Peer Channel Create in docker container fails with: identity is not valid: x509: certificate signed by unknown authority

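I am taking a course on Hyperledger Fabric 1.4 from Blockchain Training Alliance.*

I am trying to start a channel on a dev test network and keep getting the following error: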

2020-07-07 01:41:48.496 UTC [cauthdsl] deduplicate -> ERRO 34f Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0

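I saw in a post by anjy that network time synchronization problems can cause this issue. The time on my container and on the host VM did appear to be different, so I installed ntpdate and ran sudo ntpdate pool.ntp.org on the host VM before starting the network. This fixed the time issue, but the above error persists.

According to a post by Nikhil Gupta, this error means that "the MSP ID passed as the request parameter was not recognized by the ordering service."
"The ordering service recognized your MSP ID, but could not validate that your certificate was issued by one of your organization's certificate authorities."

I am creating my artifacts using cryptogen and configtxgen as follows: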

$ cryptogen generate --config=./crypto-config.yaml

I then edit docker-compose.yml to include the newly generated sk value and continue with:

$ configtxgen -profile DefaultBlockOrderingService -outputBlock ./config/genesis.block -configPath $PWD

$ configtxgen -profile btaMembersOnly -outputCreateChannelTx ./config/btamembersonly.tx -channelID btamembersonly

After successfully creating the genesis block and channel transaction artifacts, I start the network:

$ docker-compose -f docker-compose.yml up -d Devorderer.btacoin.com Andy.BTA.btacoin.com GeneralCA.btacoin.com cli

andy@ubuntu-server:~/fabric/network$ docker ps
CONTAINER ID        IMAGE                        COMMAND                  CREATED             STATUS              PORTS                                            NAMES
f406f488ede5        hyperledger/fabric-peer      "peer node start"        4 seconds ago       Up 1 second         0.0.0.0:7051->7051/tcp, 0.0.0.0:7053->7053/tcp   Andy.BTA.btacoin.com
0900795b1368        hyperledger/fabric-tools     "/bin/bash"              4 seconds ago       Up 2 seconds                                                         cli
c4946b315b08        hyperledger/fabric-orderer   "orderer"                6 seconds ago       Up 3 seconds        0.0.0.0:7050->7050/tcp                           Devorderer.btacoin.com
2e66b1d981f5        hyperledger/fabric-ca        "sh -c 'fabric-ca-se…"   6 seconds ago       Up 3 seconds        0.0.0.0:7054->7054/tcp                           GeneralCA.btacoin.com

I then log into the admin peer and attempt to start the channel:

$ docker exec -it Andy.BTA.btacoin.com bash
# cd /etc/hyperledger/configtx
# export CORE_PEER_LOCALMSPID=BTAMSP
# export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin@BTA.btacoin.com/msp
# peer channel create -o Devorderer.btacoin.com:7050 -f /etc/hyperledger/configtx/btamembersonly.tx -c btamembersonly

At this point, I receive the following error:

Error: got unexpected status: BAD_REQUEST -- error validating channel creation transaction for new channel 'btamembersonly', could not succesfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group]  /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied

At this point, the orderer node log shows the error mentioned at the beginning:

2020-07-07 01:57:04.947 UTC [cauthdsl] deduplicate -> ERRO 34f Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
    2020-07-07 01:57:04.947 UTC [cauthdsl] func1 -> DEBU 350 0xc00046e820 gate 1594087024947536840 evaluation starts
    2020-07-07 01:57:04.947 UTC [cauthdsl] func2 -> DEBU 351 0xc00046e820 signed by 0 principal evaluation starts (used [false])
    2020-07-07 01:57:04.947 UTC [cauthdsl] func2 -> DEBU 352 0xc00046e820 principal evaluation fails
    2020-07-07 01:57:04.947 UTC [cauthdsl] func1 -> DEBU 353 0xc00046e820 gate 1594087024947536840 evaluation fails
    2020-07-07 01:57:04.947 UTC [policies] Evaluate -> DEBU 354 Signature set did not satisfy policy /Channel/Application/BTAMSP/Admins
    2020-07-07 01:57:04.947 UTC [policies] Evaluate -> DEBU 355 == Done Evaluating *cauthdsl.policy Policy /Channel/Application/BTAMSP/Admins
    2020-07-07 01:57:04.947 UTC [policies] func1 -> DEBU 356 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ BTAMSP/Admins ]
    2020-07-07 01:57:04.947 UTC [policies] Evaluate -> DEBU 357 Signature set did not satisfy policy /Channel/Application/ChannelCreationPolicy
    2020-07-07 01:57:04.947 UTC [policies] Evaluate -> DEBU 358 == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Application/ChannelCreationPolicy
    2020-07-07 01:57:04.947 UTC [orderer.common.broadcast] ProcessMessage -> WARN 359 [channel: btamembersonly] Rejecting broadcast of config message from 172.18.0.4:56024 because of error: error validating channel creation transaction for new channel 'btamembersonly', could not succesfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group]  /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
    2020-07-07 01:57:04.947 UTC [orderer.common.server] func1 -> DEBU 35a Closing Broadcast stream
    2020-07-07 01:57:04.947 UTC [comm.grpc.server] 1 -> INFO 35b streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Broadcast grpc.peer_address=172.18.0.4:56024 grpc.code=OK grpc.call_duration=12.196088ms
    2020-07-07 01:57:04.960 UTC [common.deliver] Handle -> WARN 35c Error reading from 172.18.0.4:56022: rpc error: code = Canceled desc = context canceled
    2020-07-07 01:57:04.961 UTC [orderer.common.server] func1 -> DEBU 35d Closing Deliver stream
    2020-07-07 01:57:04.961 UTC [comm.grpc.server] 1 -> INFO 35e streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=172.18.0.4:56022 error="rpc error: code = Canceled desc = context canceled" grpc.code=Canceled grpc.call_duration=27.125361ms
    2020-07-07 01:57:04.964 UTC [grpc] infof -> DEBU 35f transport: loopyWriter.run returning. connection error: desc = "transport is closing"
    2020-07-07 01:57:04.964 UTC [grpc] infof -> DEBU 360 transport: loopyWriter.run returning. connection error: desc = "transport is closing"

I'm not sure where to go next to troubleshoot.

My setup is as follows (please let me know if I've missed any key information):

andy@ubuntu-server:~/fabric/network$ tree -L 2
.
├── config
│   ├── btamembersonly.tx
│   └── genesis.block
├── configtx.yaml
├── crypto-config
│   ├── ordererOrganizations
│   └── peerOrganizations
├── crypto-config.yaml
├── defaults
│   ├── core.yaml
│   └── orderer.yaml
└── docker-compose.yml

docker-compose.yml

andy@ubuntu-server:~/fabric/network$ cat -n docker-compose.yml 
     1    version: '2'
     2
     3    networks:
     4      btacoin:
     5
     6    services:
     7      GeneralCA.btacoin.com:
     8        container_name: GeneralCA.btacoin.com
     9        image: hyperledger/fabric-ca
    10        command: sh -c 'fabric-ca-server start -b btaCA:SimplePassword' #startup command
    11        environment:
    12          - FABRIC_CA_SERVER_CA_NAME=GeneralCA.btacoin.com
    13          - FABRIC_LOGGING_SPEC=debug
    14          - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    15          - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.BTA.btacoin.com-cert.pem
    16          - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/ccb94b9473ef97a36b7d83beeb80583e9a2bda50ca5a392071b3c96185948ed7_sk
    17        volumes:
    18          - ./crypto-config/peerOrganizations/BTA.btacoin.com/ca/:/etc/hyperledger/fabric-ca-server-config
    19        ports:
    20          - 7054:7054
    21        networks:
    22          - btacoin
    23
    24      Devorderer.btacoin.com:
    25        container_name: Devorderer.btacoin.com
    26        image: hyperledger/fabric-orderer
    27        command: orderer  #startup command  
    28        environment:
    29          - FABRIC_LOGGING_SPEC=info
    30          - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
    31          - ORDERER_GENERAL_GENESISMETHOD=file
    32          - FABRIC_LOGGING_SPEC=debug         
    33          - ORDERER_GENERAL_LOCALMSPID=btacoinOrderersMSP
    34          - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/msp/orderer/msp
    35          - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
    36
    37        volumes:
    38          - ./config/:/etc/hyperledger/configtx
    39          - ./crypto-config/ordererOrganizations/btacoin.com/orderers/Devorderer.btacoin.com/:/etc/hyperledger/msp/orderer
    40          - ./crypto-config/peerOrganizations/BTA.btacoin.com/peers/Andy.BTA.btacoin.com/:/etc/hyperledger/msp/BTA
    41        ports:
    42          - 7050:7050
    43        networks:
    44          - btacoin
    45
    46      Andy.BTA.btacoin.com:
    47        container_name: Andy.BTA.btacoin.com
    48        image: hyperledger/fabric-peer
    49        command: peer node start #startup command 
    50        environment:
    51            - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_btacoin
    52            - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
    53            - FABRIC_LOGGING_SPEC=debug
    54            - CORE_PEER_ID=Andy.BTA.btacoin.com
    55            - CORE_PEER_ADDRESS=Andy.BTA.btacoin.com:7051
    56            - CORE_PEER_LOCALMSPID=BTAMSP
    57            - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/peer/
    58        
    59        volumes:
    60          - /var/run/:/host/var/run/
    61          - ./crypto-config/peerOrganizations/BTA.btacoin.com/peers/Andy.BTA.btacoin.com/msp:/etc/hyperledger/msp/peer
    62          - ./crypto-config/peerOrganizations/BTA.btacoin.com/users:/etc/hyperledger/msp/users      
    63          - ./config:/etc/hyperledger/configtx      
    64          - ./../cc:/etc/hyperledger/chaincode 
    65          - ./chaincode:/etc/hyperledger/chaincode #Referenced in the Student Lab Guide
    66        ports: 
    67          - 7051:7051
    68          - 7053:7053
    69        depends_on:
    70          - Devorderer.btacoin.com
    71        networks:
    72          - btacoin
    73
    74      cli:
    75        container_name: cli
    76        image: hyperledger/fabric-tools
    77        command: /bin/bash #startup command  
    78        tty: true
    79        environment:
    80          - GOPATH=/opt/gopath/src
    81          - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
    82          - FABRIC_LOGGING_SPEC=debug
    83          - CORE_PEER_ID=cli
    84          - CORE_PEER_ADDRESS=Andy.BTA.btacoin.com:7051
    85          - CORE_PEER_LOCALMSPID=BTAMSP
    86          - CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/BTA.btacoin.com/user/Admin@BTA.btacoin.com/msp
    87
    88        volumes:
    89          - /var/run/:/host/var/run/
    90          - ./../cc/:/opt/gopath/src/
    91          - ./crypto-config:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/
    92  #       - ./cryptoconfig:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/
    93          - ./config:/etc/hyperledger/configtx
    94        depends_on:
    95          - Devorderer.btacoin.com
    96        networks:
    97          - btacoin

configtx.yaml

andy@ubuntu-server:~/fabric/network$ cat -n configtx.yaml 
     1  Organizations:
     2      - &btacoinOrderers
     3          Name: btacoinOrderersMSP
     4          ID: btacoinOrderersMSP
     5          MSPDir: crypto-config/ordererOrganizations/btacoin.com/msp
     6      - &BTA
     7          Name: BTAMSP 
     8          ID: BTAMSP
     9          MSPDir: crypto-config/ordererOrganizations/btacoin.com/msp
    10          AnchorPeers:
    11            - Host: Andy.BTA.btacoin.com
    12              Port: 7051
    13
    14  Application:  &ApplicationDefaults
    15      Organizations:
    16
    17  Orderer:  &DevModeOrdering
    18      OrdererType: solo
    19      Addresses: 
    20        - Devorderer.btacoin.com:7050
    21      BatchTimeout: 1s
    22      BatchSize: 
    23        MaxMessageCount: 1
    24
    25  Channel: 
    26
    27  Profiles:
    28    DefaultBlockOrderingService:
    29      Orderer:
    30        <<: *DevModeOrdering
    31        Organizations:
    32          - *btacoinOrderers
    33      Consortiums:
    34        NetworkConsortium: #Note, in the video, this was called SampleConsortium
    35          Organizations:
    36            - *BTA
    37    btaMembersOnly:
    38      Consortium: NetworkConsortium #Note, in the video, this was called SampleConsortium 
    39      Application:
    40        <<: *ApplicationDefaults
    41        Organizations:
    42          - *BTA
    43    

crypto-config.yaml

andy@ubuntu-server:~/fabric/network$ cat -n crypto-config.yaml 
     1  #Note: crypto-config is only used for development purposes, NOT for production purposes
     2  #For production, you should have the Certificate Authority manage things!
     3  OrdererOrgs:
     4    - Name: btacoinOrderers
     5      Domain: btacoin.com
     6      Specs: 
     7        - Hostname: Devorderer
     8
     9  PeerOrgs:
    10    - Name: BTA
    11      Domain: BTA.btacoin.com
    12      Specs: 
    13        - Hostname: Andy
    14      Template:
    15        Count: 1
    16      Users:
    17        Count: 1

CA certificate values used in docker-compose.yml:

andy@ubuntu-server:~/fabric/network$ ls ./crypto-config/peerOrganizations/BTA.btacoin.com/ca
ca.BTA.btacoin.com-cert.pem  ccb94b9473ef97a36b7d83beeb80583e9a2bda50ca5a392071b3c96185948ed7_sk

orderer.yaml and core.yaml come from:
https://s3.us-east-2.amazonaws.com/fabric-masterclass/orderer.yaml
https://s3.us-east-2.amazonaws.com/fabric-masterclass/core.yaml

Docker images come from:

docker pull hyperledger/fabric-peer
docker pull hyperledger/fabric-orderer
docker pull hyperledger/fabric-ca
docker pull hyperledger/fabric-tools

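*The course is self-paced and offers no forum or course support. I would not be posting here if there were another channel for help. (I tried emailing the course creator for help before posting here.)

According to a post by Nikhil Gupta, this error means that "the MSP ID passed as the request parameter was not recognized by the ordering service."

Actually, this is not true. If you read the post carefully, you will see that the error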

ERRO 02d Principal deserialization failure
(the supplied identity is not valid: x509: certificate signed by unknown authority)

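actually indicates that the MSPID was recognized by the system, and that it is in fact your certificate that is invalid. So either the MSPID does not match the certificate, or the CA did not issue the certificate appropriately for that MSPID in your channel configuration.

In your case, given that this is a course exercise rather than a production network, my guess is that the network may have been bootstrapped multiple times without properly cleaning up all the persistent artifacts between steps. I would encourage you to make sure you have removed all docker containers, and especially docker volumes, and try to recreate this failure in a clean environment. The docker-compose you included does enumerate volumes; you can see them with docker volume ls and remove them with docker volume rm $(docker volume ls -q).

As I mentioned in the comments, the course creator sent me a copy of the official YAML files for comparison. After comparing those files with mine, I found that I had entered the wrong MSP for the peer in configtx.yaml. Instead of pointing to the peer's MSP, I was pointing to the orderer's MSP!

Original (with error):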

     6      - &BTA
     7          Name: BTAMSP 
     8          ID: BTAMSP
     9          MSPDir: crypto-config/ordererOrganizations/btacoin.com/msp
    10          AnchorPeers:
    11            - Host: Andy.BTA.btacoin.com
    12              Port: 7051

Corrected line:

     9          MSPDir: crypto-config/peerOrganizations/BTA.btacoin.com/msp

After fixing this line, I was able to successfully create the new channel.
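
A static check for the mistake found above, as an added example that is not part of the original posts: it parses the Organizations section of configtx.yaml and flags two organizations that share one MSPDir, or an organization with AnchorPeers whose MSPDir sits under ordererOrganizations. The function names are hypothetical, the sample is the question's file with the line numbers stripped, and this is a heuristic lint that does not verify any certificate signature.

```python
import re

# Constructed sample: the Organizations section of the question's configtx.yaml.
CONFIGTX = """\
Organizations:
    - &btacoinOrderers
        Name: btacoinOrderersMSP
        ID: btacoinOrderersMSP
        MSPDir: crypto-config/ordererOrganizations/btacoin.com/msp
    - &BTA
        Name: BTAMSP
        ID: BTAMSP
        MSPDir: crypto-config/ordererOrganizations/btacoin.com/msp
        AnchorPeers:
          - Host: Andy.BTA.btacoin.com
            Port: 7051
Application:  &ApplicationDefaults
    Organizations:
"""

def parse_orgs(text):
    """Return one dict per entry of the top-level Organizations list."""
    orgs, in_section = [], False
    for line in text.splitlines():
        if re.match(r"^\S", line):               # any top-level key opens or closes the section
            in_section = line.startswith("Organizations:")
            continue
        if not in_section:
            continue
        if re.match(r"^\s*-\s*&\w+\s*$", line):  # "- &Anchor" starts a new organization
            orgs.append({"anchor": False})
        elif orgs:
            m = re.match(r"^\s*(ID|MSPDir):\s*(\S+)", line)
            if m:
                orgs[-1][m.group(1)] = m.group(2)
            elif re.match(r"^\s*AnchorPeers:", line):
                orgs[-1]["anchor"] = True        # only peer organizations declare anchor peers
    return orgs

def lint(text):  # returns a list of human-readable findings, empty when clean
    findings, seen = [], {}
    for org in parse_orgs(text):
        oid, mspdir = org.get("ID"), org.get("MSPDir", "")
        if mspdir in seen:
            findings.append(f"{oid}: MSPDir is the same as {seen[mspdir]}'s ({mspdir})")
        seen.setdefault(mspdir, oid)
        if org["anchor"] and "/ordererOrganizations/" in f"/{mspdir}":
            findings.append(f"{oid}: has AnchorPeers but MSPDir is under ordererOrganizations")
    return findings
```

Running lint() on the file before configtxgen catches the case where the genesis block would carry the orderer organization's CA certificates under the peer organization's MSP ID.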
