申请证书
修改配置
获取配置文件
配置环境变量,需要使用Orderer节点的身份信息:
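# Run the peer CLI as the orderer organization's admin. CORE_PEER_MSPCONFIGPATH
# points at the Admin MSP directory, i.e. the credentials later used to sign the
# channel config update, so keep that directory access-restricted.
export CORE_PEER_LOCALMSPID="OrdererMSP"
# NOTE(review): the paths below spell the crypto directory two ways
# (orderOrganization / ordererOrganization) and name two different orderers
# (orderer1 / orderer) -- confirm each against the real crypto material layout.
# Values are quoted so a working directory containing spaces cannot split them.
export ORDERER_CA="${PWD}/crypto/orderOrganization/example.com/orderers/orderer1.example.com/msp/tlscacerts/tlsca.example.com-cert.pem"
export CORE_PEER_TLS_ROOTCERT_FILE="${PWD}/crypto/ordererOrganization/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem"
export CORE_PEER_MSPCONFIGPATH="/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/orderOrganization/example.com/users/Admin@example.com/msp"
export CORE_PEER_ADDRESS="peer0.org1.example.com:7051"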
获取系统通道配置文件:
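# Fetch the current config block of system-channel from the existing orderer over TLS.
# "$ORDERER_CA" is quoted so a path containing spaces is passed as one argument.
peer channel fetch config channel-artifacts/config_block.pb \
  -o orderer.example.com:7050 \
  -c system-channel \
  --tls --cafile "$ORDERER_CA"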
解码该配置文件:
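# Decode the fetched block to JSON and keep only the channel config section.
# The jq filter is single-quoted: unquoted, the "[0]" is a shell glob pattern and
# may be expanded (or rejected by some shells) before jq ever sees it.
configtxlator proto_decode --input channel-artifacts/config_block.pb --type common.Block \
  | jq '.data.data[0].payload.data.config' > channel-artifacts/config.json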
添加配置信息
复制 config.json 为 update_config.json,然后修改 update_config.json 文件
1. 在 consenters 列表(channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters)中加入以下条目:
{
"client_tls_cert": "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",
"host": "orderer1.example.com",
"port": 8050,
"server_tls_cert": "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"
},
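client_tls_cert 和 server_tls_cert 对应 ordererOrganizations/example.com/orderers/orderer5.example.com/tls/server.crt 的 base64 编码(单行,不含换行)。这里只写入证书 server.crt,不要写入私钥 server.key。注意:上面加入的节点是 orderer1.example.com,而此处路径写的是 orderer5,请确认使用的是新增节点自己的 TLS 证书,因为其他排序节点依据这两个字段验证该节点的集群连接。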
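# Base64-encode the new node's TLS certificate for the consenter entry.
# The output is forced onto a single line: GNU base64 wraps by default, and a
# wrapped value cannot be pasted into a JSON string as-is.
# Only the public certificate is encoded here; server.key must never leave the node.
# NOTE(review): this path names orderer5 while the consenter entry is for
# orderer1.example.com -- confirm the certificate belongs to the node being added.
base64 < ordererOrganizations/example.com/orderers/orderer5.example.com/tls/server.crt \
  | tr -d '\n' > cert.txt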
2.在以下位置加入 orderer1.example.com:8050
"OrdererAddresses": {
"mod_policy": "/Channel/Orderer/Admins",
"value": {
"addresses": [
"orderer.example.com:7050",
"orderer1.example.com:8050"
]
},
"version": "0"
}
更新配置信息
对原有的配置文件与更新的配置文件进行编码:
# Re-encode both JSON documents as common.Config protobufs: first the config as
# fetched, then the edited copy that adds the new orderer.
configtxlator proto_encode \
  --input channel-artifacts/config.json \
  --type common.Config \
  > channel-artifacts/config.pb
configtxlator proto_encode \
  --input channel-artifacts/update_config.json \
  --type common.Config \
  > channel-artifacts/config_update.pb
计算出两个文件的差异:
# Compute the ConfigUpdate delta between the original and the edited config
# for system-channel.
configtxlator compute_update \
  --channel_id system-channel \
  --original channel-artifacts/config.pb \
  --updated channel-artifacts/config_update.pb \
  > channel-artifacts/updated.pb
对该文件进行解码,并添加用于更新配置的头部信息:
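# Decode the delta to JSON. Review updated.json at this point: it should contain
# only the new consenter entry and the new orderer address, because whatever is
# in it is what gets signed and submitted in the next steps.
configtxlator proto_decode --input channel-artifacts/updated.pb --type common.ConfigUpdate > channel-artifacts/updated.json
# Wrap the delta in an envelope whose header names the channel (type 2 as given here).
# The command substitution is double-quoted so the JSON is inserted verbatim,
# without the shell word-splitting or glob-expanding its contents.
echo '{"payload":{"header":{"channel_header":{"channel_id":"system-channel", "type":2}},"data":{"config_update":'"$(cat channel-artifacts/updated.json)"'}}}' | jq . > channel-artifacts/updated_envelope.json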
编码为 Envelope 格式的文件:
# Encode the JSON envelope as a common.Envelope protobuf, the form that is
# signed and submitted below.
configtxlator proto_encode \
  --input channel-artifacts/updated_envelope.json \
  --type common.Envelope \
  > channel-artifacts/updated_envelope.pb
对该文件进行签名操作,用于更新配置:
# Sign the envelope file. The signature is presumably made with the identity set
# in CORE_PEER_MSPCONFIGPATH / CORE_PEER_LOCALMSPID above -- confirm those still
# point at the orderer org admin before running this.
peer channel signconfigtx \
  --file channel-artifacts/updated_envelope.pb
提交更新通道配置交易:
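# Submit the signed config update for system-channel to the existing orderer over TLS.
# "$ORDERER_CA" is quoted so a path containing spaces is passed as one argument.
peer channel update \
  -f channel-artifacts/updated_envelope.pb \
  -c system-channel \
  -o orderer.example.com:7050 \
  --tls true --cafile "$ORDERER_CA"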
启动节点
编辑新的orderer的docker-compose文件
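# Compose file for the additional ordering node orderer1.example.com.
# Indentation restored; the only functional change is the added
# ORDERER_GENERAL_LISTENPORT entry (explained below).
version: '2'

volumes:
  orderer1.example.com:

networks:
  elec:

services:
  orderer1.example.com:
    container_name: orderer1.example.com
    # IMAGE_TAG is taken from the environment of the docker-compose command;
    # set it to one fixed release so every orderer runs the same, known image.
    image: hyperledger/fabric-orderer:$IMAGE_TAG
    environment:
      - FABRIC_LOGGING_SPEC=INFO
      # Listens on every interface inside the container; actual reachability is
      # decided by the published port and the host firewall.
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      # Added: the consenter entry, OrdererAddresses and the published port all
      # use 8050, while the orderer's default listen port is 7050. Without this
      # line nothing answers on 8050 inside the container.
      - ORDERER_GENERAL_LISTENPORT=8050
      - ORDERER_GENERAL_GENESISMETHOD=file
      # NOTE(review): a node joining an existing Raft cluster is normally
      # bootstrapped from the latest system-channel config block (the one that
      # already lists it as a consenter), not the original genesis block --
      # confirm which block the mounted file actually is.
      - ORDERER_GENERAL_GENESISFILE=/var/hyperledger/orderer/orderer.genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp
      # enabled TLS
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
      - ORDERER_KAFKA_TOPIC_REPLICATIONFACTOR=1
      - ORDERER_KAFKA_VERBOSE=true
      # Cluster (orderer-to-orderer) TLS reuses the server key pair; this
      # certificate must be the one placed in client_tls_cert/server_tls_cert of
      # the consenter entry, or the other orderers will not accept this node.
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/var/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/var/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_CLUSTER_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric
    command: orderer
    volumes:
      - ../system-genesis-block/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
      # The msp and tls directories hold this node's private keys. Keep the host
      # directories readable only by the account that runs the container;
      # mounting them read-only is worth considering.
      - ../organizations/ordererOrganizations/example.com/orderers/orderer1.example.com/msp:/var/hyperledger/orderer/msp
      - ../organizations/ordererOrganizations/example.com/orderers/orderer1.example.com/tls/:/var/hyperledger/orderer/tls
      - orderer1.example.com:/var/hyperledger/production/orderer
    ports:
      # Published on all host interfaces; limit access at the host firewall to
      # the peers and orderers that need to reach this node.
      - 8050:8050
    networks:
      - elec
    # Static name-to-IP mappings for the peers; keep them in step with the
    # hosts' real addresses, since a stale entry sends traffic to whatever host
    # currently owns that IP.
    extra_hosts:
      - peer0.org1.example.com:192.168.26.128
      - peer0.org2.example.com:192.168.26.129
      - peer0.org3.example.com:192.168.26.130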
启动
# Start the new orderer container in the background.
# The compose file references $IMAGE_TAG, so that variable has to be set in the
# environment of this command.
docker-compose \
  --file docker-compose-addOrderer1.yaml \
  up --detach
注意:需要在每个通道上进行上面的配置操作,否则无法操作通道