How to enable and use TLS in a Fabric network

Copyright notice: this is an original article by the blogger; please credit the source when reposting: https://blog.csdn.net/ASN_forever/article/details/89245968

To enable TLS, set the tls property of the orderer, peer, cli and ca containers to true and point them at the certificate and key files. For the peer (and the cli container, which reuses the peer's settings) these are the properties below; the orderer and CA containers have their own equivalents (for the orderer, the ORDERER_GENERAL_TLS_* family). Note that the root certificate must be the TLS CA that issued the server certificate, which is what xxx/tls/ca.crt holds in cryptogen-generated material, not the MSP signing CA:

- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=xxx/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=xxx/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=xxx/tls/ca.crt

Then start the containers and enter the cli. Note that once TLS is on, the command for creating a channel differs from the one used without TLS. Without TLS, the channel is created with:

peer channel create -o orderer.scf.com:7050 -c mychannel -t 50 -f ./channel-artifacts/mychannel.tx

With TLS on, the channel-create command must add the --tls flag together with the path to the ordering service's TLS CA certificate:

peer channel create -o orderer.scf.com:7050 -c mychannel -t 50 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/scf.com/orderers/orderer.scf.com/msp/tlscacerts/tlsca.scf.com-cert.pem -f ./channel-artifacts/mychannel.tx

If you keep using the non-TLS command to create the channel, the cli reports the error below: the client sends plaintext gRPC to a listener that expects a TLS handshake, so the orderer closes the connection and the client only sees an unexpected EOF / connection reset:

2019-04-11 17:31:48.661 UTC [grpc] Printf -> DEBU 010 transport: http2Client.notifyError got notified that the client transport was broken unexpected EOF.
2019-04-11 17:31:48.667 UTC [grpc] Printf -> DEBU 011 transport: http2Client.notifyError got notified that the client transport was broken unexpected EOF.
2019-04-11 17:31:48.668 UTC [grpc] Printf -> DEBU 012 transport: http2Client.notifyError got notified that the client transport was broken read tcp 172.18.0.10:59602->172.18.0.2:7050: read: connection reset by peer.
Error: rpc error: code = Unavailable desc = transport is closing

and the orderer's log shows the actual cause:

orderer.scf.com    | 2019-04-11 17:31:48.654 UTC [grpc] Printf -> DEBU 3da grpc: Server.Serve failed to complete security handshake from "172.18.0.10:59598": tls: first record does not look like a TLS handshake

The subsequent commands for joining the peer to the channel, installing chaincode and running query are the same as without TLS, because they only talk to the local peer, whose TLS settings come from the CORE_PEER_TLS_* variables above. Instantiating chaincode and calling invoke, however, must carry the same tls parameters as the channel-create command; otherwise they fail with the same error.

In other words, once TLS is on, every command that communicates with the orderer needs the --tls and --cafile parameters, where cafile is the orderer's TLS CA certificate (the tlsca.*-cert.pem under the orderer organization's msp/tlscacerts, as in the path above), not a peer certificate or the MSP signing CA. A simple rule for telling the two cases apart: channel join, chaincode install and chaincode query go to the peer only; channel create, update and fetch, and chaincode instantiate, upgrade and invoke, go to the orderer.
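The rule above can be turned into a small wrapper around the peer CLI. The script below is an added example written for this article; it is not code from the original post or from Hyperledger Fabric. It assumes a POSIX sh with grep (openssl is used only if present), and the default ORDERER_CA path is an assumption that mirrors the path used in the channel-create command above; override it with the ORDERER_CA environment variable. It appends --tls and --cafile only to orderer-bound subcommands when CORE_PEER_TLS_ENABLED is true, refuses to run them if the CA file is missing or not a PEM certificate, and recognises the orderer-side log signature of the plaintext-to-TLS mistake.

```shell
#!/bin/sh
# Added example, not from the original post or from Fabric: a wrapper around
# the Fabric "peer" CLI that adds --tls/--cafile only to subcommands that open
# a connection to the orderer, and refuses to run them when the orderer TLS CA
# file is unusable. The default path is an assumption (it mirrors the post);
# override it with the ORDERER_CA environment variable.

ORDERER_CA="${ORDERER_CA:-/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/scf.com/orderers/orderer.scf.com/msp/tlscacerts/tlsca.scf.com-cert.pem}"

# talks_to_orderer CMD SUB: exit 0 when "peer CMD SUB" delivers to the
# ordering service. join/install/query/list only talk to the local peer,
# which is covered by CORE_PEER_TLS_ROOTCERT_FILE, not by --cafile.
talks_to_orderer() {
  case "$1 $2" in
    "channel create"|"channel update"|"channel fetch"|\
    "chaincode instantiate"|"chaincode upgrade"|"chaincode invoke")
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# tls_flags CMD SUB: print the extra flags the command needs, or nothing
# when TLS is off or the command never reaches the orderer.
tls_flags() {
  if [ "${CORE_PEER_TLS_ENABLED:-false}" = "true" ] && talks_to_orderer "$1" "$2"; then
    printf -- '--tls --cafile %s' "$ORDERER_CA"
  fi
}

# check_cafile [PATH]: exit 2 if the CA file is unreadable, 3 if openssl is
# installed and the file does not parse as a PEM certificate.
check_cafile() {
  f="${1:-$ORDERER_CA}"
  [ -r "$f" ] || { echo "orderer TLS CA file not readable: $f" >&2; return 2; }
  if command -v openssl >/dev/null 2>&1; then
    openssl x509 -in "$f" -noout >/dev/null 2>&1 \
      || { echo "not a PEM certificate: $f" >&2; return 3; }
  fi
  return 0
}

# diagnose_log: read log lines on stdin; exit 0 (and print the fix) when the
# orderer-side signature of a plaintext client hitting a TLS listener is
# present. The client-side "transport is closing" alone is ambiguous, so it
# is deliberately not matched.
diagnose_log() {
  if grep -q 'first record does not look like a TLS handshake'; then
    echo 'client sent plaintext gRPC to a TLS orderer: add --tls --cafile <orderer tlsca cert>' >&2
    return 0
  fi
  return 1
}

# peer_tls CMD SUB [ARGS...]: run the peer CLI, appending the TLS flags for
# orderer-bound commands. Usage inside the cli container:
#   peer_tls channel create -o orderer.scf.com:7050 -c mychannel -t 50 -f ./channel-artifacts/mychannel.tx
#   peer_tls channel join -b mychannel.block        # unchanged, peer-only
peer_tls() {
  if [ "${CORE_PEER_TLS_ENABLED:-false}" = "true" ] && talks_to_orderer "$1" "$2"; then
    check_cafile || return $?
    set -- "$@" --tls --cafile "$ORDERER_CA"
  fi
  peer "$@"
}
```

peer_tls appends the flags with `set --` rather than by splitting a string, so a CA path containing spaces survives intact; tls_flags exists only to show (or script against) what would be appended. If check_cafile fails, nothing is sent to the orderer, which avoids the misleading "transport is closing" on the client side.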
