Hyperledger Fabric: ServerHandshake TLS handshake error bad certificate server = PeerServer AND ServerHandshake TLS handshake EOF

Time: 2020-06-21 06:26:30

Tags: hyperledger-fabric hyperledger

I am trying to connect a Golang backend to a running Hyperledger network using Hyperledger 2.0.0 ...

When I run "docker-compose up", I see the ServerHandshake TLS handshake EOF error:

    peer0-org2 | 2020-06-21 04:56:29.113 UTC [core.comm] ServerHandshake -> ERRO 022 TLS handshake failed with error EOF server=PeerServer remoteaddress=172.21.0.12:51946
    peer1-org1 | 2020-06-21 04:56:30.123 UTC [core.comm] ServerHandshake -> ERRO 021 TLS handshake failed with error EOF server=PeerServer remoteaddress=172.21.0.11:49860
    peer0-org1 | 2020-06-21 04:56:30.547 UTC [core.comm] ServerHandshake -> ERRO 022 TLS handshake failed with error EOF server=PeerServer remoteaddress=172.21.0.9:34994
    peer1-org2 | 2020-06-21 04:56:30.873 UTC [core.comm] ServerHandshake -> ERRO 021 TLS handshake failed with error EOF server=PeerServer remoteaddress=172.21.0.10:52232

Then, when I run the Golang backend to access the chaincode, I see a similar ServerHandshake TLS handshake error (ServerHandshake TLS handshake error bad certificate) ... plus other error messages from Golang:

    --- FAIL: Test_ConnectionTest_Success (0.06s)
        client_test.go:30: failed to create client from channel context: event service creation failed: could not get chConfig cache reference: QueryBlockConfig failed: QueryBlockConfig failed: queryChaincode failed: Transaction processing for endorser [localhost:7051]: Endorser Client Status Code: (2) CONNECTION_FAILED. Description: dialing connection on target [localhost:7051]: connection is in TRANSIENT_FAILURE
    FAIL
    exit status 1
    FAIL    hyperledger-k8s-be/hyperledger    0.068s

------------ == from the docker-compose Hyperledger terminal

    peer0-org1 | 2020-06-21 06:00:24.577 UTC [core.comm] ServerHandshake -> ERRO 090 TLS handshake failed with error remote error: tls: bad certificate server=PeerServer remoteaddress=172.20.0.1:58500

------------ == it fails here in client.go

    // Build a channel client from the SDK channel context; this is the call that fails.
    channelClient, err := sdkchannel.New(clientContext)
    if err != nil {
        return nil, errors.WithMessage(err, "failed to create client from channel context")
    }

------------ == I suspect that one of these three certificates in docker-compose.yaml > peer0-org1 > environment is wrong

  - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
  - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
  - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt

Is my suspicion correct? What is wrong? Is it due to

  an error in docker-compose-ca.yaml

  hyperledger/fabric-ca:1.4.1

  the start-org1-client script to run under org1-client

  something else???

Please help. Thanks

---------------- == Update 2020-06-23: I can check whether the TLS certificate has the correct SAN (Subject Alternative Name) ($ openssl x509 -noout -text -in org1-ca-7054.pem):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:3b:4f:ea:63:1a:03:b4:61:45:e9:44:1b:29:dc:ed:e6:bc:0b:76
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = fabric-ca-server
        Validity
            Not Before: Jun 21 05:14:00 2020 GMT
            Not After : Jun 18 05:14:00 2035 GMT
        Subject: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = fabric-ca-server
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:3c:3f:d9:97:7e:fc:08:e5:0a:3f:fe:b3:fe:70:
                    33:20:92:6c:88:78:19:35:08:00:98:97:17:8b:af:
                    03:44:2d:a4:4d:65:63:fc:d8:b5:4c:23:cc:e6:63:
                    55:a3:4f:04:62:72:8d:b2:fa:f1:9a:9d:14:9f:f9:
                    aa:33:ee:fe:e8
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier: 
                78:B7:6D:51:91:0C:9E:6C:31:C9:63:67:34:BD:CA:18:B5:C5:35:D1
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:6a:1a:92:cc:45:9b:c9:a5:4d:61:b9:bd:a3:94:
         b2:2c:52:7a:16:36:91:12:f9:a0:1f:fe:77:29:a3:1e:05:5d:
         02:20:7f:e0:5d:c9:03:4f:8e:b2:6d:66:a4:8f:04:fb:e0:e6:
         52:cf:e0:e9:3a:1a:36:bc:7b:98:99:f9:c4:64:c6:7e

So the response has no SAN set ...

2 answers:

Answer 0 (score: 2)

From the error it looks like the peer's TLS certificate does not have the correct SAN (Subject Alternative Name) configured in it to properly validate the TLS communication.

The peer's TLS certificate should be configured with a SAN for the container name, the container's IP address, or localhost, for whatever form is used to send requests to the node.

Note: multiple SANs can be configured in the TLS certificate for a single node.

Answer 1 (score: 0)

If anyone runs into this problem while building an application, know that it is usually caused by a wrong tls certificate or a wrong connection profile. To solve it, first try to define the following parameters correctly; here is an example:

export FABRIC_CFG_PATH=/home/user/fabric-samples/config/
export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
export CORE_PEER_MSPCONFIGPATH=${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
export CORE_PEER_ADDRESS=localhost:7051

Then generate a new connection profile for your application (with the network running). A wrong connection profile causes problems like this.