Fabric多机部署步骤

1 Fabric CA生成

1.1 环境准备和yaml文件编写

CA 镜像装载，版本根据需求而定，本次版本是1.4.4。
CA 的yaml文件编写。

需要⚠️yaml文件有标准格式

//版本

version: '2'

//网络名称

networks:

rootchain:

//定义服务

services:

//服务名称

lzsk.ca.chain.com:

扫描二维码关注公众号，回复： 12105774 查看本文章

//容器名称

container_name: lzsk.ca.chain.com

//镜像

image: hyperledger/fabric-ca

//docer容器环境

environment:

//CA 服务端生成证书路径

- FABRIC_CA_SERVER_HOME=/etc/hyperledger/fabric-ca-server

//CA客户端生成证书路径，主要为节点和sdk所用

- FABRIC_CA_CLIENT_HOME=/etc/hyperledger/fabric-ca-client

// CA 的名字

- FABRIC_CA_SERVER_CA_NAME=lzsk.ca.chain.com

# 启用tls

- FABRIC_CA_SERVER_TLS_ENABLED=true

# 公用名称

- FABRIC_CA_SERVER_CSR_CN=ca.chain.com

#- FABRIC_CA_SERVER_CSR_HOSTS=0.0.0.0

#- FABRIC_CA_SERVER_DEBUG=true

- FABRIC_CA_SERVER_PORT=7054

# -b: 提供注册用户的名称与密码, 如果没有使用LDAP, 这个选项为必需.

# 后面两个参数表示允许删除联盟和用户

command: sh -c 'fabric-ca-server start -b lzsk_dsp:lzsk_dsp --port 7054 --cfg.affiliations.allowremove --cfg.identities.allowremove'

volumes:

// 宿机和docker 路径映射

- "./lzsk.ca.chain.com:/etc/hyperledger/fabric-ca-server"

- "./crypto-config:/etc/hyperledger/fabric-ca-client"

//启动端口

ports:

- 7054:7054

//网络名称

networks:

- rootchain

启动步骤2编写的yaml 文件。

命令为：docker-compose -f yaml文件 up -d

停止docker容器。

在步骤3启动后会生成相应的持久化文件，如步骤2中

// 宿机和docker 路径映射

- "./lzsk.ca.chain.com:/etc/hyperledger/fabric-ca-server"

- "./crypto-config:/etc/hyperledger/fabric-ca-client"

在宿机上就在./lzsk.ca.chain.com下有一个yaml文件。

进行修改文件。

version: 1.4.4

# 指定服务的监听端口

port: 7054

# 跨域资源共享(CORS)

cors:

enabled: false

origins:

- "*"

# 是否启用DEBUG模式, 输出更多的调试信息上

debug: false

# 可接受的CRL的大小限制(以字节为单位)(默认值:512000)

# 证书具有一个指定的寿命，但 CA 可通过称为证书吊销的过程来缩短这一寿命。

# CA 发布一个证书吊销列表 (CRL)，列出被认为不能再使用的证书的序列号。

crlsizelimit: 512000

#############################################################################

# 是否在服务端启用TLS,如果启用TLS后,进行身份验证的证书和签名的私钥

#############################################################################

tls:

# 是否启用TLS, 默认不启用

enabled: true

# TLS证书文件

certfile:

# TLS密钥文件

keyfile:

# 客户端验证配置

clientauth:

# 默认不进行身份验证

type: noclientcert

# 进行客户端身份验证时, 信任的证书文件列表

certfiles:

#############################################################################

# 包括实例的名称、签名私钥文件、身份验证证书和证书链文件；这些私钥和证书

# 文件会用来作为生成ECert、TCert的根证书

#############################################################################

ca:

# CA服务名称. 可以支持多个服务

name: ca.chain.com

# 密钥文件(默认: ca-key.pem)

keyfile:

# 证书文件(默认: ca-cert.pem)

certfile:

# 证书链文件(默认: chain-cert.pem)

chainfile:

#############################################################################

# The gencrl REST endpoint is used to generate a CRL that contains revoked

# certificates. This section contains configuration options that are used

# during gencrl request processing.

#############################################################################

crl:

# 为生成的CRL指定过期时间。

# 此属性指定的小时数将添加到UTC时间

# 产生的时间用于设置CRL的“下一次更新”日期。

expiry: 1h

#############################################################################

# 当fabric-ca-server自身提供用户的注册管理时使用, 此情况下需要禁用LDAP功能,

# 否则fabric-ca-server将会把注册管理数据转发到LDAP进行查询

#############################################################################

registry:

# 允许同一个用户名和密码进行enrollment的最大次数, -1为无限制, 0为不支持登记

maxenrollments: -1

# 注册的实体信息, 可以进行enroll. 只有当LDAP未启用时起作用

identities:

- name: lzsk_dsp

pass: lzsk_dsp

type: client

affiliation: ""

attrs:

hf.Registrar.Roles: "*"

hf.Registrar.DelegateRoles: "*"

hf.Revoker: true

# 该id是否是一个中间层的CA

hf.IntermediateCA: true

hf.GenCRL: true

hf.Registrar.Attributes: "*"

hf.AffiliationMgr: true

#############################################################################

# 数据库支持SQLite3、MySQL、Postgres. 默认为SQLite3类型的本地数据库.

# 如果要配置集群, 则需要选用MySQL或Postgres后端数据库,

# 并在前端部署负载均衡器(如Nginx或HAProxy)

#############################################################################

db:

type: mysql

datasource: root:tjfae_dsp@tcp(192.168.21.42:3306)/lzsk_ca?parseTime=true

tls:

# 是否启用TLS来连接到数据库

enabled: false

# PEM格式的可信根证书文件列表, 多个用逗号隔开

certfiles:

client:

# PEM格式的客户端证书文件

certfile:

# PEM格式的客户端证书私钥文件

keyfile:

#############################################################################

# 配置使用远端的LDAP来进行注册管理, 认证enrollment的用户和密码,

# 并获取用户属性信息. 此时, 服务端将按照指定的usrfilter从LDAP获取对应的用户,

# 利用其唯一识别名(distinguidhed name)和给定的密码进行验证.

# 当LDAP功能启用时, registry中的配置将被忽略

#############################################################################

ldap:

# 是否启用LDAP, 默认不启用

enabled: false

# LDAP的服务地址

url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>

# 客户端到LDAP服务器的连接的TLS配置

tls:

# PEM格式的LDAP服务器的TLS根证书, 可以为多个, 用逗号隔开

certfiles:

client:

# PEM格式的客户端证书文件

certfile:

# PEM格式的客户端证书私钥文件

keyfile:

# Attribute related configuration for mapping from LDAP entries to Fabric CA attributes

attribute:

# 'names' is an array of strings containing the LDAP attribute names which are

# requested from the LDAP server for an LDAP identity's entry

names: ['uid','member']

# The 'converters' section is used to convert an LDAP entry to the value of

# a fabric CA attribute.

# For example, the following converts an LDAP 'uid' attribute

# whose value begins with 'revoker' to a fabric CA attribute

# named "hf.Revoker" with a value of "true" (because the boolean expression

# evaluates to true).

# converters:

# - name: hf.Revoker

# value: attr("uid") =~ "revoker*"

converters:

- name:

value:

# The 'maps' section contains named maps which may be referenced by the 'map'

# function in the 'converters' section to map LDAP responses to arbitrary values.

# For example, assume a user has an LDAP attribute named 'member' which has multiple

# values which are each a distinguished name (i.e. a DN). For simplicity, assume the

# values of the 'member' attribute are 'dn1', 'dn2', and 'dn3'.

# Further assume the following configuration.

# converters:

# - name: hf.Registrar.Roles

# value: map(attr("member"),"groups")

# maps:

# groups:

# - name: dn1

# value: peer

# - name: dn2

# value: client

# The value of the user's 'hf.Registrar.Roles' attribute is then computed to be

# "peer,client,dn3". This is because the value of 'attr("member")' is

# "dn1,dn2,dn3", and the call to 'map' with a 2nd argument of

# "group" replaces "dn1" with "peer" and "dn2" with "client".

maps:

groups:

- name:

value:

#############################################################################

# 组织结构配置

#############################################################################

affiliations:

org1:

- department1

- department2

org2:

- department1

#############################################################################

# 签发证书相关的配置包括签名方法、证书超时时间等. fabric-ca-server可以作为

# 用户证书的签发CA(默认情况下), 也可以作为根CA来进一步支持其它中间CA

#############################################################################

signing:

# 默认情况下,用于签署Ecert

default:

# 所签发证书的KeyUsage extension域

usage:

- digital signature

# 一年

expiry: 8760h

# 不同的签发配置

profiles:

# 签署中间层CA证书时的配置模板

ca:

usage:

# 所签发证书的KeyUsage extension域

- cert sign

- crl sign

expiry: 43800h

caconstraint:

isca: true

# 限制该中间层CA无法进一步签署中间层CA

maxpathlen: 0

tls:

usage:

- signing

- key encipherment

- server auth

- client auth

- key agreement

expiry: 8760h

###########################################################################

# CA自身证书的申请请求配置. 当CA作为根证书服务时, 将基于请求生成一个

# 自签名的证书; 当CA作为中间证书服务时, 将请求发送给上层的根证书进行签署

# 生成ca-cert.pem文件,是一个自签署的证书

###########################################################################

csr:

# 公用名称

cn: ca.chain.com

keyrequest:

algo: ecdsa

size: 256

names:

# 国家

- C: China

# 所在州

ST: "BeiJing"

# 位置或城市

L: BeiJing

# 机构名称

O: chain

# 机构部门名称

OU: LZSKMSP

hosts:

- lzsk.ca.chain.com

- localhost

# 配置后会加入到证书的扩展字段

ca:

# CA根证书默认15年有效

expiry: 131400h

# 允许产生的中间证书的深度

pathlength: 1

###########################################################################

# Each CA can issue both X509 enrollment certificate as well as Idemix

# Credential. This section specifies configuration for the issuer component

# that is responsible for issuing Idemix credentials.

###########################################################################

idemix:

# Specifies pool size for revocation handles. A revocation handle is an unique identifier of an

# Idemix credential. The issuer will create a pool revocation handles of this specified size. When

# a credential is requested, issuer will get handle from the pool and assign it to the credential.

# Issuer will repopulate the pool with new handles when the last handle in the pool is used.

# A revocation handle and credential revocation information (CRI) are used to create non revocation proof

# by the prover to prove to the verifier that her credential is not revoked.

rhpoolsize: 1000

# The Idemix credential issuance is a two step process. First step is to get a nonce from the issuer

# and second step is send credential request that is constructed using the nonce to the isuser to

# request a credential. This configuration property specifies expiration for the nonces. By default is

# nonces expire after 15 seconds. The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration).

nonceexpiration: 15s

# Specifies interval at which expired nonces are removed from datastore. Default value is 15 minutes.

# The value is expressed in the time.Duration format (see https://golang.org/pkg/time/#ParseDuration)

noncesweepinterval: 15m

#############################################################################

# 配置所选择的加密库

# msp/keystore中存放的BCCSP (BlockChain Crypto Service Provider)中用到的key

#############################################################################

bccsp:

default: SW

sw:

hash: SHA2

security: 256

filekeystore:

# 存放密钥文件的路径

keystore: msp/keystore

# 自动创建除了默认CA外的多个CA实例, 如ca1、ca2等

cacount:

# 可以指定多个CA配置文件路径, 每个配置文件会启动一个CA服务,注意不同配置文件之间需要避免出现冲突(如服务端口、TLS证书等)

cafiles:

#############################################################################

# 当CA作为中间层CA服务时的相关配置. 包括父CA的地址和名称、登记信息、TLS配置等.

# 注意: 当intermediate.parentserver.url非空时, 意味着本CA是中间层CA服务,

# 否则为根CA服务

#############################################################################

intermediate:

# 父CA相关信息

parentserver:

url:

caname:

# 在父CA侧的登记信息

enrollment:

# 证书主机名列表

hosts:

# 签发所用的profile

profile:

# HSM操作中的标签信息

label:

# TLS相关配置

tls:

# 信任的根CA证书

certfiles:

# 客户端验证启用时的相关文件

client:

certfile:

keyfile:

#############################################################################

# CA configuration section

# Configure the number of incorrect password attempts are allowed for

# identities. By default, the value of 'passwordattempts' is 10, which

# means that 10 incorrect password attempts can be made before an identity get

# locked out.

#############################################################################

cfg:

identities:

passwordattempts: 10

###############################################################################

# Operations section

###############################################################################

operations:

# host and port for the operations server

listenAddress: 127.0.0.1:9443

# TLS configuration for the operations endpoint

tls:

# TLS enabled

enabled: false

# path to PEM encoded server certificate for the operations server

cert:

file:

# path to PEM encoded server key for the operations server

key:

file:

# require client certificate authentication to access all resources

clientAuthRequired: false

# paths to PEM encoded ca certificates to trust for client authentication

clientRootCAs:

files: []

###############################################################################

# Metrics section

###############################################################################

metrics:

# statsd, prometheus, or disabled

provider: disabled

# statsd configuration

statsd:

# network type: tcp or udp

network: udp

# statsd server address

address: 127.0.0.1:8125

# the interval at which locally cached counters and gauges are pushsed

# to statsd; timings are pushed immediately

writeInterval: 10s

# prefix is prepended to all emitted statsd merics

prefix: server

配置完成后进行重新启动docker 容器。

1.2 在容器内操作生成证书

1.2.1 注册排序节点、peer节点管理员用户

# 创建CA管理员文件夹

1、mkdir -p ${FABRIC_CA_CLIENT_HOME}/tjfae_admin

# 生成fabric-ca admin的凭证

2、export FABRIC_CA_CLIENT_HOME=${FABRIC_CA_CLIENT_HOME}/tjfae_admin// 环境变量设定

fabric-ca-client enroll -u https://tjfae_dsp:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

# 查看联盟(使用admin用户)

3、fabric-ca-client -H ${FABRIC_CA_CLIENT_HOME} affiliation list --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

# 删除默认联盟

fabric-ca-client -H ${FABRIC_CA_CLIENT_HOME} affiliation remove --force org1 --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

⚠️一定删除干净默认的联盟

# 创建联盟

5、fabric-ca-client -H ${FABRIC_CA_CLIENT_HOME} affiliation add com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client -H ${FABRIC_CA_CLIENT_HOME} affiliation add com.chain --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client -H ${FABRIC_CA_CLIENT_HOME} affiliation add com.chain.tjfae --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client -H ${FABRIC_CA_CLIENT_HOME} affiliation add com.chain.tjfadc --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

⚠️红色为联盟的名称，应人而定

# 为每个组织准备msp同时生成节点类型分类配置文件

6、mkdir -p /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/msp

mkdir -p /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/msp

fabric-ca-client getcacert -M /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/msp --caname tjfae.ca.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client getcacert -M /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/msp --caname tjfae.ca.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

复制config.yaml到orderOrganization/chain.com/msp/config.yaml config.yaml内指定的文件名要和真实目录下的一致

复制config.yaml到peerOrganizations/tjfae.chain.com/msp/config.yaml config.yaml内指定的文件名要和真实目录下的一致

# 注册各组织管理员

fabric-ca-client enroll -u https://tjfae_dsp:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

⚠️一定要执行这步，否则会报错

7、fabric-ca-client register -u https://tjfae_dsp:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com --id.name [email protected] --id.secret tjfae_dsp --id.type admin --id.affiliation com.chain --id.attrs '"hf.Registrar.Roles=client,orderer,peer,admin","hf.Registrar.DelegateRoles=client,orderer,peer,admin",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client register -u https://tjfae_dsp:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com --id.name [email protected] --id.secret tjfae_dsp --id.type admin --id.affiliation com.chain.tjfae --id.attrs '"hf.Registrar.Roles=client,orderer,peer,admin","hf.Registrar.DelegateRoles=client,orderer,peer,admin",hf.Registrar.Attributes=*,hf.GenCRL=true,hf.Revoker=true,hf.AffiliationMgr=true,hf.IntermediateCA=true,role=admin:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

# 生成各组织管理员凭证

8、mkdir -p /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/users/[email protected]

mkdir -p /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/users/[email protected]

fabric-ca-client enroll -u https://[email protected]:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -H /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/users/[email protected] --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client enroll -u https://[email protected]:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -H /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/users/[email protected] --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

cp /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/msp/config.yaml /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/users/[email protected]/msp/config.yaml

cp /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/msp/config.yaml /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/users/[email protected]/msp/config.yaml

# 将[email protected]的证书复制到chain.com/msp/admincerts/

9、mkdir /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/msp/admincerts/

mkdir /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/msp/admincerts/

cp /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/users/[email protected]/msp/signcerts/cert.pem /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/msp/admincerts/

cp /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/users/[email protected]/msp/signcerts/cert.pem /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/msp/admincerts/

#查看联盟

fabric-ca-client -H /etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com/users/[email protected] affiliation list --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client -H /etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/users/[email protected] affiliation list --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

1.2.2 管理员账号注册排序节点普通用户

# 使用管理员账号注册以及生成凭证

17、export FABRIC_CA_CLIENT_HOME=/etc/hyperledger/fabric-ca-client/ordererOrganizations/chain.com

fabric-ca-client register -u https://[email protected]:tjfae_dsp@localhost:7054 -H ${FABRIC_CA_CLIENT_HOME}/users/[email protected] --caname tjfae.ca.chain.com --id.name orderer.chain.com --id.secret tjfae_dsp --id.type orderer --id.affiliation com.chain --id.attrs 'role=orderer:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client register -u https://[email protected]:tjfae_dsp@localhost:7054 -H ${FABRIC_CA_CLIENT_HOME}/users/[email protected] --caname tjfae.ca.chain.com --id.name orderer2.chain.com --id.secret tjfae_dsp --id.type orderer --id.affiliation com.chain --id.attrs 'role=orderer:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client register -u https://[email protected]:tjfae_dsp@localhost:7054 -H ${FABRIC_CA_CLIENT_HOME}/users/[email protected] --caname tjfae.ca.chain.com --id.name orderer3.chain.com --id.secret tjfae_dsp --id.type orderer --id.affiliation com.chain --id.attrs 'role=orderer:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

# 为刚刚创建的几个用户创建各自的文件夹用于存储证书文件

18、mkdir -p ${FABRIC_CA_CLIENT_HOME}/orderers

mkdir -p ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com

mkdir -p ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com

mkdir -p ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com

# 获取每一个Orderer节点的MSP证书文件

19、fabric-ca-client enroll -u https://orderer.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -H ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com --csr.hosts orderer.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client enroll -u https://orderer2.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -H ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com --csr.hosts orderer2.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client enroll -u https://orderer3.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -H ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com --csr.hosts orderer3.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

# 获取每一个Orderer节点的TLS证书文件

20、fabric-ca-client enroll -u https://orderer.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls --enrollment.profile tls --csr.hosts orderer.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client enroll -u https://orderer2.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls --enrollment.profile tls --csr.hosts orderer2.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client enroll -u https://orderer3.chain.com:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls --enrollment.profile tls --csr.hosts orderer3.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

# 将之前生成的节点类型分类配置文件拷贝到每一个节点的MSP文件夹

cp ${FABRIC_CA_CLIENT_HOME}/msp/config.yaml ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/msp/config.yaml

cp ${FABRIC_CA_CLIENT_HOME}/msp/config.yaml ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/msp/config.yaml

cp ${FABRIC_CA_CLIENT_HOME}/msp/config.yaml ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/msp/config.yaml

# 为每一个节点的TLS证书以及秘钥文件修改名字，方便之后的使用

21、cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/ca.crt

cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/signcerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/server.crt

cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/keystore/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/server.key

cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/ca.crt

cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/signcerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/server.crt

cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/keystore/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/server.key

cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/ca.crt

cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/signcerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/server.crt

cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/keystore/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/server.key

# 在MSP文件夹内创建tlscacerts文件夹，并将TLS文件拷贝过去

22、mkdir ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/msp/tlscacerts

mkdir ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/msp/tlscacerts

mkdir ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/msp/tlscacerts

cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem

cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem

cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem

# 复制TLS根证书

23、mkdir -p ${FABRIC_CA_CLIENT_HOME}/msp/tlscacerts

cp ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/msp/tlscacerts/tlsca.chain.com-cert.pem

# 将[email protected]的证书复制到/chain.com/orderers/orderer.chain.com/msp/admincerts

24、mkdir ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/msp/admincerts

mkdir ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/msp/admincerts

mkdir ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/msp/admincerts

cp ${FABRIC_CA_CLIENT_HOME}/users/[email protected]/msp/signcerts/cert.pem ${FABRIC_CA_CLIENT_HOME}/orderers/orderer.chain.com/msp/admincerts

cp ${FABRIC_CA_CLIENT_HOME}/users/[email protected]/msp/signcerts/cert.pem ${FABRIC_CA_CLIENT_HOME}/orderers/orderer2.chain.com/msp/admincerts

cp ${FABRIC_CA_CLIENT_HOME}/users/[email protected]/msp/signcerts/cert.pem ${FABRIC_CA_CLIENT_HOME}/orderers/orderer3.chain.com/msp/admincerts

1.2.3 管理员账号注册peer节点普通用户

# 创建子文件夹用于存储证书文件

25、export FABRIC_CA_CLIENT_HOME=/etc/hyperledger/fabric-ca-client/peerOrganizations/tjfae.chain.com/

# 注册四个用户:peer0,peer1,user1,tjfaeAdmin，其中peer是必需的，user1用于测试的，[email protected]为Admin用户，安装和实例化链码需要Admin用户的证书

26、fabric-ca-client register -u https://[email protected]:tjfae_dsp@localhost:7054 -H ${FABRIC_CA_CLIENT_HOME}/users/[email protected] --caname tjfae.ca.chain.com --id.name tjfae_peer0 --id.secret tjfae_dsp --id.type peer --id.affiliation com.chain.tjfae --id.attrs '"hf.Registrar.Roles=peer",role=peer:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client register -u https://[email protected]:tjfae_dsp@localhost:7054 -H ${FABRIC_CA_CLIENT_HOME}/users/[email protected] --caname tjfae.ca.chain.com --id.name tjfae_peer1 --id.secret tjfae_dsp --id.type peer --id.affiliation com.chain.tjfae --id.attrs '"hf.Registrar.Roles=peer",role=peer:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client register -u https://[email protected]:tjfae_dsp@localhost:7054 -H ${FABRIC_CA_CLIENT_HOME}/users/[email protected] --caname tjfae.ca.chain.com --id.name [email protected] --id.secret tjfae_dsp --id.type client --id.affiliation com.chain.tjfae --id.attrs '"hf.Registrar.Roles=client",role=client:ecert' --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

# 为刚刚创建的几个用户创建各自的文件夹用于存储证书文件

26、mkdir -p ${FABRIC_CA_CLIENT_HOME}/peers

mkdir -p ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com

mkdir -p ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com

# MSP文件

27、fabric-ca-client enroll -u https://tjfae_peer0:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/msp --csr.hosts peer0.tjfae.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client enroll -u https://tjfae_peer1:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/msp --csr.hosts peer1.tjfae.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

# TLS证书

28、fabric-ca-client enroll -u https://tjfae_peer0:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls --enrollment.profile tls --csr.hosts peer0.tjfae.chain.com --csr.hosts peer0.tjfae.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

fabric-ca-client enroll -u https://tjfae_peer1:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls --enrollment.profile tls --csr.hosts peer1.tjfae.chain.com --csr.hosts peer1.tjfae.chain.com --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

# 拷贝节点分类配置文件

29、cp ${FABRIC_CA_CLIENT_HOME}/msp/config.yaml ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/msp/config.yaml

cp ${FABRIC_CA_CLIENT_HOME}/msp/config.yaml ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/msp/config.yaml

# 修改证书以及秘钥文件，方便之后使用

30、cp ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/ca.crt

cp ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/signcerts/* ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/server.crt

cp ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/keystore/* ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/server.key

cp ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls/ca.crt

cp ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls/signcerts/* ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls/server.crt

cp ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls/keystore/* ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/tls/server.key

# 复制TLS相关证书

31、mkdir ${FABRIC_CA_CLIENT_HOME}/msp/tlscacerts

cp ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/msp/tlscacerts/ca.crt

mkdir ${FABRIC_CA_CLIENT_HOME}/tlsca

cp ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/tls/tlscacerts/* ${FABRIC_CA_CLIENT_HOME}/tlsca/tlsca.tjfae.chain.com-cert.pem

mkdir ${FABRIC_CA_CLIENT_HOME}/ca

cp ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/msp/cacerts/* ${FABRIC_CA_CLIENT_HOME}/ca/ca.tjfae.chain.com-cert.pem

# 获取user用户证书文件

32、mkdir -p ${FABRIC_CA_CLIENT_HOME}/users/[email protected]

# 获取证书文件

48、fabric-ca-client enroll -u https://[email protected]:tjfae_dsp@localhost:7054 --caname tjfae.ca.chain.com -M ${FABRIC_CA_CLIENT_HOME}/users/[email protected]/msp --tls.certfiles ${FABRIC_CA_SERVER_HOME}/tls-cert.pem

# 将[email protected]的证书复制到${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/msp/admincerts

24、mkdir ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/msp/admincerts

mkdir ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/msp/admincerts

mkdir ${FABRIC_CA_CLIENT_HOME}/users/[email protected]/msp/admincerts

cp ${FABRIC_CA_CLIENT_HOME}/users/[email protected]/msp/signcerts/cert.pem ${FABRIC_CA_CLIENT_HOME}/peers/peer0.tjfae.chain.com/msp/admincerts

cp ${FABRIC_CA_CLIENT_HOME}/users/[email protected]/msp/signcerts/cert.pem ${FABRIC_CA_CLIENT_HOME}/peers/peer1.tjfae.chain.com/msp/admincerts

cp ${FABRIC_CA_CLIENT_HOME}/users/[email protected]/msp/signcerts/cert.pem ${FABRIC_CA_CLIENT_HOME}/users/[email protected]/msp/admincerts

1.2.4生成证书完成操作

生成完证书完成后，客户端证书拷贝到各个节点路径下。

2 节点配置文件修改

version: '2'

# 对网络的声明,即该yaml配置文件中所有服务所涉及到的网络

networks:

rootchain:

# 网络使用的驱动类型。默认为bridge

driver: bridge

services:

peer0.lzsk1.chain.com:

container_name: peer0.lzsk1.chain.com

hostname: peer0.lzsk1.chain.com

image: hyperledger/fabric-peer:latest

environment:

- TZ=Asia/Shanghai

- CORE_LEDGER_STATE_STATEDATABASE=CouchDB

//couchDB端口

-CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb1:6984

//couchDB用户设置

- CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=lzsk_dsp

//couchDB 密码设置

- CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=lzsk_dsp

- CORE_PEER_ID=peer0.lzsk1.chain.com

- CORE_PEER_ADDRESS=peer0.lzsk1.chain.com:8051

# 设置或读取peer节点的监听地址。默认情况下Peer节点在所有地址上监听请求

- CORE_PEER_LISTENADDRESS=0.0.0.0:8051

# 链码连接该Peer节点的地址。

- CORE_PEER_CHAINCODEADDRESS=peer0.lzsk1.chain.com:8052

# Peer节点监听链码连接请求的地址。如果未设置该参数，将自动选择节点地址的7052端口

- CORE_PEER_CHAINCODELISTENADDRESS=peer0.lzsk1.chain.com:8052

# 向机构外的节点发布的访问端节点。如果未设置该参数，节点将不为其他机构所知。

- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.lzsk1.chain.com:8051

# 设置初始化gossip的引导节点列表，节点启动时将连接这些引导节点。

# 这里列出的引导节点必须与当前节点属于同一机构，否则连接将被拒绝。

- CORE_PEER_GOSSIP_BOOTSTRAP=peer0.lzsk1.chain.com:8051

# 本地MSP的标识ID

# 部署人员需要修改localMspId的值！尤其重要的一点是，

# localMspID的值需要匹配该节点所在通道中的某个MSP，

# 否则该节点的消息将被其他节点视为无效

- CORE_PEER_LOCALMSPID=Lzsk1MSP

- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock

- FABRIC_LOGGING_SPEC=INFO

- CORE_LEDGER_HISTORY_ENABLEHISTORYDATABASE=true

# 节点是否使用动态算法选出主导节点，该主导节点将连接

# 排序服务并使用分发协议从排序服务拉取账本区块。

# 对大型网络建议启用主导节点选举。

- CORE_PEER_GOSSIP_USELEADERELECTION=true

# 是否静态指定机构的主导节点，该节点将负责维持与排序节点的

# 连接并向机构中的其他节点分发区块。

- CORE_PEER_GOSSIP_ORGLEADER=false

- CORE_PEER_PROFILE_ENABLED=true

# 启用对服务端的TLS身份验证。

- CORE_PEER_TLS_ENABLED=true

# Peer节点的X.509证书文件路径。

- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt

# Peer节点的私钥文件路径。

- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key

# Peer节点证书的验证链根证书文件路径

- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt

working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer

command: peer node start

volumes:

- /var/run/:/host/var/run/

- ./crypto-config/peerOrganizations/lzsk1.chain.com/peers/peer0.lzsk1.chain.com/msp:/etc/hyperledger/fabric/msp

- ./crypto-config/peerOrganizations/lzsk1.chain.com/peers/peer0.lzsk1.chain.com/tls:/etc/hyperledger/fabric/tls

- /root/go/src/github.com/hyperledger/fabric-samples/lzsk/peer0.lzsk1.chain.com:/var/hyperledger/production

ports:

- "8051:8051"

- "8052:8052"

- "8053:8053"

depends_on:

- couchdb1

networks:

- rootchain

extra_hosts:

#- "orderer117.chain.com:192.168.133.117"

- "orderer.chain.com:192.168.21.42"

- "couchdb1:192.168.21.42"

container_name: couchdb1

image: hyperledger/fabric-couchdb:latest

environment:

- TZ=Asia/Shanghai

- COUCHDB_USER=lzsk_dsp

- COUCHDB_PASSWORD=lzsk_dsp

volumes:

- /root/go/src/github.com/hyperledger/fabric-samples/lzsk/couchdb1:/opt/couchdb/data

ports:

- "6984:5984"

networks:

- rootchain

cli1:

container_name: cli1

image: hyperledger/fabric-tools:latest

tty: true

environment:

- TZ=Asia/Shanghai

- GOPATH=/opt/gopath

- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock

- FABRIC_LOGGING_SPEC=INFO

- CORE_PEER_ID=cli

- CORE_PEER_ADDRESS=peer0.lzsk1.chain.com:8051

- CORE_PEER_LOCALMSPID=Lzsk1MSP

- CORE_PEER_TLS_ENABLED=true

- CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/lzsk1.chain.com/peers/peer0.lzsk1.chain.com/tls/server.crt

- CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/lzsk1.chain.com/peers/peer0.lzsk1.chain.com/tls/server.key

- CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/lzsk1.chain.com/peers/peer0.lzsk1.chain.com/tls/ca.crt

- CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/lzsk1.chain.com/users/[email protected]/msp

working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer

command: /bin/bash

volumes:

- /var/run/:/host/var/run/

- ./chaincode:/opt/gopath/src/github.com/chaincode

- ./crypto-config:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/

- ./channel-artifacts:/opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts

depends_on:

- peer0.lzsk1.chain.com

networks:

- rootchain

extra_hosts:

#- "orderer117.chain.com:192.168.133.117"

- "orderer.chain.com:192.168.21.42"

- "peer0.lzsk1.chain.com:192.168.21.42"

修改完成后，docker启动节点.

命令为：docker-compose -f yaml文件 up -d

2.1 生成创世区块和通道

# 首先进入区块链文件夹例如：cd /opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/

# 告诉configtxgen从哪里寻找configtx.yaml文件

1、export FABRIC_CFG_PATH=$PWD

# Raft方式:生成系统通道创世区块genesis.block

2、../bin/configtxgen -profile SampleMultiNodeEtcdRaft -channelID mychannel -outputBlock ./channel-artifacts/genesis.block

# 创建通道配置事务

3 ../bin/configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/mychannel.tx -channelID rootchain

# 创建更新组织TjfaeMSP、TjfadcMSP在该通道上的锚节点的事务

4、../bin/configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/TjfaeMSPanchors.tx -channelID rootchain -asOrg TjfaeMSP

../bin/configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/TjfadcMSPanchors.tx -channelID rootchain -asOrg TjfadcMSP

# 发送生成的文件到另外机器上

5、

Scp -r /opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/channel-artifacts [email protected]:/opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/

scp -r /opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/channel-artifacts [email protected]:/opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/

2.2 启动各节点

# peer客户端cli内执行：创建通道

1、peer channel create -o orderer.chain.com:7050 -c rootchain -f ./channel-artifacts/mychannel.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/chain.com/orderers/orderer.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem

# peer客户端cli内执行：加入通道(其他机器加入通道需先执行9-11步骤)

2、peer channel join -b rootchain.block

# 退出容器：从容器中拷贝生成的mychannel.block文件到宿主机

3、docker cp cli:/opt/gopath/src/github.com/hyperledger/fabric/peer/rootchain.block /opt/

# 发送mychannel.block文件到其他机器

4、scp -r /opt/rootchain.block [email protected]:/opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/channel-artifacts

# 从宿主机拷贝mychannel.block文件到容器内，使用mychannel.block文件加入通道

5、docker cp /opt/gowork/src/github.com/hyperledger/fabric-samples/rootchain/channel-artifacts/rootchain.block cli:/opt/gopath/src/github.com/hyperledger/fabric/peer

docker cp /opt/rootchain.block cli:/opt/gopath/src/github.com/hyperledger/fabric/peer

⚠️各个几点都需要拷贝mychannel.block 拷贝到启动容器内

2.3 安装链码

# peer客户端cli内执行：更新锚节点(每个组织都需要更新锚节点,各组织进入自己的peer客户端内执行)

6、peer channel update -o orderer.chain.com:7050 -c rootchain -f ./channel-artifacts/TjfaeMSPanchors.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/chain.com/orderers/orderer.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem

peer channel update -o orderer2.chain.com:7050 -c rootchain -f ./channel-artifacts/TjfadcMSPanchors.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/chain.com/orderers/orderer.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem

# 环境变量

CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/tjfae.chain.com/users/[email protected]/msp

CORE_PEER_ADDRESS=peer0.tjfae.chain.com:7051

CORE_PEER_LOCALMSPID="TjfaeMSP"CORE_PEER_LOCALMSPID="TjfaeMSP"

CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/tjfae.chain.com/peers/peer0.tjfae.chain.com/tls/ca.crt

# 在peer节点上安装链码（同一组织多个节点切换环境变量依次安装，只需在背书节点安装链码。各组织进入自己的peer客户端内执行）

7、peer chaincode install -n benefit -v 1.0 -p ../../../chaincode/benefit/ -l java

# 初始化链码（只需在其中一个背书节点执行即可。后续执行交易，其他节点收到交易请求后，会自动安装链码）

8、peer chaincode instantiate -o orderer.chain.com:7050 --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/chain.com/orderers/orderer.chain.com/msp/tlscacerts/tlsca.chain.com-cert.pem -C rootchain -n benefit -v 1.0 -c '{"Args":["init"]}' -P "AND ('TjfadcMSP.peer','TjfaeMSP.peer')"

peer chaincode query -C rootchain -n benefit -c '{"Args":["create","{\"name\":\"test\"}","10"]}'

3 常见问题分析

3.1 Mysql问题

Mysql ERROR 1067: Invalid default value for 字段

解决方案：

vi /etc/my.cnf //添加以下配置
sql_mode=ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

ERROR 1067 (42000): Invalid default value for ' '

解决方案：

3.2 镜像版本问题

3.3 容器报的错

iptabes: No chain/target/match by that name. (exit status 1)

解决方案：iptables: No chain/target/match by that name. (exit status 1)

connect error: No route to host(errno:113)

解决方案：方法一：关闭防火墙

centos关闭防火墙的操作为

systemctl stop firewalld

方法二：在防火墙上开发指定端口

firewall-cmd --zone=public --add-port=2181/tcp --perm anent

firewall-cmd --reload

Get https://registry-1.docker.io/v2/: dia tcp: lookup registry-1.docker.io: no such host

解决方案：

编辑/etc/resolv.conf 文件，增加一行dns地址，例如：nameserver 8.8.4.4

3.4 浏览器报错

sudo: psq：找不到命令