fabric2.2 tls和签名认证证书过期解决方案

已于 2022-03-04 16:10:02 修改
阅读量1.6k 收藏 4
点赞数 3
分类专栏: fabric 文章标签: fabric
于 2022-02-21 13:23:39 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_40325516/article/details/123045153
版权

1. fabric证书过期替换

1.1 记录需要修改目录

## 记录需要修改目录
fabric-ca/ordererOrg/tls-cert.pem

fabric-ca/org1/tls-cert.pem

fabric-ca/org1/tls-cert.pem

organizations/ordererOrganizations/example.com/msp/signcerts/cert.pem
organizations/ordererOrganizations/example.com/msp/keystore

organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/signcerts/cert.pem
organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/keystore

organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.key

organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/signcerts/cert.pem
organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/keystore

organizations/ordererOrganizations/example.com/users/Admin@example.com/msp/signcerts/cert.pem
organizations/ordererOrganizations/example.com/users/Admin@example.com/msp/keystore

organizations/peerOrganizations/org2.example.com/msp/signcerts/cert.pem
organizations/peerOrganizations/org2.example.com/msp/keystore

organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp/signcerts/cert.pem
organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/keystore

organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key

organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/signcerts/cert.pem
organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/keystore

organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/signcerts/cert.pem
organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore

organizations/peerOrganizations/org2.example.com/users/User2@org1.example.com/msp/signcerts/cert.pem
organizations/peerOrganizations/org1.example.com/users/User@org1.example.com/msp/keystore

1.2 系统通道配置和普通通道配置证书对应关系

## org1
write-> fabric_node_ous-> admin_ou_identifier-> certificate=org1.example.com/peers/peer0.org1.example.com/msp/cacerts/localhost-7054-ca-org1.pem

write-> fabric_node_ous-> client_ou_identifier-> certificate=org1.example.com/peers/peer0.org1.example.com/msp/cacerts/localhost-7054-ca-org1.pem

write-> fabric_node_ous-> orderer_ou_identifier-> certificate=org1.example.com/peers/peer0.org1.example.com/msp/cacerts/localhost-7054-ca-org1.pem

write-> fabric_node_ous-> peer_ou_identifier-> certificate=org1.example.com/peers/peer0.org1.example.com/msp/cacerts/localhost-7054-ca-org1.pem

write->root_certs=org1.example.com/peers/peer0.org1.example.com/msp/cacerts/localhost-7054-ca-org1.pem
write->tls_root_certs=org1.example.com/peers/peer0.org1.example.com/msp/cacerts/localhost-7054-ca-org1.pem


## org2 
write-> fabric_node_ous-> admin_ou_identifier-> certificate=org2.example.com/peers/peer0.org2.example.com/msp/cacerts/localhost-8054-ca-org2.pem

write-> fabric_node_ous-> client_ou_identifier-> certificate=org2.example.com/peers/peer0.org2.example.com/msp/cacerts/localhost-8054-ca-org2.pem

write-> fabric_node_ous-> orderer_ou_identifier-> certificate=org2.example.com/peers/peer0.org2.example.com/msp/cacerts/localhost-8054-ca-org2.pem

write-> fabric_node_ous-> peer_ou_identifier-> certificate=org2.example.com/peers/peer0.org2.example.com/msp/cacerts/localhost-8054-ca-org2.pem

write->root_certs=org2.example.com/peers/peer0.org2.example.com/msp/cacerts/localhost-8054-ca-org2.pem
write->tls_root_certs=org2.example.com/peers/peer0.org2.example.com/msp/cacerts/localhost-8054-ca-org2.pem

## orderer 
msp->write->下的所有证书路径都是
orderer.example.com/msp/cacerts/localhost-9054-ca-orderer.pem
## 不同地方
consenters->client_tls_cert=orderer.example.com/tls/server.crt

consenters->server_tls_cert=orderer.example.com/tls/server.crt

## org2
signatures -> creator -> id_bytes =org2.example.com/users/Admin@org2.example.com/msp/signcerts/cert.pem

## orderer
signatures -> creator -> id_bytes =example.com/orderers/orderer.example.com/msp/signcerts

1.3 证书服务和节点签名和tls证书过期复原操作过程

## 背景
fabic-ca-server的tls-cert.pem证书过期
orderer peer里的所有msp目录下 keystore signcerts证书过期 
orderer peer里的所有tls目录下 keystore signcerts server.crt server.key证书过期 
并且其他证书没有过期
1.3.1 证书备份
## 1. 一定把过期的证书备份 后边还需要用到
sudo cp -r organizations organizations.bak
1.3.2 更新fabric-server的tls-cert.pem证书
1.3.2.1 移除fabric-server的tls-cert.pem证书
# ordererOrg org1 org2的tls-cert.pem都需要移除
## ordererorg
cd organizations/fabric-ca/ordererOrg
mv tls-cert.pem tls-cert.pem.bak
## org1
cd organizations/fabric-ca/org1
mv tls-cert.pem tls-cert.pem.bak
## org2
cd organizations/fabric-ca/org2
mv tls-cert.pem tls-cert.pem.bak
1.3.2.2 删掉所有fabric-server容器
docker stop ca_orderer
docker rm -f ca_orderer

docker stop ca_org1
docker rm -f ca_org1

docker stop ca_org2
docker rm -f ca_org2
1.3.2.3 重新启动所有fabric-server容器 生成新的tls-cert.pem
## 注意 这里只要没有删除tls-cert.pem其他目录,重启启动只有tls-cert.pem文件变了,其他文件都不变
## 这里是启动所有 如果你是每一个ca一个yaml都要启动 
docker-compose -f docke/docker-compose-ca.yaml up -d
1.3.3 更新节点过期证书
1.3.3.1 删除orderer过期证书
##### ##切记 一定把原来旧过期证书整体备份一下
## 1. 
cd organizations/ordererOrganizations/example.com/msp
rm -rf keystore/ signcerts/
## 2. 
cd organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp
rm -rf keystore/ signcerts/
## 3. 
cd organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls
rm -rf keystore/ signcerts/ server.crt server.key
## 4. 
cd organizations/ordererOrganizations/example.com/users/Admin@example.com/msp
rm -rf keystore/ signcerts/
1.3.3.2 删除org1 过期证书
## 1.
cd organizations/peerOrganizations/org1.example.com/msp
rm -rf keystore/ signcerts/
## 2.
cd organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp
rm -rf keystore/ signcerts/
## 3. 
cd organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls
rm -rf keystore/ signcerts/ server.crt server.key
## 4. 
cd organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
rm -rf keystore/ signcerts/
## 5. 
cd organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp
rm -rf keystore/ signcerts/
1.3.3.3 删除org2过期证书
## 1.
cd organizations/peerOrganizations/org2.example.com/msp
rm -rf keystore/ signcerts/
## 2.
cd organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp
rm -rf keystore/ signcerts/
## 3. 
cd organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls
rm -rf keystore/ signcerts/ server.crt server.key
## 4. 
cd organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp
rm -rf keystore/ signcerts/
## 5. 
cd organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/msp
rm -rf keystore/ signcerts/
1.3.3.4 设置系统时间
## 此时间设置过期内的并临近过期时间,是为了生成证书在通道配置更新的时候,能够识别证书时间 
## 就是两套证书时间有个交集
## 或者当前系统时间生成证书有效期限包含过期时间,可以不需要设置过去系统时间
## 如果不确定设不设置,可以先执行重新生成证书,一旦证书不对,可以重新执行删除原先过期证书目录和文件,再确定设不设置,然后执行重新生成证书
sudo timedatectl set-ntp no
sudo date -s "2022-02-18 18:00:00"
1.3.3.5 重新生成过期的证书
## 脚本内容如下 就可以吧以上删除文件重新生成 并且原来没过期CA不变
## 脚本放在single目录下

#!/bin/bash

################ orderer ###############################

 export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/ordererOrganizations/example.com


# orderer organizations/ordererOrganizations/example.com/msp
./bin/fabric-ca-client enroll -u https://admin:adminpw@localhost:9054 --caname ca-orderer --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem


## orderer organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp
 ./bin/fabric-ca-client enroll -u https://orderer:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp --csr.hosts orderer.example.com --csr.hosts localhost --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem


## orderer organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls
./bin/fabric-ca-client enroll -u https://orderer:ordererpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls --enrollment.profile tls --csr.hosts orderer.example.com --csr.hosts localhost --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem

## orderer  organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt server.key
  cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/signcerts/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
  cp ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/keystore/* ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.key

## orderer organizations/ordererOrganizations/example.com/users/Admin@example.com/msp
./bin/fabric-ca-client enroll -u https://ordererAdmin:ordererAdminpw@localhost:9054 --caname ca-orderer -M ${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/msp --tls.certfiles ${PWD}/organizations/fabric-ca/ordererOrg/tls-cert.pem


################# org1 peer0 ###################

export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org1.example.com/

## peer organizations/peerOrganizations/org1.example.com/msp
./bin/fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --caname ca-org1 --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem

## peer organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp
./bin/fabric-ca-client enroll -u https://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp --csr.hosts peer0.org1.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem

## peer  organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls
./bin/fabric-ca-client enroll -u https://peer0:peer0pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls --enrollment.profile tls --csr.hosts peer0.org1.example.com --csr.hosts localhost --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem

## peer organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt server.key
  cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
  cp ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key

## peer organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
./bin/fabric-ca-client enroll -u https://org1admin:org1adminpw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem

## peer organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp
./bin/fabric-ca-client enroll -u https://user1:user1pw@localhost:7054 --caname ca-org1 -M ${PWD}/organizations/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem



##################### org2 peer0 ###################

export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org2.example.com/

## peer organizations/peerOrganizations/org2.example.com/msp
./bin/fabric-ca-client enroll -u https://admin:adminpw@localhost:8054 --caname ca-org2 --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem

## peer organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp
./bin/fabric-ca-client enroll -u https://peer0:peer0pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp --csr.hosts peer0.org2.example.com --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem

## peer organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls
./bin/fabric-ca-client enroll -u https://peer0:peer0pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls --enrollment.profile tls --csr.hosts peer0.org2.example.com --csr.hosts localhost --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem

## peer  organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.crt server.key
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/signcerts/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.crt
cp ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/keystore/* ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/server.key

## peer organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp
./bin/fabric-ca-client enroll -u https://org2admin:org2adminpw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem

## peer organizations/peerOrganizations/org2.example.com/users/User2@org1.example.com/msp
./bin/fabric-ca-client enroll -u https://user1:user1pw@localhost:8054 --caname ca-org2 -M ${PWD}/organizations/peerOrganizations/org2.example.com/users/User1@org2.example.com/msp --tls.certfiles ${PWD}/organizations/fabric-ca/org2/tls-cert.pem
1.3.4 新的证书备份
mv  organizations organizations.new
1.3.5 改回旧的证书,调整系统时间回到证书没有过期时间
1.3.5.1 证书回归
cp organizations.bak organizations
1.3.5.2 设置系统时间
## 查看系统时间是否是过期证书有效期内 没有的话需要设置
sudo timedatectl set-ntp no
sudo date -s "2022-02-18 18:00:00"
1.3.6 重启停掉orderer peer容器
docker start orderer.example.com
docker start peer0.org1.example.com
docker start peer0.org2.example.com
1.3.7 修改系统通道过期证书
# system-channel
## 1. 环境变量 系统通道需要orderer 管理员身份修改
export FABRIC_CFG_PATH=${PWD}/config
export CORE_PEER_LOCALMSPID=OrdererMSP
export CORE_PEER_ADDRESS=localhost:7050
export CORE_PEER_TLS_ROOTCERT_FILE=${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
export CORE_PEER_MSPCONFIGPATH=${PWD}/organizations/ordererOrganizations/example.com/users/Admin@example.com/msp

export CHANNEL_NAME=system-channel

## 2. 拉取配置块
./bin/peer channel fetch config config_block.pb -o orderer.example.com:7050 --ordererTLSHostnameOverride orderer.example.com -c system-channel --tls --cafile ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem

## 3. 解析配置块成json
./bin/configtxlator proto_decode --input config_block.pb --type common.Block | jq .data.data[0].payload.data.config > Sconfig.json

## 4. 
cp Sconfig.json  Modififid_config.json

## 5. 修改配置里证书
vim Modififid_config.json
修改证书,都是经过base64编码放入配置中的
### 具体对应 这些不用修改
Org1Msp.values.msp.value.config里的证书都是org1.example.com/peers/peer0.org1.example.com/msp/cacerts/localhost-7054-ca-org1.pem  的base64编码的

Org1Msp.values.msp.value.config里的证书都是org2.example.com/peers/peer0.org2.example.com/msp/cacerts/localhost-8054-ca-org2.pem  的base64编码的

orderer.group.values.msp.value.config里的证书都是orderer.example.com/msp/cacerts/localhost-9054-ca-orderer.pem 的base64编码的

### 要修改地方 是使用新的证书 经过base64编码替换相应位置的
配置里的orderer.group.values.ConsensusType里的证书都是
organizations/ordererOrganizations/example.com/orderers、orderer.example.com/tls/server.crt的base64编码的

## 6. 
./bin/configtxlator proto_encode --input Sconfig.json --type common.Config >original_config.pb

## 7. 
./bin/configtxlator proto_encode --input Modififid_config.json --type common.Config >Smodified_config.pb

## 8.
./bin/configtxlator compute_update --channel_id system-channel --original original_config.pb --updated Smodified_config.pb >Sconfig_update.pb

## 9.
./bin/configtxlator proto_decode --input Sconfig_update.pb --type common.ConfigUpdate >Sconfig_update.json

## 10.
echo '{"payload":{"header":{"channel_header":{"channel_id":"system-channel", "type":2}},"data":{"config_update":'$(cat Sconfig_update.json)'}}}' | jq . >Sconfig_update_in_envelope.json

## 11.
./bin/configtxlator proto_encode --input Sconfig_update_in_envelope.json --type common.Envelope >Sconfig_update_in_envelope.pb

##12. 统一用orderer身体提交即可
./bin/peer channel update -f Sconfig_update_in_envelope.pb -c system-channel -o orderer.example.com:7050 --ordererTLSHostnameOverride orderer.example.com --tls --cafile ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem

## 出现以下结果就可
2022-02-18 19:19:49.882 CST [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2022-02-18 19:19:49.900 CST [channelCmd] update -> INFO 002 Successfully submitted channel update
1.3.8 修改普通通道过期证书
# hxyz
## 1. 设置org1 peer0环境变量
export FABRIC_CFG_PATH=${PWD}/config
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
export CORE_PEER_MSPCONFIGPATH=${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
export CORE_PEER_ADDRESS=localhost:7051
export CHANNEL_NAME=hxyz

## 2.使用peer0 org1拉取普通通道区块配置
./bin/peer channel fetch config config_block.pb -o orderer.example.com:7050 --ordererTLSHostnameOverride orderer.example.com -c hxyz --tls --cafile ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem

## 3. 
./bin/configtxlator proto_decode --input config_block.pb --type common.Block | jq .data.data[0].payload.data.config > config.json

## 4. 
cp config.json  Modififid_config.json

## 5. 替换证书
vim Modififid_config.json
修改证书,都是经过base64编码放入配置中的
### 具体对应
Org1Msp.values.msp.value.config里的证书都是org1.example.com/peers/peer0.org1.example.com/msp/cacerts/localhost-7054-ca-org1.pem  的base64编码的

Org1Msp.values.msp.value.config里的证书都是org2.example.com/peers/peer0.org2.example.com/msp/cacerts/localhost-8054-ca-org2.pem  的base64编码的

orderer.group.values.msp.value.config里的证书都是orderer.example.com/msp/cacerts/localhost-9054-ca-orderer.pem 的base64编码的

### 要修改地方 使用新的证书 base64编码替换相应位置
orderer.group.values.ConsensusType里的证书都是
organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt的base64编码的

## 6.
./bin/configtxlator proto_encode --input config.json --type common.Config >original_config.pb

## 7. 
./bin/configtxlator proto_encode --input Modififid_config.json --type common.Config >modified_config.pb

## 8.
./bin/configtxlator compute_update --channel_id hxyz --original original_config.pb --updated modified_config.pb >config_update.pb

## 9.
./bin/configtxlator proto_decode --input config_update.pb --type common.ConfigUpdate >config_update.json

## 10.
echo '{"payload":{"header":{"channel_header":{"channel_id":"hxyz", "type":2}},"data":{"config_update":'$(cat config_update.json)'}}}' | jq . >config_update_in_envelope.json

## 11.
./bin/configtxlator proto_encode --input config_update_in_envelope.json --type common.Envelope >config_update_in_envelope.pb

## 12 .
### org1 签名
./bin/peer channel signconfigtx -f config_update_in_envelope.pb


##13. 使用orderer身份提交 不再是org1或者org2 Admin身份提交了
./bin/peer channel update -f config_update_in_envelope.pb -c hxyz -o orderer.example.com:7050 --ordererTLSHostnameOverride orderer.example.com --tls --cafile ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem

## 出现以下结果就可
2022-02-18 19:19:49.882 CST [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2022-02-18 19:19:49.900 CST [channelCmd] update -> INFO 002 Successfully submitted channel update
1.3.9 停掉容器
docker stop orderer.example.com
docker stop peer0.org1.example.com
docker stop peer0.org2.example.com
1.3.10 重新使用新的证书
rm -rf organizations
cp -r organizations.new organizations
1.3.11 重新启动容器
docker start orderer.example.com
docker start peer0.org1.example.com
docker start peer0.org2.example.com
1.3.12 验证链码读写数据
1.3.13 恢复系统数据自动检查配置
timedatectl set-ntp yes
心若留念
关注
  • 3
    点赞
  • 4
    收藏
    觉得还不错? 一键收藏
  • 3
    评论
专栏目录
TLS单、双向认证资料
11-27
TLS单向认证、双向认证wireshark抓包、单、双向认证客户端log、证书生成脚本、TLS客户端、服务器创建脚本
4.生成fabric身份信息文件(证书
baidu_ymh的博客
07-04 96
hyperledger fabric 网络搭建部署; 1.hyperledger-fabric 介绍和资料整理 2.服务环境准备 3.安装fabric 二进制源码程序 4.生成fabric身份信息文件(证书) 5.生成系统通道初始区块文件 6.启动配置网络节点 docker-compose启动文件 7.将组织加入通道 8.安装合约
802.1x EAP-TLS认证证书
09-12
802.1x EAP-TLS认证证书
远程密钥服务器是在分布式系统中管理TLS私钥和证书解决方案-Golang开发
05-26
集中式密钥服务器,用于管理TLS证书和私钥并分发给边缘服务器远程密钥服务器(RKS)集中式密钥服务器,用于管理TLS证书和私钥并分发给边缘服务器什么是远程密钥服务器远程密钥服务器是一个解决方案,用于存储TLS证书和私钥,并为远程节点提供对这些机密的安全访问。 主要用例是使分布式服务器能够在确保TLS密钥存储和传递的同时提供HTTPS流量。 以下是一些卖点:与使用私钥的推送模式不同
mbedtls实现RSA签名验签(数字证书)demo
最新发布
02-22
mbedtls实现RSA签名验签(数字证书)demo 文章见 https://blog.csdn.net/anjiyufei/article/details/135355292
代码签名数字证书(含私钥)_过期证书_过期数字签名强制签名工具_数字签名_证书
09-10
可强制签名过期数字签名,这是成品exe,若容查杀没毒
Fabric证书过期问题
baijiafan的博客
11-18 1525
小心了,fabirc默认配置,一年之后证书就失效,快来看看
fabric-ca服务构建及证书生成
冰血ANG的博客
07-31 3586
前言: 1、为了保证在网络通信过程中信息的安全性,fabric可以设置tls网络通信模式,这就需要我们来生成相关的数字签名证书。关于tls通信需要数字证书的原因以及通信过程,见tls安全网络传输 2、之前fabric的相关证书是我们手动用cryptogen命令来生成的,但是在实际的应用场景中,如果新增用户,这种方式肯定是不行的,我们需要用fabric-ca的方式来生成相关证书。 一、fabric-ca服务的启动 1、fabric-ca镜像 在这里,我们使用docker的方式来启动...
时间戳签名和或证书无法验证或已损坏(已解决)
热门推荐
qq_34100267的博客
05-22 4万+
时间戳签名和或证书无法验证或已损坏 代码:0x80096005
Win10 如何给Inf驱动文件签名
9527的博客
02-02 8019
Win10 给INF驱动签名
docker部署rancher证书过期问题解决方案
04-24
docker部署rancher证书过期问题解决方案,网上有挺多解决方案,基本都是一部分一部分的,不连续
windows下WDK创建免费的测试证书,并签名windows驱动文件(附带测试效果)
khqnlg的博客
04-04 4458
微软免费签名过程分享,内有命令行代码,下载链接及展示效果。
Fabric证书相关处理流程
baijiafan的博客
12-23 1357
fabic test-network启动顺序介绍
动态添加orderer节点_(4条消息) (三)Fabric2.0启动网络脚本配置剖析
weixin_42509888的博客
01-12 503
根据HyperLedger Fabric 2.0-release测试网络部署可知fabric网络启动主要依赖脚本./byfn.sh up接下针对这个脚本进行剖析,研究fabric2.0 first-network的启动过程。1.byfn.sh查看byfn.sh找到up模式主要做了什么,如下图可见,执行networkUp这个function来实现fabric网络启动。接下来进入networkUp详细...
实战:fabric 用户证书吊销操作流程
BSN_yanxishe的博客
07-04 1408
背景:在fabric框架中,Orderer、Peer、客户端SDK、CLI接口等操作都需要用到证书,用户在非授权的情况下不得接入区块链。但是由于现实多种原因(证书泄露、员工离职等)需要撤销用户证书。 请注意,被撤销的证书证书过期完全不同。撤销的证书尚未过期,按其他方式来说,它们是完全有效的证书。......
受微软信任的交叉证书将在2021年4月到期,代码签名证书将无法签内核驱动,安信教你如何才能再给驱动签名
Anxinenen的博客
03-31 634
微软列出所有受信任CA交叉证书到期的列表,都在2021年的2月份和4月到期: 已经签名的驱动程序会出现什么情况? 在中级证书到期前有时间戳的签名驱动包,还会继续有效。 是否可以创建驱动程序包不提交给微软公司? 不可,所有创建的驱动程序包都必须提交给微软公司签名。 每个更新版本的驱动程序包是否都需要交给微软签名? 是的,每个版本的更新都需要交给微软公司签名。 2021年4月之后是否可以用现有的第三方代码签名证书对非内核驱动程序进行签名? 可以用现有的证书对非内核驱动程序进行签名,使用这些证书签名的代码将只能
Hyperledger Fabric CA中文文档
ling的专栏
06-09 2286
Fabric CA
SSL/TLS证书过期了怎么办?
安全
05-12 926
3、接入SSL/TLS证书:可以直接Gworg申请DV证书,可以在证书过期前申请并接入到您的网站中。2、关闭HTTPS协议:如果您的网站只是展示一些公共信息,而没有涉及到用户的个人隐私数据等敏感信息,那么可以考虑在证书过期前关闭HTTPS协议,使用HTTP协议进行访问。1、更新证书:最直接的方法是更新证书,可以Gworg颁发机构进行证书续费或者申请新的证书。4、使用CDN服务:一些CDN服务商提供自带SSL/TLS证书的服务,可以通过将网站接入CDN来解决证书过期问题。
Fabric系列 - TLS身份验证
搬砖魁首的博客
03-21 621
所有组织(orderer组织与加入该channel的peer组织)的根证书都会被写入channel的创世块(确切的说是channel配置块)中(没配置开启TLS也会写入), 每个组织的锚节点地址也会被写入。故要增加、删除组织,修改锚节点地址等操作都需要修改创世块参考:区块链知识系列密码学系列零知识证明系列共识系列公链调研系列BTC系列以太坊系列EOS系列Filecoin系列联盟链系列Fabric系列智能合约系列Token系列。
在ssl和tls中用数字签名认证通信双方
06-03
SSL和TLS都使用数字证书认证通信双方。 在SSL/TLS握手过程中,服务器会向客户端发送数字证书,用于证明服务器的身份和公钥。数字证书中包含了服务器的公钥和一些服务器的信息,并且数字证书是由数字证书认证机构(CA)签名的,具有一定的可信度。 客户端在收到数字证书后,会验证数字证书的合法性。验证过程包括以下几个步骤: 1. 验证数字证书是否由受信任的CA签发,即数字证书的根证书是否在客户端的信任列表中。 2. 验证数字证书中包含的服务器信息是否与客户端连接的服务器一致,例如域名、IP地址等。 3. 验证数字证书的有效期是否过期。 如果数字证书验证通过,客户端就可以获得服务器的公钥,并使用公钥来加密通信数据。服务器收到客户端发送的加密数据后,使用自己的私钥进行解密。 通过数字证书认证,SSL/TLS可以保证通信双方的身份和通信数据的机密性。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 3
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值