Error while migrating from Kafka to Raft in Hyperledger Fabric - hyperledger-fabric

I am migrating from Kafka to Raft. I have changed the state from "NORMAL" to "STATE_MAINTENANCE" and created the final expected envelope as per the procedure.
Note: We are using BYFN script
HF version: 1.4.3
My CLI pointed to Org1MSP, I signed the config update transaction, later I changed the CLI to point to Org2MSP and signed, and finally submitted the new channel config update to the orderer. After submission, I get the following error message.
Error on CLI: "Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'mychannel': error authorizing update: error validating DeltaSet: policy for [Value]  /Channel/Orderer/ConsensusType not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied"
Orderer log: "[channel: mychannel] Rejecting broadcast of config message from 172.21.0.13:51078 because of error: error applying config update to existing channel 'mychannel': error authorizing update: error validating DeltaSet: policy for [Value]  /Channel/Orderer/ConsensusType not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied"
Please let me know if I am doing something wrong.
Thanks in advance.

By default, the cryptogen tool generates the orderer admin user certificate with OU client for Fabric version 1.4.3.
For the peer admin user, it generates the certificate with OU admin, which is correct (expected). In the case of the orderer, it creates the wrong OU (Organizational Unit), client. We need to add the following part to crypto-config.yaml in the orderer section.
CA:
  OrganizationalUnit: admin
Once you have added the above part, recreate the certificates and check that the orderer certificate's OU is admin with the following command:
openssl x509 -in certificate.crt -noout -text

Related

peer create channel policies issue

I am trying to create a channel for my Hyperledger Fabric network using the following command:
peer channel create -o localhost:7050 -c $CHANNEL_NAME --ordererTLSHostnameOverride orderer.supplychain.com -f ../artifacts-channels/${CHANNEL_NAME}.tx --outputBlock ../artifacts-channels/${CHANNEL_NAME}.block --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA
I get as result the following error :
Error: got unexpected status: FORBIDDEN -- config update for existing channel did not pass initial checks: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied"
I get also in the docker logs of orderer container this error:
Invalid identity: certificate subject=CN=Admin@productionlaborg.supplychain.com,OU=admin,L=San Francisco,ST=California,C=US serialnumber=209542001001378907007459857235386288226 error="the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"ca.productionlaborg.supplychain.com\")"
Know that I use the correct path of the "MSP folder" of the admin "Admin@productionlaborg" who created the channel.

Facing issue while joining a org to the existing channel in hyperledger fabric

We are using Fabric v2.2. Our network setup has 5 channels. Org1 is a part of all the channels. Other than that each channel has 2 individual orgs. So totally 3 orgs are part of each channel. We have 5 orderers.
When we try to join a new org, say org12, to each channel, we are facing an issue when using the following command.
peer channel update -f org12/org12_update_in_envelope.pb -c testchannel -o orderer1.org-net:7050 --ordererTLSHostnameOverride orderer1.org-net --tls --cafile $ORDERER_CA
This is the error message we are getting
Error:
got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'testchannel': error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 2 of the 'Admins' sub-policies to be satisfied
Can anyone please suggest how can we proceed?

Hyperledger Fabric - change max_message_count configuration update "Error Validating Delta Set" following tutorial

I'm executing tutorials on Hyperledger Fabric First Network (version 1.4) and I get an unexpected error when trying to change max_message_count variable from 10 to 20 in channel configuration.
I'm using this tutorial: https://hyperledger-fabric.readthedocs.io/en/release-1.4/channel_update_tutorial.html
Obviously, I don't change the Org list of the channel as in the tutorial, I only change the parameter:
cat config.json | sed 's/"max_message_count": 10/"max_message_count": 20/g' > new_config.json
Then I execute the encoding of the new and old configuration in protobuf, compute the update, decode the update to JSON, add the envelope and re-encode the envelope to protobuf. It is okay.
Then I sign the update with both organizations and try to update, but it gives me this error:
Error: got unexpected status: BAD_REQUEST -- error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/BatchSize not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
This is the decoded update, as you can see it is signed by both Org1MSP and Org2MSP: https://controlc.com/486d638a
These are the logs from orderer:
2020-12-10 17:28:04.282 UTC [cauthdsl] deduplicate -> WARN 01c De-duplicating identity [Org2MSPd2b5a4f881b520ad90a0ae5db7bd0b5362fae2d5916d972751da9bd35fb97f9b] at index 2 in signature set
2020-12-10 17:28:04.282 UTC [orderer.common.broadcast] ProcessMessage -> WARN 01d [channel: mychannel] Rejecting broadcast of config message from 172.20.0.7:56874 because of error: error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/BatchSize not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
Self-answer.
This type of modification needs the signature of the orderer:
export CORE_PEER_ADDRESS=orderer.example.com:7050
# Sign as the orderer org admin: both the MSP ID and the MSP path must point at OrdererMSP before signing
export CORE_PEER_LOCALMSPID=OrdererMSP
export CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/users/Admin@example.com/msp/
peer channel signconfigtx -f org3_update_in_envelope.pb
# Submit the signed envelope; the orderer to send to is given with -o
export CORE_PEER_ADDRESS=peer0.org1.example.com:7051
peer channel update -f org3_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.example.com:7050 --tls --cafile $ORDERER_CA
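As an added example (not code from the original posts or from Fabric itself), the following Python models how the orderer authorizes a config update, which is what produces the errors quoted in the Kafka-to-Raft question, the org12 join question and this max_message_count question: every key in the DeltaSet is checked against its mod_policy, an ImplicitMeta policy whose threshold is 1 for ANY and n/2+1 for MAJORITY over the child orgs' Admins sub-policies, after duplicate signers are dropped. The channel layout, MSP IDs and signer identities are constructed; the NodeOU versus admincerts handling follows the first answer's point that an orderer admin issued with OU=client does not count as an admin.

```python
"""Toy model of Fabric config-update authorization (added example, not Fabric code).

It reproduces only the shape of the checks behind errors such as
'policy for [Value] /Channel/Orderer/ConsensusType not satisfied: implicit policy
evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the
'Admins' sub-policies to be satisfied'. Channel, MSP IDs and identities are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """A signer: MSP ID plus the NodeOU role carried in the certificate's OU field."""
    mspid: str
    ou: str                      # "admin", "client", "peer" or "orderer"
    in_admincerts: bool = False  # explicit admincerts entry (pre-NodeOUs style)


class SignaturePolicy:
    """Org-level policy such as OR('Org1MSP.admin'): true if any signer matches a principal."""

    def __init__(self, *principals, node_ous=True):
        self.principals = [tuple(p.split(".")) for p in principals]
        self.node_ous = node_ous

    def _matches(self, ident, mspid, role):
        if ident.mspid != mspid:
            return False
        if role == "member":
            return True
        if role == "admin":
            # With NodeOUs an OU=admin cert is an admin; without them only admincerts count.
            return ident.in_admincerts or (self.node_ous and ident.ou == "admin")
        return self.node_ous and ident.ou == role

    def satisfied(self, signers):
        return any(self._matches(s, m, r) for s in signers for m, r in self.principals)


class ImplicitMetaPolicy:
    """Group-level policy: ANY / ALL / MAJORITY of the named sub-policy across child orgs."""

    def __init__(self, rule, sub_policy_name, children):
        self.rule, self.name, self.children = rule, sub_policy_name, children

    def threshold(self):
        n = len(self.children)
        return {"ANY": 1, "ALL": n, "MAJORITY": n // 2 + 1}[self.rule]

    def satisfied(self, signers):
        hits = sum(1 for p in self.children.values() if p.satisfied(signers))
        return hits, self.threshold()


def authorize_update(channel, delta_set, signatures):
    """Return None if every modified key's mod_policy is met, else the first error string.

    channel: {key: (kind, ImplicitMetaPolicy)}; delta_set: keys the update touches;
    signatures: list of Identity (duplicates are dropped, like the orderer's de-duplication).
    """
    signers = set(signatures)
    for key in delta_set:
        kind, policy = channel[key]
        hits, need = policy.satisfied(signers)
        if hits < need:
            return (f"policy for [{kind}] {key} not satisfied: implicit policy evaluation "
                    f"failed - {hits} sub-policies were satisfied, but this policy requires "
                    f"{need} of the '{policy.name}' sub-policies to be satisfied")
    return None


def admins(*mspids):
    return {m: SignaturePolicy(f"{m}.admin") for m in mspids}


# Constructed channel: Orderer values are modifiable by ANY orderer-org admin,
# the Application group by a MAJORITY of its three org admins (2 of 3).
CHANNEL = {
    "/Channel/Orderer/ConsensusType": ("Value", ImplicitMetaPolicy("ANY", "Admins", admins("OrdererMSP"))),
    "/Channel/Orderer/BatchSize": ("Value", ImplicitMetaPolicy("ANY", "Admins", admins("OrdererMSP"))),
    "/Channel/Application": ("Group", ImplicitMetaPolicy("MAJORITY", "Admins", admins("Org1MSP", "Org2MSP", "Org3MSP"))),
}

ORG1_ADMIN = Identity("Org1MSP", "admin")
ORG2_ADMIN = Identity("Org2MSP", "admin")
ORDERER_ADMIN = Identity("OrdererMSP", "admin")
ORDERER_CLIENT = Identity("OrdererMSP", "client")  # an orderer "admin" cert mis-issued with OU=client

if __name__ == "__main__":
    print(authorize_update(CHANNEL, ["/Channel/Orderer/ConsensusType"], [ORG1_ADMIN, ORG2_ADMIN]))
    print(authorize_update(CHANNEL, ["/Channel/Orderer/ConsensusType"], [ORG1_ADMIN, ORG2_ADMIN, ORDERER_ADMIN]))
    print(authorize_update(CHANNEL, ["/Channel/Application"], [ORG1_ADMIN, ORG1_ADMIN]))
```

Signing the same envelope twice with the same org admin, as in the de-duplication warning in the orderer log above, still counts as one satisfied sub-policy; only an identity that matches the mod_policy's own child orgs (the orderer org for /Channel/Orderer values) moves the count.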

implicit policy evaluation failed - 0 sub-policies were satisfied,

I'm getting this error when I am trying to create a channel by running:
peer channel create -o orderer.aj.io:7050 -c channel1 -f /config/channel1.tx
Here are my logs:
2019-10-21 05:50:13.950 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: got unexpected status: FORBIDDEN -- implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied
What this error means is that the user you are using to create the channel does not have 'Write' permissions; in other words, it is not an Admin.
In most cases this happens when you use the peer's cryptographic material to create the channel instead of the Admin's (check where the CORE_PEER_MSPCONFIGPATH environment variable points).
As another user mentioned in another post: there is a new feature in 1.4.3 which allows you to specify an OU for admin rather than explicitly putting certificates in the admincerts folder.
In your crypto-config, you set EnableNodeOUs: true and this automatically enables OUs for all supported roles.
You'll see something like
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/ca.sampleorg-cert.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/ca.sampleorg-cert.pem
    OrganizationalUnitIdentifier: peer
  AdminOUIdentifier:
    Certificate: cacerts/ca.sampleorg-cert.pem
    OrganizationalUnitIdentifier: admin
  OrdererOUIdentifier:
    Certificate: cacerts/ca.sampleorg-cert.pem
    OrganizationalUnitIdentifier: orderer
in the msp/config.yaml file (in your case in crypto-config/peerorganisation/org1.example.com/msp/crypto.yaml).
Note the AdminOUIdentifier field. This means that any cert issued by the CA for your org which contains an OU=admin is now considered an admin. The certificate generated for the admin user under your org MSP is also generated with OU=admin (e.g. Subject: C=US, ST=California, L=San Francisco, OU=admin, CN=Admin@sampleorg).
Another reason could be that in your configtx.yaml you haven't set your policies properly for each section (that was my problem).
Check the configtx.yaml file from the first-network sample and try to set them accordingly

MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority Hyperledger Fabric

I first generate crypto materials using cryptogen and then start, for example, org1 CA server like so:
fabric-ca-server start --ca.certfile $(ls crypto-config/peerOrganizations/org1/ca/*.pem) --ca.keyfile $(ls crypto-config/peerOrganizations/org1/ca/*_sk) -d -b admin:adminpw --port 7054
From NodeJS SDK I can enroll admin and register (and enroll) new users. But when I try to access Fabric network with these new user credentials or even admin credentials, I get the below error on SDK console:
root@peer0:/var/hyperledger/api# ts-node src/invoke.ts
Wallet path: /var/hyperledger/api/wallet
2019-10-08T13:32:17.819Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G0:0 - endorsement failed - Error: 2 UNKNOWN: access denied: channel [private-channel] creator org [Org1MSP]
2019-10-08T13:32:17.826Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G0:0 - endorsement failed - Error: 2 UNKNOWN: access denied: channel [private-channel] creator org [Org1MSP]
2019-10-08T13:32:17.833Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G1:0 - endorsement failed - Error: 2 UNKNOWN: access denied: channel [private-channel] creator org [Org1MSP]
2019-10-08T13:32:17.841Z - warn: [DiscoveryEndorsementHandler]: _build_endorse_group_member >> G1:0 - endorsement failed - Error: 2 UNKNOWN: access denied: channel [private-channel] creator org [Org1MSP]
Failed to submit transaction: Error: Endorsement has failed
peer log says:
MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority.
I'm using exactly the same credentials in the peer CLI container and the SDK. I can do all chaincode operations from the CLI, but why don't the peers accept connections from the SDK?
Does FABRIC_CA_SERVER_CA_NAME have anything to do with it? Does cryptogen also create a FABRIC_CA_SERVER_CA_NAME for the CA server? If so, are peer credentials associated with the CA name? In the NodeJS SDK, I tried caName=ca-org1 as well as caName=ca.org1, but I'm still getting the same error.
I ran into this (or something very similar) and managed to resolve it. The issue for me was incorrect paths to my .pem and private key files in the fabric-ca-server start command.
If the paths are incorrect, when the CA container starts it will be unable to locate your files (generated by cryptogen), so it will generate its own.
The enroll and register scripts generate identities based on your cryptogen material, which is correct, but they're not the certs your CA has decided to generate for you.
To check if this is what's happening, have a look at the CA logs:
docker logs <your ca container>
Near the top where the server starts up, look for messages referring to missing keys, or messages about generating files.
Hope that helps.
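One way to confirm the failure mode this answer describes (the CA container could not read the cryptogen files and minted its own root, so its identities chain to a CA no peer trusts), as an added example rather than code from the post or from fabric-ca: compare the SHA-256 fingerprint of the certificate the CA serves with the trust roots in the MSP's cacerts folder, using only the Python standard library. The PEM blobs below are constructed placeholders whose bodies are not real certificates; the file locations named in the docstring (FABRIC_CA_HOME/ca-cert.pem, crypto-config/.../msp/cacerts) are assumptions about a typical cryptogen/fabric-ca layout.

```python
"""Check that a Fabric CA serves the same root certificate the MSPs trust (added example).

Not Fabric or fabric-ca code: stdlib PEM parsing plus SHA-256 fingerprints, the same value
`openssl x509 -noout -fingerprint -sha256` prints. In a live setup the inputs would be
$FABRIC_CA_HOME/ca-cert.pem and crypto-config/peerOrganizations/<org>/msp/cacerts/*.pem
(assumed locations). The PEM blobs at the bottom are constructed stand-ins.
"""
import base64
import hashlib
import re

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_blobs(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file (cacerts may hold several)."""
    return [base64.b64decode("".join(body.split())) for body in _PEM_BLOCK.findall(pem_text)]


def fingerprints(pem_text):
    """SHA-256 fingerprints formatted like openssl: colon-separated upper-case hex pairs."""
    out = []
    for der in der_blobs(pem_text):
        digest = hashlib.sha256(der).hexdigest().upper()
        out.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return out


def ca_trusted_by_msp(ca_cert_pem, msp_cacerts_pem):
    """True if the CA server's certificate is one of the MSP's trust roots.

    False is the situation in the answer above: fabric-ca-server could not read the cryptogen
    key pair, generated its own CA, and now signs identities the peers reject as
    'certificate signed by unknown authority'.
    """
    ca = fingerprints(ca_cert_pem)
    if len(ca) != 1:
        raise ValueError("ca-cert.pem should contain exactly one certificate")
    return ca[0] in set(fingerprints(msp_cacerts_pem))


def _pem(payload):
    """Wrap arbitrary bytes as a PEM CERTIFICATE block (constructed test data only)."""
    body = base64.b64encode(payload).decode()
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"


# Constructed inputs: the cryptogen root, an MSP cacerts bundle that trusts it plus one more
# root, and a ca-cert.pem written by a fabric-ca-server that minted its own key pair.
CRYPTOGEN_ROOT = _pem(b"constructed DER stand-in: ca.org1 root generated by cryptogen" * 3)
MSP_CACERTS = CRYPTOGEN_ROOT + _pem(b"constructed DER stand-in: a second trusted root" * 3)
SELF_MINTED_CA = _pem(b"constructed DER stand-in: ca-cert.pem written by fabric-ca-server" * 3)

if __name__ == "__main__":
    print("cryptogen root trusted:", ca_trusted_by_msp(CRYPTOGEN_ROOT, MSP_CACERTS))
    print("self-minted CA trusted:", ca_trusted_by_msp(SELF_MINTED_CA, MSP_CACERTS))
```

A False result points straight at the `--ca.certfile`/`--ca.keyfile` paths in the `fabric-ca-server start` command, which is where the CA logs mentioned above will also show it generating new key material.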
