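We have an application that runs fine when deployed on a single host, but when deployed on a multi-host network we get an error when trying to start the orderer.
Script that starts the orderer: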
fabric-ca-client enroll -d -u $ENROLLMENT_URL -M $ORDERER_GENERAL_LOCALMSPDIR
# Start the orderer
orderer
Enrollment result:
2019/01/21 23:21:26 [DEBUG] newEnrollmentResponse orderer1-ord
2019/01/21 23:21:26 [INFO] Stored client certificate at /etc/hyperledger/orderer/msp/signcerts/cert.pem
2019/01/21 23:21:26 [INFO] Stored root CA certificate at /etc/hyperledger/orderer/msp/cacerts/ica-ord-7054.pem
2019/01/21 23:21:26 [INFO] Stored intermediate CA certificates at /etc/hyperledger/orderer/msp/intermediatecerts/ica-ord-7054.pem
But when orderer starts:
2019-01-21 23:29:48.564 UTC [orderer/common/server] initializeLocalMsp -> CRIT 01a Failed to initialize local MSP: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "rca-ord-admin")
The complete log is here. We have verified that all required certificates do exist. Below is the complete chain:
Certificate of the orderer orderer1-ord:
root@ad8682ced829:/etc/hyperledger/orderer# openssl x509 -in msp/signcerts/cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
30:3e:e8:bb:10:3f:d1:f6:cc:93:55:c0:4d:ee:7c:ad:2d:e5:94:41
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=client, CN=rca-ord-admin
Validity
Not Before: Jan 21 23:16:00 2019 GMT
Not After : Jan 21 23:21:00 2020 GMT
Subject: C=US, ST=North Carolina, O=Hyperledger, OU=orderer, CN=orderer1-ord
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:da:f1:e6:a5:14:cc:5d:45:23:7f:45:9c:c1:68:
1c:5c:9e:b5:8d:59:a0:22:1c:68:66:b8:43:4d:bf:
01:a8:f6:42:fb:de:2c:f0:10:4c:3b:93:37:96:df:
20:24:a2:8d:5c:62:24:83:65:72:a3:5e:9c:cc:44:
b1:e4:eb:40:23
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
E7:7E:2C:84:F7:B6:10:09:9F:5A:03:E1:47:8C:5A:EF:34:A4:CA:E5
X509v3 Authority Key Identifier:
keyid:9F:48:37:E9:03:06:CB:29:06:5D:C4:AC:AA:1C:2B:31:70:54:FD:1B
X509v3 Subject Alternative Name:
DNS:ad8682ced829
1.2.3.4.5.6.7.8.1:
{"attrs":{"hf.Affiliation":"","hf.EnrollmentID":"orderer1-ord","hf.Type":"orderer"}}
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:2d:38:1f:bf:a0:8a:e2:6c:6a:11:1e:7c:ca:7f:
f6:97:bd:a5:62:9a:27:90:a1:13:32:0e:00:a0:20:98:d4:c0:
02:20:1b:31:00:3a:a5:8f:7a:b8:21:5b:2f:a9:7d:a5:11:51:
5b:27:de:0a:8c:52:05:b4:d7:21:c2:b6:e3:6b:ab:7e
Certificate of the issuer of orderer1-ord:
root@ad8682ced829:/etc/hyperledger/orderer# openssl x509 -in msp/intermediatecerts/ica-ord-7054.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
16:c6:47:e8:f4:2e:87:4f:72:47:cf:d1:5b:2b:94:cf:55:7d:5d:b3
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=rca-ord
Validity
Not Before: Jan 21 23:16:00 2019 GMT
Not After : Jan 20 23:21:00 2024 GMT
Subject: C=US, ST=North Carolina, O=Hyperledger, OU=client, CN=rca-ord-admin
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:2c:5c:cf:f8:a2:56:df:4a:27:64:b5:34:9f:4a:
be:a8:77:99:c1:88:85:25:56:f4:8a:e3:2a:77:27:
8d:3f:85:67:9e:77:eb:0c:fd:b4:b6:71:4d:41:ed:
c6:6f:6e:db:78:00:2e:b7:8c:b0:aa:19:a7:e7:4b:
a4:8d:b6:2c:8f
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
9F:48:37:E9:03:06:CB:29:06:5D:C4:AC:AA:1C:2B:31:70:54:FD:1B
X509v3 Authority Key Identifier:
keyid:AD:8B:9D:26:C5:F2:B3:00:98:58:D9:62:D9:D0:7E:BE:B2:39:EF:D9
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:7c:83:78:ea:3a:d1:8a:69:e9:a4:09:10:9f:a3:
f2:a5:58:7a:66:f2:3e:1a:15:c9:84:ec:7d:0c:26:bd:f6:02:
02:20:5e:d7:aa:b2:f2:c9:e6:2b:4a:9e:45:df:79:8d:db:0e:
93:c8:64:af:a3:73:bb:22:ad:b2:d9:e0:5e:4a:62:0e
Root authority certificate:
root@ad8682ced829:/etc/hyperledger/orderer# openssl x509 -in msp/cacerts/ica-ord-7054.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
70:e3:d3:f2:4c:09:4f:be:d5:2f:4e:fb:bf:d1:a3:87:58:f1:b4:1d
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=rca-ord
Validity
Not Before: Jan 21 23:16:00 2019 GMT
Not After : Jan 17 23:16:00 2034 GMT
Subject: C=US, ST=North Carolina, O=Hyperledger, OU=Fabric, CN=rca-ord
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:27:8c:b4:c7:9b:79:73:30:71:c9:cf:e0:7a:e0:
2b:93:49:a0:09:fb:ff:fb:d3:e0:c0:50:fb:d7:57:
08:a1:5b:32:d6:cc:df:ac:80:48:78:9b:00:bb:13:
8f:67:df:2b:cd:64:1c:da:70:ac:59:d6:a2:7c:90:
be:20:fd:a9:72
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Subject Key Identifier:
AD:8B:9D:26:C5:F2:B3:00:98:58:D9:62:D9:D0:7E:BE:B2:39:EF:D9
Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:a3:21:3e:54:99:a7:8d:fc:78:17:5a:8e:29:
b4:b2:bf:7a:f8:63:97:16:7b:b1:2b:2d:20:c6:c7:80:40:c6:
1a:02:20:1c:d9:13:35:e5:8f:6d:48:6f:74:ae:a9:b4:ef:5d:
77:98:7d:d8:12:5a:1a:66:d6:f7:27:dd:8c:33:89:53:ff
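How can this be fixed? Why is it complaining? Link to the source code where it fails.
Answer 0 (score: 0)
The problem here turned out to be stale certificates. The code path that led to the error is as follows. At line 87 of setup-fabric.sh: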
if [ $ADMINCERTS ]; then
switchToAdminIdentity
fi
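This code is guarded by an if check that checks whether the directory already exists. We did a fresh run but did not delete the directory (left over from a previous run), so the admin certificates were not updated, which caused the error above.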