问题
I've got a running testnet with mutual TLS in a Kubernetes cluster. The setup works: I can use the CLI without problems to invoke and query chaincode.
In Node, however, I can enroll the identity but I'm not able to complete a gateway.connect(...) successfully.
The error messages from the client and the peer tell me next to nothing.
The script
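'use strict';
const FabricCAServices = require('fabric-ca-client');
const { Wallets, Gateway } = require('fabric-network');
const fs = require('fs'); // currently unused in this script
const path = require('path');
// Connection profile (connection.json) and the CA lookup config are loaded from
// the sibling gateway/ directory; both are plain JSON.
const ccp = require('../gateway/connection.json');
const caConfig = require('../gateway/ca-config.json');
// Enrollment ID registered with the CA; also used as the wallet label.
const user = 'benchmark';
// Enrollment secret. An environment variable takes precedence so the credential
// does not have to live in source control; the literal is only the previous default.
// ENROLLMENT_SECRET is a name chosen by this script, not a Fabric setting.
const userpw = process.env.ENROLLMENT_SECRET !== undefined
  ? process.env.ENROLLMENT_SECRET
  : 'benchmarkPW';
// MSP the enrolled identities are stored under.
const mspID = 'Org1MSP';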
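/**
 * Creates (or opens) the file-system wallet under ./identity/wallet.
 *
 * The path is resolved against process.cwd(), so the wallet location depends on
 * the directory the script is launched from.
 *
 * @returns {Promise<object>} the wallet returned by Wallets.newFileSystemWallet
 * @throws {Error} the error from Wallets.newFileSystemWallet, after logging it.
 *   The original swallowed it and returned undefined, which only surfaced later
 *   as a TypeError inside enrollUser; rethrowing lets main() report it instead.
 */
async function createWallet() {
  const walletPath = path.join(process.cwd(), 'identity/wallet');
  try {
    return await Wallets.newFileSystemWallet(walletPath);
  } catch (error) {
    console.error(`Error: ${error}`);
    throw error;
  }
}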
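/**
 * Builds the wallet entry for one enrollment result.
 *
 * @param {{certificate: string, key: {toBytes: () => string}}} enrollment - result of FabricCAServices#enroll
 * @returns {{credentials: {certificate: string, privateKey: string}, mspId: string, type: string}}
 */
function toX509Identity(enrollment) {
  return {
    credentials: {
      certificate: enrollment.certificate,
      privateKey: enrollment.key.toBytes(),
    },
    mspId: mspID,
    type: 'X.509',
  };
}

/**
 * Enrolls `user` with the CA and stores two identities in the wallet: the signing
 * identity under `user` and the client TLS identity (profile "tls", issued by the
 * CA named `TLS<caName>` at the same endpoint) under `${user}-tls`.
 *
 * Each identity is checked separately, so a run that stopped after the first
 * enrollment still picks up the missing TLS identity on the next run. The
 * original checked only `user`, which then skipped the TLS enrollment for good.
 *
 * @param {object} wallet - wallet returned by createWallet()
 * @returns {Promise<void>}
 * Exits the process with status 1 on any error (kept from the original).
 */
async function enrollUser(wallet) {
  try {
    const caInfo = ccp.certificateAuthorities[caConfig.url];
    const caTLSCACerts = caInfo.tlsCACerts.pem;
    // NOTE(review): `verify: false` disables TLS certificate checking against the CA,
    // so the enrollment secret is sent to whatever answers at caInfo.url. The profile
    // already carries the CA's tlsCACerts as trusted roots, so `verify: true` is the
    // setting to aim for outside a throwaway test network.
    const caOptions = { trustedRoots: caTLSCACerts, verify: false };

    const tlsLabel = `${user}-tls`;

    // Signing material from the main CA.
    if (await wallet.get(user)) {
      console.log(`An identity for the client user "${user}" already exists in the wallet`);
    } else {
      const ca = new FabricCAServices(caInfo.url, caOptions, caInfo.caName);
      const enrollment = await ca.enroll({ enrollmentID: user, enrollmentSecret: userpw });
      await wallet.put(user, toX509Identity(enrollment));
      console.log(`Successfully enrolled msp for user "${user}" and imported it into the wallet`);
    }

    // Client TLS material from the TLS CA.
    if (await wallet.get(tlsLabel)) {
      console.log(`A TLS identity for the client user "${user}" already exists in the wallet`);
    } else {
      const tlsCa = new FabricCAServices(caInfo.url, caOptions, `TLS${caInfo.caName}`);
      const tlsEnrollment = await tlsCa.enroll({ enrollmentID: user, enrollmentSecret: userpw, profile: 'tls' });
      await wallet.put(tlsLabel, toX509Identity(tlsEnrollment));
      console.log(`Successfully enrolled tls-msp for user "${user}" and imported it into the wallet`);
    }
  } catch (error) {
    console.error(`Error enrolling user "${user}": ${error}`);
    process.exit(1);
  }
}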
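/**
 * Connects to the network through the gateway with the signing identity `user`
 * and the client TLS identity `${user}-tls`, then disconnects.
 *
 * Note that in the attached debug output the endorser connect failure inside
 * NetworkConfig.buildPeer is logged but connect() still returns normally, so a
 * peer that cannot be reached does not end up in the catch block here.
 *
 * @param {object} wallet - wallet holding both identities
 * @returns {Promise<void>}
 * Exits the process with status 1 if connect throws (kept from the original),
 * but only after the gateway has been disconnected.
 */
async function startBenchmark(wallet) {
  const gateway = new Gateway();
  const connectionOptions = {
    identity: user,
    clientTlsIdentity: `${user}-tls`,
    wallet,
    discovery: { enabled: true, asLocalhost: false },
  };
  let failed = false;
  try {
    await gateway.connect(ccp, connectionOptions);
  } catch (error) {
    failed = true;
    // The original message contained a stray quote (`Got error:": ...`).
    console.error(`Got error: ${error}`);
  } finally {
    // Release gRPC connections even when connect threw part-way through.
    gateway.disconnect();
  }
  if (failed) {
    process.exit(1);
  }
}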
/**
 * Script entry point: open the wallet, enroll the user, connect once via the gateway.
 * Any error escaping the steps is logged and turns into exit status 1.
 *
 * @returns {Promise<void>}
 */
async function main() {
  try {
    const wallet = await createWallet();
    // Both steps take the wallet and run strictly one after the other.
    for (const step of [enrollUser, startBenchmark]) {
      await step(wallet);
    }
  } catch (error) {
    console.error(`Error: ${error}`);
    process.exit(1);
  }
}
// main() handles its own errors (log + exit), so the returned promise is
// deliberately not awaited.
void main();
connection.json
{
"name": "Org1MSPprofile",
"description": "Network on OpenShift/K8s",
"version": "1.0.0",
"client": {
"organization": "Org1MSP"
},
"organizations": {
"Org1MSP": {
"mspid": "Org1MSP",
"certificateAuthorities": [
"worker2.example.com:30051"
],
"peers": [
"worker2.example.com:30151"
]
}
},
"peers": {
"worker2.example.com:30151": {
"url": "grpcs://worker2.example.com:30151",
"tlsCACerts": {
"pem": "-----BEGIN CERTIFICATE-----\nxxxx==\n-----END CERTIFICATE-----"
},
"grpcOptions": {
"ssl-target-name-override": "worker2.example.com"
}
}
},
"certificateAuthorities": {
"worker2.example.com:30051": {
"url": "https://worker2.example.com:30051",
"caName": "CA",
"tlsCACerts": {
"pem": [
"-----BEGIN CERTIFICATE-----\nxxxx==\n-----END CERTIFICATE-----"
]
},
"httpOptions": {
"verify": false
}
}
}
}
Console output
> node ./src/index.js
2020-08-06T15:00:26.046Z - debug: Successfully constructed a winston logger with configurations debug=console, info=console
2020-08-06T15:00:26.276Z - debug: [crypto_ecdsa_aes]: Hash algorithm: SHA2, hash output size: 256
2020-08-06T15:00:26.552Z - debug: [crypto_ecdsa_aes]: Hash algorithm: SHA2, hash output size: 256
2020-08-06T15:00:26.555Z - debug: [FabricCAClient.js]: Successfully constructed Fabric CA client from options - { caname: 'CA',
protocol: 'https',
hostname: 'worker2.example.com',
port: 30051,
tlsOptions:
{ trustedRoots:
[ '-----BEGIN CERTIFICATE-----\nxxxx==\n-----END CERTIFICATE-----' ],
verify: false } }
2020-08-06T15:00:26.555Z - debug: [FabricCAClientService.js]: Successfully constructed Fabric CA service client: endpoint - {"protocol":"https","hostname":"worker2.example.com","port":30051}
2020-08-06T15:00:26.682Z - debug: [crypto_ecdsa_aes]: generateKey, store.setValue
2020-08-06T15:00:26.687Z - debug: [FabricCAClientService.js]: successfully generated key pairs
2020-08-06T15:00:26.785Z - debug: [FabricCAClientService.js]: successfully generated csr
2020-08-06T15:00:26.786Z - debug: [FabricCAClient.js]: CONNECTION_TIMEOUT = 3000, SO_TIMEOUT = infinite
2020-08-06T15:00:27.103Z - debug: [FabricCAClientService.js]: successfully enrolled benchmark
Successfully enrolled msp for user "benchmark" and imported it into the wallet
2020-08-06T15:00:27.109Z - debug: [crypto_ecdsa_aes]: Hash algorithm: SHA2, hash output size: 256
2020-08-06T15:00:27.110Z - debug: [FabricCAClient.js]: Successfully constructed Fabric CA client from options - { caname: 'TLSCA',
protocol: 'https',
hostname: 'worker2.example.com',
port: 30051,
tlsOptions:
{ trustedRoots:
[ '-----BEGIN CERTIFICATE-----\nxxxx==\n-----END CERTIFICATE-----' ],
verify: false } }
2020-08-06T15:00:27.110Z - debug: [FabricCAClientService.js]: Successfully constructed Fabric CA service client: endpoint - {"protocol":"https","hostname":"worker2.example.com","port":30051}
2020-08-06T15:00:27.174Z - debug: [crypto_ecdsa_aes]: generateKey, store.setValue
2020-08-06T15:00:27.175Z - debug: [FabricCAClientService.js]: successfully generated key pairs
2020-08-06T15:00:27.255Z - debug: [FabricCAClientService.js]: successfully generated csr
2020-08-06T15:00:27.255Z - debug: [FabricCAClient.js]: CONNECTION_TIMEOUT = 3000, SO_TIMEOUT = infinite
2020-08-06T15:00:27.489Z - debug: [FabricCAClientService.js]: successfully enrolled benchmark
Successfully enrolled tls-msp for user "benchmark" and imported it into the wallet
2020-08-06T15:00:27.492Z - debug: [Gateway]: in Gateway constructor
2020-08-06T15:00:27.495Z - debug: [Gateway]: connect - start
2020-08-06T15:00:27.495Z - debug: [Gateway]: connection options: {"identity":"benchmark","tlsInfo":{"certificate":"-----BEGIN CERTIFICATE-----\nxxxx/o=\n-----END CERTIFICATE-----\n","key":"-----BEGIN PRIVATE KEY-----\r\nxxxx\r\n-----END PRIVATE KEY-----\r\n"},"wallet":{"providerRegistry":{"providers":{}},"store":{"storePath":"/home/user/test/benchmark/identity/wallet"}},"discovery":{"enabled":true,"asLocalhost":false}}
2020-08-06T15:00:27.496Z - debug: [Client]: Client.constructor[gateway client] - start
2020-08-06T15:00:27.496Z - debug: [Gateway]: connect - setting identity from wallet
2020-08-06T15:00:27.498Z - debug: [crypto_ecdsa_aes]: createKeyFromRaw - start
2020-08-06T15:00:27.500Z - debug: [crypto_ecdsa_aes]: createKeyFromRaw - have the key [Circular]
2020-08-06T15:00:27.500Z - debug: [crypto_ecdsa_aes]: createKeyFromRaw - start
2020-08-06T15:00:27.502Z - debug: [crypto_ecdsa_aes]: createKeyFromRaw - have the key [Circular]
2020-08-06T15:00:27.503Z - debug: [Gateway]: connect - setting tlsInfo
2020-08-06T15:00:27.503Z - debug: [Client]: setTlsClientCertAndKey: gateway client - start
2020-08-06T15:00:27.503Z - debug: [Gateway]: connect - NetworkConfig loading client from ccp
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: loadFromConfig - start
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: buildPeer - start - worker2.example.com:30151
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: findPeerMspid - start for worker2.example.com:30151
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: findPeerMspid - checking peer worker2.example.com:30151 in org Org1MSP
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: findPeerMspid - found mspid Org1MSP for worker2.example.com:30151
2020-08-06T15:00:27.505Z - debug: [NetworkConfig]: buildOptions - start
2020-08-06T15:00:27.505Z - debug: [Client]: newEndpoint: gateway client - start
2020-08-06T15:00:27.505Z - debug: [Client]: getConnectionOptions: gateway client - start
2020-08-06T15:00:27.506Z - debug: [Client]: newEndpoint: gateway client grpc-wait-for-ready-timeout set to 3000
2020-08-06T15:00:27.506Z - debug: [Client]: newEndpoint: gateway client - ssl_target_name_override: worker2.example.com
2020-08-06T15:00:27.507Z - debug: [Endpoint]: Endpoint.constructor - start
2020-08-06T15:00:27.508Z - debug: [Client]: new endpoint url: grpcs://worker2.example.com:30151
2020-08-06T15:00:27.508Z - debug: [NetworkConfig]: buildPeer - about to connect to endorser worker2.example.com:30151 url:grpcs://worker2.example.com:30151 mspid:Org1MSP
2020-08-06T15:00:27.508Z - debug: [Client]: getEndorser: gateway client start name:worker2.example.com:30151
2020-08-06T15:00:27.508Z - debug: [Client]: getEndorser: gateway client create endorser name:worker2.example.com:30151
2020-08-06T15:00:27.509Z - debug: [Endorser]: Endorser.constructor[worker2.example.com:30151] - start
2020-08-06T15:00:27.509Z - debug: [Client]: getEndorser: gateway client return endorser name:worker2.example.com:30151
2020-08-06T15:00:27.509Z - debug: [ServiceEndpoint]: connect[Endorser-worker2.example.com:30151] - start
2020-08-06T15:00:27.509Z - debug: [ServiceEndpoint]: connect[Endorser-worker2.example.com:30151] - create the grpc service for worker2.example.com:30151
2020-08-06T15:00:27.513Z - debug: [ServiceEndpoint]: waitForReady - start Endorser-worker2.example.com:30151 - grpcs://worker2.example.com:30151
2020-08-06T15:00:27.513Z - debug: [ServiceEndpoint]: waitForReady - promise running worker2.example.com:30151 - grpcs://worker2.example.com:30151
2020-08-06T15:00:30.514Z - error: [ServiceEndpoint]: Error: Failed to connect before the deadline on Endorser- name: worker2.example.com:30151, url:grpcs://worker2.example.com:30151, connected:false, connectAttempted:true
2020-08-06T15:00:30.514Z - error: [ServiceEndpoint]: Error: Failed to connect before the deadline on Endorser- name: worker2.example.com:30151, url:grpcs://worker2.example.com:30151, connected:false, connectAttempted:true
2020-08-06T15:00:30.514Z - error: [ServiceEndpoint]: waitForReady - Failed to connect to remote gRPC server worker2.example.com:30151 url:grpcs://worker2.example.com:30151 timeout:3000
2020-08-06T15:00:30.514Z - error: [ServiceEndpoint]: waitForReady - Failed to connect to remote gRPC server worker2.example.com:30151 url:grpcs://worker2.example.com:30151 timeout:3000
2020-08-06T15:00:30.514Z - error: [NetworkConfig]: buildPeer - Unable to connect to the endorser worker2.example.com:30151 due to Error: Failed to connect before the deadline on Endorser- name: worker2.example.com:30151, url:grpcs://worker2.example.com:30151, connected:false, connectAttempted:true
2020-08-06T15:00:30.514Z - error: [NetworkConfig]: buildPeer - Unable to connect to the endorser worker2.example.com:30151 due to Error: Failed to connect before the deadline on Endorser- name: worker2.example.com:30151, url:grpcs://worker2.example.com:30151, connected:false, connectAttempted:true
2020-08-06T15:00:30.514Z - debug: [NetworkConfig]: loadFromConfig - end
2020-08-06T15:00:30.514Z - debug: [Gateway]: connect - end
2020-08-06T15:00:30.515Z - debug: [Gateway]: in disconnect
Peer log
2020-08-06 15:09:29.718 UTC [grpc] Warning -> DEBU bba5 grpc: Server.Serve failed to create ServerTransport: connection error: desc = "transport: http2Server.HandleStreams failed to receive the preface from client: EOF"
2020-08-06 15:09:30.904 UTC [grpc] Warning -> DEBU bba6 grpc: Server.Serve failed to create ServerTransport: connection error: desc = "transport: http2Server.HandleStreams failed to receive the preface from client: EOF"
2020-08-06 15:09:32.344 UTC [gossip.discovery] periodicalSendAlive -> DEBU bbaf Sleeping 5s
2020-08-06 15:09:32.743 UTC [grpc] Warning -> DEBU bbb0 grpc: Server.Serve failed to create ServerTransport: connection error: desc = "transport: http2Server.HandleStreams failed to receive the preface from client: EOF"
So something reaches the peer. I just have no clue why the connection can't be established.
Checklist:
- Provided tlscacert of org1 in connection.json? check
- Enrolled TLS identity for the client? check
- Provided the TLS identity to the gateway? check
- Tried `httpOptions.verify = false` in connection.json for the peer? check
- Tried both `user` and `${user}-tls` as gateway identity? check
Any ideas?
Versions:
Peer: 2.1
Node - fabric-ca-client: "^2.2.0"
Node - fabric-network: "^2.2.0"
Kind regards
回答1:
The problem was with my peer's TLS certificate. With `export GRPC_VERBOSITY=DEBUG` and `export GRPC_TRACE=all` set, I got the following from my client:
2020-08-10T16:13:52.283Z | subchannel | x.x.x.x:30151 connection closed with error Hostname/IP does not match certificate's altnames: Host: worker2.example.com. is not in the cert's altnames: DNS:org1-peer1
So the client does reach the peer (consistent with the `EOF` warnings in the peer log) but then rejects the peer certificate: its only SAN is `org1-peer1`, while the client verifies the name `worker2.example.com` (the `ssl-target-name-override` from connection.json). The fix is either a peer TLS certificate that carries the externally reachable hostname as a SAN, or an `ssl-target-name-override` that names a SAN the certificate actually has.
来源:https://stackoverflow.com/questions/63286790/node-sdk-v2-gateway-cannot-connect-to-peer