values.yaml文件中用于设置订购者和同伴的部分:
orderers:
# cert/key pair generated by Letsencrypt for a single orderer
# DNS name (e.g. ord0.network.example.com)
# ORDERER_GENERAL_TLS_CERTIFICATE & ORDERER_GENERAL_TLS_PRIVATEKEY
# mounted on /var/hyperledger/tls/server/pair/tls.crt
# mounted on /var/hyperledger/tls/server/pair/tls.key
tls: <k8s secret holding both tls.crt and tls.key>
# ORDERER_GENERAL_TLS_ROOTCAS
# mounted on /var/hyperledger/tls/server/cert/cert.pem
tlsRootCert: <k8s holding the letsencrypt x3 cross-signed certificate>
# ORDERER_GENERAL_TLS_CLIENTROOTCAS
# same as tlsRootCert
# mounted on /var/hyperledger/tls/client/cert/cert.pem
tlsClientRootCert: <k8s holding the letsencrypt x3 cross-signed certificate>
# cert/key generated by fabric-ca-client enroll for the
# NON admin identity "ord0"
# mounted on /var/hyperledger/msp/signcerts
cert: ord0-idcert
# mounted on /var/hyperledger/msp/keystore
key: ord0-idkey
# also generated by fabric-ca-client enroll for the
# NON admin identity "ord0"
# mounted on /var/hyperledger/admin_msp/cacerts/cert.pem
caCert: ord-ca-cert
与双向TLS身份验证相关的其他订单环境变量:
ORDERER_GENERAL_TLS_ENABLED=true
ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=true
peers:
# cert/key pair generated by Letsencrypt for a single peer
# e.g. peer0.org1.network.example.com
# CORE_PEER_TLS_CERT_FILE & CORE_PEER_TLS_KEY_FILE
# mounted on /var/hyperledger/tls/server/pair/tls.crt
# mounted on /var/hyperledger/tls/server/pair/tls.key
tls: <k8s secret holding both tls.crt and tls.key>
# CORE_PEER_TLS_ROOTCERT_FILE
# mounted on /var/hyperledger/tls/server/cert/cert.pem
tlsRootCert: <k8s holding the letsencrypt x3 cross-signed certificate>
# CORE_PEER_TLS_CLIENTROOTCAS_FILES
# same as tlsRootCert
# mounted on /var/hyperledger/tls/client/cert/cert.pem
tlsClientRootCert: <k8s holding the letsencrypt x3 cross-signed certificate>
# CORE_PEER_TLS_CLIENTCERT_FILE & CORE_PEER_TLS_CLIENTKEY_FILE
# mounted on /var/hyperledger/tls/client/pair/tls.crt
# mounted on /var/hyperledger/tls/client/pair/tls.key
tlsClient: <k8s secret holding both tls.crt and tls.key>
# cert/key generated by fabric-ca-client enroll for the
# NON admin identity "peer0"
# mounted on /var/hyperledger/msp/signcerts
cert: peer0-idcert
# mounted on /var/hyperledger/msp/keystore
key: peer0-idkey
# also generated by fabric-ca-client enroll for the
# NON admin identity "peer0"
caCert: peer-ca-cert
与TLS相互认证有关的其他环境变量:
CORE_PEER_TLS_ENABLED=true
CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
从peer0 POD发出涉及与一个订购者(即ord0)通信的命令时,我们会收到bad certificate错误:
对等频道加入完整命令:
CORE_PEER_MSPCONFIGPATH=/var/hyperledget/admin_msp \
peer channel join -o ord0.network.example.com:443 \
-b /var/hyperledger/mychannel.block \
--tls \
--cafile /var/hyperledger/tls/server/cert/cert.pem \
--certfile /var/hyperledger/tls/server/cert/cert.pem \
--keyfile /var/hyperledger/tls/client/pair/tls.key \
--clientauth
订购者的记录行:
2019-07-03 14:04:09.717 UTC [core.comm] ServerHandshake -> ERRO 68c TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=10.0.3.97:43398
2019-07-03 14:04:09.717 UTC [grpc] handleRawConn -> DEBU 68d grpc: Server.Serve failed to complete security handshake from "10.0.3.97:43398": remote error: tls: bad certificate
2019-07-03 14:04:10.599 UTC [core.comm] ServerHandshake -> ERRO 68e TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=10.0.3.97:43404
2019-07-03 14:04:10.599 UTC [grpc] handleRawConn -> DEBU 68f grpc: Server.Serve failed to complete security handshake from "10.0.3.97:43404": remote error: tls: bad certificate
2019-07-03 14:04:12.274 UTC [core.comm] ServerHandshake -> ERRO 690 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=10.0.3.97:43420
注意:10.0.3.97是入口控制器的POD IP。