Hyperledger Fabric - change max_message_count configuration update "Error Validating Delta Set" following tutorial - hyperledger-fabric

I'm executing tutorials on Hyperledger Fabric First Network (version 1.4) and I get an unexpected error when trying to change max_message_count variable from 10 to 20 in channel configuration.
I'm using this tutorial: https://hyperledger-fabric.readthedocs.io/en/release-1.4/channel_update_tutorial.html
Obviously, I don't change the org list of the channel as in the tutorial; I only change the parameter:
cat config.json | sed 's/"max_message_count": 10/"max_message_count": 20/g' > new_config.json
Then I execute the encoding of the new and old configuration to protobuf, compute the update, decode the update to JSON, add the envelope and re-encode the envelope to protobuf. It is okay.
Then I sign the update with both organizations and try to update, but it gives me this error:
Error: got unexpected status: BAD_REQUEST -- error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/BatchSize not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
This is the decoded update, as you can see is signed by both Org1MSP and Org2MSP: https://controlc.com/486d638a
These are the logs from orderer:
2020-12-10 17:28:04.282 UTC [cauthdsl] deduplicate -> WARN 01c De-duplicating identity [Org2MSPd2b5a4f881b520ad90a0ae5db7bd0b5362fae2d5916d972751da9bd35fb97f9b] at index 2 in signature set
2020-12-10 17:28:04.282 UTC [orderer.common.broadcast] ProcessMessage -> WARN 01d [channel: mychannel] Rejecting broadcast of config message from 172.20.0.7:56874 because of error: error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/BatchSize not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining

Self-Answer.
This type of modification needs the signature of the orderer:
export CORE_PEER_ADDRESS=orderer.example.com:7050
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/users/Admin\@example.com/msp/
peer channel signconfigtx -f org3_update_in_envelope.pb
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
export CORE_PEER_LOCALMSPID=OrdererMSP
peer channel update -f org3_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.example.com:7050 --tls --cafile $ORDERER_CA

Related

peer create channel policies issue

I am trying to create a channel for my Hyperledger Fabric network using the following command:
peer channel create -o localhost:7050 -c $CHANNEL_NAME --ordererTLSHostnameOverride orderer.supplychain.com -f ../artifacts-channels/${CHANNEL_NAME}.tx --outputBlock ../artifacts-channels/${CHANNEL_NAME}.block --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA
I get the following error as a result:
Error: got unexpected status: FORBIDDEN -- config update for existing channel did not pass initial checks: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied"
I also get this error in the Docker logs of the orderer container:
Invalid identity: certificate subject=CN=Admin@productionlaborg.supplychain.com,OU=admin,L=San Francisco,ST=California,C=US serialnumber=209542001001378907007459857235386288226 error="the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"ca.productionlaborg.supplychain.com\")"
Know that I use the correct path of the "MSP folder" of the admin "Admin@productionlaborg" who created the channel.

Facing issue while joining a org to the existing channel in hyperledger fabric

We are using Fabric v2.2. Our network setup has 5 channels. Org1 is a part of all the channels. Other than that each channel has 2 individual orgs. So totally 3 orgs are part of each channel. We have 5 orderers.
When we try to join a new org, say org12, to each channel, we are facing an issue when using the following command.
peer channel update -f org12/org12_update_in_envelope.pb -c testchannel -o orderer1.org-net:7050 --ordererTLSHostnameOverride orderer1.org-net --tls --cafile $ORDERER_CA
This is the error message we are getting
Error:
got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'testchannel': error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 2 of the 'Admins' sub-policies to be satisfied
Can anyone please suggest how we can proceed?
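The two "error validating DeltaSet" messages above (threshold of 1 for /Channel/Orderer/BatchSize, 2 of the 'Admins' sub-policies for /Channel/Application) both come from an implicit "Admins" policy that only counts organizations defined under the modified group. The following Go model is an added example, not Fabric code or code from these posts; the group layout, the third org name and the names groupOrgs, threshold and CheckUpdate are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed layout (assumption): MSP IDs of the orgs defined under each group.
var groupOrgs = map[string][]string{
	"/Channel/Orderer":     {"OrdererMSP"},
	"/Channel/Application": {"Org1MSP", "Org2MSP", "Org3MSP"},
}

// threshold is the number of sub-policies an implicit rule requires.
func threshold(rule string, n int) int {
	switch rule {
	case "ANY":
		return 1
	case "ALL":
		return n
	}
	return n/2 + 1 // MAJORITY
}

// CheckUpdate evaluates "<rule> Admins" for the group that owns path, given
// the MSP IDs whose admins signed the config update.
func CheckUpdate(path, rule string, signers ...string) (bool, string) {
	for group, orgs := range groupOrgs {
		if !strings.HasPrefix(path, group) {
			continue
		}
		signed, ok := map[string]bool{}, 0
		for _, s := range signers {
			signed[s] = true
		}
		for _, o := range orgs {
			if signed[o] { // signatures from orgs outside the group count for nothing
				ok++
			}
		}
		need := threshold(rule, len(orgs))
		return ok >= need, fmt.Sprintf("%s: %d of %d required Admins sub-policies satisfied", group, ok, need)
	}
	return false, "no group governs " + path
}

func main() {
	fmt.Println(CheckUpdate("/Channel/Orderer/BatchSize", "MAJORITY", "Org1MSP", "Org2MSP"))
	fmt.Println(CheckUpdate("/Channel/Orderer/BatchSize", "MAJORITY", "OrdererMSP"))
}
```
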

Changing endorsement policy to require multiple members, but not sure how to get all peers to endorse

My chaincode was instantiated with the following command:
peer chaincode instantiate -o orderer1.example.com:7050 --tls true --cafile <cafile> -C mychannel \
-n mycc -l java -v 1.0 -c '{"Args":[]}' -P "OR ('Org1MSP.member')"
I would like to change the endorsement policy such that all peers in the organization are required for endorsement; currently I have two peers, but the number is set to increase.
What I do for now is the following procedure:
Step one: install the same chaincode with a different version name.
peer chaincode install -n mycc -v <version> -l java -p /opt/gopath/src/github.com/chaincode
Step two: upgrade the chaincode using the following command:
peer chaincode upgrade -o orderer1.example.com:7050 --tls true --cafile <cafile> -C mychannel \
-n mycc -l java -v <version> -c '{"Args":[]}' -P "OutOf(2, 'Org1MSP.member')" \
-peerAddresses peer1.org1.example.com:7051 -peerAddresses peer2.org1.example.com:7051
However, I am unable to achieve my desired outcome. Under the current endorsement policy, when I use my client to submit a transaction, it is committed after a while. After I change the policy, my transaction is no longer automatically accepted, and the logs reflect this with the following error message:
VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode
mycc in tx 132:0 failed: signature set did not satisfy policy
So while I am able to stop the auto-acceptance of transactions, now I find myself unable to validate any transaction.
The procedure I follow in changing the chaincode endorsement policy, is it correct?
Does my endorsement policy do what I intend to do?
How come I am no longer able to validate transactions?
EDIT: I changed my logging spec to the one suggested by Jason Yellick. I think I found some debug which might provide insight:
<time> [cauthdsl] func1 -> DEBU 4bd 0xc0004e4050 gate 1594275943563937246 evaluation starts
<time> [cauthdsl] func2 -> DEBU 4be 0xc0004e4050 signed by 0 principal evaluation starts (used [false])
<time> [cauthdsl] func2 -> DEBU 4bf 0xc0004e4050 processing identity 0 with bytes of 1159660
<time> [cauthdsl] func2 -> DEBU 4c0 0xc0004e4050 principal matched by identity 0
<time> [cauthdsl] func2 -> DEBU 4c1 0xc0004e4050 principal evaluation succeeds for identity 0
<time> [cauthdsl] func2 -> DEBU 4c2 0xc0004e4050 signed by 1 principal evaluation starts (used [true])
<time> [cauthdsl] func2 -> DEBU 4c3 0xc0004e4050 skipping identity 0 because it has already been used
<time> [cauthdsl] func2 -> DEBU 4c4 0xc0004e4050 principal evaluation fails
<time> [cauthdsl] func1 -> DEBU 4c5 0xc0004e4050 gate 1594275943563937246 evaluation fails
<time> [vscc] Validate -> ERRO 4c6 VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode myteacc in tx 140:0 failed: signature set did not satisfy policy
<time> [vscc] Validate -> DEBU 4c7 block 140, namespace: myteacc, tx 0 validation results is: validation of endorsement policy for chaincode myteacc in tx 140:0 failed: signature set did not satisfy policy
<time> [committer.txvalidator] ValidateWithPlugin -> DEBU 4c8 Transaction 1d8f66a10658c3d808ad4ce0feef9fd5c13816187a39fcedc8a32ce91016df0d appears to be invalid: validation of endorsement policy for chaincode myteacc in tx 140:0 failed: signature set did not satisfy policy
<time> [committer.txvalidator] validateTx -> ERRO 4c9 VSCCValidateTx for transaction txId = 1d8f66a10658c3d808ad4ce0feef9fd5c13816187a39fcedc8a32ce91016df0d returned error: validation of endorsement policy for chaincode myteacc in tx 140:0 failed: signature set did not satisfy policy
<time> [committer.txvalidator] validateTx -> DEBU 4ca [isprintchannel] validateTx completes for block 0xc0026306c0 env 0xc00245e190 txn 0
This is with policy set to AND('Org1MSP.member','Org1MSP.member')

Your endorsement policy is unsatisfiable. In your upgrade command:
peer chaincode upgrade -o orderer1.example.com:7050 --tls true \
--cafile <cafile> -C mychannel -n mycc -l java -v <version> \
-c '{"Args":[]}' -P "OutOf(2, 'Org1MSP.member')" \
-peerAddresses peer1.org1.example.com:7051 -peerAddresses \
peer2.org1.example.com:7051
you can see that your policy is:
-P "OutOf(2, 'Org1MSP.member')"
This endorsement policy is requiring that "2 out of 1 identities must sign". This can never be satisfied, as you can never have more signatures than principals. It is essentially saying "Of 1 thing, pick 2 of them", which is a contradiction. If you really want to require two peers from the same organization, then you would want to write:
-P "OutOf(2, 'Org1MSP.member', 'Org1MSP.member')"
Or, you could have simply used the AND syntax:
-P "AND('Org1MSP.member', 'Org1MSP.member')"
I would note, it's unusual to require multiple peers from the same organization to endorse, and if you go this route, you need to be careful in your certificate management. In particular, if you are using the fabric-ca, you must ensure that the peer identity can only enroll once, otherwise it could re-enroll and now have two valid identities, and be able to pretend to be two different peers. Similarly, if the identity must be re-issued, be careful to ensure that the old certificate is revoked.
You might consider instead defining a second logical organization and writing your policies using the two distinct logical organizations such as:
-P "AND('Org1MSP.member', 'Org2MSP.member')"
This is a much more conventional way to operate Fabric.
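
The evaluation behaviour described in the answer and visible in the cauthdsl debug log ("skipping identity 0 because it has already been used") can be reproduced with a small model. This is an added example, not code from the answer or from Fabric; Identity, Policy, SignedBy, OutOf, And and Satisfied are hypothetical names and the identities are constructed.

```go
package main

import "fmt"

// Identity is a constructed stand-in for one endorser's certificate.
type Identity struct{ MSPID, Cert string }

// Policy is a simplified model, not Fabric's types: a "<MSPID>.member" leaf
// when Rules is empty, otherwise "N out of Rules".
type Policy struct { MSPID string; N int; Rules []Policy }

func SignedBy(msp string) Policy          { return Policy{MSPID: msp} }
func OutOf(n int, rules ...Policy) Policy { return Policy{N: n, Rules: rules} }
func And(rules ...Policy) Policy          { return OutOf(len(rules), rules...) }

// eval consumes identities via used, so one signature satisfies one leaf only.
func (p Policy) eval(ids []Identity, used []bool) bool {
	if len(p.Rules) == 0 {
		for i, id := range ids {
			if !used[i] && id.MSPID == p.MSPID {
				used[i] = true
				return true
			}
		}
		return false
	}
	passed := 0
	for _, r := range p.Rules {
		trial := append([]bool(nil), used...)
		if r.eval(ids, trial) {
			passed++
			copy(used, trial)
		}
	}
	return passed >= p.N // one rule can pass at most once, so OutOf(2, x) never passes
}

// Satisfied de-duplicates the signature set, then evaluates the policy.
func Satisfied(p Policy, sigs ...Identity) bool {
	seen, ids := map[Identity]bool{}, []Identity{}
	for _, s := range sigs {
		if !seen[s] {
			seen[s], ids = true, append(ids, s)
		}
	}
	return p.eval(ids, make([]bool, len(ids)))
}

func main() {
	p1, p2, m := Identity{"Org1MSP", "peer1"}, Identity{"Org1MSP", "peer2"}, SignedBy("Org1MSP")
	fmt.Println(Satisfied(OutOf(2, m), p1, p2), Satisfied(And(m, m), p1, p2), Satisfied(And(m, m), p1, p1))
}
```

The last case is why the answer warns about certificate management: a peer holding two valid certificates would count as two identities in this check.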

Block Committed Even After Endorsement Policy Failure In Hyperledger Fabric v1.4

I have set my endorsement policy as "AND ('Org1MSP.peer','OrgMainMSP.peer')" that means I need certificates of both the organizations to perform transactions successfully.
Transaction Performed as below:
peer chaincode invoke -o orderer0.org.com:7050 --tls --cafile \
/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/org.com/orderers/orderer0.org.com/msp/tlscacerts/tlsca.org.com-cert.pem \
-n accessControl --peerAddresses peer0.org-main.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org-main.com/peers/peer0.org-main.com/tls/ca.crt \
--peerAddresses peer0.org1.com:10051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.com/peers/peer0.org1.com/tls/ca.crt \
-c '{"Args":[]}'
It all worked fine. It successfully committed a new block, which can be seen in CouchDB as well. But when I send the transaction with one of the certificates removed, as can be seen below:
peer chaincode invoke -o orderer0.org.com:7050 --tls --cafile \
/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/org.com/orderers/orderer0.org.com/msp/tlscacerts/tlsca.org.com-cert.pem \
-n accessControl --peerAddresses peer0.org-main.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org-main.com/peers/peer0.org-main.com/tls/ca.crt \
-c '{"Args":[]}'
New block is committed with a transaction but marked as invalid by the committer with following error message on the logs
peer0.org-main.com | 2020-03-20 07:59:30.868 UTC [vscc] Validate -> ERRO 094 VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode accessControl in tx 7:0 failed: signature set did not satisfy policy
peer0.org-main.com | 2020-03-20 07:59:30.868 UTC [valimpl] preprocessProtoBlock -> WARN 097 Channel [myc]: Block [7] Transaction index [0] TxId [01246b27c11f94124aee3c4ac84a011be51a26aaa50fc28f1d6f5f5a8860c079] marked as invalid by committer. Reason code [ENDORSEMENT_POLICY_FAILURE]
peer0.org-main.com | 2020-03-20 07:59:31.156 UTC [kvledger] CommitWithPvtData -> INFO 098 [myc] Committed block [7] with 1 transaction(s) in 287ms (state_validation=0ms block_and_pvtdata_commit=220ms state_commit=17ms) commitHash=[9d52225ddbc8f6f98edd37388cbcf369fea22666b9ec1cff1a91debdebc2d2a1]
And when I again submit the transaction passing both certificates, it throws an error:
Error: could not assemble transaction: ProposalResponsePayloads do not
match - proposal response: version:1 response status:200 payload:...
The problem here is that if I mistakenly call the invoke function passing only one certificate of an organization (endorsement policy failure), then I am not able to submit further transactions.

Transaction signed according to the endorsement policy.
That's OK. Block committed and state updated.
Transaction signatures do not match the endorsement policy.
That's OK. Your client had better not try to commit that transaction, but if it does, a new block is committed with an invalid transaction and the state is not updated.
ProposalResponsePayloads do not match.
Now the problem is different. I don't think it has any relationship with the previous transaction. The signatures are the expected ones, but you are composing a transaction with 2 transaction proposals that do not match. Their response or writeset is not the same. Be sure that you are not using external calls, random numbers, timestamps (other than the ones for the transaction or block) or similar values in your chaincode that might not match in both endorsements. Of course, the transaction is invalidated, but a new block is committed.

Hyperledger-Fabric Error adding an organization to an existing channel

I am getting an error when following the tutorial for adding a new organization to the channel.
The command I typed is
./eyfn.sh up
The output below is the error I got.
+ res=1
+ set +x
+ peer channel join -b mychannel.block
CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/ca.crt
CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/server.key
CORE_PEER_LOCALMSPID=Org3MSP
CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/server.crt
CORE_PEER_TLS_ENABLED=true
CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp
CORE_PEER_ID=Org3cli
CORE_LOGGING_LEVEL=INFO
CORE_PEER_ADDRESS=peer0.org3.example.com:7051
2018-06-19 22:08:40.019 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: proposal failed (err: rpc error: code = Unknown desc = chaincode error (status: 500, message: Cannot create ledger from genesis block, due to LedgerID already exists))
Usage:
peer channel join [flags]
Flags:
-b, --blockpath string Path to file containing genesis block
Global Flags:
--cafile string Path to file containing PEM-encoded trusted certificate(s) for the ordering endpoint
--certfile string Path to file containing PEM-encoded X509 public key to use for mutual TLS communication with the orderer endpoint
--clientauth Use mutual TLS when communicating with the orderer endpoint
--keyfile string Path to file containing PEM-encoded private key to use for mutual TLS communication with the orderer endpoint
--logging-level string Default logging level and overrides, see core.yaml for full syntax
-o, --orderer string Ordering service endpoint
--ordererTLSHostnameOverride string The hostname override to use when validating the TLS connection to the orderer.
--tls Use TLS when communicating with the orderer endpoint
-v, --version Display current version of fabric peer server
peer0.org3 failed to join the channel, Retry after 3 seconds
Specifically, the error in the output seems to be this:
Error: proposal failed (err: rpc error: code = Unknown desc = chaincode error (status: 500, message: Cannot create ledger from genesis block, due to LedgerID already exists))
I am following the instructions from http://hyperledger-fabric.readthedocs.io/en/release-1.1/channel_update_tutorial.html.
Any guidance would be helpful.

Run this command
./byfn.sh -m down
And then run
./eyfn.sh up
Hope this helps!
