Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
964 views
in Technique[技术] by (71.8m points)

openssl - Fabric chaincode - Communicate with Vault

I need to, somehow, communicate with a Vault instance from some chaincode.

My issue is that I need (mutual) TLS on Vault, so in order for the chaincode to communicate with it, it needs the appropriate certificates issued by the appropriate CA.

Both the peer that the chaincode is installed on and the Vault instance, utilize the same root CA.

So, how can I acquire the appropriate certificates in the chaincode and use them for the request made to the Vault instance?

If it, somehow, helps:

log from the chaincode container when I make the request:

2021-01-21T14:18:29.847Z error [c-api:_]                                          Unhandled Rejection reason RequestError: Error: unable to verify the first certificate promise Promise {
  <rejected> RequestError: Error: unable to verify the first certificate
      at new RequestError (/usr/local/src/node_modules/request-promise-core/lib/errors.js:14:15)
      at Request.plumbing.callback (/usr/local/src/node_modules/request-promise-core/lib/plumbing.js:87:29)
      at Request.RP$callback [as _callback] (/usr/local/src/node_modules/request-promise-core/lib/plumbing.js:46:31)
      at self.callback (/usr/local/src/node_modules/request/request.js:185:22)
      at Request.emit (events.js:311:20)
      at Request.onRequestError (/usr/local/src/node_modules/request/request.js:881:8)
      at ClientRequest.emit (events.js:311:20)
      at TLSSocket.socketErrorListener (_http_client.js:426:9)
      at TLSSocket.emit (events.js:311:20)
      at emitErrorNT (internal/streams/destroy.js:92:8) {
    name: 'RequestError',
    message: 'Error: unable to verify the first certificate',
    cause: Error: unable to verify the first certificate
        at TLSSocket.onConnectSecure (_tls_wrap.js:1473:34)
        at TLSSocket.emit (events.js:311:20)
        at TLSSocket._finishInit (_tls_wrap.js:916:8)
        at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:686:12) {
      code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
    },
    error: Error: unable to verify the first certificate
        at TLSSocket.onConnectSecure (_tls_wrap.js:1473:34)
        at TLSSocket.emit (events.js:311:20)
        at TLSSocket._finishInit (_tls_wrap.js:916:8)
        at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:686:12) {
      code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
    },
    options: {
      json: [Object],
      resolveWithFullResponse: true,
      simple: false,
      strictSSL: true,
      method: 'PUT',
      path: '/sys/unseal',
      headers: [Object],
      uri: 'https://vaultinstance.com:8200/v1/sys/unseal',
      callback: [Function: RP$callback],
      transform: undefined,
      transform2xxOnly: false
    },
    response: undefined
  }
}  

log from vault when the request is made:

2021-01-21T14:20:59.784Z [INFO]  http: TLS handshake error from 192.168.224.1:51074: remote error: tls: unknown certificate
question from:https://stackoverflow.com/questions/65829471/fabric-chaincode-communicate-with-vault

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

There's no way to provide secret config information to chaincode at install time so unless you include the certificate in the chaincode package, which is probably a bad idea, so I think your chaincode will need an init transaction to send in the required certificate using transient data.

The chaincode lifecycle documentation describes how to require an init transaction.

If you are using the Fabric peer CLI, you can use the --init-required flag when you approve and commit the chaincode definition to indicate that the Init function must be called to initialize the new chaincode version. To call Init using the Fabric peer CLI, use the peer chaincode invoke command and pass the --isInit flag.

The private data describes how you can protect the TLS certificate when you initialise the chaincode.

Alternatively, if you don't want to use an init transaction or store the TLS certificate on the ledger/in a private data collection, you could provide the TLS certificate using transient data to every transaction which needs to communicate with the vault and leave it to the client to manage the certificate.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...