Why do I get a TLS handshake error when I try to connect from the Hyperledger Fabric Java SDK to a blockchain running in docker swarm?



I have deployed a simple example Fabric network using docker swarm (2 orgs, 2 peers, 2 CAs and 1 orderer) (tested, it works fine). I used a dedicated network to connect every entity to each other, like this:

networks:
  bymn:
    external:
      name: fabric
[.  .  .]
    networks:
      bymn:
        aliases:
          - peer1.org2.example.com

I am trying to connect to the blockchain (channel) with this Java code:

Path networkConfigPath = Paths.get("./networkConfig.json");
Gateway.Builder builder = Gateway.createBuilder();
builder.identity(wallet, "appUser").networkConfig(networkConfigPath).discovery(true);
// create a gateway connection
try (Gateway gateway = builder.connect()) {
    // get the network and contract
    Network network = gateway.getNetwork("channel");
    System.out.println("Sucsesfully created connection with blockchain with channelName: channel");
    ...

appUser is created correctly without any errors, using these two classes from the fabric-samples GitHub repository: EnrollAdmin.java and RegisterUser.java.

Contents of networkConfig.json:

{
  "name" : "umu.fabric",
  "description" : "Connection profile for umu 2orgs-fabric-blockchain test",
  "version" : "1.0.0",
  "client" : {
    "organization" : "Org1",
    "connection" : {
      "timeout" : {
        "peer" : {
          "endorser" : 3000
        },
        "orderer" : 3000
      }
    }
  },
  "channels" : {
    "channel" : {
      "orderers" : [ "orderer.example.com" ],
      "peers" : {
        "peer1.org1.example.com" : {
          "endorsingPeer" : true,
          "chaincodeQuery" : true,
          "ledgerQuery" : true,
          "eventSource" : true
        },
        "peer0.org1.example.com" : {
          "endorsingPeer" : true,
          "chaincodeQuery" : true,
          "ledgerQuery" : true,
          "eventSource" : true
        }
      }
    }
  },
  "organizations" : {
    "Org1" : {
      "mspid" : "Org1MSP",
      "peers" : [ "peer0.org1.example.com", "peer1.org1.example.com" ],
      "certificateAuthorities" : [ "ca.org1.example.com" ]
    },
    "Org2" : {
      "mspid" : "Org2MSP",
      "peers" : [ "peer0.org2.example.com", "peer1.org2.example.com" ],
      "certificateAuthorities" : [ "ca.org2.example.com" ]
    }
  },
  "orderers" : {
    "orderer.example.com" : {
      "url" : "grpcs://orderer.example.com:7050"
    }
  },
  "peers" : {
    "peer0.org1.example.com" : {
      "url" : "grpcs://peer0.org1.example.com:7051"
    },
    "peer1.org1.example.com" : {
      "url" : "grpcs://peer1.org1.example.com:7051"
    },
    "peer0.org2.example.com" : {
      "url" : "grpcs://peer0.org2.example.com:7051"
    },
    "peer1.org2.example.com" : {
      "url" : "grpcs://peer1.org2.example.com:7051"
    }
  },
  "certificateAuthorities" : {
    "ca.org2.example.com" : {
      "url" : "https://ca.org2.example.com:7054"
    },
    "ca.org1.example.com" : {
      "url" : "https://ca.org1.example.com:7054",
      "httpOptions" : {
        "verify" : false
      },
      "registrar" : [ {
        "enrollId" : "admin",
        "enrollSecret" : "adminpw"
      } ]
    }
  }
}

(Sorry for pasting the whole file, but I am really lost right now.)

I get the following error in the peer logs:

TLS handshake failed with error remote error: tls: internal error server=PeerServer remoteaddress=X.X.X.X

And this is what I get from Java:

2020-07-14T13:25:31.124894206Z Successfully enrolled user "admin" and imported it into the wallet
2020-07-14T13:25:31.414993872Z Successfully enrolled user "appUser" and imported it into the wallet
2020-07-14T13:25:32.446634370Z 13:25:32.430 [main] ERROR org.hyperledger.fabric.sdk.Channel - Channel Channel{id: 1, name: channel} Sending proposal with transaction: 3919e41a6303faf9d59a5c78d70364ef8df1a458f52cf8cd7659c7c19a2dec3c to Peer{ id: 4, name: peer0.org1.example.com, channelName: channel, url: grpcs://peer0.org1.example.com:7051, mspid: Org1MSP} failed because of: gRPC failure=Status{code=UNAVAILABLE, description=io exception
2020-07-14T13:25:32.446672215Z Channel Pipeline: [SslHandler#0, ProtocolNegotiators$ClientTlsHandler#0, WriteBufferingAndExceptionHandler#0, DefaultChannelPipeline$TailContext#0], cause=javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
2020-07-14T13:25:32.446679901Z  at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.handshakeException(ReferenceCountedOpenSslEngine.java:1735)
2020-07-14T13:25:32.446686221Z  at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.wrap(ReferenceCountedOpenSslEngine.java:775)
2020-07-14T13:25:32.446692373Z  at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:509)
[...........]
2020-07-14T13:25:32.494862402Z Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2020-07-14T13:25:32.494868350Z  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
2020-07-14T13:25:32.494873876Z  at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
2020-07-14T13:25:32.494879383Z  at sun.security.validator.Validator.validate(Validator.java:260)
2020-07-14T13:25:32.494884872Z  at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
2020-07-14T13:25:32.494890328Z  at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
2020-07-14T13:25:32.494895764Z  at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
2020-07-14T13:25:32.494901281Z  at io.netty.handler.ssl.OpenSslTlsv13X509ExtendedTrustManager.checkServerTrusted(OpenSslTlsv13X509ExtendedTrustManager.java:223)
2020-07-14T13:25:32.494906971Z  at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:255)
2020-07-14T13:25:32.494912650Z  at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:701)
2020-07-14T13:25:32.494918288Z  at io.netty.internal.tcnative.SSL.readFromSSL(Native Method)
2020-07-14T13:25:32.494927598Z  at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:594)
2020-07-14T13:25:32.494933532Z  at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1179)
2020-07-14T13:25:32.494939139Z  at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1296)
2020-07-14T13:25:32.494944788Z  at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1339)
2020-07-14T13:25:32.494950326Z  at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:206)
2020-07-14T13:25:32.494955832Z  at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1372)
2020-07-14T13:25:32.494961250Z  ... 21 more
2020-07-14T13:25:32.494966697Z Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2020-07-14T13:25:32.494972350Z  at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
2020-07-14T13:25:32.494977910Z  at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
2020-07-14T13:25:32.494983467Z  at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
2020-07-14T13:25:32.495008727Z  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
2020-07-14T13:25:32.495014147Z  ... 36 more
2020-07-14T13:25:32.495019299Z }
2020-07-14T13:25:32.495024348Z  at org.hyperledger.fabric.sdk.Channel.getConfigBlock(Channel.java:952) ~[jar.jar:?]
2020-07-14T13:25:32.495045286Z  at org.hyperledger.fabric.sdk.Channel.getConfigBlock(Channel.java:907) ~[jar.jar:?]
2020-07-14T13:25:32.495050298Z  at org.hyperledger.fabric.sdk.Channel.parseConfigBlock(Channel.java:1994) [jar.jar:?]
2020-07-14T13:25:32.495070605Z  at org.hyperledger.fabric.sdk.Channel.loadCACertificates(Channel.java:1831) [jar.jar:?]
2020-07-14T13:25:32.495075445Z  at org.hyperledger.fabric.sdk.Channel.initialize(Channel.java:1222) [jar.jar:?]
2020-07-14T13:25:32.495080259Z  at org.hyperledger.fabric.gateway.impl.NetworkImpl.initializeChannel(NetworkImpl.java:59) [jar.jar:?]
2020-07-14T13:25:32.495100248Z  at org.hyperledger.fabric.gateway.impl.NetworkImpl.<init>(NetworkImpl.java:50) [jar.jar:?]
2020-07-14T13:25:32.495105836Z  at org.hyperledger.fabric.gateway.impl.GatewayImpl.getNetwork(GatewayImpl.java:252) [jar.jar:?]
2020-07-14T13:25:32.495110888Z  at org.umu.controllers.BlockchainController.runApp(BlockchainController.java:50) [jar.jar:?]
2020-07-14T13:25:32.495115947Z  at org.umu.controllers.BlockchainController.main(BlockchainController.java:35) [jar.jar:?]
2020-07-14T13:25:32.630988706Z Sucsesfully created connection with blockchain with channelName: channel

Attempted solution: I have seen in several answers the approach of adding SANS to the peers, so I did it like this:

PeerOrgs:
  - Name: Org1
    [.............]
    Specs:
      - Hostname: peer0
        CommonName: peer0.org1.example.com # overrides Hostname-based FQDN set above
        SANS:
          - "peer0.org1.example.com"
          - "peer0"
[.............]

And verified it with the openssl command:

openssl x509 -in crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt -text -noout
[.....]
X509v3 Subject Alternative Name: 
DNS:peer0.org1.example.com, DNS:peer0, DNS:peer0.org1.example.com, DNS:peer0, DNS:localhost, DNS:peer0.org1.example.com, DNS:peer0, DNS:peer0.org1.example.com, DNS:peer0, DNS:localhost, DNS:peer0.org1.example.com, DNS:peer0, DNS:peer0.org1.example.com, DNS:peer0, DNS:localhost, DNS:peer0.org1.example.com, DNS:peer0, DNS:peer0.org1.example.com, DNS:peer0, DNS:localhost, DNS:peer0.org1.example.com, DNS:peer0, DNS:peer0.org1.example.com, DNS:peer0, DNS:localhost
Signature Algorithm: ecdsa-with-SHA256
[.....]

I don't know what else to do.

Well, I ran into the same problem as in this thread.

I needed to add the certificate files (.pem or .crt files) to the JVM truststore:

sudo keytool -import -file crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt -alias peer0.org1.example.com -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -storepass changeit
sudo keytool -import -file crypto-config/peerOrganizations/org1.example.com/peers/peer1.org1.example.com/tls/server.crt -alias peer1.org1.example.com -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -storepass changeit
sudo keytool -import -file crypto-config/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tls/server.crt -alias peer1.org2.example.com -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -storepass changeit
sudo keytool -import -file crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.crt -alias peer0.org2.example.com -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -storepass changeit
sudo keytool -import -file crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt  -alias orderer.example.com -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -storepass changeit
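A less invasive alternative to importing every peer's server.crt into the JDK-wide cacerts file is to give the connection profile itself a trust anchor per endpoint: the profile above has no tlsCACerts entries, so fabric-sdk-java falls back to the JVM default trust store (the sun.security PKIXValidator in the stack trace), whereas a tlsCACerts entry scopes trust to the application and to the organization's TLS CA rather than to individual leaf certificates. The helper below is an added example, not code from the question or the answer; it assumes the cryptogen directory layout (tlsca/tlsca.<domain>-cert.pem under peerOrganizations or ordererOrganizations) and the standard tlsCACerts and grpcOptions keys of the connection-profile format.

```python
import json
from copy import deepcopy

# Constructed subset of the question's networkConfig.json: the original has no
# tlsCACerts at all, which is why the SDK consulted the JVM cacerts file.
PROFILE = {
    "orderers": {"orderer.example.com": {"url": "grpcs://orderer.example.com:7050"}},
    "peers": {
        "peer0.org1.example.com": {"url": "grpcs://peer0.org1.example.com:7051"},
        "peer1.org2.example.com": {"url": "grpcs://peer1.org2.example.com:7051"},
    },
}


def tls_ca_path(crypto_root, hostname, kind):
    """Path of the org TLS CA certificate, assuming a cryptogen-style tree."""
    domain = hostname.split(".", 1)[1]  # peer0.org1.example.com -> org1.example.com
    org_dir = "peerOrganizations" if kind == "peers" else "ordererOrganizations"
    return f"{crypto_root}/{org_dir}/{domain}/tlsca/tlsca.{domain}-cert.pem"


def pin_tls_cas(profile, crypto_root="crypto-config"):
    """Return a copy of the profile with an explicit trust anchor per grpcs endpoint.

    tlsCACerts.path tells the SDK which CA to trust for that endpoint, and
    ssl-target-name-override makes hostname verification use the cryptogen name
    (which is in the certificate's SAN) even if the swarm alias resolves elsewhere.
    """
    out = deepcopy(profile)
    for kind in ("peers", "orderers"):
        for host, node in out.get(kind, {}).items():
            if not node.get("url", "").startswith("grpcs://"):
                continue  # plaintext endpoint, nothing to pin
            node["tlsCACerts"] = {"path": tls_ca_path(crypto_root, host, kind)}
            node.setdefault("grpcOptions", {})["ssl-target-name-override"] = host
    return out


if __name__ == "__main__":
    print(json.dumps(pin_tls_cas(PROFILE), indent=2))
```

The printed fragment is what the peers and orderers sections of networkConfig.json should look like; the keytool imports above then become unnecessary and the JDK installation stays untouched.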
