Я получаю ошибку ниже tls на пирах при запуске сети на docker рое.
Ошибка
fabric_org2peer0.1. l78v2j1pyw19@gcloud3 | [[36m2020-02-07 07: 39: 26.039 UT C [grpc] watcher -> DEBU 2f7 [[0m ccResolverWrapper: отправка новых адресов на cc: [{10.0.1.209:10051 0}]
fabric_org2peer0.1. l78v2j1pyw19@gcloud3 | [[36m2020-02-07 07: 39: 26.039 UT C [grpc] switchBalancer -> DEBU 2f8 [[0m ClientConn переключает балансировщик в «pick_first»
fabric_org2peer0.1. l78v2j1pyw19@gcloud3 | [[36m2020-02-07 07: 39: 26.039 UT C [grpc] HandleSubConnStateChange -> DEBU 2f9 [[0m pickfirstBalancer: HandleSubConnStateChange: 0xc0025ceb70, СОЕДИНЕНИЕ
fabric_org2pe: [[36m2020-02-07 07: 39: 26.042 UT C [grpc] createTransport -> DEBU 2fa [[0m grp c: addrConn.createTransport не удалось подключиться к {10.0.1.209:10051 0}. Ошибка: ошибка подключения: des c = "транспорт: сбой квитирования аутентификации: x509: невозможно проверить сертификат для 10.0.1.209, поскольку он не содержит IP-адресов SAN". Переподключение ...
fabric_org2peer0.1. l78v2j1pyw19@gcloud3 | [[36m2020-02-07 07: 39: 26.042 UT C [grpc] HandleSubConnStateChange -> DEBU 2fb [[0m pickfirstBalancer: HandleSubConnStateChange: 0xc0025ceb70, TRANSIENT_FAILURE
. [[31m2020-02-07 07: 39: 26.532 UT C [core.comm] ServerHandshake -> ERRO 2fc [[0m TLS handshake завершился ошибкой с ошибкой удаленной ошибки: tls: сбой сервера сертификатов = удаленный адрес PeerServer = 10.0.1.209: 39888
fabric_org2peer0.1. l78v2j1pyw19@gcloud3 | [[36m2020-02-07 07: 39: 26.533 UT C [grpc] handleRawConn -> DEBU 2fd [[0m grp c: Server.Serve не удалось завершить квитирование безопасности из «10.0.1.209:39888»: удаленно ошибка: tls: плохой сертификат
Эта ошибка возникает, когда мы не указали IP или hostname в SANS при создании сертификата tls (в случае fabri c, в файле crypto-config.yaml). Я добавил hostname как peer0.org2.example.com к SANS, но все еще получаю ту же ошибку.
Кроме того, я попробовал его, добавив IP-адрес экземпляра GCP к SANS в tls cert , Это тоже не сработало.
IP 10.0.1.209 - это container-IP, и оно меняется всякий раз, когда я перезагружаю сеть, поэтому я не могу добавить его в SANS. Если кто-нибудь знает какое-либо решение, пожалуйста, помогите.
HLF-Config
org2peer0
version: '3.7'
volumes:
peer0.org2.example.com:
networks:
testchain-network:
external: true
name: testchain-network
services:
org2peer0couchdb:
hostname: couchdb.peer0.org2.example.com
image: hyperledger/fabric-couchdb:0.4.18
user: "${UID}:${GID}"
environment:
- COUCHDB_USER=admin
- COUCHDB_PASSWORD=adminpw
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: on-failure
delay: 5s
max_attempts: 5
placement:
constraints:
- node.hostname == gcloud3
ports:
- published: 7984
target: 5984
mode: host
networks:
testchain-network:
aliases:
- couchdb.peer0.org2.example.com
org2peer0:
hostname: peer0.org2.example.com
image: hyperledger/fabric-peer:1.4.4
environment:
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
# the following setting starts chaincode containers on the same
# bridge network as the peers
# https://docs.docker.com/compose/networking/
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=testchain-network
- CORE_VM_DOCKER_ATTACHSTDOUT=true
- CORE_PEER_ID=peer0.org2.example.com
- CORE_PEER_ADDRESS=peer0.org2.example.com:9051
- CORE_PEER_LISTENADDRESS=0.0.0.0:9051
- CORE_PEER_CHAINCODEADDRESS=peer0.org2.example.com:9052
- CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:9052
- CORE_PEER_GOSSIP_BOOTSTRAP=peer1.org2.example.com:10051
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org2.example.com:9051
- CORE_PEER_LOCALMSPID=Org2MSP
- FABRIC_LOGGING_SPEC=debug
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_GOSSIP_USELEADERELECTION=true
- CORE_PEER_ADDRESSAUTODETECT=true
- CORE_PEER_GOSSIP_ORGLEADER=false
- CORE_PEER_PROFILE_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
- CORE_CHAINCODE_LOGGING_LEVEL=DEBUG
- CORE_CHAINCODE_LOGGING_SHIM=DEBUG
- CORE_LOGGING_CAUTHDSL=warning
- CORE_LOGGING_GOSSIP=warning
- CORE_LOGGING_LEDGER=info
- CORE_LOGGING_MSP=warning
- CORE_LOGGING_POLICIES=warning
- CORE_LOGGING_GRPC=error
- CORE_OPERATIONS_LISTENADDRESS=peer0.org2.example.com:9443
# Client certs
- CORE_PEER_TLS_CLIENTROOTCAS_FILES=/var/hyperledger/users/Admin@org2.example.com/tls/ca.crt
- CORE_PEER_TLS_CLIENTCERT_FILE=/var/hyperledger/users/Admin@org2.example.com/tls/client.crt
- CORE_PEER_TLS_CLIENTKEY_FILE=/var/hyperledger/users/Admin@org2.example.com/tls/client.key
# CouchDB
- CORE_LEDGER_STATE_STATEDATABASE=CouchDB
- CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=admin
- CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=adminpw
- CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb.peer0.org2.example.com:5984
- GODEBUG=netdns=go
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
command: peer node start
volumes:
- /var/run/:/host/var/run/:ro
- ${GOPATH}/src/github.com/testchain/networks/crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp:/etc/hyperledger/fabric/msp:ro
- ${GOPATH}/src/github.com/testchain/networks/crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls:/etc/hyperledger/fabric/tls:ro
- ${GOPATH}/src/github.com/testchain/networks/crypto-config/peerOrganizations/org2.example.com/users:/var/hyperledger/users:ro
- peer0.org2.example.com:/var/hyperledger/production:wo
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: on-failure
delay: 5s
max_attempts: 5
placement:
constraints:
- node.hostname == gcloud3
ports:
- published: 9051
target: 9051
mode: host
- published: 9052
target: 9052
mode: host
- published: 9443
target: 9443
mode: host
networks:
testchain-network:
aliases:
- peer0.org2.example.com
org2peer1
version: '3.7'
volumes:
peer1.org2.example.com:
networks:
testchain-network:
external: true
name: testchain-network
services:
org2peer1couchdb:
hostname: couchdb.peer1.org2.example.com
image: hyperledger/fabric-couchdb:0.4.18
user: "${UID}:${GID}"
environment:
- COUCHDB_USER=admin
- COUCHDB_PASSWORD=adminpw
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: on-failure
delay: 5s
max_attempts: 5
placement:
constraints:
- node.hostname == gcloud1
ports:
- published: 8984
target: 5984
mode: host
networks:
testchain-network:
aliases:
- couchdb.peer1.org2.example.com
org2peer1:
hostname: peer1.org2.example.com
image: hyperledger/fabric-peer:1.4.4
environment:
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
# the following setting starts chaincode containers on the same
# bridge network as the peers
# https://docs.docker.com/compose/networking/
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=testchain-network
- CORE_VM_DOCKER_ATTACHSTDOUT=true
- CORE_PEER_ID=peer1.org2.example.com
- CORE_PEER_ADDRESS=peer1.org2.example.com:10051
- CORE_PEER_LISTENADDRESS=0.0.0.0:10051
- CORE_PEER_CHAINCODEADDRESS=peer1.org2.example.com:10052
- CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:10052
- CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org2.example.com:9051
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1.org2.example.com:10051
- CORE_PEER_LOCALMSPID=Org2MSP
- FABRIC_LOGGING_SPEC=info
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_GOSSIP_USELEADERELECTION=true
- CORE_PEER_ADDRESSAUTODETECT=true
- CORE_PEER_GOSSIP_ORGLEADER=false
- CORE_PEER_PROFILE_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
- CORE_CHAINCODE_LOGGING_LEVEL=DEBUG
- CORE_CHAINCODE_LOGGING_SHIM=DEBUG
- CORE_LOGGING_CAUTHDSL=warning
- CORE_LOGGING_GOSSIP=warning
- CORE_LOGGING_LEDGER=info
- CORE_LOGGING_MSP=warning
- CORE_LOGGING_POLICIES=warning
- CORE_LOGGING_GRPC=error
- CORE_OPERATIONS_LISTENADDRESS=0.0.0.0:10443
# Client certs
- CORE_PEER_TLS_CLIENTROOTCAS_FILES=/var/hyperledger/users/Admin@org2.example.com/tls/ca.crt
- CORE_PEER_TLS_CLIENTCERT_FILE=/var/hyperledger/users/Admin@org2.example.com/tls/client.crt
- CORE_PEER_TLS_CLIENTKEY_FILE=/var/hyperledger/users/Admin@org2.example.com/tls/client.key
# CouchDB
- CORE_LEDGER_STATE_STATEDATABASE=CouchDB
- CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=admin
- CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=adminpw
- CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb.peer1.org2.example.com:5984
- GODEBUG=netdns=go
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
command: peer node start
volumes:
- /var/run/:/host/var/run/:ro
- ${GOPATH}/src/github.com/testchain/networks/crypto-config/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/msp:/etc/hyperledger/fabric/msp:ro
- ${GOPATH}/src/github.com/testchain/networks/crypto-config/peerOrganizations/org2.example.com/peers/peer1.org2.example.com/tls:/etc/hyperledger/fabric/tls:ro
- ${GOPATH}/src/github.com/testchain/networks/crypto-config/peerOrganizations/org2.example.com/users:/var/hyperledger/users:ro
- peer1.org2.example.com:/var/hyperledger/production:wo
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: on-failure
delay: 5s
max_attempts: 5
placement:
constraints:
- node.hostname == gcloud1
ports:
- published: 10051
target: 10051
mode: host
- published: 10052
target: 10052
mode: host
- published: 10443
target: 10443
mode: host
networks:
testchain-network:
aliases:
- peer1.org2.example.com
crypto-config.yaml
OrdererOrgs:
- Name: Orderer
Domain: example.com
EnableNodeOUs: true
Specs:
- Hostname: orderer1
CommonName: orderer1.example.com
SANS:
- "orderer1.example.com"
- Hostname: orderer2
CommonName: orderer2.example.com
SANS:
- "orderer2.example.com"
- Hostname: orderer3
CommonName: orderer3.example.com
SANS:
- "orderer3.example.com"
PeerOrgs:
- Name: Org1
Domain: org1.example.com
EnableNodeOUs: true
Specs:
- Hostname: peer0
CommonName: peer0.org1.example.com
SANS:
- "peer0.org1.example.com"
- Hostname: peer1
CommonName: peer1.org1.example.com
SANS:
- "peer1.org1.example.com"
Users:
Count: 2
- Name: Org2
Domain: org2.example.com
EnableNodeOUs: true
Specs:
- Hostname: peer0
CommonName: peer0.org2.example.com
SANS:
- "peer0.org2.example.com"
- Hostname: peer1
CommonName: peer1.org2.example.com
SANS:
- "peer1.org2.example.com"
Users:
Count: 2
configtx.yaml
Organizations:
- &OrdererOrg
Name: OrdererOrg
ID: OrdererMSP
MSPDir: crypto-config/ordererOrganizations/example.com/msp
Policies:
Readers:
Type: Signature
Rule: "OR('OrdererMSP.member')"
Writers:
Type: Signature
Rule: "OR('OrdererMSP.member')"
Admins:
Type: Signature
Rule: "OR('OrdererMSP.admin')"
- &Org1
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org1
# ID to load the MSP definition as
ID: Org1MSP
MSPDir: crypto-config/peerOrganizations/org1.example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies:
Readers:
Type: Signature
Rule: "OR('Org1MSP.member')"
Writers:
Type: Signature
Rule: "OR('Org1MSP.member')"
Admins:
Type: Signature
Rule: "OR('Org1MSP.admin')"
# leave this flag set to true.
AnchorPeers:
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer0.org1.example.com
Port: 7051
- &Org2
Name: Org2
ID: Org2MSP
MSPDir: crypto-config/peerOrganizations/org2.example.com/msp
Policies:
Readers:
Type: Signature
Rule: "OR('Org2MSP.member')"
Writers:
Type: Signature
Rule: "OR('Org2MSP.member')"
Admins:
Type: Signature
Rule: "OR('Org2MSP.admin')"
AnchorPeers:
- Host: peer0.org2.example.com
Port: 9051
Capabilities:
# Channel capabilities apply to both the orderers and the peers and must be
# supported by both.
# Set the value of the capability to true to require it.
Channel: &ChannelCapabilities
V1_4_3: true
V1_3: true
V1_1: false
# Orderer capabilities apply only to the orderers, and may be safely
# used with prior release peers.
# Set the value of the capability to true to require it.
Orderer: &OrdererCapabilities
V1_4_2: true
#V1_1: true
# Application capabilities apply only to the peer network, and may be safely
# used with prior release orderers.
# Set the value of the capability to true to require it.
Application: &ApplicationCapabilities
V1_4_2: true
V1_3: true
V1_2: false
V1_1: false
################################################################################
#
# SECTION: Application
#
# - This section defines the values to encode into a config transaction or
# genesis block for application related parameters
#
################################################################################
Application: &ApplicationDefaults
# Organizations is the list of orgs which are defined as participants on
# the application side of the network
Organizations:
# Policies defines the set of policies at this level of the config tree
# For Application policies, their canonical path is
# /Channel/Application/<PolicyName>
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "ANY Admins"
################################################################################
#
# SECTION: Orderer
#
# - This section defines the values to encode into a config transaction or
# genesis block for orderer related parameters
#
################################################################################
Orderer: &OrdererDefaults
OrdererType: etcdraft
Addresses:
- orderer1.example.com:7050
- orderer2.example.com:8050
- orderer3.example.com:9050
BatchTimeout: 2s
BatchSize:
MaxMessageCount: 50
AbsoluteMaxBytes: 30 MB
PreferredMaxBytes: 512 KB
EtcdRaft:
Consenters:
- Host: orderer1.example.com
Port: 7050
ClientTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/server.crt
ServerTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/server.crt
- Host: orderer2.example.com
Port: 8050
ClientTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt
ServerTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt
- Host: orderer3.example.com
Port: 9050
ClientTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.crt
ServerTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.crt
# Options to be specified for all the etcd/raft nodes. The values here
# are the defaults for all new channels and can be modified on a
# per-channel basis via configuration updates.
Options:
# TickInterval is the time interval between two Node.Tick invocations.
TickInterval: 500ms
# ElectionTick is the number of Node.Tick invocations that must pass
# between elections. That is, if a follower does not receive any
# message from the leader of current term before ElectionTick has
# elapsed, it will become candidate and start an election.
# ElectionTick must be greater than HeartbeatTick.
ElectionTick: 10
# HeartbeatTick is the number of Node.Tick invocations that must
# pass between heartbeats. That is, a leader sends heartbeat
# messages to maintain its leadership every HeartbeatTick ticks.
HeartbeatTick: 1
# MaxInflightBlocks limits the max number of in-flight append messages
# during optimistic replication phase.
MaxInflightBlocks: 5
# SnapshotIntervalSize defines number of bytes per which a snapshot is taken
SnapshotIntervalSize: 20 MB
Organizations:
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "ANY Admins"
BlockValidation:
Type: ImplicitMeta
Rule: "ANY Writers"
Capabilities:
<<: *OrdererCapabilities
################################################################################
#
# CHANNEL
#
# This section defines the values to encode into a config transaction or
# genesis block for channel related parameters.
#
################################################################################
Channel: &ChannelDefaults
# Policies defines the set of policies at this level of the config tree
# For Channel policies, their canonical path is
# /Channel/<PolicyName>
Policies:
# Who may invoke the 'Deliver' API
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
# Who may invoke the 'Broadcast' API
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
# By default, who may modify elements at this config level
Admins:
Type: ImplicitMeta
Rule: "ANY Admins"
Capabilities:
<<: *ChannelCapabilities
Profiles:
OrdererGenesis:
<<: *ChannelDefaults
Orderer:
<<: *OrdererDefaults
Organizations:
- *OrdererOrg
Consortiums:
SampleConsortium:
Organizations:
- *Org1
- *Org2
Channel:
Consortium: SampleConsortium
<<: *ChannelDefaults
Application:
<<: *ApplicationDefaults
Organizations:
- *Org1
- *Org2
Capabilities:
<<: *ApplicationCapabilities