kubernetes - Hyperledger Fabric Orderer CA admin user registration fails

Tags: kubernetes hyperledger-fabric hyperledger kubernetes-helm hyperledger-fabric-ca

I am building a Hyperledger Fabric network on Kubernetes. Basically, I am trying to mimic the Fabric CA Operation’s Guide, which runs on docker. I am using the stable/hlf-ca Helm chart. Helm version 3-beta-2.

Enroll TLS CA’s Admin: works

kubectl create ns ca-tls

helm install ca-tls \
  --set caName=ca-tls \
  --set postgresql.enabled=true \
  --namespace ca-tls \
stable/hlf-ca

export CA_TLS_POD=$(kubectl get pods --namespace ca-tls -l "app=hlf-ca,release=ca-tls" -o jsonpath="{.items[0].metadata.name}")
kubectl -n ca-tls exec $CA_TLS_POD -- bash -c 'fabric-ca-client enroll -d -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054'

kubectl -n ca-tls cp  $CA_TLS_POD:/var/hyperledger/fabric-ca/msp/signcerts/cert.pem ./tls-ca-cert.pem

cat <<EOF | kubectl -n ca-tls exec $CA_TLS_POD -- bash
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer1-org2 --id.secret peer1PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer2-org2 --id.secret peer2PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererPW --id.type orderer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
EOF

Enroll Org1’s CA Admin: works (org2 works too)

kubectl create ns org1

helm install rca-org1 \
  --set caName=rca-org1 \
  --set postgresql.enabled=true \
  --namespace org1 \
stable/hlf-ca

export RCA_ORG1_POD=$(kubectl get pods --namespace org1 -l "app=hlf-ca,release=rca-org1" -o jsonpath="{.items[0].metadata.name}")
kubectl -n org1 cp ./tls-ca-cert.pem $RCA_ORG1_POD:/tmp/tls-ca-cert.pem

cat <<EOF | kubectl -n org1 exec $RCA_ORG1_POD -- bash
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/ca/admin
fabric-ca-client enroll -d -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name admin-org1 --id.secret org1AdminPW --id.type user -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name user-org1 --id.secret org1UserPW --id.type user -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
EOF

Enroll Orderer Org’s CA Admin: fails. All commands succeed except the last line (--id.name admin-org0).

kubectl create ns org0

helm install rca-org0 \
  --set caName=rca-org0 \
  --set postgresql.enabled=true \
  --namespace org0 \
stable/hlf-ca

export RCA_ORG0_POD=$(kubectl get pods --namespace org0 -l "app=hlf-ca,release=rca-org0" -o jsonpath="{.items[0].metadata.name}")
kubectl -n org0 cp ./tls-ca-cert.pem $RCA_ORG0_POD:/tmp/tls-ca-cert.pem

cat <<EOF | kubectl -n org0 exec $RCA_ORG0_POD -- bash
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/tls-ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/ca/admin
fabric-ca-client enroll -d -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererpw --id.type orderer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name admin-org0 --id.secret org0adminpw --id.type admin --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
EOF

Error log:

root@rca-org0-hlf-ca-5bdd58d48b-l2bbn:/# fabric-ca-client register -d --id.name admin-org0 --id.secret org0adminpw --id.type admin --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
2019/09/20 03:03:00 [DEBUG] Home directory: /tmp/hyperledger/org0/ca/admin
2019/09/20 03:03:00 [INFO] Configuration file location: /tmp/hyperledger/org0/ca/admin/fabric-ca-client-config.yaml
2019/09/20 03:03:00 [DEBUG] Checking for enrollment
2019/09/20 03:03:00 [DEBUG] Initializing client with config: &{URL:http://admin:oZsoUj2qvjRsnAT9zMH9WkMA@0.0.0.0:7054 MSPDir:msp TLS:{Enabled:false CertFiles:[/tmp/tls-ca-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509  } CSR:{CN:admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[rca-org0-hlf-ca-5bdd58d48b-l2bbn] KeyRequest:0xc4202d2ce0 CA:<nil> SerialNumber:} ID:{Name:admin-org0 Type:admin Secret:org0adminpw MaxEnrollments:0 Affiliation: Attributes:[{Name:hf.Revoker Value:true ECert:false} {Name:hf.GenCRL Value:true ECert:false} {Name:admin Value:true ECert:true} {Name:abac.init Value:true ECert:true} {Name:hf.Registrar.Roles Value:client ECert:false} {Name:hf.Registrar.Attributes Value:* ECert:false}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc4202d2540}
2019/09/20 03:03:00 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc4202dcc90 PluginOpts:<nil>}
2019/09/20 03:03:00 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc42054aae0 DummyKeystore:<nil>}
2019/09/20 03:03:00 [DEBUG] CheckIdemixEnrollment - ipkFile: /tmp/hyperledger/org0/ca/admin/msp/IssuerPublicKey, idemixCredFrile: /tmp/hyperledger/org0/ca/admin/msp/user/SignerConfig
2019/09/20 03:03:00 [DEBUG] Client configuration settings: &{URL:http://admin:oZsoUj2qvjRsnAT9zMH9WkMA@0.0.0.0:7054 MSPDir:/tmp/hyperledger/org0/ca/admin/msp TLS:{Enabled:false CertFiles:[/tmp/tls-ca-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509  } CSR:{CN:admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[rca-org0-hlf-ca-5bdd58d48b-l2bbn] KeyRequest:0xc4202d2ce0 CA:<nil> SerialNumber:} ID:{Name:admin-org0 Type:admin Secret:org0adminpw MaxEnrollments:0 Affiliation: Attributes:[{Name:hf.Revoker Value:true ECert:false} {Name:hf.GenCRL Value:true ECert:false} {Name:admin Value:true ECert:true} {Name:abac.init Value:true ECert:true} {Name:hf.Registrar.Roles Value:client ECert:false} {Name:hf.Registrar.Attributes Value:* ECert:false}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc4202d2540}
2019/09/20 03:03:00 [DEBUG] Entered runRegister
2019/09/20 03:03:00 [DEBUG] Initializing client with config: &{URL:http://admin:oZsoUj2qvjRsnAT9zMH9WkMA@0.0.0.0:7054 MSPDir:/tmp/hyperledger/org0/ca/admin/msp TLS:{Enabled:false CertFiles:[/tmp/tls-ca-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509  } CSR:{CN:admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[rca-org0-hlf-ca-5bdd58d48b-l2bbn] KeyRequest:0xc4202d2ce0 CA:<nil> SerialNumber:} ID:{Name:admin-org0 Type:admin Secret:org0adminpw MaxEnrollments:0 Affiliation: Attributes:[{Name:hf.Revoker Value:true ECert:false} {Name:hf.GenCRL Value:true ECert:false} {Name:admin Value:true ECert:true} {Name:abac.init Value:true ECert:true} {Name:hf.Registrar.Roles Value:client ECert:false} {Name:hf.Registrar.Attributes Value:* ECert:false}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc4202d2540}
2019/09/20 03:03:00 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc4202dcc90 PluginOpts:<nil>}
2019/09/20 03:03:00 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc42054aae0 DummyKeystore:<nil>}
2019/09/20 03:03:00 [DEBUG] Loading identity: keyFile=/tmp/hyperledger/org0/ca/admin/msp/keystore/key.pem, certFile=/tmp/hyperledger/org0/ca/admin/msp/signcerts/cert.pem
2019/09/20 03:03:00 [DEBUG] No credential found at /tmp/hyperledger/org0/ca/admin/msp/user/SignerConfig: open /tmp/hyperledger/org0/ca/admin/msp/user/SignerConfig: no such file or directory
2019/09/20 03:03:00 [DEBUG] No Idemix credential found at /tmp/hyperledger/org0/ca/admin/msp/user/SignerConfig
2019/09/20 03:03:00 [DEBUG] Register { Name:admin-org0 Type:admin Secret:**** MaxEnrollments:0 Affiliation: Attributes:[{hf.Revoker true false} {hf.GenCRL true false} {admin true true} {abac.init true true} {hf.Registrar.Roles client false} {hf.Registrar.Attributes * false}] CAName:  }
2019/09/20 03:03:00 [DEBUG] Adding token-based authorization header
2019/09/20 03:03:00 [DEBUG] Sending request
POST http://admin:oZsoUj2qvjRsnAT9zMH9WkMA@0.0.0.0:7054/register
{"id":"admin-org0","type":"admin","secret":"org0adminpw","affiliation":"","attrs":[{"name":"hf.Revoker","value":"true"},{"name":"hf.GenCRL","value":"true"},{"name":"admin","value":"true","ecert":true},{"name":"abac.init","value":"true","ecert":true},{"name":"hf.Registrar.Roles","value":"client"},{"name":"hf.Registrar.Attributes","value":"*"}]}
2019/09/20 03:03:00 [DEBUG] Received response
statusCode=403 (403 Forbidden)
Error: Response from server: Error Code: 71 - Authorization failure

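What am I missing?

Best answer

Can you post the error log you get when running the last register command?

Regarding kubernetes - Hyperledger Fabric Orderer CA admin user registration fails, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/58020988/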
