peer create channel policies issue - hyperledger-fabric

I am trying to create a channel for my Hyperledger Fabric network using the following command:
peer channel create -o localhost:7050 -c $CHANNEL_NAME --ordererTLSHostnameOverride orderer.supplychain.com -f ../artifacts-channels/${CHANNEL_NAME}.tx --outputBlock ../artifacts-channels/${CHANNEL_NAME}.block --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA
I get the following error as a result:
Error: got unexpected status: FORBIDDEN -- config update for existing channel did not pass initial checks: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied"
I also get this error in the docker logs of the orderer container:
Invalid identity: certificate subject=CN=Admin#productionlaborg.supplychain.com,OU=admin,L=San Francisco,ST=California,C=US serialnumber=209542001001378907007459857235386288226 error="the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"ca.productionlaborg.supplychain.com\")"
Note that I use the correct path of the "MSP folder" of the admin "Admin#productionlaborg" who created the channel.

Related

failed to determine cluster membership from join-block: failed to validate config metadata of ordering config: consenter localhost:9443

Help me please! I generated the needed TLS certificates and keys. Then I modified the configtx.yaml file and created the genesis block successfully. Then I modified orderer.yaml and started the orderer successfully. I tried to execute this command:
./bin/osnadmin channel join --channelID channel1 --config-block ./channel-artifacts/genesis_block.pb -o localhost:9443 --ca-file $OSN_TLS_CA_ROOT_CERT --client-cert $ADMIN_TLS_SIGN_CERT --client-key $ADMIN_TLS_PRIVATE_KEY
But every time I receive this error:
Status: 400
{
"error": "cannot join: failed to determine cluster membership from join-block: failed to validate config metadata of ordering config: consenter localhost:9443 has invalid certificate: verifying tls client cert with serial number {serial number}: x509: certificate signed by unknown authority"
}

Facing issue while joining a org to the existing channel in hyperledger fabric

We are using Fabric v2.2. Our network setup has 5 channels. Org1 is a part of all the channels. Other than that each channel has 2 individual orgs. So totally 3 orgs are part of each channel. We have 5 orderers.
When we try to join a new org, say org12, to each channel, we face an issue when using the following command:
peer channel update -f org12/org12_update_in_envelope.pb -c testchannel -o orderer1.org-net:7050 --ordererTLSHostnameOverride orderer1.org-net --tls --cafile $ORDERER_CA
This is the error message we are getting:
Error:
got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'testchannel': error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 2 of the 'Admins' sub-policies to be satisfied
Can anyone please suggest how we can proceed?

Hyperledger Fabric - change max_message_count configuration update "Error Validating Delta Set" following tutorial

I'm executing tutorials on the Hyperledger Fabric First Network (version 1.4) and I get an unexpected error when trying to change the max_message_count variable from 10 to 20 in the channel configuration.
I'm using this tutorial: https://hyperledger-fabric.readthedocs.io/en/release-1.4/channel_update_tutorial.html
Obviously, I don't change the Org list of the channel as in the tutorial; I only change the parameter:
cat config.json | sed 's/"max_message_count": 10/"max_message_count": 20/g' > new_config.json
Then I encode the new and old configurations to protobuf, compute the update, decode the update to JSON, add the envelope and re-encode the envelope to protobuf. It is okay.
Then I sign the update with both organizations and try to update, but it gives me this error:
Error: got unexpected status: BAD_REQUEST -- error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/BatchSize not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
This is the decoded update; as you can see, it is signed by both Org1MSP and Org2MSP: https://controlc.com/486d638a
These are the logs from orderer:
2020-12-10 17:28:04.282 UTC [cauthdsl] deduplicate -> WARN 01c De-duplicating identity [Org2MSPd2b5a4f881b520ad90a0ae5db7bd0b5362fae2d5916d972751da9bd35fb97f9b] at index 2 in signature set
2020-12-10 17:28:04.282 UTC [orderer.common.broadcast] ProcessMessage -> WARN 01d [channel: mychannel] Rejecting broadcast of config message from 172.20.0.7:56874 because of error: error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/BatchSize not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
Self-Answer.
This type of modification needs the signature of the orderer:
export CORE_PEER_ADDRESS=orderer.example.com:7050
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/users/Admin\#example.com/msp/
peer channel signconfigtx -f org3_update_in_envelope.pb
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
export CORE_PEER_LOCALMSPID=OrdererMSP
peer channel update -f org3_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.example.com:7050 --tls --cafile $ORDERER_CA
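The two config-update failures above ("requires 2 of the 'Admins' sub-policies" on /Channel/Application and "required 1 remaining" on /Channel/Orderer/BatchSize) come from the same ImplicitMeta counting rule. The following is an added, simplified model of that rule, not Fabric code and not from any of the posts; it assumes both groups use "MAJORITY Admins", that each org's Admins sub-policy accepts any admin of that org, and the signer sets and the MSP IDs OrgAMSP, OrgBMSP and Org12MSP are constructed.

```python
# Simplified model of Fabric ImplicitMeta policy evaluation (illustration, not Fabric code).
from dataclasses import dataclass


@dataclass(frozen=True)
class Signer:
    msp_id: str
    role: str = "admin"


def threshold(rule, n_sub):
    """How many org sub-policies an ImplicitMeta rule requires."""
    if n_sub == 0:
        return 0  # no sub-policies: nothing is required
    return {"ANY": 1, "ALL": n_sub, "MAJORITY": n_sub // 2 + 1}[rule]


def evaluate(rule, org_msp_ids, signers, role="admin"):
    """Return (ok, satisfied, required) for '<rule> Admins' over the org sub-groups.

    Assumption: each org's sub-policy is OR('<MSPID>.<role>').
    """
    unique = set(signers)  # duplicate signatures from one identity count once
    satisfied = sum(
        any(s.msp_id == org and s.role == role for s in unique)
        for org in org_msp_ids
    )
    required = threshold(rule, len(org_msp_ids))
    return satisfied >= required, satisfied, required


# Constructed channel layouts; OrgAMSP, OrgBMSP and Org12MSP are hypothetical MSP IDs.
APPLICATION_ORGS = ["Org1MSP", "OrgAMSP", "OrgBMSP"]
ORDERER_ORGS = ["OrdererMSP"]


def join_org_scenario():
    """/Channel/Application update signed only by the org being added."""
    return evaluate("MAJORITY", APPLICATION_ORGS, [Signer("Org12MSP")])


def batch_size_scenario(with_orderer_admin):
    """/Channel/Orderer/BatchSize update signed by the application orgs."""
    signers = [Signer("Org1MSP"), Signer("Org2MSP"), Signer("Org2MSP")]
    if with_orderer_admin:
        signers.append(Signer("OrdererMSP"))
    return evaluate("MAJORITY", ORDERER_ORGS, signers)


if __name__ == "__main__":
    print(join_org_scenario(), batch_size_scenario(False), batch_size_scenario(True))
```

Signatures only count toward the orgs that sit under the group being modified, which is why two application-org signatures contribute nothing to a /Channel/Orderer value.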

Error when invoking chaincode: signature set did not satisfy policy

I have a little network up in Hyperledger Fabric 1.4 which is very similar to the basic-network from the examples.
It has:
One orderer organization with orderer peer
One Hospital organization with two peers.
A single channel on which the peers of the hospital are.
I tried to write a very simple demo smart contract/chaincode and have it invoked.
(The smart contract is called bananascc)
Running from the docker container cli /bin/bash associated to a peer0.hospital1.health.com peer, I successfully install and instantiate:
peer chaincode install -n bananascc -v 1.0 -l node -p /opt/gopath/src/github.com/chaincode/chaincode_bananas/node
peer chaincode instantiate -o orderer.health.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/health.com/orderers/orderer.health.com/msp/tlscacerts/tlsca.health.com-cert.pem -C hospital1channel -n bananascc -l node -v 1.0 -c '{"Args":["init","edo","100"]}' -P "OR ('Hospital1MSP.admin', 'Hospital1MSP.peer' )"
With policy -P "OR ('Hospital1MSP.admin', 'Hospital1MSP.peer' )"
But when I try to invoke the chaincode, the transaction is sent successfully but the operation is not executed, as I get a
peer0.hospital1.health.com | 2019-03-06 10:36:44.525 UTC [vscc] Validate -> ERRO 07e VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode bananascc in tx 6:0 failed: signature set did not satisfy policy
peer0.hospital1.health.com | 2019-03-06 10:36:44.525 UTC [committer.txvalidator] validateTx -> ERRO 07f VSCCValidateTx for transaction txId = d6726e0b2daf11d0e3ef24e86fa0e7a5530f2d98dcc4ad1f0d266ca642be1ee3 returned error: validation of endorsement policy for chaincode bananascc in tx 6:0 failed: signature set did not satisfy policy
I reckon that the transaction has to be evaluated against a valid signature set, but I can't understand where I can specify this, or why it should be wrong according to VSCC.
I'd be very happy if anyone could help me figure it out. I have already looked broadly for an answer, which I haven't found.
Let me know if you need other information on the issue.
Thank you very much.
The problem is probably caused by the order of instantiating the policies.
Can you simply swap the declaration to:
peer chaincode instantiate -o orderer.health.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/health.com/orderers/orderer.health.com/msp/tlscacerts/tlsca.health.com-cert.pem -C hospital1channel -n bananascc -l node -v 1.0 -c '{"Args":["init","edo","100"]}' -P "OR ('Hospital1MSP.peer','Hospital1MSP.admin')"
To avoid this pitfall, identities should be specified from most privileged to least privileged in the policy identities specification, and signatures should be ordered from least privileged to most privileged in the signature set.
Read here: https://hyperledger-fabric.readthedocs.io/en/release-1.4/policies.html
If there is only one organization, a policy does not make sense (it is only used between organizations), so I removed it and it worked!
My code line:
peer chaincode instantiate -o orderer.orgX.com:7050 --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA -C $CHANNEL_NAME -n mycc -l ${LANGUAGE} -v 1.0 -c '{"Args":["init","a","100","b","200"]}' >&log.txt

CRIT 005 Error on outputChannelCreateTx

I'm new to Hyperledger and was trying to set up my first network.
I tried to create a channel transaction artifact using the command given in the official Hyperledger docs:
export CHANNEL_NAME=mychannel && ../bin/configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/channel.tx -channelID $CHANNEL_NAME
But I'm getting an error:
CRIT 005 Error on outputChannelCreateTx: config update generation failure: could not parse application to application group: setting up the MSP manager failed: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com")
