My Hyperledger Fabric network's TLS/MSP keys expired more than 500 hours ago. Because of the expiry, my orderers cannot be restarted once they are stopped.
My orderer setup is:
Following the documentation, I set the TLSHandshakeTimeShift option to 650h and NoExpirationChecks to true. I verified through the logs that these values are set correctly.
2022-05-26 06:12:11.676 UTC [orderer.common.server] prettyPrintStruct -> INFO 003 Orderer config values:
General.ListenAddress = "0.0.0.0"
General.ListenPort = 7050
General.TLS.Enabled = true
General.TLS.PrivateKey = "/artifacts/tls/keystore/key.pem"
General.TLS.Certificate = "/artifacts/tls/signcerts/cert.pem"
General.TLS.RootCAs = [/artifacts/tls/tlscacerts/ca-cert.pem]
General.TLS.ClientAuthRequired = false
General.TLS.ClientRootCAs = []
General.Cluster.ListenAddress = ""
General.Cluster.ListenPort = 0
General.Cluster.ServerCertificate = ""
General.Cluster.ServerPrivateKey = ""
General.Cluster.ClientCertificate = "/artifacts/tls/signcerts/cert.pem"
General.Cluster.ClientPrivateKey = "/artifacts/tls/keystore/key.pem"
General.Cluster.RootCAs = [/artifacts/tls/tlscacerts/ca-cert.pem]
General.Cluster.DialTimeout = 5s
General.Cluster.RPCTimeout = 7s
General.Cluster.ReplicationBufferSize = 20971520
General.Cluster.ReplicationPullTimeout = 5s
General.Cluster.ReplicationRetryTimeout = 5s
General.Cluster.ReplicationBackgroundRefreshInterval = 5m0s
General.Cluster.ReplicationMaxRetries = 12
General.Cluster.SendBufferSize = 10
General.Cluster.CertExpirationWarningThreshold = 168h0m0s
General.Cluster.TLSHandshakeTimeShift = 650h0m0s // here
General.Keepalive.ServerMinInterval = 1m0s
General.Keepalive.ServerInterval = 2h0m0s
General.Keepalive.ServerTimeout = 20s
General.ConnectionTimeout = 0s
General.GenesisMethod = "file"
General.GenesisFile = "/artifacts/genesis.block"
General.BootstrapMethod = "file"
General.BootstrapFile = "/artifacts/genesis.block"
General.Profile.Enabled = false
General.Profile.Address = "0.0.0.0:6060"
General.LocalMSPDir = "/artifacts/msp"
General.LocalMSPID = "BPLMSP"
General.BCCSP.ProviderName = "SW"
General.BCCSP.SwOpts.SecLevel = 256
General.BCCSP.SwOpts.HashFamily = "SHA2"
General.BCCSP.SwOpts.Ephemeral = true
General.BCCSP.SwOpts.FileKeystore.KeyStorePath = ""
General.BCCSP.SwOpts.DummyKeystore =
General.BCCSP.SwOpts.InmemKeystore =
General.Authentication.TimeWindow = 15m0s
General.Authentication.NoExpirationChecks = true // here
...
In addition, I replaced the old, expired MSP with a new MSP. Of course, both were issued by the same Fabric CA server.
So the current situation is:
The problem is that when I restart each orderer, it looks fine at first, but then it suddenly produces:
2022-05-26 06:12:29.535 UTC [core.comm] ServerHandshake -> ERRO 0a4 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=10.0.4.45:55264
Then it shuts down with a Panic error like the following:
...
2022-05-26 06:12:36.533 UTC [orderer.common.cluster.replication] func1 -> WARN 0b9 Received error of type 'failed to create new connection: context deadline exceeded' from {"CAs":[{"Expired":false,"Issuer":"self","Subject":"..."}],"Endpoint":"orderer2.bpl:7050"} channel=trust-chain-system-channel
2022-05-26 06:12:36.533 UTC [orderer.common.cluster.replication] func1 -> WARN 0ba Received error of type 'failed to create new connection: context deadline exceeded' from {"CAs":[{"Expired":false,"Issuer":"self","Subject":"..."}],"Endpoint":"orderer0.bpl:7050"} channel=trust-chain-system-channel
2022-05-26 06:12:36.533 UTC [orderer.common.cluster.replication] HeightsByEndpoints -> INFO 0bb Returning the heights of OSNs mapped by endpoints map[] channel=trust-chain-system-channel
2022-05-26 06:12:36.533 UTC [orderer.common.cluster] ReplicateChains -> PANI 0bc Failed pulling system channel: failed obtaining the latest block for channel trust-chain-system-channel
panic: Failed pulling system channel: failed obtaining the latest block for channel trust-chain-system-channel
goroutine 73 [running]:
go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc002b4e000, 0x0, 0x0, 0x0)
/go/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore/entry.go:230 +0x545
go.uber.org/zap.(*SugaredLogger).log(0xc000820df0, 0xc00252f804, 0x101c941, 0x21, 0xc002187c40, 0x1, 0x1, 0x0, 0x0, 0x0)
/go/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:234 +0x100
go.uber.org/zap.(*SugaredLogger).Panicf(...)
/go/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:159
github.com/hyperledger/fabric/common/flogging.(*FabricLogger).Panicf(...)
/go/src/github.com/hyperledger/fabric/common/flogging/zap.go:74
github.com/hyperledger/fabric/orderer/common/cluster.(*Replicator).ReplicateChains(0xc002880840, 0xc0003bf000, 0xc002591a40, 0xc002880840)
/go/src/github.com/hyperledger/fabric/orderer/common/cluster/replication.go:166 +0x49d
github.com/hyperledger/fabric/orderer/common/onboarding.(*ReplicationInitiator).ReplicateChains(0xc000180200, 0xc0003bf000, 0xc002591840, 0x1, 0x1, 0x0, 0x0, 0x0)
/go/src/github.com/hyperledger/fabric/orderer/common/onboarding/onboarding.go:183 +0x1e3
github.com/hyperledger/fabric/orderer/common/onboarding.(*InactiveChainReplicator).replicateDisabledChains(0xc000208a80)
/go/src/github.com/hyperledger/fabric/orderer/common/onboarding/onboarding.go:310 +0x225
github.com/hyperledger/fabric/orderer/common/onboarding.(*InactiveChainReplicator).Run(0xc000208a80)
/go/src/github.com/hyperledger/fabric/orderer/common/onboarding/onboarding.go:288 +0x42
created by github.com/hyperledger/fabric/orderer/common/server.initializeEtcdraftConsenter
/go/src/github.com/hyperledger/fabric/orderer/common/server/main.go:770 +0x218
Where should I start investigating to resolve this? Please help me.
Thank you.
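As an added illustration of what the TLSHandshakeTimeShift setting from the question does (this is not code from the question or from Fabric itself): a constructed self-signed certificate that expired 500 hours ago is verified with the clock shifted back, which is the check the verifying side of a cluster handshake performs, and only a shift larger than the time since expiry makes the chain valid again. The certificate, its common name and its 500h validity window are constructed values.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newExpiredCert builds a constructed self-signed cert (stand-in for the orderer TLS cert) whose 500h validity window ended expiredFor ago.
func newExpiredCert(expiredFor time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "orderer-tls.example"}, // constructed name
		NotBefore:             time.Now().Add(-expiredFor - 500*time.Hour),
		NotAfter:              time.Now().Add(-expiredFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// verifyWithShift verifies the chain as if the clock read now minus shift, the effect TLSHandshakeTimeShift has on the verifying side.
func verifyWithShift(cert *x509.Certificate, roots *x509.CertPool, shift time.Duration) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: time.Now().Add(-shift)})
	return err
}

func main() {
	cert, err := newExpiredCert(500 * time.Hour) // expired 500h ago, as in the question
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	for _, shift := range []time.Duration{0, 650 * time.Hour} {
		fmt.Printf("shift=%v -> verify error: %v\n", shift, verifyWithShift(cert, roots, shift))
	}
}
```

Because "remote error: tls: bad certificate" is an alert sent by the other end of the connection, the check that failed ran on the remote node, so the shift has to be in effect on every orderer that verifies this certificate, not only on the one being restarted.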
To renew the TLS and enrollment certificates (TLS and MSP signing certificates), we can re-enroll all components.
As shown in https://github.com/hyperledger/fabric-ca/releases/tag/v1.5.1, the new CA version lets us re-enroll with the existing key even if the certificate has expired. This can be done with:
- FABRIC_CA_SERVER_CA_REENROLLIGNORECERTEXPIRY = true
- REENROLLIGNORECERTEXPIRY: false, changed to true to change the same value inside the container
- a re-enroll command with --ca.reenrollignorecertexpiry
Or copy reenroll.sh and renewal.sh into /test-network and run renewal.sh.