Fabric chaincode - Communicate with Vault


I need to communicate with a Vault instance from a chaincode in some way.

My problem is that I need to use (mutual) TLS on Vault, so for the chaincode to communicate with it, it needs proper certificates issued by the proper CA.

The peer where the chaincode is installed and the Vault instance both use the same root CA.

So, how can I get the proper certificates inside the chaincode and use them for the requests made to the Vault instance?

In case it helps somehow:

Logs from the chaincode container when I make the request:

2021-01-21T14:18:29.847Z error [c-api:_]                                          Unhandled Rejection reason RequestError: Error: unable to verify the first certificate promise Promise {
  <rejected> RequestError: Error: unable to verify the first certificate
      at new RequestError (/usr/local/src/node_modules/request-promise-core/lib/errors.js:14:15)
      at Request.plumbing.callback (/usr/local/src/node_modules/request-promise-core/lib/plumbing.js:87:29)
      at Request.RP$callback [as _callback] (/usr/local/src/node_modules/request-promise-core/lib/plumbing.js:46:31)
      at self.callback (/usr/local/src/node_modules/request/request.js:185:22)
      at Request.emit (events.js:311:20)
      at Request.onRequestError (/usr/local/src/node_modules/request/request.js:881:8)
      at ClientRequest.emit (events.js:311:20)
      at TLSSocket.socketErrorListener (_http_client.js:426:9)
      at TLSSocket.emit (events.js:311:20)
      at emitErrorNT (internal/streams/destroy.js:92:8) {
    name: 'RequestError',
    message: 'Error: unable to verify the first certificate',
    cause: Error: unable to verify the first certificate
        at TLSSocket.onConnectSecure (_tls_wrap.js:1473:34)
        at TLSSocket.emit (events.js:311:20)
        at TLSSocket._finishInit (_tls_wrap.js:916:8)
        at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:686:12) {
      code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
    },
    error: Error: unable to verify the first certificate
        at TLSSocket.onConnectSecure (_tls_wrap.js:1473:34)
        at TLSSocket.emit (events.js:311:20)
        at TLSSocket._finishInit (_tls_wrap.js:916:8)
        at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:686:12) {
      code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
    },
    options: {
      json: [Object],
      resolveWithFullResponse: true,
      simple: false,
      strictSSL: true,
      method: 'PUT',
      path: '/sys/unseal',
      headers: [Object],
      uri: 'https://vaultinstance.com:8200/v1/sys/unseal',
      callback: [Function: RP$callback],
      transform: undefined,
      transform2xxOnly: false
    },
    response: undefined
  }
}  

Logs from Vault when the request is made:

2021-01-21T14:20:59.784Z [INFO]  http: TLS handshake error from 192.168.224.1:51074: remote error: tls: unknown certificate

There is no way to provide secret configuration information to chaincode at install time, so unless you include the certificates in the chaincode package, which is probably a bad idea, I think your chaincode will need an initialization transaction that sends it the certificates it needs, using transient data.

The chaincode lifecycle documentation describes how to require an initialization transaction.

If you are using the Fabric peer CLI, you can use the --init-required flag when you approve and commit the chaincode definition to indicate that the Init function must be called to initialize the new chaincode version. To call Init using the Fabric peer CLI, use the peer chaincode invoke command and pass the --isInit flag.

The private data documentation describes how to protect the TLS certificates when the chaincode is initialized.

Alternatively, if you don't want to use an init transaction or store the TLS certificates on the ledger / in a private data collection, you can use transient data to provide the TLS certificates on every transaction that needs to communicate with Vault, and leave certificate management to the client.