I have set my endorsement policy as "AND ('Org1MSP.peer','OrgMainMSP.peer')" that means I need certificates of both the organizations to perform transactions successfully.
Transaction Performed as below:
peer chaincode invoke -o orderer0.org.com:7050 --tls --cafile
/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/org.com/orderers/orderer0.org.com/msp/tlscacerts/tlsca.org.com-cert.pem
-n accessControl --peerAddresses peer0.org-main.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org-main.com/peers/peer0.org-main.com/tls/ca.crt
--peerAddresses peer0.org1.com:10051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.com/peers/peer0.org1.com/tls/ca.crt
-c '{"Args":[]}'
It worked all fine. Successfully committed a new block and can be seen on the couchdb as well. But when I send the transaction removing one of the certificate as can be seen below:
"peer chaincode invoke -o orderer0.org.com:7050 --tls --cafile
/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/org.com/orderers/orderer0.org.com/msp/tlscacerts/tlsca.org.com-cert.pem
-n accessControl --peerAddresses peer0.org-main.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org-main.com/peers/peer0.org-main.com/tls/ca.crt
-c '{"Args":[]}' "
New block is committed with a transaction but marked as invalid by the committer with following error message on the logs
peer0.org-main.com | 2020-03-20 07:59:30.868 UTC [vscc] Validate ->
ERRO 094 VSCC error: stateBasedValidator.Validate failed, err
validation of endorsement policy for chaincode accessControl in tx 7:0
failed: signature set did not satisfy policy
peer0.org-main.com | 2020-03-20 07:59:30.868 UTC [valimpl]
preprocessProtoBlock -> WARN 097 Channel [myc]: Block [7] Transaction
index [0] TxId
[01246b27c11f94124aee3c4ac84a011be51a26aaa50fc28f1d6f5f5a8860c079]
marked as invalid by committer. Reason code
[ENDORSEMENT_POLICY_FAILURE]
peer0.org-main.com | 2020-03-20 07:59:31.156 UTC [kvledger]
CommitWithPvtData -> INFO 098 [myc] Committed block [7] with 1
transaction(s) in 287ms (state_validation=0ms
block_and_pvtdata_commit=220ms state_commit=17ms)
commitHash=[9d52225ddbc8f6f98edd37388cbcf369fea22666b9ec1cff1a91debdebc2d2a1]
And when I again submit the transaction passing both the certificates, It throws an error as
Error: could not assemble transaction: ProposalResponsePayloads do not
match - proposal response: version:1 response status:200 payload:...
>
The problem here is that if I mistakenly call invoke function passing only one certificate of an organization (endorsement policy failure) then I am not able to further transactions.
Transaction signed according the endorsement policy.
That's OK. Block committed and state updated.
Transaction signatures do not match the endorsement policy.
That's OK. Your client better doesn't try to commit that transaction, but if it does, a new block is committed with an invalid transaction and state is not updated.
ProposalResponsePayloads do not match.
Now the problem is different. I don't think it has relationship with previous transaction. The signatures are the expected ones, but you are composing a transaction with 2 transaction proposals that do not match. Their response or writeset is not the same. Be sure that you are not using external calls, random numbers, timestamps (other than the ones for the transaction or block) or similar values in your chaincode that might not match in both endorsements. Of course, transaction is invalidated, but a new block is committed.
Related
I Have two Orgs in My Network. I have Created a channel deployed the chaincode on both Orgs (Org1 and Org2) and received code as VALID.
Chaincode approved by both Orgs, Checked committed readiness and Committed the chaincode. log goes like...
2021-10-04 14:30:52.864 IST [chaincodeCmd] ClientWait -> INFO 001 txid [eff4729bb0fcb0ac21b6b4c4ee78de75d9fc3bc04b67fdd1cc22c9b67044d93a] committed with status (VALID) at localhost:9051
2021-10-04 14:30:52.911 IST [chaincodeCmd] ClientWait -> INFO 002 txid [eff4729bb0fcb0ac21b6b4c4ee78de75d9fc3bc04b67fdd1cc22c9b67044d93a] committed with status (VALID) at localhost:7051
=============== Commit chaincode definition Org 1 ============================== Committed chaincode definition for chaincode 'sample' on channel 'samplechannel': Version: 1, Sequence: 1, Endorsement Plugin: escc, Validation Plugin: vscc, Approvals: [Org1MSP: true, Org2MSP: true]
=============== query commited from Org 1====================`` Committed chaincode definition for chaincode 'sample' on channel 'samplechannel': Version: 1, Sequence: 1, Endorsement Plugin: escc, Validation Plugin: vscc, Approvals: [Org1MSP: true, Org2MSP: true]
I have gone through similiar issues posted and added
BlockValidation: Type: ImplicitMeta Rule: "ANY Writers" in my configtx.yaml
Transaction gets executed without any error. able to view transaction hash.
But getting ENDORSEMENT_POLICY_FAILURE in explorer.
I have added sceenshots below.
Can any one please help what is wrong / needs to be changed here ?
Thanks in advance.
Image for reference -
ENDORSEMENT_POLICY_FAILURE
Chaincode deployment
The default endorsement policy is MAJORITY. It means your transaction to be validated by a majority of channel members.
To change the endorsement policy, you can specify Channel/Application/Endorsement in configtx.yaml to ANY Endorsement. Fabric will use this config as the default endorsement policy in all chaincode.
Or you can specify the policy for each chaincode by define it when approve & commit chaincode. For example:
peer lifecycle chaincode approveformyorg --channelID mychannel --signature-policy "OR('Org1.member', 'Org2.member')" --name mycc --version 1.0 --package-id mycc_1:3a8c52d70c36313cfebbaf09d8616e7a6318ababa01c7cbe40603c373bcfe173 --sequence 1 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem --waitForEvent
peer lifecycle chaincode commit -o orderer.example.com:7050 --channelID mychannel --signature-policy "OR('Org1.member', 'Org2.member')" --name mycc --version 1.0 --sequence 1 --init-required --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem --waitForEvent --peerAddresses peer0.org1.example.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt --peerAddresses peer0.org2.example.com:9051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt
See more in Hyperledger Fabric documentation
I'm executing tutorials on Hyperledger Fabric First Network (version 1.4) and I get an unexpected error when trying to change max_message_count variable from 10 to 20 in channel configuration.
I'm using this tutorial: https://hyperledger-fabric.readthedocs.io/en/release-1.4/channel_update_tutorial.html
Obviously, I don't change the Org list to the channel as in tutorial, I only change the parameter:
cat config.json | sed 's/"max_message_count": 10/"max_message_count": 20/g' > new_config.json
Then I Execute the encoding of new and old configuration in protobuffer, compute update, decode update to json, added envelope and recode envelope to protobuffer. It is okay.
Then I sign the update with both organization and tries to update, but it gives me this error:
Error: got unexpected status: BAD_REQUEST -- error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/BatchSize not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
This is the decoded update, as you can see is signed by both Org1MSP and Org2MSP: https://controlc.com/486d638a
These are the logs from orderer:
2020-12-10 17:28:04.282 UTC [cauthdsl] deduplicate -> WARN 01c De-duplicating identity [Org2MSPd2b5a4f881b520ad90a0ae5db7bd0b5362fae2d5916d972751da9bd35fb97f9b] at index 2 in signature set
2020-12-10 17:28:04.282 UTC [orderer.common.broadcast] ProcessMessage -> WARN 01d [channel: mychannel] Rejecting broadcast of config message from 172.20.0.7:56874 because of error: error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/BatchSize not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
Self-Answer.
This type of modification needs the sign of the orderer:
export CORE_PEER_ADDRESS=orderer.example.com:7050
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/users/Admin\#example.com/msp/
peer channel signconfigtx -f org3_update_in_envelope.pb
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
export CORE_PEER_LOCALMSPID=OrdererMSP
peer channel update -f org3_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.example.com:7050 --tls --cafile $ORDERER_CA
My chaincode was instantiated with the following command:
peer chaincode instantiate -o orderer1.example.com:7050 --tls true --cafile <cafile> -C mychannel
-n mycc -l java -v 1.0 -c '{"Args":[]}' -P "OR ('Org1MSP.member')"
I would like to change the endorsement policy such that all peers in the organization are required for endorsement; currently I have two peers, but the number is set to increase.
What I do for now is the following procedure:
Step one: install the same chaincode with a different version name.
peer chaincode install -n mycc -v <version> -l java -p /opt/gopath/src/github.com/chaincode
Step two: upgrade the chaincode using the following command:
peer chaincode upgrade -o orderer1.example.com:7050 --tls true --cafile <cafile> -C mychannel
-n mycc -l java -v <version> -c '{"Args":[]}' -P "OutOf(2, 'Org1MSP.member')"
-peerAddresses peer1.org1.example.com:7051 -peerAddresses peer2.org1.example.com:7051
However, I am unable to achieve my desired outcome. Under the current endorsement policy, when I use my my client to submit a transaction, it is committed after a while. After I change the policy, my transaction is no longer automatically accepted, and the logs reflect this with the following error message:
VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode
mycc in tx 132:0 failed: signature set did not satisfy policy
So while I am able to stop the auto-acceptance of transactions, now I find myself unable to validate any transaction.
The procedure I follow in changing the chaincode endorsement policy, is it correct?
Does my endorsement policy do what I intend to do?
How come I am no longer able to validate transactions?
EDIT: I changed my logging spec to the one suggested by Jason Yellick. I think I found some debug which might provide insight:
<time> [cauthdsl] func1 -> DEBU 4bd 0xc0004e4050 gate 1594275943563937246 evaluation starts
<time> [cauthdsl] func2 -> DEBU 4be 0xc0004e4050 signed by 0 principal evaluation starts (used [false])
<time> [cauthdsl] func2 -> DEBU 4bf 0xc0004e4050 processing identity 0 with bytes of 1159660
<time> [cauthdsl] func2 -> DEBU 4c0 0xc0004e4050 principal matched by identity 0
<time> [cauthdsl] func2 -> DEBU 4c1 0xc0004e4050 principal evaluation succeeds for identity 0
<time> [cauthdsl] func2 -> DEBU 4c2 0xc0004e4050 signed by 1 principal evaluation starts (used [true])
<time> [cauthdsl] func2 -> DEBU 4c3 0xc0004e4050 skipping identity 0 because it has already been used
<time> [cauthdsl] func2 -> DEBU 4c4 0xc0004e4050 principal evaluation fails
<time> [cauthdsl] func1 -> DEBU 4c5 0xc0004e4050 gate 1594275943563937246 evaluation fails
<time> [vscc] Validate -> ERRO 4c6 VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode myteacc in tx 140:0 failed: signature set did not satisfy policy
<time> [vscc] Validate -> DEBU 4c7 block 140, namespace: myteacc, tx 0 validation results is: validation of endorsement policy for chaincode myteacc in tx 140:0 failed: signature set did not satisfy policy
<time> [committer.txvalidator] ValidateWithPlugin -> DEBU 4c8 Transaction 1d8f66a10658c3d808ad4ce0feef9fd5c13816187a39fcedc8a32ce91016df0d appears to be invalid: validation of endorsement policy for chaincode myteacc in tx 140:0 failed: signature set did not satisfy policy
<time> [committer.txvalidator] validateTx -> ERRO 4c9 VSCCValidateTx for transaction txId = 1d8f66a10658c3d808ad4ce0feef9fd5c13816187a39fcedc8a32ce91016df0d returned error: validation of endorsement policy for chaincode myteacc in tx 140:0 failed: signature set did not satisfy policy
<time> [committer.txvalidator] validateTx -> DEBU 4ca [isprintchannel] validateTx completes for block 0xc0026306c0 env 0xc00245e190 txn 0
This is with policy set to AND('Org1MSP.member','Org1MSP.member')
Your endorsement policy is unsatisfiable. In your upgrade command:
peer chaincode upgrade -o orderer1.example.com:7050 --tls true
--cafile <cafile> -C mychannel -n mycc -l java -v <version>
-c '{"Args":[]}' -P "OutOf(2, 'Org1MSP.member')"
-peerAddresses peer1.org1.example.com:7051 -peerAddresses
peer2.org1.example.com:7051
you can see that your policy is:
-P "OutOf(2, 'Org1MSP.member')"
This endorsement policy is requiring that "2 out of 1 identities must sign". This can never be satisfied, as you can never have more signatures than principles. It is essentially saying "Of 1 thing, pick 2 of them", which is a contradiction. If you really want to require two peers from the same organization, then you would want to write:
-P "OutOf(2, 'Org1MSP.member', 'Org1MSP.member')"
Or, you could have simply used the AND syntax:
-P "AND('Org1MSP.member', 'Org1MSP.member')"
I would note, it's unusual to require multiple peers from the same organization to endorse, and if you go this route, you need to be careful in your certificate management. In particular, if you are using the fabric-ca, you must ensure that the peer identity can only enroll once, otherwise it could re-enroll and now have two valid identities, and be able to pretend to be two different peers. Similarly, if the identity must be re-issued, be careful to ensure that the old certificate is revoked.
You might consider instead defining a second logical organization and writing your policies using the two distinct logical organizations such as:
-P "AND('Org1MSP.member', 'Org2MSP.member')"
This is a much more conventional way to operate Fabric.
I have a problem with instantiating chaincode in Hyperledger fabric Network with comm:
peer chaincode instantiate -o orderer.ex.com:7050 -C roaming -n chaincode -v 1.1 -c '{"Args":[]}' -P "AND ('ORG1MSP.member')" --tls --cafile /etc/hyperledger/fabric/config/ca.crt
The peer is joined the channel and chaincode is installed on it.
The log of orderer is:
ERRO 029 TLS handshake failed with error tls: oversized record received with length 64774 server=Orderer
WARN 02a Error reading from 172.16.0.81:34562: rpc error: code = Canceled desc = context canceled
INFO 02b streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=172.16.0.81:34562 error="rpc error: code = Canceled desc = context canceled" grpc.code=Canceled grpc.call
WARN 02c Error reading from 172.16.0.81:35318: rpc error: code = Canceled desc = context canceled
In the log of the peer - nothing interesting.
The error looks like the client is trying to communicate speak HTTP/GRPC to a server expecting HTTPS/GRPCS (or viceversa)
If your fabric network endpoints are not encrypted, remove the --tls and --cafile flags.
Otherwise, make sure to use an encrypted endpoint for the orderer (e.g. orderer.ex.com:443 if it's exposed via HTTPS with an ingress controller) and the peer as well (CORE_PEER_ADDRESS)
I have also found when enabling TLS that the following environment variables are needed in addition to the --tls and --cafile above:
CORE_PEER_TLS_ROOTCERT_FILE=/path/to/ca/pem (e.g. `letsencryptauthorityx3.pem`)
CORE_PEER_TLS_ENABLED=true
I have a little network up in Hyperledger Fabric 1.4 which is very similar to the basic-network from the examples.
It has:
One orderer organization with orderer peer
One Hospital organization with two peers.
A single channel on which the peers of the hospital are.
I tried to write a very simple demo smart contract/chaincode and have it invoked.
(The smart contract is called bananascc)
Running from the docker container cli /bin/bash associated to a peer0.hospital1.health.com peer, I successfully install and instantiate:
peer chaincode install -n bananascc -v 1.0 -l node -p /opt/gopath/src/github.com/chaincode/chaincode_bananas/node
peer chaincode instantiate -o orderer.health.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/health.com/orderers/orderer.health.com/msp/tlscacerts/tlsca.health.com-cert.pem -C hospital1channel -n bananascc -l node -v 1.0 -c '{"Args":["init","edo","100"]}' -P "OR ('Hospital1MSP.admin', 'Hospital1MSP.peer' )"
With policy -P "OR ('Hospital1MSP.admin', 'Hospital1MSP.peer' )"
But when I try to invoke the chaincode, the transaction is sent successfully but the operation is not executed, as I get a
peer0.hospital1.health.com | 2019-03-06 10:36:44.525 UTC [vscc] Validate -> ERRO 07e VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode bananascc in tx 6:0 failed: signature set did not satisfy policy
peer0.hospital1.health.com | 2019-03-06 10:36:44.525 UTC [committer.txvalidator] validateTx -> ERRO 07f VSCCValidateTx for transaction txId = d6726e0b2daf11d0e3ef24e86fa0e7a5530f2d98dcc4ad1f0d266ca642be1ee3 returned error: validation of endorsement policy for chaincode bananascc in tx 6:0 failed: signature set did not satisfy policy
I reckon that the transaction has to be evaluated against a valid signature set, but I can't understand where I can specify this, or why it should be wrong according to VSCC.
I'd be very happy if anyone could help me figure out. I have already broadly looked for an answer which I haven't found.
Let me know if you need other information on the issue.
Thank you very much.
The problem is probably caused by the order of instantiating the policies.
Can you simply swap the declaration to:
peer chaincode instantiate -o orderer.health.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/health.com/orderers/orderer.health.com/msp/tlscacerts/tlsca.health.com-cert.pem -C hospital1channel -n bananascc -l node -v 1.0 -c '{"Args":["init","edo","100"]}' -P "OR ('Hospital1MSP.peer','Hospital1MSP.admin')"
To avoid this pitfall, identities should be specified from most privileged to least privileged in the policy identities specification, and signatures should be ordered from least privileged to most privileged in the signature set.
Read here: https://hyperledger-fabric.readthedocs.io/en/release-1.4/policies.html
If there is only one organization, does not make sense the need of a policy (only used between organizations), so I removed and it worked!
My code line:
peer chaincode instantiate -o orderer.orgX.com:7050 --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA -C $CHANNEL_NAME -n mycc -l ${LANGUAGE} -v 1.0 -c '{"Args":["init","a","100","b","200"]}' >&log.txt