Enable TLS in a Fabric network

To enable TLS, set the TLS property of the orderer, peer, cli and ca containers to true and point the certificate and key settings at the right files. For the peer these are the following environment variables:

- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=xxx/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=xxx/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=xxx/tls/ca.crt

After starting the containers and entering the cli container, note that the command for creating a channel differs depending on whether TLS is enabled. With TLS disabled, the channel is created with:

peer channel create -o orderer.scf.com:7050 -c mychannel -t 50 -f ./channel-artifacts/mychannel.tx

With TLS enabled, the --tls flag and the path of the ordering service's TLS CA certificate must be added when creating the channel. The specific command is:

peer channel create -o orderer.scf.com:7050 -c mychannel -t 50 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/scf.com/orderers/orderer.scf.com/msp/tlscacerts/tlsca.scf.com-cert.pem -f ./channel-artifacts/mychannel.tx

If you still use the non-TLS command to create a channel after TLS has been enabled, cli reports the following error:

2019-04-11 17:31:48.661 UTC [grpc] Printf -> DEBU 010 transport: http2Client.notifyError got notified that the client transport was broken unexpected EOF.
2019-04-11 17:31:48.667 UTC [grpc] Printf -> DEBU 011 transport: http2Client.notifyError got notified that the client transport was broken unexpected EOF.
2019-04-11 17:31:48.668 UTC [grpc] Printf -> DEBU 012 transport: http2Client.notifyError got notified that the client transport was broken read tcp 172.18.0.10:59602->172.18.0.2:7050: read: connection reset by peer.
Error: rpc error: code = Unavailable desc = transport is closing

The orderer log shows the matching failure: the peer sent a plaintext gRPC request to a TLS listener, so the orderer rejects the handshake:

orderer.scf.com    | 2019-04-11 17:31:48.654 UTC [grpc] Printf -> DEBU 3da grpc: Server.Serve failed to complete security handshake from "172.18.0.10:59598": tls: first record does not look like a TLS handshake
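As an added example (not part of the original post), the following POSIX shell helper builds the `peer channel create` command line for the cli container, appending `--tls --cafile` only when CORE_PEER_TLS_ENABLED is true, and refuses to run when TLS is on but the orderer CA file is missing or is not a PEM certificate. The variable names ORDERER_ADDR, CHANNEL_NAME, CHANNEL_TX and ORDERER_CA are assumptions; their default values are the paths from the post.

```shell
#!/bin/sh
# Added example, not from the original post. ORDERER_ADDR, CHANNEL_NAME,
# CHANNEL_TX and ORDERER_CA are assumed variable names; defaults are the
# values used in the post.
ORDERER_ADDR="${ORDERER_ADDR:-orderer.scf.com:7050}"
CHANNEL_NAME="${CHANNEL_NAME:-mychannel}"
CHANNEL_TX="${CHANNEL_TX:-./channel-artifacts/mychannel.tx}"
ORDERER_CA="${ORDERER_CA:-/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/scf.com/orderers/orderer.scf.com/msp/tlscacerts/tlsca.scf.com-cert.pem}"

# Print the full channel-create command. With TLS enabled, the orderer CA
# file must be readable and contain a PEM certificate; otherwise return 1
# instead of sending a plaintext request to the orderer's TLS listener.
channel_create_cmd() {
    cmd="peer channel create -o $ORDERER_ADDR -c $CHANNEL_NAME -t 50 -f $CHANNEL_TX"
    case "${CORE_PEER_TLS_ENABLED:-false}" in
        true|TRUE|True)
            if [ ! -r "$ORDERER_CA" ]; then
                echo "orderer TLS CA file not readable: $ORDERER_CA" >&2
                return 1
            fi
            if ! grep -q 'BEGIN CERTIFICATE' "$ORDERER_CA"; then
                echo "orderer TLS CA file is not a PEM certificate: $ORDERER_CA" >&2
                return 1
            fi
            cmd="$cmd --tls --cafile $ORDERER_CA"
            ;;
    esac
    printf '%s\n' "$cmd"
}

# "run" executes the command inside the cli container; otherwise just print it.
if [ "${1:-}" = "run" ]; then
    cmd="$(channel_create_cmd)" || exit 1
    $cmd
else
    channel_create_cmd
fi
```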


Tags: github

Posted on Fri, 29 Nov 2019 12:42:55 -0800 by Birch