From a835f8ce5a1ab030f58f66af7b6e80f17df272e2 Mon Sep 17 00:00:00 2001 From: David Enyeart Date: Tue, 15 Oct 2024 14:16:41 -0400 Subject: [PATCH] Update Fabric docs - HSM not supported for TLS Update Fabric docs to indicate that HSM is not supported for TLS keys. Also update the error messages for missing TLS keys to indicate that the error is specific to TLS keys. This will assist with troubleshooting for users that attempt to configure TLS keys with an HSM. Signed-off-by: David Enyeart --- docs/source/hsm.md | 2 ++ orderer/common/server/main.go | 8 ++++---- orderer/common/server/main_test.go | 8 ++++---- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/docs/source/hsm.md b/docs/source/hsm.md index 78a056a443f..aca368f12fe 100644 --- a/docs/source/hsm.md +++ b/docs/source/hsm.md @@ -9,6 +9,8 @@ multiple certified HSMs from which to choose. Fabric currently leverages the PKCS11 standard to communicate with an HSM. +**Note:** Fabric can use a HSM for peer and orderer node MSP identities as documented in this topic, +however for TLS you must use file-based keys as documented in the [TLS topic](./enable_tls.html). ## Configuring an HSM diff --git a/orderer/common/server/main.go b/orderer/common/server/main.go index 12f31f83fe5..e901fe4d8a4 100644 --- a/orderer/common/server/main.go +++ b/orderer/common/server/main.go @@ -487,19 +487,19 @@ func initializeServerConfig(conf *localconfig.TopLevel, metricsProvider metrics. // load crypto material from files serverCertificate, err := os.ReadFile(conf.General.TLS.Certificate) if err != nil { - logger.Fatalf("Failed to load server Certificate file '%s' (%s)", + logger.Fatalf("Failed to load server TLS Certificate file '%s' (%s)", conf.General.TLS.Certificate, err) } serverKey, err := os.ReadFile(conf.General.TLS.PrivateKey) if err != nil { - logger.Fatalf("Failed to load PrivateKey file '%s' (%s)", + logger.Fatalf("Failed to load TLS PrivateKey file '%s' (%s)", conf.General.TLS.PrivateKey, err) } var serverRootCAs, clientRootCAs [][]byte for _, serverRoot := range conf.General.TLS.RootCAs { root, err := os.ReadFile(serverRoot) if err != nil { - logger.Fatalf("Failed to load ServerRootCAs file '%s' (%s)", + logger.Fatalf("Failed to load TLS ServerRootCAs file '%s' (%s)", err, serverRoot) } serverRootCAs = append(serverRootCAs, root) @@ -508,7 +508,7 @@ func initializeServerConfig(conf *localconfig.TopLevel, metricsProvider metrics. for _, clientRoot := range conf.General.TLS.ClientRootCAs { root, err := os.ReadFile(clientRoot) if err != nil { - logger.Fatalf("Failed to load ClientRootCAs file '%s' (%s)", + logger.Fatalf("Failed to load TLS ClientRootCAs file '%s' (%s)", err, clientRoot) } clientRootCAs = append(clientRootCAs, root) diff --git a/orderer/common/server/main_test.go b/orderer/common/server/main_test.go index 0d438797554..590edc7fa49 100644 --- a/orderer/common/server/main_test.go +++ b/orderer/common/server/main_test.go @@ -191,7 +191,7 @@ func TestInitializeServerConfig(t *testing.T) { privateKey: goodFile, rootCA: goodFile, clientRootCert: goodFile, - expectedPanic: "Failed to load server Certificate file 'does_not_exist' (open does_not_exist: no such file or directory)", + expectedPanic: "Failed to load server TLS Certificate file 'does_not_exist' (open does_not_exist: no such file or directory)", }, { name: "BadPrivateKey", @@ -199,7 +199,7 @@ func TestInitializeServerConfig(t *testing.T) { privateKey: badFile, rootCA: goodFile, clientRootCert: goodFile, - expectedPanic: "Failed to load PrivateKey file 'does_not_exist' (open does_not_exist: no such file or directory)", + expectedPanic: "Failed to load TLS PrivateKey file 'does_not_exist' (open does_not_exist: no such file or directory)", }, { name: "BadRootCA", @@ -207,7 +207,7 @@ func TestInitializeServerConfig(t *testing.T) { privateKey: goodFile, rootCA: badFile, clientRootCert: goodFile, - expectedPanic: "Failed to load ServerRootCAs file 'open does_not_exist: no such file or directory' (does_not_exist)", + expectedPanic: "Failed to load TLS ServerRootCAs file 'open does_not_exist: no such file or directory' (does_not_exist)", }, { name: "BadClientRootCertificate", @@ -215,7 +215,7 @@ func TestInitializeServerConfig(t *testing.T) { privateKey: goodFile, rootCA: goodFile, clientRootCert: badFile, - expectedPanic: "Failed to load ClientRootCAs file 'open does_not_exist: no such file or directory' (does_not_exist)", + expectedPanic: "Failed to load TLS ClientRootCAs file 'open does_not_exist: no such file or directory' (does_not_exist)", }, { name: "BadCertificate - cluster reuses server config",