
Why am I getting a TLS handshake error when I try to connect from the Hyperledger Java SDK to a blockchain in Docker Swarm?

I have deployed the Fabric basic sample setup (2 organizations, 2 peers, 2 CAs and 1 orderer) using Docker Swarm (tested, works fine). I connect each entity to the others over a dedicated network, like this:

networks:
  bymn:
    external:
      name: fabric

           [.  .  .]

    networks:
      bymn:
        aliases:
          - peer1.org2.example.com

I am trying to connect to the blockchain (channel) with this Java code:

import java.nio.file.Path;
import java.nio.file.Paths;
import org.hyperledger.fabric.gateway.Gateway;
import org.hyperledger.fabric.gateway.Network;

Path networkConfigPath = Paths.get("./networkConfig.json");

// wallet holds the enrolled "appUser" identity; service discovery is enabled
Gateway.Builder builder = Gateway.createBuilder();
builder.identity(wallet, "appUser").networkConfig(networkConfigPath).discovery(true);

// create a gateway connection
try (Gateway gateway = builder.connect()) {
    // get the network and contract
    Network network = gateway.getNetwork("channel");
    System.out.println("Sucsesfully created connection with blockchain with channelName: channel");
...

appUser was created correctly, without errors, using these 2 classes from the fabric-samples GitHub repository: EnrollAdmin.java and RegisterUser.java

Contents of networkConfig.json:

{
  "name" : "umu.fabric",
  "description" : "Connection profile for umu 2orgs-fabric-blockchain test",
  "version" : "1.0.0",
  "client" : {
    "organization" : "Org1",
    "connection" : {
      "timeout" : {
        "peer" : {
          "endorser" : 3000
        },
        "orderer" : 3000
      }
    }
  },
  "channels" : {
    "channel" : {
      "orderers" : [ "orderer.example.com" ],
      "peers" : {
        "peer1.org1.example.com" : {
          "endorsingPeer" : true,
          "chaincodeQuery" : true,
          "ledgerQuery" : true,
          "eventSource" : true
        },
        "peer0.org1.example.com" : {
          "endorsingPeer" : true,
          "chaincodeQuery" : true,
          "ledgerQuery" : true,
          "eventSource" : true
        }
      }
    }
  },
  "organizations" : {
    "Org1" : {
      "mspid" : "Org1MSP",
      "peers" : [ "peer0.org1.example.com", "peer1.org1.example.com" ],
      "certificateAuthorities" : [ "ca.org1.example.com" ]
    },
    "Org2" : {
      "mspid" : "Org2MSP",
      "peers" : [ "peer0.org2.example.com", "peer1.org2.example.com" ],
      "certificateAuthorities" : [ "ca.org2.example.com" ]
    }
  },
  "orderers" : {
    "orderer.example.com" : {
      "url" : "grpcs://orderer.example.com:7050"
    }
  },
  "peers" : {
    "peer0.org1.example.com" : {
      "url" : "grpcs://peer0.org1.example.com:7051"
    },
    "peer1.org1.example.com" : {
      "url" : "grpcs://peer1.org1.example.com:7051"
    },
    "peer0.org2.example.com" : {
      "url" : "grpcs://peer0.org2.example.com:7051"
    },
    "peer1.org2.example.com" : {
      "url" : "grpcs://peer1.org2.example.com:7051"
    }
  },
  "certificateAuthorities" : {
    "ca.org2.example.com" : {
      "url" : "https://ca.org2.example.com:7054"
    },
    "ca.org1.example.com" : {
      "url" : "https://ca.org1.example.com:7054",
      "httpOptions" : {
        "verify" : false
      },
      "registrar" : [ {
        "enrollId" : "admin",
        "enrollSecret" : "adminpw"
      } ]
    }
  }
}

(Sorry for pasting the whole file, but I'm really lost at this point.)

I get the following error in the peer logs:

TLS handshake failed with error remote error: tls: internal error server=PeerServer remoteaddress=X.X.X.X

This is what I get from Java:

2020-07-14T13:25:31.124894206Z Successfully enrolled user "admin" and imported it into the wallet
2020-07-14T13:25:31.414993872Z Successfully enrolled user "appUser" and imported it into the wallet
2020-07-14T13:25:32.446634370Z 13:25:32.430 [main] ERROR org.hyperledger.fabric.sdk.Channel - Channel Channel{id: 1, name: channel} Sending proposal with transaction: 3919e41a6303faf9d59a5c78d70364ef8df1a458f52cf8cd7659c7c19a2dec3c to Peer{ id: 4, name: peer0.org1.example.com, channelName: channel, url: grpcs://peer0.org1.example.com:7051, mspid: Org1MSP} failed because of: gRPC failure=Status{code=UNAVAILABLE, description=io exception
2020-07-14T13:25:32.446672215Z Channel Pipeline: [SslHandler#0, ProtocolNegotiators$ClientTlsHandler#0, WriteBufferingAndExceptionHandler#0, DefaultChannelPipeline$TailContext#0], cause=javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
2020-07-14T13:25:32.446679901Z  at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.handshakeException(ReferenceCountedOpenSslEngine.java:1735)
2020-07-14T13:25:32.446686221Z  at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.wrap(ReferenceCountedOpenSslEngine.java:775)
2020-07-14T13:25:32.446692373Z  at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:509)
[...........]

2020-07-14T13:25:32.494862402Z Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2020-07-14T13:25:32.494868350Z  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
2020-07-14T13:25:32.494873876Z  at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
2020-07-14T13:25:32.494879383Z  at sun.security.validator.Validator.validate(Validator.java:260)
2020-07-14T13:25:32.494884872Z  at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
2020-07-14T13:25:32.494890328Z  at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
2020-07-14T13:25:32.494895764Z  at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
2020-07-14T13:25:32.494901281Z  at io.netty.handler.ssl.OpenSslTlsv13X509ExtendedTrustManager.checkServerTrusted(OpenSslTlsv13X509ExtendedTrustManager.java:223)
2020-07-14T13:25:32.494906971Z  at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:255)
2020-07-14T13:25:32.494912650Z  at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:701)
2020-07-14T13:25:32.494918288Z  at io.netty.internal.tcnative.SSL.readFromSSL(Native Method)
2020-07-14T13:25:32.494927598Z  at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:594)
2020-07-14T13:25:32.494933532Z  at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1179)
2020-07-14T13:25:32.494939139Z  at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1296)
2020-07-14T13:25:32.494944788Z  at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1339)
2020-07-14T13:25:32.494950326Z  at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:206)
2020-07-14T13:25:32.494955832Z  at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1372)
2020-07-14T13:25:32.494961250Z  ... 21 more
2020-07-14T13:25:32.494966697Z Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2020-07-14T13:25:32.494972350Z  at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
2020-07-14T13:25:32.494977910Z  at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
2020-07-14T13:25:32.494983467Z  at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
2020-07-14T13:25:32.495008727Z  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
2020-07-14T13:25:32.495014147Z  ... 36 more
2020-07-14T13:25:32.495019299Z }
2020-07-14T13:25:32.495024348Z  at org.hyperledger.fabric.sdk.Channel.getConfigBlock(Channel.java:952) ~[jar.jar:?]
2020-07-14T13:25:32.495045286Z  at org.hyperledger.fabric.sdk.Channel.getConfigBlock(Channel.java:907) ~[jar.jar:?]
2020-07-14T13:25:32.495050298Z  at org.hyperledger.fabric.sdk.Channel.parseConfigBlock(Channel.java:1994) [jar.jar:?]
2020-07-14T13:25:32.495070605Z  at org.hyperledger.fabric.sdk.Channel.loadCACertificates(Channel.java:1831) [jar.jar:?]
2020-07-14T13:25:32.495075445Z  at org.hyperledger.fabric.sdk.Channel.initialize(Channel.java:1222) [jar.jar:?]
2020-07-14T13:25:32.495080259Z  at org.hyperledger.fabric.gateway.impl.NetworkImpl.initializeChannel(NetworkImpl.java:59) [jar.jar:?]
2020-07-14T13:25:32.495100248Z  at org.hyperledger.fabric.gateway.impl.NetworkImpl.<init>(NetworkImpl.java:50) [jar.jar:?]
2020-07-14T13:25:32.495105836Z  at org.hyperledger.fabric.gateway.impl.GatewayImpl.getNetwork(GatewayImpl.java:252) [jar.jar:?]
2020-07-14T13:25:32.495110888Z  at org.umu.controllers.BlockchainController.runApp(BlockchainController.java:50) [jar.jar:?]
2020-07-14T13:25:32.495115947Z  at org.umu.controllers.BlockchainController.main(BlockchainController.java:35) [jar.jar:?]
2020-07-14T13:25:32.630988706Z Sucsesfully created connection with blockchain with channelName: channel

Solution? I have seen in several answers that SANs should be added to the peers. So I did this:

PeerOrgs:
  - Name: Org1
[.............]
    Specs:
      - Hostname: peer0
        CommonName: peer0.org1.example.com # overrides Hostname-based FQDN set above
        SANS:
          - "peer0.org1.example.com"
          - "peer0"
[.............]

Verified with the openssl command:

openssl x509 -in crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt -text -noout
[.....]
X509v3 Subject Alternative Name: 
                DNS:peer0.org1.example.com, DNS:peer0, DNS:peer0.org1.example.com, DNS:peer0, DNS:localhost, DNS:peer0.org1.example.com, DNS:peer0, DNS:peer0.org1.example.com, DNS:peer0, DNS:localhost, DNS:peer0.org1.example.com, DNS:peer0, DNS:peer0.org1.example.com, DNS:peer0, DNS:localhost, DNS:peer0.org1.example.com, DNS:peer0, DNS:peer0.org1.example.com, DNS:peer0, DNS:localhost, DNS:peer0.org1.example.com, DNS:peer0, DNS:peer0.org1.example.com, DNS:peer0, DNS:localhost
    Signature Algorithm: ecdsa-with-SHA256
[.....]

I don't know what else to do.

OK, I ran into the same problem as in this thread.

I needed to add the certificate files (.pem or .crt files) to the JVM truststore.

sudo keytool -import -file crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt -alias peer0.org1.example.com -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -storepass changeit
sudo keytool -import -file crypto-config/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/tls/server.crt -alias peer1.org1.example.com -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -storepass changeit
sudo keytool -import -file crypto-config/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tls/server.crt -alias peer1.org2.example.com -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -storepass changeit
sudo keytool -import -file crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.crt -alias peer0.org2.example.com -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -storepass changeit
sudo keytool -import -file crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt  -alias orderer.example.com -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -storepass changeit
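The connection profile in the question carries no tlsCACerts entries, so the SDK validates peer and orderer certificates against the JVM default truststore, which is what the keytool imports above work around. The linter below is an added example, not code from the post or from Hyperledger Fabric; its sample profile and the tlsca path are constructed (following the cryptogen directory layout), and it flags grpcs endpoints that lack a trust anchor, plaintext grpc endpoints, and the verify:false CA option.

```python
"""Lint a Fabric connection profile for TLS trust settings (added example).

A grpcs:// peer or orderer without "tlsCACerts" ("pem" or "path") leaves the
Java SDK on the JVM default truststore, which is the PKIX error above; a CA
with httpOptions.verify=false skips certificate checks during enrollment.
"""
import json

# Constructed sample modelled on the question's profile: peer0 has a trust
# anchor, peer1 and the orderer do not, and ca.org1 has verify=false.
SAMPLE_PROFILE = json.dumps({
    "peers": {
        "peer0.org1.example.com": {
            "url": "grpcs://peer0.org1.example.com:7051",
            "tlsCACerts": {"path": "crypto-config/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem"},
        },
        "peer1.org1.example.com": {"url": "grpcs://peer1.org1.example.com:7051"},
    },
    "orderers": {"orderer.example.com": {"url": "grpcs://orderer.example.com:7050"}},
    "certificateAuthorities": {
        "ca.org1.example.com": {
            "url": "https://ca.org1.example.com:7054",
            "httpOptions": {"verify": False},
        },
    },
})

NO_ANCHOR = "grpcs endpoint without tlsCACerts; SDK falls back to the JVM default truststore"
PLAINTEXT = "plaintext grpc:// endpoint; traffic to this node is unencrypted"
NO_VERIFY = "httpOptions.verify=false disables TLS verification for CA enrollment"


def lint_profile(profile_json):
    """Return sorted (node_name, finding) tuples for a connection profile string."""
    profile = json.loads(profile_json)
    findings = []
    for section in ("peers", "orderers"):
        for name, node in profile.get(section, {}).items():
            url = node.get("url", "")
            certs = node.get("tlsCACerts", {})
            if url.startswith("grpcs://") and not (certs.get("pem") or certs.get("path")):
                findings.append((name, NO_ANCHOR))
            elif url.startswith("grpc://"):
                findings.append((name, PLAINTEXT))
    for name, ca in profile.get("certificateAuthorities", {}).items():
        if ca.get("httpOptions", {}).get("verify") is False:
            findings.append((name, NO_VERIFY))
    return sorted(findings)
```

Carrying each org's TLS CA in the profile scopes trust to the application instead of widening the system-wide cacerts with individual server certificates.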
