0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied - hyperledger-fabric

I am facing an issue bringing up my fabric network.
Error: got unexpected status: FORBIDDEN -- implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied
I cannot see how to solve.
The configuration is very simple but the problem seems related to policies.
I already tried to bring down the network and up, I tried removing volumes and everything that is said under other threads, but cannot solve.
I bringed up a network many times but never faced issue like this.
Also, the certificates have been regenerated from scratch, the sk file has been modified into the yml file, and the config file contains the artefacts for the network.
Essentially, I can bring down all the dockers but as soon as the script run this command
docker exec -e $CORE_PEER_LOCALMSPID -e $CORE_MSP_CONFIG_PATH $CLI peer channel create -o $ORDERER1:7050 -c $CHANNEL_NAME -f /etc/hyperledger/configtx/channel.tx
so it tries to create the channel, it fails.
I share also the configtx file that should be involved in the issue>
# Section: Organizations
# SPDX-License-Identifier: Apache-2.0
# Section: Organizations
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
# SampleOrg defines an MSP using the sampleconfig. It should never be used
# in production but may be used as a template for other definitions
- &OrdererOrg
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: OrdererOrg
# ID to load the MSP definition as
ID: OrdererMSP
# MSPDir is the filesystem path which contains the MSP configuration
MSPDir: crypto-config/ordererOrganizations/example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('OrdererMSP.member')"
Type: Signature
Rule: "OR('OrdererMSP.member')"
Type: Signature
Rule: "OR('OrdererMSP.admin')"
- &Org1
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org1MSP
# ID to load the MSP definition as
MSPDir: crypto-config/peerOrganizations/org1.example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
Type: Signature
Rule: "OR('Org1MSP.admin')"
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer0.org1.example.com
Port: 7051
- Host: peer1.org1.example.com
Port: 8051
# SECTION: Application
# - This section defines the values to encode into a config transaction or
# genesis block for application related parameters
Application: &ApplicationDefaults
# Organizations is the list of orgs which are defined as participants on
# the application side of the network
# Readers:
# Type: ImplicitMeta
# Rule: "ANY Readers"
# Writers:
# Type: ImplicitMeta
# Rule: "ANY Writers"
# Admins:
# Type: ImplicitMeta
# Rule: "MAJORITY Admins"
# SECTION: Orderer
# - This section defines the values to encode into a config transaction or
# genesis block for orderer related parameters
Orderer: &OrdererDefaults
# Orderer Type: The orderer implementation to start
# Available types are "solo" and "kafka"
OrdererType: solo
- orderer.example.com:7050
# Batch Timeout: The amount of time to wait before creating a batch
BatchTimeout: 500ms
# Batch Size: Controls the number of messages batched into a block
# Max Message Count: The maximum number of messages to permit in a batch
MaxMessageCount: 15
# Absolute Max Bytes: The absolute maximum number of bytes allowed for
# the serialized messages in a batch.
AbsoluteMaxBytes: 99 MB
# Preferred Max Bytes: The preferred maximum number of bytes allowed for
# the serialized messages in a batch. A message larger than the preferred
# max bytes will result in a batch larger than preferred max bytes.
PreferredMaxBytes: 512 kb
# Brokers: A list of Kafka brokers to which the orderer connects
# NOTE: Use IP:port notation
# -
# Organizations is the list of orgs which are defined as participants on
# the orderer side of the network
# Readers:
# Type: ImplicitMeta
# Rule: "ANY Readers"
# Writers:
# Type: ImplicitMeta
# Rule: "ANY Writers"
# Admins:
# Type: ImplicitMeta
# Rule: "MAJORITY Admins"
# # BlockValidation specifies what signatures must be included in the block
# # from the orderer for the peer to validate it.
# BlockValidation:
# Type: ImplicitMeta
# Rule: "ANY Writers"
# This section defines the values to encode into a config transaction or
# genesis block for channel related parameters.
Channel: &ChannelDefaults
# Policies defines the set of policies at this level of the config tree
# For Channel policies, their canonical path is
# /Channel/<PolicyName>
# # Who may invoke the 'Deliver' API
# Readers:
# Type: ImplicitMeta
# Rule: "ANY Readers"
# # Who may invoke the 'Broadcast' API
# Writers:
# Type: ImplicitMeta
# Rule: "ANY Writers"
# # By default, who may modify elements at this config level
# Admins:
# Type: ImplicitMeta
# Rule: "MAJORITY Admins"
# Profile
# - Different configuration profiles may be encoded here to be specified
# as parameters to the configtxgen tool
<<: *OrdererDefaults
- *OrdererOrg
- *Org1
Consortium: SampleConsortium
<<: *ChannelDefaults
<<: *ApplicationDefaults
- *Org1
Updated confixtx after your comments:
# Section: Organizations
# SPDX-License-Identifier: Apache-2.0
# Section: Organizations
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
# SampleOrg defines an MSP using the sampleconfig. It should never be used
# in production but may be used as a template for other definitions
- &OrdererOrg
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: OrdererOrg
# ID to load the MSP definition as
ID: OrdererMSP
# MSPDir is the filesystem path which contains the MSP configuration
MSPDir: crypto-config/ordererOrganizations/example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('OrdererMSP.member')"
Type: Signature
Rule: "OR('OrdererMSP.member')"
Type: Signature
Rule: "OR('OrdererMSP.admin')"
- &Org1
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org1MSP
# ID to load the MSP definition as
MSPDir: crypto-config/peerOrganizations/org1.example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('Org1MSP.member')"
Type: Signature
Rule: "OR('Org1MSP.member')"
Type: Signature
Rule: "OR('Org1MSP.member')"
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer0.org1.example.com
Port: 7051
- Host: peer1.org1.example.com
Port: 8051
# SECTION: Application
# - This section defines the values to encode into a config transaction or
# genesis block for application related parameters
Application: &ApplicationDefaults
# Organizations is the list of orgs which are defined as participants on
# the application side of the network
Type: ImplicitMeta
Rule: "ANY Readers"
Type: ImplicitMeta
Rule: "ANY Writers"
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# SECTION: Orderer
# - This section defines the values to encode into a config transaction or
# genesis block for orderer related parameters
Orderer: &OrdererDefaults
# Orderer Type: The orderer implementation to start
# Available types are "solo" and "kafka"
OrdererType: solo
- orderer.example.com:7050
# Batch Timeout: The amount of time to wait before creating a batch
BatchTimeout: 500ms
# Batch Size: Controls the number of messages batched into a block
# Max Message Count: The maximum number of messages to permit in a batch
MaxMessageCount: 15
# Absolute Max Bytes: The absolute maximum number of bytes allowed for
# the serialized messages in a batch.
AbsoluteMaxBytes: 99 MB
# Preferred Max Bytes: The preferred maximum number of bytes allowed for
# the serialized messages in a batch. A message larger than the preferred
# max bytes will result in a batch larger than preferred max bytes.
PreferredMaxBytes: 512 kb
# Kafka:
# Brokers: A list of Kafka brokers to which the orderer connects
# NOTE: Use IP:port notation
# Brokers:
# -
# Organizations is the list of orgs which are defined as participants on
# the orderer side of the network
Type: ImplicitMeta
Rule: "ANY Readers"
Type: ImplicitMeta
Rule: "ANY Writers"
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# BlockValidation specifies what signatures must be included in the block
# from the orderer for the peer to validate it.
Type: ImplicitMeta
Rule: "ANY Writers"
# This section defines the values to encode into a config transaction or
# genesis block for channel related parameters.
Channel: &ChannelDefaults
# Policies defines the set of policies at this level of the config tree
# For Channel policies, their canonical path is
# /Channel/<PolicyName>
# Who may invoke the 'Deliver' API
Type: ImplicitMeta
Rule: "ANY Readers"
# Who may invoke the 'Broadcast' API
Type: ImplicitMeta
Rule: "ANY Writers"
# By default, who may modify elements at this config level
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# Profile
# - Different configuration profiles may be encoded here to be specified
# as parameters to the configtxgen tool
<<: *ChannelDefaults
<<: *OrdererDefaults
- *OrdererOrg
- *Org1
<<: *ChannelDefaults
Consortium: SampleConsortium
<<: *ApplicationDefaults
- *Org1

Is your client an administrator of Org1?
Have you configured NodeOUs (https://hyperledger-fabric.readthedocs.io/en/release-1.4/msp.html#identity-classification)?
You can try without NodeOUs, which is less restrictive, by changing your Org1 policies to...
Type: Signature
Rule: "OR('Org1MSP.member')"
Type: Signature
Rule: "OR('Org1MSP.member')"
Type: Signature
Rule: "OR('Org1MSP.admin')"
...and regenerating the required stuff (genesis block, channel transactions, etc.).
You can uncomment the rest of policies.

OK. From your logs (when something fails, look at the logs):
2019-11-20 15:45:04.331 UTC [policies] Evaluate -> DEBU 2e7 == Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdererOrg/Writers ==
Thus /Channel/Orderer/OrdererOrg/Writers is being evaluated.
The certificate signing the request is:
So lets decode it:
openssl x509 -text -noout -in cert.pem
Version: 3 (0x2)
Serial Number:
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = California, L = San Francisco, O = org1.example.com, CN = ca.org1.example.com
Not Before: Nov 20 15:33:00 2019 GMT
Not After : Nov 17 15:33:00 2029 GMT
Subject: C = US, ST = California, L = San Francisco, CN = Admin#org1.example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
ASN1 OID: prime256v1
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Basic Constraints: critical
X509v3 Authority Key Identifier:
Signature Algorithm: ecdsa-with-SHA256
It looks good, but the most important thing is the message:
2019-11-20 15:45:04.332 UTC [cauthdsl] deduplicate -> ERRO 2ea Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
The orderer is not recognising the CA signing your request. Are you totally sure that your client's certificate (the one received above) is signed by the same CA that was configured into your configtx.yaml (crypto-config/peerOrganizations/org1.example.com/msp/cacerts/whateveritiscalled.pem) before executing configtxgen commands to generate the genesis block (and other stuff) and running your orderer. I bet it is not. At some time you have run cryptogen again and your client's certificate is signed by other (a newer or older) CA than the one specified for the Org1 MSP in the configtx.yaml at the time of generating the genesis block used by your orderer.

I had to add the ChannelDefaults to the genesis block something like this:
<<: *ChannelDefaults
<<: *OrdererDefaults


FORBIDDEN -- config update for existing channel did not pass initial checks: implicit policy evaluation failed

I'm trying to create an application channel for a hyperledger fabric network which consists of:
certificate authority for all participants
TLS certificate authority for ordering nodes and peers
one ordering node
one peer node
Below is my configtx.yaml:
# Section: Organizations
# SPDX-License-Identifier: Apache-2.0
# Section: Organizations
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
# SampleOrg defines an MSP using the sampleconfig. It should never be used
# in production but may be used as a template for other definitions
- &OrdererOrg
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: OrdererOrg
# ID to load the MSP definition as
ID: OrdererMSP
# MSPDir is the filesystem path which contains the MSP configuration
MSPDir: path/to/orderers/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies: &SampleOrgPolicies
Type: Signature
Rule: "OR('OrdererMSP.member')"
Type: Signature
Rule: "OR('OrdererMSP.member')"
Type: Signature
Rule: "OR('OrdererMSP.admin')"
- "localhost:7050"
# Anchor node (Anchor Peer): Each organization can specify Anchor Peer, Nodes of other organizations can Gossip Message sent to this Anchor Peer On , , in turn, Anchor Peer Will get the whole network information , Block broadcast to the organization ;
- Host: localhost
Port: 7051
- &Org1
Name: Org1MSP
MSPDir: path/to/peer1/msp
Policies: &Org1Policies
Type: Signature
Rule: "OR('Org1MSP.member')"
Type: Signature
Rule: "OR('Org1MSP.member')"
Type: Signature
Rule: "OR('Org1MSP.admin')"
Type: Signature
Rule: "OR('Org1MSP.peer')"
- &Org2
Name: Org2MSP
MSPDir: path/to/peer2/msp
Policies: &Org2Policies
Type: Signature
Rule: "OR('Org2MSP.member')"
Type: Signature
Rule: "OR('Org2MSP.member')"
Type: Signature
Rule: "OR('Org2MSP.admin')"
Type: Signature
Rule: "OR('Org2MSP.peer')"
# AnchorPeers:
# - Host: localhost
# Port: 7051
# SECTION: Capabilities
# - This section defines the capabilities of fabric network. This is a new
# concept as of v1.1.0 and should not be utilized in mixed networks with
# v1.0.x peers and orderers. Capabilities define features which must be
# present in a fabric binary for that binary to safely participate in the
# fabric network. For instance, if a new MSP type is added, newer binaries
# might recognize and validate the signatures from this type, while older
# binaries without this support would be unable to validate those
# transactions. This could lead to different versions of the fabric binaries
# having different world states. Instead, defining a capability for a channel
# informs those binaries without this capability that they must cease
# processing transactions until they have been upgraded. For v1.0.x if any
# capabilities are defined (including a map with all capabilities turned off)
# then the v1.0.x peer will deliberately crash.
# Channel capabilities apply to both the orderers and the peers and must be
# supported by both.
# Set the value of the capability to true to require it.
Channel: &ChannelCapabilities
# V2_0 capability ensures that orderers and peers behave according
# to v2.0 channel capabilities. Orderers and peers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 capability.
# Prior to enabling V2.0 channel capabilities, ensure that all
# orderers and peers on a channel are at v2.0.0 or later.
V2_0: true
# Orderer capabilities apply only to the orderers, and may be safely
# used with prior release peers.
# Set the value of the capability to true to require it.
Orderer: &OrdererCapabilities
# V2_0 orderer capability ensures that orderers behave according
# to v2.0 orderer capabilities. Orderers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 orderer capability.
# Prior to enabling V2.0 orderer capabilities, ensure that all
# orderers on channel are at v2.0.0 or later.
V2_0: true
# Application capabilities apply only to the peer network, and may be safely
# used with prior release orderers.
# Set the value of the capability to true to require it.
Application: &ApplicationCapabilities
# V2_0 application capability ensures that peers behave according
# to v2.0 application capabilities. Peers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 application capability.
# Prior to enabling V2.0 application capabilities, ensure that all
# peers on channel are at v2.0.0 or later.
V2_0: true
# SECTION: Application
# - This section defines the values to encode into a config transaction or
# genesis block for application related parameters
Application: &ApplicationDefaults
# Organizations is the list of orgs which are defined as participants on
# the application side of the network
# Policies defines the set of policies at this level of the config tree
# For Application policies, their canonical path is
# /Channel/Application/<PolicyName>
Policies: &ApplicationPolicies
Type: ImplicitMeta
Rule: "ANY Readers"
Type: ImplicitMeta
Rule: "ANY Writers"
Type: ImplicitMeta
Rule: "MAJORITY Admins"
Type: ImplicitMeta
Rule: "MAJORITY Endorsement"
Type: ImplicitMeta
Rule: "MAJORITY Endorsement"
<<: *ApplicationCapabilities
# SECTION: Orderer
# - This section defines the values to encode into a config transaction or
# genesis block for orderer related parameters
Orderer: &OrdererDefaults
# Orderer Type: The orderer implementation to start
OrdererType: etcdraft
# Addresses used to be the list of orderer addresses that clients and peers
# could connect to. However, this does not allow clients to associate orderer
# addresses and orderer organizations which can be useful for things such
# as TLS validation. The preferred way to specify orderer addresses is now
# to include the OrdererEndpoints item in your org definition
- localhost:7050
- Host: raft0
Port: 7050
ClientTLSCert: path/to/signcerts/raft0-tls-cert.pem
ServerTLSCert: path/to/signcerts/raft0-tls-cert.pem
# Batch Timeout: The amount of time to wait before creating a batch
BatchTimeout: 2s
# Batch Size: Controls the number of messages batched into a block
# Max Message Count: The maximum number of messages to permit in a batch
MaxMessageCount: 10
# Absolute Max Bytes: The absolute maximum number of bytes allowed for
# the serialized messages in a batch.
AbsoluteMaxBytes: 99 MB
# Preferred Max Bytes: The preferred maximum number of bytes allowed for
# the serialized messages in a batch. A message larger than the preferred
# max bytes will result in a batch larger than preferred max bytes.
PreferredMaxBytes: 512 KB
# Organizations is the list of orgs which are defined as participants on
# the orderer side of the network
# Policies defines the set of policies at this level of the config tree
# For Orderer policies, their canonical path is
# /Channel/Orderer/<PolicyName>
Policies: &OrdererPolicies
Type: ImplicitMeta
Rule: "ANY Readers"
Type: ImplicitMeta
Rule: "ANY Writers"
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# BlockValidation specifies what signatures must be included in the block
# from the orderer for the peer to validate it.
Type: ImplicitMeta
Rule: "ANY Writers"
<<: *OrdererCapabilities
# This section defines the values to encode into a config transaction or
# genesis block for channel related parameters.
Channel: &ChannelDefaults
# Policies defines the set of policies at this level of the config tree
# For Channel policies, their canonical path is
# /Channel/<PolicyName>
# Who may invoke the 'Deliver' API
Type: ImplicitMeta
Rule: "ANY Readers"
# Who may invoke the 'Broadcast' API
Type: ImplicitMeta
Rule: "ANY Writers"
# By default, who may modify elements at this config level
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# Capabilities describes the channel level capabilities, see the
# dedicated Capabilities section elsewhere in this file for a full
# description
<<: *ChannelCapabilities
# Profile
# - Different configuration profiles may be encoded here to be specified
# as parameters to the configtxgen tool
<<: *ChannelDefaults
<<: *OrdererDefaults
- *OrdererOrg
Capabilities: *OrdererCapabilities
<<: *ApplicationDefaults
- *Org1
- *Org2
Capabilities: *ApplicationCapabilities
First, I create a genesis block with the following command:
./bin/configtxgen -profile TwoOrgsApplicationGenesis -configPath ./testConfigs -outputBlock ./channel-artifacts/genesis_block.pb -channelID mychannel
Next, I create a transaction to create an application channel:
./bin/osnadmin channel join --channelID $CHANNEL_NAME --config-block ./channel-artifacts/genesis_block.pb -o localhost:7050 --ca-file "$ORDERER_CA" --client-cert "$ORDERER_ADMIN_TLS_SIGN_CERT" --client-key "$ORDERER_ADMIN_TLS_PRIVATE_KEY"
Every time I create an app channel, I get the following error:
Error: Post "https://localhost:7050/participation/v1/channels": net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x00\x00\x06\x04\x00\x00\x00\x00\x00\x00\x05\x00\x00#\x00"
Please tell me what is wrong?
The symptom for my problem was the same:
"Error: Post "https://localhost:7050/participation/v1/channels": net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x00\x00\x06\x04\x00\x00\x00\x00\x00\x00\x05\x00\x00#\x00"
What I did wrong was to connect to the Orderer on its general listen address and missed to configure the Admin.* settings as described here.
Once I connected to the Admin Listenaddress the osnadmin command worked correctly. The general port serves GRPC while the Admin one uses http(s). I think this explains the malformed error.

Error: transaction invalidated with status (ENDORSEMENT_POLICY_FAILURE)

I'm trying to commit Fabcar to my HF network, composed by 4 Orgs,with 2 peers each. I packaged the chaincode, installed it on peer0org1, peer0org2, peer0org3 and peer0org4, and approved for all orgs. In fact, checking the commit readiness, i get this:
"approvals": {
"Org1MSP": true,
"Org2MSP": true,
"Org3MSP": true,
"Org4MSP": true
But when I try to launch:
peer lifecycle chaincode commit -o localhost:7050 --ordererTLSHostnameOverride orderer.example.com \
--channelID $CHANNEL_NAME --name ${CC_NAME} \
--collections-config $PRIVATE_DATA_CONFIG \
--peerAddresses localhost:7051 --tlsRootCertFiles $PEER0_ORG1_CA \
--peerAddresses localhost:9051 --tlsRootCertFiles $PEER0_ORG2_CA \
--peerAddresses localhost:11051 --tlsRootCertFiles $PEER0_ORG3_CA \
--peerAddresses localhost:13051 --tlsRootCertFiles $PEER0_ORG4_CA \
--version ${VERSION} --sequence ${VERSION} --init-required
I get this:
2021-11-18 12:34:33.941 CET [chaincodeCmd] ClientWait -> INFO 002 txid [7f5d2a2d8f0c1a4082f11eca4c228beb1a01b3a3a50c3bbbe45bf91eb9844577] committed with status (ENDORSEMENT_POLICY_FAILURE) at localhost:13051
2021-11-18 12:34:33.941 CET [chaincodeCmd] ClientWait -> INFO 001 txid [7f5d2a2d8f0c1a4082f11eca4c228beb1a01b3a3a50c3bbbe45bf91eb9844577] committed with status (ENDORSEMENT_POLICY_FAILURE) at localhost:7051
2021-11-18 12:34:33.950 CET [chaincodeCmd] ClientWait -> INFO 003 txid [7f5d2a2d8f0c1a4082f11eca4c228beb1a01b3a3a50c3bbbe45bf91eb9844577] committed with status (ENDORSEMENT_POLICY_FAILURE) at localhost:11051
2021-11-18 12:34:33.962 CET [chaincodeCmd] ClientWait -> INFO 004 txid [7f5d2a2d8f0c1a4082f11eca4c228beb1a01b3a3a50c3bbbe45bf91eb9844577] committed with status (ENDORSEMENT_POLICY_FAILURE) at localhost:9051
Error: transaction invalidated with status (ENDORSEMENT_POLICY_FAILURE)
Here is my configtx.yaml with the policies, in case it was useful to understand the problem:
# Section: Organizations
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
# SampleOrg defines an MSP using the sampleconfig. It should never be used
# in production but may be used as a template for other definitions
- &OrdererOrg
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: OrdererOrg
# ID to load the MSP definition as
ID: OrdererMSP
# MSPDir is the filesystem path which contains the MSP configuration
MSPDir: crypto-config/ordererOrganizations/example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('OrdererMSP.member')"
Type: Signature
Rule: "OR('OrdererMSP.member')"
Type: Signature
Rule: "OR('OrdererMSP.admin')"
- &Org1
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org1MSP
# ID to load the MSP definition as
MSPDir: crypto-config/peerOrganizations/org1.example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
Type: Signature
Rule: "OR('Org1MSP.admin')"
Type: Signature
Rule: "OR('Org1MSP.peer')"
# leave this flag set to true.
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer0.org1.example.com
Port: 7051
- &Org2
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org2MSP
# ID to load the MSP definition as
MSPDir: crypto-config/peerOrganizations/org2.example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
Type: Signature
Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
Type: Signature
Rule: "OR('Org2MSP.admin')"
Type: Signature
Rule: "OR('Org2MSP.peer')"
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer0.org2.example.com
Port: 9051
- &Org3
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org3MSP
# ID to load the MSP definition as
MSPDir: crypto-config/peerOrganizations/org3.example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('Org3MSP.admin', 'Org3MSP.peer', 'Org3MSP.client')"
Type: Signature
Rule: "OR('Org3MSP.admin', 'Org3MSP.client')"
Type: Signature
Rule: "OR('Org3MSP.admin')"
Type: Signature
Rule: "OR('Org3MSP.peer')"
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer0.org3.example.com
Port: 11051
- &Org4
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org4MSP
# ID to load the MSP definition as
MSPDir: crypto-config/peerOrganizations/org4.example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('Org4MSP.admin', 'Org4MSP.peer', 'Org4MSP.client')"
Type: Signature
Rule: "OR('Org4MSP.admin', 'Org4MSP.client')"
Type: Signature
Rule: "OR('Org4MSP.admin')"
Type: Signature
Rule: "OR('Org4MSP.peer')"
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer0.org4.example.com
Port: 13051
# SECTION: Capabilities
# - This section defines the capabilities of fabric network. This is a new
# concept as of v1.1.0 and should not be utilized in mixed networks with
# v1.0.x peers and orderers. Capabilities define features which must be
# present in a fabric binary for that binary to safely participate in the
# fabric network. For instance, if a new MSP type is added, newer binaries
# might recognize and validate the signatures from this type, while older
# binaries without this support would be unable to validate those
# transactions. This could lead to different versions of the fabric binaries
# having different world states. Instead, defining a capability for a channel
# informs those binaries without this capability that they must cease
# processing transactions until they have been upgraded. For v1.0.x if any
# capabilities are defined (including a map with all capabilities turned off)
# then the v1.0.x peer will deliberately crash.
# Channel capabilities apply to both the orderers and the peers and must be
# supported by both.
# Set the value of the capability to true to require it.
Channel: &ChannelCapabilities
# V2_0 capability ensures that orderers and peers behave according
# to v2.0 channel capabilities. Orderers and peers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 capability.
# Prior to enabling V2.0 channel capabilities, ensure that all
# orderers and peers on a channel are at v2.0.0 or later.
V2_0: true
# Orderer capabilities apply only to the orderers, and may be safely
# used with prior release peers.
# Set the value of the capability to true to require it.
Orderer: &OrdererCapabilities
# V2_0 orderer capability ensures that orderers behave according
# to v2.0 orderer capabilities. Orderers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 orderer capability.
# Prior to enabling V2.0 orderer capabilities, ensure that all
# orderers on channel are at v2.0.0 or later.
V2_0: true
# Application capabilities apply only to the peer network, and may be safely
# used with prior release orderers.
# Set the value of the capability to true to require it.
Application: &ApplicationCapabilities
# V2_0 application capability ensures that peers behave according
# to v2.0 application capabilities. Peers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 application capability.
# Prior to enabling V2.0 application capabilities, ensure that all
# peers on channel are at v2.0.0 or later.
V2_0: true
# SECTION: Application
# - This section defines the values to encode into a config transaction or
# genesis block for application related parameters
Application: &ApplicationDefaults
# Organizations is the list of orgs which are defined as participants on
# the application side of the network
# Policies defines the set of policies at this level of the config tree
# For Application policies, their canonical path is
# /Channel/Application/<PolicyName>
Type: ImplicitMeta
Rule: "ANY Readers"
Type: ImplicitMeta
Rule: "ANY Writers"
Type: ImplicitMeta
Rule: "MAJORITY Admins"
Type: ImplicitMeta
Rule: "MAJORITY Endorsement"
Type: ImplicitMeta
Rule: "MAJORITY Endorsement"
<<: *ApplicationCapabilities
# SECTION: Orderer
# - This section defines the values to encode into a config transaction or
# genesis block for orderer related parameters
Orderer: &OrdererDefaults
# Orderer Type: The orderer implementation to start
OrdererType: etcdraft
- Host: orderer.example.com
Port: 7050
ClientTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
ServerTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
- orderer.example.com:7050
# Batch Timeout: The amount of time to wait before creating a batch
BatchTimeout: 2s
# Batch Size: Controls the number of messages batched into a block
# Max Message Count: The maximum number of messages to permit in a batch
MaxMessageCount: 10
# Absolute Max Bytes: The absolute maximum number of bytes allowed for
# the serialized messages in a batch.
AbsoluteMaxBytes: 99 MB
# Preferred Max Bytes: The preferred maximum number of bytes allowed for
# the serialized messages in a batch. A message larger than the preferred
# max bytes will result in a batch larger than preferred max bytes.
PreferredMaxBytes: 512 KB
# Organizations is the list of orgs which are defined as participants on
# the orderer side of the network
# Policies defines the set of policies at this level of the config tree
# For Orderer policies, their canonical path is
# /Channel/Orderer/<PolicyName>
Type: ImplicitMeta
Rule: "ANY Readers"
Type: ImplicitMeta
Rule: "ANY Writers"
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# BlockValidation specifies what signatures must be included in the block
# from the orderer for the peer to validate it.
Type: ImplicitMeta
Rule: "ANY Writers"
# This section defines the values to encode into a config transaction or
# genesis block for channel related parameters.
Channel: &ChannelDefaults
# Policies defines the set of policies at this level of the config tree
# For Channel policies, their canonical path is
# /Channel/<PolicyName>
# Who may invoke the 'Deliver' API
Type: ImplicitMeta
Rule: "ANY Readers"
# Who may invoke the 'Broadcast' API
Type: ImplicitMeta
Rule: "ANY Writers"
# By default, who may modify elements at this config level
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# Capabilities describes the channel level capabilities, see the
# dedicated Capabilities section elsewhere in this file for a full
# description
<<: *ChannelCapabilities
# Profile
# - Different configuration profiles may be encoded here to be specified
# as parameters to the configtxgen tool
Consortium: SampleConsortium
<<: *ChannelDefaults
<<: *ApplicationDefaults
- *Org1
- *Org2
- *Org3
- *Org4
<<: *ApplicationCapabilities
<<: *ChannelDefaults
<<: *ChannelCapabilities
<<: *OrdererDefaults
OrdererType: etcdraft
- Host: orderer.example.com
Port: 7050
ClientTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
ServerTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
- Host: orderer2.example.com
Port: 8050
ClientTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt
ServerTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt
- Host: orderer3.example.com
Port: 9050
ClientTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.crt
ServerTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.crt
# - Host: orderer4.example.com
# Port: 10050
# ClientTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer4.example.com/tls/server.crt
# ServerTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer4.example.com/tls/server.crt
# - Host: orderer5.example.com
# Port: 11050
# ClientTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer5.example.com/tls/server.crt
# ServerTLSCert: crypto-config/ordererOrganizations/example.com/orderers/orderer5.example.com/tls/server.crt
- orderer.example.com:7050
- orderer2.example.com:8050
- orderer3.example.com:9050
# - orderer4.example.com:10050
# - orderer5.example.com:11050
- *OrdererOrg
<<: *OrdererCapabilities
- *Org1
- *Org2
- *Org3
- *Org4
Thanks a lot!
Endorsement was not defined in ChannelDefaults in configtx.yaml

Hyperledger fabric 2.0-Error in chaincode commit step(ENDORSEMENT_POLICY_FAILURE)

I am trying to install chaincode (Using a new chaincode life cycle) in hyper ledger fabric 2.0.
Fabric image versions: 2.1.0
In my network I have
Two organization (two peers each)
3 Orders (Raft as order service)
During the commit chaincode step, i m getting the following error
2021-08-04 06:36:29.803 UTC [chaincodeCmd] ClientWait -> INFO 001 txid [ebca06fc317ef078d896182e7814f3d9e847266b2fa4a80ae443e17a9ad976da] committed with status (ENDORSEMENT_POLICY_FAILURE) at peer1.base.left:8003
2021-08-04 06:36:29.816 UTC [chaincodeCmd] ClientWait -> INFO 002 txid [ebca06fc317ef078d896182e7814f3d9e847266b2fa4a80ae443e17a9ad976da] committed with status (ENDORSEMENT_POLICY_FAILURE) at peer1.base.right:8004
Error: transaction invalidated with status (ENDORSEMENT_POLICY_FAILURE)
While inspecting the peer logs i can see the following error
2021-08-04 06:36:29.755 UTC [committer.txvalidator] validateTx -> ERRO 004 Dispatch for transaction txId = ebca06fc317ef078d896182e7814f3d9e847266b2fa4a80ae443e17a9ad976da returned error: validation of endorsement policy for chaincode _lifecycle in tx 8:0 failed: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 2 of the 'Endorsement' sub-policies to be satisfied
Not sure why this is happening
UPDATE configtx.yaml file
# Section: Organizations
# SPDX-License-Identifier: Apache-2.0
# Section: Organizations
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
# SampleOrg defines an MSP using the sampleconfig. It should never be used
# in production but may be used as a template for other definitions
- &OrdererOrg
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: OrdererOrg
# ID to load the MSP definition as
ID: OrdererMSP
# MSPDir is the filesystem path which contains the MSP configuration
MSPDir: crypto-config/ordererOrganizations/base.order/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('OrdererMSP.member')"
Type: Signature
Rule: "OR('OrdererMSP.member')"
Type: Signature
Rule: "OR('OrdererMSP.admin')"
- orderer1.base.order:8000
- &Org1
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: LeftOrgMSP
# ID to load the MSP definition as
ID: LeftOrgMSP
MSPDir: crypto-config/peerOrganizations/base.left/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('LeftOrgMSP.admin', 'LeftOrgMSP.peer', 'LeftOrgMSP.client')"
Type: Signature
Rule: "OR('LeftOrgMSP.admin', 'LeftOrgMSP.client')"
Type: Signature
Rule: "OR('LeftOrgMSP.admin')"
Type: Signature
Rule: "OR('LeftOrgMSP.peer')"
- &Org2
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: RightOrgMSP
# ID to load the MSP definition as
ID: RightOrgMSP
MSPDir: crypto-config/peerOrganizations/base.right/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('RightOrgMSP.admin', 'RightOrgMSP.peer', 'RightOrgMSP.client')"
Type: Signature
Rule: "OR('RightOrgMSP.admin', 'RightOrgMSP.client')"
Type: Signature
Rule: "OR('RightOrgMSP.admin')"
Type: Signature
Rule: "OR('RightOrgMSP.peer')"
# SECTION: Capabilities
# - This section defines the capabilities of fabric network. This is a new
# concept as of v1.1.0 and should not be utilized in mixed networks with
# v1.0.x peers and orderers. Capabilities define features which must be
# present in a fabric binary for that binary to safely participate in the
# fabric network. For instance, if a new MSP type is added, newer binaries
# might recognize and validate the signatures from this type, while older
# binaries without this support would be unable to validate those
# transactions. This could lead to different versions of the fabric binaries
# having different world states. Instead, defining a capability for a channel
# informs those binaries without this capability that they must cease
# processing transactions until they have been upgraded. For v1.0.x if any
# capabilities are defined (including a map with all capabilities turned off)
# then the v1.0.x peer will deliberately crash.
# Channel capabilities apply to both the orderers and the peers and must be
# supported by both.
# Set the value of the capability to true to require it.
Channel: &ChannelCapabilities
# V2_0 capability ensures that orderers and peers behave according
# to v2.0 channel capabilities. Orderers and peers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 capability.
# Prior to enabling V2.0 channel capabilities, ensure that all
# orderers and peers on a channel are at v2.0.0 or later.
V2_0: true
# Orderer capabilities apply only to the orderers, and may be safely
# used with prior release peers.
# Set the value of the capability to true to require it.
Orderer: &OrdererCapabilities
# V2_0 orderer capability ensures that orderers behave according
# to v2.0 orderer capabilities. Orderers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 orderer capability.
# Prior to enabling V2.0 orderer capabilities, ensure that all
# orderers on channel are at v2.0.0 or later.
V2_0: true
# Application capabilities apply only to the peer network, and may be safely
# used with prior release orderers.
# Set the value of the capability to true to require it.
Application: &ApplicationCapabilities
# V2_0 application capability ensures that peers behave according
# to v2.0 application capabilities. Peers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 application capability.
# Prior to enabling V2.0 application capabilities, ensure that all
# peers on channel are at v2.0.0 or later.
V2_0: true
# SECTION: Application
# - This section defines the values to encode into a config transaction or
# genesis block for application related parameters
Application: &ApplicationDefaults
# Organizations is the list of orgs which are defined as participants on
# the application side of the network
# Policies defines the set of policies at this level of the config tree
# For Application policies, their canonical path is
# /Channel/Application/<PolicyName>
Type: ImplicitMeta
Rule: "ANY Readers"
Type: ImplicitMeta
Rule: "ANY Writers"
Type: ImplicitMeta
Rule: "MAJORITY Admins"
Type: ImplicitMeta
Rule: "MAJORITY Endorsement"
Type: ImplicitMeta
Rule: "MAJORITY Endorsement"
<<: *ApplicationCapabilities
# SECTION: Orderer
# - This section defines the values to encode into a config transaction or
# genesis block for orderer related parameters
Orderer: &OrdererDefaults
# Orderer Type: The orderer implementation to start
OrdererType: etcdraft
# Addresses used to be the list of orderer addresses that clients and peers
# could connect to. However, this does not allow clients to associate orderer
# addresses and orderer organizations which can be useful for things such
# as TLS validation. The preferred way to specify orderer addresses is now
# to include the OrdererEndpoints item in your org definition
- orderer1.base.order:8000
- orderer2.base.order:8000
- orderer3.base.order:8000
- Host: orderer1.base.order
Port: 8000
ClientTLSCert: crypto-config/ordererOrganizations/base.order/orderers/orderer1.base.order/tls/server.crt
ServerTLSCert: crypto-config/ordererOrganizations/base.order/orderers/orderer1.base.order/tls/server.crt
- Host: orderer2.base.order
Port: 8000
ClientTLSCert: crypto-config/ordererOrganizations/base.order/orderers/orderer2.base.order/tls/server.crt
ServerTLSCert: crypto-config/ordererOrganizations/base.order/orderers/orderer2.base.order/tls/server.crt
- Host: orderer3.base.order
Port: 8000
ClientTLSCert: crypto-config/ordererOrganizations/base.order/orderers/orderer3.base.order/tls/server.crt
ServerTLSCert: crypto-config/ordererOrganizations/base.order/orderers/orderer3.base.order/tls/server.crt
# Batch Timeout: The amount of time to wait before creating a batch
BatchTimeout: 2s
# Batch Size: Controls the number of messages batched into a block
# Max Message Count: The maximum number of messages to permit in a batch
MaxMessageCount: 10
# Absolute Max Bytes: The absolute maximum number of bytes allowed for
# the serialized messages in a batch.
AbsoluteMaxBytes: 99 MB
# Preferred Max Bytes: The preferred maximum number of bytes allowed for
# the serialized messages in a batch. A message larger than the preferred
# max bytes will result in a batch larger than preferred max bytes.
PreferredMaxBytes: 512 KB
# Organizations is the list of orgs which are defined as participants on
# the orderer side of the network
# Policies defines the set of policies at this level of the config tree
# For Orderer policies, their canonical path is
# /Channel/Orderer/<PolicyName>
Type: ImplicitMeta
Rule: "ANY Readers"
Type: ImplicitMeta
Rule: "ANY Writers"
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# BlockValidation specifies what signatures must be included in the block
# from the orderer for the peer to validate it.
Type: ImplicitMeta
Rule: "ANY Writers"
# This section defines the values to encode into a config transaction or
# genesis block for channel related parameters.
Channel: &ChannelDefaults
# Policies defines the set of policies at this level of the config tree
# For Channel policies, their canonical path is
# /Channel/<PolicyName>
Type: ImplicitMeta
Rule: "MAJORITY Endorsement"
Type: ImplicitMeta
Rule: "ANY Endorsement"
# Who may invoke the 'Deliver' API
Type: ImplicitMeta
Rule: "ANY Readers"
# Who may invoke the 'Broadcast' API
Type: ImplicitMeta
Rule: "ANY Writers"
# By default, who may modify elements at this config level
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# Capabilities describes the channel level capabilities, see the
# dedicated Capabilities section elsewhere in this file for a full
# description
<<: *ChannelCapabilities
# Profile
# - Different configuration profiles may be encoded here to be specified
# as parameters to the configtxgen tool
<<: *ChannelDefaults
<<: *OrdererDefaults
- *OrdererOrg
Capabilities: *OrdererCapabilities
<<: *ApplicationDefaults
- *Org1
- *Org2
Capabilities: *ApplicationCapabilities
- *Org1
- *Org2
<<: *ChannelDefaults
Consortium: BaseConsortium
<<: *ApplicationDefaults
- *Org1
- *Org2
You need to collect endorsement from a peer from both Orgs in order to meet the LifeCycle endorsement policy. This error could be because you are not targeting either peer, or because your orgs have not approved the same chaincode definition as the one you are trying to commit
In your config.tx file you have mentioned LifecycleEndorsement as MAJORITY Endorsement that means your transaction should be endorse by a peer from both organizations.
to achive this make sure
your chaincode is approved by both the organizations
while running commit command pass the peer connection parameters (--peerAddresses $CORE_PEER_ADDRESS --tlsRootCertFiles $CORE_PEER_TLS_ROOTCERT_FILE) for any peer from both organizations.

Implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied

I am trying to create a channel from the CLI container,
I have set correct values for CORE_PEER_LOCALMSPID = Org1MSP and CORE_PEER_MSPCONFIGPATH = /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.com/users/Admin#org1.com/msp .
But when trying to create the channel I am getting below error from orderer log
identity 0 does not satisfy principal: This identity is not an admin
and the response message is
error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
Please find the configtx.yaml file below,
# Section: Organizations
# SPDX-License-Identifier: Apache-2.0
# Section: Organizations
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
# SampleOrg defines an MSP using the sampleconfig. It should never be used
# in production but may be used as a template for other definitions
- &OrdererOrg
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: OrdererOrg
# ID to load the MSP definition as
ID: OrdererMSP
# MSPDir is the filesystem path which contains the MSP configuration
MSPDir: crypto-config/ordererOrganizations/org1.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('OrdererMSP.member')"
Type: Signature
Rule: "OR('OrdererMSP.member')"
Type: Signature
Rule: "OR('OrdererMSP.admin')"
- &Org1
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org1MSP
# ID to load the MSP definition as
MSPDir: crypto-config/peerOrganizations/org1.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
Type: Signature
Rule: "OR('Org1MSP.admin')"
# leave this flag set to true.
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer0.org1.com
Port: 7051
- &Org2
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org2MSP
# ID to load the MSP definition as
MSPDir: crypto-config/peerOrganizations/org2.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
Type: Signature
Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
Type: Signature
Rule: "OR('Org2MSP.admin')"
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer0.org2.com
Port: 9051
# SECTION: Capabilities
# - This section defines the capabilities of fabric network. This is a new
# concept as of v1.1.0 and should not be utilized in mixed networks with
# v1.0.x peers and orderers. Capabilities define features which must be
# present in a fabric binary for that binary to safely participate in the
# fabric network. For instance, if a new MSP type is added, newer binaries
# might recognize and validate the signatures from this type, while older
# binaries without this support would be unable to validate those
# transactions. This could lead to different versions of the fabric binaries
# having different world states. Instead, defining a capability for a channel
# informs those binaries without this capability that they must cease
# processing transactions until they have been upgraded. For v1.0.x if any
# capabilities are defined (including a map with all capabilities turned off)
# then the v1.0.x peer will deliberately crash.
# Channel capabilities apply to both the orderers and the peers and must be
# supported by both.
# Set the value of the capability to true to require it.
Channel: &ChannelCapabilities
# V1.3 for Channel is a catchall flag for behavior which has been
# determined to be desired for all orderers and peers running at the v1.3.x
# level, but which would be incompatible with orderers and peers from
# prior releases.
# Prior to enabling V1.3 channel capabilities, ensure that all
# orderers and peers on a channel are at v1.3.0 or later.
V1_3: true
# Orderer capabilities apply only to the orderers, and may be safely
# used with prior release peers.
# Set the value of the capability to true to require it.
Orderer: &OrdererCapabilities
# V1.1 for Orderer is a catchall flag for behavior which has been
# determined to be desired for all orderers running at the v1.1.x
# level, but which would be incompatible with orderers from prior releases.
# Prior to enabling V1.1 orderer capabilities, ensure that all
# orderers on a channel are at v1.1.0 or later.
V1_1: true
# Application capabilities apply only to the peer network, and may be safely
# used with prior release orderers.
# Set the value of the capability to true to require it.
Application: &ApplicationCapabilities
# V1.3 for Application enables the new non-backwards compatible
# features and fixes of fabric v1.3.
V1_3: true
# V1.2 for Application enables the new non-backwards compatible
# features and fixes of fabric v1.2 (note, this need not be set if
# later version capabilities are set)
V1_2: false
# V1.1 for Application enables the new non-backwards compatible
# features and fixes of fabric v1.1 (note, this need not be set if
# later version capabilities are set).
V1_1: false
# SECTION: Application
# - This section defines the values to encode into a config transaction or
# genesis block for application related parameters
Application: &ApplicationDefaults
# Organizations is the list of orgs which are defined as participants on
# the application side of the network
# Policies defines the set of policies at this level of the config tree
# For Application policies, their canonical path is
# /Channel/Application/<PolicyName>
Type: ImplicitMeta
Rule: "ANY Readers"
Type: ImplicitMeta
Rule: "ANY Writers"
Type: ImplicitMeta
Rule: "ANY Admins"
<<: *ApplicationCapabilities
# SECTION: Orderer
# - This section defines the values to encode into a config transaction or
# genesis block for orderer related parameters
Orderer: &OrdererDefaults
# Orderer Type: The orderer implementation to start
# Available types are "solo" and "kafka"
OrdererType: solo
- orderer.org1.com:7050
# Batch Timeout: The amount of time to wait before creating a batch
BatchTimeout: 2s
# Batch Size: Controls the number of messages batched into a block
# Max Message Count: The maximum number of messages to permit in a batch
MaxMessageCount: 10
# Absolute Max Bytes: The absolute maximum number of bytes allowed for
# the serialized messages in a batch.
AbsoluteMaxBytes: 99 MB
# Preferred Max Bytes: The preferred maximum number of bytes allowed for
# the serialized messages in a batch. A message larger than the preferred
# max bytes will result in a batch larger than preferred max bytes.
PreferredMaxBytes: 512 KB
# Brokers: A list of Kafka brokers to which the orderer connects
# NOTE: Use IP:port notation
# Organizations is the list of orgs which are defined as participants on
# the orderer side of the network
# Policies defines the set of policies at this level of the config tree
# For Orderer policies, their canonical path is
# /Channel/Orderer/<PolicyName>
Type: ImplicitMeta
Rule: "ANY Readers"
Type: ImplicitMeta
Rule: "ANY Writers"
Type: ImplicitMeta
Rule: "ANY Admins"
# BlockValidation specifies what signatures must be included in the block
# from the orderer for the peer to validate it.
Type: ImplicitMeta
Rule: "ANY Writers"
# This section defines the values to encode into a config transaction or
# genesis block for channel related parameters.
Channel: &ChannelDefaults
# Policies defines the set of policies at this level of the config tree
# For Channel policies, their canonical path is
# /Channel/<PolicyName>
# Who may invoke the 'Deliver' API
Type: ImplicitMeta
Rule: "ANY Readers"
# Who may invoke the 'Broadcast' API
Type: ImplicitMeta
Rule: "ANY Writers"
# By default, who may modify elements at this config level
Type: ImplicitMeta
Rule: "ANY Admins"
# Capabilities describes the channel level capabilities, see the
# dedicated Capabilities section elsewhere in this file for a full
# description
<<: *ChannelCapabilities
# Profile
# - Different configuration profiles may be encoded here to be specified
# as parameters to the configtxgen tool
Consortium: SampleConsortium
<<: *ChannelDefaults
<<: *ApplicationDefaults
- *Org1
- *Org2
<<: *ApplicationCapabilities
<<: *ChannelDefaults
<<: *ChannelCapabilities
<<: *OrdererDefaults
OrdererType: etcdraft
- Host: orderer.org1.com
Port: 7050
ClientTLSCert: crypto-config/ordererOrganizations/org1.com/orderers/orderer.org1.com/tls/server.crt
ServerTLSCert: crypto-config/ordererOrganizations/org1.com/orderers/orderer.org1.com/tls/server.crt
- Host: orderer2.org1.com
Port: 7050
ClientTLSCert: crypto-config/ordererOrganizations/org1.com/orderers/orderer2.org1.com/tls/server.crt
ServerTLSCert: crypto-config/ordererOrganizations/org1.com/orderers/orderer2.org1.com/tls/server.crt
- Host: orderer3.org1.com
Port: 7050
ClientTLSCert: crypto-config/ordererOrganizations/org1.com/orderers/orderer3.org1.com/tls/server.crt
ServerTLSCert: crypto-config/ordererOrganizations/org1.com/orderers/orderer3.org1.com/tls/server.crt
- Host: orderer4.org1.com
Port: 7050
ClientTLSCert: crypto-config/ordererOrganizations/org1.com/orderers/orderer4.org1.com/tls/server.crt
ServerTLSCert: crypto-config/ordererOrganizations/org1.com/orderers/orderer4.org1.com/tls/server.crt
- Host: orderer5.org1.com
Port: 7050
ClientTLSCert: crypto-config/ordererOrganizations/org1.com/orderers/orderer5.org1.com/tls/server.crt
ServerTLSCert: crypto-config/ordererOrganizations/org1.com/orderers/orderer5.org1.com/tls/server.crt
- orderer.org1.com:7050
- orderer2.org1.com:7050
- orderer3.org1.com:7050
- orderer4.org1.com:7050
- orderer5.org1.com:7050
- *OrdererOrg
<<: *OrdererCapabilities
<<: *ApplicationDefaults
- <<: *OrdererOrg
- *Org1
- *Org2
I resolved the issue, the issue was because there was a version mismatch in fabric images.
Versions of fabric that you defined in Capabilities Section doesn't compare with versions of your fabric docker images.

My endorsement policy does not work correctly?

I have created a fabric network which consists of six organization which contains two peers per each. After successfully starting the network I install and instantiate the fabcar chaincode. This is the command which I used to instantiate the chaincode.
peer chaincode instantiate -o orderer.example.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem -n fabcar -l node -v 1.0 -c '{"Args":["init"]}' -C mychannel -P "AND ('Org2MSP.peer','Org1MSP.peer','Org3MSP.peer','Org4MSP.peer','Org5MSP.peer','Org6MSP.peer')"
After instantiating successfully I tried to invoke the first transaction and it leaves me this error on the peer.
2019-05-13 04:10:33.465 UTC [vscc] Validate -> ERRO 170 VSCC error:
stateBasedValidator.Validate failed, err validation of endorsement
policy for chaincode fabcar in tx 8:0 failed: signature set did not
satisfy policy 2019-05-13 04:10:33.465 UTC [committer.txvalidator]
validateTx -> ERRO 171 VSCCValidateTx for transaction txId =
returned error: validation of endorsement policy for chaincode fabcar
in tx 8:0 failed: signature set did not satisfy policy
If I replace the AND in the policy with OR, If I replace the policy with -p "AND ('Org2MSP.peer')".It was worked successfully without leaving the error. I install the chaincode on one peer of each organization and instantiated the network on org2 peer0.
This is my configtx.yaml file.
# Section: Organizations
# SPDX-License-Identifier: Apache-2.0
# Section: Organizations
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
# SampleOrg defines an MSP using the sampleconfig. It should never be used
# in production but may be used as a template for other definitions
- &OrdererOrg
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: OrdererOrg
# ID to load the MSP definition as
ID: OrdererMSP
# MSPDir is the filesystem path which contains the MSP configuration
MSPDir: crypto-config/ordererOrganizations/example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('OrdererMSP.member')"
Type: Signature
Rule: "OR('OrdererMSP.member')"
Type: Signature
Rule: "OR('OrdererMSP.admin')"
- &Org1
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org1MSP
# ID to load the MSP definition as
MSPDir: crypto-config/peerOrganizations/org1.example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.peer')"
Type: Signature
Rule: "OR('Org1MSP.admin')"
# leave this flag set to true.
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer0.org1.example.com
Port: 7051
- &Org2
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org2MSP
# ID to load the MSP definition as
MSPDir: crypto-config/peerOrganizations/org2.example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
Type: Signature
Rule: "OR('Org2MSP.admin','Org2MSP.peer', 'Org2MSP.client')"
Type: Signature
Rule: "OR('Org2MSP.admin')"
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer0.org2.example.com
Port: 9051
- &Org3
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org3MSP
# ID to load the MSP definition as
MSPDir: crypto-config/peerOrganizations/org3.example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('Org3MSP.admin', 'Org3MSP.peer', 'Org3MSP.client')"
Type: Signature
Rule: "OR('Org3MSP.admin','Org3MSP.peer', 'Org3MSP.client')"
Type: Signature
Rule: "OR('Org3MSP.admin')"
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer0.org3.example.com
Port: 11051
- &Org4
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org4MSP
# ID to load the MSP definition as
MSPDir: crypto-config/peerOrganizations/org4.example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('Org4MSP.admin', 'Org4MSP.peer', 'Org4MSP.client')"
Type: Signature
Rule: "OR('Org4MSP.admin','Org4MSP.peer', 'Org4MSP.client')"
Type: Signature
Rule: "OR('Org4MSP.admin')"
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer0.org4.example.com
Port: 13051
- &Org5
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org5MSP
# ID to load the MSP definition as
MSPDir: crypto-config/peerOrganizations/org5.example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('Org5MSP.admin', 'Org5MSP.peer', 'Org5MSP.client')"
Type: Signature
Rule: "OR('Org5MSP.admin','Org5MSP.peer')"
Type: Signature
Rule: "OR('Org5MSP.admin')"
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer0.org5.example.com
Port: 15051
- &Org6
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org6MSP
# ID to load the MSP definition as
MSPDir: crypto-config/peerOrganizations/org6.example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Type: Signature
Rule: "OR('Org6MSP.admin', 'Org6MSP.peer', 'Org6MSP.client')"
Type: Signature
Rule: "OR('Org6MSP.admin','Org6MSP.peer')"
Type: Signature
Rule: "OR('Org6MSP.admin')"
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer0.org6.example.com
Port: 17051
# SECTION: Capabilities
# - This section defines the capabilities of fabric network. This is a new
# concept as of v1.1.0 and should not be utilized in mixed networks with
# v1.0.x peers and orderers. Capabilities define features which must be
# present in a fabric binary for that binary to safely participate in the
# fabric network. For instance, if a new MSP type is added, newer binaries
# might recognize and validate the signatures from this type, while older
# binaries without this support would be unable to validate those
# transactions. This could lead to different versions of the fabric binaries
# having different world states. Instead, defining a capability for a channel
# informs those binaries without this capability that they must cease
# processing transactions until they have been upgraded. For v1.0.x if any
# capabilities are defined (including a map with all capabilities turned off)
# then the v1.0.x peer will deliberately crash.
# Channel capabilities apply to both the orderers and the peers and must be
# supported by both.
# Set the value of the capability to true to require it.
Channel: &ChannelCapabilities
# V1.3 for Channel is a catchall flag for behavior which has been
# determined to be desired for all orderers and peers running at the v1.3.x
# level, but which would be incompatible with orderers and peers from
# prior releases.
# Prior to enabling V1.3 channel capabilities, ensure that all
# orderers and peers on a channel are at v1.3.0 or later.
V1_3: true
# Orderer capabilities apply only to the orderers, and may be safely
# used with prior release peers.
# Set the value of the capability to true to require it.
Orderer: &OrdererCapabilities
# V1.1 for Orderer is a catchall flag for behavior which has been
# determined to be desired for all orderers running at the v1.1.x
# level, but which would be incompatible with orderers from prior releases.
# Prior to enabling V1.1 orderer capabilities, ensure that all
# orderers on a channel are at v1.1.0 or later.
V1_1: true
# Application capabilities apply only to the peer network, and may be safely
# used with prior release orderers.
# Set the value of the capability to true to require it.
Application: &ApplicationCapabilities
# V1.3 for Application enables the new non-backwards compatible
# features and fixes of fabric v1.3.
V1_3: true
# V1.2 for Application enables the new non-backwards compatible
# features and fixes of fabric v1.2 (note, this need not be set if
# later version capabilities are set)
V1_2: false
# V1.1 for Application enables the new non-backwards compatible
# features and fixes of fabric v1.1 (note, this need not be set if
# later version capabilities are set).
V1_1: false
# SECTION: Application
# - This section defines the values to encode into a config transaction or
# genesis block for application related parameters
Application: &ApplicationDefaults
# Organizations is the list of orgs which are defined as participants on
# the application side of the network
# Policies defines the set of policies at this level of the config tree
# For Application policies, their canonical path is
# /Channel/Application/<PolicyName>
Type: ImplicitMeta
Rule: "ANY Readers"
Type: ImplicitMeta
Rule: "ANY Writers"
Type: ImplicitMeta
Rule: "MAJORITY Admins"
<<: *ApplicationCapabilities
# SECTION: Orderer
# - This section defines the values to encode into a config transaction or
# genesis block for orderer related parameters
Orderer: &OrdererDefaults
# Orderer Type: The orderer implementation to start
# Available types are "solo" and "kafka"
OrdererType: solo
- orderer.example.com:7050
# Batch Timeout: The amount of time to wait before creating a batch
BatchTimeout: 2s
# Batch Size: Controls the number of messages batched into a block
# Max Message Count: The maximum number of messages to permit in a batch
MaxMessageCount: 10
# Absolute Max Bytes: The absolute maximum number of bytes allowed for
# the serialized messages in a batch.
AbsoluteMaxBytes: 99 MB
# Preferred Max Bytes: The preferred maximum number of bytes allowed for
# the serialized messages in a batch. A message larger than the preferred
# max bytes will result in a batch larger than preferred max bytes.
PreferredMaxBytes: 512 KB
# Brokers: A list of Kafka brokers to which the orderer connects
# NOTE: Use IP:port notation
# Organizations is the list of orgs which are defined as participants on
# the orderer side of the network
# Policies defines the set of policies at this level of the config tree
# For Orderer policies, their canonical path is
# /Channel/Orderer/<PolicyName>
Type: ImplicitMeta
Rule: "ANY Readers"
Type: ImplicitMeta
Rule: "ANY Writers"
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# BlockValidation specifies what signatures must be included in the block
# from the orderer for the peer to validate it.
Type: ImplicitMeta
Rule: "ANY Writers"
# This section defines the values to encode into a config transaction or
# genesis block for channel related parameters.
Channel: &ChannelDefaults
# Policies defines the set of policies at this level of the config tree
# For Channel policies, their canonical path is
# /Channel/<PolicyName>
# Who may invoke the 'Deliver' API
Type: ImplicitMeta
Rule: "ANY Readers"
# Who may invoke the 'Broadcast' API
Type: ImplicitMeta
Rule: "ANY Writers"
# By default, who may modify elements at this config level
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# Capabilities describes the channel level capabilities, see the
# dedicated Capabilities section elsewhere in this file for a full
# description
<<: *ChannelCapabilities
# Profile
# - Different configuration profiles may be encoded here to be specified
# as parameters to the configtxgen tool
<<: *ChannelDefaults
<<: *OrdererDefaults
- *OrdererOrg
<<: *OrdererCapabilities
- *Org1
- *Org2
- *Org3
- *Org4
- *Org5
- *Org6
Consortium: SampleConsortium
<<: *ChannelDefaults
<<: *ApplicationDefaults
- *Org1
- *Org2
- *Org3
- *Org4
- *Org5
- *Org6
<<: *ApplicationCapabilities
Can someone help me to solve this problem? Thank you!
In the invoke command you are not specifying the --peerAddresses and --tlsRootCertFiles(if you have enabled tls) of the respective anchor peers to connect to. try adding these feilds:
--peerAddresses peer0.org1.example.com:9051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
--peerAddresses peer0.org2.example.com:9051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt
... similarly for org 3..6
peer chaincode invoke -o orderer.example.com:7050 --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem -C $CHANNEL_NAME -n mycc --peerAddresses peer0.org1.example.com:9051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt --peerAddresses peer0.org2.example.com:9051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt -c '{"Args":["invoke","a","b","10"]}'
you can refer to: Invoke command
