Hyperledger Fabric orderer with expired TLS certificates cannot start even with the TLSHandshakeTimeShift option
TLS/MSP keys of my Hyperledger Fabric network expired more than 500h ago. Because of the expirations, my orderers cannot be re-launched after they were stopped.
My orderer settings are:
- Hyperledger Fabric version 2.2
- RAFT Consensus
Following the documentation, I set the TLSHandshakeTimeShift option as 650h and set NoExpirationChecks as true. I checked these values had been set correctly via the logs.
2022-05-26 06:12:11.676 UTC [orderer.common.server] prettyPrintStruct -> INFO 003 Orderer config values:
General.ListenAddress = "0.0.0.0"
General.ListenPort = 7050
General.TLS.Enabled = true
General.TLS.PrivateKey = "/artifacts/tls/keystore/key.pem"
General.TLS.Certificate = "/artifacts/tls/signcerts/cert.pem"
General.TLS.RootCAs = [/artifacts/tls/tlscacerts/ca-cert.pem]
General.TLS.ClientAuthRequired = false
General.TLS.ClientRootCAs = []
General.Cluster.ListenAddress = ""
General.Cluster.ListenPort = 0
General.Cluster.ServerCertificate = ""
General.Cluster.ServerPrivateKey = ""
General.Cluster.ClientCertificate = "/artifacts/tls/signcerts/cert.pem"
General.Cluster.ClientPrivateKey = "/artifacts/tls/keystore/key.pem"
General.Cluster.RootCAs = [/artifacts/tls/tlscacerts/ca-cert.pem]
General.Cluster.DialTimeout = 5s
General.Cluster.RPCTimeout = 7s
General.Cluster.ReplicationBufferSize = 20971520
General.Cluster.ReplicationPullTimeout = 5s
General.Cluster.ReplicationRetryTimeout = 5s
General.Cluster.ReplicationBackgroundRefreshInterval = 5m0s
General.Cluster.ReplicationMaxRetries = 12
General.Cluster.SendBufferSize = 10
General.Cluster.CertExpirationWarningThreshold = 168h0m0s
General.Cluster.TLSHandshakeTimeShift = 650h0m0s // here
General.Keepalive.ServerMinInterval = 1m0s
General.Keepalive.ServerInterval = 2h0m0s
General.Keepalive.ServerTimeout = 20s
General.ConnectionTimeout = 0s
General.GenesisMethod = "file"
General.GenesisFile = "/artifacts/genesis.block"
General.BootstrapMethod = "file"
General.BootstrapFile = "/artifacts/genesis.block"
General.Profile.Enabled = false
General.Profile.Address = "0.0.0.0:6060"
General.LocalMSPDir = "/artifacts/msp"
General.LocalMSPID = "BPLMSP"
General.BCCSP.ProviderName = "SW"
General.BCCSP.SwOpts.SecLevel = 256
General.BCCSP.SwOpts.HashFamily = "SHA2"
General.BCCSP.SwOpts.Ephemeral = true
General.BCCSP.SwOpts.FileKeystore.KeyStorePath = ""
General.BCCSP.SwOpts.DummyKeystore =
General.BCCSP.SwOpts.InmemKeystore =
General.Authentication.TimeWindow = 15m0s
General.Authentication.NoExpirationChecks = true // here
...
Also, I replaced the old, expired MSP with a new MSP. Of course, both were issued by the same Fabric CA server.
So, the current situation is:
- TLS keys: Expired (I didn't replace them because they should be updated via Channel Config Update.)
- MSP keys: New
The problem is, when I restart each orderer, it looks fine at first, but it suddenly produces:
2022-05-26 06:12:29.535 UTC [core.comm] ServerHandshake -> ERRO 0a4 TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=10.0.4.45:55264
Then, it shuts down with a panic error like below:
...
2022-05-26 06:12:36.533 UTC [orderer.common.cluster.replication] func1 -> WARN 0b9 Received error of type 'failed to create new connection: context deadline exceeded' from {"CAs":[{"Expired":false,"Issuer":"self","Subject":"..."}],"Endpoint":"orderer2.bpl:7050"} channel=trust-chain-system-channel
2022-05-26 06:12:36.533 UTC [orderer.common.cluster.replication] func1 -> WARN 0ba Received error of type 'failed to create new connection: context deadline exceeded' from {"CAs":[{"Expired":false,"Issuer":"self","Subject":"..."}],"Endpoint":"orderer0.bpl:7050"} channel=trust-chain-system-channel
2022-05-26 06:12:36.533 UTC [orderer.common.cluster.replication] HeightsByEndpoints -> INFO 0bb Returning the heights of OSNs mapped by endpoints map[] channel=trust-chain-system-channel
2022-05-26 06:12:36.533 UTC [orderer.common.cluster] ReplicateChains -> PANI 0bc Failed pulling system channel: failed obtaining the latest block for channel trust-chain-system-channel
panic: Failed pulling system channel: failed obtaining the latest block for channel trust-chain-system-channel
goroutine 73 [running]:
go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc002b4e000, 0x0, 0x0, 0x0)
/go/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore/entry.go:230 +0x545
go.uber.org/zap.(*SugaredLogger).log(0xc000820df0, 0xc00252f804, 0x101c941, 0x21, 0xc002187c40, 0x1, 0x1, 0x0, 0x0, 0x0)
/go/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:234 +0x100
go.uber.org/zap.(*SugaredLogger).Panicf(...)
/go/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:159
github.com/hyperledger/fabric/common/flogging.(*FabricLogger).Panicf(...)
/go/src/github.com/hyperledger/fabric/common/flogging/zap.go:74
github.com/hyperledger/fabric/orderer/common/cluster.(*Replicator).ReplicateChains(0xc002880840, 0xc0003bf000, 0xc002591a40, 0xc002880840)
/go/src/github.com/hyperledger/fabric/orderer/common/cluster/replication.go:166 +0x49d
github.com/hyperledger/fabric/orderer/common/onboarding.(*ReplicationInitiator).ReplicateChains(0xc000180200, 0xc0003bf000, 0xc002591840, 0x1, 0x1, 0x0, 0x0, 0x0)
/go/src/github.com/hyperledger/fabric/orderer/common/onboarding/onboarding.go:183 +0x1e3
github.com/hyperledger/fabric/orderer/common/onboarding.(*InactiveChainReplicator).replicateDisabledChains(0xc000208a80)
/go/src/github.com/hyperledger/fabric/orderer/common/onboarding/onboarding.go:310 +0x225
github.com/hyperledger/fabric/orderer/common/onboarding.(*InactiveChainReplicator).Run(0xc000208a80)
/go/src/github.com/hyperledger/fabric/orderer/common/onboarding/onboarding.go:288 +0x42
created by github.com/hyperledger/fabric/orderer/common/server.initializeEtcdraftConsenter
/go/src/github.com/hyperledger/fabric/orderer/common/server/main.go:770 +0x218
From where should I investigate to solve this problem? Please help me.
Thanks.
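An added example (not code from the post or from Fabric itself) showing what TLSHandshakeTimeShift changes on the verifying side of the handshake: the peer's chain is validated as of now minus the shift, so the shift only helps when it is larger than the time elapsed since the certificate's NotAfter, which is why a 650h shift is meant to cover an expiry more than 500h old. The CA and leaf certificates are constructed in memory as stand-ins; nothing is read from the orderer's /artifacts paths.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// expiredChain builds a constructed CA and leaf (not real orderer material)
// whose validity ended expiredFor ago, like the stale TLS certs in the post.
func expiredChain(expiredFor time.Duration) (*x509.Certificate, *x509.CertPool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	notAfter := time.Now().Add(-expiredFor)
	notBefore := notAfter.Add(-365 * 24 * time.Hour)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-tls-ca"}, IsCA: true,
		NotBefore: notBefore, NotAfter: notAfter.Add(24 * time.Hour), BasicConstraintsValid: true,
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "orderer0.bpl"}, NotBefore: notBefore, NotAfter: notAfter,
	}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return leaf, roots
}

// verifyWithShift validates the chain as of now minus shift, which is what the orderer's
// TLSHandshakeTimeShift does: an expired cert passes only if shift exceeds its age past NotAfter.
func verifyWithShift(leaf *x509.Certificate, roots *x509.CertPool, shift time.Duration) error {
	opts := x509.VerifyOptions{Roots: roots}
	if shift > 0 {
		opts.CurrentTime = time.Now().Add(-shift)
	}
	_, err := leaf.Verify(opts)
	return err
}

func main() {
	leaf, roots := expiredChain(500 * time.Hour) // expired 500h ago, as in the post
	fmt.Println("no shift:", verifyWithShift(leaf, roots, 0), "| 650h shift:", verifyWithShift(leaf, roots, 650*time.Hour))
}
```

To run the same check against real material, parse the PEM files named under General.TLS with x509.ParseCertificate in place of expiredChain.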