Orderer bootstrap fails: CA Certificate did not have the CA attribute

Question (votes: 1, answers: 1)

I followed the Fabric CA Operations Guide tutorial and made one small change: I removed org2. When I try to bootstrap the orderer (startOrder()), I get this problem:

```text
orderer1-org0    |  Metrics.Statsd.Address = "127.0.0.1:8125"
orderer1-org0    |  Metrics.Statsd.WriteInterval = 30s
orderer1-org0    |  Metrics.Statsd.Prefix = ""
orderer1-org0    | 2020-01-17 08:38:42.755 UTC [orderer.common.server] Start -> PANI 003 Failed validating bootstrap block: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: CA Certificate did not have the CA attribute, (SN: 333bd2e7c3a72c1cde58a74d599487437e053834)
orderer1-org0    | panic: Failed validating bootstrap block: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: CA Certificate did not have the CA attribute, (SN: 333bd2e7c3a72c1cde58a74d599487437e053834)
orderer1-org0    | 
orderer1-org0    | goroutine 1 [running]:
orderer1-org0    | github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc000189970, 0x0, 0x0, 0x0)
orderer1-org0    |  /opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore/entry.go:229 +0x546
orderer1-org0    | github.com/hyperledger/fabric/vendor/go.uber.org/zap.(*SugaredLogger).log(0xc000010188, 0x16ab104, 0x1552904, 0x25, 0xc000173cd0, 0x1, 0x1, 0x0, 0x0, 0x0)
orderer1-org0    |  /opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:234 +0x101
orderer1-org0    | github.com/hyperledger/fabric/vendor/go.uber.org/zap.(*SugaredLogger).Panicf(...)
orderer1-org0    |  /opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:159
orderer1-org0    | github.com/hyperledger/fabric/common/flogging.(*FabricLogger).Panicf(...)
orderer1-org0    |  /opt/gopath/src/github.com/hyperledger/fabric/common/flogging/zap.go:74
orderer1-org0    | github.com/hyperledger/fabric/orderer/common/server.Start(0x15309fe, 0x5, 0xc00069c900)
orderer1-org0    |  /opt/gopath/src/github.com/hyperledger/fabric/orderer/common/server/main.go:98 +0xe5
orderer1-org0    | github.com/hyperledger/fabric/orderer/common/server.Main()
orderer1-org0    |  /opt/gopath/src/github.com/hyperledger/fabric/orderer/common/server/main.go:91 +0x208
orderer1-org0    | main.main()
orderer1-org0    |  /opt/gopath/src/github.com/hyperledger/fabric/orderer/main.go:15 +0x20
orderer1-org0 exited with code 2
```

I have retried the service several times but run into the same problem. I would like to know where I am supposed to provide the CA attribute.

bash shell:

```bash
function rootca() {
    docker-compose -f dp-scecochain-ca.yaml up -d ca-tls
    echo "wait for 10s to start ca-tls"
    sleep 5
    mkdir -p "/tmp/hyperledger/tls-ca/crypto/"
    cp /tmp/hyperledger/tls/ca/crypto/ca-cert.pem /tmp/hyperledger/tls-ca/crypto/tls-ca-cert.pem
    export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/tls-ca/crypto/tls-ca-cert.pem
    export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/tls-ca/admin
    # bootstrap admin password elided in the original post; placeholder
    fabric-ca-client enroll -d -u https://tls-ca-admin:TLS_CA_ADMIN_PW@0.0.0.0:7052
    fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7052
    fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7052
    fabric-ca-client register -d --id.name peer1-org2 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7052
    fabric-ca-client register -d --id.name peer2-org2 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7052
    fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererPW --id.type orderer -u https://0.0.0.0:7052
}

function org0ca() {
    docker-compose -f dp-scecochain-ca.yaml up -d rca-org0
    sleep 5
    #mkdir -p "/tmp/hyperledger/org0/ca/crypto/"
    #cp /tmp/hyperledger/tls/ca/crypto/ca-cert.pem /tmp/hyperledger/org0/ca/crypto/ca-cert.pem
    export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/ca/crypto/ca-cert.pem
    export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/ca/admin
    # bootstrap admin password elided in the original post; placeholder
    fabric-ca-client enroll -d -u https://rca-org0-admin:RCA_ORG0_ADMIN_PW@0.0.0.0:7053
    fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererpw --id.type orderer -u https://0.0.0.0:7053
    fabric-ca-client register -d --id.name admin-org0 --id.secret org0adminpw --id.type admin --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -u https://0.0.0.0:7053
}

function org1ca() {
    docker-compose -f dp-scecochain-ca.yaml up -d rca-org1
    sleep 5
    #mkdir -p "/tmp/hyperledger/org1/ca/crypto/"
    #cp /tmp/hyperledger/tls/ca/crypto/ca-cert.pem /tmp/hyperledger/org1/ca/crypto/ca-cert.pem
    export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/ca/crypto/ca-cert.pem
    export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/ca/admin
    # bootstrap admin password elided in the original post; placeholder
    fabric-ca-client enroll -d -u https://rca-org1-admin:RCA_ORG1_ADMIN_PW@0.0.0.0:7054
    fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7054
    fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7054
    fabric-ca-client register -d --id.name admin-org1 --id.secret org1AdminPW --id.type user -u https://0.0.0.0:7054
    fabric-ca-client register -d --id.name user-org1 --id.secret org1UserPW --id.type user -u https://0.0.0.0:7054
}

function startPeer() {
    mkdir -p "/tmp/hyperledger/org1/peer1/assets/ca/"
    cp /tmp/hyperledger/org1/ca/crypto/ca-cert.pem /tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/peer1
    export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem
    fabric-ca-client enroll -d -u https://peer1-org1:peer1PW@0.0.0.0:7054

    mkdir -p "/tmp/hyperledger/org1/peer1/assets/tls-ca/"
    cp /tmp/hyperledger/tls/ca/crypto/tls-cert.pem /tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=tls-msp
    export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/tls-ca/tls-ca-cert.pem
    fabric-ca-client enroll -d -u https://peer1-org1:peer1PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer1-org1
    mkdir -p "/tmp/hyperledger/org1/peer2/assets/ca/"
    cp /tmp/hyperledger/org1/ca/crypto/ca-cert.pem /tmp/hyperledger/org1/peer2/assets/ca/org1-ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/peer2
    export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer2/assets/ca/org1-ca-cert.pem
    fabric-ca-client enroll -d -u https://peer2-org1:peer2PW@0.0.0.0:7054
    mkdir -p "/tmp/hyperledger/org1/peer2/assets/tls-ca/"
    cp /tmp/hyperledger/tls/ca/crypto/tls-cert.pem /tmp/hyperledger/org1/peer2/assets/tls-ca/tls-ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=tls-msp
    export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer2/assets/tls-ca/tls-ca-cert.pem
    fabric-ca-client enroll -d -u https://peer2-org1:peer2PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer2-org1


    export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/admin
    export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer1/assets/ca/org1-ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://admin-org1:org1AdminPW@0.0.0.0:7054

    export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org2/admin
    export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/peer2/assets/ca/org1-ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    fabric-ca-client enroll -d -u https://admin-org1:org1AdminPW@0.0.0.0:7054

    mkdir /tmp/hyperledger/org1/peer1/msp/admincerts
    mkdir /tmp/hyperledger/org1/peer2/msp/admincerts
    cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/peer1/msp/admincerts/org1-admin-cert.pem
    cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/peer2/msp/admincerts/org1-admin-cert.pem

    #rename to /tmp/hyperledger/org1/peer2/tls-msp/keystore  key.pem
    mv /tmp/hyperledger/org1/peer1/tls-msp/keystore/*_sk /tmp/hyperledger/org1/peer1/tls-msp/keystore/key.pem
    mv /tmp/hyperledger/org1/peer2/tls-msp/keystore/*_sk /tmp/hyperledger/org1/peer2/tls-msp/keystore/key.pem
    docker-compose -f dp-scecochain-ca.yaml up -d peer1-org1
    docker-compose -f dp-scecochain-ca.yaml up -d peer2-org1
}

function genesis() {
    mkdir -p "/tmp/hyperledger/org0/orderer/assets/ca"
    cp /tmp/hyperledger/org0/ca/crypto/ca-cert.pem /tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=msp
    export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/orderer
    export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
    fabric-ca-client enroll -d -u https://orderer1-org0:ordererpw@0.0.0.0:7053

    mkdir -p "/tmp/hyperledger/org0/orderer/assets/tls-ca/"
    cp /tmp/hyperledger/tls/ca/crypto/tls-cert.pem /tmp/hyperledger/org0/orderer/assets/tls-ca/tls-ca-cert.pem
    export FABRIC_CA_CLIENT_MSPDIR=tls-msp
    export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderer/assets/tls-ca/tls-ca-cert.pem
    fabric-ca-client enroll -d -u https://orderer1-org0:ordererPW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts orderer1-org0
    mv /tmp/hyperledger/org0/orderer/tls-msp/keystore/*_sk /tmp/hyperledger/org0/orderer/tls-msp/keystore/key.pem
    export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/admin
    export FABRIC_CA_CLIENT_MSPDIR=msp
    export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem
    fabric-ca-client enroll -d -u https://admin-org0:org0adminpw@0.0.0.0:7053
    mkdir /tmp/hyperledger/org0/orderer/msp/admincerts
    cp /tmp/hyperledger/org0/admin/msp/signcerts/cert.pem /tmp/hyperledger/org0/orderer/msp/admincerts/orderer-admin-cert.pem

    mkdir /tmp/hyperledger/org0/msp
    mkdir /tmp/hyperledger/org0/msp/admincerts
    mkdir /tmp/hyperledger/org0/msp/cacerts
    mkdir /tmp/hyperledger/org0/msp/tlscacerts
    cp /tmp/hyperledger/org0/admin/msp/signcerts/cert.pem /tmp/hyperledger/org0/msp/admincerts/orderer-admin-cert.pem
    cp /tmp/hyperledger/org0/orderer/assets/ca/org0-ca-cert.pem /tmp/hyperledger/org0/msp/cacerts/org0-ca-cert.pem
    cp /tmp/hyperledger/org0/orderer/assets/tls-ca/tls-ca-cert.pem /tmp/hyperledger/org0/msp/tlscacerts/tls-ca-cert.pem
    mkdir /tmp/hyperledger/org1/msp
    mkdir /tmp/hyperledger/org1/msp/admincerts
    mkdir /tmp/hyperledger/org1/msp/cacerts
    mkdir /tmp/hyperledger/org1/msp/tlscacerts
    cp /tmp/hyperledger/org1/admin/msp/signcerts/cert.pem /tmp/hyperledger/org1/msp/admincerts/admin-org1-cert.pem
    cp /tmp/hyperledger/org1/ca/crypto/ca-cert.pem /tmp/hyperledger/org1/msp/cacerts/org0-ca-cert.pem
    cp /tmp/hyperledger/tls-ca/crypto/tls-ca-cert.pem /tmp/hyperledger/org1/msp/tlscacerts/tls-ca-cert.pem

    configtxgen -profile OrgsOrdererGenesis -outputBlock /tmp/hyperledger/org0/orderer/genesis.block
    configtxgen -profile OrgsChannel -outputCreateChannelTx /tmp/hyperledger/org0/orderer/channel.tx -channelID mychannel
}

function startOrder() {
    docker-compose -f dp-scecochain-ca.yaml up orderer1-org0
}

function networkDown() {
    docker-compose -f dp-scecochain-ca.yaml down
    sleep 10
    docker volume prune -f
    rm -rf /tmp/hyperledger/*
}
```

and configtx.yaml:

```yaml
################################################################################
#
#   Section: Organizations
#
#   - This section defines the different organizational identities which will
#   be referenced later in the configuration.
#
################################################################################
Organizations:

    - &org0

        Name: org0

        # ID to load the MSP definition as
        ID: org0MSP

        # MSPDir is the filesystem path which contains the MSP configuration
        MSPDir: /tmp/hyperledger/org0/msp

    - &org1

        Name: org1

        # ID to load the MSP definition as
        ID: org1MSP

        # MSPDir is the filesystem path which contains the MSP configuration
        MSPDir: /tmp/hyperledger/org1/msp

        AnchorPeers:
            # AnchorPeers defines the location of peers which can be used
            # for cross org gossip communication.  Note, this value is only
            # encoded in the genesis block in the Application section context
            - Host: peer1-org1
              Port: 7051


################################################################################
#
#   CAPABILITIES
#
#   This section defines the capabilities of fabric network. This is a new
#   concept as of v1.1.0 and should not be utilized in mixed networks with
#   v1.0.x peers and orderers.  Capabilities define features which must be
#   present in a fabric binary for that binary to safely participate in the
#   fabric network.  For instance, if a new MSP type is added, newer binaries
#   might recognize and validate the signatures from this type, while older
#   binaries without this support would be unable to validate those
#   transactions.  This could lead to different versions of the fabric binaries
#   having different world states.  Instead, defining a capability for a channel
#   informs those binaries without this capability that they must cease
#   processing transactions until they have been upgraded.  For v1.0.x if any
#   capabilities are defined (including a map with all capabilities turned off)
#   then the v1.0.x peer will deliberately crash.
#
################################################################################
Capabilities:
    # Channel capabilities apply to both the orderers and the peers and must be
    # supported by both.
    # Set the value of the capability to true to require it.
    # Note that setting a later Channel version capability to true will also
    # implicitly set prior Channel version capabilities to true. There is no need
    # to set each version capability to true (prior version capabilities remain
    # in this sample only to provide the list of valid values).
    Channel: &ChannelCapabilities
        # V1.4.3 for Channel is a catchall flag for behavior which has been
        # determined to be desired for all orderers and peers running at the v1.4.3
        # level, but which would be incompatible with orderers and peers from
        # prior releases.
        # Prior to enabling V1.4.3 channel capabilities, ensure that all
        # orderers and peers on a channel are at v1.4.3 or later.
        V1_4_3: true
        # V1.3 for Channel enables the new non-backwards compatible
        # features and fixes of fabric v1.3
        V1_3: false
        # V1.1 for Channel enables the new non-backwards compatible
        # features and fixes of fabric v1.1
        V1_1: false

    # Orderer capabilities apply only to the orderers, and may be safely
    # used with prior release peers.
    # Set the value of the capability to true to require it.
    # Note that setting a later Orderer version capability to true will also
    # implicitly set prior Orderer version capabilities to true. There is no need
    # to set each version capability to true (prior version capabilities remain
    # in this sample only to provide the list of valid values).
    Orderer: &OrdererCapabilities
        # V1.4.2 for Orderer is a catchall flag for behavior which has been
        # determined to be desired for all orderers running at the v1.4.2
        # level, but which would be incompatible with orderers from prior releases.
        # Prior to enabling V1.4.2 orderer capabilities, ensure that all
        # orderers on a channel are at v1.4.2 or later.
        V1_4_2: true
        # V1.1 for Orderer enables the new non-backwards compatible
        # features and fixes of fabric v1.1
        V1_1: false

    # Application capabilities apply only to the peer network, and may be safely
    # used with prior release orderers.
    # Set the value of the capability to true to require it.
    # Note that setting a later Application version capability to true will also
    # implicitly set prior Application version capabilities to true. There is no need
    # to set each version capability to true (prior version capabilities remain
    # in this sample only to provide the list of valid values).
    Application: &ApplicationCapabilities
        # V1.4.2 for Application enables the new non-backwards compatible
        # features and fixes of fabric v1.4.2
        V1_4_2: true
        # V1.3 for Application enables the new non-backwards compatible
        # features and fixes of fabric v1.3.
        V1_3: false
        # V1.2 for Application enables the new non-backwards compatible
        # features and fixes of fabric v1.2 (note, this need not be set if
        # later version capabilities are set)
        V1_2: false
        # V1.1 for Application enables the new non-backwards compatible
        # features and fixes of fabric v1.1 (note, this need not be set if
        # later version capabilities are set).
        V1_1: false


################################################################################
#
#   SECTION: Application
#
#   This section defines the values to encode into a config transaction or
#   genesis block for application related parameters
#
################################################################################
Application: &ApplicationDefaults

    # Organizations is the list of orgs which are defined as participants on
    # the application side of the network
    Organizations:


################################################################################
#
#   Profile
#
#   - Different configuration profiles may be encoded here to be specified
#   as parameters to the configtxgen tool
#
################################################################################
Profiles:

    OrgsOrdererGenesis:
        Orderer:
            # Orderer Type: The orderer implementation to start
            # Available types are "solo" and "kafka"
            OrdererType: solo
            Addresses:
            - orderer1-org0:7050

            # Batch Timeout: The amount of time to wait before creating a batch
            BatchTimeout: 2s

            # Batch Size: Controls the number of messages batched into a block
            BatchSize:

                # Max Message Count: The maximum number of messages to permit in a batch
                MaxMessageCount: 10

                # Absolute Max Bytes: The absolute maximum number of bytes allowed for
                # the serialized messages in a batch.
                AbsoluteMaxBytes: 99 MB

                # Preferred Max Bytes: The preferred maximum number of bytes allowed for
                # the serialized messages in a batch. A message larger than the preferred
                # max bytes will result in a batch larger than preferred max bytes.
                PreferredMaxBytes: 512 KB

            # Kafka:
            #   # Brokers: A list of Kafka brokers to which the orderer connects
            #   # NOTE: Use IP:port notation
            #   Brokers:
            #     - 127.0.0.1:9092

            # Organizations is the list of orgs which are defined as participants on
            # the orderer side of the network
            Organizations:
            - *org0

        Consortiums:

            SampleConsortium:

                Organizations:
                    - *org1

    OrgsChannel:
        Consortium: SampleConsortium
        Application:
           <<: *ApplicationDefaults
           Organizations:
           - *org1
```
Tags: hyperledger-fabric, hyperledger-fabric-ca

1 Answer

Votes: 0

Your CA root (or intermediate) certificate must include:

```text
Certificate:
    Data:
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
```

If you inspect org1-ca-cert.pem ...

```sh
openssl x509 -text -noout -in org1-ca-cert.pem
```

... I would bet you will see that it does not contain that attribute.

I don't know how you created the CA's certificate, but if you configure a file name that does not exist, Fabric CA automatically creates a suitable root certificate when it starts.
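The check the answer describes, run over a whole MSP directory instead of one file, as an added example in Go (not code from the question, the answer or the Fabric project). It assumes the orderer's MSP layout from the question (/tmp/hyperledger/org0/msp) and relies on the fact that Fabric's MSP loader applies the same CA-flag test to the cacerts, intermediatecerts and tlscacerts folders; selfSignedPEM produces constructed certificates for demonstration, not fabric-ca output.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// checkCert mirrors the MSP loader's test on one PEM file: the first block must be a
// certificate carrying Basic Constraints CA:TRUE. An empty string means the file passes.
func checkCert(data []byte) string {
	b, _ := pem.Decode(data)
	if b == nil {
		return "no PEM block found"
	}
	cert, err := x509.ParseCertificate(b.Bytes)
	if err != nil {
		return "not a certificate: " + err.Error()
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return fmt.Sprintf("CA Certificate did not have the CA attribute, (SN: %x) CN=%s", cert.SerialNumber, cert.Subject.CommonName)
	}
	return ""
}

// checkMSPDir applies checkCert to every file in the MSP folders that hold trust anchors,
// so a non-CA leaf copied into tlscacerts is reported just like one in cacerts.
func checkMSPDir(mspDir string) []string {
	var problems []string
	for _, sub := range []string{"cacerts", "intermediatecerts", "tlscacerts", "tlsintermediatecerts"} {
		files, _ := filepath.Glob(filepath.Join(mspDir, sub, "*"))
		for _, f := range files {
			data, _ := os.ReadFile(f) // an unreadable file yields no PEM block and is reported below
			if msg := checkCert(data); msg != "" {
				problems = append(problems, f+": "+msg)
			}
		}
	}
	return problems
}

// selfSignedPEM builds a constructed test certificate (not fabric-ca output); isCA=true mimics a root ca-cert.pem, isCA=false the CA server's own listener cert tls-cert.pem.
func selfSignedPEM(cn string, isCA bool) []byte {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: isCA, IsCA: isCA}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() { // usage: go run . /tmp/hyperledger/org0/msp
	fmt.Println(checkMSPDir(os.Args[1])) // a correctly built MSP prints []
}
```

In the genesis() function of the question, org0's tlscacerts entry is copied from /tmp/hyperledger/tls/ca/crypto/tls-cert.pem, which is the CA server's own TLS listener certificate rather than its ca-cert.pem, so that file is the first one worth running through this check.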
