对等体未通过TLS连接加入通道和错误（IP SAN错误）

Posted 2021-03-31

我正在尝试下面的结构体系结构，其中一个对等体位于第一台机器（服务器/系统）中的另一台机器上，

在将每个对等体添加到通道时创建通道后显示如下所示的日志，当我尝试使用示例网络时，该日志用于表示对等体加入了通道，同样当我检查对等体的日志时它说：

2018-02-28 06:51:23.916 UTC [ConnProducer] NewConnection - > ERRO 36b连接到138.68.138.161:7050失败，错误：x509：无法验证138.68.138.161的证书，因为它不包含任何IP SAN

网络已启用，提供了证书并设置了环境变量。

channel-setup.是

    # Channel creation
echo "========== Creating channel: "$CHANNEL_NAME" =========="
#peer channel create -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls $CORE_PEER_TLS_ENABLED --cafile /opt$

# peer0.org1 channel join
echo "========== Joining peer0.org1.example.com to channel mychannel =========="
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.e$
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.or$
peer channel join -b ${CHANNEL_NAME}.block
peer channel update -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/${CORE_PEER_LOCALMSPID}anchors.tx --tls $CORE_PEER_TLS$

# peer1.org1 channel join
echo "========== Joining peer1.org1.example.com to channel mychannel =========="
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.e$
export CORE_PEER_ADDRESS=peer1.org1.example.com:7051
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer1.or$
peer channel join -b ${CHANNEL_NAME}.block

# peer0.org2 channel join
echo "========== Joining peer0.org2.example.com to channel mychannel =========="
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin@org2.e$
export CORE_PEER_ADDRESS=peer0.org2.example.com:7051
export CORE_PEER_LOCALMSPID="Org2MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer1.or$
peer channel join -b ${CHANNEL_NAME}.block
peer channel update -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/${CORE_PEER_LOCALMSPID}anchors.tx --tls $CORE_PEER_TLS$

# peer1.org2 channel join
echo "========== Joining peer1.org2.example.com to channel mychannel =========="
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin@org2.e$
export CORE_PEER_ADDRESS=peer1.org2.example.com:7051
export CORE_PEER_LOCALMSPID="Org2MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer1.or$

答案

您遇到问题的原因是TLS证书不包含IP SAN（IP主题备用名称）。这是TLS证书中的一个字段，基本上表示：“证书颁发给其IP为<1.2.3.4>的主机”

如果使用版本v1.0的cryptogen生成证书，则不支持将IP SAN添加到证书中。但是，版本v1.1的加密版确实支持它，所以如果你使用它 - 你将在TLS证书中拥有IP SAN。

解决问题的另一种方法是使用主机名（DNS名称）而不是IP地址，并使用任何版本的加密。如果您这样做 - 证书将包含DNS SAN（所有版本的cryptogen编码证书中的DNS SAN）。