TLS handshake fails when raft mode is enabled
I have a running Hyperledger Fabric network with TLS and Kafka consensus. Now I have been trying to move to Raft, and I always get this message in the orderers: TLS handshake failed with error tls: first record does not look like a TLS handshake server=Orderer remoteaddress=IP:PORT
As I said, TLS worked perfectly before the change.
Now I will show you what I have done related to RAFT and the TLS connection. First, I modified the configtx.yaml file, specifically the part related to the Ordering Service.
configtx.yaml section
    Orderer: &OrdererDefaults
      OrdererType: etcdraft
      Addresses:
        - orderer0.org1:7050
        - orderer0.org2:7050
        - orderer0.org3:7050
      EtcdRaft:
        Consenters:
          - Host: orderer0.org1
            Port: 7050
            ClientTLSCert: /data/org1/orderers/orderer0/tls/client.crt
            ServerTLSCert: /data/org1/orderers/orderer0/tls/server.crt
          - Host: orderer0.org2
            Port: 7050
            ClientTLSCert: /data/org2/orderers/orderer0/tls/client.crt
            ServerTLSCert: /data/org2/orderers/orderer0/tls/server.crt
          - Host: orderer0.org3
            Port: 7050
            ClientTLSCert: /data/org3/orderers/orderer0/tls/client.crt
            ServerTLSCert: /data/org3/orderers/orderer0/tls/server.crt
      Organizations:
        - *org1
        - *org2
        - *org3
      Policies:
        Readers:
          Type: ImplicitMeta
          Rule: "ANY Readers"
        Writers:
          Type: ImplicitMeta
          Rule: "ANY Writers"
        Admins:
          Type: ImplicitMeta
          Rule: "MAJORITY Admins"
        BlockValidation:
          Type: ImplicitMeta
          Rule: "ANY Writers"
      Capabilities:
        <<: *OrdererCapabilities
As can be seen, the TLS client and server certificates of each organization's orderer are required, so I generate them in each orderer container and upload them to a MinIO server that I use for sharing.
    echo "[INFO] Generating Client TLS Key and Certificate..."
    fabric-ca-client enroll -d --enrollment.profile tls -u ${ENROLLMENT_URL} -M /tmp/tls --csr.hosts ${ORDERER_HOST}
    echo "[INFO] Uploading Client TLS Certificate to Minio"
    python3 /scripts/minio_upload.py --url ${STORAGE_URL} --access-key ${STORAGE_ACCESS_KEY} --secret-key ${STORAGE_SECRET_KEY} --bucket-name ${ORG} --local-path ${ORDERER_GENERAL_TLS_CLIENTCERT_FILE} --remote-path orderers/${ORDERER_NAME}/tls/$(basename ${ORDERER_GENERAL_TLS_CLIENTCERT_FILE})
    echo "[INFO] Client TLS Certificate uploaded"
    echo "[INFO] Enrolling orderer..."
    fabric-ca-client enroll -d --enrollment.profile tls -u ${ENROLLMENT_URL} -M /tmp/tls --csr.hosts ${ORDERER_HOST}
    echo "[INFO] Uploading Server TLS Certificate to Minio"
    python3 /scripts/minio_upload.py --url ${STORAGE_URL} --access-key ${STORAGE_ACCESS_KEY} --secret-key ${STORAGE_SECRET_KEY} --bucket-name ${ORG} --local-path ${ORDERER_GENERAL_TLS_CERTIFICATE} --remote-path orderers/${ORDERER_NAME}/tls/$(basename ${ORDERER_GENERAL_TLS_CERTIFICATE})
    echo "[INFO] Server TLS Certificate uploaded"
Once each orderer has generated and uploaded its certificates, I run a new container that I call genesis, where I download configtx.yaml, all the orderer certificates (to the paths defined in configtx.yaml) and other things in order to generate the genesis block, the channel tx and the anchor peer updates. After that, in each orderer I also download all the orderer certificates (I don't know whether it is needed) to the same paths and, of course, copy the genesis block.
In all orderers I have set ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED and ORDERER_GENERAL_TLS_ENABLED to true. For example, this is the TLS configuration of orderer0.org1.
    env:
      - name: ORDERER_GENERAL_TLS_CERTIFICATE
        value: /etc/hyperledger/orderer/tls/server.crt
      - name: ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED
        value: "false"
      - name: ORDERER_GENERAL_TLS_CLIENTCERT_FILE # This is exposed for TLS connections
        value: /shared-storage/tls/orderer0/client.crt
      - name: ORDERER_GENERAL_TLS_CLIENTKEY_FILE # This is exposed for TLS connections
        value: /shared-storage/tls/orderer0/client.key
      - name: ORDERER_GENERAL_TLS_CLIENTROOTCAS # Has to be the same as FABRIC_CA_CLIENT_TLS_CERTFILES
        value: '[/shared-storage/org1/ca-chain.pem]'
      - name: ORDERER_GENERAL_TLS_ENABLED
        value: "true"
      - name: ORDERER_GENERAL_TLS_PRIVATEKEY
        value: /etc/hyperledger/orderer/tls/server.key
      - name: ORDERER_GENERAL_TLS_ROOTCAS # Has to be the same as FABRIC_CA_CLIENT_TLS_CERTFILES
        value: '[/shared-storage/org1/ca-chain.pem]'
What am I missing? Where is the problem? Thank you very much.
Edited
You are missing these environment variables for the orderers:
    - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/shared-storage/tls/orderer0/client.crt
    - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/shared-storage/tls/orderer0/client.key
    # I find strange you use org1 CA in your conf, but I trust you...
    - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/shared-storage/org1/ca-chain.pem]
The error message "first record does not look like a TLS handshake" indicates that you have a "client" trying to open a plain (i.e. non-TLS) connection. Make sure all connections are set to use TLS in all kinds of "clients" (i.e. other ordering nodes, peers, client applications using the SDK, etc.).
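The error quoted in the answer is produced by the first-record check in Go's crypto/tls, which the Fabric orderer is built on. The following helper is an added example, not code from the question, the answer or Fabric itself: it reproduces that check (as I understand it from Go's source; treat the exact limits as an assumption) over the first bytes a listener receives, so that a packet capture or a peek at a misbehaving connection can be sorted into a real TLS ClientHello, a plaintext gRPC client (which starts with the HTTP/2 preface), a plaintext HTTP/1 request, or something else. All sample bytes are constructed.

```python
import struct

# Limits taken from Go's crypto/tls, which the Fabric orderer is built on
# (assumption: this mirrors the first-record check in conn.readRecordOrCCS).
RECORD_HEADER_LEN = 5
MAX_CIPHERTEXT = 16384 + 2048
HTTP2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # every plaintext HTTP/2 (gRPC) client starts with this
HTTP1_METHODS = (b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS")

def looks_like_tls_handshake(data: bytes) -> bool:
    """True if the first 5 bytes form a plausible TLS record header.

    Go fails with "first record does not look like a TLS handshake" when the
    record type is neither handshake (0x16) nor alert (0x15), the version's high
    byte is >= 0x10, or the declared length exceeds maxCiphertext.
    """
    if len(data) < RECORD_HEADER_LEN:
        return False
    rec_type, version, length = struct.unpack("!BHH", data[:RECORD_HEADER_LEN])
    if rec_type not in (0x15, 0x16) or version >= 0x1000:
        return False
    return length < MAX_CIPHERTEXT + RECORD_HEADER_LEN

def classify_first_bytes(data: bytes) -> str:
    """Label what kind of 'client' produced the first bytes of a connection."""
    if looks_like_tls_handshake(data):
        return "tls"
    if data.startswith(HTTP2_PREFACE):
        return "plaintext-grpc"   # a Fabric node or SDK client with TLS disabled
    if data.split(b" ", 1)[0] in HTTP1_METHODS:
        return "plaintext-http1"  # e.g. a health check or curl against the gRPC port
    return "unknown"

# Constructed samples of the first bytes a listener on :7050 might receive.
SAMPLES = {
    # ClientHello record: type 0x16, version 0x0301, length 0xf4, then handshake body
    "tls-clienthello": bytes.fromhex("16030100f4010000f00303") + b"\x00" * 32,
    "plaintext-grpc": HTTP2_PREFACE + b"\x00\x00\x12\x04",
    "plaintext-http1": b"GET /healthz HTTP/1.1\r\nHost: orderer0.org1:7050\r\n\r\n",
    "application-data-first": b"\x17\x03\x03\x00\x10" + b"\x00" * 16,
}

def triage(samples: dict) -> dict:
    """Map each captured sample name to its classification."""
    return {name: classify_first_bytes(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, label in triage(SAMPLES).items():
        print(f"{name:24s} -> {label}")
```

A "plaintext-grpc" result for the remote address in the orderer log points at a Fabric node or SDK client whose TLS is switched off, which is exactly the situation the answer describes.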