I am deploying a blockchain in Azure with Hyperledger Fabric v1.4 using Raft. I create my certificates with openssl and sign them with an external CA, and that CA is not a root CA, so I have an intermediate CA certificate.
I created my genesis block with this configtx.yaml and this MSP folder structure:
configtx.yaml
Organizations:
    - &ordererOrg
        Name: orderer
        ID: orderer
        MSPDir: /crypto/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('orderer.member')"
            Writers:
                Type: Signature
                Rule: "OR('orderer.member')"
            Admins:
                Type: Signature
                Rule: "OR('orderer.admin')"
Capabilities:
    Channel: &ChannelCapabilities
        V1_4_3: true
    Orderer: &OrdererCapabilities
        V1_4_2: true
    Application: &ApplicationCapabilities
        V1_4_2: true
Application: &ApplicationDefaults
    Organizations:
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    Capabilities:
        <<: *ApplicationCapabilities
Orderer: &OrdererDefaults
    OrdererType: solo
    BatchTimeout: 2s
    BatchSize:
        MaxMessageCount: 10
        AbsoluteMaxBytes: 99 MB
        PreferredMaxBytes: 512 KB
    Kafka:
        Brokers:
            - 127.0.0.1:9092
    Organizations:
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"
Channel: &ChannelDefaults
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    Capabilities:
        <<: *ChannelCapabilities
Profiles:
    SampleEtcdRaftProfile:
        <<: *ChannelDefaults
        Capabilities:
            <<: *ChannelCapabilities
        Orderer:
            <<: *OrdererDefaults
            OrdererType: etcdraft
            Addresses:
                - orderer1.xxxx.eastus.aksapp.io:443
                - orderer2.xxxx.eastus.aksapp.io:443
            Organizations:
                - *ordererOrg
            EtcdRaft:
                Consenters:
                    - Host: orderer1
                      Port: 7050
                      ClientTLSCert: /crypto/orderers/orderer1/tls/server.crt
                      ServerTLSCert: /crypto/orderers/orderer1/tls/server.crt
                    - Host: orderer2
                      Port: 7050
                      ClientTLSCert: /crypto/orderers/orderer2/tls/server.crt
                      ServerTLSCert: /crypto/orderers/orderer2/tls/server.crt
            Capabilities:
                <<: *OrdererCapabilities
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - <<: *ordererOrg
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *ordererOrg
MSP folder structure:
+ /crypto
    configtx.yaml
    + msp
        + cacerts > ca.crt
        + tlscacerts > ca.crt
        + intermediatecerts > intermediate.crt
        + tlsintermediatecerts > intermediate.crt
        + admincerts > admin.crt
    + orderers
        + orderer1/tls > server.crt
        + orderer2/tls > server.crt
I created my genesis block with this:
configtxgen -profile SampleEtcdRaftProfile -outputBlock genesis.block -channelID mychannel
In my orderer, the MSP structure looks like this:
+ /var/hyperledger/orderer
    genesis.block
    + msp
        + cacerts > ca.crt
        + intermediatecerts > intermediate.crt
        + admincerts > admin.crt
        + signcerts > cert.pem
        + keystore > key.pem
    + tls
        server.crt
        server.key
        ca.crt
        intermediate.crt
These are my environment variables:
ORDERER_GENERAL_TLS_ENABLED=true
ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
ORDERER_GENERAL_TLS_CLIENTROOTCAS=/var/hyperledger/orderer/tls/chain.crt
ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=false
ORDERER_GENERAL_TLS_CLIENTROOTCAS=/var/hyperledger/orderer/tls/chain.crt
ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/var/hyperledger/orderer/tls/server.key
ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/var/hyperledger/orderer/tls/server.crt
ORDERER_GENERAL_CLUSTER_ROOTCAS=/var/hyperledger/orderer/tls/chain.crt
I am not sure why the structure is different and the TLS files live somewhere else, but I am copying the configuration from the Azure Hyperledger template, which I have already used successfully.
Now my orderers are running, but orderer1 keeps starting new elections, orderer2 becomes a candidate, and they eventually fail with a TLS handshake error.
These are the error logs from orderer1:
2021-03-24 17:37:49.717 UTC [orderer.consensus.etcdraft] Step -> INFO a16 1 is starting a new election at term 1 channel=testchainid node=1
2021-03-24 17:37:49.717 UTC [orderer.consensus.etcdraft] becomePreCandidate -> INFO a17 1 became pre-candidate at term 1 channel=testchainid node=1
2021-03-24 17:37:49.717 UTC [orderer.consensus.etcdraft] poll -> INFO a18 1 received MsgPreVoteResp from 1 at term 1 channel=testchainid node=1
2021-03-24 17:37:49.717 UTC [orderer.consensus.etcdraft] campaign -> INFO a19 1 [logterm: 1, index: 2] sent MsgPreVote request to 2 at term 1 channel=testchainid node=1
2021-03-24 17:37:49.718 UTC [orderer.consensus.etcdraft] send -> INFO a1a Successfully sent StepRequest to 2 after failed attempt(s) channel=testchainid node=1
2021-03-24 17:37:52.406 UTC [orderer.common.cluster] func1 -> WARN a1b Certificate of unidentified node from 172.32.0.141:54008 for channel testchainid expires in less than -2562047h47m16.854775808s
2021-03-24 17:37:52.406 UTC [comm.grpc.server] 1 -> INFO a1c streaming call completed grpc.service=orderer.Cluster grpc.method=Step grpc.peer_address=172.32.0.141:54008 error="no TLS certificate sent" grpc.code=Unknown grpc.call_duration=269.221µs
These are the error logs from orderer2:
2021-03-24 21:40:51.240 UTC [orderer.consensus.etcdraft] logSendFailure -> ERRO 2e36 Failed to send StepRequest to 1, because: aborted channel=testchainid node=2
2021-03-24 21:40:52.239 UTC [orderer.consensus.etcdraft] Step -> INFO 2e37 2 is starting a new election at term 1 channel=testchainid node=2
2021-03-24 21:40:52.239 UTC [orderer.consensus.etcdraft] becomePreCandidate -> INFO 2e38 2 became pre-candidate at term 1 channel=testchainid node=2
2021-03-24 21:40:52.239 UTC [orderer.consensus.etcdraft] poll -> INFO 2e39 2 received MsgPreVoteResp from 2 at term 1 channel=testchainid node=2
2021-03-24 21:40:52.239 UTC [orderer.consensus.etcdraft] campaign -> INFO 2e3a 2 [logterm: 1, index: 2] sent MsgPreVote request to 1 at term 1 channel=testchainid node=2
2021-03-24 21:40:52.239 UTC [orderer.consensus.etcdraft] send -> INFO 2e3b Successfully sent StepRequest to 1 after failed attempt(s) channel=testchainid node=2
2021-03-24 21:40:54.042 UTC [orderer.common.cluster] func1 -> WARN 2e40 Certificate of unidentified node from 172.32.0.211:58714 for channel testchainid expires in less than -2562047h47m16.854775808s
2021-03-24 21:40:54.042 UTC [comm.grpc.server] 1 -> INFO 2e41 streaming call completed grpc.service=orderer.Cluster grpc.method=Step grpc.peer_address=172.32.0.211:58714 error="no TLS certificate sent" grpc.code=Unknown grpc.call_duration=127.311µs
For the ROOTCAS env variable I have tried: only the root CA certificate, only the intermediate CA certificate, a concatenated chain in PEM format with the root first and then the intermediate, the concatenated chain in the reverse order, and the CA and intermediate certificates as an array. In every case I get "no TLS certificate sent", except with only the CA certificate, which gives me a "certificate signed by unknown authority" error.
This is how I concatenate my CA certificates:
-----BEGIN CERTIFICATE-----
INTERMEDIATExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOTCERTxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
I tried openssl verify -CAfile chain.crt orderer1-tls.crt and it returns OK.
I tested my URLs with telnet and they are fine.
I have double-checked all the values, but I guess that if they were wrong the orderers would not even run, and I followed the script in Azure to create the genesis block, only adding the intermediate information.
Also, while testing I am modifying the /etc/hosts file for DNS resolution; could that be the cause of my error?
Any suggestion would be great.
Thanks
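As an added example (not part of the question or answer, and not Fabric project code), the following Python script parses orderer log lines in the format quoted above and separates the three signals mixed together in them: repeated election starts at the same term (the Raft symptom), the "Certificate of unidentified node" warning, and the Cluster gRPC stream that ends with "no TLS certificate sent" (the actual cause). The sample log is a constructed, shortened copy of the orderer1 lines from the question with one extra election line added; the regexes assume the Fabric 1.4 log layout shown in the question. The hint it prints about ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED is taken from the accepted answer on this page.

```python
import re
from collections import Counter

# Constructed sample: a shortened copy of the orderer1 log lines quoted in the question,
# plus one extra "starting a new election" line so the repeat count is visible.
SAMPLE_LOG = """\
2021-03-24 17:37:49.717 UTC [orderer.consensus.etcdraft] Step -> INFO a16 1 is starting a new election at term 1 channel=testchainid node=1
2021-03-24 17:37:49.717 UTC [orderer.consensus.etcdraft] campaign -> INFO a19 1 [logterm: 1, index: 2] sent MsgPreVote request to 2 at term 1 channel=testchainid node=1
2021-03-24 17:37:52.406 UTC [orderer.common.cluster] func1 -> WARN a1b Certificate of unidentified node from 172.32.0.141:54008 for channel testchainid expires in less than -2562047h47m16.854775808s
2021-03-24 17:37:52.406 UTC [comm.grpc.server] 1 -> INFO a1c streaming call completed grpc.service=orderer.Cluster grpc.method=Step grpc.peer_address=172.32.0.141:54008 error="no TLS certificate sent" grpc.code=Unknown grpc.call_duration=269.221µs
2021-03-24 17:37:54.717 UTC [orderer.consensus.etcdraft] Step -> INFO a20 1 is starting a new election at term 1 channel=testchainid node=1
"""

# Fabric 1.4 line layout: "<ts> UTC [<module>] <func> -> <LEVEL> <seq> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) UTC "
    r"\[(?P<module>[^\]]+)\] (?P<func>\S+) -> (?P<level>[A-Z]+) (?P<seq>[0-9a-f]+) (?P<msg>.*)$"
)
ELECTION_RE = re.compile(r"(?P<node>\d+) is starting a new election at term (?P<term>\d+)")
UNIDENTIFIED_RE = re.compile(r"Certificate of unidentified node from (?P<peer>\S+) for channel")
NO_CERT_RE = re.compile(r'grpc\.peer_address=(?P<peer>\S+) error="no TLS certificate sent"')


def parse_line(line):
    """Split one log line into its fields, or return None for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Summarise election churn and cluster-TLS failures found in the log text."""
    elections = Counter()   # (node, term) -> number of election starts at that term
    unidentified = []       # peers whose cluster certificate could not be matched to a consenter
    no_client_cert = []     # peers that reached the Cluster service without presenting a client cert
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["module"] == "orderer.consensus.etcdraft":
            m = ELECTION_RE.search(msg)
            if m:
                elections[(m["node"], m["term"])] += 1
        elif rec["module"] == "orderer.common.cluster":
            m = UNIDENTIFIED_RE.search(msg)
            if m:
                unidentified.append(m["peer"])
        elif rec["module"] == "comm.grpc.server" and "grpc.service=orderer.Cluster" in msg:
            m = NO_CERT_RE.search(msg)
            if m:
                no_client_cert.append(m["peer"])
    return {
        "elections": dict(elections),
        "unidentified": unidentified,
        "no_client_cert": no_client_cert,
    }


def diagnose(summary):
    """Turn the summary into a one-line diagnosis, most specific cause first."""
    if summary["no_client_cert"]:
        return ("peer orderers reach the Cluster service without a client certificate: "
                "mutual TLS is not enforced on the cluster listener "
                "(check ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED)")
    if summary["unidentified"]:
        return ("peer orderers present a certificate that matches no consenter TLS cert "
                "in the channel configuration")
    if any(count > 1 for count in summary["elections"].values()):
        return "repeated elections at the same term without a leader: check cluster connectivity"
    return "no cluster TLS problem detected"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result)
    print(diagnose(result))
```

The "unidentified node" warning with the nonsensical negative expiry is a consequence of the same empty client certificate, which is why `diagnose` reports the missing client certificate before anything else.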
Answer 0 (score: 1)
The problem was this environment variable:
ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=false
I am not sure why it is disabled in the Azure template, but changing it to true allowed the orderers to reach consensus.
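As an added example (not from the answer, the question, or the Fabric project), here is a small pre-flight check for the orderer environment shown in the question. It parses `KEY=VALUE` lines, requires TLS and client authentication to be enabled for an etcdraft orderer (the Raft cluster service relies on mutual TLS between orderers), checks that the cluster client key, certificate and root CA bundle are all set, and counts the PEM blocks in the CA bundle. The environment text and the CA bundle are constructed samples: the env is the one quoted in the question, and the bundle uses placeholder bodies rather than real certificates. The function and variable names are mine.

```python
import re

# Constructed sample: the environment quoted in the question (with the one variable it lists twice).
ENV_FROM_QUESTION = """\
ORDERER_GENERAL_TLS_ENABLED=true
ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
ORDERER_GENERAL_TLS_CLIENTROOTCAS=/var/hyperledger/orderer/tls/chain.crt
ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=false
ORDERER_GENERAL_TLS_CLIENTROOTCAS=/var/hyperledger/orderer/tls/chain.crt
ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/var/hyperledger/orderer/tls/server.key
ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/var/hyperledger/orderer/tls/server.crt
ORDERER_GENERAL_CLUSTER_ROOTCAS=/var/hyperledger/orderer/tls/chain.crt
"""

# Constructed sample CA bundle in the layout the question shows (intermediate, then root).
# The bodies are placeholders, not real certificates.
CHAIN_PEM = """\
-----BEGIN CERTIFICATE-----
INTERMEDIATExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOTCERTxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
"""

# Settings every Raft orderer needs for orderer-to-orderer (cluster) TLS.
REQUIRED_CLUSTER_KEYS = (
    "ORDERER_GENERAL_TLS_PRIVATEKEY",
    "ORDERER_GENERAL_TLS_CERTIFICATE",
    "ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY",
    "ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE",
    "ORDERER_GENERAL_CLUSTER_ROOTCAS",
)

PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s.*?-----END CERTIFICATE-----", re.S)


def parse_env(text):
    """Parse KEY=VALUE lines into a dict; later duplicates override earlier ones, as a shell would."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def count_pem_certs(pem_text):
    """Number of CERTIFICATE blocks in a PEM bundle (order is not checked)."""
    return len(PEM_CERT_RE.findall(pem_text))


def check_raft_tls(env, chain_pem=None):
    """Return a list of findings; an empty list means the cluster TLS settings look consistent."""
    findings = []

    def is_true(key):
        return env.get(key, "").strip().lower() == "true"

    if not is_true("ORDERER_GENERAL_TLS_ENABLED"):
        findings.append("ORDERER_GENERAL_TLS_ENABLED must be true: Raft cluster traffic is TLS-only")
    if not is_true("ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED"):
        findings.append(
            "ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED must be true: otherwise the listener never asks "
            "peer orderers for a client certificate and the cluster service logs 'no TLS certificate sent'"
        )
    for key in REQUIRED_CLUSTER_KEYS:
        if not env.get(key):
            findings.append(f"{key} is not set")
    if chain_pem is not None and count_pem_certs(chain_pem) == 0:
        findings.append("the root CA bundle contains no PEM certificate block")
    return findings


if __name__ == "__main__":
    env = parse_env(ENV_FROM_QUESTION)
    for finding in check_raft_tls(env, CHAIN_PEM) or ["cluster TLS settings look consistent"]:
        print("-", finding)
```

Run against the environment from the question, the checker reports exactly one finding, the disabled client authentication; with that variable set to `true` it reports none, which matches the fix in the answer.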