hyperledger-fabric: Failed creating puller config from bootstrap block: unable to decode TLS certificate PEM

When adding a new Raft ordering node to a Hyperledger Fabric 2.2 network, the new node's log shows the following error:
createReplicator -> PANI 009 Failed creating puller config from bootstrap block: unable to decode TLS certificate PEM

Problem description

After generating new certificates with the cryptogen tool and updating the existing channel configuration, I started a new orderer node from the newly exported config block, and the log reported the following error:

logs
orderer.blockchain.example.com    | 2020-09-29 13:46:58.453 CST [orderer.common.server] reuseListener -> INFO 008 Cluster listener is not configured, defaulting to use the general listener on port 7050
orderer.blockchain.example.com | 2020-09-29 13:46:58.454 CST [orderer.common.cluster] createReplicator -> PANI 009 Failed creating puller config from bootstrap block: unable to decode TLS certificate PEM:
orderer.blockchain.example.com | panic: Failed creating puller config from bootstrap block: unable to decode TLS certificate PEM:
orderer.blockchain.example.com |
orderer.blockchain.example.com | goroutine 1 [running]:
orderer.blockchain.example.com | go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc000150f20, 0x0, 0x0, 0x0)
orderer.blockchain.example.com | /go/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/zapcore/entry.go:230 +0x545
orderer.blockchain.example.com | go.uber.org/zap.(*SugaredLogger).log(0xc00061a940, 0x4, 0x1113380, 0x36, 0xc0001cf320, 0x1, 0x1, 0x0, 0x0, 0x0)
orderer.blockchain.example.com | /go/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:234 +0x100
orderer.blockchain.example.com | go.uber.org/zap.(*SugaredLogger).Panicf(...)
orderer.blockchain.example.com | /go/src/github.com/hyperledger/fabric/vendor/go.uber.org/zap/sugar.go:159
orderer.blockchain.example.com | github.com/hyperledger/fabric/common/flogging.(*FabricLogger).Panicf(...)
orderer.blockchain.example.com | /go/src/github.com/hyperledger/fabric/common/flogging/zap.go:74
orderer.blockchain.example.com | github.com/hyperledger/fabric/orderer/common/onboarding.(*ReplicationInitiator).createReplicator(0xc0000fa200, 0xc00014c3c0, 0x1131f48, 0xc00064b4a8)
orderer.blockchain.example.com | /go/src/github.com/hyperledger/fabric/orderer/common/onboarding/onboarding.go:123 +0x334
orderer.blockchain.example.com | github.com/hyperledger/fabric/orderer/common/onboarding.(*ReplicationInitiator).replicateNeededChannels(0xc0000fa200, 0xc00014c3c0)
orderer.blockchain.example.com | /go/src/github.com/hyperledger/fabric/orderer/common/onboarding/onboarding.go:152 +0x69
orderer.blockchain.example.com | github.com/hyperledger/fabric/orderer/common/onboarding.(*ReplicationInitiator).ReplicateIfNeeded(0xc0000fa200, 0xc00014c3c0)
orderer.blockchain.example.com | /go/src/github.com/hyperledger/fabric/orderer/common/onboarding/onboarding.go:107 +0x9a
orderer.blockchain.example.com | github.com/hyperledger/fabric/orderer/common/server.Main()
orderer.blockchain.example.com | /go/src/github.com/hyperledger/fabric/orderer/common/server/main.go:196 +0x185c
orderer.blockchain.example.com | main.main()
orderer.blockchain.example.com | /go/src/github.com/hyperledger/fabric/cmd/orderer/main.go:15 +0x20

Solution

Looking later at the official sample sampleconfig/orderer.yaml, I found the following settings (they live under the General section):

orderer.yaml
  # Cluster settings for ordering service nodes that communicate with other ordering service nodes
  # such as Raft based ordering service.
  Cluster:
    # SendBufferSize is the maximum number of messages in the egress buffer.
    # Consensus messages are dropped if the buffer is full, and transaction
    # messages are waiting for space to be freed.
    SendBufferSize: 10
    # ClientCertificate governs the file location of the client TLS certificate
    # used to establish mutual TLS connections with other ordering service nodes.
    ClientCertificate:
    # ClientPrivateKey governs the file location of the private key of the client TLS certificate.
    ClientPrivateKey:
    # The below 4 properties should be either set together, or be unset together.
    # If they are set, then the orderer node uses a separate listener for intra-cluster
    # communication. If they are unset, then the general orderer listener is used.
    # This is useful if you want to use a different TLS server certificates on the
    # client-facing and the intra-cluster listeners.

Comparing this with the docker-compose.yml I was starting the node from showed that these two settings were indeed missing. The log line itself is the clue: Fabric appends the base64 of the certificate bytes it could not decode after "unable to decode TLS certificate PEM:", and in the log above nothing follows the colon, which means the orderer handed its cluster dialer an empty certificate, exactly what happens when Cluster.ClientCertificate is unset. The fix is to add the following environment variables to the service:

  - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
  - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/orderer/tls/server.key

Example compose file:

docker-compose.yml
version: '3'

networks:
  default:
    external:
      name: blockchain

volumes:
  prod-orderer: {}

services:
  orderer.blockchain.example.com:
    image: harbor.jayxiam.com/blockchain/orderer:2.3.0
    container_name: orderer.blockchain.example.com
    restart: always
    working_dir: /opt/orderer
    command: orderer
    environment:
      - TZ=Asia/Shanghai
      - FABRIC_LOGGING_SPEC=INFO
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_LISTENPORT=7050
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_BOOTSTRAPFILE=/var/hyperledger/orderer/genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/orderer/msp
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/orderer/tls/ca.crt]
      - ORDERER_KAFKA_TOPIC_REPLICATIONFACTOR=1
      - ORDERER_KAFKA_VERBOSE=true
      # Client TLS identity for mutual TLS between ordering nodes (the setting that was missing)
      - ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/orderer/tls/server.key
      # GM (Chinese national SM cryptography) BCCSP settings
      - ORDERER_GENERAL_BCCSP_DEFAULT=GM
      - ORDERER_GENERAL_BCCSP_SW_HASH=GMSM3
      - ORDERER_GENERAL_BCCSP_SW_SECURITY=256
    volumes:
      - $PWD/channel-artifacts/genesis.block:/var/hyperledger/orderer/genesis.block
      - $PWD/crypto-config/ordererOrganizations/blockchain.example.com/orderers/orderer.blockchain.example.com:/etc/hyperledger/orderer
      - prod-orderer:/var/hyperledger/production/
    ports:
      - "7050:7050"
    logging:
      driver: json-file
      options:
        max-size: "512m"

After adding these certificate settings and rebuilding the network, the problem was resolved. Two things to check when applying this: the file referenced by Cluster.ClientCertificate must be a PEM-encoded X.509 certificate that is valid for client authentication, because the other ordering nodes require a client certificate on every intra-cluster connection; and it must be the same client TLS certificate that is recorded for this node in the channel's Raft consenter set, since the remote nodes match the presented certificate against that entry and reject anything else.
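As an added example (my own code, not from the post and not Fabric's implementation), the following Go program performs, ahead of time, the checks that would have caught this misconfiguration: it reproduces the pem.Decode check whose failure produced the panic, and adds the checks a practitioner wants before handing a certificate to the cluster dialer (X.509 parses, carries the clientAuth extended key usage required for mutual TLS, is not expired, and matches the private key). The function names are mine, and the self-signed ECDSA pair is constructed sample input, not cryptogen output; in practice you would read the bytes from the files named by ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE and ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckClusterTLSPair validates the bytes an orderer would load for
// General.Cluster.ClientCertificate / ClientPrivateKey. The first check is the
// one Fabric itself performs (pem.Decode must succeed); the rest are added
// sanity checks for a certificate used as a mutual-TLS client identity.
func CheckClusterTLSPair(certPEM, keyPEM []byte) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		// Empty or non-PEM input: the condition behind the panic in the post,
		// e.g. when the cluster client certificate path was never configured.
		return errors.New("unable to decode TLS certificate PEM")
	}
	if block.Type != "CERTIFICATE" {
		return fmt.Errorf("expected a CERTIFICATE block, got %q", block.Type)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse TLS certificate: %w", err)
	}
	if !hasEKU(cert, x509.ExtKeyUsageClientAuth) {
		return errors.New("TLS certificate lacks the clientAuth extended key usage needed for intra-cluster mutual TLS")
	}
	if time.Now().After(cert.NotAfter) {
		return fmt.Errorf("TLS certificate expired at %s", cert.NotAfter.UTC())
	}
	// tls.X509KeyPair fails if the private key does not belong to the certificate.
	if _, err := tls.X509KeyPair(certPEM, keyPEM); err != nil {
		return fmt.Errorf("cluster client key does not match certificate: %w", err)
	}
	return nil
}

func hasEKU(cert *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, eku := range cert.ExtKeyUsage {
		if eku == want {
			return true
		}
	}
	return false
}

// NewSelfSignedPair builds a throwaway ECDSA P-256 certificate and PKCS#8 key
// in memory (constructed sample input, hypothetical helper) so the check can be
// exercised offline. clientAuth controls whether the clientAuth EKU is present.
func NewSelfSignedPair(clientAuth bool) (certPEM, keyPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	eku := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	if clientAuth {
		eku = append(eku, x509.ExtKeyUsageClientAuth)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "orderer.blockchain.example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	certPEM, keyPEM, err := NewSelfSignedPair(true)
	if err != nil {
		panic(err)
	}
	// Unset ClientCertificate: the orderer loads zero bytes, as in the post's log.
	fmt.Println("empty cert:", CheckClusterTLSPair(nil, keyPEM))
	// Correctly configured pair.
	fmt.Println("good pair:", CheckClusterTLSPair(certPEM, keyPEM))
	// Certificate without clientAuth, which peers would reject during mutual TLS.
	noClientCert, noClientKey, _ := NewSelfSignedPair(false)
	fmt.Println("no clientAuth:", CheckClusterTLSPair(noClientCert, noClientKey))
	// Key belonging to a different identity.
	_, otherKey, _ := NewSelfSignedPair(true)
	fmt.Println("mismatched key:", CheckClusterTLSPair(certPEM, otherKey))
}
```

Running the program prints an error for the empty certificate, nil for the good pair, and errors for the two remaining cases. The clientAuth check matters because Go's TLS server side (which Fabric's cluster listener uses) verifies client certificates with the clientAuth key usage; cryptogen-generated TLS certificates carry both serverAuth and clientAuth, which is why the same server.crt can serve as the cluster client certificate.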
