
I am trying the architecture in the diagram below, where one peer sits on a second machine and the rest of the network is set up on the first machine (the server/system).


After creating the channel, joining each peer to it shows the log below. That was not the case when I tried the sample network, where the log used to say that the peer had joined the channel. When I check the peer's log it says:

2018-02-28 06:51:23.916 UTC [ConnProducer] NewConnection -> ERRO 36b Failed connecting to 138.68.138.161:7050 , error: x509: cannot validate certificate for 138.68.138.161 because it doesn't contain any IP SANs

TLS is enabled on the network; the TLS certificates are provided and the environment variables are set.

channel-setup.sh

```bash
# Channel creation
# NOTE: several long lines below end in "$" where the terminal cut them off when the
# script was pasted into the post; the paths are not reproduced in full here.
echo "========== Creating channel: ${CHANNEL_NAME} =========="
# (channel creation is commented out in the posted script; the channel already exists)
#peer channel create -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls $CORE_PEER_TLS_ENABLED --cafile /opt$

# peer0.org1 channel join
# Each peer is targeted by switching the CLI's admin identity (MSP), the peer address and
# the TLS root cert it is expected to present.
echo "========== Joining peer0.org1.example.com to channel ${CHANNEL_NAME} =========="
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.e$
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.or$
peer channel join -b ${CHANNEL_NAME}.block
# Anchor peer update for Org1: done once per org, from peer0, and it talks to the orderer over TLS
peer channel update -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/${CORE_PEER_LOCALMSPID}anchors.tx --tls $CORE_PEER_TLS$

# peer1.org1 channel join
echo "========== Joining peer1.org1.example.com to channel ${CHANNEL_NAME} =========="
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.e$
export CORE_PEER_ADDRESS=peer1.org1.example.com:7051
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer1.or$
peer channel join -b ${CHANNEL_NAME}.block

# peer0.org2 channel join
echo "========== Joining peer0.org2.example.com to channel ${CHANNEL_NAME} =========="
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin@org2.e$
export CORE_PEER_ADDRESS=peer0.org2.example.com:7051
export CORE_PEER_LOCALMSPID="Org2MSP"
# note: as posted, this points at peer1's directory although the target is peer0.org2; the other peers use their own
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer1.or$
peer channel join -b ${CHANNEL_NAME}.block
# Anchor peer update for Org2
peer channel update -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/${CORE_PEER_LOCALMSPID}anchors.tx --tls $CORE_PEER_TLS$

# peer1.org2 channel join
echo "========== Joining peer1.org2.example.com to channel ${CHANNEL_NAME} =========="
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin@org2.e$
export CORE_PEER_ADDRESS=peer1.org2.example.com:7051
export CORE_PEER_LOCALMSPID="Org2MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer1.or$
# (join step added to match the other peers; it is absent from the posted script)
peer channel join -b ${CHANNEL_NAME}.block
```



1 Answer


The cause of your problem is that the TLS certificate does not contain an IP SAN (IP Subject Alternative Name). This is a field in a TLS certificate that basically says: "the certificate was issued to the host whose IP is: <1.2.3.4>".

If you generated the certificates with the v1.0 version of cryptogen, it does not support adding IP SANs to the certificates. However, the v1.1 version of cryptogen does support it, so if you use that, you will have the IP SAN in the TLS certificate.

The other way to solve the problem is to use hostnames (DNS names) instead of IP addresses, with any version of cryptogen. If you do that, the certificates will contain DNS SANs (all versions of cryptogen encode DNS SANs in the certificates).

answered 2018-02-28T07:53:09.383
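To make the answer concrete, here is an added Go example (mine, not code from the answer or from Fabric). It builds a throwaway TLS CA, issues a peer certificate the way cryptogen 1.1 does with the `SANS:` list of a crypto-config.yaml entry (every entry that parses as an IP becomes an IP SAN, everything else a DNS SAN), and then runs the same crypto/x509 hostname check that produced the log line in the question, once with a DNS-only certificate dialed by IP and once with the IP SAN present. `PeerSpec`, `NewTLSCA`, `IssueTLSCert`, `VerifyPeerAddress` and `MissingIPSAN` are names chosen for this example; the IP 138.68.138.161 is the one from the question's log.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PeerSpec holds the crypto-config.yaml fields used here (an example struct, not a cryptogen type).
type PeerSpec struct {
	Hostname string   // e.g. "peer0"; Hostname + "." + Domain is the FQDN
	Domain   string   // e.g. "org1.example.com"
	SANS     []string // extra names; IP literals and DNS names may be mixed
}

// sign generates a fresh key pair, signs tmpl with parent (self-signed when parent is nil)
// and returns the parsed certificate together with its private key.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewTLSCA creates the self-signed TLS root that a peer's tls/ca.crt would hold.
func NewTLSCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return sign(&x509.Certificate{
		Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// IssueTLSCert issues the peer's server certificate. As cryptogen 1.1 does, the FQDN is always
// a DNS SAN; each extra SAN that parses as an IP becomes an IP SAN, anything else a DNS SAN.
func IssueTLSCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, spec PeerSpec) (*x509.Certificate, error) {
	fqdn := spec.Hostname + "." + spec.Domain
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: fqdn},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    []string{fqdn},
	}
	for _, san := range spec.SANS {
		if ip := net.ParseIP(san); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, san)
		}
	}
	cert, _, err := sign(tmpl, caCert, caKey)
	return cert, err
}

// VerifyPeerAddress is what a TLS client (the peer's deliver client included) does with the
// server certificate: chain validation against the TLS root, then matching the dialed host
// (DNS name or IP literal) against the certificate's SANs.
func VerifyPeerAddress(cert, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// MissingIPSAN reports whether err is exactly the failure in the question's log: an IP literal
// was dialed and the certificate carries no IP SAN at all.
func MissingIPSAN(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he) && net.ParseIP(he.Host) != nil && len(he.Certificate.IPAddresses) == 0
}

func main() {
	caCert, caKey, err := NewTLSCA("tlsca.org1.example.com")
	if err != nil {
		panic(err)
	}
	spec := PeerSpec{Hostname: "peer0", Domain: "org1.example.com"}
	dnsOnly, _ := IssueTLSCert(caCert, caKey, spec) // cryptogen 1.0 style: DNS SAN only
	spec.SANS = []string{"138.68.138.161"}          // cryptogen 1.1 with SANS: ["138.68.138.161"]
	withIP, _ := IssueTLSCert(caCert, caKey, spec)
	fmt.Println("DNS-only cert dialed by IP:  ", VerifyPeerAddress(dnsOnly, caCert, "138.68.138.161"))
	fmt.Println("DNS-only cert dialed by name:", VerifyPeerAddress(dnsOnly, caCert, "peer0.org1.example.com"))
	fmt.Println("IP-SAN cert dialed by IP:    ", VerifyPeerAddress(withIP, caCert, "138.68.138.161"))
}
```

The first line printed is the error from the question; the other two are nil. In a real deployment the equivalent of `spec.SANS` is the `SANS:` list cryptogen 1.1 accepts under a peer's `Specs` entry (or under `Template`) in crypto-config.yaml, and the fix from the answer is either to list the machine's IP there before regenerating the crypto material, or to have the other machine reach the orderer and peers by the DNS names already present in the certificates.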