First I want to mention that when TLS is not enabled, my setup works like a charm. It even works in Docker Swarm on AWS.
The problems start when I enable TLS. When I deploy my .bna file via Composer, my newly created chaincode container produces the following logs:
2017-08-23 13:14:16.389 UTC [Composer] Info -> INFO 001 Setting the Composer pool size to 8
2017-08-23 13:14:16.402 UTC [shim] userChaincodeStreamGetter -> ERRO 002 Error trying to connect to local peer: x509: certificate signed by unknown authority
Error starting chaincode: Error trying to connect to local peer: x509: certificate signed by unknown authority
Interestingly, this works when deploying the .bna through Composer Playground (while TLS is still enabled in my Fabric)...
Here is my connection profile:
{
  "name": "test",
  "description": "test",
  "type": "hlfv1",
  "orderers": [
    {
      "url": "grpcs://orderer.company.com:7050",
      "cert": "-----BEGIN CERTIFICATE-----blabla1\n-----END CERTIFICATE-----\n"
    }
  ],
  "channel": "channelname",
  "mspID": "CompanyMSP",
  "ca": {
    "url": "https://ca.company.com:7054",
    "name": "ca-company",
    "trustedRoots": [
      "-----BEGIN CERTIFICATE-----\nblabla2\n-----END CERTIFICATE-----\n"
    ],
    "verify": true
  },
  "peers": [
    {
      "requestURL": "grpcs://peer0.company.com:7051",
      "eventURL": "grpcs://peer0.company.com:7053",
      "cert": "-----BEGIN CERTIFICATE-----\nbalbla3\n-----END CERTIFICATE-----\n"
    }
  ],
  "keyValStore": "/home/composer/.composer-credentials",
  "timeout": 300
}
My certificates were generated with the cryptogen tool, so:
- orderers.0.cert contains the value of
crypto-config/ordererOrganizations/company.com/orderers/orderer.company.com/msp/tlscacerts/tlsca.company.com-cert.pem
- peers.0.cert contains the value of
crypto-config/peerOrganizations/company.com/peers/peer0.company.com/msp/tlscacerts/tlsca.company.com-cert.pem
- ca.trustedRoots.0 contains
crypto-config/peerOrganizations/company.com/peers/peer0.company.com/tls/ca.crt
I have a feeling that my trustedRoots certificate is wrong...
Update
When I run docker inspect chaincode_container
I can see that it is missing the ENV variable CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/peer.crt
, whereas the chaincode container deployed via Playground does have it...
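As an added, stand-alone example (not from the original post, and not Composer's or Fabric's own code), a stdlib-only Python check for the TLS-related fields of an hlfv1 connection profile like the one above: every grpcs:// or https:// endpoint must carry a PEM certificate, each PEM must have its header and footer on their own lines with a base64 body that decodes to a DER SEQUENCE, and ca.verify must not silently disable checking. The SAMPLE_PROFILE, the fake_pem helper and FAKE_BODY are constructed placeholders, not real certificates; the orderer entry deliberately repeats the missing newline after the BEGIN line seen in the profile above.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Header and footer must each sit on their own line; the body is base64.
PEM_RE = re.compile(r"^-----BEGIN CERTIFICATE-----\n([A-Za-z0-9+/=\n]+)-----END CERTIFICATE-----\n?$")

def check_pem(label, pem):
    # Findings for one PEM certificate string: framing, then base64 body.
    m = PEM_RE.match(pem or "")
    if not m:
        return [f"{label}: PEM header/footer are not on their own lines (missing \\n?)"]
    try:
        der = base64.b64decode(m.group(1).replace("\n", ""), validate=True)
    except binascii.Error:
        return [f"{label}: PEM body is not valid base64"]
    return [] if der and der[0] == 0x30 else [f"{label}: decoded body is not a DER SEQUENCE"]

def check_endpoint(label, url, cert):
    # A grpcs:// or https:// endpoint needs a CA certificate; a plaintext one ignores it.
    scheme = urlparse(url or "").scheme
    if scheme in ("grpcs", "https"):
        return check_pem(label, cert) if cert else [f"{label}: TLS URL without a cert"]
    return [f"{label}: cert given but {scheme}:// is plaintext"] if cert else []

def check_profile(profile):
    findings = []
    for i, o in enumerate(profile.get("orderers", [])):
        findings += check_endpoint(f"orderers.{i}", o.get("url"), o.get("cert"))
    for i, p in enumerate(profile.get("peers", [])):
        for key in ("requestURL", "eventURL"):
            findings += check_endpoint(f"peers.{i}.{key}", p.get(key), p.get("cert"))
    ca = profile.get("ca", {})
    if urlparse(ca.get("url", "")).scheme == "https" and not ca.get("verify", False):
        findings.append("ca: verify is false, so the CA's TLS certificate is never checked")
    for i, root in enumerate(ca.get("trustedRoots", [])):
        findings += check_pem(f"ca.trustedRoots.{i}", root)
    return findings

# Constructed placeholder: base64 of a 5-byte DER SEQUENCE, not a real certificate.
FAKE_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
def fake_pem(newline_after_header=True):
    sep = "\n" if newline_after_header else ""
    return f"-----BEGIN CERTIFICATE-----{sep}{FAKE_BODY}\n-----END CERTIFICATE-----\n"
# Constructed sample mirroring the profile above; the orderer cert repeats its missing newline.
SAMPLE_PROFILE = {
    "orderers": [{"url": "grpcs://orderer.company.com:7050", "cert": fake_pem(False)}],
    "ca": {"url": "https://ca.company.com:7054", "trustedRoots": [fake_pem()], "verify": True},
    "peers": [{"requestURL": "grpcs://peer0.company.com:7051", "eventURL": "grpcs://peer0.company.com:7053", "cert": fake_pem()}],
}
```

Running check_profile(SAMPLE_PROFILE) reports only the orderer framing problem; the check covers the profile file itself, not the CORE_PEER_TLS_ROOTCERT_FILE variable inside the chaincode container, which docker inspect is the right tool for.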