Hyperledger Fabric - peer cannot connect to (raft) orderer over mutual TLS

Time: 2019-08-15 16:50:03

Tags: ssl hyperledger-fabric hyperledger

I am running HLF on kubernetes (3 raft orderers and 2 peers).

Now, since raft requires mutual TLS, I had to set up some certificates.

The 3 raft orderers can talk to each other, since they elect a leader, and when I take that leader down another one gets elected.

When setting up the peers I generated the certificates with the same CA. I can create a channel and join it from the peers. However, I have to run CORE_PEER_MSPCONFIGPATH=$ADMIN_MSP_PATH before those commands, otherwise I get an Access Denied error.

I was also forced to append the following flags to every peer channel x command I run.

--tls --cafile $ORD_TLS_PATH/cacert.pem --certfile $CORE_PEER_TLS_CLIENTCERT_FILE --keyfile $CORE_PEER_TLS_CLIENTKEY_FILE --clientauth

I am able to create, fetch and join channels using the admin MSP.

Now, once the channel is joined, the peer cannot establish a connection to the orderer, somehow giving a bad certificate error.

Orderer logs

Wrong certificate used?

2019-08-15 16:07:55.699 UTC [core.comm] ServerHandshake -> ERRO 221 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=10.130.2.148:53922
2019-08-15 16:07:55.699 UTC [grpc] handleRawConn -> DEBU 222 grpc: Server.Serve failed to complete security handshake from "10.130.2.148:53922": remote error: tls: bad certificate

Peer logs

These suggest it can't verify against ca.crt?

2019-08-15 16:10:17.990 UTC [grpc] DialContext -> DEBU 03a parsed scheme: ""
2019-08-15 16:10:17.990 UTC [grpc] DialContext -> DEBU 03b scheme "" not registered, fallback to default scheme
2019-08-15 16:10:17.991 UTC [grpc] watcher -> DEBU 03c ccResolverWrapper: sending new addresses to cc: [{orderer-2.hlf-orderers.svc.cluster.local:7050 0  <nil>}]
2019-08-15 16:10:17.991 UTC [grpc] switchBalancer -> DEBU 03d ClientConn switching balancer to "pick_first"
2019-08-15 16:10:17.991 UTC [grpc] HandleSubConnStateChange -> DEBU 03e pickfirstBalancer: HandleSubConnStateChange: 0xc00260b710, CONNECTING
2019-08-15 16:10:18.009 UTC [grpc] createTransport -> DEBU 03f grpc: addrConn.createTransport failed to connect to {orderer-2.hlf-orderers.svc.cluster.local:7050 0  <nil>}. Err :connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority". Reconnecting...
2019-08-15 16:10:18.012 UTC [grpc] HandleSubConnStateChange -> DEBU 040 pickfirstBalancer: HandleSubConnStateChange: 0xc00260b710, TRANSIENT_FAILURE
2019-08-15 16:10:18.991 UTC [grpc] HandleSubConnStateChange -> DEBU 041 pickfirstBalancer: HandleSubConnStateChange: 0xc00260b710, CONNECTING
2019-08-15 16:10:19.003 UTC [grpc] createTransport -> DEBU 042 grpc: addrConn.createTransport failed to connect to {orderer-2.hlf-orderers.svc.cluster.local:7050 0  <nil>}. Err :connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority". Reconnecting...
2019-08-15 16:10:19.003 UTC [grpc] HandleSubConnStateChange -> DEBU 043 pickfirstBalancer: HandleSubConnStateChange: 0xc00260b710, TRANSIENT_FAILURE
2019-08-15 16:10:20.719 UTC [grpc] HandleSubConnStateChange -> DEBU 044 pickfirstBalancer: HandleSubConnStateChange: 0xc00260b710, CONNECTING
2019-08-15 16:10:20.731 UTC [grpc] createTransport -> DEBU 045 grpc: addrConn.createTransport failed to connect to {orderer-2.hlf-orderers.svc.cluster.local:7050 0  <nil>}. Err :connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority". Reconnecting...
2019-08-15 16:10:20.733 UTC [grpc] HandleSubConnStateChange -> DEBU 046 pickfirstBalancer: HandleSubConnStateChange: 0xc00260b710, TRANSIENT_FAILURE
2019-08-15 16:10:20.990 UTC [ConnProducer] NewConnection -> ERRO 047 Failed connecting to {orderer-2.hlf-orderers.svc.cluster.local:7050 [OrdererMSP]} , error: context deadline exceeded

I generated the certificates, used as follows:

Orderer admin

fabric-ca-client enroll -u https://u:p@ca.example.com -M ./OrdererMSP

Orderer node X

Since I use the same certificate for TLS, I added the hosts here for TLS purposes:

  • orderer-x.hlf-orderers.svc.cluster.local #kubernetes
  • orderer-x.hlf-orderers #kubernetes
  • orderer-x #kubernetes
  • localhost #local debugging

fabric-ca-client enroll -m orderer-x \
  -u https://ox:px@ca.example.com \
  --csr.hosts orderer-x.hlf-orderers.svc.cluster.local,orderer-x.hlf-orderers,orderer-x,localhost \
  -M orderer-x-MSP

Peer Admin

fabric-ca-client enroll -u https://u:p@ca.example.com -M ./PeerMSP

Peer node X

fabric-ca-client enroll -m peer-x \
  -u https://ox:px@ca.example.com \
  --csr.hosts peer-x.hlf-peers.svc.cluster.local,peer-x.hlf-peers,peer-x,localhost \
  -M peer-x-MSP

Now all of these have the same ca.crt (/cacerts/ca.example.com.pem).

configtx.yaml

        Orderer:
            <<: *OrdererDefaults
            OrdererType: etcdraft
            EtcdRaft:
                Consenters:
                    - Host: orderer-1.hlf-orderers.svc.cluster.local
                      Port: 7050
                      ClientTLSCert: orderer-1-MSP/signcerts/cert.pem
                      ServerTLSCert: orderer-1-MSP/signcerts/cert.pem
                    - Host: orderer-2.hlf-orderers.svc.cluster.local
                      Port: 7050
                      ClientTLSCert: orderer-2-MSP/signcerts/cert.pem
                      ServerTLSCert: orderer-2-MSP/signcerts/cert.pem
                    - Host: orderer-3.hlf-orderers.svc.cluster.local
                      Port: 7050
                      ClientTLSCert: orderer-3-MSP/signcerts/cert.pem
                      ServerTLSCert: orderer-3-MSP/signcerts/cert.pem
            Addresses:
                - orderer-1.hlf-orderers.svc.cluster.local:7050
                - orderer-2.hlf-orderers.svc.cluster.local:7050
                - orderer-3.hlf-orderers.svc.cluster.local:7050

I have checked multiple times that the correct certificates are mounted in the correct places and configured.

On the peer side, I made sure that:

  • CORE_PEER_TLS_CLIENTROOTCAS_FILES is set correctly and the (correct) file is mounted (CORE_PEER_TLS_CLIENTROOTCAS_FILES: "/var/hyperledger/tls/client/cert/ca.crt")
  • The same for CORE_PEER_TLS_CLIENTKEY_FILE and CORE_PEER_TLS_CLIENTCERT_FILE
  • CORE_PEER_TLS_CLIENTAUTHREQUIRED is set to true

On the orderer side, I made sure that:

  • ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED is set to true
  • ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE is set correctly
  • ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY is set correctly
  • ORDERER_GENERAL_TLS_CLIENTROOTCAS is set correctly

What I find strange is that the orderers are able to talk to each other (when electing a leader) while the peers cannot.

2 Answers:

Answer 0 (score: 1)

It seems you are running into the following error

E0923 16:30:14.963567129 31166 ssl_transport_security.cc:989] Handshake failed with fatal error SSL_ERROR_SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate.
E0923 16:30:15.964456710 31166 ssl_transport_security.cc:188] ssl_info_callback: error occured.

Based on your details everything seems correct, but please check the following:

certificate signed by unknown authority -> This makes me a bit doubtful about your certificate mapping

Make sure:

PEER:

  • CORE_PEER_TLS_ENABLED=true
  • CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/tls/server.crt
  • CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/tls/server.key
  • CORE_PEER_TLS_ROOTCERT_FILE=/data/maersksea-rca-maersksea-chain.pem
  • CORE_PEER_TLS_CLIENTCERT_FILE=/data/tls/maersksea-peer-maersksea-client.crt
  • CORE_PEER_TLS_CLIENTKEY_FILE=/data/tls/maersksea-peer-maersksea-client.key
  • CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
  • CORE_PEER_TLS_CLIENTROOTCAS_FILES=/data/maersksea-rca-maersksea-chain.pem

ORDERER:

  • ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=true
  • ORDERER_GENERAL_TLS_CLIENTROOTCAS=[/data/maersksea-rca-maersksea-chain.pem]

Answer 1 (score: 1)

It seems that the tlscacerts should be in the msp directory(ies) PRIOR to creating the genesis/channel blocks. Mounting them into the pods only at runtime is not enough.

My msp directory (used for configtx.yaml) is as follows:

  • admincerts
  • tlscacerts
  • cacerts
  • ...

After that everything started working.
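Both logs are the same check failing in opposite directions: the peer verifies the orderer's server certificate against the CA file it was handed, and the orderer verifies the peer's client certificate against ORDERER_GENERAL_TLS_CLIENTROOTCAS. The Go program below is an added example (not code from the question, the answers, or Fabric) that reproduces that check with crypto/x509, the standard package whose "x509: certificate signed by unknown authority" message appears in the peer log: a constructed CA standing in for ca.example.com issues a node certificate with the --csr.hosts SAN list, and Verify succeeds only when the trusted-root set actually contains the issuing CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue returns a cert for hosts[0] with every host as a SAN (what --csr.hosts does). A nil parent
// yields a self-signed root CA (constructed stand-in for ca.example.com), otherwise a node TLS cert.
func Issue(hosts []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: hosts[0]},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames: hosts, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // root CA: no SANs or EKUs, allowed to sign certs, signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		tmpl.DNSNames, tmpl.ExtKeyUsage = nil, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Verify is the check the gRPC handshake runs on each side: cert must chain to one of roots (the contents
// of ca.crt / ClientRootCAs) and carry dnsName as a SAN. No roots means an empty pool, never system roots.
func Verify(cert *x509.Certificate, roots []*x509.Certificate, dnsName string) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}

func main() { // prints <nil> for the right ca.crt, then the unknown-authority error when it is missing
	ca, caKey := Issue([]string{"ca.example.com"}, nil, nil)
	leaf, _ := Issue([]string{"orderer-2.hlf-orderers.svc.cluster.local", "orderer-2", "localhost"}, ca, caKey)
	fmt.Println(Verify(leaf, []*x509.Certificate{ca}, "orderer-2.hlf-orderers.svc.cluster.local"), "|", Verify(leaf, nil, "orderer-2.hlf-orderers.svc.cluster.local"))
}
```

A root issued by a different CA fails the same way as no root at all, which is the "certificate mapping" doubt raised in the first answer; a wrong hostname instead fails the SAN check, so the two log messages tell you which file to look at.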