订购者 bootstrap 说:CA 证书没有 CA 属性
Orderer bootstrap says: CA Certificate did not have the CA attribute
订购者的引导给我以下错误:
[orderer.common.server] Start -> PANI 003 Failed validating bootstrap block: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: CA Certificate did not have the CA attribute, (SN: f8adffbd6a2debed01cd2840f1f75cd77bfdc9c)
panic: Failed validating bootstrap block: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: CA Certificate did not have the CA attribute, (SN: f8adffbd6a2debed01cd2840f1f75cd77bfdc9c)
goroutine 1 [running]:
github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc0001b1970, 0x0, 0x0, 0x0)
/opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore/entry.go:229 +0x515
github.com/hyperledger/fabric/vendor/go.uber.org/zap.(*SugaredLogger).log(0xc0001382a0, 0xc00003d804, 0x10355b0, 0x25, 0xc00047bd10, 0x1, 0x1, 0x0, 0x0, 0x0)
/opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:234 +0xf6
github.com/hyperledger/fabric/vendor/go.uber.org/zap.(*SugaredLogger).Panicf(0xc0001382a0, 0x10355b0, 0x25, 0xc00047bd10, 0x1, 0x1)
/opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:159 +0x79
github.com/hyperledger/fabric/common/flogging.(*FabricLogger).Panicf(0xc0001382a8, 0x10355b0, 0x25, 0xc00047bd10, 0x1, 0x1)
/opt/gopath/src/github.com/hyperledger/fabric/common/flogging/zap.go:74 +0x60
github.com/hyperledger/fabric/orderer/common/server.Start(0x1013e09, 0x5, 0xc00054f200)
/opt/gopath/src/github.com/hyperledger/fabric/orderer/common/server/main.go:98 +0xcd
github.com/hyperledger/fabric/orderer/common/server.Main()
/opt/gopath/src/github.com/hyperledger/fabric/orderer/common/server/main.go:91 +0x1ce
main.main()
/opt/gopath/src/github.com/hyperledger/fabric/orderer/main.go:15 +0x20
我检查了 CA 证书文件并具有以下属性:
X509v3 基本约束:关键
CA:TRUE、pathlen:0
我创建了创世块,其中 configtxgen 指向遵循通用结构的文件夹
我也在使用结构 CA
编辑 1:
所以我一直在创建网络而不是使用 fabric CA 来使用 cryptogen,我已经按照 fabric 的教程学习如何创建证书,这就是我所做的:
export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/fabric-ca/clients/admin
./fabric-samples/bin/fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --tls.certfiles ./tls-cert.pem
./fabric-samples/bin/fabric-ca-client register --id.name peer0.example.com --id.type peer --id.affiliation example.operations --tls.certfiles ./tls-cert.pem
export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/crypto-config/peerOrganizations/example.com/peers/peer0
./fabric-samples/bin/fabric-ca-client enroll -u https://peer0.example.com:aTSKHAhxxrIl@localhost:7054 --tls.certfiles ./tls-cert.pem -M $FABRIC_CA_CLIENT_HOME/msp
export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/fabric-ca/clients/admin
./fabric-samples/bin/fabric-ca-client register --id.name peer1.example.com --id.type peer --id.affiliation example.operations --tls.certfiles ./tls-cert.pem
export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/crypto-config/peerOrganizations/example.com/peers/peer1
./fabric-samples/bin/fabric-ca-client enroll -u https://peer1.example.com:ptPLWOAudqNJ@localhost:7054 --tls.certfiles ./tls-cert.pem -M $FABRIC_CA_CLIENT_HOME/msp
export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/fabric-ca/clients/admin
./fabric-samples/bin/fabric-ca-client register --id.name orderer0.example.com --id.type orderer --id.affiliation example.operations --tls.certfiles ./tls-cert.pem
export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/crypto-config/ordererOrganizations/example.com/orderers/orderer0
./fabric-samples/bin/fabric-ca-client enroll -u https://orderer0.example.com:WfEfUodXgjDI@localhost:7054 --tls.certfiles ./tls-cert.pem -M $FABRIC_CA_CLIENT_HOME/msp
在注册所有节点和排序节点后,我开始使用以下命令创建工件
export CHANNEL_NAME=examplechannel
./fabric-samples/bin/configtxgen -profile OrdererGenesis -outputBlock ./config/genesis.block -channelID $CHANNEL_NAME
./fabric-samples/bin/configtxgen -profile ExampleChannel -outputCreateChannelTx ./config/channel.tx -channelID $CHANNEL_NAME
./fabric-samples/bin/configtxgen -profile ExampleChannel -outputAnchorPeersUpdate ./config/ExampleMSPanchors.tx -channelID $CHANNEL_NAME -asOrg Example
所有使用加密 material 文件夹的结构,如下所示:
- ordererOrganizations
- example.com
- msp
- admincerts (the certificates of the administrators of that organization)
- cacerts (the ca certificates of the organization)
- tlscacerts (the tls certificate)
- signcerts
- peerOrganizations
- example.conm
- msp
- admincerts (the certificates of the administrators of that organization)
- cacerts (the ca certificates of the organization)
- tlscacerts (the tls certificate)
- signcerts
编辑 2:
所以它们是一对夫妇。我正在使用没有启用任何外部证书和 TLS 的结构 CA,因此,在引导时它会创建所有加密 material。
为了找到问题,我一直在比较解码由 cryptogen 工具创建的 material 和 fabric ca material,我使用了这个网站 https://certlogik.com/decoder/。
除 tls 证书外,所有证书都具有相同的属性。由 cryptogen 工具创建的具有以下 属性 true:
X509v3 基本约束:关键
CA:TRUE
但是fabric ca创建的那个属性为false,所以是有属性决定这个我没有设置还是bug?
编辑 3:
感谢@gari 以及超级账本聊天室的人们,我找到了解决方案。我误以为 ca 创建的 tls 和 tlsca 是两个分开的东西。
TLSCA 必须带外分发。
在 ca 上设置一个 nginx 服务器,并为它们提供一个真正的 public cacert 支持的 http 请求,scp 它们,sneaker net 等等
有一个 hack 可以直接使用 curl 从 ca-server 获取它,但它需要关闭 ca 检查
A lets encrypt 可以,但您需要一个单独的 nginx 服务器或等效集来为非 public tlsca 提供服务。或者您可以只为 tlsca 本身使用 LE 证书,但这会很糟糕,因为每次从 lets encrypt 更新 tlsca 时您都必须重做每个通道。
确保 cacerts 和 tlscacerts 都包含根证书。根据您对上述布局的描述,您似乎没有 CA 证书是 tlscacerts 文件夹。
订购者的引导给我以下错误:
[orderer.common.server] Start -> PANI 003 Failed validating bootstrap block: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: CA Certificate did not have the CA attribute, (SN: f8adffbd6a2debed01cd2840f1f75cd77bfdc9c)
panic: Failed validating bootstrap block: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: CA Certificate did not have the CA attribute, (SN: f8adffbd6a2debed01cd2840f1f75cd77bfdc9c)
goroutine 1 [running]:
github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc0001b1970, 0x0, 0x0, 0x0)
/opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore/entry.go:229 +0x515
github.com/hyperledger/fabric/vendor/go.uber.org/zap.(*SugaredLogger).log(0xc0001382a0, 0xc00003d804, 0x10355b0, 0x25, 0xc00047bd10, 0x1, 0x1, 0x0, 0x0, 0x0)
/opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:234 +0xf6
github.com/hyperledger/fabric/vendor/go.uber.org/zap.(*SugaredLogger).Panicf(0xc0001382a0, 0x10355b0, 0x25, 0xc00047bd10, 0x1, 0x1)
/opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:159 +0x79
github.com/hyperledger/fabric/common/flogging.(*FabricLogger).Panicf(0xc0001382a8, 0x10355b0, 0x25, 0xc00047bd10, 0x1, 0x1)
/opt/gopath/src/github.com/hyperledger/fabric/common/flogging/zap.go:74 +0x60
github.com/hyperledger/fabric/orderer/common/server.Start(0x1013e09, 0x5, 0xc00054f200)
/opt/gopath/src/github.com/hyperledger/fabric/orderer/common/server/main.go:98 +0xcd
github.com/hyperledger/fabric/orderer/common/server.Main()
/opt/gopath/src/github.com/hyperledger/fabric/orderer/common/server/main.go:91 +0x1ce
main.main()
/opt/gopath/src/github.com/hyperledger/fabric/orderer/main.go:15 +0x20
我检查了 CA 证书文件并具有以下属性:
X509v3 基本约束:关键 CA:TRUE、pathlen:0
我创建了创世块,其中 configtxgen 指向遵循通用结构的文件夹
我也在使用结构 CA
编辑 1:
所以我一直在创建网络而不是使用 fabric CA 来使用 cryptogen,我已经按照 fabric 的教程学习如何创建证书,这就是我所做的:
export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/fabric-ca/clients/admin
./fabric-samples/bin/fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --tls.certfiles ./tls-cert.pem
./fabric-samples/bin/fabric-ca-client register --id.name peer0.example.com --id.type peer --id.affiliation example.operations --tls.certfiles ./tls-cert.pem
export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/crypto-config/peerOrganizations/example.com/peers/peer0
./fabric-samples/bin/fabric-ca-client enroll -u https://peer0.example.com:aTSKHAhxxrIl@localhost:7054 --tls.certfiles ./tls-cert.pem -M $FABRIC_CA_CLIENT_HOME/msp
export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/fabric-ca/clients/admin
./fabric-samples/bin/fabric-ca-client register --id.name peer1.example.com --id.type peer --id.affiliation example.operations --tls.certfiles ./tls-cert.pem
export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/crypto-config/peerOrganizations/example.com/peers/peer1
./fabric-samples/bin/fabric-ca-client enroll -u https://peer1.example.com:ptPLWOAudqNJ@localhost:7054 --tls.certfiles ./tls-cert.pem -M $FABRIC_CA_CLIENT_HOME/msp
export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/fabric-ca/clients/admin
./fabric-samples/bin/fabric-ca-client register --id.name orderer0.example.com --id.type orderer --id.affiliation example.operations --tls.certfiles ./tls-cert.pem
export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/crypto-config/ordererOrganizations/example.com/orderers/orderer0
./fabric-samples/bin/fabric-ca-client enroll -u https://orderer0.example.com:WfEfUodXgjDI@localhost:7054 --tls.certfiles ./tls-cert.pem -M $FABRIC_CA_CLIENT_HOME/msp
在注册所有节点和排序节点后,我开始使用以下命令创建工件
export CHANNEL_NAME=examplechannel
./fabric-samples/bin/configtxgen -profile OrdererGenesis -outputBlock ./config/genesis.block -channelID $CHANNEL_NAME
./fabric-samples/bin/configtxgen -profile ExampleChannel -outputCreateChannelTx ./config/channel.tx -channelID $CHANNEL_NAME
./fabric-samples/bin/configtxgen -profile ExampleChannel -outputAnchorPeersUpdate ./config/ExampleMSPanchors.tx -channelID $CHANNEL_NAME -asOrg Example
所有使用加密 material 文件夹的结构,如下所示:
- ordererOrganizations
- example.com
- msp
- admincerts (the certificates of the administrators of that organization)
- cacerts (the ca certificates of the organization)
- tlscacerts (the tls certificate)
- signcerts
- peerOrganizations
- example.conm
- msp
- admincerts (the certificates of the administrators of that organization)
- cacerts (the ca certificates of the organization)
- tlscacerts (the tls certificate)
- signcerts
编辑 2:
所以它们是一对夫妇。我正在使用没有启用任何外部证书和 TLS 的结构 CA,因此,在引导时它会创建所有加密 material。 为了找到问题,我一直在比较解码由 cryptogen 工具创建的 material 和 fabric ca material,我使用了这个网站 https://certlogik.com/decoder/。 除 tls 证书外,所有证书都具有相同的属性。由 cryptogen 工具创建的具有以下 属性 true:
X509v3 基本约束:关键 CA:TRUE
但是fabric ca创建的那个属性为false,所以是有属性决定这个我没有设置还是bug?
编辑 3:
感谢@gari 以及超级账本聊天室的人们,我找到了解决方案。我误以为 ca 创建的 tls 和 tlsca 是两个分开的东西。
TLSCA 必须带外分发。 在 ca 上设置一个 nginx 服务器,并为它们提供一个真正的 public cacert 支持的 http 请求,scp 它们,sneaker net 等等 有一个 hack 可以直接使用 curl 从 ca-server 获取它,但它需要关闭 ca 检查
A lets encrypt 可以,但您需要一个单独的 nginx 服务器或等效集来为非 public tlsca 提供服务。或者您可以只为 tlsca 本身使用 LE 证书,但这会很糟糕,因为每次从 lets encrypt 更新 tlsca 时您都必须重做每个通道。
确保 cacerts 和 tlscacerts 都包含根证书。根据您对上述布局的描述,您似乎没有 CA 证书是 tlscacerts 文件夹。