Hyperledger Fabric相互TLS身份验证导致订购者错误:“ tls:错误的证书”

时间:2019-07-03 16:41:17

标签: ssl hyperledger-fabric hyperledger

values.yaml文件中用于设置订购者和同伴的部分:

orderers:
    # cert/key pair generated by Letsencrypt for a single orderer
    # DNS name (e.g. ord0.network.example.com)
    # ORDERER_GENERAL_TLS_CERTIFICATE & ORDERER_GENERAL_TLS_PRIVATEKEY
    # mounted on /var/hyperledger/tls/server/pair/tls.crt
    # mounted on /var/hyperledger/tls/server/pair/tls.key
    tls: <k8s secret holding both tls.crt and tls.key>

    # ORDERER_GENERAL_TLS_ROOTCAS
    # mounted on /var/hyperledger/tls/server/cert/cert.pem
    tlsRootCert: <k8s holding the letsencrypt x3 cross-signed certificate>

    # ORDERER_GENERAL_TLS_CLIENTROOTCAS
    # same as tlsRootCert
    # mounted on /var/hyperledger/tls/client/cert/cert.pem
    tlsClientRootCert: <k8s holding the letsencrypt x3 cross-signed certificate>

    # cert/key generated by fabric-ca-client enroll for the
    # NON admin identity "ord0"
    # mounted on /var/hyperledger/msp/signcerts
    cert: ord0-idcert
    # mounted on /var/hyperledger/msp/keystore
    key: ord0-idkey

    # also generated by fabric-ca-client enroll for the
    # NON admin identity "ord0"
    # mounted on /var/hyperledger/admin_msp/cacerts/cert.pem
    caCert: ord-ca-cert

与双向TLS身份验证相关的其他订单环境变量:

ORDERER_GENERAL_TLS_ENABLED=true
ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=true
peers:
    # cert/key pair generated by Letsencrypt for a single peer
    # e.g. peer0.org1.network.example.com
    # CORE_PEER_TLS_CERT_FILE & CORE_PEER_TLS_KEY_FILE
    # mounted on /var/hyperledger/tls/server/pair/tls.crt
    # mounted on /var/hyperledger/tls/server/pair/tls.key
    tls: <k8s secret holding both tls.crt and tls.key>

    # CORE_PEER_TLS_ROOTCERT_FILE
    # mounted on /var/hyperledger/tls/server/cert/cert.pem
    tlsRootCert: <k8s holding the letsencrypt x3 cross-signed certificate>

    # CORE_PEER_TLS_CLIENTROOTCAS_FILES
    # same as tlsRootCert
    # mounted on /var/hyperledger/tls/client/cert/cert.pem
    tlsClientRootCert: <k8s holding the letsencrypt x3 cross-signed certificate>

    # CORE_PEER_TLS_CLIENTCERT_FILE & CORE_PEER_TLS_CLIENTKEY_FILE
    # mounted on /var/hyperledger/tls/client/pair/tls.crt
    # mounted on /var/hyperledger/tls/client/pair/tls.key
    tlsClient: <k8s secret holding both tls.crt and tls.key>

    # cert/key generated by fabric-ca-client enroll for the
    # NON admin identity "peer0"
    # mounted on /var/hyperledger/msp/signcerts
    cert: peer0-idcert
    # mounted on /var/hyperledger/msp/keystore
    key: peer0-idkey

    # also generated by fabric-ca-client enroll for the
    # NON admin identity "peer0"
    caCert: peer-ca-cert

与TLS相互认证有关的其他环境变量:

CORE_PEER_TLS_ENABLED=true
CORE_PEER_TLS_CLIENTAUTHREQUIRED=true

peer0 POD发出涉及与一个订购者(即ord0)通信的命令时,我们会收到bad certificate错误:

对等频道加入完整命令:

CORE_PEER_MSPCONFIGPATH=/var/hyperledget/admin_msp \
    peer channel join -o ord0.network.example.com:443 \
    -b /var/hyperledger/mychannel.block \
    --tls \
    --cafile /var/hyperledger/tls/server/cert/cert.pem \
    --certfile /var/hyperledger/tls/server/cert/cert.pem \
    --keyfile /var/hyperledger/tls/client/pair/tls.key  \
    --clientauth

订购者的记录行:

2019-07-03 14:04:09.717 UTC [core.comm] ServerHandshake -> ERRO 68c TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=10.0.3.97:43398
2019-07-03 14:04:09.717 UTC [grpc] handleRawConn -> DEBU 68d grpc: Server.Serve failed to complete security handshake from "10.0.3.97:43398": remote error: tls: bad certificate
2019-07-03 14:04:10.599 UTC [core.comm] ServerHandshake -> ERRO 68e TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=10.0.3.97:43404
2019-07-03 14:04:10.599 UTC [grpc] handleRawConn -> DEBU 68f grpc: Server.Serve failed to complete security handshake from "10.0.3.97:43404": remote error: tls: bad certificate
2019-07-03 14:04:12.274 UTC [core.comm] ServerHandshake -> ERRO 690 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=10.0.3.97:43420

注意:10.0.3.97是入口控制器的POD IP。

0 个答案:

没有答案