fabric-ca-server connecting to MySQL over SSL

Time: 2018-05-23 08:52:58

Tags: mysql ssl hyperledger-fabric-ca

I read this document, https://hyperledger-fabric-ca.readthedocs.io/en/release-1.0/users-guide.html#mysql-ssl-configuration, to set up fabric-ca-server to connect to MySQL with SSL. I used openssl to generate the CA files and copied the client files into fabric-ca-server (via volumes in docker-compose).

These are the TLS-related variables in fabric-ca-server:

- FABRIC_CA_SERVER_DB_TLS_CERTFILES=/etc/hyperledger/fabric-ca-server-config/mysql-ssl/ca.pem
- FABRIC_CA_SERVER_DB_TLS_CLIENT_CERTFILE=/etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-cert.pem
- FABRIC_CA_SERVER_DB_TLS_CLIENT_KEYFILE=/etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-key.pem

I get this log in the fabric-ca container:

CA Files: [/etc/hyperledger/fabric-ca-server-config/mysql-ssl/ca.pem]
2018/05/23 08:20:32 [DEBUG] Client Cert File: /etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-cert.pem
2018/05/23 08:20:32 [DEBUG] Client Key File: /etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-key.pem
2018/05/23 08:20:32 [DEBUG] Check client TLS certificate for valid dates
2018/05/23 08:20:32 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: CSP:500 - Failed getting key for SKI [[250 75 118 17 13 151 30 107 89 252 20 23 73 26 157 142 242 68 135 173 169 174 26 220 55 109 100 221 107 41 99 135]]
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw/impl.go:257 github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw.(*impl).GetKey
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:218 github.com/hyperledger/fabric-ca/util.GetSignerFromCert
/opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:340 github.com/hyperledger/fabric-ca/util.LoadX509KeyPair
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/tls/tls.go:78 github.com/hyperledger/fabric-ca/lib/tls.GetClientTLSConfig
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/dbutil/dbutil.go:182 github.com/hyperledger/fabric-ca/lib/dbutil.NewUserRegistryMySQL
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/ca.go:539 github.com/hyperledger/fabric-ca/lib.(*CA).initDB
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/ca.go:155 github.com/hyperledger/fabric-ca/lib.(*CA).init
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/ca.go:126 github.com/hyperledger/fabric-ca/lib.initCA
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:266 github.com/hyperledger/fabric-ca/lib.(*Server).initDefaultCA
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:97 github.com/hyperledger/fabric-ca/lib.(*Server).Init
/opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:116 github.com/hyperledger/fabric-ca/lib.(*Server).Start
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/start.go:41 main.runStart
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC
/opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:95 main.RunMain
/opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:82 main.main
/opt/go/src/runtime/proc.go:192 runtime.main
/opt/go/src/runtime/asm_amd64.s:2087 runtime.goexit
Caused by: Key type not recognized
2018/05/23 08:20:32 [DEBUG] Attempting fallback with certfile /etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-cert.pem and keyfile /etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-key.pem

I also connected to MySQL in other ways: one was to start another mysql container as a client and connect to the MySQL server with SSL; the other was to use MySQL Workbench with SSL on my host, by exposing the MySQL server port to my host machine.

Using this statement:

SELECT sbt.variable_value AS tls_version, t2.variable_value AS cipher, processlist_user AS user, processlist_host AS host FROM performance_schema.status_by_thread AS sbt JOIN performance_schema.threads AS t ON t.thread_id = sbt.thread_id JOIN performance_schema.status_by_thread AS t2 ON t2.thread_id = t.thread_id WHERE sbt.variable_name = 'Ssl_version' and t2.variable_name = 'Ssl_cipher' ORDER BY tls_version;

[image: output of the query above]

So, I want to know whether the certificates I generated are valid, but what is going wrong in the Fabric CA code?

1 answer:

Answer 0 (score: 0)

After many attempts, with some help, I found the solution:

First, the CA environment in docker-compose.yml must be set to

FABRIC_CA_SERVER_DB_DATASOURCE=****:****@tcp(mysql_ca:3306)/fabric_ca?parseTime=true&tls=custom

mysql_ca is the name of the mysql container, and &tls=custom must be added.

Second, when generating the SSL certificate, the Common Name must be the same as the name of the mysql container. That is, the Common Name can be specified on the command line:

openssl req -newkey rsa:2048 -days 3600 \
  -nodes -keyout server-key.pem -subj /CN=mysql_ca -out server-req.pem
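As an added example (not code from the question, the answer, or the fabric-ca project), the Go program below reproduces the two checks behind this answer. The tls=custom parameter in the data source name is what selects a client TLS config registered under that name with go-sql-driver/mysql, and that config's ServerName is compared against the server certificate during the handshake, which is why the certificate name must equal the host inside tcp(host:port). The CA and server certificate are generated in memory as constructed stand-ins for ca.pem and the server certificate; sampleDSN, ParseDSN, NewTestPKI, VerifyServerCert and ClientTLSConfig are names chosen here, and the password in sampleDSN is a placeholder. The server certificate carries mysql_ca both as the CN the answer sets and as a Subject Alternative Name, because Go 1.15 and later no longer match hostnames against the CN alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"regexp"
	"time"
)

// Constructed DSN in the shape the answer uses; user and password are placeholders.
const sampleDSN = "fabric_ca_user:PLACEHOLDER_PASSWORD@tcp(mysql_ca:3306)/fabric_ca?parseTime=true&tls=custom"

// Host inside tcp(host:port), optional port, then the query string after '?'.
var dsnRe = regexp.MustCompile(`@tcp\(([^:)]+)(?::\d+)?\)[^?]*(?:\?(.*))?$`)

// ParseDSN returns the host fabric-ca will dial and the DSN parameters
// (tls=custom is the one that selects the registered client TLS config).
func ParseDSN(dsn string) (string, url.Values, error) {
	m := dsnRe.FindStringSubmatch(dsn)
	if m == nil {
		return "", nil, errors.New("DSN has no @tcp(host:port) section")
	}
	params, err := url.ParseQuery(m[2])
	return m[1], params, err
}

// issue creates a P-256 key and a certificate for tmpl; with a nil parent the
// certificate is self-signed (used for the throwaway CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewTestPKI builds a throwaway CA and a server certificate for serverName,
// standing in for the ca.pem and server certificate openssl would produce.
func NewTestPKI(serverName string) (*x509.CertPool, *x509.Certificate, error) {
	now := time.Now()
	caCert, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	srvCert, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serverName}, // the -subj /CN=mysql_ca from the answer
		DNSNames:     []string{serverName},              // SAN as well: Go 1.15+ does not fall back to CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, srvCert, nil
}

// VerifyServerCert repeats the check crypto/tls performs on the server
// certificate when the client config carries RootCAs and ServerName.
func VerifyServerCert(srv *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := srv.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// ClientTLSConfig is the shape of the config registered under the name
// "custom": CA pool, client cert/key, and the host taken from the DSN.
func ClientTLSConfig(roots *x509.CertPool, host string, clientCert tls.Certificate) *tls.Config {
	return &tls.Config{
		RootCAs:      roots,
		ServerName:   host, // must match a name in the server certificate
		Certificates: []tls.Certificate{clientCert},
		MinVersion:   tls.VersionTLS12,
	}
}
```

VerifyServerCert succeeds for the host parsed from the DSN (mysql_ca) and fails with a hostname error for any other name such as localhost, which is the mismatch the answer's second step removes. The GetClientTLSConfig frame in the question's log is the point where fabric-ca assembles the equivalent of ClientTLSConfig from the FABRIC_CA_SERVER_DB_TLS_* files, and the "Attempting fallback" line shows it still loading the cert and key files directly after the BCCSP lookup failed.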