在Hyperledger网络中,我同时启用了TLS和CLIENTAUTH(在同级和订购者上,而不在CA上)。但是当涉及通过fabric-sdk-node库提交事务时,在验证客户证书的过程中我总是遇到错误。
我还尝试过显式设置TLS客户端证书,但是没有运气。 https://fabric-sdk-node.github.io/tutorial-mutual-tls.html
对等/订单.yaml
- name: CORE_PEER_TLS_ENABLED
value: "true"
- name: CORE_PEER_TLS_CERT_FILE
value: /shared/crypto-config/peerOrganizations/org1.example.com/peers/blockchain-org1peer2.org1.example.com/tls/server.crt
- name: CORE_PEER_TLS_KEY_FILE
value: /shared/crypto-config/peerOrganizations/org1.example.com/peers/blockchain-org1peer2.org1.example.com/tls/server.key
- name: CORE_PEER_TLS_ROOTCERT_FILE
value: /shared/crypto-config/peerOrganizations/org1.example.com/peers/blockchain-org1peer2.org1.example.com/tls/ca.crt
- name: CORE_PEER_TLS_CLIENTAUTHREQUIRED
value: "true"
- name: CORE_PEER_TLS_CLIENTROOTCAS_FILES
value: /shared/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/ca.crt
- name: CORE_PEER_TLS_CLIENTCERT_FILE
value: /shared/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.crt
- name: CORE_PEER_TLS_CLIENTKEY_FILE
value: /shared/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.key
connection.json
{
"name": "bam-ticketing-network",
"version": "1.0.0",
"client": {
"organization": "Org1",
"connection": {
"timeout": {
"peer": {
"endorser": "300"
},
"orderer": "300"
}
},
"credentialStore": {
"path": "./local_fabric/tmp/hfc-kvs",
"cryptoStore": {
"path": "./local_fabric/tmp/hfc-cvs"
},
"wallet": "wallet"
},
"tlsCerts": {
"systemCertPool": true,
"client": {
"key": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.key"
},
"cert": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.crt"
}
}
}
},
"channels": {
"channel1": {
"orderers": [
"blockchain-orderer1",
"blockchain-orderer2",
"blockchain-orderer3"
],
"peers": {
"blockchain-org1peer1": {
"endorsingPeer": true,
"chaincodeQuery": true,
"ledgerQuery": true,
"eventSource": true
},
"blockchain-org1peer2": {
"endorsingPeer": true,
"chaincodeQuery": true,
"ledgerQuery": true,
"eventSource": true
}
}
}
},
"organizations": {
"Org1": {
"mspid": "Org1MSP",
"peers": [
"blockchain-org1peer1",
"blockchain-org1peer2"
],
"certificateAuthorities": [
"blockchain-ca"
],
"adminPrivateKey": [
"./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/key.pem"
],
"signedCert": [
"./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/signcerts/Admin@org1.example.com-cert.pem"
]
}
},
"orderers": {
"blockchain-orderer1": {
"url": "grpcs://192.168.99.130:31011",
"grpcOptions": {
"ssl-target-name-override": "blockchain-orderer1",
"grpc-max-send-message-length": 4194304
},
"tlsCACerts": {
"path": "./local_fabric/certs/crypto-config/ordererOrganizations/example.com/orderers/blockchain-orderer1.example.com/tls/ca.crt"
}
},
"blockchain-orderer2": {
"url": "grpcs://192.168.99.130:31012",
"grpcOptions": {
"ssl-target-name-override": "blockchain-orderer2",
"grpc-max-send-message-length": 4194304
},
"tlsCACerts": {
"path": "./local_fabric/certs/crypto-config/ordererOrganizations/example.com/orderers/blockchain-orderer2.example.com/tls/ca.crt"
}
},
"blockchain-orderer3": {
"url": "grpcs://192.168.99.130:31013",
"grpcOptions": {
"ssl-target-name-override": "blockchain-orderer3",
"grpc-max-send-message-length": 4194304
},
"tlsCACerts": {
"path": "./local_fabric/certs/crypto-config/ordererOrganizations/example.com/orderers/blockchain-orderer3.example.com/tls/ca.crt"
}
}
},
"peers": {
"blockchain-org1peer1": {
"url": "grpcs://192.168.99.130:30110",
"grpcOptions": {
"ssl-target-name-override": "blockchain-org1peer1",
"grpc.keepalive_time_ms": 600000
},
"clientKey": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.key"
},
"clientCert": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.crt"
},
"tlsCACerts": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/peers/blockchain-org1peer1.org1.example.com/tls/ca.crt"
}
},
"blockchain-org1peer2": {
"url": "grpcs://192.168.99.130:30210",
"grpcOptions": {
"ssl-target-name-override": "blockchain-org1peer2",
"grpc.keepalive_time_ms": 600000
},
"clientKey": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.key"
},
"clientCert": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.crt"
},
"tlsCACerts": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/peers/blockchain-org1peer2.org1.example.com/tls/ca.crt"
}
}
},
"certificateAuthorities": {
"blockchain-ca": {
"url": "https://192.168.99.130:30054",
"registrar": {
"enrollmentID": "admin",
"enrollmentSecret": "adminpw",
"profile": "tls"
},
"httpOptions": {
"verify": false
},
"tlsCACerts": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem",
"client": {
"key": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.key"
},
"cert": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.crt"
}
}
}
}
}
}
我不断收到此错误:
在对等方上:ERRO 1587b [0m TLS握手失败,错误tls:无法验证客户端的证书:x509:未知授权服务器签名的证书= PeerServer remoteaddress = 172.17.0.1:62440
在nodejs应用程序上:ERRO 11347 [0m TLS握手失败,错误tls:无法验证客户端的证书:x509:未知授权服务器签名的证书= PeerServer remoteaddress = 172.17.0.1:6156
我希望光纤网络客户端或网关可以提供一些选项来支持双向TLS或一些connection.json示例。
答案 0 :(得分:0)
在故障排除期间,我发现Fabric-client出于某种原因未为相互TLS加载正确的证书。加载的证书内容与客户端配置的“ tlsCerts”部分中分隔的证书内容不同。 (有关更多详细信息,bug report)
无论如何,我已经设法通过以下变通方法来解决加载适当的证书的问题,在该变通方法中,我将此密钥和证书显式设置给客户端:
const clientKey = fs.readFileSync(path.join(__dirname, './local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.key'));
const clientCert = fs.readFileSync(path.join(__dirname, './local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.crt'));
const gateway = new Gateway();
const caName = ccp.getCertificatAuthoritiesForOrg(orgName)[0];
const opts = {
wallet: wallet,
identity: identityID,
discovery: {enabled: false, asLocalhost: false},
clientTlsIdentity: 'tlsId'
};
await gateway.connect(ccp.profile, opts);
//set TLS certs for CLIENTAUTH
const client = await gateway.getClient();
client.setTlsClientCertAndKey(Buffer.from(clientCert).toString(), Buffer.from(clientKey).toString());