hyperledger-fabric kubernetes minikube

error Peer channel join

Published on 2020-04-23 16:05:37

I am trying to set up the Fabric v2.0 test-network (https://hyperledger-fabric.readthedocs.io/en/release-2.0/test_network.html) on Kubernetes (locally on minikube). I have an error with peer channel join.

I created kubernetes files based on the docker-compose-test-net.yaml of the test-network. I successfully deploy the following pods:

  • an orderer (raft)
  • 2 peers (peer0-org1-example-com and peer0-org2-example-com)
  • a fabric-tools pod.

I successfully generate the crypto material with cryptogen and configtxgen.

I successfully create the channel: when I am in the fabric-tools pod:

bash-5.0# peer channel create -o orderer-example-com:7050 -c $CHANNEL_NAME --ordererTLSHostnameOverride orderer.example.com -f /fabric/${CHANNEL_NAME}.tx --tls --cafile $ORDERER_CA
2020-02-11 08:10:14.057 CET [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2020-02-11 08:10:14.080 CET [cli.common] readBlock -> INFO 002 Expect block, but got status: &{NOT_FOUND}
...
2020-02-11 08:10:15.105 CET [cli.common] readBlock -> INFO 00c Received block: 0

But when I try for the first peer to join the channel, I have an error. I have been spending days on this, and I cannot find a solution. Your help would be much appreciated!!

in the fabric-tools pod:

bash-5.0# peer channel join -b $CHANNEL_NAME.block
Error: error getting endorser client for channel: endorser client failed to connect to peer0-org1-example-com:7051: failed to create new connection: context deadline exceeded

what I see in the peer0-org1-example-com pod logs:

2020-02-11 08:11:29.945 CET [core.comm] ServerHandshake -> ERRO 1b9 TLS handshake failed with error remote error: tls: bad certificate server=PeerServer remoteaddress=172.17.0.6:43270
2020-02-11 08:11:29.945 CET [grpc] handleRawConn -> DEBU 1ba grpc: Server.Serve failed to complete security handshake from "172.17.0.6:43270": remote error: tls: bad certificate

Thank you!!


UPDATE:

If I run peer channel join directly on the peer0-org1-example-com pod, I can see that there is a certificate issue:

addrConn.createTransport failed to connect to {peer0-org1-example-com:7051 0  <nil>}. Err :connection error: desc = "transport: authentication handshake failed: x509: certificate is valid for peer0.org1.example.com, peer0, localhost, peer0.org1.example.com, peer0, localhost, peer0.org1.example.com, peer0, localhost, not peer0-org1-example-com". Reconnecting.

It seems that it would accept the connection for peer0.org1.example.com but not for peer0-org1-example-com. But Kubernetes does not allow me to put dots in the names of the services and the deployments, which is why I put dashes. Do you know how to solve this? I tried to make the cryptogen tool generate certificates for peer0-org1-example-com, but it messed things up. The best would be, I think, to make Kubernetes names with dots, but I can't seem to do it.

The names in peer deployments files:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: peer0-org1-example-com
spec:
  selector:
    matchLabels:
      name: peer0-org1-example-com
  replicas: 1
  template:
    metadata:
      labels:
        name: peer0-org1-example-com

The names in peer services files:

apiVersion: v1
kind: Service
metadata:
  name: peer0-org1-example-com
  labels:
    run: peer0-org1-example-com
spec:
  type: ClusterIP
  selector:
    name: peer0-org1-example-com
  ports:
  - protocol: TCP
    port: 7051
    name: grpc

Questioner: Jon - LBAB

mirioeggmann 2020-02-11 21:43

We had a similar dot/dash certificate issue with OpenShift and solved it by setting a CommonName with dashes for each Host in our crypto-config file. Maybe this will work for you too.

Something like this:

PeerOrgs:
  - Name: Org1
    Domain: org1-example-com
    EnableNodeOUs: true
    Specs:
      - Hostname: peer0
        CommonName: "peer0-org1-example-com"
      - Hostname: peer1
        CommonName: "peer1-org1-example-com"

    CA:
      Hostname: ca
      CommonName: "ca-org1-example-com"
  # Org2 is a second entry in the same PeerOrgs list (a repeated PeerOrgs key would be a duplicate YAML key)
  - Name: Org2
    Domain: org2-example-com
    EnableNodeOUs: true
    Specs:
      - Hostname: peer0
        CommonName: "peer0-org2-example-com"
      - Hostname: peer1
        CommonName: "peer1-org2-example-com"

    CA:
      Hostname: ca
      CommonName: "ca-org2-example-com"
OrdererOrgs:
  - Name: Orderer
    Domain: example.com
    EnableNodeOUs: true
    Specs:
      - Hostname: orderer
        CommonName: "orderer-example-com"

UPDATE: We also changed all dot addresses in the configtx.yaml like this:

Orderer: &OrdererDefaults
    ...
    EtcdRaft:
        Consenters:
        - Host: orderer-example-com
    ...
    Addresses:
        - orderer-example-com:7050

UPDATE 2: probably you have to change the csr part in the fabric-ca-server-config.yaml of each org too:

# fabric-ca-server-config.yaml of the CA with cn ca-example-com
csr:
   cn: ca-example-com
   names:
      - C: US
        ST: "New York"
        L: "New York"
        O: example-com
        OU:
   hosts:
     - localhost
     - example-com
   ca:
      expiry: 131400h
      pathlength: 1

# fabric-ca-server-config.yaml of the CA with cn ca-org1-example-com
csr:
   cn: ca-org1-example-com
   names:
      - C: US
        ST: "North Carolina"
        L: "Durham"
        O: org1-example-com
        OU:
   hosts:
     - localhost
     - org1-example-com
   ca:
      expiry: 131400h
      pathlength: 1

# fabric-ca-server-config.yaml of the CA with cn ca-org2-example-com
csr:
   cn: ca-org2-example-com
   names:
      - C: UK
        ST: "Hampshire"
        L: "Hursley"
        O: org2-example-com
        OU:
   hosts:
     - localhost
     - org2-example-com
   ca:
      expiry: 131400h
      pathlength: 1