Hyperledger Fabric orderer with expired TLS does not start even with the TLSHandshakeTimeShift option

Question

The TLS/MSP keys of my Hyperledger Fabric network expired more than 500 hours ago. Because of the expiry, my orderers cannot be restarted after being stopped.

My orderer setup is:

  • Hyperledger Fabric version 2.2
  • RAFT consensus

Following the documentation, I set the TLSHandshakeTimeShift option to 650h and NoExpirationChecks to true. I checked through the logs that these values are set correctly.

2022-05-26 06:12:11.676 UTC [orderer.common.server] prettyPrintStruct -> INFO 003 Orderer config values:
    General.ListenAddress = "0.0.0.0"
    General.ListenPort = 7050
    General.TLS.Enabled = true
    General.TLS.PrivateKey = "/artifacts/tls/keystore/key.pem"
    General.TLS.Certificate = "/artifacts/tls/signcerts/cert.pem"
    General.TLS.RootCAs = [/artifacts/tls/tlscacerts/ca-cert.pem]
    General.TLS.ClientAuthRequired = false
    General.TLS.ClientRootCAs = []
    General.Cluster.ListenAddress = ""
    General.Cluster.ListenPort = 0
    General.Cluster.ServerCertificate = ""
    General.Cluster.ServerPrivateKey = ""
    General.Cluster.ClientCertificate = "/artifacts/tls/signcerts/cert.pem"
    General.Cluster.ClientPrivateKey = "/artifacts/tls/keystore/key.pem"
    General.Cluster.RootCAs = [/artifacts/tls/tlscacerts/ca-cert.pem]
    General.Cluster.DialTimeout = 5s
    General.Cluster.RPCTimeout = 7s
    General.Cluster.ReplicationBufferSize = 20971520
    General.Cluster.ReplicationPullTimeout = 5s
    General.Cluster.ReplicationRetryTimeout = 5s
    General.Cluster.ReplicationBackgroundRefreshInterval = 5m0s
    General.Cluster.ReplicationMaxRetries = 12
    General.Cluster.SendBufferSize = 10
    General.Cluster.CertExpirationWarningThreshold = 168h0m0s
    General.Cluster.TLSHandshakeTimeShift = 650h0m0s // here
    General.Keepalive.ServerMinInterval = 1m0s
    General.Keepalive.ServerInterval = 2h0m0s
    General.Keepalive.ServerTimeout = 20s
    General.ConnectionTimeout = 0s
    General.GenesisMethod = "file"
    General.GenesisFile = "/artifacts/genesis.block"
    General.BootstrapMethod = "file"
    General.BootstrapFile = "/artifacts/genesis.block"
    General.Profile.Enabled = false
    General.Profile.Address = "0.0.0.0:6060"
    General.LocalMSPDir = "/artifacts/msp"
    General.LocalMSPID = "BPLMSP"
    General.BCCSP.ProviderName = "SW"
    General.BCCSP.SwOpts.SecLevel = 256
    General.BCCSP.SwOpts.HashFamily = "SHA2"
    General.BCCSP.SwOpts.Ephemeral = true
    General.BCCSP.SwOpts.FileKeystore.KeyStorePath = ""
    General.BCCSP.SwOpts.DummyKeystore =
    General.BCCSP.SwOpts.InmemKeystore =
    General.Authentication.TimeWindow = 15m0s
    General.Authentication.NoExpirationChecks = true // here
...

In addition, I replaced the old, expired MSP with a new MSP. Of course, both were issued by the same Fabric CA server.

So the current situation is:

  • TLS keys: expired (I did not replace them, because they should be updated through a channel configuration update.)
  • MSP keys: new

The problem is that when I restart each orderer, it looks fine at first, but then it suddenly produces:

2022-05-26 06:12:29.535 UTC [core.comm] ServerHandshake -> ERRO 0a4 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=10.0.4.45:55264

Then it shuts down with a Panic error like the following:

...
2022-05-26 06:12:36.533 UTC [orderer.common.cluster.replication] func1 -> WARN 0b9 Received error of type 'failed to create new connection: context deadline exceeded' from {"CAs":[{"Expired":false,"Issuer":"self","Subject":"..."}],"Endpoint":"orderer2.bpl:7050"} channel=trust-chain-system-channel
2022-05-26 06:12:36.533 UTC [orderer.common.cluster.replication] func1 -> WARN 0ba Received error of type 'failed to create new connection: context deadline exceeded' from {"CAs":[{"Expired":false,"Issuer":"self","Subject":"..."}],"Endpoint":"orderer0.bpl:7050"} channel=trust-chain-system-channel
2022-05-26 06:12:36.533 UTC [orderer.common.cluster.replication] HeightsByEndpoints -> INFO 0bb Returning the heights of OSNs mapped by endpoints map[] channel=trust-chain-system-channel
2022-05-26 06:12:36.533 UTC [orderer.common.cluster] ReplicateChains -> PANI 0bc Failed pulling system channel: failed obtaining the latest block for channel trust-chain-system-channel
panic: Failed pulling system channel: failed obtaining the latest block for channel trust-chain-system-channel

goroutine 73 [running]:
go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc002b4e000, 0x0, 0x0, 0x0)
    /go/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore/entry.go:230 +0x545
go.uber.org/zap.(*SugaredLogger).log(0xc000820df0, 0xc00252f804, 0x101c941, 0x21, 0xc002187c40, 0x1, 0x1, 0x0, 0x0, 0x0)
    /go/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:234 +0x100
go.uber.org/zap.(*SugaredLogger).Panicf(...)
    /go/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:159
github.com/hyperledger/fabric/common/flogging.(*FabricLogger).Panicf(...)
    /go/src/github.com/hyperledger/fabric/common/flogging/zap.go:74
github.com/hyperledger/fabric/orderer/common/cluster.(*Replicator).ReplicateChains(0xc002880840, 0xc0003bf000, 0xc002591a40, 0xc002880840)
    /go/src/github.com/hyperledger/fabric/orderer/common/cluster/replication.go:166 +0x49d
github.com/hyperledger/fabric/orderer/common/onboarding.(*ReplicationInitiator).ReplicateChains(0xc000180200, 0xc0003bf000, 0xc002591840, 0x1, 0x1, 0x0, 0x0, 0x0)
    /go/src/github.com/hyperledger/fabric/orderer/common/onboarding/onboarding.go:183 +0x1e3
github.com/hyperledger/fabric/orderer/common/onboarding.(*InactiveChainReplicator).replicateDisabledChains(0xc000208a80)
    /go/src/github.com/hyperledger/fabric/orderer/common/onboarding/onboarding.go:310 +0x225
github.com/hyperledger/fabric/orderer/common/onboarding.(*InactiveChainReplicator).Run(0xc000208a80)
    /go/src/github.com/hyperledger/fabric/orderer/common/onboarding/onboarding.go:288 +0x42
created by github.com/hyperledger/fabric/orderer/common/server.initializeEtcdraftConsenter
    /go/src/github.com/hyperledger/fabric/orderer/common/server/main.go:770 +0x218

Where should I start investigating to solve this problem? Please help me.

Thank you.

hyperledger-fabric hyperledger
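A worked check of what a TLS handshake time shift actually does, added here as an example in Go (not code from the question, the answer or Fabric itself): the endpoint that verifies a peer certificate runs the x509 validity check with its own clock moved back by the configured shift, so the shift has to reach back past NotAfter without reaching back before NotBefore, and only the verifying side's own setting applies. The certificate, trust pool and the name orderer0.example.test are constructed fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AcceptedWithShift verifies cert against roots the way an endpoint with a
// handshake time shift does: the validity check runs at now minus shift.
func AcceptedWithShift(cert *x509.Certificate, roots *x509.CertPool, shift time.Duration, now time.Time) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now.Add(-shift)})
	return err == nil
}

// newSelfSignedCert builds a constructed fixture: a one-year self-signed cert with a
// hypothetical name whose NotAfter lies expiredAgo in the past, plus a pool trusting it.
func newSelfSignedCert(now time.Time, expiredAgo time.Duration) (*x509.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "orderer0.example.test"},
		NotBefore:             now.Add(-expiredAgo - 365*24*time.Hour),
		NotAfter:              now.Add(-expiredAgo),
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above; parsing cannot fail here
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return cert, roots
}

func main() {
	now := time.Now()
	cert, roots := newSelfSignedCert(now, 500*time.Hour) // expired 500h ago, as in the question
	for _, shift := range []time.Duration{0, 400 * time.Hour, 650 * time.Hour, 9400 * time.Hour} {
		fmt.Printf("shift %v -> accepted=%v\n", shift, AcceptedWithShift(cert, roots, shift, now))
	}
}
```

The 9400h case shows the other failure mode: a shift larger than the certificate's whole lifetime moves the clock before NotBefore and is rejected just like no shift at all.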
1 answer

0 votes

To renew the TLS and enrollment certificates (the TLS and MSP signing certificates), we can re-enroll all components.

As shown in https://github.com/hyperledger/fabric-ca/releases/tag/v1.5.1, the new CA version lets us re-enroll with the existing keys even if the certificate has already expired. To do so:

  • 1 Add to the docker-compose-ca.yml of all CAs (organizations, orderers):
    - FABRIC_CA_SERVER_CA_REENROLLIGNORECERTEXPIRY = true
  • 2 You can change the same value inside the container by editing /etc/hyperledger/fabric-ca-server-config.yaml, looking for
    REENROLLIGNORECERTEXPIRY:false
    and changing it to true.
  • 3 Restart all containers: docker restart $(docker ps -a)
  • 4 Delete the expired CA tls certificates and use the reenroll command with the parameter
    --ca.reenrollignorecertexpiry
    Or copy reenroll.sh / renewal.sh to /test-network and run renewal.sh
  • 5 If you have a running application, you can edit the connection.json file with the new certificates