My chaincode was instantiated with the following command:
peer chaincode instantiate -o orderer1.example.com:7050 --tls true --cafile <cafile> -C mychannel
-n mycc -l java -v 1.0 -c '{"Args":[]}' -P "OR ('Org1MSP.member')"
I would like to change the endorsement policy such that all peers in the organization are required for endorsement; currently I have two peers, but the number is set to increase.
What I do for now is the following procedure:
Step one: install the same chaincode with a different version name.
peer chaincode install -n mycc -v <version> -l java -p /opt/gopath/src/github.com/chaincode
Step two: upgrade the chaincode using the following command:
peer chaincode upgrade -o orderer1.example.com:7050 --tls true --cafile <cafile> -C mychannel
-n mycc -l java -v <version> -c '{"Args":[]}' -P "OutOf(2, 'Org1MSP.member')"
-peerAddresses peer1.org1.example.com:7051 -peerAddresses peer2.org1.example.com:7051
However, I am unable to achieve my desired outcome. Under the current endorsement policy, when I use my my client to submit a transaction, it is committed after a while. After I change the policy, my transaction is no longer automatically accepted, and the logs reflect this with the following error message:
VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode
mycc in tx 132:0 failed: signature set did not satisfy policy
So while I am able to stop the auto-acceptance of transactions, now I find myself unable to validate any transaction.
The procedure I follow in changing the chaincode endorsement policy, is it correct?
Does my endorsement policy do what I intend to do?
How come I am no longer able to validate transactions?
EDIT: I changed my logging spec to the one suggested by Jason Yellick. I think I found some debug which might provide insight:
<time> [cauthdsl] func1 -> DEBU 4bd 0xc0004e4050 gate 1594275943563937246 evaluation starts
<time> [cauthdsl] func2 -> DEBU 4be 0xc0004e4050 signed by 0 principal evaluation starts (used [false])
<time> [cauthdsl] func2 -> DEBU 4bf 0xc0004e4050 processing identity 0 with bytes of 1159660
<time> [cauthdsl] func2 -> DEBU 4c0 0xc0004e4050 principal matched by identity 0
<time> [cauthdsl] func2 -> DEBU 4c1 0xc0004e4050 principal evaluation succeeds for identity 0
<time> [cauthdsl] func2 -> DEBU 4c2 0xc0004e4050 signed by 1 principal evaluation starts (used [true])
<time> [cauthdsl] func2 -> DEBU 4c3 0xc0004e4050 skipping identity 0 because it has already been used
<time> [cauthdsl] func2 -> DEBU 4c4 0xc0004e4050 principal evaluation fails
<time> [cauthdsl] func1 -> DEBU 4c5 0xc0004e4050 gate 1594275943563937246 evaluation fails
<time> [vscc] Validate -> ERRO 4c6 VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode myteacc in tx 140:0 failed: signature set did not satisfy policy
<time> [vscc] Validate -> DEBU 4c7 block 140, namespace: myteacc, tx 0 validation results is: validation of endorsement policy for chaincode myteacc in tx 140:0 failed: signature set did not satisfy policy
<time> [committer.txvalidator] ValidateWithPlugin -> DEBU 4c8 Transaction 1d8f66a10658c3d808ad4ce0feef9fd5c13816187a39fcedc8a32ce91016df0d appears to be invalid: validation of endorsement policy for chaincode myteacc in tx 140:0 failed: signature set did not satisfy policy
<time> [committer.txvalidator] validateTx -> ERRO 4c9 VSCCValidateTx for transaction txId = 1d8f66a10658c3d808ad4ce0feef9fd5c13816187a39fcedc8a32ce91016df0d returned error: validation of endorsement policy for chaincode myteacc in tx 140:0 failed: signature set did not satisfy policy
<time> [committer.txvalidator] validateTx -> DEBU 4ca [isprintchannel] validateTx completes for block 0xc0026306c0 env 0xc00245e190 txn 0
This is with policy set to AND('Org1MSP.member','Org1MSP.member')
Your endorsement policy is unsatisfiable. In your upgrade command:
peer chaincode upgrade -o orderer1.example.com:7050 --tls true
--cafile <cafile> -C mychannel -n mycc -l java -v <version>
-c '{"Args":[]}' -P "OutOf(2, 'Org1MSP.member')"
-peerAddresses peer1.org1.example.com:7051 -peerAddresses
peer2.org1.example.com:7051
you can see that your policy is:
-P "OutOf(2, 'Org1MSP.member')"
This endorsement policy is requiring that "2 out of 1 identities must sign". This can never be satisfied, as you can never have more signatures than principles. It is essentially saying "Of 1 thing, pick 2 of them", which is a contradiction. If you really want to require two peers from the same organization, then you would want to write:
-P "OutOf(2, 'Org1MSP.member', 'Org1MSP.member')"
Or, you could have simply used the AND syntax:
-P "AND('Org1MSP.member', 'Org1MSP.member')"
I would note, it's unusual to require multiple peers from the same organization to endorse, and if you go this route, you need to be careful in your certificate management. In particular, if you are using the fabric-ca, you must ensure that the peer identity can only enroll once, otherwise it could re-enroll and now have two valid identities, and be able to pretend to be two different peers. Similarly, if the identity must be re-issued, be careful to ensure that the old certificate is revoked.
You might consider instead defining a second logical organization and writing your policies using the two distinct logical organizations such as:
-P "AND('Org1MSP.member', 'Org2MSP.member')"
This is a much more conventional way to operate Fabric.
Related
I'm executing tutorials on Hyperledger Fabric First Network (version 1.4) and I get an unexpected error when trying to change max_message_count variable from 10 to 20 in channel configuration.
I'm using this tutorial: https://hyperledger-fabric.readthedocs.io/en/release-1.4/channel_update_tutorial.html
Obviously, I don't change the Org list to the channel as in tutorial, I only change the parameter:
cat config.json | sed 's/"max_message_count": 10/"max_message_count": 20/g' > new_config.json
Then I Execute the encoding of new and old configuration in protobuffer, compute update, decode update to json, added envelope and recode envelope to protobuffer. It is okay.
Then I sign the update with both organization and tries to update, but it gives me this error:
Error: got unexpected status: BAD_REQUEST -- error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/BatchSize not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
This is the decoded update, as you can see is signed by both Org1MSP and Org2MSP: https://controlc.com/486d638a
These are the logs from orderer:
2020-12-10 17:28:04.282 UTC [cauthdsl] deduplicate -> WARN 01c De-duplicating identity [Org2MSPd2b5a4f881b520ad90a0ae5db7bd0b5362fae2d5916d972751da9bd35fb97f9b] at index 2 in signature set
2020-12-10 17:28:04.282 UTC [orderer.common.broadcast] ProcessMessage -> WARN 01d [channel: mychannel] Rejecting broadcast of config message from 172.20.0.7:56874 because of error: error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/BatchSize not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
Self-Answer.
This type of modification needs the sign of the orderer:
export CORE_PEER_ADDRESS=orderer.example.com:7050
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/users/Admin\#example.com/msp/
peer channel signconfigtx -f org3_update_in_envelope.pb
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
export CORE_PEER_LOCALMSPID=OrdererMSP
peer channel update -f org3_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.example.com:7050 --tls --cafile $ORDERER_CA
I have set my endorsement policy as "AND ('Org1MSP.peer','OrgMainMSP.peer')" that means I need certificates of both the organizations to perform transactions successfully.
Transaction Performed as below:
peer chaincode invoke -o orderer0.org.com:7050 --tls --cafile
/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/org.com/orderers/orderer0.org.com/msp/tlscacerts/tlsca.org.com-cert.pem
-n accessControl --peerAddresses peer0.org-main.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org-main.com/peers/peer0.org-main.com/tls/ca.crt
--peerAddresses peer0.org1.com:10051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.com/peers/peer0.org1.com/tls/ca.crt
-c '{"Args":[]}'
It worked all fine. Successfully committed a new block and can be seen on the couchdb as well. But when I send the transaction removing one of the certificate as can be seen below:
"peer chaincode invoke -o orderer0.org.com:7050 --tls --cafile
/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/org.com/orderers/orderer0.org.com/msp/tlscacerts/tlsca.org.com-cert.pem
-n accessControl --peerAddresses peer0.org-main.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org-main.com/peers/peer0.org-main.com/tls/ca.crt
-c '{"Args":[]}' "
New block is committed with a transaction but marked as invalid by the committer with following error message on the logs
peer0.org-main.com | 2020-03-20 07:59:30.868 UTC [vscc] Validate ->
ERRO 094 VSCC error: stateBasedValidator.Validate failed, err
validation of endorsement policy for chaincode accessControl in tx 7:0
failed: signature set did not satisfy policy
peer0.org-main.com | 2020-03-20 07:59:30.868 UTC [valimpl]
preprocessProtoBlock -> WARN 097 Channel [myc]: Block [7] Transaction
index [0] TxId
[01246b27c11f94124aee3c4ac84a011be51a26aaa50fc28f1d6f5f5a8860c079]
marked as invalid by committer. Reason code
[ENDORSEMENT_POLICY_FAILURE]
peer0.org-main.com | 2020-03-20 07:59:31.156 UTC [kvledger]
CommitWithPvtData -> INFO 098 [myc] Committed block [7] with 1
transaction(s) in 287ms (state_validation=0ms
block_and_pvtdata_commit=220ms state_commit=17ms)
commitHash=[9d52225ddbc8f6f98edd37388cbcf369fea22666b9ec1cff1a91debdebc2d2a1]
And when I again submit the transaction passing both the certificates, It throws an error as
Error: could not assemble transaction: ProposalResponsePayloads do not
match - proposal response: version:1 response status:200 payload:...
>
The problem here is that if I mistakenly call invoke function passing only one certificate of an organization (endorsement policy failure) then I am not able to further transactions.
Transaction signed according the endorsement policy.
That's OK. Block committed and state updated.
Transaction signatures do not match the endorsement policy.
That's OK. Your client better doesn't try to commit that transaction, but if it does, a new block is committed with an invalid transaction and state is not updated.
ProposalResponsePayloads do not match.
Now the problem is different. I don't think it has relationship with previous transaction. The signatures are the expected ones, but you are composing a transaction with 2 transaction proposals that do not match. Their response or writeset is not the same. Be sure that you are not using external calls, random numbers, timestamps (other than the ones for the transaction or block) or similar values in your chaincode that might not match in both endorsements. Of course, transaction is invalidated, but a new block is committed.
I have a little network up in Hyperledger Fabric 1.4 which is very similar to the basic-network from the examples.
It has:
One orderer organization with orderer peer
One Hospital organization with two peers.
A single channel on which the peers of the hospital are.
I tried to write a very simple demo smart contract/chaincode and have it invoked.
(The smart contract is called bananascc)
Running from the docker container cli /bin/bash associated to a peer0.hospital1.health.com peer, I successfully install and instantiate:
peer chaincode install -n bananascc -v 1.0 -l node -p /opt/gopath/src/github.com/chaincode/chaincode_bananas/node
peer chaincode instantiate -o orderer.health.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/health.com/orderers/orderer.health.com/msp/tlscacerts/tlsca.health.com-cert.pem -C hospital1channel -n bananascc -l node -v 1.0 -c '{"Args":["init","edo","100"]}' -P "OR ('Hospital1MSP.admin', 'Hospital1MSP.peer' )"
With policy -P "OR ('Hospital1MSP.admin', 'Hospital1MSP.peer' )"
But when I try to invoke the chaincode, the transaction is sent successfully but the operation is not executed, as I get a
peer0.hospital1.health.com | 2019-03-06 10:36:44.525 UTC [vscc] Validate -> ERRO 07e VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode bananascc in tx 6:0 failed: signature set did not satisfy policy
peer0.hospital1.health.com | 2019-03-06 10:36:44.525 UTC [committer.txvalidator] validateTx -> ERRO 07f VSCCValidateTx for transaction txId = d6726e0b2daf11d0e3ef24e86fa0e7a5530f2d98dcc4ad1f0d266ca642be1ee3 returned error: validation of endorsement policy for chaincode bananascc in tx 6:0 failed: signature set did not satisfy policy
I reckon that the transaction has to be evaluated against a valid signature set, but I can't understand where I can specify this, or why it should be wrong according to VSCC.
I'd be very happy if anyone could help me figure out. I have already broadly looked for an answer which I haven't found.
Let me know if you need other information on the issue.
Thank you very much.
The problem is probably caused by the order of instantiating the policies.
Can you simply swap the declaration to:
peer chaincode instantiate -o orderer.health.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/health.com/orderers/orderer.health.com/msp/tlscacerts/tlsca.health.com-cert.pem -C hospital1channel -n bananascc -l node -v 1.0 -c '{"Args":["init","edo","100"]}' -P "OR ('Hospital1MSP.peer','Hospital1MSP.admin')"
To avoid this pitfall, identities should be specified from most privileged to least privileged in the policy identities specification, and signatures should be ordered from least privileged to most privileged in the signature set.
Read here: https://hyperledger-fabric.readthedocs.io/en/release-1.4/policies.html
If there is only one organization, does not make sense the need of a policy (only used between organizations), so I removed and it worked!
My code line:
peer chaincode instantiate -o orderer.orgX.com:7050 --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA -C $CHANNEL_NAME -n mycc -l ${LANGUAGE} -v 1.0 -c '{"Args":["init","a","100","b","200"]}' >&log.txt
I am trying to build Hyperledger network like balanace-transfer from fabric-samples.
I have error
status: 'BAD_REQUEST',
- info: 'Error authorizing update: Error validating DeltaSet: Policy for [Groups] /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining'
docker logs orderer.exmaple.com output
.
-2018-06-26 14:41:04.631 UTC [policies] Evaluate -> DEBU 120 Signature set did not satisfy policy /Channel/Application/Gov1MSP/Admins
-2018-06-26 14:41:04.631 UTC [policies] Evaluate -> DEBU 121 == Done Evaluating *cauthdsl.policy Policy /Channel/Application/Gov1MSP/
-2018-06-26 14:41:04.631 UTC [policies] func1 -> DEBU 122 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ Gov1MSP.Admins ]
-2018-06-26 14:41:04.631 UTC [policies] Evaluate -> DEBU 123 Signature set did not satisfy policy /Channel/Application/ChannelCreationPolicy
-2018-06-26 14:41:04.631 UTC [policies] Evaluate -> DEBU 124 == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Application/ChannelCreationPolicy
-2018-06-26 14:41:04.631 UTC [orderer/common/broadcast] Handle -> WARN 125 [channel: usachannel] Rejecting broadcast of config message from 172.18.0.1:46638 because of error: Error authorizing update: Error validating DeltaSet: Policy for [Groups] /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
-2018-06-26 14:41:04.631 UTC [orderer/common/server] func1 -> DEBU 126 Closing Broadcast stream
I generate artifacts with cryptogen and configtxgen
I know that this error comes with wrong certificates when trying to create a channel
I can create channel, join peer, add new peers and add new channels with cli, e.g. same step with cli
docker exec -e "CORE_PEER_LOCALMSPID=Org1MSP" -e "CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin#org1.example.com/msp" peer0.org1.example.com peer channel create -o orderer.example.com:7050 -c usachannel -f /etc/hyperledger/configtx/channel.tx works properly
Thank you for your help
I am running hyper-ledger fabric on an ubuntu VM on a Mac OSX running Parallels, downloaded docker, got everything setup, but when running the first network example (command ./byfn.sh -m up) I am getting this error
===================== Chaincode is installed on remote peer PEER2 =====================
Instantiating chaincode on org2/peer2...
CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt
CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
CORE_PEER_LOCALMSPID=Org2MSP
CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
CORE_PEER_TLS_ENABLED=true
CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin#org2.example.com/msp
CORE_PEER_ID=cli
CORE_LOGGING_LEVEL=DEBUG
CORE_PEER_ADDRESS=peer0.org2.example.com:7051
2017-09-07 20:15:16.984 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing local MSP
2017-09-07 20:15:16.984 UTC [msp] GetDefaultSigningIdentity -> DEBU 002 Obtaining default signing identity
2017-09-07 20:15:16.987 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 003 Using default escc
2017-09-07 20:15:16.987 UTC [chaincodeCmd] checkChaincodeCmdParams -> INFO 004 Using default vscc
2017-09-07 20:15:16.988 UTC [msp/identity] Sign -> DEBU 005 Sign: plaintext: 0A91070A6708031A0C08D4D1C6CD0510...324D53500A04657363630A0476736363
2017-09-07 20:15:16.988 UTC [msp/identity] Sign -> DEBU 006 Sign: digest: 17D7F0C37473394040F19251CCA253B1ECA95F7AD65AF27EFA92DE1F10D94A9B
Error: Error endorsing chaincode: rpc error: code = Unknown desc = Error starting container: Get https://registry-1.docker.io/v2/hyperledger/fabric-baseos/manifests/x86_64-0.3.2: dial tcp: lookup registry-1.docker.io on 127.0.1.1:53: read udp 127.0.0.1:54547->127.0.1.1:53: i/o timeout
Usage:
peer chaincode instantiate [flags]
Flags:
-C, --channelID string The channel on which this command should be executed (default "testchainid")
-c, --ctor string Constructor message for the chaincode in JSON format (default "{}")
-E, --escc string The name of the endorsement system chaincode to be used for this chaincode
-l, --lang string Language the chaincode is written in (default "golang")
-n, --name string Name of the chaincode
-P, --policy string The endorsement policy associated to this chaincode
-v, --version string Version of the chaincode specified in install/instantiate/upgrade commands
-V, --vscc string The name of the verification system chaincode to be used for this chaincode
Global Flags:
--cafile string Path to file containing PEM-encoded trusted certificate(s) for the ordering endpoint
--logging-level string Default logging level and overrides, see core.yaml for full syntax
-o, --orderer string Ordering service endpoint
--test.coverprofile string Done (default "coverage.cov")
--tls Use TLS when communicating with the orderer endpoint
!!!!!!!!!!!!!!! Chaincode instantiation on PEER2 on channel 'mychannel' failed !!!!!!!!!!!!!!!!
========= ERROR !!! FAILED to execute End-2-End Scenario ===========
Error: Error endorsing chaincode: rpc error: code = Unknown desc = Error starting container: Get https://registry-1.docker.io/v2/hyperledger/fabric-baseos/manifests/x86_64-0.3.2: dial tcp: lookup registry-1.docker.io on 127.0.1.1:53: read udp 127.0.0.1:54547->127.0.1.1:53: i/o timeout
Like it says in the error you have a connectivity problem from your VM, seems connection to external IPs is lagging.