I created 2 orgs with 1 peer each and one orderer, deployed in docker swarm.
I did not use cryptogen; I used fabric-ca to generate the identities. I was able to start the peers and the orderer, create a channel, and join both peers to the channel.
After joining the peers to the channel, I can see this in the orderer log:
2021-06-30 20:38:02.241 UTC [policies] SignatureSetToValidIdentities -> WARN 1ea invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:38:02.242 UTC [policies] SignatureSetToValidIdentities -> WARN 1eb invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:38:02.243 UTC [policies] SignatureSetToValidIdentities -> WARN 1ec invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:38:02.243 UTC [common.deliver] deliverBlocks -> WARN 1ed [channel: mychannel] Client 10.200.1.4:59232 is not authorized: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2021-06-30 20:38:02.243 UTC [comm.grpc.server] 1 -> INFO 1ee streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=10.200.1.4:59232 grpc.code=OK grpc.call_duration=2.409698ms
2021-06-30 20:38:49.480 UTC [policies] SignatureSetToValidIdentities -> WARN 1ef invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:38:49.481 UTC [policies] SignatureSetToValidIdentities -> WARN 1f0 invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:38:49.481 UTC [policies] SignatureSetToValidIdentities -> WARN 1f1 invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:38:49.481 UTC [common.deliver] deliverBlocks -> WARN 1f2 [channel: mychannel] Client 10.200.1.4:37920 is not authorized: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2021-06-30 20:38:49.482 UTC [comm.grpc.server] 1 -> INFO 1f3 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=10.200.1.4:37920 grpc.code=OK grpc.call_duration=2.250383ms
2021-06-30 20:40:58.639 UTC [policies] SignatureSetToValidIdentities -> WARN 1f4 invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:40:58.640 UTC [policies] SignatureSetToValidIdentities -> WARN 1f5 invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:40:58.640 UTC [policies] SignatureSetToValidIdentities -> WARN 1f6 invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:40:58.641 UTC [common.deliver] deliverBlocks -> WARN 1f7 [channel: mychannel] Client 10.200.1.4:59250 is not authorized: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2021-06-30 20:40:58.641 UTC [comm.grpc.server] 1 -> INFO 1f8 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=10.200.1.4:59250 grpc.code=OK grpc.call_duration=16.793212ms
Peer log:
2021-06-30 20:40:58.641 UTC [peer.blocksprovider] DeliverBlocks -> WARN 094 Got error while attempting to receive blocks: received bad status FORBIDDEN from orderer channel=mychannel orderer-address=orderer.example.com:7050
2021-06-30 20:44:30.298 UTC [peer.blocksprovider] func1 -> WARN 095 Encountered an error reading from deliver stream: EOF channel=mychannel orderer-address=orderer.example.com:7050
2021-06-30 20:44:30.298 UTC [peer.blocksprovider] DeliverBlocks -> WARN 096 Got error while attempting to receive blocks: received bad status FORBIDDEN from orderer channel=mychannel orderer-address=orderer.example.com:7050
2021-06-30 20:48:44.848 UTC [peer.blocksprovider] DeliverBlocks -> WARN 098 Got error while attempting to receive blocks: received bad status FORBIDDEN from orderer channel=mychannel orderer-address=orderer.example.com:7050
2021-06-30 20:48:44.848 UTC [peer.blocksprovider] func1 -> WARN 097 Encountered an error reading from deliver stream: EOF channel=mychannel orderer-address=orderer.example.com:7050
2021-06-30 20:53:49.733 UTC [peer.blocksprovider] func1 -> WARN 099 Encountered an error reading from deliver stream: EOF channel=mychannel orderer-address=orderer.example.com:7050
2021-06-30 20:53:49.734 UTC [peer.blocksprovider] DeliverBlocks -> WARN 09a Got error while attempting to receive blocks: received bad status FORBIDDEN from orderer channel=mychannel orderer-address=orderer.example.com:7050
configtx.yaml file:
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#

---
################################################################################
#
#   Section: Organizations
#
#   - This section defines the different organizational identities which will
#   be referenced later in the configuration.
#
################################################################################
Organizations:

    # SampleOrg defines an MSP using the sampleconfig. It should never be used
    # in production but may be used as a template for other definitions
    - &OrdererOrg
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: OrdererOrg

        # ID to load the MSP definition as
        ID: OrdererMSP

        # MSPDir is the filesystem path which contains the MSP configuration
        MSPDir: /var/mynetwork/organizations/ordererOrganizations/example.com/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('OrdererMSP.admin')"

        OrdererEndpoints:
            - orderer.example.com:7050

    - &Org1
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: Org1MSP

        # ID to load the MSP definition as
        ID: Org1MSP

        MSPDir: /var/mynetwork/organizations/peerOrganizations/org1.example.com/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org1MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('Org1MSP.peer')"

    - &Org2
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: Org2MSP

        # ID to load the MSP definition as
        ID: Org2MSP

        MSPDir: /var/mynetwork/organizations/peerOrganizations/org2.example.com/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org2MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('Org2MSP.peer')"

################################################################################
#
#   SECTION: Capabilities
#
#   - This section defines the capabilities of fabric network. This is a new
#   concept as of v1.1.0 and should not be utilized in mixed networks with
#   v1.0.x peers and orderers.  Capabilities define features which must be
#   present in a fabric binary for that binary to safely participate in the
#   fabric network.  For instance, if a new MSP type is added, newer binaries
#   might recognize and validate the signatures from this type, while older
#   binaries without this support would be unable to validate those
#   transactions.  This could lead to different versions of the fabric binaries
#   having different world states.  Instead, defining a capability for a channel
#   informs those binaries without this capability that they must cease
#   processing transactions until they have been upgraded.  For v1.0.x if any
#   capabilities are defined (including a map with all capabilities turned off)
#   then the v1.0.x peer will deliberately crash.
#
################################################################################
Capabilities:
    # Channel capabilities apply to both the orderers and the peers and must be
    # supported by both.
    # Set the value of the capability to true to require it.
    Channel: &ChannelCapabilities
        # V2_0 capability ensures that orderers and peers behave according
        # to v2.0 channel capabilities. Orderers and peers from
        # prior releases would behave in an incompatible way, and are therefore
        # not able to participate in channels at v2.0 capability.
        # Prior to enabling V2.0 channel capabilities, ensure that all
        # orderers and peers on a channel are at v2.0.0 or later.
        V2_0: true

    # Orderer capabilities apply only to the orderers, and may be safely
    # used with prior release peers.
    # Set the value of the capability to true to require it.
    Orderer: &OrdererCapabilities
        # V2_0 orderer capability ensures that orderers behave according
        # to v2.0 orderer capabilities. Orderers from
        # prior releases would behave in an incompatible way, and are therefore
        # not able to participate in channels at v2.0 orderer capability.
        # Prior to enabling V2.0 orderer capabilities, ensure that all
        # orderers on channel are at v2.0.0 or later.
        V2_0: true

    # Application capabilities apply only to the peer network, and may be safely
    # used with prior release orderers.
    # Set the value of the capability to true to require it.
    Application: &ApplicationCapabilities
        # V2_0 application capability ensures that peers behave according
        # to v2.0 application capabilities. Peers from
        # prior releases would behave in an incompatible way, and are therefore
        # not able to participate in channels at v2.0 application capability.
        # Prior to enabling V2.0 application capabilities, ensure that all
        # peers on channel are at v2.0.0 or later.
        V2_0: true

################################################################################
#
#   SECTION: Application
#
#   - This section defines the values to encode into a config transaction or
#   genesis block for application related parameters
#
################################################################################
Application: &ApplicationDefaults

    # Organizations is the list of orgs which are defined as participants on
    # the application side of the network
    Organizations:

    # Policies defines the set of policies at this level of the config tree
    # For Application policies, their canonical path is
    #   /Channel/Application/<PolicyName>
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        LifecycleEndorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"
        Endorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"

    Capabilities:
        <<: *ApplicationCapabilities

################################################################################
#
#   SECTION: Orderer
#
#   - This section defines the values to encode into a config transaction or
#   genesis block for orderer related parameters
#
################################################################################
Orderer: &OrdererDefaults

    # Orderer Type: The orderer implementation to start
    OrdererType: etcdraft

    # Addresses used to be the list of orderer addresses that clients and peers
    # could connect to.  However, this does not allow clients to associate orderer
    # addresses and orderer organizations which can be useful for things such
    # as TLS validation.  The preferred way to specify orderer addresses is now
    # to include the OrdererEndpoints item in your org definition
    Addresses:
        - orderer.example.com:7050

    EtcdRaft:
        Consenters:
        - Host: orderer.example.com
          Port: 7050
          ClientTLSCert: /var/mynetwork/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
          ServerTLSCert: /var/mynetwork/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt

    # Batch Timeout: The amount of time to wait before creating a batch
    BatchTimeout: 2s

    # Batch Size: Controls the number of messages batched into a block
    BatchSize:

        # Max Message Count: The maximum number of messages to permit in a batch
        MaxMessageCount: 10

        # Absolute Max Bytes: The absolute maximum number of bytes allowed for
        # the serialized messages in a batch.
        AbsoluteMaxBytes: 99 MB

        # Preferred Max Bytes: The preferred maximum number of bytes allowed for
        # the serialized messages in a batch. A message larger than the preferred
        # max bytes will result in a batch larger than preferred max bytes.
        PreferredMaxBytes: 512 KB

    # Organizations is the list of orgs which are defined as participants on
    # the orderer side of the network
    Organizations:

    # Policies defines the set of policies at this level of the config tree
    # For Orderer policies, their canonical path is
    #   /Channel/Orderer/<PolicyName>
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        # BlockValidation specifies what signatures must be included in the block
        # from the orderer for the peer to validate it.
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"

################################################################################
#
#   CHANNEL
#
#   This section defines the values to encode into a config transaction or
#   genesis block for channel related parameters.
#
################################################################################
Channel: &ChannelDefaults
    # Policies defines the set of policies at this level of the config tree
    # For Channel policies, their canonical path is
    #   /Channel/<PolicyName>
    Policies:
        # Who may invoke the 'Deliver' API
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        # Who may invoke the 'Broadcast' API
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        # By default, who may modify elements at this config level
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"

    # Capabilities describes the channel level capabilities, see the
    # dedicated Capabilities section elsewhere in this file for a full
    # description
    Capabilities:
        <<: *ChannelCapabilities

################################################################################
#
#   Profile
#
#   - Different configuration profiles may be encoded here to be specified
#   as parameters to the configtxgen tool
#
################################################################################
Profiles:

    TwoOrgsOrdererGenesis:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            Organizations:
                - *OrdererOrg
            Capabilities:
                <<: *OrdererCapabilities
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *Org1
                    - *Org2
    TwoOrgsChannel:
        Consortium: SampleConsortium
        <<: *ChannelDefaults
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *Org1
                - *Org2
            Capabilities:
                <<: *ApplicationCapabilities
org1 MSP certificate:
openssl x509 -in /var/mynetwork/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/signcerts/cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2f:f4:f1:84:51:df:a1:f1:f7:b2:6d:a2:01:5a:23:58:e3:f1:3d:53
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = fabric-ca-server
        Validity
            Not Before: Jun 29 17:51:00 2021 GMT
            Not After : Jun 29 17:56:00 2022 GMT
        Subject: C = US, ST = North Carolina, O = Hyperledger, OU = admin, CN = org1admin
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:d4:19:a3:9b:d9:13:3b:37:03:55:61:46:4f:a5:
                    f6:ff:e3:74:0d:f8:c4:eb:d9:5b:de:d6:06:dd:36:
                    3a:bd:82:dc:b3:e3:a2:7e:0e:e7:45:b3:c1:3c:69:
                    0b:ad:30:95:bb:dc:e8:b3:9a:88:09:5c:b7:d8:79:
                    ba:58:b3:aa:48
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                42:19:31:0A:C0:08:48:C6:2D:5A:1D:85:FC:E6:42:02:9E:44:74:13
            X509v3 Authority Key Identifier:
                keyid:48:5D:23:A8:92:AE:71:00:E4:8A:2B:8D:13:D1:CA:62:28:08:5B:5C
            X509v3 Subject Alternative Name:
                DNS:ubuntupc
            1.2.3.4.5.6.7.8.1:
                {"attrs":{"hf.Affiliation":"","hf.EnrollmentID":"org1admin","hf.Type":"admin"}}
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:64:c9:28:09:8d:06:f0:b6:68:1a:60:9f:ea:ec:
         aa:df:2e:1a:2e:2c:94:bd:0f:60:db:7d:fc:a8:ed:87:f0:9b:
         02:20:42:93:f3:c6:b3:b8:40:d2:f7:23:c8:67:5d:ca:fd:a0:
         2b:71:ac:1f:4b:f6:f9:ec:33:78:47:48:11:4a:04:eb
I don't know what I'm missing. Does orderer communication require anchor peers?
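The orderer's `invalid identity ... x509: certificate signed by unknown authority` line is the MSP trust-root check failing before any Readers policy is even evaluated: the orderer takes the certificate the peer presented on Deliver (subject CN=peer0.org1.example.com, OU=COP, L=San Francisco, ST=California in the log above) and tries to chain it to the CA certificates recorded for Org1MSP in the channel config, which came from the `msp/cacerts` under the `MSPDir` in configtx.yaml at the moment the genesis block was generated. The admin certificate shown above was issued by `CN=fabric-ca-server` with ST=North Carolina, O=Hyperledger, so the first thing to confirm is that peer0's `msp/signcerts/cert.pem` really chains to the same `cacerts` entry the channel knows about. The Go program below is an added example (not code from the post or from Fabric itself) that reproduces that check with the same `crypto/x509` verifier Fabric's MSP uses and therefore the same error text; it generates two throw-away CAs in memory (constructed sample data), issues a peer cert from each, and verifies both against only the first CA, which is what the channel config would hold. Subject names and the "COP"/"peer" OUs are illustrative assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent (self-signed when parent is nil) using a fresh P-256 key,
// the key type Fabric CA issues by default. Returns the parsed certificate and its key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func toPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

func peerTemplate(cn, ou string) *x509.Certificate { // like msp/signcerts/cert.pem
	return &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:  pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		KeyUsage: x509.KeyUsageDigitalSignature}
}

// VerifyAgainstMSPRoots is the trust-root check: the identity must chain to one of the CA
// certificates (msp/cacerts) carried in the channel's MSP definition. A cert from any other
// CA fails with x509.UnknownAuthorityError, the error string seen in the orderer log.
func VerifyAgainstMSPRoots(signCert []byte, caCerts [][]byte) error {
	block, _ := pem.Decode(signCert)
	if block == nil {
		return errors.New("signcert: no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	for _, ca := range caCerts {
		if !roots.AppendCertsFromPEM(ca) {
			return errors.New("cacerts: entry is not a PEM certificate")
		}
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// IsUnknownAuthority reports whether err is the "certificate signed by unknown authority" failure.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// Demo issues one peer cert from the CA the channel MSP knows and one from a different CA
// (assumption: e.g. a second CA instance or cryptogen output that never went into configtx).
func Demo() (matchErr, mismatchErr error) {
	mspCA, mspKey, err := issue(caTemplate("fabric-ca-server"), nil, nil)
	if err != nil {
		return err, err
	}
	strayCA, strayKey, err := issue(caTemplate("ca.org1.example.com"), nil, nil)
	if err != nil {
		return err, err
	}
	good, _, err := issue(peerTemplate("peer0.org1.example.com", "peer"), mspCA, mspKey)
	if err != nil {
		return err, err
	}
	stray, _, err := issue(peerTemplate("peer0.org1.example.com", "COP"), strayCA, strayKey)
	if err != nil {
		return err, err
	}
	roots := [][]byte{toPEM(mspCA)} // what msp/cacerts under MSPDir held when the genesis block was built
	return VerifyAgainstMSPRoots(toPEM(good), roots), VerifyAgainstMSPRoots(toPEM(stray), roots)
}

func main() {
	ok, bad := Demo()
	fmt.Println("cert from the MSP's own CA:", ok)  // <nil>
	fmt.Println("cert from another CA:      ", bad) // x509: certificate signed by unknown authority
}
```

On a real deployment the two inputs are the peer's `msp/signcerts/cert.pem` and every file in the `msp/cacerts` directory named by `MSPDir` in configtx.yaml, and the same check can be done without Go using `openssl verify -CAfile <cacert> <signcert>`. Two caveats a practitioner should keep in mind: the orderer validates against the roots frozen into the channel config, so regenerating the org's MSP after `configtxgen` ran leaves the channel trusting the old CA until a config update replaces it; and once the chain verifies, an MSP with NodeOUs enabled still requires the OU (`peer`, `client`, `admin`, `orderer`) to match for the `Org1MSP.peer`-style role in the Readers policy to be satisfied, so a certificate that chains correctly but carries an unrecognized OU fails at the next step rather than this one.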