TLS handshake fails after enabling Raft mode

Time: 2019-11-25 09:12:38

Tags: ssl hyperledger-fabric hyperledger

I have a Hyperledger Fabric network running with TLS enabled and Kafka consensus. Now I have been trying to move to Raft, and I always get this message in the orderers: TLS handshake failed with error tls: first record does not look like a TLS handshake server=Orderer remoteaddress=IP:PORT. As I said, TLS was working fine before making the changes.

Now I will show you what I did regarding Raft and TLS. First, I modified the configtx.yaml file, specifically the part related to the ordering service.

configtx.yaml section

Orderer: &OrdererDefaults
  OrdererType: etcdraft
  Addresses:
  - orderer0.org1:7050
  - orderer0.org2:7050
  - orderer0.org3:7050
  EtcdRaft:
    Consenters:
    - Host: orderer0.org1
      Port: 7050
      ClientTLSCert: /data/org1/orderers/orderer0/tls/client.crt
      ServerTLSCert: /data/org1/orderers/orderer0/tls/server.crt
    - Host: orderer0.org2
      Port: 7050
      ClientTLSCert: /data/org2/orderers/orderer0/tls/client.crt
      ServerTLSCert: /data/org2/orderers/orderer0/tls/server.crt
    - Host: orderer0.org3
      Port: 7050
      ClientTLSCert: /data/org3/orderers/orderer0/tls/client.crt
      ServerTLSCert: /data/org3/orderers/orderer0/tls/server.crt
  Organizations:
  - *org1
  - *org2
  - *org3
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
    BlockValidation:
      Type: ImplicitMeta
      Rule: "ANY Writers"
  Capabilities:
    <<: *OrdererCapabilities

As can be seen, every organization's orderer needs TLS client and server certificates, so I generate them in each orderer container and upload them to a MinIO server that I use for sharing.

echo "[INFO] Generating Client TLS Key and Certificate..."
fabric-ca-client enroll -d --enrollment.profile tls -u ${ENROLLMENT_URL} -M /tmp/tls --csr.hosts ${ORDERER_HOST}

echo "[INFO] Uploading Client TLS Certificate to Minio"
python3 /scripts/minio_upload.py --url ${STORAGE_URL} --access-key ${STORAGE_ACCESS_KEY} --secret-key ${STORAGE_SECRET_KEY} --bucket-name ${ORG} --local-path ${ORDERER_GENERAL_TLS_CLIENTCERT_FILE} --remote-path orderers/${ORDERER_NAME}/tls/$(basename ${ORDERER_GENERAL_TLS_CLIENTCERT_FILE})
echo "[INFO] Client TLS Certificate uploaded"
echo "[INFO] Enrolling orderer..."
fabric-ca-client enroll -d --enrollment.profile tls -u ${ENROLLMENT_URL} -M /tmp/tls --csr.hosts ${ORDERER_HOST}

echo "[INFO] Uploading Server TLS Certificate to Minio"
python3 /scripts/minio_upload.py --url ${STORAGE_URL} --access-key ${STORAGE_ACCESS_KEY} --secret-key ${STORAGE_SECRET_KEY} --bucket-name ${ORG} --local-path ${ORDERER_GENERAL_TLS_CERTIFICATE} --remote-path orderers/${ORDERER_NAME}/tls/$(basename ${ORDERER_GENERAL_TLS_CERTIFICATE})
echo "[INFO] Server TLS Certificate uploaded"

After each orderer has generated and uploaded its certificates, I run a new container called genesis, in which I download configtx.yaml, all the orderer certificates (to the paths defined in {{1}}) and other things in order to generate the genesis block, the channel tx and the anchor peer updates. After that, in each orderer I also download all the orderer certificates (I don't know whether this is necessary) to the same paths, and of course I copy the genesis block.

In all the orderers, ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED and ORDERER_GENERAL_TLS_ENABLED are set to true, matching what is configured in configtx.yaml. For example, this is the TLS configuration of:

orderer0.org1

What am I missing? Where is the problem? Thank you very much.

2 answers:

Answer 0 (score: 2)

EDITED

You are missing the following environment variables for the orderers:

      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/shared-storage/tls/orderer0/client.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/shared-storage/tls/orderer0/client.key
      # I find strange you use org1 CA in your conf, but I trust you...
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/shared-storage/org1/ca-chain.pem]

Answer 1 (score: 0)

The error message "first record does not look like a TLS handshake" suggests that you have a "client" trying to open a plain (i.e. non-TLS) connection. Make sure that all connections are configured to use TLS across all kinds of "clients" (i.e. other orderers, peers, client applications using the SDK, etc.).
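To make the error message concrete, here is an added example (not code from the question, the answers, or Fabric itself) that applies the same sanity check Go's crypto/tls performs on the first record of a connection (record type must be handshake or alert, version bytes must be plausible) and classifies what a misconfigured non-TLS client actually sends. The sample byte strings are constructed: a minimal TLS ClientHello record, the cleartext HTTP/2 preface that a gRPC client with TLS disabled sends first, and a plain HTTP/1.1 request.

```python
"""Classify the first bytes a TLS listener receives.

Mirrors the check behind Go's "first record does not look like a TLS
handshake": the record type must be handshake (22) or alert (21) and the
two version bytes must be below 0x1000. Anything else is some plaintext
protocol, which is what a peer, orderer or SDK client with TLS disabled
produces when it connects to a TLS-enabled orderer port.
"""

TLS_ALERT = 21
TLS_HANDSHAKE = 22

# Constructed samples, not captured from any real network.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"  # record hdr + handshake type 1
TLS_ALERT_RECORD = b"\x15\x03\x03\x00\x02\x02\x28"              # fatal handshake_failure
H2C_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"               # plaintext gRPC (HTTP/2) opener
HTTP1_REQUEST = b"GET / HTTP/1.1\r\nHost: orderer0.org1:7050\r\n\r\n"


def looks_like_tls_first_record(data: bytes) -> bool:
    """Return True iff the first 5 bytes pass Go's initial record check."""
    if len(data) < 5:  # a full record header is 5 bytes
        return False
    rec_type = data[0]
    version = (data[1] << 8) | data[2]
    return rec_type in (TLS_ALERT, TLS_HANDSHAKE) and version < 0x1000


def classify_first_record(data: bytes) -> str:
    """Label the opening bytes so the operator knows which kind of client to fix."""
    if looks_like_tls_first_record(data):
        return "tls-alert" if data[0] == TLS_ALERT else "tls-handshake"
    if data.startswith(b"PRI * HTTP/2.0"):
        return "plaintext-grpc-h2c"  # gRPC client (peer/orderer/SDK) running without TLS
    if any(data.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "plaintext-http1"
    return "unknown-plaintext"


def diagnose(samples: dict) -> dict:
    """Classify a mapping of remote-address label -> first bytes seen."""
    return {remote: classify_first_record(first) for remote, first in samples.items()}


if __name__ == "__main__":
    for remote, label in diagnose({"10.0.0.5:41234": TLS_CLIENT_HELLO,
                                   "10.0.0.6:41235": H2C_PREFACE}).items():
        print(remote, "->", label)
```

A remote address reported as plaintext-grpc-h2c in the orderer's log is a Fabric component that still has TLS disabled (or is pointing its cluster client at the wrong port), which is the situation the answer above describes.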