启用筏模式时，TLS握手失败。

Question

我有一个运行的Hyperledger网络，启用了TLS和Kafka的共识。现在，我一直试图转移到筏子，我总是收到这样的信息在订货人：TLS handshake failed with error tls: first record does not look like a TLS handshake server=Orderer remoteaddress=ÌP:PORT。就像我说过的，TLS在变化之前非常有效。

现在，我将向你们展示我所做的与RAFT和TLS连接相关的事情。首先，我修改了configtx.yaml文件，这正是与订购服务相关的部分。

部门configtx.yaml

Orderer: &OrdererDefaults
  OrdererType: etcdraft
  Addresses:
  - orderer0.org1:7050
  - orderer0.org2:7050
  - orderer0.org3:7050
  EtcdRaft:
    Consenters:
    - Host: orderer0.org1
      Port: 7050
      ClientTLSCert: /data/org1/orderers/orderer0/tls/client.crt
      ServerTLSCert: /data/org1/orderers/orderer0/tls/server.crt
    - Host: orderer0.org2
      Port: 7050
      ClientTLSCert: /data/org2/orderers/orderer0/tls/client.crt
      ServerTLSCert: /data/org2/orderers/orderer0/tls/server.crt
    - Host: orderer0.org3
      Port: 7050
      ClientTLSCert: /data/org3/orderers/orderer0/tls/client.crt
      ServerTLSCert: /data/org3/orderers/orderer0/tls/server.crt
  Organizations:
  - *org1
  - *org2
  - *org3
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
    BlockValidation:
      Type: ImplicitMeta
      Rule: "ANY Writers"
  Capabilities:
    <<: *OrdererCapabilities

可以看到，每个组织订购者都需要TLS客户端和服务器证书，因此我在每个orderer容器中生成它们，并将它们上传到用于共享的MinIO服务器。

echo "[INFO] Generating Client TLS Key and Certificate..."
fabric-ca-client enroll -d --enrollment.profile tls -u ${ENROLLMENT_URL} -M /tmp/tls --csr.hosts ${ORDERER_HOST}

echo "[INFO] Uploading Client TLS Certificate to Minio"
python3 /scripts/minio_upload.py --url ${STORAGE_URL} --access-key ${STORAGE_ACCESS_KEY} --secret-key ${STORAGE_SECRET_KEY} --bucket-name ${ORG} --local-path ${ORDERER_GENERAL_TLS_CLIENTCERT_FILE} --remote-path orderers/${ORDERER_NAME}/tls/$(basename ${ORDERER_GENERAL_TLS_CLIENTCERT_FILE})
echo "[INFO] Client TLS Certificate uploaded"

echo "[INFO] Enrolling orderer..."
fabric-ca-client enroll -d --enrollment.profile tls -u ${ENROLLMENT_URL} -M /tmp/tls --csr.hosts ${ORDERER_HOST}

echo "[INFO] Uploading Server TLS Certificate to Minio"
python3 /scripts/minio_upload.py --url ${STORAGE_URL} --access-key ${STORAGE_ACCESS_KEY} --secret-key ${STORAGE_SECRET_KEY} --bucket-name ${ORG} --local-path ${ORDERER_GENERAL_TLS_CERTIFICATE} --remote-path orderers/${ORDERER_NAME}/tls/$(basename ${ORDERER_GENERAL_TLS_CERTIFICATE})
echo "[INFO] Server TLS Certificate uploaded"

一旦每个订购者生成并上传了它的证书，我就运行一个新容器，我称之为genesis，在这里我下载configtx.yaml、所有订购者证书(到configtx.yaml中定义的路径)和其他东西来生成成因块、通道tx和锚点更新。在此之后，在每个订购者中，我还会将所有的orderers证书(不知道是否需要此证书)下载到相同的路径中，当然，我还会复制成因块。

在所有订购者中，我已设置为true、ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED和ORDERER_GENERAL_TLS_ENABLED。作为一个实例，这是orderer0.org1的TLS配置。

env:
- name: ORDERER_GENERAL_TLS_CERTIFICATE
  value: /etc/hyperledger/orderer/tls/server.crt
- name: ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED
  value: "false"
- name: ORDERER_GENERAL_TLS_CLIENTCERT_FILE  # This is exposed for TLS connections
  value: /shared-storage/tls/orderer0/client.crt
- name: ORDERER_GENERAL_TLS_CLIENTKEY_FILE  # This is exposed for TLS connections
  value: /shared-storage/tls/orderer0/client.key
- name: ORDERER_GENERAL_TLS_CLIENTROOTCAS  # Has to be the same that FABRIC_CA_CLIENT_TLS_CERTFILES
  value: '[/shared-storage/org1/ca-chain.pem]'
- name: ORDERER_GENERAL_TLS_ENABLED
  value: "true"
- name: ORDERER_GENERAL_TLS_PRIVATEKEY
  value: /etc/hyperledger/orderer/tls/server.key
- name: ORDERER_GENERAL_TLS_ROOTCAS  # Has to be the same that FABRIC_CA_CLIENT_TLS_CERTFILES
  value: '[/shared-storage/org1/ca-chain.pem]'

我遗漏了什么？问题出在哪里？非常感谢。

Answer 1

编辑的

您缺少了这些环境变量，用于订购者：

      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/shared-storage/tls/orderer0/client.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/shared-storage/tls/orderer0/client.key
      # I find strange you use org1 CA in your conf, but I trust you...
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/shared-storage/org1/ca-chain.pem]

Answer 2

错误消息“第一条记录看起来不像TLS握手”表示您有一个“客户端”试图打开一个普通(即非TLS)连接。确保将所有连接设置为在所有类型的“客户端”中使用TLS (即其他订货员、对等方、使用sdk的客户端应用程序等)。