TLS handshake failed when setting up etcdRaft

Howin Ho

Hi all,

I am trying to set up 5 Raft orderers on my local machine, but the orderers keep complaining "TLS handshake failed". Wondering if anyone has any insight on this problem? Many thanks in advance!!

My configtx.yaml looks like this:

OrdererType: etcdraft

Addresses:
  - orderer1-org0:7050
  - orderer2-org0:7050
  - orderer3-org0:7050
  - orderer4-org0:7050
  - orderer5-org0:7050

EtcdRaft:
  Consenters:
    - Host: orderer1-org0
      Port: 7050
      ClientTLSCert: ./hyperledger/crypto-config/org0/orderer1/tls-msp/signcerts/cert.pem
      ServerTLSCert: ./hyperledger/crypto-config/org0/orderer1/tls-msp/signcerts/cert.pem
    - Host: orderer2-org0
      Port: 7050
      ClientTLSCert: ./hyperledger/crypto-config/org0/orderer2/tls-msp/signcerts/cert.pem
      ServerTLSCert: ./hyperledger/crypto-config/org0/orderer2/tls-msp/signcerts/cert.pem
    - Host: orderer3-org0
      Port: 7050
      ClientTLSCert: ./hyperledger/crypto-config/org0/orderer3/tls-msp/signcerts/cert.pem
      ServerTLSCert: ./hyperledger/crypto-config/org0/orderer3/tls-msp/signcerts/cert.pem
    - Host: orderer4-org0
      Port: 7050
      ClientTLSCert: ./hyperledger/crypto-config/org0/orderer4/tls-msp/signcerts/cert.pem
      ServerTLSCert: ./hyperledger/crypto-config/org0/orderer4/tls-msp/signcerts/cert.pem
    - Host: orderer5-org0
      Port: 7050
      ClientTLSCert: ./hyperledger/crypto-config/org0/orderer5/tls-msp/signcerts/cert.pem
      ServerTLSCert: ./hyperledger/crypto-config/org0/orderer5/tls-msp/signcerts/cert.pem


My orderer.yaml looks like this:

General:

  LedgerType: file
  ListenAddress: 127.0.0.1
  ListenPort: 7050

  TLS:
    Enabled: true
    PrivateKey: /var/hyperledger/crypto-config/org0/orderer1/tls-msp/keystore/key.pem
    Certificate: /var/hyperledger/crypto-config/org0/orderer1/tls-msp/signcerts/cert.pem
    RootCAs:
      - /var/hyperledger/crypto-config/org0/orderer1/tls-msp/tlscacerts/tls-0-0-0-0-6052.pem
    ClientAuthRequired: true
    ClientRootCAs:

My docker-compose.yaml looks like this:

orderer1-org0:
  extends:
    file: nodebase.yaml
    service: orderer
  container_name: orderer1-org0
  environment:
    - ORDERER_HOST=orderer1-org0
    - ORDERER_HOME=/var/hyperledger/orderer
    - ORDERER_GENERAL_LOCALMSPID=org0MSP
    - ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/crypto-config/org0/orderer1/msp
    - ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/crypto-config/org0/orderer1/tls-msp/signcerts/cert.pem
    - ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/crypto-config/org0/orderer1/tls-msp/keystore/key.pem
    - ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/crypto-config/org0/orderer1/tls-msp/tlscacerts/tls-0-0-0-0-6052.pem]
    - ORDERER_GENERAL_GENESISFILE=/var/hyperledger/crypto-config/org0/orderer1/genesis.block
    - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/var/hyperledger/crypto-config/org0/orderer1/tls-msp/signcerts/cert.pem
    - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/var/hyperledger/crypto-config/org0/orderer1/tls-msp/keystore/key.pem
    - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/var/hyperledger/crypto-config/org0/orderer1/tls-msp/tlscacerts/tls-0-0-0-0-6052.pem]
  volumes:
    - ./hyperledger/production/org0/orderer1:/var/hyperledger/production
    - ./hyperledger/crypto-config/org0/orderer1:/var/hyperledger/crypto-config/org0/orderer1
  ports:
    - 7050:7050
  extra_hosts:
    - "orderer1-org0:0.0.0.0"
    - "orderer2-org0:0.0.0.0"
    - "orderer3-org0:0.0.0.0"
    - "orderer4-org0:0.0.0.0"
    - "orderer5-org0:0.0.0.0"

My nodebase.yaml looks like this:

orderer:
  image: hyperledger/fabric-orderer:1.4.4
  environment:
    - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
    - ORDERER_OPERATIONS_LISTENADDRESS=0.0.0.0:8443
    - ORDERER_GENERAL_GENESISMETHOD=file
    - ORDERER_GENERAL_TLS_ENABLED=true
    - ORDERER_GENERAL_LOGLEVEL=debug
    - ORDERER_DEBUG_BROADCASTTRACEDIR=/var/hyperledger/orderer/data/logs
  networks:
    - fabric

The way I enroll orderer TLS is like this. I specifically added 127.0.0.1 in the csr hosts.

# Enroll for org0 orderer1
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
export FABRIC_CA_CLIENT_HOME=/var/hyperledger/crypto-config/org0/orderer1
export FABRIC_CA_CLIENT_TLS_CERTFILES=/var/hyperledger/crypto-config/org0/orderer1/assets/tls-ca/tls-ca-cert.pem
fabric-ca-client enroll -d -u https://orderer1-org0:ordererPW@0.0.0.0:6052 --enrollment.profile tls --csr.hosts orderer1-org0 --csr.hosts 127.0.0.1

The way I create the genesis block and channel artifacts:

configtxgen -profile OrgsOrdererGenesis -outputBlock genesis.block -channelID ordererchannel
configtxgen -profile OrgsChannel -outputCreateChannelTx channel.tx -channelID mychannel

After the orderers are up, here is the log for orderer1-org0:

2019-12-12 03:23:31.538 UTC [localconfig] completeInitialization -> INFO 001 Kafka.Version unset, setting to 0.10.2.0
2019-12-12 03:23:31.587 UTC [orderer.common.server] prettyPrintStruct -> INFO 002 Orderer config values:
        General.LedgerType = "file"
        General.ListenAddress = "0.0.0.0"
        General.ListenPort = 7050
        General.TLS.Enabled = true
        General.TLS.PrivateKey = "/var/hyperledger/crypto-config/org0/orderer1/tls-msp/keystore/key.pem"
        General.TLS.Certificate = "/var/hyperledger/crypto-config/org0/orderer1/tls-msp/signcerts/cert.pem"
        General.TLS.RootCAs = [/var/hyperledger/crypto-config/org0/orderer1/tls-msp/tlscacerts/tls-0-0-0-0-6052.pem]
        General.TLS.ClientAuthRequired = false
        General.TLS.ClientRootCAs = []
        General.Cluster.ListenAddress = ""
        General.Cluster.ListenPort = 0
        General.Cluster.ServerCertificate = ""
        General.Cluster.ServerPrivateKey = ""
        General.Cluster.ClientCertificate = "/var/hyperledger/crypto-config/org0/orderer1/tls-msp/signcerts/cert.pem"
        General.Cluster.ClientPrivateKey = "/var/hyperledger/crypto-config/org0/orderer1/tls-msp/keystore/key.pem"
        General.Cluster.RootCAs = [/var/hyperledger/crypto-config/org0/orderer1/tls-msp/tlscacerts/tls-0-0-0-0-6052.pem]
        General.Cluster.DialTimeout = 5s
        General.Cluster.RPCTimeout = 7s
        General.Cluster.ReplicationBufferSize = 20971520
        General.Cluster.ReplicationPullTimeout = 5s
        General.Cluster.ReplicationRetryTimeout = 5s
        General.Cluster.ReplicationBackgroundRefreshInterval = 5m0s
        General.Cluster.ReplicationMaxRetries = 12
        General.Cluster.SendBufferSize = 10
        General.Cluster.CertExpirationWarningThreshold = 168h0m0s
        General.Cluster.TLSHandshakeTimeShift = 0s
        General.Keepalive.ServerMinInterval = 1m0s
        General.Keepalive.ServerInterval = 2h0m0s
        General.Keepalive.ServerTimeout = 20s
        General.ConnectionTimeout = 0s
        General.GenesisMethod = "file"
        General.GenesisProfile = "SampleInsecureSolo"
        General.SystemChannel = "test-system-channel-name"
        General.GenesisFile = "/var/hyperledger/crypto-config/org0/orderer1/genesis.block"
        General.Profile.Enabled = false
        General.Profile.Address = "0.0.0.0:6060"
        General.LocalMSPDir = "/var/hyperledger/crypto-config/org0/orderer1/msp"
        General.LocalMSPID = "org0MSP"
        General.BCCSP.ProviderName = "SW"
        General.BCCSP.SwOpts.SecLevel = 256
        General.BCCSP.SwOpts.HashFamily = "SHA2"
        General.BCCSP.SwOpts.Ephemeral = false
        General.BCCSP.SwOpts.FileKeystore.KeyStorePath = "/var/hyperledger/crypto-config/org0/orderer1/msp/keystore"
        General.BCCSP.SwOpts.DummyKeystore =
        General.BCCSP.SwOpts.InmemKeystore =
        General.BCCSP.PluginOpts =
        General.Authentication.TimeWindow = 15m0s
        General.Authentication.NoExpirationChecks = false
        FileLedger.Location = "/var/hyperledger/production/orderer"
        FileLedger.Prefix = "hyperledger-fabric-ordererledger"
        RAMLedger.HistorySize = 1000
        Kafka.Retry.ShortInterval = 5s
        Kafka.Retry.ShortTotal = 10m0s
        Kafka.Retry.LongInterval = 5m0s
        Kafka.Retry.LongTotal = 12h0m0s
        Kafka.Retry.NetworkTimeouts.DialTimeout = 10s
        Kafka.Retry.NetworkTimeouts.ReadTimeout = 10s
        Kafka.Retry.NetworkTimeouts.WriteTimeout = 10s
        Kafka.Retry.Metadata.RetryMax = 3
        Kafka.Retry.Metadata.RetryBackoff = 250ms
        Kafka.Retry.Producer.RetryMax = 3
        Kafka.Retry.Producer.RetryBackoff = 100ms
        Kafka.Retry.Consumer.RetryBackoff = 2s
        Kafka.Verbose = false
        Kafka.Version = 0.10.2.0
        Kafka.TLS.Enabled = false
        Kafka.TLS.PrivateKey = ""
        Kafka.TLS.Certificate = ""
        Kafka.TLS.RootCAs = []
        Kafka.TLS.ClientAuthRequired = false
        Kafka.TLS.ClientRootCAs = []
        Kafka.SASLPlain.Enabled = false
        Kafka.SASLPlain.User = ""
        Kafka.SASLPlain.Password = ""
        Kafka.Topic.ReplicationFactor = 3
        Debug.BroadcastTraceDir = "/var/hyperledger/orderer/data/logs"
        Debug.DeliverTraceDir = ""
        Consensus = map[SnapDir:/var/hyperledger/production/orderer/etcdraft/snapshot WALDir:/var/hyperledger/production/orderer/etcdraft/wal]
        Operations.ListenAddress = "0.0.0.0:8443"
        Operations.TLS.Enabled = false
        Operations.TLS.PrivateKey = ""
        Operations.TLS.Certificate = ""
        Operations.TLS.RootCAs = []
        Operations.TLS.ClientAuthRequired = false
        Operations.TLS.ClientRootCAs = []
        Metrics.Provider = "disabled"
        Metrics.Statsd.Network = "udp"
        Metrics.Statsd.Address = "127.0.0.1:8125"
        Metrics.Statsd.WriteInterval = 30s
        Metrics.Statsd.Prefix = ""
2019-12-12 03:23:31.632 UTC [orderer.common.server] extractSysChanLastConfig -> INFO 003 Bootstrapping because no existing channels
2019-12-12 03:23:31.664 UTC [orderer.common.server] initializeServerConfig -> INFO 004 Starting orderer with TLS enabled
2019-12-12 03:23:31.665 UTC [orderer.common.server] configureClusterListener -> INFO 005 Cluster listener is not configured, defaulting to use the general listener on port 7050
2019-12-12 03:23:31.680 UTC [fsblkstorage] newBlockfileMgr -> INFO 006 Getting block information from block storage
2019-12-12 03:23:31.710 UTC [orderer.consensus.etcdraft] HandleChain -> INFO 007 EvictionSuspicion not set, defaulting to 10m0s
2019-12-12 03:23:31.718 UTC [orderer.consensus.etcdraft] createOrReadWAL -> INFO 008 No WAL data found, creating new WAL at path '/var/hyperledger/production/orderer/etcdraft/wal/ordererchannel' channel=ordererchannel node=1
2019-12-12 03:23:31.762 UTC [orderer.commmon.multichannel] Initialize -> INFO 009 Starting system channel 'ordererchannel' with genesis block hash 0e3614c5ad40cadc840b917c1bede969ce973f381f9ea9f6e892e82b7eaf8e5b and orderer type etcdraft
        :
        :
2019-12-12 03:54:31.735 UTC [orderer.common.cluster.puller] fetchLastBlockSeq -> INFO 13b4 orderer1-org0:7050 is at block sequence of 0
2019-12-12 03:54:31.736 UTC [comm.grpc.server] 1 -> INFO 13b5 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=127.0.0.1:48122 grpc.peer_subject="CN=orderer1-org0,OU=orderer,O=Hyperledger,ST=North Carolina,C=US" error="context finished before block retrieved: context canceled" grpc.code=Unknown grpc.call_duration=6.3672ms
2019-12-12 03:54:32.728 UTC [core.comm] ServerHandshake -> ERRO 13b7 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=127.0.0.1:48170
2019-12-12 03:54:32.728 UTC [core.comm] ServerHandshake -> ERRO 13b6 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=127.0.0.1:48166
2019-12-12 03:54:32.728 UTC [core.comm] ServerHandshake -> ERRO 13b8 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=127.0.0.1:48168
        :
        :
2019-12-12 03:54:34.606 UTC [orderer.consensus.etcdraft] Step -> INFO 13be 1 is starting a new election at term 1 channel=ordererchannel node=1
2019-12-12 03:54:34.607 UTC [orderer.consensus.etcdraft] becomePreCandidate -> INFO 13bf 1 became pre-candidate at term 1 channel=ordererchannel node=1
2019-12-12 03:54:34.607 UTC [orderer.consensus.etcdraft] poll -> INFO 13c0 1 received MsgPreVoteResp from 1 at term 1 channel=ordererchannel node=1
2019-12-12 03:54:34.607 UTC [orderer.consensus.etcdraft] campaign -> INFO 13c1 1 [logterm: 1, index: 5] sent MsgPreVote request to 2 at term 1 channel=ordererchannel node=1
2019-12-12 03:54:34.607 UTC [orderer.consensus.etcdraft] campaign -> INFO 13c2 1 [logterm: 1, index: 5] sent MsgPreVote request to 3 at term 1 channel=ordererchannel node=1
2019-12-12 03:54:34.607 UTC [orderer.consensus.etcdraft] campaign -> INFO 13c3 1 [logterm: 1, index: 5] sent MsgPreVote request to 4 at term 1 channel=ordererchannel node=1
2019-12-12 03:54:34.607 UTC [orderer.consensus.etcdraft] campaign -> INFO 13c4 1 [logterm: 1, index: 5] sent MsgPreVote request to 5 at term 1 channel=ordererchannel node=1
2019-12-12 03:54:34.647 UTC [core.comm] ServerHandshake -> ERRO 13c5 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=127.0.0.1:48222
        :
        :
2019-12-12 03:54:36.694 UTC [orderer.common.cluster.puller] func1 -> WARN 13c7 Received error of type 'failed to create new connection: context deadline exceeded' from {orderer3-org0:7050...
2019-12-12 03:54:36.694 UTC [orderer.common.cluster.puller] probeEndpoint -> WARN 13c8 Failed connecting to {orderer2-org0:7050...
2019-12-12 03:54:36.695 UTC [orderer.common.cluster.puller] HeightsByEndpoints -> INFO 13ce Returning the heights of OSNs mapped by endpoints map[orderer1-org0:7050:1]
2019-12-12 03:54:36.702 UTC [orderer.consensus.etcdraft] confirmSuspicion -> INFO 13cf Last config block was found to be block [0] channel=ordererchannel node=1
2019-12-12 03:54:36.703 UTC [orderer.consensus.etcdraft] confirmSuspicion -> INFO 13d0 Our height is higher or equal than the height of the orderer we pulled the last block from, aborting. channel=ordererchannel node=1
Cheers Howin.
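
The "remote error: tls: bad certificate" lines in the log are what a server sees when the dialing side rejects the certificate it was shown, so the useful question is what a Raft orderer checks when it dials a consenter. The Go program below is an added example written for this page; it is not code from the post and not Fabric's own cluster code, only a model of the checks. Fabric's Raft cluster layer validates a consenter's server certificate against the cluster RootCAs and the dialed host name and, on top of that, requires it to be the very ServerTLSCert recorded for that consenter in the channel configuration. The helper names (issue, checkPresentedCert, Scenario), the throwaway CA, and the three dial outcomes are assumptions made for the example; the certificates are generated inline rather than taken from anyone's crypto-config. One outcome models every consenter name resolving to the same container, which is what extra_hosts entries that all point at 0.0.0.0 would produce; another models a consenter that was re-enrolled after the channel config was written.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // simple unique serial counter for the throwaway CA

// issue makes an ECDSA key and a certificate for cn with cn as its only DNS SAN,
// signed by parent; with parent == nil it is a self-signed CA. This is a
// hypothetical stand-in for fabric-ca enrollment, not Fabric code.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Hyperledger"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     []string{cn},
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// checkPresentedCert models what the dialing orderer requires of the certificate
// a consenter presents for host: (1) a chain to one of the cluster RootCAs,
// (2) a SAN covering the dialed host name, (3) byte equality with the
// ServerTLSCert pinned for that consenter in the channel config. Any failure
// shows up on the other side as "remote error: tls: bad certificate".
func checkPresentedCert(presented *x509.Certificate, pinnedDER []byte, roots *x509.CertPool, host string) error {
	opts := x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return fmt.Errorf("chain/SAN check for %s failed: %w", host, err)
	}
	if !bytes.Equal(presented.Raw, pinnedDER) {
		return fmt.Errorf("%s presented CN=%s, which is not the pinned ServerTLSCert for this consenter",
			host, presented.Subject.CommonName)
	}
	return nil
}

// Scenario builds a constructed TLS CA plus orderer certificates and dials
// "orderer2-org0" three ways: correctly routed; routed to orderer1's container
// (every name resolving to the same address); and answered with a re-enrolled
// orderer2 certificate that the channel config does not yet carry.
func Scenario() (ok, wrongHost, rotated error) {
	ca, caKey, err := issue("tls-ca", nil, nil)
	if err != nil {
		return err, err, err
	}
	var leaves [3]*x509.Certificate
	for i, cn := range []string{"orderer1-org0", "orderer2-org0", "orderer2-org0"} {
		if leaves[i], _, err = issue(cn, ca, caKey); err != nil {
			return err, err, err
		}
	}
	o1, o2, o2renewed := leaves[0], leaves[1], leaves[2]
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	pinned := o2.Raw // the ServerTLSCert listed for orderer2-org0 in configtx.yaml

	ok = checkPresentedCert(o2, pinned, roots, "orderer2-org0")
	wrongHost = checkPresentedCert(o1, pinned, roots, "orderer2-org0")
	rotated = checkPresentedCert(o2renewed, pinned, roots, "orderer2-org0")
	return ok, wrongHost, rotated
}

func main() {
	ok, wrongHost, rotated := Scenario()
	fmt.Println("correctly routed:               ", ok)
	fmt.Println("name resolves to orderer1:      ", wrongHost)
	fmt.Println("re-enrolled, config not updated:", rotated)
}
```

To run the same three checks against a real deployment, capture what each consenter actually serves with `openssl s_client -connect <host>:7050 -showcerts`, compare that certificate byte-for-byte with the file named in that consenter's ServerTLSCert entry, and confirm with `openssl x509 -noout -text` that its SANs include the host names used in Addresses and Consenters. If the consenter host names are not routed to distinct containers, the comparison fails for every peer except the one dialing itself, which matches a log where only the local orderer reports a block height.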