Hyperledger Fabric: Registration of 'orderer1-ord' failed in affiliation validation: Failed getting affiliation 'ord.OU':

Time: 2018-12-11 23:30:20

Tags: hyperledger-fabric

We have customized the fabric-ca sample to remove the line below in env.sh

export FABRIC_CA_CLIENT_ID_AFFILIATION=org1

and then added --id.affiliation $ORG.OU to all calls to fabric-ca-client register and enroll. Example:

scripts/env.sh:   fabric-ca-client enroll -d --enrollment.profile tls -u $ENROLLMENT_URL -M /tmp/tls --csr.hosts $HOST_NAME --csr.names O=$ORG --id.affiliation $ORG.OU
scripts/env.sh:      fabric-ca-client enroll -d -u https://$ADMIN_NAME:$ADMIN_PASS@$CA_HOST:7054 --csr.names O=$ORG --id.affiliation $ORG.OU
scripts/env.sh:      fabric-ca-client enroll -d -u https://$USER_NAME:$USER_PASS@$CA_HOST:7054 --csr.names O=$ORG --id.affiliation $ORG.OU
scripts/setup-fabric.sh:         fabric-ca-client register -d --id.name $ORDERER_NAME --id.secret $ORDERER_PASS --id.type orderer --id.affiliation $ORG.OU
scripts/setup-fabric.sh:      fabric-ca-client register -d --id.name $ADMIN_NAME --id.secret $ADMIN_PASS --id.attrs "admin=true:ecert" --id.affiliation $ORG.OU
scripts/setup-fabric.sh:         fabric-ca-client register -d --id.name $PEER_NAME --id.secret $PEER_PASS --id.type peer --id.affiliation $ORG.OU
scripts/setup-fabric.sh:      fabric-ca-client register -d --id.name $ADMIN_NAME --id.secret $ADMIN_PASS --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert" --id.affiliation $ORG.OU
scripts/setup-fabric.sh:      fabric-ca-client register -d --id.name $USER_NAME --id.secret $USER_PASS --id.affiliation $ORG.OU
scripts/setup-fabric.sh:      fabric-ca-client getcacert -d -u https://$CA_HOST:7054 -M $ORG_MSP_DIR --id.affiliation $ORG.OU
scripts/start-orderer.sh:fabric-ca-client enroll -d --enrollment.profile tls -u $ENROLLMENT_URL -M /tmp/tls --csr.hosts $ORDERER_HOST --csr.names O=$ORG --id.affiliation $ORG.OU
scripts/start-orderer.sh:fabric-ca-client enroll -d -u $ENROLLMENT_URL -M $ORDERER_GENERAL_LOCALMSPDIR --csr.names O=$ORG --id.affiliation $ORG.OU
scripts/start-peer.sh:fabric-ca-client enroll -d --enrollment.profile tls -u $ENROLLMENT_URL -M /tmp/tls --csr.hosts $PEER_HOST --csr.names O=$ORG --id.affiliation $ORG.OU
scripts/start-peer.sh:fabric-ca-client enroll -d -u $ENROLLMENT_URL -M $CORE_PEER_MSPCONFIGPATH --csr.names O=$ORG --id.affiliation $ORG.OU

When we do this, we see this error in setup.log:

Error: Response from server: Error Code: 0 - Registration of 'orderer1-ord' failed in affiliation validation: Failed getting affiliation 'ord.OU': : scode: 404, code: 63, msg: Failed to get Affiliation: sql: no rows in result set

If we modify enrollCAADmin to add:

# https://stackoverflow.com/a/48840929/147530
   fabric-ca-client affiliation add $1

We now see this error:

Error: Response from server: Error Code: 60 - Affiliation already exists

How can we fix this?

1 answer:

Answer 0: (score: 0)

Adding an affiliation of $ORG.OU fails, but adding an affiliation of $ORG works. In setup-fabric.sh, function registerPeerIdentities:

fabric-ca-client register -d --id.name $ADMIN_NAME --id.secret $ADMIN_PASS --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" --id.affiliation=$ORG
      log "Registering user identity with $CA_NAME"
      fabric-ca-client register -d --id.name $USER_NAME --id.secret $USER_PASS --id.affiliation=$ORG

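Note the following section in $FABRIC_CA_SERVER_HOME/fabric-ca-server-config.yaml of rca-myorg1:

root@cad23a1fb013:/etc/hyperledger/fabric-ca# cat fabric-ca-server-config.yaml
affiliations:
  ord: []
  myorg1: []
  myorg2: []
  myorg3: []
  org1:
  - department1
  - department2
  org2:
  - department1

From https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#registering-a-new-identity

The affiliation of the registrar must be equal to or a prefix of the affiliation of the identity being registered. For example, a registrar with an affiliation of "a.b" may register an identity with an affiliation of "a.b.c" but may not register an identity with an affiliation of "a.c". If root affiliation is required for an identity, then the affiliation request should be a dot (".") and the registrar must also have root affiliation. If no affiliation is specified in the registration request, the identity being registered will be given the affiliation of the registrar.

So not sure why setting the affiliation to $ORG works, but $ORG.OU does not.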
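
Added example (not part of the original question or answer, and not Fabric CA code): a shell preflight that flattens the affiliations section posted in the answer into dotted names, then checks a requested --id.affiliation against that list and against the registrar prefix rule quoted from the user guide. The function names are hypothetical and the config is a constructed copy of the posted output.

```shell
# Constructed copy of the affiliations section posted in the answer above.
CONFIG='affiliations:
  ord: []
  myorg1: []
  myorg2: []
  myorg3: []
  org1:
  - department1
  - department2
  org2:
  - department1'

# Flatten the two-level section into dotted names, one per line.
list_affiliations() {
  printf '%s\n' "$CONFIG" | awk '
    /^affiliations:/      { in_sec = 1; next }
    in_sec && /^[^ ]/     { in_sec = 0 }
    in_sec && /^ +- /     { sub(/^ +- */, ""); print parent "." $0; next }
    in_sec && /^ +[^ ]+:/ { sub(/^ +/, ""); sub(/:.*/, ""); parent = $0; print }'
}

# 0 if the dotted affiliation is defined in the config.
affiliation_exists() {
  list_affiliations | grep -Fxq -- "$1"
}

# Rule quoted from the user guide: the registrar affiliation must equal the
# requested one or be a prefix of it on a dot boundary ("a.b" covers "a.b.c").
registrar_covers() {
  case "$2" in
    "$1"|"$1".*) return 0 ;;
  esac
  return 1
}

# Hypothetical preflight for `register --id.affiliation $2` by a registrar
# affiliated with $1. The order of the two checks is this example's choice.
check_registration() {
  if ! affiliation_exists "$2"; then
    echo "affiliation '$2' is not defined in the config"; return 2
  fi
  if ! registrar_covers "$1" "$2"; then
    echo "registrar '$1' may not register into '$2'"; return 3
  fi
  echo "ok"
}

check_registration ord ord.OU || true            # not defined: ord has no children
check_registration org1 org1.department1         # ok
```

With the posted config, ord.OU is absent from the flattened list, which matches the 404 "Failed getting affiliation 'ord.OU'" response in the question.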