fabric问题汇总

发表于 | 分类于 | 浏览

安装部署

fabric测试项目安装问题

1
2
npm install probuf的时候报的错
fabric依赖的sdk需要依赖c++的编译库,windows也许windows-tools,linux也需要支持的gc++,gc

fabric-ca-server 存储私钥么

1
从mysql中不存储私钥

启动order遇到问题

1
2
3
Failed to initialize local MSP: the supplied identity is not valid: x509: certificate signed by unknown authority

原因:实体的证书不是组织的证书签发的

docker-compose创建报错

1
2
3
[blocksProvider] DeliverBlocks -> ERRO 039 [vaccinechannel] Got error &{FORBIDDEN}

解决办法: 需要在组织的msp中增加config.yaml

应用过程中问题

Peer或者Orderer不通

当不通的时候,先确认域名对应的IP是否正确,然后用telnet检查服务端口:

1
2
ping peer0.org1.example.com
telnet peer0.org1.example.com 7051

如果不通,检查一下/etc/hosts中是否设置了域名和IP的对应关系是否正确。

如果还是不通,看一下系统有没有防火墙,7051端口有没有被防火墙禁止。

目标Peer上的Docker没有启动,导致合约实例化失败

实例化合约时出错:

1
./peer.sh chaincode instantiate -o orderer.example.com:7050 --tls true --cafile ./tlsca.example.com-cert.pem -C mychannel -n demo -v 0.0.1 -c '{"Args":["init"]}' -P "OR('Org1MSP.member','Org2MSP.member')"

错误如下:

1
Error: Error endorsing chaincode: rpc error: code = Unknown desc = error starting container: Post http://unix.sock/containers/create?name=dev-peer1.org1.example.com-demo-0.0.1: dial unix /var/run/docker.sock: connect: no such file or directory

这是目标peer上的docker没有启动造成的。

genesisblock中admin证书错误导致orderer panic: x509: ECDSA verification failure

orderer在启动的时候报错,直接panic:

1
2
3
4
5
6
7
8
9
-----END CERTIFICATE-----
2018-06-22 14:27:30.462 UTC [orderer/commmon/multichannel] newLedgerResources -> CRIT 04d Error creating channelconfig bundle: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com")
panic: Error creating channelconfig bundle: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com")

goroutine 1 [running]:
github.com/hyperledger/fabric/vendor/github.com/op/go-logging.(*Logger).Panicf(0xc4201ee120, 0x108668e, 0x27, 0xc42026af50, 0x1, 0x1)
	/w/workspace/fabric-binaries-x86_64/gopath/src/github.com/hyperledger/fabric/vendor/github.com/op/go-logging/logger.go:194 +0x134
github.com/hyperledger/fabric/orderer/common/multichannel.(*Registrar).newLedgerResources(0xc42010a380, 0xc420138840, 0xc420138840)
	/w/workspace/fabric-binaries-x86_64/gopath/src/github.com/hyperledger/fabric/orderer/common/multichannel/registrar.go:253 +0x391

怀疑是创世块的原因,用下面的命令将创始块解开:

1
./bin/configtxgen -profile TwoOrgsOrdererGenesis -outputBlock ./genesisblock

发现比较奇怪的地方,Org1的Admin证书有两个:

1
2
3
4
5
6
7
8
9
10
11
12
"groups": {
  "Org1MSP": {
  "mod_policy": "Admins",
  ...
  "mod_policy": "Admins",
  "value": {
  "config": {
  "admins": [
  "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNHVENDQWIrZ0F3SUJBZ0lRVXRxQWxlZENzWkErWStWdlZMUTZQakFLQmdncWhrak9QUVFEQWpCek1Rc3cKQ1FZRFZRUUdFd0pWVXpFVE1CRUdBMVVFQ0JNS1EyRnNhV1p2Y201cFlURVdNQlFHQTFVRUJ4TU5VMkZ1SUVaeQpZVzVqYVhOamJ6RVpNQmNHQTFVRUNoTVFiM0puTVM1bGVHRnRjR3hsTG1OdmJURWNNQm9HQTFVRUF4TVRZMkV1CmIzSm5NUzVsZUdGdGNHeGxMbU52YlRBZUZ3MHhPREEyTWpFd05qVTNNekJhRncweU9EQTJNVGd3TmpVM016QmEKTUZzeEN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUlFd3BEWVd4cFptOXlibWxoTVJZd0ZBWURWUVFIRXcxVApZVzRnUm5KaGJtTnBjMk52TVI4d0hRWURWUVFEREJaQlpHMXBia0J2Y21jeExtVjRZVzF3YkdVdVkyOXRNRmt3CkV3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFRVp3cUhTVmxxRGNKNC9aVSt0YnB5RVBSTkl5ellMdTMKRGlRVUZOMklBZm5vVGhjTjRmY3Y4c2dsdXUxcnpJYUVHSFRFLzd0TC9EdEg2U3Fjd2tOQkthTk5NRXN3RGdZRApWUjBQQVFIL0JBUURBZ2VBTUF3R0ExVWRFd0VCL3dRQ01BQXdLd1lEVlIwakJDUXdJb0FnbkpjYVVLVFlseVJxCjcyckk4QXNINHNVZHB0ZytWY3IvbHkxZlp3QndrOEF3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloQUsvRXh6NlYKRVYwUFl4M1BQbitPMysvODQrdXFEVkZ2Q1ZRUEVNcU1yV3dkQWlBNVVqTDcyb2drTHB3UUtGZ1ptdTJqRmtPWApSVnhpY0htLzZCR3htelFRc1E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==",
  "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNGVENDQWJ5Z0F3SUJBZ0lRU3E0VzJ1SEVqbHdXZHdGY21WNUlpekFLQmdncWhrak9QUVFEQWpCek1Rc3cKQ1FZRFZRUUdFd0pWVXpFVE1CRUdBMVVFQ0JNS1EyRnNhV1p2Y201cFlURVdNQlFHQTFVRUJ4TU5VMkZ1SUVaeQpZVzVqYVhOamJ6RVpNQmNHQTFVRUNoTVFiM0puTVM1bGVHRnRjR3hsTG1OdmJURWNNQm9HQTFVRUF4TVRZMkV1CmIzSm5NUzVsZUdGdGNHeGxMbU52YlRBZUZ3MHhPREEyTWpFd056VXdNVEZhRncweU9EQTJNVGd3TnpVd01URmEKTUZneEN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUlFd3BEWVd4cFptOXlibWxoTVJZd0ZBWURWUVFIRXcxVApZVzRnUm5KaGJtTnBjMk52TVJ3d0dnWURWUVFERXhOallTNXZjbWN4TG1WNFlXMXdiR1V1WTI5dE1Ga3dFd1lICktvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVxNHl6K0tqSTR2ZmtObzQ0bWp0Q25HQ2cwLzA3L2Y5VW1sZlEKMlpSZWtHN2lyVm1QY0N6YnRVVEcvTFJjbndVemgyaFMvZkg5cGxvZEM4a1pwSlpXQzZOTk1Fc3dEZ1lEVlIwUApBUUgvQkFRREFnZUFNQXdHQTFVZEV3RUIvd1FDTUFBd0t3WURWUjBqQkNRd0lvQWdPc1NNQ2VqcnBOMnBhNEZSCnBOMVE2eXJkVHJleXNGY0Q1Ym9TcVNzSnFLNHdDZ1lJS29aSXpqMEVBd0lEUndBd1JBSWdCQWo1Q3l2cEFhU0kKaTh4anpVVHZxbUt5dmxSOFFPeExBUTAvVi9jRGpTNENJRVg3V1lnZzYwTFUwTy9LNEpmVVpiQmoyNHRBbTkxcgpkQmczN21IZHZVcSsKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo="
  ],
  ...

将上面的两大行字符串分别用base64解码得到证书,然后用openssl命令查看:

1
2
echo "LS0tLS1CRUdJTiBDRVJUSU....tLS0tCg==" |base64 -D >a.cert
openssl x509 -in a.cert -text

第一个证书正确:

1
2
3
...
 Subject: C=US, ST=California, L=San Francisco, CN=Admin@org1.example.com
...

查看第二行:

1
2
echo "LS0tLS1CRUdJTi....tLS0tLQo=" |base64 -D >b.cert
openssl x509 -in b.cert -text

发现第二个证书是CA证书,不是用户证书!

1
Subject: C=US, ST=California, L=San Francisco, CN=ca.org1.example.com

检查生成genesisblock时使用的configtx.yaml文件,发现configtx.yaml中配置的msp目录:

1
MSPDir: ./certs/peerOrganizations/org1.example.com/msp

msp的admincerts子目录中,多出了一个ca证书:

1
2
$ ls ./certs/peerOrganizations/org1.example.com/msp/admincerts/
Admin@org1.example.com-cert.pem ca.org1.example.com-cert.pem

把多出的ca证书删除。

残留数据导致orderer启动失败

启动orderer的时候报错,orderer直接panic:

1
2
2018-06-21 11:01:47.892 CST [orderer/commmon/multichannel] newLedgerResources -> CRIT 052 Error creating channelconfig bundle: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.example.com")
panic: Error creating channelconfig bundle: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.example.com")

排查发现,部署orderer的机器上以前部署过orderer,并且orderer.yaml中配置的数据路径/opt/app/fabric/orderer/data中残留了以前的数据。

将/opt/app/fabric/orderer/data中的文件都删除后,问题解决。

Donate