我在 Kubernetes 集群中有一个正在运行的带有双向 TLS 的测试网。该设置工作正常,因为我可以完美地使用 CLI 调用和查询链代码。
但是,在 Node 中,我可以成功注册(enroll)身份,却无法成功执行 gateway.connect(...)。
客户端和对等节点(peer)的错误消息都没有提供有用的线索。
脚本
'use strict';
const FabricCAServices = require('fabric-ca-client');
const { Wallets, Gateway } = require('fabric-network');
const fs = require('fs');
const path = require('path');
const ccp = require('../gateway/connection.json');
const caConfig = require('../gateway/ca-config.json');
// Enrollment ID passed to the CA; also used as the wallet label for the signing identity.
const user = 'benchmark';
// Enrollment secret sent to the CA together with `user`.
// NOTE(review): hard-coded in source, so anyone who can read this file can enroll
// as this identity; outside a throwaway test network load it from the environment
// or a secret store instead.
const userpw = 'benchmarkPW';
// MSP ID written into every identity this script stores in the wallet.
const mspID = 'Org1MSP';
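/**
 * Open the file-system wallet located at `<cwd>/identity/wallet`.
 *
 * enrollUser() stores certificates together with their private keys in this
 * wallet, so the directory should be readable only by the account that runs
 * the script.
 *
 * @returns {Promise<object>} the wallet returned by Wallets.newFileSystemWallet
 * @throws rethrows whatever error occurred while opening the wallet, after logging it
 */
async function createWallet() {
  try {
    const walletPath = path.join(process.cwd(), 'identity/wallet');
    return await Wallets.newFileSystemWallet(walletPath);
  } catch (error) {
    console.error(`Error: ${error}`);
    // Propagate instead of returning undefined: the caller dereferences the
    // wallet right away and would otherwise fail later with an unrelated
    // TypeError that hides the real cause.
    throw error;
  }
}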
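/**
 * Enroll `user` with the CA called `caName` and store the result in the wallet
 * under `label`, unless the wallet already holds an entry with that label.
 *
 * @param {object} wallet - wallet to read from and write to
 * @param {object} caInfo - CA entry from the connection profile (url, tlsCACerts)
 * @param {string} caName - name of the CA to enroll with
 * @param {string} label - wallet label for the resulting identity
 * @param {string} [profile] - signing profile to request (e.g. 'tls'); omitted when not given
 * @returns {Promise<boolean>} true when a new identity was enrolled and stored
 */
async function enrollIntoWallet(wallet, caInfo, caName, label, profile) {
  if (await wallet.get(label)) {
    console.log(`An identity for the client user "${label}" already exists in the wallet`);
    return false;
  }

  // NOTE(review): `verify: false` switches off certificate verification for the
  // HTTPS connection to the CA even though trustedRoots is supplied, so the
  // enrollment secret is sent to a server whose identity was never checked.
  // Set verify to true once the CA's TLS certificate chains to trustedRoots
  // and matches the host name in caInfo.url.
  const ca = new FabricCAServices(
    caInfo.url,
    { trustedRoots: caInfo.tlsCACerts.pem, verify: false },
    caName,
  );

  const request = { enrollmentID: user, enrollmentSecret: userpw };
  if (profile) {
    request.profile = profile;
  }
  const enrollment = await ca.enroll(request);

  // The private key is stored next to the certificate; the wallet is the only
  // place this script keeps it.
  await wallet.put(label, {
    credentials: {
      certificate: enrollment.certificate,
      privateKey: enrollment.key.toBytes(),
    },
    mspId: mspID,
    type: 'X.509',
  });
  return true;
}

/**
 * Make sure the wallet holds both identities the gateway needs: the signing
 * identity (label `user`) and the client TLS identity (label `${user}-tls`).
 *
 * Each identity is checked on its own. Checking only the signing identity
 * would skip the TLS enrollment forever if an earlier run stored the first
 * identity and then failed before storing the second.
 *
 * Logs the error and exits the process with status 1 on any failure.
 *
 * @param {object} wallet - wallet returned by createWallet()
 * @returns {Promise<void>}
 */
async function enrollUser(wallet) {
  try {
    const caInfo = ccp.certificateAuthorities[caConfig.url];

    // Signing identity, issued by the CA named in the connection profile.
    if (await enrollIntoWallet(wallet, caInfo, caInfo.caName, user)) {
      console.log(`Successfully enrolled msp for user "${user}" and imported it into the wallet`);
    }

    // Client TLS identity, issued by the `TLS<caName>` CA at the same URL with the 'tls' profile.
    if (await enrollIntoWallet(wallet, caInfo, `TLS${caInfo.caName}`, `${user}-tls`, 'tls')) {
      console.log(`Successfully enrolled tls-msp for user "${user}" and imported it into the wallet`);
    }
  } catch (error) {
    console.error(`Error enrolling user "${user}": ${error}`);
    process.exit(1);
  }
}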
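/**
 * Connect a Gateway with the enrolled identities, then disconnect again.
 *
 * NOTE(review): in the console output shown with this script, connect()
 * returned without throwing although the endorser connection timed out; the
 * SDK only logged the failure. Reaching disconnect() therefore does not prove
 * that the mutual-TLS connection to the peer was established.
 *
 * NOTE(review): with SDK debug logging enabled, the resolved connection
 * options are logged including the client TLS private key, so such logs must
 * be handled as secrets.
 *
 * Logs the error and exits the process with status 1 on any failure.
 *
 * @param {object} wallet - wallet holding the `user` and `${user}-tls` identities
 * @returns {Promise<void>}
 */
async function startBenchmark(wallet) {
  try {
    const gateway = new Gateway();
    const connectionOptions = {
      // Wallet label of the identity used to sign requests.
      identity: user,
      // Wallet label of the certificate/key pair presented as the TLS client certificate.
      clientTlsIdentity: `${user}-tls`,
      wallet,
      discovery: { enabled: true, asLocalhost: false },
    };
    await gateway.connect(ccp, connectionOptions);
    gateway.disconnect();
  } catch (error) {
    // The original message carried a stray `:"` after "Got error".
    console.error(`Got error: ${error}`);
    process.exit(1);
  }
}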
/**
 * Script entry point: open the wallet, enroll the identities, then run the
 * gateway connection test. Any error that reaches this level is logged and
 * ends the process with status 1.
 */
async function main() {
  try {
    const fsWallet = await createWallet();
    await enrollUser(fsWallet);
    await startBenchmark(fsWallet);
  } catch (failure) {
    console.error(`Error: ${failure}`);
    process.exit(1);
  }
}

main();
connection.json
{
"name": "Org1MSPprofile",
"description": "Network on OpenShift/K8s",
"version": "1.0.0",
"client": {
"organization": "Org1MSP"
},
"organizations": {
"Org1MSP": {
"mspid": "Org1MSP",
"certificateAuthorities": [
"worker2.example.com:30051"
],
"peers": [
"worker2.example.com:30151"
]
}
},
"peers": {
"worker2.example.com:30151": {
"url": "grpcs://worker2.example.com:30151",
"tlsCACerts": {
"pem": "-----BEGIN CERTIFICATE-----\nxxxx==\n-----END CERTIFICATE-----"
},
"grpcOptions": {
"ssl-target-name-override": "worker2.example.com"
}
}
},
"certificateAuthorities": {
"worker2.example.com:30051": {
"url": "https://worker2.example.com:30051",
"caName": "CA",
"tlsCACerts": {
"pem": [
"-----BEGIN CERTIFICATE-----\nxxxx==\n-----END CERTIFICATE-----"
]
},
"httpOptions": {
"verify": false
}
}
}
}
控制台输出
> node ./src/index.js
2020-08-06T15:00:26.046Z - debug: Successfully constructed a winston logger with configurations debug=console, info=console
2020-08-06T15:00:26.276Z - debug: [crypto_ecdsa_aes]: Hash algorithm: SHA2, hash output size: 256
2020-08-06T15:00:26.552Z - debug: [crypto_ecdsa_aes]: Hash algorithm: SHA2, hash output size: 256
2020-08-06T15:00:26.555Z - debug: [FabricCAClient.js]: Successfully constructed Fabric CA client from options - { caname: 'CA',
protocol: 'https',
hostname: 'worker2.example.com',
port: 30051,
tlsOptions:
{ trustedRoots:
[ '-----BEGIN CERTIFICATE-----\nxxxx==\n-----END CERTIFICATE-----' ],
verify: false } }
2020-08-06T15:00:26.555Z - debug: [FabricCAClientService.js]: Successfully constructed Fabric CA service client: endpoint - {"protocol":"https","hostname":"worker2.example.com","port":30051}
2020-08-06T15:00:26.682Z - debug: [crypto_ecdsa_aes]: generateKey, store.setValue
2020-08-06T15:00:26.687Z - debug: [FabricCAClientService.js]: successfully generated key pairs
2020-08-06T15:00:26.785Z - debug: [FabricCAClientService.js]: successfully generated csr
2020-08-06T15:00:26.786Z - debug: [FabricCAClient.js]: CONNECTION_TIMEOUT = 3000, SO_TIMEOUT = infinite
2020-08-06T15:00:27.103Z - debug: [FabricCAClientService.js]: successfully enrolled benchmark
Successfully enrolled msp for user "benchmark" and imported it into the wallet
2020-08-06T15:00:27.109Z - debug: [crypto_ecdsa_aes]: Hash algorithm: SHA2, hash output size: 256
2020-08-06T15:00:27.110Z - debug: [FabricCAClient.js]: Successfully constructed Fabric CA client from options - { caname: 'TLSCA',
protocol: 'https',
hostname: 'worker2.example.com',
port: 30051,
tlsOptions:
{ trustedRoots:
[ '-----BEGIN CERTIFICATE-----\nxxxx==\n-----END CERTIFICATE-----' ],
verify: false } }
2020-08-06T15:00:27.110Z - debug: [FabricCAClientService.js]: Successfully constructed Fabric CA service client: endpoint - {"protocol":"https","hostname":"worker2.example.com","port":30051}
2020-08-06T15:00:27.174Z - debug: [crypto_ecdsa_aes]: generateKey, store.setValue
2020-08-06T15:00:27.175Z - debug: [FabricCAClientService.js]: successfully generated key pairs
2020-08-06T15:00:27.255Z - debug: [FabricCAClientService.js]: successfully generated csr
2020-08-06T15:00:27.255Z - debug: [FabricCAClient.js]: CONNECTION_TIMEOUT = 3000, SO_TIMEOUT = infinite
2020-08-06T15:00:27.489Z - debug: [FabricCAClientService.js]: successfully enrolled benchmark
Successfully enrolled tls-msp for user "benchmark" and imported it into the wallet
2020-08-06T15:00:27.492Z - debug: [Gateway]: in Gateway constructor
2020-08-06T15:00:27.495Z - debug: [Gateway]: connect - start
2020-08-06T15:00:27.495Z - debug: [Gateway]: connection options: {"identity":"benchmark","tlsInfo":{"certificate":"-----BEGIN CERTIFICATE-----\nxxxx/o=\n-----END CERTIFICATE-----\n","key":"-----BEGIN PRIVATE KEY-----\r\nxxxx\r\n-----END PRIVATE KEY-----\r\n"},"wallet":{"providerRegistry":{"providers":{}},"store":{"storePath":"/home/user/test/benchmark/identity/wallet"}},"discovery":{"enabled":true,"asLocalhost":false}}
2020-08-06T15:00:27.496Z - debug: [Client]: Client.constructor[gateway client] - start
2020-08-06T15:00:27.496Z - debug: [Gateway]: connect - setting identity from wallet
2020-08-06T15:00:27.498Z - debug: [crypto_ecdsa_aes]: createKeyFromRaw - start
2020-08-06T15:00:27.500Z - debug: [crypto_ecdsa_aes]: createKeyFromRaw - have the key [Circular]
2020-08-06T15:00:27.500Z - debug: [crypto_ecdsa_aes]: createKeyFromRaw - start
2020-08-06T15:00:27.502Z - debug: [crypto_ecdsa_aes]: createKeyFromRaw - have the key [Circular]
2020-08-06T15:00:27.503Z - debug: [Gateway]: connect - setting tlsInfo
2020-08-06T15:00:27.503Z - debug: [Client]: setTlsClientCertAndKey: gateway client - start
2020-08-06T15:00:27.503Z - debug: [Gateway]: connect - NetworkConfig loading client from ccp
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: loadFromConfig - start
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: buildPeer - start - worker2.example.com:30151
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: findPeerMspid - start for worker2.example.com:30151
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: findPeerMspid - checking peer worker2.example.com:30151 in org Org1MSP
2020-08-06T15:00:27.504Z - debug: [NetworkConfig]: findPeerMspid - found mspid Org1MSP for worker2.example.com:30151
2020-08-06T15:00:27.505Z - debug: [NetworkConfig]: buildOptions - start
2020-08-06T15:00:27.505Z - debug: [Client]: newEndpoint: gateway client - start
2020-08-06T15:00:27.505Z - debug: [Client]: getConnectionOptions: gateway client - start
2020-08-06T15:00:27.506Z - debug: [Client]: newEndpoint: gateway client grpc-wait-for-ready-timeout set to 3000
2020-08-06T15:00:27.506Z - debug: [Client]: newEndpoint: gateway client - ssl_target_name_override: worker2.example.com
2020-08-06T15:00:27.507Z - debug: [Endpoint]: Endpoint.constructor - start
2020-08-06T15:00:27.508Z - debug: [Client]: new endpoint url: grpcs://worker2.example.com:30151
2020-08-06T15:00:27.508Z - debug: [NetworkConfig]: buildPeer - about to connect to endorser worker2.example.com:30151 url:grpcs://worker2.example.com:30151 mspid:Org1MSP
2020-08-06T15:00:27.508Z - debug: [Client]: getEndorser: gateway client start name:worker2.example.com:30151
2020-08-06T15:00:27.508Z - debug: [Client]: getEndorser: gateway client create endorser name:worker2.example.com:30151
2020-08-06T15:00:27.509Z - debug: [Endorser]: Endorser.constructor[worker2.example.com:30151] - start
2020-08-06T15:00:27.509Z - debug: [Client]: getEndorser: gateway client return endorser name:worker2.example.com:30151
2020-08-06T15:00:27.509Z - debug: [ServiceEndpoint]: connect[Endorser-worker2.example.com:30151] - start
2020-08-06T15:00:27.509Z - debug: [ServiceEndpoint]: connect[Endorser-worker2.example.com:30151] - create the grpc service for worker2.example.com:30151
2020-08-06T15:00:27.513Z - debug: [ServiceEndpoint]: waitForReady - start Endorser-worker2.example.com:30151 - grpcs://worker2.example.com:30151
2020-08-06T15:00:27.513Z - debug: [ServiceEndpoint]: waitForReady - promise running worker2.example.com:30151 - grpcs://worker2.example.com:30151
2020-08-06T15:00:30.514Z - error: [ServiceEndpoint]: Error: Failed to connect before the deadline on Endorser- name: worker2.example.com:30151, url:grpcs://worker2.example.com:30151, connected:false, connectAttempted:true
2020-08-06T15:00:30.514Z - error: [ServiceEndpoint]: Error: Failed to connect before the deadline on Endorser- name: worker2.example.com:30151, url:grpcs://worker2.example.com:30151, connected:false, connectAttempted:true
2020-08-06T15:00:30.514Z - error: [ServiceEndpoint]: waitForReady - Failed to connect to remote gRPC server worker2.example.com:30151 url:grpcs://worker2.example.com:30151 timeout:3000
2020-08-06T15:00:30.514Z - error: [ServiceEndpoint]: waitForReady - Failed to connect to remote gRPC server worker2.example.com:30151 url:grpcs://worker2.example.com:30151 timeout:3000
2020-08-06T15:00:30.514Z - error: [NetworkConfig]: buildPeer - Unable to connect to the endorser worker2.example.com:30151 due to Error: Failed to connect before the deadline on Endorser- name: worker2.example.com:30151, url:grpcs://worker2.example.com:30151, connected:false, connectAttempted:true
2020-08-06T15:00:30.514Z - error: [NetworkConfig]: buildPeer - Unable to connect to the endorser worker2.example.com:30151 due to Error: Failed to connect before the deadline on Endorser- name: worker2.example.com:30151, url:grpcs://worker2.example.com:30151, connected:false, connectAttempted:true
2020-08-06T15:00:30.514Z - debug: [NetworkConfig]: loadFromConfig - end
2020-08-06T15:00:30.514Z - debug: [Gateway]: connect - end
2020-08-06T15:00:30.515Z - debug: [Gateway]: in disconnect
对等节点(peer)日志
[36m2020-08-06 15:09:29.718 UTC [grpc] Warning -> DEBU bba5[0m grpc: Server.Serve failed to create ServerTransport: connection error: desc = "transport: http2Server.HandleStreams failed to receive the preface from client: EOF"
[36m2020-08-06 15:09:30.904 UTC [grpc] Warning -> DEBU bba6[0m grpc: Server.Serve failed to create ServerTransport: connection error: desc = "transport: http2Server.HandleStreams failed to receive the preface from client: EOF"
[36m2020-08-06 15:09:32.344 UTC [gossip.discovery] periodicalSendAlive -> DEBU bbaf[0m Sleeping 5s
[36m2020-08-06 15:09:32.743 UTC [grpc] Warning -> DEBU bbb0[0m grpc: Server.Serve failed to create ServerTransport: connection error: desc = "transport: http2Server.HandleStreams failed to receive the preface from client: EOF"
所以有些东西到达了对等点。我只是不知道为什么无法建立连接。
清单:
- 在 connection.json 中提供了 org1 的 tlscacert?已确认
- 为客户端注册了 TLS 身份?已确认
- 向网关提供了 TLS 身份?已确认
- 在 connection.json 的对等节点(peer)配置中尝试过 httpOptions.verify = false?已确认
- user 和 ${user}-tls 两者都尝试过作为网关身份?已确认
有任何想法吗?
版本:
对等节点(peer):2.1
Node - fabric-ca-client:“^2.2.0”
Node - fabric-network:“^2.2.0”
亲切的问候