Unable to understand what went wrong after creating certificates and replacing them in the ledger


I have been trying to use custom certificates generated by openssl in the Hyperledger Fabric 1.3 fabcar sample, which uses the basic-network of 1 orderer and 1 peer (1 org). I have generated all the required certificates and replaced them, but I keep getting errors.

I asked a question about this earlier (), and following the answer I tried to do it that way, but could not follow it through and ended up with all of the errors and confusion below.

basic-network docker logs ca.example.com -f      
2019/09/05 11:06:22 [INFO] Created default configuration file at /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
2019/09/05 11:06:22 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
2019/09/05 11:06:22 [INFO] Server Version: 1.3.0
2019/09/05 11:06:22 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/09/05 11:06:22 [INFO] The CA key and certificate files already exist
2019/09/05 11:06:22 [INFO] Key file location: /etc/hyperledger/fabric-ca-server-config/4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c_sk
2019/09/05 11:06:22 [INFO] Certificate file location: /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
2019/09/05 11:06:26 [INFO] Initialized sqlite3 database at /etc/hyperledger/fabric-ca-server/fabric-ca-server.db
2019/09/05 11:06:26 [INFO] The issuer key was successfully stored. The public key is at: /etc/hyperledger/fabric-ca-server/IssuerPublicKey, secret key is at: /etc/hyperledger/fabric-ca-server/msp/keystore/IssuerSecretKey
2019/09/05 11:06:26 [INFO] Idemix issuer revocation public and secret keys were generated for CA 'ca.example.com'
2019/09/05 11:06:26 [INFO] The revocation key was successfully stored. The public key is at: /etc/hyperledger/fabric-ca-server/IssuerRevocationPublicKey, private key is at: /etc/hyperledger/fabric-ca-server/msp/keystore/IssuerRevocationPrivateKey
2019/09/05 11:06:26 [INFO] Home directory for default CA: /etc/hyperledger/fabric-ca-server
2019/09/05 11:06:26 [INFO] Listening on http://0.0.0.0:7054
2019/09/05 11:07:54 [INFO] 172.25.0.1:55868 POST /api/v1/register 401 26 "Untrusted certificate: Failed to verify certificate: x509: certificate signed by unknown authority"
docker logs orderer.example.com  -f
2019-09-05 11:06:22.521 UTC [localconfig] completeInitialization -> INFO 001 Kafka.Version unset, setting to 0.10.2.0
2019-09-05 11:06:22.582 UTC [orderer/common/server] prettyPrintStruct -> INFO 002 Orderer config values:
    General.LedgerType = "file"
    General.ListenAddress = "0.0.0.0"
    General.ListenPort = 7050
    General.TLS.Enabled = false
    General.TLS.PrivateKey = "/etc/hyperledger/fabric/tls/server.key"
    General.TLS.Certificate = "/etc/hyperledger/fabric/tls/server.crt"
    General.TLS.RootCAs = [/etc/hyperledger/fabric/tls/ca.crt]
    General.TLS.ClientAuthRequired = false
    General.TLS.ClientRootCAs = []
    General.Keepalive.ServerMinInterval = 1m0s
    General.Keepalive.ServerInterval = 2h0m0s
    General.Keepalive.ServerTimeout = 20s
    General.GenesisMethod = "file"
    General.GenesisProfile = "SampleInsecureSolo"
    General.SystemChannel = "test-system-channel-name"
    General.GenesisFile = "/etc/hyperledger/configtx/genesis.block"
    General.Profile.Enabled = false
    General.Profile.Address = "0.0.0.0:6060"
    General.LogLevel = "info"
    General.LogFormat = "%{color}%{time:2006-01-02 15:04:05.000 MST} [%{module}] %{shortfunc} -> %{level:.4s} %{id:03x}%{color:reset} %{message}"
    General.LocalMSPDir = "/etc/hyperledger/msp/orderer/msp"
    General.LocalMSPID = "OrdererMSP"
    General.BCCSP.ProviderName = "SW"
    General.BCCSP.SwOpts.SecLevel = 256
    General.BCCSP.SwOpts.HashFamily = "SHA2"
    General.BCCSP.SwOpts.Ephemeral = false
    General.BCCSP.SwOpts.FileKeystore.KeyStorePath = "/etc/hyperledger/msp/orderer/msp/keystore"
    General.BCCSP.SwOpts.DummyKeystore =
    General.BCCSP.PluginOpts =
    General.Authentication.TimeWindow = 15m0s
    FileLedger.Location = "/var/hyperledger/production/orderer"
    FileLedger.Prefix = "hyperledger-fabric-ordererledger"
    RAMLedger.HistorySize = 1000
    Kafka.Retry.ShortInterval = 5s
    Kafka.Retry.ShortTotal = 10m0s
    Kafka.Retry.LongInterval = 5m0s
    Kafka.Retry.LongTotal = 12h0m0s
    Kafka.Retry.NetworkTimeouts.DialTimeout = 10s
    Kafka.Retry.NetworkTimeouts.ReadTimeout = 10s
    Kafka.Retry.NetworkTimeouts.WriteTimeout = 10s
    Kafka.Retry.Metadata.RetryMax = 3
    Kafka.Retry.Metadata.RetryBackoff = 250ms
    Kafka.Retry.Producer.RetryMax = 3
    Kafka.Retry.Producer.RetryBackoff = 100ms
    Kafka.Retry.Consumer.RetryBackoff = 2s
    Kafka.Verbose = false
    Kafka.Version = 0.10.2.0
    Kafka.TLS.Enabled = false
    Kafka.TLS.PrivateKey = ""
    Kafka.TLS.Certificate = ""
    Kafka.TLS.RootCAs = []
    Kafka.TLS.ClientAuthRequired = false
    Kafka.TLS.ClientRootCAs = []
    Kafka.SASLPlain.Enabled = false
    Kafka.SASLPlain.User = ""
    Kafka.SASLPlain.Password = ""
    Kafka.Topic.ReplicationFactor = 3
    Debug.BroadcastTraceDir = ""
    Debug.DeliverTraceDir = ""
2019-09-05 11:06:22.679 UTC [fsblkstorage] newBlockfileMgr -> INFO 003 Getting block information from block storage
2019-09-05 11:06:22.758 UTC [orderer/common/multichannel] NewRegistrar -> INFO 004 Starting system channel 'testchainid' with genesis block hash bec6cc0cd2f12e6a00c0973252dc28f9eb39eca089d970f5fdbd21238c89b316 and orderer type solo
2019-09-05 11:06:22.758 UTC [orderer/common/server] Start -> INFO 005 Starting orderer:
 Version: 1.3.0
 Commit SHA: ab0a67a
 Go version: go1.10.4
 OS/Arch: linux/amd64
 Experimental features: false
2019-09-05 11:06:22.758 UTC [orderer/common/server] Start -> INFO 006 Beginning to serve requests
2019-09-05 11:06:35.414 UTC [cauthdsl] deduplicate -> ERRO 007 Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity [identity certificate omitted]
2019-09-05 11:06:35.415 UTC [orderer/common/broadcast] Handle -> WARN 008 [channel: mychannel] Rejecting broadcast of config message from 172.25.0.5:53792 because of error: error authorizing update: error validating DeltaSet: policy for [Group]  /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
2019-09-05 11:06:35.437 UTC [common/deliver] Handle -> WARN 009 Error reading from 172.25.0.5:53791: rpc error: code = Canceled desc = context canceled

➜  basic-network docker logs peer0.org1.example.com -f
2019-09-05 11:06:25.056 UTC [nodeCmd] serve -> INFO 001 Starting peer:
 Version: 1.3.0
 Commit SHA: ab0a67a
 Go version: go1.10.4
 OS/Arch: linux/amd64
 Experimental features: false
 Chaincode:
  Base Image Version: 0.4.13
  Base Docker Namespace: hyperledger
  Base Docker Label: org.hyperledger.fabric
  Docker Namespace: hyperledger
2019-09-05 11:06:25.056 UTC [ledgermgmt] initialize -> INFO 002 Initializing ledger mgmt
2019-09-05 11:06:25.056 UTC [kvledger] NewProvider -> INFO 003 Initializing ledger provider
2019-09-05 11:06:26.133 UTC [couchdb] CreateDatabaseIfNotExist -> INFO 004 Created state database _users
2019-09-05 11:06:26.365 UTC [couchdb] CreateDatabaseIfNotExist -> INFO 005 Created state database _replicator
2019-09-05 11:06:26.482 UTC [kvledger] NewProvider -> INFO 006 ledger provider Initialized
2019-09-05 11:06:26.551 UTC [ledgermgmt] initialize -> INFO 007 ledger mgmt initialized
2019-09-05 11:06:26.551 UTC [peer] func1 -> INFO 008 Auto-detected peer address: 172.25.0.5:7051
2019-09-05 11:06:26.551 UTC [peer] func1 -> INFO 009 Returning peer0.org1.example.com:7051
2019-09-05 11:06:26.551 UTC [peer] func1 -> INFO 00a Auto-detected peer address: 172.25.0.5:7051
2019-09-05 11:06:26.552 UTC [peer] func1 -> INFO 00b Returning peer0.org1.example.com:7051
2019-09-05 11:06:26.555 UTC [nodeCmd] computeChaincodeEndpoint -> INFO 00c Entering computeChaincodeEndpoint with peerHostname: peer0.org1.example.com
2019-09-05 11:06:26.555 UTC [nodeCmd] computeChaincodeEndpoint -> INFO 00d Exit with ccEndpoint: peer0.org1.example.com:7052
2019-09-05 11:06:26.555 UTC [nodeCmd] createChaincodeServer -> WARN 00e peer.chaincodeListenAddress is not set, using peer0.org1.example.com:7052
2019-09-05 11:06:26.558 UTC [sccapi] registerSysCC -> INFO 00f system chaincode lscc(github.com/hyperledger/fabric/core/scc/lscc) registered
2019-09-05 11:06:26.558 UTC [sccapi] registerSysCC -> INFO 010 system chaincode cscc(github.com/hyperledger/fabric/core/scc/cscc) registered
2019-09-05 11:06:26.558 UTC [sccapi] registerSysCC -> INFO 011 system chaincode qscc(github.com/hyperledger/fabric/core/scc/qscc) registered
2019-09-05 11:06:26.558 UTC [sccapi] registerSysCC -> INFO 012 system chaincode +lifecycle(github.com/hyperledger/fabric/core/chaincode/lifecycle) registered
2019-09-05 11:06:26.562 UTC [gossip/service] func1 -> INFO 013 Initialize gossip with endpoint peer0.org1.example.com:7051 and bootstrap set [127.0.0.1:7051]
2019-09-05 11:06:26.569 UTC [gossip/gossip] NewGossipService -> INFO 014 Creating gossip service with self membership of { [] [127 244 94 154 101 11 2 121 70 22 20 202 230 54 63 6 156 89 121 36 41 58 233 219 9 12 195 138 101 128 9 142] peer0.org1.example.com:7051 <nil> <nil>}
2019-09-05 11:06:26.570 UTC [gossip/gossip] NewGossipService -> WARN 015 External endpoint is empty, peer will not be accessible outside of its organization
2019-09-05 11:06:26.570 UTC [gossip/gossip] start -> INFO 016 Gossip instance peer0.org1.example.com:7051 started
2019-09-05 11:06:26.570 UTC [sccapi] deploySysCC -> INFO 017 system chaincode lscc/(github.com/hyperledger/fabric/core/scc/lscc) deployed
2019-09-05 11:06:26.571 UTC [cscc] Init -> INFO 018 Init CSCC
2019-09-05 11:06:26.571 UTC [sccapi] deploySysCC -> INFO 019 system chaincode cscc/(github.com/hyperledger/fabric/core/scc/cscc) deployed
2019-09-05 11:06:26.571 UTC [qscc] Init -> INFO 01a Init QSCC
2019-09-05 11:06:26.571 UTC [sccapi] deploySysCC -> INFO 01b system chaincode qscc/(github.com/hyperledger/fabric/core/scc/qscc) deployed
2019-09-05 11:06:26.571 UTC [sccapi] deploySysCC -> INFO 01c system chaincode +lifecycle/(github.com/hyperledger/fabric/core/chaincode/lifecycle) deployed
2019-09-05 11:06:26.571 UTC [nodeCmd] serve -> INFO 01d Deployed system chaincodes
2019-09-05 11:06:26.573 UTC [discovery] NewService -> INFO 01e Created with config TLS: false, authCacheMaxSize: 1000, authCachePurgeRatio: 0.750000
2019-09-05 11:06:26.573 UTC [nodeCmd] registerDiscoveryService -> INFO 01f Discovery service activated
2019-09-05 11:06:26.574 UTC [nodeCmd] serve -> INFO 020 Starting peer with ID=[name:"peer0.org1.example.com" ], network ID=[dev], address=[peer0.org1.example.com:7051]
2019-09-05 11:06:26.574 UTC [nodeCmd] serve -> INFO 021 Started peer with ID=[name:"peer0.org1.example.com" ], network ID=[dev], address=[peer0.org1.example.com:7051]
2019-09-05 11:07:25.901 UTC [protoutils] ValidateProposalMessage -> WARN 022 channel [mychannel]: MSP error: channel doesn't exist


openssl x509 -in ca.example.com-cert.pem -text -noout 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9451191818837984463 (0x832960e279ea84cf)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=in, ST=ts, L=hyd, O=example.com, CN=ca.example.com
        Validity
            Not Before: Sep  5 10:20:51 2019 GMT
            Not After : Sep  2 10:20:51 2029 GMT
        Subject: C=in, ST=ts, L=hyd, O=example.com, CN=ca.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:56:fd:de:01:81:10:29:58:a9:a5:46:96:4f:f7:
                    93:93:9d:57:cf:45:67:d1:b6:ee:bb:7c:3b:9d:df:
                    05:65:1c:c9:57:bc:16:e8:26:0d:36:6d:f6:b2:55:
                    ea:75:62:2f:92:82:9e:2e:4f:e9:49:7c:c7:8e:4c:
                    49:e2:2b:3d:f7
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                CD:F5:6D:31:B1:A7:EE:26:FE:46:31:BA:56:F2:A8:C3:63:98:A3:E1
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:21:10:7d:db:4c:40:5b:33:2d:1f:32:2f:c1:69:
         87:b1:56:ce:d8:30:37:52:4b:3d:57:76:43:e5:4b:76:ad:88:
         02:21:00:fd:b9:33:1b:25:f4:88:a7:93:cf:3d:a9:b7:98:42:
         e1:77:1b:c6:66:0a:72:ac:39:3a:9d:83:e6:0b:7a:4e:1b
admincerts openssl x509 -in Admin@example.com-cert.pem -text -noout 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14248524582099573694 (0xc5bced9d91775bbe)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=in, ST=ts, L=hyd, O=example.com, CN=ca.example.com
        Validity
            Not Before: Sep  5 10:29:33 2019 GMT
            Not After : Sep  2 10:29:33 2029 GMT
        Subject: C=in, ST=ts, L=hyd, O=Admin@example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:e7:a4:3f:55:64:ab:43:6a:f9:3b:46:b3:5e:85:
                    d5:c0:f0:f9:92:82:64:0f:f0:19:1d:89:86:d8:10:
                    d3:14:b0:3f:e8:55:c1:4a:0f:41:d3:14:65:0f:79:
                    f7:9a:73:ed:41:a6:63:76:0b:cf:70:dd:05:32:9e:
                    9c:62:82:f9:d1
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:59:41:c0:69:dc:e8:a9:32:1a:11:83:c8:fd:2f:
         cc:71:78:6f:76:8b:ad:d0:36:29:a6:c6:a6:32:23:5a:6e:cd:
         02:21:00:c8:80:aa:14:a2:d3:ea:28:1f:72:37:bb:cb:ac:84:
         c1:95:fb:a2:f0:d8:6f:f3:bb:33:83:bf:68:d4:0c:3c:9f
console log
➜  basic-network ../fabcar/startFabric.sh

# don't rewrite paths for Windows Git Bash users
export MSYS_NO_PATHCONV=1

docker-compose -f docker-compose.yml down
Stopping peer0.org1.example.com ... done
Stopping couchdb                ... done
Stopping ca.example.com         ... done
Stopping orderer.example.com    ... done
Removing peer0.org1.example.com ... done
Removing couchdb                ... done
Removing ca.example.com         ... done
Removing orderer.example.com    ... done
Removing network net_basic

docker-compose -f docker-compose.yml up -d ca.example.com orderer.example.com peer0.org1.example.com couchdb
Creating network "net_basic" with the default driver
Creating ca.example.com      ... done
Creating couchdb             ... done
Creating orderer.example.com ... done
Creating peer0.org1.example.com ... done

# wait for Hyperledger Fabric to start
# incase of errors when running later commands, issue export FABRIC_START_TIMEOUT=<larger number>
export FABRIC_START_TIMEOUT=10
#echo ${FABRIC_START_TIMEOUT}
sleep ${FABRIC_START_TIMEOUT}

# Create the channel
docker exec -e "CORE_PEER_LOCALMSPID=Org1MSP" -e "CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin@org1.example.com/msp" peer0.org1.example.com peer channel create -o orderer.example.com:7050 -c mychannel -f /etc/hyperledger/configtx/channel.tx
2019-09-05 11:28:16.837 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: got unexpected status: BAD_REQUEST -- error authorizing update: error validating DeltaSet: policy for [Group]  /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining

I am trying to use third-party certificates in the fabcar sample, but it does not work and fails with the error above.

configtx.yaml
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#

---
################################################################################
#
#   Section: Organizations
#
#   - This section defines the different organizational identities which will
#   be referenced later in the configuration.
#
################################################################################
Organizations:

    # SampleOrg defines an MSP using the sampleconfig.  It should never be used
    # in production but may be used as a template for other definitions
    - &OrdererOrg
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: OrdererOrg

        # ID to load the MSP definition as
        ID: OrdererMSP

        # MSPDir is the filesystem path which contains the MSP configuration
        MSPDir: crypto-config/ordererOrganizations/example.com/msp

    - &Org1
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: Org1MSP

        # ID to load the MSP definition as
        ID: Org1MSP

        MSPDir: crypto-config/peerOrganizations/org1.example.com/msp

        AnchorPeers:
            # AnchorPeers defines the location of peers which can be used
            # for cross org gossip communication.  Note, this value is only
            # encoded in the genesis block in the Application section context
            - Host: peer0.org1.example.com
              Port: 7051

################################################################################
#
#   SECTION: Application
#
#   - This section defines the values to encode into a config transaction or
#   genesis block for application related parameters
#
################################################################################
Application: &ApplicationDefaults

    # Organizations is the list of orgs which are defined as participants on
    # the application side of the network
    Organizations:

################################################################################
#
#   SECTION: Orderer
#
#   - This section defines the values to encode into a config transaction or
#   genesis block for orderer related parameters
#
################################################################################
Orderer: &OrdererDefaults

    # Orderer Type: The orderer implementation to start
    # Available types are "solo" and "kafka"
    OrdererType: solo

    Addresses:
        - orderer.example.com:7050

    # Batch Timeout: The amount of time to wait before creating a batch
    BatchTimeout: 2s

    # Batch Size: Controls the number of messages batched into a block
    BatchSize:

        # Max Message Count: The maximum number of messages to permit in a batch
        MaxMessageCount: 10

        # Absolute Max Bytes: The absolute maximum number of bytes allowed for
        # the serialized messages in a batch.
        AbsoluteMaxBytes: 99 MB

        # Preferred Max Bytes: The preferred maximum number of bytes allowed for
        # the serialized messages in a batch. A message larger than the preferred
        # max bytes will result in a batch larger than preferred max bytes.
        PreferredMaxBytes: 512 KB

    Kafka:
        # Brokers: A list of Kafka brokers to which the orderer connects
        # NOTE: Use IP:port notation
        Brokers:
            - 127.0.0.1:9092

    # Organizations is the list of orgs which are defined as participants on
    # the orderer side of the network
    Organizations:

################################################################################
#
#   Profile
#
#   - Different configuration profiles may be encoded here to be specified
#   as parameters to the configtxgen tool
#
################################################################################
Profiles:

    OneOrgOrdererGenesis:
        Orderer:
            <<: *OrdererDefaults
            Organizations:
                - *OrdererOrg
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *Org1
    OneOrgChannel:
        Consortium: SampleConsortium
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *Org1

Finally got the openssl-generated certificates working. After a lot of searching I found the answer below in another question, which corrected my mistake: I had not cleared the configuration artifacts ==> Genesis.json and the channel tx generated with the old crypto material. After deleting them and generating the configuration again, I was able to successfully run the network with the custom crypto material.

    ERRO 02d Principal deserialization failure (The supplied identity is not valid, Verify() returned x509: certificate signed by unknown authority) for identity

This would indicate that the certificate claims to be issued by a CA, but is not signed by the CA the orderer knows about (error type 2 above). This would commonly happen if you bootstrapped the orderer, then regenerated the crypto material for your environment without removing the orderer's storage directory.

It's important to remember that the ORDERER_GENERAL_GENESISFILE is only read if the system is not already bootstrapped, so changing the genesis block for the orderer will have no effect unless the orderer storage is also deleted.
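The failure mode described above, reproduced in Go (the language of the orderer, whose "x509: certificate signed by unknown authority" text is Go's own error): a CA is baked into the existing genesis block, the crypto material is then regenerated with a CA of the same name but a new key, and the new Admin@example.com certificate is checked against each. This is an added example, not code from the question, the answers or Fabric itself; it builds P-256 certificates with the same profile as the openssl dumps above (CA:TRUE with Certificate Sign/CRL Sign, identity with Digital Signature only), and the function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues an ECDSA P-256 certificate with the profile of the dumps above: a self-signed
// CA (CA:TRUE, Certificate Sign, CRL Sign) when parent is nil, else an identity signed by parent.
func makeCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{Organization: []string{"example.com"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed root: the template signs itself
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// chainsTo is the check the MSP applies to a principal: the identity must chain to
// one of the cacerts the orderer trusts. nil means accepted.
func chainsTo(id *x509.Certificate, cacerts ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range cacerts {
		pool.AddCert(c)
	}
	_, err := id.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// isUnknownAuthority matches the "certificate signed by unknown authority" failure.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	oldCA, _, _ := makeCert("ca.example.com", nil, nil)          // CA inside the already-bootstrapped genesis.block
	freshCA, freshKey, _ := makeCert("ca.example.com", nil, nil) // regenerated crypto material: same name, new key
	admin, _, _ := makeCert("Admin@example.com", freshCA, freshKey)
	fmt.Println("against regenerated CA:", chainsTo(admin, freshCA))
	err := chainsTo(admin, oldCA)
	fmt.Println("against stale genesis CA:", err, "unknown authority:", isUnknownAuthority(err))
}
```

The same subject name on both CAs is exactly why the log is misleading: the orderer finds a candidate issuer by name but its signature check fails, so the fix is to regenerate genesis.block and channel.tx from the new MSP and wipe the orderer's storage, not to edit the certificates.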

Generate a self-signed CA certificate

openssl req -x509 -newkey rsa:4096 -days 365 -keyout ca-key.pem -out ca-cert.pem -subj "/C=CA/ST=Ontario/L=TORONTO/O=xdata/OU=iot/CN=iotblock/emailAddress=xys@xdata.com"

View the details of the generated certificate

openssl x509 -in ca-cert.pem -noout -text

Generate the TLS key and a certificate signing request

openssl req -newkey rsa:4096 -keyout tls-key.pem  -out tls-req.pem -subj "/C=CA/ST=Ontario/L=TORONTO/O=xdata/OU=iot/CN=iotblock/emailAddress=xys@xdata.com"

Sign the request with the CA private key

openssl x509 -req -in tls-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out tls-cert.pem

For ECDSA certificates

openssl ecparam -list_curves
openssl ecparam -name sect193r2 -genkey -noout -out ca-key.pem
openssl req -new -sha256 -key ca-key.pem -out ca-cert.csr