Additional TLS troubleshooting information (backport #3346) #3347

Merged
merged 1 commit into from
Apr 22, 2022
22 changes: 14 additions & 8 deletions docs/source/enable_tls.rst
Expand Up @@ -121,21 +121,27 @@ as well:
Debugging TLS issues
--------------------

Before debugging TLS issues, it is advisable to enable ``GRPC debug`` on both the TLS client
and the server side to get additional information. To enable ``GRPC debug``, set the
environment variable ``FABRIC_LOGGING_SPEC`` to include ``grpc=debug``. For example, to
set the default logging level to ``INFO`` and the GRPC logging level to ``DEBUG``, set
the logging specification to ``grpc=debug:info``.
If you see the error message ``remote error: tls: bad certificate`` on the server side
(for example on the peer node or ordering service node when making requests from a client),
it usually means that the client is not configured to trust the signer of the server's TLS certificate.
Check the client's ``CORE_PEER_TLS_ROOTCERT_FILE`` (for connections to peer nodes)
or ``--cafile`` (for connections to orderer nodes).
The corresponding error on the client side in these cases is the handshake error ``x509: certificate signed by unknown authority``
and ultimately connection failure with ``context deadline exceeded``.

If you see the error message ``remote error: tls: bad certificate`` on the client side, it
usually means that the TLS server has enabled client authentication and the server either did
not receive the correct client certificate or it received a client certificate that it does
not trust. Make sure the client is sending its certificate and that it has been signed by one
of the CA certificates trusted by the peer or orderer node.

If you see the error message ``remote error: tls: bad certificate`` in your chaincode logs,
ensure that your chaincode has been built using the chaincode shim provided with Fabric v1.1
or newer.
To receive additional debug information, enable ``GRPC debug`` on both the TLS client
and the server side to get additional information. To enable ``GRPC debug``, set the
environment variable ``FABRIC_LOGGING_SPEC`` to include ``grpc=debug``. For example, to
set the default logging level to ``INFO`` and the GRPC logging level to ``DEBUG``, set
the logging specification to ``grpc=debug:info``.

You can check a TLS certificate against a trusted CA certificate by using the "openssl verify" command.

.. Licensed under Creative Commons Attribution 4.0 International License
https://creativecommons.org/licenses/by/4.0/
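Review bot: The new closing sentence "You can check a TLS certificate against a trusted CA certificate by using the "openssl verify" command." is the one place in this hunk that names a tool without saying how to invoke it, and it breaks the file's own convention of marking commands and settings with double backticks (compare ``CORE_PEER_TLS_ROOTCERT_FILE`` and ``grpc=debug:info`` a few lines up). Suggest writing it as ``openssl verify -CAfile <ca-cert.pem> <tls-cert.pem>`` so a reader checking the "certificate signed by unknown authority" case described above knows which file goes in which position. Separately, the relocated GRPC paragraph now reads "To receive additional debug information, enable ``GRPC debug`` on both the TLS client and the server side to get additional information", which says "additional information" twice; dropping "to get additional information" restores the wording of the original "Before debugging TLS issues" sentence. The rest of the hunk, the new server-side ``bad certificate`` paragraph with the ``CORE_PEER_TLS_ROOTCERT_FILE`` / ``--cafile`` pointers and the matching client-side ``x509: certificate signed by unknown authority`` and ``context deadline exceeded`` symptoms, reads clearly and matches the existing client-side and chaincode paragraphs in tone.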