【Question title】: Handshake failed with fatal error SSL_ERROR_SSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
【Posted】: 2021-01-27 22:59:43
【Problem description】:

I get this error when I try to create a channel using the API (I am using an example similar to the balance-transfer example from fabric-samples).

However, I can create the channel, install, instantiate and invoke using the CLI commands.

I have attached a screenshot of the error and my network config file.

--networkconfig.yaml--

#
# The network connection profile provides client applications the information about the target
# blockchain network that are necessary for the applications to interact with it. These are all
# knowledge that must be acquired from out-of-band sources. This file provides such a source.
#
name: "business-connection"

#
# Any properties with an "x-" prefix will be treated as application-specific, exactly like how naming
# in HTTP headers or swagger properties work. The SDK will simply ignore these fields and leave
# them for the applications to process. This is a mechanism for different components of an application
# to exchange information that are not part of the standard schema described below. In particular,
# the "x-type" property with the "hlfv1" value example below is used by Hyperledger Composer to
# determine the type of Fabric networks (v0.6 vs. v1.0) it needs to work with.
#
x-type: "hlfv1"

#
# Describes what the target network is/does.
#
description: "business-connection-POC"

#
# Schema version of the content. Used by the SDK to apply the corresponding parsing rules.
#
version: "1.0"

#
# The client section will be added on a per-org basis, see org1.yaml and org2.yaml
#
client:

#
# [Optional]. But most apps would have this section so that channel objects can be constructed
# based on the content below. If an app is creating channels, then it likely will not need this
# section.
#
channels:
  # name of the channel
  internal-channel:
    # Required. list of orderers designated by the application to use for transactions on this
    # channel. This list can be a result of access control ("org1" can only access "ordererA"), or
    # operational decisions to share loads from applications among the orderers.  The values must
    # be "names" of orgs defined under "organizations/peers"
    orderers:
      - orderer1-htc

    # Required. list of peers from participating orgs
    peers:
      peer1-accounts:
        # [Optional]. will this peer be sent transaction proposals for endorsement? The peer must
        # have the chaincode installed. The app can also use this property to decide which peers
        # to send the chaincode install request. Default: true
        endorsingPeer: true

        # [Optional]. will this peer be sent query proposals? The peer must have the chaincode
        # installed. The app can also use this property to decide which peers to send the
        # chaincode install request. Default: true
        chaincodeQuery: true

        # [Optional]. will this peer be sent query proposals that do not require chaincodes, like
        # queryBlock(), queryTransaction(), etc. Default: true
        ledgerQuery: true

        # [Optional]. will this peer be the target of the SDK's listener registration? All peers can
        # produce events but the app typically only needs to connect to one to listen to events.
        # Default: true
        eventSource: true

      peer1-mgmt:
        endorsingPeer: false
        chaincodeQuery: true
        ledgerQuery: true
        eventSource: false

      peer1-project:
        endorsingPeer: false
        chaincodeQuery: true
        ledgerQuery: true
        eventSource: true

    # [Optional]. what chaincodes are expected to exist on this channel? The application can use
    # this information to validate that the target peers are in the expected state by comparing
    # this list with the query results of getInstalledChaincodes() and getInstantiatedChaincodes()
    chaincodes:
      # the format follows the "canonical name" of chaincodes by fabric code
      - mycontract-v0.1

#
# list of participating organizations in this network
#
organizations:
  HTC:
    mspid: htcMSP
    orderer:
      - orderer1-htc
    certificateAuthorities:
      - ica-htc

  accounts:
    mspid: accountsMSP

    peers:
      - peer1-accounts

    # [Optional]. Certificate Authorities issue certificates for identification purposes in a Fabric based
    # network. Typically certificates provisioning is done in a separate process outside of the
    # runtime network. Fabric-CA is a special certificate authority that provides a REST APIs for
    # dynamic certificate management (enroll, revoke, re-enroll). The following section is only for
    # Fabric-CA servers.
    certificateAuthorities:
      - ica-accounts

    # [Optional]. If the application is going to make requests that are reserved to organization
    # administrators, including creating/updating channels, installing/instantiating chaincodes, it
    # must have access to the admin identity represented by the private key and signing certificate.
    # Both properties can be the PEM string or local path to the PEM file. Note that this is mainly for
    # convenience in development mode, production systems should not expose sensitive information
    # this way. The SDK should allow applications to set the org admin identity via APIs, and only use
    # this route as an alternative when it exists.
    adminPrivateKey:
      path: network/data/orgs/accounts/admin/msp/keystore/accounts_sk
    signedCert:
      path: network/data/orgs/accounts/admin/msp/signcerts/cert.pem

  # the profile will contain public information about organizations other than the one it belongs to.
  # These are necessary information to make transaction lifecycles work, including MSP IDs and
  # peers with a public URL to send transaction proposals. The file will not contain private
  # information reserved for members of the organization, such as admin key and certificate,
  # fabric-ca registrar enroll ID and secret, etc.
  mgmt:
    mspid: mgmtMSP
    peers:
      - peer1-mgmt
    certificateAuthorities:
      - ica-mgmt
    adminPrivateKey:
      path: network/data/orgs/mgmt/admin/msp/keystore/mgmt_sk
    signedCert:
      path: network/data/orgs/mgmt/admin/msp/signcerts/cert.pem

  project:
    mspid: projectMSP
    peers:
      - peer1-project
    certificateAuthorities:
      - ica-project
    adminPrivateKey:
      path: network/data/orgs/project/admin/msp/keystore/project_sk
    signedCert:
      path: network/data/orgs/project/admin/msp/signcerts/cert.pem

#
# List of orderers to send transaction and channel create/update requests to. For the time
# being only one orderer is needed. If more than one is defined, which one gets used by the
# SDK is implementation-specific. Consult each SDK's documentation for its handling of orderers.
#
orderers:
  orderer1-htc:
    url: grpcs://localhost:7050

    # these are standard properties defined by the gRPC library
    # they will be passed in as-is to gRPC client constructor
    grpcOptions:
      ssl-target-name-override: orderer1-htc
    tlsCACerts:
      path: network/data/htc.crt

#
# List of peers to send various requests to, including endorsement, query
# and event listener registration.
#
peers:
  peer1-accounts:
    # this URL is used to send endorsement and query requests
    url: grpcs://localhost:7051
    grpcOptions:
      ssl-target-name-override: peer1-accounts
    tlsCACerts:
      path: network/data/accounts.crt

  peer1-mgmt:
    url: grpcs://localhost:8051
    grpcOptions:
      ssl-target-name-override: peer1-mgmt
    tlsCACerts:
      path: network/data/mgmt.crt

  peer1-project:
    url: grpcs://localhost:9051
    grpcOptions:
      ssl-target-name-override: peer1-project
    tlsCACerts:
      path: network/data/project.crt

#
# Fabric-CA is a special kind of Certificate Authority provided by Hyperledger Fabric which allows
# certificate management to be done via REST APIs. Applications may choose to use a standard
# Certificate Authority instead of Fabric-CA, in which case this section would not be specified.
#
certificateAuthorities:
  ica-htc:
    url: http://localhost:1054
    httpOptions:
      verify: false
    tlsCACerts:
      path: network/data/htc-ca-cert.pem
    registrar:
      - enrollId: ica-htc-admin
        enrollSecret: ica-htc-adminpw
    # [Optional] The optional name of the CA.
    caName: ica-htc

  ica-accounts:
    url: http://localhost:7054
    # the properties specified under this object are passed to the 'http' client verbatim when
    # making the request to the Fabric-CA server
    httpOptions:
      verify: false
    tlsCACerts:
      path: network/data/accounts-ca-chain.pem

    # Fabric-CA supports dynamic user enrollment via REST APIs. A "root" user, a.k.a registrar, is
    # needed to enroll and invoke new users.
    registrar:
      - enrollId: ica-accounts-admin
        enrollSecret: ica-accounts-adminpw
    # [Optional] The optional name of the CA.
    caName: ica-accounts

  ica-mgmt:
    url: http://localhost:8054
    httpOptions:
      verify: false
    tlsCACerts:
      path: network/data/mgmt-ca-chain.pem
    registrar:
      - enrollId: ica-mgmt-admin
        enrollSecret: ica-mgmt-adminpw
    # [Optional] The optional name of the CA.
    caName: ica-mgmt

  ica-project:
    url: http://localhost:9054
    httpOptions:
      verify: false
    tlsCACerts:
      path: network/data/project-ca-chain.pem
    registrar:
      - enrollId: ica-project-admin
        enrollSecret: ica-project-adminpw
    # [Optional] The optional name of the CA.
    caName: ica-project

【Comments】:

  • Handshake errors usually happen when the communication protocol on the client and server sides does not match. Double-check: if your network config file uses the grpcs:// and https:// protocols, then your Fabric network must also be configured with TLS (and vice versa).
  • Another cause could be that your Node version is not supported (compatibility issues with grpc on nodejs). The docs say it should be 8.9.x (at the time of writing, for Fabric 1.4) hyperledger-fabric.readthedocs.io/en/release-1.4/prereqs.html
  • Hi @paul O'Mahony, I am using v8.15.0 and I can execute almost all of the API calls from the balance-transfer example; my network is configured with TLS and my network config file uses the grpcs and https protocols.

Tags: ssl-certificate hyperledger-fabric hyperledger


【Solution 1】:

You are getting a hostname verification error during the TLS handshake. In your setup

# this URL is used to send endorsement and query requests
url: grpcs://localhost:7051
grpcOptions:
  ssl-target-name-override: peer1-accounts
tlsCACerts:
  path: network/data/accounts.crt

you are calling localhost but you set the override to peer1-accounts. The hostname you use in the URL must match one of the SANs in the TLS certificate used by the peer, or whatever value you set for ssl-target-name-override must match one of the SANs in the TLS certificate.

You can print the details of the certificate with openssl:

openssl x509 -noout -text -in path-to-tls-cert

【Discussion】:

【Solution 2】:

This problem was related to a block in the firewall. When I disabled SSL inspection on the firewall it worked again, no problem.

【Discussion】:
