "grpcs://orderer.company.com:7050",
            "cert": "-----BEGIN CERTIFICATE-----blabla1\n-----END CERTIFICATE-----\n"
        }
    ],
    "channel": "channelname",
    "mspID": "CompanyMSP",
    "ca": {
        "url": "https://ca.company.com:7054",
        "name": "ca-company",
        "trustedRoots": [
            "-----BEGIN CERTIFICATE-----\nblabla2\n-----END CERTIFICATE-----\n"
        ],
        "verify": true
    },
    "peers": [
        {
            "requestURL": "grpcs://peer0.company.com:7051",
            "eventURL": "grpcs://peer0.company.com:7053",
            "cert": "-----BEGIN CERTIFICATE-----\nbalbla3\n-----END CERTIFICATE-----\n"
        }
    ],
    "keyValStore": "/home/composer/.composer-credentials",
    "timeout": 300
}

My certificates are generated by the cryptogen tool, so:

  • orderers.0.cert contains the value of crypto-config/ordererOrganizations/company.com/orderers/orderer.company.com/msp/tlscacerts/tlsca.company.com-cert.pem
  • peers.0.cert contains the value of crypto-config/peerOrganizations/company.com/peers/peer0.company.com/msp/tlscacerts/tlsca.company.com-cert.pem
  • ca.trustedRoots.0 contains crypto-config/peerOrganizations/company.com/peers/peer0.company.com/tls/ca.crt

I have a feeling that my trustedRoots certificate is wrong...

UPDATE: when I run docker inspect chaincode_container, I can see that it is missing the ENV variable CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/peer.crt, while the chaincode container deployed via the playground does have it...

1 answer:

Answer 0 (score: 0)

When the chaincode image is built, the TLS certificate used to build the trusted roots comes from rootcert:

# TLS Settings

# Note that peer-chaincode connections through chaincodeListenAddress is
# not mutual TLS auth. See comments on chaincodeListenAddress for more info
tls:
    enabled:  false
    cert:
        file: tls/server.crt
    key:
        file: tls/server.key
    rootcert:
        file: tls/ca.crt

The TLS certificate the peer uses to run the gRPC service is cert.

By the way - you are using release branch code, not master branch code - is that correct?
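As an added example (not from the question or the answer above), this Go program builds a throwaway TLS CA, a peer server certificate signed by it, and an unrelated CA, then verifies the peer certificate against each root the way a TLS client dialing the peer does; the second check reproduces the "x509: certificate signed by unknown authority" error from the log. The certificate names reuse the question's hostnames as constructed placeholders, and the helper names (issue, ChainsToRoot) are my own, not Fabric APIs.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue: a self-signed CA when parent is nil, otherwise a TLS server cert for host cn signed by parent (constructed test PKI, not Fabric material).
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // self-signed root: the template is its own issuer
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// ChainsToRoot mirrors the client-side check on dial: verify the peer's TLS cert (and hostname) against rootCert alone.
func ChainsToRoot(peerCert, rootCert *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(rootCert)
	_, err := peerCert.Verify(x509.VerifyOptions{Roots: pool, DNSName: peerCert.Subject.CommonName})
	return err
}

func main() {
	tlsCA, tlsKey := issue("tlsca.company.com", 1, nil, nil) // stands in for tlsca.company.com-cert.pem
	otherCA, _ := issue("ca.company.com", 2, nil, nil)       // an unrelated CA, e.g. the MSP signing CA
	peer, _ := issue("peer0.company.com", 3, tlsCA, tlsKey)  // the peer's gRPC server certificate
	fmt.Println("tlsca as root:", ChainsToRoot(peer, tlsCA))   // <nil>
	fmt.Println("other CA as root:", ChainsToRoot(peer, otherCA)) // x509: certificate signed by unknown authority
}
```

The same check can be run against real files by parsing the PEM of the peer's tls/server.crt and the candidate root with x509.ParseCertificate; whichever root makes ChainsToRoot return nil is the one that belongs in trustedRoots and in the container's CORE_PEER_TLS_ROOTCERT_FILE.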