Hyperledger Fabric Node SDK 注册用户时报错 [错误:无法验证第一个证书]



我使用以下代码通过 Fabric Node SDK 注册用户,但出了问题。我已经在 connection.json 中传入了所有证书,仍然遇到这个错误。请问有人能给我建议吗?如何在 Fabric Node SDK 中使用 TLS?

[错误:无法验证第一个证书]

connection.json

{
"name": "org-example",
"version": "1.0.0",
"client": {
"organization": "Org1",
"connection": {
"timeout": {
"peer": {
"endorser": "300"
},
"orderer": "300"
}
}
},
"channels": {
"channelall": {
"orderers": [
"orderer.example.com"
],
"peers": {
"peer0.org1.example.com": {
"endorsingPeer": true,
"chaincodeQuery": true,
"ledgerQuery": true,
"eventSource": true
},
}
},
"organizations": {
"Org1": {
"mspid": "Org1MSP",
"peers": [
"peer0.org1.example.com",
"peer1.org1.example.com"
],
"certificateAuthorities": [
"ca.example.com"
],
"adminPrivateKey": {
"path": "/fabric-example/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/{adminkey}"
},
"signedCert": {
"path": "/fabric-example/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/signcerts/Admin@org1.example.com-cert.pem"
}
},
"Org2": {
"mspid": "Org2MSP",
"peers": [
"peer0.org2.example.com",
"peer1.org2.example.com"
],
"certificateAuthorities": [
"ca1.example.com"
],
"adminPrivateKey": {
"path": "/fabric-example/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/{adminkey}"
},
"signedCert": {
"path": "/fabric-example/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/signcerts/Admin@org2.example.com-cert.pem"
}
},

},
"orderers": {
"orderer.example.com": {
"url": "grpc://127.0.0.1:7050",
"grpcOptions": {
"ssl-target-name-override": "orderer.example.com"
},
"tlsCACerts": {
"path":"fabric-example/crypto-config/ordererOrganizations/example.com/tlsca/tlsca.org1.example.com-cert.pem"
}
}
},
"peers": {
"peer0.org1.example.com": {
"url": "grpcs://127.0.0.1:7051",
"grpcOptions": {
"ssl-target-name-override": "peer0.org1.example.com"
},
"tlsCACerts": {
"path": "/fabric-example/crypto-config/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem"
}
},
"peer0.org2.example.com": {
"url": "grpcs://127.0.0.1:8051",
"grpcOptions": {
"ssl-target-name-override": "peer0.org2.example.com"
},
"tlsCACerts": {
"path": "/fabric-example/crypto-config/peerOrganizations/org2.example.com/tlsca/tlsca.org2.example.com-cert.pem"
}
}
},
"certificateAuthorities": {
"ca.example.com": {
"url": "https://127.0.0.1:7054",
"tlsCACerts": {
"path": "/fabric-example/crypto-config/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem"
},
"caName": "ca.example.com"
},
"ca2.example.com": {
"url": "https://127.0.0.1:8054",
"caName": "ca1.example.com",
"tlsCACerts": {
"path": "/fabric-example/crypto-config/peerOrganizations/org2.example.com/tlsca/tlsca.org2.example.com-cert.pem"
}
}
}
}

注册用户

'use strict';

const { FileSystemWallet, Gateway, X509WalletMixin } = require('fabric-network');
const fs = require('fs');
const path = require('path');

// The connection profile (connection.json) sits one directory above this script.
const ccpPath = path.resolve(__dirname, '..', 'connection.json');

// Read and parse the profile once at module load. RegisterUser below hands
// gateway.connect() the *path*, so `ccp` / `ccpJSON` are not used by it here.
const ccpJSON = fs.readFileSync(ccpPath, { encoding: 'utf8' });
const ccp = JSON.parse(ccpJSON);
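/**
 * Register a new user with the organization's CA, signing the request as the
 * already-enrolled `admin` identity held in the local file-system wallet.
 *
 * Only the *registration* step is performed: the CA answers with an enrollment
 * secret that the user must later present to `ca.enroll()` to obtain a
 * certificate. The original version discarded that secret (the `secret`
 * constant was never used), which left the registered user unenrollable; it is
 * now returned to the caller. The gateway is also disconnected on every path
 * so gRPC connections are not left open.
 *
 * NOTE(review): the TLS trust root used for the CA request comes from the
 * connection profile's `certificateAuthorities[...].tlsCACerts` entry, not
 * from anything in this function. An "unable to verify the first certificate"
 * error raised by `ca.register()` indicates that file did not issue the
 * certificate the CA server actually presents — compare the two before
 * changing this code.
 *
 * @param {string} user - Enrollment ID of the user to register.
 * @param {string} password - Enrollment secret to assign to the new user.
 * @param {string} roletype - CA role for the new identity.
 * @param {string} affiliation - CA affiliation the identity belongs to.
 * @returns {Promise<string|undefined>} The enrollment secret on success;
 *   `undefined` when the user already exists in the wallet or no `admin`
 *   identity is available.
 *
 * Side effects: logs progress to the console and, as in the original script,
 * terminates the process with exit code 1 on any failure.
 */
async function RegisterUser(user, password, roletype, affiliation) {
  try {
    // Wallet of enrolled identities, kept under the current working directory.
    const walletPath = path.join(process.cwd(), 'wallet');
    const wallet = new FileSystemWallet(walletPath);
    console.log(`Wallet path: ${walletPath}`);

    // Nothing to do if the user already has an identity locally.
    if (await wallet.exists(user)) {
      console.log('An identity for the user  already exists in the wallet');
      return;
    }

    // Registration must be signed by an enrolled registrar (`admin`).
    if (!(await wallet.exists('admin'))) {
      console.log('An identity for the admin user "admin" does not exist in the wallet');
      console.log('Run the enrollAdmin.js application before retrying');
      return;
    }

    return await registerWithGateway(wallet, user, password, roletype, affiliation);
  } catch (error) {
    console.error(`Failed to register user : ${error}`);
    process.exit(1);
  }
}

// Connect to the network as `admin`, ask its CA to register `user`, and
// release the gateway's connections whether or not the request succeeds.
async function registerWithGateway(wallet, user, password, roletype, affiliation) {
  const gateway = new Gateway();
  try {
    await gateway.connect(ccpPath, { wallet, identity: 'admin', discovery: { enabled: false } });
    // CA client and registrar identity both derive from the connection profile.
    const ca = gateway.getClient().getCertificateAuthority();
    const adminIdentity = gateway.getCurrentIdentity();
    return await ca.register(
      { enrollmentID: user, enrollmentSecret: password, role: roletype, affiliation },
      adminIdentity,
    );
  } finally {
    // The original never disconnected; do it even when register() throws.
    gateway.disconnect();
  }
}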

您使用 CA 向排序节点(orderer)、对等节点(peer)和用户签发 MSP 和 TLS 证书。CA 通常不会签发它自己的 TLS 证书(因为它最初需要在没有 TLS 的情况下启动)。

我觉得非常奇怪的是,您对 CA 和节点使用了相同的 tlsCACerts。你确定你的 CA 使用的是那些 tlsCACerts 吗?CA 的 TLS 通常使用自签名证书(或来自第三方公认权威机构的证书)。

你总是可以检查一下:

# Show the certificate chain the CA's TLS listener actually presents.
openssl s_client -connect 127.0.0.1:7054 -showcerts

# Decode the TLS CA certificate that the connection profile trusts for the CA.
openssl x509 -in /fabric-example/crypto-config/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem -noout -text

并检查第一条命令(SSL 握手)中返回的证书是否就是第二条命令输出的证书(或者由它签名)。

您还可以查看CA的日志。


编辑:

执行:

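# `echo |` closes s_client's stdin so it exits right after the handshake; without
# -showcerts only the certificate the server presents first is printed, and sed
# keeps just that PEM block.
echo | openssl s_client -connect 127.0.0.1:7054 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca1.pem
# openssl sub-command names are case-sensitive: `X509` is not accepted, `x509` is.
openssl x509 -text -noout -in ca1.pem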

并复制结果。

还请复制以下命令的结果:

# Decode the trusted TLS CA certificate so it can be compared with ca1.pem.
openssl x509 -in /fabric-example/crypto-config/peerOrganizations/org1.example.com/tlsca/tlsca.org1.example.com-cert.pem -noout -text

这样我们就可以比较您的 CA 实际使用的 TLS 证书和您所信任的证书。
