TLS error: Error: rpc error: code = Unavailable desc = transport is closing

To turn on TLS, set the TLS attribute of the orderer, peer, CLI and CA to true, and configure the paths of files such as the certificate and key. The attributes are as follows:

CORE_PEER_TLS_ENABLED=true
CORE_PEER_TLS_CERT_FILE=xxx/tls/server.crt
CORE_PEER_TLS_KEY_FILE=xxx/tls/server.key
CORE_PEER_TLS_ROOTCERT_FILE=xxx/tls/ca.crt
After that, start the containers and enter the CLI. Note that once TLS mode is turned on, the command to create a channel differs from the one used without TLS. Without TLS, the command to create a channel is as follows:

peer channel create -o orderer.scf.com:7050 -c mychannel -t 50 -f ./channel-artifacts/mychannel.tx
With TLS enabled, the --tls parameter and the path to the ordering service's certificate file must be added when creating the channel:

peer channel create -o orderer.scf.com:7050 -c mychannel -t 50 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/scf.com/orderers/orderer.scf.com/msp/tlscacerts/tlsca.scf.com-cert.pem -f ./channel-artifacts/mychannel.tx
If you still create the channel with the command used when TLS is not turned on, the following error is reported in the CLI:

2019-04-11 17:31:48.661 UTC [grpc] Printf -> DEBU 010 transport: http2 Client.notifyError got notified that the client transport was broken unexpected EOF.
2019-04-11 17:31:48.667 UTC [grpc] Printf -> DEBU 011 transport: http2 Client.notifyError got notified that the client transport was broken unexpected EOF.
2019-04-11 17:31:48.668 UTC [grpc] Printf -> DEBU 012 transport: http2 Client.notifyError got notified that the client transport was broken read tcp 172.18.0.10:59602->172.18.0.2:7050: read: connection reset by peer

orderer.scf.com | 2019-04-11 17:31:48.654 UTC [grpc] Printf -> DEBU 3da grpc: Server.Serve failed to complete security handshake from "172.18.0.10:59598": tls: first record does not look like a TLS handshake
Next, the commands for the peer to join the channel, install chaincode and query are the same as when TLS is not turned on. However, when instantiating chaincode and calling invoke, you need to add the TLS parameters to the command just as when creating the channel; otherwise the error above is reported.

In other words, if TLS mode is enabled, any command that communicates with the orderer needs the two command-line parameters --tls and --cafile. The --cafile parameter points to the corresponding certificate file of the orderer.
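
A wrapper that applies the rule above to every orderer-facing command, as an added example that is not part of the original post: it appends --tls and --cafile only when CORE_PEER_TLS_ENABLED is true, and fails early if the CA file is missing or is not a PEM certificate. The function name with_orderer_tls and the ORDERER_CA variable are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original page.
# ORDERER_CA is an assumed variable name: the path to the orderer's TLS CA
# certificate, i.e. the file passed to --cafile in the commands above.

# Run the given peer command, appending --tls --cafile when TLS is enabled.
with_orderer_tls() {
    case "${CORE_PEER_TLS_ENABLED:-false}" in
        1|t|T|true|TRUE|True) ;;   # TLS on: validate the CA file, then append flags
        *) "$@"; return ;;         # TLS off: run the command unchanged
    esac
    if [ -z "${ORDERER_CA:-}" ]; then
        echo "CORE_PEER_TLS_ENABLED is true but ORDERER_CA is not set" >&2
        return 1
    fi
    if [ ! -r "$ORDERER_CA" ]; then
        echo "orderer CA file is not readable: $ORDERER_CA" >&2
        return 1
    fi
    # Catch a key file or an empty file here, before the command is sent.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ORDERER_CA"; then
        echo "orderer CA file is not a PEM certificate: $ORDERER_CA" >&2
        return 1
    fi
    "$@" --tls --cafile "$ORDERER_CA"
}

# Usage inside the CLI container (path taken from the command above):
#   export ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/scf.com/orderers/orderer.scf.com/msp/tlscacerts/tlsca.scf.com-cert.pem
#   with_orderer_tls peer channel create -o orderer.scf.com:7050 \
#       -c mychannel -t 50 -f ./channel-artifacts/mychannel.tx
```

The same wrapper can prefix the instantiate and invoke commands, so the flags are never forgotten on one of them.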
