I've created a network based on 2 organizations under one two CA's (one normal, and one for TLS certificates). There's one orderer and one peer per organization.
I run the network as binaries on separate virtual machines.
After I create identities for organizations, I add the signcert directory from the CA admin to their respective msp directories as admincerts. I then enroll the identities on their respective machines, and add the admincerts directory. I create the ordererchannel genesis block and run the orderer binary. Next I generate mychannel.tx sign it with the peer's identity and submit the channel creation transaction (as far as I know, admin privilages are needed to successfully run peer channel create). Then, with the same identity, I try to join my peer to mychannel with peer channel join,and I get this error:
Error: proposal failed (err: bad proposal response 500: access denied for [JoinChain][mychannel]: [Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin]])
Which is weird, because I could create the channel without problems, so the identity I'm using must be an admin. This happens on both peers. I would appreciate some input on the issue.
JoinChannel checks that the submitter is an admin of the peer itself. Peer admin(s) is(are) stores in local MSP admincerts directory.
I have below queries with regards to client/user identities created by enrollment process for nodejs client. When I try to enroll identities then fabric-ca issue certificates for that particular user. Certificate issued to that client has below properties.
Certificate Information:
Common Name: admin
Organization Unit: client
Valid From: May 6, 2020
Valid To: May 6, 2021
Issuer: fabric-ca-server, Hyperledger
Now when I try to use the same identity to install and instantiate chaincode or interact with fabric runtime via TestAPI it throws below error :
2020-05-05 18:35:06.670 UTC [protoutils] ValidateProposalMessage -> WARN 0e4 channel [ichannel]: MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority
I have created crypto certificates for all organizations using cryptogen tool. These certificates have been issued by the certificate authority defined in network-config.yaml file.
I suspect that the difference in the certificate issuer it's causing identity issue. Please let me know if my understanding is correct.
If yes then how I can ensure that these nodejs client certificates are being used by the same certificate authority defined in network-config.yaml file.
I was able to resolve this issue by updating Certificate Authorities environment variables inside the docker-compose file. Earlier they were not getting picked from /etc/hyperledger/fabric-ca-server-config/ location.I did update path for below environment variables of all certificate Authorities before regenerating crypto configurations and restarting the whole network:
FABRIC_CA_SERVER_CA_KEYFILE
FABRIC_CA_SERVER_CA_CERTFILE
Note: TLS configs were disabled inside the network.
This has worked for me.
When I try to create a channel using Hyperledger Fabric, the request fails and returns the following error:
Client logs:
Error: got unexpected status: BAD_REQUEST -- error validating channel creation transaction for new
channel 'testchannel', could not succesfully apply update to template configuration: error
authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not
satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy
requires 1 of the 'Admins' sub-policies to be satisfied
This error occurs when there is a problem with the identity (consisting of MSP ID, certificate, and keys) that submitted the request. If you use the default Fabric configuration policies, channels need to be created by organization administrators. The error is produced by your identity not being able to satisfy default policy on the /Channel/Application/Admins path.
There are several reasons why the policy would reject your identity, including the use of invalid or expired certificates. You can learn more about why the request failed by looking at your orderer logs. The Ordering Service is the node that enforces the policies that create or update channels.
When you examine your orderer logs, look for an error that is similar to what was returned to your client. You may find an error from a certificate check immediately preceding the policy error (Principal deserialization failure). This implies that the channel creation was rejected because the MSP ID was not recognized as valid.
Ordering Service logs:
2019-08-06 15:31:43.589 UTC [cauthdsl] deduplicate -> ERRO 021 Principal deserialization failure
(MSP SampleOrg is unknown) for identity 0
2019-08-06 15:31:43.589 UTC [orderer.common.broadcast] ProcessMessage -> WARN 022 [channel:
testchannel] Rejecting broadcast of config message from 172.27.0.7:34750 because of error: error
validating channel creation transaction for new channel 'testchannel', could not succesfully apply
update to template configuration: error authorizing update: error validating DeltaSet: policy for
[Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies
were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
The error before the policy warning, ERRO 021 Principal deserialization failure (MSP SampleOrg is unknown) for identity 0, indicates that the MSP ID that was passed as a parameter with the request was not recognized by the ordering service. This could be a result of passing the wrong MSP ID to the command. This error may also indicate that your organization has not joined the consortium hosted by the ordering service system channel. If you are updating an application channel, this error could occur if your organization is not yet a member of the channel you are trying to update.
If the MSP ID of the identity is valid, you may encounter the following certificate validation error:
Ordering Service logs:
2019-08-06 15:34:45.730 UTC [cauthdsl] deduplicate -> ERRO 02d Principal deserialization failure
(the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2019-08-06 15:34:45.730 UTC [orderer.common.broadcast] ProcessMessage -> WARN 02e [channel:
testchannel] Rejecting broadcast of config message from 172.27.0.7:36214 because of error: error
validating channel creation transaction for new channel 'testchannel', could not succesfully apply
update to template configuration: error authorizing update: error validating DeltaSet: policy for
[Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies
were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
In this case, the ordering service recognized your MSP ID, but could not validate that your certificate was issued by one of your organization's certificate authorities. If you are managing multiple organizations, this error could be the result of you using a mismatched MSP ID and certificate to submit the request. This error could also occur if your admin certificates have expired. If this is a test network that has been launched recently, you may be issuing the request from an identity that was created by a certificate authority on an older incarnation of your network.
It will be more common that your certificate has passed the validation check, but could not fulfill the channel creation policy. If that is the case, the error in your orderer logs would look like the following:
Ordering Service logs:
2019-08-06 15:36:52.307 UTC [orderer.common.broadcast] ProcessMessage -> WARN 032 [channel:
testchannel] Rejecting broadcast of config message from 172.27.0.7:37236 because of error: error
validating channel creation transaction for new channel 'testchannel', could not succesfully apply
update to template configuration: error authorizing update: error validating DeltaSet: policy for
[Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies
were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
The identity that submitted the request is a valid member of your organization, and your organization is recognized to be a member of the system channel or application channel. However, the identity did not have the permission to create a channel. You may have used the wrong identity to submit the request, and used an identity that was not your organization administrator. Submit the request from your admin identity, or create a new admin, and have the channel administrator update your organization MSP.
If you encounter this error for operations other then channel creation, your certificate may not be authorized for the correct role. Check that your client certificates and peer certificates have the client and peer OU respectively.
Additional debugging techniques
If you need additional help debugging a policy or certificate related error, you can increase the logging level related to those components:
FABRIC_LOGGING_SPEC=”WARN:cauthdsl=debug:policies=debug:msp=debug
You can also manually pull your organizations root certificate from an application or system channel and use them to verify your client side certs. Use the following command to pull the latest configuration block from your channel.
peer channel fetch config ./configupdate/config_block.pb -o <orderer_endpoint> -c <my_channel> --tls --cafile <PATH_TO_ORDERER_TLS_CERT>
Then use the following command to convert the configuration block into JSON.
configtxlator proto_decode –type=common.Block --input=config_block.pb --output=config_block.json
This allows you to pull the root certificate from the block using the following command. Replace with the MSP ID of your organization.
jq -r .data.data[0].payload.data.config.channel_group.groups.Application.groups.<MSPID>\
.values.MSP.value.config.root_certs[0] config_block.json | base64 –decode > root.pem
If your MSP defines multiple root certificates or uses intermediate certificates, you will need to adjust the jq command above to properly extract them.
You can then use tools such as OpenSSL to validate your client side admin certificate against the root certificate.
openssl verify -CAFile <root.pem> <admincert.pem>
You can also use the following command to open the certificate and examine it in plaintext. This allows you to check fields such as the expiration date, the node OU, or the issuing CA.
openssl x509 -in <admincert.pem> -text
UTC [orderer.common.broadcast] ProcessMessage -> WARN 009 [channel: orgchannel] Rejecting broadcast of config message from 172.20.20.22:45668 because of error: error validating channel creation transaction for new channel 'orgchannel', could not succesfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
If you are getting aforementioned error then check your configtx file and verify below mentioned attributes. Copy paste the below section and replace capabilities section.
Capabilities:
# Channel capabilities apply to both the orderers and the peers and must be
# supported by both.
# Set the value of the capability to true to require it.
Channel: &ChannelCapabilities
# V1.4.3 for Channel is a catchall flag for behavior which has been
# determined to be desired for all orderers and peers running at the v1.4.3
# level, but which would be incompatible with orderers and peers from
# prior releases.
# Prior to enabling V1.4.3 channel capabilities, ensure that all
# orderers and peers on a channel are at v1.4.3 or later.
V1_4_3: true
# V1.3 for Channel enables the new non-backwards compatible
# features and fixes of fabric v1.3
V1_3: false
# V1.1 for Channel enables the new non-backwards compatible
# features and fixes of fabric v1.1
V1_1: false
# Orderer capabilities apply only to the orderers, and may be safely
# used with prior release peers.
# Set the value of the capability to true to require it.
Orderer: &OrdererCapabilities
# V1.4.2 for Orderer is a catchall flag for behavior which has been
# determined to be desired for all orderers running at the v1.4.2
# level, but which would be incompatible with orderers from prior releases.
# Prior to enabling V1.4.2 orderer capabilities, ensure that all
# orderers on a channel are at v1.4.2 or later.
V1_4_2: true
# V1.1 for Orderer enables the new non-backwards compatible
# features and fixes of fabric v1.1
V1_1: false
# Application capabilities apply only to the peer network, and may be safely
# used with prior release orderers.
# Set the value of the capability to true to require it.
Application: &ApplicationCapabilities
# V1.4.2 for Application enables the new non-backwards compatible
# features and fixes of fabric v1.4.2.
V1_4_2: true
# V1.3 for Application enables the new non-backwards compatible
# features and fixes of fabric v1.3.
V1_3: false
# V1.2 for Application enables the new non-backwards compatible
# features and fixes of fabric v1.2 (note, this need not be set if
# later version capabilities are set)
V1_2: false
# V1.1 for Application enables the new non-backwards compatible
# features and fixes of fabric v1.1 (note, this need not be set if
# later version capabilities are set).
V1_1: false
Also check your channel name
export SYS_CHANNEL=orgchannel #should be your own system channel name
export CHANNEL_NAME=org1orgchannel #should be your own system channel name
export CHANNEL_ID=org1orgchannel #should be your own system channel name
Also remember SYS_CHANNEL value should be different from CHANNEL_NAME. CHANNEL_NAME and CHANNEL_ID should be same.
If still getting issue mail me on actachieverepeat#gmail.com.
I have created Two Node. Node1 has Peer0.org1, CA and Orderer Service and Node2 have Peer0.org2 and Peer0.org3.
I can invoke and execute a query using fabric-client from peer0.org1 but When I tried same from peer0.org2 and peer0.org3 it's not working using API and it throws MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority error. However it's working from the CLI
Can anyone help me to resolve this?
Please check the endorsement policy on the chaincode. Most of the times this error is because your org2 and org3 are not part of endorsement policy.
I am trying to config a hyperledger fabric network on aws.
I have 3 aws ubuntu instances and each is fabric-ca, fabric-orderer, fabric-peer latest docker image.
First, I started up my CA server with "start -b" command. I checked one identity is registered in CA server db.
After that, I started up my orderer server. After that enrolled CA registered identity on the orderer server and registered and enrolled orderer identity using fabric-ca-client bin. Finally I created genesis block using configtxgen bin.
The Problem is here.
I started up a peer and proceeded same steps mentioned above and created an identity type peer. After that I created admincerts directory and put a cert.pem in a ca signcerts directory. I though this certification file describes an identity created by CA.
But when I tried to create a channel to orderer, it says error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining .
How can I make administrator certification for a peer to create a channel?
channel creation has many error prone areas
1). It could be that you are passing a wrong mspID.
2) Detailed Explanation reg Admin keys
NodeJS Logs: [2018–10–04 12:19:28.548] [DEBUG] Create-Channel — response ::{“status”:”BAD_REQUEST”,”info”:”error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining”}
[2018–10–04 12:19:28.548] [ERROR] Create-Channel —
!!!!!!!!! Failed to create the channel ‘public’ !!!!!!!!!
Orderer Logs: reg channel creation error
2018–10–04 08:19:28.617 UTC [orderer/common/broadcast] Handle -> WARN 132 [channel: public] Rejecting broadcast of config message from 10.255.0.2:57714 because of error: error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
Reason: transaction is not signed with admin key
Solution: To create a channel we need admin credentials such as private key & public certificate(Ex: x.509)