diff --git a/docs/source/hsm.md b/docs/source/hsm.md index 78a056a443f..aca368f12fe 100644 --- a/docs/source/hsm.md +++ b/docs/source/hsm.md @@ -9,6 +9,8 @@ multiple certified HSMs from which to choose. Fabric currently leverages the PKCS11 standard to communicate with an HSM. +**Note:** Fabric can use a HSM for peer and orderer node MSP identities as documented in this topic, +however for TLS you must use file-based keys as documented in the [TLS topic](./enable_tls.html). ## Configuring an HSM diff --git a/orderer/common/server/main.go b/orderer/common/server/main.go index 12f31f83fe5..e901fe4d8a4 100644 --- a/orderer/common/server/main.go +++ b/orderer/common/server/main.go @@ -487,19 +487,19 @@ func initializeServerConfig(conf *localconfig.TopLevel, metricsProvider metrics. // load crypto material from files serverCertificate, err := os.ReadFile(conf.General.TLS.Certificate) if err != nil { - logger.Fatalf("Failed to load server Certificate file '%s' (%s)", + logger.Fatalf("Failed to load server TLS Certificate file '%s' (%s)", conf.General.TLS.Certificate, err) } serverKey, err := os.ReadFile(conf.General.TLS.PrivateKey) if err != nil { - logger.Fatalf("Failed to load PrivateKey file '%s' (%s)", + logger.Fatalf("Failed to load TLS PrivateKey file '%s' (%s)", conf.General.TLS.PrivateKey, err) } var serverRootCAs, clientRootCAs [][]byte for _, serverRoot := range conf.General.TLS.RootCAs { root, err := os.ReadFile(serverRoot) if err != nil { - logger.Fatalf("Failed to load ServerRootCAs file '%s' (%s)", + logger.Fatalf("Failed to load TLS ServerRootCAs file '%s' (%s)", err, serverRoot) } serverRootCAs = append(serverRootCAs, root) @@ -508,7 +508,7 @@ func initializeServerConfig(conf *localconfig.TopLevel, metricsProvider metrics. for _, clientRoot := range conf.General.TLS.ClientRootCAs { root, err := os.ReadFile(clientRoot) if err != nil { - logger.Fatalf("Failed to load ClientRootCAs file '%s' (%s)", + logger.Fatalf("Failed to load TLS ClientRootCAs file '%s' (%s)", err, clientRoot) } clientRootCAs = append(clientRootCAs, root) diff --git a/orderer/common/server/main_test.go b/orderer/common/server/main_test.go index 0d438797554..590edc7fa49 100644 --- a/orderer/common/server/main_test.go +++ b/orderer/common/server/main_test.go @@ -191,7 +191,7 @@ func TestInitializeServerConfig(t *testing.T) { privateKey: goodFile, rootCA: goodFile, clientRootCert: goodFile, - expectedPanic: "Failed to load server Certificate file 'does_not_exist' (open does_not_exist: no such file or directory)", + expectedPanic: "Failed to load server TLS Certificate file 'does_not_exist' (open does_not_exist: no such file or directory)", }, { name: "BadPrivateKey", @@ -199,7 +199,7 @@ func TestInitializeServerConfig(t *testing.T) { privateKey: badFile, rootCA: goodFile, clientRootCert: goodFile, - expectedPanic: "Failed to load PrivateKey file 'does_not_exist' (open does_not_exist: no such file or directory)", + expectedPanic: "Failed to load TLS PrivateKey file 'does_not_exist' (open does_not_exist: no such file or directory)", }, { name: "BadRootCA", @@ -207,7 +207,7 @@ func TestInitializeServerConfig(t *testing.T) { privateKey: goodFile, rootCA: badFile, clientRootCert: goodFile, - expectedPanic: "Failed to load ServerRootCAs file 'open does_not_exist: no such file or directory' (does_not_exist)", + expectedPanic: "Failed to load TLS ServerRootCAs file 'open does_not_exist: no such file or directory' (does_not_exist)", }, { name: "BadClientRootCertificate", @@ -215,7 +215,7 @@ func TestInitializeServerConfig(t *testing.T) { privateKey: goodFile, rootCA: goodFile, clientRootCert: badFile, - expectedPanic: "Failed to load ClientRootCAs file 'open does_not_exist: no such file or directory' (does_not_exist)", + expectedPanic: "Failed to load TLS ClientRootCAs file 'open does_not_exist: no such file or directory' (does_not_exist)", }, { name: "BadCertificate - cluster reuses server config",