Hyperledger Fabric Orderer CA admin user registration fails

Time: 2019-09-20 02:24:25

Tags: kubernetes hyperledger-fabric hyperledger kubernetes-helm hyperledger-fabric-ca

I am building a Hyperledger Fabric network on Kubernetes. Basically, I am trying to replicate the Fabric CA Operation's Guide, which runs on Docker. I am using the stable/hlf-ca Helm chart, with Helm version 3-beta-2.

Enroll TLS CA's Admin: works

kubectl create ns ca-tls

helm install ca-tls \
  --set caName=ca-tls \
  --set postgresql.enabled=true \
  --namespace ca-tls \
stable/hlf-ca

export CA_TLS_POD=$(kubectl get pods --namespace ca-tls -l "app=hlf-ca,release=ca-tls" -o jsonpath="{.items[0].metadata.name}")
kubectl -n ca-tls exec $CA_TLS_POD -- bash -c 'fabric-ca-client enroll -d -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054'

kubectl -n ca-tls cp  $CA_TLS_POD:/var/hyperledger/fabric-ca/msp/signcerts/cert.pem ./tls-ca-cert.pem

cat <<EOF | kubectl -n ca-tls exec $CA_TLS_POD -- bash
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer1-org2 --id.secret peer1PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer2-org2 --id.secret peer2PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererPW --id.type orderer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
EOF

Enroll Org1's CA Admin: works (org2 works too)

kubectl create ns org1

helm install rca-org1 \
  --set caName=rca-org1 \
  --set postgresql.enabled=true \
  --namespace org1 \
stable/hlf-ca

export RCA_ORG1_POD=$(kubectl get pods --namespace org1 -l "app=hlf-ca,release=rca-org1" -o jsonpath="{.items[0].metadata.name}")
kubectl -n org1 cp ./tls-ca-cert.pem $RCA_ORG1_POD:/tmp/tls-ca-cert.pem

cat <<EOF | kubectl -n org1 exec $RCA_ORG1_POD -- bash
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/ca/admin
fabric-ca-client enroll -d -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name admin-org1 --id.secret org1AdminPW --id.type user -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name user-org1 --id.secret org1UserPW --id.type user -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
EOF

Enroll Orderer Org's CA Admin fails. All commands succeed except the last line (--id.name admin-org0).

kubectl create ns org0

helm install rca-org0 \
  --set caName=rca-org0 \
  --set postgresql.enabled=true \
  --namespace org0 \
stable/hlf-ca

export RCA_ORG0_POD=$(kubectl get pods --namespace org0 -l "app=hlf-ca,release=rca-org0" -o jsonpath="{.items[0].metadata.name}")
kubectl -n org0 cp ./tls-ca-cert.pem $RCA_ORG0_POD:/tmp/tls-ca-cert.pem

cat <<EOF | kubectl -n org0 exec $RCA_ORG0_POD -- bash
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/tls-ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/ca/admin
fabric-ca-client enroll -d -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererpw --id.type orderer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name admin-org0 --id.secret org0adminpw --id.type admin --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
EOF

Error log:

root@rca-org0-hlf-ca-5bdd58d48b-l2bbn:/# fabric-ca-client register -d --id.name admin-org0 --id.secret org0adminpw --id.type admin --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
2019/09/20 03:03:00 [DEBUG] Home directory: /tmp/hyperledger/org0/ca/admin
2019/09/20 03:03:00 [INFO] Configuration file location: /tmp/hyperledger/org0/ca/admin/fabric-ca-client-config.yaml
2019/09/20 03:03:00 [DEBUG] Checking for enrollment
2019/09/20 03:03:00 [DEBUG] Initializing client with config: &{URL:http://admin:oZsoUj2qvjRsnAT9zMH9WkMA@0.0.0.0:7054 MSPDir:msp TLS:{Enabled:false CertFiles:[/tmp/tls-ca-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509  } CSR:{CN:admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[rca-org0-hlf-ca-5bdd58d48b-l2bbn] KeyRequest:0xc4202d2ce0 CA:<nil> SerialNumber:} ID:{Name:admin-org0 Type:admin Secret:org0adminpw MaxEnrollments:0 Affiliation: Attributes:[{Name:hf.Revoker Value:true ECert:false} {Name:hf.GenCRL Value:true ECert:false} {Name:admin Value:true ECert:true} {Name:abac.init Value:true ECert:true} {Name:hf.Registrar.Roles Value:client ECert:false} {Name:hf.Registrar.Attributes Value:* ECert:false}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc4202d2540}
2019/09/20 03:03:00 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc4202dcc90 PluginOpts:<nil>}
2019/09/20 03:03:00 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc42054aae0 DummyKeystore:<nil>}
2019/09/20 03:03:00 [DEBUG] CheckIdemixEnrollment - ipkFile: /tmp/hyperledger/org0/ca/admin/msp/IssuerPublicKey, idemixCredFrile: /tmp/hyperledger/org0/ca/admin/msp/user/SignerConfig
2019/09/20 03:03:00 [DEBUG] Client configuration settings: &{URL:http://admin:oZsoUj2qvjRsnAT9zMH9WkMA@0.0.0.0:7054 MSPDir:/tmp/hyperledger/org0/ca/admin/msp TLS:{Enabled:false CertFiles:[/tmp/tls-ca-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509  } CSR:{CN:admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[rca-org0-hlf-ca-5bdd58d48b-l2bbn] KeyRequest:0xc4202d2ce0 CA:<nil> SerialNumber:} ID:{Name:admin-org0 Type:admin Secret:org0adminpw MaxEnrollments:0 Affiliation: Attributes:[{Name:hf.Revoker Value:true ECert:false} {Name:hf.GenCRL Value:true ECert:false} {Name:admin Value:true ECert:true} {Name:abac.init Value:true ECert:true} {Name:hf.Registrar.Roles Value:client ECert:false} {Name:hf.Registrar.Attributes Value:* ECert:false}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc4202d2540}
2019/09/20 03:03:00 [DEBUG] Entered runRegister
2019/09/20 03:03:00 [DEBUG] Initializing client with config: &{URL:http://admin:oZsoUj2qvjRsnAT9zMH9WkMA@0.0.0.0:7054 MSPDir:/tmp/hyperledger/org0/ca/admin/msp TLS:{Enabled:false CertFiles:[/tmp/tls-ca-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509  } CSR:{CN:admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[rca-org0-hlf-ca-5bdd58d48b-l2bbn] KeyRequest:0xc4202d2ce0 CA:<nil> SerialNumber:} ID:{Name:admin-org0 Type:admin Secret:org0adminpw MaxEnrollments:0 Affiliation: Attributes:[{Name:hf.Revoker Value:true ECert:false} {Name:hf.GenCRL Value:true ECert:false} {Name:admin Value:true ECert:true} {Name:abac.init Value:true ECert:true} {Name:hf.Registrar.Roles Value:client ECert:false} {Name:hf.Registrar.Attributes Value:* ECert:false}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc4202d2540}
2019/09/20 03:03:00 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc4202dcc90 PluginOpts:<nil>}
2019/09/20 03:03:00 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc42054aae0 DummyKeystore:<nil>}
2019/09/20 03:03:00 [DEBUG] Loading identity: keyFile=/tmp/hyperledger/org0/ca/admin/msp/keystore/key.pem, certFile=/tmp/hyperledger/org0/ca/admin/msp/signcerts/cert.pem
2019/09/20 03:03:00 [DEBUG] No credential found at /tmp/hyperledger/org0/ca/admin/msp/user/SignerConfig: open /tmp/hyperledger/org0/ca/admin/msp/user/SignerConfig: no such file or directory
2019/09/20 03:03:00 [DEBUG] No Idemix credential found at /tmp/hyperledger/org0/ca/admin/msp/user/SignerConfig
2019/09/20 03:03:00 [DEBUG] Register { Name:admin-org0 Type:admin Secret:**** MaxEnrollments:0 Affiliation: Attributes:[{hf.Revoker true false} {hf.GenCRL true false} {admin true true} {abac.init true true} {hf.Registrar.Roles client false} {hf.Registrar.Attributes * false}] CAName:  }
2019/09/20 03:03:00 [DEBUG] Adding token-based authorization header
2019/09/20 03:03:00 [DEBUG] Sending request
POST http://admin:oZsoUj2qvjRsnAT9zMH9WkMA@0.0.0.0:7054/register
{"id":"admin-org0","type":"admin","secret":"org0adminpw","affiliation":"","attrs":[{"name":"hf.Revoker","value":"true"},{"name":"hf.GenCRL","value":"true"},{"name":"admin","value":"true","ecert":true},{"name":"abac.init","value":"true","ecert":true},{"name":"hf.Registrar.Roles","value":"client"},{"name":"hf.Registrar.Attributes","value":"*"}]}
2019/09/20 03:03:00 [DEBUG] Received response
statusCode=403 (403 Forbidden)
Error: Response from server: Error Code: 71 - Authorization failure

What am I missing?
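Added example, not part of the original post or of Fabric CA's code: a sketch of the registrar checks that Fabric CA documents for `register` (identity type must be in the registrar's hf.Registrar.Roles, attributes must be covered by hf.Registrar.Attributes, reserved hf.* attributes must be held by the registrar), applied to the request body shown in the log. The `REGISTRAR` values are a constructed assumption, not the asker's actual CA configuration, and the affiliation rule is not modelled.

```python
import json

# Request body from the "Sending request" log line above, trimmed to the
# fields the check needs (the secret is omitted).
REQUEST = json.loads("""
{"id": "admin-org0", "type": "admin", "affiliation": "", "attrs": [
 {"name": "hf.Revoker", "value": "true"},
 {"name": "hf.GenCRL", "value": "true"},
 {"name": "admin", "value": "true", "ecert": true},
 {"name": "abac.init", "value": "true", "ecert": true},
 {"name": "hf.Registrar.Roles", "value": "client"},
 {"name": "hf.Registrar.Attributes", "value": "*"}]}
""")

# Constructed registrar attributes: an assumption, NOT read from the asker's CA.
REGISTRAR = {"hf.Registrar.Roles": "peer,orderer,client,user",
             "hf.Registrar.Attributes": "*",
             "hf.Revoker": "true", "hf.GenCRL": "true"}

LIST_ATTRS = {"hf.Registrar.Roles", "hf.Registrar.DelegateRoles",
              "hf.Registrar.Attributes"}

def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}

def _covered(name, patterns):
    # The only pattern Fabric CA supports is a trailing "*".
    return any(name == p or (p.endswith("*") and name.startswith(p[:-1]))
               for p in patterns)

def denial_reasons(registrar, request):
    """List the registrar rules the request would violate (empty = allowed)."""
    reasons = []
    roles = _csv(registrar.get("hf.Registrar.Roles", ""))
    if "*" not in roles and request["type"] not in roles:
        reasons.append(f"type {request['type']!r} not in hf.Registrar.Roles")
    patterns = _csv(registrar.get("hf.Registrar.Attributes", ""))
    for attr in request.get("attrs", []):
        name, value = attr["name"], attr["value"]
        if not _covered(name, patterns):
            reasons.append(f"{name} not covered by hf.Registrar.Attributes")
        elif not name.startswith("hf."):
            continue  # custom attribute: pattern coverage is enough
        elif name not in registrar:
            reasons.append(f"registrar does not hold {name}")
        elif name in LIST_ATTRS:
            held = _csv(registrar[name])
            if "*" not in held and not _csv(value) <= held:
                reasons.append(f"{name}={value} exceeds the registrar's own value")
        elif registrar[name].lower() != "true":  # simplification: other hf.* treated as boolean
            reasons.append(f"registrar's {name} is not true")
    return reasons
```

To run it against a real CA, replace `REGISTRAR` with the attributes that `fabric-ca-client identity list --id <registrar name>` reports for the enrolled admin.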

1 answer:

Answer 0 (score: 0)

Could you post the error log you get when running the last register command?