My orderers admin and TLS certs expired so i tried generating new certs . created a new config.pb file by adding Base64 of certs in the config.json file and after that created new config.pb and was able to successfully sign the config by reversing the time of my peer cli machine but after getting signature from all the Organization MSP's . when i try to update my new config to the channel. I'm getting this error.
Error: got unexpected status: SERVICE_UNAVAILABLE -- update of more than one consenter at a time is not supported, requested changes: add 6 node(s), remove 6 node(s)
I have added newly generated certs for all the orderers at once by simply adding them all to the config.pb . what i understand from the above message is that i need to add the newly generated certs for every orderer one by one , Am i thinking correct ?
You can only update one consenter at a time and you'll do to do this for each channel as well.
Related
I have a three ORG setup and I have installed chain code on all three ORG peers with endorsement policy OutOf(2, 'Org1MSP.member', 'Org2MSP.member', 'Org3MSP.member'). Chain code installed on ORG2 is different with ORG1 and ORG3 as it produces response with different value then ORG1 and ORG3 chaincode . One of the attribute of response is hard coded in contract of ORG2.
Now with above policy and setup, i would assume that with ORG2 response is different then ORG1 and ORG3 response ,and ORG1 and ORG3 response are identical , still the transaction should be successful as 2 out of three are satisfied . But I am getting below error when I am submitting the transaction. It works fine when I install correct chaincode on ORG2 . Can anyone please help in pointing out what am I doing wrong. For chaincode and application i am using java sdk. Please let me know if you need any specific details.
Error : The proposal responses have 2 inconsistent groups with 0 that
are invalid. Expected all to be consistent and none to be invalid
I found my mistake . I had set discovery false in my client application code . Due to which it was failing . Once i turned it on (set as true) it worked fine as expected . You can use below discovery command to check the endorsement policies applicable on chaincode installed .
discover --configFile discovery/config.yaml endorsers --channel mychannel --server peer0.org3.example.com:11051 --chaincode papercontract
I am looking to setup a simple Hyperledger Fabric network without using docker and trying to create channel by following this tutorial using Node.js.
Steps i performed:
Setup crypto-config.yaml and generated crypto-material (crypto-config)
Setup fabric-ca-server-config.yaml by updating keyfile & certfile. started CA server
Setup configtx.yaml by defining one orderer and one organization. Created genesis block and configuration transaction
Now by when i run above tutorial node.js code, i get error on order terminal & as response of node.js call:
2019-01-09 16:16:54.619 IST [msp] DeserializeIdentity -> INFO 007
Obtaining identity
2019-01-09 16:16:54.619 IST [orderer/common/broadcast] Handle -> WARN 008 [channel: firstchannel]
Rejecting broadcast of config message from 127.0.0.1:44198 because of
error: Failed to reach implicit threshold of 1 sub-policies, required
1 remaining: permission denied
I tried many changes and still getting same error. Same error also appear while creating channel through terminal using ./peer channel create -o localhost:7050 -c firstchannel -f ./channel.tx
Here is my channel.tx converted in JSON.
How this can be resolved?
I got it worked!
Actually in orderer.yaml, i set LOG to DEBUG and now i can see the problem in channel creation well descriptive.
There were multiple things which i needed to improve but main thing was that in orderer.yaml, GenesisMethod was set to file, so it was creating system channel and was looking the signature of the OrdererMSP admin. Changing GenesisMethod to provisional got channel creation worked.
I use Hyperledger Fabric 1.2 to build a blockchain cluster, which contains 3 peers and 3 orderers. I can successfully deploy and invoke the chaincode via both CLI and Java SDK. Everything works fine. However, when I notice the service discovery function and try to use it, I met two problems. First, after I build the discover tool and try to use it to get some discovered information, I can't access the peer and get the message as follow
"failed connecting to discovery service: failed to create new
connection: context deadline exceeded"
The config command is
discover --configFile conf.yaml --userKey ./crypto-config/peerOrganizations/org1.forchain.com/peers/peer0.org1.forchain.com/msp/keystore/7458b29b1fb6a89768585430dbf0e522a40ff4aefe600fc1e4fafe62c3c972e4_sk --userCert ./crypto-config/peerOrganizations/org1.forchain.com/peers/peer0.org1.forchain.com/msp/signcerts/peer0.org1.forchain.com-cert.pem --MSP Org1MSP saveConfig
The query command is
discover --configFile conf.yaml peers --channel lajiao --server localhost:6051
I guess it may be caused by the TLS config so I canceled the TLS and tried again. This time I successfully access the peer and get some messages, but I met another problem. When I use 'discover peers xxx ' command, I always get null result, in fact there are two peers in that channel. When I use 'discover endorsers xxx' command, I always get the following error message
'failed constructing descriptor for chaincodes:'
In the meantime, the peer log outputs the following message:
'Principal set computation failed: chaincode isn't installed on
sufficient organizations required by the endorsement policy 2018-08-01
10:21:50.860 UTC [discovery] chaincodeQuery -> ERRO 1441 Failed
constructing descriptor for chaincode chaincodes:
,: chaincode isn't installed on sufficient organizations required by
the endorsement policy'
I can assure that the chaincode is successfully installed in all peers. And I didn't use the endorsement policy when I instantiated the chaincode. I think it is not the policy problem because I still can invoke the chaincode and propose a transaction.
I also tried to use the Java SDK and found that I can get the orderer nodes info but I can't get the other peer nodes or chaincode info. The log always output: "Discover of chaincode names was empty.". But the chaincode is definitely instantiated and can be invoke via SDK. I refered to the test code in "org.hyperledger.fabric.sdkintegration.ServiceDiscoveryIT" and some key Java code is as follow:
channel.addPeer(peer, createPeerOptions().setPeerRoles(EnumSet.of(Peer.PeerRole.SERVICE_DISCOVERY,Peer.PeerRole.LEDGER_QUERY, Peer.PeerRole.EVENT_SOURCE,Peer.PeerRole.CHAINCODE_QUERY)));
channel.initialize();
System.out.println("================ orderer ===============");
for (Orderer orderer : channel.getOrderers()) {
System.out.println(orderer.getName());
}
System.out.println("================ peer ===============");
for (Peer p: channel.getPeers()) {
System.out.println(p.getName());
}
System.out.println("================ chaincode ===============");
for (String s: channel.getDiscoveredChaincodeNames()) {
System.out.println(s);
}
So, how can I use the 'discover' command under TLS configuration and how can I get the discovered information?
For the config command - you need to pass a TLS root CA, via --peerTLSCA. Please look at the examples in the documentation and act accordingly.
Now - for the second problem, I think that the peers might not know each other in the channel.
Make sure you have anchor peers defined in the channel and that both peers have external endpoints configured.
Feel free to bug me (yacovm) on chat.hyperledger.org if you're struggling for too long and can't solve the problem.
You must add an anchor peer from each organization in the channel, this solved the problem for me. Anchor peers are required for the service discovery since the service discovery uses gossip protocol- thanks #yacovm
I stumbled a similar error (regarding to service discovery) as below.
Go Fabric Client logs:
Failed to get endorsing peers: error getting channel response for channel [myc]:
Discovery status Code: (11) UNKNOWN. Description: error received from Discovery Server:
failed constructing descriptor for chaincodes:<name:"mycc">
Peer logs:
Failed constructing descriptor for chaincode chaincodes:<name:"mycc" > ,:
cannot satisfy any principal combination
It's fixed when I provide CORE_PEER_GOSSIP_EXTERNALENDPOINT environment attribute with a correct value on peer's configuration (in docker yaml file in my case).
As I understood since this attribute is missing, discovery services running on peers failed to communicate with each other to have a conclusion of what current network looks like.
I'm new to Hyperledger Fabric.
Can any one tell me where the endorsing policy is stored in Hyperledger Fabric?
Thanks in advance
When you specify (or modify) an endorsement policy for a chaincode within the context of a channel, it is stored in the configuration block for that channel by the orderer.
From the Hyperledger Fabric 1.1 documentation:
When the CONFIG_UPDATE is received, the orderer computes the resulting
CONFIG by doing the following:
Verifies the channel_id and read_set. All elements in the read_set must exist at the given versions.
Computes the update set by collecting all elements in the write_set which do not appear at the same version in the read_set.
Verifies that each element in the update set increments the version number of the element update by exactly 1.
Verifies that the signature set attached to the ConfigUpdateEnvelope satisfies the mod_policy for each element in the
update set.
Computes a new complete version of the config by applying the update set to the current config.
Writes the new config into a ConfigEnvelope which includes the CONFIG_UPDATE as the last_update field and the new config encoded in
the config field, along with the incremented sequence value.
Writes the new ConfigEnvelope into a Envelope of type CONFIG, and ultimately writes this as the sole transaction in a new configuration
block.
When the peer (or any other receiver for Deliver) receives this
configuration block, it should verify that the config was
appropriately validated by applying the last_update message to the
current config and verifying that the orderer-computed config field
contains the correct new configuration.
I'm really tired with this issue.
Please and Please explain how I can solve this problem to me if you know. I'm begging
I'm working on "Fabcar" sample which has 1 peer / 1 orderer / 1 ca server in the fabric-samples folder.
I wanted to add 2 more peers to the network and join them to the channel(which is called my channel)
So I've modified 3 files: crypto-config.yaml, docker-compose.yml, start.sh (in the basic-network folder) appropriately.
I'm also done producing crypto materials for the new 2 peers with the cryptogen tool.
But the thing is that when I executed "peer channel join -b myblock.block" in peer0.org1.example.com container in order to join those new peers to the channel, this error message is shown:
This error message
It says "JoinChain" request failed authorization check for channel [mychannel]: [Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin]]))
I've also tried that command both inside and outside peer0.org1.example with docker exec command, and did with sudo and nothing works well.
It seems that I need to initiate the transaction with the admin's cert, but I really have no idea how to make it and how to resolve this authorization issue.
Please anyone who knows how to deal with this issue explain this to me in detail.
I've suffered from this problem for a very long time. I'm really desperate.
I'd really appreciate if you tell me how. Looking forward to your response. Thank you.
The error message is the tell: [This identity is not an admin]. You need to be using the identity of the admin for a given peer/org in order to execute the peer channel join command.
The way that cryptogen creates the crypto material is to populate a directory tree of a specific structure. For the admin certificate, you need to be using this identity:
fabric-samples/basic-network/crypto-config/peerOrganizations/org1.example.com/users/Admin#org1.example.com/msp
in order to be the admin for Org1. The script that creates the channel and joins the one peer in the default sample is done with the command here:
https://github.com/hyperledger/fabric-samples/blob/f05a132586ae9ca7ce86b9e56ae4bd3b084bc959/basic-network/start.sh#L26
This issue is due to the access level of the credentials you are using.
You need to be an admin to add a peer to a channel, so you have access to to the system chaincode cscc.
Another possible issue is that in the network configuration (usually the configtx.yaml file) there is some policy resticting your access to join the peer to the channel, if you'd like I can take a look in your configtx file and see if I can help.
As you are using the Fabcar example and it's called with Node SDK you can add the peer also using SDK.
Please try it:
Instantiate a Fabric Client object and enroll an admin user. You can do it in your script based in Fabcar's enrollAdmin.js, as I will explain
In Fabcar's enrollAdmin.js line 72 you can see this line:
console.log('Assigned the admin user to the fabric client ::' + admin_user.toString());
Start from here, inside the "then" that starts in line 71.
You have to enroll the identity as an admin usng the method
fabric_client.setAdminSigningIdentity(pk, cert, MSPID);
The pk parameter is the admin private key, cert is his certificate and the MSPID is the one you specified for his organization in the configtx.yaml file.
you can get the pk and cert using the file system module from Node addins the following:
let fs = require('fs');
let cert = fs.readFileSync(path.join(__dirname, 'PATH_TO_CERT/CERT_NAME.pem'))
let pk = fs.readFileSync(path.join(__dirname, 'PATH_TO_PK','PK_NAME'))
The usual path to the admin certificate is
/fabric-samples/basic-network/crypto-config/peerOrganizations/org1.example.com/users/Admin#org1.example.com/msp/admincerts
And to the private key is:
/fabric-samples/basic-network/crypto-config/peerOrganizations/org1.example.com/users/Admin#org1.example.com/msp/keystore
Now you just added the admin identity to your clients's instance, if everything is ok you need to create a peer instance with your peer's address as the following example:
peer=fabric_client.newPeer(grpc://localhost:7051);
Don't forget to use the grpc protocol, and if tls is enabled you have to use grpcs.
Now create a channel instance of your channel using the channel id as parameter:
let channel_i=fabric_client.newChannel('mychannel')
Then create a request to the channel genesis (config) block:
let orderer = fabric_client.newOrderer(ORDERER_URL);//the urlalso with grpc protocol
let tx_id=fabric.client.newTransactionID(true); //true means it's an administrative request
let g_request={
txId: tx_id,
orderer : orderer
}
Finally, make the block request, then use it to join the channel:
channel_i.getGenesisBlock(g_request).then((block) =>{
tx_id = fabric.client.newTransactionID(true);
let j_request = {
targets : peer,
block : block,
txId : tx_id,
};
// send genesis block to the peer
return channel_i.joinChannel(j_request, 10000).then((results) =>{
if(results[0].response.status == 200) {
// join successful
console.log("Join successful!!!");
} else {
// not good
console.log("Error:: "+ results);
throw results;
}
})
For the admin identity error, copy that identity signedcert into Org MSP admincerts folder and then generate the channel tx file.
This issue could be occurred due to wrong config of CORE_PEER_MSPCONFIGPATH
Please check yaml file. The CORE_PEER_MSPCONFIGPATH should be
/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto-config/peerOrganizations/org1.example.com/users/Admin#org1.example.com/msp
The above org1 is for sample, you can check with your org name.