
Hyperledger fabric: TLS Handshake fails with error "no TLS certificate sent" using intermediate CA certificate

I am deploying a blockchain in Azure using Hyperledger Fabric v1.4 with Raft. I created my certificates with openssl and signed them with an external CA, and the CA is not a root CA, so I have an intermediate CA certificate.

I created my genesis block using configtx.yaml and this msp folder structure:

configtx.yaml

    Organizations:
    - &ordererOrg
        Name: orderer
        ID: orderer
        MSPDir: /crypto/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('orderer.member')"
            Writers:
                Type: Signature
                Rule: "OR('orderer.member')"
            Admins:
                Type: Signature
                Rule: "OR('orderer.admin')" 
    Capabilities:
        Channel: &ChannelCapabilities
            V1_4_3: true
        Orderer: &OrdererCapabilities
            V1_4_2: true
        Application: &ApplicationCapabilities
            V1_4_2: true
    Application: &ApplicationDefaults
        Organizations:
        Policies:
            Readers:
                Type: ImplicitMeta
                Rule: "ANY Readers"
            Writers:
                Type: ImplicitMeta
                Rule: "ANY Writers"
            Admins:
                Type: ImplicitMeta
                Rule: "MAJORITY Admins"
        Capabilities:
            <<: *ApplicationCapabilities
    Orderer: &OrdererDefaults
        OrdererType: solo
        BatchTimeout: 2s
        BatchSize:
            MaxMessageCount: 10
            AbsoluteMaxBytes: 99 MB
            PreferredMaxBytes: 512 KB
        Kafka:
            Brokers:
                - 127.0.0.1:9092
        Organizations:
        Policies:
            Readers:
                Type: ImplicitMeta
                Rule: "ANY Readers"
            Writers:
                Type: ImplicitMeta
                Rule: "ANY Writers"
            Admins:
                Type: ImplicitMeta
                Rule: "MAJORITY Admins"
            BlockValidation:
                Type: ImplicitMeta
                Rule: "ANY Writers"
    Channel: &ChannelDefaults
        Policies:
            Readers:
                Type: ImplicitMeta
                Rule: "ANY Readers"
            Writers:
                Type: ImplicitMeta
                Rule: "ANY Writers"
            Admins:
                Type: ImplicitMeta
                Rule: "MAJORITY Admins"
        Capabilities:
            <<: *ChannelCapabilities
    Profiles:
        SampleEtcdRaftProfile:
            <<: *ChannelDefaults
            Capabilities:
                <<: *ChannelCapabilities
            Orderer:
                <<: *OrdererDefaults
                OrdererType: etcdraft
                Addresses:
                    - orderer1.xxxx.eastus.aksapp.io:443
                    - orderer2.xxxx.eastus.aksapp.io:443
                Organizations:
                - *ordererOrg
                EtcdRaft:
                    Consenters:
                        - Host: orderer1
                          Port: 7050
                          ClientTLSCert: /crypto/orderers/orderer1/tls/server.crt
                          ServerTLSCert: /crypto/orderers/orderer1/tls/server.crt
                        - Host: orderer2
                          Port: 7050
                          ClientTLSCert: /crypto/orderers/orderer2/tls/server.crt
                          ServerTLSCert: /crypto/orderers/orderer2/tls/server.crt
                Capabilities:
                    <<: *OrdererCapabilities
            Application:
                <<: *ApplicationDefaults
                Organizations:
                    - <<: *ordererOrg
            Consortiums:
                SampleConsortium:
                    Organizations:
                        - *ordererOrg

MSP folder structure:

+ /crypto
  configtx.yaml
  + msp
    + cacerts > ca.crt
    + tlscacerts > ca.crt
    + intermediatecerts > intermediate.crt
    + tlsintermediatecerts > intermediate.crt
    + admincerts > admin.crt
  + orderers
    + orderer1/tls > server.crt
    + orderer2/tls > server.crt

I created my genesis block with this:

configtxgen -profile SampleEtcdRaftProfile -outputBlock genesis.block -channelID mychannel

In my orderer, the msp structure is like this:

+ /var/hyperledger/orderer
  genesis.block
  + msp
    + cacerts > ca.crt
    + intermediatecerts > intermediate.crt
    + admincerts > admin.crt
    + signcerts > cert.pem
    + keystore > key.pem
  + tls
    server.crt
    server.key
    ca.crt
    intermediate.crt

These are my environment variables:

ORDERER_GENERAL_TLS_ENABLED=true
ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
ORDERER_GENERAL_TLS_CLIENTROOTCAS=/var/hyperledger/orderer/tls/chain.crt
ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=false
ORDERER_GENERAL_TLS_CLIENTROOTCAS=/var/hyperledger/orderer/tls/chain.crt
ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/var/hyperledger/orderer/tls/server.key
ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/var/hyperledger/orderer/tls/server.crt
ORDERER_GENERAL_CLUSTER_ROOTCAS=/var/hyperledger/orderer/tls/chain.crt

I'm not sure why the structure is different and the tls files are somewhere else, but I am copying the configuration from the Azure Hyperledger template, which I have already used successfully.

Now my orderers are running, but orderer1 keeps starting a new election, orderer2 becomes a candidate, and eventually it fails with a TLS handshake error.

These are the error logs from orderer1:

2021-03-24 17:37:49.717 UTC [orderer.consensus.etcdraft] Step -> INFO a16 1 is starting a new election at term 1 channel=testchainid node=1
2021-03-24 17:37:49.717 UTC [orderer.consensus.etcdraft] becomePreCandidate -> INFO a17 1 became pre-candidate at term 1 channel=testchainid node=1
2021-03-24 17:37:49.717 UTC [orderer.consensus.etcdraft] poll -> INFO a18 1 received MsgPreVoteResp from 1 at term 1 channel=testchainid node=1
2021-03-24 17:37:49.717 UTC [orderer.consensus.etcdraft] campaign -> INFO a19 1 [logterm: 1, index: 2] sent MsgPreVote request to 2 at term 1 channel=testchainid node=1
2021-03-24 17:37:49.718 UTC [orderer.consensus.etcdraft] send -> INFO a1a Successfully sent StepRequest to 2 after failed attempt(s) channel=testchainid node=1
2021-03-24 17:37:52.406 UTC [orderer.common.cluster] func1 -> WARN a1b Certificate of unidentified node from 172.32.0.141:54008 for channel testchainid expires in less than -2562047h47m16.854775808s
2021-03-24 17:37:52.406 UTC [comm.grpc.server] 1 -> INFO a1c streaming call completed grpc.service=orderer.Cluster grpc.method=Step grpc.peer_address=172.32.0.141:54008 error="no TLS certificate sent" grpc.code=Unknown grpc.call_duration=269.221µs

These are the error logs from orderer2:

2021-03-24 21:40:51.240 UTC [orderer.consensus.etcdraft] logSendFailure -> ERRO 2e36 Failed to send StepRequest to 1, because: aborted channel=testchainid node=2
2021-03-24 21:40:52.239 UTC [orderer.consensus.etcdraft] Step -> INFO 2e37 2 is starting a new election at term 1 channel=testchainid node=2
2021-03-24 21:40:52.239 UTC [orderer.consensus.etcdraft] becomePreCandidate -> INFO 2e38 2 became pre-candidate at term 1 channel=testchainid node=2
2021-03-24 21:40:52.239 UTC [orderer.consensus.etcdraft] poll -> INFO 2e39 2 received MsgPreVoteResp from 2 at term 1 channel=testchainid node=2
2021-03-24 21:40:52.239 UTC [orderer.consensus.etcdraft] campaign -> INFO 2e3a 2 [logterm: 1, index: 2] sent MsgPreVote request to 1 at term 1 channel=testchainid node=2
2021-03-24 21:40:52.239 UTC [orderer.consensus.etcdraft] send -> INFO 2e3b Successfully sent StepRequest to 1 after failed attempt(s) channel=testchainid node=2
2021-03-24 21:40:54.042 UTC [orderer.common.cluster] func1 -> WARN 2e40 Certificate of unidentified node from 172.32.0.211:58714 for channel testchainid expires in less than -2562047h47m16.854775808s
2021-03-24 21:40:54.042 UTC [comm.grpc.server] 1 -> INFO 2e41 streaming call completed grpc.service=orderer.Cluster grpc.method=Step grpc.peer_address=172.32.0.211:58714 error="no TLS certificate sent" grpc.code=Unknown grpc.call_duration=127.311µs

I tried passing to the ROOTCAS env variables: only the root CA certificate, only the intermediate CA certificate, the appended chain in pem format with the root first and then the intermediate, the appended chain in the reverse order, and an array of the CA and intermediate certificates. In every case I get "no TLS certificate sent", except in the case with only the CA certificate, which gives me a "certificate signed by unknown authority" error.

This is how I appended my CA certificates:

-----BEGIN CERTIFICATE-----
INTERMEDIATExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOTCERTxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----

I tried openssl verify -CAfile chain.crt orderer1-tls.crt and it returns OK.

I tested my URLs with telnet and they are fine.

I have double-checked all the values, but I guess that if they were incorrect the orderer would not even run; I followed this script from Azure to create the genesis block, adding only the intermediate information.

Also, while testing I am modifying the /etc/hosts file to get DNS resolution; could that be the cause of my error?

Any suggestion would be great.

Thanks

The problem was with this environment variable:

ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=false

I'm not sure why it is disabled in the Azure template, but changing it to true lets the orderers reach consensus.
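An added example, not code from the question, the answer or Hyperledger Fabric: the orderer is a Go program and its Raft cluster port is a Go crypto/tls server, so the behaviour behind the fix above can be reproduced with the standard library alone. A TLS server whose ClientAuth is NoClientCert (what ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=false selects) never sends a CertificateRequest, so the client never presents its certificate and the server finishes the handshake with an empty peer chain. That is the state the cluster layer reports as "no TLS certificate sent", because Raft identifies each consenter by the client TLS certificate listed in the consenter set, and it is why the cluster port needs mutual TLS regardless of whether the signing CA is a root or an intermediate. The block below builds a root, an intermediate and two leaf certificates in memory (all names, including root-ca, intermediate-ca, orderer1 and orderer2, are constructed for the example) and runs three loopback handshakes: client auth off with the root+intermediate chain as trust store, client auth required with the same chain (the working configuration), and client auth required with only the root (the "certificate signed by unknown authority" case from the question, because a leaf issued by the intermediate cannot chain to a store that lacks the intermediate). The client uses GetClientCertificate so that it always offers its leaf; Go's default client would silently withhold a certificate whose issuer is not in the CA list the server advertises, which would hide the server-side verdict being demonstrated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// certPair is a parsed certificate plus the private key that goes with it.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}
// issue creates a certificate for cn signed by parent (self-signed when parent is nil);
// every name in this file is constructed for the example, none comes from the question.
func issue(cn string, isCA bool, parent *certPair) *certPair {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = &certPair{cert: tmpl, key: key} // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &certPair{cert: cert, key: key}
}
type Outcome struct {
	PeerCerts int    // client certificates the server received
	Err       string // server-side handshake error, empty on success
}
// handshake runs one TLS exchange over loopback TCP; clientAuth stands in for ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED
// and serverTrust for ORDERER_GENERAL_TLS_CLIENTROOTCAS. Each side presents only its leaf, like the question's server.crt.
func handshake(clientAuth tls.ClientAuthType, serverTrust, clientTrust *x509.CertPool, server, client *certPair) Outcome {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.cert.Raw}, PrivateKey: server.key}},
		ClientAuth:   clientAuth,
		ClientCAs:    serverTrust,
	})
	if err != nil {
		return Outcome{Err: err.Error()}
	}
	defer ln.Close()
	go func() { // client side; only the server's verdict is reported
		if c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
			ServerName: server.cert.Subject.CommonName,
			RootCAs:    clientTrust,
			// Offer the leaf whenever asked; Go's default client withholds a cert whose issuer is not in the CA list the server advertises.
			GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
				return &tls.Certificate{Certificate: [][]byte{client.cert.Raw}, PrivateKey: client.key}, nil
			},
		}); err == nil {
			c.Close()
		}
	}()
	conn, err := ln.Accept()
	if err != nil {
		return Outcome{Err: err.Error()}
	}
	defer conn.Close()
	if err := conn.(*tls.Conn).Handshake(); err != nil {
		return Outcome{Err: err.Error()}
	}
	return Outcome{PeerCerts: len(conn.(*tls.Conn).ConnectionState().PeerCertificates)}
}

// RunScenarios reproduces the three configurations discussed on the page.
func RunScenarios() map[string]Outcome {
	root := issue("root-ca", true, nil)
	inter := issue("intermediate-ca", true, root)
	orderer1 := issue("orderer1", false, inter) // server side of the cluster Step call
	orderer2 := issue("orderer2", false, inter) // client side
	chain, rootOnly := x509.NewCertPool(), x509.NewCertPool() // chain.crt (root + intermediate) and ca.crt alone
	chain.AddCert(root.cert)
	chain.AddCert(inter.cert)
	rootOnly.AddCert(root.cert)
	return map[string]Outcome{
		// CLIENTAUTHREQUIRED=false: the server never asks, so the client never sends.
		"clientauth-false-chain": handshake(tls.NoClientCert, chain, chain, orderer1, orderer2),
		// CLIENTAUTHREQUIRED=true with chain.crt: the leaf chains through the intermediate.
		"clientauth-true-chain": handshake(tls.RequireAndVerifyClientCert, chain, chain, orderer1, orderer2),
		// CLIENTAUTHREQUIRED=true with ca.crt alone: the leaf's issuer is unknown to the server.
		"clientauth-true-root-only": handshake(tls.RequireAndVerifyClientCert, rootOnly, chain, orderer1, orderer2),
	}
}
```

RunScenarios returns, per configuration, how many client certificates the server received and any server-side handshake error. The first case ends with no error and zero peer certificates, which is the silent failure mode the question's logs show; the second is the only one that both succeeds and gives the server a certificate to identify the caller with; the third fails with Go's x509 wording "certificate signed by unknown authority". The client trusts the root+intermediate chain in all three runs, so every failure shown is the server's.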

