[英]fabric-ca-server connect to mysql with ssl
I read this doc https://hyperledger-fabric-ca.readthedocs.io/en/release-1.0/users-guide.html#mysql-ssl-configuration to set fabric-ca-server connect to mysql with ssl. 我阅读了此文档https://hyperledger-fabric-ca.readthedocs.io/en/release-1.0/users-guide.html#mysql-ssl-configuration来设置fabric-ca-server使用ssl连接到mysql。 I use openssl generate the CA files, and copy client side files to the fabric-ca-server(by volumns in docker-compose) 我使用openssl生成CA文件,并将客户端文件复制到fabric-ca-server(通过docker-compose中的卷)
here is the variables about tls in fabric-ca-server: 这是fabric-ca-server中有关tls的变量:
- FABRIC_CA_SERVER_DB_TLS_CERTFILES=/etc/hyperledger/fabric-ca-server-config/mysql-ssl/ca.pem
- FABRIC_CA_SERVER_DB_TLS_CLIENT_CERTFILE=/etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-cert.pem
- FABRIC_CA_SERVER_DB_TLS_CLIENT_KEYFILE=/etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-key.pem
I get logs in fabric-ca containers: 我在fabric-ca容器中获取日志:
CA Files: [/etc/hyperledger/fabric-ca-server-config/mysql-ssl/ca.pem] 2018/05/23 08:20:32 [DEBUG] Client Cert File: /etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-cert.pem 2018/05/23 08:20:32 [DEBUG] Client Key File: /etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-key.pem 2018/05/23 08:20:32 [DEBUG] Check client TLS certificate for valid dates 2018/05/23 08:20:32 [DEBUG] Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: CSP:500 - Failed getting key for SKI [[250 75 118 17 13 151 30 107 89 252 20 23 73 26 157 142 242 68 135 173 169 174 26 220 55 109 100 221 107 41 99 135]] /opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw/impl.go:257 github.com/hyperledger/fabric-ca/vendor/github.com/hyperledger/fabric/bccsp/sw.(*impl).GetKey /opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:218 github.com/hyperledger/fabric-ca/util.GetSignerFromCert /opt/gopath/src/github.com/hyperledger/fabric-ca/util/csp.go:340 github.com/hyperledger/fabric-ca/util.LoadX509KeyPair /opt/gopath/src/github.com/hyperledger/fabric-ca/lib/tls/tls.go:78 github.com/hyperledger/fabric-ca/lib/tls.GetClientTLSConfig /opt/gopath/src/github.com/hyperledger/fabric-ca/lib/dbutil/dbutil.go:182 github.com/hyperledger/fabric-ca/lib/dbutil.NewUserRegistryMySQL /opt/gopath/src/github.com/hyperledger/fabric-ca/lib/ca.go:539 github.com/hyperledger/fabric-ca/lib.(*CA).initDB /opt/gopath/src/github.com/hyperledger/fabric-ca/lib/ca.go:155 github.com/hyperledger/fabric-ca/lib.(*CA).init /opt/gopath/src/github.com/hyperledger/fabric-ca/lib/ca.go:126 github.com/hyperledger/fabric-ca/lib.initCA /opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:266 github.com/hyperledger/fabric-ca/lib.(*Server).initDefaultCA /opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:97 github.com/hyperledger/fabric-ca/lib.(*Server).Init /opt/gopath/src/github.com/hyperledger/fabric-ca/lib/server.go:116 github.com/hyperledger/fabric-ca/lib.(*Server).Start /opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/start.go:41 main.runStart /opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:643 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).execute /opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:734 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).ExecuteC /opt/gopath/src/github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra/command.go:692 github.com/hyperledger/fabric-ca/vendor/github.com/spf13/cobra.(*Command).Execute /opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:95 main.RunMain /opt/gopath/src/github.com/hyperledger/fabric-ca/cmd/fabric-ca-server/main.go:82 main.main /opt/go/src/runtime/proc.go:192 runtime.main /opt/go/src/runtime/asm_amd64.s:2087 runtime.goexit Caused by: Key type not recognized 2018/05/23 08:20:32 [DEBUG] Attempting fallback with certfile /etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-cert.pem and keyfile /etc/hyperledger/fabric-ca-server-config/mysql-ssl/client-key.pem
I also use other ways to connect to the mysql:one is starting a another mysql container as a client to connect to mysql server with ssl ;another is using MySQLWorkbench in my host machine with ssl by exposing mysql server port to my host machine. 我还使用其他方式连接到mysql:一种是作为客户端启动另一个mysql容器,以使用ssl连接到mysql服务器;另一种是通过将mysql服务器端口暴露在我的主机上,在带ssl的主机中使用MySQLWorkbench。
with this state SELECT sbt.variable_value AS tls_version, t2.variable_value AS cipher, processlist_user AS user, processlist_host AS host FROM performance_schema.status_by_thread AS sbt JOIN performance_schema.threads AS t ON t.thread_id = sbt.thread_id JOIN performance_schema.status_by_thread AS t2 ON t2.thread_id = t.thread_id WHERE sbt.variable_name = 'Ssl_version' and t2.variable_name = 'Ssl_cipher' ORDER BY tls_version;
状态为SELECT sbt.variable_value AS tls_version, t2.variable_value AS cipher, processlist_user AS user, processlist_host AS host FROM performance_schema.status_by_thread AS sbt JOIN performance_schema.threads AS t ON t.thread_id = sbt.thread_id JOIN performance_schema.status_by_thread AS t2 ON t2.thread_id = t.thread_id WHERE sbt.variable_name = 'Ssl_version' and t2.variable_name = 'Ssl_cipher' ORDER BY tls_version;
enter image description here 在此处输入图片说明
so , I wonder the certification I generated works, but something wrong in the fabric-ca code ? 因此,我想知道我生成的认证是否有效,但是fabric-ca代码有问题吗?
with help and trying many times, I find the solution: 在很多次的帮助下,我找到了解决方案:
first, the environment of ca in docker-compose.yml must set as 首先,必须将docker-compose.yml中的ca环境设置为
FABRIC_CA_SERVER_DB_DATASOURCE=****:****@tcp(mysql_ca:3306)/fabric_ca?parseTime=true&tls=custom FABRIC_CA_SERVER_DB_DATASOURCE = ****:**** @ tcp(mysql_ca:3306)/ fabric_ca?parseTime = true&tls = custom
the mysql_ca is name of mysql container, and the &tls=custom must be added. mysql_ca是mysql容器的名称,必须添加&tls = custom 。
second , while generating the ssl cert, the common name must be same as the name of mysql container.also, the common name can be specified in cli: 其次 ,在生成ssl cert时,通用名称必须与mysql容器的名称相同。此外,通用名称可以在cli中指定:
openssl req -newkey rsa:2048 -days 3600 \\ -nodes -keyout server-key.pem -subj /CN=mysql_ca -out server-req.pem openssl req -newkey rsa:2048 -days 3600 \\ -nodes -keyout server-key.pem -subj / CN = mysql_ca -out server-req.pem
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.