Hyperledger Fabric v2.0 CA component
Purpose: generate the MSP certificates and TLS certificates through the CA service, and start the Fabric network with them.
Because certificates issued through the CA have to be registered and generated for each organization, for clarity I call peer0.org1.example.com, peer1.org1.example.com, peer0.org2.example.com, peer1.org2.example.com, orderer.example.com and so on from the official example "components", and peer0, peer1, orderer and so on "nodes". The end goal is MSP and TLS certificates for the peers and orderers.
Notes on the Fabric network:
network: dev. A dedicated network is optional; because my Fabric network runs on the dev network, I add the CA services to the dev network as well.
Server: CentOS7 (x86); organizations are distinguished by colour.
admin-x under each organization is the administrator account; its certificates are stored under /usr/local/home/xxx/ca/admin.
Preface
Fabric version v2.0.0; the server runs CentOS7 (x86). Everything is deployed from the official Docker images with docker-compose, on the custom network dev.
1. Environment preparation
Offline Go installation
[Download the golang 1.14.4 tarball from the Go China site](https://studygolang.com/dl), upload it to /usr/local/go-tar on the server, and enter that directory:
cd /usr/local/go-tar
tar -zxvf go1.14.4.linux-amd64.tar.gz
Move the extracted directory to /usr/local:
mv ./go ../go   # or: mv ./go /usr/local
Configure the Go environment variables
Append the configuration to the end of /etc/profile; open the file:
vim /etc/profile
Add the configuration:
export GOROOT=/usr/local/go
export GOPATH=/root/go
export FABRIC_CA_SERVER_HOME=/root/fabric-ca-server
export FABRIC_CA_CLIENT_HOME=/root/fabric-ca-client
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
Save and exit.
Make the profile take effect:
source /etc/profile
Run go version to check the installed version:
go version
It prints the Go version:
go version go1.14.4 linux/amd64
which means the installation succeeded.
Obtaining the fabric-ca-client binary
Since the fabric-ca-client component is needed, we have to obtain the fabric-ca-client binary. It can be built from the Fabric source, but whenever I built from source it got stuck on timeouts fetching from Google's site, and even after configuring a proxy it would not build. After reading around I used what I understand to be an online build: the following command fetches the binary, and after setting the environment variables it is ready to use.
go get -u github.com/hyperledger/fabric-ca/cmd/fabric-ca-client
Obtaining the configtxgen tool
go get -u github.com/hyperledger/fabric/cmd/configtxgen
Fetching the tools this way takes quite a while; please be patient.
2. Deploying the CA servers
As mentioned earlier, my Fabric network has three organizations, org0, org1 and org2, so four CA services are needed in total: tls-ca, org0-ca, org1-ca and org2-ca.
Write the docker-compose file for the CA services and start them
Go to /usr/local/home on the server; create the home directory if it does not exist.
Create the home directory:
mkdir -p /usr/local/home
Enter the home directory:
cd /usr/local/home
Create the docker-compose file:
touch cas.yml
Paste the configuration below into cas.yml and save it.
Directory layout of /usr/local/home before the CA services are started:
.
└── cas.yml
Configuration file for the CA services:
version: '2'
networks:
  byfn:
    external:
      name: dev
services:
  # tls-ca server: registers identities and issues the TLS communication certificates for the whole Fabric network
  ca-tls:
    container_name: ca-tls
    image: hyperledger/fabric-ca
    # the default port is 7054; tls-ca-admin:tls-ca-adminpw is the bootstrap administrator account:password
    # a MySQL database can be used, but every CA server must then get its own separate db (not tried yet)
    command: sh -c 'fabric-ca-server start -d -b tls-ca-admin:tls-ca-adminpw'
    environment:
      - FABRIC_CA_SERVER_HOME=/usr/local/home/tls-ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=ca-tls
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_PORT=7054
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      # after the container starts, a crypto folder holding the tls-ca server certificates is created in the host directory;
      # ca-cert.pem under /usr/local/home/tls-ca/crypto/ is the signing root certificate of the TLS CA server,
      # used to verify the TLS certificates issued by this CA, and it must also be presented before certificates can be issued
      - /usr/local/home/tls-ca:/usr/local/home/tls-ca
    networks:
      - byfn
    ports:
      - 7052:7054
  # CA server of the orderer organization: registers and issues MSP certificates, including the admin certificate, for every member of that organization; this admin is not the same thing as org0-admin
  org0:
    container_name: org0
    image: hyperledger/fabric-ca
    command: sh -c 'fabric-ca-server start -d -b org0-admin:org0-adminpw'
    environment:
      - FABRIC_CA_SERVER_HOME=/usr/local/home/org0/ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=org0
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_PORT=7054
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      # after the container starts, a crypto folder is created under /usr/local/home/org0/ca/crypto on the host, holding the root certificate of the orderer organization's CA server
      - /usr/local/home/org0/ca:/usr/local/home/org0/ca
    networks:
      - byfn
    ports:
      - 7053:7054
  # CA server of organization org1: registers and issues MSP certificates, including the admin certificate, for every member of org1; this admin is not the same thing as org1-admin
  org1:
    container_name: org1
    image: hyperledger/fabric-ca
    command: sh -c 'fabric-ca-server start -d -b org1-admin:org1-adminpw'
    environment:
      - FABRIC_CA_SERVER_HOME=/usr/local/home/org1/ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=org1
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_PORT=7054
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - /usr/local/home/org1/ca:/usr/local/home/org1/ca
    networks:
      - byfn
    ports:
      - 7054:7054
  # CA server of organization org2: registers and issues MSP certificates, including the admin certificate, for every member of org2; this admin is not the same thing as org2-admin
  org2:
    container_name: org2
    image: hyperledger/fabric-ca
    command: sh -c 'fabric-ca-server start -d -b org2-admin:org2-adminpw'
    environment:
      - FABRIC_CA_SERVER_HOME=/usr/local/home/org2/ca/crypto
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_CSR_CN=org2
      - FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0
      - FABRIC_CA_SERVER_PORT=7054
      - FABRIC_CA_SERVER_DEBUG=true
    volumes:
      - /usr/local/home/org2/ca:/usr/local/home/org2/ca
    networks:
      - byfn
    ports:
      - 7055:7054
Start the services; according to the docker-compose file this brings up four services: ca-tls, org0, org1 and org2.
docker-compose -f cas.yml up -d
List the containers:
docker ps -a
All four CA services are up.
Directory layout of /usr/local/home after start-up:
.
├── cas.yml
├── org0
│ └── ca
│ └── crypto
│ ├── ca-cert.pem
│ ├── fabric-ca-server-config.yaml
│ ├── fabric-ca-server.db
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── msp
│ │ ├── cacerts
│ │ ├── keystore
│ │ │ ├── 04fe49a7ef908fb53a94085b2087e350892f3500d407b081ac1f4bf4c67f5c2d_sk
│ │ │ ├── 443cc62b23cab4be54df8bca0dfcc958f31d6345e366aaac6653c48e2de5ed37_sk
│ │ │ ├── IssuerRevocationPrivateKey
│ │ │ └── IssuerSecretKey
│ │ ├── signcerts
│ │ └── user
│ └── tls-cert.pem
├── org1
│ └── ca
│ └── crypto
│ ├── ca-cert.pem
│ ├── fabric-ca-server-config.yaml
│ ├── fabric-ca-server.db
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── msp
│ │ ├── cacerts
│ │ ├── keystore
│ │ │ ├── 568f0629c2d146d6488686549508591d3e3e3525b25314db50d57318cea3da88_sk
│ │ │ ├── cdecdf3f3922b76f5665c31d89fe812b229dca7020c9b16f81bfa4e6bd6498ae_sk
│ │ │ ├── IssuerRevocationPrivateKey
│ │ │ └── IssuerSecretKey
│ │ ├── signcerts
│ │ └── user
│ └── tls-cert.pem
├── org2
│ └── ca
│ └── crypto
│ ├── ca-cert.pem
│ ├── fabric-ca-server-config.yaml
│ ├── fabric-ca-server.db
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── msp
│ │ ├── cacerts
│ │ ├── keystore
│ │ │ ├── 0992fc79998546ebef0c7833e81a6ba2ea1f37340d4166fb749c64aa6cfcd1d7_sk
│ │ │ ├── ccba8383967abbfd4b67005445be4c8992e3eb4ccca071e9974788eb84636d29_sk
│ │ │ ├── IssuerRevocationPrivateKey
│ │ │ └── IssuerSecretKey
│ │ ├── signcerts
│ │ └── user
│ └── tls-cert.pem
└── tls-ca
└── crypto
├── ca-cert.pem
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── msp
│ ├── cacerts
│ ├── keystore
│ │ ├── 0f0707d2175ef88d6d02567b864394bb70d9a5a1daa23937869c737b5199d885_sk
│ │ ├── 5c23c7434b0798c2c085249fa6b491878cc2e5f86ed0d0965e0563be1283b10d_sk
│ │ ├── IssuerRevocationPrivateKey
│ │ └── IssuerSecretKey
│ ├── signcerts
│ └── user
└── tls-cert.pem
Enrolling with each CA and registering identities
First, the meaning of the commands we will use:
fabric-ca-client enroll: enroll (log in) with an account against the server
fabric-ca-client register: register an account with the server
The commands take a few parameters:
--id.name   the account to register
--id.secret the account's password
--id.type   the type of the registered identity; the options are peer, orderer, admin and user
-u https://0.0.0.0:7052   the target server address
-d   I have not worked out what this parameter does
The address given to -u corresponds to the FABRIC_CA_SERVER_CSR_HOSTS parameter in cas.yml (the docker-compose file of the services) and must match it.
Note: starting the services does not generate any certificate used to start the Fabric network. The certificates in the crypto directories created at start-up are only used by fabric-ca-client when enrolling with and registering against the servers.
Enroll with tls-ca and register all components
Enter the tls-ca server directory:
cd /usr/local/home/tls-ca
Directory layout before enrolling with tls-ca:
.
└── crypto
├── ca-cert.pem
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── msp
│ ├── cacerts
│ ├── keystore
│ │ ├── 0f0707d2175ef88d6d02567b864394bb70d9a5a1daa23937869c737b5199d885_sk
│ │ ├── 5c23c7434b0798c2c085249fa6b491878cc2e5f86ed0d0965e0563be1283b10d_sk
│ │ ├── IssuerRevocationPrivateKey
│ │ └── IssuerSecretKey
│ ├── signcerts
│ └── user
└── tls-cert.pem
Set the environment variables:
# /usr/local/home/tls-ca/crypto/ca-cert.pem is the tls-ca root certificate created when the tls-ca server started
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/tls-ca/crypto/ca-cert.pem
# path under which the tls-ca certificates are stored
export FABRIC_CA_CLIENT_HOME=/usr/local/home/tls-ca/admin
# enroll with the tls-ca server as the administrator; the account and password match the command parameter in cas.yml
fabric-ca-client enroll -d -u https://tls-ca-admin:tls-ca-adminpw@0.0.0.0:7052
[Screenshot: successful enrollment output]
After enrolling, an admin folder is created under /usr/local/home/tls-ca; the layout of /usr/local/home/tls-ca is now:
.
├── admin # root directory of the admin certificates created by the enrollment
│ ├── fabric-ca-client-config.yaml
│ └── msp # certificate directory of the tls-ca admin account
│ ├── cacerts
│ │ └── 0-0-0-0-7052.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 9546a747a4ff6164d8a4cad81ba40249e87fc6f1fb944c495a2d34a41527e612_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── crypto # root directory of the certificates created when the tls-ca service started
├── ca-cert.pem
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── msp # certificate directory created when the tls-ca service started
│ ├── cacerts
│ ├── keystore
│ │ ├── 55ef60857f89f1293b385b747492fe5f5db1f64d8b08048c72493a9a48ae8cb6_sk
│ │ ├── b9f6b6ff8dc0ff4de3717ccf23d2a794ab6c697e43f6dce08fa57d1ab3f2769a_sk
│ │ ├── IssuerRevocationPrivateKey
│ │ └── IssuerSecretKey
│ ├── signcerts
│ └── user
└── tls-cert.pem
Next, register every node of the whole Fabric network, including the admin accounts of org1 and org2; the organization of the orderer nodes does not need an admin account registered here. A successful registration shows the following on the second-to-last line of the log output:
The register request completed successfully
The last line shows the password of the registered account.
Every registration below behaves the same way, so this is not repeated.
# Register TLS identities for every component (peers, orderers and administrators); this only registers the identity, it does not obtain a certificate
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name peer1-org2 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name peer2-org2 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7052
# register the org1 administrator
fabric-ca-client register -d --id.name admin-org1 --id.secret org1AdminPW --id.type admin -u https://0.0.0.0:7052
# register the org2 administrator
fabric-ca-client register -d --id.name admin-org2 --id.secret org2AdminPW --id.type admin -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererPW --id.type orderer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name orderer2-org0 --id.secret ordererPW --id.type orderer -u https://0.0.0.0:7052
fabric-ca-client register -d --id.name orderer3-org0 --id.secret ordererPW --id.type orderer -u https://0.0.0.0:7052
Enroll with org0's CA and register components
Enter /usr/local/home/org0; its layout is:
.
└── ca
└── crypto
├── ca-cert.pem
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── msp
│ ├── cacerts
│ ├── keystore
│ │ ├── 70c8853cdcda0cb4061d6ed9cd86b830c901e489181e3510b2b1f510c76bc98f_sk
│ │ ├── a84b5c9a97377bbd34504cefba9b0a5d804facf586612e99b377967f0342213d_sk
│ │ ├── IssuerRevocationPrivateKey
│ │ └── IssuerSecretKey
│ ├── signcerts
│ └── user
└── tls-cert.pem
Set the environment variables:
# /usr/local/home/org0/ca/crypto/ca-cert.pem is the org0 root certificate created at server start-up; it is needed to enroll
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org0/ca/crypto/ca-cert.pem
# after enrolling, the server administrator's certificates are created under /usr/local/home/org0/ca/admin
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org0/ca/admin
# enroll with the server using the administrator account and password org0-admin:org0-adminpw
fabric-ca-client enroll -d -u https://org0-admin:org0-adminpw@0.0.0.0:7053
[Screenshot: successful enrollment output]
After a successful enrollment, an admin folder is created under /usr/local/home/org0/ca; the layout of /usr/local/home/org0 is:
.
└── ca
├── admin # root directory of the administrator certificates
│ ├── fabric-ca-client-config.yaml
│ └── msp # administrator certificate directory
│ ├── cacerts
│ │ └── 0-0-0-0-7053.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 658456acd1a7a08203fd207930cee026b10246fb462730a35b8f3151a2bb0009_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── crypto
├── ca-cert.pem
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── msp
│ ├── cacerts
│ ├── keystore
│ │ ├── 70c8853cdcda0cb4061d6ed9cd86b830c901e489181e3510b2b1f510c76bc98f_sk
│ │ ├── a84b5c9a97377bbd34504cefba9b0a5d804facf586612e99b377967f0342213d_sk
│ │ ├── IssuerRevocationPrivateKey
│ │ └── IssuerSecretKey
│ ├── signcerts
│ └── user
└── tls-cert.pem
Register all components in org0: orderer1, orderer2, orderer3 and the administrator admin-org0. Note that admin-org0 and the bootstrap administrator org0-admin are different things: admin-org0 is the client-side administrator, org0-admin is the server administrator.
# Register the orderer identities and admin-org0 (admin-org0 is the client administrator; org0-admin is the server administrator, a different identity)
# NOTE: registering only creates the identity; no certificate is obtained yet
# register the orderer1 identity
fabric-ca-client register -d --id.name orderer1-org0 --id.secret ordererpw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"' -u https://0.0.0.0:7053
# register the orderer2 identity
fabric-ca-client register -d --id.name orderer2-org0 --id.secret ordererpw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"' -u https://0.0.0.0:7053
# register the orderer3 identity
fabric-ca-client register -d --id.name orderer3-org0 --id.secret ordererpw --id.type orderer --id.attrs '"hf.Registrar.Roles=orderer"' -u https://0.0.0.0:7053
# register the admin identity
fabric-ca-client register -d --id.name admin-org0 --id.secret org0adminpw --id.type admin --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert" -u https://0.0.0.0:7053
Enroll with org1's CA and register components
Enter /usr/local/home/org1; its layout is:
.
└── ca
└── crypto # server root directory created when org1-ca started
├── ca-cert.pem
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── msp # certificate directory of the org1-ca server
│ ├── cacerts
│ ├── keystore
│ │ ├── a9ec05e494517b53b868dd2aa6baa79cf77d2c51bb1047ca1c927e040230644b_sk
│ │ ├── b8149331cf7d5c68a5daea27eed324d1ae89edbbf6bcef23d483d1ebfb50f47e_sk
│ │ ├── IssuerRevocationPrivateKey
│ │ └── IssuerSecretKey
│ ├── signcerts
│ └── user
└── tls-cert.pem
Set the environment variables and enroll with the org1-ca service:
# /usr/local/home/org1/ca/crypto/ca-cert.pem is the org1 root certificate created at server start-up; it is needed to enroll
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org1/ca/crypto/ca-cert.pem
# after enrolling, the bootstrap administrator's certificates are created under /usr/local/home/org1/ca/admin
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org1/ca/admin
# enroll with the server using the bootstrap administrator account and password org1-admin:org1-adminpw
fabric-ca-client enroll -d -u https://org1-admin:org1-adminpw@0.0.0.0:7054 --tls.certfiles /usr/local/home/org1/ca/crypto/ca-cert.pem
After a successful enrollment, an admin folder is created under /usr/local/home/org1/ca; the layout of /usr/local/home/org1 is:
.
└── ca
├── admin
│ ├── fabric-ca-client-config.yaml
│ └── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7054.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── a3a09d947dd91e90aaaab90e6ebe5dc72ab9087f3317f2695841993fd2e3ab6f_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── crypto
├── ca-cert.pem
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── msp
│ ├── cacerts
│ ├── keystore
│ │ ├── 568f0629c2d146d6488686549508591d3e3e3525b25314db50d57318cea3da88_sk
│ │ ├── cdecdf3f3922b76f5665c31d89fe812b229dca7020c9b16f81bfa4e6bd6498ae_sk
│ │ ├── IssuerRevocationPrivateKey
│ │ └── IssuerSecretKey
│ ├── signcerts
│ └── user
└── tls-cert.pem
Register all nodes of organization org1: peer1, peer2 and admin; user identities are not registered for now.
# note how the type value changes
fabric-ca-client register -d --id.name peer1-org1 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7054
fabric-ca-client register -d --id.name peer2-org1 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7054
fabric-ca-client register -d --id.name admin-org1 --id.secret org1AdminPW --id.type admin -u https://0.0.0.0:7054
Enroll with org2's CA and register components
Enter /usr/local/home/org2; its layout is:
.
└── ca
└── crypto # root directory of the certificates created when org2-ca started
├── ca-cert.pem
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── msp # certificate directory of org2-ca
│ ├── cacerts
│ ├── keystore
│ │ ├── 5ab7241ba82e0dd0621dff84ddafd77ad93d6eee268e9a47a0ce12025a238db6_sk
│ │ ├── c514754c5f5bc290751d719dcad5fb98ad6e6a115c37dc735e00ae2bfe2f70e3_sk
│ │ ├── IssuerRevocationPrivateKey
│ │ └── IssuerSecretKey
│ ├── signcerts
│ └── user
└── tls-cert.pem
Set the environment variables:
# use org2's server certificate, created when org2-ca started
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org2/ca/crypto/ca-cert.pem
# root directory of the administrator certificates
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org2/ca/admin
# enroll with the org2 service
fabric-ca-client enroll -d -u https://org2-admin:org2-adminpw@0.0.0.0:7055 --tls.certfiles /usr/local/home/org2/ca/crypto/ca-cert.pem
After enrolling, an admin folder is created under /usr/local/home/org2/ca; its layout is:
.
└── ca
├── admin # root directory of the org2 administrator certificates
│ ├── fabric-ca-client-config.yaml
│ └── msp # certificate directory of the org2 administrator
│ ├── cacerts
│ │ └── 0-0-0-0-7055.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── ba32d4e32fea5517273e5060c7898b0ff9079fbbd0f9dfb1481f1b0b11cbd258_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── crypto
├── ca-cert.pem
├── fabric-ca-server-config.yaml
├── fabric-ca-server.db
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── msp
│ ├── cacerts
│ ├── keystore
│ │ ├── 5ab7241ba82e0dd0621dff84ddafd77ad93d6eee268e9a47a0ce12025a238db6_sk
│ │ ├── c514754c5f5bc290751d719dcad5fb98ad6e6a115c37dc735e00ae2bfe2f70e3_sk
│ │ ├── IssuerRevocationPrivateKey
│ │ └── IssuerSecretKey
│ ├── signcerts
│ └── user
└── tls-cert.pem
Register all nodes in org2: peer1, peer2 and admin
# register all nodes of organization org2: peer1, peer2 and admin; note that admin and peer have different type values
fabric-ca-client register -d --id.name peer1-org2 --id.secret peer1PW --id.type peer -u https://0.0.0.0:7055
fabric-ca-client register -d --id.name peer2-org2 --id.secret peer2PW --id.type peer -u https://0.0.0.0:7055
fabric-ca-client register -d --id.name admin-org2 --id.secret org2AdminPW --id.type admin -u https://0.0.0.0:7055
Note: so far we have only registered the nodes of each component; no certificates have been obtained.
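The registrations above (against tls-ca, org0-ca, org1-ca and org2-ca) all follow one pattern and share one success signal, the marker line quoted earlier. The script below is an added example, not code from the original post or from Fabric CA. It drives the same fabric-ca-client register call from a manifest read on stdin, treats any output without the marker as a failure, and, instead of passing --id.secret (which leaves every secret in shell history and in ps output), lets the server generate the secret and stores the "Password:" line the client prints in a file with mode 0600. It assumes the CA's administrator is already enrolled with FABRIC_CA_CLIENT_HOME and FABRIC_CA_CLIENT_TLS_CERTFILES set as above; the FABRIC_CA_CLIENT variable (a way to substitute a stand-in command for a dry run), the secrets file path and the manifest format are assumptions of this example, not part of the post.

```shell
#!/bin/sh
# Added example, not from the original post: register several identities
# against one CA from a manifest on stdin ("name type [attrs]").
# Assumes the administrator of that CA is already enrolled (FABRIC_CA_CLIENT_HOME
# and FABRIC_CA_CLIENT_TLS_CERTFILES set as in the post). FABRIC_CA_CLIENT may
# name a stand-in command for a dry run (assumption of this example).
set -u

CLIENT=${FABRIC_CA_CLIENT:-fabric-ca-client}
# The post identifies this line as the success marker of a register call.
SUCCESS_MARK='The register request completed successfully'

# run_register NAME TYPE CA_URL ATTRS   (ATTRS may be empty)
# -d enables the client's debug logging, as in the post's commands.
# stdin is /dev/null so the client cannot consume the manifest.
run_register() {
    if [ -n "$4" ]; then
        "$CLIENT" register -d --id.name "$1" --id.type "$2" --id.attrs "$4" -u "$3" </dev/null 2>&1
    else
        "$CLIENT" register -d --id.name "$1" --id.type "$2" -u "$3" </dev/null 2>&1
    fi
}

# register_identities CA_URL SECRETS_FILE  < manifest
# No --id.secret is passed: the server generates one and the client prints it
# as "Password: ..." on the last line; it is appended to SECRETS_FILE
# (created with mode 0600) as "name secret". Returns 1 at the first failure.
register_identities() {
    ca_url=$1; secrets_file=$2
    if [ ! -e "$secrets_file" ]; then
        : > "$secrets_file"
        chmod 600 "$secrets_file"
    fi
    while read -r name type attrs; do
        case $name in ''|'#'*) continue ;; esac      # skip blanks and comments
        if ! out=$(run_register "$name" "$type" "$ca_url" "$attrs"); then
            printf '%s\n' "$out" >&2
            echo "register of $name failed" >&2
            return 1
        fi
        case $out in
            *"$SUCCESS_MARK"*) ;;
            *) echo "no success marker in output for $name" >&2; return 1 ;;
        esac
        secret=$(printf '%s\n' "$out" | sed -n 's/^Password: //p' | tail -n 1)
        if [ -z "$secret" ]; then
            echo "no Password line in output for $name" >&2; return 1
        fi
        printf '%s %s\n' "$name" "$secret" >> "$secrets_file"
    done
}

# lookup_secret NAME SECRETS_FILE: prints the stored secret for NAME
lookup_secret() {
    awk -v n="$1" '$1 == n { print $2 }' "$2"
}

# Usage with the post's org0 identities (runs only when RUN_DEMO=1).
# The secrets file path is this example's choice, not the post's.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    register_identities https://0.0.0.0:7053 /usr/local/home/org0/ca/secrets.txt <<'EOF'
# name          type     attrs
orderer1-org0   orderer  hf.Registrar.Roles=orderer
orderer2-org0   orderer  hf.Registrar.Roles=orderer
orderer3-org0   orderer  hf.Registrar.Roles=orderer
admin-org0      admin    hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert
EOF
fi
```

Because the enrollment secret never appears on the command line, the later enroll step reads it from the secrets file (lookup_secret) rather than from a copy-pasted URL; a server-rejected registration (for example an identity registered twice against the same CA) stops the batch instead of silently continuing to the next line.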
3. Generating MSP and TLS certificates for all nodes with the client
Making the orderer certificates is slightly more involved, so the peer nodes of org1 and org2 get their certificates first.
Certificates for the peer nodes of org1
MSP certificate of peer1-org1
Set the environment variables:
# root directory in which peer1-org1's certificates are stored
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org1/peer1
# TLS certificate for talking to org1-ca: the certificate created when the org1 service started
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org1/ca/crypto/ca-cert.pem
# directory in which peer1-org1's MSP certificates are stored
export FABRIC_CA_CLIENT_MSPDIR=msp
Enroll with org1-ca as peer1-org1; this creates the peer1 folder under /usr/local/home/org1:
fabric-ca-client enroll -d -u https://peer1-org1:peer1PW@0.0.0.0:7054
[Screenshot: successful enrollment output]
After enrolling, the layout of /usr/local/home/org1/ is:
.
├── ca
│ ├── admin
│ │ ├── fabric-ca-client-config.yaml
│ │ └── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7054.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ ├── 435bb292c0d908aef5cec5c91987de935c344425214d69dc157a257a8ea25a7e_sk
│ │ │ └── a3a09d947dd91e90aaaab90e6ebe5dc72ab9087f3317f2695841993fd2e3ab6f_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── crypto
│ ├── ca-cert.pem
│ ├── fabric-ca-server-config.yaml
│ ├── fabric-ca-server.db
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── msp
│ │ ├── cacerts
│ │ ├── keystore
│ │ │ ├── 568f0629c2d146d6488686549508591d3e3e3525b25314db50d57318cea3da88_sk
│ │ │ ├── cdecdf3f3922b76f5665c31d89fe812b229dca7020c9b16f81bfa4e6bd6498ae_sk
│ │ │ ├── IssuerRevocationPrivateKey
│ │ │ └── IssuerSecretKey
│ │ ├── signcerts
│ │ └── user
│ └── tls-cert.pem
└── peer1 # root directory of the peer1-org1 certificates created by the enrollment
├── fabric-ca-client-config.yaml
└── msp # certificate directory of peer1-org1
├── cacerts
│ └── 0-0-0-0-7054.pem
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── 084a2f4a2c58bed13a059b8fcfc71bf8b5098bc6bb4aa9ebfcdc79e1a2b6f55f_sk
├── signcerts
│ └── cert.pem
└── user
TLS certificate of peer1-org1
Set the environment variables:
# directory in which peer1-org1's TLS certificates are stored
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
# use the tls-ca root certificate to reach the tls-ca server
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/tls-ca/crypto/ca-cert.pem
Enroll with the tls-ca server as peer1-org1; this creates the tls-msp directory under /usr/local/home/org1/peer1:
# enroll with the node's account to obtain the node's TLS certificate
fabric-ca-client enroll -d -u https://peer1-org1:peer1PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer1-org1
After enrolling, the layout of /usr/local/home/org1/ is as follows; the peer1/tls-msp directory has been added:
.
├── ca
│ ├── admin
│ │ ├── fabric-ca-client-config.yaml
│ │ └── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7054.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ ├── 435bb292c0d908aef5cec5c91987de935c344425214d69dc157a257a8ea25a7e_sk
│ │ │ └── a3a09d947dd91e90aaaab90e6ebe5dc72ab9087f3317f2695841993fd2e3ab6f_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── crypto
│ ├── ca-cert.pem
│ ├── fabric-ca-server-config.yaml
│ ├── fabric-ca-server.db
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── msp
│ │ ├── cacerts
│ │ ├── keystore
│ │ │ ├── 568f0629c2d146d6488686549508591d3e3e3525b25314db50d57318cea3da88_sk
│ │ │ ├── cdecdf3f3922b76f5665c31d89fe812b229dca7020c9b16f81bfa4e6bd6498ae_sk
│ │ │ ├── IssuerRevocationPrivateKey
│ │ │ └── IssuerSecretKey
│ │ ├── signcerts
│ │ └── user
│ └── tls-cert.pem
└── peer1
├── fabric-ca-client-config.yaml
├── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7054.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 084a2f4a2c58bed13a059b8fcfc71bf8b5098bc6bb4aa9ebfcdc79e1a2b6f55f_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── tls-msp
├── cacerts
│ └── 0-0-0-0-7052.pem
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ ├── 61fcf823d0068d9b89ab5e8284bd9eab1cc0ec41c3527d79a02e74fd769ea230_sk
│ ├── 845dedfcb545b4ecd21cfade0e93872a39f8c68d49ee98ac83d44263586931e4_sk
│ └── c918732d66fd239f80e0e619e9a1e70ed314b725c7b9009d3ca88638d44a52a4_sk
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
Rename the private key, since the generated key name is irregular; why the file extension is changed as well, I have not worked out.
mv /usr/local/home/org1/peer1/tls-msp/keystore/*_sk /usr/local/home/org1/peer1/tls-msp/keystore/key.pem
MSP certificate of peer2-org1
Set the environment variables:
# root directory in which peer2-org1's certificates are stored
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org1/peer2
# use the certificate created when the org1-ca service started to talk to org1-ca
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org1/ca/crypto/ca-cert.pem
# directory in which peer2-org1's MSP certificates are stored
export FABRIC_CA_CLIENT_MSPDIR=msp
Enroll with org1-ca as peer2-org1; this creates the peer2 folder under /usr/local/home/org1/:
fabric-ca-client enroll -d -u https://peer2-org1:peer2PW@0.0.0.0:7054
After enrolling, the layout of /usr/local/home/org1 is as follows; the peer2 folder has been added:
.
├── ca
│ ├── admin
│ │ ├── fabric-ca-client-config.yaml
│ │ └── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7054.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ ├── 435bb292c0d908aef5cec5c91987de935c344425214d69dc157a257a8ea25a7e_sk
│ │ │ └── a3a09d947dd91e90aaaab90e6ebe5dc72ab9087f3317f2695841993fd2e3ab6f_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── crypto
│ ├── ca-cert.pem
│ ├── fabric-ca-server-config.yaml
│ ├── fabric-ca-server.db
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── msp
│ │ ├── cacerts
│ │ ├── keystore
│ │ │ ├── 568f0629c2d146d6488686549508591d3e3e3525b25314db50d57318cea3da88_sk
│ │ │ ├── cdecdf3f3922b76f5665c31d89fe812b229dca7020c9b16f81bfa4e6bd6498ae_sk
│ │ │ ├── IssuerRevocationPrivateKey
│ │ │ └── IssuerSecretKey
│ │ ├── signcerts
│ │ └── user
│ └── tls-cert.pem
├── peer1
│ ├── fabric-ca-client-config.yaml
│ ├── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7054.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── 62852a8e9a2786290197cfb5b1be96438ff4de0b650c636897015b9c04f7e210_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── tls-msp
│ ├── cacerts
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── key.pem
│ ├── signcerts
│ │ └── cert.pem
│ ├── tlscacerts
│ │ └── tls-0-0-0-0-7052.pem
│ └── user
└── peer2
├── fabric-ca-client-config.yaml
└── msp
├── cacerts
│ └── 0-0-0-0-7054.pem
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── 8832dbb1ad8cca55bf43ce20db346830ca37093d7ede20463001b3c546a118da_sk
├── signcerts
│ └── cert.pem
└── user
TLS certificate of peer2-org1
Set the environment variables:
# directory in which peer2-org1's TLS certificates are stored
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
# use the certificate created when the tls-ca service started to talk to tls-ca
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/tls-ca/crypto/ca-cert.pem
Enroll with the tls-ca server; this creates the tls-msp directory under /usr/local/home/org1/peer2/:
fabric-ca-client enroll -d -u https://peer2-org1:peer2PW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts peer2-org1
After enrolling, the layout of /usr/local/home/org1 is as follows; the peer2/tls-msp directory has been added:
.
├── ca
│ ├── admin
│ │ ├── fabric-ca-client-config.yaml
│ │ └── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7054.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ ├── 435bb292c0d908aef5cec5c91987de935c344425214d69dc157a257a8ea25a7e_sk
│ │ │ └── a3a09d947dd91e90aaaab90e6ebe5dc72ab9087f3317f2695841993fd2e3ab6f_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── crypto
│ ├── ca-cert.pem
│ ├── fabric-ca-server-config.yaml
│ ├── fabric-ca-server.db
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── msp
│ │ ├── cacerts
│ │ ├── keystore
│ │ │ ├── 568f0629c2d146d6488686549508591d3e3e3525b25314db50d57318cea3da88_sk
│ │ │ ├── cdecdf3f3922b76f5665c31d89fe812b229dca7020c9b16f81bfa4e6bd6498ae_sk
│ │ │ ├── IssuerRevocationPrivateKey
│ │ │ └── IssuerSecretKey
│ │ ├── signcerts
│ │ └── user
│ └── tls-cert.pem
├── peer1
│ ├── fabric-ca-client-config.yaml
│ ├── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7054.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── 62852a8e9a2786290197cfb5b1be96438ff4de0b650c636897015b9c04f7e210_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── tls-msp
│ ├── cacerts
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── key.pem
│ ├── signcerts
│ │ └── cert.pem
│ ├── tlscacerts
│ │ └── tls-0-0-0-0-7052.pem
│ └── user
└── peer2
├── fabric-ca-client-config.yaml
├── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7054.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 8832dbb1ad8cca55bf43ce20db346830ca37093d7ede20463001b3c546a118da_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── tls-msp
├── cacerts
│ └── 0-0-0-0-7052.pem
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── 66d4c09f3bda6745e19f4c9f2f6b36601e010e2c58bea092c002c2cf32a06429_sk
├── signcerts
│ └── cert.pem
└── user
Rename the private key:
mv /usr/local/home/org1/peer2/tls-msp/keystore/*_sk /usr/local/home/org1/peer2/tls-msp/keystore/key.pem
MSP certificate of the org1 administrator admin
Set the environment variables:
# root directory in which the org1 administrator admin's certificates are stored
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org1/admin
# use the org1-ca certificate to talk to the org1-ca server
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org1/ca/crypto/ca-cert.pem
# certificate directory of the org1 administrator admin
export FABRIC_CA_CLIENT_MSPDIR=msp
Enroll with the org1-ca server; this creates the admin folder under /usr/local/home/org1:
fabric-ca-client enroll -d -u https://admin-org1:org1AdminPW@0.0.0.0:7054
After enrolling, the layout of /usr/local/home/org1 is as follows; the admin folder has been added:
.
├── admin
│ ├── fabric-ca-client-config.yaml
│ └── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7054.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 1d3ecb725982da164a15a1cd7e6e34332868cb871b919b7f7ea9f1cb4e949ca8_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
├── ca
│ ├── admin
│ │ ├── fabric-ca-client-config.yaml
│ │ └── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7054.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ ├── 435bb292c0d908aef5cec5c91987de935c344425214d69dc157a257a8ea25a7e_sk
│ │ │ └── a3a09d947dd91e90aaaab90e6ebe5dc72ab9087f3317f2695841993fd2e3ab6f_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── crypto
│ ├── ca-cert.pem
│ ├── fabric-ca-server-config.yaml
│ ├── fabric-ca-server.db
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── msp
│ │ ├── cacerts
│ │ ├── keystore
│ │ │ ├── 568f0629c2d146d6488686549508591d3e3e3525b25314db50d57318cea3da88_sk
│ │ │ ├── cdecdf3f3922b76f5665c31d89fe812b229dca7020c9b16f81bfa4e6bd6498ae_sk
│ │ │ ├── IssuerRevocationPrivateKey
│ │ │ └── IssuerSecretKey
│ │ ├── signcerts
│ │ └── user
│ └── tls-cert.pem
├── peer1
│ ├── fabric-ca-client-config.yaml
│ ├── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7054.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── 62852a8e9a2786290197cfb5b1be96438ff4de0b650c636897015b9c04f7e210_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── tls-msp
│ ├── cacerts
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── key.pem
│ ├── signcerts
│ │ └── cert.pem
│ ├── tlscacerts
│ │ └── tls-0-0-0-0-7052.pem
│ └── user
└── peer2
├── fabric-ca-client-config.yaml
├── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7054.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 8832dbb1ad8cca55bf43ce20db346830ca37093d7ede20463001b3c546a118da_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── tls-msp
├── cacerts
│ └── 0-0-0-0-7052.pem
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── 66d4c09f3bda6745e19f4c9f2f6b36601e010e2c58bea092c002c2cf32a06429_sk
├── signcerts
│ └── cert.pem
└── user
TLS certificate of the org1 administrator admin
Set the environment variables:
# TLS certificate directory of admin-org1
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
# use the certificate created when the tls-ca service started to talk to the tls-ca server
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/tls-ca/crypto/ca-cert.pem
Enrolling creates the tls-msp directory under /usr/local/home/org1/admin:
fabric-ca-client enroll -d -u https://admin-org1:org1AdminPW@0.0.0.0:7052 --enrollment.profile tls --csr.hosts admin-org1
After enrolling, the layout of /usr/local/home/org1 is as follows; the admin/tls-msp directory has been added:
.
├── admin
│ ├── fabric-ca-client-config.yaml
│ ├── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7054.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── 1d3ecb725982da164a15a1cd7e6e34332868cb871b919b7f7ea9f1cb4e949ca8_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── tls-msp
│ ├── cacerts
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 41b200fc228bb15899bfcb2966edf5be8923924bb3e55b6cb6d29f6389a39a3e_sk
│ ├── signcerts
│ │ └── cert.pem
│ ├── tlscacerts
│ │ └── tls-0-0-0-0-7052.pem
│ └── user
├── ca
│ ├── admin
│ │ ├── fabric-ca-client-config.yaml
│ │ └── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7054.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ ├── 435bb292c0d908aef5cec5c91987de935c344425214d69dc157a257a8ea25a7e_sk
│ │ │ └── a3a09d947dd91e90aaaab90e6ebe5dc72ab9087f3317f2695841993fd2e3ab6f_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── crypto
│ ├── ca-cert.pem
│ ├── fabric-ca-server-config.yaml
│ ├── fabric-ca-server.db
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── msp
│ │ ├── cacerts
│ │ ├── keystore
│ │ │ ├── 568f0629c2d146d6488686549508591d3e3e3525b25314db50d57318cea3da88_sk
│ │ │ ├── cdecdf3f3922b76f5665c31d89fe812b229dca7020c9b16f81bfa4e6bd6498ae_sk
│ │ │ ├── IssuerRevocationPrivateKey
│ │ │ └── IssuerSecretKey
│ │ ├── signcerts
│ │ └── user
│ └── tls-cert.pem
├── peer1
│ ├── fabric-ca-client-config.yaml
│ ├── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7054.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── 62852a8e9a2786290197cfb5b1be96438ff4de0b650c636897015b9c04f7e210_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── tls-msp
│ ├── cacerts
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── key.pem
│ ├── signcerts
│ │ └── cert.pem
│ ├── tlscacerts
│ │ └── tls-0-0-0-0-7052.pem
│ └── user
└── peer2
├── fabric-ca-client-config.yaml
├── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7054.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 8832dbb1ad8cca55bf43ce20db346830ca37093d7ede20463001b3c546a118da_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── tls-msp
├── cacerts
│ └── 0-0-0-0-7052.pem
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── 66d4c09f3bda6745e19f4c9f2f6b36601e010e2c58bea092c002c2cf32a06429_sk
├── signcerts
│ └── cert.pem
└── user
Rename the private key:
mv /usr/local/home/org1/admin/tls-msp/keystore/*_sk /usr/local/home/org1/admin/tls-msp/keystore/key.pem
Issuing the administrator certificate to peer1-org1
Copy the MSP identity certificate of admin-org1 to peer1-org1 under the name org1-admin-cert.pem.
Before the copy, the layout of /usr/local/home/org1/peer1:
.
├── fabric-ca-client-config.yaml
├── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7054.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 321df369b465a4d15e943ac305c2582fd336d90d7b8de7ebf89b22418f6d8c47_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── tls-msp
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── key.pem
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
mkdir -p /usr/local/home/org1/peer1/msp/admincerts && cp /usr/local/home/org1/admin/msp/signcerts/cert.pem /usr/local/home/org1/peer1/msp/admincerts/org1-admin-cert.pem
After the copy, the msp/admincerts folder has been added; the layout of /usr/local/home/org1/peer1:
.
├── fabric-ca-client-config.yaml
├── msp
│ ├── admincerts
│ │ └── org1-admin-cert.pem
│ ├── cacerts
│ │ └── 0-0-0-0-7054.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 321df369b465a4d15e943ac305c2582fd336d90d7b8de7ebf89b22418f6d8c47_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── tls-msp
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── key.pem
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
Issue the admin certificate to peer2-org1
Copy the MSP identity certificate of admin-org1 to peer2-org1 and name it org1-admin-cert.pem
Directory structure of /usr/local/home/org1/peer2 before issuing
.
├── fabric-ca-client-config.yaml
├── msp
│ ├── cacerts
│ ├── keystore
│ ├── signcerts
│ └── user
└── tls-msp
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── key.pem
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
Issue the admin certificate
mkdir -p /usr/local/home/org1/peer2/msp/admincerts && cp /usr/local/home/org1/admin/msp/signcerts/cert.pem /usr/local/home/org1/peer2/msp/admincerts/org1-admin-cert.pem
After issuing, a new msp/admincerts folder exists; directory structure of /usr/local/home/org1/peer2
.
├── fabric-ca-client-config.yaml
├── msp
│ ├── admincerts
│ │ └── org1-admin-cert.pem
│ ├── cacerts
│ │ └── 0-0-0-0-7054.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 9eb4c1642da9408003ac0a66bf489dccb98da14140aae10a9596bee6b832f6cb_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── tls-msp
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── key.pem
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
Note: the admincerts folder must sit under the peer's msp directory, and its name cannot be changed; it must be admincerts
Create certificates for the peer nodes in org2
The certificate procedure for org2 is the same as for org1, so the org2 commands are grouped together and can be pasted onto the server and run as they are: msp and tls certificates for peer1-org2 and peer2-org2
msp and tls certificates for peer1-org2
Set the environment variables for peer1-org2, then enroll with the peer1-org2 account against the org2 CA server to obtain the msp certificate of peer1-org2
# certificate root directory of peer1-org2
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org2/peer1
# use the org2-ca server's root certificate to talk to the org2-ca server
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org2/ca/crypto/ca-cert.pem
# msp certificate directory of peer1-org2
export FABRIC_CA_CLIENT_MSPDIR=msp
# enroll with the peer1-org2 account against the org2-ca server
fabric-ca-client enroll -d -u https://peer1-org2:[email protected]:7055
With the peer1-org2 environment set, enroll peer1-org2 against the tls-ca server to obtain the tls certificate of peer1-org2
# tls certificate directory of peer1-org2
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
# use the tls-ca server's root certificate to talk to the tls-ca server
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/tls-ca/crypto/ca-cert.pem
fabric-ca-client enroll -d -u https://peer1-org2:[email protected]:7052 --enrollment.profile tls --csr.hosts peer1-org2
Do not forget to rename the private key file
mv /usr/local/home/org2/peer1/tls-msp/keystore/*_sk /usr/local/home/org2/peer1/tls-msp/keystore/key.pem
msp and tls certificates for peer2-org2
Set the environment variables for peer2-org2, then enroll with the peer2-org2 account against the org2 CA server to obtain the msp certificate of peer2-org2
# certificate root directory of peer2-org2
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org2/peer2
# use the org2-ca server's root certificate to talk to the org2-ca server
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org2/ca/crypto/ca-cert.pem
# msp certificate directory of peer2-org2
export FABRIC_CA_CLIENT_MSPDIR=msp
# enroll with the peer2-org2 account against the org2-ca server
fabric-ca-client enroll -d -u https://peer2-org2:[email protected]:7055
With the peer2-org2 environment set, enroll peer2-org2 against the tls-ca server to obtain the tls certificate of peer2-org2
# tls certificate directory of peer2-org2
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
# use the tls-ca server's root certificate to talk to the tls-ca server
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/tls-ca/crypto/ca-cert.pem
fabric-ca-client enroll -d -u https://peer2-org2:[email protected]:7052 --enrollment.profile tls --csr.hosts peer2-org2
Do not forget to rename the private key file
mv /usr/local/home/org2/peer2/tls-msp/keystore/*_sk /usr/local/home/org2/peer2/tls-msp/keystore/key.pem
msp and tls certificates for admin-org2
Set the environment variables for admin-org2, then enroll with the admin-org2 account against the org2 CA server to obtain the msp certificate of admin-org2
# certificate root directory of admin-org2
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org2/admin
# use the org2-ca server's root certificate to talk to the org2-ca server
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org2/ca/crypto/ca-cert.pem
# msp certificate directory of admin-org2
export FABRIC_CA_CLIENT_MSPDIR=msp
# enroll with the admin-org2 account against the org2-ca server
fabric-ca-client enroll -d -u https://admin-org2:[email protected]:7055
With the admin-org2 environment set, enroll admin-org2 against the tls-ca server to obtain the tls certificate of admin-org2
# tls certificate directory of admin-org2
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
# use the tls-ca server's root certificate to talk to the tls-ca server
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/tls-ca/crypto/ca-cert.pem
fabric-ca-client enroll -d -u https://admin-org2:[email protected]:7052 --enrollment.profile tls --csr.hosts admin-org2
Do not forget to rename the private key file
mv /usr/local/home/org2/admin/tls-msp/keystore/*_sk /usr/local/home/org2/admin/tls-msp/keystore/key.pem
Issue org2's admin certificate to peer1 and peer2
Copy the MSP identity certificate of admin-org2 to peer1-org2 and peer2-org2 and name it org2-admin-cert.pem
mkdir -p /usr/local/home/org2/peer1/msp/admincerts && cp /usr/local/home/org2/admin/msp/signcerts/cert.pem /usr/local/home/org2/peer1/msp/admincerts/org2-admin-cert.pem && mkdir -p /usr/local/home/org2/peer2/msp/admincerts && cp /usr/local/home/org2/admin/msp/signcerts/cert.pem /usr/local/home/org2/peer2/msp/admincerts/org2-admin-cert.pem
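The two fix-ups that follow every enroll above (renaming the *_sk file to key.pem and copying the org admin's certificate into msp/admincerts) as a small shell script. This is an added example, not code from the article; the paths follow the article's layout and the function names are my own. Unlike a bare mv with a glob, it refuses to rename when the keystore holds zero or several *_sk files, which is what a repeated enroll leaves behind, and it can be re-run safely once key.pem exists.

```shell
#!/bin/sh
# Added example, not code from the article. Post-enroll fix-ups for one node
# directory laid out as in the article: <node>/msp and <node>/tls-msp.

# Rename the single <hash>_sk file in <node>/tls-msp/keystore to key.pem.
# A plain "mv *_sk key.pem" misbehaves when enroll was run twice (two keys)
# or not at all (no key); this version refuses in both cases and is safe
# to run again after it has already renamed the key.
rename_tls_key() {
  local keystore="$1/tls-msp/keystore" count=0 found=""
  [ -d "$keystore" ] || { echo "no tls-msp keystore under $1" >&2; return 1; }
  [ -f "$keystore/key.pem" ] && return 0
  for f in "$keystore"/*_sk; do
    [ -e "$f" ] || continue
    count=$((count + 1))
    found="$f"
  done
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one *_sk in $keystore, found $count" >&2
    return 1
  fi
  mv "$found" "$keystore/key.pem"
}

# Copy the organisation admin's signing certificate into <node>/msp/admincerts.
# The directory name admincerts is fixed by Fabric; only the file name varies.
install_admin_cert() {
  local node="$1" admin_cert="$2" name="$3"
  [ -f "$admin_cert" ] || { echo "admin certificate $admin_cert not found" >&2; return 1; }
  mkdir -p "$node/msp/admincerts" && cp "$admin_cert" "$node/msp/admincerts/$name"
}

# Usage for org2 with the article's paths (commented out so the script can be
# sourced without touching the filesystem):
# for p in peer1 peer2; do
#   rename_tls_key "/usr/local/home/org2/$p"
#   install_admin_cert "/usr/local/home/org2/$p" \
#     /usr/local/home/org2/admin/msp/signcerts/cert.pem org2-admin-cert.pem
# done
```

Both functions return non-zero on any problem, so they can be chained with && in the same way as the one-line commands in the article.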
At this point the msp and tls certificates for the 6 accounts of the 2 organizations' 4 peer nodes are complete, and the 4 peers can be started with a docker-compose file. To keep the docker-compose configuration in one piece I did not split out the peer section; if you want to check that the certificates you generated can start the peers, find the deploy.yaml file further below, copy from its first line to the last line of peer2-org2 into a new docker-compose yml file, and start the peers with docker-compose -f <file>.yml up -d
Create certificates for the orderer nodes in org0
Create an orderers folder under /usr/local/home/org0 as the certificate root directory of orderer1, orderer2 and orderer3
mkdir -p /usr/local/home/org0/orderers
Directory structure of /usr/local/home/org0 at this point
.
├── ca
│ ├── admin
│ │ ├── fabric-ca-client-config.yaml
│ │ └── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7053.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── ab09d345e16cd347a131398d0766caafeed67ab881a2184011de5ca951c0712e_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── crypto
│ ├── ca-cert.pem
│ ├── fabric-ca-server-config.yaml
│ ├── fabric-ca-server.db
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── msp
│ │ ├── cacerts
│ │ ├── keystore
│ │ │ ├── c267daf08ac85a1ec4444715550ae281ed8f4e856ed346c03e3bde0e099018cd_sk
│ │ │ ├── c3fd32170976f29b92fb9814712bb92f1933ebd39952b70e1a7919e29e0a98aa_sk
│ │ │ ├── IssuerRevocationPrivateKey
│ │ │ └── IssuerSecretKey
│ │ ├── signcerts
│ │ └── user
│ └── tls-cert.pem
└── orderers
msp certificate of orderer1-org0
Set the environment variables for orderer1-org0
# msp certificate root directory of orderer1-org0
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org0/orderers/orderer1-org0
# use the org0-ca server's certificate
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org0/ca/crypto/ca-cert.pem
# msp certificate directory of orderer1-org0
export FABRIC_CA_CLIENT_MSPDIR=msp
Enroll with the orderer1-org0 account against the org0-ca server
fabric-ca-client enroll -d -u https://orderer1-org0:[email protected]:7053
After enrolling, an orderer1-org0 directory is created under /usr/local/home/org0/orderers; directory structure of /usr/local/home/org0/orderers:
.
└── orderer1-org0
├── fabric-ca-client-config.yaml
└── msp
├── cacerts
│ └── 0-0-0-0-7053.pem
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── 0f38fc4270e4992029e98f148ada34ac709740ba9c38c63d768a102dab4c4841_sk
├── signcerts
│ └── cert.pem
└── user
tls certificate of orderer1-org0
Set the environment variables for orderer1-org0
# tls certificate root directory of orderer1-org0
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org0/orderers/orderer1-org0
# tls certificate directory of orderer1-org0
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
# use the certificate generated when the tls-ca server started to talk to the tls-ca server
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/tls-ca/crypto/ca-cert.pem
Enroll with the orderer1-org0 account against the tls-ca server
fabric-ca-client enroll -d -u https://orderer1-org0:[email protected]:7052 --enrollment.profile tls --csr.hosts orderer1-org0
After enrolling, a tls-msp directory is created under /usr/local/home/org0/orderers/orderer1-org0; directory structure of /usr/local/home/org0/orderers:
.
└── orderer1-org0
├── fabric-ca-client-config.yaml
├── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7053.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 0f38fc4270e4992029e98f148ada34ac709740ba9c38c63d768a102dab4c4841_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── tls-msp
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── 47b4888bdc493bb24559d2cc67b34699ac33ba873311f96c7ae8e176f42f0202_sk
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
Rename the private key file
mv /usr/local/home/org0/orderers/orderer1-org0/tls-msp/keystore/*_sk /usr/local/home/org0/orderers/orderer1-org0/tls-msp/keystore/key.pem
msp certificate of admin-org0
Set the environment variables for admin-org0
# certificate root directory of admin-org0
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org0/admin
# use the certificate generated when the org0-ca server started to talk to the org0-ca server
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org0/ca/crypto/ca-cert.pem
# msp certificate directory of admin-org0
export FABRIC_CA_CLIENT_MSPDIR=msp
Enroll with the admin-org0 account against the org0-ca server
fabric-ca-client enroll -d -u https://admin-org0:[email protected]:7053
After a successful enrollment an admin folder is created under /usr/local/home/org0; directory structure of /usr/local/home/org0:
Note which directory is listed: it is now org0, no longer org0/orderers
.
├── admin
│ ├── fabric-ca-client-config.yaml
│ └── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7053.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ ├── dd207032f6bf26a6503f3400c8b3e64e33e4a85557b624cef2e8c36a9f8ba6e7_sk
│ │ └── e3c44df4249dcf406558e78649e296354bac7536515ed00fbf69074b0db05cae_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
├── ca
│ ├── admin
│ │ ├── fabric-ca-client-config.yaml
│ │ └── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7053.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── ab09d345e16cd347a131398d0766caafeed67ab881a2184011de5ca951c0712e_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── crypto
│ ├── ca-cert.pem
│ ├── fabric-ca-server-config.yaml
│ ├── fabric-ca-server.db
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── msp
│ │ ├── cacerts
│ │ ├── keystore
│ │ │ ├── c267daf08ac85a1ec4444715550ae281ed8f4e856ed346c03e3bde0e099018cd_sk
│ │ │ ├── c3fd32170976f29b92fb9814712bb92f1933ebd39952b70e1a7919e29e0a98aa_sk
│ │ │ ├── IssuerRevocationPrivateKey
│ │ │ └── IssuerSecretKey
│ │ ├── signcerts
│ │ └── user
│ └── tls-cert.pem
└── orderers
└── orderer1-org0
├── fabric-ca-client-config.yaml
├── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7053.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 0f38fc4270e4992029e98f148ada34ac709740ba9c38c63d768a102dab4c4841_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── tls-msp
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── key.pem
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
Issue the admin certificate to orderer1-org0
Copy the identity certificate from org0's admin/msp to orderer1-org0; the folder must be named admincerts and must be under the msp directory
Directory structure of /usr/local/home/org0/orderers/orderer1-org0 before issuing
.
├── fabric-ca-client-config.yaml
├── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7053.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 0f38fc4270e4992029e98f148ada34ac709740ba9c38c63d768a102dab4c4841_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── tls-msp
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── key.pem
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
Issue the certificate
mkdir /usr/local/home/org0/orderers/orderer1-org0/msp/admincerts
cp /usr/local/home/org0/admin/msp/signcerts/cert.pem /usr/local/home/org0/orderers/orderer1-org0/msp/admincerts/orderer-admin-cert.pem
After issuing, an admincerts folder is added under /usr/local/home/org0/orderers/orderer1-org0/msp; directory structure of /usr/local/home/org0/orderers/orderer1-org0
.
├── fabric-ca-client-config.yaml
├── msp
│ ├── admincerts
│ │ └── orderer-admin-cert.pem
│ ├── cacerts
│ │ └── 0-0-0-0-7053.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 0f38fc4270e4992029e98f148ada34ac709740ba9c38c63d768a102dab4c4841_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── tls-msp
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── key.pem
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
Note: unlike the peers, no tls certificate is generated for the admin account of the orderer organization
msp and tls certificates of orderer2-org0 and orderer3-org0
Set the environment variables for orderer2-org0
# msp certificate root directory of orderer2-org0
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org0/orderers/orderer2-org0
# use the org0-ca server's certificate
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org0/ca/crypto/ca-cert.pem
# msp certificate directory of orderer2-org0
export FABRIC_CA_CLIENT_MSPDIR=msp
Enroll with the orderer2-org0 account against the org0-ca server
fabric-ca-client enroll -d -u https://orderer2-org0:[email protected]:7053
Set the environment variables for orderer2-org0
# tls certificate root directory of orderer2-org0
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org0/orderers/orderer2-org0
# tls certificate directory of orderer2-org0
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
# use the certificate generated when the tls-ca server started to talk to the tls-ca server
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/tls-ca/crypto/ca-cert.pem
Enroll with the orderer2-org0 account against the tls-ca server
fabric-ca-client enroll -d -u https://orderer2-org0:[email protected]:7052 --enrollment.profile tls --csr.hosts orderer2-org0
Rename the private key file
mv /usr/local/home/org0/orderers/orderer2-org0/tls-msp/keystore/*_sk /usr/local/home/org0/orderers/orderer2-org0/tls-msp/keystore/key.pem
Copy the identity certificate from org0's admin/msp to orderer2-org0
mkdir /usr/local/home/org0/orderers/orderer2-org0/msp/admincerts
cp /usr/local/home/org0/admin/msp/signcerts/cert.pem /usr/local/home/org0/orderers/orderer2-org0/msp/admincerts/orderer-admin-cert.pem
Set the environment variables for orderer3-org0
# msp certificate root directory of orderer3-org0
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org0/orderers/orderer3-org0
# use the org0-ca server's certificate
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/org0/ca/crypto/ca-cert.pem
# msp certificate directory of orderer3-org0
export FABRIC_CA_CLIENT_MSPDIR=msp
Enroll with the orderer3-org0 account against the org0-ca server
fabric-ca-client enroll -d -u https://orderer3-org0:[email protected]:7053
Set the environment variables for orderer3-org0
# tls certificate root directory of orderer3-org0
export FABRIC_CA_CLIENT_HOME=/usr/local/home/org0/orderers/orderer3-org0
# tls certificate directory of orderer3-org0
export FABRIC_CA_CLIENT_MSPDIR=tls-msp
# use the certificate generated when the tls-ca server started to talk to the tls-ca server
export FABRIC_CA_CLIENT_TLS_CERTFILES=/usr/local/home/tls-ca/crypto/ca-cert.pem
Enroll with the orderer3-org0 account against the tls-ca server (the --csr.hosts value must be the orderer's own host name, orderer3-org0)
fabric-ca-client enroll -d -u https://orderer3-org0:[email protected]:7052 --enrollment.profile tls --csr.hosts orderer3-org0
Rename the private key file
mv /usr/local/home/org0/orderers/orderer3-org0/tls-msp/keystore/*_sk /usr/local/home/org0/orderers/orderer3-org0/tls-msp/keystore/key.pem
Copy the identity certificate from org0's admin/msp to orderer3-org0
mkdir /usr/local/home/org0/orderers/orderer3-org0/msp/admincerts
cp /usr/local/home/org0/admin/msp/signcerts/cert.pem /usr/local/home/org0/orderers/orderer3-org0/msp/admincerts/orderer-admin-cert.pem
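Since --csr.hosts decides which host name ends up in the subjectAltName of the TLS certificate, a check that each orderer's tls-msp/signcerts/cert.pem actually names that orderer catches a copy-paste slip in the enroll commands before the node is started and other nodes refuse its TLS handshake. This is an added example, not code from the article; it needs openssl on the server, and san_dns_names, san_has_host, cert_san_line and tls_cert_matches_host are names I chose.

```shell
#!/bin/sh
# Added example, not code from the article. Verifies that a node's TLS
# certificate names the node itself in its subjectAltName, which is what
# --csr.hosts controls in the enroll commands above. Function names are mine.

# Print the DNS names from an openssl subjectAltName line such as
# "DNS:orderer3-org0, IP Address:127.0.0.1", one per line.
san_dns_names() {
  printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' | sed -n 's/^DNS://p'
}

# Return 0 when the SAN line in $1 carries DNS:$2, else 1.
san_has_host() {
  san_dns_names "$1" | grep -qxF "$2"
}

# Extract the SAN line from a PEM certificate; needs openssl on PATH.
# The -text form works on every openssl release, unlike -ext subjectAltName.
cert_san_line() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Return 0 when certificate $1 names host $2 in its SAN.
tls_cert_matches_host() {
  san_has_host "$(cert_san_line "$1")" "$2"
}

# Check every orderer's TLS certificate against its own name (article paths,
# commented out so the functions can be sourced on their own):
# for o in orderer1-org0 orderer2-org0 orderer3-org0; do
#   cert=/usr/local/home/org0/orderers/$o/tls-msp/signcerts/cert.pem
#   tls_cert_matches_host "$cert" "$o" ||
#     echo "$cert does not name $o; SAN holds: $(san_dns_names "$(cert_san_line "$cert")" | tr '\n' ' ')"
# done
```

The same loop works for the peers by substituting their tls-msp/signcerts/cert.pem paths and names; a certificate that fails the check has to be re-enrolled with the correct --csr.hosts, the file cannot be edited.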
At this point the certificates of org0's 3 orderers and its admin account are complete; the directory structure of /usr/local/home/org0 is as follows:
.
├── admin
│ ├── fabric-ca-client-config.yaml
│ └── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7053.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ ├── dd207032f6bf26a6503f3400c8b3e64e33e4a85557b624cef2e8c36a9f8ba6e7_sk
│ │ └── e3c44df4249dcf406558e78649e296354bac7536515ed00fbf69074b0db05cae_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
├── ca
│ ├── admin
│ │ ├── fabric-ca-client-config.yaml
│ │ └── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7053.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── ab09d345e16cd347a131398d0766caafeed67ab881a2184011de5ca951c0712e_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── crypto
│ ├── ca-cert.pem
│ ├── fabric-ca-server-config.yaml
│ ├── fabric-ca-server.db
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── msp
│ │ ├── cacerts
│ │ ├── keystore
│ │ │ ├── c267daf08ac85a1ec4444715550ae281ed8f4e856ed346c03e3bde0e099018cd_sk
│ │ │ ├── c3fd32170976f29b92fb9814712bb92f1933ebd39952b70e1a7919e29e0a98aa_sk
│ │ │ ├── IssuerRevocationPrivateKey
│ │ │ └── IssuerSecretKey
│ │ ├── signcerts
│ │ └── user
│ └── tls-cert.pem
└── orderers
├── orderer1-org0
│ ├── fabric-ca-client-config.yaml
│ ├── msp
│ │ ├── admincerts
│ │ │ └── orderer-admin-cert.pem
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7053.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── 0f38fc4270e4992029e98f148ada34ac709740ba9c38c63d768a102dab4c4841_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── tls-msp
│ ├── cacerts
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── key.pem
│ ├── signcerts
│ │ └── cert.pem
│ ├── tlscacerts
│ │ └── tls-0-0-0-0-7052.pem
│ └── user
├── orderer2-org0
│ ├── fabric-ca-client-config.yaml
│ ├── msp
│ │ ├── admincerts
│ │ │ └── orderer-admin-cert.pem
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7053.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── 5c5e68d9e1f896aecb8d8d4458c3cd44c82b9a998bb01656bf69b716c915272a_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── tls-msp
│ ├── cacerts
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── key.pem
│ ├── signcerts
│ │ └── cert.pem
│ ├── tlscacerts
│ │ └── tls-0-0-0-0-7052.pem
│ └── user
└── orderer3-org0
├── fabric-ca-client-config.yaml
├── msp
│ ├── admincerts
│ │ └── orderer-admin-cert.pem
│ ├── cacerts
│ │ └── 0-0-0-0-7053.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── b311dbb19e2d0b57c57d8b1b6a62132327728a9b1211255c17d158ec06972139_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── tls-msp
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── key.pem
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
Writing the config.yaml file
config.yaml must be copied into every msp directory under each organization
To tell them apart I named them <org>-config.yaml; when copying, change the file name back to config.yaml
org0-config.yaml
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    # change to this organization's own CA certificate; exactly what each certificate is, I do not know yet
    Certificate: cacerts/0-0-0-0-7053.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/0-0-0-0-7053.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/0-0-0-0-7053.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/0-0-0-0-7053.pem
    OrganizationalUnitIdentifier: orderer
org1-config.yaml
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    # change to this organization's own CA certificate; exactly what each certificate is, I do not know yet
    Certificate: cacerts/0-0-0-0-7054.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/0-0-0-0-7054.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/0-0-0-0-7054.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/0-0-0-0-7054.pem
    OrganizationalUnitIdentifier: orderer
org2-config.yaml
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    # change to this organization's own CA certificate; exactly what each certificate is, I do not know yet
    Certificate: cacerts/0-0-0-0-7055.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/0-0-0-0-7055.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/0-0-0-0-7055.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/0-0-0-0-7055.pem
    OrganizationalUnitIdentifier: orderer
Example
Copy org1-config.yaml into every msp directory under org1; the config.yaml of each of the 3 organizations must be copied into every msp directory under its own organization
Directory structure of /usr/local/home/org1 before copying:
.
├── admin
│ ├── fabric-ca-client-config.yaml
│ ├── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7054.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── de45e7764c8d26eba5d8e96d2d366d043ad07d5ddbe4b2bbd48272ab2fdcea57_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── tls-msp
│ ├── cacerts
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 2125e110e9526886be581851285312781bbec79bb8a4757d2748b9d7166ccb6c_sk
│ ├── signcerts
│ │ └── cert.pem
│ ├── tlscacerts
│ │ └── tls-0-0-0-0-7052.pem
│ └── user
├── ca
│ ├── admin
│ │ ├── fabric-ca-client-config.yaml
│ │ └── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7054.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── da98c6740625dc08de5563b747ba87630f397271aebf41137c87d4ed58be27d1_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── crypto
│ ├── ca-cert.pem
│ ├── fabric-ca-server-config.yaml
│ ├── fabric-ca-server.db
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── msp
│ │ ├── cacerts
│ │ ├── keystore
│ │ │ ├── 3881cf477449382af36b807feb0a29d19f57c17046a86be98930804b10594028_sk
│ │ │ ├── f25bf07673eb115b037c728163dc893ce2c007cb55933803fe61acd429e7749c_sk
│ │ │ ├── IssuerRevocationPrivateKey
│ │ │ └── IssuerSecretKey
│ │ ├── signcerts
│ │ └── user
│ └── tls-cert.pem
├── peer1
│ ├── fabric-ca-client-config.yaml
│ ├── msp
│ │ ├── admincerts
│ │ │ └── org1-admin-cert.pem
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7054.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── aedbae5b445aee11f5cd0a1ce71283e384a1743aef78ec410ce4f4d29d34f0c3_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── tls-msp
│ ├── cacerts
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── key.pem
│ ├── signcerts
│ │ └── cert.pem
│ ├── tlscacerts
│ │ └── tls-0-0-0-0-7052.pem
│ └── user
└── peer2
├── fabric-ca-client-config.yaml
├── msp
│ ├── admincerts
│ │ └── org1-admin-cert.pem
│ ├── cacerts
│ │ └── 0-0-0-0-7054.pem
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 9eb4c1642da9408003ac0a66bf489dccb98da14140aae10a9596bee6b832f6cb_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── tls-msp
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── key.pem
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
After copying, the msp directories of the admin, peer1 and peer2 subdirectories under /usr/local/home/org1 each contain a config.yaml file
.
├── admin
│ ├── fabric-ca-client-config.yaml
│ ├── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7054.pem
│ │ ├── config.yaml
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── de45e7764c8d26eba5d8e96d2d366d043ad07d5ddbe4b2bbd48272ab2fdcea57_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── tls-msp
│ ├── cacerts
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 2125e110e9526886be581851285312781bbec79bb8a4757d2748b9d7166ccb6c_sk
│ ├── signcerts
│ │ └── cert.pem
│ ├── tlscacerts
│ │ └── tls-0-0-0-0-7052.pem
│ └── user
├── ca
│ ├── admin
│ │ ├── fabric-ca-client-config.yaml
│ │ └── msp
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7054.pem
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── da98c6740625dc08de5563b747ba87630f397271aebf41137c87d4ed58be27d1_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── crypto
│ ├── ca-cert.pem
│ ├── fabric-ca-server-config.yaml
│ ├── fabric-ca-server.db
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── msp
│ │ ├── cacerts
│ │ ├── keystore
│ │ │ ├── 3881cf477449382af36b807feb0a29d19f57c17046a86be98930804b10594028_sk
│ │ │ ├── f25bf07673eb115b037c728163dc893ce2c007cb55933803fe61acd429e7749c_sk
│ │ │ ├── IssuerRevocationPrivateKey
│ │ │ └── IssuerSecretKey
│ │ ├── signcerts
│ │ └── user
│ └── tls-cert.pem
├── peer1
│ ├── fabric-ca-client-config.yaml
│ ├── msp
│ │ ├── admincerts
│ │ │ └── org1-admin-cert.pem
│ │ ├── cacerts
│ │ │ └── 0-0-0-0-7054.pem
│ │ ├── config.yaml
│ │ ├── IssuerPublicKey
│ │ ├── IssuerRevocationPublicKey
│ │ ├── keystore
│ │ │ └── aedbae5b445aee11f5cd0a1ce71283e384a1743aef78ec410ce4f4d29d34f0c3_sk
│ │ ├── signcerts
│ │ │ └── cert.pem
│ │ └── user
│ └── tls-msp
│ ├── cacerts
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── key.pem
│ ├── signcerts
│ │ └── cert.pem
│ ├── tlscacerts
│ │ └── tls-0-0-0-0-7052.pem
│ └── user
└── peer2
├── fabric-ca-client-config.yaml
├── msp
│ ├── admincerts
│ │ └── org1-admin-cert.pem
│ ├── cacerts
│ │ └── 0-0-0-0-7054.pem
│ ├── config.yaml
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── 9eb4c1642da9408003ac0a66bf489dccb98da14140aae10a9596bee6b832f6cb_sk
│ ├── signcerts
│ │ └── cert.pem
│ └── user
└── tls-msp
├── cacerts
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── key.pem
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
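Generating config.yaml per organization from the CA certificate that is actually present in cacerts, and placing it in every msp directory one level below the org home, as an added shell example (not part of the article; nodeous_config and install_nodeous are names I chose). The only thing that differs between the three files above is the cacerts file name, so deriving it from the directory avoids typing the wrong port into one organization's file, which would silently disable NodeOU classification for that org.

```shell
#!/bin/sh
# Added example, not code from the article. Generates the NodeOUs config.yaml
# for one organisation from the CA certificate actually present in cacerts and
# installs it into every msp directory one level below the organisation's home
# (admin, peer1, peer2 ... in the article's layout). Function names are mine.

# Print a config.yaml body for the msp directory $1. The Certificate entries
# reference the single file in $1/cacerts, so the port in the file name is
# never typed by hand. Refuses when cacerts holds zero or several files.
nodeous_config() {
  local msp="$1" ca="" n=0 f ou lower
  for f in "$msp"/cacerts/*.pem; do
    [ -e "$f" ] || continue
    n=$((n + 1))
    ca=$(basename "$f")
  done
  if [ "$n" -ne 1 ]; then
    echo "expected exactly one CA certificate in $msp/cacerts, found $n" >&2
    return 1
  fi
  printf 'NodeOUs:\n  Enable: true\n'
  for ou in Client Peer Admin Orderer; do
    lower=$(printf '%s' "$ou" | tr 'A-Z' 'a-z')
    printf '  %sOUIdentifier:\n    Certificate: cacerts/%s\n    OrganizationalUnitIdentifier: %s\n' \
      "$ou" "$ca" "$lower"
  done
}

# Write config.yaml into each */msp below the organisation home $1 and print
# how many files were written. ca/ holds the CA server's own msp two levels
# down, so the one-level glob leaves it alone, matching the article's result.
install_nodeous() {
  local home="$1" written=0 msp out
  for msp in "$home"/*/msp; do
    [ -d "$msp" ] || continue
    out=$(nodeous_config "$msp") || return 1
    printf '%s\n' "$out" > "$msp/config.yaml"
    written=$((written + 1))
  done
  echo "$written"
}

# Usage with the article's paths (commented out; run once per organisation):
# install_nodeous /usr/local/home/org0
# install_nodeous /usr/local/home/org1
# install_nodeous /usr/local/home/org2
```

The generated body is byte-for-byte the layout of the three files above apart from the certificate name, so the result can be diffed against a hand-written org1-config.yaml to confirm nothing else changed.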
Consolidating the admin certificates of each organization
Consolidating the admin certificate of org0
Create a configtx folder under /usr/local/home/
Note: the folders and directory structure created from here on must not be changed
mkdir -p /usr/local/home/configtx/org0
Directory structure of /usr/local/home/configtx/ after creating the directory
.
└── org0
Copy the whole /usr/local/home/org0/admin/msp directory into /usr/local/home/configtx/org0
cp -r /usr/local/home/org0/admin/msp /usr/local/home/configtx/org0
Create tlscacerts under /usr/local/home/configtx/org0/msp
mkdir /usr/local/home/configtx/org0/msp/tlscacerts
Copy the TLS CA certificate from orderer1-org0's tls-msp/tlscacerts into this directory
cp /usr/local/home/org0/orderers/orderer1-org0/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem /usr/local/home/configtx/org0/msp/tlscacerts
Directory structure of /usr/local/home/configtx after consolidating org0's admin certificate
.
└── org0
└── msp
├── cacerts
│ └── 0-0-0-0-7053.pem
├── config.yaml
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ ├── dd207032f6bf26a6503f3400c8b3e64e33e4a85557b624cef2e8c36a9f8ba6e7_sk
│ └── e3c44df4249dcf406558e78649e296354bac7536515ed00fbf69074b0db05cae_sk
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
Consolidating the admin certificate of org1
Create an org1 folder under /usr/local/home/configtx and copy the whole admin/msp directory of org1 into it
mkdir -p /usr/local/home/configtx/org1 && cp -r /usr/local/home/org1/admin/msp /usr/local/home/configtx/org1/
Create a tlscacerts directory under /usr/local/home/configtx/org1/msp and copy the certificate from org1/admin/tls-msp/tlscacerts into it (the copy target must be the msp/tlscacerts directory; copying to org1/tlscacerts instead leaves msp/tlscacerts empty and creates a stray file next to msp)
mkdir -p /usr/local/home/configtx/org1/msp/tlscacerts && cp /usr/local/home/org1/admin/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem /usr/local/home/configtx/org1/msp/tlscacerts
Directory structure of /usr/local/home/configtx after consolidation
.
├── org0
│ └── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7053.pem
│ ├── config.yaml
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ ├── dd207032f6bf26a6503f3400c8b3e64e33e4a85557b624cef2e8c36a9f8ba6e7_sk
│ │ └── e3c44df4249dcf406558e78649e296354bac7536515ed00fbf69074b0db05cae_sk
│ ├── signcerts
│ │ └── cert.pem
│ ├── tlscacerts
│ │ └── tls-0-0-0-0-7052.pem
│ └── user
└── org1
└── msp
├── cacerts
│ └── 0-0-0-0-7054.pem
├── config.yaml
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── de45e7764c8d26eba5d8e96d2d366d043ad07d5ddbe4b2bbd48272ab2fdcea57_sk
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
Consolidating the admin certificate of org2
Create an org2 folder under /usr/local/home/configtx and copy the whole admin/msp directory of org2 into it
mkdir -p /usr/local/home/configtx/org2 && cp -r /usr/local/home/org2/admin/msp /usr/local/home/configtx/org2/
Create a tlscacerts directory under /usr/local/home/configtx/org2/msp and copy the certificate from org2/admin/tls-msp/tlscacerts into it (again the copy target is the msp/tlscacerts directory, not org2/tlscacerts)
mkdir -p /usr/local/home/configtx/org2/msp/tlscacerts && cp /usr/local/home/org2/admin/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem /usr/local/home/configtx/org2/msp/tlscacerts
Directory structure of /usr/local/home/configtx after consolidation
.
├── org0
│ └── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7053.pem
│ ├── config.yaml
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ ├── dd207032f6bf26a6503f3400c8b3e64e33e4a85557b624cef2e8c36a9f8ba6e7_sk
│ │ └── e3c44df4249dcf406558e78649e296354bac7536515ed00fbf69074b0db05cae_sk
│ ├── signcerts
│ │ └── cert.pem
│ ├── tlscacerts
│ │ └── tls-0-0-0-0-7052.pem
│ └── user
├── org1
│ └── msp
│ ├── cacerts
│ │ └── 0-0-0-0-7054.pem
│ ├── config.yaml
│ ├── IssuerPublicKey
│ ├── IssuerRevocationPublicKey
│ ├── keystore
│ │ └── de45e7764c8d26eba5d8e96d2d366d043ad07d5ddbe4b2bbd48272ab2fdcea57_sk
│ ├── signcerts
│ │ └── cert.pem
│ ├── tlscacerts
│ │ └── tls-0-0-0-0-7052.pem
│ └── user
└── org2
└── msp
├── cacerts
│ └── 0-0-0-0-7055.pem
├── config.yaml
├── IssuerPublicKey
├── IssuerRevocationPublicKey
├── keystore
│ └── 16c915c779994205ccf0de9f97ff98d134b060a8567cd99f2db02021bfc8d8c8_sk
├── signcerts
│ └── cert.pem
├── tlscacerts
│ └── tls-0-0-0-0-7052.pem
└── user
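Before running configtxgen, a quick structural check of each consolidated organization directory is worth the few seconds it takes. This is an added example, not code from the article; dir_has_file and verify_msp_dir are names of my own. It reports the layouts that commonly break MSP loading in this procedure: a missing config.yaml (NodeOUs then stay disabled), an empty msp/tlscacerts, and a file called tlscacerts beside msp, which is what a cp into a directory that does not exist yet leaves behind.

```shell
#!/bin/sh
# Added example, not code from the article. Structural check of one
# consolidated organisation directory (<org>/msp) before configtxgen reads it.
# Function names are mine; the layout checked is the one the article builds.

# Return 0 when directory $1 contains at least one regular file.
dir_has_file() {
  for f in "$1"/*; do
    [ -f "$f" ] && return 0
  done
  return 1
}

# Report problems in $1/msp on stdout, one per line; return 1 if any were found.
verify_msp_dir() {
  local org="$1" msp="$1/msp" rc=0 n=0 f
  [ -d "$msp" ] || { echo "$org: msp directory missing"; return 1; }
  dir_has_file "$msp/cacerts" ||
    { echo "$org: msp/cacerts is empty"; rc=1; }
  [ -f "$msp/signcerts/cert.pem" ] ||
    { echo "$org: msp/signcerts/cert.pem missing"; rc=1; }
  [ -f "$msp/config.yaml" ] ||
    { echo "$org: msp/config.yaml missing, NodeOUs will not be enabled"; rc=1; }
  dir_has_file "$msp/tlscacerts" ||
    { echo "$org: msp/tlscacerts is empty"; rc=1; }
  if [ -f "$org/tlscacerts" ]; then
    echo "$org: stray file $org/tlscacerts, the TLS CA cert belongs in msp/tlscacerts/"
    rc=1
  fi
  # Several *_sk files mean enroll was run more than once; only the key matching
  # signcerts/cert.pem is used, so this is reported as a warning, not a failure.
  for f in "$msp"/keystore/*_sk; do
    [ -e "$f" ] && n=$((n + 1))
  done
  [ "$n" -le 1 ] || echo "$org: warning, $n private keys in msp/keystore"
  return "$rc"
}

# Usage over the article's consolidated tree (commented out):
# for org in org0 org1 org2; do
#   verify_msp_dir "/usr/local/home/configtx/$org" ||
#     echo "$org: fix the lines above before running configtxgen"
# done
```

The same function applies unchanged to the per-node directories (for example /usr/local/home/org1/peer1), except that those have no msp/tlscacerts, so that one line of output is expected there.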
Writing the configtx.yaml file
Create configtx.yaml under /usr/local/home/configtx
cd /usr/local/home/configtx && touch configtx.yaml
Paste the configuration into configtx.yaml
---
Organizations:
  # organizations
  - &org0
    # organization name
    Name: org0MSP
    # organization id
    ID: org0MSP
    # path to the consolidated admin/msp of org0
    MSPDir: /usr/local/home/configtx/org0/msp
    # policies; must not be commented out, otherwise configtxgen fails with an error that the policy configuration cannot be found
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('org0MSP.member')"
      Writers:
        Type: Signature
        Rule: "OR('org0MSP.member')"
      Admins:
        Type: Signature
        Rule: "OR('org0MSP.admin')"
    # address of the main orderer of the orderer organization
    OrdererEndpoints:
      - orderer1-org0:7050
  - &org1
    # organization name
    Name: org1MSP
    # organization id
    ID: org1MSP
    # path to the consolidated admin/msp of org1
    MSPDir: /usr/local/home/configtx/org1/msp
    # policies
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('org1MSP.admin', 'org1MSP.peer', 'org1MSP.client')"
      Writers:
        Type: Signature
        Rule: "OR('org1MSP.admin', 'org1MSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('org1MSP.admin')"
      Endorsement:
        Type: Signature
        Rule: "OR('org1MSP.peer')"
    AnchorPeers:
      - Host: peer1-org1
        Port: 7051
  - &org2
    Name: org2MSP
    ID: org2MSP
    MSPDir: /usr/local/home/configtx/org2/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('org2MSP.admin', 'org2MSP.peer', 'org2MSP.client')"
      Writers:
        Type: Signature
        Rule: "OR('org2MSP.admin', 'org2MSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('org2MSP.admin')"
      Endorsement:
        Type: Signature
        Rule: "OR('org2MSP.peer')"
    AnchorPeers:
      - Host: peer1-org2
        Port: 9051
Capabilities:
  Channel: &ChannelCapabilities
    V2_0: true
  Orderer: &OrdererCapabilities
    V2_0: true
  Application: &ApplicationCapabilities
    V2_0: true
Application: &ApplicationDefaults
  Organizations:
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
    LifecycleEndorsement:
      Type: ImplicitMeta
      Rule: "MAJORITY Endorsement"
    Endorsement:
      Type: ImplicitMeta
      Rule: "MAJORITY Endorsement"
  Capabilities:
    <<: *ApplicationCapabilities
Orderer: &OrdererDefaults
  OrdererType: etcdraft
  EtcdRaft:
    # addresses of all orderer nodes
    Consenters:
      - Host: orderer1-org0
        Port: 7050
        # TLS certificate of the orderer node itself (its tls-msp/signcerts/cert.pem)
        ClientTLSCert: /usr/local/home/org0/orderers/orderer1-org0/tls-msp/signcerts/cert.pem
        ServerTLSCert: /usr/local/home/org0/orderers/orderer1-org0/tls-msp/signcerts/cert.pem
      - Host: orderer2-org0
        Port: 8050
        ClientTLSCert: /usr/local/home/org0/orderers/orderer2-org0/tls-msp/signcerts/cert.pem
        ServerTLSCert: /usr/local/home/org0/orderers/orderer2-org0/tls-msp/signcerts/cert.pem
      - Host: orderer3-org0
        Port: 9050
        ClientTLSCert: /usr/local/home/org0/orderers/orderer3-org0/tls-msp/signcerts/cert.pem
        ServerTLSCert: /usr/local/home/org0/orderers/orderer3-org0/tls-msp/signcerts/cert.pem
  BatchTimeout: 2s
  BatchSize:
    MaxMessageCount: 10
    AbsoluteMaxBytes: 99 MB
    PreferredMaxBytes: 512 KB
  Organizations:
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
    BlockValidation:
      Type: ImplicitMeta
      Rule: "ANY Writers"
Channel: &ChannelDefaults
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
  Capabilities:
    <<: *ChannelCapabilities
Profiles:
  TwoOrgsOrdererGenesis:
    <<: *ChannelDefaults
    Orderer:
      <<: *OrdererDefaults
      Organizations:
        - *org0
      Capabilities:
        <<: *OrdererCapabilities
    Consortiums:
      SampleConsortium:
        Organizations:
          - *org1
          - *org2
  TwoOrgsChannel:
    Consortium: SampleConsortium
    <<: *ChannelDefaults
    Application:
      <<: *ApplicationDefaults
      Organizations:
        - *org1
        - *org2
      Capabilities:
        <<: *ApplicationCapabilities
Creating the genesis block
Under /usr/local/home/configtx create a block directory for the genesis block and a channel-artifacts directory for the channel configuration
mkdir -p /usr/local/home/configtx/{block,channel-artifacts}
Generate the genesis block
configtxgen -profile TwoOrgsOrdererGenesis -channelID system-channel -outputBlock /usr/local/home/configtx/block/genesis.block
(Screenshot: configtxgen output after the genesis block was generated successfully)
Creating the channel configuration
Set the environment variable
# channel name
export CHANNEL_NAME=mychannel
Create the channel configuration transaction
configtxgen -profile TwoOrgsChannel -outputCreateChannelTx /usr/local/home/configtx/channel-artifacts/${CHANNEL_NAME}.tx -channelID ${CHANNEL_NAME}
(Screenshot: configtxgen output after the channel configuration was generated successfully)
Creating the anchor peer (endorsing node) update configuration
# org1 configuration
export orgmsp=org1MSP
configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate /usr/local/home/configtx/channel-artifacts/${orgmsp}anchors.tx -channelID ${CHANNEL_NAME} -asOrg ${orgmsp}
# org2 configuration
export orgmsp=org2MSP
configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate /usr/local/home/configtx/channel-artifacts/${orgmsp}anchors.tx -channelID ${CHANNEL_NAME} -asOrg ${orgmsp}
(Screenshot: configtxgen output after the anchor peer updates were generated successfully)
All preparation is now complete; configure docker-compose and start the fabric network
4. Start the fabric network
Writing the docker-compose file
Create the deploy.yaml file under /usr/local/home/
cd /usr/local/home && touch deploy.yaml
deploy.yaml configuration
version: '2'
volumes:
  peer1-org1:
  peer2-org1:
  peer1-org2:
  peer2-org2:
  orderer1-org0:
networks:
  byfn:
    external:
      name: dev
services:
  peer1-org1:
    container_name: peer1-org1
    image: hyperledger/fabric-peer:latest
    environment:
      - CORE_PEER_ID=peer1-org1
      - CORE_PEER_ADDRESS=peer1-org1:7051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:7051
      - CORE_PEER_CHAINCODEADDRESS=peer1-org1:7052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org1:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1-org1:7051
      - CORE_PEER_LOCALMSPID=org1MSP
      # msp certificate path
      - CORE_PEER_MSPCONFIGPATH=/usr/local/home/org1/peer1/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      # network the chaincode containers join
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=dev
      - FABRIC_LOGGING_SPEC=debug
      - CORE_PEER_TLS_ENABLED=true
      # tls signing certificate
      - CORE_PEER_TLS_CERT_FILE=/usr/local/home/org1/peer1/tls-msp/signcerts/cert.pem
      # tls private key
      - CORE_PEER_TLS_KEY_FILE=/usr/local/home/org1/peer1/tls-msp/keystore/key.pem
      # root certificate of the tls-ca
      - CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1/peer1
    volumes:
      - /var/run:/host/var/run
      - /usr/local/home:/usr/local/home
    networks:
      - byfn
    ports:
      - "7051:7051"
  peer2-org1:
    container_name: peer2-org1
    image: hyperledger/fabric-peer:latest
    environment:
      - CORE_PEER_ID=peer2-org1
      - CORE_PEER_ADDRESS=peer2-org1:8051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:8051
      - CORE_PEER_CHAINCODEADDRESS=peer2-org1:8052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:8052
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org1:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer2-org1:8051
      - CORE_PEER_LOCALMSPID=org1MSP
      - CORE_PEER_MSPCONFIGPATH=/usr/local/home/org1/peer2/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=dev
      - FABRIC_LOGGING_SPEC=debug
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/usr/local/home/org1/peer2/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/usr/local/home/org1/peer2/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org1/peer2/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1/peer2
    volumes:
      - /var/run:/host/var/run
      - /usr/local/home:/usr/local/home
    networks:
      - byfn
    ports:
      - "8051:8051"
  peer1-org2:
    container_name: peer1-org2
    image: hyperledger/fabric-peer:latest
    environment:
      - CORE_PEER_ID=peer1-org2
      - CORE_PEER_ADDRESS=peer1-org2:9051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:9051
      - CORE_PEER_CHAINCODEADDRESS=peer1-org2:9052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:9052
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org2:9051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1-org2:9051
      - CORE_PEER_LOCALMSPID=org2MSP
      - CORE_PEER_MSPCONFIGPATH=/usr/local/home/org2/peer1/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=dev
      - FABRIC_LOGGING_SPEC=debug
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/usr/local/home/org2/peer1/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/usr/local/home/org2/peer1/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2/peer1
    volumes:
      - /var/run:/host/var/run
      - /usr/local/home:/usr/local/home
    networks:
      - byfn
    ports:
      - "9051:9051"
  peer2-org2:
    container_name: peer2-org2
    image: hyperledger/fabric-peer:latest
    environment:
      - CORE_PEER_ID=peer2-org2
      - CORE_PEER_ADDRESS=peer2-org2:10051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:10051
      - CORE_PEER_CHAINCODEADDRESS=peer2-org2:10052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:10052
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1-org2:9051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer2-org2:10051
      - CORE_PEER_LOCALMSPID=org2MSP
      - CORE_PEER_MSPCONFIGPATH=/usr/local/home/org2/peer2/msp
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=dev
      - FABRIC_LOGGING_SPEC=debug
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/usr/local/home/org2/peer2/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/usr/local/home/org2/peer2/tls-msp/keystore/key.pem
      - CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org2/peer2/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
      - CORE_PEER_PROFILE_ENABLED=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org2/peer2
    volumes:
      - /var/run:/host/var/run
      - /usr/local/home:/usr/local/home
    networks:
      - byfn
    ports:
      - "10051:10051"
  orderer1-org0:
    container_name: orderer1-org0
    image: hyperledger/fabric-orderer:latest
    environment:
      - ORDERER_HOME=/usr/local/home/orderer
      - ORDERER_HOST=orderer1-org0
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_LISTENPORT=7050
      - ORDERER_GENERAL_GENESISMETHOD=file
      # genesis block path (the file produced by configtxgen above)
      - ORDERER_GENERAL_GENESISFILE=/usr/local/home/configtx/block/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=org0MSP
      - ORDERER_GENERAL_LOCALMSPDIR=/usr/local/home/org0/orderers/orderer1-org0/msp
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/usr/local/home/org0/orderers/orderer1-org0/tls-msp/keystore/key.pem
      - ORDERER_GENERAL_TLS_CERTIFICATE=/usr/local/home/org0/orderers/orderer1-org0/tls-msp/signcerts/cert.pem
      - ORDERER_GENERAL_TLS_ROOTCAS=[/usr/local/home/org0/orderers/orderer1-org0/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]
      - ORDERER_KAFKA_TOPIC_REPLICATIONFACTOR=1
      - ORDERER_KAFKA_VERBOSE=true
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/usr/local/home/org0/orderers/orderer1-org0/tls-msp/signcerts/cert.pem
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/usr/local/home/org0/orderers/orderer1-org0/tls-msp/keystore/key.pem
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/usr/local/home/org0/orderers/orderer1-org0/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]
      - ORDERER_GENERAL_LOGLEVEL=debug
      - ORDERER_DEBUG_BROADCASTTRACEDIR=data/logs
    volumes:
      - /usr/local/home:/usr/local/home
    ports:
      - "7050:7050"
    networks:
      - byfn
  orderer2-org0:
    container_name: orderer2-org0
    image: hyperledger/fabric-orderer:latest
    environment:
      - ORDERER_HOME=/usr/local/home/orderer
      - ORDERER_HOST=orderer2-org0
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_LISTENPORT=8050
      - ORDERER_GENERAL_GENESISMETHOD=file
      # all three orderers must boot from the same genesis block
      - ORDERER_GENERAL_GENESISFILE=/usr/local/home/configtx/block/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=org0MSP
      - ORDERER_GENERAL_LOCALMSPDIR=/usr/local/home/org0/orderers/orderer2-org0/msp
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/usr/local/home/org0/orderers/orderer2-org0/tls-msp/keystore/key.pem
      - ORDERER_GENERAL_TLS_CERTIFICATE=/usr/local/home/org0/orderers/orderer2-org0/tls-msp/signcerts/cert.pem
      - ORDERER_GENERAL_TLS_ROOTCAS=[/usr/local/home/org0/orderers/orderer2-org0/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]
      - ORDERER_KAFKA_TOPIC_REPLICATIONFACTOR=1
      - ORDERER_KAFKA_VERBOSE=true
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/usr/local/home/org0/orderers/orderer2-org0/tls-msp/signcerts/cert.pem
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/usr/local/home/org0/orderers/orderer2-org0/tls-msp/keystore/key.pem
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/usr/local/home/org0/orderers/orderer2-org0/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]
      - ORDERER_GENERAL_LOGLEVEL=debug
      - ORDERER_DEBUG_BROADCASTTRACEDIR=data/logs
    volumes:
      - /usr/local/home:/usr/local/home
    ports:
      - "8050:8050"
    networks:
      - byfn
  orderer3-org0:
    container_name: orderer3-org0
    image: hyperledger/fabric-orderer:latest
    environment:
      - ORDERER_HOME=/usr/local/home/orderer
      - ORDERER_HOST=orderer3-org0
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_LISTENPORT=9050
      - ORDERER_GENERAL_GENESISMETHOD=file
      # all three orderers must boot from the same genesis block
      - ORDERER_GENERAL_GENESISFILE=/usr/local/home/configtx/block/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=org0MSP
      - ORDERER_GENERAL_LOCALMSPDIR=/usr/local/home/org0/orderers/orderer3-org0/msp
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/usr/local/home/org0/orderers/orderer3-org0/tls-msp/keystore/key.pem
      - ORDERER_GENERAL_TLS_CERTIFICATE=/usr/local/home/org0/orderers/orderer3-org0/tls-msp/signcerts/cert.pem
      - ORDERER_GENERAL_TLS_ROOTCAS=[/usr/local/home/org0/orderers/orderer3-org0/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]
      - ORDERER_KAFKA_TOPIC_REPLICATIONFACTOR=1
      - ORDERER_KAFKA_VERBOSE=true
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/usr/local/home/org0/orderers/orderer3-org0/tls-msp/signcerts/cert.pem
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/usr/local/home/org0/orderers/orderer3-org0/tls-msp/keystore/key.pem
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/usr/local/home/org0/orderers/orderer3-org0/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]
      - ORDERER_GENERAL_LOGLEVEL=debug
      - ORDERER_DEBUG_BROADCASTTRACEDIR=data/logs
    volumes:
      - /usr/local/home:/usr/local/home
    ports:
      - "9050:9050"
    networks:
      - byfn
  cli:
    container_name: cli-org1
    image: hyperledger/fabric-tools:latest
    tty: true
    stdin_open: true
    environment:
      - SYS_CHANNEL=testchainid
      - GOPATH=/opt/gopath
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - FABRIC_LOGGING_SPEC=DEBUG
      - CORE_PEER_ID=cli-org1
      - CORE_PEER_ADDRESS=peer1-org1:7051
      - CORE_PEER_LOCALMSPID=org1MSP
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
      - CORE_PEER_TLS_CERT_FILE=/usr/local/home/org1/peer1/tls-msp/signcerts/cert.pem
      - CORE_PEER_TLS_KEY_FILE=/usr/local/home/org1/peer1/tls-msp/keystore/key.pem
      - CORE_PEER_MSPCONFIGPATH=/usr/local/home/org1/peer1/msp
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/org1
    command: /bin/bash
    depends_on:
      - peer1-org1
    volumes:
      - /usr/local/home:/usr/local/home
    networks:
      - byfn
Save and exit
Starting fabric
Start the fabric network
docker-compose -f deploy.yaml up -d
Check the containers
docker ps -a
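Before the containers come up it is worth checking that each node's tls-msp directory is consistent with what deploy.yaml expects: the key in keystore/ belongs to the certificate in signcerts/, that certificate was issued by the tls-ca root in tlscacerts/, and it names the container (peer1-org1 and so on) as a DNS SAN, because the nodes dial each other by container name. The script below is an added example, not code from the original post or from Fabric; it assumes the directory layout used in this article and that openssl is on the PATH, and make_fixture builds a constructed throwaway tls-msp directory so the check can be tried offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or Fabric): verify one node's
# tls-msp directory, in this post's layout, before docker-compose starts it.
# Exit codes: 0 ok, 1 missing files, 2 key/cert mismatch, 3 wrong issuer,
# 4 certificate does not name the container as a DNS SAN.
check_tls_msp() {
  local dir=$1 host=$2
  local cert="$dir/signcerts/cert.pem" key="$dir/keystore/key.pem" ca
  ca=$(ls "$dir"/tlscacerts/*.pem 2>/dev/null | head -n 1)
  [ -f "$cert" ] && [ -f "$key" ] && [ -n "$ca" ] ||
    { echo "$dir: missing tls material" >&2; return 1; }
  # 1. keystore/key.pem must be the private half of signcerts/cert.pem
  [ "$(openssl x509 -in "$cert" -pubkey -noout)" = \
    "$(openssl pkey -in "$key" -pubout)" ] ||
    { echo "$dir: key does not match certificate" >&2; return 2; }
  # 2. the certificate must chain to the tls-ca root the other nodes trust
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "$dir: certificate not issued by $ca" >&2; return 3; }
  # 3. nodes dial each other by container name, so it must be a DNS SAN
  openssl x509 -in "$cert" -noout -text | grep -Eq "DNS:$host(,|[[:space:]]|$)" ||
    { echo "$dir: no DNS SAN for $host" >&2; return 4; }
}

# Constructed offline fixture: a throwaway EC tls-ca root plus a leaf for
# $host, laid out like /usr/local/home/org1/peer1/tls-msp in the post.
make_fixture() {
  local dir=$1 host=$2
  local ca="$dir/tlscacerts/tls-0-0-0-0-7052.pem"
  mkdir -p "$dir/keystore" "$dir/signcerts" "$dir/tlscacerts"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
  openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=tls-ca" -days 1 \
    -out "$ca" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/keystore/key.pem"
  openssl req -new -key "$dir/keystore/key.pem" -subj "/CN=$host" \
    -out "$dir/peer.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/peer.csr" -CA "$ca" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/san.cnf" \
    -out "$dir/signcerts/cert.pem" 2>/dev/null
}

# Typical use on the host, mirroring the paths in deploy.yaml:
#   check_tls_msp /usr/local/home/org1/peer1/tls-msp peer1-org1
```

Run it once per peer and orderer directory; a non-zero exit explains which of the three checks failed, which is far cheaper than reading TLS handshake errors out of the container logs afterwards.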
5. Deploying chaincode
Steps for deploying chaincode
- Create the channel
- peer1-org1 joins the channel
- Set peer1-org1 as the anchor peer (the node listed under AnchorPeers in configtx.yaml)
- peer2-org1 joins the channel
- peer1-org2 joins the channel
- Set peer1-org2 as the anchor peer
- peer2-org2 joins the channel
- Package the chaincode
- Install the chaincode on peer1-org2
- Approve the chaincode on peer1-org2
- Install the chaincode on peer1-org1
- Approve the chaincode on peer1-org1
- Commit the chaincode
- Initialize the chaincode
Creating the channel
Enter the cli container; both the channel and the chaincode operations depend on it
Do not leave the container midway: the sections below carry over the environment variables set in the previous steps. If you exit the container you must set them again, and since this article does not document the variables in detail, you would have to start over from here and set them all along the way
# enter the cli container
docker exec -it cli-org1 bash
# change to the working directory; mine is /usr/local/home/configtx
cd /usr/local/home/configtx
# set the environment variables for peer1-org1
# org1 admin msp directory
export CORE_PEER_MSPCONFIGPATH=/usr/local/home/org1/admin/msp
# peer1-org1 address
export CORE_PEER_ADDRESS=peer1-org1:7051
# org1 msp id
export CORE_PEER_LOCALMSPID="org1MSP"
# tls root certificate for peer1-org1
export CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
# channel name
export CHANNEL_NAME=mychannel
# tls root certificate of the orderer
export ORDERPEM=/usr/local/home/org0/orderers/orderer1-org0/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
# create the channel
peer channel create -o orderer1-org0:7050 -c $CHANNEL_NAME -f ./channel-artifacts/${CHANNEL_NAME}.tx --tls true --cafile $ORDERPEM
org1 joins the channel
# still using the peer1-org1 environment from above, join peer1-org1 to the channel
peer channel join -b $CHANNEL_NAME.block
# set peer1-org1 as the anchor peer
peer channel update -o orderer1-org0:7050 -c $CHANNEL_NAME -f ./channel-artifacts/${CORE_PEER_LOCALMSPID}anchors.tx --tls true --cafile $ORDERPEM
# switch to peer2-org1's certificates
export CORE_PEER_ADDRESS=peer2-org1:8051
export CORE_PEER_TLS_CERT_FILE=/usr/local/home/org1/peer2/tls-msp/signcerts/cert.pem
export CORE_PEER_TLS_KEY_FILE=/usr/local/home/org1/peer2/tls-msp/keystore/key.pem
export CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org1/peer2/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
# peer2-org1 joins the channel
peer channel join -b $CHANNEL_NAME.block
org2 joins the channel
# switch to peer1-org2's certificates
export CORE_PEER_LOCALMSPID=org2MSP
export CORE_PEER_ADDRESS=peer1-org2:9051
export CORE_PEER_MSPCONFIGPATH=/usr/local/home/org2/admin/msp
export CORE_PEER_TLS_CERT_FILE=/usr/local/home/org2/peer1/tls-msp/signcerts/cert.pem
export CORE_PEER_TLS_KEY_FILE=/usr/local/home/org2/peer1/tls-msp/keystore/key.pem
export CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
# join the channel
peer channel join -b $CHANNEL_NAME.block
# set peer1-org2 as the anchor peer
peer channel update -o orderer1-org0:7050 -c $CHANNEL_NAME -f ./channel-artifacts/${CORE_PEER_LOCALMSPID}anchors.tx --tls true --cafile $ORDERPEM
# switch to peer2-org2's certificates
export CORE_PEER_ADDRESS=peer2-org2:10051
export CORE_PEER_TLS_CERT_FILE=/usr/local/home/org2/peer2/tls-msp/signcerts/cert.pem
export CORE_PEER_TLS_KEY_FILE=/usr/local/home/org2/peer2/tls-msp/keystore/key.pem
export CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org2/peer2/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
# join the channel
peer channel join -b $CHANNEL_NAME.block
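Switching the cli between peers, as done above and again in the install and approve steps that follow, means re-typing six variables every time, and a stale CORE_PEER_TLS_ROOTCERT_FILE or CORE_PEER_MSPCONFIGPATH is a common cause of puzzling TLS or authorization errors. The function below is an added helper, not part of the original post; it derives the variables from the layout and naming used in this article (orgN/peerM under /usr/local/home, msp id orgNMSP, address peerM-orgN:port) and refuses to switch if any certificate material is missing, leaving the previous context untouched. FABRIC_HOME is an assumed override of the base directory, used only for testing.

```shell
#!/usr/bin/env bash
# Added helper (not from the original post): point the cli container's `peer`
# binary at one peer of one org, using this article's directory layout.
# Usage: use_peer <org> <peer> <port>      e.g.  use_peer org1 peer2 8051
# FABRIC_HOME (assumed name) overrides the /usr/local/home base for testing.
use_peer() {
  local org=$1 peer=$2 port=$3
  local base=${FABRIC_HOME:-/usr/local/home}
  local node="$base/$org/$peer"
  # the org admin's MSP signs channel and lifecycle operations
  local admin_msp="$base/$org/admin/msp"
  # the peer's TLS material, the same files deploy.yaml mounts into the peer
  local tls_ca="$node/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem"
  local tls_cert="$node/tls-msp/signcerts/cert.pem"
  local tls_key="$node/tls-msp/keystore/key.pem"
  local f
  for f in "$admin_msp" "$tls_ca" "$tls_cert" "$tls_key"; do
    # bail out before touching the environment, so the old context survives
    [ -e "$f" ] || { echo "use_peer: missing $f" >&2; return 1; }
  done
  # naming convention from this article: org1 -> org1MSP, peer2-org1:8051
  export CORE_PEER_LOCALMSPID="${org}MSP"
  export CORE_PEER_ADDRESS="${peer}-${org}:${port}"
  export CORE_PEER_MSPCONFIGPATH="$admin_msp"
  export CORE_PEER_TLS_ROOTCERT_FILE="$tls_ca"
  export CORE_PEER_TLS_CERT_FILE="$tls_cert"
  export CORE_PEER_TLS_KEY_FILE="$tls_key"
  echo "peer context: $CORE_PEER_ADDRESS ($CORE_PEER_LOCALMSPID)"
}
```

Source the file inside the cli container and the join steps above become `use_peer org1 peer1 7051`, `use_peer org1 peer2 8051` and so on, each followed by the same `peer channel join -b $CHANNEL_NAME.block`.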
Installing chaincode on peer1-org2
- Before installing, upload your own chaincode to /usr/local/home on the server. It can live elsewhere, but make sure its directory is mounted into the cli container; mine is in /usr/local/home/chaincode
- The chaincode must be installed on the endorsing peer of every organization
- Structure of /usr/local/home/chaincode
.
├── pom.xml
└── src
    └── main
        └── java
            ├── com
            │   └── sxkj
            │       ├── ChainCode.java
            │       └── common
            │           ├── demo
            │           │   ├── Craft.java
            │           │   ├── PeterData.java
            │           │   └── ProcessName.java
            │           └── TimeUtil.java
            └── reademe.txt
If you have left the cli container, enter it again
# back to the working directory
cd /usr/local/home
# chaincode directory
export CC_SRC_PATH=/usr/local/home/chaincode
# chaincode language: go, node or java
export CC_RUNTIME_LANGUAGE=java
# channel name
export CHANNEL_NAME=mychannel
# chaincode version; any value is fine
export VERSION=1
# chaincode sequence number; it must start at 1 and be incremented by 1 on every redeployment
export SEQUENCE=1
# tls root certificate of the orderer
export ORDERPEM=/usr/local/home/org0/orderers/orderer1-org0/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
# certificates for peer1-org2, the endorsing peer of org2
export CORE_PEER_LOCALMSPID=org2MSP
export CORE_PEER_ADDRESS=peer1-org2:9051
export CORE_PEER_MSPCONFIGPATH=/usr/local/home/org2/admin/msp
export CORE_PEER_TLS_CERT_FILE=/usr/local/home/org2/peer1/tls-msp/signcerts/cert.pem
export CORE_PEER_TLS_KEY_FILE=/usr/local/home/org2/peer1/tls-msp/keystore/key.pem
export CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
# package the chaincode
peer lifecycle chaincode package chaincode.tar.gz --path ${CC_SRC_PATH} --lang ${CC_RUNTIME_LANGUAGE} --label mycc_${VERSION}
# install the chaincode
peer lifecycle chaincode install chaincode.tar.gz
After the install succeeds, the chaincode's package label and hash are returned
Note: copy your own value of
mycc_1:571b965b0420526654952fe71d68a1bdc6c539f1b7519b90312154d67646ab37
because it changes on every install; set it as an environment variable
# save the package id in a variable for later use
export CC_PACKAGE_ID=mycc_1:571b965b0420526654952fe71d68a1bdc6c539f1b7519b90312154d67646ab37
Approving the chaincode on peer1-org2
# peer1-org2 approves the chaincode
peer lifecycle chaincode approveformyorg -o orderer1-org0:7050 --channelID $CHANNEL_NAME --name mycc --version $VERSION --init-required --package-id $CC_PACKAGE_ID --sequence $SEQUENCE --tls true --cafile $ORDERPEM
# query the approval status
peer lifecycle chaincode checkcommitreadiness --channelID $CHANNEL_NAME --name mycc --version $VERSION --init-required --sequence $SEQUENCE --tls true --cafile $ORDERPEM --output json
Approval status: only org2 has approved so far
Installing chaincode on peer1-org1
# switch to peer1-org1's certificates
export CORE_PEER_MSPCONFIGPATH=/usr/local/home/org1/admin/msp
export CORE_PEER_ADDRESS=peer1-org1:7051
export CORE_PEER_LOCALMSPID="org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/usr/local/home/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
# the chaincode was packaged earlier, so it can be installed directly
peer lifecycle chaincode install chaincode.tar.gz
# list the installed chaincode
peer lifecycle chaincode queryinstalled
# peer1-org1 approves the chaincode; the package id was set earlier, so it does not need to be set again
peer lifecycle chaincode approveformyorg -o orderer1-org0:7050 --channelID $CHANNEL_NAME --name mycc --version $VERSION --init-required --package-id $CC_PACKAGE_ID --sequence $SEQUENCE --tls true --cafile $ORDERPEM
# query the approval status
peer lifecycle chaincode checkcommitreadiness --channelID $CHANNEL_NAME --name mycc --version $VERSION --init-required --sequence $SEQUENCE --tls true --cafile $ORDERPEM --output json
Approval status at this point
Committing the chaincode
- The chaincode can only be committed once both organizations have approved it
- Either of the two organizations may commit it; in other words, the chaincode is committed only once
# the environment variables from the previous step are still in use
# commit the chaincode
peer lifecycle chaincode commit -o orderer1-org0:7050 --channelID $CHANNEL_NAME --name mycc --version $VERSION --sequence $SEQUENCE --init-required --tls true --cafile $ORDERPEM --peerAddresses peer1-org1:7051 --tlsRootCertFiles /usr/local/home/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem --peerAddresses peer1-org2:9051 --tlsRootCertFiles /usr/local/home/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
# query the committed chaincode
peer lifecycle chaincode querycommitted --channelID $CHANNEL_NAME --name mycc
Result of querying the committed chaincode
Initializing the chaincode
My chaincode is self-developed, so the -c argument for initialization is empty; if you use the official sample chaincode, look up its default initialization arguments
# the environment variables from the previous step are still in use
# initialize the chaincode
peer chaincode invoke -o orderer1-org0:7050 --isInit --tls true --cafile $ORDERPEM -C $CHANNEL_NAME -n mycc --peerAddresses peer1-org1:7051 --tlsRootCertFiles /usr/local/home/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem --peerAddresses peer1-org2:9051 --tlsRootCertFiles /usr/local/home/org2/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem -c '{"Args":["Init", ""]}' --waitForEvent
Initialization succeeded
6. Summary
This article only brings the fabric network up, without creating channels or deploying chaincode, and the ledger data is not mounted externally; since it is for research, I did not make it more complicated. As for the fabric-ca component, it is said that certificates can be generated through the SDK, which I have not tried yet. The CA can also use MySQL, but each CA server needs its own database, which is somewhat cumbersome; I will optimize this later. The CA component can also be deployed as a cluster: one root CA, several intermediate CAs, and a CA inside each organization. That is rather complex and I have not studied it yet; it will be added later.
While studying fabric-ca I ran into many problems and often did not know where to start, especially with understanding the CA architecture, which I feel I still have not fully grasped. Most problems come from version differences: a slight difference can make it impossible to produce certificates. I have kept local notes of the errors and how I handled them, and will publish a separate article collecting fabric problems and their solutions.