peers not joining channel and error with TLS connection (IP SANs error)
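I am trying the following architecture in Fabric, where one of the peers is on another machine and the rest of the network is set up on the first machine (server/system).
After creating the channel and adding each peer to the channel, the log below is shown. This was not the case when I tried the sample networks, where the log used to say the peer joined the channel. When I check the peer's logs, it also says:
2018-02-28 06:51:23.916 UTC [ConnProducer] NewConnection -> ERRO 36b Failed connecting to 138.68.138.161:7050 , error: x509: cannot validate certificate for 138.68.138.161 because it doesn't contain any IP SANs
The network has TLS enabled, the TLS certificates are provided and the environment variables are set.
channel-setup.sh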
# Channel creation
echo "========== Creating channel: "$CHANNEL_NAME" =========="
#peer channel create -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls $CORE_PEER_TLS_ENABLED --cafile /opt$
# peer0.org1 channel join
echo "========== Joining peer0.org1.example.com to channel mychannel =========="
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.e$
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.or$
peer channel join -b ${CHANNEL_NAME}.block
peer channel update -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/${CORE_PEER_LOCALMSPID}anchors.tx --tls $CORE_PEER_TLS$
# peer1.org1 channel join
echo "========== Joining peer1.org1.example.com to channel mychannel =========="
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.e$
export CORE_PEER_ADDRESS=peer1.org1.example.com:7051
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer1.or$
peer channel join -b ${CHANNEL_NAME}.block
# peer0.org2 channel join
echo "========== Joining peer0.org2.example.com to channel mychannel =========="
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin@org2.e$
export CORE_PEER_ADDRESS=peer0.org2.example.com:7051
export CORE_PEER_LOCALMSPID="Org2MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer1.or$
peer channel join -b ${CHANNEL_NAME}.block
peer channel update -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/${CORE_PEER_LOCALMSPID}anchors.tx --tls $CORE_PEER_TLS$
# peer1.org2 channel join
echo "========== Joining peer1.org2.example.com to channel mychannel =========="
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin@org2.e$
export CORE_PEER_ADDRESS=peer1.org2.example.com:7051
export CORE_PEER_LOCALMSPID="Org2MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer1.or$
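The reason you are having problems is that the TLS certificate doesn't contain an IP SAN (IP Subject Alternative Name).
This is a field in the TLS certificate that basically says: "The certificate was issued to a host that its IP is: <1.2.3.4>"
If you generate certificates using cryptogen v1.0, it doesn't support adding IP SANs to certificates.
However, cryptogen v1.1 does support it, so if you use that, you will have IP SANs in the TLS certificates.
Another way of solving the problem is to use hostnames (DNS names) instead of IP addresses, with any version of cryptogen.
If you do that, the certificates will contain DNS SANs (all versions of cryptogen encode DNS SANs into the certificates).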
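The check behind the error in the question can be reproduced offline with Go's standard library, which is what produces that x509 message. This is an added example, not part of the original answer or of Fabric's code; `makeCert` and `checkDial` are hypothetical helpers, and the certificates are throwaway self-signed ones constructed in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert builds a throwaway self-signed certificate carrying only the given SANs.
func makeCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkDial returns the name-check error a Go TLS client gets for the host in addr.
func checkDial(cert *x509.Certificate, addr string) error {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(host) // IP literals match IP SANs only, never DNS SANs
}

func main() { // constructed sample: a DNS-only cert vs. one that also has an IP SAN
	dnsOnly, _ := makeCert([]string{"orderer.example.com"}, nil)
	withIP, _ := makeCert(dnsOnly.DNSNames, []net.IP{net.ParseIP("138.68.138.161")})
	fmt.Println("DNS-only, dial IP:  ", checkDial(dnsOnly, "138.68.138.161:7050"))
	fmt.Println("DNS-only, dial name:", checkDial(dnsOnly, "orderer.example.com:7050"))
	fmt.Println("IP SAN,   dial IP:  ", checkDial(withIP, "138.68.138.161:7050"))
}
```

Only the first case fails, which matches both fixes in the answer: either put the IP into the certificate's SANs or dial the orderer by the DNS name the certificate already carries.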