We are using Fabric v2.2. Our network setup has 5 channels. Org1 is a part of all the channels. Other than that each channel has 2 individual orgs. So totally 3 orgs are part of each channel. We have 5 orderers.
When we try to join a new org, say org12 to each channel, we are facing a issue during the usage of following command.
peer channel update -f org12/org12_update_in_envelope.pb -c testchannel -o orderer1.org-net:7050 --ordererTLSHostnameOverride orderer1.org-net --tls --cafile $ORDERER_CA
This is the error message we are getting
Error:
got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'testchannel': error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 2 of the 'Admins' sub-policies to be satisfied
Can anyone please suggest how can we proceed?
Related
I am trying to create a channel for my Hyperledger Fabric network using the following command:
peer channel create -o localhost:7050 -c $CHANNEL_NAME --ordererTLSHostnameOverride orderer.supplychain.com -f ../artifacts-channels/${CHANNEL_NAME}.tx --outputBlock ../artifacts-channels/${CHANNEL_NAME}.block --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA
I get as result the following error :
Error: got unexpected status: FORBIDDEN -- config update for existing channel did not pass initial checks: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied"
I get also in the docker logs of orderer container this error:
Invalid identity: certificate subject=CN=Admin#productionlaborg.supplychain.com,OU=admin,L=San Francisco,ST=California,C=US serialnumber=209542001001378907007459857235386288226 error="the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"ca.productionlaborg.supplychain.com\")"
know that I use the correct path of the "MSP folder" of the admin "Admin#productionlaborg" how created the channel.
I'm executing tutorials on Hyperledger Fabric First Network (version 1.4) and I get an unexpected error when trying to change max_message_count variable from 10 to 20 in channel configuration.
I'm using this tutorial: https://hyperledger-fabric.readthedocs.io/en/release-1.4/channel_update_tutorial.html
Obviously, I don't change the Org list to the channel as in tutorial, I only change the parameter:
cat config.json | sed 's/"max_message_count": 10/"max_message_count": 20/g' > new_config.json
Then I Execute the encoding of new and old configuration in protobuffer, compute update, decode update to json, added envelope and recode envelope to protobuffer. It is okay.
Then I sign the update with both organization and tries to update, but it gives me this error:
Error: got unexpected status: BAD_REQUEST -- error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/BatchSize not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
This is the decoded update, as you can see is signed by both Org1MSP and Org2MSP: https://controlc.com/486d638a
These are the logs from orderer:
2020-12-10 17:28:04.282 UTC [cauthdsl] deduplicate -> WARN 01c De-duplicating identity [Org2MSPd2b5a4f881b520ad90a0ae5db7bd0b5362fae2d5916d972751da9bd35fb97f9b] at index 2 in signature set
2020-12-10 17:28:04.282 UTC [orderer.common.broadcast] ProcessMessage -> WARN 01d [channel: mychannel] Rejecting broadcast of config message from 172.20.0.7:56874 because of error: error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/BatchSize not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
Self-Answer.
This type of modification needs the sign of the orderer:
export CORE_PEER_ADDRESS=orderer.example.com:7050
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/users/Admin\#example.com/msp/
peer channel signconfigtx -f org3_update_in_envelope.pb
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
export CORE_PEER_LOCALMSPID=OrdererMSP
peer channel update -f org3_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.example.com:7050 --tls --cafile $ORDERER_CA
I'm currently following hyperledger fabric document v1.4.6 to build first network(https://hyperledger-fabric.readthedocs.io/en/release-1.4/build_network.html#manually-generate-the-artifacts)
I first put the network down with ./byfn.sh down then tried creating the network.
However, when i go into docker cli and perform
peer channel create -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
this creates a error saying
InitCmd -> ERRO 001 Cannot run peer because cannot init crypto, folder "/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin#org1.example.com/msp" does not exist
So I tried again with network up (./byfn.sh up) now with the same procedure it creates different error saying
Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'mychannel': error authorizing update: error validating ReadSet: proposed update requires that key [Group] /Channel/Application/Org1MSP be at version 0, but it is currently at version 1
at the same command
First, I'm not sure whether I should be having the network up or down and second how to fix the problem.
Thank you
If you want to perform the manual steps, you need to start from here (with any previous fabric networks down/removed) and follow all the steps in the order as listed on that page.
i get an error for hyperledger fabric.
I followed the documentation and I came across his error when I ran the below command
peer channel create -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
the error being
BAD_REQUEST -- error validating channel creation transaction for new channel 'fyp', could not succesfully apply update to template configuration: error authorizing update: error validating ReadSet: existing config does not contain element for [Group] /Channel/Application/Org1MSP but was in the read set
I am migrating from kafka to raft, When I have changed state from "NORMAL" to "STATE_MAINTENANCE" and created the final expected envelope as per the procedure.
Note: We are using BYFN script
HF version: 1.4.3
My CLI pointed to Org1MSP, I signed config update transaction, later I changed CLI pointing to Org2MSP and signed, finally submitted the new channel config update to the orderer.After submission, getting a following error message.
Error on CLI: "Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'mychannel': error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/ConsensusType not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied"
Orderer log: "[channel: mychannel] Rejecting broadcast of config message from 172.21.0.13:51078 because of error: error applying config update to existing channel 'mychannel': error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/ConsensusType not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied"
Please let me know if I am doing something wrong.
Thanks in advance.
By default, cryptogen tool generate orderer admin user certificate with OU as client for 1.4.3 fabric version.
For peer admin user, it generates certificate with OU as admin which is correct(expected). In case of orderer, its creating wrong OU(Organization Unit) as client. We need to add the following part crypto-config.yaml in the orderer section.
CA:
OrganizationalUnit: admin
Once you added above part, recreate certificate and check orderer certificate OU as admin by following command
openssl x509 -in certificate.crt -text