Ssl 链码容器可以';由于未知授权机构签署的证书,无法连接到本地对等方
首先,我想提到的是,在没有启用TLS的情况下,我的设置非常有效。它甚至可以在AWS上的Docker Swarm中工作 当我启用TLS时,问题开始出现。当我通过Composer部署.bna文件时,我新创建的链码容器会生成以下日志:Ssl 链码容器可以';由于未知授权机构签署的证书,无法连接到本地对等方,ssl,hyperledger,hyperledger-fabric,hyperledger-composer,root-certificate,Ssl,Hyperledger,Hyperledger Fabric,Hyperledger Composer,Root Certificate,首先,我想提到的是,在没有启用TLS的情况下,我的设置非常有效。它甚至可以在AWS上的Docker Swarm中工作 当我启用TLS时,问题开始出现。当我通过Composer部署.bna文件时,我新创建的链码容器会生成以下日志: 2017-08-23 13:14:16.389 UTC [Composer] Info -> INFO 001 Setting the Composer pool size to 8 2017-08-23 13:14:16.402 UTC [shim] userC
2017-08-23 13:14:16.389 UTC [Composer] Info -> INFO 001 Setting the Composer pool size to 8
2017-08-23 13:14:16.402 UTC [shim] userChaincodeStreamGetter -> ERRO 002 Error trying to connect to local peer: x509: certificate signed by unknown authority
Error starting chaincode: Error trying to connect to local peer: x509: certificate signed by unknown authority
有趣的是,当通过composer游乐场部署.bna时(当TLS仍然在我的结构中启用时),这一点就起作用了
以下是我的连接配置文件:
{
"name": "test",
"description": "test",
"type": "hlfv1",
"orderers": [
{
"url": "grpcs://orderer.company.com:7050",
"cert": "-----BEGIN CERTIFICATE-----blabla1\n-----END CERTIFICATE-----\n"
}
],
"channel": "channelname",
"mspID": "CompanyMSP",
"ca": {
"url": "https://ca.company.com:7054",
"name": "ca-company",
"trustedRoots": [
"-----BEGIN CERTIFICATE-----\nblabla2\n-----END CERTIFICATE-----\n"
],
"verify": true
},
"peers": [
{
"requestURL": "grpcs://peer0.company.com:7051",
"eventURL": "grpcs://peer0.company.com:7053",
"cert": "-----BEGIN CERTIFICATE-----\nbalbla3\n-----END CERTIFICATE-----\n"
}
],
"keyValStore": "/home/composer/.composer-credentials",
"timeout": 300
}
我的证书是通过cryptogen
工具生成的,因此:
- Orders.0.cert包含
加密配置/orderOrganizations/company.com/orders/order.company.com/msp/tlscacerts/tlsca.company.com-cert.pem的值
- peers.0.cert包含
加密配置/peerOrganizations/company.com/peers/peer0.company.com/msp/tlscacerts/tlsca.company.com-cert.pem的值
- ca.trustedRoots.0包含
加密配置/peerOrganizations/company.com/peers/peer0.company.com/tls/ca.crt
当我检查chaincode\u容器时,
docker会发现它遗漏了ENV变量:CORE\u PEER\u TLS\u ROOTCERT\u FILE=/etc/hyperledger/fabric/PEER.crt
,而在构建chaincode映像时,通过游乐场部署的chaincode容器确实有它…,用于构建受信任根的TLS证书来自:
对等方用于运行gRPC服务的TLS证书为
顺便问一下,您使用的是发布分支代码,而不是master中的代码,对吗?我使用docker 1.0.0版作为fabric。根据您的回答,我的根证书对ca是有效的。但是当我将peer的证书更改为您让我更改的证书时,它现在根本不起作用,我得到了以下信息:1 ssl\u传输\u安全。c:947]握手失败,出现致命错误ssl\u错误\u ssl:错误:14090086:ssl例程:ssl3\u获取服务器\u证书:证书验证失败。E0825 09:19:59.277837864 1 ssl_transport_security.c:947]握手失败,出现致命错误ssl_error_ssl:error:14090086:ssl例程:ssl3_get_server_certificate:certificate verify失败。
另外,我正在谈论hyperledger composer连接。不是织物本身。我的fabric peer有一个有效的配置:`CORE\u peer\u TLS\u CERT\u FILE=/etc/hyperledger/fabric/TLS/server.crt CORE\u peer\u TLS\u KEY\u KEY\u KEY\u KEY/server.KEY CORE\u peer\u ROOTCERT\u FILE=/etc/hyperledger/fabric/TLS/ca.crt`你找到解决方案了吗?@jmcnevin没有。一两天后我就放弃了:/
# TLS Settings
# Note that peer-chaincode connections through chaincodeListenAddress is
# not mutual TLS auth. See comments on chaincodeListenAddress for more info
tls:
enabled: false
cert:
file: tls/server.crt
key:
file: tls/server.key
rootcert:
file: tls/ca.crt