首页 > 其他分享 >SDK连接节点失败排查思路

SDK连接节点失败排查思路

时间:2022-12-28 03:33:31浏览次数:60  
标签:netty java 排查 io secp256k1 security sdk 节点 SDK

https://fisco-bcos-documentation.readthedocs.io/zh_CN/latest/docs/faq/connect.html

 

Important: 前置说明

1. jdk版本支持

JavaSDK原则上支持从jdk 1.8到jdk 15的OracleJDKOpenJDK,但中间有部分版本禁用或者不支持secp256k1曲线,会导致sdk与节点之间握手失败,请首先检查当前使用的jdk是否支持secp256k1曲线,目前已经覆盖测试的jdk版本如下,推荐大家使用:

  • OracleJDK:

    • 1.8.0_141

    • 1.8.0_202

    • 11.0.2

    • 14.0.2

    • 15.0.2

  • OpenJDK:

    • 11.0.2

    • 14.0.2

    • 15.0.2

  • jdk下载链接:

    • OracleJDK官网:

      • https://www.oracle.com/java/technologies/downloads/archive/

    • 国内镜像:

      • http://www.codebaoku.com/jdk/jdk-oracle.html

      • http://www.codebaoku.com/jdk/jdk-openjdk.html

若使用的jdk禁用了secp256k1曲线(注意: 如果jdk不支持secp256k1曲线,不适用该方法),可以参考 #issue 470通过手动修改java.security属性的方式重新启用secp256k1曲线.

2. JavaSDK版本说明

JavaSDK 2.8.1优化了sdk连接失败的日志和报错提示,欢迎使用2.8.1及以上版本的sdk,更便于定位错误问题。

maven方式

<dependencies>
      <dependency>
            <groupId>io.netty</groupId>
            <artifactId>netty-all</artifactId>
            <version>4.1.53.Final</version>
        </dependency>
 	<dependency>
            <groupId>org.fisco-bcos.java-sdk</groupId>
            <artifactId>fisco-bcos-java-sdk</artifactId>
            <version>2.9.0</version>
            <exclusions>
                <exclusion>
                    <groupId>org.slf4j</groupId>
                    <artifactId>slf4j-log4j12</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>io.netty</groupId>
                    <artifactId>netty-all</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
</dependencies>
Copy to clipboard

gradle方式

dependencies {
    compile ('org.fisco-bcos.java-sdk:fisco-bcos-java-sdk:2.9.0')
}
configurations.all {
    resolutionStrategy {
        force 'io.netty:netty-all:4.1.53.Final'
    }
}
Copy to clipboard

排查步骤

JavaSDK启动失败时会有类似于如下的异常信息:

* TRACE INFORMATION:
----------------------------
====> STEP1: try to connect nodes with ecdsa context...
<==== STEP1 Result: try to connect nodes with ecdsa context failed for cert missing
* Missed certificates: [conf/ca.crt,conf/sdk.crt,conf/sdk.key,]
currentPath: /Users/octopus/fisco/asset-app/dist

----------------------------
====> STEP2: connect nodes with ecdsa context failed, try to connect nodes with sm-context...
<==== STEP2 Result: connect with sm context failed for cert missing.
* Missed certificates:
[conf/gm/gmca.crt,conf/gm/gmsdk.crt,conf/gm/gmsdk.key,conf/gm/gmensdk.key,conf/gm/gmensdk.crt,]
currentPath: /Users/octopus/fisco/asset-app/dist
----------------------------
<====> Error: try to connect nodes with both ecdsa and sm context failed <====>
<====> Please refer to github issue: https://github.com/FISCO-BCOS/java-sdk/issues/536
<====> Please refer to fisco-docs: https://fisco-bcos-documentation.readthedocs.io/zh_CN/latest/docs/faq/connect.html
----------------------------
* FISCO BCOS Java SDK Version: 2.8.1
* Support secp256k1 : true
* Java Version : 15.0.2
* JDK Disabled NamedCurves : null
* JDK DisableNative Option : null
* OS Name : Mac OS X
* OS Arch : x86_64
* OS Version : 10.16
* JVM Version : 15.0.2+7-27
* JVM Vendor : Oracle Corporation
* JVM Vendor URL : https://java.oracle.com/
Copy to clipboard

不同的项目对错误的处理方式不同,这段错误信息可能会重复显示多次,用户从最后的RACE INFORMATION:开始排查即可。

step1:检查是否拷贝证书

若sdk同时抛出下面两个错误,说明没有拷贝证书,需要将证书拷贝到src/main/resources/conf子目录或conf子目录下:

<==== STEP1 Result: try to connect nodes with ecdsa context failed for cert missing
* Missed certificates: xxxxxx

<==== STEP2 Result: connect with sm context failed for cert missing.
* Missed certificates: xxxxxx
Copy to clipboard

证书拷贝步骤可参考FISCO BCOS文档:搭建第一个区块链网络


step2: 检查节点是否启动或者SDK与节点之间网络是否连通

若SDK抛出如下错误,说明SDK与节点之间网络不连通,或者节点没有启动:

* TRACE INFORMATION:
----------------------------
====> STEP1: try to connect nodes with ecdsa context...
<==== STEP1-1: Load certificates for ecdsa context success...
<==== connect nodes failed, reason:
Failed to connect to all the nodes!
* connect to 127.0.0.1:20200 failed! Please make sure the nodes have been started, and the network between the SDK and the nodes are connected normally.reason: Connection refused: /127.0.0.1:20200

* connect to 127.0.0.1:20201 failed! Please make sure the nodes have been started, and the network between the SDK and the nodes are connected normally.reason: Connection refused: /127.0.0.1:20201
Copy to clipboard

通过ps命令检查节点进程是否启动:

# 到节点所在机器运行ps命令
ps aux |grep -i fisco-bcos
Copy to clipboard

通过telnet命令检查sdk到节点的网络是否连通:

telnet ${节点ip} ${节点channel_listen_port}
Copy to clipboard

注意:channel_listen_port,在节点config.ini配置文件中:

$ cat node0/config.ini | egrep channel_listen
   channel_listen_ip=0.0.0.0
   channel_listen_port=20208
Copy to clipboard

step3: 检查证书是否拷贝正确

保证项目打开java-sdk日志,在日志中grepSSLHandshakeExceptionValidatorException或者secp256k1`:

 grep -iE 'SSLHandshakeException|ValidatorException|secp256k1' sdk.log
Copy to clipboard

若输出如下错误说明放置在SDK中的证书错误,需要重新配置证书:

...
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
	Suppressed: javax.net.ssl.SSLHandshakeException: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
...
Copy to clipboard

Note: 若这里输出disable secp256k1的日志,说明握手失败是由于jdk禁用secp256k1曲线导致的,可继续转step4排查。


step4: 非国密区块链-检查jdk是否支持secp256k1曲线

Note: 国密区块链且采用国密SSL连接可跳过本检查步骤。

FISCO BCOS非国密默认采用secp256k1曲线,但随着jdk版本的升级,secp256k1曲线逐渐被弃用(因此2.9.0版本在保证向下兼容的同时,非国密连接采用RSA曲线),对于采用非国密SSL的区块链(节点的config.ini配置sm_channel_crypto=false),在SDK日志中grep关键字disable.*secp256k1

cat sdk.log|grep -i 'disable.*secp256k1'
Copy to clipboard

若有如下输出,说明当前jdk不支持secp256k1曲线,则需要参考#issue 470 手动修改java.security属性启用secp256k1曲线或者替换到支持secp256k1曲线的jdk版本:

Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on disabled algorithm: secp256k1
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on disabled algorithm: secp256k1
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on disabled algorithm: secp256k1
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on disabled algorithm: secp256k1
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on disabled algorithm: secp256k1
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on disabled algorithm: secp256k1
Copy to clipboard

Note: jdk曲线的变更均会记录在release notes中,具体可参考 https://www.oracle.com/java/technologies/javase/jdk-relnotes-index.html。


step5: 国密区块链 && 启用国密SSL连接 — 检查netty库是否冲突

Note: 非国密区块链或者国密区块链但没有开启国密SSL连接可跳过本检查步骤。

FISCO BCOS国密区块链若开启国密SSL连接(节点的config.ini配置sm_channel_crypto=true),可能因为netty库冲突,导致sdk连接节点失败。

Java SDK默认的netty库版本是netty-4.1.53.Final,Spring-boot等其他组件若和Java SDK一起使用,会引入高版本或者低版本的netty,从而因netty冲突导致sdk连接节点失败。

对于本情况,可在SDK日志中grep关键字NoSuchMethodErrornetty关键字:

cat sdk.log|grep -E 'NoSuchMethodError|netty'
Copy to clipboard

若输出如下日志,说明netty库冲突:(这里的示例是spring采用了高版本的netty-4.1.60.Final,java-sdk不支持该版本的netty)。

	at io.netty.handler.ssl.SslHandler.channelInactive(SslHandler.java:1113) ~[netty-all-4.1.60.Final.jar:4.1.60.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:262) ~[netty-all-4.1.60.Final.jar:4.1.60.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:248) ~[netty-all-4.1.60.Final.jar:4.1.60.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelInactive(AbstractChannelHandlerContext.java:241) ~[netty-all-4.1.60.Final.jar:4.1.60.Final]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelInactive(DefaultChannelPipeline.java:1405) ~[netty-all-4.1.60.Final.jar:4.1.60.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:262) ~[netty-all-4.1.60.Final.jar:4.1.60.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:248) ~[netty-all-4.1.60.Final.jar:4.1.60.Final]
	...

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'bcosSDK' defined in class path resource [applicationContext.xml]: Bean instantiation via constructor failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.fisco.bcos.sdk.BcosSDK]: Constructor threw exception; nested exception is java.lang.NoSuchMethodError: 'void io.netty.handler.ssl.OpenSslContext.<init>(java.lang.Iterable, io.netty.handler.ssl.CipherSuiteFilter, io.netty.handler.ssl.ApplicationProtocolConfig, long, long, int, java.security.cert.Certificate[], io.netty.handler.ssl.ClientAuth, java.lang.String[], boolean, boolean)'
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.fisco.bcos.sdk.BcosSDK]: Constructor threw exception; nested exception is java.lang.NoSuchMethodError: 'void io.netty.handler.ssl.OpenSslContext.<init>(java.lang.Iterable, io.netty.handler.ssl.CipherSuiteFilter, io.netty.handler.ssl.ApplicationProtocolConfig, long, long, int, java.security.cert.Certificate[], io.netty.handler.ssl.ClientAuth, java.lang.String[], boolean, boolean)'
Caused by: java.lang.NoSuchMethodError: 'void io.netty.handler.ssl.OpenSslContext.<init>(java.lang.Iterable, io.netty.handler.ssl.CipherSuiteFilter, io.netty.handler.ssl.ApplicationProtocolConfig, long, long, int, java.security.cert.Certificate[], io.netty.handler.ssl.ClientAuth, java.lang.String[], boolean, boolean)'
Copy to clipboard

此时参考#issue 332,指定netty版本为4.1.53解决冲突,大致写法如下:

<dependency>
		<groupId>io.netty</groupId>
		<artifactId>netty-all</artifactId>
		<version>4.1.53.Final</version>
	</dependency>

	<dependency>
		<groupId>org.fisco-bcos.java-sdk</groupId>
		<artifactId>fisco-bcos-java-sdk</artifactId>
		<version>2.9.0</version>
		<exclusions>
			<exclusion>
				<groupId>io.netty</groupId>
				<artifactId>netty-all</artifactId>
			</exclusion>
		</exclusions>
	</dependency>
Copy to clipboard

spring + java-sdk 构建应用,强烈推荐参考应用spring-boot-crud:

标签:netty,java,排查,io,secp256k1,security,sdk,节点,SDK
From: https://www.cnblogs.com/exmyth/p/17009336.html

相关文章

  • 美颜sdk中的人脸美型实现流程详解
    在之前的文章中,小编讲了许多美颜sdk的功能实现流程,有一些是热门功能,例如美白、磨皮等,但是有一个功能小编遗漏没有讲到,虽然不常提起,但是它的热度并不低,这个功能就是——“人......
  • 使用kubeadm搭建多节点k8s集群(chrono《kubernetes入门实战课》笔记整理)
     通过使用minikube,做完了k8s的基础学习和练习,今天开始,使用kubeadm,来搭建更复杂更贴合实际工作的k8s集群。 【集群架构】  多节点集群,应该有大于等于2台node,实验......
  • 谷歌为iOS开发者推出地图服务SDK
    12月13日消息,谷歌没有满足于在iOS平台推出一个独立的地图应用,他们希望其他开发人员能把谷歌地图服务整合他们自己的应用中去。因此,谷歌推出了一个地图服务SDK,它通过URL方......
  • Centos7下单节点部署etcd服务
    一台Centos7的服务器,我的IP:172.16.4.67登陆到服务器,切换到root用户#cd/tmp下载安装包,下载地址:https://github.com/etcd-io/etcd/releases#wget https://github.com/......
  • 记一次cpu飙升问题排查
    前言首先问题是这样的,周五正在写文档,突然收到了线上报警,发现cpu占用达到了90多,上平台监控系统查看容器,在jvm监控中发现有一个pod在两个小时内产生了61次youngGc一次fullGc,这......
  • node节点选择器
    百度网盘链接:https://pan.baidu.com/s/15t_TSH5RRpCFXV-93JHpNw?pwd=8od35node节点选择器我们在创建pod资源的时候,pod会根据schduler进行调度,那么默认会调度到随机的一......
  • MySql 问题排查
    1、servicemysqldrestartSETGLOBALevent_scheduler=OFF;showvariableslike'slow_query_log';--setglobalslow_query_log='ON';showvariableslike'slow......
  • 11g rac数据库节点1启动异常,告警ORA-16188
    问题描述:11grac数据库节点1启动异常,告警ORA-16188,如下所示:环境介绍:该rac环境此前搭建过dg,将dg拆除后,一次系统重启便出现节点1数据库无法正常启动,告警ORA-16188.1、异常重现......
  • 我对《Mysql死锁排查:insert on duplicate死锁一次排查分析过程 - 少说点话 - 博客园》
    原文在这里:Mysql死锁排查:insertonduplicate死锁一次排查分析过程 比较菜,看了一遍还是不懂死锁是怎么形成的。绕了很多圈才全理解。特此记录。 关于mysql版本我先......
  • 支付接口的API什么?SDK是什么?
    随着移动支付的发展速度越来越快,各第三方支付和第四方支付成为移动支付的中流砥柱,而面向市场需求,需要不断的提高自己的技术水平,特别是现在商户对于支付安全、支付便捷的需求......