hyperledger / fabric

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. Its modular and versatile design satisfies a broad range of industry use cases. It offers a unique approach to consensus that enables performance at scale while preserving privacy.
https://wiki.hyperledger.org/display/fabric
Apache License 2.0

Failed to create channel by local ca for grpcs error #3345

Closed favccxx closed 2 years ago

favccxx commented 2 years ago

I'm trying to generate certificates with Java code. I succeeded in starting the orderer and peer, but I failed to create a channel because of a grpcs error. I know there must be something wrong with my TLS certs, but I don't know the reason. Can you tell me the reason?

```
Caused by: org.hyperledger.fabric.sdk.exception.TransactionException: Channel fucking, send transaction failed on orderer OrdererClient{id: 4, channel: fucking, name: fabric-orderer-oynp4ab7, url: grpcs://172.20.52.68:32101}. Reason: UNAVAILABLE: io exception
Channel Pipeline: [SslHandler#0, ProtocolNegotiators$ClientTlsHandler#0, WriteBufferingAndExceptionHandler#0, DefaultChannelPipeline$TailContext#0]
    at org.hyperledger.fabric.sdk.OrdererClient.sendTransaction(OrdererClient.java:240)
    at org.hyperledger.fabric.sdk.Orderer.sendTransaction(Orderer.java:166)
    at org.hyperledger.fabric.sdk.Channel.sendUpdateChannel(Channel.java:538)
    at org.hyperledger.fabric.sdk.Channel.<init>(Channel.java:249)
    at org.hyperledger.fabric.sdk.Channel.createNewInstance(Channel.java:342)
    at org.hyperledger.fabric.sdk.HFClient.newChannel(HFClient.java:297)
    at com.yonyou.iuap.bc.baas.net.manager.service.impl.ConfigGenerateServiceImpl.notifyCreateChannel(ConfigGenerateServiceImpl.java:237)
    ... 125 common frames omitted
Caused by: io.grpc.StatusRuntimeException: UNAVAILABLE: io exception
Channel Pipeline: [SslHandler#0, ProtocolNegotiators$ClientTlsHandler#0, WriteBufferingAndExceptionHandler#0, DefaultChannelPipeline$TailContext#0]
    at io.grpc.Status.asRuntimeException(Status.java:535)
    at io.grpc.stub.ClientCalls$StreamObserverToCallListenerAdapter.onClose(ClientCalls.java:479)
    at io.grpc.internal.DelayedClientCall$DelayedListener$3.run(DelayedClientCall.java:463)
    at io.grpc.internal.DelayedClientCall$DelayedListener.delayOrExecute(DelayedClientCall.java:427)
    at io.grpc.internal.DelayedClientCall$DelayedListener.onClose(DelayedClientCall.java:460)
    at io.grpc.internal.ClientCallImpl.closeObserver(ClientCallImpl.java:562)
    at io.grpc.internal.ClientCallImpl.access$300(ClientCallImpl.java:70)
    at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInternal(ClientCallImpl.java:743)
    at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInContext(ClientCallImpl.java:722)
    at io.grpc.internal.ContextRunnable.run(ContextRunnable.java:37)
    at io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:133)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    ... 1 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.handshakeException(ReferenceCountedOpenSslEngine.java:1898)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.wrap(ReferenceCountedOpenSslEngine.java:822)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:511)
    at io.netty.handler.ssl.SslHandler.wrap(SslHandler.java:1039)
    at io.netty.handler.ssl.SslHandler.wrapNonAppData(SslHandler.java:925)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1407)
    at io.netty.handler.ssl.SslHandler.unwrapNonAppData(SslHandler.java:1325)
    at io.netty.handler.ssl.SslHandler.access$1800(SslHandler.java:168)
    at io.netty.handler.ssl.SslHandler$SslTasksRunner.resumeOnEventExecutor(SslHandler.java:1716)
    at io.netty.handler.ssl.SslHandler$SslTasksRunner.access$2000(SslHandler.java:1607)
    at io.netty.handler.ssl.SslHandler$SslTasksRunner$2.run(SslHandler.java:1768)
    at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164)
    at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:469)
    at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:384)
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
    at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    ... 1 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:275)
    at sun.security.validator.Validator.validate(Validator.java:271)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:275)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:140)
    at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:234)
    at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:748)
    at io.netty.internal.tcnative.CertificateVerifierTask.runTask(CertificateVerifierTask.java:36)
    at io.netty.internal.tcnative.SSLTask.run(SSLTask.java:48)
    at io.netty.internal.tcnative.SSLTask.run(SSLTask.java:42)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine$TaskDecorator.run(ReferenceCountedOpenSslEngine.java:1465)
    at io.netty.handler.ssl.SslHandler$SslTasksRunner.run(SslHandler.java:1785)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    ... 1 common frames omitted
```

Some Java code:

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.DERGeneralString;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public static BaasCert generateNodeCert(String nodeType, String caType, String nodeName, String orgCode,
                                        String orgDomain, String nameSpace, String nodeSubject,
                                        Date startDate, Date endDate) throws BusinessException {
    Security.addProvider(new BouncyCastleProvider());
    try {
        KeyPair keyPair = KeyPairUtils.generateFabricKeyPair();
        String keyPem = FabricCertService.nodeKeyToPem(keyPair.getPrivate());

        // Self-signed CSR carrying the node's subject and public key
        ContentSigner signer = new JcaContentSignerBuilder(SIGN_ECC)
                .setProvider(BC_PROVIDER)
                .build(keyPair.getPrivate());
        X500Name x500Name = new X500Name(nodeSubject);
        PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(x500Name, keyPair.getPublic());
        PKCS10CertificationRequest csr = csrBuilder.build(signer);

        // Pick the signing CA: the enrollment CA or the TLS CA
        PrivateKey rootKey;
        X509Certificate rootCert;
        if (FabricConstants.CA.equalsIgnoreCase(caType)) {
            rootKey = RootCertUtil.getRootEKey();
            rootCert = RootCertUtil.getRootECert();
        } else if (FabricConstants.TLSCA.equalsIgnoreCase(caType)) {
            rootKey = RootCertUtil.getRootTKey();
            rootCert = RootCertUtil.getRootTCert();
        } else {
            throw new IllegalArgumentException("unknown caType: " + caType);
        }

        // Take the issuer name from the CA certificate's encoded subject instead of re-parsing
        // getSubjectDN().getName(): the string round-trip can change RDN order or string types,
        // and a path validator compares the DER-encoded names byte for byte.
        X500Name issuerSubject = new JcaX509CertificateHolder(rootCert).getSubject();
        BigInteger issuedCertSerialNum = FabricExtension.generateSerialNum();

        X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(issuerSubject, issuedCertSerialNum,
                startDate, endDate, csr.getSubject(), csr.getSubjectPublicKeyInfo());
        JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
        certBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        // The AuthorityKeyIdentifier must carry the CA's SubjectKeyIdentifier. The original code passed the
        // raw DER of the CA's own AKI extension as the key identifier, which yields a nested OCTET STRING
        // that matches no CA key (visible in the AuthorityKeyIdentifier of the posted certificate dump).
        certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(rootCert));
        certBuilder.addExtension(Extension.subjectKeyIdentifier, false, FabricExtension.getSubjectKeyIdentifier(keyPair.getPublic()));
        certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature));
        String registerId = nodeName + Constant.POINT + orgCode + Constant.POINT + orgDomain;
        ASN1Encodable nodeAttrs = new DERGeneralString(FabricExtension.getNodeAttrs(orgCode, registerId, nodeType));
        certBuilder.addExtension(FabricExtension.nodeAttribute, false, nodeAttrs);
        if (FabricConstants.TLSCA.equalsIgnoreCase(caType)) {
            // TLS certificates need serverAuth/clientAuth and a SAN for every name the node is reached by
            certBuilder.addExtension(Extension.extendedKeyUsage, true,
                    new ExtendedKeyUsage(new KeyPurposeId[]{KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth}));
            GeneralNames subjectAltNames = new GeneralNames(new GeneralName[]{
                    new GeneralName(GeneralName.dNSName, nodeName),
                    new GeneralName(GeneralName.dNSName, registerId),
                    new GeneralName(GeneralName.dNSName, registerId.split("\\.")[0] + "." + nameSpace)});
            certBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
        }

        // Sign with the CA's private key
        ContentSigner caSigner = new JcaContentSignerBuilder(SIGN_ECC).setProvider(BC_PROVIDER).build(rootKey);
        X509CertificateHolder issuedCertHolder = certBuilder.build(caSigner);
        X509Certificate certificate = new JcaX509CertificateConverter().setProvider(BC_PROVIDER).getCertificate(issuedCertHolder);
        logger.debug("{}-{} cert: {}", nodeName, caType, certificate);
        String certPem = FabricCertService.certToPem(certificate);
        return new BaasCert(keyPem, certPem);
    } catch (Exception e) {
        logger.error("failed to generate {} node cert", nodeName, e);
        // The original fell off the end of the method here with no return value, which does not compile
        throw new IllegalStateException("failed to generate " + nodeName + " node cert", e);
    }
}
```

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.spec.ECGenParameterSpec;

public static KeyPair generateFabricKeyPair() {
    try {
        // P-256 (secp256r1 / prime256v1), the curve Fabric uses for ECDSA identities
        ECGenParameterSpec ecSpec = new ECGenParameterSpec(SECP256R1);
        KeyPairGenerator kf = KeyPairGenerator.getInstance("EC");
        // The original called initialize(256, ...) and then initialize(ecSpec, ...);
        // the second call replaces the first, so only the named-curve initialization is needed.
        kf.initialize(ecSpec, new SecureRandom());
        return kf.generateKeyPair();
    } catch (Exception e) {
        // Returning null here (as the original did) only surfaces later as a NullPointerException
        // in the caller; fail at the point of the error instead.
        throw new IllegalStateException("EC key generation failed", e);
    }
}
```

Below are my certificates. I hope you can tell me the reason.

```
[
[
  Version: V3
  Subject: C=CN, ST=Beijing, L=Haidian, OU=madong + OU=orderer, CN=fabric-orderer-iwuwcbyf.madong.madong.com
  Signature Algorithm: SHA256withECDSA, OID = 1.2.840.10045.4.3.2

  Key:  Sun EC public key, 256 bits
  public x coord: 28785226202240756646177718527367595238983741204018410754881037527273160040806
  public y coord: 76967145626319286917147553453023685935363700217575474759376991608531270167364
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
  Validity: [From: Thu Apr 21 20:26:05 GMT+08:00 2022,
               To: Wed Apr 21 20:26:05 GMT+08:00 2027]
  Issuer: CN=root.tlsca.xx.com, O=xxcom, L=Haidian, ST=BeiJing, C=CN
  SerialNumber: [    0237977f 68fe997a ce5dbe05 945e7c3e 9aa1e909]

Certificate Extensions: 7
[1]: ObjectId: 1.2.3.4.5.6.7.8.1 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 79 1B 77 7B 22 61 74 74 72 73 22 3A 7B 22 68  .y.w."attrs":."h
0010: 66 2E 41 66 66 69 6C 69 61 74 69 6F 6E 22 3A 22  f.Affiliation":"
0020: 6D 61 64 6F 6E 67 22 2C 22 68 66 2E 45 6E 72 6F  madong","hf.Enro
0030: 6C 6C 6D 65 6E 74 49 44 22 3A 22 66 61 62 72 69  llmentID":"fabri
0040: 63 2D 6F 72 64 65 72 65 72 2D 69 77 75 77 63 62  c-orderer-iwuwcb
0050: 79 66 2E 6D 61 64 6F 6E 67 2E 6D 61 64 6F 6E 67  yf.madong.madong
0060: 2E 63 6F 6D 22 2C 22 68 66 2E 54 79 70 65 22 3A  .com","hf.Type":
0070: 22 6F 72 64 65 72 65 72 22 7D 7D                 "orderer"..

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 04 18 30 16 80 14 C0 F1 BB 2E AB 6A 70 7F 99 B1  ..0........jp...
0010: 05 CB A7 61 9C 36 60 03 8C F3                    ...a.6`...
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.37 Criticality=true
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
]

[6]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: fabric-orderer-iwuwcbyf
  DNSName: fabric-orderer-iwuwcbyf.madong.madong.com
  DNSName: fabric-orderer-iwuwcbyf.35568e768fb66d2c8002
]

[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EA 4E 1A 2D 66 A9 4E 57 94 43 98 D5 59 DB 92 70  .N.-f.NW.C..Y..p
0010: 4F 3F C2 53                                      O?.S
]
]

]
  Algorithm: [SHA256withECDSA]
  Signature:
0000: 30 44 02 20 42 2B 5D 3D 0C BB B9 94 1B 42 D2 C2  0D. B+]=.....B..
0010: 98 D7 19 BE BE B9 44 58 60 D9 32 E0 B7 80 4C 91  ......DX`.2...L.
0020: BC 64 04 A2 02 20 66 C6 03 BE C6 42 B1 A4 B7 6A  .d... f....B...j
0030: 93 BE AB EF 94 BC B7 81 C5 66 14 6D 45 DE B1 FB  .........f.mE...
0040: 13 CD 52 FF 18 A1                                ..R...

]
```

denyeart commented 2 years ago

These client connection errors usually mean that the client is not configured with a CA certificate that matches the signer of the server's TLS certificate.

I've opened a PR to add some more TLS troubleshooting information to the Fabric docs that may help you: https://github.com/hyperledger/fabric/pull/3346. It is written from the perspective of a peer CLI client connection, but should be helpful for a Java SDK connection error as well.

What is the corresponding error in the peer log at the time of connection failure?
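Two things decide whether "Path does not chain with any of the trust anchors" appears: the leaf-to-CA linkage that the posted generateNodeCert has to get right (issuer name and AuthorityKeyIdentifier), and the point made in the reply above, that the client's trust store must hold the root that actually signed the server's TLS certificate. Both can be checked offline. The Go program below is an added example, not code from Fabric, the Java SDK or the issue: it builds a constructed TLS CA and a second, unrelated enrollment CA, issues a server certificate with the same extension shape as the posted orderer certificate (CA:false, digitalSignature, serverAuth+clientAuth, DNS SANs), verifies it the way a TLS client would against each root (chain and hostname), and reports per candidate issuer the three checks a path validator performs. All names (root.tlsca.example.com, fabric-orderer-example.org1.example.com) are placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertBundle pairs a parsed certificate with its private key (constructed test PKI, not Fabric's).
type CertBundle struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey }

// ChainDiag records the three checks a path validator makes when linking a leaf to an issuer.
type ChainDiag struct{ IssuerMatchesSubject, AKIMatchesSKI, SignatureValid bool }

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// keyID: SubjectKeyIdentifier as SHA-1 over the SubjectPublicKeyInfo (RFC 5280 only requires uniqueness).
func keyID(pub *ecdsa.PublicKey) []byte {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	check(err)
	sum := sha1.Sum(spki)
	return sum[:]
}

// create fills in key, serial, validity and SKI, then signs tmpl with parent (self-signed when nil).
// CreateCertificate takes the issuer name from parent.RawSubject (no string round-trip) and sets
// AuthorityKeyId from parent.SubjectKeyId: exactly the linkage a path validator checks later.
func create(tmpl *x509.Certificate, parent *CertBundle) CertBundle {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	check(err)
	tmpl.SubjectKeyId = keyID(&key.PublicKey)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(365*24*time.Hour)
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return CertBundle{Cert: cert, Key: key}
}

// NewCA creates a self-signed ECDSA P-256 root, e.g. a TLS CA or an enrollment CA.
func NewCA(cn string) CertBundle {
	return create(&x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}, nil)
}

// IssueServerCert issues a CA:false TLS cert shaped like the issue's orderer cert: digitalSignature, serverAuth+clientAuth, DNS SANs.
func IssueServerCert(ca CertBundle, dnsNames []string) *x509.Certificate {
	return create(&x509.Certificate{
		Subject:               pkix.Name{CommonName: dnsNames[0]},
		BasicConstraintsValid: true, // encodes CA:false
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:              dnsNames,
	}, &ca).Cert
}

// VerifyAgainstRoots does what the gRPC client's TLS handshake does: build a path from the server
// certificate to a root the client was configured with, and match the hostname against the SANs.
func VerifyAgainstRoots(server *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// DiagnoseChain explains why a leaf does or does not chain to a candidate issuer.
func DiagnoseChain(leaf, issuer *x509.Certificate) ChainDiag {
	return ChainDiag{
		IssuerMatchesSubject: bytes.Equal(leaf.RawIssuer, issuer.RawSubject),
		AKIMatchesSKI:        bytes.Equal(leaf.AuthorityKeyId, issuer.SubjectKeyId),
		SignatureValid:       leaf.CheckSignatureFrom(issuer) == nil,
	}
}

func main() {
	tlsCA := NewCA("root.tlsca.example.com") // signs TLS certificates
	enrollCA := NewCA("root.ca.example.com") // signs MSP identities: the wrong root for a TLS client
	host := "fabric-orderer-example.org1.example.com"
	srv := IssueServerCert(tlsCA, []string{"fabric-orderer-example", host})
	fmt.Println("trusting tlsca:", VerifyAgainstRoots(srv, host, tlsCA.Cert), DiagnoseChain(srv, tlsCA.Cert))
	fmt.Println("trusting ca:   ", VerifyAgainstRoots(srv, host, enrollCA.Cert), DiagnoseChain(srv, enrollCA.Cert))
}
```

Run with `go run`. Against the TLS CA the verification error is nil and the diagnosis is `{true true true}`; against the enrollment CA Go reports "certificate signed by unknown authority", the counterpart of the JDK's "Path does not chain with any of the trust anchors", and the diagnosis is `{false false false}`. When a client is configured with the wrong root, all three checks fail together; when only AKIMatchesSKI or only IssuerMatchesSubject fails while the signature verifies, the root is right and the issued certificate's extensions or issuer encoding are the problem, which is the case the posted generateNodeCert had to be corrected for. To apply the diagnosis to real material, parse the server's PEM with x509.ParseCertificate and the client's CA file with the same call, then pass them to DiagnoseChain.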

denyeart commented 2 years ago

No response, closing.