I am running a custom Hyperledger Fabric network on Kubernetes and have run into a problem with the communication between the ICA and the RCA. This is not the first time I have deployed Hyperledger Fabric with this configuration, so I am confident that everything in the configuration works correctly. However, there is one change: we have deployed it on a new underlay network. We did this to create a secondary Fabric deployment on new nodes, so that we have a test environment.
The problem I am facing is that when I try to connect one organization's ICA (it happens in all of them) to its RCA, fabric-ca-server
does not receive a response and hangs. The connection is established and the RCA works fine. Version 1.4.4 is used.
This is the log from the services; passwords and organization names have been normalized:
root@ica-0:/# fabric-ca-server init -b ${BOOTSTRAP_USER_PASS} -u ${PARENT_URL}
2020/02/24 11:33:39 [DEBUG] Home directory: /etc/hyperledger/fabric-ca
2020/02/24 11:33:39 [INFO] Configuration file location: /etc/hyperledger/fabric-ca/fabric-ca-server-config.yaml
2020/02/24 11:33:39 [DEBUG] Set log level:
2020/02/24 11:33:39 [INFO] Server Version: 1.4.4
2020/02/24 11:33:39 [INFO] Server Levels: &{Identity:2 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2020/02/24 11:33:39 [DEBUG] Making server filenames absolute
2020/02/24 11:33:39 [DEBUG] Initializing default CA in directory /etc/hyperledger/fabric-ca
2020/02/24 11:33:39 [DEBUG] Init CA with home /etc/hyperledger/fabric-ca and config {Version:1.4.4 Cfg:{Identities:{PasswordAttempts:10 AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name:ica.org2 Keyfile: Certfile:ca-cert.pem Chainfile:ca-chain.pem} Signing:0xc000304290 CSR:{CN: Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[ica.org2] KeyRequest:0xc000381280 CA:0xc000381320 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.AffiliationMgr:1 hf.GenCRL:1 hf.IntermediateCA:1 hf.Registrar.Attributes:* hf.Registrar.DelegateRoles:* hf.Registrar.Roles:* hf.Revoker:1] }]} Affiliations:map[org1:[department1 department2] org2:[department1]] LDAP:{ Enabled:false URL:ldap://****:****@<host>:<port>/<base> UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc000380f80 Client:<nil> Intermediate:{ParentServer:{ URL:https://****:****@rca.org2:7054 CAName: } TLS:{Enabled:false CertFiles:[/shared-storage/ca-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2020/02/24 11:33:39 [DEBUG] CA Home Directory: /etc/hyperledger/fabric-ca
2020/02/24 11:33:39 [DEBUG] Checking configuration file version '1.4.4' against server version: '1.4.4'
2020/02/24 11:33:39 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc0003f5800 PluginOpts:<nil>}
2020/02/24 11:33:39 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc0003011a0 DummyKeystore:<nil> InmemKeystore:<nil>}
2020/02/24 11:33:39 [DEBUG] Initialize key material
2020/02/24 11:33:39 [DEBUG] Making CA filenames absolute
2020/02/24 11:33:39 [WARNING] &{69 The specified CA certificate file /etc/hyperledger/fabric-ca/ca-cert.pem does not exist}
2020/02/24 11:33:39 [DEBUG] Getting CA cert; parent server URL is https://****:****@rca.org2:7054
2020/02/24 11:33:39 [DEBUG] Intermediate enrollment request: { Name: Secret:**** CAName: AttrReqs:[] Profile:ca Label: CSR:&{ [] [] <nil> 0xc00000f1e0 } Type:x509 }, CSR: &{CN: Names:[] Hosts:[] KeyRequest:<nil> CA:0xc00000f1e0 SerialNumber:}, CA: &{PathLength:0 PathLenZero:true Expiry:}
2020/02/24 11:33:39 [DEBUG] Enrolling { Name:yKGUPJ75LUh2Fytf Secret:**** CAName: AttrReqs:[] Profile:ca Label: CSR:&{ [{US North Carolina Hyperledger Fabric }] [ica.org2] 0xc000381280 0xc000381320 } Type:x509 }
2020/02/24 11:33:39 [DEBUG] Initializing client with config: &{URL:https://rca.org2:7054 MSPDir: TLS:{Enabled:true CertFiles:[/shared-storage/ca-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name:yKGUPJ75LUh2Fytf Secret:**** CAName: AttrReqs:[] Profile:ca Label: CSR:&{ [{US North Carolina Hyperledger Fabric }] [ica.org2] 0xc000381280 0xc000381320 } Type:x509 } CSR:{CN: Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[ica.org2] KeyRequest:0xc000381280 CA:0xc000381320 SerialNumber:} ID:{Name: Type: Secret: MaxEnrollments:0 Affiliation: Attributes:[] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc000380f80 Debug:false LogLevel:}
2020/02/24 11:33:39 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc0003f5800 PluginOpts:<nil>}
2020/02/24 11:33:39 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc0003011a0 DummyKeystore:<nil> InmemKeystore:<nil>}
2020/02/24 11:33:39 [INFO] TLS Enabled
2020/02/24 11:33:39 [DEBUG] CA Files: [/shared-storage/ca-cert.pem]
2020/02/24 11:33:39 [DEBUG] Client Cert File:
2020/02/24 11:33:39 [DEBUG] Client Key File:
2020/02/24 11:33:39 [DEBUG] Client TLS certificate and/or key file not provided
2020/02/24 11:33:39 [DEBUG] GenCSR &{CN: Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[ica.org2] KeyRequest:0xc000381280 CA:0xc000381320 SerialNumber:}
2020/02/24 11:33:39 [INFO] generating key: &{A:ecdsa S:256}
2020/02/24 11:33:39 [DEBUG] generate key from request: algo=ecdsa, size=256
2020/02/24 11:33:39 [INFO] encoded CSR
2020/02/24 11:33:39 [DEBUG] Sending request
POST https://rca.org2:7054/enroll
{"hosts":["ica.org2"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBcTCCARcCAQAwaDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9s\naW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRkwFwYD\nVQQDExB5S0dVUEo3NUxVaDJGeXRmMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n+7Et6I8nXh/hpfMs1e4Vnwmu9c1X6tMjrQucIpJ2pHrTuCudRqbQFd2yVM6sZWcn\nmzBuLsb2oJzErBx3RNcRS6BNMEsGCSqGSIb3DQEJDjE+MDwwJgYDVR0RBB8wHYIb\naWNhLnNlY29uZC1zaGlwcGluZy1jb21wYW55MBIGA1UdEwEB/wQIMAYBAf8CAQAw\nCgYIKoZIzj0EAwIDSAAwRQIhANcxCzjFDjEGL6PB9k0UPDfBtTdaevxpefLxW5KF\nstSGAiA8Y6w3+IbUESxZk43Il/cs2UhyOKRMsecHzp8NPFEWzA==\n-----END CERTIFICATE REQUEST-----\n","profile":"ca","crl_override":"","label":"","NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","CAName":""}
And it waits there. There is no timeout or failure.
On the other hand, here is what I see if I check the RCA log:
2020/02/24 11:33:39 [DEBUG] Received request for /enroll
2020/02/24 11:33:39 [DEBUG] ca.Config: &{Version:1.4.4 Cfg:{Identities:{PasswordAttempts:10 AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name: Keyfile:/etc/hyperledger/fabric-ca/ca-key.pem Certfile:/etc/hyperledger/fabric-ca/ca-cert.pem Chainfile:/etc/hyperledger/fabric-ca/ca-chain.pem} Signing:0xc00049a250 CSR:{CN:rca.org2 Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[rca.org2] KeyRequest:0xc0004a0340 CA:0xc0004a03c0 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.AffiliationMgr:1 hf.GenCRL:1 hf.IntermediateCA:1 hf.Registrar.Attributes:* hf.Registrar.DelegateRoles:* hf.Registrar.Roles:* hf.Revoker:1] }]} Affiliations:map[org1:[] org3:[] org2:[]] LDAP:{ Enabled:false URL:ldap://****:****@<host>:<port>/<base> UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:/etc/hyperledger/fabric-ca/fabric-ca-server.db TLS:{false [] { }} } CSP:0xc0004a0960 Client:<nil> Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile:/etc/hyperledger/fabric-ca/IssuerPublicKey IssuerSecretKeyfile:/etc/hyperledger/fabric-ca/msp/keystore/IssuerSecretKey RevocationPublicKeyfile:/etc/hyperledger/fabric-ca/IssuerRevocationPublicKey RevocationPrivateKeyfile:/etc/hyperledger/fabric-ca/msp/keystore/IssuerRevocationPrivateKey RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2020/02/24 11:33:39 [DEBUG] DB: Getting identity yKGUPJ75LUh2Fytf
2020/02/24 11:33:39 [DEBUG] DB: Login user yKGUPJ75LUh2Fytf with max enrollments of -1 and state of 1
2020/02/24 11:33:40 [DEBUG] DB: identity yKGUPJ75LUh2Fytf successfully logged in
2020/02/24 11:33:40 [DEBUG] DB: Getting identity yKGUPJ75LUh2Fytf
2020/02/24 11:33:40 [DEBUG] Processing sign request: id=yKGUPJ75LUh2Fytf, CommonName=yKGUPJ75LUh2Fytf, Subject=<nil>
2020/02/24 11:33:40 [DEBUG] Request is for a CA signing certificate as set in profile 'ca'
2020/02/24 11:33:40 [DEBUG] getUserAttrValue identity=yKGUPJ75LUh2Fytf, attr=hf.IntermediateCA
2020/02/24 11:33:40 [DEBUG] DB: Getting identity yKGUPJ75LUh2Fytf
2020/02/24 11:33:40 [DEBUG] getUserAttrValue identity=yKGUPJ75LUh2Fytf, name=hf.IntermediateCA, value=&{hf.IntermediateCA 1 %!s(bool=false)}
2020/02/24 11:33:40 [DEBUG] Checking CSR fields to make sure that they do not exceed maximum character limits
2020/02/24 11:33:40 [DEBUG] Finished processing sign request
2020/02/24 11:33:40 [DEBUG] DB: Getting identity yKGUPJ75LUh2Fytf
2020/02/24 11:33:40 [INFO] signed certificate with serial number 224012142864517420189536198322248090122518742314
2020/02/24 11:33:40 [DEBUG] DB: Insert Certificate
2020/02/24 11:33:40 [DEBUG] Saved serial number as hex 273d0d4921d08e89b8cf9a5bf44408ad048b452a
2020/02/24 11:33:40 [DEBUG] saved certificate with serial number 224012142864517420189536198322248090122518742314
2020/02/24 11:33:40 [DEBUG] Successfully incremented state for identity yKGUPJ75LUh2Fytf to 2
2020/02/24 11:33:40 [INFO] 10.233.105.103:57380 POST /enroll 201 0 "OK"
As you can see, it looks like the enrollment proceeds normally and without problems. What happens after that? Why don't I receive any response?
I checked the network, and the ICA and RCA can ping each other successfully.
Thank you very much for your help.