握手失败，并出现致命错误SSL_ERROR_SSL：错误：14090086：SSL例程：ssl3_get_server_certificate：证书验证失败

Question

在尝试使用api创建频道时，我遇到了这个错误（我正在使用类似的示例来平衡布料示例的传输示例）

但是，我可以使用cli命令创建频道，安装，实例化和调用

我已经附上了错误的屏幕截图和我的网络配置文件enter image description here

  

-networkconfig.yaml-

     

＃

     

网络连接配置文件向客户端应用程序提供有关目标的信息

     应用程序与之交互所必需的

区块链网络。这些都是

     必须从带外源获取的

知识。该文件提供了这样的来源。

     

名称：“业务连接”

     

＃

     

任何带有“ x-”前缀的属性都将被视为特定于应用程序，就像命名方式一样

     HTTP标头或swagger属性中的

起作用。 SDK只会忽略这些字段并离开

     

用于处理应用程序。这是用于应用程序不同组件的机制

     

交换不属于以下描述的标准架构的信息。特别是

     

Hyperledger Composer使用以下带有“ hlfv1”值示例的“ x-type”属性

     

确定需要使用的Fabric网络的类型（v0.6与v1.0）。

     

x类型：“ hlfv1”

     

＃

     

描述目标网络是/做什么。

     

描述：“ Business connect-POC”

     

＃

     

内容的架构版本。 SDK用来应用相应的解析规则。

     

版本：“ 1.0”

     

＃

     

将在每个组织的基础上添加客户端部分，请参见org1.yaml和org2.yaml

     

＃

     

客户端：

     

＃

     

[可选]。但是大多数应用程序都会有此部分，以便可以构造通道对象

     

根据以下内容。如果某个应用正在创建频道，则可能不需要此

     

部分。

     

channels：＃通道内部通道的名称：

# Required. list of orderers designated by the application to use for transactions on this
# channel. This list can be a result of access control ("org1" can only access "ordererA"), or
# operational decisions to share loads from applications among the orderers.  The values must
# be "names" of orgs defined under "organizations/peers"
orderers:
  - orderer1-htc

# Required. list of peers from participating orgs
peers:
  peer1-accounts:
    # [Optional]. will this peer be sent transaction proposals for endorsement? The peer must
    # have the chaincode installed. The app can also use this property to decide which peers
    # to send the chaincode install request. Default: true
    endorsingPeer: true

    # [Optional]. will this peer be sent query proposals? The peer must have the chaincode
    # installed. The app can also use this property to decide which peers to send the
    # chaincode install request. Default: true
    chaincodeQuery: true

    # [Optional]. will this peer be sent query proposals that do not require chaincodes, like
    # queryBlock(), queryTransaction(), etc. Default: true
    ledgerQuery: true

    # [Optional]. will this peer be the target of the SDK's listener registration? All peers can
    # produce events but the app typically only needs to connect to one to listen to events.
    # Default: true
    eventSource: true

  peer1-mgmt:
    endorsingPeer: false
    chaincodeQuery: true
    ledgerQuery: true
    eventSource: false

  peer1-project:
    endorsingPeer: false
    chaincodeQuery: true
    ledgerQuery: true
    eventSource: true


# [Optional]. what chaincodes are expected to exist on this channel? The application can use
# this information to validate that the target peers are in the expected state by comparing
# this list with the query results of getInstalledChaincodes() and getInstantiatedChaincodes()
chaincodes:
  # the format follows the "cannonical name" of chaincodes by fabric code
  - mycontract-v0.1

     

＃

     

此网络中参与组织的列表

     

组织：htc：

mspid: htcMSP
orderer: 
  - orderer1-htc
certificateAuthorities:
  - ica-htc   accounts:
mspid: accountsMSP

peers:
  - peer1-accounts

# [Optional]. Certificate Authorities issue certificates for identification purposes in a Fabric based
# network. Typically certificates provisioning is done in a separate process outside of the
# runtime network. Fabric-CA is a special certificate authority that provides a REST APIs for
# dynamic certificate management (enroll, revoke, re-enroll). The following section is only for
# Fabric-CA servers.
certificateAuthorities:
  - ica-accounts

# [Optional]. If the application is going to make requests that are reserved to organization
# administrators, including creating/updating channels, installing/instantiating chaincodes, it
# must have access to the admin identity represented by the private key and signing certificate.
# Both properties can be the PEM string or local path to the PEM file. Note that this is mainly for
# convenience in development mode, production systems should not expose sensitive information
# this way. The SDK should allow applications to set the org admin identity via APIs, and only use
# this route as an alternative when it exists.
adminPrivateKey:
  path: network/data/orgs/accounts/admin/msp/keystore/accounts_sk
signedCert:
  path: network/data/orgs/accounts/admin/msp/signcerts/cert.pem

     

＃个人资料将包含有关组织的公共信息   除了它所属的那个。 ＃这些是必要的信息   使事务生命周期有效，包括MSP ID和＃个对等体   使用公共URL发送交易建议。该文件不会   包含保留给会员的私人＃信息   组织，例如管理密钥和证书，＃fabric-ca   注册商注册ID和机密等。mgmt：       mspid：mgmtMSP       同行：         -peer1-mgmt       certificateAuthorities：         -ica-mgmt       adminPrivateKey：         路径：网络/数据/组织/ mgmt / admin / msp / keystore / mgmt_sk       签名证书：         路径：network / data / orgs / mgmt / admin / msp / signcerts / cert.pem项目：       mspid：项目MSP       同行：         -peer1项目       certificateAuthorities：         -ICA项目       adminPrivateKey：         路径：network / data / orgs / project / admin / msp / keystore / project_sk       签名证书：         路径：network / data / orgs / project / admin / msp / signcerts / cert.pem

     

＃

     

要发送交易和频道创建/更新请求的订购者列表。暂时

     

只需要一个订购者。如果定义了多个，则

将使用哪个      

SDK是特定于实现的。请查阅每个SDK的文档以了解如何处理订单。

     

orderers：orderer1-htc：

url: grpcs://localhost:7050

# these are standard properties defined by the gRPC library
# they will be passed in as-is to gRPC client constructor
grpcOptions:
  ssl-target-name-override: orderer1-htc
tlsCACerts:
  path: network/data/htc.crt

     

＃

     

要向其发送各种请求的对等方列表，包括认可，查询

     

和事件侦听器注册。

     

peers：peer1帐户：

# this URL is used to send endorsement and query requests
url: grpcs://localhost:7051
grpcOptions:
  ssl-target-name-override: peer1-accounts
tlsCACerts:
  path: network/data/accounts.crt

     

peer1-mgmt：       网址：grpcs：// localhost：8051       grpcOptions：         ssl-target-name-override：peer1-mgmt       tlsCACerts：         路径：network / data / mgmt.crt

     

peer1-project：       网址：grpcs：// localhost：9051

grpcOptions:
  ssl-target-name-override: peer1-project
tlsCACerts:
  path: network/data/project.crt

     

＃

     

Fabric-CA是Hyperledger Fabric提供的一种特殊的证书颁发机构，它允许

     

证书管理通过REST API完成。应用程序可以选择使用标准

     

证书颁发机构而不是Fabric-CA，在这种情况下将不指定此部分。

     

certificateAuthorities：ica-htc：

url: http://localhost:1054
httpOptions:
  verify: false
tlsCACerts:
  path: network/data/htc-ca-cert.pem
registrar:
  - enrollId: ica-htc-admin
    enrollSecret: ica-htc-adminpw
# [Optional] The optional name of the CA.
caName: ica-htc   ica-accounts:
url: http://localhost:7054
# the properties specified under this object are passed to the 'http' client verbatim when
# making the request to the Fabric-CA server
httpOptions:
  verify: false
tlsCACerts:
  path: network/data/accounts-ca-chain.pem

# Fabric-CA supports dynamic user enrollment via REST APIs. A "root" user, a.k.a registrar, is
# needed to enroll and invoke new users.
registrar:
  - enrollId: ica-accounts-admin
    enrollSecret: ica-accounts-adminpw
# [Optional] The optional name of the CA.
caName: ica-accounts

     

ica-mgmt：       网址：http://localhost:8054       httpOptions：         验证：错误       tlsCACerts：         路径：network / data / mgmt-ca-chain.pem       注册商：         -enrollId：ica-mgmt-admin           秘密注册：ica-mgmt-adminpw       ＃[可选] CA的可选名称。       caName：ica-mgmt

     

ica项目：       网址：http://localhost:9054       httpOptions：         验证：错误       tlsCACerts：         路径：network / data / project-ca-chain.pem       注册商：         -enrollId：ica-project-admin           秘密注册：ica-project-adminpw       ＃[可选] CA的可选名称。       caName：ica-project

Answer 1

好像您在TLS握手中收到主机名验证错误。在您的设置中

# this URL is used to send endorsement and query requests
url: grpcs://localhost:7051
grpcOptions:
  ssl-target-name-override: peer1-accounts
tlsCACerts:
  path: network/data/accounts.crt

您正在呼叫localhost，但是将替代设置为peer1-accounts。您在URL中使用的主机名必须与对等方使用的TLS证书中的SAN之一匹配，或者为ssl-target-name-override设置的任何值都必须与TLS证书中的SAN之一匹配。

您可以使用openssl打印证书的详细信息：

openssl x509 -noout -text -in path-to-tls-cert

Answer 2

此问题与防火墙中的块有关。当我在防火墙上禁用 SSL 检查时，它又工作了，没问题