I was setting up Hyperledger Caliper to test a fabcar network and got an ECONNREFUSED error multiple times. It said that it failed to enroll admin.
I set up the test network using ./startFabric.sh javascript in the fabcar repo of fabric-samples.
Then I used docker-compose to start Caliper (used docker-compose up in caliper-benchmarks).
This is the docker-compose file that I used:
version: '2'
services:
  caliper:
    container_name: caliper
    image: hyperledger/caliper:0.3.2
    command: launch master --caliper-flow-only-test --caliper-fabric-gateway-usegateway --caliper-fabric-gateway-discovery
    environment:
      - CALIPER_BIND_SUT=fabric:2.1.0
      - CALIPER_BENCHCONFIG=benchmarks/samples/fabric/fabcar/config1.yaml
      - CALIPER_NETWORKCONFIG=networks/fabric/network-config.yaml
    volumes:
      - ~/caliper-benchmarks:/hyperledger/caliper/workspace
    networks:
      - net_test
networks:
  net_test:
    external: "true"
This was my network-config.yaml file:
name: Fabric
version: "1.0"
mutual-tls: false
caliper:
  blockchain: fabric
  #command:
    #start: export FABRIC_VERSION=2.1.0;export FABRIC_CA_VERSION=1.4.4;docker-compose -f networks/fabric/naman/docker-compose/2org1peercouchdb_solo_raft/docker-compose-tls.yaml up -d;sleep 3s
    #end: docker-compose -f networks/fabric/naman/docker-compose/2org1peercouchdb_solo_raft/docker-compose-tls.yaml down;(test -z \"$(docker ps -aq)\") || docker rm $(docker ps -aq);(test -z \"$(docker images dev* -q)\") || docker rmi $(docker images dev* -q);rm -rf /tmp/hfc-*
info:
  Version: 2.1.0
  Size: 2 Orgs with 1 Peer
  Orderer: Raft
  Distribution: Single Host
  StateDB: CouchDB
clients:
  admin.Org1:
    client:
      organization: Org1
      connection:
        timeout:
          peer:
            endorser: 300
          orderer: 300
      #credentialStore:
        #path: /tmp/hfc-kvs/org1
        #cryptoStore:
          #path: /tmp/hfc-cvs/org1
      #clientPrivateKey:
        #path: networks/fabric/naman/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp/keystore/40fa9f923f527b11be8c05bb1a2d166a5c2cc43ee2d425b53cdb82836479206d_sk
      #clientSignedCert:
        #path: networks/fabric/naman/peerOrganizations/org1.example.com/users/User1@org1.example.com/msp/signcerts/cert.pem
  admin.Org2:
    client:
      organization: Org2
      connection:
        timeout:
          peer:
            endorser: 300
          orderer: 300
      #credentialStore:
        #path: /tmp/hfc-kvs/org2
        #cryptoStore:
          #path: /tmp/hfc-cvs/org2
      #clientPrivateKey:
        #path: networks/fabric/naman/peerOrganizations/org2.example.com/users/User1@org2.example.com/msp/keystore/cdc22e2ec274bf9d5ec0700b420c5e7423a2be73112f3bdc6565d7d45f9ae643_sk
      #clientSignedCert:
        #path: networks/fabric/naman/peerOrganizations/org2.example.com/users/User1@org2.example.com/msp/signcerts/cert.pem
  User1:
    client:
      organization: Org1
      connection:
        timeout:
          peer:
            endorser: 300
          orderer: 300
  User2:
    client:
      organization: Org2
      connection:
        timeout:
          peer:
            endorser: 300
          orderer: 300
wallet: networks/wallet
channels:
  mychannel:
    configBinary: networks/mychannel.tx
    created: true
    #definition:
      #capabilities: []
      #consortium: 'SampleConsortium'
      #msps: ['Org1MSP', 'Org2MSP']
      #version: 0
    orderers:
      - orderer.example.com
    peers:
      peer0.org1.example.com:
        eventSource: true
      peer0.org2.example.com:
        eventSource: true
      #peer1.org1.example.com:
        #eventSource: true
      #peer1.org2.example.com:
        #eventSource: true
    chaincodes:
      #- id: marbles
      #  version: v0
      #  language: node
      #  path: src/fabric/naman/samples/marbles/node
      #  metadataPath: src/fabric/naman/samples/marbles/node/metadata
      - id: fabcar_1
        version: "1.0"
        language: node
        path: src/fabric/samples/fabcar/javascript1
organizations:
  Org1:
    mspid: Org1MSP
    peers:
      - peer0.org1.example.com
    certificateAuthorities:
      - ca.org1.example.com
    adminPrivateKey:
      path: networks/fabric/naman/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/5f63f8056561fdd7e62566d62d3f3fddeff12836e3151ec160ef228df008e56b_sk
    signedCert:
      path: networks/fabric/naman/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/signcerts/cert.pem
  Org2:
    mspid: Org2MSP
    peers:
      - peer0.org2.example.com
      #- peer1.org2.example.com
    certificateAuthorities:
      - ca.org2.example.com
    adminPrivateKey:
      path: networks/fabric/naman/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/fc78c38deead140e8164625a839c44966371fcb17608362c2c78a506670bd290_sk
    signedCert:
      path: networks/fabric/naman/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/signcerts/cert.pem
orderers:
  orderer.example.com:
    url: grpcs://localhost:7050
    grpcOptions:
      ssl-target-name-override: orderer.example.com
    tlsCACerts:
      path: networks/fabric/naman/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
peers:
  peer0.org1.example.com:
    url: grpcs://localhost:7051
    tlsCACerts:
      pem: |
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
    grpcOptions:
      ssl-target-name-override: peer0.org1.example.com
      hostnameOverride: peer0.org1.example.com
  peer0.org2.example.com:
    url: grpcs://localhost:9051
    tlsCACerts:
      pem: |
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
    grpcOptions:
      ssl-target-name-override: peer0.org2.example.com
      hostnameOverride: peer0.org2.example.com
certificateAuthorities:
  ca.org1.example.com:
    url: https://localhost:7054
    caName: ca-org1
    tlsCACerts:
      pem: |
-----BEGIN CERTIFICATE-----
MIICJjCCAc2gAwIBAgIUOKOEL9yThPFiI22Rj2ehP2/8BpEwCgYIKoZIzj0EAwIw
cDELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMQ8wDQYDVQQH
EwZEdXJoYW0xGTAXBgNVBAoTEG9yZzEuZXhhbXBsZS5jb20xHDAaBgNVBAMTE2Nh
Lm9yZzEuZXhhbXBsZS5jb20wHhcNMjAwNjMwMDcxNjAwWhcNMzUwNjI3MDcxNjAw
WjBwMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xpbmExDzANBgNV
BAcTBkR1cmhhbTEZMBcGA1UEChMQb3JnMS5leGFtcGxlLmNvbTEcMBoGA1UEAxMT
Y2Eub3JnMS5leGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHeO
KBmJfaW5TmEVYDJPFUuibx8O+ju3qhHIXFbCnfjz91WnoIUhQXxtfs2Ajyr2ywWk
N9T15plIKgGBe5YZB6+jRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAG
AQH/AgEBMB0GA1UdDgQWBBQYlGorkJ3HFJu/uGPNy753+gbMmDAKBggqhkjOPQQD
AgNHADBEAiAe2nP1fUp4UtqMqVEyd9yzMPNbMBjVA3pFtsw5AThu6AIgPF30jUUm
Ey2vOMKY6mmfZalsJIcyp6ysxPfDaMnq09I=
-----END CERTIFICATE-----
    httpOptions:
      verify: false
    registrar:
      - enrollId: admin
        enrollSecret: adminpw
  ca.org2.example.com:
    url: https://localhost:8054
    caName: ca-org2
    tlsCACerts:
      pem: |
-----BEGIN CERTIFICATE-----
MIICHzCCAcWgAwIBAgIUGyDeO2bl0XWI29+/h+MNiybkdaowCgYIKoZIzj0EAwIw
bDELMAkGA1UEBhMCVUsxEjAQBgNVBAgTCUhhbXBzaGlyZTEQMA4GA1UEBxMHSHVy
c2xleTEZMBcGA1UEChMQb3JnMi5leGFtcGxlLmNvbTEcMBoGA1UEAxMTY2Eub3Jn
Mi5leGFtcGxlLmNvbTAeFw0yMDA2MzAwNzE2MDBaFw0zNTA2MjcwNzE2MDBaMGwx
CzAJBgNVBAYTAlVLMRIwEAYDVQQIEwlIYW1wc2hpcmUxEDAOBgNVBAcTB0h1cnNs
ZXkxGTAXBgNVBAoTEG9yZzIuZXhhbXBsZS5jb20xHDAaBgNVBAMTE2NhLm9yZzIu
ZXhhbXBsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQlkzwJM7JneAQo
VVrvGGJSzhIryum1oXjNEx01rlc0IawgRzMZdeD10kPIFc0xnTyfCwIJCoVNnS/B
cCuU/WvFo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAd
BgNVHQ4EFgQUG68pu74VjkUe6MxLutjnBKC0VvowCgYIKoZIzj0EAwIDSAAwRQIh
AKH17YHSHWrGSbwHMNt7TtnQo/IpKyr2P10jHKIVgEoKAiBNic1oFFzyO/xV74ju
8Al0TaGFj222ThdzyT3JrZyGqw==
-----END CERTIFICATE-----
    httpOptions:
      verify: false
    registrar:
      - enrollId: admin
        enrollSecret: adminpw
This is the benchmark-config file used:
---
test:
  workers:
    type: local
    number: 1
  rounds:
    - label: Query all cars.
      txDuration: 30
      rateControl:
        type: fixed-backlog
        opts:
          unfinished_per_client: 5
      arguments:
        assets: 10
        startKey: '1'
        endKey: '50'
      callback: benchmarks/samples/fabric/fabcar/queryAllCars.js
    - label: Query a car.
      txDuration: 30
      rateControl:
        type: fixed-backlog
        opts:
          unfinished_per_client: 5
      arguments:
        assets: 10
      callback: benchmarks/samples/fabric/fabcar/queryCar.js
    - label: Create a car.
      txDuration: 30
      rateControl:
        type: fixed-backlog
        opts:
          unfinished_per_client: 5
      callback: benchmarks/samples/fabric/fabcar/createCar.js
monitor:
  type:
    - docker
  docker:
    name:
      - all
  interval: 1
This is the error I was getting:
caliper | 2020-06-26T14:15:31.749Z - error: [FabricCAClientService.js]: Failed to enroll admin, error:%o message=Calling enrollment endpoint failed with error [Error: connect ECONNREFUSED 127.0.0.1:7054], stack=Error: Calling enrollment endpoint failed with error [Error: connect ECONNREFUSED 127.0.0.1:7054]
caliper | at ClientRequest.request.on (/home/node/.npm-global/lib/node_modules/fabric-ca-client/lib/FabricCAClient.js:484:12)
caliper | at ClientRequest.emit (events.js:198:13)
caliper | at TLSSocket.socketErrorListener (_http_client.js:392:9)
caliper | at TLSSocket.emit (events.js:198:13)
caliper | at emitErrorNT (internal/streams/destroy.js:91:8)
caliper | at emitErrorAndCloseNT (internal/streams/destroy.js:59:3)
caliper | at process._tickCallback (internal/process/next_tick.js:63:19)
I was using fabric 2.1.0 and caliper 0.3.2. I specified net-test in docker-compose to make sure caliper container is in the same network as fabric.
Can someone please help?
Help me please! I have a Hyperledger Fabric network with this configuration:
ca-tls
rca-org0
rca-org1
rca-org2
orderer1-org0 (solo)
peer1-org1
peer2-org1
peer1-org2
peer2-org2
I have this config.yaml file:
name: "Network"
version: "1.0"
channels:
  mychannel:
    orderers:
      - orderer1-org0
    peers:
      peer1-org1:
        endorsingPeer: true
        chaincodeQuery: true
        ledgerQuery: true
        eventSource: true
        discover: true
      peer2-org1:
        endorsingPeer: false
        chaincodeQuery: true
        ledgerQuery: true
        eventSource: true
        discover: false
      peer1-org2:
        endorsingPeer: true
        chaincodeQuery: true
        ledgerQuery: true
        eventSource: true
        discover: true
      peer2-org2:
        endorsingPeer: false
        chaincodeQuery: true
        ledgerQuery: true
        eventSource: true
        discover: false
organizations:
  org0:
    mspid: org0MSP
    orderers:
      - orderer1-org0
    certificateAuthorities:
      - rca-org0
    adminPrivateKey:
      path: path/to/org0/admin/msp/keystore/key.pem
    signCert:
      path: path/to/org0/admin/msp/signcerts/cert.pem
  org1:
    mspid: org1MSP
    peers:
      - peer1-org1
      # - peer2-org1
    certificateAuthorities:
      - rca-org1
    adminPrivateKey:
      path: path/to/org1/admin/msp/keystore/key.pem
    signedCert:
      path: path/to/org1/admin/msp/signcerts/cert.pem
  org2:
    mspid: org2MSP
    peers:
      - peer1-org2
      # - peer2-org2
    certificateAuthorities:
      - rca-org2
    adminPrivateKey:
      path: path/to/org2/admin/msp/keystore/key.pem
    signedCert:
      path: path/to/org2/admin/msp/signcerts/cert.pem
orderers:
  orderer1-org0:
    url: grpcs://orderer1-org0:7050
    grpcOptions:
      ssl-target-name-override: orderer1-org0
      grpc-max-send-message-length: 4194304
    tlsCACerts:
      path: path/to/org0/msp/tlscacerts/tls-ca-cert.pem
peers:
  peer1-org1:
    url: grpcs://172.19.0.9:7051
    grpcOptions:
      ssl-target-name-override: peer1-org1
      grpc.keepalive_time_ms: 600000
    tlsCACerts:
      path: path/to/org0/msp/tlscacerts/tls-ca-cert.pem
  peer2-org1:
    url: grpcs://172.19.0.9:7051
    grpcOptions:
      ssl-target-name-override: peer2-org1
      grpc.keepalive_time_ms: 600000
    tlsCACerts:
      path: path/to/org0/msp/tlscacerts/tls-ca-cert.pem
  peer1-org2:
    url: grpcs://172.19.0.9:7051
    grpcOptions:
      ssl-target-name-override: peer1-org2
      grpc.keepalive_time_ms: 600000
    tlsCACerts:
      path: path/to/org0/msp/tlscacerts/tls-ca-cert.pem
  peer2-org2:
    url: grpcs://172.19.0.9:7051
    grpcOptions:
      ssl-target-name-override: peer2-org2
      grpc.keepalive_time_ms: 600000
    tlsCACerts: path/to/org0/msp/tlscacerts/tls-ca-cert.pem
certificateAuthorities:
  ca-tls:
    url: https://0.0.0.0:7062
    httpOptions:
      verify: false
    tlsCACerts:
      path: path/to/org0/msp/tlscacerts/tls-ca-cert.pem
    registrar:
      - enrollId: tls-ca-admin
        enrollSecret: tls-ca-adminpw
    caName: ca-tls
  rca-org0:
    url: https://0.0.0.0:7063
    httpOptions:
      verify: false
    tlsCACerts:
      path: path/to/org0/msp/tlscacerts/tls-ca-cert.pem
    registrar:
      - enrollId: rca-org0-admin
        enrollSecret: rca-org0-adminpw
    caName: rca-org0
  rca-org1:
    url: https://0.0.0.0:7064
    httpOptions:
      verify: false
    tlsCACerts:
      path: path/to/org0/msp/tlscacerts/tls-ca-cert.pem
    registrar:
      - enrollId: rca-org1-admin
        enrollSecret: rca-org1-adminpw
    caName: rca-org1
  rca-org2:
    url: https://0.0.0.0:7065
    httpOptions:
      verify: false
    tlsCACerts:
      path: path/to/org0/msp/tlscacerts/tls-ca-cert.pem
    registrar:
      - enrollId: rca-org2-admin
        enrollSecret: rca-org2-adminpw
    caName: rca-org2
My API code below:
// create mychannel instance
let channel = new Channel('mychannel', client1);
// get certificates from couchdb wallet
let couchdbWallet = await Wallets.newCouchDBWallet("http://xxxxx:xxxxxxx@localhost:5984");
let user5 = await couchdbWallet.get('user5');
if (user5) {
    let user5Cert = user5.credentials.certificate;
    let user5Key = user5.credentials.privateKey;
    let mspId = 'org1MSP';
    await client1.initCredentialStores();
    let cryptoSuite = client1.getCryptoSuite();
    let keyObj = await cryptoSuite.importKey(user5Key);
    let user5PubKey = keyObj._key.pubKeyHex;
    let user5PrvKeyHex = keyObj._key.prvKeyHex;
    let signer = new Signer(cryptoSuite, keyObj);
    // create instance of signing identity
    let signingIdentity = new SigningIdentity(
        user5Cert,
        user5PubKey,
        'org1MSP',
        cryptoSuite,
        signer
    );
    // 1. generate unsigned transaction proposal
    let transactionProposal = {
        fcn: 'Mint',
        args: ['1000'],
        chaincodeId: 'token-erc-20',
        channelId: 'mychannel'
    }
    let { proposal, txId } = await channel.generateUnsignedProposal(
        transactionProposal,
        mspId,
        user5Cert,
        true
    );
    console.log('*******proposal*****:\n', proposal);
    console.log('*******Tx Id******\n', txId);
    // now we have the 'unsigned proposal' for this tx
    // 2. calculate the hash of the tx proposal bytes
    let proposalBytes = proposal.toBuffer(); // the proposal comes from step 1
    // 3. calculate the signature for this tx proposal
    let signedProposal = signingIdentity.sign(proposalBytes);
    console.log('********signedProposal********\n:', signedProposal);
    // 4. send the signed tx proposal to peer(s)
    let tlscaRootCert = readFileSync(tlscaRootCertPATH, { encoding: 'utf-8' });
    console.log('tlscaRootCert: ', typeof tlscaRootCert);
    let peer1org1 = client1.newPeer('grpcs://172.19.0.9:7051',
        {
            pem: tlscaRootCert,
        }
    );
    let targets = new Array();
    targets.push(peer1org1);
    let sendSignedProposalReq = { signedProposal, targets };
    let proposalResponses = await channel.sendSignedProposal(sendSignedProposalReq);
    // check the proposal responses, if all good, commit the tx
    // 5. similar to step 1, generate an unsigned tx
    let commitReq = {
        proposalResponses,
        proposal,
    };
    let commitProposal = await channel.generateUnsignedTransaction(commitReq);
    // 6. similar to step 3, sign the unsigned tx with the user's private key
    let commitProposalBytes = commitProposal.toBuffer();
    let signedCommitProposal = signingIdentity.sign(commitProposalBytes);
    // 7. commit the signed tx
    let response = await channel.sendSignedTransaction({
        signedTransaction: signedCommitProposal,
        request: commitReq,
    });
    console.log('**********response from orderer after commit signed tx********\n', response);
    // response.status should be 'SUCCESS' if the commit succeeds
    if (response.status === 'SUCCESS') {
        // connect to event channel hub
        let eventChannelHub = new ChannelEventHub(channel);
        // 8. similar to step 1, generate an unsigned eventHub registration for the ChannelEventHub
        let unsigneEvent = eventChannelHub.generateUnsignedRegistration({
            certificate: user5Cert,
            mspId
        });
        // 9. similar to step 3, sign the unsigned eventhub registration with the user's private key
        let unsignEventBytes = unsigneEvent.toBuffer();
        let signedEvent = signingIdentity.sign(unsignEventBytes);
        // 10. register this ChannelEventHub at peer
        let connectEventChannel = eventChannelHub.connect({ signedEvent });
        console.log('***********connectEventChannel*********\n', connectEventChannel);
    }
}
I try to submit transaction.
But every time I receive this error:
docker-compose.yaml logs
2022-09-21T11:36:52.296Z - error: [Channel.js]: Error: 14 UNAVAILABLE: failed to connect to all addresses
peer1-org1 container logs:
2022-09-21 11:25:08.606 UTC 0062 WARN [endorser] ProcessProposal -> Failed to preProcess proposal error="error validating proposal: access denied: channel [mychannel] creator org [org1MSP]"
2022-09-21 11:25:08.606 UTC 0063 INFO [comm.grpc.server] 1 -> unary call completed grpc.service=protos.Endorser grpc.method=ProcessProposal grpc.peer_address=172.19.0.1:59086 error="error validating proposal: access denied: channel [mychannel] creator org [org1MSP]" grpc.code=Unknown grpc.call_duration=15.47295ms
Also I receive this error now:
2022-09-21T13:01:10.858Z - error: [Channel.js]: sendTransaction - no valid endorsements found
How can I resolve this problem?
From the peer logs, it seems like the transaction submitter does not have access to the channel. Make sure the user identity is valid and the user's organization joined the channel. This error may also come if the MSP name given is wrong. The MSP name is case sensitive.
Based on Hyperledger Fabric, a network is created on which there are: 1 orderer, 1 ca, 1 couchdb, 1 cli, 1 peer.
Afterwards, a new org is added with: 1 peer, 1 couchdb and 1 cli.
Until this stage there is no error. All the containers are running. Then the ca admin is enrolled. Still no problem. The admin is connected with no problem. I want to create an admin for the new organization.
enrollandregisterNewAdmin.js
const gateway = new Gateway();
await gateway.connect(ccpPath, { wallet, identity: 'admin', discovery: { enabled: true, asLocalhost: true } });
const ca = gateway.getClient().getCertificateAuthority();
const adminIdentity = gateway.getCurrentIdentity();
const secret = await ca.register({
    affiliation: 'org1.department1',
    enrollmentID: 'adminOrg3',
    role: 'client',
    attrs: [
        {"name": "hf.Registrar.Roles", "value": "client"},
        {"name": "hf.Registrar.DelegateRoles", "value": "client"},
        {"name": "hf.Revoker", "value": "true"},
        {"name": "hf.IntermediateCA", "value": "true"},
        {"name": "hf.GenCRL", "value": "true"},
        {"name": "hf.AffiliationMgr", "value": "true"},
        {"name": "hf.Registrar.Attributes", "value": "hf.Registrar.Roles,hf.Registrar.DelegateRoles,hf.Revoker,hf.IntermediateCA,hf.GenCRL,hf.Registrar.Attributes,hf.AffiliationMgr"}
    ]
}, adminIdentity);
const enrollment = await ca.enroll({ enrollmentID: 'adminOrg3', enrollmentSecret: secret});
const userIdentity = X509WalletMixin.createIdentity('Org3MSP', enrollment.certificate, enrollment.key.toBytes());
await wallet.import('adminOrg3', userIdentity);
Finally the certificates of 'adminOrg3' are imported to the wallet with no error. But when I am trying to invoke/query with the 'adminOrg3', I receive this error:
[Channel.js]: Channel:byfn received discovery error:access denied
[Channel.js]: Error: Channel:byfn Discovery error:access denied
error: [Network]: _initializeInternalChannel: Unable to initialize channel. Attempted to contact 1 Peers. Last error was Error: Channel:byfn Discovery error:access denied
This is a common error when the wallet exists from a previous deployment. But the wallet is deleted each time the network is restarted.
docker logs peer0.org3.example.com
2021-02-22 10:21:09.588 UTC [cauthdsl] deduplicate -> ERRO 082 Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
My config file for new org
docker-compose-org3.yaml
version: '2'
volumes:
  peer0.org3.example.com:
networks:
  byfn:
services:
  peer0.org3.example.com:
    container_name: peer0.org3.example.com
    extends:
      file: base/peer-base.yaml
      service: peer-base
    environment:
      - CORE_PEER_ID=peer0.org3.example.com
      - CORE_PEER_ADDRESS=peer0.org3.example.com:11051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:11051
      - CORE_PEER_CHAINCODEADDRESS=peer0.org3.example.com:11052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:11052
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org3.example.com:11051
      - CORE_PEER_LOCALMSPID=Org3MSP
    volumes:
      - /var/run/:/host/var/run/
      - ./org3-artifacts/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/msp:/etc/hyperledger/fabric/msp
      - ./org3-artifacts/crypto-config/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls:/etc/hyperledger/fabric/tls
      - peer0.org3.example.com:/var/hyperledger/production
    ports:
      - 11051:11051
    networks:
      - byfn
  Org3cli:
    container_name: Org3cli
    image: hyperledger/fabric-tools:$IMAGE_TAG
    tty: true
    stdin_open: true
    environment:
      - GOPATH=/opt/gopath
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      - FABRIC_LOGGING_SPEC=INFO
      #- FABRIC_LOGGING_SPEC=DEBUG
      - CORE_PEER_ID=Org3cli
      - CORE_PEER_ADDRESS=peer0.org3.example.com:11051
      - CORE_PEER_LOCALMSPID=Org3MSP
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/ca.crt
      - CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
    command: /bin/bash
    volumes:
      - /var/run/:/host/var/run/
      - ./../chaincode/:/opt/gopath/src/github.com/chaincode
      - ./org3-artifacts/crypto-config:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/
      - ./crypto-config/peerOrganizations/org1.example.com:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com
      - ./scripts:/opt/gopath/src/github.com/hyperledger/fabric/peer/scripts/
    depends_on:
      - peer0.org3.example.com
    networks:
      - byfn
Is it possible for different MSPs to exist under the same affiliation?
Is any change needed to the configuration files?
Just to clarify a few things ...
Did you add the new org on the channel before trying to connect with the new org user?
Are you running the peers in docker containers and using volumes for the peer file system mapping? - It may happen that the peers still load the content of the old channels...
-Tsvetan
I am trying to create an intermediate CA for my project. I have one root CA and one intermediate CA, with the Intermediate CA config file as shown below. I am facing an issue creating the keypairs/MSP and TLS cert for the intermediate CA, and I am unable to pass the config file to the intermediate CA. Steps I followed:
1. Run the Root CA container, bootstrapping the admin.
2. Enrol the admin, which generates the MSP for the CA admin for org1:
   fabric-ca-client enroll -u https://admin:adminpw@localhost:7054 --caname ca-org1 --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
3. Register the Intermediate CA with the root CA using the command below:
   fabric-ca-client register --caname ca-org1 --id.name ica --id.attrs '"hf.Registrar.Roles=user,peer",hf.Revoker=true,hf.IntermediateCA=true' --id.secret icapw --tls.certfiles ${PWD}/organizations/fabric-ca/org1/tls-cert.pem
4. Run the Intermediate CA container as shown below, using the config file below.
5. Enrol the Intermediate CA:
   fabric-ca-client enroll -u https://icaadmin:icaadminpw@localhost:6054 --caname ica-org1 --tls.certfiles ${PWD}/organizations/fabric-ca/icaOrg1/tls-cert.pem
Root CA
version: "2"
networks:
  test:
services:
  ca_org1:
    image: hyperledger/fabric-ca:$IMAGE_TAG
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=ca-org1
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_CA_SERVER_PORT=7054
    ports:
      - "7054:7054"
    command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
    volumes:
      - ../organizations/fabric-ca/org1:/etc/hyperledger/fabric-ca-server
    container_name: ca_org1
    networks:
      - test
Intermediate CA
version: "2"
networks:
  test:
services:
  ica-org1:
    image: hyperledger/fabric-ca
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=ica-org1
      - FABRIC_CA_SERVER_TLS_ENABLED=true
      - FABRIC_LOGGING_SPEC=debug
      - FABRIC_CA_SERVER_PORT=6054
    ports:
      - "6054:6054"
    command: sh -c 'fabric-ca-server start -b icaadmin:icaadminpw -u -d http://ica:icapw@ca-org1:7054'
    volumes:
      - ../organizations/fabric-ca/icaOrg1:/etc/hyperledger/fabric-ca-server
    container_name: ica-org1
    networks:
      - test
ICA Fabric Config file
# Version of config file
version: 1.2.0
# Server's listening port (default: 7054)
port: 7054
# Enables debug logging (default: false)
debug: false
# Size limit of an acceptable CRL in bytes (default: 512000)
crlsizelimit: 512000
tls:
  # Enable TLS (default: false)
  enabled: true
  # TLS for the server's listening port
  certfile:
  keyfile:
  clientauth:
    type: noclientcert
    certfiles:
ca:
  # Name of this CA
  name: ica.org1.example.com
  # Key file (is only used to import a private key into BCCSP)
  keyfile:
  # Certificate file (default: ca-cert.pem)
  certfile:
  # Chain file
  chainfile:
crl:
  # Specifies expiration for the generated CRL. The number of hours
  # specified by this property is added to the UTC time, the resulting time
  # is used to set the 'Next Update' date of the CRL.
  expiry: 24h
registry:
  # Maximum number of times a password/secret can be reused for enrollment
  # (default: -1, which means there is no limit)
  maxenrollments: -1
  # Contains identity information which is used when LDAP is disabled
  identities:
    - name: icaadmin
      pass: icaadminpw
      type: client
      affiliation: ""
      attrs:
        hf.Registrar.Roles: "client,peer,user,member"
        hf.Registrar.DelegateRoles: "client,peer,user,member"
        hf.Revoker: true
        hf.IntermediateCA: true
        hf.GenCRL: true
        hf.Registrar.Attributes: "*"
        hf.AffiliationMgr: true
db:
  type: sqlite3
  datasource: fabric-ca-server.db
  tls:
    enabled: false
    certfiles:
    client:
      certfile:
      keyfile:
ldap:
  # Enables or disables the LDAP client (default: false)
  # If this is set to true, the "registry" section is ignored.
  enabled: false
  # The URL of the LDAP server
  url: ldap://<adminDN>:<adminPassword>@<host>:<port>/<base>
  # TLS configuration for the client connection to the LDAP server
  tls:
    certfiles:
    client:
      certfile:
      keyfile:
  # Attribute related configuration for mapping from LDAP entries to Fabric CA attributes
  attribute:
    names: ["uid", "member"]
    converters:
      - name:
        value:
    maps:
      groups:
        - name:
          value:
affiliations:
  org1:
    - department1
    - department2
signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 0
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - client auth
        - key agreement
      expiry: 8760h
csr:
  cn: ica.org1.example.com
  names:
    - C: US
      ST: "North Carolina"
      L: "Durham"
      O: org1.example.com
      OU:
  hosts:
    - localhost
    - org1.example.com
  ca:
    expiry: 131400h
    pathlength: 1
#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
  default: SW
  sw:
    hash: SHA2
    security: 256
    filekeystore:
      # The directory used for the software file-based keystore
      keystore: msp/keystore
cacount:
cafiles:
intermediate:
  parentserver:
    url: https://ca-org1:7054
    caname: ca.org1.example.com
  enrollment:
    hosts: localhost
    profile:
    label:
  tls:
    certfiles:
    client:
      certfile:
      keyfile:
Since you configured your CAs with TLS enabled, the root CA's TLS certificate must be used by the intermediate CA. Check the corresponding section of your intermediate CA's config file.
The certfiles attribute's value /tmp/root-ca-cert.pem is the same file as the root CA's file: /tmp/hyperledger/fabric-ca/crypto/ca-cert.pem
intermediate:
  parentserver:
    url: https://admin:admin@root.ca.example.com:7054
    caname: root.ca.example.com
  enrollment:
    hosts:
      - ca1.example.com
    profile: ca
    label:
  tls:
    certfiles:
      - /tmp/root-ca-cert.pem
    client:
      certfile:
      keyfile:
Background:
I have modified the first-network files (to a network with 2 Orgs and 1 peer in each of them) and installed my own chaincode on it. Additionally I have made a connection.yaml file to interact with the network.
Problem:
But when I try to get the network channel & establish the gateway from nodeSDK, I encounter this error:
error: [Network]: _initializeInternalChannel: Unable to initialize
channel. Attempted to contact 2 Peers. Last error was Error: 2
UNKNOWN: Stream removed
Failed to evaluate transaction: Error: Unable to initialize channel.
Attempted to contact 2 Peers. Last error was Error: 2 UNKNOWN: Stream
removed
Below you can find the code on my client side. The error probably arises when gateway.getNetwork('mychannel') is executed.
let connectionProfile = yaml.safeLoad(fs.readFileSync('./connection.yaml', 'utf8'));
// Create a new gateway for connecting to our peer node.
const gateway = new Gateway();
await gateway.connect(connectionProfile, { wallet, identity: 'user1', discovery: { enabled: false } });
// Get the network (channel) our contract is deployed to.
const network = await gateway.getNetwork('mychannel');
// Get the contract from the network.
const contract = network.getContract('bankpeerContract');
var result = await contract.evaluateTransaction('queryAllStamps');
This is my connection.yaml file:
---
name: mychannel.firstnetwork.connectionprofile
x-type: "hlfv1"
description: "BankPeerContract methods will be used through this profile"
version: "1.0"
channels:
  mychannel:
    orderers:
      - orderer.example.com
    peers:
      peer0.org1.example.com:
        endorsingPeer: true
        chaincodeQuery: true
        ledgerQuery: true
        eventSource: true
      peer0.org2.example.com:
        endorsingPeer: true
        chaincodeQuery: true
        ledgerQuery: true
        eventSource: true
organizations:
  Org1:
    mspid: Org1MSP
    peers:
      - peer0.org1.example.com
    certificateAuthorities:
      - certificate-authority-org1
    adminPrivateKey:
      path: ../first-network/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/keystore/63145b12cd86abb07b6b5797c5e9506faa8f799e81d3c71d11a6a60840e3b6ae_sk
    signedCert:
      path: ../first-network/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp/signcerts/Admin@org1.example.com-cert.pem
  Org2:
    mspid: Org2MSP
    peers:
      - peer0.org2.example.com
    certificateAuthorities:
      - certificate-authority-org2
    adminPrivateKey:
      path: ../first-network/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/keystore/4d9b19fdcce70620b45760f5d62c7c877200ab38553b7a8b85245b04ca0e8bdd_sk
    signedCert:
      path: ../first-network/crypto-config/peerOrganizations/org2.example.com/users/Admin@org2.example.com/msp/signcerts/Admin@org2.example.com-cert.pem
orderers:
  orderer.example.com:
    url: grpc://localhost:7050
    grpcOptions:
      ssl-target-name-override: orderer.example.com
    tlsCACerts:
      path: ../first-network/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
peers:
  peer0.org1.example.com:
    url: grpc://localhost:7051
    grpcOptions:
      ssl-target-name-override: peer0.org1.example.com
      request-timeout: 120001
    tlsCACerts:
      path: ../first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/tlscacerts/tlsca.org1.example.com-cert.pem
  peer0.org2.example.com:
    url: grpc://localhost:9051
    grpcOptions:
      ssl-target-name-override: peer0.org2.example.com
      request-timeout: 120001
    tlsCACerts:
      path: ../first-network/crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp/tlscacerts/tlsca.org2.example.com-cert.pem
certificateAuthorities:
  ca-org1:
    url: http://localhost:7054
    httpOptions:
      verify: false
    tlsCACerts:
      path: ../first-network/crypto-config/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem
    registrar:
      - enrollId: admin
        enrollSecret: adminpw
    caName: certificate-authority-org1
  ca-org2:
    url: http://localhost:8054
    httpOptions:
      verify: false
    tlsCACerts:
      path: ../first-network/crypto-config/peerOrganizations/org2.example.com/ca/ca.org2.example.com-cert.pem
    registrar:
      - enrollId: admin
        enrollSecret: adminpw
    caName: certificate-authority-org2
I have been unable to figure out whether there is some problem with connection.yaml file or there is something wrong within the network.
BYFN/EYFN enable TLS on all of the Fabric nodes (peers, orderers, certificate authorities) to secure communications. Your connection profile has "grpc://" and "http://" URLs - these should be changed to "grpcs://" and "https://". It looks like the TLS CA certificates are correct.
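The two answers above (the intermediate CA's missing root TLS certificate and the plaintext URLs in connection.yaml) both come down to client-side TLS settings that disagree with a TLS-enabled server. As an added example, not code from the posts or from the Fabric project, this linter checks an already-parsed connection profile for `grpc://` or `http://` URLs on nodes that carry `tlsCACerts` and for `httpOptions.verify: false`, and checks a parsed Fabric CA server config for an `https` parent server with empty `intermediate.tls.certfiles`. The function names and rule names are hypothetical, and the sample objects are constructed from the configs quoted on this page with paths shortened.

```javascript
'use strict';

// Plaintext scheme -> TLS scheme for each connection-profile section.
const SECURE_SCHEME = {
  orderers: { 'grpc:': 'grpcs:' },
  peers: { 'grpc:': 'grpcs:' },
  certificateAuthorities: { 'http:': 'https:' },
};

// Returns the URL scheme ("grpcs:", "https:", ...) or null if unparsable.
function schemeOf(url) {
  try {
    return new URL(String(url)).protocol;
  } catch (err) {
    return null;
  }
}

// Hypothetical linter: flags nodes whose URL scheme contradicts their TLS settings.
function lintConnectionProfile(profile) {
  const findings = [];
  for (const [section, upgrade] of Object.entries(SECURE_SCHEME)) {
    for (const [name, node] of Object.entries(profile[section] || {})) {
      const scheme = schemeOf(node.url);
      if (scheme === null) {
        findings.push({ rule: 'bad-url', section, name });
      } else if (upgrade[scheme] && node.tlsCACerts) {
        // A TLS CA cert is configured but the URL asks for a plaintext channel.
        findings.push({
          rule: 'plaintext-url', section, name,
          fix: String(node.url).replace(scheme, upgrade[scheme]),
        });
      }
      if (node.httpOptions && node.httpOptions.verify === false) {
        // The CA's server certificate is not validated by the client.
        findings.push({ rule: 'tls-verify-disabled', section, name });
      }
    }
  }
  return findings;
}

// Returns a deep copy with every 'plaintext-url' finding corrected.
function applySchemeFixes(profile) {
  const fixed = JSON.parse(JSON.stringify(profile));
  for (const f of lintConnectionProfile(profile)) {
    if (f.rule === 'plaintext-url') fixed[f.section][f.name].url = f.fix;
  }
  return fixed;
}

// Hypothetical check for a parsed fabric-ca-server config: an https parent
// server needs the parent's TLS root listed in intermediate.tls.certfiles.
function lintIntermediateCA(config) {
  const inter = config.intermediate || {};
  const parentUrl = (inter.parentserver || {}).url;
  const certfiles = [].concat((inter.tls || {}).certfiles || []).filter(Boolean);
  if (schemeOf(parentUrl) === 'https:' && certfiles.length === 0) {
    // Report the host only, so enrollment credentials in the URL are not echoed.
    return [{ rule: 'parent-tls-no-certfiles', parent: new URL(parentUrl).host }];
  }
  return [];
}

// Constructed samples: URLs and flags as in the question's connection.yaml,
// certificate paths shortened to a placeholder file name.
const tlsCa = { path: 'tlsca-cert.pem' };
const questionProfile = {
  orderers: {
    'orderer.example.com': { url: 'grpc://localhost:7050', tlsCACerts: tlsCa },
  },
  peers: {
    'peer0.org1.example.com': { url: 'grpc://localhost:7051', tlsCACerts: tlsCa },
    'peer0.org2.example.com': { url: 'grpc://localhost:9051', tlsCACerts: tlsCa },
  },
  certificateAuthorities: {
    'ca-org1': { url: 'http://localhost:7054', httpOptions: { verify: false }, tlsCACerts: tlsCa },
    'ca-org2': { url: 'http://localhost:8054', httpOptions: { verify: false }, tlsCACerts: tlsCa },
  },
};
// Constructed samples: the "intermediate" sections of the question's and the answer's configs.
const questionIca = {
  intermediate: { parentserver: { url: 'https://ca-org1:7054' }, tls: { certfiles: null } },
};
const answerIca = {
  intermediate: {
    parentserver: { url: 'https://admin:admin@root.ca.example.com:7054' },
    tls: { certfiles: ['/tmp/root-ca-cert.pem'] },
  },
};

console.log(lintConnectionProfile(questionProfile));
console.log(lintConnectionProfile(applySchemeFixes(questionProfile)));
console.log(lintIntermediateCA(questionIca), lintIntermediateCA(answerIca));
```

After the scheme fixes the only findings left are the two `tls-verify-disabled` entries, which the answer does not address: with `verify: false` the client does not validate the CA server's certificate even over `https`.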
I am trying to enforce simple endorsement policy for 2 org network. Here is my crypto-config.yaml
OrdererOrgs:
  - Name: Orderer
    Domain: example.com
    Specs:
      - Hostname: orderer
PeerOrgs:
  - Name: Org1
    Domain: org1.example.com
    EnableNodeOUs: true
    # CA:
    #   OrganizationalUnit: peer
    Template:
      Count: 1
    Users:
      Count: 1
  - Name: Org2
    Domain: org2.example.com
    EnableNodeOUs: true
    # CA:
    #   OrganizationalUnit: peer
    Template:
      Count: 1
    Users:
      Count: 1
And I can see OU as peer in both peers.
peer0.org2.example.com
Identity: peer0.org2.example.com
Verified by: ca.org2.example.com
Expires: Saturday 23 December 2028
Subject Name
C (Country): US
ST (State): California
L (Locality): San Francisco
OU (Organizational Unit): peer
CN (Common Name): peer0.org2.example.com
The endorsement policy for the member check works:
peer chaincode instantiate -o orderer.example.com:7050 -C mychannel -n chaincode -l node -v v0 -c '{"args":["init"]}' -P "AND('Org1MSP.member', 'Org2MSP.member')"
but the endorsement policy for the peer check is not working:
peer chaincode instantiate -o orderer.example.com:7050 -C mychannel -n chaincode -l node -v v0 -c '{"args":["init"]}' -P "AND('Org1MSP.peer', 'Org2MSP.peer')"
When I invoke any function:
Transaction failed to be committed to the ledger due to ::ENDORSEMENT_POLICY_FAILURE
even "OR('Org1MSP.peer', 'Org2MSP.peer')" not working
PeerOrgs:
  - Name: Org1
    Domain: org1.example.com
    EnableNodeOUs: true
    # CA:
    #   OrganizationalUnit: peer
    Template:
      Count: 1
    Users:
      Count: 1
......... TEMPLATE COUNT s/b changed to 2 as there are now 2 Orgs