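  • Fabric infrastructure management (4): multi-host, dynamically adding an organization node

    (I) Multi-host: dynamically adding an organization node

    1. Background

    (1) The Org3-crypt.yaml configuration file

    This configuration file is the input the cryptogen tool uses to generate the organization's identity certificates.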

    # Copyright IBM Corp. All Rights Reserved.

    #

    # SPDX-License-Identifier: Apache-2.0

    #

     

    # ---------------------------------------------------------------------------

    # "PeerOrgs" - Definition of organizations managing peer nodes

    # ---------------------------------------------------------------------------

    PeerOrgs:

      # ---------------------------------------------------------------------------

      # Org3

      # ---------------------------------------------------------------------------

      - Name: SM611

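        # Domain name

        Domain: sm611.newcapec.net

        # true: generate a config.yaml file in the msp directory

        EnableNodeOUs: true

        Template:

          # Number of nodes

          Count: 1

          # Subject alternative names besides the hostname and common name

          SANS:

            - localhost

        # Users belonging to the organization

        Users:

          # Number of regular users; one admin user is generated by default

          Count: 1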

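    (2) Identity certificate configuration for the new node

    A peer node needs two certificate directories: msp and tls.

    # msp directory: membership identity certificates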

        - ../../organizations/peerOrganizations/sm611.newcapec.net/peers/peer0.sm611.newcapec.net/msp:/etc/hyperledger/fabric/msp

    # tls directory: certificates for secure communication

          - ../../organizations/peerOrganizations/sm611.newcapec.net/peers/peer0.sm611.newcapec.net/tls:/etc/hyperledger/fabric/tls

    Path:

    organizations/peerOrganizations/sm611.newcapec.net/peers

    The peers directory holds the certificates of all of the organization's nodes.

     

    Directory layout explained:

     

    └── peer0.sm611.newcapec.net

        ├── msp

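        │   ├── admincerts                                   Identity certificates of the organization's admins; used to check whether a signing identity is an admin

        │   ├── cacerts                                      The organization's root certificate

        │   │   └── ca.sm611.newcapec.net-cert.pem

        │   ├── config.yaml

        │   ├── keystore                                     This node's identity private key; used for signing

        │   │   └── priv_sk

        │   ├── signcerts                                    Certificate for verifying this node's signatures; issued under the organization's root certificate

        │   │   └── peer0.sm611.newcapec.net-cert.pem

        │   └── tlscacerts                                   TLS certificate; used to encrypt communication

        │       └── tlsca.sm611.newcapec.net-cert.pem

        └── tls

            ├── ca.crt                                         The organization's root certificate

            ├── server.crt                                     Certificate for verifying this node's signatures; issued under the organization's root certificate

            └── server.key                                     This node's identity private key; used for signing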

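    (3) How the MSP certificates relate

    Two kinds of certificate are involved: the organization's root certificate, and the certificates beneath it, namely user certificates and TLS certificates.

    The organization's root certificate is issued by the organization itself: it is self-signed and has no parent certificate.

    User certificates and TLS certificates are both issued by the organization's root certificate.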

     

    User certificate

    -----------------------------------------------------------------------

     openssl x509 -in peer0.org3.example.com-cert.pem -noout -text

    Certificate details:

    Certificate:

        Data:

            Version: 3 (0x2)

            Serial Number:

                b0:b4:27:92:66:18:3d:22:99:7a:54:da:ae:3e:78:d0

            Signature Algorithm: ecdsa-with-SHA256

            Issuer: C = US, ST = California, L = San Francisco, O = org3.example.com, CN = ca.org3.example.com

            Validity

                Not Before: Apr  8 05:31:00 2021 GMT

                Not After : Apr  6 05:31:00 2031 GMT

            Subject: C = US, ST = California, L = San Francisco, OU = peer, CN = peer0.org3.example.com

            Subject Public Key Info:

                Public Key Algorithm: id-ecPublicKey

                    Public-Key: (256 bit)

                    pub:

                        04:8d:32:8b:14:ca:c5:53:8b:18:15:be:fd:c5:50:

                        3c:09:9c:1c:e6:7f:3b:a9:48:96:d7:30:96:36:1d:

                        fd:fd:25:5f:8f:df:78:58:a2:4a:85:2e:58:36:7c:

                        04:d1:75:13:3e:de:c6:e3:4c:39:40:22:53:8d:c8:

                        7e:71:bf:b8:51

                    ASN1 OID: prime256v1

                    NIST CURVE: P-256

            X509v3 extensions:

                X509v3 Key Usage: critical

                    Digital Signature

                X509v3 Basic Constraints: critical

                    CA:FALSE

                X509v3 Authority Key Identifier:

                    keyid:A2:C6:17:59:76:55:A3:63:51:48:92:09:69:D4:83:5E:C6:CA:F0:76:0A:AF:E1:D7:85:D1:B3:BC:23:02:DB:7B

        Signature Algorithm: ecdsa-with-SHA256

             30:44:02:20:2d:ca:03:6b:f7:cc:80:a3:48:28:96:e2:72:98:

             d7:d9:92:df:ac:56:88:9e:6d:d6:74:99:ab:c1:12:a9:71:13:

             02:20:72:12:6f:51:2e:ae:e8:03:65:b6:4c:42:b4:17:55:d7:

             7a:aa:d4:55:df:bd:f9:55:62:1c:b3:84:93:6f:db:9d

    Root certificate (self-signed)

    -----------------------------------------------------------

    openssl x509 -in ca.org3.example.com-cert.pem -noout -text

    Certificate:

        Data:

            Version: 3 (0x2)

            Serial Number:

                8e:75:7d:b8:08:cc:3d:90:01:ce:56:2c:1e:7e:2b:b1

            Signature Algorithm: ecdsa-with-SHA256

            Issuer: C = US, ST = California, L = San Francisco, O = org3.example.com, CN = ca.org3.example.com

            Validity

                Not Before: Apr  8 05:31:00 2021 GMT

                Not After : Apr  6 05:31:00 2031 GMT

            Subject: C = US, ST = California, L = San Francisco, O = org3.example.com, CN = ca.org3.example.com

            Subject Public Key Info:

                Public Key Algorithm: id-ecPublicKey

                    Public-Key: (256 bit)

                    pub:

                        04:07:d2:32:11:98:f5:02:ae:0f:e7:17:1b:5d:a2:

                        42:da:14:54:05:50:11:60:1a:9f:19:70:be:2b:9b:

                        e7:48:16:e3:b5:71:b3:5c:e1:57:39:07:c6:bc:8f:

                        69:ab:a3:43:e4:78:00:dd:49:83:34:78:76:76:a1:

                        80:07:a1:ae:6a

                    ASN1 OID: prime256v1

                    NIST CURVE: P-256

            X509v3 extensions:

                X509v3 Key Usage: critical

                    Digital Signature, Key Encipherment, Certificate Sign, CRL Sign

                X509v3 Extended Key Usage:

                    TLS Web Client Authentication, TLS Web Server Authentication

                X509v3 Basic Constraints: critical

                    CA:TRUE

                X509v3 Subject Key Identifier:

                    A2:C6:17:59:76:55:A3:63:51:48:92:09:69:D4:83:5E:C6:CA:F0:76:0A:AF:E1:D7:85:D1:B3:BC:23:02:DB:7B

        Signature Algorithm: ecdsa-with-SHA256

             30:45:02:20:4e:fa:cf:fe:a0:ea:21:8c:11:67:bc:c6:d1:51:

             7c:c0:51:89:3a:cf:76:fd:8a:7f:91:c1:0c:0a:ee:99:55:0b:

             02:21:00:aa:b1:27:f0:ab:b3:7b:fb:00:f5:70:0c:fe:d4:0c:

             75:aa:37:68:67:dd:f8:9f:6b:67:28:6c:61:64:3e:91:0c

    Secure transport certificate (TLS certificate)

    openssl x509 -in tlsca.org3.example.com-cert.pem -noout -text

    Certificate:

        Data:

            Version: 3 (0x2)

            Serial Number:

                fa:4a:ab:ab:e1:76:d9:0b:13:6a:c1:93:4a:a4:c6:b9

            Signature Algorithm: ecdsa-with-SHA256

            Issuer: C = US, ST = California, L = San Francisco, O = org3.example.com, CN = tlsca.org3.example.com

            Validity

                Not Before: Apr  8 05:31:00 2021 GMT

                Not After : Apr  6 05:31:00 2031 GMT

            Subject: C = US, ST = California, L = San Francisco, O = org3.example.com, CN = tlsca.org3.example.com

            Subject Public Key Info:

                Public Key Algorithm: id-ecPublicKey

                    Public-Key: (256 bit)

                    pub:

                        04:a7:e0:39:01:fe:8b:2a:29:ac:42:50:d4:e7:2e:

                        23:1d:25:42:af:7f:5a:2d:07:05:1b:b4:6a:b4:ea:

                        91:cf:97:ad:e2:74:dc:ae:e0:cf:e7:70:c5:63:95:

                        54:10:4a:0d:c1:7a:1c:78:76:c3:19:36:dc:cb:3c:

                        b4:ce:0f:2f:13

                    ASN1 OID: prime256v1

                    NIST CURVE: P-256

            X509v3 extensions:

                X509v3 Key Usage: critical

                    Digital Signature, Key Encipherment, Certificate Sign, CRL Sign

                X509v3 Extended Key Usage:

                    TLS Web Client Authentication, TLS Web Server Authentication

                X509v3 Basic Constraints: critical

                    CA:TRUE

                X509v3 Subject Key Identifier:

                    E8:E8:05:F6:BC:AF:86:4D:5B:C7:3B:4F:8B:35:3D:84:CB:D9:33:80:46:B8:29:C0:4E:E0:4C:62:BB:98:6B:85

        Signature Algorithm: ecdsa-with-SHA256

             30:45:02:21:00:d6:2a:d5:2c:aa:33:3b:97:b0:50:a3:e9:ca:

             a7:7b:c6:9f:1b:40:df:ef:d9:f3:2c:f8:d0:c9:53:8d:0f:c7:

             d1:02:20:65:54:1e:5c:8c:ce:e4:4a:4c:2c:2d:9c:ad:da:1e:

             9f:64:6b:d2:03:fa:2e:ff:fd:bf:49:4d:6e:14:9d:89:f3

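    (4) Org2 certificates

    Two kinds of certificate are involved: the organization's root certificate, and the certificates beneath it, namely user certificates and TLS certificates.

    The organization's root certificate is issued by the organization itself: it is self-signed and has no parent certificate.

    User certificates and TLS certificates are both issued by the organization's root certificate.

    User certificate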

    Certificate:

        Data:

            Version: 3 (0x2)

            Serial Number:

                62:79:3c:e1:af:8b:ce:e6:8d:ae:5e:3f:cd:01:b5:1a:f8:e0:59:df

            Signature Algorithm: ecdsa-with-SHA256

            Issuer: C = UK, ST = Hampshire, L = Hursley, O = org2.example.com, CN = ca.org2.example.com

            Validity

                Not Before: Apr  8 05:21:00 2021 GMT

                Not After : Apr  8 05:26:00 2022 GMT

            Subject: C = US, ST = North Carolina, O = Hyperledger, OU = peer, CN = peer0

            Subject Public Key Info:

                Public Key Algorithm: id-ecPublicKey

                    Public-Key: (256 bit)

                    pub:

                        04:a4:49:2b:4a:23:9c:a8:53:34:6a:b9:60:fe:af:

                        eb:87:1d:47:ee:fa:13:8b:0d:9f:bb:58:7d:d3:d7:

                        eb:c1:bf:9d:03:35:77:4c:85:b3:87:d3:3b:b1:70:

                        d0:12:d7:24:f5:f6:51:e7:a2:9c:d2:0b:fa:60:2a:

                        77:83:18:9c:00

                    ASN1 OID: prime256v1

                    NIST CURVE: P-256

            X509v3 extensions:

                X509v3 Key Usage: critical

                    Digital Signature

                X509v3 Basic Constraints: critical

                    CA:FALSE

                X509v3 Subject Key Identifier:

                    20:55:92:CE:B3:7E:D7:72:D8:D5:F2:34:88:45:36:E2:7E:CF:69:ED

                X509v3 Authority Key Identifier:

                    keyid:68:F5:C0:70:6F:A3:83:7A:88:C4:F8:4C:7F:55:46:26:0B:A9:86:3C

                X509v3 Subject Alternative Name:

                    DNS:peer0.org2.example.com

                1.2.3.4.5.6.7.8.1:

                    {"attrs":{"hf.Affiliation":"","hf.EnrollmentID":"peer0","hf.Type":"peer"}}

    "hf.Affiliation":"" is the organizational unit.

    "hf.Type":"peer" indicates the role.

        Signature Algorithm: ecdsa-with-SHA256

             30:44:02:20:57:03:17:98:41:3c:75:c2:fa:da:f2:23:8b:d2:

             0e:6b:a9:24:fd:d3:f8:e4:23:29:01:5c:19:b1:4c:01:05:ca:

             02:20:60:72:0f:42:50:65:00:dc:b9:5c:4e:62:d3:6c:2b:30:

             78:40:fd:41:42:6d:e0:4e:a8:75:74:98:02:3d:09:76

    Root certificate (self-signed)

    Certificate:

        Data:

            Version: 3 (0x2)

            Serial Number:

                12:6a:f8:45:82:54:83:28:a8:bf:65:9f:00:bd:c9:f9:ab:e1:94:fa

            Signature Algorithm: ecdsa-with-SHA256

            Issuer: C = UK, ST = Hampshire, L = Hursley, O = org2.example.com, CN = ca.org2.example.com

            Validity

                Not Before: Apr  8 05:21:00 2021 GMT

                Not After : Apr  4 05:21:00 2036 GMT

            Subject: C = UK, ST = Hampshire, L = Hursley, O = org2.example.com, CN = ca.org2.example.com

            Subject Public Key Info:

                Public Key Algorithm: id-ecPublicKey

                    Public-Key: (256 bit)

                    pub:

                        04:44:a4:89:08:70:d8:5e:a7:57:30:47:8b:ed:2c:

                        97:a2:dd:c9:9a:7c:e5:b8:8c:d1:11:96:52:05:0f:

                        7a:36:62:b6:95:da:6f:cf:1c:3b:b5:76:fd:b5:31:

                        0e:6d:80:90:5c:8d:48:91:d3:40:b4:aa:9c:14:69:

                        df:66:ab:b0:35

                    ASN1 OID: prime256v1

                    NIST CURVE: P-256

            X509v3 extensions:

                X509v3 Key Usage: critical

                    Certificate Sign, CRL Sign

                X509v3 Basic Constraints: critical

                    CA:TRUE, pathlen:1

                X509v3 Subject Key Identifier:

                    68:F5:C0:70:6F:A3:83:7A:88:C4:F8:4C:7F:55:46:26:0B:A9:86:3C

        Signature Algorithm: ecdsa-with-SHA256

             30:44:02:21:00:c8:68:ee:a8:12:a0:51:41:91:01:fb:4a:f3:

             04:a3:91:43:16:8d:e0:c5:6f:aa:81:b1:0a:0a:8e:a8:96:36:

             10:02:1f:5b:1d:bb:52:b5:6b:8c:72:35:e4:7d:1f:95:81:c2:

             24:c3:5c:a7:fe:f7:f4:e8:5b:f5:b2:c4:07:88:0f:97

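    (5) Node organizational units (NodeOUs)

    For node organizational units, setting Enable to true turns on fine-grained policy control.

    The purpose of NodeOUs is finer-grained permission control.

    An MSP has the following roles:

    1) Client

    2) Peer

    3) Admin

    4) Orderer

    A principal is written as 'MSP.ROLE', where MSP is the required MSP ID (the organization) and ROLE is one of the four accepted roles: Member, Admin, Client and Peer. A role is associated with a user when the user enrolls with a CA.

    Open question:

    When the cryptogen tool is used, how is the role associated? Has it been associated at all? I ask because the certificates generated by cryptogen do not show the additional attribute field.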

     

     

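    2. Procedure

    (1) Hostname mapping

    Hostname mapping on the new node

    The hosts must be able to reach each other, and the nodes address one another by domain name. Because our test domain names are not registered in DNS, the hosts file on each machine has to be edited by hand.

    With Docker Compose, add an extra_hosts field.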

     

    Existing network

    On the hosts of the existing blockchain network, add the new node's hostname mapping to the hosts file.

    # cat /etc/hosts

    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4

    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

    # ------------- Organization nodes: hostname mapping ----------------

    192.168.112.22   peer0.org3.example.com

    (2) Add the node

    Run the add-node script. If the script completes successfully, the node has been added.

    ./addOrg3.sh up

    3. Verifying the new node

    (1) Ways to verify

    Script output

    + peer channel join -b mychannel.block

    + res=0

    + set +x

    2021-04-09 03:23:31.832 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized

    2021-04-09 03:23:32.289 UTC [channelCmd] executeJoin -> INFO 002 Successfully submitted proposal to join channel

    ===================== peer0.org3 joined channel 'mychannel' =====================

    ========= Finished adding Org3 to your test network! =========

    Peer container log

    2021-04-09 03:23:32.739 UTC [gossip.gossip] learnAnchorPeers -> INFO 041 Learning about the configured anchor peers of Org1MSP for channel mychannel: [{peer0.org1.example.com 7051}]

    2021-04-09 03:23:32.739 UTC [committer.txvalidator] Validate -> INFO 042 [mychannel] Validated block [3] in 7ms

    2021-04-09 03:23:32.965 UTC [kvledger] CommitLegacy -> INFO 043 [mychannel] Committed block [3] with 1 transaction(s) in 225ms (state_validation=0ms block_and_pvtdata_commit=133ms state_commit=58ms) commitHash=[37be5332b9300ef2e301f0e0e5385a0a729d3fef5c9ea4a7bd4766bb91998a31]

    2021-04-09 03:23:37.739 UTC [gossip.channel] reportMembershipChanges -> INFO 044

    [[mychannel] Membership view has changed. peers went online:

      [[peer0.org1.example.com:7051 ] [peer0.org2.example.com:9051 ]] ,

     current view:  [[peer0.org1.example.com:7051 ] [peer0.org2.example.com:9051 ]]]

    Querying from inside the peer container

    # peer channel list

    2021-04-09 03:26:09.830 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized

    Channels peers has joined:

    mychannel

    # peer channel getinfo -c mychannel

    2021-04-09 03:26:30.097 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized

    Blockchain info: {"height":4,"currentBlockHash":"cVDbIwYWcrKShzagotlaVqmxUczKDJZDgck78Cz55HY=","previousBlockHash":"ZZZhL+hrW/RqCga6xYz/liLV38sSUVP1oOVMAhU4ojs="}

    Blockchain explorer

    The newly added node is visible there.

     

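    4. Common error logs

    (1) New node fails to connect at startup: transport: Error while dialing dial tcp

    Symptom

    The new organization's node starts, but its container log shows connection failures.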

     grpc: addrConn.createTransport failed to connect to {peer0.org1.example.com:7051  <nil> 0 <nil>}. Err: connection error: desc = "transport: Error while dialing dial tcp 192.168.116.46:7051: operation was canceled". Reconnecting...

    Client log:

    2021-04-06 02:03:29.046 UTC [grpc] Infof -> DEBU d29 Channel Connectivity change to SHUTDOWN

    2021-04-06 02:03:29.046 UTC [grpc] Infof -> DEBU d2a Subchannel Connectivity change to SHUTDOWN

    2021-04-06 02:03:29.047 UTC [grpc] Warningf -> DEBU d2b grpc: addrConn.createTransport failed to connect to {peer0.org1.example.com:7051  <nil> 0 <nil>}. Err: connection error: desc = "transport: Error while dialing dial tcp 192.168.116.46:7051: operation was canceled". Reconnecting...

    2021-04-06 02:03:29.047 UTC [gossip.gossip] func1 -> WARN d2c Deep probe of peer0.org1.example.com:7051 for channel mychannel failed: context deadline exceeded

    2021-04-06 02:03:29.047 UTC [gossip.discovery] func1 -> WARN d2d Could not connect to Endpoint: peer0.org1.example.com:7051, InternalEndpoint: peer0.org1.example.com:7051, PKI-ID: <nil>, Metadata:  : context deadline exceeded

    2021-04-06 02:03:29.047 UTC [grpc] Infof -> DEBU d2e Channel Connectivity change to SHUTDOWN

    2021-04-06 02:03:29.047 UTC [grpc] Infof -> DEBU d2f Subchannel Connectivity change to SHUTDOWN

    2021-04-06 02:03:29.047 UTC [gossip.gossip] func1 -> WARN d30 Deep probe of peer0.org2.example.com:9051 for channel mychannel failed: context deadline exceeded

    2021-04-06 02:03:29.047 UTC [gossip.discovery] func1 -> WARN d31 Could not connect to Endpoint: peer0.org2.example.com:9051, InternalEndpoint: peer0.org2.example.com:9051, PKI-ID: <nil>, Metadata:  : context deadline exceeded

    2021-04-06 02:03:29.048 UTC [grpc] Warningf -> DEBU d32 grpc: addrConn.createTransport failed to connect to {peer0.org2.example.com:9051  <nil> 0 <nil>}. Err: connection error: desc = "transport: Error while dialing dial tcp 192.168.116.46:9051: operation was canceled". Reconnecting...

    2021-04-06 02:03:29.771 UTC [gossip.discovery] InitiateSync -> DEBU d33 No peers to send to, aborting membership sync

    2021-04-06 02:03:29.980 UTC [gossip.channel] publishStateInfo -> DEBU d34 Empty membership, no one to publish state info to

    2021-04-06 02:03:30.804 UTC [grpc] Infof -> DEBU d35 Channel Connectivity change to SHUTDOWN

    2021-04-06 02:03:30.804 UTC [grpc] Infof -> DEBU d36 Subchannel Connectivity change to SHUTDOWN

    2021-04-06 02:03:30.804 UTC [peer.blocksprovider] DeliverBlocks -> WARN d37 Could not connect to ordering service: could not dial endpoint 'orderer.example.com:7050': failed to create new connection: context deadline exceeded channel=mychannel

    2021-04-06 02:03:30.804 UTC [grpc] Warningf -> DEBU d38 grpc: addrConn.createTransport failed to connect to {orderer.example.com:7050  <nil> 0 <nil>}. Err: connection error: desc = "transport: error while dialing: dial tcp 192.168.116.46:7050: operation was canceled". Reconnecting...

    2021-04-06 02:03:33.766 UTC [gossip.discovery] periodicalSendAlive -> DEBU d39 Empty membership, no one to send a heartbeat to

    2021-04-06 02:03:33.766 UTC [gossip.discovery] periodicalSendAlive -> DEBU d3a Sleeping 5s

    2021-04-06 02:03:33.771 UTC [gossip.discovery] InitiateSync -> DEBU d3b No peers to send to, aborting membership sync

    2021-04-06 02:03:33.980 UTC [gossip.channel] publishStateInfo -> DEBU d3c Empty membership, no one to publish state info to

    2021-04-06 02:03:33.995 UTC [gossip.privdata] run -> DEBU d3d Start reconcile missing private info

    2021-04-06 02:03:33.995 UTC [pvtdatastorage] GetMissingPvtDataInfoForMostRecentBlocks -> DEBU d3e fetching missing pvtdata entries from the prioritized list

    2021-04-06 02:03:33.995 UTC [leveldbhelper] GetIterator -> DEBU d3f Getting iterator for range [[]byte{0x6d, 0x79, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x0, 0x4, 0x7, 0xfb}] - [[]byte{0x6d, 0x79, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x0, 0x4, 0x8}]

    2021-04-06 02:03:33.996 UTC [gossip.privdata] reconcile -> DEBU d40 Reconciliation cycle finished successfully. no items to reconcile

    2021-04-06 02:03:37.772 UTC [gossip.discovery] InitiateSync -> DEBU d41 No peers to send to, aborting membership sync

    2021-04-06 02:03:37.980 UTC [gossip.channel] publishStateInfo -> DEBU d42 Empty membership, no one to publish state info to

    2021-04-06 02:03:38.766 UTC [gossip.discovery] periodicalSendAlive -> DEBU d43 Empty membership, no one to send a heartbeat to

    2021-04-06 02:03:38.766 UTC [gossip.discovery] periodicalSendAlive -> DEBU d44 Sleeping 5s

    2021-04-06 02:03:41.772 UTC [gossip.discovery] InitiateSync -> DEBU d45 No peers to send to, aborting membership sync

    2021-04-06 02:03:41.980 UTC [gossip.channel] publishStateInfo -> DEBU d46 Empty membership, no one to publish state info to

    2021-04-06 02:03:43.746 UTC [gossip.discovery] periodicalReconnectToDead -> DEBU d47 Sleeping 25s

    2021-04-06 02:03:43.766 UTC [gossip.discovery] periodicalSendAlive -> DEBU d48 Empty membership, no one to send a heartbeat to

    2021-04-06 02:03:43.766 UTC [gossip.discovery] periodicalSendAlive -> DEBU d49 Sleeping 5s

    2021-04-06 02:03:45.772 UTC [gossip.discovery] InitiateSync -> DEBU d4a No peers to send to, aborting membership sync

    2021-04-06 02:03:45.980 UTC [gossip.channel] publishStateInfo -> DEBU d4b Empty membership, no one to publish state info to

    2021-04-06 02:03:48.767 UTC [gossip.discovery] periodicalSendAlive -> DEBU d4c Empty membership, no one to send a heartbeat to

    2021-04-06 02:03:48.767 UTC [gossip.discovery] periodicalSendAlive -> DEBU d4d Sleeping 5s

    Server log:

    2021-04-02 11:29:51.425 UTC [core.comm] ServerHandshake -> ERRO 124 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=192.168.60.26:52240

    2021-04-02 11:54:09.221 UTC [core.comm] ServerHandshake -> ERRO 125 TLS handshake failed with error EOF server=Orderer remoteaddress=192.168.60.26:45437

    2021-04-06 01:54:34.045 UTC [core.comm] ServerHandshake -> ERRO 126 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=192.168.60.26:36044

    2021-04-06 01:54:34.320 UTC [common.deliver] Handle -> WARN 127 Error reading from 192.168.60.26:43478: rpc error: code = Canceled desc = context canceled

    2021-04-06 01:54:34.320 UTC [comm.grpc.server] 1 -> INFO 128 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=192.168.60.26:43478 error="rpc error: code = Canceled desc = context canceled" grpc.code=Canceled grpc.call_duration=35.338822ms

    2021-04-06 01:54:34.869 UTC [orderer.common.broadcast] ProcessMessage -> WARN 129 [channel: mychannel] Rejecting broadcast of config message from 192.168.60.26:43480 because of error: error applying config update to existing channel 'mychannel': error authorizing update: ConfigUpdate for channel '' but envelope for channel 'mychannel'

    2021-04-06 01:54:34.870 UTC [comm.grpc.server] 1 -> INFO 12a streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Broadcast grpc.peer_address=192.168.60.26:43480 grpc.code=OK grpc.call_duration=2.333845ms

    2021-04-06 01:54:35.052 UTC [core.comm] ServerHandshake -> ERRO 12b TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=192.168.60.26:36052

    The new organization's CA service fails to connect

    2021-04-06 01:54:35.111 UTC [policies] SignatureSetToValidIdentities -> WARN 12c invalid identity: certificate subject=CN=Admin@sm611.newcapec.net,OU=admin,L=San Francisco,ST=California,C=US serialnumber=131160449042185023334132657719577325892 error="the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.sm611.newcapec.net")"

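    Meaning:

    The supplied identity is not valid: its x509 certificate was signed by an unknown authority, possibly because x509 verification failed while trying to verify it against ca.sm611.newcapec.net.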

    2021-04-06 01:54:35.112 UTC [policies] SignatureSetToValidIdentities -> WARN 12d invalid identity: certificate subject=CN=Admin@sm611.newcapec.net,OU=admin,L=San Francisco,ST=California,C=US serialnumber=131160449042185023334132657719577325892 error="the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.sm611.newcapec.net")"

    2021-04-06 01:54:35.114 UTC [policies] SignatureSetToValidIdentities -> WARN 12e invalid identity: certificate subject=CN=Admin@sm611.newcapec.net,OU=admin,L=San Francisco,ST=California,C=US serialnumber=131160449042185023334132657719577325892 error="the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.sm611.newcapec.net")"

    2021-04-06 01:54:35.116 UTC [policies] SignatureSetToValidIdentities -> WARN 12f invalid identity: certificate subject=CN=Admin@sm611.newcapec.net,OU=admin,L=San Francisco,ST=California,C=US serialnumber=131160449042185023334132657719577325892 error="the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.sm611.newcapec.net")"

    2021-04-06 01:54:35.136 UTC [common.deliver] deliverBlocks -> WARN 130 [channel: mychannel] Client 192.168.60.26:43488 is not authorized: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied

    2021-04-06 01:54:35.136 UTC [comm.grpc.server] 1 -> INFO 131 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=192.168.60.26:43488 grpc.code=OK grpc.call_duration=29.568683ms

    2021-04-06 01:54:36.708 UTC [core.comm] ServerHandshake -> ERRO 132 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=192.168.60.26:36064

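    Cause analysis:

    The connection failure may mean the network is unreachable. Use the nc and ping commands to check whether the network is reachable and whether the hostname mapping took effect.

    (2) Fetching the config fails: Error: can't read the block: &{NOT_FOUND}

    Error log from running the script: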

    peer channel fetch 0 mychannel.block -o orderer.example.com:7050 --ordererTLSHostnameOverride orderer.example.com -c mychannel --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem

    2021-04-08 05:36:03.266 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized

    2021-04-08 05:36:03.267 UTC [cli.common] readBlock -> INFO 002 Expect block, but got status: &{NOT_FOUND}

    Error: can't read the block: &{NOT_FOUND}

    Meaning: the config block could not be read.

    Orderer log:

    2021-04-08 05:36:03.023 UTC [orderer.common.broadcast] ProcessMessage -> WARN 02a [channel: mychannel] Rejecting broadcast of config message from 172.29.0.9:59920 because of error: Failing initial channel config creation: mismatched channel IDs: '' != 'mychannel'

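    Meaning:

    The initial channel config creation failed because the channel IDs do not match.

    (3) Transport handshake fails: transport: authentication handshake failed

    Error log on the newly joining node, transport: authentication handshake failed:

    Log of the node waiting to join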

    transport: authentication handshake failed

    2021-04-07 06:28:44.493 UTC [gossip.channel] publishStateInfo -> DEBU 6b0 Empty membership, no one to publish state info to

    2021-04-07 06:28:44.495 UTC [gossip.privdata] run -> DEBU 6b1 Start reconcile missing private info

    2021-04-07 06:28:44.495 UTC [pvtdatastorage] GetMissingPvtDataInfoForMostRecentBlocks -> DEBU 6b2 fetching missing pvtdata entries from the prioritized list

    2021-04-07 06:28:44.495 UTC [leveldbhelper] GetIterator -> DEBU 6b3 Getting iterator for range [[]byte{0x6d, 0x79, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x0, 0x4, 0x7, 0xfb}] - [[]byte{0x6d, 0x79, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x0, 0x4, 0x8}]

    2021-04-07 06:28:44.495 UTC [gossip.privdata] reconcile -> DEBU 6b4 Reconciliation cycle finished successfully. no items to reconcile

    2021-04-07 06:28:46.700 UTC [msp.identity] Sign -> DEBU 6b5 Sign: plaintext: 0AF6060A1508051A06089EA2B5830622...05120D1A0B08FFFFFFFFFFFFFFFFFF01

    2021-04-07 06:28:46.700 UTC [msp.identity] Sign -> DEBU 6b6 Sign: digest: B863CAA3DDE74329A4C7AB7AA94F58654C25A1DBBB33D6DF029A360F13C3E532

    2021-04-07 06:28:46.700 UTC [grpc] Infof -> DEBU 6b7 parsed scheme: ""

    2021-04-07 06:28:46.700 UTC [grpc] Infof -> DEBU 6b8 scheme "" not registered, fallback to default scheme

    2021-04-07 06:28:46.700 UTC [grpc] Infof -> DEBU 6b9 ccResolverWrapper: sending update to cc: {[{orderer.example.com:7050  <nil> 0 <nil>}] <nil> <nil>}

    2021-04-07 06:28:46.700 UTC [grpc] Infof -> DEBU 6ba ClientConn switching balancer to "pick_first"

    2021-04-07 06:28:46.700 UTC [grpc] Infof -> DEBU 6bb Channel switches to new LB policy "pick_first"

    2021-04-07 06:28:46.700 UTC [grpc] Infof -> DEBU 6bc Subchannel Connectivity change to CONNECTING

    2021-04-07 06:28:46.700 UTC [grpc] Infof -> DEBU 6bd Subchannel picks a new address "orderer.example.com:7050" to connect

    2021-04-07 06:28:46.700 UTC [grpc] UpdateSubConnState -> DEBU 6be pickfirstBalancer: HandleSubConnStateChange: 0xc0000fc740, {CONNECTING <nil>}

    2021-04-07 06:28:46.700 UTC [grpc] Infof -> DEBU 6bf Channel Connectivity change to CONNECTING

    Connection fails

    2021-04-07 06:28:46.705 UTC [grpc] Warningf -> DEBU 6c0 grpc: addrConn.createTransport failed to connect to {orderer.example.com:7050  <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.example.com")". Reconnecting...

    2021-04-07 06:28:46.705 UTC [grpc] Infof -> DEBU 6c1 Subchannel Connectivity change to TRANSIENT_FAILURE

    2021-04-07 06:28:46.705 UTC [grpc] UpdateSubConnState -> DEBU 6c2 pickfirstBalancer: HandleSubConnStateChange: 0xc0000fc740, {TRANSIENT_FAILURE connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.example.com")"}

    2021-04-07 06:28:46.705 UTC [grpc] Infof -> DEBU 6c3 Channel Connectivity change to TRANSIENT_FAILURE

    2021-04-07 06:28:47.705 UTC [grpc] Infof -> DEBU 6c4 Subchannel Connectivity change to CONNECTING

    2021-04-07 06:28:47.705 UTC [grpc] Infof -> DEBU 6c5 Subchannel picks a new address "orderer.example.com:7050" to connect

    2021-04-07 06:28:47.705 UTC [grpc] UpdateSubConnState -> DEBU 6c6 pickfirstBalancer: HandleSubConnStateChange: 0xc0000fc740, {CONNECTING <nil>}

    2021-04-07 06:28:47.705 UTC [grpc] Infof -> DEBU 6c7 Channel Connectivity change to CONNECTING

    2021-04-07 06:28:47.711 UTC [grpc] Warningf -> DEBU 6c8 grpc: addrConn.createTransport failed to connect to {orderer.example.com:7050  <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.example.com")". Reconnecting...

    2021-04-07 06:28:47.711 UTC [grpc] Infof -> DEBU 6c9 Subchannel Connectivity change to TRANSIENT_FAILURE

    2021-04-07 06:28:47.711 UTC [grpc] UpdateSubConnState -> DEBU 6ca pickfirstBalancer: HandleSubConnStateChange: 0xc0000fc740, {TRANSIENT_FAILURE connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.example.com")"}

    2021-04-07 06:28:47.711 UTC [grpc] Infof -> DEBU 6cb Channel Connectivity change to TRANSIENT_FAILURE

    2021-04-07 06:28:48.296 UTC [gossip.discovery] InitiateSync -> DEBU 6cc No peers to send to, aborting membership sync

    2021-04-07 06:28:48.493 UTC [gossip.channel] publishStateInfo -> DEBU 6cd Empty membership, no one to publish state info to

    2021-04-07 06:28:49.291 UTC [gossip.discovery] periodicalReconnectToDead -> DEBU 6ce Sleeping 25s

    2021-04-07 06:28:49.295 UTC [gossip.discovery] periodicalSendAlive -> DEBU 6cf Empty membership, no one to send a heartbeat to

    2021-04-07 06:28:49.295 UTC [gossip.discovery] periodicalSendAlive -> DEBU 6d0 Sleeping 5s

    Orderer node log:

    TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=192.168.60.26:55340

    Problem analysis

    The TLS handshake failed with a certificate error; the log entry also records the client address.

    (4) Update authorization failed: authorizing update: ConfigUpdate for channel '' but envelope for channel 'mychannel'

    Error log on the newly joining node, transport: authentication handshake failed:

    Log of the node waiting to join

    transport: authentication handshake failed

    Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'mychannel': error authorizing update: ConfigUpdate for channel '' but envelope for channel 'mychannel'

    (5) Reading the block failed: Error: can't read the block: &{FORBIDDEN}

    Client-side symptom:

    2021-04-07 07:01:48.735 UTC [common.deliver] deliverBlocks -> WARN 170 [channel: mychannel] Client 192.168.60.26:59570 is not authorized: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied

    Orderer node log:

    Config transaction received

    2021-04-07 07:03:10.712 UTC [orderer.consensus.etcdraft] run -> INFO 176 Received config transaction, pause accepting transaction till it is committed channel=mychannel node=1

    Block written to the ledger on channel mychannel

    2021-04-07 07:03:10.713 UTC [orderer.consensus.etcdraft] writeBlock -> INFO 177 Writing block [3] (Raft index: 5) to ledger channel=mychannel node=1

    Cause analysis:
    1. An inappropriate user identity may have been used.
    2. How can the user identity currently in use be checked?

    (6) Querying channel information failed: peer channel getinfo

    Run inside the container of the newly added node

    Error: received bad response, status 500: access denied for [GetChainInfo][mychannel]: [Failed evaluating policy on signed data during check policy on channel [mychannel] with policy [/Channel/Application/Readers]: [implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied]]

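    In plain terms:

    Access denied: policy evaluation failed while checking the Readers policy. The implicit policy evaluation failed: 0 sub-policies were satisfied, but the current policy requires the Readers policy to be satisfied.

    Vocabulary (terms in the error message):

    Evaluate: assess

    Policy: policy, rule

    Implicit: implied

    sub-policy: subordinate policy

    Satisfy: meet, fulfil

    Analysis steps:
    1. On the Cli node, run peer channel fetch config to obtain the network's current configuration.
    2. Convert the resulting configuration pb file to JSON.
    3. Compare Org2MSP and SM611MSP for differences.
    Difference:

    SM611MSP has no anchor peer (AnchorPeer) set.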

    peer channel fetch config config_block.pb
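    Step 3 of the analysis above, comparing the two organizations' entries in the decoded channel configuration, can be done mechanically. The Go program below is an added example, not part of the original post: the function name missingIn and the trimmed sample JSON are constructed, and the input is assumed to be the config object taken from the block after it has been decoded to JSON with configtxlator.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample, trimmed to the keys being compared (policy and value bodies emptied).
const sampleConfig = `{"channel_group":{"groups":{"Application":{"groups":{
 "Org2MSP":{"policies":{"Admins":{},"Endorsement":{},"Readers":{},"Writers":{}},"values":{"AnchorPeers":{},"MSP":{}}},
 "SM611MSP":{"policies":{"Admins":{},"Endorsement":{},"Readers":{},"Writers":{}},"values":{"MSP":{}}}}}}}}`

// group mirrors one config group; encoding/json matches the lowercase keys case-insensitively.
type group struct {
	Groups           map[string]group
	Policies, Values map[string]json.RawMessage
}

// missingIn lists the policies and values that org ref defines and org other lacks.
func missingIn(configJSON, ref, other string) ([]string, error) {
	var cfg struct{ ChannelGroup group `json:"channel_group"` }
	if err := json.Unmarshal([]byte(configJSON), &cfg); err != nil {
		return nil, err
	}
	orgs := cfg.ChannelGroup.Groups["Application"].Groups
	r, ok1 := orgs[ref]
	o, ok2 := orgs[other]
	if !ok1 || !ok2 { // an org absent from the channel config cannot satisfy any channel policy
		return nil, fmt.Errorf("org not in channel config: %s=%v %s=%v", ref, ok1, other, ok2)
	}
	var diff []string
	for k := range r.Policies {
		if _, ok := o.Policies[k]; !ok {
			diff = append(diff, "policies."+k)
		}
	}
	for k := range r.Values {
		if _, ok := o.Values[k]; !ok {
			diff = append(diff, "values."+k)
		}
	}
	sort.Strings(diff)
	return diff, nil
}

func main() {
	fmt.Println(missingIn(sampleConfig, "Org2MSP", "SM611MSP"))
}
```

    On the constructed sample this reports values.AnchorPeers, the difference noted above; an organization that is missing from the configuration altogether is reported as an error instead.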

    (7) Listing installed chaincode failed: access denied

    Run inside the container of the newly added node

    peer chaincode list --installed

    Error: bad response: 500 - access denied for [getinstalledchaincodes]: Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [The identity is not an admin under this MSP [Org3MSP]: The identity does not contain OU [ADMIN], MSP: [Org3MSP]]

    After copying the certificate from the signcerts directory into admincerts, the error message changes:

    # peer chaincode list --installed

    2021-04-08 06:47:38.521 UTC [main] InitCmd -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/fabric/msp: admin 0 is invalid [The identity does not contain OU [CLIENT], MSP: [Org3MSP],The identity does not contain OU [ADMIN], MSP: [Org3MSP]

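    Terminology:

    NodeOUs

    Introducing NodeOUs into the organization definition gives finer granularity and control. OUs (Organizational Units) are defined in the Fabric CA client configuration file and are associated with an identity when it is created. In Fabric, NodeOUs provide a way to classify digital certificates by role. For example, an organization with NodeOUs specified can have a 'Peer' sign valid endorsements, or the organization can simply be set up so that any member may sign.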

    # cat config.yaml

    NodeOUs:

      Enable: true

      ClientOUIdentifier:

        Certificate: cacerts/ca.org3.example.com-cert.pem

        OrganizationalUnitIdentifier: client

      PeerOUIdentifier:

        Certificate: cacerts/ca.org3.example.com-cert.pem

        OrganizationalUnitIdentifier: peer

      AdminOUIdentifier:

        Certificate: cacerts/ca.org3.example.com-cert.pem

        OrganizationalUnitIdentifier: admin

      OrdererOUIdentifier:

        Certificate: cacerts/ca.org3.example.com-cert.pem

        OrganizationalUnitIdentifier: orderer

    (8) Fetching the config block failed: access denied

    Run inside the Org3cli container

    peer channel fetch config config_block.pb \
      -o orderer.example.com:7050 \
      --ordererTLSHostnameOverride orderer.example.com \
      -c mychannel \
      --tls \
      --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem

    Error log

    Error: failed to create deliver client for orderer: orderer client failed to connect to orderer.example.com:7050: failed to create new connection: context deadline exceeded

    Cause analysis

    The network may be unreachable, or the wrong node was targeted.

    Troubleshooting steps

    Check that the IP address and port are reachable.

    ping orderer.example.com

    Result:

    # ping orderer.example.com

    PING orderer.example.com (192.168.116.46): 56 data bytes

    64 bytes from 192.168.116.46: seq=0 ttl=62 time=1.285 ms

    64 bytes from 192.168.116.46: seq=1 ttl=62 time=1.107 ms

    64 bytes from 192.168.116.46: seq=2 ttl=62 time=1.456 ms

    64 bytes from 192.168.116.46: seq=3 ttl=62 time=1.183 ms

    Check whether the IP address shown is the orderer node's IP address.

    nc -nvv orderer.example.com:7050

    Result:

    # nc -nvv orderer.example.com:7050

    orderer.example.com:7050 (192.168.116.46:7050) open

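    In the output, open means the port is open and reachable.

    (9) Exporting the block failed: got status: &{SERVICE_UNAVAILABLE}

    A newly created network reports that exporting the block failed

    Expect block, but got status: &{SERVICE_UNAVAILABLE}

    Cause analysis

    The service is unavailable; wait a moment and it works.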

    (10) Calling a contract through the SDK fails with event service creation failed

    Error creating the event service

    Client log (the program calling the SDK):

    Failed to create new channel client: event service creation failed: could not get chConfig cache reference: QueryBlockConfig failed: QueryBlockConfig failed: queryChaincode failed: Transaction processing for endorser [peer0.org1.example.com:7051]: gRPC Transport Status Code: (2) Unknown. Description: error validating proposal: access denied: channel [chl-01] creator org [Org1MSP]

    Node log:

    2021-08-18 12:15:57.445 UTC [endorser] Validate -> WARN 073 access denied: channel the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com") channel=chl-01 txID=9b6d7b41

    2021-08-18 12:15:57.445 UTC [comm.grpc.server] 1 -> INFO 074 unary call completed grpc.service=protos.Endorser grpc.method=ProcessProposal grpc.request_deadline=2021-08-18T12:18:57.44Z grpc.peer_address=192.168.56.1:59754 error="error validating proposal: access denied: channel [chl-01] creator org [Org1MSP]" grpc.code=Unknown grpc.call_duration=1.063908ms

    Cause analysis

    The issuing authority and the verifying authority are not the same.

    (11) endorser client failed to connect to peer0.org1.example.com:7051

    Symptom

    #peer channel list

    Error: error getting endorser client for channel: endorser client failed to connect to peer0.org1.example.com:7051: failed to create new connection: context deadline exceeded

    Cause analysis

    The issuing authority and the verifying authority are not the same.

  • Original article: https://www.cnblogs.com/jiftle/p/15330845.html