Hyperledger fabric Orderer引导程序说:CA证书没有CA属性

Hyperledger fabric Orderer引导程序说:CA证书没有CA属性,hyperledger-fabric,hyperledger,hyperledger-fabric-ca,Hyperledger Fabric,Hyperledger,Hyperledger Fabric Ca,订购方的引导给了我以下错误: [orderer.common.server] Start -> PANI 003 Failed validating bootstrap block: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: CA Certificate did not have the CA

订购方的引导给了我以下错误:

[orderer.common.server] Start -> PANI 003 Failed validating bootstrap block: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: CA Certificate did not have the CA attribute, (SN: f8adffbd6a2debed01cd2840f1f75cd77bfdc9c)

panic: Failed validating bootstrap block: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: CA Certificate did not have the CA attribute, (SN: f8adffbd6a2debed01cd2840f1f75cd77bfdc9c)

goroutine 1 [running]:
github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc0001b1970, 0x0, 0x0, 0x0)
        /opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore/entry.go:229 +0x515
github.com/hyperledger/fabric/vendor/go.uber.org/zap.(*SugaredLogger).log(0xc0001382a0, 0xc00003d804, 0x10355b0, 0x25, 0xc00047bd10, 0x1, 0x1, 0x0, 0x0, 0x0)
        /opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:234 +0xf6
github.com/hyperledger/fabric/vendor/go.uber.org/zap.(*SugaredLogger).Panicf(0xc0001382a0, 0x10355b0, 0x25, 0xc00047bd10, 0x1, 0x1)
        /opt/gopath/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:159 +0x79
github.com/hyperledger/fabric/common/flogging.(*FabricLogger).Panicf(0xc0001382a8, 0x10355b0, 0x25, 0xc00047bd10, 0x1, 0x1)
        /opt/gopath/src/github.com/hyperledger/fabric/common/flogging/zap.go:74 +0x60
github.com/hyperledger/fabric/orderer/common/server.Start(0x1013e09, 0x5, 0xc00054f200)
        /opt/gopath/src/github.com/hyperledger/fabric/orderer/common/server/main.go:98 +0xcd
github.com/hyperledger/fabric/orderer/common/server.Main()
        /opt/gopath/src/github.com/hyperledger/fabric/orderer/common/server/main.go:91 +0x1ce
main.main()
        /opt/gopath/src/github.com/hyperledger/fabric/orderer/main.go:15 +0x20
我已检查CA证书文件,并具有以下属性:

X509v3基本约束:关键 CA:对,路径:0

我创建了genesis块,其中configtxgen指向遵循公共结构的文件夹

此外,我使用织物CA

编辑1:

因此,我一直在创建网络,而不是使用cryptogen使用fabric CA,我遵循了fabric教程中关于如何创建证书的内容,这就是我所做的:


export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/fabric-ca/clients/admin

./fabric-samples/bin/fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --tls.certfiles ./tls-cert.pem

./fabric-samples/bin/fabric-ca-client register --id.name peer0.example.com --id.type peer --id.affiliation example.operations --tls.certfiles ./tls-cert.pem

export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/crypto-config/peerOrganizations/example.com/peers/peer0

./fabric-samples/bin/fabric-ca-client enroll -u https://peer0.example.com:aTSKHAhxxrIl@localhost:7054 --tls.certfiles ./tls-cert.pem -M $FABRIC_CA_CLIENT_HOME/msp

export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/fabric-ca/clients/admin

./fabric-samples/bin/fabric-ca-client register --id.name peer1.example.com --id.type peer --id.affiliation example.operations --tls.certfiles ./tls-cert.pem

export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/crypto-config/peerOrganizations/example.com/peers/peer1

./fabric-samples/bin/fabric-ca-client enroll -u https://peer1.example.com:ptPLWOAudqNJ@localhost:7054 --tls.certfiles ./tls-cert.pem -M $FABRIC_CA_CLIENT_HOME/msp

export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/fabric-ca/clients/admin

./fabric-samples/bin/fabric-ca-client register --id.name orderer0.example.com --id.type orderer --id.affiliation example.operations --tls.certfiles ./tls-cert.pem

export FABRIC_CA_CLIENT_HOME=$HOME/Code/dockerimages/hyperledgerfabric/crypto-config/ordererOrganizations/example.com/orderers/orderer0

./fabric-samples/bin/fabric-ca-client enroll -u https://orderer0.example.com:WfEfUodXgjDI@localhost:7054 --tls.certfiles ./tls-cert.pem -M $FABRIC_CA_CLIENT_HOME/msp

在注册了所有对等方和订购方之后,我已经开始使用以下命令创建工件


export CHANNEL_NAME=examplechannel

./fabric-samples/bin/configtxgen -profile OrdererGenesis -outputBlock ./config/genesis.block -channelID $CHANNEL_NAME

./fabric-samples/bin/configtxgen -profile ExampleChannel -outputCreateChannelTx ./config/channel.tx -channelID $CHANNEL_NAME

./fabric-samples/bin/configtxgen -profile ExampleChannel -outputAnchorPeersUpdate ./config/ExampleMSPanchors.tx -channelID $CHANNEL_NAME -asOrg Example

所有这些都使用加密材料文件夹的结构,如下所示:

- ordererOrganizations
    - example.com
        - msp
          - admincerts (the certificates of the administrators of that organization)
          - cacerts (the ca certificates of the organization)
          - tlscacerts (the tls certificate)
          - signcerts
- peerOrganizations
    - example.conm
        - msp
          - admincerts (the certificates of the administrators of that organization)
          - cacerts (the ca certificates of the organization)
          - tlscacerts (the tls certificate)
          - signcerts

编辑2:

因此,它们是一些东西。我使用的是fabric CA,没有任何外部证书和启用TLS,因此,在引导时它会创建所有加密材料。 为了发现问题,我比较了cryptogen工具创建的材料和fabric ca材料的解码,我使用了这个web。 除tls证书外,所有证书都具有相同的属性。cryptogen工具创建的具有以下属性true:

X509v3基本约束:关键 CA:是的

但是由fabric ca创建的一个属性为false,那么是否存在一个属性来确定这一点,我还没有设置,或者是一个bug

编辑3:

多亏了@gari和hyperledger聊天中的人,我找到了解决方案。我把ca创建的tls和tlsca误认为是两个独立的东西

TLSCA必须在带外分发。 在ca上设置一个nginx服务器,为他们提供一个真正的公共cacert支持的http请求、scp、sneaker net等等 使用curl直接从ca服务器获取它是一种黑客行为,但它需要关闭ca检查


lets encrypt可以,但您需要一个单独的nginx服务器或等效集来服务非公共tlsca。或者您可以只为tlsca本身使用LE证书,但这很糟糕,因为每次从lets encrypt续订tlsca时,您都必须重做每个通道。

请确保
cacerts
tlscacerts
实际上都包含根证书。从您对上述布局的描述来看,您似乎没有CA证书,它位于
tlscacerts
文件夹中。

您能解释一下您是如何得到这个错误的吗?当然,我已经指定了更多,如果您能看一看的话,请@RisabhSharma,tyso在您尝试启动订购程序时,为管理员组织对等方和管理员创建MSP后,您出现了此错误?是的,它给了我该错误Hi gari,谢谢,我已在EDIT上添加了更多信息。我认为您仍在使用TLS证书,而不是签署TLS证书的CA。是的,我一直在hyperledger聊天室聊天,我必须在fabric ca之外获得一份tlsca签名。我将在这里复制我在聊天室中所说的内容,以便将来有人可以阅读。非常感谢Gari