订购者的自举出现了以下错误:
[orderer.common.server] Start -> PANI 003 Failed validating bootstrap block: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: CA Certificate did not have the CA attribute, (SN: f8adffbd6a2debed01cd2840f1f75cd77bfdc9c)
panic: Failed validating bootstrap block: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: CA Certificate did not have the CA attribute, (SN: f8adffbd6a2debed01cd2840f1f75cd77bfdc9c)
goroutine 1 [running]:
github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc0001b1970, 0x0, 0x0, 0x0)
/opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore/entry.go:229 +0x515
github.com/hyperledger/fabric/vendor/go.uber.org/zap.(*SugaredLogger).log(0xc0001382a0, 0xc00003d804, 0x10355b0, 0x25, 0xc00047bd10, 0x1, 0x1, 0x0, 0x0, 0x0)
/opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:234 +0xf6
github.com/hyperledger/fabric/vendor/go.uber.org/zap.(*SugaredLogger).Panicf(0xc0001382a0, 0x10355b0, 0x25, 0xc00047bd10, 0x1, 0x1)
/opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:159 +0x79
github.com/hyperledger/fabric/common/flogging.(*FabricLogger).Panicf(0xc0001382a8, 0x10355b0, 0x25, 0xc00047bd10, 0x1, 0x1)
/opt/gopath/src/github.com/hyperledger/fabric/common/flogging/zap.go:74 +0x60
github.com/hyperledger/fabric/orderer/common/server.Start(0x1013e09, 0x5, 0xc00054f200)
/opt/gopath/src/github.com/hyperledger/fabric/orderer/common/server/main.go:98 +0xcd
github.com/hyperledger/fabric/orderer/common/server.Main()
/opt/gopath/src/github.com/hyperledger/fabric/orderer/common/server/main.go:91 +0x1ce
main.main()
/opt/gopath/src/github.com/hyperledger/fabric/orderer/main.go:15 +0x20
我已经检查了CA证书文件,并具有以下属性:
X509v3基本约束:严重 CA:是的,pathlen:0
我已经创建了创世块,其中configtxgen指向遵循通用结构的文件夹
我也正在使用结构CA
编辑1:
因此,我一直在创建网络,而不是通过结构CA使用加密货币,我遵循了如何创建证书的结构教程,这就是我所做的:
export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/fabric-ca/clients/admin
./fabric-samples/bin/fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --tls.certfiles ./tls-cert.pem
./fabric-samples/bin/fabric-ca-client register --id.name peer0.example.com --id.type peer --id.affiliation example.operations --tls.certfiles ./tls-cert.pem
export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/crypto-config/peerOrganizations/example.com/peers/peer0
./fabric-samples/bin/fabric-ca-client enroll -u https://peer0.example.com:aTSKHAhxxrIl@localhost:7054 --tls.certfiles ./tls-cert.pem -M $FABRIC_CA_CLIENT_HOME/msp
export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/fabric-ca/clients/admin
./fabric-samples/bin/fabric-ca-client register --id.name peer1.example.com --id.type peer --id.affiliation example.operations --tls.certfiles ./tls-cert.pem
export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/crypto-config/peerOrganizations/example.com/peers/peer1
./fabric-samples/bin/fabric-ca-client enroll -u https://peer1.example.com:ptPLWOAudqNJ@localhost:7054 --tls.certfiles ./tls-cert.pem -M $FABRIC_CA_CLIENT_HOME/msp
export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/fabric-ca/clients/admin
./fabric-samples/bin/fabric-ca-client register --id.name orderer0.example.com --id.type orderer --id.affiliation example.operations --tls.certfiles ./tls-cert.pem
export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/crypto-config/ordererOrganizations/example.com/orderers/orderer0
./fabric-samples/bin/fabric-ca-client enroll -u https://orderer0.example.com:WfEfUodXgjDI@localhost:7054 --tls.certfiles ./tls-cert.pem -M $FABRIC_CA_CLIENT_HOME/msp
在注册了所有对等方和订购者之后,我开始使用以下命令创建工件
export CHANNEL_NAME=examplechannel
./fabric-samples/bin/configtxgen -profile OrdererGenesis -outputBlock ./config/genesis.block -channelID $CHANNEL_NAME
./fabric-samples/bin/configtxgen -profile ExampleChannel -outputCreateChannelTx ./config/channel.tx -channelID $CHANNEL_NAME
./fabric-samples/bin/configtxgen -profile ExampleChannel -outputAnchorPeersUpdate ./config/ExampleMSPanchors.tx -channelID $CHANNEL_NAME -asOrg Example
所有使用如下所示的加密材料文件夹的结构:
- ordererOrganizations
- example.com
- msp
- admincerts (the certificates of the administrators of that organization)
- cacerts (the ca certificates of the organization)
- tlscacerts (the tls certificate)
- signcerts
- peerOrganizations
- example.conm
- msp
- admincerts (the certificates of the administrators of that organization)
- cacerts (the ca certificates of the organization)
- tlscacerts (the tls certificate)
- signcerts
编辑2:
所以它们是两件事。我正在使用未启用任何外部证书和TLS的结构CA,因此在引导时会创建所有加密材料。 为了发现这个问题,我一直在比较解码由cryptogen工具创建的资料和结构ca资料,我使用了这个网站https://certlogik.com/decoder/。 除tls证书外,所有证书都具有相同的属性。 cryptogen工具创建的一个具有以下属性true:
X509v3基本约束:严重 CA:是的
但是结构ca所创建的属性的属性为false,那么是否存在确定该属性的属性,而我尚未设置,还是一个错误?
编辑3:
因此,感谢@gari以及超级账本聊天程序中的人员,我找到了解决方案。我误会了由ca创建的tls,而tlsca是2个分离的东西。
TLSCA必须带外分发。 在ca上设置nginx服务器,并使用真正的公共cacert支持的http请求为它们提供服务,将它们分散在周围,运动鞋网,无论如何 可以通过curl直接从ca服务器获取它,但是需要关闭ca检查
可以让加密完成,但是您需要单独的Nginx服务器或等效集来服务非公共tlsca。或者,您可以仅对tlsca本身使用LE证书,但这会很糟糕,因为每次从let加密更新tlsca时,您都必须重做每个通道。
答案 0 :(得分:1)
确保cacerts和tlscacerts都实际包含根证书。通过上述布局的描述,您似乎没有tlscacerts文件夹的CA证书。