Develop Reference

TLS handshake failed with error remote error: tls: bad certificate server=Orderer using Raft and Intermediate certs

I see there are a lot of questions about this error, I have seen this solution Raft bad format but I doubled checked and the folders are right and the certs are in there, I also looked at Sans problem but for what I understand I don't need Sans when using Raft (I may be wrong). I think my problem its because I'm not handling the intermediate certificates correctly and I'm getting the error both creating a channel and in the Raft consensus.
So here is what I've done so far:
I created my genesis block using a configtx.yaml and this msp folder structure:
configtx.yaml
Organizations:
- &ordererOrg
Name: orderer
ID: orderer
MSPDir: /crypto/msp
Policies:
Readers:
Type: Signature
Rule: "OR('orderer.member')"
Writers:
Type: Signature
Rule: "OR('orderer.member')"
Admins:
Type: Signature
Rule: "OR('orderer.admin')"
Capabilities:
Channel: &ChannelCapabilities
V1_4_3: true
Orderer: &OrdererCapabilities
V1_4_2: true
Application: &ApplicationCapabilities
V1_4_2: true
Application: &ApplicationDefaults
Organizations:
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
Capabilities:
<<: *ApplicationCapabilities
Orderer: &OrdererDefaults
OrdererType: solo
BatchTimeout: 2s
BatchSize:
MaxMessageCount: 10
AbsoluteMaxBytes: 99 MB
PreferredMaxBytes: 512 KB
Kafka:
Brokers:
- 127.0.0.1:9092
Organizations:
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
BlockValidation:
Type: ImplicitMeta
Rule: "ANY Writers"
Channel: &ChannelDefaults
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
Capabilities:
<<: *ChannelCapabilities
Profiles:
SampleEtcdRaftProfile:
<<: *ChannelDefaults
Capabilities:
<<: *ChannelCapabilities
Orderer:
<<: *OrdererDefaults
OrdererType: etcdraft
Addresses:
- orderer1.xxxx.eastus.aksapp.io:443
- orderer2.xxxx.eastus.aksapp.io:443
Organizations:
- *ordererOrg
EtcdRaft:
Consenters:
- Host: orderer1
Port: 7050
ClientTLSCert: /crypto/orderers/orderer1/tls/server.crt
ServerTLSCert: /crypto/orderers/orderer1/tls/server.crt
- Host: orderer2
Port: 7050
ClientTLSCert: /crypto/orderers/orderer2/tls/server.crt
ServerTLSCert: /crypto/orderers/orderer2/tls/server.crt
Capabilities:
<<: *OrdererCapabilities
Application:
<<: *ApplicationDefaults
Organizations:
- <<: *ordererOrg
Consortiums:
SampleConsortium:
Organizations:
- *ordererOrg
MSP folder structure:
+ /crypto
configtx.yaml
+ msp
+ cacerts > ca.crt
+ tlscacerts > ca.crt
+ intermediatecerts > intermediate.crt
+ tlsintermediatecerts > intermediate.crt
+ admincerts > admin.crt
+ orderers
+ orderer1/tls > server.crt
+ orderer2/tls > server.crt
I created my genesis block using this:
configtxgen -profile SampleEtcdRaftProfile -outputBlock genesis.block -channelID mychannel
Now here I have a doubt inside my orderer the msp structure is like this:
+ /var/hyperledger/orderer
genesis.block
+ msp
+ cacerts > ca.crt
+ intermediatecerts > intermediate.crt
+ admincerts > admin.crt
+ signcerts > cert.pem
+ keystore > key.pem
+ tls
server.crt
server.key
ca.crt
intermediate.crt
And these are my env variables:
ORDERER_GENERAL_TLS_ENABLED=true
ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
ORDERER_GENERAL_TLS_CLIENTROOTCAS=/var/hyperledger/orderer/tls/ca.crt
ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=false
ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/var/hyperledger/orderer/tls/server.key
ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/var/hyperledger/orderer/tls/server.crt
ORDERER_GENERAL_CLUSTER_ROOTCAS=/var/hyperledger/orderer/tls/ca.crt
I'm not sure why the structure is different and the tls files are somewhere else but I am copying the configuration from the azure hyperledger template That I have already used successfuly.
Now my orderers are running but orderer1 keeps starting a new election and orderer 2 becomes precandidate and finally fails with a TLS handshake error.
These are the error logs in orderer2:
2021-03-23 22:15:21.969 UTC [orderer.consensus.etcdraft] Step -> INFO f96 2 is starting a new election at term 1 channel=canalenergia node=2
2021-03-23 22:15:21.969 UTC [orderer.consensus.etcdraft] becomePreCandidate -> INFO f97 2 became pre-candidate at term 1 channel=canalenergia node=2
2021-03-23 22:15:21.969 UTC [orderer.consensus.etcdraft] poll -> INFO f98 2 received MsgPreVoteResp from 2 at term 1 channel=canalenergia node=2
2021-03-23 22:15:21.969 UTC [orderer.consensus.etcdraft] campaign -> INFO f99 2 [logterm: 1, index: 2] sent MsgPreVote request to 1 at term 1 channel=canalenergia node=2
2021-03-23 22:15:26.673 UTC [core.comm] ServerHandshake -> ERRO f9a TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=x.x.x.x:45472
I tried deleting intermediate.crt and mixing ca.crt and intermediate.crt into one file in ca.crt in the tls folder of the orderer like this:
-----BEGIN CERTIFICATE-----
ROOTCERTxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
But it didn't work either.
I tried openssl verify -CAfile chain.crt orderer1-tls.crt and returns OK.
This is what happens when I try to create a new channel:
peer channel create -o orderer1.xxxx.eastus.aksapp.io -c testchannel -f ./channel.tx --tls --cafile /var/hyperledger/peer/msp/tlscacerts/ca.crt --clientauth --certfile /var/hyperledger/peer/tls/cert.pem --keyfile /var/hyperledger/peer/tls/key.pem
2021-03-24 00:04:40.331 UTC [comm.tls] ClientHandshake -> ERRO 001 Client TLS handshake failed after 939.077µs with error: EOF remoteaddress=x.x.x.x:443
I tested my urls with telnet and they are ok.
I created my certificates using openSSL but I don't see anything wrong in them, the only difference is that they aren't signed by a fabric-ca but by an intermediate CA from a big company.
I have double checked all the values but I guess orderer wouldn't even be running if they weren't right and followed this script from azure for the creation of the genesis block only adding the intermediate info.
Any advice would be great.
Thanks
UPDATE:
I activated the debug logs with this variable:
FABRIC_LOGGING_SPEC="grpc=debug:info"
And found the problem is this:
transport: authentication handshake failed: x509: certificate is not valid for any names, but wanted to match orderer1
My certificate has this subject:
CN=orderer1-tls#blockchain.company.com,O=Company,L=CITY,ST=STATE,C=US
Now, I don't understand why its telling me it doesn't have a name, I though the CN orderer1-tls#blockchain.company.com was the name, and, also, where did I tell the orderer that the name to search is "orderer1"?
UPDATE 2:
I changed my TLS certificates to CN=orderer.company.com and then the error was this:
x509: certificate is valid for orderer1.company.com, not orderer1
So as 李可以 says, the orderer is expecting the hostname in the certificate CN and my hostname is orderer1 so I changed it to that.
Now I'm getting a new error:
UTC [comm.grpc.server] 1 -> INFO 118 streaming call completed grpc.service=orderer.Cluster grpc.method=Step grpc.peer_address=x.x.x.x:39424 error="no TLS certificate sent" grpc.code=Unknown grpc.call_duration=161.713µs
I guess This is a new error so I'm going to open a new question. thanks!

Ana
I have same problem when i study fabric.and i have solve them,hope this can help you.
for example,when you execute in linux terminal
export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/home/www/byfn-on-k8s/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
export CORE_PEER_MSPCONFIGPATH=/home/www/byfn-on-k8s/crypto-config/peerOrganizations/org1.example.com/users/Admin#org1.example.com/msp
export CORE_PEER_ADDRESS=peer0.org1.example.com:30011
peer channe list
you will get correct result
and change CORE_PEER_ADDRESS to exmaple.com(example.com link same ip to peer0.org1.example.com,you can setup by edit /etc/hosts),
export CORE_PEER_ADDRESS=example.com:30011
peer channe list
and you will get error "TLS handshake failed with error remote error: tls: bad certificate server=PeerServer"in peer log
but this is not the only scene when you meet error "tls: bad certificate",
and i think this error is caused by the "hostname vertify"
for instance,you want to access peer peer0.org1.example.com,and this peer enable server tls,you can find the server.crt and server.key in peer env.
if you parse the server.crt,you will find the CN of this crt is "peer0.org1.example.com"
when you contact to peer "peer0.org1.example.com", the peer will send you its cert,and you find the CN of th cert is "peer0.org1.example.com",so you trust this server,
but when you contact to "example.com" (point to same IP with peer0.org1.example.com),and the peer send you its cert ,you find the CN of the cert is "peer0.org1.example.com" ,id not equal "example.com",so you dont trust this server and get error.

I think the new error "no TLS certificate sent" was caused by you have set CORE_PEER_TLS_CLIENTAUTHREQUIRED=true on your orderer env.
so I try to test when CORE_PEER_TLS_CLIENTAUTHREQUIRED=true,I meet another error "tls:bad certificate" when raft elect,so I change the orderer env like these:
- ORDERER_GENERAL_TLS_ENABLED=true
- ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
- ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
- ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
- ORDERER_KAFKA_TOPIC_REPLICATIONFACTOR=1
- ORDERER_KAFKA_VERBOSE=true
- ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=true
- ORDERER_GENERAL_TLS_CLIENTROOTCAS=/var/hyperledger/orderer/tls/ca.crt
- ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/var/hyperledger/orderer/tls/server.crt
- ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/var/hyperledger/orderer/tls/server.key
- ORDERER_GENERAL_CLUSTER_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
and there are no error during elect,but when I try to create channel,I did't set authclient
peer channel create -o orderer.example.com:7050 -c mychannel -f ./channel-artifacts/channel.tx --tls true --cafile /root/go/src/github.com/hyperledger/fabric-samples/first-network/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
I did't set authclient,I meet another error
TLS handshake failed with error tls: client didn't provide a certificate server=Orderer remoteaddress=192.168.192.11:57372
so I change my command
peer channel create -o orderer.example.com:7050 -c mychannel -f ./channel-artifacts/channel.tx --tls true --cafile /root/go/src/github.com/hyperledger/fabric-samples/first-network/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem --clientauth --certfile /root/go/src/github.com/hyperledger/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt --keyfile /root/go/src/github.com/hyperledger/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
and it exec success,you can see the --certfile value is peer's server.crt and --keyfile value is peer's server key.
so I think the problem you had meet is caused by client side tls,you can check the client side crt and key is correct or not.
Hope these are useful to you.

peer lifecycle chaincode approveformyorg Error: failed to send transaction: got unexpected status: NOT_FOUND -- channel does not exist

When I was conducting chain code approval, I encountered the following problem: Error: failed to send transaction: got unexpected status: NOT_FOUND -- Channel does not exist.I have successfully executed the operation of chain code packaging and chain code installation, but I cannot continue when executing the chain code approval. Have you encountered any such problems? thank you
Here is the information for the current node:
bash-5.0# peer channel list
2020-09-21 10:18:18.939 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Channels peers has joined:
example-channel
bash-5.0# peer lifecycle chaincode queryinstalled
Installed chaincodes on peer:
Package ID: mycc_1:2499940fe909cc71a661bf79a3d78523a43c4d2879f4456e6cbe4a2a5a5e5246, Label: mycc_1
========================2020-09-22===================
this is my configtx.yaml
Organizations:
- &OrdererOrg
Name: OrdererOrg
ID: OrdererMSP
MSPDir: ./crypto-config/ordererOrganizations/example.com/msp
Policies:
Readers:
Type: Signature
Rule: "OR('OrdererMSP.member')"
Writers:
Type: Signature
Rule: "OR('OrdererMSP.member')"
Admins:
Type: Signature
Rule: "OR('OrdererMSP.admin')"
- &Org1
Name: Org1MSP
ID: Org1MSP
MSPDir: ./crypto-config/peerOrganizations/org1.example.com/msp
Policies:
Readers:
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
Writers:
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
Admins:
Type: Signature
Rule: "OR('Org1MSP.admin')"
AnchorPeers:
- Host: peer0.org1.example.com
Port: 7051
- &Org2
Name: Org2MSP
ID: Org2MSP
MSPDir: ./crypto-config/peerOrganizations/org2.example.com/msp
Policies:
Readers:
Type: Signature
Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
Writers:
Type: Signature
Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
Admins:
Type: Signature
Rule: "OR('Org2MSP.admin')"
AnchorPeers:
- Host: peer0.org2.example.com
Port: 7051
Capabilities:
Channel: &ChannelCapabilities
V2_0: true
Orderer: &OrdererCapabilities
V2_0: true
Application: &ApplicationCapabilities
V2_0: true
Application: &ApplicationDefaults
Organizations:
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
Capabilities:
<<: *ApplicationCapabilities
Orderer: &OrdererDefaults
OrdererType: etcdraft
Addresses: # orderer
- orderer.example.com:7050
- orderer2.example.com:7050
- orderer3.example.com:7050
- orderer4.example.com:7050
- orderer5.example.com:7050
BatchTimeout: 2s
BatchSize:
MaxMessageCount: 10
AbsoluteMaxBytes: 99 MB
PreferredMaxBytes: 512 KB
Organizations:
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
BlockValidation:
Type: ImplicitMeta
Rule: "ANY Writers"
Channel: &ChannelDefaults
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
Capabilities:
<<: *ChannelCapabilities
Profiles:
TwoOrgsChannel:
Consortium: SampleConsortium
<<: *ChannelDefaults
Application:
<<: *ApplicationDefaults
Organizations:
- *Org1
- *Org2
Capabilities:
<<: *ApplicationCapabilities
SampleMultiNodeEtcdRaft:
<<: *ChannelDefaults
Capabilities:
<<: *ChannelCapabilities
Orderer:
<<: *OrdererDefaults
OrdererType: etcdraft
EtcdRaft:
Consenters:
- Host: orderer.example.com
Port: 7050
ClientTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
ServerTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
- Host: orderer2.example.com
Port: 7050
ClientTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt
ServerTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt
- Host: orderer3.example.com
Port: 7050
ClientTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.crt
ServerTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.crt
- Host: orderer4.example.com
Port: 7050
ClientTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer4.example.com/tls/server.crt
ServerTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer4.example.com/tls/server.crt
- Host: orderer5.example.com
Port: 7050
ClientTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer5.example.com/tls/server.crt
ServerTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer5.example.com/tls/server.crt
Addresses:
- orderer.example.com:7050
- orderer2.example.com:7050
- orderer3.example.com:7050
- orderer4.example.com:7050
- orderer5.example.com:7050
Organizations:
- *OrdererOrg
Capabilities:
<<: *OrdererCapabilities
Application:
<<: *ApplicationDefaults
Organizations:
- <<: *OrdererOrg
Consortiums:
SampleConsortium:
Organizations:
- *Org1
- *Org2
this is my host list:
|order.example.com|182.23.20.1|order|
|peer0.org1.example.com|182.23.20.2|org1|
|peer1.org1.example.com|182.23.20.3|org1|
|peer0.org2.example.com|182.23.20.4|org2|
|peer1.org2.example.com|182.23.20.5|org2|
So here's how I do it
Step one:Generate certificate file
cryptogen generate --config=./crypto-config.yaml
Step two:Create system channels
configtxgen -profile SampleMultiNodeEtcdRaft -outputBlock ../channel-artifacts/orderer.genesis.block -channelID system-channel
Step three:Create application channels
configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ../channel-artifacts/example-channel.tx -channelID example-channel
Step four:Anchor node update
configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ../channel-artifacts/Org1MSPanchors.tx -channelID example-channel -asOrg Org1MSP
configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ../channel-artifacts/Org2MSPanchors.tx -channelID example-channel -asOrg Org2MSP
Step five:Create channels on nodes ,on peer0.org1 nodes
peer channel create -o orderer.example.com:7050 -c example-channel \
-f ./channel-artifacts/example-channel.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/
Step six : join channel and Anchor node update
peer channel join -b example-channel.block
#Anchor node update
peer channel update -o orderer.example.com:7050 -c example-channel -f ./channel-artifacts/Org1MSPanchors.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
This is true of other peer nodes
Step seven:chaincode manager,use fabcar
# 1:gradlew installDist
cd ~/go/src/github.com/hyperledger/example/chaincode/fabcar/java
./gradlew installDist
#2:chaincode package
peer lifecycle chaincode package mycc.tar.gz \
--path /opt/gopath/src/github.com/hyperledger/fabric/peer/chaincode/fabcar/java/build/install/fabcar \
--lang java --label mycc_1
#3:chaincode install
peer lifecycle chaincode install mycc.tar.gz
This is true for all other nodes
I tried using 'peer lifecycle chaincode queryinstalled'the command to execute on each peer and got the following results:
Installed chaincodes on peer:
Package ID: mycc_1:2499940fe909cc71a661bf79a3d78523a43c4d2879f4456e6cbe4a2a5a5e5246, Label: mycc_1
#4:chaincode approveformyorg
export CC_PACKAGE_ID=mycc_1:2499940fe909cc71a661bf79a3d78523a43c4d2879f4456e6cbe4a2a5a5e5246
# cafile path
export CF=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
# cc_name
export CC_NAME=example-channel
peer lifecycle chaincode approveformyorg -o orderer.example.com:7050 \
--channelID $CC_NAME --name mycc --version 1.0 --package-id $CC_PACKAGE_ID --sequence 1 --tls \
--cafile $CF --signature-policy "OR('Org1MSP.peer', 'Org2MSP.peer')"
When I executed the command, there was an error:
Error: failed to send transaction: got unexpected status: NOT_FOUND -- channel does not exist
Finally, there are no error messages in any of the above procedures below the supplement!
Do you have a good solution,think you !!!

Please make sure that you follow all the steps to create the channel properly.
Those steps are:
create the channel transaction artifact using configtxgen
create the channel on network using "peer channel create" command
join the peer on that channel using "peer channel join"
Now when you will give the approval, make sure you use "--channelID" flag in approval time.

It seem to be an error caused by your Orderer Service. Although you define at your configuration file configtx.yaml that you will have 5 orderer nodes, in your logs you only show one: |order.example.com|182.23.20.1|order|. So, it seems that you are not startintg up all those 5 orderers. Have you checked your order.example.com logs?
However, you could try one (or both) of the following changes?
I think that you should try removing the configuration of the rest of the orderers from your configuration files, i.e. you only should have defined the orderer.example.com. Then, you should execute all the steps again. Remember removing the docker containers and volumes created previously.
The second test could be replicating the configuration of the orderer.example.com. You would try to recplicate the definition of the orderer.example.com. Because it seems that you are not defining and starting up the rest of the orderers that you should have running.

Adding custom Node OUs with Hyperledger Fabric

I am trying to add custom Node OU in policy definition inside the configtx.yaml file. The policy definition is present in Application section of configtx.yaml file as follows:
Application: &ApplicationDefaults
# Organizations is the list of orgs which are defined as participants on
# the application side of the network
ACLs: &ACLsDefault
peer/Propose: /Channel/Application/Checkous
Organizations:
# Policies defines the set of policies at this level of the config tree
# For Application policies, their canonical path is
# /Channel/Application/<PolicyName>
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
Checkous:
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.client', 'Org1MSP.dept')"
Capabilities:
<<: *ApplicationCapabilities
I already generated the crypto-material using cryptogen tool. As you can see I am also using the custom policy inside one of the ACLs.
Next, I created the orderer genesis block.
##########################################################
######### Generating Orderer Genesis block ##############
##########################################################
CONSENSUS_TYPE=solo
+ '[' solo == solo ']'
+ configtxgen -profile TwoOrgsOrdererGenesis -channelID byfn-sys-channel -outputBlock ./channel-artifacts/genesis.block
2020-02-17 05:17:01.991 UTC [common.tools.configtxgen] main -> INFO 001 Loading configuration
2020-02-17 05:17:02.150 UTC [common.tools.configtxgen.localconfig] completeInitialization -> INFO 002 orderer type: solo
2020-02-17 05:17:02.150 UTC [common.tools.configtxgen.localconfig] Load -> INFO 003 Loaded configuration: /home/chintanr11/fabric-samples/first-network/configtx.yaml
2020-02-17 05:17:02.309 UTC [common.tools.configtxgen.localconfig] completeInitialization -> INFO 004 orderer type: solo
2020-02-17 05:17:02.309 UTC [common.tools.configtxgen.localconfig] LoadTopLevel -> INFO 005 Loaded configuration: /home/chintanr11/fabric-samples/first-network/configtx.yaml
2020-02-17 05:17:02.311 UTC [common.tools.configtxgen] doOutputBlock -> INFO 006 Generating genesis block
2020-02-17 05:17:02.311 UTC [common.tools.configtxgen] doOutputBlock -> INFO 007 Writing genesis block
+ res=0
+ set +x
Followed by which, when I try to create channel configuration block, I receive the following error:
#################################################################
### Generating channel configuration transaction 'channel.tx' ###
#################################################################
+ configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/channel.tx -channelID mychannel
2020-02-17 05:17:02.346 UTC [common.tools.configtxgen] main -> INFO 001 Loading configuration
2020-02-17 05:17:02.518 UTC [common.tools.configtxgen.localconfig] Load -> INFO 002 Loaded configuration: /home/chintanr11/fabric-samples/first-network/configtx.yaml
2020-02-17 05:17:02.680 UTC [common.tools.configtxgen.localconfig] completeInitialization -> INFO 003 orderer type: solo
2020-02-17 05:17:02.680 UTC [common.tools.configtxgen.localconfig] LoadTopLevel -> INFO 004 Loaded configuration: /home/chintanr11/fabric-samples/first-network/configtx.yaml
2020-02-17 05:17:02.680 UTC [common.tools.configtxgen] doOutputChannelCreateTx -> INFO 005 Generating new channel configtx
2020-02-17 05:17:02.680 UTC [common.tools.configtxgen] main -> FATA 006 Error on outputChannelCreateTx: could not generate default config template: error parsing configuration: could not create application group: error adding policies to application group: invalid signature policy rule 'OR('Org1MSP.admin', 'Org1MSP.client', 'Org1MSP.dept')': Unable to parse numeric value '.' to float64
+ res=1
+ set +x
Failed to generate channel configuration transaction...
NOTE: I have added the definition for this OU in my config.yaml file located at: ~/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/msp. The file looks as follows:
NodeOUs:
Enable: true
ClientOUIdentifier:
Certificate: cacerts/ca.org1.example.com-cert.pem
OrganizationalUnitIdentifier: client
PeerOUIdentifier:
Certificate: cacerts/ca.org1.example.com-cert.pem
OrganizationalUnitIdentifier: peer
AdminOUIdentifier:
Certificate: cacerts/ca.org1.example.com-cert.pem
OrganizationalUnitIdentifier: admin
OrdererOUIdentifier:
Certificate: cacerts/ca.org1.example.com-cert.pem
OrganizationalUnitIdentifier: orderer
DeptOUIdentifier:
Certificate: cacerts/ca.org1.example.com-cert.pem
OrganizationalUnitIdentifier: dept
What does the above error in channel block creation mean and any solution to resolve it?
How to possibly use custom Node OUs in the network using Fabric CA (and not cryptogen)?

You cannot use "custom" NodeOU identifiers. Fabric policies only support the following roles:
$MSPID.admin
$MSPID.member
$MSPID.peer
$MSPID.client
$MSPID.orderer
This means you can only use the built-in Node OU identifiers:
ClientOUIdentifier
PeerOUIdentifier
AdminOUIdentifier
OrdererOUIdentifier

Unable to spinup orderers in Raft consensus in hyperledger Fabric

I am extending the first network example with raft consensus on multiple hosts. When I try to start the orderers, the first orderer starts up but, I can not start any other orderers from both the same organisation and other organisation. The error I get as follows
[common.deliver] deliverBlocks -> WARN 019 [channel:
orderersyschannel] Client authorization revoked for deliver request
from 172.18.0.5:45506: implicit policy evaluation failed - 0
sub-policies were satisfied, but this policy requires 1 of the
'Readers' sub-policies to be satisfied: permission denied 2019-09-23
07:22:52.937 UTC [comm.grpc.server] 1 -> INFO 01a streaming call
completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver
grpc.peer_address=172.18.0.5 :45506
grpc.peer_subject="CN=ord1-org2,OU=orderer,O=Hyperledger,ST=North
Carolina,C=US" grpc.code=OK grpc.call_duration=1.590709ms
2019-09-23 07:22:52.945 UTC [orderer.common.cluster.replication]
fetchLastBlockSeq -> WARN 01b Received status:FORBIDDEN from
ord1-org2.local:7050: forbidden pullin g the channel
2019-09-23 07:22:52.945 UTC [orderer.common.cluster.replication] func1
-> WARN 01c Received error of type 'forbidden pulling the channel' from {ord1-org2.local:7050
I also checked my policies in 'configtx.yaml'
In Organisations section:
Readers:
Type: Signature
Rule: "OR('org2MSP.member', 'org2MSP.admin', 'org2MSP.peer', 'org2MSP.client')"
Writers:
Type: Signature
Rule: "OR('org2MSP.member', 'org2MSP.admin', 'org2MSP.client')"
Admins:
Type: Signature
Rule: "OR('org2MSP.admin')"
in Orderer section I have:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# BlockValidation specifies what signatures must be included in the block
# from the orderer for the peer to validate it.
BlockValidation:
Type: ImplicitMeta
Rule: "ANY Writers"
I am not sure why the policies or not met. Can anyone help me troubleshoot this?

Try by editing this block in your configtx.yaml file and regenerate genesis block.
Profiles:
TwoOrgsOrdererGenesis:
<<: *ChannelDefaults
Orderer:
<<: *OrdererDefaults
Organizations:
- *Org1
**- *Org2**
Capabilities:
<<: *OrdererCapabilities
Consortiums:
SampleConsortium:
Organizations:
- *Org1
- *Org2

Got an error while running first-network example, fabric version 1.2

Env related :
Mac OS High Sierra(version 10.13.6)
Docker version 18.06.1-ce
fabric version 1.2.0 (installed by this command :
curl https://raw.githubusercontent.com/hyperledger/fabric/master/scripts/bootstrap.sh |bash -s 1.2.0)
You will see that there is an err after calling
./byfn.sh up
Log follows:
2018-09-04 02:37:21.047 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 001 Using default escc
2018-09-04 02:37:21.047 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 002 Using default vscc
Error: could not assemble transaction, err Proposal response was not successful, error code 500, msg failed to execute transaction fc42719a6fc35ab6fbd661c80735003b55bf9d3a0d451875fbdc949dc40d05e6: error starting container: error starting container: Get https://registry-1.docker.io/v2/: net/http: TLS handshake timeout
!!!!!!!!!!!!!!! Chaincode instantiation on peer0.org2 on channel 'mychannel' failed !!!!!!!!!!!!!!!!
========= ERROR !!! FAILED to execute End-2-End Scenario ===========
ERROR !!!! Test failed
before that, when I called ./byfn.sh generate, also got some warnings which is not compatable as the tutorial https://hyperledger-fabric.readthedocs.io/en/release-1.2/build_network.html:
/Users/isme/Desktop/hpfbric/fabric-samples/first-network/../bin/configtxgen
##########################################################
######### Generating Orderer Genesis block ##############
##########################################################
+ configtxgen -profile TwoOrgsOrdererGenesis -outputBlock ./channel-artifacts/genesis.block
2018-09-04 10:23:17.293 CST [common/tools/configtxgen] main -> WARN 001 Omitting the channel ID for configtxgen is deprecated. Explicitly passing the channel ID will be required in the future, defaulting to 'testchainid'.
2018-09-04 10:23:17.293 CST [common/tools/configtxgen] main -> INFO 002 Loading configuration
2018-09-04 10:23:17.298 CST [common/tools/configtxgen/encoder] NewChannelGroup -> WARN 003 Default policy emission is deprecated, please include policy specificiations for the channel group in configtx.yaml
2018-09-04 10:23:17.298 CST [common/tools/configtxgen/encoder] NewOrdererGroup -> WARN 004 Default policy emission is deprecated, please include policy specificiations for the orderer group in configtx.yaml
2018-09-04 10:23:17.298 CST [common/tools/configtxgen/encoder] NewOrdererOrgGroup -> WARN 005 Default policy emission is deprecated, please include policy specificiations for the orderer org group OrdererOrg in configtx.yaml
2018-09-04 10:23:17.298 CST [msp] getMspConfig -> INFO 006 Loading NodeOUs
2018-09-04 10:23:17.298 CST [common/tools/configtxgen/encoder] NewOrdererOrgGroup -> WARN 007 Default policy emission is deprecated, please include policy specificiations for the orderer org group Org1MSP in configtx.yaml
2018-09-04 10:23:17.299 CST [msp] getMspConfig -> INFO 008 Loading NodeOUs
2018-09-04 10:23:17.299 CST [common/tools/configtxgen/encoder] NewOrdererOrgGroup -> WARN 009 Default policy emission is deprecated, please include policy specificiations for the orderer org group Org2MSP in configtx.yaml
2018-09-04 10:23:17.299 CST [common/tools/configtxgen] doOutputBlock -> INFO 00a Generating genesis block
2018-09-04 10:23:17.300 CST [common/tools/configtxgen] doOutputBlock -> INFO 00b Writing genesis block
+ res=0
+ set +x
#################################################################
### Generating channel configuration transaction 'channel.tx' ###
#################################################################
+ configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/channel.tx -channelID mychannel
2018-09-04 10:23:17.325 CST [common/tools/configtxgen] main -> INFO 001 Loading configuration
2018-09-04 10:23:17.330 CST [common/tools/configtxgen] doOutputChannelCreateTx -> INFO 002 Generating new channel configtx
2018-09-04 10:23:17.330 CST [common/tools/configtxgen/encoder] NewApplicationGroup -> WARN 003 Default policy emission is deprecated, please include policy specificiations for the application group in configtx.yaml
2018-09-04 10:23:17.330 CST [msp] getMspConfig -> INFO 004 Loading NodeOUs
2018-09-04 10:23:17.330 CST [common/tools/configtxgen/encoder] NewApplicationOrgGroup -> WARN 005 Default policy emission is deprecated, please include policy specificiations for the application org group Org1MSP in configtx.yaml
2018-09-04 10:23:17.330 CST [msp] getMspConfig -> INFO 006 Loading NodeOUs
2018-09-04 10:23:17.331 CST [common/tools/configtxgen/encoder] NewApplicationOrgGroup -> WARN 007 Default policy emission is deprecated, please include policy specificiations for the application org group Org2MSP in configtx.yaml
2018-09-04 10:23:17.331 CST [common/tools/configtxgen] doOutputChannelCreateTx -> INFO 008 Writing new channel tx
+ res=0
+ set +x