Hyperledger Fabric TLS handshake failed with error remote error: tls: bad certificate server=Orderer

I am trying to set up Hyperledger Fabric manually on a VM. I have generated all the artifacts and configured orderer.yaml and core.yaml. I am running the orderer on 127.0.0.1:7050. When I try to create a channel with the peer CLI's channel create command, I get a "context deadline exceeded" message on the peer terminal:

./bin/peer channel create -o 127.0.0.1:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls --cafile /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
Error: failed to create deliver client: orderer client failed to connect to 127.0.0.1:7050: failed to create new connection: context deadline exceeded

On the orderer terminal I get the following errors:

2019-04-23 09:22:03.707 EDT [core.comm] ServerHandshake -> ERRO 01b TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=127.0.0.1:38618
2019-04-23 09:22:04.699 EDT [core.comm] ServerHandshake -> ERRO 01c TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=127.0.0.1:38620
2019-04-23 09:22:06.187 EDT [core.comm] ServerHandshake -> ERRO 01d TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=127.0.0.1:38622

I have gone through the configuration a few times and I am not sure whether I am missing something. Here is my orderer.yaml:

General:
  LedgerType: file
  ListenAddress: 127.0.0.1
  ListenPort: 7050

  TLS:
    Enabled: true
    PrivateKey: /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.key
    Certificate: /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
    RootCAs:
      - /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
    ClientAuthRequired: true

  Keepalive:
    ServerMinInterval: 60s
    ServerInterval: 7200s
    ServerTimeout: 20s

  GenesisMethod: file

  GenesisProfile: OneOrgOrdererGenesis

  GenesisFile: channel-artifacts/genesis.block

  LocalMSPDIR: /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp

  LocalMSPID: OrdererMSP

  Authentication:
    TimeWindow: 15m

FileLedger:
  Location: /var/hyperledger/production/orderer
  Prefix: hyperledger-fabric-ordererledger

The problem is that the TLS server certificate used by the orderer does not have a SAN matching "127.0.0.1". When generating the artifacts with cryptogen, you can add "localhost" and/or "127.0.0.1" to the TLS certificates with a custom crypto-config.yaml:

# ---------------------------------------------------------------------------
# "OrdererOrgs" - Definition of organizations managing orderer nodes
# ---------------------------------------------------------------------------
OrdererOrgs:
  # ---------------------------------------------------------------------------
  # Orderer
  # ---------------------------------------------------------------------------
  - Name: Orderer
    Domain: example.com
    EnableNodeOUs: false

    # ---------------------------------------------------------------------------
    # "Specs" - See PeerOrgs below for complete description
    # ---------------------------------------------------------------------------
    Specs:
      - Hostname: orderer
        SANS:
          - "localhost"
          - "127.0.0.1"

# ---------------------------------------------------------------------------
# "PeerOrgs" - Definition of organizations managing peer nodes
# ---------------------------------------------------------------------------
PeerOrgs:
  # ---------------------------------------------------------------------------
  # Org1
  # ---------------------------------------------------------------------------
  - Name: org1
    Domain: org1.example.com
    EnableNodeOUs: true
    Template:
      Count: 2
      SANS:
         - "localhost"
         - "127.0.0.1"
    Users:
      Count: 1

  - Name: org2
    Domain: org2.example.com
    EnableNodeOUs: false
    Template:
      Count: 2
      SANS:
         - "localhost"
         - "127.0.0.1"
    Users:
      Count: 1
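
To make the accepted answer's point concrete, here is an added Go example (not code from the question, the answers or the Fabric project) that reproduces both sides of the failure in-process: a TLS server presents a self-signed certificate for orderer.example.com, and a client that trusts that certificate dials 127.0.0.1, the way the peer CLI does with -o 127.0.0.1:7050. Without an IP SAN the client rejects the certificate and the server sees the same "remote error: tls: bad certificate" as the orderer log; with the localhost/127.0.0.1 SANs that the crypto-config.yaml above adds, the handshake succeeds. The certificate, the trust pool standing in for tlsca.example.com-cert.pem, and the listener port are constructed for the example; sans() lists the names one would otherwise read from openssl x509 -text, which a later answer suggests.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert issues a self-signed TLS server certificate for orderer.example.com
// (the hostname used on the page). With withLoopbackSANs=true it also carries the
// "localhost" DNS SAN and the 127.0.0.1 IP SAN that the SANS entries in the
// crypto-config.yaml make cryptogen add. The returned pool holds just this
// certificate and plays the role of tlsca.example.com-cert.pem (constructed here).
func makeCert(withLoopbackSANs bool) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "orderer.example.com"},
		DNSNames:              []string{"orderer.example.com"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	if withLoopbackSANs {
		tmpl.DNSNames = append(tmpl.DNSNames, "localhost")
		tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// sans lists the DNS and IP SANs of a certificate: the same values shown under
// "X509v3 Subject Alternative Name" by "openssl x509 -in server.crt -text -noout".
func sans(cert *x509.Certificate) []string {
	out := append([]string{}, cert.DNSNames...)
	for _, ip := range cert.IPAddresses {
		out = append(out, ip.String())
	}
	return out
}

// handshake starts a TLS listener on 127.0.0.1 serving serverCert and dials it
// with a client that trusts exactly the pool in roots. Like the peer CLI given
// "-o 127.0.0.1:7050", the client verifies the certificate against the IP
// literal it dialed. It returns the client-side and server-side error texts
// ("" for a side that succeeded).
func handshake(serverCert tls.Certificate, roots *x509.CertPool) (clientErr, serverErr string) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err.Error(), ""
	}
	defer ln.Close()

	srvDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			srvDone <- err
			return
		}
		defer conn.Close()
		// This is the step the orderer logs as "TLS handshake failed with error ...".
		srvDone <- conn.(*tls.Conn).Handshake()
	}()

	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots})
	if err != nil {
		clientErr = err.Error()
	} else {
		conn.Close()
	}
	if err := <-srvDone; err != nil {
		serverErr = err.Error()
	}
	return clientErr, serverErr
}

func main() {
	for _, withSANs := range []bool{false, true} {
		cert, pool, err := makeCert(withSANs)
		if err != nil {
			panic(err)
		}
		c, s := handshake(cert, pool)
		fmt.Printf("SANs %v\n  client: %q\n  server: %q\n", sans(cert.Leaf), c, s)
	}
}
```

The word "remote" in the orderer's log line is the triage hint: the alert was sent by the connecting client, which rejected the orderer's server certificate. So the thing to compare is the server certificate's SANs against the address the client dialed, not the orderer's RootCAs or ClientAuthRequired settings.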

I also faced the same issue. In my case the problem was that I had made some changes to files in the local directory and, apparently, those changes were not being reflected properly when the files were mounted back into the docker containers. What solved my problem was

docker volume rm $(docker volume ls -q)

I restarted the network and did not see any more certificate errors. Worth a try.

When a TLS handshake failure occurs between orderers, it is most likely that a configuration parameter was wrong when the TLS files were generated.

If you enrolled with the TLS CA through fabric-ca, you need to check whether the CSR attributes in the TLS files of the two orderers are identical. You can use the command "openssl x509 -in certificate.crt -text -noout".

You need to check whether the --csr.names, -m and other parameters used when enrolling the orderers are duplicated or incorrect.

Handshake failures are rare when the TLS file contents are consistent and the hostnames are specified.

awesome - glad to hear it

I still face the same error even though the config is as per the answer @GariSingh. I get the same error log in the orderer... I am using fabric-ca to generate the certificates. For a non-TLS network, the network works fine. Could you please help?

Best to create a new post with details of your setup and the error