Hyperledger Fabric 2.3 connection issue

I am running into a problem while querying the ledger. Here is how our network is laid out. There are 2 organizations on a Kubernetes cluster inside the corporate network and one on a Docker swarm on an Azure VM outside the network. The Azure VM node and the k8s cluster nodes talk to each other through an nginx server. The reason behind this elaborate setup is that our supply-chain use case needs partners from different companies to join our network, so to simulate an external partner outside the corporate network we use the Azure VM. Since we plan to productionize the implementation, we could not use the certificates generated by Fabric's crypto-config and obtained new certificates issued with our company's intermediate and root certificates. With this network setup the chaincode is installed, the endorsement policy is enabled, and it works perfectly on all 3 nodes. We are using Fabric 2.3.0.

The first issue I hit was with the TLS certificates used in the connection.json file. That was resolved by chaining the certificates as described in the SO post linked here. The current issue is that the nodejs code is able to connect to the organization but cannot perform any read or write operation. In the JS code below, if I uncomment the console log of the channel.getPeer() response, it prints the whole peer object correctly.

Here is my connection.json. The 10.100.xx.xx IPs are all pods on the k8s cluster, and public.ip.address is the IP of the nginx server.

{
    "name": "byfn",
    "version": "1.0.0",
    "client": {
        "organization": "ORG2MSP",
        "connection": {
            "timeout": {
                "peer": {
                    "endorser": "10000"
                },
                "orderer": "10000"
            }
        }
    },
    "channels": {
        "supplychain": {
            "orderers": [
                "ord1.orderers.org1.com",
                "ord2.orderers.org1.com",
                "ord3.orderers.org1.com"
            ],
            "peers": {
                "peer1.peers.org1.com": {
                    "endorsingPeer": true,
                    "chaincodeQuery": true,
                    "ledgerQuery": true,
                    "eventSource": true
                },
                "peer1.peers.org3.com": {
                    "endorsingPeer": true,
                    "chaincodeQuery": true,
                    "ledgerQuery": true,
                    "eventSource": true
                },
                "peer1.peers.org2.com": {
                    "endorsingPeer": true,
                    "chaincodeQuery": true,
                    "ledgerQuery": true,
                    "eventSource": true
                }
            }
        }
    },
    "organizations": {
        "ORG2MSP": {
            "mspid": "ORG2MSP",
            "peers": [
                "peer1.peers.org2.com",
                "peer2.peers.org2.com"
            ]
        }
    },
    "orderers": {
        "ord1.orderers.org1.com": {
            "url": "grpcs://10.100.xxx.xxx:7050",
            "grpcOptions": {
                "ssl-target-name-override": "ord1.orderers.org1.com",
                "request-timeout": 12000
            },
            "tlsCACerts": {
                "path": "temp.pem"
            }
        },
        "ord2.orderers.org1.com": {
            "url": "grpcs://10.100.xxx.xxx:7050",
            "grpcOptions": {
                "ssl-target-name-override": "ord2.orderers.org1.com",
                "request-timeout": 12000
            },
            "tlsCACerts": {
                "path": "temp.pem"
            }
        },
        "ord3.orderers.org1.com": {
            "url": "grpcs://10.100.xxx.xxx:7050",
            "grpcOptions": {
                "ssl-target-name-override": "ord3.orderers.org1.com",
                "request-timeout": 12000
            },
            "tlsCACerts": {
                "path": "temp.pem"
            }
        }
    },
    "peers": {
        "peer1.peers.org1.com": {
            "url": "grpcs://10.100.xxx.xxx:7051",
            "grpcOptions": {
                "ssl-target-name-override": "peer1.peers.org1.com",
                "request-timeout": 12000,
                "grpc.keepalive_time_ms": 600000
            },
            "tlsCACerts": {
                "path": "temp.pem"
            }
        },
        "peer1.peers.org3.com": {
            "url": "grpcs://public.ip.address:7051",
            "grpcOptions": {
                "ssl-target-name-override": "peer1.peers.org3.com",
                "request-timeout": 12000,
                "grpc.keepalive_time_ms": 600000
            },
            "tlsCACerts": {
                "path": "temp.pem"
            }
        },
        "peer1.peers.org2.com": {
            "url": "grpcs://10.100.xxx.xxx:7051",
            "grpcOptions": {
                "ssl-target-name-override": "peer1.peers.org2.com",
                "request-timeout": 12000,
                "grpc.keepalive_time_ms": 600000
            },
            "tlsCACerts": {
                "path": "temp.pem"
            }
        }
    }
}

Here is my code

'use strict';

const { Wallets, Gateway } = require('fabric-network');
const fs = require('fs');
const path = require('path');

// Load the connection profile shown above.
const ccpPath = path.resolve(__dirname, 'connection.json');
const ccpJSON = fs.readFileSync(ccpPath, 'utf8');
const ccp = JSON.parse(ccpJSON);

async function main() {
    // Create a new gateway for connecting to our peer node.
    const gateway = new Gateway();
    try {
        // File-system wallet holding the signing identity and the client TLS identity.
        // const walletPath = path.join(process.cwd(), 'wallet');
        const wallet = await Wallets.newFileSystemWallet('wallet');
        // console.log(`Wallet path: ${walletPath}`);

        // Check that both identities have already been enrolled into the wallet.
        const userExists = await wallet.get('usernew');
        const tlsExists = await wallet.get('tlsid');
        if (!userExists) {
            console.log('An identity for the user "usernew" does not exist in the wallet');
            return;
        }
        if (!tlsExists) {
            console.log('An identity for the TLS client "tlsid" does not exist in the wallet');
            return;
        }
        console.log("Here");
        // Discovery is disabled, so peers and orderers come straight from connection.json;
        // 'usernew' signs proposals, 'tlsid' is presented as the mutual-TLS client certificate.
        await gateway.connect(ccp, {
            wallet,
            identity: 'usernew',
            discovery: { enabled: false, asLocalhost: false },
            clientTlsIdentity: 'tlsid'
        });

        console.log("Here1");
        // Get the network (channel) our contract is deployed to.
        const network = await gateway.getNetwork('supplychain');

        console.log("Here2");
        // Get the channel object to fetch our peers.
        const channel = network.getChannel();

        console.log("Here3");
        // Get peers for endorsement.
        //channel.getEndorsers();
        const org1Peer = channel.getPeer('peer1.peers.org1.com');
        //console.log(org1Peer);
        const org2Peer = channel.getPeer('peer1.peers.org2.com');
        //console.log(org2Peer);
        const org3Peer = channel.getPeer('peer1.peers.org3.com');
        //console.log(org3Peer);
        // All the above logs print correct information.

        // Get the contract from the network.
        const contract = network.getContract('mycontract');

        // Query only (no ordering): the proposal is sent to one endorsing peer.
        const result = await contract.evaluateTransaction('queryAllObjects');

        console.log(`Transaction has been evaluated, result is: ${result.toString()}`);

    } catch (error) {
        console.error(`Failed to evaluate transaction: ${error}`);
    } finally {
        // Close the gRPC connections so the process does not hang on exit.
        gateway.disconnect();
    }
}

main();

Here is the crypto folder tree

C:.
├───peers.org1.com
│   └───users
│       ├───Admin@peers.org1.com
│       │   ├───msp
│       │   │   ├───admincerts
│       │   │   ├───cacerts
│       │   │   ├───intermediatecerts
│       │   │   ├───keystore
│       │   │   ├───signcerts
│       │   │   ├───tlscacerts
│       │   │   └───tlsintermediatecerts
│       │   └───tls
│       └───User1@peers.org1.com
│           ├───msp
│           │   ├───admincerts
│           │   ├───cacerts
│           │   ├───intermediatecerts
│           │   ├───keystore
│           │   ├───signcerts
│           │   ├───tlscacerts
│           │   └───tlsintermediatecerts
│           └───tls
├───peers.org2.com
│   └───users
│       ├───Admin@peers.org2.com
│       │   ├───msp
│       │   │   ├───admincerts
│       │   │   ├───cacerts
│       │   │   ├───intermediatecerts
│       │   │   ├───keystore
│       │   │   ├───signcerts
│       │   │   ├───tlscacerts
│       │   │   └───tlsintermediatecerts
│       │   └───tls
│       └───User1@peers.org2.com
│           ├───msp
│           │   ├───admincerts
│           │   ├───cacerts
│           │   ├───intermediatecerts
│           │   ├───keystore
│           │   ├───signcerts
│           │   ├───tlscacerts
│           │   └───tlsintermediatecerts
│           └───tls
└───peers.org3.com
    └───users
        ├───Admin@peers.org3.com
        │   ├───msp
        │   │   ├───admincerts
        │   │   ├───cacerts
        │   │   ├───intermediatecerts
        │   │   ├───keystore
        │   │   ├───signcerts
        │   │   ├───tlscacerts
        │   │   └───tlsintermediatecerts
        │   └───tls
        └───User1@peers.org3.com
            ├───msp
            │   ├───admincerts
            │   ├───cacerts
            │   ├───intermediatecerts
            │   ├───keystore
            │   ├───signcerts
            │   ├───tlscacerts
            │   └───tlsintermediatecerts
            └───tls

The temp.pem used in the connection file above was prepared by concatenating the ica.pem and ca.pem shown below. This is how the certificates look for Org2; the other 2 orgs look similar.

msp/tlscacerts/ca.pem

Issuer: C=XX, ST=XXXX, L=XXXX, O=MyCompany, OU=Cybersecurity, CN=MyCompany Root Certificate Authority 2018
Validity
    Not Before: Jul 23 17:07:45 2018 GMT
    Not After : Jul 23 17:17:44 2043 GMT
Subject: C=XX, ST=XXXX, L=XXXX, O=MyCompany, OU=Cybersecurity, CN=MyCompany Root Certificate Authority

msp/tlsintermediatecerts/ica.pem

Issuer: C=XX, ST=XXXX, L=XXXX, O=MyCompany, OU=Cybersecurity, CN=MyCompany Root Certificate Authority 2018
Validity
    Not Before: Nov 14 21:26:35 2018 GMT
    Not After : Nov 14 21:36:35 2025 GMT
Subject: C=XX, ST=XXXX, L=XXXX, O=MyCompany, CN=MyCompany Issuing CA 101

tls/server.crt

Issuer: C=XX, ST=XXXX, L=XXXX, O=MyCompany, CN=MyCompany Issuing CA 101
Validity
    Not Before: Jan 18 20:30:30 2021 GMT
    Not After : Jan 18 20:30:30 2023 GMT
Subject: C=XX, ST=XXXX, L=XXXX, O=MyCompany Inc., OU=org2client, CN=*.peers.org2.com
.
.
.
X509v3 Subject Alternative Name:
    DNS:*.peers.org2.com

Org2 NodeJS logs

2021-02-25T10:21:33.736Z - error: [Endorser]: sendProposal[peer1.peers.org2.com] - Received error response from: grpcs://10.100.xxx.xxx:7051 error: Error: 2 UNKNOWN: error validating proposal: access denied: channel [supplychain] creator org [ORG2MSP]
2021-02-25T10:21:33.738Z - error: [Endorser]: sendProposal[peer1.peers.org2.com] - rejecting with: Error: 2 UNKNOWN: error validating proposal: access denied: channel [supplychain] creator org [ORG2MSP]
2021-02-25T10:21:33.738Z - error: [SingleQueryHandler]: evaluate: message=Query failed. Errors: ["Error: 2 UNKNOWN: error validating proposal: access denied: channel [supplychain] creator org [ORG2MSP]"], stack=FabricError: Query failed. Errors: ["Error: 2 UNKNOWN: error validating proposal: access denied: channel [supplychain] creator org [ORG2MSP]"]
    at SingleQueryHandler.evaluate (/fabric23/node_modules/fabric-network/lib/impl/query/singlequeryhandler.js:47:23)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async Transaction.evaluate (/fabric23/node_modules/fabric-network/lib/transaction.js:276:25)
    at async main (/fabric23/test.js:67:25), name=FabricError
Failed to evaluate transaction: FabricError: Query failed. Errors: ["Error: 2 UNKNOWN: error validating proposal: access denied: channel [supplychain] creator org [ORG2MSP]"]

Org2 peer logs

2021-02-25 10:21:33.732 UTC [endorser] Validate -> WARN 08f access denied: creator's signature over the proposal is not valid: The signature is invalid channel=supplychain txID=01bde838 mspID=ORG2MSP
2021-02-25 10:21:33.732 UTC [comm.grpc.server] 1 -> INFO 090 unary call completed grpc.service=protos.Endorser grpc.method=ProcessProposal grpc.peer_address=172.23.238.200:40928 grpc.peer_subject="CN=*.peers.org3.com,OU=org3client,O=MyCompany Inc.,L=XXXX,ST=XXXX,C=XX" error="error validating proposal: access denied: channel [supplychain] creator org [ORG2MSP]" grpc.code=Unknown grpc.call_duration=12.335491ms

Org3 peer logs

2021-02-26 13:42:26.081 UTC [gossip.channel] publishStateInfo -> DEBU 6155d8 Empty membership, no one to publish state info to
2021-02-26 13:42:26.493 UTC [core.comm] ServerHandshake -> DEBU 6155d9 Server TLS handshake completed in 49.605106ms server=PeerServer remoteaddress=public.ip.address:29154
2021-02-26 13:42:26.597 UTC [grpc] InfoDepth -> DEBU 6155da [transport]transport: loopyWriter.run returning. connection error: desc = "transport is closing"
2021-02-26 13:42:26.927 UTC [gossip.channel] publishStateInfo -> DEBU 6155db Empty membership, no one to publish state info to

I also tried deploying the same code on the Docker swarm on the Azure VM. But it gives the same error that I was getting when I used the wrong certificates given in the SO post linked here.
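Before chasing certificates, it is worth checking that the connection profile itself is internally consistent. The script below is an added example, not code from the original question or answer: it lints a fabric-network connection profile for the things that typically produce "connects, but every proposal fails", namely peers named in a channel or organization that have no definition (the profile above lists peer2.peers.org2.com under ORG2MSP but never defines it), grpcs:// endpoints addressed by IP without an ssl-target-name-override (the override is the DNS name the gRPC client checks against the server certificate's SAN, which matters when nginx fronts the peer), and plaintext endpoints. The embedded profile is a constructed, trimmed copy of the one in the question with the org3 override deliberately removed so that the finding shows; the IP addresses are placeholders.

```javascript
'use strict';
// Added example: consistency linter for a fabric-network connection profile (CCP).
// Not part of the original post. The profile below is constructed from the one in
// the question; addresses are placeholders.

const ccp = {
  name: 'byfn',
  version: '1.0.0',
  client: { organization: 'ORG2MSP' },
  channels: {
    supplychain: {
      orderers: ['ord1.orderers.org1.com'],
      peers: {
        'peer1.peers.org1.com': { endorsingPeer: true },
        'peer1.peers.org2.com': { endorsingPeer: true },
        'peer1.peers.org3.com': { endorsingPeer: true },
      },
    },
  },
  organizations: {
    // peer2.peers.org2.com is listed here but never defined under "peers" (as in the question).
    ORG2MSP: { mspid: 'ORG2MSP', peers: ['peer1.peers.org2.com', 'peer2.peers.org2.com'] },
  },
  orderers: {
    'ord1.orderers.org1.com': {
      url: 'grpcs://10.100.0.1:7050',
      grpcOptions: { 'ssl-target-name-override': 'ord1.orderers.org1.com' },
      tlsCACerts: { path: 'temp.pem' },
    },
  },
  peers: {
    'peer1.peers.org1.com': {
      url: 'grpcs://10.100.0.2:7051',
      grpcOptions: { 'ssl-target-name-override': 'peer1.peers.org1.com' },
      tlsCACerts: { path: 'temp.pem' },
    },
    'peer1.peers.org2.com': {
      url: 'grpcs://10.100.0.3:7051',
      grpcOptions: { 'ssl-target-name-override': 'peer1.peers.org2.com' },
      tlsCACerts: { path: 'temp.pem' },
    },
    'peer1.peers.org3.com': {
      // Reached through nginx by public IP; override deliberately omitted to show the finding.
      url: 'grpcs://203.0.113.10:7051',
      grpcOptions: {},
      tlsCACerts: { path: 'temp.pem' },
    },
  },
};

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Returns a list of findings (strings); an empty list means the profile is consistent.
function lintProfile(profile) {
  const findings = [];
  const peers = profile.peers || {};
  const orderers = profile.orderers || {};

  // 1. Every node named in a channel or organization must have a definition.
  for (const [chName, ch] of Object.entries(profile.channels || {})) {
    for (const o of ch.orderers || []) {
      if (!orderers[o]) findings.push(`channel ${chName}: orderer ${o} has no definition`);
    }
    for (const p of Object.keys(ch.peers || {})) {
      if (!peers[p]) findings.push(`channel ${chName}: peer ${p} has no definition`);
    }
  }
  for (const [orgName, org] of Object.entries(profile.organizations || {})) {
    for (const p of org.peers || []) {
      if (!peers[p]) findings.push(`organization ${orgName}: peer ${p} has no definition`);
    }
  }

  // 2. The client's organization must be one of the defined organizations.
  const clientOrg = profile.client && profile.client.organization;
  if (!clientOrg || !(profile.organizations || {})[clientOrg]) {
    findings.push(`client.organization ${clientOrg} is not in organizations`);
  }

  // 3. TLS endpoints: a grpcs:// URL needs a CA bundle, and when the host is an IP the
  //    client needs ssl-target-name-override, otherwise it expects the IP in the SAN.
  for (const [name, node] of Object.entries({ ...peers, ...orderers })) {
    if (!node.url) { findings.push(`${name}: missing url`); continue; }
    const u = new URL(node.url);
    const host = u.hostname;
    const override = (node.grpcOptions || {})['ssl-target-name-override'];
    if (u.protocol !== 'grpcs:') {
      findings.push(`${name}: plaintext ${u.protocol}// endpoint`);
      continue;
    }
    if (!node.tlsCACerts || !(node.tlsCACerts.path || node.tlsCACerts.pem)) {
      findings.push(`${name}: grpcs URL without tlsCACerts`);
    }
    if (IPV4.test(host) && !override) {
      findings.push(`${name}: url is an IP (${host}) but no ssl-target-name-override is set`);
    }
    if (override && IPV4.test(override)) {
      findings.push(`${name}: ssl-target-name-override is an IP; it must be a DNS name in the server cert SAN`);
    }
  }
  return findings;
}

console.log(lintProfile(ccp));
```

For the constructed profile the linter reports two findings: the undefined peer2.peers.org2.com and the missing override on the org3 peer. Whether either is the actual cause of the error in the question is not something the profile alone can tell; the point is that these are cheap to rule out before touching certificates.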

Some points you can check:

  • Your org3 peer server TLS certificate should have a subject alternative name like "*.ip.address"?
  • The channel has all 3 organizations, right? From org2's logs I see "creator's signature over the proposal is not valid"
  • Check the user identity "usernew" PKI (not TLS) to make sure the CA that issued the certificate is one of the CA MSPs on the channel. If you are using an intermediate CA, those CA certificates should also be on the channel.

Best regards, Tsvetan
