【发布时间】:2019-06-26 13:55:32
【问题描述】:
在 Hyperledger 网络中,我启用了 TLS 和 CLIENTAUTH(在对等节点和排序节点上,而不是在 CA 上)。但是在通过fabric-sdk-node 库提交交易时,我在验证客户端证书时不断出错。
我也尝试过明确设置 TLS 客户端证书,但没有成功。 https://fabric-sdk-node.github.io/tutorial-mutual-tls.html
同行/订单.yaml
- name: CORE_PEER_TLS_ENABLED
value: "true"
- name: CORE_PEER_TLS_CERT_FILE
value: /shared/crypto-config/peerOrganizations/org1.example.com/peers/blockchain-org1peer2.org1.example.com/tls/server.crt
- name: CORE_PEER_TLS_KEY_FILE
value: /shared/crypto-config/peerOrganizations/org1.example.com/peers/blockchain-org1peer2.org1.example.com/tls/server.key
- name: CORE_PEER_TLS_ROOTCERT_FILE
value: /shared/crypto-config/peerOrganizations/org1.example.com/peers/blockchain-org1peer2.org1.example.com/tls/ca.crt
- name: CORE_PEER_TLS_CLIENTAUTHREQUIRED
value: "true"
- name: CORE_PEER_TLS_CLIENTROOTCAS_FILES
value: /shared/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/ca.crt
- name: CORE_PEER_TLS_CLIENTCERT_FILE
value: /shared/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.crt
- name: CORE_PEER_TLS_CLIENTKEY_FILE
value: /shared/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.key
connection.json
{
"name": "bam-ticketing-network",
"version": "1.0.0",
"client": {
"organization": "Org1",
"connection": {
"timeout": {
"peer": {
"endorser": "300"
},
"orderer": "300"
}
},
"credentialStore": {
"path": "./local_fabric/tmp/hfc-kvs",
"cryptoStore": {
"path": "./local_fabric/tmp/hfc-cvs"
},
"wallet": "wallet"
},
"tlsCerts": {
"systemCertPool": true,
"client": {
"key": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.key"
},
"cert": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.crt"
}
}
}
},
"channels": {
"channel1": {
"orderers": [
"blockchain-orderer1",
"blockchain-orderer2",
"blockchain-orderer3"
],
"peers": {
"blockchain-org1peer1": {
"endorsingPeer": true,
"chaincodeQuery": true,
"ledgerQuery": true,
"eventSource": true
},
"blockchain-org1peer2": {
"endorsingPeer": true,
"chaincodeQuery": true,
"ledgerQuery": true,
"eventSource": true
}
}
}
},
"organizations": {
"Org1": {
"mspid": "Org1MSP",
"peers": [
"blockchain-org1peer1",
"blockchain-org1peer2"
],
"certificateAuthorities": [
"blockchain-ca"
],
"adminPrivateKey": [
"./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/key.pem"
],
"signedCert": [
"./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/signcerts/Admin@org1.example.com-cert.pem"
]
}
},
"orderers": {
"blockchain-orderer1": {
"url": "grpcs://192.168.99.130:31011",
"grpcOptions": {
"ssl-target-name-override": "blockchain-orderer1",
"grpc-max-send-message-length": 4194304
},
"tlsCACerts": {
"path": "./local_fabric/certs/crypto-config/ordererOrganizations/example.com/orderers/blockchain-orderer1.example.com/tls/ca.crt"
}
},
"blockchain-orderer2": {
"url": "grpcs://192.168.99.130:31012",
"grpcOptions": {
"ssl-target-name-override": "blockchain-orderer2",
"grpc-max-send-message-length": 4194304
},
"tlsCACerts": {
"path": "./local_fabric/certs/crypto-config/ordererOrganizations/example.com/orderers/blockchain-orderer2.example.com/tls/ca.crt"
}
},
"blockchain-orderer3": {
"url": "grpcs://192.168.99.130:31013",
"grpcOptions": {
"ssl-target-name-override": "blockchain-orderer3",
"grpc-max-send-message-length": 4194304
},
"tlsCACerts": {
"path": "./local_fabric/certs/crypto-config/ordererOrganizations/example.com/orderers/blockchain-orderer3.example.com/tls/ca.crt"
}
}
},
"peers": {
"blockchain-org1peer1": {
"url": "grpcs://192.168.99.130:30110",
"grpcOptions": {
"ssl-target-name-override": "blockchain-org1peer1",
"grpc.keepalive_time_ms": 600000
},
"clientKey": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.key"
},
"clientCert": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.crt"
},
"tlsCACerts": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/peers/blockchain-org1peer1.org1.example.com/tls/ca.crt"
}
},
"blockchain-org1peer2": {
"url": "grpcs://192.168.99.130:30210",
"grpcOptions": {
"ssl-target-name-override": "blockchain-org1peer2",
"grpc.keepalive_time_ms": 600000
},
"clientKey": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.key"
},
"clientCert": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.crt"
},
"tlsCACerts": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/peers/blockchain-org1peer2.org1.example.com/tls/ca.crt"
}
}
},
"certificateAuthorities": {
"blockchain-ca": {
"url": "https://192.168.99.130:30054",
"registrar": {
"enrollmentID": "admin",
"enrollmentSecret": "adminpw",
"profile": "tls"
},
"httpOptions": {
"verify": false
},
"tlsCACerts": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem",
"client": {
"key": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.key"
},
"cert": {
"path": "./local_fabric/certs/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/client.crt"
}
}
}
}
}
}
我不断收到此错误:
对等点:ERRO 1587b[0m TLS 握手失败,错误 tls:验证客户端证书失败:x509:证书由未知权威服务器签名=PeerServer remoteaddress=172.17.0.1:62440
在 nodejs 应用上:ERRO 11347[0m TLS 握手失败,出现错误 tls:无法验证客户端证书:x509:证书由未知权威服务器签名=PeerServer remoteaddress=172.17.0.1:6156
我希望结构客户端或网关可以提供一些选项来支持双向 TLS 或一些 connection.json 示例。
【问题讨论】:
标签: hyperledger-fabric hyperledger