注意:以Fabric CA构建证书素材时,每次enroll证书都会更换
一、OrdererOrg的证书
1.启动节点和账号的Fabric ca server
启动ca server,用于构建OrdererOrg的证书及client用户
server目录及启动如下
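# Fabric CA server for OrdererOrg enrollment certificates. It runs in the
# foreground, so the client steps that follow go in a second terminal.
# NOTE(review): the bootstrap identity admin:adminpw and a plain-HTTP listener
# (clients below use http://) are lab settings only; use a non-default secret
# and server TLS anywhere shared.
# A failed cd is fatal on purpose: otherwise the server would write ca-cert.pem
# into the current directory and the later copy from ~/work/example/ca/order/ca fails.
cd ~/work/example/ca/order/ca || exit 1
fabric-ca-server start -b admin:adminpw --port 7054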
2.登陆admin客户端
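# Enroll the CA bootstrap admin; its credentials land under this client home
# and are reused by the register calls that follow.
cd ~/work/example/ca/order/ca_client || exit 1
export FABRIC_CA_CLIENT_HOME="$PWD"
# NOTE(review): the secret is part of the URL, so it ends up in shell history
# and is visible in process listings while the command runs.
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054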
3.注册账号
# Orderer node identity (type "orderer").
fabric-ca-client register --debug --id.name orderer.example.com --id.secret orderPW --id.type orderer --url http://0.0.0.0:7054
# Organisation admin for OrdererOrg (type "client"). It is registered with the
# same enrollment secret as the node above.
fabric-ca-client register --debug --id.name admin1 --id.secret orderPW --id.type client --url http://0.0.0.0:7054
4.获取orderer节点和管理员admin1的证书
orderer节点
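# Orderer node enrollment certificate, written straight into the node's MSP
# (-M . puts the material in this directory).
# Keep the 0.0.0.0:7054 host: the client names the CA certificate it saves
# after the URL, and the node-level config.yaml later on this page refers to
# cacerts/0-0-0-0-7054.pem.
# mkdir -p + cd check: the page never creates this directory explicitly.
node_msp=~/work/example/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp
mkdir -p "$node_msp" && cd "$node_msp" || exit 1
export FABRIC_CA_CLIENT_HOME="$PWD"
fabric-ca-client enroll -u http://orderer.example.com:orderPW@0.0.0.0:7054 -M .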
admin账号
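# admin1's enrollment certificate, plus a copy of it under admincerts/ so this
# MSP lists admin1 as an administrator.
admin_msp=~/work/example/organizations/ordererOrganizations/example.com/users/admin1/msp
mkdir -p "$admin_msp" && cd "$admin_msp" || exit 1
export FABRIC_CA_CLIENT_HOME="$PWD"
fabric-ca-client enroll -u http://admin1:orderPW@0.0.0.0:7054 -M .
# -p: safe to re-run after a fresh enroll (each enroll replaces the cert).
mkdir -p admincerts
cp -- signcerts/cert.pem admincerts/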
将admin1的证书放入orderer节点的msp中
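# Register admin1 as an admin of the orderer node's MSP as well.
cd ~/work/example/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp || exit 1
mkdir -p admincerts   # -p: plain mkdir fails on a re-run
cp -- ../../../users/admin1/msp/signcerts/cert.pem admincerts/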
5.生成OrdererOrg的msp
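# Org-level MSP for OrdererOrg: admin1's signing cert as the admin, the
# enrollment CA's certificate as the trust root.
# Fix: from msp/admincerts/ the users/ tree is two levels up (../../users/...),
# not one — the original ../users/admin1/... resolved to a path that does not
# exist. mkdir -p mirrors the org1 section, which creates its MSP
# sub-directories explicitly.
org_msp=~/work/example/organizations/ordererOrganizations/example.com/msp
mkdir -p "$org_msp/admincerts" "$org_msp/cacerts" || exit 1
cd "$org_msp/admincerts" || exit 1
cp -- ../../users/admin1/msp/signcerts/cert.pem .
cd "$org_msp/cacerts" || exit 1
cp -- ~/work/example/ca/order/ca/ca-cert.pem .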
6.启动tls server
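# Separate Fabric CA for OrdererOrg TLS certificates (foreground; use another
# terminal for the client steps). Same lab caveats as the enrollment CA:
# default bootstrap secret and plain-HTTP listener.
# A failed cd is fatal so the server cannot start in the wrong directory.
cd ~/work/example/ca/order/tls || exit 1
fabric-ca-server start -b admin:adminpw --port 7055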
7.注册tls账号
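# Bootstrap admin of the TLS CA, then the same two identities as on the
# enrollment CA so each can fetch a TLS certificate.
cd ~/work/example/ca/order/tls_client || exit 1
export FABRIC_CA_CLIENT_HOME="$PWD"
# NOTE(review): secrets in the URL are visible in shell history and process listings.
fabric-ca-client enroll -u http://admin:adminpw@localhost:7055
fabric-ca-client register -d --id.name orderer.example.com --id.secret orderPW --id.type orderer -u http://0.0.0.0:7055
fabric-ca-client register -d --id.name admin1 --id.secret orderPW --id.type client -u http://0.0.0.0:7055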
8.获取tls证书
首先完善OrdererOrg的msp
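# TLS trust root for OrdererOrg's org-level MSP. Created with -p because the
# orderer section never makes tlscacerts/ explicitly (the org1 section does).
tlsca_dir=~/work/example/organizations/ordererOrganizations/example.com/msp/tlscacerts
mkdir -p "$tlsca_dir" && cd "$tlsca_dir" || exit 1
cp -- ~/work/example/ca/order/tls/ca-cert.pem .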
分别获取orderer和admin的tls证书
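# Orderer node TLS certificate. --csr.hosts puts orderer.example.com into the
# certificate's SAN, the name clients verify when they connect; the page's own
# note says TLS breaks without it.
# Fix: quote $FABRIC_CA_CLIENT_HOME (SC2086) and stop if the cd fails.
tls_dir=~/work/example/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls
mkdir -p "$tls_dir" && cd "$tls_dir" || exit 1
export FABRIC_CA_CLIENT_HOME="$PWD"
fabric-ca-client enroll -u http://orderer.example.com:orderPW@0.0.0.0:7055 -M "$FABRIC_CA_CLIENT_HOME" --csr.hosts orderer.example.com
# The client writes the key under an auto-generated name; give it a fixed one.
# (Assumes keystore/ holds exactly one file, i.e. a single enroll.)
mv -- keystore/* keystore/server.key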
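# admin1's TLS (client-side) certificate.
# NOTE(review): this client certificate is requested with the orderer's
# hostname in its SAN (--csr.hosts orderer.example.com). A client-side TLS
# certificate does not need the server's name, and a certificate for
# orderer.example.com issued by the same TLS CA could let its holder be
# accepted as the orderer by anything that trusts that CA — confirm this is
# intended. Kept as on the page; only quoting and the cd check changed.
tls_dir=~/work/example/organizations/ordererOrganizations/example.com/users/admin1/tls
mkdir -p "$tls_dir" && cd "$tls_dir" || exit 1
export FABRIC_CA_CLIENT_HOME="$PWD"
fabric-ca-client enroll -u http://admin1:orderPW@0.0.0.0:7055 -M "$FABRIC_CA_CLIENT_HOME" --csr.hosts orderer.example.com
# Assumes keystore/ holds exactly one file (a single enroll).
mv -- keystore/* keystore/server.key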
二、Org1的证书
1.启动节点和账号的Fabric ca server
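# Fabric CA server for Org1 enrollment certificates (foreground; client steps
# go in another terminal). Lab settings: default bootstrap secret, plain HTTP.
# A failed cd is fatal so ca-cert.pem is not written to the wrong directory.
cd ~/work/example/ca/org1/ca || exit 1
fabric-ca-server start -b admin:adminpw --port 7056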
2.登陆admin并注册账号
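# Org1 enrollment CA: enroll the bootstrap admin, then register the peer node
# and the org admin.
cd ~/work/example/ca/org1/ca_client || exit 1
export FABRIC_CA_CLIENT_HOME="$PWD"
fabric-ca-client enroll -u http://admin:adminpw@localhost:7056
# hf.GenCRL=true:ecert grants the identity the right to generate CRLs and
# embeds that attribute in its enrollment certificate.
# NOTE(review): a peer node does not normally need CRL-generation rights;
# grant the attribute only to identities that actually revoke certificates.
fabric-ca-client register -d --id.name peer0.org1.example.com --id.secret peerPW --id.type peer --id.attrs "hf.GenCRL=true:ecert" -u http://0.0.0.0:7056
fabric-ca-client register -d --id.name Admin@org1.example.com --id.secret peerPW --id.type client --id.attrs "hf.GenCRL=true:ecert" -u http://0.0.0.0:7056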
3.获取peer节点和管理员证书
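# Peer node and Org1 admin enrollment certificates, each into its own MSP; the
# admin's cert is also copied under its admincerts/.
# Keep the 0.0.0.0:7056 host: the node-level config.yaml on this page refers
# to cacerts/0-0-0-0-7056.pem, the name derived from that URL.
peer_msp=~/work/example/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp
mkdir -p "$peer_msp" && cd "$peer_msp" || exit 1
export FABRIC_CA_CLIENT_HOME="$PWD"
fabric-ca-client enroll -u http://peer0.org1.example.com:peerPW@0.0.0.0:7056 -M .
admin_msp=~/work/example/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
mkdir -p "$admin_msp" && cd "$admin_msp" || exit 1
export FABRIC_CA_CLIENT_HOME="$PWD"
# The enrollment ID contains '@'; the page passes it unescaped in the URL and
# that form is kept verbatim here.
fabric-ca-client enroll -u http://Admin@org1.example.com:peerPW@0.0.0.0:7056 -M .
mkdir -p admincerts   # -p: safe on a re-run
cp -- signcerts/cert.pem admincerts/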
在peer的msp中加入admin
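# Register Admin@org1.example.com as an admin of the peer node's MSP.
cd ~/work/example/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp || exit 1
mkdir -p admincerts   # -p: plain mkdir fails on a re-run
cp -- ../../../users/Admin@org1.example.com/msp/signcerts/cert.pem admincerts/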
4.创建org1的msp
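# Org-level MSP for Org1: admin cert and enrollment CA root now, tlscacerts/
# is filled in step 8.
cd ~/work/example/organizations/peerOrganizations/org1.example.com/msp || exit 1
mkdir -p admincerts cacerts tlscacerts   # -p: plain mkdir fails on a re-run
cp -- ../users/Admin@org1.example.com/msp/signcerts/cert.pem admincerts/
cp -- ~/work/example/ca/org1/ca/ca-cert.pem cacerts/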
5.启动org1的tls Fabric CA server
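# Separate Fabric CA for Org1 TLS certificates (foreground; client steps go in
# another terminal). Lab settings: default bootstrap secret, plain HTTP.
# A failed cd is fatal so the server cannot start in the wrong directory.
cd ~/work/example/ca/org1/tls || exit 1
fabric-ca-server start -b admin:adminpw --port 7057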
6.登陆tls server的admin并注册账号
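# Org1 TLS CA: enroll the bootstrap admin, then register the same two
# identities as on the enrollment CA so each can fetch a TLS certificate.
cd ~/work/example/ca/org1/tls_client || exit 1
export FABRIC_CA_CLIENT_HOME="$PWD"
fabric-ca-client enroll -u http://admin:adminpw@localhost:7057
# NOTE(review): hf.GenCRL is granted here too; on a TLS-only CA it is unlikely
# to be needed — confirm before keeping it.
fabric-ca-client register -d --id.name peer0.org1.example.com --id.secret peerPW --id.type peer --id.attrs "hf.GenCRL=true:ecert" -u http://0.0.0.0:7057
fabric-ca-client register -d --id.name Admin@org1.example.com --id.secret peerPW --id.type client --id.attrs "hf.GenCRL=true:ecert" -u http://0.0.0.0:7057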
7.获取账号的tls
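# TLS certificates for the peer node and for Admin@org1.example.com.
# --csr.hosts peer0.org1.example.com puts the peer's name into the SAN, which
# is what clients verify when they connect to the peer.
peer_tls=~/work/example/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls
mkdir -p "$peer_tls" && cd "$peer_tls" || exit 1
export FABRIC_CA_CLIENT_HOME="$PWD"
fabric-ca-client enroll -u http://peer0.org1.example.com:peerPW@0.0.0.0:7057 -M . --csr.hosts peer0.org1.example.com
# Fixed key name; assumes keystore/ holds exactly one file (a single enroll).
mv -- keystore/* keystore/server.key
admin_tls=~/work/example/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls
mkdir -p "$admin_tls" && cd "$admin_tls" || exit 1
export FABRIC_CA_CLIENT_HOME="$PWD"
# NOTE(review): the admin's client-side certificate is requested with the
# peer's hostname in its SAN. A client certificate does not need the server's
# name, and one valid for peer0.org1.example.com under the same TLS CA could be
# accepted as the peer by anything trusting that CA — confirm this is intended.
fabric-ca-client enroll -u http://Admin@org1.example.com:peerPW@0.0.0.0:7057 -M . --csr.hosts peer0.org1.example.com
mv -- keystore/* keystore/server.key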
8.完善org1的msp
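# TLS trust root for Org1's org-level MSP (tlscacerts/ was created in step 4;
# -p keeps this block self-contained if it is run on its own).
tlsca_dir=~/work/example/organizations/peerOrganizations/org1.example.com/msp/tlscacerts
mkdir -p "$tlsca_dir" && cd "$tlsca_dir" || exit 1
cp -- ~/work/example/ca/org1/tls/ca-cert.pem .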
三、在各个msp中增加config.yaml
如果msp中没有config.yaml,可能导致peer和orderer通信不成功
1.排序组织的config.yaml
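# Org-level config.yaml for OrdererOrg; the NodeOUs content follows below.
# A failed cd is fatal so the file is not created somewhere else.
cd ~/work/example/organizations/ordererOrganizations/example.com/msp || exit 1
vim config.yaml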
内容如下
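# Org-level MSP of OrdererOrg. NodeOUs maps the OU value in a member's
# certificate to its role; each entry names the CA certificate that must have
# issued it. Here every role is checked against the enrollment CA cert copied
# into cacerts/ as ca-cert.pem.
# Indentation restored: as a flat list the keys below would not be nested
# under NodeOUs and the file would not describe any OU configuration.
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: orderer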
2.排序组织的orderer节点中
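# config.yaml for the orderer node's MSP; the NodeOUs content follows below.
# A failed cd is fatal so the file is not created somewhere else.
cd ~/work/example/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp || exit 1
vim config.yaml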
内容如下
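# Node-level MSP of orderer.example.com. Same NodeOUs layout as the org-level
# file, but the CA certificate is the one fabric-ca-client saved during enroll,
# named after the CA URL (0.0.0.0:7054 -> cacerts/0-0-0-0-7054.pem).
# Indentation restored so the entries are actually nested under NodeOUs.
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/0-0-0-0-7054.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/0-0-0-0-7054.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/0-0-0-0-7054.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/0-0-0-0-7054.pem
    OrganizationalUnitIdentifier: orderer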
3.组织org1的msp
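# Org-level config.yaml for Org1; the NodeOUs content follows below.
# A failed cd is fatal so the file is not created somewhere else.
cd ~/work/example/organizations/peerOrganizations/org1.example.com/msp || exit 1
vim config.yaml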
内容如下
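# Org-level MSP of Org1. Every role is checked against the enrollment CA cert
# copied into cacerts/ as ca-cert.pem.
# Indentation restored so the entries are actually nested under NodeOUs.
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/ca-cert.pem
    OrganizationalUnitIdentifier: orderer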
4.组织org1的peer节点
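# config.yaml for the peer node's MSP; the NodeOUs content follows below.
# A failed cd is fatal so the file is not created somewhere else.
cd ~/work/example/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp || exit 1
vim config.yaml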
内容如下
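# Node-level MSP of peer0.org1.example.com. The CA certificate is the one
# fabric-ca-client saved during enroll, named after the CA URL
# (0.0.0.0:7056 -> cacerts/0-0-0-0-7056.pem).
# Indentation restored so the entries are actually nested under NodeOUs.
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/0-0-0-0-7056.pem
    OrganizationalUnitIdentifier: orderer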
四、cli与链码等交互时的环境变量
# Environment for running the peer CLI as Org1's admin. Paths are relative to
# $PWD/.., so run this from a directory that sits next to organizations/.
export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_LOCALMSPID=Org1MSP
# Org1 TLS CA root; the file name comes from the TLS CA URL (0.0.0.0:7057)
# used at enroll time.
export CORE_PEER_TLS_ROOTCERT_FILE="$PWD/../organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/tls/cacerts/0-0-0-0-7057.pem"
# MSP of Admin@org1.example.com: the identity that signs CLI requests.
export CORE_PEER_MSPCONFIGPATH="$PWD/../organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp"
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
# OrdererOrg TLS CA root (from the TLS CA on 0.0.0.0:7055), for orderer connections.
export ORDERER_TLSCA="$PWD/../organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/cacerts/0-0-0-0-7055.pem"