I am extending the first network example with raft consensus on multiple hosts. When I try to start the orderers, the first orderer starts up, but I cannot start any other orderers, either from the same organisation or from another organisation. The error I get is as follows:
[common.deliver] deliverBlocks -> WARN 019 [channel: orderersyschannel] Client authorization revoked for deliver request from 172.18.0.5:45506: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2019-09-23 07:22:52.937 UTC [comm.grpc.server] 1 -> INFO 01a streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=172.18.0.5:45506 grpc.peer_subject="CN=ord1-org2,OU=orderer,O=Hyperledger,ST=North Carolina,C=US" grpc.code=OK grpc.call_duration=1.590709ms
2019-09-23 07:22:52.945 UTC [orderer.common.cluster.replication] fetchLastBlockSeq -> WARN 01b Received status:FORBIDDEN from ord1-org2.local:7050: forbidden pulling the channel
2019-09-23 07:22:52.945 UTC [orderer.common.cluster.replication] func1 -> WARN 01c Received error of type 'forbidden pulling the channel' from {ord1-org2.local:7050
I also checked my policies in 'configtx.yaml'
In Organisations section:
Readers:
    Type: Signature
    Rule: "OR('org2MSP.member', 'org2MSP.admin', 'org2MSP.peer', 'org2MSP.client')"
Writers:
    Type: Signature
    Rule: "OR('org2MSP.member', 'org2MSP.admin', 'org2MSP.client')"
Admins:
    Type: Signature
    Rule: "OR('org2MSP.admin')"
in Orderer section I have:
Readers:
    Type: ImplicitMeta
    Rule: "ANY Readers"
Writers:
    Type: ImplicitMeta
    Rule: "ANY Writers"
Admins:
    Type: ImplicitMeta
    Rule: "MAJORITY Admins"
# BlockValidation specifies what signatures must be included in the block
# from the orderer for the peer to validate it.
BlockValidation:
    Type: ImplicitMeta
    Rule: "ANY Writers"
I am not sure why the policies are not met. Can anyone help me troubleshoot this?
Try by editing this block in your configtx.yaml file and regenerate genesis block.
Profiles:
    TwoOrgsOrdererGenesis:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            Organizations:
                - *Org1
                - *Org2    # line emphasized in the original answer
            Capabilities:
                <<: *OrdererCapabilities
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *Org1
                    - *Org2
1. Error
To update my channel config (called identitych), I fetched, translated, modified, and re-encoded channel config file by following the guide in the official document.
At the last step, I tried to submit my channel config update with the following command.
peer channel update -f config_update_in_envelope.pb -c identitych -o orderer1.common.bpl:7050 --tls --cafile /orderers/admin-ca/msp/tlscacerts/ca-cert.pem
But, I failed with the following error.
2021-09-02 12:52:53.987 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'identitych': error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/ConsensusType not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
Error message from the logs recorded by orderer1.common.bpl is like below. I could not find any relevant error messages except this message.
2021-09-02 12:52:53.993 UTC [orderer.common.broadcast] ProcessMessage -> WARN 54f6 [channel: identitych] Rejecting broadcast of config message from 10.0.1.104:54556 because of error: error applying config update to existing channel 'identitych': error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/ConsensusType not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
2021-09-02 12:52:53.993 UTC [comm.grpc.server] 1 -> INFO 54f7 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Broadcast grpc.peer_address=10.0.1.104:54556 grpc.code=OK grpc.call_duration=2.028426ms
2. My setting
To use peer update command, I used a cli docker container, which had been created by the following command:
docker container run -it --rm --name cli \
--log-driver json-file --log-opt max-size=1g --log-opt max-file=1 \
-e GOPATH=/opt/gopath \
-e CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock \
-e FABRIC_LOGGING_SPEC=INFO \
-e CORE_PEER_ID=cli \
-e CORE_PEER_ADDRESS=peer3.identity.common.bpl:7051 \
-e CORE_PEER_LOCALMSPID=BPLMSP \
-e CORE_PEER_MSPCONFIGPATH=/peers/admin-org/msp \
-e CORE_PEER_TLS_ENABLED=true \
-e CORE_PEER_TLS_KEY_FILE=/peers/peer3.identity.common.bpl/tls/keystore/key.pem \
-e CORE_PEER_TLS_CERT_FILE=/peers/peer3.identity.common.bpl/tls/signcerts/cert.pem \
-e CORE_PEER_TLS_ROOTCERT_FILE=/peers/peer3.identity.common.bpl/tls/tlscacerts/ca-cert.pem \
-w="/peers" \
-v /var/run/:/host/var/run/ \
-v "$(pwd)"/peers:/peers \
-v "$(pwd)"/channel-artifacts:/channel-artifacts \
-v "$(pwd)"/chaincodes:/chaincodes \
-v "$(pwd)"/orderers:/orderers \
-v "$(pwd)"/scripts:/scripts \
--network $NETWORK \
hyperledger/fabric-tools:$VERSION /bin/bash
As you can see in the above script, this cli container starts with the necessary environment variable settings (such as CORE_PEER_TLS_...) to connect to the target peer. Also, CORE_PEER_MSPCONFIGPATH points to the admin user's msp directory.
By following the answer to the previous question on stackoverflow, I checked that my admin user's cert is correct.
At the root location of my admin user's msp directory, config.yaml had been placed and its content is like below:
NodeOUs:
    Enable: true
    ClientOUIdentifier:
        Certificate: "cacerts/cacert.pem"
        OrganizationalUnitIdentifier: "client"
    AdminOUIdentifier:
        Certificate: "cacerts/cacert.pem"
        OrganizationalUnitIdentifier: "admin"
    PeerOUIdentifier:
        Certificate: "cacerts/cacert.pem"
        OrganizationalUnitIdentifier: "peer"
    OrdererOUIdentifier:
        Certificate: "cacerts/cacert.pem"
        OrganizationalUnitIdentifier: "orderer"
So, its OU setting looks correct.
Then, I checked my admin user's signcerts/cert.pem using openssl command.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ...
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=KR, ST=Daejeon, O=bigpicturelabs, CN=ca.peer.common.bpl
        Validity
            Not Before: Sep 2 12:47:00 2021 GMT
            Not After : Sep 4 04:51:00 2035 GMT
        Subject: C=KR, ST=Daejeon, O=bigpicturelabs, OU=admin, CN=bpl-peer-admin
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    ...
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            ...
            1.2.3.4.5.6.7.8.1:
                {"attrs":{"hf.Affiliation":"","hf.EnrollmentID":"bpl-peer-admin","hf.Type":"admin"}}
    ...
From the Subject section, I could confirm that its OU value had been set correctly as admin and the CN had also been set correctly. So far, everything looks good.
Then, I validated my admin user's cert against the root certificate extracted from the channel config. The way to do it was introduced in the above question on stackoverflow. And, again, I got the correct answer.
> openssl verify -CAfile root.pem ./admin-org/msp/signcerts/cert.pem
./admin-org/msp/signcerts/cert.pem: OK
Then, finally, I checked the configtx.yaml content.
Organizations:
    - &BPLOrdererOrg
        Name: BPLOrdererMSP
        ID: BPLOrdererMSP
        MSPDir: ./orderers/admin-ca/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('BPLOrdererMSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('BPLOrdererMSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('BPLOrdererMSP.admin')"
        OrdererEndpoints:
            - orderer0.common.bpl:7050
    - &BPLOrg
        Name: BPLMSP
        ID: BPLMSP
        MSPDir: ./peers/admin-ca/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('BPLMSP.admin', 'BPLMSP.peer', 'BPLMSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('BPLMSP.admin', 'BPLMSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('BPLMSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('BPLMSP.peer')"
        AnchorPeers:
            - Host: peer0.identity.common.bpl
              Port: 7051
Capabilities:
    Channel: &ChannelCapabilities
        V2_0: true
    Orderer: &OrdererCapabilities
        V2_0: true
    Application: &ApplicationCapabilities
        V2_0: true
Application: &ApplicationDefaults
    Organizations:
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        LifecycleEndorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"
        Endorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"
    Capabilities:
        <<: *ApplicationCapabilities
Orderer: &OrdererDefaults
    OrdererType: etcdraft
    EtcdRaft:
        Consenters:
            - Host: orderer0.common.bpl
              Port: 7050
              ClientTLSCert: ./orderers/orderer0.common.bpl/tls/signcerts/cert.pem
              ServerTLSCert: ./orderers/orderer0.common.bpl/tls/signcerts/cert.pem
            - Host: orderer1.common.bpl
              Port: 7050
              ClientTLSCert: ./orderers/orderer1.common.bpl/tls/signcerts/cert.pem
              ServerTLSCert: ./orderers/orderer1.common.bpl/tls/signcerts/cert.pem
            - Host: orderer2.common.bpl
              Port: 7050
              ClientTLSCert: ./orderers/orderer2.common.bpl/tls/signcerts/cert.pem
              ServerTLSCert: ./orderers/orderer2.common.bpl/tls/signcerts/cert.pem
    BatchTimeout: 0.5s
    BatchSize:
        MaxMessageCount: 100
        AbsoluteMaxBytes: 99 MB
        PreferredMaxBytes: 512 KB
    Organizations:
    Policies:
        ...
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        ...
Channel: &ChannelDefaults
    Policies:
        ...
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    Capabilities:
        <<: *ChannelCapabilities
...
Again, I could not find any problem from my configuration file.
3. Question
Is there any point that I'm missing? Where should I investigate to solve this problem?
Thanks.
I solved this problem by working with orderer's admin, not peer organization's admin. I'm not sure why, but it works.
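The "0 sub-policies were satisfied" failures in the two questions above come from the same mechanism: an ImplicitMeta policy counts how many child groups' same-named policies the signer satisfies. The following Python model is an added example, not code from the posts or from Fabric; it handles only `OR(...)` Signature rules with simple role matching, and the `org1MSP` rules, the `Consortiums` group without a Readers policy, and the placement of each org under Orderer or Application are assumptions.

```python
import re
from dataclasses import dataclass, field

# Matches 'MSPID.role' principals inside a Signature rule.
PRINCIPAL = re.compile(r"'([^'.]+)\.(\w+)'")
IMPLICIT_META = {
    "Readers": ("ImplicitMeta", "ANY Readers"),
    "Writers": ("ImplicitMeta", "ANY Writers"),
    "Admins": ("ImplicitMeta", "MAJORITY Admins"),
}


@dataclass
class Group:
    """One node of the channel config tree: Channel, Orderer, an org, ..."""
    name: str
    policies: dict = field(default_factory=dict)  # policy name -> (Type, Rule)
    children: list = field(default_factory=list)  # sub-groups


def org(msp_id, readers, writers, admins):
    return Group(msp_id, {"Readers": ("Signature", readers),
                          "Writers": ("Signature", writers),
                          "Admins": ("Signature", admins)})


def meta_group(name, orgs):
    return Group(name, dict(IMPLICIT_META), list(orgs))


def find(root, path):
    """Resolve a path such as /Channel/Orderer to its Group."""
    names = path.strip("/").split("/")
    if names[0] != root.name:
        raise KeyError(path)
    node = root
    for name in names[1:]:
        node = next(c for c in node.children if c.name == name)
    return node


def signature_satisfied(rule, signers):
    """Simplified: OR('MSP.role', ...) only; 'member' matches any role of that MSP."""
    if not rule.startswith("OR("):
        raise ValueError("only OR(...) rules are modelled: " + rule)
    return any(msp == p_msp and p_role in ("member", role)
               for p_msp, p_role in PRINCIPAL.findall(rule)
               for msp, role in signers)


def required(quantifier, n):
    """Sub-policies needed out of n child groups (no children: trivially met)."""
    if n == 0:
        return 0
    return {"ANY": 1, "ALL": n, "MAJORITY": n // 2 + 1}[quantifier]


def tally(group, policy_name, signers):
    """(satisfied, required) for an ImplicitMeta policy defined on `group`."""
    kind, rule = group.policies[policy_name]
    if kind != "ImplicitMeta":
        raise ValueError(policy_name + " is not an ImplicitMeta policy")
    quantifier, sub_policy = rule.split()
    satisfied = sum(evaluate(c, sub_policy, signers) for c in group.children)
    return satisfied, required(quantifier, len(group.children))


def evaluate(group, policy_name, signers):
    if policy_name not in group.policies:
        return False  # a child without the policy never counts as satisfied
    kind, rule = group.policies[policy_name]
    if kind == "Signature":
        return signature_satisfied(rule, signers)
    satisfied, needed = tally(group, policy_name, signers)
    return satisfied >= needed


def report(root, path, policy_name, signers):
    satisfied, needed = tally(find(root, path), policy_name, signers)
    verdict = "satisfied" if satisfied >= needed else "NOT satisfied"
    return f"{path}/{policy_name}: {verdict}, {satisfied} of required {needed} sub-policies"


# Second question: org rules copied from the posted configtx.yaml; group
# membership is assumed because the Profiles section is not shown.
BPL_ORDERER = org("BPLOrdererMSP", "OR('BPLOrdererMSP.member')",
                  "OR('BPLOrdererMSP.member')", "OR('BPLOrdererMSP.admin')")
BPL_PEER = org("BPLMSP", "OR('BPLMSP.admin', 'BPLMSP.peer', 'BPLMSP.client')",
               "OR('BPLMSP.admin', 'BPLMSP.client')", "OR('BPLMSP.admin')")
IDENTITYCH = Group("Channel", dict(IMPLICIT_META),
                   [meta_group("Orderer", [BPL_ORDERER]),
                    meta_group("Application", [BPL_PEER])])

# First question: org2 rules from the post; org1 rules constructed by analogy.
ORG1 = org("org1MSP", "OR('org1MSP.member')", "OR('org1MSP.member')",
           "OR('org1MSP.admin')")
ORG2 = org("org2MSP",
           "OR('org2MSP.member', 'org2MSP.admin', 'org2MSP.peer', 'org2MSP.client')",
           "OR('org2MSP.member', 'org2MSP.admin', 'org2MSP.client')",
           "OR('org2MSP.admin')")


def system_channel(orderer_orgs):
    # Consortiums is modelled with no Readers policy (assumption).
    return Group("Channel", dict(IMPLICIT_META),
                 [meta_group("Orderer", orderer_orgs), Group("Consortiums")])


if __name__ == "__main__":
    print(report(IDENTITYCH, "/Channel/Orderer", "Admins", [("BPLMSP", "admin")]))
    print(report(IDENTITYCH, "/Channel/Orderer", "Admins", [("BPLOrdererMSP", "admin")]))
    print(report(system_channel([ORG1]), "/Channel", "Readers", [("org2MSP", "orderer")]))
    print(report(system_channel([ORG1, ORG2]), "/Channel", "Readers", [("org2MSP", "orderer")]))
```

In this model the peer organization's admin can never satisfy `/Channel/Orderer/Admins`, because only organizations listed under the Orderer group contribute `Admins` sub-policies there.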
I am trying to create a genesis block in hyperledger fabric 2.3 using configtxgen. Please find the profile details I am using to create the genesis block in the configtx.yaml file.
---
Organizations:
    - &OrdererOrg
        Name: OrdererOrg
        # ID to load the MSP definition as
        ID: OrdererMSP
        MSPDir: ../organizations/ordererOrganizations/example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('OrdererMSP.admin')"
        OrdererEndpoints:
            - orderer.example.com:7051
            - orderer2.example.com:7052
            - orderer3.example.com:7053
            - orderer4.example.com:7054
    - &Org1
        Name: Org1MSP
        # ID to load the MSP definition as
        ID: Org1MSP
        MSPDir: ../organizations/peerOrganizations/org1.example.com/msp
        Policies: &Org1Policies
            Readers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org1MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('Org1MSP.peer')"
        # leave this flag set to true.
        AnchorPeers:
            - Host: peer0.org1.example.com
              Port: 8051
    - &Org2
        Name: Org2MSP
        # ID to load the MSP definition as
        ID: Org2MSP
        MSPDir: ../organizations/peerOrganizations/org2.example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org2MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('Org2MSP.peer')"
        AnchorPeers:
            - Host: peer0.org2.example.com
              Port: 9051
# CAPABILITIES
Capabilities:
    Channel: &ChannelCapabilities
        V2_0: true
    Orderer: &OrdererCapabilities
        V2_0: true
    Application: &ApplicationCapabilities
        V2_0: true
# APPLICATION
Application: &ApplicationDefaults
    ACLs: &ACLsDefault
        # ACL policy for _lifecycle's "CheckCommitReadiness" function
        _lifecycle/CheckCommitReadiness: /Channel/Application/Writers
        # ACL policy for _lifecycle's "CommitChaincodeDefinition" function
        _lifecycle/CommitChaincodeDefinition: /Channel/Application/Writers
        # ACL policy for _lifecycle's "QueryChaincodeDefinition" function
        _lifecycle/QueryChaincodeDefinition: /Channel/Application/Writers
        # ACL policy for _lifecycle's "QueryChaincodeDefinitions" function
        _lifecycle/QueryChaincodeDefinitions: /Channel/Application/Writers
        #---Lifecycle System Chaincode (lscc) function to policy mapping for access control---#
        # ACL policy for lscc's "getid" function
        lscc/ChaincodeExists: /Channel/Application/Readers
        # ACL policy for lscc's "getdepspec" function
        lscc/GetDeploymentSpec: /Channel/Application/Readers
        # ACL policy for lscc's "getccdata" function
        lscc/GetChaincodeData: /Channel/Application/Readers
        # ACL Policy for lscc's "getchaincodes" function
        lscc/GetInstantiatedChaincodes: /Channel/Application/Readers
        #---Query System Chaincode (qscc) function to policy mapping for access control---#
        # ACL policy for qscc's "GetChainInfo" function
        qscc/GetChainInfo: /Channel/Application/Readers
        # ACL policy for qscc's "GetBlockByNumber" function
        qscc/GetBlockByNumber: /Channel/Application/Readers
        # ACL policy for qscc's "GetBlockByHash" function
        qscc/GetBlockByHash: /Channel/Application/Readers
        # ACL policy for qscc's "GetTransactionByID" function
        qscc/GetTransactionByID: /Channel/Application/Readers
        # ACL policy for qscc's "GetBlockByTxID" function
        qscc/GetBlockByTxID: /Channel/Application/Readers
        #---Configuration System Chaincode (cscc) function to policy mapping for access control---#
        # ACL policy for cscc's "GetConfigBlock" function
        cscc/GetConfigBlock: /Channel/Application/Readers
        # ACL policy for cscc's "GetChannelConfig" function
        cscc/GetChannelConfig: /Channel/Application/Readers
        #---Miscellaneous peer function to policy mapping for access control---#
        # ACL policy for invoking chaincodes on peer
        peer/Propose: /Channel/Application/Writers
        # ACL policy for chaincode to chaincode invocation
        peer/ChaincodeToChaincode: /Channel/Application/Writers
        #---Events resource to policy mapping for access control###---#
        # ACL policy for sending block events
        event/Block: /Channel/Application/Readers
        # ACL policy for sending filtered block events
        event/FilteredBlock: /Channel/Application/Readers
    # Organizations lists the orgs participating on the application side of the
    # network.
    Organizations:
    Policies: &ApplicationDefaultPolicies
        LifecycleEndorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"
        Endorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    # Capabilities describes the application level capabilities, see the
    # dedicated Capabilities section elsewhere in this file for a full
    # description
    Capabilities:
        <<: *ApplicationCapabilities
# ORDERER
Orderer: &OrdererDefaults
    # Orderer Type: The orderer implementation to start
    OrdererType: etcdraft
    Addresses:
        - orderer.example.com:7051
        - orderer2.example.com:7052
        - orderer3.example.com:7053
        - orderer4.example.com:7054
        - orderer5.example.com:7055
    EtcdRaft:
        Consenters:
            - Host: orderer.example.com
              Port: 7051
              ClientTLSCert: ../organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
              ServerTLSCert: ../organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
            - Host: orderer2.example.com
              Port: 7052
              ClientTLSCert: ../organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt
              ServerTLSCert: ../organizations/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt
            - Host: orderer3.example.com
              Port: 7053
              ClientTLSCert: ../organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.crt
              ServerTLSCert: ../organizations/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.crt
            - Host: orderer4.example.com
              Port: 7054
              ClientTLSCert: ../organizations/ordererOrganizations/example.com/orderers/orderer4.example.com/tls/server.crt
              ServerTLSCert: ../organizations/ordererOrganizations/example.com/orderers/orderer4.example.com/tls/server.crt
            - Host: orderer5.example.com
              Port: 7055
              ClientTLSCert: ../organizations/ordererOrganizations/example.com/orderers/orderer5.example.com/tls/server.crt
              ServerTLSCert: ../organizations/ordererOrganizations/example.com/orderers/orderer5.example.com/tls/server.crt
    # Batch Timeout: The amount of time to wait before creating a batch
    BatchTimeout: 2s
    # Batch Size: Controls the number of messages batched into a block
    BatchSize:
        # Max Message Count: The maximum number of messages to permit in a batch
        MaxMessageCount: 10
        AbsoluteMaxBytes: 99 MB
        PreferredMaxBytes: 512 KB
    # Organizations is the list of orgs which are defined as participants on
    # the orderer side of the network
    Organizations:
    # Policies defines the set of policies at this level of the config tree
    # For Orderer policies, their canonical path is
    # /Channel/Orderer/<PolicyName>
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        # BlockValidation specifies what signatures must be included in the block
        # from the orderer for the peer to validate it.
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"
    # Capabilities describes the orderer level capabilities, see the
    # dedicated Capabilities section elsewhere in this file for a full
    # description
    Capabilities:
        <<: *OrdererCapabilities
# CHANNEL
Channel: &ChannelDefaults
    Policies:
        # Who may invoke the 'Deliver' API
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        # Who may invoke the 'Broadcast' API
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        # By default, who may modify elements at this config level
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    Capabilities:
        <<: *ChannelCapabilities
# PROFILES
Profiles:
    SampleAppChannelEtcdRaft:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            OrdererType: etcdraft
            Organizations:
                - <<: *Org1
                  Policies:
                      <<: *Org1Policies
                      Admins:
                          Type: Signature
                          Rule: "OR('Org1.member')"
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - <<: *Org1
                  Policies:
                      <<: *Org1Policies
                      Admins:
                          Type: Signature
                          Rule: "OR('Org1.member')"
But, when I try to create the genesis file with the command.
configtxgen -profile SampleAppChannelEtcdRaft -outputBlock genesis_block.pb -channelID channel1
I am getting below error
[common.tools.configtxgen] func1 -> PANI 005 proto: Marshal called with nil
panic: proto: Marshal called with nil [recovered]
panic: proto: Marshal called with nil
I can't comment since the reputation is low,
so now... I got the same error, so I just checked the "crypto-config" folder and found out that I didn't have enough certificates,
so I checked the "docker-compose.yaml" file and another file (I have a custom structure in my folders) that is responsible for creating certificates. There I found out I had entered a wrong PORT number for one of the organizations, which did not match the PORT number of the organization mentioned in "docker-compose.yaml".
So I corrected it, ran the file again, and got enough certificates created; now it's fine.
This worked for me; let me know if you already got any other solution.
The problem can be solved by regenerating users and peers crypto credentials
e.g. if using cryptogen:
cryptogen generate --config=org3-crypto.yaml --output="../organizations"
in case of CA (test-network) just run ./network down
When I was conducting chain code approval, I encountered the following problem: Error: failed to send transaction: got unexpected status: NOT_FOUND -- Channel does not exist. I have successfully executed the operation of chain code packaging and chain code installation, but I cannot continue when executing the chain code approval. Have you encountered any such problems? Thank you.
Here is the information for the current node:
bash-5.0# peer channel list
2020-09-21 10:18:18.939 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Channels peers has joined:
example-channel
bash-5.0# peer lifecycle chaincode queryinstalled
Installed chaincodes on peer:
Package ID: mycc_1:2499940fe909cc71a661bf79a3d78523a43c4d2879f4456e6cbe4a2a5a5e5246, Label: mycc_1
========================2020-09-22===================
this is my configtx.yaml
Organizations:
    - &OrdererOrg
        Name: OrdererOrg
        ID: OrdererMSP
        MSPDir: ./crypto-config/ordererOrganizations/example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('OrdererMSP.admin')"
    - &Org1
        Name: Org1MSP
        ID: Org1MSP
        MSPDir: ./crypto-config/peerOrganizations/org1.example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org1MSP.admin')"
        AnchorPeers:
            - Host: peer0.org1.example.com
              Port: 7051
    - &Org2
        Name: Org2MSP
        ID: Org2MSP
        MSPDir: ./crypto-config/peerOrganizations/org2.example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org2MSP.admin')"
        AnchorPeers:
            - Host: peer0.org2.example.com
              Port: 7051
Capabilities:
    Channel: &ChannelCapabilities
        V2_0: true
    Orderer: &OrdererCapabilities
        V2_0: true
    Application: &ApplicationCapabilities
        V2_0: true
Application: &ApplicationDefaults
    Organizations:
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    Capabilities:
        <<: *ApplicationCapabilities
Orderer: &OrdererDefaults
    OrdererType: etcdraft
    Addresses: # orderer
        - orderer.example.com:7050
        - orderer2.example.com:7050
        - orderer3.example.com:7050
        - orderer4.example.com:7050
        - orderer5.example.com:7050
    BatchTimeout: 2s
    BatchSize:
        MaxMessageCount: 10
        AbsoluteMaxBytes: 99 MB
        PreferredMaxBytes: 512 KB
    Organizations:
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"
Channel: &ChannelDefaults
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    Capabilities:
        <<: *ChannelCapabilities
Profiles:
    TwoOrgsChannel:
        Consortium: SampleConsortium
        <<: *ChannelDefaults
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *Org1
                - *Org2
            Capabilities:
                <<: *ApplicationCapabilities
    SampleMultiNodeEtcdRaft:
        <<: *ChannelDefaults
        Capabilities:
            <<: *ChannelCapabilities
        Orderer:
            <<: *OrdererDefaults
            OrdererType: etcdraft
            EtcdRaft:
                Consenters:
                    - Host: orderer.example.com
                      Port: 7050
                      ClientTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
                      ServerTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
                    - Host: orderer2.example.com
                      Port: 7050
                      ClientTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt
                      ServerTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer2.example.com/tls/server.crt
                    - Host: orderer3.example.com
                      Port: 7050
                      ClientTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.crt
                      ServerTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer3.example.com/tls/server.crt
                    - Host: orderer4.example.com
                      Port: 7050
                      ClientTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer4.example.com/tls/server.crt
                      ServerTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer4.example.com/tls/server.crt
                    - Host: orderer5.example.com
                      Port: 7050
                      ClientTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer5.example.com/tls/server.crt
                      ServerTLSCert: ./crypto-config/ordererOrganizations/example.com/orderers/orderer5.example.com/tls/server.crt
            Addresses:
                - orderer.example.com:7050
                - orderer2.example.com:7050
                - orderer3.example.com:7050
                - orderer4.example.com:7050
                - orderer5.example.com:7050
            Organizations:
                - *OrdererOrg
            Capabilities:
                <<: *OrdererCapabilities
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - <<: *OrdererOrg
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *Org1
                    - *Org2
this is my host list:
|order.example.com|182.23.20.1|order|
|peer0.org1.example.com|182.23.20.2|org1|
|peer1.org1.example.com|182.23.20.3|org1|
|peer0.org2.example.com|182.23.20.4|org2|
|peer1.org2.example.com|182.23.20.5|org2|
So here's how I do it
Step one: Generate certificate file
cryptogen generate --config=./crypto-config.yaml
Step two: Create system channels
configtxgen -profile SampleMultiNodeEtcdRaft -outputBlock ../channel-artifacts/orderer.genesis.block -channelID system-channel
Step three: Create application channels
configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ../channel-artifacts/example-channel.tx -channelID example-channel
Step four: Anchor node update
configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ../channel-artifacts/Org1MSPanchors.tx -channelID example-channel -asOrg Org1MSP
configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ../channel-artifacts/Org2MSPanchors.tx -channelID example-channel -asOrg Org2MSP
Step five: Create channels on nodes, on peer0.org1 nodes
peer channel create -o orderer.example.com:7050 -c example-channel \
-f ./channel-artifacts/example-channel.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/
Step six: Join channel and anchor node update
peer channel join -b example-channel.block
#Anchor node update
peer channel update -o orderer.example.com:7050 -c example-channel -f ./channel-artifacts/Org1MSPanchors.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
This is true of other peer nodes
Step seven: Chaincode manager, use fabcar
# 1:gradlew installDist
cd ~/go/src/github.com/hyperledger/example/chaincode/fabcar/java
./gradlew installDist
#2:chaincode package
peer lifecycle chaincode package mycc.tar.gz \
--path /opt/gopath/src/github.com/hyperledger/fabric/peer/chaincode/fabcar/java/build/install/fabcar \
--lang java --label mycc_1
#3:chaincode install
peer lifecycle chaincode install mycc.tar.gz
This is true for all other nodes
I tried using the 'peer lifecycle chaincode queryinstalled' command on each peer and got the following results:
Installed chaincodes on peer:
Package ID: mycc_1:2499940fe909cc71a661bf79a3d78523a43c4d2879f4456e6cbe4a2a5a5e5246, Label: mycc_1
#4:chaincode approveformyorg
export CC_PACKAGE_ID=mycc_1:2499940fe909cc71a661bf79a3d78523a43c4d2879f4456e6cbe4a2a5a5e5246
# cafile path
export CF=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
# cc_name
export CC_NAME=example-channel
peer lifecycle chaincode approveformyorg -o orderer.example.com:7050 \
--channelID $CC_NAME --name mycc --version 1.0 --package-id $CC_PACKAGE_ID --sequence 1 --tls \
--cafile $CF --signature-policy "OR('Org1MSP.peer', 'Org2MSP.peer')"
When I executed the command, there was an error:
Error: failed to send transaction: got unexpected status: NOT_FOUND -- channel does not exist
Finally, there are no error messages in any of the above procedures below the supplement!
Do you have a good solution? Thank you!!!
Please make sure that you follow all the steps to create the channel properly.
Those steps are:
create the channel transaction artifact using configtxgen
create the channel on network using "peer channel create" command
join the peer on that channel using "peer channel join"
Now when you will give the approval, make sure you use "--channelID" flag in approval time.
It seems to be an error caused by your Orderer Service. Although you define in your configuration file configtx.yaml that you will have 5 orderer nodes, in your logs you only show one: |order.example.com|182.23.20.1|order|. So, it seems that you are not starting up all those 5 orderers. Have you checked your order.example.com logs?
However, you could try one (or both) of the following changes?
I think that you should try removing the configuration of the rest of the orderers from your configuration files, i.e. you should only have defined the orderer.example.com. Then, you should execute all the steps again. Remember to remove the docker containers and volumes created previously.
The second test could be replicating the configuration of the orderer.example.com. You would try to replicate the definition of the orderer.example.com. Because it seems that you are not defining and starting up the rest of the orderers that you should have running.
I updated a development hyperledger fabric network from 1.4.1 to 1.4.4 and can no longer create channels or interact with the network because a channel policy fails that was not failing in v1.4.1
The following is what happens when I try to create a channel via node sdk
Errors from node sdk
error: Status: BAD_REQUEST
Info: error validating channel creation transaction for new channel 'mychannel', could not successfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
Errors from Orderer Docker container
[orderer.common.broadcast] ProcessMessage -> WARN 00e [channel: farm] Rejecting broadcast of config message from 172.18.0.1:40866 because of error: error validating channel creation transaction for new channel 'farm', could not succesfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
crypto-config section
Application: &ApplicationDefaults
    # Organizations is the list of orgs which are defined as participants on
    # the application side of the network
    Organizations:
    # Policies defines the set of policies at this level of the config tree
    # For Application policies, their canonical path is
    # /Channel/Application/<PolicyName>
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
I think there were some Channel Policy and Channel Capability changes in 1.4.3
I solved the problem by getting the configtx.yaml from first-network the 1.4.3 fabric-samples and applying my changes (org names etc) to that new yaml file. Then generating a new genesis block etc.
After using the fabric-samples configtx.yaml for v1.4.4 as a template I found the only difference was this Capabilities section
Application: &ApplicationDefaults
    # Organizations is the list of orgs which are defined as participants on
    # the application side of the network
    Organizations:
    # Policies defines the set of policies at this level of the config tree
    # For Application policies, their canonical path is
    # /Channel/Application/<PolicyName>
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    Capabilities:
        <<: *ApplicationCapabilities
I am running a custom Hyperledger Fabric network over Kubernetes and now I am trying to automate the creation and joining of channels. The error I am getting right now is related to the creation of the channel itself.
The order I am following, related to the creation of the channels, is the following one (the example channel is named global):
Create genesis.block using configtx.yaml:
configtxgen -profile OrgsOrdererGenesis -configPath /data/config -outputBlock /data/genesis.block --channelID orderersglobal
Create channel.tx using the previously created genesis.block:
configtxgen -profile OrgsChannel -configPath /data/config -outputCreateChannelTx /data/global.tx -channelID global
Copy the channel.tx to each CLI and org
On each CLI, I enroll as admin and run the following command to create the channel block:
peer channel create -o orderer0.org1:7050 --channelID global -f /data/global.tx
However, I get this error:
2019-10-08 12:25:51.089 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: got unexpected status: BAD_REQUEST -- error validating channel creation transaction for new channel 'global', could not successfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
As a consequence, I cannot continue testing the network. I initially used the same channelID for genesis.block and channel.block, but I have changed it. I have read some posts about this but nothing seems to solve my problem. I hope some of you can help me.
This is my network architecture (I am not using TLS):
org1
    peer0 (anchor)
    peer1
    orderer0
org2
    peer0 (anchor)
    peer1
    orderer0
org3
    orderer0
This is the content of my configtx.yaml file:
Capabilities:
    Global: &ChannelCapabilities
        V1_3: true
    Orderer: &OrdererCapabilities
        V1_1: true
    Application: &ApplicationCapabilities
        V1_3: true

Organizations:
    - &org1
        Name: org1
        ID: org1MSP
        MSPDir: /data/orgs/org1/msp
        AdminPrincipal: Role.ADMIN
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('org1MSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('org1MSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('org1MSP.admin')"
        AnchorPeers:
            - Host: peer0.org1
              Port: 7051
    - &org2
        Name: org2
        ID: org2MSP
        MSPDir: /data/orgs/org2/msp
        AdminPrincipal: Role.ADMIN
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('org2MSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('org2MSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('org2MSP.admin')"
        AnchorPeers:
            - Host: peer0.org2
              Port: 7051
    - &org3
        Name: org3
        ID: org3MSP
        MSPDir: /data/orgs/org3/msp
        AdminPrincipal: Role.ADMIN
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('org3MSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('org3MSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('org3MSP.admin')"

Orderer: &OrdererDefaults
    OrdererType: kafka
    Addresses:
        - orderer0.org1:7050
        - orderer0.org2:7050
        - orderer0.org3:7050
    BatchTimeout: 2s
    BatchSize:
        MaxMessageCount: 10
        AbsoluteMaxBytes: 98 MB
        PreferredMaxBytes: 512 KB
    MaxChannels: 0
    Kafka:
        Brokers:
            - bootstrap.kafka:9092
    Organizations:
        - *org1
        - *org2
        - *org3
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"
    Capabilities:
        <<: *OrdererCapabilities

Channel: &ChannelDefaults
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    Capabilities:
        <<: *ChannelCapabilities

Application: &ApplicationDefaults
    ACLs: &ACLsDefault
        lscc/ChaincodeExists: /Channel/Application/Readers
        lscc/GetDeploymentSpec: /Channel/Application/Readers
        lscc/GetChaincodeData: /Channel/Application/Readers
        lscc/GetInstantiatedChaincodes: /Channel/Application/Readers
        qscc/GetChainInfo: /Channel/Application/Readers
        qscc/GetBlockByNumber: /Channel/Application/Readers
        qscc/GetBlockByHash: /Channel/Application/Readers
        qscc/GetTransactionByID: /Channel/Application/Readers
        qscc/GetBlockByTxID: /Channel/Application/Readers
        cscc/GetConfigBlock: /Channel/Application/Readers
        cscc/GetConfigTree: /Channel/Application/Readers
        cscc/SimulateConfigTreeUpdate: /Channel/Application/Readers
        peer/Propose: /Channel/Application/Writers
        peer/ChaincodeToChaincode: /Channel/Application/Readers
        event/Block: /Channel/Application/Readers
        event/FilteredBlock: /Channel/Application/Readers
    Organizations:
    Policies: &ApplicationDefaultPolicies
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    Capabilities:
        <<: *ApplicationCapabilities

Profiles:
    OrgsOrdererGenesis:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            Organizations:
                - *org1
                - *org2
                - *org3
            Capabilities:
                <<: *OrdererCapabilities
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *org1
                - *org2
                - *org3
            Capabilities:
                <<: *ApplicationCapabilities
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *org1
                    - *org2
    OrgsChannel:
        Capabilities:
            <<: *ChannelCapabilities
        Consortium: SampleConsortium
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *org1
                - *org2
            Capabilities:
                <<: *ApplicationCapabilities
The most likely thing that is happening is that the certificate you are trying to use as an admin is not really an admin. Things you can check to see where you got it wrong:
The MSP folder you used for configtx.yaml (/data/orgs/org1/msp and /data/orgs/org2/msp) is a folder on your computer (actually the computer/container that is running the configtxgen command). The first thing you have to check is whether the folder is being created correctly.
Is there a certificate in the admincerts folder inside the MSP folder? If you do not have one, then the MSP does not have an admin.
Another thing to keep in mind is to use the persistent volume to "pass" the certificates generated either by the Fabric CA, cryptogen or any other CA.
I know for a fact that the MSPDir works with a relative path to configtx.yaml. I do not know if it works using the absolute path you are using.
Another thing you can do to check which certificate is being used for each MSP is to fetch the last config block with peer channel fetch config, decode it with configtxlator proto_decode --input <channel name>_config.block --type common.Block --output config.json, and then check this JSON file.
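The check described in this answer, as an added example that is not part of the original post: it walks a configtxlator-decoded config block, collects the admin certificates recorded for each MSP, and reports whether the certificate you sign with is one of them. The function names are hypothetical, the sample block is constructed with placeholder bytes instead of real certificates, and it assumes admins are identified by admincerts rather than by NodeOU classification.

```python
import base64
import hashlib

def pem(raw: bytes) -> str:
    """Wrap bytes in PEM armour (only used to build the constructed sample)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(raw).decode()
            + "\n-----END CERTIFICATE-----\n")

def fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER bytes inside a PEM certificate."""
    body = "".join(l.strip() for l in pem_text.strip().splitlines()
                   if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def msp_admins(block: dict) -> dict:
    """Map MSP ID -> admin cert fingerprints in a decoded config block."""
    found = {}
    def walk(group):
        msp = group.get("values", {}).get("MSP")
        if msp:
            cfg = msp["value"]["config"]
            # each entry of "admins" is a base64-encoded PEM certificate
            found[cfg["name"]] = {fingerprint(base64.b64decode(a).decode())
                                  for a in cfg.get("admins") or []}
        for child in group.get("groups", {}).values():
            walk(child)
    walk(block["data"]["data"][0]["payload"]["data"]["config"]["channel_group"])
    return found

def check_signer(block: dict, msp_id: str, signer_pem: str) -> str:
    """Say whether signer_pem is listed as an admin of msp_id in the block."""
    admins = msp_admins(block).get(msp_id)
    if admins is None:
        return "MSP not in config"
    if not admins:
        return "MSP has no admin certs"  # admincerts was empty at configtxgen time
    return "admin" if fingerprint(signer_pem) in admins else "not an admin"

# Constructed sample: placeholder bytes stand in for real certificates.
ADMIN_PEM, USER_PEM = pem(b"constructed org1 admin"), pem(b"constructed org1 user")

def org(msp_id, admin_pems):
    b64 = [base64.b64encode(p.encode()).decode() for p in admin_pems]
    return {"values": {"MSP": {"value": {"config": {"name": msp_id, "admins": b64}}}}}

CHANNEL_GROUP = {"groups": {"Application": {"groups": {
    "org1": org("org1MSP", [ADMIN_PEM]), "org2": org("org2MSP", [])}}}}
SAMPLE = {"data": {"data": [{"payload": {"data": {"config": {
    "channel_group": CHANNEL_GROUP}}}}]}}
```

For a real check, load config.json with json.load and pass the PEM text of the signcerts certificate from the identity that runs peer channel create.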