I want to run test-network in fabric sample without TLS. for that what I need to change in fabric-sample?
There are two things you should do to disable TLS of a fabric network
Disable TLS for orderers and peers
By default mode of test-network, set this to false to disable TLS of the orderer. Same as peer0.org1 and peer0.org2
Not using TLS for every script call in the folder fabric-samples/test-network/scripts. The option for TLS is --tls. You can remove this option (--tls), or set it to false by adding false after the option
For example, the update anchor peer function call
updateAnchorPeer() {
peer channel update -o orderer.example.com:7050 --ordererTLSHostnameOverride orderer.example.com -c $CHANNEL_NAME -f ${CORE_PEER_LOCALMSPID}anchors.tx --tls false --cafile "$ORDERER_CA" >&log.txt
res=$?
cat log.txt
verifyResult $res "Anchor peer update failed"
successln "Anchor peer set for org '$CORE_PEER_LOCALMSPID' on channel '$CHANNEL_NAME'"
}
Do this to every script, which use --tls option
Related
I followed the Official Fabric Test Network tutorial "Using the Fabric Test Network ", but reported some errors when I ran ./network.sh createChannel. Log and errors like this
+ peer channel create -o localhost:7050 -c mychannel --ordererTLSHostnameOverride orderer.example.com -f ./channel-artifacts/mychannel.tx --outputBlock ./channel-artifacts/mychannel.block --tls --cafile /home/centos/go/src/github.com/hyperledger/fabric-samples/test-network/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
+ res=1
Error: failed to create deliver client for orderer: orderer client failed to connect to localhost:7050: failed to create new connection: context deadline exceeded
Channel creation failed
Create channel failed
If you are first time user you can try the following to bring up network with given channel name
./network.sh down
./network.sh up createChannel -c mychannel
I used this script.It worked
./network.sh up createChannel -ca -c mychannel -s couchdb -i 2.2.0
This situation is arisen due to TLS certificate.
For example, it may happen due to "client TLS / server no TLS". So please check "--tls $CORE_PEER_TLS_ENABLED" option. "$CORE_PEER_TLS_ENABLED" should be true.
So you can see something like this in console:
+ peer channel create -o localhost:7050 -c mychannel --ordererTLSHostnameOverride orderer.example.com -f ./channel-artifacts/mychannel.tx --outputBlock ./channel-artifacts/mychannel.block --tls true --cafile /home/centos/go/src/github.com/hyperledger/fabric-samples/test-network/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
I passed "first-network", no problem.
In CLI:/opt/gopath/src/github.com/hyperledger/fabric/peer:, execute these commands:
peer chaincode install -n mycc -v 1.0 -p github.com/chaincode/chaincode_example02/go/
peer chaincode instantiate -o orderer.example.com:7050 --tls true --cafile $ORDERER_CA -C mychannel -n mycc -v 1.0 -c '{"Args":["init","a","100","b","200"]}' -P "AND('Org1MSP.peer','Org2MSP.peer')"
peer chaincode query -C mychannel -n mycc -c '{"Args":["query","a"]}'
peer chaincode invoke -o orderer.example.com:7050 --tls true --cafile $ORDERER_CA -C mychannel -n mycc -c '{"Args":["invoke","a","b","10"]}' --peerAddresses peer0.org2.example.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt --peerAddresses peer0.org1.example.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
There are no problem. But when I execute these commands in the subdirectory of the peer /opt/gopath/src/github.com/hyperledger/fabric/peer/scripts:, install、instantiate and query success, but invoke error:
Error: endorsement failure during invoke. response: status:500 message:"cannot retrieve package for chaincode mycc/1.0, error open /var/hyperledger/production/chaincodes/mycc.1.0: no such file or directory".
This happens when CLI connects to peer0.ogr1, but I find this file at peer0.ogr1:
enter image description here
I replaced the peer node through the CLI, and the same problem occurred under the same path.
The problem may arise from the path specified by chaincode install -p. The official document says that this is a path relative to $GOPATH/src, so I feel that this path should have nothing to do with the current directory.
After searching, I found two similar problems, but the reasons are completely different and cannot be used for reference. Therefore, I can only raise new problems and hope to find solutions.
two similar problems:
Install a different version of chaincode (Hyperledger fabic)
Hyperledger Fabric - How to limit Org2 to install/instantiate/upgrade the chaincode to the channel?
version: Fabric1.4.4, Ubuntu18.04
structure: one order, four peers, each distributed on five machines, there is no problem with normal transactions
I have set up a network with raft ordering service (5 orderers), 2 orgs and one peer each, the TLS and client authentication are both enabled. I have created the channel and joined it successfully, but I am getting TLS handshake failed error when updating the anchor peer from cli to orderer, and I am not able to create a second channel for the same error. Besides this TLS error why I was able to create the first channel I am very confused, surely incorrect configs causing that.
CLI Commands:
export ORDERER_CA=crypto/ordererOrganizations/example.com/tlsca/ca-chain.pem
export CLIENT_KEY_FILE=crypto/peerOrganizations/org1.example.com/users/Admin#org1.example.com/tls/client.key
export CLIENT_CERT_FILE=crypto/peerOrganizations/org1.example.com/users/Admin#org1.example.com/tls/client.pem
*Worked: peer channel create -o orderer0.example.com:7050 -c mychannel -f ./channel-artifacts/channel.tx --tls --cafile $ORDERER_CA --clientauth --keyfile $CLIENT_KEY_FILE --certfile $CLIENT_CERT_FILE
*Worked: peer channel join -b muchannel.block
*FAILED: peer channel update -o orderer0.example.com:7050 -c mychannel -f ./channel-artifacts/anchors_channel.tx --tls --cafile $ORDERER_CA --clientauth --keyfile $CLIENT_KEY_FILE --certfile $CLIENT_CERT_FILE
CLI yaml config:
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.pem
- CORE_PEER_TLS_KEY_FILE=crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=crypto/peerOrganizations/org1.example.com/tlsca/ca-chain.pem
- CORE_PEER_TLS_CLIENTAUTHREQUIRED=true
- CORE_PEER_TLS_CLIENTCERT_FILE=crypto/peerOrganizations/org1.example.com/users/Admin#org1.example.com/tls/client.pem
- CORE_PEER_TLS_CLIENTKEY_FILE=crypto/peerOrganizations/org1.example.com/users/Admin#org1.example.com/tls/client.key
Orderer yaml config:
- ORDERER_GENERAL_TLS_ENABLED=true
- ORDERER_GENERAL_TLS_PRIVATEKEY=crypto/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/server.key
- ORDERER_GENERAL_TLS_CERTIFICATE=crypto/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/server.pem
- ORDERER_GENERAL_TLS_ROOTCAS=[crypto/ordererOrganizations/example.com/tls/ca-chain.pem]
- ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=true
- ORDERER_GENERAL_TLS_CLIENTROOTCAS=[crypto/ordererOrganizations/example.com/tlsca/ca-chain.pem,crypto/peerOrganizations/org1.example.com/tlsca/ca-chain.pem,crypto/peerOrganizations/org2.example.com/tlsca/ca-chain.pem]
Try running the command with following environment in your CLI container:
export CORE_PEER_ADDRESS=orderer.example.com:7050
export CORE_PEER_LOCALMSPID=OrdererMSP
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/users/Admin#example.com/msp
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
export ORDERER_CA=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
export CHANNEL_NAME=mychannel
This is because issuing channel update transaction requires updating the channel configuration file, which according to your present policies, must be signed by an Orderer Organization admin.
I had 2 organization in Hyperledger Fabric blockchain network initially. Recently I added one more organization on a different host using swarm. When I try to invoke chaincode from 1st or 2nd organization then it's working fine and I can see the updated transaction from org3. But when I invoke a transaction from org3, I am getting the following error.
"[2019-02-06 06:44:21.895] [ERROR] invoke - The transaction was
invalid, code = ENDORSEMENT_POLICY_FAILURE"
Initially, chaincode was initiated using the following policy.
-P "OR ('Org1MSP.peer','Org2MSP.peer')"
So I think I will have to update existing endorsement policy to include org3.
Could anyone help to modify existing endorsement policy or to resolve the issue?
The way to upgrade the chaincode is as followed:
Increment the version of ccRequest containing ccPackage
Re-Install the ccRequest on all orgs in the channel.
Ex: peer chaincode install -n mycc -v 2.0 -p github.com/chaincode/chaincode_example02/go/
Create new ccPolicy with correct rules containing required orgs as endorsers.
Upgrade the chaincode by running upgradeCC command
Ex: peer chaincode upgrade -o orderer.example.com:7050 --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA -C $CHANNEL_NAME -n mycc -v 2.0 -c '{"Args":["init","a","90","b","210"]}' -P "OR ('Org1MSP.peer','Org2MSP.peer','Org3MSP.peer')"
Test with a query on chaincode with peer chaincode query -C $CHANNEL_NAME -n mycc -c '{"Args":["query","a"]}'
For more details refer docs or ask on rockerchat
Yes, you can do that using peer chaincode upgrade command.
peer chaincode upgrade -o orderer.example.com:7050 --tls --cafile
$ORDERER_CA -C mychannel -n mycc -v 1.2 -c
'{"Args":["init","a","100","b","200","c","300"]}' -P "AND
('Org1MSP.peer','Org2MSP.peer','Org3MSP.peer')"
refer : peer chaincode upgrade
I have been roughly following http://hyperledger-fabric.readthedocs.io/en/latest/build_network.html#troubleshoot to create my first network, and have executed steps involving installing, istantiating, querying a chaincode. However, I get the following error while invoking chaincode.
root#5a0be253ef6e:/opt/gopath/src/github.com/hyperledger/fabric/peer# peer chaincode invoke -o orderer.example.com:7050 --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem -C testhimani123456 -n mycc --peerAddresses peer0.org1.example.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt --peerAddresses peer0.org2.example.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt -c '{"Args":["invoke","a","b","10"]}'
Error: unknown flag: --peerAddresses
Usage:
peer chaincode invoke [flags]
Flags:
-C, --channelID string The channel on which this command should be executed
-c, --ctor string Constructor message for the chaincode in JSON format (default "{}")
-n, --name string Name of the chaincode
Global Flags:
--cafile string Path to file containing PEM-encoded trusted certificate(s) for the ordering endpoint
--certfile string Path to file containing PEM-encoded X509 public key to use for mutual TLS communication with the orderer endpoint
--clientauth Use mutual TLS when communicating with the orderer endpoint
--keyfile string Path to file containing PEM-encoded private key to use for mutual TLS communication with the orderer endpoint
--logging-level string Default logging level and overrides, see core.yaml for full syntax
-o, --orderer string Ordering service endpoint
--ordererTLSHostnameOverride string The hostname override to use when validating the TLS connection to the orderer.
--tls Use TLS when communicating with the orderer endpoint
--transient string Transient map of arguments in JSON encoding
-v, --version Display current version of fabric peer server
I have ignored the part concerning environment variables. I was confused as to where to include it. I tried adding the fields that were absent in docker-compose-base.yaml file, but it gave me errors while running docker exec -it cli bash command, saying that there is no container for cli. So i decided to go with the original file, completely ignoring the step.
(finally know how to use this) Actually found the solution thanks to a friend.
The "peer chaincode invoke " doesn't have the flag "peerAddresses". The code given on the Hyperledger fabric tutorial documentation might be outdated or incorrect.
This can be seen in the Reference documentation : https://hyperledger-fabric.readthedocs.io/en/release-1.1/commands/peerchaincode.html
So removing peerAddresses and writing something like this might solve the error.
peer chaincode invoke -o orderer.example.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem -C $CHANNEL_NAME -n mycc -c '{"Args":["invoke","a","b","10"]}'
Problem was resolved by changing chaincode instantiation by changing "and" to "or".
Since I had skipped the environment variables step, default was peer0.org1 (i.e. org1MSP). Nothing was set for org2MSP. Thus it was in no position to award permissions in the first place.
peer chaincode instantiate -o orderer.example.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem -C $CHANNEL_NAME -n mycc -v 1.0 -c '{"Args":["init","a", "100", "b","200"]}' -P "OR ('Org1MSP.peer','Org2MSP.peer')"