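Hyperledger Fabric: [orderer/common/server] initializeLocalMsp -> CRIT 01a Failed to initialize local MSP: the supplied identity is not valid

Time: 2019-01-22 00:54:56

Tags: hyperledger-fabric

We have an application that runs fine when deployed on a single host, but when it is deployed on a multi-host network we get an error when trying to start the orderer.

The script that starts the orderer: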

fabric-ca-client enroll -d -u $ENROLLMENT_URL -M $ORDERER_GENERAL_LOCALMSPDIR

# Start the orderer
orderer

Enrollment result:

2019/01/21 23:21:26 [DEBUG] newEnrollmentResponse orderer1-ord
2019/01/21 23:21:26 [INFO] Stored client certificate at /etc/hyperledger/orderer/msp/signcerts/cert.pem
2019/01/21 23:21:26 [INFO] Stored root CA certificate at /etc/hyperledger/orderer/msp/cacerts/ica-ord-7054.pem
2019/01/21 23:21:26 [INFO] Stored intermediate CA certificates at /etc/hyperledger/orderer/msp/intermediatecerts/ica-ord-7054.pem

But when the orderer starts:

2019-01-21 23:29:48.564 UTC [orderer/common/server] initializeLocalMsp -> CRIT 01a Failed to initialize local MSP: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "rca-ord-admin")

The complete log is here. We have verified that all required certificates do exist. Here is the complete chain:

The certificate of the orderer orderer1-ord:

root@ad8682ced829:/etc/hyperledger/orderer# openssl x509 -in msp/signcerts/cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            30:3e:e8:bb:10:3f:d1:f6:cc:93:55:c0:4d:ee:7c:ad:2d:e5:94:41
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=client, CN=rca-ord-admin
        Validity
            Not Before: Jan 21 23:16:00 2019 GMT
            Not After : Jan 21 23:21:00 2020 GMT
        Subject: C=US, ST=North Carolina, O=Hyperledger, OU=orderer, CN=orderer1-ord
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:da:f1:e6:a5:14:cc:5d:45:23:7f:45:9c:c1:68:
                    1c:5c:9e:b5:8d:59:a0:22:1c:68:66:b8:43:4d:bf:
                    01:a8:f6:42:fb:de:2c:f0:10:4c:3b:93:37:96:df:
                    20:24:a2:8d:5c:62:24:83:65:72:a3:5e:9c:cc:44:
                    b1:e4:eb:40:23
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                E7:7E:2C:84:F7:B6:10:09:9F:5A:03:E1:47:8C:5A:EF:34:A4:CA:E5
            X509v3 Authority Key Identifier: 
                keyid:9F:48:37:E9:03:06:CB:29:06:5D:C4:AC:AA:1C:2B:31:70:54:FD:1B

            X509v3 Subject Alternative Name: 
                DNS:ad8682ced829
            1.2.3.4.5.6.7.8.1: 
                {"attrs":{"hf.Affiliation":"","hf.EnrollmentID":"orderer1-ord","hf.Type":"orderer"}}
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:2d:38:1f:bf:a0:8a:e2:6c:6a:11:1e:7c:ca:7f:
         f6:97:bd:a5:62:9a:27:90:a1:13:32:0e:00:a0:20:98:d4:c0:
         02:20:1b:31:00:3a:a5:8f:7a:b8:21:5b:2f:a9:7d:a5:11:51:
         5b:27:de:0a:8c:52:05:b4:d7:21:c2:b6:e3:6b:ab:7e

The certificate of orderer1-ord's issuer:

root@ad8682ced829:/etc/hyperledger/orderer# openssl x509 -in msp/intermediatecerts/ica-ord-7054.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            16:c6:47:e8:f4:2e:87:4f:72:47:cf:d1:5b:2b:94:cf:55:7d:5d:b3
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=rca-ord
        Validity
            Not Before: Jan 21 23:16:00 2019 GMT
            Not After : Jan 20 23:21:00 2024 GMT
        Subject: C=US, ST=North Carolina, O=Hyperledger, OU=client, CN=rca-ord-admin
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:2c:5c:cf:f8:a2:56:df:4a:27:64:b5:34:9f:4a:
                    be:a8:77:99:c1:88:85:25:56:f4:8a:e3:2a:77:27:
                    8d:3f:85:67:9e:77:eb:0c:fd:b4:b6:71:4d:41:ed:
                    c6:6f:6e:db:78:00:2e:b7:8c:b0:aa:19:a7:e7:4b:
                    a4:8d:b6:2c:8f
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier: 
                9F:48:37:E9:03:06:CB:29:06:5D:C4:AC:AA:1C:2B:31:70:54:FD:1B
            X509v3 Authority Key Identifier: 
                keyid:AD:8B:9D:26:C5:F2:B3:00:98:58:D9:62:D9:D0:7E:BE:B2:39:EF:D9

    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:7c:83:78:ea:3a:d1:8a:69:e9:a4:09:10:9f:a3:
         f2:a5:58:7a:66:f2:3e:1a:15:c9:84:ec:7d:0c:26:bd:f6:02:
         02:20:5e:d7:aa:b2:f2:c9:e6:2b:4a:9e:45:df:79:8d:db:0e:
         93:c8:64:af:a3:73:bb:22:ad:b2:d9:e0:5e:4a:62:0e

The root authority certificate:

root@ad8682ced829:/etc/hyperledger/orderer# openssl x509 -in msp/cacerts/ica-ord-7054.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            70:e3:d3:f2:4c:09:4f:be:d5:2f:4e:fb:bf:d1:a3:87:58:f1:b4:1d
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=rca-ord
        Validity
            Not Before: Jan 21 23:16:00 2019 GMT
            Not After : Jan 17 23:16:00 2034 GMT
        Subject: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=rca-ord
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:27:8c:b4:c7:9b:79:73:30:71:c9:cf:e0:7a:e0:
                    2b:93:49:a0:09:fb:ff:fb:d3:e0:c0:50:fb:d7:57:
                    08:a1:5b:32:d6:cc:df:ac:80:48:78:9b:00:bb:13:
                    8f:67:df:2b:cd:64:1c:da:70:ac:59:d6:a2:7c:90:
                    be:20:fd:a9:72
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier: 
                AD:8B:9D:26:C5:F2:B3:00:98:58:D9:62:D9:D0:7E:BE:B2:39:EF:D9
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:a3:21:3e:54:99:a7:8d:fc:78:17:5a:8e:29:
         b4:b2:bf:7a:f8:63:97:16:7b:b1:2b:2d:20:c6:c7:80:40:c6:
         1a:02:20:1c:d9:13:35:e5:8f:6d:48:6f:74:ae:a9:b4:ef:5d:
         77:98:7d:d8:12:5a:1a:66:d6:f7:27:dd:8c:33:89:53:ff

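How can this be resolved? Why is it complaining? Link to the source code that fails.

1 Answer:

Answer 0: (score: 0)

The problem here turned out to be stale certificates. The code path that leads to the error is as follows. On line 87 of setup-fabric.sh: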

In the function switchToAdminIdentity:

if [ $ADMINCERTS ]; then
   switchToAdminIdentity
fi

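This code is guarded by an if check that tests whether the directory already exists. We did a fresh run but did not delete the directory (left over from the previous run), so the admin certificates were not updated, which led to the above error.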
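The following is an added example, not part of the original answer or of the Fabric samples: a triage check that reads `openssl x509 -text -noout` dumps for each MSP folder and flags certificates whose issuer name matches a CA in the MSP but whose Authority Key Identifier does not, which is what a certificate left over from an earlier run looks like. The key identifiers of the root, intermediate and orderer certificates are taken from the dumps in the question; the admin certificate (subject `admin-ord`) and its key identifiers are constructed.

```python
import re

FIELDS = {"subject": r"Subject:\s*(.+)", "issuer": r"Issuer:\s*(.+)",
          "ski": r"Subject Key Identifier:\s*([0-9A-F:]+)",
          "aki": r"Authority Key Identifier:\s*(?:keyid:)?([0-9A-F:]+)"}

def parse_cert(text):
    """Extract DNs and key identifiers from `openssl x509 -text -noout` output."""
    found = {name: re.search(rx, text) for name, rx in FIELDS.items()}
    return {name: m.group(1).strip() if m else None for name, m in found.items()}

def classify(cert, authorities):
    """Match a certificate to the MSP's CA certs by issuer DN, then by key identifier."""
    named = [ca for ca in authorities if ca["subject"] == cert["issuer"]]
    if not named:
        return "no-issuer"    # issuing CA is absent from cacerts/intermediatecerts
    if any(cert["aki"] and ca["ski"] == cert["aki"] for ca in named):
        return "ok"
    return "stale-key"        # CA name matches but its key differs (earlier run's cert)

def audit_msp(msp):
    """msp maps MSP folder -> list of text dumps; returns {(folder, subject): status}."""
    cas = [parse_cert(t) for f in ("cacerts", "intermediatecerts") for t in msp.get(f, [])]
    certs = [(f, parse_cert(t)) for f in ("intermediatecerts", "signcerts", "admincerts")
             for t in msp.get(f, [])]
    return {(f, c["subject"]): classify(c, cas) for f, c in certs}

def dump(subject, issuer, ski, aki=None):
    """Constructed sample: just the fields of an openssl text dump that parse_cert reads."""
    dn = "C=US, ST=North Carolina, O=Hyperledger, "
    out = f"Issuer: {dn}{issuer}\nSubject: {dn}{subject}\nX509v3 Subject Key Identifier: \n    {ski}\n"
    if aki:
        out += f"X509v3 Authority Key Identifier: \n    keyid:{aki}\n"
    return out

ROOT_SKI = "AD:8B:9D:26:C5:F2:B3:00:98:58:D9:62:D9:D0:7E:BE:B2:39:EF:D9"  # from the page
ICA_SKI = "9F:48:37:E9:03:06:CB:29:06:5D:C4:AC:AA:1C:2B:31:70:54:FD:1B"   # from the page
ROOT, ICA = "OU=Fabric, CN=rca-ord", "OU=client, CN=rca-ord-admin"
SAMPLE_MSP = {
    "cacerts": [dump(ROOT, ROOT, ROOT_SKI)],
    "intermediatecerts": [dump(ICA, ROOT, ICA_SKI, ROOT_SKI)],
    "signcerts": [dump("OU=orderer, CN=orderer1-ord", ICA,
                       "E7:7E:2C:84:F7:B6:10:09:9F:5A:03:E1:47:8C:5A:EF:34:A4:CA:E5", ICA_SKI)],
    # constructed: admin cert from the earlier run, issued under that run's CA key
    "admincerts": [dump("OU=client, CN=admin-ord", ICA, "00:" * 19 + "02", "00:" * 19 + "01")],
}
if __name__ == "__main__":
    for (folder, subject), status in audit_msp(SAMPLE_MSP).items():
        print(f"{status:10} {folder:18} {subject}")
```

Key-identifier matching is a quick triage, not a signature check; `openssl verify` with `-CAfile` and `-untrusted` performs the actual verification of each certificate against the MSP's CA files.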