Hyperledger fabric TLS握手失败,错误为远程错误:TLS:错误证书服务器=订购方
我正在尝试手动在VM上设置hyperledger结构。我已经生成了所有工件并配置了Hyperledger fabric TLS握手失败,错误为远程错误:TLS:错误证书服务器=订购方,hyperledger-fabric,Hyperledger Fabric,我正在尝试手动在VM上设置hyperledger结构。我已经生成了所有工件并配置了order.yaml和core.yaml。我在端口127.0.0.1:7050上运行Order。当我尝试使用对等clichannel create命令创建频道时,我在对等终端上收到一条上下文截止时间已超过的消息 ./bin/peer channel create -o 127.0.0.1:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls --
order.yaml
和core.yaml
。我在端口127.0.0.1:7050上运行Order。当我尝试使用对等clichannel create
命令创建频道时,我在对等终端上收到一条上下文截止时间已超过的消息
./bin/peer channel create -o 127.0.0.1:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls --cafile /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
错误:未能创建交付客户端:订购方客户端未能连接到127.0.0.1:7050:未能创建新连接:超出上下文截止日期
在订购方终端上,我收到以下错误:
2019-04-23 09:22:03.707 EDT[core.comm]服务器握手->ERRO 01b TLS握手失败,出现错误远程错误:TLS:bad certificate server=Orderer remoteaddress=127.0.0.1:38618
2019-04-23 09:22:04.699 EDT[core.comm]服务器握手->ERRO 01c TLS握手失败,出现错误远程错误:TLS:bad certificate server=Orderer remoteaddress=127.0.0.1:38620
2019-04-23 09:22:06.187 EDT[core.comm]服务器握手->ERRO 01d TLS握手失败,出现错误远程错误:TLS:bad certificate server=Orderer remoteaddress=127.0.0.1:38622
我已经经历了几次配置,我不确定我是否遗漏了什么。以下是我的order.yaml
General:
LedgerType: file
ListenAddress: 127.0.0.1
ListenPort: 7050
TLS:
Enabled: true
PrivateKey: /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.key
Certificate: /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
RootCAs:
- /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
ClientAuthRequired: true
Keepalive:
ServerMinInterval: 60s
ServerInterval: 7200s
ServerTimeout: 20s
GenesisMethod: file
GenesisProfile: OneOrgOrdererGenesis
GenesisFile: channel-artifacts/genesis.block
LocalMSPDIR: /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp
LocalMSPID: OrdererMSP
Authentication:
TimeWindow: 15m
FileLedger:
Location: /var/hyperledger/production/orderer
Prefix: hyperledger-fabric-ordererledger
问题是订购方使用的TLS服务器证书没有与“127.0.0.1”匹配的SAN。使用cryptogen生成工件时,可以使用自定义crypto config.yaml向TLS证书添加“localhost”和/或“127.0.0.1”:
# ---------------------------------------------------------------------------
# "OrdererOrgs" - Definition of organizations managing orderer nodes
# ---------------------------------------------------------------------------
OrdererOrgs:
# ---------------------------------------------------------------------------
# Orderer
# ---------------------------------------------------------------------------
- Name: Orderer
Domain: example.com
EnableNodeOUs: false
# ---------------------------------------------------------------------------
# "Specs" - See PeerOrgs below for complete description
# ---------------------------------------------------------------------------
Specs:
- Hostname: orderer
SANS:
- "localhost"
- "127.0.0.1"
# ---------------------------------------------------------------------------
# "PeerOrgs" - Definition of organizations managing peer nodes
# ---------------------------------------------------------------------------
PeerOrgs:
# ---------------------------------------------------------------------------
# Org1
# ---------------------------------------------------------------------------
- Name: org1
Domain: org1.example.com
EnableNodeOUs: true
Template:
Count: 2
SANS:
- "localhost"
- "127.0.0.1"
Users:
Count: 1
- Name: org2
Domain: org2.example.com
EnableNodeOUs: false
Template:
Count: 2
SANS:
- "localhost"
- "127.0.0.1"
Users:
Count: 1
我也面临同样的问题,在我的例子中,问题是我对本地目录文件做了一些更改,显然,在将这些文件装载回docker容器时,这些更改没有成功反映出来。是什么解决了我的问题
docker卷rm$(docker卷ls)
我重新启动了网络,没有看到更多的证书错误。值得一试。当订购方和订购方之间发生TLS握手失败的问题时,很可能是生成TLS文件时配置参数出错
如果您是通过fabric ca向TLS注册的,则需要检查两个订购方的TLS文件中的CSR属性是否相同。您可以使用以下命令“opensslx509-in certificate.crt-text-noout”
您需要检查订购方注册的--cer.names、-m和其他参数是否重复或不正确
在TLS文件内容一致且指定了主机名的情况下,握手失败的情况很少见awesome-很高兴听到itI仍然面临相同的错误,即使配置根据answer@GariSingh我在订购者中得到相同的错误日志。。。我正在使用fabric ca生成证书。对于非TLS网络,网络运行良好。您能帮忙吗?最好创建一篇新文章,详细介绍您的设置和错误