kubernetes - Hyperledger Fabric Orderer CA管理员用户注册失败

标签 kubernetes hyperledger-fabric hyperledger kubernetes-helm hyperledger-fabric-ca

我正在Kubernetes上构建Hyperledger Fabric网络。基本上,我试图模仿在docker上运行的Fabric CA Operation’s Guide。我正在使用stable/hlf-ca Helm chart 。 helm版本3-beta-2

Enroll TLS CA’s Admin:作品

kubectl create ns ca-tls

helm install ca-tls \
  --set caName=ca-tls \
  --set postgresql.enabled=true \
  --namespace ca-tls \
stable/hlf-ca

export CA_TLS_POD=$(kubectl get pods --namespace ca-tls -l "app=hlf-ca,release=ca-tls" -o jsonpath="{.items[0].metadata.name}")
kubectl -n ca-tls exec $CA_TLS_POD -- bash -c 'fabric-ca-client enroll -d -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054'

kubectl -n ca-tls cp  $CA_TLS_POD:/var/hyperledger/fabric-ca/msp/signcerts/cert.pem ./tls-ca-cert.pem

cat <<EOF | kubectl -n ca-tls exec $CA_TLS_POD -- bash
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer1-org2 --id.secret peer1PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer2-org2 --id.secret peer2PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererPW --id.type orderer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
EOF

Enroll Org1’s CA Admin:有效(org2也有效)

kubectl create ns org1

helm install rca-org1 \
  --set caName=rca-org1 \
  --set postgresql.enabled=true \
  --namespace org1 \
stable/hlf-ca

export RCA_ORG1_POD=$(kubectl get pods --namespace org1 -l "app=hlf-ca,release=rca-org1" -o jsonpath="{.items[0].metadata.name}")
kubectl -n org1 cp ./tls-ca-cert.pem $RCA_ORG1_POD:/tmp/tls-ca-cert.pem

cat <<EOF | kubectl -n org1 exec $RCA_ORG1_POD -- bash
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/hyperledger/org1/ca/crypto/ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org1/ca/admin
fabric-ca-client enroll -d -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name admin-org1 --id.secret org1AdminPW --id.type user -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name user-org1 --id.secret org1UserPW --id.type user -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
EOF

Enroll Orderer Org’s CA Admin:失败。除了最后一行(--id.name admin-org0),所有命令都成功。

kubectl create ns org0

helm install rca-org0 \
  --set caName=rca-org0 \
  --set postgresql.enabled=true \
  --namespace org0 \
stable/hlf-ca

export RCA_ORG0_POD=$(kubectl get pods --namespace org0 -l "app=hlf-ca,release=rca-org0" -o jsonpath="{.items[0].metadata.name}")
kubectl -n org0 cp ./tls-ca-cert.pem $RCA_ORG0_POD:/tmp/tls-ca-cert.pem

cat <<EOF | kubectl -n org0 exec $RCA_ORG0_POD -- bash
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/tls-ca-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/hyperledger/org0/ca/admin
fabric-ca-client enroll -d -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererpw --id.type orderer -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
fabric-ca-client register -d --id.name admin-org0 --id.secret org0adminpw --id.type admin --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
EOF

错误日志:

root@rca-org0-hlf-ca-5bdd58d48b-l2bbn:/# fabric-ca-client register -d --id.name admin-org0 --id.secret org0adminpw --id.type admin --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -u http://$CA_ADMIN:$CA_PASSWORD@$SERVICE_DNS:7054
2019/09/20 03:03:00 [DEBUG] Home directory: /tmp/hyperledger/org0/ca/admin
2019/09/20 03:03:00 [INFO] Configuration file location: /tmp/hyperledger/org0/ca/admin/fabric-ca-client-config.yaml
2019/09/20 03:03:00 [DEBUG] Checking for enrollment
2019/09/20 03:03:00 [DEBUG] Initializing client with config: &{URL:http://admin:oZsoUj2qvjRsnAT9zMH9WkMA@0.0.0.0:7054 MSPDir:msp TLS:{Enabled:false CertFiles:[/tmp/tls-ca-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509  } CSR:{CN:admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[rca-org0-hlf-ca-5bdd58d48b-l2bbn] KeyRequest:0xc4202d2ce0 CA:<nil> SerialNumber:} ID:{Name:admin-org0 Type:admin Secret:org0adminpw MaxEnrollments:0 Affiliation: Attributes:[{Name:hf.Revoker Value:true ECert:false} {Name:hf.GenCRL Value:true ECert:false} {Name:admin Value:true ECert:true} {Name:abac.init Value:true ECert:true} {Name:hf.Registrar.Roles Value:client ECert:false} {Name:hf.Registrar.Attributes Value:* ECert:false}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc4202d2540}
2019/09/20 03:03:00 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc4202dcc90 PluginOpts:<nil>}
2019/09/20 03:03:00 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc42054aae0 DummyKeystore:<nil>}
2019/09/20 03:03:00 [DEBUG] CheckIdemixEnrollment - ipkFile: /tmp/hyperledger/org0/ca/admin/msp/IssuerPublicKey, idemixCredFrile: /tmp/hyperledger/org0/ca/admin/msp/user/SignerConfig
2019/09/20 03:03:00 [DEBUG] Client configuration settings: &{URL:http://admin:oZsoUj2qvjRsnAT9zMH9WkMA@0.0.0.0:7054 MSPDir:/tmp/hyperledger/org0/ca/admin/msp TLS:{Enabled:false CertFiles:[/tmp/tls-ca-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509  } CSR:{CN:admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[rca-org0-hlf-ca-5bdd58d48b-l2bbn] KeyRequest:0xc4202d2ce0 CA:<nil> SerialNumber:} ID:{Name:admin-org0 Type:admin Secret:org0adminpw MaxEnrollments:0 Affiliation: Attributes:[{Name:hf.Revoker Value:true ECert:false} {Name:hf.GenCRL Value:true ECert:false} {Name:admin Value:true ECert:true} {Name:abac.init Value:true ECert:true} {Name:hf.Registrar.Roles Value:client ECert:false} {Name:hf.Registrar.Attributes Value:* ECert:false}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc4202d2540}
2019/09/20 03:03:00 [DEBUG] Entered runRegister
2019/09/20 03:03:00 [DEBUG] Initializing client with config: &{URL:http://admin:oZsoUj2qvjRsnAT9zMH9WkMA@0.0.0.0:7054 MSPDir:/tmp/hyperledger/org0/ca/admin/msp TLS:{Enabled:false CertFiles:[/tmp/tls-ca-cert.pem] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509  } CSR:{CN:admin Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[rca-org0-hlf-ca-5bdd58d48b-l2bbn] KeyRequest:0xc4202d2ce0 CA:<nil> SerialNumber:} ID:{Name:admin-org0 Type:admin Secret:org0adminpw MaxEnrollments:0 Affiliation: Attributes:[{Name:hf.Revoker Value:true ECert:false} {Name:hf.GenCRL Value:true ECert:false} {Name:admin Value:true ECert:true} {Name:abac.init Value:true ECert:true} {Name:hf.Registrar.Roles Value:client ECert:false} {Name:hf.Registrar.Attributes Value:* ECert:false}] CAName:} Revoke:{Name: Serial: AKI: Reason: CAName: GenCRL:false} CAInfo:{CAName:} CAName: CSP:0xc4202d2540}
2019/09/20 03:03:00 [DEBUG] Initializing BCCSP: &{ProviderName:SW SwOpts:0xc4202dcc90 PluginOpts:<nil>}
2019/09/20 03:03:00 [DEBUG] Initializing BCCSP with software options &{SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore:0xc42054aae0 DummyKeystore:<nil>}
2019/09/20 03:03:00 [DEBUG] Loading identity: keyFile=/tmp/hyperledger/org0/ca/admin/msp/keystore/key.pem, certFile=/tmp/hyperledger/org0/ca/admin/msp/signcerts/cert.pem
2019/09/20 03:03:00 [DEBUG] No credential found at /tmp/hyperledger/org0/ca/admin/msp/user/SignerConfig: open /tmp/hyperledger/org0/ca/admin/msp/user/SignerConfig: no such file or directory
2019/09/20 03:03:00 [DEBUG] No Idemix credential found at /tmp/hyperledger/org0/ca/admin/msp/user/SignerConfig
2019/09/20 03:03:00 [DEBUG] Register { Name:admin-org0 Type:admin Secret:**** MaxEnrollments:0 Affiliation: Attributes:[{hf.Revoker true false} {hf.GenCRL true false} {admin true true} {abac.init true true} {hf.Registrar.Roles client false} {hf.Registrar.Attributes * false}] CAName:  }
2019/09/20 03:03:00 [DEBUG] Adding token-based authorization header
2019/09/20 03:03:00 [DEBUG] Sending request
POST http://admin:oZsoUj2qvjRsnAT9zMH9WkMA@0.0.0.0:7054/register
{"id":"admin-org0","type":"admin","secret":"org0adminpw","affiliation":"","attrs":[{"name":"hf.Revoker","value":"true"},{"name":"hf.GenCRL","value":"true"},{"name":"admin","value":"true","ecert":true},{"name":"abac.init","value":"true","ecert":true},{"name":"hf.Registrar.Roles","value":"client"},{"name":"hf.Registrar.Attributes","value":"*"}]}
2019/09/20 03:03:00 [DEBUG] Received response
statusCode=403 (403 Forbidden)
Error: Response from server: Error Code: 71 - Authorization failure

我想念什么?

最佳答案

您能发布运行最后一个注册命令时遇到的错误日志吗?

关于kubernetes - Hyperledger Fabric Orderer CA管理员用户注册失败,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/58020988/

上一篇:android - Kotlin转换为Double?加倍

下一篇:java - 在Kotlin中:从两个 map 中求和一个公钥的两个值的一种优雅方法是什么?

相关文章:

kubernetes - Kubernetes:如何实现网络资源配额

docker - Kubernetes:管理应用程序运行环境

kubernetes - 无法在Kubernetes集群上更新Calico CNI配置

docker - 错误 : hyperledger/fabric:make gotools: unrecognized import path "golang.org/x/tools/go/gcexportdata"

docker - 没有这样的容器会出现错误:运行Hyperledger Fabric第一个网络样本时的cli

hyperledger-fabric - 即使在 Hyperledger Fabric v1.4 中的背书策略失败后也会提交 block

hyperledger-fabric - Hyperledger Fabric 中的用户注册和登录

kubernetes - 使用Kubernetes或Minikube更新到Mac版Docker后,确保套接字安全的最佳方法是什么

super 账本 SBFT 与 RBFT

hyperledger-fabric - super 账本创世区 block

©2024 IT工具网  联系我们