TLS handshake fails when raft mode is enabled
I have a running Hyperledger Fabric network with TLS enabled and Kafka consensus. Now I have been trying to move to Raft, and I always get this message in the orderers: TLS handshake failed with error tls: first record does not look like a TLS handshake server=Orderer remoteaddress=IP:PORT
As I said, TLS was working fine before the change.
Now I will show you what I have done related to Raft and the TLS connections. First, I modified the configtx.yaml file, specifically the part related to the ordering service.
configtx.yaml section:
Orderer: &OrdererDefaults
    OrdererType: etcdraft
    Addresses:
        - orderer0.org1:7050
        - orderer0.org2:7050
        - orderer0.org3:7050
    EtcdRaft:
        Consenters:
            - Host: orderer0.org1
              Port: 7050
              ClientTLSCert: /data/org1/orderers/orderer0/tls/client.crt
              ServerTLSCert: /data/org1/orderers/orderer0/tls/server.crt
            - Host: orderer0.org2
              Port: 7050
              ClientTLSCert: /data/org2/orderers/orderer0/tls/client.crt
              ServerTLSCert: /data/org2/orderers/orderer0/tls/server.crt
            - Host: orderer0.org3
              Port: 7050
              ClientTLSCert: /data/org3/orderers/orderer0/tls/client.crt
              ServerTLSCert: /data/org3/orderers/orderer0/tls/server.crt
    Organizations:
        - *org1
        - *org2
        - *org3
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"
    Capabilities:
        <<: *OrdererCapabilities
As you can see, the TLS client and server certificates of each organization's orderer are required, so I generate them in each orderer container and upload them to a MinIO server that I use for sharing.
# Enrol against the CA's TLS profile; the certificate and key are written under /tmp/tls.
# The copy from /tmp/tls to ${ORDERER_GENERAL_TLS_CLIENTCERT_FILE} is not shown here.
echo "[INFO] Generating Client TLS Key and Certificate..."
fabric-ca-client enroll -d --enrollment.profile tls -u ${ENROLLMENT_URL} -M /tmp/tls --csr.hosts ${ORDERER_HOST}
echo "[INFO] Uploading Client TLS Certificate to Minio"
python3 /scripts/minio_upload.py --url ${STORAGE_URL} --access-key ${STORAGE_ACCESS_KEY} --secret-key ${STORAGE_SECRET_KEY} --bucket-name ${ORG} --local-path ${ORDERER_GENERAL_TLS_CLIENTCERT_FILE} --remote-path orderers/${ORDERER_NAME}/tls/$(basename ${ORDERER_GENERAL_TLS_CLIENTCERT_FILE})
echo "[INFO] Client TLS Certificate uploaded"
# Second enrolment with the same profile and CSR hosts, used for the server certificate.
# The copy from /tmp/tls to ${ORDERER_GENERAL_TLS_CERTIFICATE} is not shown here.
echo "[INFO] Enrolling orderer..."
fabric-ca-client enroll -d --enrollment.profile tls -u ${ENROLLMENT_URL} -M /tmp/tls --csr.hosts ${ORDERER_HOST}
echo "[INFO] Uploading Server TLS Certificate to Minio"
python3 /scripts/minio_upload.py --url ${STORAGE_URL} --access-key ${STORAGE_ACCESS_KEY} --secret-key ${STORAGE_SECRET_KEY} --bucket-name ${ORG} --local-path ${ORDERER_GENERAL_TLS_CERTIFICATE} --remote-path orderers/${ORDERER_NAME}/tls/$(basename ${ORDERER_GENERAL_TLS_CERTIFICATE})
echo "[INFO] Server TLS Certificate uploaded"
After each orderer has generated and uploaded its certificates, I run a new container that I call genesis, in which I download configtx.yaml, all the orderer certificates (to the paths defined in configtx.yaml) and other things, and generate the genesis block, the channel tx and the anchor peer updates. After that, in each orderer I also download the certificates of all orderers (I do not know whether this is needed) to the same paths and, of course, copy the genesis block.
In all orderers I set ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED and ORDERER_GENERAL_TLS_ENABLED to true. For example, this is the TLS configuration of orderer0.org1:
env:
  - name: ORDERER_GENERAL_TLS_CERTIFICATE
    value: /etc/hyperledger/orderer/tls/server.crt
  - name: ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED
    value: "false"
  - name: ORDERER_GENERAL_TLS_CLIENTCERT_FILE # This is exposed for TLS connections
    value: /shared-storage/tls/orderer0/client.crt
  - name: ORDERER_GENERAL_TLS_CLIENTKEY_FILE # This is exposed for TLS connections
    value: /shared-storage/tls/orderer0/client.key
  - name: ORDERER_GENERAL_TLS_CLIENTROOTCAS # Has to be the same as FABRIC_CA_CLIENT_TLS_CERTFILES
    value: '[/shared-storage/org1/ca-chain.pem]'
  - name: ORDERER_GENERAL_TLS_ENABLED
    value: "true"
  - name: ORDERER_GENERAL_TLS_PRIVATEKEY
    value: /etc/hyperledger/orderer/tls/server.key
  - name: ORDERER_GENERAL_TLS_ROOTCAS # Has to be the same as FABRIC_CA_CLIENT_TLS_CERTFILES
    value: '[/shared-storage/org1/ca-chain.pem]'
What am I missing? Where is the problem? Thanks a lot.
The error message 'first record does not look like a TLS handshake' indicates that a 'client' is trying to open a plain (i.e. non-TLS) connection. Make sure that all connections are set to use TLS in the various 'clients' (i.e. the other orderers, the peers, client applications using the SDK, etc.).
EDIT:
You are missing these environment variables in the orderers:
- ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/shared-storage/tls/orderer0/client.crt
- ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/shared-storage/tls/orderer0/client.key
# I find it strange that you use the org1 CA in your conf, but I trust you...
- ORDERER_GENERAL_CLUSTER_ROOTCAS=[/shared-storage/org1/ca-chain.pem]
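The answer above names the three ORDERER_GENERAL_CLUSTER_* variables, but a Raft orderer also has to present, as its cluster client certificate, exactly the file that the channel config lists as that consenter's ClientTLSCert; a re-enrolled certificate that never made it into the genesis block is rejected by the other orderers. The script below is an added example (not Fabric code and not from the question or the answer) that cross-checks one orderer's environment against the EtcdRaft.Consenters list offline. The simulated files are constructed placeholders: their PEM bodies are arbitrary bytes, not real X.509 certificates, since only the SHA-256 fingerprint comparison (the same value `openssl x509 -fingerprint -sha256` prints for a real cert) matters here. The paths are the ones from the question; the host name and the "re-enrolled" file are assumptions for the demonstration.

```python
"""Cross-check a Raft orderer's TLS env vars against the channel's consenters."""
import base64
import hashlib
import re
from typing import Dict, List

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _placeholder_pem(seed: bytes) -> str:
    """PEM-shaped blob for the example; the body is NOT a real certificate."""
    der = hashlib.sha256(seed).digest() * 4          # 128 arbitrary bytes
    body = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# Simulated filesystem (constructed for this example): path -> contents.
FILES: Dict[str, str] = {
    "/data/org1/orderers/orderer0/tls/client.crt": _placeholder_pem(b"org1 enrol"),
    "/data/org2/orderers/orderer0/tls/client.crt": _placeholder_pem(b"org2 enrol"),
    "/data/org3/orderers/orderer0/tls/client.crt": _placeholder_pem(b"org3 enrol"),
    # What orderer0.org1 mounts: same bytes as the org1 consenter entry.
    "/shared-storage/tls/orderer0/client.crt": _placeholder_pem(b"org1 enrol"),
    # Assumed: a later enrolment that was never copied into the genesis inputs.
    "/shared-storage/tls/orderer0/client-reenrolled.crt": _placeholder_pem(b"org1 again"),
}

# EtcdRaft.Consenters as in the question's configtx.yaml.
CONSENTERS: List[Dict[str, object]] = [
    {"Host": "orderer0.org%d" % i, "Port": 7050,
     "ClientTLSCert": "/data/org%d/orderers/orderer0/tls/client.crt" % i}
    for i in (1, 2, 3)
]


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes inside the first CERTIFICATE block."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def check_orderer(host: str, env: Dict[str, str],
                  consenters: List[Dict[str, object]] = CONSENTERS,
                  files: Dict[str, str] = FILES) -> List[str]:
    """Return findings for one orderer; an empty list means it is consistent."""
    findings: List[str] = []
    # Raft replication runs over mutual TLS, so TLS cannot be switched off.
    if env.get("ORDERER_GENERAL_TLS_ENABLED", "false").lower() != "true":
        findings.append("ORDERER_GENERAL_TLS_ENABLED is not true")
    # The CLUSTER_* trio is what this orderer uses when dialling the others.
    for var in ("ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE",
                "ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY",
                "ORDERER_GENERAL_CLUSTER_ROOTCAS"):
        if not env.get(var):
            findings.append("%s is not set" % var)
    entry = next((c for c in consenters if c["Host"] == host), None)
    if entry is None:
        findings.append("%s is not listed under EtcdRaft.Consenters" % host)
        return findings
    # The presented client cert must match ClientTLSCert in the channel config.
    cert_path = env.get("ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE")
    if cert_path:
        local, expected = files.get(cert_path), files.get(str(entry["ClientTLSCert"]))
        if local is None:
            findings.append("cluster client cert %s is missing" % cert_path)
        elif expected is None:
            findings.append("consenter ClientTLSCert %s is missing" % entry["ClientTLSCert"])
        elif pem_fingerprint(local) != pem_fingerprint(expected):
            findings.append("cluster client cert fingerprint %s != consenter ClientTLSCert %s"
                            % (pem_fingerprint(local)[:16], pem_fingerprint(expected)[:16]))
    return findings


# The TLS variables from the question, without the CLUSTER_* ones.
ENV_AS_POSTED: Dict[str, str] = {
    "ORDERER_GENERAL_TLS_ENABLED": "true",
    "ORDERER_GENERAL_TLS_CERTIFICATE": "/etc/hyperledger/orderer/tls/server.crt",
    "ORDERER_GENERAL_TLS_PRIVATEKEY": "/etc/hyperledger/orderer/tls/server.key",
    "ORDERER_GENERAL_TLS_ROOTCAS": "[/shared-storage/org1/ca-chain.pem]",
}

# The same block with the three variables named in the answer.
ENV_FIXED: Dict[str, str] = dict(
    ENV_AS_POSTED,
    ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE="/shared-storage/tls/orderer0/client.crt",
    ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY="/shared-storage/tls/orderer0/client.key",
    ORDERER_GENERAL_CLUSTER_ROOTCAS="[/shared-storage/org1/ca-chain.pem]",
)

if __name__ == "__main__":
    for label, env in (("as posted", ENV_AS_POSTED), ("fixed", ENV_FIXED)):
        print(label, check_orderer("orderer0.org1", env) or ["OK"])
```

Run it and the "as posted" environment reports the three missing CLUSTER_* variables while "fixed" reports nothing; pointing ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE at the re-enrolled file instead produces a fingerprint mismatch. Against a real deployment, replace FILES with reads from disk and compare the same fingerprints with `openssl x509 -noout -fingerprint -sha256 -in <file>`. Note that this check says nothing about the first cause the answer mentions, a client that speaks plaintext to port 7050: for that, take the remoteaddress from the orderer log and confirm that particular peer or SDK client has TLS turned on.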