How to generate certificates for new peers in an organization in Hyperledger Fabric 1.0

I am using the Hyperledger Fabric 1.0 fabric-node-sdk tutorial (https://github.com/hyperledger/fabric-sdk-node/test).
I have set up two organizations, each with one peer (peer0 in org1 and peer2 in org2).
My requirement is to add one more peer to each organization (peer1 in Org1 and peer3 in Org2).
I think I need to create peer1 and peer3 folders under the \tls folder and place some ".pem" files there.
Example:
"src\github.com\hyperledger\fabric-sdk-node\test\fixtures\tls\peers\peer1"
"src\github.com\hyperledger\fabric-sdk-node\test\fixtures\tls\peers\peer3"
"ca-cert.pem"
"cert.pem"
"key.pem"

and also create the admincerts, cacerts, keystore and signcerts folders with the corresponding ".pem" files for the corresponding peers in the following folders

"fabric-sdk-node\test\fixtures\channel\crypto-config\peerOrganizations\org1.example.com\peers\peer1.org1.example.com"
"fabric-sdk-node/test/fixtures/channel/crypto-config/peerOrganizations/org2.example.com/peers/peer3.org2.example.com"

Could you please help me understand the steps to generate these certificate files and register these new peers with the network.

I have tried registering and enrolling the peer with the CA client against peerOrg1

fabric-ca-client register --id.name peer3 --id.type peer --id.affiliation org1.department1 --id.secret peer3pw  
fabric-ca-client enroll -u http://peer3:peer3pw@localhost:7054 -M $FABRIC_CA_HOME/msp  

But I get the error:

2017/05/03 09:18:30 http: TLS handshake error from [::1]:55890: tls: oversized record received with length 21536   
2017/05/03 09:19:04 http: TLS handshake error from 192.168.132.17:53220: tls: first record does not look like a TLS handshake
2017/05/03 09:19:04 http: TLS handshake error from 192.168.132.17:53221: tls: first record does not look like a TLS handshake
2017/05/03 09:20:25 http: TLS handshake error from [::1]:55891: tls: oversized record received with length 21536

I followed the steps below to add a new peer in org1

1) In the CA container (ca_peerOrg1)

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/admin
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
fabric-ca-client register --id.name peer1 --id.type peer --id.affiliation org1.department1 --id.secret peer1pw
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer1
fabric-ca-client enroll -u http://peer1:peer1pw@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/msp

I am running into the error:

Post failure [Post http://localhost:7054/enroll : malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"] ; not sending

2) I replaced the hostname with the container ID (e2598895c822) when executing the command; still the same error

3) Error in the ca_peerOrg1 container log:

error : ca_peerOrg1 | 2017/05/03 11:43:02 http: TLS handshake error from [::1]:55913: tls: oversized record received with length 21536 

4) I observed that the docker compose yaml file is starting the ca_peerOrg1 container with the command tag (sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/org2.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/464d550fe9bf9e7d8976cdf59d1a5d472598f54c058c3546317c5c5fb0ddfd6e_sk -b admin:adminpw' -d)

I added a CA server entry to the docker compose file with the command tag (sh -c 'fabric-ca-server start -b admin:adminpw') as:

fabric-ca-server:
  image: hyperledger/fabric-ca
  container_name: fabric-ca-server
  ports:
    - "9054:7054"
  environment:
    - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
  volumes:
    - "./fabric-ca-server:/etc/hyperledger/fabric-ca-server"
  command: sh -c 'fabric-ca-server start -b admin:adminpw'

5) Then I logged into the fabric-ca-server container and executed the following commands

fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
fabric-ca-client register --id.name peer1 --id.type peer --id.affiliation org1.department1 --id.secret peer1pw
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer1
fabric-ca-client enroll -u http://peer1:peer1pw@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/msp

And this time it was successful, and the MSP folder got created (with cacerts, keystore, signcerts) in the container.

6) Since I am trying to add a peer in org1, I logged into the ca_peerOrg1 container again and obtained the certificate from fabric-ca-server using the following commands

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer1
fabric-ca-client getcacert -u http://2f67d7031c3f:7054 -M $FABRIC_CA_CLIENT_HOME/msp

And observed that the msp folder got imported into ca_peerOrg1.

7) Created a folder peer1 in hyperledger\fabric-sdk-node\test\fixtures\tls\peers\ and copied the newly created cacert, keystore and signcerts folders with the certificates into it. Renamed /cacert/3002372bba75.pem to /cacert/ca-cert.pem. The admincerts folder I copied from the peer0 folder.

8) Also created a folder "peer1.org1.example.com" in "\hyperledger\fabric-sdk-node\test\fixtures\channel\crypto-config\peerOrganizations\org1.example.com\peers\" and copied the cacert, keystore, signcerts and admincerts folders into it.

9) Updated /hyperledger/fabric-sdk-node/test/integration/e2e/config.json with the peer2 entry in org1
{
        "test-network": {
                "orderer": {
                        "url": "grpcs://localhost:7050",
                        "server-hostname": "orderer0",
                        "tls_cacerts": "../../fixtures/tls/orderer/ca-cert.pem"
                },
                "org1": {
                        "name": "peerOrg1",
                        "mspid": "Org1MSP",
                        "ca": "https://localhost:7054",
                        "peer1": {
                                "requests": "grpcs://localhost:7051",
                                "events": "grpcs://localhost:7053",
                                "server-hostname": "peer0",
                                "tls_cacerts": "../../fixtures/tls/peers/peer0/ca-cert.pem"
                        },
                        "peer2": {
                                "requests": "grpcs://localhost:9051",
                                "events": "grpcs://localhost:9053",
                                "server-hostname": "peer1",
                                "tls_cacerts": "../../fixtures/tls/peers/peer1/ca-cert.pem"
                        }

                },
                "org2": {
                        "name": "peerOrg2",
                        "mspid": "Org2MSP",
                        "ca": "https://localhost:8054",
                        "peer1": {
                                "requests": "grpcs://localhost:8051",
                                "events": "grpcs://localhost:8053",
                                "server-hostname": "peer2",
                                "tls_cacerts": "../../fixtures/tls/peers/peer2/ca-cert.pem"
                        }
                }
        }
}

10) Created another docker file "docker-compose_peer1.yaml" containing only peer1's details and started docker compose; now these containers are up (ca_peerOrg2, ca_peerOrg1, orderer0, couchdb, peer2, peer0, peer1, fabric-ca-server)

11) Executed the commands below and they failed

cd /hyperledger1.0.0/gopath/src/github.com/hyperledger/fabric-sdk-node/test/integration/e2e
node create-channel.js
node join-channel.js

routines:ssl3_get_server_certificate:certificate verify failed.
events.js:160
      throw er; // Unhandled 'error' event
      ^

Error: Connect Failed
    at ClientDuplexStream._emitStatusIfDone (/root/hyperledger1.0.0/gopath/src/github.com/hyperledger/fabric-sdk-node/node_modules/grpc/src/node/src/client.js:201:19)
    at ClientDuplexStream._readsDone (/root/hyperledger1.0.0/gopath/src/github.com/hyperledger/fabric-sdk-node/node_modules/grpc/src/node/src/client.js:

Can you help me check whether the steps I followed are correct? Please help me add the new peers.

The error "tls: oversized record received with length 21536" occurs when you specify "http" in the URL for fabric-ca-client but fabric-ca-server was started with TLS enabled and is therefore listening for "https". But since it worked with http on fabric-ca-client when you were logged into the container and did not work from your host, my guess is that you have another fabric-ca-server instance running on your host which has TLS enabled.

To generate the crypto material for the new peer (using cryptogen extend), you need to edit the crypto-config.yaml file and then run:

cryptogen extend --config=./crypto-config.yaml

You can find the complete guide at:

Extending Hyperledger Fabric Network: Adding a new peer
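As an added illustration of the diagnosis in the answer (this is not part of the original question or answer, and not fabric-ca code): the two error strings in the thread are mirror images of one another. The client sent plain HTTP to a TLS port, so the server read the ASCII bytes `POST ` as a TLS record header: content type 0x50, version 0x4F53, length 0x5420 = 21536, which exceeds the 18432-byte record limit. The server replied with a 7-byte fatal record_overflow alert, `\x15\x03\x01\x00\x02\x02\x16`, which the HTTP client then reported as a "malformed HTTP response". The script below parses those bytes with the same checks, in the same order, that Go's crypto/tls applies to the first record of a connection (the size limit and the two log messages are Go's; the constant tables are from RFC 5246); the sample HTTP requests are constructed inputs.

```python
"""Decode what a TLS server sees when a client talks plain HTTP to it."""
import struct

# Go's crypto/tls rejects any record whose declared length exceeds
# maxCiphertext (16384 bytes of payload + 2048 bytes of overhead) before it
# even looks at the content type.
MAX_CIPHERTEXT = 16384 + 2048

RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    46: "certificate_unknown", 70: "protocol_version", 80: "internal_error",
}


def parse_record_header(data: bytes) -> dict:
    """Interpret the first five bytes as a TLS record header:
    type (1 byte), version (2 bytes), length (2 bytes, big-endian)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "type": content_type,
        "type_name": RECORD_TYPES.get(content_type, "unknown"),
        "version": (major << 8) | minor,
        "length": length,
    }


def classify_first_record(data: bytes) -> str:
    """Return the message a Go TLS server logs for the first record on a
    connection, applying Go's checks in Go's order: length first, then
    'does this even look like a handshake'."""
    hdr = parse_record_header(data)
    if hdr["length"] > MAX_CIPHERTEXT:
        # Go answers this with a fatal record_overflow alert (22).
        return f"tls: oversized record received with length {hdr['length']}"
    if hdr["type"] not in (21, 22) or hdr["version"] >= 0x1000:
        # Not an alert, not a handshake, or an absurd version: not TLS.
        return "tls: first record does not look like a TLS handshake"
    return "handshake"


def decode_alert(data: bytes) -> str:
    """Decode a TLS alert record such as the one fabric-ca-client printed as a
    'malformed HTTP response'."""
    hdr = parse_record_header(data)
    if hdr["type"] != 21 or hdr["length"] != 2 or len(data) < 7:
        raise ValueError("not a TLS alert record")
    level, description = data[5], data[6]
    return f"{ALERT_LEVELS.get(level, level)} {ALERT_DESCRIPTIONS.get(description, description)}"


if __name__ == "__main__":
    # Constructed inputs: what fabric-ca-client sends with an http:// URL ...
    post = b"POST /enroll HTTP/1.1\r\nHost: localhost:7054\r\n\r\n"
    print(parse_record_header(post))      # type 0x50 'P', length 0x5420 = 21536
    print(classify_first_record(post))    # the server-side log line from the question
    # ... and the 7 bytes the server sent back, quoted verbatim in the question.
    print(decode_alert(b"\x15\x03\x01\x00\x02\x02\x16"))
    # A shorter verb stays under the limit and trips the other check instead.
    print(classify_first_record(b"GET / HTTP/1.1\r\n"))
```

The version in the alert is 3.1 (TLS 1.0) because the server never got far enough to negotiate one. Whenever a fabric-ca-server log shows either of these two messages, the fix is on the client side: use an `https://` URL and point `--tls.certfiles` at the server's CA certificate, rather than changing anything about the server.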
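The crypto-config.yaml edit the answer refers to, as an added example (it is not the fixture file shipped with fabric-sdk-node): raise `Template.Count` for the organization, or list the new host explicitly under `Specs`, then run `cryptogen extend --config=./crypto-config.yaml --input=<dir holding the existing crypto-config>` (`--input` defaults to `crypto-config`). `extend` reuses each organization's existing CA key from its `ca/` and `tlsca/` directories and only generates material for node directories that do not already exist, so peer0 and peer2 keep their keys and the new peer's certificates chain to the org CA that is already in the channel's MSP definition, which is what the fabric-ca-enrolled certificates in the question did not do. The `extend` subcommand is not in the 1.0 release of cryptogen (it arrived in 1.1); 1.0's `generate` would regenerate every key. Org names and domains follow the paths in the question, `peer3` is the hostname the question uses for the new Org2 peer, and the existing `OrdererOrgs` block of the file is left as it is.

```yaml
# crypto-config.yaml (added example; keep your existing OrdererOrgs block above this)
PeerOrgs:
  - Name: Org1
    Domain: org1.example.com
    Template:
      Count: 2            # was 1: extend now adds peer1.org1.example.com, peer0 is left untouched
    Users:
      Count: 1
  - Name: Org2
    Domain: org2.example.com
    Specs:
      - Hostname: peer2   # existing peer; its directory already exists, so extend skips it
      - Hostname: peer3   # new peer: generates peers/peer3.org2.example.com/{msp,tls}
    Users:
      Count: 1
```

After running it, check that `peers/peer1.org1.example.com/msp/cacerts/` contains the same CA certificate as `peers/peer0.org1.example.com/msp/cacerts/`; if the two differ, the new peer was generated against a different CA and the channel's MSP will reject it with exactly the "certificate verify failed" error seen in step 11.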