Reference links: fabric-ca in practice
https://www.jianshu.com/p/de04cbc4d3dc
Docs » Fabric design » CA
https://hyperledgercn.github.io/hyperledgerDocs/ca-setup_zh/#_2
Fabric CA official user guide (Chinese edition)
https://blog.csdn.net/greedystar/article/details/80344984
This write-up is rough; if you cannot bear it, refer to the links above.
First, a word on the existing network: it is simply a Fabric network set up with certificates generated by the tool (cryptogen).
Because of some particular requirements, we will now use Fabric CA in place of the tool, so that it manages the lifecycle of all certificates issued from here on.
First, understand the directory structure the tool generates and which certificates we need (from this point on, each organization maintains and manages its own node certificates; Org1 is used as the example here).
The ca directory holds the root certificate used to issue MSP certificates; tlsca holds the root certificate used to issue TLS certificates.
1. Start the CA server (shown here running natively; the official samples already cover starting it with Docker, just replace the files)
Install libtool:
sudo apt install libtool libltdl-dev
Build the server and client:
go get -u github.com/hyperledger/fabric-ca/cmd/...
If the previous step fails, download the source from GitHub and build it manually; the GitHub address is:
https://github.com/hyperledger/fabric-ca
After a successful build, add the binaries to your PATH (I was lazy here and just dropped the binaries into a bin directory that is already on the PATH).
Start the MSP certificate issuing service:
First create a directory to serve as the home of the MSP service:
mkdir -p /root/go/src/github.com/hyperledger/ca/server-msp
cd /root/go/src/github.com/hyperledger/ca/server-msp
Use the tool's built-in init command to obtain the configuration file needed to start the service:
fabric-ca-server init -b admin:adminpw
After init succeeds, delete the files we do not need (the freshly generated self-signed CA certificate, the database and the msp directory):
rm -rf ca-cert.pem fabric-ca-server.db msp/
Copy the existing network's MSP root certificate over:
cp -r /root/go/src/github.com/hyperledger/fabric-samples/first-network/crypto-config/peerOrganizations/org1.wnzx.com/ca ./
Edit the configuration file so that it references the existing root certificate and key files:
Configure everything else as needed.
Start the MSP certificate service:
fabric-ca-server start -c fabric-ca-server-config.yaml
Output like the figure below means the server started successfully:
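The screenshot of the edited configuration is not reproduced here, so as an added example (not code from the original post or from Fabric CA) here is a small POSIX shell script that locates the root certificate and key inside the copied ca directory and prints the ca: section of fabric-ca-server-config.yaml that points at them. It assumes cryptogen's file naming inside that directory (ca.<org-domain>-cert.pem and <hex>_sk), and the CA name value is whatever you pass in. The keys ca.name, ca.keyfile, ca.certfile and ca.chainfile are real fabric-ca-server settings. The same steps run against the tlsca directory give you the TLS CA that the enrollment below addresses on port 7064; that second instance is assumed, not shown in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: find the root CA material in
# a copied cryptogen "ca" directory and emit the matching fabric-ca-server
# "ca:" section. Assumes cryptogen naming: ca.<domain>-cert.pem and <hex>_sk.
set -eu

# locate_ca_cert DIR -> prints the single *-cert.pem in DIR, fails otherwise
locate_ca_cert() {
    dir=$1
    set -- "$dir"/*-cert.pem
    if [ $# -ne 1 ] || [ ! -f "$1" ]; then
        echo "expected exactly one *-cert.pem in $dir" >&2
        return 1
    fi
    echo "$1"
}

# locate_ca_key DIR -> prints the single *_sk in DIR, fails otherwise
# (two keys would make the choice ambiguous, so refuse rather than guess)
locate_ca_key() {
    dir=$1
    set -- "$dir"/*_sk
    if [ $# -ne 1 ] || [ ! -f "$1" ]; then
        echo "expected exactly one *_sk in $dir" >&2
        return 1
    fi
    echo "$1"
}

# render_ca_section DIR CA_NAME -> prints the YAML "ca:" block to put into
# fabric-ca-server-config.yaml (keyfile/certfile/chainfile/name are the real
# fabric-ca-server keys; CA_NAME is your choice)
render_ca_section() {
    cert=$(locate_ca_cert "$1") || return 1
    key=$(locate_ca_key "$1") || return 1
    printf 'ca:\n  name: %s\n  keyfile: %s\n  certfile: %s\n  chainfile:\n' \
        "$2" "$key" "$cert"
}

# check_ca_pair CERT KEY -> 0 when CERT is a CA certificate whose public key
# matches KEY; the check is skipped with a notice if openssl is not installed
check_ca_pair() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, skipping cert/key match check" >&2
        return 0
    fi
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not match" >&2
        return 1
    fi
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' || {
        echo "certificate is not a CA certificate" >&2
        return 1
    }
}

# Demo on a constructed directory holding placeholder files (not real keys).
# On the real copied directory run, for example:
#   render_ca_section ca ca-org1
#   check_ca_pair "$(locate_ca_cert ca)" "$(locate_ca_key ca)"
demo_ca=$(mktemp -d)
echo "placeholder cert" > "$demo_ca/ca.org1.wnzx.com-cert.pem"
echo "placeholder key" > "$demo_ca/0123456789abcdef_sk"
render_ca_section "$demo_ca" ca-org1
```

Paste the printed block over the ca: section of the generated config (or keep the paths relative to the server home as shown). check_ca_pair is worth running once on the real files: a key that does not belong to the certificate is the usual cause of a server that starts but then issues certificates the rest of the network rejects.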
Register MSP certificates
mkdir -p /root/go/src/github.com/hyperledger/ca/client-msp
cd /root/go/src/github.com/hyperledger/ca/client-msp
# set the client's working directory
export FABRIC_CA_CLIENT_HOME=$PWD
# enroll the admin user and obtain the admin certificate
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
# register an identity for an MSP certificate
fabric-ca-client register --id.name fang --id.type peer --id.affiliation org1.department1 --id.secret fang
# create a directory to hold the registered identity's MSP certificate
mkdir fang
# enroll as the registered identity to obtain its MSP certificate
# -c specifies the config file (only needed when some MSP certificate settings must be changed; optional, depending on the situation)
# -M specifies where the MSP certificate is stored
fabric-ca-client enroll -u http://fang:fang@localhost:7054 -c fabric-ca-client-config.yaml -M ./fang
Register TLS certificates
mkdir -p /root/go/src/github.com/hyperledger/ca/client-tls
cd /root/go/src/github.com/hyperledger/ca/client-tls
# set the client's working directory
export FABRIC_CA_CLIENT_HOME=$PWD
# enroll the admin user and obtain the admin certificate
fabric-ca-client enroll -u http://admin:adminpw@localhost:7064
# register an identity for a TLS certificate
fabric-ca-client register --id.name fang --id.type peer --id.affiliation org1.department1 --id.secret fang
# create a directory to hold the registered identity's TLS certificate
mkdir fang
# enroll as the registered identity with the tls profile to obtain its TLS certificate
# -c specifies the config file (only needed when some certificate settings must be changed; optional, depending on the situation)
# -M specifies where the TLS certificate is stored
fabric-ca-client enroll -d --enrollment.profile tls -u http://fang:fang@localhost:7064 -c fabric-ca-client-config.yaml -M ./fang
############################################
cd fang
# create the tls directory
mkdir tls
# assemble the tls files
mv tlscacerts/tls-*-7064.pem ./tls/ca.crt
mv signcerts/cert.pem ./tls/server.crt
mv keystore/*_sk ./tls/server.key
# the msp directory needs the TLS CA certificate, so copy that file into the msp directory
cp tls/ca.crt ../msp/tlscacerts/
# the cli needs an administrator certificate, so copy one from the same directory of an existing peer (place it in the admincerts directory)
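The register and assemble steps above are easy to get slightly wrong (a secret that equals the identity name, a stray second key in keystore, a server.key left world-readable), so here is an added example, not code from the original post, that wraps them in a POSIX shell script. register_node is the only function that calls the real fabric-ca-client (with the same flags the post uses plus -u for the CA URL); build_tls_dir assembles the tls directory from the enroll output exactly as the mv commands above do, but copies instead of moving, refuses to guess when keystore holds more than one key, and makes the key owner-only. The demo directory and file contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: register a node with a random
# enrollment secret and assemble tls/ from the enroll output.
set -eu

# gen_secret -> prints 32 hex characters drawn from /dev/urandom
gen_secret() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# register_node NAME AFFILIATION CA_URL -> registers NAME as a peer identity
# with a fresh secret and prints that secret so the caller can pass it to
# enroll; this is the only function that needs fabric-ca-client and a
# running CA, so the demo below does not call it
register_node() {
    secret=$(gen_secret)
    fabric-ca-client register --id.name "$1" --id.type peer \
        --id.affiliation "$2" --id.secret "$secret" -u "$3" >/dev/null
    echo "$secret"
}

# build_tls_dir ENROLL_DIR -> creates ENROLL_DIR/tls/{ca.crt,server.crt,server.key}
# from the layout written by "fabric-ca-client enroll --enrollment.profile tls
# -M ENROLL_DIR" (tlscacerts/*.pem, signcerts/cert.pem, keystore/*_sk) and
# prints the tls directory path
build_tls_dir() {
    src=$1
    set -- "$src"/keystore/*_sk
    if [ $# -ne 1 ] || [ ! -f "$1" ]; then
        echo "expected exactly one *_sk in $src/keystore" >&2
        return 1
    fi
    key=$1
    set -- "$src"/tlscacerts/*.pem
    if [ $# -ne 1 ] || [ ! -f "$1" ]; then
        echo "expected exactly one CA certificate in $src/tlscacerts" >&2
        return 1
    fi
    cacert=$1
    if [ ! -f "$src/signcerts/cert.pem" ]; then
        echo "missing $src/signcerts/cert.pem" >&2
        return 1
    fi
    mkdir -p "$src/tls"
    cp "$cacert" "$src/tls/ca.crt"
    cp "$src/signcerts/cert.pem" "$src/tls/server.crt"
    cp "$key" "$src/tls/server.key"
    chmod 600 "$src/tls/server.key"   # private key: owner only
    echo "$src/tls"
}

# Demo on a constructed enroll directory with placeholder contents (not real
# certificates or keys). With a live CA you would instead run, for example:
#   secret=$(register_node peer2 org1.department1 http://admin:adminpw@localhost:7064)
#   fabric-ca-client enroll --enrollment.profile tls -u "http://peer2:$secret@localhost:7064" -M ./peer2
#   build_tls_dir ./peer2
demo=$(mktemp -d)
mkdir -p "$demo/tlscacerts" "$demo/signcerts" "$demo/keystore"
echo "placeholder tls ca cert" > "$demo/tlscacerts/tls-localhost-7064.pem"
echo "placeholder server cert" > "$demo/signcerts/cert.pem"
echo "placeholder key" > "$demo/keystore/0123456789abcdef_sk"
tls_dir=$(build_tls_dir "$demo")
ls -l "$tls_dir"
```

The generated secret is only needed once, for the enroll call, so there is no reason for it to be guessable or to appear in shell history; the script prints it to stdout so you can capture it into a variable rather than typing it.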
3. Start the new peer
Write the docker-compose-peer.yaml configuration file (added and modified):
version: '2'

volumes:
  #orderer.example.com:
  #peer0.org1.example.com:
  #peer1.org1.example.com:
  peer2.org1.wnzx.com:
  #peer0.org2.example.com:
  #peer1.org2.example.com:

networks:
  byfn:

services:
  peer2.org1.wnzx.com:
    container_name: peer2.org1.wnzx.com
    extends:
      file: base/docker-compose-base.yaml
      service: peer2.org1.wnzx.com
    extra_hosts:
      - "orderer.wnzx.com:192.168.3.94"
      - "peer0.org1.wnzx.com:192.168.3.94"
      - "peer1.org1.wnzx.com:192.168.3.94"
      - "peer0.org2.wnzx.com:192.168.3.94"
      - "peer1.org2.wnzx.com:192.168.3.94"
    networks:
      - byfn

  cli1:
    container_name: cli1
    image: hyperledger/fabric-tools:$IMAGE_TAG
    tty: true
    stdin_open: true
    environment:
      - GOPATH=/opt/gopath
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_LOGGING_LEVEL=DEBUG
      #- CORE_LOGGING_LEVEL=INFO
      - CORE_PEER_ID=cli
      - CORE_PEER_ADDRESS=peer2.org1.wnzx.com:7051
      - CORE_PEER_LOCALMSPID=Org1MSP
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.wnzx.com/peers/peer2.org1.wnzx.com/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.wnzx.com/peers/peer2.org1.wnzx.com/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.wnzx.com/peers/peer2.org1.wnzx.com/tls/ca.crt
      - CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.wnzx.com/users/Admin@org1.wnzx.com/msp
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
    command: /bin/bash
    volumes:
      - /var/run/:/host/var/run/
      - ./../chaincode/:/opt/gopath/src/github.com/chaincode
      - ./crypto-config:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/
      - ./scripts:/opt/gopath/src/github.com/hyperledger/fabric/peer/scripts/
      - ./channel-artifacts:/opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts
    extra_hosts:
      - "orderer.wnzx.com:192.168.3.94"
      - "peer0.org1.wnzx.com:192.168.3.94"
      - "peer1.org1.wnzx.com:192.168.3.94"
      - "peer2.org1.wnzx.com:192.168.3.231"
      - "peer0.org2.wnzx.com:192.168.3.94"
      - "peer1.org2.wnzx.com:192.168.3.94"
    networks:
      - byfn
base/docker-compose-base.yaml (added):
  peer2.org1.wnzx.com:
    container_name: peer2.org1.wnzx.com
    extends:
      file: peer-base.yaml
      service: peer-base
    environment:
      - CORE_PEER_ID=peer2.org1.wnzx.com
      - CORE_PEER_ADDRESS=peer2.org1.wnzx.com:7051
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer2.org1.wnzx.com:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer2.org1.wnzx.com:7051
      - CORE_PEER_LOCALMSPID=Org1MSP
    volumes:
      - /var/run/:/host/var/run/
      - ../crypto-config/peerOrganizations/org1.wnzx.com/peers/peer2.org1.wnzx.com/msp:/etc/hyperledger/fabric/msp
      - ../crypto-config/peerOrganizations/org1.wnzx.com/peers/peer2.org1.wnzx.com/tls:/etc/hyperledger/fabric/tls
      - peer2.org1.wnzx.com:/var/hyperledger/production
    ports:
      - 7051:7051
      - 7053:7053
base/peer-base.yaml (unchanged):
version: '2'

services:
  peer-base:
    image: hyperledger/fabric-peer:$IMAGE_TAG
    environment:
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      # the following setting starts chaincode containers on the same
      # bridge network as the peers
      # https://docs.docker.com/compose/networking/
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_byfn
      #- CORE_LOGGING_LEVEL=INFO
      - CORE_LOGGING_LEVEL=DEBUG
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
    command: peer node start
docker-compose-couch.yaml (added):
version: '2'

networks:
  byfn:

services:
  couchdb4:
    container_name: couchdb4
    image: hyperledger/fabric-couchdb
    environment:
      - COUCHDB_USER=
      - COUCHDB_PASSWORD=
    ports:
      - "5984:5984"
    networks:
      - byfn

  peer2.org1.wnzx.com:
    environment:
      - CORE_LEDGER_STATE_STATEDATABASE=CouchDB
      - CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb4:5984
      - CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=
      - CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=
    depends_on:
      - couchdb4
Copy the relevant certificates from the existing network into the corresponding directories of the newly added peer node.
Start the peer:
docker-compose -f docker-compose-peer.yaml -f docker-compose-couch.yaml up -d
Once the peer is up, enter the cli container and have this peer join the channel, and so on.
Check the logs; if there are no errors or serious warnings, it most likely worked.
Tip:
If you replace certificates or change configuration, there is no need to restart everything; just docker stop container_id for the peer (CouchDB does not need to be restarted).
After replacing the files, recreate it: docker-compose -f docker-compose-peer.yaml up -d --force-recreate
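The compose files mount msp and tls from the peer's crypto-config directory, and a missing or empty sub-directory only shows up as a confusing error once the container is running. As an added example (not code from the original post), here is a POSIX shell pre-flight script: check_peer_crypto verifies the layout the volume mounts in base/docker-compose-base.yaml expect (the five msp sub-directories, including the admincerts and tlscacerts entries populated in step 2, plus tls/ca.crt, server.crt and server.key) and that private keys are owner-only; check_couch_credentials flags the empty COUCHDB_USER / COUCHDB_PASSWORD values in docker-compose-couch.yaml, which matters because that file also publishes port 5984 on the host. The demo directory, file contents and compose fragment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks to run
# before "docker-compose ... up -d" for the new peer.
set -eu

# check_peer_crypto PEER_DIR -> 0 when msp/ and tls/ are complete and keys are
# owner-only, otherwise lists every problem on stderr and returns 1
check_peer_crypto() {
    base=$1
    rc=0
    for d in admincerts cacerts keystore signcerts tlscacerts; do
        if [ ! -d "$base/msp/$d" ] || [ -z "$(ls -A "$base/msp/$d")" ]; then
            echo "missing or empty: $base/msp/$d" >&2
            rc=1
        fi
    done
    for f in tls/ca.crt tls/server.crt tls/server.key; do
        if [ ! -f "$base/$f" ]; then
            echo "missing: $base/$f" >&2
            rc=1
        fi
    done
    # private keys must not be readable by group or others
    for k in "$base"/msp/keystore/*_sk "$base/tls/server.key"; do
        if [ -f "$k" ] && [ "$(ls -l "$k" | cut -c5-10)" != "------" ]; then
            echo "key readable by group/others: $k" >&2
            rc=1
        fi
    done
    return $rc
}

# check_couch_credentials COMPOSE_FILE -> 0 when COUCHDB_USER and
# COUCHDB_PASSWORD are both set to non-empty values in the file, 1 otherwise
check_couch_credentials() {
    rc=0
    for v in COUCHDB_USER COUCHDB_PASSWORD; do
        if ! grep -Eq "^[[:space:]]*-[[:space:]]*$v=.+" "$1"; then
            echo "$v is empty or unset in $1" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed peer directory and compose fragment (placeholders,
# not real certificates or keys). On the real tree you would run e.g.:
#   check_peer_crypto crypto-config/peerOrganizations/org1.wnzx.com/peers/peer2.org1.wnzx.com
#   check_couch_credentials docker-compose-couch.yaml
demo=$(mktemp -d)
peer="$demo/peer2.org1.wnzx.com"
for d in admincerts cacerts signcerts tlscacerts; do
    mkdir -p "$peer/msp/$d"
    echo "placeholder cert" > "$peer/msp/$d/cert.pem"
done
mkdir -p "$peer/msp/keystore" "$peer/tls"
echo "placeholder key" > "$peer/msp/keystore/0123456789abcdef_sk"
chmod 600 "$peer/msp/keystore/0123456789abcdef_sk"
for f in ca.crt server.crt server.key; do
    echo "placeholder" > "$peer/tls/$f"
done
chmod 600 "$peer/tls/server.key"
check_peer_crypto "$peer" && echo "crypto layout ok"

cat > "$demo/docker-compose-couch.yaml" <<'EOF'
services:
  couchdb4:
    environment:
      - COUCHDB_USER=
      - COUCHDB_PASSWORD=
EOF
check_couch_credentials "$demo/docker-compose-couch.yaml" \
    || echo "set CouchDB credentials before publishing 5984"
```

When you do set COUCHDB_USER and COUCHDB_PASSWORD, the matching CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME and CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD values in the peer2 service must be set to the same values, otherwise the peer cannot open its state database.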