首先,我想提及的是,当未启用TLS时,我的设置就像一个超级按钮。即使在AWS上的Docker Swarm中也可以使用。

当我启用TLS时,问题开始。通过Composer部署.bna文件时,新创建的chaincode容器会生成以下日志:

2017-08-23 13:14:16.389 UTC [Composer] Info -> INFO 001 Setting the Composer pool size to 8
2017-08-23 13:14:16.402 UTC [shim] userChaincodeStreamGetter -> ERRO 002 Error trying to connect to local peer: x509: certificate signed by unknown authority
Error starting chaincode: Error trying to connect to local peer: x509: certificate signed by unknown authority


有趣的是,这在通过作曲家游乐场部署.bna时有效(当我的结构中仍启用TLS时)...

以下是我的连接配置文件:

{
    "name": "test",
    "description": "test",
    "type": "hlfv1",
    "orderers": [
        {
            "url": "grpcs://orderer.company.com:7050",
            "cert": "-----BEGIN CERTIFICATE-----blabla1\n-----END CERTIFICATE-----\n"
        }
    ],
    "channel": "channelname",
    "mspID": "CompanyMSP",
    "ca": {
        "url": "https://ca.company.com:7054",
        "name": "ca-company",
        "trustedRoots": [
            "-----BEGIN CERTIFICATE-----\nblabla2\n-----END CERTIFICATE-----\n"
        ],
        "verify": true
    },
    "peers": [
        {
            "requestURL": "grpcs://peer0.company.com:7051",
            "eventURL": "grpcs://peer0.company.com:7053",
            "cert": "-----BEGIN CERTIFICATE-----\nbalbla3\n-----END CERTIFICATE-----\n"
        }
    ],
    "keyValStore": "/home/composer/.composer-credentials",
    "timeout": 300
}


我的证书是通过cryptogen工具生成的,因此:


orderers.0.cert包含crypto-config/ordererOrganizations/company.com/orderers/orderer.company.com/msp/tlscacerts/tlsca.company.com-cert.pem的值
peers.0.cert包含值crypto-config/peerOrganizations/company.com/peers/peer0.company.com/msp/tlscacerts/tlsca.company.com-cert.pem
ca.trustedRoots.0包含crypto-config/peerOrganizations/company.com/peers/peer0.company.com/tls/ca.crt


我有种感觉,我的trustRoots证书是错误的...

更新
当我执行docker inspect chaincode_container时,我可以看到它缺少ENV变量:CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/peer.crt,而通过游乐场部署的chaincode容器确实具有它...

最佳答案

构建链码映像时,用于构建受信任根的TLS证书是来自以下位置的rootcert

# TLS Settings

# Note that peer-chaincode connections through chaincodeListenAddress is
# not mutual TLS auth. See comments on chaincodeListenAddress for more info
tls:
    enabled:  false
    cert:
        file: tls/server.crt
    key:
        file: tls/server.key
    rootcert:
        file: tls/ca.crt


对等方用于运行gRPC服务的TLS证书为cert证书。

顺便说一句-您使用的是发行分支代码,而不是master分支中的代码-是否正确?

关于ssl - 由于未知授权机构签署的证书,Chaincode容器无法连接到本地对等方,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/45841679/

10-16 18:34