Hyperledger Fabric CA:x509:证书对 rca-ord 有效,对本地主机无效
Hyperledger Fabric CA: x509: certificate is valid for rca-ord, not localhost
我们已经在 docker-compose.yml
中使用以下设置启动了一个 fabric-ca-server 实例
version: '2'
networks:
test:
services:
myservice:
container_name: my-container
image: hyperledger/fabric-ca
command: /bin/bash -c "fabric-ca-server start -b admin:adminpw"
environment:
- FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_CSR_CN=rca-ord
- FABRIC_CA_SERVER_CSR_HOSTS=rca-ord
- FABRIC_CA_SERVER_DEBUG=true
volumes:
- ./scripts:/scripts
- ./data:/data
networks:
- test
ports:
- 7054:7054
但是当我们尝试使用以下命令针对此服务器注册用户时:
root@fd85cc416f52:/# fabric-ca-client enroll -u https://user:userpw@localhost:7054 --tls.certfiles $FABRIC_CA_SERVER_HOME/tls-cert.pem
我们得到以下错误:
2018/12/08 22:18:03 [INFO] TLS Enabled
2018/12/08 22:18:03 [INFO] generating key: &{A:ecdsa S:256}
2018/12/08 22:18:03 [INFO] encoded CSR
Error: POST failure of request: POST https://localhost:7054/enroll
{"hosts":["fd85cc416f52"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBQDCB6AIBADBcMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDTALBgNV\nBAMTBHVzZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATREdPvOeaWG9TzaEyk\nhFXRnJFJouDXShr0D1745bCt/0n3qjpqviZiApd1t62VrpMX0j8DBa6tkF7C+rEr\nRvwnoCowKAYJKoZIhvcNAQkOMRswGTAXBgNVHREEEDAOggxmZDg1Y2M0MTZmNTIw\nCgYIKoZIzj0EAwIDRwAwRAIgASXupobxJia/FFlLiwYzYpacvSA6RiIc/LR/kvdB\nT8ICIA1nJ2RfHrwMhOWocxMAIuLUsBvKS3S5DIwCHp0/gBpn\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post https://localhost:7054/enroll: x509: certificate is valid for rca-ord, not localhost
在服务器端我们可以看到发送请求时打印出如下信息:
my-container | 2018/12/08 22:18:03 http: TLS handshake error from 127.0.0.1:56518: remote error: tls: bad certificate
我们也尝试过:
root@fd85cc416f52:/# ls $FABRIC_CA_SERVER_HOME
IssuerPublicKey IssuerRevocationPublicKey ca-cert.pem fabric-ca-server-config.yaml fabric-ca-server.db msp tls-cert.pem
root@fd85cc416f52:/# fabric-ca-client enroll -u https://user:userpw@localhost:7054 --tls.certfiles $FABRIC_CA_SERVER_HOME/ca-cert.pem
结果相同
想知道是否有人可以帮助我们这里出了什么问题,我们该如何解决?谢谢
您已使用 FABRIC_CA_SERVER_CSR_HOSTS=rca-ord 在服务器上生成了 TLS 证书,但随后您在注册命令中指定的 URL 中将请求发送到 localhost。
要使其正常工作,您应该将环境变量更改为也包含 'localhost'。例如:FABRIC_CA_SERVER_CSR_HOSTS=rca-ord,localhost。
删除旧的 TLS 证书并生成一个新证书,它应该可以工作。
我们已经在 docker-compose.yml
中使用以下设置启动了一个 fabric-ca-server 实例version: '2'
networks:
test:
services:
myservice:
container_name: my-container
image: hyperledger/fabric-ca
command: /bin/bash -c "fabric-ca-server start -b admin:adminpw"
environment:
- FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_CSR_CN=rca-ord
- FABRIC_CA_SERVER_CSR_HOSTS=rca-ord
- FABRIC_CA_SERVER_DEBUG=true
volumes:
- ./scripts:/scripts
- ./data:/data
networks:
- test
ports:
- 7054:7054
但是当我们尝试使用以下命令针对此服务器注册用户时:
root@fd85cc416f52:/# fabric-ca-client enroll -u https://user:userpw@localhost:7054 --tls.certfiles $FABRIC_CA_SERVER_HOME/tls-cert.pem
我们得到以下错误:
2018/12/08 22:18:03 [INFO] TLS Enabled
2018/12/08 22:18:03 [INFO] generating key: &{A:ecdsa S:256}
2018/12/08 22:18:03 [INFO] encoded CSR
Error: POST failure of request: POST https://localhost:7054/enroll
{"hosts":["fd85cc416f52"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBQDCB6AIBADBcMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDTALBgNV\nBAMTBHVzZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATREdPvOeaWG9TzaEyk\nhFXRnJFJouDXShr0D1745bCt/0n3qjpqviZiApd1t62VrpMX0j8DBa6tkF7C+rEr\nRvwnoCowKAYJKoZIhvcNAQkOMRswGTAXBgNVHREEEDAOggxmZDg1Y2M0MTZmNTIw\nCgYIKoZIzj0EAwIDRwAwRAIgASXupobxJia/FFlLiwYzYpacvSA6RiIc/LR/kvdB\nT8ICIA1nJ2RfHrwMhOWocxMAIuLUsBvKS3S5DIwCHp0/gBpn\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post https://localhost:7054/enroll: x509: certificate is valid for rca-ord, not localhost
在服务器端我们可以看到发送请求时打印出如下信息:
my-container | 2018/12/08 22:18:03 http: TLS handshake error from 127.0.0.1:56518: remote error: tls: bad certificate
我们也尝试过:
root@fd85cc416f52:/# ls $FABRIC_CA_SERVER_HOME
IssuerPublicKey IssuerRevocationPublicKey ca-cert.pem fabric-ca-server-config.yaml fabric-ca-server.db msp tls-cert.pem
root@fd85cc416f52:/# fabric-ca-client enroll -u https://user:userpw@localhost:7054 --tls.certfiles $FABRIC_CA_SERVER_HOME/ca-cert.pem
结果相同
想知道是否有人可以帮助我们这里出了什么问题,我们该如何解决?谢谢
您已使用 FABRIC_CA_SERVER_CSR_HOSTS=rca-ord 在服务器上生成了 TLS 证书,但随后您在注册命令中指定的 URL 中将请求发送到 localhost。
要使其正常工作,您应该将环境变量更改为也包含 'localhost'。例如:FABRIC_CA_SERVER_CSR_HOSTS=rca-ord,localhost。
删除旧的 TLS 证书并生成一个新证书,它应该可以工作。