
我在 Kubernetes 集群中有一个正在运行的带有双向 TLS 的测试网。该设置工作正常,因为我可以完美地使用 CLI 调用和查询链代码。

但是,在 Node 中,我可以成功注册(enroll)身份,却无法通过 gateway.connect(...) 成功连接。客户端和对等节点两边的错误信息都没有给出有用的线索。

脚本

// CommonJS script: opt into strict mode explicitly (ES modules are strict by default).
'use strict';

const FabricCAServices = require('fabric-ca-client');
const { Wallets, Gateway } = require('fabric-network');
const fs = require('fs');
const path = require('path');

const ccp = require('../gateway/connection.json');
const caConfig = require('../gateway/ca-config.json');

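// Enrollment ID of the identity this script enrolls and connects with.
const user = 'benchmark';
// Enrollment secret. Read from the environment when set so the secret does not
// have to be committed with the source; falls back to the original literal so
// existing setups keep working unchanged.
const userpw = process.env.FABRIC_ENROLL_SECRET || 'benchmarkPW';
// MSP the enrolled identities are stored under (same value as the mspid in connection.json).
const mspID = 'Org1MSP';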

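/**
 * Opens (creating it if needed) the file-system wallet at ./identity/wallet
 * relative to the current working directory.
 *
 * @returns {Promise<import('fabric-network').Wallet>} the wallet instance
 * @throws {Error} when the wallet cannot be created; the original error is kept
 *   as `cause`. The previous version only logged the error and returned
 *   undefined, so the failure surfaced later as a TypeError on `wallet.get`
 *   instead of at its real origin.
 */
async function createWallet() {
  const walletPath = path.join(process.cwd(), 'identity/wallet');
  try {
    return await Wallets.newFileSystemWallet(walletPath);
  } catch (error) {
    throw new Error(`Error creating wallet at "${walletPath}": ${error}`, { cause: error });
  }
}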

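/**
 * Makes sure the wallet holds both identities needed for mutual TLS:
 *   - `user`        : the signing (MSP) identity, enrolled against caInfo.caName
 *   - `${user}-tls` : the client TLS identity, enrolled against `TLS${caInfo.caName}`
 *                     with the 'tls' enrollment profile
 *
 * Each label is checked and enrolled independently. The previous version only
 * checked `user`, so a wallet that held the MSP identity but not the TLS one
 * was never repaired and gateway.connect() would then fail on clientTlsIdentity.
 *
 * @param {import('fabric-network').Wallet} wallet wallet to read and write identities
 * @throws {Error} on any enrollment failure; the caller decides whether to exit
 */
async function enrollUser(wallet) {
  const caInfo = ccp.certificateAuthorities[caConfig.url];
  // Whether the CA's HTTPS certificate is verified comes from connection.json
  // (certificateAuthorities.<ca>.httpOptions.verify) and defaults to ON.
  // Disabling it sends the enrollment secret to whoever answers at caInfo.url,
  // so it is only ever turned off deliberately through the config, never by a
  // hard-coded `verify: false` in the code.
  const httpOptions = caInfo.httpOptions || {};
  const tlsOptions = { trustedRoots: caInfo.tlsCACerts.pem, verify: httpOptions.verify !== false };
  const enrollOptions = { enrollmentID: user, enrollmentSecret: userpw };

  try {
    const mspEnrolled = await enrollIntoWallet(wallet, user, caInfo.url, tlsOptions, caInfo.caName, enrollOptions);
    console.log(mspEnrolled
      ? `Successfully enrolled msp for user "${user}" and imported it into the wallet`
      : `An identity for the client user "${user}" already exists in the wallet`);

    const tlsEnrolled = await enrollIntoWallet(
      wallet,
      `${user}-tls`,
      caInfo.url,
      tlsOptions,
      `TLS${caInfo.caName}`,
      { ...enrollOptions, profile: 'tls' },
    );
    console.log(tlsEnrolled
      ? `Successfully enrolled tls-msp for user "${user}" and imported it into the wallet`
      : `A TLS identity for the client user "${user}" already exists in the wallet`);
  } catch (error) {
    throw new Error(`Error enrolling user "${user}": ${error}`, { cause: error });
  }
}

/**
 * Enrolls one identity with the CA and stores it in the wallet under `label`,
 * unless the wallet already has an identity with that label.
 *
 * @param {import('fabric-network').Wallet} wallet wallet to store the identity in
 * @param {string} label wallet label for the identity
 * @param {string} caUrl CA endpoint URL
 * @param {object} tlsOptions `{ trustedRoots, verify }` for the CA HTTPS connection
 * @param {string} caName CA name passed to FabricCAServices
 * @param {object} enrollOptions options for ca.enroll(), e.g. `{ profile: 'tls' }`
 * @returns {Promise<boolean>} true when a new identity was enrolled, false when one already existed
 */
async function enrollIntoWallet(wallet, label, caUrl, tlsOptions, caName, enrollOptions) {
  if (await wallet.get(label)) {
    return false;
  }
  const ca = new FabricCAServices(caUrl, tlsOptions, caName);
  const enrollment = await ca.enroll(enrollOptions);
  await wallet.put(label, {
    credentials: {
      certificate: enrollment.certificate,
      privateKey: enrollment.key.toBytes(),
    },
    mspId: mspID,
    type: 'X.509',
  });
  return true;
}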

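/**
 * Connects the gateway with the enrolled identities and disconnects again,
 * i.e. a connectivity check for the mutual-TLS peer connection.
 *
 * Note: with debug logging enabled, fabric-network prints the full connection
 * options, including the client TLS private key, to the console (see the
 * "[Gateway]: connection options" debug line). Keep debug logging off wherever
 * the console output is shared or persisted.
 *
 * @param {import('fabric-network').Wallet} wallet wallet holding `user` and `${user}-tls`
 * @throws {Error} when gateway.connect() fails; the gateway is disconnected either way
 */
async function startBenchmark(wallet) {
  const gateway = new Gateway();

  const connectionOptions = {
    identity: user,                   // signing identity used for proposals
    clientTlsIdentity: `${user}-tls`, // client certificate presented in the TLS handshake
    wallet,
    discovery: { enabled: true, asLocalhost: false },
  };

  try {
    await gateway.connect(ccp, connectionOptions);
  } catch (error) {
    // Message had a stray '"' in the original ("Got error:\"").
    throw new Error(`Got error: ${error}`, { cause: error });
  } finally {
    // Release gRPC connections even when connect() threw part-way through.
    gateway.disconnect();
  }
}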

/**
 * Script entry point: open the wallet, then run the wallet-dependent steps in
 * order (enroll identities, exercise the gateway connection). Any failure is
 * logged to stderr and ends the process with exit code 1.
 */
async function main() {
  const steps = [enrollUser, startBenchmark];
  try {
    const wallet = await createWallet();
    for (const step of steps) {
      await step(wallet);
    }
  } catch (error) {
    console.error(`Error: ${error}`);
    process.exit(1);
  }
}

// Run the script; main() catches its own errors and exits non-zero on failure.
main();

connection.json

{
    "name": "Org1MSPprofile",
    "description": "Network on OpenShift/K8s",
    "version": "1.0.0",
    "client": {
        "organization": "Org1MSP"
    },
    "organizations": {
        "Org1MSP": {
            "mspid": "Org1MSP",
            "certificateAuthorities": [
                "worker2.example.com:30051"
            ],
            "peers": [
                "worker2.example.com:30151"
            ]
        }
    },
    "peers": {
        "worker2.example.com:30151": {
            "url": "grpcs://worker2.example.com:30151",
            "tlsCACerts": {
                "pem": "-----BEGIN CERTIFICATE-----\nxxxx==\n-----END CERTIFICATE-----"
            },
            "grpcOptions": {
                "ssl-target-name-override": "worker2.example.com"
            }
        }
    },
    "certificateAuthorities": {
        "worker2.example.com:30051": {
            "url": "https://worker2.example.com:30051",
            "caName": "CA",
            "tlsCACerts": {
                "pem": [
                    "-----BEGIN CERTIFICATE-----\nxxxx==\n-----END CERTIFICATE-----"
                ]
            },
            "httpOptions": {
                "verify": false
            }
        }
    }
}

控制台输出

> node ./src/index.js

2020-08-06T15:00:26.046Z - debug: Successfully constructed a winston logger with configurations debug=console, info=console
2020-08-06T15:00:26.276Z - debug: [crypto_ecdsa_aes]: Hash algorithm: SHA2, hash output size: 256
2020-08-06T15:00:26.552Z - debug: [crypto_ecdsa_aes]: Hash algorithm: SHA2, hash output size: 256
2020-08-06T15:00:26.555Z - debug: [FabricCAClient.js]: Successfully constructed Fabric CA client from options - { caname: 'CA',
  protocol: 'https',
  hostname: 'worker2.example.com',
  port: 30051,
  tlsOptions:
   { trustedRoots:
      [ '-----BEGIN CERTIFICATE-----\nxxxx==\n-----END CERTIFICATE-----' ],
     verify: false } }
2020-08-06T15:00:26.555Z - debug: [FabricCAClientService.js]: Successfully constructed Fabric CA service client: endpoint - {"protocol":"https","hostname":"worker2.example.com","port":30051}
2020-08-06T15:00:26.682Z - debug: [crypto_ecdsa_aes]: generateKey, store.setValue
2020-08-06T15:00:26.687Z - debug: [FabricCAClientService.js]: successfully generated key pairs
2020-08-06T15:00:26.785Z - debug: [FabricCAClientService.js]: successfully generated csr
2020-08-06T15:00:26.786Z - debug: [FabricCAClient.js]: CONNECTION_TIMEOUT = 3000, SO_TIMEOUT = infinite
2020-08-06T15:00:27.103Z - debug: [FabricCAClientService.js]: successfully enrolled benchmark
Successfully enrolled msp for user "benchmark" and imported it into the wallet
2020-08-06T15:00:27.109Z - debug: [crypto_ecdsa_aes]: Hash algorithm: SHA2, hash output size: 256
2020-08-06T15:00:27.110Z - debug: [FabricCAClient.js]: Successfully constructed Fabric CA client from options - { caname: 'TLSCA',
  protocol: 'https',
  hostname: 'worker2.example.com',
  port: 30051,
  tlsOptions:
   { trustedRoots:
      [ '-----BEGIN CERTIFICATE-----\nxxxx==\n-----END CERTIFICATE-----' ],
     verify: false } }
2020-08-06T15:00:27.110Z - debug: [FabricCAClientService.js]: Successfully constructed Fabric CA service client: endpoint - {"protocol":"https","hostname":"worker2.example.com","port":30051}
2020-08-06T15:00:27.174Z - debug: [crypto_ecdsa_aes]: generateKey, store.setValue
2020-08-06T15:00:27.175Z - debug: [FabricCAClientService.js]: successfully generated key pairs
2020-08-06T15:00:27.255Z - debug: [FabricCAClientService.js]: successfully generated csr
2020-08-06T15:00:27.255Z - debug: [FabricCAClient.js]: CONNECTION_TIMEOUT = 3000, SO_TIMEOUT = infinite
2020-08-06T15:00:27.489Z - debug: [FabricCAClientService.js]: successfully enrolled benchmark
Successfully enrolled tls-msp for user "benchmark" and imported it into the wallet
2020-08-06T15:00:27.492Z - debug: [Gateway]: in Gateway constructor
2020-08-06T15:00:27.495Z - debug: [Gateway]: connect - start
2020-08-06T15:00:27.495Z - debug: [Gateway]: connection options: {"identity":"benchmark","tlsInfo":{"certificate":"-----BEGIN CERTIFICATE-----\nxxxx/o=\n-----END CERTIFICATE-----\n","key":"-----BEGIN PRIVATE KEY-----\r\nxxxx\r\n-----END PRIVATE KEY-----\r\n"},"wallet":{"providerRegistry":{"providers":{}},"store":{"storePath":"/home/user/test/benchmark/identity/wallet"}},"discovery":{"enabled":true,"asLocalhost":false}}
2020-08-06T15:00:27.496Z - debug: [Client]: Client.constructor[gateway client] - start
2020-08-06T15:00:27.496Z - debug: [Gateway]: connect - setting identity from wallet
2020-08-06T15:00:27.498Z - debug: [crypto_ecdsa_aes]: createKeyFromRaw - start
2020-08-06T15:00:27.500Z - debug: [crypto_ecdsa_aes]: createKeyFromRaw - have the key [Circular]
2020-08-06T15:00:27.500Z - debug: [crypto_ecdsa_aes]: createKeyFromRaw - start
2020-08-06T15:00:27.502Z - debug: [crypto_ecdsa_aes]: createKeyFromRaw - have the key [Circular]
2020-08-06T15:00:27.503Z - debug: [Gateway]: connect - setting tlsInfo
2020-08-06T15:00:27.503Z - debug: [Client]: setTlsClientCertAndKey: gateway client - start
2020-08-06T15:00:27.503Z - debug: [Gateway]: connect - NetworkConfig loading client from ccp
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: loadFromConfig - start
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: buildPeer - start - worker2.example.com:30151
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: findPeerMspid - start for worker2.example.com:30151
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: findPeerMspid - checking peer worker2.example.com:30151 in org Org1MSP
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: findPeerMspid - found mspid Org1MSP for worker2.example.com:30151
2020-08-06T15:00:27.505Z - debug: [NetworkConfig]: buildOptions - start
2020-08-06T15:00:27.505Z - debug: [Client]: newEndpoint: gateway client - start
2020-08-06T15:00:27.505Z - debug: [Client]: getConnectionOptions: gateway client - start
2020-08-06T15:00:27.506Z - debug: [Client]: newEndpoint: gateway client grpc-wait-for-ready-timeout set to 3000
2020-08-06T15:00:27.506Z - debug: [Client]: newEndpoint: gateway client - ssl_target_name_override: worker2.example.com
2020-08-06T15:00:27.507Z - debug: [Endpoint]: Endpoint.constructor - start
2020-08-06T15:00:27.508Z - debug: [Client]: new endpoint url: grpcs://worker2.example.com:30151
2020-08-06T15:00:27.508Z - debug: [NetworkConfig]: buildPeer - about to connect to endorser worker2.example.com:30151 url:grpcs://worker2.example.com:30151 mspid:Org1MSP
2020-08-06T15:00:27.508Z - debug: [Client]: getEndorser: gateway client start name:worker2.example.com:30151
2020-08-06T15:00:27.508Z - debug: [Client]: getEndorser: gateway client create endorser name:worker2.example.com:30151
2020-08-06T15:00:27.509Z - debug: [Endorser]: Endorser.constructor[worker2.example.com:30151] - start
2020-08-06T15:00:27.509Z - debug: [Client]: getEndorser: gateway client return endorser name:worker2.example.com:30151
2020-08-06T15:00:27.509Z - debug: [ServiceEndpoint]: connect[Endorser-worker2.example.com:30151] - start
2020-08-06T15:00:27.509Z - debug: [ServiceEndpoint]: connect[Endorser-worker2.example.com:30151] - create the grpc service for worker2.example.com:30151
2020-08-06T15:00:27.513Z - debug: [ServiceEndpoint]: waitForReady - start Endorser-worker2.example.com:30151 - grpcs://worker2.example.com:30151
2020-08-06T15:00:27.513Z - debug: [ServiceEndpoint]: waitForReady - promise running worker2.example.com:30151 - grpcs://worker2.example.com:30151
2020-08-06T15:00:30.514Z - error: [ServiceEndpoint]: Error: Failed to connect before the deadline on Endorser- name: worker2.example.com:30151, url:grpcs://worker2.example.com:30151, connected:false, connectAttempted:true
2020-08-06T15:00:30.514Z - error: [ServiceEndpoint]: Error: Failed to connect before the deadline on Endorser- name: worker2.example.com:30151, url:grpcs://worker2.example.com:30151, connected:false, connectAttempted:true
2020-08-06T15:00:30.514Z - error: [ServiceEndpoint]: waitForReady - Failed to connect to remote gRPC server worker2.example.com:30151 url:grpcs://worker2.example.com:30151 timeout:3000
2020-08-06T15:00:30.514Z - error: [ServiceEndpoint]: waitForReady - Failed to connect to remote gRPC server worker2.example.com:30151 url:grpcs://worker2.example.com:30151 timeout:3000
2020-08-06T15:00:30.514Z - error: [NetworkConfig]: buildPeer - Unable to connect to the endorser worker2.example.com:30151 due to Error: Failed to connect before the deadline on Endorser- name: worker2.example.com:30151, url:grpcs://worker2.example.com:30151, connected:false, connectAttempted:true
2020-08-06T15:00:30.514Z - error: [NetworkConfig]: buildPeer - Unable to connect to the endorser worker2.example.com:30151 due to Error: Failed to connect before the deadline on Endorser- name: worker2.example.com:30151, url:grpcs://worker2.example.com:30151, connected:false, connectAttempted:true
2020-08-06T15:00:30.514Z - debug: [NetworkConfig]: loadFromConfig - end
2020-08-06T15:00:30.514Z - debug: [Gateway]: connect - end
2020-08-06T15:00:30.515Z - debug: [Gateway]: in disconnect

对等节点日志

[36m2020-08-06 15:09:29.718 UTC [grpc] Warning -> DEBU bba5[0m grpc: Server.Serve failed to create ServerTransport: connection error: desc = "transport: http2Server.HandleStreams failed to receive the preface from client: EOF"
[36m2020-08-06 15:09:30.904 UTC [grpc] Warning -> DEBU bba6[0m grpc: Server.Serve failed to create ServerTransport: connection error: desc = "transport: http2Server.HandleStreams failed to receive the preface from client: EOF"
[36m2020-08-06 15:09:32.344 UTC [gossip.discovery] periodicalSendAlive -> DEBU bbaf[0m Sleeping 5s
[36m2020-08-06 15:09:32.743 UTC [grpc] Warning -> DEBU bbb0[0m grpc: Server.Serve failed to create ServerTransport: connection error: desc = "transport: http2Server.HandleStreams failed to receive the preface from client: EOF"

所以确实有请求到达了对等节点,我只是不知道为什么无法建立连接。

检查清单:

  • 在 connection.json 中提供了 org1 的 tlscacert?已确认
  • 为客户端注册(enroll)了 TLS 身份?已确认
  • 向网关提供了 TLS 身份(clientTlsIdentity)?已确认
  • 在 connection.json 的对等节点配置中尝试过 httpOptions.verify = false?已确认
  • 网关的 TLS 身份分别用 user 和 ${user}-tls 都试过了?已确认

有任何想法吗?

版本:
对等点:2.1
节点 - fabric-ca-client:“^2.2.0”
节点 - fabric-network:“^2.2.0”

此致敬礼




问题出在对等节点(peer)的 TLS 证书上。在客户端设置 `export GRPC_VERBOSITY=DEBUG` 和 `export GRPC_TRACE=all` 之后,我得到了以下信息。证书的 SAN 只包含 DNS:org1-peer1,而客户端按 connection.json 中的 ssl-target-name-override 以 worker2.example.com 校验主机名,两者不匹配,所以客户端在 TLS 握手阶段就关闭了连接——这也解释了对等节点日志里的 "failed to receive the preface from client: EOF"。

2020-08-10T16:13:52.283Z | subchannel | x.x.x.x:30151 connection closed with error Hostname/IP does not match certificate's altnames: Host: worker2.example.com. is not in the cert's altnames: DNS:org1-peer1

于 2020-08-10T17:06:03.597 回答