证书颁发机构 (CA) 服务器的复制容器不工作
Replicated container of Certificate Authority (CA) server is not working
我正在尝试维护证书颁发机构 (CA) 服务器的高可用性 (HA)(不使用像 K8 这样的容器编排技术)。为此,我使用了 YAML 锚点和合并语法。两个容器 运行 并监听服务器端口。
这里出现的问题是,只有一台服务器像以前一样正常工作,而另一台使用合并和锚点复制的服务器不工作。它在使用 SDK 向复制的服务器发送请求时抛出错误。
我使用 fabcar 提供的 enrollAdmin.js 执行了 enrollAdmin 操作(由 hyperledger fabric 提供的样本)。错误代码如下:
gopal@gopal:~/Dappdev/first/fabric-samples/fabcar/javascript$ node enrollAdmin.js
Wallet path: /home/gopal/Dappdev/first/fabric-samples/fabcar/javascript/wallet
Enroll the admin user, and import the new identity into the wallet
2021-01-12T08:42:03.572Z - error: [FabricCAClientService.js]: Failed to enroll admin, error:%o message=Calling enrollment endpoint failed with error [Error: write EPROTO 139961596319552:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:
], stack=Error: Calling enrollment endpoint failed with error [Error: write EPROTO 139961596319552:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:
]
at ClientRequest.request.on (/home/gopal/Dappdev/first/fabric-samples/fabcar/javascript/node_modules/fabric-ca-client/lib/FabricCAClient.js:487:12)
at ClientRequest.emit (events.js:198:13)
at TLSSocket.socketErrorListener (_http_client.js:401:9)
at TLSSocket.emit (events.js:198:13)
at errorOrDestroy (internal/streams/destroy.js:107:12)
at onwriteError (_stream_writable.js:436:5)
at onwrite (_stream_writable.js:461:5)
at _destroy (internal/streams/destroy.js:49:7)
at TLSSocket.Socket._destroy (net.js:614:3)
at TLSSocket.destroy (internal/streams/destroy.js:37:8)
Failed to enroll admin user "admin": Error: Calling enrollment endpoint failed with error [Error: write EPROTO 139961596319552:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:
]
gopal@gopal:~/Dappdev/first/fabric-samples/fabcar/javascript$
此外,为了说明更多,我添加了如下的CA配置文件。
version: '2'
networks:
byfn:
services:
ca0: &name-me
image: hyperledger/fabric-ca:$IMAGE_TAG
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca-org1
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/key.pem
- FABRIC_CA_SERVER_PORT=7054
ports:
- "7054:7054"
command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/key.pem -b admin:adminpw -d'
volumes:
- ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
container_name: ca_server01
networks:
- byfn
# Replicated CA
ca01:
<<: *name-me # <- this is a merge (<<) with an alias (*name-me)
# keys below merge notation override those that declared under anchor
# so this:
ports:
- "8054:8054"
container_name: ca_server02
environment:
- FABRIC_CA_SERVER_PORT=8054
此外,为了确认配置,我已经为这个 CA 添加了一个连接配置文件。
"certificateAuthorities": {
"ca.org1.example.com": {
"url": "https://localhost:8054",
"caName": "ca-org1",
"tlsCACerts": {
"pem": "-----BEGIN CERTIFICATE-----\nMIICUDCCAfegAwIBAgIQWmpv94Te6dBKBjMEJrZ/RDAKBggqhkjOPQQDAjBzMQsw\nCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy\nYW5jaXNjbzEZMBcGA1UEChMQb3JnMS5leGFtcGxlLmNvbTEcMBoGA1UEAxMTY2Eu\nb3JnMS5leGFtcGxlLmNvbTAeFw0yMDEyMDQwODI1MDBaFw0zMDEyMDIwODI1MDBa\nMHMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBvcmcxLmV4YW1wbGUuY29tMRwwGgYDVQQD\nExNjYS5vcmcxLmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nvhAwa7BeZTdV+Sevx0LEg+dptt1GIaQpukOhiEGmstF7Re8okIQXhQw/WjTVWlv8\nGccHPcoUuVe6nBklpHEL/qNtMGswDgYDVR0PAQH/BAQDAgGmMB0GA1UdJQQWMBQG\nCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdDgQiBCBJ\n/ICyRsXWQVxtcPI0+8+ZtAYHGXb0z4VBd5yvvmv64zAKBggqhkjOPQQDAgNHADBE\nAiBYadQuHePis5gPkEoLR3yVaYzEADap31XcSg9P1L6akAIgMoxWuq58zpQrIY0X\nh4zC6aHdSt2u4hJtXLB+8JNzVy8=\n-----END CERTIFICATE-----\n"
},
"httpOptions": {
"verify": false
}
}
Is there a better way to solve this issue of replicated docker container not working for CA server replication?
上述CA服务器复制容器不工作的问题通过在复制容器上添加如下环境变量解决:
services:
ca0: &name-me
#ca0:
image: hyperledger/fabric-ca:$IMAGE_TAG
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca-org1
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/key.pem
- FABRIC_CA_SERVER_PORT=7054
ports:
- "7054:7054"
command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/key.pem -b admin:adminpw -d'
volumes:
- ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
container_name: ca_server01
networks:
- byfn
# Replicated CA
ca01:
<<: *name-me # <- this is a merge (<<) with an alias (*name-me)
# keys below merge notation override those that declared under anchor
# so this:
ports:
- "8054:8054"
container_name: ca_server02
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca-org1
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/key.pem
- FABRIC_CA_SERVER_PORT=8054
这样CA服务器的复制容器就可以了
我正在尝试维护证书颁发机构 (CA) 服务器的高可用性 (HA)(不使用像 K8 这样的容器编排技术)。为此,我使用了 YAML 锚点和合并语法。两个容器 运行 并监听服务器端口。 这里出现的问题是,只有一台服务器像以前一样正常工作,而另一台使用合并和锚点复制的服务器不工作。它在使用 SDK 向复制的服务器发送请求时抛出错误。 我使用 fabcar 提供的 enrollAdmin.js 执行了 enrollAdmin 操作(由 hyperledger fabric 提供的样本)。错误代码如下:
gopal@gopal:~/Dappdev/first/fabric-samples/fabcar/javascript$ node enrollAdmin.js
Wallet path: /home/gopal/Dappdev/first/fabric-samples/fabcar/javascript/wallet
Enroll the admin user, and import the new identity into the wallet
2021-01-12T08:42:03.572Z - error: [FabricCAClientService.js]: Failed to enroll admin, error:%o message=Calling enrollment endpoint failed with error [Error: write EPROTO 139961596319552:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:
], stack=Error: Calling enrollment endpoint failed with error [Error: write EPROTO 139961596319552:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:
]
at ClientRequest.request.on (/home/gopal/Dappdev/first/fabric-samples/fabcar/javascript/node_modules/fabric-ca-client/lib/FabricCAClient.js:487:12)
at ClientRequest.emit (events.js:198:13)
at TLSSocket.socketErrorListener (_http_client.js:401:9)
at TLSSocket.emit (events.js:198:13)
at errorOrDestroy (internal/streams/destroy.js:107:12)
at onwriteError (_stream_writable.js:436:5)
at onwrite (_stream_writable.js:461:5)
at _destroy (internal/streams/destroy.js:49:7)
at TLSSocket.Socket._destroy (net.js:614:3)
at TLSSocket.destroy (internal/streams/destroy.js:37:8)
Failed to enroll admin user "admin": Error: Calling enrollment endpoint failed with error [Error: write EPROTO 139961596319552:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:
]
gopal@gopal:~/Dappdev/first/fabric-samples/fabcar/javascript$
此外,为了说明更多,我添加了如下的CA配置文件。
version: '2'
networks:
byfn:
services:
ca0: &name-me
image: hyperledger/fabric-ca:$IMAGE_TAG
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca-org1
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/key.pem
- FABRIC_CA_SERVER_PORT=7054
ports:
- "7054:7054"
command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/key.pem -b admin:adminpw -d'
volumes:
- ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
container_name: ca_server01
networks:
- byfn
# Replicated CA
ca01:
<<: *name-me # <- this is a merge (<<) with an alias (*name-me)
# keys below merge notation override those that declared under anchor
# so this:
ports:
- "8054:8054"
container_name: ca_server02
environment:
- FABRIC_CA_SERVER_PORT=8054
此外,为了确认配置,我已经为这个 CA 添加了一个连接配置文件。
"certificateAuthorities": {
"ca.org1.example.com": {
"url": "https://localhost:8054",
"caName": "ca-org1",
"tlsCACerts": {
"pem": "-----BEGIN CERTIFICATE-----\nMIICUDCCAfegAwIBAgIQWmpv94Te6dBKBjMEJrZ/RDAKBggqhkjOPQQDAjBzMQsw\nCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy\nYW5jaXNjbzEZMBcGA1UEChMQb3JnMS5leGFtcGxlLmNvbTEcMBoGA1UEAxMTY2Eu\nb3JnMS5leGFtcGxlLmNvbTAeFw0yMDEyMDQwODI1MDBaFw0zMDEyMDIwODI1MDBa\nMHMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T\nYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBvcmcxLmV4YW1wbGUuY29tMRwwGgYDVQQD\nExNjYS5vcmcxLmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nvhAwa7BeZTdV+Sevx0LEg+dptt1GIaQpukOhiEGmstF7Re8okIQXhQw/WjTVWlv8\nGccHPcoUuVe6nBklpHEL/qNtMGswDgYDVR0PAQH/BAQDAgGmMB0GA1UdJQQWMBQG\nCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdDgQiBCBJ\n/ICyRsXWQVxtcPI0+8+ZtAYHGXb0z4VBd5yvvmv64zAKBggqhkjOPQQDAgNHADBE\nAiBYadQuHePis5gPkEoLR3yVaYzEADap31XcSg9P1L6akAIgMoxWuq58zpQrIY0X\nh4zC6aHdSt2u4hJtXLB+8JNzVy8=\n-----END CERTIFICATE-----\n"
},
"httpOptions": {
"verify": false
}
}
Is there a better way to solve this issue of replicated docker container not working for CA server replication?
上述CA服务器复制容器不工作的问题通过在复制容器上添加如下环境变量解决:
services:
ca0: &name-me
#ca0:
image: hyperledger/fabric-ca:$IMAGE_TAG
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca-org1
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/key.pem
- FABRIC_CA_SERVER_PORT=7054
ports:
- "7054:7054"
command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/key.pem -b admin:adminpw -d'
volumes:
- ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
container_name: ca_server01
networks:
- byfn
# Replicated CA
ca01:
<<: *name-me # <- this is a merge (<<) with an alias (*name-me)
# keys below merge notation override those that declared under anchor
# so this:
ports:
- "8054:8054"
container_name: ca_server02
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca-org1
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem
- FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/key.pem
- FABRIC_CA_SERVER_PORT=8054
这样CA服务器的复制容器就可以了