(I) Multi-host: dynamically adding an organization node
1. Background
(1) The Org3-crypt.yaml configuration file
This configuration file is consumed by the cryptogen tool to generate the organization's identity certificates.
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
# ---------------------------------------------------------------------------
# "PeerOrgs" - Definition of organizations managing peer nodes
# ---------------------------------------------------------------------------
PeerOrgs:
  # ---------------------------------------------------------------------------
  # Org3
  # ---------------------------------------------------------------------------
  - Name: SM611
    # Domain name
    Domain: sm611.newcapec.net
    # true means a config.yaml file is generated under the msp directory
    EnableNodeOUs: true
    Template:
      # Number of peer nodes
      Count: 1
      # Subject alternative names besides the hostname and common name
      SANS:
        - localhost
    # Users belonging to the organization
    Users:
      # Number of ordinary users; one admin user is generated by default
      Count: 1
(2) Identity certificate configuration for the new node
A peer node needs the certificates in the msp and tls directories.
# msp directory: member identity certificates
- ../../organizations/peerOrganizations/sm611.newcapec.net/peers/peer0.sm611.newcapec.net/msp:/etc/hyperledger/fabric/msp
# tls directory: transport security certificates
- ../../organizations/peerOrganizations/sm611.newcapec.net/peers/peer0.sm611.newcapec.net/tls:/etc/hyperledger/fabric/tls
Path:
organizations/peerOrganizations/sm611.newcapec.net/peers
The peers directory holds the certificates of all nodes in this organization.
Field details:
└── peer0.sm611.newcapec.net
    ├── msp
    │   ├── admincerts   identity certificates of the organization admins; used to verify whether a signer is an admin
    │   ├── cacerts      the organization's root certificate
    │   │   └── ca.sm611.newcapec.net-cert.pem
    │   ├── config.yaml
    │   ├── keystore     this node's identity private key; used for signing
    │   │   └── priv_sk
    │   ├── signcerts    the certificate that verifies this node's signatures; issued under the organization root certificate
    │   │   └── peer0.sm611.newcapec.net-cert.pem
    │   └── tlscacerts   secure-transport certificate; used to encrypt communication
    │       └── tlsca.sm611.newcapec.net-cert.pem
    └── tls
        ├── ca.crt       organization root certificate
        ├── server.crt   the certificate that verifies this node's signatures; issued under the organization root certificate
        └── server.key   this node's identity private key, used for signing
(3) Analysis of the MSP certificate relationships
There are two levels of certificate: the organization's root certificate, and beneath it the organization's user certificates and secure-transport certificates.
The organization root certificate is issued by the organization itself; it is self-signed and has no superior certificate.
User certificates and secure-transport certificates are both issued by the organization root certificate.
① User certificate
openssl x509 -in peer0.org3.example.com-cert.pem -noout -text
Certificate details:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b0:b4:27:92:66:18:3d:22:99:7a:54:da:ae:3e:78:d0
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = California, L = San Francisco, O = org3.example.com, CN = ca.org3.example.com
Validity
Not Before: Apr 8 05:31:00 2021 GMT
Not After : Apr 6 05:31:00 2031 GMT
Subject: C = US, ST = California, L = San Francisco, OU = peer, CN = peer0.org3.example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:8d:32:8b:14:ca:c5:53:8b:18:15:be:fd:c5:50:
3c:09:9c:1c:e6:7f:3b:a9:48:96:d7:30:96:36:1d:
fd:fd:25:5f:8f:df:78:58:a2:4a:85:2e:58:36:7c:
04:d1:75:13:3e:de:c6:e3:4c:39:40:22:53:8d:c8:
7e:71:bf:b8:51
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:A2:C6:17:59:76:55:A3:63:51:48:92:09:69:D4:83:5E:C6:CA:F0:76:0A:AF:E1:D7:85:D1:B3:BC:23:02:DB:7B
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:2d:ca:03:6b:f7:cc:80:a3:48:28:96:e2:72:98:
d7:d9:92:df:ac:56:88:9e:6d:d6:74:99:ab:c1:12:a9:71:13:
02:20:72:12:6f:51:2e:ae:e8:03:65:b6:4c:42:b4:17:55:d7:
7a:aa:d4:55:df:bd:f9:55:62:1c:b3:84:93:6f:db:9d
② Root certificate (self-signed certificate)
openssl x509 -in ca.org3.example.com-cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8e:75:7d:b8:08:cc:3d:90:01:ce:56:2c:1e:7e:2b:b1
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = California, L = San Francisco, O = org3.example.com, CN = ca.org3.example.com
Validity
Not Before: Apr 8 05:31:00 2021 GMT
Not After : Apr 6 05:31:00 2031 GMT
Subject: C = US, ST = California, L = San Francisco, O = org3.example.com, CN = ca.org3.example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:07:d2:32:11:98:f5:02:ae:0f:e7:17:1b:5d:a2:
42:da:14:54:05:50:11:60:1a:9f:19:70:be:2b:9b:
e7:48:16:e3:b5:71:b3:5c:e1:57:39:07:c6:bc:8f:
69:ab:a3:43:e4:78:00:dd:49:83:34:78:76:76:a1:
80:07:a1:ae:6a
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
A2:C6:17:59:76:55:A3:63:51:48:92:09:69:D4:83:5E:C6:CA:F0:76:0A:AF:E1:D7:85:D1:B3:BC:23:02:DB:7B
Signature Algorithm: ecdsa-with-SHA256
30:45:02:20:4e:fa:cf:fe:a0:ea:21:8c:11:67:bc:c6:d1:51:
7c:c0:51:89:3a:cf:76:fd:8a:7f:91:c1:0c:0a:ee:99:55:0b:
02:21:00:aa:b1:27:f0:ab:b3:7b:fb:00:f5:70:0c:fe:d4:0c:
75:aa:37:68:67:dd:f8:9f:6b:67:28:6c:61:64:3e:91:0c
③ Secure-transport certificate (TLS certificate)
openssl x509 -in tlsca.org3.example.com-cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
fa:4a:ab:ab:e1:76:d9:0b:13:6a:c1:93:4a:a4:c6:b9
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = California, L = San Francisco, O = org3.example.com, CN = tlsca.org3.example.com
Validity
Not Before: Apr 8 05:31:00 2021 GMT
Not After : Apr 6 05:31:00 2031 GMT
Subject: C = US, ST = California, L = San Francisco, O = org3.example.com, CN = tlsca.org3.example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:a7:e0:39:01:fe:8b:2a:29:ac:42:50:d4:e7:2e:
23:1d:25:42:af:7f:5a:2d:07:05:1b:b4:6a:b4:ea:
91:cf:97:ad:e2:74:dc:ae:e0:cf:e7:70:c5:63:95:
54:10:4a:0d:c1:7a:1c:78:76:c3:19:36:dc:cb:3c:
b4:ce:0f:2f:13
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
E8:E8:05:F6:BC:AF:86:4D:5B:C7:3B:4F:8B:35:3D:84:CB:D9:33:80:46:B8:29:C0:4E:E0:4C:62:BB:98:6B:85
Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:d6:2a:d5:2c:aa:33:3b:97:b0:50:a3:e9:ca:
a7:7b:c6:9f:1b:40:df:ef:d9:f3:2c:f8:d0:c9:53:8d:0f:c7:
d1:02:20:65:54:1e:5c:8c:ce:e4:4a:4c:2c:2d:9c:ad:da:1e:
9f:64:6b:d2:03:fa:2e:ff:fd:bf:49:4d:6e:14:9d:89:f3
(4) Org2 certificates
There are two levels of certificate: the organization's root certificate, and beneath it the organization's user certificates and secure-transport certificates.
The organization root certificate is issued by the organization itself; it is self-signed and has no superior certificate.
User certificates and secure-transport certificates are both issued by the organization root certificate.
① User certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
62:79:3c:e1:af:8b:ce:e6:8d:ae:5e:3f:cd:01:b5:1a:f8:e0:59:df
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = UK, ST = Hampshire, L = Hursley, O = org2.example.com, CN = ca.org2.example.com
Validity
Not Before: Apr 8 05:21:00 2021 GMT
Not After : Apr 8 05:26:00 2022 GMT
Subject: C = US, ST = North Carolina, O = Hyperledger, OU = peer, CN = peer0
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:a4:49:2b:4a:23:9c:a8:53:34:6a:b9:60:fe:af:
eb:87:1d:47:ee:fa:13:8b:0d:9f:bb:58:7d:d3:d7:
eb:c1:bf:9d:03:35:77:4c:85:b3:87:d3:3b:b1:70:
d0:12:d7:24:f5:f6:51:e7:a2:9c:d2:0b:fa:60:2a:
77:83:18:9c:00
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
20:55:92:CE:B3:7E:D7:72:D8:D5:F2:34:88:45:36:E2:7E:CF:69:ED
X509v3 Authority Key Identifier:
keyid:68:F5:C0:70:6F:A3:83:7A:88:C4:F8:4C:7F:55:46:26:0B:A9:86:3C
X509v3 Subject Alternative Name:
DNS:peer0.org2.example.com
1.2.3.4.5.6.7.8.1:
{"attrs":{"hf.Affiliation":"","hf.EnrollmentID":"peer0","hf.Type":"peer"}}
"hf.Affiliation":"" is the organizational unit (affiliation)
"hf.Type":"peer" denotes the role
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:57:03:17:98:41:3c:75:c2:fa:da:f2:23:8b:d2:
0e:6b:a9:24:fd:d3:f8:e4:23:29:01:5c:19:b1:4c:01:05:ca:
02:20:60:72:0f:42:50:65:00:dc:b9:5c:4e:62:d3:6c:2b:30:
78:40:fd:41:42:6d:e0:4e:a8:75:74:98:02:3d:09:76
② Root certificate (self-signed certificate)
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
12:6a:f8:45:82:54:83:28:a8:bf:65:9f:00:bd:c9:f9:ab:e1:94:fa
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = UK, ST = Hampshire, L = Hursley, O = org2.example.com, CN = ca.org2.example.com
Validity
Not Before: Apr 8 05:21:00 2021 GMT
Not After : Apr 4 05:21:00 2036 GMT
Subject: C = UK, ST = Hampshire, L = Hursley, O = org2.example.com, CN = ca.org2.example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:44:a4:89:08:70:d8:5e:a7:57:30:47:8b:ed:2c:
97:a2:dd:c9:9a:7c:e5:b8:8c:d1:11:96:52:05:0f:
7a:36:62:b6:95:da:6f:cf:1c:3b:b5:76:fd:b5:31:
0e:6d:80:90:5c:8d:48:91:d3:40:b4:aa:9c:14:69:
df:66:ab:b0:35
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Subject Key Identifier:
68:F5:C0:70:6F:A3:83:7A:88:C4:F8:4C:7F:55:46:26:0B:A9:86:3C
Signature Algorithm: ecdsa-with-SHA256
30:44:02:21:00:c8:68:ee:a8:12:a0:51:41:91:01:fb:4a:f3:
04:a3:91:43:16:8d:e0:c5:6f:aa:81:b1:0a:0a:8e:a8:96:36:
10:02:1f:5b:1d:bb:52:b5:6b:8c:72:35:e4:7d:1f:95:81:c2:
24:c3:5c:a7:fe:f7:f4:e8:5b:f5:b2:c4:07:88:0f:97
(5) Node organizational units (NodeOUs)
For node organizational units, setting Enable to true turns on fine-grained policy control.
The purpose of NodeOUs is finer-grained permission control.
The MSP has the following roles:
1) Client
2) Peer
3) Admin
4) Orderer
A principal is described as 'MSP.ROLE', where MSP is the required MSP ID (the organization) and ROLE is one of the four accepted roles: Member, Admin, Client and Peer. The role is associated with the user when the user enrolls with the CA.
Open question:
When the cryptogen tool is used, how is the role associated? Has it already been associated? The certificates generated by cryptogen show no additional attribute field.
2. Procedure
(1) Domain-name mapping
① Domain-name mapping for the new node
The hosts must be reachable from one another, and the nodes communicate with each other by domain name. Because the test domain names are not registered in DNS, each host's hosts file has to be edited by hand.
With docker-compose, add an extra_hosts field.
② The existing network
On the existing blockchain network, add the new node's domain-name mapping to the hosts file.
# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
# ------------- organization nodes: domain-name mapping ----------------
192.168.112.22 peer0.org3.example.com
(2) Add the node
Run the add-node script; if it completes successfully, the node has been added.
./addOrg3.sh up
3. Verifying the new node
(1) Verification methods
① Script output
+ peer channel join -b mychannel.block
+ res=0
+ set +x
2021-04-09 03:23:31.832 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2021-04-09 03:23:32.289 UTC [channelCmd] executeJoin -> INFO 002 Successfully submitted proposal to join channel
===================== peer0.org3 joined channel 'mychannel' =====================
========= Finished adding Org3 to your test network! =========
② Logs of the node container
2021-04-09 03:23:32.739 UTC [gossip.gossip] learnAnchorPeers -> INFO 041 Learning about the configured anchor peers of Org1MSP for channel mychannel: [{peer0.org1.example.com 7051}]
2021-04-09 03:23:32.739 UTC [committer.txvalidator] Validate -> INFO 042 [mychannel] Validated block [3] in 7ms
2021-04-09 03:23:32.965 UTC [kvledger] CommitLegacy -> INFO 043 [mychannel] Committed block [3] with 1 transaction(s) in 225ms (state_validation=0ms block_and_pvtdata_commit=133ms state_commit=58ms) commitHash=[37be5332b9300ef2e301f0e0e5385a0a729d3fef5c9ea4a7bd4766bb91998a31]
2021-04-09 03:23:37.739 UTC [gossip.channel] reportMembershipChanges -> INFO 044
[[mychannel] Membership view has changed. peers went online:
[[peer0.org1.example.com:7051 ] [peer0.org2.example.com:9051 ]] ,
current view: [[peer0.org1.example.com:7051 ] [peer0.org2.example.com:9051 ]]]
③ Information obtained inside the node container
# peer channel list
2021-04-09 03:26:09.830 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Channels peers has joined:
mychannel
# peer channel getinfo -c mychannel
2021-04-09 03:26:30.097 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Blockchain info: {"height":4,"currentBlockHash":"cVDbIwYWcrKShzagotlaVqmxUczKDJZDgck78Cz55HY=","previousBlockHash":"ZZZhL+hrW/RqCga6xYz/liLV38sSUVP1oOVMAhU4ojs="}
④ Blockchain explorer
The newly added node can be observed there.
1. Common error logs
(1) New node fails to connect on startup: transport: Error while dialing dial tcp
① Symptom
The new organization's node starts, but the node container log shows connection failures:
grpc: addrConn.createTransport failed to connect to {peer0.org1.example.com:7051 <nil> 0 <nil>}. Err: connection error: desc = "transport: Error while dialing dial tcp 192.168.116.46:7051: operation was canceled". Reconnecting...
② Client log:
2021-04-06 02:03:29.046 UTC [grpc] Infof -> DEBU d29 Channel Connectivity change to SHUTDOWN
2021-04-06 02:03:29.046 UTC [grpc] Infof -> DEBU d2a Subchannel Connectivity change to SHUTDOWN
2021-04-06 02:03:29.047 UTC [grpc] Warningf -> DEBU d2b grpc: addrConn.createTransport failed to connect to {peer0.org1.example.com:7051 <nil> 0 <nil>}. Err: connection error: desc = "transport: Error while dialing dial tcp 192.168.116.46:7051: operation was canceled". Reconnecting...
2021-04-06 02:03:29.047 UTC [gossip.gossip] func1 -> WARN d2c Deep probe of peer0.org1.example.com:7051 for channel mychannel failed: context deadline exceeded
2021-04-06 02:03:29.047 UTC [gossip.discovery] func1 -> WARN d2d Could not connect to Endpoint: peer0.org1.example.com:7051, InternalEndpoint: peer0.org1.example.com:7051, PKI-ID: <nil>, Metadata: : context deadline exceeded
2021-04-06 02:03:29.047 UTC [grpc] Infof -> DEBU d2e Channel Connectivity change to SHUTDOWN
2021-04-06 02:03:29.047 UTC [grpc] Infof -> DEBU d2f Subchannel Connectivity change to SHUTDOWN
2021-04-06 02:03:29.047 UTC [gossip.gossip] func1 -> WARN d30 Deep probe of peer0.org2.example.com:9051 for channel mychannel failed: context deadline exceeded
2021-04-06 02:03:29.047 UTC [gossip.discovery] func1 -> WARN d31 Could not connect to Endpoint: peer0.org2.example.com:9051, InternalEndpoint: peer0.org2.example.com:9051, PKI-ID: <nil>, Metadata: : context deadline exceeded
2021-04-06 02:03:29.048 UTC [grpc] Warningf -> DEBU d32 grpc: addrConn.createTransport failed to connect to {peer0.org2.example.com:9051 <nil> 0 <nil>}. Err: connection error: desc = "transport: Error while dialing dial tcp 192.168.116.46:9051: operation was canceled". Reconnecting...
2021-04-06 02:03:29.771 UTC [gossip.discovery] InitiateSync -> DEBU d33 No peers to send to, aborting membership sync
2021-04-06 02:03:29.980 UTC [gossip.channel] publishStateInfo -> DEBU d34 Empty membership, no one to publish state info to
2021-04-06 02:03:30.804 UTC [grpc] Infof -> DEBU d35 Channel Connectivity change to SHUTDOWN
2021-04-06 02:03:30.804 UTC [grpc] Infof -> DEBU d36 Subchannel Connectivity change to SHUTDOWN
2021-04-06 02:03:30.804 UTC [peer.blocksprovider] DeliverBlocks -> WARN d37 Could not connect to ordering service: could not dial endpoint 'orderer.example.com:7050': failed to create new connection: context deadline exceeded channel=mychannel
2021-04-06 02:03:30.804 UTC [grpc] Warningf -> DEBU d38 grpc: addrConn.createTransport failed to connect to {orderer.example.com:7050 <nil> 0 <nil>}. Err: connection error: desc = "transport: error while dialing: dial tcp 192.168.116.46:7050: operation was canceled". Reconnecting...
2021-04-06 02:03:33.766 UTC [gossip.discovery] periodicalSendAlive -> DEBU d39 Empty membership, no one to send a heartbeat to
2021-04-06 02:03:33.766 UTC [gossip.discovery] periodicalSendAlive -> DEBU d3a Sleeping 5s
2021-04-06 02:03:33.771 UTC [gossip.discovery] InitiateSync -> DEBU d3b No peers to send to, aborting membership sync
2021-04-06 02:03:33.980 UTC [gossip.channel] publishStateInfo -> DEBU d3c Empty membership, no one to publish state info to
2021-04-06 02:03:33.995 UTC [gossip.privdata] run -> DEBU d3d Start reconcile missing private info
2021-04-06 02:03:33.995 UTC [pvtdatastorage] GetMissingPvtDataInfoForMostRecentBlocks -> DEBU d3e fetching missing pvtdata entries from the prioritized list
2021-04-06 02:03:33.995 UTC [leveldbhelper] GetIterator -> DEBU d3f Getting iterator for range [[]byte{0x6d, 0x79, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x0, 0x4, 0x7, 0xfb}] - [[]byte{0x6d, 0x79, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x0, 0x4, 0x8}]
2021-04-06 02:03:33.996 UTC [gossip.privdata] reconcile -> DEBU d40 Reconciliation cycle finished successfully. no items to reconcile
2021-04-06 02:03:37.772 UTC [gossip.discovery] InitiateSync -> DEBU d41 No peers to send to, aborting membership sync
2021-04-06 02:03:37.980 UTC [gossip.channel] publishStateInfo -> DEBU d42 Empty membership, no one to publish state info to
2021-04-06 02:03:38.766 UTC [gossip.discovery] periodicalSendAlive -> DEBU d43 Empty membership, no one to send a heartbeat to
2021-04-06 02:03:38.766 UTC [gossip.discovery] periodicalSendAlive -> DEBU d44 Sleeping 5s
2021-04-06 02:03:41.772 UTC [gossip.discovery] InitiateSync -> DEBU d45 No peers to send to, aborting membership sync
2021-04-06 02:03:41.980 UTC [gossip.channel] publishStateInfo -> DEBU d46 Empty membership, no one to publish state info to
2021-04-06 02:03:43.746 UTC [gossip.discovery] periodicalReconnectToDead -> DEBU d47 Sleeping 25s
2021-04-06 02:03:43.766 UTC [gossip.discovery] periodicalSendAlive -> DEBU d48 Empty membership, no one to send a heartbeat to
2021-04-06 02:03:43.766 UTC [gossip.discovery] periodicalSendAlive -> DEBU d49 Sleeping 5s
2021-04-06 02:03:45.772 UTC [gossip.discovery] InitiateSync -> DEBU d4a No peers to send to, aborting membership sync
2021-04-06 02:03:45.980 UTC [gossip.channel] publishStateInfo -> DEBU d4b Empty membership, no one to publish state info to
2021-04-06 02:03:48.767 UTC [gossip.discovery] periodicalSendAlive -> DEBU d4c Empty membership, no one to send a heartbeat to
2021-04-06 02:03:48.767 UTC [gossip.discovery] periodicalSendAlive -> DEBU d4d Sleeping 5s
③ Server log:
2021-04-02 11:29:51.425 UTC [core.comm] ServerHandshake -> ERRO 124 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=192.168.60.26:52240
2021-04-02 11:54:09.221 UTC [core.comm] ServerHandshake -> ERRO 125 TLS handshake failed with error EOF server=Orderer remoteaddress=192.168.60.26:45437
2021-04-06 01:54:34.045 UTC [core.comm] ServerHandshake -> ERRO 126 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=192.168.60.26:36044
2021-04-06 01:54:34.320 UTC [common.deliver] Handle -> WARN 127 Error reading from 192.168.60.26:43478: rpc error: code = Canceled desc = context canceled
2021-04-06 01:54:34.320 UTC [comm.grpc.server] 1 -> INFO 128 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=192.168.60.26:43478 error="rpc error: code = Canceled desc = context canceled" grpc.code=Canceled grpc.call_duration=35.338822ms
2021-04-06 01:54:34.869 UTC [orderer.common.broadcast] ProcessMessage -> WARN 129 [channel: mychannel] Rejecting broadcast of config message from 192.168.60.26:43480 because of error: error applying config update to existing channel 'mychannel': error authorizing update: ConfigUpdate for channel '' but envelope for channel 'mychannel'
2021-04-06 01:54:34.870 UTC [comm.grpc.server] 1 -> INFO 12a streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Broadcast grpc.peer_address=192.168.60.26:43480 grpc.code=OK grpc.call_duration=2.333845ms
2021-04-06 01:54:35.052 UTC [core.comm] ServerHandshake -> ERRO 12b TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=192.168.60.26:36052
Connection to the new organization's CA service fails:
2021-04-06 01:54:35.111 UTC [policies] SignatureSetToValidIdentities -> WARN 12c invalid identity: certificate subject=CN=Admin@sm611.newcapec.net,OU=admin,L=San Francisco,ST=California,C=US serialnumber=131160449042185023334132657719577325892 error="the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"ca.sm611.newcapec.net\")"
In plain terms:
Validating the identity certificate against ca.sm611.newcapec.net failed, possibly because x509 verification failed: the supplied identity is invalid because the x509 certificate was signed by an authority that is not recognised.
2021-04-06 01:54:35.112 UTC [policies] SignatureSetToValidIdentities -> WARN 12d invalid identity: certificate subject=CN=Admin@sm611.newcapec.net,OU=admin,L=San Francisco,ST=California,C=US serialnumber=131160449042185023334132657719577325892 error="the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"ca.sm611.newcapec.net\")"
2021-04-06 01:54:35.114 UTC [policies] SignatureSetToValidIdentities -> WARN 12e invalid identity: certificate subject=CN=Admin@sm611.newcapec.net,OU=admin,L=San Francisco,ST=California,C=US serialnumber=131160449042185023334132657719577325892 error="the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"ca.sm611.newcapec.net\")"
2021-04-06 01:54:35.116 UTC [policies] SignatureSetToValidIdentities -> WARN 12f invalid identity: certificate subject=CN=Admin@sm611.newcapec.net,OU=admin,L=San Francisco,ST=California,C=US serialnumber=131160449042185023334132657719577325892 error="the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"ca.sm611.newcapec.net\")"
2021-04-06 01:54:35.136 UTC [common.deliver] deliverBlocks -> WARN 130 [channel: mychannel] Client 192.168.60.26:43488 is not authorized: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2021-04-06 01:54:35.136 UTC [comm.grpc.server] 1 -> INFO 131 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=192.168.60.26:43488 grpc.code=OK grpc.call_duration=29.568683ms
2021-04-06 01:54:36.708 UTC [core.comm] ServerHandshake -> ERRO 132 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=192.168.60.26:36064
④ Cause analysis:
The connection failed, probably because the network is not reachable. Use the nc and ping commands to determine whether the network is open and whether the domain names are mapped correctly.
(2) Fetching the config fails: Error: can't read the block: &{NOT_FOUND}
① Script error log:
peer channel fetch 0 mychannel.block -o orderer.example.com:7050 --ordererTLSHostnameOverride orderer.example.com -c mychannel --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
2021-04-08 05:36:03.266 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2021-04-08 05:36:03.267 UTC [cli.common] readBlock -> INFO 002 Expect block, but got status: &{NOT_FOUND}
Error: can't read the block: &{NOT_FOUND}
In plain terms: the config block could not be read.
② Orderer log:
2021-04-08 05:36:03.023 UTC [orderer.common.broadcast] ProcessMessage -> WARN 02a [channel: mychannel] Rejecting broadcast of config message from 172.29.0.9:59920 because of error: Failing initial channel config creation: mismatched channel IDs: '' != 'mychannel'
In plain terms:
Initial channel config creation failed: the channel IDs do not match.
(3) Transport handshake failure: transport: authentication handshake failed
Error log of the node being added, transport: authentication handshake failed:
① Log of the node being added
transport: authentication handshake failed
2021-04-07 06:28:44.493 UTC [gossip.channel] publishStateInfo -> DEBU 6b0 Empty membership, no one to publish state info to
2021-04-07 06:28:44.495 UTC [gossip.privdata] run -> DEBU 6b1 Start reconcile missing private info
2021-04-07 06:28:44.495 UTC [pvtdatastorage] GetMissingPvtDataInfoForMostRecentBlocks -> DEBU 6b2 fetching missing pvtdata entries from the prioritized list
2021-04-07 06:28:44.495 UTC [leveldbhelper] GetIterator -> DEBU 6b3 Getting iterator for range [[]byte{0x6d, 0x79, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x0, 0x4, 0x7, 0xfb}] - [[]byte{0x6d, 0x79, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x0, 0x4, 0x8}]
2021-04-07 06:28:44.495 UTC [gossip.privdata] reconcile -> DEBU 6b4 Reconciliation cycle finished successfully. no items to reconcile
2021-04-07 06:28:46.700 UTC [msp.identity] Sign -> DEBU 6b5 Sign: plaintext: 0AF6060A1508051A06089EA2B5830622...05120D1A0B08FFFFFFFFFFFFFFFFFF01
2021-04-07 06:28:46.700 UTC [msp.identity] Sign -> DEBU 6b6 Sign: digest: B863CAA3DDE74329A4C7AB7AA94F58654C25A1DBBB33D6DF029A360F13C3E532
2021-04-07 06:28:46.700 UTC [grpc] Infof -> DEBU 6b7 parsed scheme: ""
2021-04-07 06:28:46.700 UTC [grpc] Infof -> DEBU 6b8 scheme "" not registered, fallback to default scheme
2021-04-07 06:28:46.700 UTC [grpc] Infof -> DEBU 6b9 ccResolverWrapper: sending update to cc: {[{orderer.example.com:7050 <nil> 0 <nil>}] <nil> <nil>}
2021-04-07 06:28:46.700 UTC [grpc] Infof -> DEBU 6ba ClientConn switching balancer to "pick_first"
2021-04-07 06:28:46.700 UTC [grpc] Infof -> DEBU 6bb Channel switches to new LB policy "pick_first"
2021-04-07 06:28:46.700 UTC [grpc] Infof -> DEBU 6bc Subchannel Connectivity change to CONNECTING
2021-04-07 06:28:46.700 UTC [grpc] Infof -> DEBU 6bd Subchannel picks a new address "orderer.example.com:7050" to connect
2021-04-07 06:28:46.700 UTC [grpc] UpdateSubConnState -> DEBU 6be pickfirstBalancer: HandleSubConnStateChange: 0xc0000fc740, {CONNECTING <nil>}
2021-04-07 06:28:46.700 UTC [grpc] Infof -> DEBU 6bf Channel Connectivity change to CONNECTING
Connection failure:
2021-04-07 06:28:46.705 UTC [grpc] Warningf -> DEBU 6c0 grpc: addrConn.createTransport failed to connect to {orderer.example.com:7050 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"ca.example.com\")". Reconnecting...
2021-04-07 06:28:46.705 UTC [grpc] Infof -> DEBU 6c1 Subchannel Connectivity change to TRANSIENT_FAILURE
2021-04-07 06:28:46.705 UTC [grpc] UpdateSubConnState -> DEBU 6c2 pickfirstBalancer: HandleSubConnStateChange: 0xc0000fc740, {TRANSIENT_FAILURE connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"ca.example.com\")"}
2021-04-07 06:28:46.705 UTC [grpc] Infof -> DEBU 6c3 Channel Connectivity change to TRANSIENT_FAILURE
2021-04-07 06:28:47.705 UTC [grpc] Infof -> DEBU 6c4 Subchannel Connectivity change to CONNECTING
2021-04-07 06:28:47.705 UTC [grpc] Infof -> DEBU 6c5 Subchannel picks a new address "orderer.example.com:7050" to connect
2021-04-07 06:28:47.705 UTC [grpc] UpdateSubConnState -> DEBU 6c6 pickfirstBalancer: HandleSubConnStateChange: 0xc0000fc740, {CONNECTING <nil>}
2021-04-07 06:28:47.705 UTC [grpc] Infof -> DEBU 6c7 Channel Connectivity change to CONNECTING
2021-04-07 06:28:47.711 UTC [grpc] Warningf -> DEBU 6c8 grpc: addrConn.createTransport failed to connect to {orderer.example.com:7050 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"ca.example.com\")". Reconnecting...
2021-04-07 06:28:47.711 UTC [grpc] Infof -> DEBU 6c9 Subchannel Connectivity change to TRANSIENT_FAILURE
2021-04-07 06:28:47.711 UTC [grpc] UpdateSubConnState -> DEBU 6ca pickfirstBalancer: HandleSubConnStateChange: 0xc0000fc740, {TRANSIENT_FAILURE connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"ca.example.com\")"}
2021-04-07 06:28:47.711 UTC [grpc] Infof -> DEBU 6cb Channel Connectivity change to TRANSIENT_FAILURE
2021-04-07 06:28:48.296 UTC [gossip.discovery] InitiateSync -> DEBU 6cc No peers to send to, aborting membership sync
2021-04-07 06:28:48.493 UTC [gossip.channel] publishStateInfo -> DEBU 6cd Empty membership, no one to publish state info to
2021-04-07 06:28:49.291 UTC [gossip.discovery] periodicalReconnectToDead -> DEBU 6ce Sleeping 25s
2021-04-07 06:28:49.295 UTC [gossip.discovery] periodicalSendAlive -> DEBU 6cf Empty membership, no one to send a heartbeat to
2021-04-07 06:28:49.295 UTC [gossip.discovery] periodicalSendAlive -> DEBU 6d0 Sleeping 5s
② Orderer log:
TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=192.168.60.26:55340
③ Analysis
The TLS handshake failed because of a bad certificate; the log records the client address.
(4) Authorizing the update fails: authorizing update: ConfigUpdate for channel '' but envelope for channel 'mychannel'
Error log of the node being added, transport: authentication handshake failed:
① Log of the node being added
transport: authentication handshake failed
Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'mychannel': error authorizing update: ConfigUpdate for channel '' but envelope for channel 'mychannel'
(5) Reading the block fails: Error: can't read the block: &{FORBIDDEN}
① Client-side symptom:
2021-04-07 07:01:48.735 UTC [common.deliver] deliverBlocks -> WARN 170 [channel: mychannel] Client 192.168.60.26:59570 is not authorized: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
② Orderer log:
Config transaction received:
2021-04-07 07:03:10.712 UTC [orderer.consensus.etcdraft] run -> INFO 176
Received config transaction, pause accepting transaction till it is committed channel=mychannel node=1
Block written to the ledger of channel mychannel:
2021-04-07 07:03:10.713 UTC [orderer.consensus.etcdraft] writeBlock -> INFO 177
Writing block [3] (Raft index: 5) to ledger channel=mychannel node=1
③ Cause analysis:
- An inappropriate user identity may have been used.
- By what means can the identity currently in use be inspected?
(6) Querying channel info fails: peer channel getinfo
① Run inside the new node's container
Error: received bad response, status 500: access denied for [GetChainInfo][mychannel]: [Failed evaluating policy on signed data during check policy on channel [mychannel] with policy [/Channel/Application/Readers]: [implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied]]
In plain terms:
Access denied: evaluating the policy failed while checking the Readers policy on the channel; the implicit policy evaluation failed because 0 sub-policies were satisfied, but this policy requires 1 of the Readers sub-policies to be satisfied.
Key terms: evaluate, policy, implicit, sub-policy, satisfy.
② Analysis steps:
- On the CLI node, run peer channel fetch config to obtain the current network configuration.
- Convert the fetched .pb configuration file to JSON.
- Compare Org2MSP and SM611MSP for differences.
③ Difference:
SM611MSP has no anchor peer (AnchorPeers) configured.
peer channel fetch config config_block.pb
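The analysis steps above end with a manual comparison of the decoded configuration. The following Go program is an added example, not code from the original page or from Fabric itself: it walks the JSON produced by the decode step (assumed here to follow configtxlator's layout, data.data[0].payload.data.config.channel_group.groups.Application.groups.<Org>.values.AnchorPeers) and reports every organization that has no anchor peer, so the Org2MSP versus SM611MSP comparison becomes a repeatable check. The embedded config excerpt is constructed for the example; the organization names, hosts and ports are the ones used on this page, and the type and function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// anchorPeer is one entry of an organization's AnchorPeers value.
type anchorPeer struct {
	Host string `json:"host"`
	Port int    `json:"port"`
}

// configValue is one entry under an organization's "values" map; only the raw
// "value" is kept because its shape differs per key (MSP, AnchorPeers, ...).
type configValue struct {
	Value json.RawMessage `json:"value"`
}

// orgGroup is one organization under channel_group.groups.Application.groups.
type orgGroup struct {
	Values map[string]configValue `json:"values"`
}

// configBlock models only the path this check needs inside a decoded config
// block (assumed configtxlator layout, see the lead-in).
type configBlock struct {
	Data struct {
		Data []struct {
			Payload struct {
				Data struct {
					Config struct {
						ChannelGroup struct {
							Groups struct {
								Application struct {
									Groups map[string]orgGroup `json:"groups"`
								} `json:"Application"`
							} `json:"groups"`
						} `json:"channel_group"`
					} `json:"config"`
				} `json:"data"`
			} `json:"payload"`
		} `json:"data"`
	} `json:"data"`
}

// anchorPeersByOrg returns every organization in the Application group with
// its configured anchor peers; an organization without an AnchorPeers value
// maps to an empty slice.
func anchorPeersByOrg(raw []byte) (map[string][]anchorPeer, error) {
	var blk configBlock
	if err := json.Unmarshal(raw, &blk); err != nil {
		return nil, fmt.Errorf("decoding config block: %w", err)
	}
	if len(blk.Data.Data) == 0 {
		return nil, fmt.Errorf("config block carries no envelope")
	}
	out := map[string][]anchorPeer{}
	for org, grp := range blk.Data.Data[0].Payload.Data.Config.ChannelGroup.Groups.Application.Groups {
		out[org] = []anchorPeer{}
		v, ok := grp.Values["AnchorPeers"]
		if !ok {
			continue
		}
		var val struct {
			AnchorPeers []anchorPeer `json:"anchor_peers"`
		}
		if err := json.Unmarshal(v.Value, &val); err != nil {
			return nil, fmt.Errorf("decoding AnchorPeers of %s: %w", org, err)
		}
		out[org] = val.AnchorPeers
	}
	return out, nil
}

// orgsWithoutAnchorPeers lists, sorted, the organizations with no anchor peer
// at all: gossip cannot learn cross-organization membership for them.
func orgsWithoutAnchorPeers(peers map[string][]anchorPeer) []string {
	var missing []string
	for org, ap := range peers {
		if len(ap) == 0 {
			missing = append(missing, org)
		}
	}
	sort.Strings(missing)
	return missing
}

// sampleBlock is a constructed excerpt (not captured from a real network)
// shaped like the decoded config block; everything except the Application
// organizations and their AnchorPeers/MSP values is omitted.
const sampleBlock = `{"data":{"data":[{"payload":{"data":{"config":{"channel_group":{"groups":{"Application":{"groups":{
  "Org1MSP":{"values":{"AnchorPeers":{"value":{"anchor_peers":[{"host":"peer0.org1.example.com","port":7051}]}},"MSP":{"value":{}}}},
  "Org2MSP":{"values":{"AnchorPeers":{"value":{"anchor_peers":[{"host":"peer0.org2.example.com","port":9051}]}},"MSP":{"value":{}}}},
  "SM611MSP":{"values":{"MSP":{"value":{}}}}
}}}}}}}}]}}`

func main() {
	peers, err := anchorPeersByOrg([]byte(sampleBlock))
	if err != nil {
		panic(err)
	}
	for org, ap := range peers {
		fmt.Printf("%-9s anchor peers: %v\n", org, ap)
	}
	fmt.Println("organizations without anchor peers:", orgsWithoutAnchorPeers(peers))
}
```

To run it against a real network, replace sampleBlock with the output of configtxlator proto_decode on the fetched config_block.pb; the check is deliberately read-only and does not build a config update.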
(7) Querying installed chaincode fails: access denied
① Run inside the new node's container
peer chaincode list --installed
Error: bad response: 500 - access denied for [getinstalledchaincodes]: Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [The identity is not an admin under this MSP [Org3MSP]: The identity does not contain OU [ADMIN], MSP: [Org3MSP]]
After copying the certificate from signcerts into admincerts, the error message changes:
# peer chaincode list --installed
2021-04-08 06:47:38.521 UTC [main] InitCmd -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /etc/hyperledger/fabric/msp: admin 0 is invalid [The identity does not contain OU [CLIENT], MSP: [Org3MSP],The identity does not contain OU [ADMIN], MSP: [Org3MSP]
Glossary:
NodeOUs
Further granularity and control are achieved by introducing NodeOUs into the organization definition. OUs (Organizational Units) are defined in the Fabric CA client configuration file and are associated with an identity when it is created. In Fabric, NodeOUs provide a way to classify digital certificates hierarchically. For example, an organization that specifies NodeOUs can require that a 'Peer' sign a valid endorsement, or the organization can simply allow any member to sign.
# cat config.yaml
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/ca.org3.example.com-cert.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/ca.org3.example.com-cert.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/ca.org3.example.com-cert.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/ca.org3.example.com-cert.pem
    OrganizationalUnitIdentifier: orderer
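The config.yaml above, the certificate relationships in (3), the open question in (5) and the "does not contain OU [ADMIN]" error in (7) all describe the same two checks an MSP applies to an identity. The following Go program is an added example, not code from the original page or from Fabric: using only the standard library it builds a self-signed organization root like the one cryptogen produces, issues a peer and an admin identity whose subject OU carries the role (which answers the question in (5): cryptogen associates the role through the OU in the certificate subject, visible as "OU = peer" in the openssl output above, not through an attribute extension), then performs the two checks: the chain to the root in cacerts, and the mapping of the subject OU through the NodeOU identifiers of config.yaml. Verifying the same peer certificate against another organization's root reproduces the "certificate signed by unknown authority" condition from the error logs in (1) and (3), and a certificate whose OU matches no identifier reproduces the "does not contain OU" condition from (7). The nodeOUs map, the helper names and the certificate names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed ECDSA P-256 root in the shape cryptogen gives an
// organization CA (CA:TRUE, Certificate Sign / CRL Sign key usage).
func newCA(cn, org string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue signs a leaf identity under ca, carrying the role as the subject OU
// just as cryptogen does (OU=peer for peers, OU=admin for Admin@<domain>).
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn, ou string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{OrganizationalUnit: []string{ou}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// nodeOUs mirrors the OrganizationalUnitIdentifier entries of config.yaml:
// subject OU value -> MSP role (an assumption for this example).
var nodeOUs = map[string]string{"client": "CLIENT", "peer": "PEER", "admin": "ADMIN", "orderer": "ORDERER"}

// classify applies the two checks the MSP makes on an identity: the
// certificate must chain to the organization root held in cacerts, and its
// subject OU must match one of the configured NodeOU identifiers.
func classify(cert, root *x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	// Identity certificates from cryptogen carry no EKU, so accept any usage.
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("the supplied identity is not valid: %w", err)
	}
	for _, ou := range cert.Subject.OrganizationalUnit {
		if role, ok := nodeOUs[ou]; ok {
			return role, nil
		}
	}
	return "", errors.New("the identity does not contain a configured NodeOU")
}

func main() {
	orgCA, orgKey, err := newCA("ca.sm611.newcapec.net", "sm611.newcapec.net")
	if err != nil {
		panic(err)
	}
	otherCA, _, err := newCA("ca.example.com", "example.com")
	if err != nil {
		panic(err)
	}
	peer, _ := issue(orgCA, orgKey, "peer0.sm611.newcapec.net", "peer")
	admin, _ := issue(orgCA, orgKey, "Admin@sm611.newcapec.net", "admin")
	for _, c := range []*x509.Certificate{peer, admin} {
		role, err := classify(c, orgCA)
		fmt.Printf("%s against own root: role=%q err=%v\n", c.Subject.CommonName, role, err)
	}
	// Checking against another organization's root is the page's
	// "certificate signed by unknown authority" situation.
	_, err = classify(peer, otherCA)
	fmt.Println("peer against foreign root:", err)
}
```

The same root-mismatch is what the orderer reports as "tls: bad certificate" during the TLS handshake in (3): the client presented a certificate that does not chain to any CA the orderer trusts. The fix in every case is to distribute the new organization's CA certificate (and TLS CA certificate) to the parties that must verify it, not to copy leaf certificates between directories.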
(8) Fetching the config block fails: access denied
① Run inside the Org3 CLI container
peer channel fetch config config_block.pb \
  -o orderer.example.com:7050 \
  --ordererTLSHostnameOverride orderer.example.com \
  -c mychannel \
  --tls \
  --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
② Error log
Error: failed to create deliver client for orderer: orderer client failed to connect to orderer.example.com:7050: failed to create new connection: context deadline exceeded
③ Cause analysis
Possibly the network is unreachable, or the wrong node was contacted.
④ Troubleshooting steps
Check whether the IP address and port are reachable.
ping orderer.example.com
Result:
# ping orderer.example.com
PING orderer.example.com (192.168.116.46): 56 data bytes
64 bytes from 192.168.116.46: seq=0 ttl=62 time=1.285 ms
64 bytes from 192.168.116.46: seq=1 ttl=62 time=1.107 ms
64 bytes from 192.168.116.46: seq=2 ttl=62 time=1.456 ms
64 bytes from 192.168.116.46: seq=3 ttl=62 time=1.183 ms
Check that the IP address shown is the orderer node's IP address.
nc -nvv orderer.example.com:7050
Result:
# nc -nvv orderer.example.com:7050
orderer.example.com:7050 (192.168.116.46:7050) open
In the output, "open" means the port is open and reachable.
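The ping and nc checks above, together with the hosts-file mapping from section 2, can be scripted as one preflight check. The following Go program is an added example, not code from the original page or from Fabric: it resolves each node name through a constructed hosts table standing in for /etc/hosts or docker-compose extra_hosts, attempts a TCP connect with a deadline, and classifies the result, distinguishing a missing mapping from a closed port and from a timeout, the last being what surfaces in the Fabric logs as "context deadline exceeded". The hosts table, the endpoint list and the function names are assumptions made for the example; the node names and ports are the ones used on this page.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"time"
)

// hosts is a constructed stand-in for the /etc/hosts lines (or the
// extra_hosts entries of docker-compose) that map node domain names to IPs.
var hosts = map[string]string{
	"orderer.example.com":    "127.0.0.1",
	"peer0.org1.example.com": "127.0.0.1",
}

// probe resolves host through the mapping table instead of DNS, then tries a
// TCP connect to port within timeout. It returns one of four verdicts:
//   "no mapping" - the name is absent from the table (a hosts-file problem)
//   "open"       - the TCP handshake completed (what nc reports as open)
//   "timeout"    - no answer before the deadline (Fabric's "context deadline exceeded")
//   "closed"     - the address answered with a refusal or is unreachable
func probe(table map[string]string, host string, port int, timeout time.Duration) string {
	ip, ok := table[host]
	if !ok {
		return "no mapping"
	}
	conn, err := net.DialTimeout("tcp", net.JoinHostPort(ip, fmt.Sprint(port)), timeout)
	if err == nil {
		conn.Close()
		return "open"
	}
	var nerr net.Error
	if errors.As(err, &nerr) && nerr.Timeout() {
		return "timeout"
	}
	return "closed"
}

// endpoint is one gRPC address a new peer must reach: its orderer and the
// anchor peers of the organizations already on the channel.
type endpoint struct {
	Host string
	Port int
}

// preflight probes every endpoint and reports the verdicts keyed by host:port.
func preflight(table map[string]string, eps []endpoint, timeout time.Duration) map[string]string {
	out := make(map[string]string, len(eps))
	for _, e := range eps {
		out[fmt.Sprintf("%s:%d", e.Host, e.Port)] = probe(table, e.Host, e.Port, timeout)
	}
	return out
}

func main() {
	// Stand-alone demo: listen on a loopback port so that one probe succeeds.
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	open := ln.Addr().(*net.TCPAddr).Port
	eps := []endpoint{
		{"orderer.example.com", open},    // mapped and listening -> open
		{"peer0.org1.example.com", 7051}, // mapped; closed unless something listens on 7051
		{"peer0.org2.example.com", 9051}, // absent from the table -> no mapping
	}
	for addr, verdict := range preflight(hosts, eps, 2*time.Second) {
		fmt.Printf("%-30s %s\n", addr, verdict)
	}
}
```

A "no mapping" verdict points at the hosts file or extra_hosts entries of section 2; "closed" means the address is right but the container is not up or the port is not published; "timeout" usually means the IP is wrong or filtered, which is the symptom in error log (1).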
(9) Exporting the block fails: got status: &{SERVICE_UNAVAILABLE}
① A freshly created network reports a failure when exporting the block
Expect block, but got status: &{SERVICE_UNAVAILABLE}
② Cause analysis
The service is not yet available; wait a moment and retry.
(10) Calling a contract through the SDK fails: event service creation failed
① Event service creation error
Client log (the program calling the SDK):
Failed to create new channel client: event service creation failed: could not get chConfig cache reference: QueryBlockConfig failed: QueryBlockConfig failed: queryChaincode failed: Transaction processing for endorser [peer0.org1.example.com:7051]: gRPC Transport Status Code: (2) Unknown. Description: error validating proposal: access denied: channel [chl-01] creator org [Org1MSP]
Peer log:
2021-08-18 12:15:57.445 UTC [endorser] Validate -> WARN 073 access denied: channel the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com") channel=chl-01 txID=9b6d7b41
2021-08-18 12:15:57.445 UTC [comm.grpc.server] 1 -> INFO 074 unary call completed grpc.service=protos.Endorser grpc.method=ProcessProposal grpc.request_deadline=2021-08-18T12:18:57.44Z grpc.peer_address=192.168.56.1:59754 error="error validating proposal: access denied: channel [chl-01] creator org [Org1MSP]" grpc.code=Unknown grpc.call_duration=1.063908ms
② Cause analysis
The issuing CA and the verifying CA are not the same.
(11)endorser client failed to connect to peer0.org1.example.com:7051
① Symptom
#peer channel list
Error: error getting endorser client for channel: endorser client failed to connect to peer0.org1.example.com:7051: failed to create new connection: context deadline exceeded
② Cause analysis
The issuing CA and the verifying CA are not the same.