Hyperledger Fabric 2.3连接问题
Hyperledger Fabric 2.3连接问题
提问于 2021-02-27 01:57:34
查询账本时遇到问题。下面是我们的网络的布局。在公司网络内的kubernetes集群上有2个org,在网络内的azure vm上也有一个docker群。azure vm节点和k8s集群节点通过nginx服务器相互通信。现在,这种精心设置背后的原因是因为我们的供应链使用案例需要来自不同公司的合作伙伴加入我们的网络。因此,为了模拟公司网络外部的外部合作伙伴,我们使用了azure vm。由于我们计划生产实现,我们不能使用Fabric crypto config生成证书,并使用我们公司的中间证书和根证书颁发新证书。现在,在此网络设置上安装了链码,并启用了背书策略,可以在所有3个节点上完美地工作。我们使用Fabric 2.3.0
现在,我遇到的第一个问题是在connection.json文件中使用的TLS证书。这是通过链接证书来解决的,如SO post here中所述。当前的问题是nodejs代码能够连接到orgs,但不能执行任何读或写操作。在下面的JS代码中,如果我取消注释channel.getPeer()响应的控制台日志,它会正确地打印整个对等对象。
这是我的connection.json。所有10.100.xx.xx ips均为k8s集群中的pod,public.ip.address为nginx服务器的pod
{
"name": "byfn",
"version": "1.0.0",
"client": {
"organization": "ORG2MSP",
"connection": {
"timeout": {
"peer": {
"endorser": "10000"
},
"orderer": "10000"
}
}
},
"channels": {
"supplychain": {
"orderers": [
"ord1.orderers.org1.com",
"ord2.orderers.org1.com",
"ord3.orderers.org1.com"
],
"peers": {
"peer1.peers.org1.com": {
"endorsingPeer": true,
"chaincodeQuery": true,
"ledgerQuery": true,
"eventSource": true
},
"peer1.peers.org3.com": {
"endorsingPeer": true,
"chaincodeQuery": true,
"ledgerQuery": true,
"eventSource": true
},
"peer1.peers.org2.com": {
"endorsingPeer": true,
"chaincodeQuery": true,
"ledgerQuery": true,
"eventSource": true
}
}
}
},
"organizations": {
"ORG2MSP": {
"mspid": "ORG2MSP",
"peers": [
"peer1.peers.org2.com",
"peer2.peers.org2.com"
]
}
},
"orderers": {
"ord1.orderers.org1.com": {
"url": "grpcs://10.100.xxx.xxx:7050",
"grpcOptions": {
"ssl-target-name-override": "ord1.orderers.org1.com",
"request-timeout": 12000
},
"tlsCACerts": {
"path": "temp.pem"
}
},
"ord2.orderers.org1.com": {
"url": "grpcs://10.100.xxx.xxx:7050",
"grpcOptions": {
"ssl-target-name-override": "ord2.orderers.org1.com",
"request-timeout": 12000
},
"tlsCACerts": {
"path": "temp.pem"
}
},
"ord3.orderers.org1.com": {
"url": "grpcs://10.100.xxx.xxx:7050",
"grpcOptions": {
"ssl-target-name-override": "ord3.orderers.org1.com",
"request-timeout": 12000
},
"tlsCACerts": {
"path": "temp.pem"
}
}
},
"peers": {
"peer1.peers.org1.com": {
"url": "grpcs://10.100.xxx.xxx:7051",
"grpcOptions": {
"ssl-target-name-override": "peer1.peers.org1.com",
"request-timeout": 12000,
"grpc.keepalive_time_ms": 600000
},
"tlsCACerts": {
"path": "temp.pem"
}
},
"peer1.peers.org3.com": {
"url": "grpcs://public.ip.address:7051",
"grpcOptions": {
"ssl-target-name-override": "peer1.peers.org3.com",
"request-timeout": 12000,
"grpc.keepalive_time_ms": 600000
},
"tlsCACerts": {
"path": "temp.pem"
}
},
"peer1.peers.org2.com": {
"url": "grpcs://10.100.xxx.xxx:7051",
"grpcOptions": {
"ssl-target-name-override": "peer1.peers.org2.com",
"request-timeout": 12000,
"grpc.keepalive_time_ms": 600000
},
"tlsCACerts": {
"path": "temp.pem"
}
}
}
}以下是我的代码
'use strict';
const { Wallets, Gateway } = require('fabric-network');
const fs = require('fs');
const path = require('path');
const ccpPath = path.resolve(__dirname,'connection.json');
const ccpJSON = fs.readFileSync(ccpPath, 'utf8');
const ccp = JSON.parse(ccpJSON);
async function main(){
try {
// const walletPath = path.join(process.cwd(), 'wallet');
const wallet = await Wallets.newFileSystemWallet('wallet');
// console.log(`Wallet path: ${walletPath}`);
// Check to see if we've already enrolled the user.
const userExists = await wallet.get('usernew');
const tlsExists = await wallet.get('tlsid');
if (!userExists) {
console.log('An identity for the user "usernew" does not exist in the wallet');
return;
}
if (!tlsExists) {
console.log('An identity for the user "tls" does not exist in the wallet');
return;
}
console.log("Here");
// Create a new gateway for connecting to our peer node.
const gateway = new Gateway();
await gateway.connect(ccp, { wallet, identity: 'usernew', discovery: { enabled: false, asLocalhost: false }, clientTlsIdentity: 'tlsid' });
console.log("Here1");
// Get the network (channel) our contract is deployed to.
const network = await gateway.getNetwork('supplychain');
console.log("Here2");
//Get the channel object to fetch out peers
const channel = network.getChannel();
console.log("Here3");
//Get peers for endorsement
//channel.getEndorsers();
const org1Peer = channel.getPeer('peer1.peers.org1.com');
//console.log(org1Peer);
const org2Peer = channel.getPeer('peer1.peers.org2.com');
//console.log(org2Peer);
const org3Peer = channel.getPeer('peer1.peers.org3.com');
//console.log(org3Peer);
// All the above logs print correct information
// Get the contract from the network.
const contract = network.getContract('mycontract');
const result = await contract.evaluateTransaction('queryAllObjects');
console.log(`Transaction has been evaluated, result is: ${result.toString()}`);
} catch (error) {
console.error(`Failed to evaluate transaction: ${error}`);
}
}
main()这是加密文件夹树
C:.
├───peers.org1.com
│ └───users
│ ├───Admin@peers.org1.com
│ │ ├───msp
│ │ │ ├───admincerts
│ │ │ ├───cacerts
│ │ │ ├───intermediatecerts
│ │ │ ├───keystore
│ │ │ ├───signcerts
│ │ │ ├───tlscacerts
│ │ │ └───tlsintermediatecerts
│ │ └───tls
│ └───User1@peers.org1.com
│ ├───msp
│ │ ├───admincerts
│ │ ├───cacerts
│ │ ├───intermediatecerts
│ │ ├───keystore
│ │ ├───signcerts
│ │ ├───tlscacerts
│ │ └───tlsintermediatecerts
│ └───tls
├───peers.org2.com
│ └───users
│ ├───Admin@peers.org2.com
│ │ ├───msp
│ │ │ ├───admincerts
│ │ │ ├───cacerts
│ │ │ ├───intermediatecerts
│ │ │ ├───keystore
│ │ │ ├───signcerts
│ │ │ ├───tlscacerts
│ │ │ └───tlsintermediatecerts
│ │ └───tls
│ └───User1@peers.org2.com
│ ├───msp
│ │ ├───admincerts
│ │ ├───cacerts
│ │ ├───intermediatecerts
│ │ ├───keystore
│ │ ├───signcerts
│ │ ├───tlscacerts
│ │ └───tlsintermediatecerts
│ └───tls
└───peers.org3.com
└───users
├───Admin@peers.org3.com
│ ├───msp
│ │ ├───admincerts
│ │ ├───cacerts
│ │ ├───intermediatecerts
│ │ ├───keystore
│ │ ├───signcerts
│ │ ├───tlscacerts
│ │ └───tlsintermediatecerts
│ └───tls
└───User1@peers.org3.com
├───msp
│ ├───admincerts
│ ├───cacerts
│ ├───intermediatecerts
│ ├───keystore
│ ├───signcerts
│ ├───tlscacerts
│ └───tlsintermediatecerts
└───tls上面连接文件中使用的temp.pem是通过添加如下所示的ica.pem和ca.pem来准备的。下面是cerificates对于Org2的样子。其他2个组织看起来类似。msp/tlscacerts/ca.pem
Issuer: C=XX, ST=XXXX, L=XXXX, O=MyCompany, OU=Cybersecurity, CN=MyCompany Root Certificate Authority 2018
Validity
Not Before: Jul 23 17:07:45 2018 GMT
Not After : Jul 23 17:17:44 2043 GMT
Subject: C=XX, ST=XXXX, L=XXXX, O=MyCompany, OU=Cybersecurity, CN=MyCompany Root Certificate Authoritymsp/tlsintermediatecerts/ica.pem
Issuer: C=XX, ST=XXXX, L=XXXX, O=MyCompany, OU=Cybersecurity, CN=MyCompany Root Certificate Authority 2018
Validity
Not Before: Nov 14 21:26:35 2018 GMT
Not After : Nov 14 21:36:35 2025 GMT
Subject: C=XX, ST=XXXX, L=XXXX, O=MyCompany, CN=MyCompany Issuing CA 101tls/server.crt
Issuer: C=XX, ST=XXXX, L=XXXX, O=MyCompany, CN=MyCompany Issuing CA 101
Validity
Not Before: Jan 18 20:30:30 2021 GMT
Not After : Jan 18 20:30:30 2023 GMT
Subject: C=XX, ST=XXXX, L=XXXX, O=MyCompany Inc., OU=org2client, CN=*.peers.org2.com
.
.
.
X509v3 Subject Alternative Name:
DNS:*.peers.org2.comOrg2 NodeJs日志
2021-02-25T10:21:33.736Z - error: [Endorser]: sendProposal[peer1.peers.org2.com] - Received error response from: grpcs://10.100.xxx.xxx:7051 error: Error: 2 UNKNOWN: error validating proposal: access denied: channel [supplychain] creator org [ORG2MSP]
2021-02-25T10:21:33.738Z - error: [Endorser]: sendProposal[peer1.peers.org2.com] - rejecting with: Error: 2 UNKNOWN: error validating proposal: access denied: channel [supplychain] creator org [ORG2MSP]
2021-02-25T10:21:33.738Z - error: [SingleQueryHandler]: evaluate: message=Query failed. Errors: ["Error: 2 UNKNOWN: error validating proposal: access denied: channel [supplychain] creator org [ORG2MSP]"], stack=FabricError: Query failed. Errors: ["Error: 2 UNKNOWN: error validating proposal: access denied: channel [supplychain] creator org [ORG2MSP]"]
at SingleQueryHandler.evaluate (/fabric23/node_modules/fabric-network/lib/impl/query/singlequeryhandler.js:47:23)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at async Transaction.evaluate (/fabric23/node_modules/fabric-network/lib/transaction.js:276:25)
at async main (/fabric23/test.js:67:25), name=FabricError
Failed to evaluate transaction: FabricError: Query failed. Errors: ["Error: 2 UNKNOWN: error validating proposal: access denied: channel [supplychain] creator org [ORG2MSP]"]Org2对等日志
2021-02-25 10:21:33.732 UTC [endorser] Validate -> WARN 08f access denied: creator's signature over the proposal is not valid: The signature is invalid channel=supplychain txID=01bde838 mspID=ORG2MSP
2021-02-25 10:21:33.732 UTC [comm.grpc.server] 1 -> INFO 090 unary call completed grpc.service=protos.Endorser grpc.method=ProcessProposal grpc.peer_address=172.23.238.200:40928 grpc.peer_subject="CN=*.peers.org3.com,OU=org3client,O=MyCompany Inc.,L=XXXX,ST=XXXX,C=XX" error="error validating proposal: access denied: channel [supplychain] creator org [ORG2MSP]" grpc.code=Unknown grpc.call_duration=12.335491msOrg3对等日志
2021-02-26 13:42:26.081 UTC [gossip.channel] publishStateInfo -> DEBU 6155d8 Empty membership, no one to publish state info to
2021-02-26 13:42:26.493 UTC [core.comm] ServerHandshake -> DEBU 6155d9 Server TLS handshake completed in 49.605106ms server=PeerServer remoteaddress=public.ip.address:291542021-02-26 13:42:26.597 UTC [grpc] InfoDepth -> DEBU 6155da [transport]transport: loopyWriter.run returning. connection error: desc = "transport is closing"
2021-02-26 13:42:26.927 UTC [gossip.channel] publishStateInfo -> DEBU 6155db Empty membership, no one to publish state info to我还尝试在azure vm上的docker swarm上部署相同的代码。但它给出的错误与我使用SO post here中给出的错误证书时得到的错误相同
回答 1
Stack Overflow用户
发布于 2021-03-01 05:13:14
您可以检查以下几点:
通道的对等服务器TLS证书应该有一个替代名称,如"*.ip.adress"?
- the
- org3 3 org3,对吧?从org2的日志中,我看到"creator's see over the proposal is not valid“
- 检查用户身份"usernew”PKI (而不是TLS),以确保颁发证书的CA是通道上的CA MSP之一。如果您使用中间CA,这些CA证书也应该在通道上。
致以最好的问候,茨维坦
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/66390671
复制相关文章
相似问题
腾讯云开发者
