Hyperledger fabric Hyperledger结构连接通道返回正,但不起作用
我正在运行HyperledgerFabric 2.1,我想在多主机环境中部署一个2组织网络。 根据本教程,我将运行以下程序:Hyperledger fabric Hyperledger结构连接通道返回正,但不起作用,hyperledger-fabric,hyperledger,Hyperledger Fabric,Hyperledger,我正在运行HyperledgerFabric 2.1,我想在多主机环境中部署一个2组织网络。 根据本教程,我将运行以下程序: cryptogen generate --config=./crypto-config.yaml configtxgen -profile TwoOrgsOrdererGenesis -outputBlock ./channel-artifacts/genesis.block --channelID system-channel configtxgen -profile
cryptogen generate --config=./crypto-config.yaml
configtxgen -profile TwoOrgsOrdererGenesis -outputBlock ./channel-artifacts/genesis.block --channelID system-channel
configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/mychannel.tx -channelID mychannel
2020-06-17 15:48:07.259 UTC [peer.blocksprovider] func1 -> WARN 06b Encountered an error reading from deliver stream: EOF channel=mychannel orderer-address=orderer.ptunstad.no:7050
2020-06-17 15:48:07.259 UTC [peer.blocksprovider] DeliverBlocks -> WARN 06c Got error while attempting to receive blocks: received bad status FORBIDDEN from orderer channel=mychannel orderer-address=orderer.ptunstad.no:7050
我使用以下内容生成所有articats:
cryptogen generate --config=./crypto-config.yaml
configtxgen -profile TwoOrgsOrdererGenesis -outputBlock ./channel-artifacts/genesis.block --channelID system-channel
configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/mychannel.tx -channelID mychannel
2020-06-17 15:48:07.259 UTC [peer.blocksprovider] func1 -> WARN 06b Encountered an error reading from deliver stream: EOF channel=mychannel orderer-address=orderer.ptunstad.no:7050
2020-06-17 15:48:07.259 UTC [peer.blocksprovider] DeliverBlocks -> WARN 06c Got error while attempting to receive blocks: received bad status FORBIDDEN from orderer channel=mychannel orderer-address=orderer.ptunstad.no:7050
然后从cli(将peer0.org1设置为目标)
一切似乎都正常,即使我使用对等通道命令检查,我也会得到肯定的答案
peer channel list
2020-06-17 15:34:26.535 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Channels peers has joined:
mychannel
但是,当我检查订购方的日志时,每隔几秒钟就会收到:
2020-06-17 15:47:07.539 UTC [common.deliver] deliverBlocks -> WARN 03b [channel: mychannel] Client authorization revoked for deliver request from 10.0.1.84:50014: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2020-06-17 15:47:07.539 UTC [comm.grpc.server] 1 -> INFO 03c streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=10.0.1.84:50014 grpc.code=OK grpc.call_duration=9.310607ms
在对等日志中,我得到以下信息:
cryptogen generate --config=./crypto-config.yaml
configtxgen -profile TwoOrgsOrdererGenesis -outputBlock ./channel-artifacts/genesis.block --channelID system-channel
configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/mychannel.tx -channelID mychannel
2020-06-17 15:48:07.259 UTC [peer.blocksprovider] func1 -> WARN 06b Encountered an error reading from deliver stream: EOF channel=mychannel orderer-address=orderer.ptunstad.no:7050
2020-06-17 15:48:07.259 UTC [peer.blocksprovider] DeliverBlocks -> WARN 06c Got error while attempting to receive blocks: received bad status FORBIDDEN from orderer channel=mychannel orderer-address=orderer.ptunstad.no:7050
知道我遗漏了什么吗
编辑
我在这里添加了用于生成初始工件的配置:
crypto-config.yaml
OrdererOrgs:
- Name: Orderer
Domain: example.com
Specs:
- Hostname: orderer
PeerOrgs:
- Name: Org1
Domain: org1.example.com
Template:
Count: 2
Users:
Count: 2
- Name: Org2
Domain: org2.example.com
Template:
Count: 2
Users:
Count: 2
这里是configtx.yaml
Organizations:
- &OrdererOrg
Name: OrdererOrg
ID: OrdererMSP
MSPDir: ../crypto-config/ordererOrganizations/example.com/msp
Policies:
Readers:
Type: Signature
Rule: "OR('OrdererMSP.member')"
Writers:
Type: Signature
Rule: "OR('OrdererMSP.member')"
Admins:
Type: Signature
Rule: "OR('OrdererMSP.admin')"
OrdererEndpoints:
- orderer.example.com:7050
- &Org1
Name: Org1MSP
ID: Org1MSP
MSPDir: ../crypto-config/peerOrganizations/org1.example.com/msp
Policies:
Readers:
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
Writers:
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
Admins:
Type: Signature
Rule: "OR('Org1MSP.admin')"
Endorsement:
Type: Signature
Rule: "OR('Org1MSP.peer')"
AnchorPeers:
- Host: peer0.org1.example.com
Port: 7051
- &Org2
Name: Org2MSP
ID: Org2MSP
MSPDir: ../crypto-config/peerOrganizations/org2.example.com/msp
Policies:
Readers:
Type: Signature
Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
Writers:
Type: Signature
Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
Admins:
Type: Signature
Rule: "OR('Org2MSP.admin')"
Endorsement:
Type: Signature
Rule: "OR('Org2MSP.peer')"
AnchorPeers:
- Host: peer0.org2.example.com
Port: 9051
Capabilities:
Channel: &ChannelCapabilities
V2_0: true
Orderer: &OrdererCapabilities
V2_0: true
Application: &ApplicationCapabilities
V2_0: true
Application: &ApplicationDefaults
Organizations:
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
LifecycleEndorsement:
Type: ImplicitMeta
Rule: "MAJORITY Endorsement"
Endorsement:
Type: ImplicitMeta
Rule: "MAJORITY Endorsement"
Capabilities:
<<: *ApplicationCapabilities
Orderer: &OrdererDefaults
OrdererType: etcdraft
Addresses:
- orderer.example.com:7050
EtcdRaft:
Consenters:
- Host: orderer.example.com
Port: 7050
ClientTLSCert: ../crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
ServerTLSCert: ../crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
BatchTimeout: 2s
BatchSize:
MaxMessageCount: 10
AbsoluteMaxBytes: 99 MB
PreferredMaxBytes: 512 KB
Organizations:
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
BlockValidation:
Type: ImplicitMeta
Rule: "ANY Writers"
Channel: &ChannelDefaults
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
Capabilities:
<<: *ChannelCapabilities
Profiles:
TwoOrgsOrdererGenesis:
<<: *ChannelDefaults
Orderer:
<<: *OrdererDefaults
Organizations:
- *OrdererOrg
Capabilities:
<<: *OrdererCapabilities
Consortiums:
SampleConsortium:
Organizations:
- *Org1
- *Org2
TwoOrgsChannel:
Consortium: SampleConsortium
<<: *ChannelDefaults
Application:
<<: *ApplicationDefaults
Organizations:
- *Org1
- *Org2
Capabilities:
<<: *ApplicationCapabilities
组织:
-&orderorg
姓名:OrderOrg
ID:ordermsp
MSPDir:../crypto-config/orderOrganizations/example.com/msp
政策:
读者:
类型:签名
规则:“或('ordermsp.member')”
作者:
类型:签名
规则:“或('ordermsp.member')”
管理员:
类型:签名
规则:“或('ordermsp.admin')”
订购点:
-order.example.com:7050
-&Org1
名称:Org1MSP
ID:Org1MSP
MSPDir:../crypto-config/peerOrganizations/org1.example.com/msp
政策:
读者:
类型:签名
规则:“或('Org1MSP.admin','Org1MSP.peer','Org1MSP.client')”
作者:
类型:签名
规则:“或('Org1MSP.admin','Org1MSP.client')”
管理员:
类型:签名
规则:“或('Org1MSP.admin')”
背书:
类型:签名
规则:“或('Org1MSP.peer')”
主持人:
-主持人:peer0.org1.example.com
港口:7051
-&Org2
名称:Org2MSP
ID:Org2MSP
MSPDir:../crypto-config/peerOrganizations/org2.example.com/msp
政策:
读者:
类型:签名
规则:“或('Org2MSP.admin','Org2MSP.peer','Org2MSP.client')”
作者:
类型:签名
规则:“或('Org2MSP.admin','Org2MSP.client')”
管理员:
类型:签名
规则:“或('Org2MSP.admin')”
背书:
类型:签名
规则:“或('Org2MSP.peer')”
主持人:
-主持人:peer0.org2.example.com
港口:9051
能力:
通道:&通道功能
V2_0:正确
订购者:&订购者能力
V2_0:正确
应用程序:&应用程序容量
V2_0:正确
应用程序:&ApplicationDefaults
组织:
政策:
读者:
类型:ImplicitMeta
规则:“任何读者”
作者:
类型:ImplicitMeta
规则:“任何作家”
管理员:
类型:ImplicitMeta
规则:“多数管理员”
生命周期声明:
类型:ImplicitMeta
规则:“多数赞成”
背书:
类型:ImplicitMeta
规则:“多数赞成”
能力:
这是组织权限中的一个问题。
以下是关于的回答,因此我更改了configtx.yaml中的权限
详情如下:
- &Org1
Name: Org1MSP
ID: Org1MSP
MSPDir: crypto-config/peerOrganizations/org1.example.com/msp
Policies:
Readers:
Type: Signature
Rule: "OR('Org1MSP.member')"
Writers:
Type: Signature
Rule: "OR('Org1MSP.member')"
Admins:
Type: Signature
Rule: "OR('Org1MSP.admin')"
AnchorPeers:
- Host: peer0.org1.example.com
Port: 7051
- &Org2
Name: Org2MSP
ID: Org2MSP
MSPDir: crypto-config/peerOrganizations/org2.example.com/msp
Policies:
Readers:
Type: Signature
Rule: "OR('Org2MSP.member')"
Writers:
Type: Signature
Rule: "OR('Org2MSP.member')"
Admins:
Type: Signature
Rule: "OR('Org2MSP.admin')"
AnchorPeers:
- Host: peer0.org2.example.com
Port: 9051
我希望您正在创建的频道在channel genesis块中具有对等MSP信息,或者至少您已在以下步骤中将对等组织添加到频道中。如果是这样,是否可以验证对等组织和订购方组织的通道MSP证书是否正确放置?您可以尝试获取频道最新块,将其解码为JSON并获取所有信息。@ChintanRajvir感谢您的回答。因为我不完全理解你的问题,所以我更新了问题,详细介绍了初始工件以及我是如何生成的them@ChintanRajvir请注意,如果我尝试对等通道获取
我得到Expect块,但得到状态:&{probled}
我认为问题在于对等组织TLS证书。在加密配置文件中,您提到的域名是org1.ptunstad.no
,但您对等节点的主机名如下:peer0.org1.example.com
,我确信这将使IP SAN失效。我认为您部署的节点的域与您为其颁发证书的域相同。另外,看起来您正在使用。/crypto-config/peerOrganizations/org1.example.com/msp
中的加密文件,并为org1.ptunstad.no
生成证书,这意味着,您没有选择由cryptogen
@ChintanRajvir生成的最新证书链这解决了我的问题,但是我仍然不明白为什么我以前的设置不起作用(这是细粒度的,因此更好),因为OrgMSP.member允许“OrgMSP”下的任何身份获得访问权。但是,在上述细粒度访问中,您必须在尝试执行该操作的证书中具有正确的OU标识符。@ChintanRajvir我理解,但是我不清楚如何将正确的OU设置为证书。当我在cyrpto配置中生成它时,我看不到任何设置来指定什么是peer/admin/clientcryptogen
仅用于测试环境。我想说,使用Fabric CA或外部已建立的CA进行生产环境。@AdityaArora和ChintanRajvir感谢您的有用见解。希望这次讨论能帮助社区中的其他人