Fabric v2.0 in kubernetes (minikube) - error Peer channel join - TLS issue because of pod's names
I am trying to set up the Fabric v2.0 test network (https://hyperledger-fabric.readthedocs.io/en/release-2.0/test_network.html) on kubernetes (locally on minikube). I get an error on peer channel join.
I created the kubernetes files based on the docker-compose-test-net.yaml of the test network. I successfully deployed the following pods:
- an orderer (raft)
- 2 peers (peer0-org1-example-com and peer0-org2-example-com)
- a fabric-tools pod.
I successfully generated the crypto material with cryptogen and configtxgen.
I successfully created the channel. From the fabric-tools pod:
bash-5.0# peer channel create -o orderer-example-com:7050 -c $CHANNEL_NAME --ordererTLSHostnameOverride orderer.example.com -f /fabric/${CHANNEL_NAME}.tx --tls --cafile $ORDERER_CA
2020-02-11 08:10:14.057 CET [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2020-02-11 08:10:14.080 CET [cli.common] readBlock -> INFO 002 Expect block, but got status: &{NOT_FOUND}
...
2020-02-11 08:10:15.105 CET [cli.common] readBlock -> INFO 00c Received block: 0
But when I try to make the first peer join the channel, I get an error. I have already spent several days on this issue and cannot find a solution. Your help would be much appreciated!!
In the fabric-tools pod:
bash-5.0# peer channel join -b $CHANNEL_NAME.block
Error: error getting endorser client for channel: endorser client failed to connect to peer0-org1-example-com:7051: failed to create new connection: context deadline exceeded
What I see in the peer0-org1-example-com pod logs:
2020-02-11 08:11:29.945 CET [core.comm] ServerHandshake -> ERRO 1b9 TLS handshake failed with error remote error: tls: bad certificate server=PeerServer remoteaddress=172.17.0.6:43270
2020-02-11 08:11:29.945 CET [grpc] handleRawConn -> DEBU 1ba grpc: Server.Serve failed to complete security handshake from "172.17.0.6:43270": remote error: tls: bad certificate
Thanks!!
Update:
If I run peer channel join directly in the peer0-org1-example-com pod, I can see that there is a certificate issue:
addrConn.createTransport failed to connect to {peer0-org1-example-com:7051 0 <nil>}. Err :connection error: desc = "transport: authentication handshake failed: x509: certificate is valid for peer0.org1.example.com, peer0, localhost, peer0.org1.example.com, peer0, localhost, peer0.org1.example.com, peer0, localhost, not peer0-org1-example-com". Reconnecting.
It seems to accept connections for peer0.org1.example.com but not for peer0-org1-example-com. But Kubernetes does not allow me to put dots in the names of services and deployments, which is why I used dashes. Do you know how to solve this?
I tried to have the cryptogen tool generate certificates for peer0-org1-example-com, but it messed things up. I think the best option would be to create the kubernetes names with dots, but I can't seem to do that.
The name in the peer deployment file:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: peer0-org1-example-com
spec:
  selector:
    matchLabels:
      name: peer0-org1-example-com
  replicas: 1
  template:
    metadata:
      labels:
        name: peer0-org1-example-com
The name in the peer service file:
apiVersion: v1
kind: Service
metadata:
  name: peer0-org1-example-com
  labels:
    run: peer0-org1-example-com
spec:
  type: ClusterIP
  selector:
    name: peer0-org1-example-com
  ports:
    - protocol: TCP
      port: 7051
      name: grpc
We had a similar dot/dash certificate issue with OpenShift and solved it by setting a CommonName with dashes for each host in our crypto config file. Maybe this works for you too.
Like this:
# both peer orgs belong to a single PeerOrgs list (the key cannot appear twice in one YAML document)
PeerOrgs:
  - Name: Org1
    Domain: org1-example-com
    EnableNodeOUs: true
    Specs:
      - Hostname: peer0
        CommonName: "peer0-org1-example-com"
      - Hostname: peer1
        CommonName: "peer1-org1-example-com"
    CA:
      Hostname: ca
      CommonName: "ca-org1-example-com"
  - Name: Org2
    Domain: org2-example-com
    EnableNodeOUs: true
    Specs:
      - Hostname: peer0
        CommonName: "peer0-org2-example-com"
      - Hostname: peer1
        CommonName: "peer1-org2-example-com"
    CA:
      Hostname: ca
      CommonName: "ca-org2-example-com"
OrdererOrgs:
  - Name: Orderer
    Domain: example.com
    EnableNodeOUs: true
    Specs:
      - Hostname: orderer
        CommonName: "orderer-example-com"
Update:
We also changed all dotted addresses in configtx.yaml, like this:
Orderer: &OrdererDefaults
  ...
  EtcdRaft:
    Consenters:
      - Host: orderer-example-com
  ...
  Addresses:
    - orderer-example-com:7050
Update 2:
You may also have to change the csr section in the fabric-ca-server-config.yaml of each organization:
# orderer org (example.com)
csr:
  cn: ca-example-com
  names:
    - C: US
      ST: "New York"
      L: "New York"
      O: example-com
      OU:
  hosts:
    - localhost
    - example-com
  ca:
    expiry: 131400h
    pathlength: 1

# Org1
csr:
  cn: ca-org1-example-com
  names:
    - C: US
      ST: "North Carolina"
      L: "Durham"
      O: org1-example-com
      OU:
  hosts:
    - localhost
    - org1-example-com
  ca:
    expiry: 131400h
    pathlength: 1

# Org2
csr:
  cn: ca-org2-example-com
  names:
    - C: UK
      ST: "Hampshire"
      L: "Hursley"
      O: org2-example-com
      OU:
  hosts:
    - localhost
    - org2-example-com
  ca:
    expiry: 131400h
    pathlength: 1
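To see why the handshake fails and why the dashed CommonName fixes it, here is an added Go example (not code from the question, the answer, or Fabric itself) that reproduces the x509 hostname check the peer CLI's gRPC client performs. It builds throwaway self-signed certificates with the SAN lists cryptogen would emit (constructed inline, not real crypto material) and checks them against the dotted and the dashed service name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a throwaway self-signed certificate (constructed here, not
// produced by cryptogen) whose DNS Subject Alternative Names are sans.
func makeCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameAccepted reports whether a Go TLS client dialing host would accept
// cert; the peer CLI's gRPC client runs exactly this SAN check.
func hostnameAccepted(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	// Default cryptogen output: dotted name plus the short hostname and localhost.
	dotted, _ := makeCert("peer0.org1.example.com", []string{"peer0.org1.example.com", "peer0", "localhost"})
	fmt.Println(hostnameAccepted(dotted, "peer0.org1.example.com")) // true
	fmt.Println(dotted.VerifyHostname("peer0-org1-example-com"))   // x509: certificate is valid for peer0.org1.example.com, peer0, localhost, not peer0-org1-example-com
	// The answer's fix: issue the certificate for the dashed Kubernetes service name.
	dashed, _ := makeCert("peer0-org1-example-com", []string{"peer0-org1-example-com", "peer0", "localhost"})
	fmt.Println(hostnameAccepted(dashed, "peer0-org1-example-com")) // true
}
```

The second line printed is the same x509 error quoted in the question's update; a name either appears in the SAN list or the client refuses the handshake, which is why the peer logs "tls: bad certificate" from the client side.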