Hyperledger Fabric CA releasing wrong certificates (wrong issuer) to Node SDK when TLS enabled


Question

I want to scale my network from 1 to 3 orderers and by doing so I need to enable Raft, which requires TLS enabled. I did it and everything works correctly, orderers correctly elect leaders and followers, cli uses TLS to interact with the network, and so on and so forth. I also queried the chaincode with the cli. I have not enabled clientAuth because I am not interested in having mutual TLS; for me it is just fine to have 3 orderers talking to each other. I just want to make queries now, and I can do it from the cli, but it is not working from the Node SDK.

When I simply connect the SDK with:

gateway = new Gateway();
await gateway.connect(ccp, { wallet, identity: 'user1', discovery: { enabled: false }});
const network = await gateway.getNetwork(channelName);
contract = network.getContract('traceability');

What I get is:

Error: Failed to discover local peers ::Error: Failed to connect before the deadline URL:grpcs://localhost:7051

So I had a look inside peer1, which I am trying to connect to, and the error is:

2019-12-17 13:44:53.465 UTC [core.comm] ServerHandshake -> ERRO 0bd TLS handshake failed with error EOF server=PeerServer remoteaddress=172.23.0.1:36174

After several attempts, I could not solve it, but I found something very strange in the certificates, which makes me think that they are not generated correctly. If I inspect the certificates generated in my first network, I decode one and I get this:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Common Name: user1
Organization Unit: client
Valid From: July 19, 2019
Valid To: July 18, 2020
Issuer: ca.org1.example.com, org1.example.com

So, as you can see from here, everything seems fine with this certificate, and let me remind you that this is generated with the first network with TLS not enabled.

If I now inspect the certificate generated in my network with TLS, I get this:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Common Name: user1
Organization Unit: client
Valid From: December 17, 2019
Valid To: December 16, 2020
Issuer: example.com, Internet Widgets, Inc.

You will agree this looks strange. My ca has been contacted; in the logs it says enroll 200 OK for both admin and user, but it seems that the issuer is quite different, and it is not my ca. It is as if, with TLS enabled, the Node SDK is generating default certificates, so that I cannot contact my peers because I am not authenticated by TLS.

How can this be solved?

Solution

I'm a bit confused by some of the details here but if you are not running this as a test network on your local machine, then you will need to specify the connection option of discovery.asLocalhost as false, as it is set to true by default.

gateway = new Gateway();
await gateway.connect(ccp, { wallet, identity: 'user1', discovery: { enabled: false, asLocalhost: false }});
const network = await gateway.getNetwork(channelName);
contract = network.getContract('traceability');
