运行 启用了 TLS 的中间 CA:与根 CA 的连接被拒绝
Run intermediate CA with TLS enabled: connection to root CA refused
因此,我正在尝试创建一个具有根 CA 和多个中间 CA(每个组织一个)的结构网络,所有内容都启用了 TLS 和自签名证书(无加密)。 运行 设置根 CA 后,我为其注册管理员,并使用标志 hf.IntermediateCA=true 为中间 CA 创建从属关系并注册身份。然后我将 tls-cert.pem 从根 CA 复制到要由中间 CA 使用的卷,然后我尝试启动中间 CA 发行:
fabric-ca-server start -b admin:adminpw -u https://<registered-identity>:<pw>@ca-root:7054 --tls.certfile /path/to/copied/tls-cert.pem
我得到以下答案:
[lots of things...]
Post https://ca-root:7054/enroll: dial tcp 10.111.83.239:7054: connect: connection refused
不知道连接被拒绝的原因。检查根 CA 的日志看起来好像什么都没发生。我也知道这不是连接问题(我在 minikube 上,从日志中可以看出,DNS 正在正确解析 - 仔细检查)。我尝试使用 env 变量而不是 CLI 标志,还尝试使用标志 --intermediate.tls.certfiles 和相同的证书,还尝试了 ca-root-cert.pem 而不是 tls-cert.pem (我认为这也应该有效),所有结果都相同。
重要的是,如果我在所有地方禁用 TLS,我已经能够毫无问题地启动中间 CA,但我确实需要启用它。
我正在使用 fabric 1.4.2 图像。
我错过了什么?谢谢!
编辑: 回答@kekomal 问题:我对 TLS 证书和启用调试模式都使用了两个标志。这是完整的中级 CA 日志:
2019/10/25 08:22:56 [DEBUG] Home directory: /etc/hyperledger/fabric-ca-server
2019/10/25 08:22:56 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
2019/10/25 08:22:56 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
2019/10/25 08:22:56 [DEBUG] Set log level:
2019/10/25 08:22:56 [INFO] Server Version: 1.4.2
2019/10/25 08:22:56 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/10/25 08:22:56 [DEBUG] Making server filenames absolute
2019/10/25 08:22:56 [DEBUG] Initializing default CA in directory /etc/hyperledger/fabric-ca-server
2019/10/25 08:22:56 [DEBUG] Init CA with home /etc/hyperledger/fabric-ca-server and config {Version:1.4.2 Cfg:{Identities:{PasswordAttempts:10 AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name:ca-corp Keyfile: Certfile:ca-cert.pem Chainfile:ca-chain.pem} Signing:0xc000220870 CSR:{CN: Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[0.0.0.0 ca-corp ca-corp.blockchain-alm-ns.svc localhost] KeyRequest:0xc00022cfe0 CA:0xc00022d060 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Registrar.Roles:* hf.Registrar.DelegateRoles:* hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1] }]} Affiliations:map[org1:[department1 department2] org2:[department1]] LDAP:{ Enabled:false URL:ldap://****:****@<host>:<port>/<base> UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc00022d100 Client:<nil> Intermediate:{ParentServer:{ URL:https://****:****@ca-root:7054 CAName: } TLS:{Enabled:false CertFiles:[/etc/hyperledger/fabric-ca-server/tls-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2019/10/25 08:22:56 [DEBUG] CA Home Directory: /etc/hyperledger/fabric-ca-server
2019/10/25 08:22:56 [DEBUG] Checking configuration file version '1.4.2' against server version: '1.4.2'
2019/10/25 08:22:56 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc0001d0500 PluginOpts:<nil>}
2019/10/25 08:22:56 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc00022f4b0 DummyKeystore:<nil> InmemKeystore:<nil>}
2019/10/25 08:22:56 [DEBUG] Initialize key material
2019/10/25 08:22:56 [DEBUG] Making CA filenames absolute
2019/10/25 08:22:56 [WARNING] &{69 The specified CA certificate file /etc/hyperledger/fabric-ca-server/ca-cert.pem does not exist}
2019/10/25 08:22:56 [DEBUG] Getting CA cert; parent server URL is https://****:****@ca-root:7054
2019/10/25 08:22:56 [DEBUG] Intermediate enrollment request: { Name: Secret:**** CAName: AttrReqs:[] Profile:ca Label: CSR:&{ [] [] <nil> 0xc00022d5a0 } Type:x509 }, CSR: &{CN: Names:[] Hosts:[] KeyRequest:<nil> CA:0xc00022d5a0 SerialNumber:}, CA: &{PathLength:0 PathLenZero:true Expiry:}
2019/10/25 08:22:56 [DEBUG] Enrolling { Name:ca-corp Secret:**** CAName: AttrReqs:[] Profile:ca Label: CSR:&{ [{US North Carolina Hyperledger Fabric }] [0.0.0.0 ca-corp ca-corp.blockchain-alm-ns.svc localhost] 0xc00022cfe0 0xc00022d060 } Type:x509 }
2019/10/25 08:22:56 [DEBUG] Initializing client with config: &{URL:https://ca-root:7054 MSPDir: TLS:{Enabled:true CertFiles:[/etc/hyperledger/fabric-ca-server/tls-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name:ca-corp Secret:**** CAName: AttrReqs:[] Profile:ca Label: CSR:&{ [{US North Carolina Hyperledger Fabric }] [0.0.0.0 ca-corp ca-corp.blockchain-alm-ns.svc localhost] 0xc00022cfe0 0xc00022d060 } Type:x509 } CSR:{CN: Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[0.0.0.0 ca-corp ca-corp.blockchain-alm-ns.svc localhost] KeyRequest:0xc00022cfe0 CA:0xc00022d060 SerialNumber:} ID:{Name: Type: Secret: MaxEnrollments:0 Affiliation: Attributes:[] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc00022d100 Debug:false LogLevel:}
2019/10/25 08:22:56 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc0001d0500 PluginOpts:<nil>}
2019/10/25 08:22:56 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc00022f4b0 DummyKeystore:<nil> InmemKeystore:<nil>}
2019/10/25 08:22:56 [INFO] TLS Enabled
2019/10/25 08:22:56 [DEBUG] CA Files: [/etc/hyperledger/fabric-ca-server/tls-cert.pem]
2019/10/25 08:22:56 [DEBUG] Client Cert File:
2019/10/25 08:22:56 [DEBUG] Client Key File:
2019/10/25 08:22:56 [DEBUG] Client TLS certificate and/or key file not provided
2019/10/25 08:22:56 [DEBUG] GenCSR &{CN: Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[0.0.0.0 ca-corp ca-corp.blockchain-alm-ns.svc localhost] KeyRequest:0xc00022cfe0 CA:0xc00022d060 SerialNumber:}
2019/10/25 08:22:56 [INFO] generating key: &{A:ecdsa S:256}
2019/10/25 08:22:56 [DEBUG] generate key from request: algo=ecdsa, size=256
2019/10/25 08:22:56 [INFO] encoded CSR
2019/10/25 08:22:56 [DEBUG] Sending request
POST https://ca-root:7054/enroll
{"hosts":["0.0.0.0","ca-corp","ca-corp.blockchain-alm-ns.svc","localhost"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBgzCCASoCAQAwXzELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9s\naW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRAwDgYD\nVQQDEwdjYS1jb3JwMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEws3abjcupN/X\nVa53vjv9Cdv1oVT/fDF4wNLGrNs6gMazFKN+0FCBQIywQxbdqszAxwl0Wh1yYzm5\np4E17FPPnqBpMGcGCSqGSIb3DQEJDjFaMFgwQgYDVR0RBDswOYIHY2EtY29ycIId\nY2EtY29ycC5ibG9ja2NoYWluLWFsbS1ucy5zdmOCCWxvY2FsaG9zdIcEAAAAADAS\nBgNVHRMBAf8ECDAGAQH/AgEAMAoGCCqGSM49BAMCA0cAMEQCIHvXuMelMU9gVgWu\nb0tURDxJ/W5yvwikVEiMjAFma9tpAiBl3YQ1pbcNH53QAhn/4TjLaQLKeVDrK4a9\nX3/4HvG8iw==\n-----END CERTIFICATE REQUEST-----\n","profile":"ca","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}
2019/10/25 08:22:57 [DEBUG] Closing server DBs
Error: POST failure of request: POST https://ca-root:7054/enroll
{"hosts":["0.0.0.0","ca-corp","ca-corp.blockchain-alm-ns.svc","localhost"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBgzCCASoCAQAwXzELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9s\naW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRAwDgYD\nVQQDEwdjYS1jb3JwMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEws3abjcupN/X\nVa53vjv9Cdv1oVT/fDF4wNLGrNs6gMazFKN+0FCBQIywQxbdqszAxwl0Wh1yYzm5\np4E17FPPnqBpMGcGCSqGSIb3DQEJDjFaMFgwQgYDVR0RBDswOYIHY2EtY29ycIId\nY2EtY29ycC5ibG9ja2NoYWluLWFsbS1ucy5zdmOCCWxvY2FsaG9zdIcEAAAAADAS\nBgNVHRMBAf8ECDAGAQH/AgEAMAoGCCqGSM49BAMCA0cAMEQCIHvXuMelMU9gVgWu\nb0tURDxJ/W5yvwikVEiMjAFma9tpAiBl3YQ1pbcNH53QAhn/4TjLaQLKeVDrK4a9\nX3/4HvG8iw==\n-----END CERTIFICATE REQUEST-----\n","profile":"ca","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post https://ca-root:7054/enroll: dial tcp 10.110.28.98:7054: connect: connection refused
来自 CA 根的日志:
2019/10/25 08:18:21 [DEBUG] DB: Getting identity admin
2019/10/25 08:18:21 [DEBUG] Successful token authentication of 'admin'
2019/10/25 08:18:21 [DEBUG] Received registration request from admin: { Name:ca-corp Type:client Secret:**** MaxEnrollments:0 Affiliation: Attributes:[{hf.IntermediateCA true false}] CAName: }
2019/10/25 08:18:21 [DEBUG] No affiliation provided in registration request, will default to using registrar's affiliation of ''
2019/10/25 08:18:21 [DEBUG] canRegister - Check to see if user 'admin' can register
2019/10/25 08:18:21 [DEBUG] Checking to see if caller 'admin' can act on type 'client'
2019/10/25 08:18:21 [DEBUG] Checking to see if caller 'admin' is a registrar
2019/10/25 08:18:21 [DEBUG] Validating affiliation:
2019/10/25 08:18:21 [DEBUG] Checking to see if affiliation '' contains caller's affiliation ''
2019/10/25 08:18:21 [DEBUG] Caller has root affiliation
2019/10/25 08:18:21 [DEBUG] Checking to see if registrar can register the requested attributes: [{Name:hf.IntermediateCA Value:true ECert:false}]
2019/10/25 08:18:21 [DEBUG] Validating that registrar with the following values for hf.Registrar.Attributes '*' is authorized to register the requested attribute '&{Name:hf.IntermediateCA Value:true ECert:false}'
2019/10/25 08:18:21 [DEBUG] Checking if registrar can register attribute: hf.IntermediateCA
2019/10/25 08:18:21 [DEBUG] Performing authorization check...
2019/10/25 08:18:21 [DEBUG] Checking if caller is authorized to register attribute 'hf.IntermediateCA' with the requested value of 'true'
2019/10/25 08:18:21 [DEBUG] Requested attribute type is boolean
2019/10/25 08:18:21 [DEBUG] Registering user id: ca-corp
2019/10/25 08:18:21 [DEBUG] Max enrollment value verification - User specified max enrollment: 0, CA max enrollment: -1
2019/10/25 08:18:21 [DEBUG] DB: Getting identity ca-corp
2019/10/25 08:18:21 [DEBUG] DB: Add identity ca-corp
2019/10/25 08:18:21 [DEBUG] Successfully added identity ca-corp to the database
2019/10/25 08:18:21 [INFO] 127.0.0.1:34862 POST /register 201 0 "OK"
2019/10/25 08:30:30 [DEBUG] Cleaning up expired nonces for CA 'ca-root'
这里可以看到之前启动中间CA时注册应该注册的身份的过程。但是没有显示任何注册过程(拒绝连接)。
关于您的评论:您说我还应该在启动中间 CA 时发送 --tls.keyfile。我不明白这一点...私钥应始终由所有者(在本例中为根 CA)保存,我是否也应该将其复制到中间 CA 的卷中?为什么?这有意义吗?
编辑 2: 最后 @kekomal 的回答给了我线索:添加有关父 CA 的 CN 的信息让我更进一步。工作指令为:
fabric-ca-server start -b admin:adminpw -u https://<registered-identity>:<pw>@ca-root:7054 --intermediate.parentserver.caname ca-root --tls.certfile /path/to/copied/tls-cert.pem
其中新部分是 --intermediate.parentserver.caname ca-root。但是...发出此命令在中间 CA 的日志中给了我一个新错误:
Error: Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: Failed getting key for SKI [[167 199 194 85 105 166 191 99 62 19 149 57 140 61 6 182 134 104 105 223 132 142 13 221 99 68 170 0 45 246 28 17]]: Key with SKI a7c7c25569a6bf633e1395398c3d06b6866869df848e0ddd6344aa002df61c11 not found in /etc/hyperledger/fabric-ca-server/msp/keystore
按照错误提示,我把根CA的私钥复制到/etc/hyperledger/fabric-ca-server/msp/keystore里面的中间CA,就在这之后,中间CA终于启动了。
但为什么需要将此 PK 从根 CA 复制到中间 CA?我真的很困惑,因为我们正在使用非对称密码学。这是一个错误吗?还是我遗漏了什么重要的东西?
编辑 3: 好的,再更新一次:正如@kekomal 所建议的,我尝试在中间 CA 中不启用 tls 的情况下发出命令。所以我停止了网络,删除了中间 CA 的持久性,并按照建议发出了命令。令我惊讶的是,结果又是 connection refused 消息。然后我再次尝试了 fabric-ca-server start 的所有变体,但没有成功(相同的连接被拒绝消息)。最后我意识到它最后一次工作时,我首先发出了一个没有参数的 fabric-ca-server start(将其作为独立服务器启动),停止它,然后发送带有参数的命令。所以,我这次做的是先发送一个 fabric-ca-server init -b admin:adminpw,然后发送 fabric-ca-server start -b admin:adminpw -u https://ca-corp:NdckmlUAhTUP@ca-root:7054 --tls.enabled --intermediate.parentserver.caname ca-root --intermediate.tls.certfiles /etc/hyperledger/fabric-ca-server/tls-cert.pem(是的,用 --tls.enabled,因为我希望整个 CAs 网络与tls 启用,而不仅仅是根 CA),是的!中间 CA 现在正在工作,是的!,不需要复制根 CA 的 PK。我的结62=] 至少在启用 TLS 时才能正常工作。
嗯...父根CA TLS证书(受信任的根证书)应该用--intermediate.tls.certfiles指定。 --tls.certfile 和 --tls.keyfile 定义中间 CA TLS 证书及其 children/clients 的密钥。
设置--loglevel debug获取更多信息(并分享)。
编辑: 回复你的版面(我没有资格评论你的post),当你谈论--tls.keyfile。我并不是说你必须使用它。我的意思是,如果您使用 --tls.certfile,您还必须使用 --tls.keyfile,因为它们旨在通过 TLS 为您的中间 CA 服务提供服务,而不是信任您的父根 CA 的 TLS 证书。为了您的目的,您有 --intermediate.tls.certfiles。
您的命令应如下所示:
fabric-ca-server start -b admin:adminpw -u https://<registered-identity>:<pw>@ca-root:7054 --intermediate.parentserver.caname ca-root --intermediate.tls.certfiles /path/to/copied/tls-cert.pem
我能想到的可能错误:
ca-root 没有指向您的根 CA。- 某些防火墙规则或类似规则会阻止您的请求。
- 您的中间 CA 的端口与您的根 CA 的端口冲突。
- /path/to/copied/tls-cert.pem 不是您的根 CA 证书。
- 您的根 CA 的 TLS 证书的 CN 或 SAN 都不匹配域
ca-root。
- 您的根 CA 的配置在 TLS 握手期间强制执行 client/mutual 身份验证,而您的中间证书未使用它。
如果您说它在根 CA 不使用 TLS 时有效,并且您在更改期间没有破坏任何其他东西,它可以是 4-6 之一...
rootca的TLS- cert.pem直接复制到对应组织的文件夹下。相应的组织启动时,会生成同名的TLS,因为TLS也启动了link-cert.pem文件,但不覆盖从rootca复制过来的TLS-cert.pem文件。组织重启时,实际使用的是根CA的TLS-cert.pem因此会报错私钥与证书不匹配
因此,我正在尝试创建一个具有根 CA 和多个中间 CA(每个组织一个)的结构网络,所有内容都启用了 TLS 和自签名证书(无加密)。 运行 设置根 CA 后,我为其注册管理员,并使用标志 hf.IntermediateCA=true 为中间 CA 创建从属关系并注册身份。然后我将 tls-cert.pem 从根 CA 复制到要由中间 CA 使用的卷,然后我尝试启动中间 CA 发行:
fabric-ca-server start -b admin:adminpw -u https://<registered-identity>:<pw>@ca-root:7054 --tls.certfile /path/to/copied/tls-cert.pem
我得到以下答案:
[lots of things...]
Post https://ca-root:7054/enroll: dial tcp 10.111.83.239:7054: connect: connection refused
不知道连接被拒绝的原因。检查根 CA 的日志看起来好像什么都没发生。我也知道这不是连接问题(我在 minikube 上,从日志中可以看出,DNS 正在正确解析 - 仔细检查)。我尝试使用 env 变量而不是 CLI 标志,还尝试使用标志 --intermediate.tls.certfiles 和相同的证书,还尝试了 ca-root-cert.pem 而不是 tls-cert.pem (我认为这也应该有效),所有结果都相同。
重要的是,如果我在所有地方禁用 TLS,我已经能够毫无问题地启动中间 CA,但我确实需要启用它。
我正在使用 fabric 1.4.2 图像。
我错过了什么?谢谢!
编辑: 回答@kekomal 问题:我对 TLS 证书和启用调试模式都使用了两个标志。这是完整的中级 CA 日志:
2019/10/25 08:22:56 [DEBUG] Home directory: /etc/hyperledger/fabric-ca-server
2019/10/25 08:22:56 [INFO] Configuration file location: /etc/hyperledger/fabric-ca-server/fabric-ca-server-config.yaml
2019/10/25 08:22:56 [INFO] Starting server in home directory: /etc/hyperledger/fabric-ca-server
2019/10/25 08:22:56 [DEBUG] Set log level:
2019/10/25 08:22:56 [INFO] Server Version: 1.4.2
2019/10/25 08:22:56 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2019/10/25 08:22:56 [DEBUG] Making server filenames absolute
2019/10/25 08:22:56 [DEBUG] Initializing default CA in directory /etc/hyperledger/fabric-ca-server
2019/10/25 08:22:56 [DEBUG] Init CA with home /etc/hyperledger/fabric-ca-server and config {Version:1.4.2 Cfg:{Identities:{PasswordAttempts:10 AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name:ca-corp Keyfile: Certfile:ca-cert.pem Chainfile:ca-chain.pem} Signing:0xc000220870 CSR:{CN: Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[0.0.0.0 ca-corp ca-corp.blockchain-alm-ns.svc localhost] KeyRequest:0xc00022cfe0 CA:0xc00022d060 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Registrar.Roles:* hf.Registrar.DelegateRoles:* hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1] }]} Affiliations:map[org1:[department1 department2] org2:[department1]] LDAP:{ Enabled:false URL:ldap://****:****@<host>:<port>/<base> UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc00022d100 Client:<nil> Intermediate:{ParentServer:{ URL:https://****:****@ca-root:7054 CAName: } TLS:{Enabled:false CertFiles:[/etc/hyperledger/fabric-ca-server/tls-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2019/10/25 08:22:56 [DEBUG] CA Home Directory: /etc/hyperledger/fabric-ca-server
2019/10/25 08:22:56 [DEBUG] Checking configuration file version '1.4.2' against server version: '1.4.2'
2019/10/25 08:22:56 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc0001d0500 PluginOpts:<nil>}
2019/10/25 08:22:56 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc00022f4b0 DummyKeystore:<nil> InmemKeystore:<nil>}
2019/10/25 08:22:56 [DEBUG] Initialize key material
2019/10/25 08:22:56 [DEBUG] Making CA filenames absolute
2019/10/25 08:22:56 [WARNING] &{69 The specified CA certificate file /etc/hyperledger/fabric-ca-server/ca-cert.pem does not exist}
2019/10/25 08:22:56 [DEBUG] Getting CA cert; parent server URL is https://****:****@ca-root:7054
2019/10/25 08:22:56 [DEBUG] Intermediate enrollment request: { Name: Secret:**** CAName: AttrReqs:[] Profile:ca Label: CSR:&{ [] [] <nil> 0xc00022d5a0 } Type:x509 }, CSR: &{CN: Names:[] Hosts:[] KeyRequest:<nil> CA:0xc00022d5a0 SerialNumber:}, CA: &{PathLength:0 PathLenZero:true Expiry:}
2019/10/25 08:22:56 [DEBUG] Enrolling { Name:ca-corp Secret:**** CAName: AttrReqs:[] Profile:ca Label: CSR:&{ [{US North Carolina Hyperledger Fabric }] [0.0.0.0 ca-corp ca-corp.blockchain-alm-ns.svc localhost] 0xc00022cfe0 0xc00022d060 } Type:x509 }
2019/10/25 08:22:56 [DEBUG] Initializing client with config: &{URL:https://ca-root:7054 MSPDir: TLS:{Enabled:true CertFiles:[/etc/hyperledger/fabric-ca-server/tls-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name:ca-corp Secret:**** CAName: AttrReqs:[] Profile:ca Label: CSR:&{ [{US North Carolina Hyperledger Fabric }] [0.0.0.0 ca-corp ca-corp.blockchain-alm-ns.svc localhost] 0xc00022cfe0 0xc00022d060 } Type:x509 } CSR:{CN: Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[0.0.0.0 ca-corp ca-corp.blockchain-alm-ns.svc localhost] KeyRequest:0xc00022cfe0 CA:0xc00022d060 SerialNumber:} ID:{Name: Type: Secret: MaxEnrollments:0 Affiliation: Attributes:[] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc00022d100 Debug:false LogLevel:}
2019/10/25 08:22:56 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc0001d0500 PluginOpts:<nil>}
2019/10/25 08:22:56 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc00022f4b0 DummyKeystore:<nil> InmemKeystore:<nil>}
2019/10/25 08:22:56 [INFO] TLS Enabled
2019/10/25 08:22:56 [DEBUG] CA Files: [/etc/hyperledger/fabric-ca-server/tls-cert.pem]
2019/10/25 08:22:56 [DEBUG] Client Cert File:
2019/10/25 08:22:56 [DEBUG] Client Key File:
2019/10/25 08:22:56 [DEBUG] Client TLS certificate and/or key file not provided
2019/10/25 08:22:56 [DEBUG] GenCSR &{CN: Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[0.0.0.0 ca-corp ca-corp.blockchain-alm-ns.svc localhost] KeyRequest:0xc00022cfe0 CA:0xc00022d060 SerialNumber:}
2019/10/25 08:22:56 [INFO] generating key: &{A:ecdsa S:256}
2019/10/25 08:22:56 [DEBUG] generate key from request: algo=ecdsa, size=256
2019/10/25 08:22:56 [INFO] encoded CSR
2019/10/25 08:22:56 [DEBUG] Sending request
POST https://ca-root:7054/enroll
{"hosts":["0.0.0.0","ca-corp","ca-corp.blockchain-alm-ns.svc","localhost"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBgzCCASoCAQAwXzELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9s\naW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRAwDgYD\nVQQDEwdjYS1jb3JwMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEws3abjcupN/X\nVa53vjv9Cdv1oVT/fDF4wNLGrNs6gMazFKN+0FCBQIywQxbdqszAxwl0Wh1yYzm5\np4E17FPPnqBpMGcGCSqGSIb3DQEJDjFaMFgwQgYDVR0RBDswOYIHY2EtY29ycIId\nY2EtY29ycC5ibG9ja2NoYWluLWFsbS1ucy5zdmOCCWxvY2FsaG9zdIcEAAAAADAS\nBgNVHRMBAf8ECDAGAQH/AgEAMAoGCCqGSM49BAMCA0cAMEQCIHvXuMelMU9gVgWu\nb0tURDxJ/W5yvwikVEiMjAFma9tpAiBl3YQ1pbcNH53QAhn/4TjLaQLKeVDrK4a9\nX3/4HvG8iw==\n-----END CERTIFICATE REQUEST-----\n","profile":"ca","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}
2019/10/25 08:22:57 [DEBUG] Closing server DBs
Error: POST failure of request: POST https://ca-root:7054/enroll
{"hosts":["0.0.0.0","ca-corp","ca-corp.blockchain-alm-ns.svc","localhost"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBgzCCASoCAQAwXzELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9s\naW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRAwDgYD\nVQQDEwdjYS1jb3JwMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEws3abjcupN/X\nVa53vjv9Cdv1oVT/fDF4wNLGrNs6gMazFKN+0FCBQIywQxbdqszAxwl0Wh1yYzm5\np4E17FPPnqBpMGcGCSqGSIb3DQEJDjFaMFgwQgYDVR0RBDswOYIHY2EtY29ycIId\nY2EtY29ycC5ibG9ja2NoYWluLWFsbS1ucy5zdmOCCWxvY2FsaG9zdIcEAAAAADAS\nBgNVHRMBAf8ECDAGAQH/AgEAMAoGCCqGSM49BAMCA0cAMEQCIHvXuMelMU9gVgWu\nb0tURDxJ/W5yvwikVEiMjAFma9tpAiBl3YQ1pbcNH53QAhn/4TjLaQLKeVDrK4a9\nX3/4HvG8iw==\n-----END CERTIFICATE REQUEST-----\n","profile":"ca","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}: Post https://ca-root:7054/enroll: dial tcp 10.110.28.98:7054: connect: connection refused
来自 CA 根的日志:
2019/10/25 08:18:21 [DEBUG] DB: Getting identity admin
2019/10/25 08:18:21 [DEBUG] Successful token authentication of 'admin'
2019/10/25 08:18:21 [DEBUG] Received registration request from admin: { Name:ca-corp Type:client Secret:**** MaxEnrollments:0 Affiliation: Attributes:[{hf.IntermediateCA true false}] CAName: }
2019/10/25 08:18:21 [DEBUG] No affiliation provided in registration request, will default to using registrar's affiliation of ''
2019/10/25 08:18:21 [DEBUG] canRegister - Check to see if user 'admin' can register
2019/10/25 08:18:21 [DEBUG] Checking to see if caller 'admin' can act on type 'client'
2019/10/25 08:18:21 [DEBUG] Checking to see if caller 'admin' is a registrar
2019/10/25 08:18:21 [DEBUG] Validating affiliation:
2019/10/25 08:18:21 [DEBUG] Checking to see if affiliation '' contains caller's affiliation ''
2019/10/25 08:18:21 [DEBUG] Caller has root affiliation
2019/10/25 08:18:21 [DEBUG] Checking to see if registrar can register the requested attributes: [{Name:hf.IntermediateCA Value:true ECert:false}]
2019/10/25 08:18:21 [DEBUG] Validating that registrar with the following values for hf.Registrar.Attributes '*' is authorized to register the requested attribute '&{Name:hf.IntermediateCA Value:true ECert:false}'
2019/10/25 08:18:21 [DEBUG] Checking if registrar can register attribute: hf.IntermediateCA
2019/10/25 08:18:21 [DEBUG] Performing authorization check...
2019/10/25 08:18:21 [DEBUG] Checking if caller is authorized to register attribute 'hf.IntermediateCA' with the requested value of 'true'
2019/10/25 08:18:21 [DEBUG] Requested attribute type is boolean
2019/10/25 08:18:21 [DEBUG] Registering user id: ca-corp
2019/10/25 08:18:21 [DEBUG] Max enrollment value verification - User specified max enrollment: 0, CA max enrollment: -1
2019/10/25 08:18:21 [DEBUG] DB: Getting identity ca-corp
2019/10/25 08:18:21 [DEBUG] DB: Add identity ca-corp
2019/10/25 08:18:21 [DEBUG] Successfully added identity ca-corp to the database
2019/10/25 08:18:21 [INFO] 127.0.0.1:34862 POST /register 201 0 "OK"
2019/10/25 08:30:30 [DEBUG] Cleaning up expired nonces for CA 'ca-root'
这里可以看到之前启动中间CA时注册应该注册的身份的过程。但是没有显示任何注册过程(拒绝连接)。
关于您的评论:您说我还应该在启动中间 CA 时发送 --tls.keyfile。我不明白这一点...私钥应始终由所有者(在本例中为根 CA)保存,我是否也应该将其复制到中间 CA 的卷中?为什么?这有意义吗?
编辑 2: 最后 @kekomal 的回答给了我线索:添加有关父 CA 的 CN 的信息让我更进一步。工作指令为:
fabric-ca-server start -b admin:adminpw -u https://<registered-identity>:<pw>@ca-root:7054 --intermediate.parentserver.caname ca-root --tls.certfile /path/to/copied/tls-cert.pem
其中新部分是 --intermediate.parentserver.caname ca-root。但是...发出此命令在中间 CA 的日志中给了我一个新错误:
Error: Could not load TLS certificate with BCCSP: Could not find matching private key for SKI: Failed getting key for SKI [[167 199 194 85 105 166 191 99 62 19 149 57 140 61 6 182 134 104 105 223 132 142 13 221 99 68 170 0 45 246 28 17]]: Key with SKI a7c7c25569a6bf633e1395398c3d06b6866869df848e0ddd6344aa002df61c11 not found in /etc/hyperledger/fabric-ca-server/msp/keystore
按照错误提示,我把根CA的私钥复制到/etc/hyperledger/fabric-ca-server/msp/keystore里面的中间CA,就在这之后,中间CA终于启动了。
但为什么需要将此 PK 从根 CA 复制到中间 CA?我真的很困惑,因为我们正在使用非对称密码学。这是一个错误吗?还是我遗漏了什么重要的东西?
编辑 3: 好的,再更新一次:正如@kekomal 所建议的,我尝试在中间 CA 中不启用 tls 的情况下发出命令。所以我停止了网络,删除了中间 CA 的持久性,并按照建议发出了命令。令我惊讶的是,结果又是 connection refused 消息。然后我再次尝试了 fabric-ca-server start 的所有变体,但没有成功(相同的连接被拒绝消息)。最后我意识到它最后一次工作时,我首先发出了一个没有参数的 fabric-ca-server start(将其作为独立服务器启动),停止它,然后发送带有参数的命令。所以,我这次做的是先发送一个 fabric-ca-server init -b admin:adminpw,然后发送 fabric-ca-server start -b admin:adminpw -u https://ca-corp:NdckmlUAhTUP@ca-root:7054 --tls.enabled --intermediate.parentserver.caname ca-root --intermediate.tls.certfiles /etc/hyperledger/fabric-ca-server/tls-cert.pem(是的,用 --tls.enabled,因为我希望整个 CAs 网络与tls 启用,而不仅仅是根 CA),是的!中间 CA 现在正在工作,是的!,不需要复制根 CA 的 PK。我的结62=] 至少在启用 TLS 时才能正常工作。
嗯...父根CA TLS证书(受信任的根证书)应该用--intermediate.tls.certfiles指定。 --tls.certfile 和 --tls.keyfile 定义中间 CA TLS 证书及其 children/clients 的密钥。
设置--loglevel debug获取更多信息(并分享)。
编辑: 回复你的版面(我没有资格评论你的post),当你谈论--tls.keyfile。我并不是说你必须使用它。我的意思是,如果您使用 --tls.certfile,您还必须使用 --tls.keyfile,因为它们旨在通过 TLS 为您的中间 CA 服务提供服务,而不是信任您的父根 CA 的 TLS 证书。为了您的目的,您有 --intermediate.tls.certfiles。
您的命令应如下所示:
fabric-ca-server start -b admin:adminpw -u https://<registered-identity>:<pw>@ca-root:7054 --intermediate.parentserver.caname ca-root --intermediate.tls.certfiles /path/to/copied/tls-cert.pem
我能想到的可能错误:
ca-root没有指向您的根 CA。- 某些防火墙规则或类似规则会阻止您的请求。
- 您的中间 CA 的端口与您的根 CA 的端口冲突。
- /path/to/copied/tls-cert.pem 不是您的根 CA 证书。
- 您的根 CA 的 TLS 证书的 CN 或 SAN 都不匹配域
ca-root。 - 您的根 CA 的配置在 TLS 握手期间强制执行 client/mutual 身份验证,而您的中间证书未使用它。
如果您说它在根 CA 不使用 TLS 时有效,并且您在更改期间没有破坏任何其他东西,它可以是 4-6 之一...
rootca的TLS- cert.pem直接复制到对应组织的文件夹下。相应的组织启动时,会生成同名的TLS,因为TLS也启动了link-cert.pem文件,但不覆盖从rootca复制过来的TLS-cert.pem文件。组织重启时,实际使用的是根CA的TLS-cert.pem因此会报错私钥与证书不匹配