TLS握手失败，并显示远程错误:tls:证书服务器错误=订购者 [英] TLS handshake failed with error remote error: tls: bad certificate server=Orderer

问题描述

我正在尝试在VM上手动设置超级账本结构.我已经生成了所有工件，并配置了orderer.yaml和core.yaml.我有在端口127.0.0.1:7050上运行的订购程序.当我尝试使用peer cli channel create命令创建频道时，在对等终端上收到一条context deadline exceeded消息.

I am trying to set up a hyperledger fabric on a VM manually. I have generated all the artifacts and configured the orderer.yaml and core.yaml. I have orderer running on port 127.0.0.1:7050. When I try to create channel using the peer cli channel create command I am getting a context deadline exceeded message on peer terminal.

./bin/peer channel create -o 127.0.0.1:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls --cafile /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem

错误:无法创建交付客户端:订购者客户端无法连接到127.0.0.1:7050:无法创建新连接:超出了上下文期限

Error: failed to create deliver client: orderer client failed to connect to 127.0.0.1:7050: failed to create new connection: context deadline exceeded

在订购者终端上，出现以下错误:

On the orderer terminal I am getting the following error:

2019-04-23 09:22:03.707 EDT [core.comm] ServerHandshake-> ERRO 01b TLS握手失败，并出现错误远程错误:tls:错误的证书server = Orderer remoteaddress = 127.0.0.1:38618

2019-04-23 09:22:03.707 EDT [core.comm] ServerHandshake -> ERRO 01b TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=127.0.0.1:38618

2019-04-23 09:22:04.699 EDT [core.comm] ServerHandshake-> ERRO 01c TLS握手失败，并显示错误远程错误:tls:错误的证书服务器=订购者remoteaddress = 127.0.0.1:38620

2019-04-23 09:22:04.699 EDT [core.comm] ServerHandshake -> ERRO 01c TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=127.0.0.1:38620

2019-04-23 09:22:06.187 EDT [core.comm] ServerHandshake-> ERRO 01d TLS握手失败，并显示错误远程错误:tls:证书错误服务器=订购者remoteaddress = 127.0.0.1:38622

2019-04-23 09:22:06.187 EDT [core.comm] ServerHandshake -> ERRO 01d TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=127.0.0.1:38622

我已经完成了几次配置，不确定是否丢失了某些内容.以下是我的orderer.yaml

I have gone through the configurations a few time, I am not sure if I am missing something. Following is my orderer.yaml

General:
  LedgerType: file
  ListenAddress: 127.0.0.1
  ListenPort: 7050

  TLS:
    Enabled: true
    PrivateKey: /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.key
    Certificate: /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
    RootCAs:
      - /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
    ClientAuthRequired: true

  Keepalive:
    ServerMinInterval: 60s
    ServerInterval: 7200s
    ServerTimeout: 20s

  GenesisMethod: file

  GenesisProfile: OneOrgOrdererGenesis

  GenesisFile: channel-artifacts/genesis.block

  LocalMSPDIR: /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp

  LocalMSPID: OrdererMSP

  Authentication:
    TimeWindow: 15m

FileLedger:
  Location: /var/hyperledger/production/orderer
  Prefix: hyperledger-fabric-ordererledger

推荐答案

问题是订购者使用的TLS服务器证书没有与"127.0.0.1"匹配的SAN.在使用cryptogen生成工件时，可以通过使用自定义 crypto-config.yaml 向TLS证书中添加"localhost"和/或"127.0.0.1":

The issue is that the TLS server certificate used by the orderer does not have a SAN matching "127.0.0.1". You can add "localhost" and/or "127.0.0.1" to you TLS certificates by using a custom crypto-config.yaml when generating your artifacts with cryptogen:

# ---------------------------------------------------------------------------
# "OrdererOrgs" - Definition of organizations managing orderer nodes
# ---------------------------------------------------------------------------
OrdererOrgs:
  # ---------------------------------------------------------------------------
  # Orderer
  # ---------------------------------------------------------------------------
  - Name: Orderer
    Domain: example.com
    EnableNodeOUs: false

    # ---------------------------------------------------------------------------
    # "Specs" - See PeerOrgs below for complete description
    # ---------------------------------------------------------------------------
    Specs:
      - Hostname: orderer
        SANS:
          - "localhost"
          - "127.0.0.1"

# ---------------------------------------------------------------------------
# "PeerOrgs" - Definition of organizations managing peer nodes
# ---------------------------------------------------------------------------
PeerOrgs:
  # ---------------------------------------------------------------------------
  # Org1
  # ---------------------------------------------------------------------------
  - Name: org1
    Domain: org1.example.com
    EnableNodeOUs: true
    Template:
      Count: 2
      SANS:
         - "localhost"
         - "127.0.0.1"
    Users:
      Count: 1

  - Name: org2
    Domain: org2.example.com
    EnableNodeOUs: false
    Template:
      Count: 2
      SANS:
         - "localhost"
         - "127.0.0.1"
    Users:
      Count: 1

这篇关于TLS握手失败，并显示远程错误:tls:证书服务器错误=订购者的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！