First, I want to mention that with TLS disabled my setup works like a charm. It even works in Docker Swarm on AWS.
The problems start when I enable TLS. When deploying the .bna file through Composer, the newly created chaincode container produces the following log:
2017-08-23 13:14:16.389 UTC [Composer] Info -> INFO 001 Setting the Composer pool size to 8
2017-08-23 13:14:16.402 UTC [shim] userChaincodeStreamGetter -> ERRO 002 Error trying to connect to local peer: x509: certificate signed by unknown authority
Error starting chaincode: Error trying to connect to local peer: x509: certificate signed by unknown authority
Interestingly, this works when deploying the .bna through Composer Playground (with TLS still enabled in my Fabric)...
Here is my connection profile:
{
  "name": "test",
  "description": "test",
  "type": "hlfv1",
  "orderers": [
    {
      "url": "grpcs://orderer.company.com:7050",
      "cert": "-----BEGIN CERTIFICATE-----blabla1\n-----END CERTIFICATE-----\n"
    }
  ],
  "channel": "channelname",
  "mspID": "CompanyMSP",
  "ca": {
    "url": "https://ca.company.com:7054",
    "name": "ca-company",
    "trustedRoots": [
      "-----BEGIN CERTIFICATE-----\nblabla2\n-----END CERTIFICATE-----\n"
    ],
    "verify": true
  },
  "peers": [
    {
      "requestURL": "grpcs://peer0.company.com:7051",
      "eventURL": "grpcs://peer0.company.com:7053",
      "cert": "-----BEGIN CERTIFICATE-----\nbalbla3\n-----END CERTIFICATE-----\n"
    }
  ],
  "keyValStore": "/home/composer/.composer-credentials",
  "timeout": 300
}
My certificates were generated with the cryptogen tool, hence:
orderers.0.cert contains the contents of crypto-config/ordererOrganizations/company.com/orderers/orderer.company.com/msp/tlscacerts/tlsca.company.com-cert.pem
peers.0.cert contains the contents of crypto-config/peerOrganizations/company.com/peers/peer0.company.com/msp/tlscacerts/tlsca.company.com-cert.pem
ca.trustedRoots.0 contains the contents of crypto-config/peerOrganizations/company.com/peers/peer0.company.com/tls/ca.crt
I have a feeling that my trustedRoots certificate is the wrong one...
UPDATE
When I run docker inspect chaincode_container, I can see that it is missing the ENV variable CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/peer.crt, whereas the chaincode container deployed through Playground does have it...
Best answer:
When the chaincode image is built, the TLS certificate used to build the trusted roots is the rootcert from the peer's core.yaml:
# TLS Settings
# Note that peer-chaincode connections through chaincodeListenAddress is
# not mutual TLS auth. See comments on chaincodeListenAddress for more info
tls:
    enabled: false
    cert:
        file: tls/server.crt
    key:
        file: tls/server.key
    rootcert:
        file: tls/ca.crt
The TLS certificate the peer uses to run its gRPC service is the cert certificate.
By the way - you are using the release branch code, not the code from the master branch - is that correct?
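The answer's point is that the chaincode container trusts the peer's tls.rootcert.file (the same CA that belongs in trustedRoots), while the peer serves gRPC with tls.cert.file; the container's error appears whenever the served cert does not chain to that root. The following added example (not code from the question, the answer or Hyperledger Fabric) is a Go check for exactly that relationship, using the same crypto/x509 verification that produces the "x509: certificate signed by unknown authority" message; mintCert is an assumed helper that mints constructed stand-ins for cryptogen's TLS CA and peer server certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// verifyPeerCert checks that the peer's TLS server cert (peerPEM) chains to the root the chaincode container trusts (rootPEM) for host.
func verifyPeerCert(rootPEM, peerPEM []byte, host string) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(rootPEM) // the CA from trustedRoots / tls.rootcert.file
	block, _ := pem.Decode(peerPEM)
	if block == nil {
		return errors.New("peer cert is not a PEM certificate")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err // on a mismatch: "x509: certificate signed by unknown authority"
}

// mintCert builds a self-signed CA (parent == nil) or a server cert signed by parent; a constructed stand-in for cryptogen output.
func mintCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{cn},
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		signer, signKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

To check a real deployment, read the trustedRoots entry and the peer's tls/server.crt from disk and pass them to verifyPeerCert with the peer's host name; a hostname mismatch is reported as well, since the chaincode container dials the peer by name.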
Original question on Stack Overflow (ssl - Chaincode container cannot connect to local peer due to certificate signed by unknown authority): https://stackoverflow.com/questions/45841679/