Develop Reference

TLS handshake failed with error remote error: tls: bad certificate server=Orderer

I am trying to set up a hyperledger fabric on a VM manually. I have generated all the artifacts and configured the orderer.yaml and core.yaml. I have orderer running on port 127.0.0.1:7050. When I try to create channel using the peer cli channel create command I am getting a context deadline exceeded message on peer terminal.
./bin/peer channel create -o 127.0.0.1:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls --cafile /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
Error: failed to create deliver client: orderer client failed to connect to 127.0.0.1:7050: failed to create new connection: context deadline exceeded
On the orderer terminal I am getting the following error:
2019-04-23 09:22:03.707 EDT [core.comm] ServerHandshake -> ERRO 01b TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=127.0.0.1:38618
2019-04-23 09:22:04.699 EDT [core.comm] ServerHandshake -> ERRO 01c TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=127.0.0.1:38620
2019-04-23 09:22:06.187 EDT [core.comm] ServerHandshake -> ERRO 01d TLS handshake failed with error remote error: tls: bad certificate server=Orderer remoteaddress=127.0.0.1:38622
I have gone through the configurations a few time, I am not sure if I am missing something. Following is my orderer.yaml
General:
LedgerType: file
ListenAddress: 127.0.0.1
ListenPort: 7050
TLS:
Enabled: true
PrivateKey: /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.key
Certificate: /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
RootCAs:
- /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/ca.crt
ClientAuthRequired: true
Keepalive:
ServerMinInterval: 60s
ServerInterval: 7200s
ServerTimeout: 20s
GenesisMethod: file
GenesisProfile: OneOrgOrdererGenesis
GenesisFile: channel-artifacts/genesis.block
LocalMSPDIR: /home/fabric-release/mynetwork/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp
LocalMSPID: OrdererMSP
Authentication:
TimeWindow: 15m
FileLedger:
Location: /var/hyperledger/production/orderer
Prefix: hyperledger-fabric-ordererledger

The issue is that the TLS server certificate used by the orderer does not have a SAN matching "127.0.0.1". You can add "localhost" and/or "127.0.0.1" to you TLS certificates by using a custom crypto-config.yaml when generating your artifacts with cryptogen:
# ---------------------------------------------------------------------------
# "OrdererOrgs" - Definition of organizations managing orderer nodes
# ---------------------------------------------------------------------------
OrdererOrgs:
# ---------------------------------------------------------------------------
# Orderer
# ---------------------------------------------------------------------------
- Name: Orderer
Domain: example.com
EnableNodeOUs: false
# ---------------------------------------------------------------------------
# "Specs" - See PeerOrgs below for complete description
# ---------------------------------------------------------------------------
Specs:
- Hostname: orderer
SANS:
- "localhost"
- "127.0.0.1"
# ---------------------------------------------------------------------------
# "PeerOrgs" - Definition of organizations managing peer nodes
# ---------------------------------------------------------------------------
PeerOrgs:
# ---------------------------------------------------------------------------
# Org1
# ---------------------------------------------------------------------------
- Name: org1
Domain: org1.example.com
EnableNodeOUs: true
Template:
Count: 2
SANS:
- "localhost"
- "127.0.0.1"
Users:
Count: 1
- Name: org2
Domain: org2.example.com
EnableNodeOUs: false
Template:
Count: 2
SANS:
- "localhost"
- "127.0.0.1"
Users:
Count: 1

I also faced the same problem and in my case, the issue was that I made some changes to the local directory files and apparently those changes were not successfully reflected while mounting those files back into the docker containers. What fixed the problem for me was
docker volume rm $(docker volume ls)
I restarted the network again and didn't see any more certificate errors. Worth a try.

when the problem of TLS handshake failed occurs between the orderer and orderer, it is most likely that there is an error in the configuration parameters when generating the TLS file.
if you are registered with TLS via fabric-ca, then you need to check whether the CSR properties in the TLS files of the two orderer are the same. You can use the following command "openssl x509 -in certificate.crt -text -noout".
The following you need to check whether the --cer.names, -m and other parameters of the orderer enroll are duplicate or incorrect.
In cases where the contents of the TLS file are consistent and the HostName specified, it is rare for the handshake to fail

What is the use of TLS concept in the first network of fabric samples of hyperledger?

How can we implement TLS in first-network?i have tried by adding the below section in peers.What is the need to configure peers by Tls?
CORE_PEER_TLS_ENABLED=true
CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
I am working on multi organisation network setup using first network of fabric samples.one of the organisation say org1 has created a channel by passing tls certs of orderer ,the other organisation org2 has to fetch the channel created by org1 and join the peers into the channel.when i do fetch action using peer channel fetch by passing tls certs of orderer ,i got the error like
peer channel fetch config-o orderer.example.com:7050 -c channelone1 -f --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
connection error: desc = "transport: Error while dialing dial tcp 98.124.199.121:7050: connect: connection refused". Reconnecting...
and in orderer logs ,i got error as :
TLS handshake failed with error tls: client didn't provide a certificate {"server": "Orderer", "remote address": "172.24.0.4:49608"}
Created the channel using:
peer channel create -o orderer.example.com:7050 -c channelone1 -f ./channel-artifacts/channel-one.tx --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
Output is: Received block is 0

By default the first-network will start with TLS enabled.
The four environment variables you refer to are included in the file base/peer-base.yaml the the peer-base file is "included" by use of the extends: and file: base/docker-compose-base.yaml

Hyperledger Fabric peer join fails with "bad proposal response"

I am having trouble setting up simple Hyperledger Fabric v1.2.0 network.The network I am trying to build consists of one orderer and a single organisation with one peer. I did work through the build-your-first-network tutorial successfully and wanted to start over from scratch. However, I always run into an error when joining the peer to the channel.
docker exec -e "CORE_PEER_LOCALMSPID=FooMSP" -e "CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin#foo.bcn.org/msp" -e "CORE_PEER_ADDRESS=peer0.foo.bcn.org:7051" peer0.foo.bcn.org peer channel join -b /etc/hyperledger/configtx/genesis.block
2018-08-25 17:50:18.970 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: proposal failed (err: bad proposal response 500)
Neither the orderer's, nor the peer's log show some revealing information (at least to me).
logs peer0.foo.bcn.org
2018-08-25 17:50:13.676 UTC [nodeCmd] serve -> INFO 01d Started peer with ID=[name:"peer0.foo.bcn.org" ], network ID=[dev], address=[peer0.foo.bcn.org:7051]
2018-08-25 17:50:18.972 UTC [endorser] ProcessProposal -> ERRO 01e [][20e127e8] simulateProposal() resulted in chaincode name:"cscc" response status 500 for txid: 20e127e8af5dc8f513da9ea287b1ae2940df834be0f1b0404560b3e94e94627a
logs orderer.bcn.org
The orderer's logs show nothing suspicious to me apart from the following line.
2018-08-25 17:50:18.784 UTC [common/deliver] Handle -> WARN 2fc Error reading from 172.18.0.3:50860: rpc error: code = Canceled desc = context canceled
The commands that led me to the error were straight forward, generating the channel artifacts and connecting to the peer to create & join the channel.
# generate crypto material
cryptogen generate --config=./crypto-config.yaml
# generate genesis block for orderer
configtxgen -profile OrdererGenesis -outputBlock ./channel-artifacts/genesis.block
# generate channel configuration transaction
configtxgen -profile OrgChannel -outputCreateChannelTx ./channel-artifacts/channel.tx -channelID bcnchannel
docker-compose -f docker-compose.yaml up -d
# Create the channel
docker exec -e "CORE_PEER_LOCALMSPID=FooMSP" -e "CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin#foo.bcn.org/msp" -e "CORE_PEER_ADDRESS=peer0.foo.bcn.org:7051" peer0.foo.bcn.org peer channel create -o orderer.bcn.org:7050 -c bcnchannel -f /etc/hyperledger/configtx/channel.tx
# Join peer to the channel.
docker exec -e "CORE_PEER_LOCALMSPID=FooMSP" -e "CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin#foo.bcn.org/msp" -e "CORE_PEER_ADDRESS=peer0.foo.bcn.org:7051" peer0.foo.bcn.org peer channel join -b /etc/hyperledger/configtx/genesis.block
Any ideas what could cause this problem and how to resolve it?
Thanks in advance!
crypto-config.yaml
OrdererOrgs:
- Name: Orderer
Domain: bcn.org
Specs:
- Hostname: orderer
PeerOrgs:
- Name: Foo
Domain: foo.bcn.org
Template:
Count: 1
Start: 0
Users:
Count: 1
configtx.yaml
Organizations:
- &OrdererOrg
Name: BCNOrdererOrg
ID: BCNOrdererMSP
AdminPrincipal: Role.ADMIN
MSPDir: crypto-config/ordererOrganizations/bcn.org/msp
- &Org1
Name: Foo
ID: FooMSP
AdminPrincipal: Role.ADMIN
MSPDir: crypto-config/peerOrganizations/foo.bcn.org/msp
AnchorPeers:
- Host: peer0.foo.bcn.org
Port: 7051
Application: &ApplicationDefaults
Organizations:
Orderer: &OrdererDefaults
OrdererType: solo
Addresses:
- orderer.bcn.org:7050
BatchTimeout: 2s
MaxChannels: 0
BatchSize:
MaxMessageCount: 10
AbsoluteMaxBytes: 99 MB
PreferredMaxBytes: 512 KB
Organizations:
Profiles:
OrdererGenesis:
Orderer:
<<: *OrdererDefaults
Organizations:
- *OrdererOrg
Consortiums:
BCNConsortium:
Organizations:
- *Org1
OrgChannel:
Consortium: BCNConsortium
Application:
<<: *ApplicationDefaults
Organizations:
- *Org1
docker-compose.yaml
version: '2'
networks:
bcn-net:
services:
orderer.bcn.org:
container_name: orderer.bcn.org
image: hyperledger/fabric-orderer
environment:
- ORDERER_GENERAL_LOGLEVEL=debug
- ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
- ORDERER_GENERAL_GENESISMETHOD=file
- ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
- ORDERER_GENERAL_LOCALMSPID=BCNOrdererMSP
- ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/msp/orderer/msp
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/orderer
command: orderer
ports:
- 7050:7050
volumes:
- ./channel-artifacts/:/etc/hyperledger/configtx
- ./crypto-config/ordererOrganizations/bcn.org/orderers/orderer.bcn.org/:/etc/hyperledger/msp/orderer
networks:
- bcn-net
peer0.foo.bcn.org:
container_name: peer0.foo.bcn.org
image: hyperledger/fabric-peer
environment:
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- CORE_PEER_ID=peer0.foo.bcn.org
- CORE_LOGGING_PEER=debug
- CORE_CHAINCODE_LOGGING_LEVEL=debug
- CORE_PEER_LOCALMSPID=FooMSP
- CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/peer/
- CORE_PEER_ADDRESS=peer0.foo.bcn.org:7051
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_bcn-net
working_dir: /opt/gopath/src/github.com/hyperledger/fabric
command: peer node start
ports:
- 7051:7051
- 7053:7053
volumes:
- /var/run/:/host/var/run/
- ./crypto-config/peerOrganizations/foo.bcn.org/peers/peer0.foo.bcn.org/msp:/etc/hyperledger/msp/peer
- ./crypto-config/peerOrganizations/foo.bcn.org/users:/etc/hyperledger/msp/users
- ./channel-artifacts:/etc/hyperledger/configtx
depends_on:
- orderer.bcn.org
networks:
- bcn-net

After countless of hours checking my configuration files I finally found were I messed up.
The problem resides from using the wrong block file when joining the channel.
For joining the channel I used the genesis block of the orderer instead of the one creating during "peer channel create".
So after creating the channel with
peer channel create -o orderer.bcn.org:7050 -c bcnchannel -f /etc/hyperledger/configtx/channel.tx
I should have used
peer channel join -b bcnchannel.block
instead of
peer channel join -b /etc/hyperledger/configtx/genesis.block

Unable to create channel - Attempted to include a member which is not in the consortium

I am facing an issue on creation of channel:
Channel 1 consortium - Org 1, Org2, Org4, Org5
Channel 2 consortium - Org2, Org3, Org4, Org5
Orderer Genesis consortium - Org1, Org2, Org3, Org4, Org5.
From Cli peer ( Org2) - when i am trying to create channel 1 or 2, i am getting below issue:
> peer channel create -o orderer.clm.com:7050 -c $CHANNEL_ONE_NAME -f ./channel-artifacts/channelone.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/clm.com/orderers/orderer.clm.com/msp/tlscacerts/tlsca.clm.com-cert.pem
2018-07-15 01:13:08.240 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser
and orderer connections initialized
Error: got unexpected status: BAD_REQUEST -- Attempted to include a member
which is not in the consortium
configtx.yaml File
Organizations:
- &OrdererOrg
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: OrdererOrg
# ID to load the MSP definition as
ID: OrdererMSP
# MSPDir is the filesystem path which contains the MSP configuration
MSPDir: crypto-config/ordererOrganizations/clm.com/msp
AdminPrincipal: Role.MEMBER
- &Org2
Name: Bdc1MSP
ID: Bdc1MSP
MSPDir: crypto-config/peerOrganizations/bdc1.clm.com/msp
AdminPrincipal: Role.MEMBER
AnchorPeers:
- Host: peer0.bdc1.clm.com
Port: 7051
- &Org1
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Cp1MSP
# ID to load the MSP definition as
ID: Cp1MSP
MSPDir: crypto-config/peerOrganizations/cp1.clm.com/msp
AdminPrincipal: Role.MEMBER
AnchorPeers:
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer0.cp1.clm.com
Port: 7051
- &Org3
Name: Adp1MSP
ID: Adp1MSP
MSPDir: crypto-config/peerOrganizations/adp1.clm.com/msp
AdminPrincipal: Role.MEMBER
AnchorPeers:
- Host: peer0.adp1.clm.com
Port: 7051
- &Org4
Name: Ottp1MSP
ID: Ottp1MSP
MSPDir: crypto-config/peerOrganizations/ottp1.clm.com/msp
AdminPrincipal: Role.MEMBER
AnchorPeers:
- Host: peer0.ottp1.clm.com
Port: 7051
- &Org5
Name: RegMSP
ID: RegMSP
MSPDir: crypto-config/peerOrganizations/reg.clm.com/msp
AdminPrincipal: Role.MEMBER
AnchorPeers:
- Host: peer0.reg.clm.com
Port: 7051
Capabilities:
Global: &ChannelCapabilities
V1_1: true
Orderer: &OrdererCapabilities
V1_1: true
Application: &ApplicationCapabilities
V1_2: true
Application: &ApplicationDefaults
Organizations:
Orderer: &OrdererDefaults
OrdererType: solo
Addresses:
- orderer.clm.com:7050
# Batch Timeout: The amount of time to wait before creating a batch
BatchTimeout: 2s
# Batch Size: Controls the number of messages batched into a block
BatchSize:
# Max Message Count: The maximum number of messages to permit in a batch
MaxMessageCount: 10
# Absolute Max Bytes: The absolute maximum number of bytes allowed for
# the serialized messages in a batch.
AbsoluteMaxBytes: 99 MB
# Preferred Max Bytes: The preferred maximum number of bytes allowed for
# the serialized messages in a batch. A message larger than the preferred
# max bytes will result in a batch larger than preferred max bytes.
PreferredMaxBytes: 512 KB
Kafka:
# Brokers: A list of Kafka brokers to which the orderer connects
# NOTE: Use IP:port notation
Brokers:
- 127.0.0.1:9092
Organizations:
Profiles:
FiveOrgsOrdererGenesis:
Capabilities:
<<: *ChannelCapabilities
Orderer:
<<: *OrdererDefaults
Organizations:
- *OrdererOrg
Capabilities:
<<: *OrdererCapabilities
Consortiums:
SampleConsortium:
Organizations:
- *Org2
- *Org1
- *Org3
- *Org4
- *Org5
ChannelOne:
Consortium: SampleConsortium
Application:
<<: *ApplicationDefaults
Organizations:
- *Org2
- *Org1
- *Org5
- *Org4
Capabilities:
<<: *ApplicationCapabilities
ChannelTwo:
Consortium: SampleConsortium
Application:
<<: *ApplicationDefaults
Organizations:
- *Org2
- *Org3
- *Org5
- *Org4
Capabilities:
<<: *ApplicationCapabilities
docker compose cli
cli:
container_name: cli
image: hyperledger/fabric-tools:$IMAGE_TAG
tty: true
stdin_open: true
environment:
- GOPATH=/opt/gopath
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
#- CORE_LOGGING_LEVEL=DEBUG
- CORE_LOGGING_LEVEL=INFO
- CORE_PEER_ID=cli
- CORE_PEER_ADDRESS=peer0.bdc1.clm.com:7051
- CORE_PEER_LOCALMSPID=Bdc1MSP
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/bdc1.clm.com/peers/peer0.bdc1.clm.com/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/bdc1.clm.com/peers/peer0.bdc1.clm.com/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/bdc1.clm.com/peers/peer0.bdc1.clm.com/tls/ca.crt
- CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/bdc1.clm.com/users/Admin#bdc1.clm.com/msp
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
command: /bin/bash
volumes:
- /var/run/:/host/var/run/
- ./../chaincode/:/opt/gopath/src/github.com/chaincode
- ./crypto-config:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/
- ./scripts:/opt/gopath/src/github.com/hyperledger/fabric/peer/scripts/
- ./channel-artifacts:/opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts
depends_on:
- orderer.clm.com
- peer0.bdc1.clm.com
networks:
- byfn
Env variables from CLI container :
root#6a67b1de8f57:/opt/gopath/src/github.com/hyperledger/fabric/peer# env
HOSTNAME=6a67b1de8f57
TERM=xterm
CORE_PEER_TLS_ROOTCERT_FILE=
/opt/gopath/src/github.com/hyperledger/
fabric/peer/crypto/peerOrganizations/bdc1.clm.com/peers/
peer0.bdc1.clm.com/tls/ca.crt
CORE_PEER_TLS_KEY_FILE=
/opt/gopath/src/github.com/hyperledger/fabric/peer/
crypto/peerOrganizations/bdc1.clm.com/peers/
peer0.bdc1.clm.com/tls/server.key
LS_COLORS=REMOVED
CORE_PEER_LOCALMSPID=Bdc1MSP
CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/
fabric/peer/crypto/peerOrganizations/
bdc1.clm.com/peers/peer0.bdc1.clm.com/tls/server.crt
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
:/sbin:/bin:/opt/go/bin:/opt/gopath/bin
PWD=/opt/gopath/src/github.com/hyperledger/fabric/peer
CORE_PEER_TLS_ENABLED=true
CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/
fabric/peer/crypto/peerOrganizations/
bdc1.clm.com/users/Admin#bdc1.clm.com/msp
CORE_PEER_ID=cli
SHLVL=1
HOME=/root
GOROOT=/opt/go
CORE_LOGGING_LEVEL=INFO
FABRIC_CFG_PATH=/etc/hyperledger/fabric
CORE_PEER_ADDRESS=peer0.bdc1.clm.com:7051
LESSOPEN=| /usr/bin/lesspipe %s
GOPATH=/opt/gopath
CHANNEL_ONE_NAME=channelone
LESSCLOSE=/usr/bin/lesspipe %s %s
_=/usr/bin/env

In my case, I forgot to export CHANNEL_NAME:
root#e8daa001f461:/opt/gopath/src/github.com/hyperledger/fabric/peer# echo $CHANNEL_NAME
root#e8daa001f461:/opt/gopath/src/github.com/hyperledger/fabric/peer# peer channel create -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
2018-12-07 18:07:18.375 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2018-12-07 18:07:18.636 UTC [common/tools/configtxgen/localconfig] Load -> INFO 002 Loaded configuration: /etc/hyperledger/fabric/configtx.yaml
Error: got unexpected status: BAD_REQUEST -- Attempted to include a member which is not in the consortium
After exporting:
root#e8daa001f461:/opt/gopath/src/github.com/hyperledger/fabric/peer# export CHANNEL_NAME=mychannel
root#e8daa001f461:/opt/gopath/src/github.com/hyperledger/fabric/peer# peer channel create -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
2018-12-07 18:03:29.985 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2018-12-07 18:03:30.028 UTC [cli/common] readBlock -> INFO 002 Received block: 0

#arnabkaycee
Looks like shutting down docket containers with removal of volumes and orphans , resolved.
I recreated cryptos, channel artifacts again, which resolved it. Not sure, if any of my previous work had a conflict with it. Still clueless but resolved :)

I faced the same issue today. After a while i found why this happens. Turns out if the channelXXXXXX.tx and anchorXXXX.tx files are not in the same folder this will error out even if everything you have done is correct as its not able to link to the anchor peers.
In my case i had multiple channels defined with their individual folders. I was making the mistake of placing the channelXXXXXX.tx outside its folder and got the error.

This generally occurs when a member is not in the consortium is added to the channel.
Please post your configtx.yaml for more details.
You can refer to this answer for more details.
How can I add two orderers to the same channel?
EDIT
Check your environment in cli container :
$ env
Then check these variables are exported properly, if not, do them.
export CORE_PEER_LOCALMSPID="Org2MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/users/Admin#org2.example.com/msp
export CORE_PEER_ADDRESS=peer0.org2.example.com:7051

I experienced this error in Node-SDK while creating a new channel.
Whenever we update the consortium we must generate the new transaction file for the channel.
In my case, I forgot to generate the respective one and hence got the error.
I generated a new transaction file mychannel.tx
And it resolved my issue.

Error: got unexpected status: FORBIDDEN -- Failed to reach implicit threshold of 1 sub-policies, required 1 remaining: permission denied

My fabric version is 1.1.0-preview, the peer, orderer, configtxgen is newly generated.
when I execute the configtxgen tool:
configtxgen -profile SoloOrdererGenesis -outputBlock genesis.block
configtxgen -profile mych -outputCreateChannelTx channel-artifacts/mych.tx -channelID mych
It generate the genesis.block and mych.tx with channelName is mych.
Then orderer start with genesis.block, I execute following:
peer channel create -f mych.tx -o orderer.example.com:7050 -c mych
it throw the error,
Error: got unexpected status: FORBIDDEN -- Failed to reach implicit threshold of 1 sub-policies, required 1 remaining: permission denied
which step is wrong?
my configtx.yaml file is:
---
Profiles:
SoloOrdererGenesis:
Orderer:
<<: *OrdererDefaults
Organizations:
- *OrdererOrg
Consortiums:
SampleConsortium4:
Organizations:
- *Org1
- *Org2
- *Org3
- *Org4
SampleConsortium3:
Organizations:
- *Org1
- *Org2
- *Org3
SampleConsortium2:
Organizations:
- *Org1
- *Org2
SampleConsortium1:
Organizations:
- *Org1
mych4:
Consortium: SampleConsortium4
Application:
<<: *ApplicationDefaults
Organizations:
- *Org1
- *Org2
- *Org3
- *Org4
mych3:
Consortium: SampleConsortium3
Application:
<<: *ApplicationDefaults
Organizations:
- *Org1
- *Org2
- *Org3
mych2:
Consortium: SampleConsortium2
Application:
<<: *ApplicationDefaults
Organizations:
- *Org1
- *Org2
mych1:
Consortium: SampleConsortium1
Application:
<<: *ApplicationDefaults
Organizations:
- *Org1
Organizations:
- &OrdererOrg
Name: OrdererOrg
ID: OrdererMSP
MSPDir: orderer/msp
- &Org1
Name: Org1MSP
ID: Org1MSP
MSPDir: org1/peer/msp
AnchorPeers:
- Host: peer.org1.example.com
Port: 17051
- &Org2
Name: Org2MSP
ID: Org2MSP
MSPDir: org2/peer/msp
AnchorPeers:
- Host: peer.org2.example.com
Port: 27051
Orderer: &OrdererDefaults
OrdererType: solo
Addresses:
- orderer.example.com:7050
BatchTimeout: 2s
BatchSize:
MaxMessageCount: 10
AbsoluteMaxBytes: 99 MB
PreferredMaxBytes: 512 KB
Organizations:
Application: &ApplicationDefaults
Organizations:

When I got this problem my solutions was pretty simple .. I had already started my network using
/byfn.sh -m up
forgot about it and was trying to start it first by generating the crypto and then using the same command.
The problem was resolved as soon as I first downed the old network using
/byfn.sh -m down
and started again with the same up command.

It could very well be a simple matter of the wrong path for a file. When you generated the mych.tx file, you wrote it to channel-artifacts/mych.tx but when try to create the channel, you left out the channel-artifacts directory. You could try peer channel create -f channel-artifacts/mych.tx -o orderer.example.com:7050 -c mych
That said, I just had a similar problem with the same error. I was testing a newly created genesis block and crypto. In my case, it was the result of the previous crypto and channel being stored in a Docker volume from one of my previous tests. That may not be the case with you, since you said you are creating a new peer and orderer.
You can check on that by connecting to one of the peers (or cli container if you have one) with docker exec -it <container name> bash and then running peer channel list. If you get something like this back, then that's your problem:
root#4cf873123669:/opt/gopath/src/github.com/hyperledger/fabric/peer# peer channel list
2018-04-05 14:09:40.734 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing local MSP
2018-04-05 14:09:40.734 UTC [msp] GetDefaultSigningIdentity -> DEBU 002 Obtaining default signing identity
2018-04-05 14:09:40.739 UTC [channelCmd] InitCmdFactory -> INFO 003 Endorser and orderer connections initialized
2018-04-05 14:09:40.740 UTC [msp/identity] Sign -> DEBU 004 Sign: plaintext: 0AAE070A5C08031A0C08A4DC98D60510...631A0D0A0B4765744368616E6E656C73
2018-04-05 14:09:40.740 UTC [msp/identity] Sign -> DEBU 005 Sign: digest: 93EFB49DD86ABB5568DE1E2C8FC53FA99AB52929AFA24D7B317C270DE8CDC80B
Channels peers has joined:
mych
2018-04-05 14:09:40.743 UTC [main] main -> INFO 006 Exiting.....
If you don't see the mych listed under "Channels peers has joined:", then my answer is not pertinent to you. (But may be to someone else!)
Here is how you would restore your local Hyperledger Docker instance to a clean state:
docker-compose -f docker-compose.yaml down --volumes
The --volumes tells Docker to remove any volumes associated with the containers in the configuration file.
For good measure, I just wiped everything (all Docker containers and volumes - this was a test system) down to a blank slate and started the process all over:
docker-compose -f docker-compose.yaml down --volumes
docker rm $(docker ps -aq)
docker volume prune
rm genesis.block channel-artifacts/mych.tx
Once I removed those, and started the Fabric back up, I was able to create the channel without getting that error.
If it doesn't work last resort will be sudo service docker restart which will restart all the docker services like docker system, network and volumes.

configtxgen -profile TwoOrgsOrdererGenesis -outputBlock ./channel-
artifacts/genesis.block -channelID $CHANNEL_NAME
while creating the genesis block you need pass the syschannelname.
while creating channel use the different channel name.
Eg:
1.sysmych
2.mych

It would be clearer if you share the debug log of orderer. To enable debug add
- ORDERER_GENERAL_LOGLEVEL=debug
in your docker compose file under orderer service, and start your network again. you can then print out the log using command
docker logs CONTAINER_NAME --details
I suggest to print the log before and after running the create channel command.

I had the same Error got resolved as below
you may need to add
Go path also
export GOPATH=$HOME/go
export PATH=$PATH:$GOPATH/bin
echo $GOPATH
followed by /byfn.sh -m down if it is Up Earlier.
reference:
https://hyperledger-fabric.readthedocs.io/en/release-1.1/prereqs.html

If any of the solutions on this page didn't work out for anyone then try removing your network from docker networks. View your docker networks by running docker network ls and remove your network by running docker network rm <network-name>.
Removing docker network worked out for me but I did this on a dev server.

In my case the problem was with the permission as well as network already being up( partially).
I had started with "./byfn.sh up" without using sudo , so i got error for first time.
Next, i did "sudo su" then ran "./byfn up", again i got error.
Referring to one of the answers here being a superuser i did "./byfn down" and then "./byfn up" now, this worked for me.

I encounter this issue many times, always use docker volume prune to solve it.