I'm trying to set up Idemix based on the following documentation that I found:
https://hyperledger-fabric.readthedocs.io/en/release-1.4/idemix.html
https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#getting-idemix-cri-certificate-revocation-information
https://hyperledger-fabric.readthedocs.io/en/release-1.4/idemixgen.html
But when invoking a transaction, I received the error below:
$ docker exec -e "CORE_PEER_LOCALMSPTYPE=idemix" -e "CORE_PEER_LOCALMSPID=Org1IdemixMSP" -e "CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/User1#org1.example.com" cli peer chaincode query -C channel1 -n chaincode1 -c '{"Args":["query","a"]}'
Error: error getting default signer: error obtaining the default signing identity: no default signer setup
Steps that I took:
Register a user User1#org1.example.com to fabric CA:
fabric-ca-client register --id.name User1#org1.example.com --id.secret mysecret --id.type client --id.affiliation org1 --id.attrs role=2 -u http://localhost:7054
Enroll the user and create an idemix identity:
fabric-ca-client enroll --enrollment.type idemix -u http://User1#org1.example.com:mysecret#localhost:7054
Rename $USER1_DIR/msp/IssuerRevocationPublicKey to $USER1_DIR/msp/RevocationPublicKey. During transaction invocation, the name RevocationPublicKey is expected, not IssuerRevocationPublicKey
Prepare the idemix msp. I copied IssuerPublicKey and IssuerRevocationPublicKey of the CA to the msp folder. I need to rename IssuerRevocationPublicKey to RevocationPublicKey else configtxgen will complain
In configtx.yaml, add an Idemix MSP
    - &Org1Idemix
      Name: Org1IdemixMSP
      # ID to load the MSP definition as
      ID: Org1IdemixMSP
      msptype: idemix
      MSPDir: crypto-config/peerOrganizations/org1idemix.example.com/
      Policies: &Org1IdemixMSPPolicies
        Readers:
          Type: Signature
          Rule: "OR('Org1IdemixMSP.member')"
        Writers:
          Type: Signature
          Rule: "OR('Org1IdemixMSP.member')"
        Admins:
          Type: Signature
          Rule: "OR('Org1IdemixMSP.admin')"
Create genesis block, channel block, start network etc. (as usual)
Try to query transaction and the aforementioned error appears
I did some troubleshooting and, based on the idemixgen documentation, I found out that I need to put a default signer into the idemix msp, i.e. in the user folder. So I placed User1#org1.example.com's SignerConfig file into the user folder and reran configtxgen. I received the following error:
Error loading MSP configuration for org: Org1IdemixMSP: unexpected EOF
Next I compared the SignerConfig generated by idemixgen with the SignerConfig of User1#org1.example.com. The one generated by idemixgen cannot be opened while the other one is a .json file (shown below), so the format is different. Running configtxgen using the SignerConfig generated by idemixgen is successful. I want to try to invoke transactions by identities generated by idemixgen but there is no way to generate an identity except for the default signer.
{
"Cred": "CkQKIK/7Slvg7laNMv8n7urCKpRN4gTZJZ7xQUyqPQ0GskWFEiCq/aRBmXlQAnSeJLXViGEHLRoztSCoHU6PDXaft+STexJECiB1dosl0QwT5dR/iNwfj0UvWZLph5U6fTMUVjYXE3W/UhIg6U+q6S9xMZhL7SHYe/v//Vhsw7X7N+93Ha4qQiWu0OIaIKcFZamTWwD5VQppZDEdxv5nr4DZAOn/S0r3gchLFG66IiD7kc8IZFRji8ub7yS5ueK8ZcLm5o+WR9a7wAx7o6fKQCogieDBP6ZS9S2R/JDVaLcAcNbtGlnF2fRS37GyoZmxko4qIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACKiArm8Pnrt+hrBAk1PD9trARpE6XVbdfXN+27uSe9r8uxCogAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE=",
"Sk": "LwrgRX48aewbqKWrvNjo5VFfNSDIJAvdaR4brzOsnWM=",
"organizational_unit_identifier": "org1",
"enrollment_id": "User1#org1.example.com",
"credential_revocation_information": "CAESiAEKIP4MM1C0yWwgKFYPV3wokTrOHFOaEr+EPNImFraJwJ77EiBOpmBXc4rAVNta4cY32BO5JN144ofQNYnSae00o35qKxogcCBG58VCo7N2dw11Ek4+Ue/LJHWNYVhI6Qm0gb7cJ/8iIAVU47zTiMKQQu6mSSl+sp+LTL6AghqYs+ASgRFKrQSbGmgwZgIxAJRyRpR+k3SaAVRm4GM3l+zBU6V/7g73C9RQIU9kPef9XqVl0Gb+hQqrgd1HsTQ5GgIxANb6XNB+CrrQgwbt6msa0SG+aQKpSl48EeP/V7beUkshNubudBS+WjS+PRbf5aW0Nw=="
}
Repo here: https://github.com/aldredb/idemix-sample
I went deep into the code...
If you are interested, you can find the GetIdemixMspConfig function in msp/configbuilder.go on the fabric 1.4 release branch.
In this function, we can see that it attempts to load a signconf of proto type.
However, we enroll the msp with the ca client cli, which returns us a JSON...
I searched for topics such as "Unable to unmarshal json to protobuf struct field".
In my point of view, that proto Unmarshal will fail with the JSON format.
I'm trying Fabric v2.2 and it keeps failing to join a peer to a channel because of some policy problem (I guess). To get the MSPs of orderers and peers, I used the CAs of an orderer organization and a peer organization (there is one peer organization).
fabric-ca-client register -d --id.name ${PEERS[$i]} --id.secret ${PEER_ADMIN_PWS[$i]} --id.type peer -u https://$CA_NODE:7054
…
fabric-ca-client register -d --id.name $ORG_ADMIN_ID --id.secret $ORG_ADMIN_PW --id.type admin -u https://$CA_NODE:7054
….
fabric-ca-client register -d --id.name ${ORDERERS[$i]} --id.secret ${ORDERER_ADMIN_PWS[$i]} --id.type orderer -u https://$CA_NODE:7054
…
fabric-ca-client enroll -d -u https://${NODES[$i]}:${NODE_ADMIN_PWS[$i]}@$CA_NODE:7054
I think MSPs were okay because the network was up well.
Then, I launched a CLI container and created a channel called identitych. I think it worked well because I checked that the identitych directory had been created under the chains directory of all orderers.
After that, when I proposed to join a peer to a channel with the following command, the orderer could not deliver a block to a peer because of the permission denied and a peer could not retrieve a block from the orderer because of FORBIDDEN problem.
peer channel join -b /channel-artifacts/identitych.block
My configtx.yaml file looks like:
    Organizations:
      - &BPLOrdererOrg
        Name: BPLOrdererMSP
        ID: BPLOrdererMSP
        MSPDir: ./orderers/org-msp
        Policies:
          Readers:
            Type: Signature
            Rule: "OR('BPLOrdererMSP.member')"
          Writers:
            Type: Signature
            Rule: "OR('BPLOrdererMSP.member')"
          Admins:
            Type: Signature
            Rule: "OR('BPLOrdererMSP.admin')"
        OrdererEndpoints:
          - orderer0.common.bpl:7050
      - &BPLOrg
        Name: BPLMSP
        ID: BPLMSP
        MSPDir: ./peers/org-msp
        Policies:
          Readers:
            Type: Signature
            Rule: "OR('BPLMSP.admin', 'BPLMSP.peer', 'BPLMSP.client')"
          Writers:
            Type: Signature
            Rule: "OR('BPLMSP.admin', 'BPLMSP.client')"
          Admins:
            Type: Signature
            Rule: "OR('BPLMSP.admin')"
          Endorsement:
            Type: Signature
            Rule: "OR('BPLMSP.peer')"
NodeOUs is enabled by placing config.yaml on msp directory of each orderer and peer.
    # config.yaml
    NodeOUs:
      Enable: true
      ClientOUIdentifier:
        Certificate: "cacerts/cacert.pem"
        OrganizationalUnitIdentifier: "client"
      AdminOUIdentifier:
        Certificate: "cacerts/cacert.pem"
        OrganizationalUnitIdentifier: "admin"
      PeerOUIdentifier:
        Certificate: "cacerts/cacert.pem"
        OrganizationalUnitIdentifier: "peer"
      OrdererOUIdentifier:
        Certificate: "cacerts/cacert.pem"
        OrganizationalUnitIdentifier: "orderer"
Repeatedly, the orderer prints the following warning:
2020-08-20 11:35:08.041 UTC [comm.grpc.server] 1 -> INFO 0c3 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=172.24.0.11:42642 grpc.code=OK grpc.call_duration=792.5µs
2020-08-20 11:35:15.176 UTC [common.deliver] deliverBlocks -> WARN 0c4 [channel: identitych] Client 172.24.0.8:60236 is not authorized: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
At the same time, a peer repeatedly prints the following warning too:
2020-08-20 11:34:28.604 UTC [peer.blocksprovider] DeliverBlocks -> WARN 02b Got error while attempting to receive blocks: received bad status FORBIDDEN from orderer channel=identitych orderer-address=orderer0.common.bpl:7050
2020-08-20 11:34:28.604 UTC [peer.blocksprovider] func1 -> WARN 02c Encountered an error reading from deliver stream: EOF channel=identitych orderer-address=orderer0.common.bpl:7050
I found a similar question and answer (link) and I'm curious about the following quote:
Check for the Reader policies that you have defined in your configtx.yaml this error is generated because of the policy mismatch. You have defined some specific user type(admin, peer, client) in your Reader policies but this specific user type is not passed into certificates that you have generated for your peer.
I agree that my problem is because of the policy mismatch, but I don't understand the following mention:
but this specific user type is not passed into certificates that you have generated for your peer.
How can I solve my issue? Thanks, in advance.
It looks like you've not enabled NodeOUs for the MSP definitions included in the channel configuration.
NodeOUs is enabled by placing config.yaml on msp directory of each orderer and peer.
This will enable NodeOU support in the 'local MSP' of the peer and orderer, but for channel operations, like invoking the Deliver API, it is the channel MSP definition which is utilized.
Make sure that you have placed your config.yaml in the MSP directory referenced by your configtx.yaml (for instance, in your case under ./peers/org-msp) before generating your genesis block for the orderer system channel.
Additional notes:
You can confirm that it is NodeOU related by changing the Readers policy in your configtx.yaml to refer to member for your peer org, like you have for the orderer org. If things work with the member policy, then this is definitely NodeOU related.
You could also turn up debugging for the policy evaluation by setting FABRIC_LOGGING_SPEC=info:cauthdsl=debug:policies=debug:msp=debug. This is generally too verbose for normal operation, but will give you a more clear audit trail of exactly what's causing the failure.
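The check described in this answer can be automated before generating the genesis block. The following is an added example, not code from the answer or from Fabric: it scans the Organizations section of a configtx.yaml, looks for config.yaml with NodeOUs enabled in each referenced MSPDir, and reports Signature rules that use the client, peer or orderer roles for an MSP whose channel definition cannot classify them. The function names, the line-based parser and the sample input (constructed from the question's configtx.yaml) are assumptions of this example.

```python
import os
import re
import tempfile

# Roles an MSP can only resolve when NodeOUs is enabled in its config.yaml.
NODEOU_ROLES = {"client", "peer", "orderer"}
PRINCIPAL_RE = re.compile(r"'([\w.-]+)\.(member|admin|client|peer|orderer)'")
NODEOUS_ON = re.compile(
    r"^NodeOUs:[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+Enable:[ \t]*true\b", re.M | re.I)


def parse_orgs(configtx_text):
    """Line-based scan of the Organizations section (not a general YAML parser)."""
    orgs, org, in_orgs, last_key = [], None, False, None
    for raw in configtx_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # a top-level key opens or closes the section
            in_orgs = line.strip() == "Organizations:"
            continue
        text = line.strip()
        if not in_orgs:
            continue
        if text.startswith("- &"):
            org = {"id": None, "msp_dir": "", "rules": []}
            orgs.append(org)
        elif org is None:
            continue
        elif text.startswith("ID:"):
            org["id"] = text[3:].strip()
        elif text.startswith("MSPDir:"):
            org["msp_dir"] = text[7:].strip()
        elif text.startswith("Rule:"):
            org["rules"].append((last_key, text[5:].strip()))
        elif text.endswith(":"):
            last_key = text[:-1]  # e.g. Readers, Writers, Admins
    return orgs


def nodeous_enabled(msp_dir):
    """True if <msp_dir>/config.yaml exists and sets NodeOUs.Enable to true."""
    path = os.path.join(msp_dir, "config.yaml")
    if not os.path.isfile(path):
        return False
    with open(path) as fh:
        return bool(NODEOUS_ON.search(fh.read()))


def audit(configtx_text, base_dir):
    """Return (org MSP ID, policy name, principal) for every rule that needs NodeOUs
    on an MSP whose MSPDir (the channel MSP definition) does not enable it."""
    orgs = parse_orgs(configtx_text)
    enabled = {o["id"]: nodeous_enabled(os.path.join(base_dir, o["msp_dir"])) for o in orgs}
    findings = []
    for o in orgs:
        for policy, rule in o["rules"]:
            for msp_id, role in PRINCIPAL_RE.findall(rule):
                if role in NODEOU_ROLES and not enabled.get(msp_id, False):
                    findings.append((o["id"], policy, f"{msp_id}.{role}"))
    return findings


# Constructed sample, shortened from the configtx.yaml in the question.
SAMPLE_CONFIGTX = """\
Organizations:
  - &BPLOrdererOrg
    ID: BPLOrdererMSP
    MSPDir: ./orderers/org-msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('BPLOrdererMSP.member')"
  - &BPLOrg
    ID: BPLMSP
    MSPDir: ./peers/org-msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('BPLMSP.admin', 'BPLMSP.peer', 'BPLMSP.client')"
      Writers:
        Type: Signature
        Rule: "OR('BPLMSP.admin', 'BPLMSP.client')"
"""


def demo():
    # Audit once with empty MSP directories, then again after adding config.yaml.
    with tempfile.TemporaryDirectory() as base:
        for d in ("orderers/org-msp", "peers/org-msp"):
            os.makedirs(os.path.join(base, d))
        before = audit(SAMPLE_CONFIGTX, base)
        with open(os.path.join(base, "peers/org-msp/config.yaml"), "w") as fh:
            fh.write("NodeOUs:\n  Enable: true\n")
        after = audit(SAMPLE_CONFIGTX, base)
    return before, after
```

Run `audit()` against the directory that holds configtx.yaml before calling configtxgen; an empty result means every role-based rule refers to an MSP definition that has NodeOUs switched on.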
I'm trying to upgrade my Hyperledger Fabric network from v1.4.7 to v2.1. Upgrading peers and orderers went smoothly and already instantiated chaincodes work well. (Channel capabilities still remain at v1.x.) However, when I try to upgrade to the new version of my chaincode, it keeps failing.
In v1.4.7, I built a server to install/instantiate/upgrade a chaincode using Fabric SDK v1.4.x. However, I found that all APIs related to installing/instantiating/upgrading a chaincode had been removed from Fabric SDK v2.1. So, as the doc said, I tried to upgrade a chaincode using peer CLI.
First, I packaged my chaincode using peer lifecycle chaincode ... command. At this time, I set FABRIC_CFG_PATH to a core.yaml in fabric-samples folder (I don't understand why I do this for only packaging a chaincode, but anyway I did what the doc said). And I set CORE_PEER_MSPCONFIGPATH to my admin user msp folder.
After I got my chaincode package, I connect to my first peer, peer0.identity.bpl, using docker exec -it peer0.identity.bpl /bin/sh command. My docker container doesn't open the port outside in the production mode, so I need to connect the container inside.
Then, I typed the following command and I got the error message:
/artifacts # peer lifecycle chaincode install identity_cc_v1.2.0.tar.gz
Error: chaincode install failed with status: 500 - Failed to authorize invocation due to failed ACL check: Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [The identity is not an admin under this MSP [BPLMSP]: The identity does not contain OU [ADMIN], MSP: [BPLMSP]]
So, I think I need some 'admin' identity, so I copied my admin msp folder to this peer. Then, I set CORE_PEER_MSPCONFIGPATH to this copied admin msp folder. Then I got:
/artifacts # export CORE_PEER_MSPCONFIGPATH=/artifacts/org-admin/msp
/artifacts # peer lifecycle chaincode install identity_cc_v1.2.0.tar.gz
2020-05-26 07:21:47.020 UTC [main] InitCmd -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /artifacts/org-admin/msp: administrators must be declared when no admin ou classification is set
Now, I thought that maybe the OU setting had some problem. So, I disabled OU setting from the config.yaml file. But, I got the same error message again.
So, I changed CORE_PEER_MSPCONFIGPATH setting to original setting again, but now it said this is not an admin identity.
/artifacts # export CORE_PEER_MSPCONFIGPATH=/artifacts/msp
/artifacts # peer lifecycle chaincode install identity_cc_v1.2.0.tar.gz
Error: chaincode install failed with status: 500 - Failed to authorize invocation due to failed ACL check: Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin]
I understand. This identity is just a peer identity, not an admin identity. So, I tried to enroll admin in this peer, but this fabric-peer docker image doesn't contain fabric-ca-client binary. So, I thought I did something wrong and this is not the intended way.
At this point, how can I install and instantiate the new version of my chaincode?
After I set OU config to admin msp that is copied to peer, every problem has been solved and installing/committing a chaincode works well.
I am trying to add a new Orderer Organization to RAFT based existing ordering service. I am using the first-network from fabric-samples as the base network. While generating crypto-material, I have modified to generate crypto-material for 1 more orderer organization. The crypto-config.yaml looks like:
    OrdererOrgs:
      # ---------------------------------------------------------------------------
      # Orderer
      # ---------------------------------------------------------------------------
      - Name: Orderer
        Domain: example.com
        EnableNodeOUs: true
        # ---------------------------------------------------------------------------
        # "Specs" - See PeerOrgs below for complete description
        # ---------------------------------------------------------------------------
        Specs:
          - Hostname: orderer
          - Hostname: orderer2
          - Hostname: orderer3
          - Hostname: orderer4
          - Hostname: orderer5
      - Name: Orderer1
        Domain: example1.com
        EnableNodeOUs: true
        Specs:
          - Hostname: orderer
          - Hostname: orderer2
          - Hostname: orderer3
    # ---------------------------------------------------------------------------
    # "PeerOrgs" - Definition of organizations managing peer nodes
    # ---------------------------------------------------------------------------
    PeerOrgs:
      # ---------------------------------------------------------------------------
      # Org1
      # ---------------------------------------------------------------------------
      - Name: Org1
        Domain: org1.example.com
        EnableNodeOUs: true
        Template:
          Count: 2
          # Start: 5
          # Hostname: {{.Prefix}}{{.Index}} # default
        # ---------------------------------------------------------------------------
        # "Users"
        # ---------------------------------------------------------------------------
        # Count: The number of user accounts _in addition_ to Admin
        # ---------------------------------------------------------------------------
        Users:
          Count: 1
      # ---------------------------------------------------------------------------
      # Org2: See "Org1" for full specification
      # ---------------------------------------------------------------------------
      - Name: Org2
        Domain: org2.example.com
        EnableNodeOUs: true
        Template:
          Count: 2
        Users:
          Count: 1
Also, the configtx.yaml for creating new Orderer organization's MSP in JSON format is given as:
    Organizations:
      - &Orderer1Org
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: Orderer1Org
        # ID to load the MSP definition as
        ID: Orderer1MSP
        MSPDir: ../crypto-config/ordererOrganizations/example1.com/msp
        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        # /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
          Readers:
            Type: Signature
            Rule: "OR('Orderer1MSP.member')"
          Writers:
            Type: Signature
            Rule: "OR('Orderer1MSP.member')"
          Admins:
            Type: Signature
            Rule: "OR('Orderer1MSP.admin')"
Then I boot up the network using byfn.sh. Now I use the cli container to modify the system channel configuration in the following steps:
First I add the organization's JSON to the Orderer group as follows and submit channel update:
jq -s '.[0] * {"channel_group":{"groups":{"Orderer":{"groups": {"Orderer1Org":.[1]}}}}}' config.json orderer1org.json > modified_config.json
Then I add organization's JSON to the Consortium group as follows and submit channel update:
jq -s '.[0] * {"channel_group":{"groups":{"Consortiums":{"groups":{"SampleConsortium":{"groups": {"Orderer1MSP":.[1]}}}}}}}' config1.json orderer1org.json > modified_config1.json
Then I add organization's orderer1 TLS certificates to Consenters section and submit channel update:
cert=`base64 ../crypto/ordererOrganizations/example1.com/orderers/orderer.example1.com/tls/server.crt | sed ':a;N;$!ba;s/\n//g'`
cat modified_config1.json | jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert'", "host": "orderer.example1.com", "port": 7050, "server_tls_cert": "'$cert'"}] ' > modified_config2.json
Then I update the system channel configuration's Application group with new Orderer Org's JSON:
jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"Orderer1Org":.[1]}}}}}' config.json orderer1org.json > modified_config.json
Then I start one of the orderers in the new organization (orderer.example1.com) but the container is failing with following error:
2020-04-09 13:09:05.600 UTC [orderer.common.cluster.replication] fetchLastBlockSeq -> WARN 0e8 Received status:FORBIDDEN from orderer.example.com:7050: forbidden pulling the channel
2020-04-09 13:09:05.600 UTC [orderer.common.cluster.replication] func1 -> WARN 0e9 Received error of type 'forbidden pulling the channel' from {orderer.example.com:7050 [certs]}
The orderer.example.com logs throw this error:
2020-04-09 13:28:59.338 UTC [cauthdsl] deduplicate -> ERRO a3c Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.338 UTC [cauthdsl] deduplicate -> ERRO a3d Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.339 UTC [cauthdsl] deduplicate -> ERRO a3e Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.340 UTC [cauthdsl] deduplicate -> ERRO a3f Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.340 UTC [common.deliver] deliverBlocks -> WARN a40 [channel: byfn-sys-channel] Client authorization revoked for deliver request from 172.25.0.15:36196: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2020-04-09 13:28:59.341 UTC [comm.grpc.server] 1 -> INFO a41 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=172.25.0.15:36196 grpc.peer_subject="CN=orderer.example1.com,L=San Francisco,ST=California,C=US" grpc.code=OK grpc.call_duration=4.992078ms
I was able to extend the first-network by adding a new Orderer Organization as follows:
1. Start the first-network through the byfn.sh script in the fabric-samples repo in the etcdraft mode.
2. I generated crypto-material as described in the crypto-config.yaml in the question above.
3. Use the configtxgen tool to print the new orderer organization's MSP into JSON format.
4. Mount or docker cp this JSON file to the running cli container.
5. Set the environment inside the cli container corresponding to an existing ordering node. Import the latest system-channel configuration. Decode it to JSON format.
6. Edit the system channel configuration block's Orderer section to add the new orderer organization's MSP as follows:
   jq -s '.[0] * {"channel_group":{"groups":{"Orderer":{"groups": {"Orderer1Org":.[1]}}}}}' config.json orderer1org.json > config1.json
7. Edit the system channel configuration block's Consortiums section to add the new orderer organization's MSP as follows:
   jq -s '.[0] * {"channel_group":{"groups":{"Consortiums":{"groups":{"SampleConsortium":{"groups": {"Orderer1MSP":.[1]}}}}}}}' config1.json orderer1org.json > config2.json
8. Edit the system channel configuration block's Consenters section to add the TLS credentials for the new orderer organization's orderer.example1.com node as follows:
   cert=`base64 ../crypto/ordererOrganizations/example1.com/orderers/orderer.example1.com/tls/server.crt | sed ':a;N;$!ba;s/\n//g'`
   cat config2.json | jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert'", "host": "orderer.example1.com", "port": 7050, "server_tls_cert": "'$cert'"}] ' > modified_config.json
9. Encode the block, find delta, create channel update transaction, encode it as protobuf envelope and submit the channel update transaction.
10. Fetch the latest system channel configuration block.
11. Start one of the orderers (the one that was added to the consenters list previously) using this latest fetched system channel configuration block as its genesis.block file.
12. Perform docker exec into the cli container. Using the environment of an existing orderer node, fetch the latest system channel configuration.
13. Edit the system channel configuration block to add the new orderer's endpoint in the OrdererAddresses section as follows:
    cat config.json | jq '.channel_group.values.OrdererAddresses.value.addresses += ["orderer.example1.com:7050"] ' > modified_config.json
14. Encode the block, find delta, create channel update transaction, encode it as protobuf envelope and get the block signed by the Orderer1Org admin to satisfy the mod_policy for the /Channel/OrdererAddresses resource, which is set to the Admins policy. This implicit meta policy expects the signature of MAJORITY Admins at that level of update. So, as the number of orderer organizations is 2 now, we need both organizations' admins to sign this system channel update transaction. Set the environment corresponding to the Orderer1Org admin and run the following command:
    peer channel signconfigtx -f ordorg_update_in_envelope.pb
15. Set the environment back to the OrdererOrg admin and submit the channel update transaction. The peer channel update will automatically sign the transaction on behalf of the OrdererOrg admin.
    peer channel update -f ordorg_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.example.com:7050 --tls true --cafile $ORDERER_CA
For updating any application channel, just replace the step 7 by updating the application channel configuration block's Application section to add the new orderer organization's MSP there.
Hope this helps!
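Why the second organization's signature becomes mandatory once it is part of the Orderer group can be shown with a small model of ImplicitMeta evaluation. This is an added example, not code from the answer or from Fabric: the config fragments are constructed stand-ins shaped like decoded channel configuration, a Signature policy is simplified to "one of its listed principals signed", and the names `org_group`, `needed`, `evaluate` and `demo` are assumptions of this example.

```python
def org_group(msp_id):
    """Constructed stand-in for an org group: only its Admins Signature policy."""
    return {"policies": {"Admins": {"mod_policy": "Admins", "policy": {
        "type": 1,  # Signature
        "value": {"identities": [
            {"principal": {"msp_identifier": msp_id, "role": "ADMIN"}}]}}}}}


def needed(rule, n):
    """Sub-policies an ImplicitMeta rule requires out of n sub-groups."""
    return {"ANY": min(1, n), "ALL": n, "MAJORITY": n // 2 + 1 if n else 0}[rule]


def evaluate(group, name, signers):
    """Return (satisfied, required) for policy `name` at `group`.

    signers is a set of (msp_id, role) pairs that signed the config update.
    """
    policy = group["policies"][name]["policy"]
    if policy["type"] == 1:
        # Simplification: a Signature policy passes if any listed principal signed.
        hit = any(
            (i["principal"]["msp_identifier"], i["principal"]["role"]) in signers
            for i in policy["value"]["identities"])
        return (1 if hit else 0, 1)
    # ImplicitMeta: count the immediate sub-groups whose sub-policy is satisfied.
    sub = policy["value"]["sub_policy"]
    children = list(group.get("groups", {}).values())
    satisfied = 0
    for child in children:
        if sub in child.get("policies", {}):   # a missing sub-policy counts as a reject
            got, want = evaluate(child, sub, signers)
            satisfied += got >= want
    return (satisfied, needed(policy["value"]["rule"], len(children)))


def demo():
    # Constructed Orderer group with one org and a MAJORITY Admins policy.
    orderer = {
        "groups": {"OrdererOrg": org_group("OrdererMSP")},
        "policies": {"Admins": {"mod_policy": "Admins", "policy": {
            "type": 3,  # ImplicitMeta
            "value": {"rule": "MAJORITY", "sub_policy": "Admins"}}}},
    }
    first_admin = {("OrdererMSP", "ADMIN")}
    before = evaluate(orderer, "Admins", first_admin)

    # Same effect as the jq merge that adds Orderer1Org under the Orderer group.
    orderer["groups"]["Orderer1Org"] = org_group("Orderer1MSP")
    after_one = evaluate(orderer, "Admins", first_admin)
    after_both = evaluate(orderer, "Admins", first_admin | {("Orderer1MSP", "ADMIN")})
    return before, after_one, after_both


if __name__ == "__main__":
    for label, (got, want) in zip(("1 org, 1 signer", "2 orgs, 1 signer", "2 orgs, 2 signers"), demo()):
        print(f"{label}: {got} of {want} required Admins sub-policies satisfied")
```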
I followed the above sequence of steps to add a new Orderer Organization to an existing network, but the channel update (i.e. updating the config change to the orderer channel) throws an error like below,
2020-09-29 00:53:49.794 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'e2e-orderer-syschan': error authorizing update: error validating DeltaSet: policy for [Value] /Channel/OrdererAddresses not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
I modified the JSON blocks using the setup calls below (I tried mix/match combinations of the JSON change steps below)
jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"'${KL_NEW_ORDERER_NAME}'":.[1]}}}}}' config.json ${KL_NEW_ORDERER_NAME}.json > modified-config.json
jq -s '.[0] * {"channel_group":{"groups":{"Orderer":{"groups": {"'${KL_NEW_ORDERER_NAME}'":.[1]}}}}}' modified-config.json ${KL_NEW_ORDERER_NAME}.json > modified-config1.json
jq -s '.[0] * {"channel_group":{"groups":{"Consortiums":{"groups":{"'${KL_CONSORTIUM_NAME}'":{"groups": {"Orderermk01MSP":.[1]}}}}}}}' modified-config1.json ${KL_NEW_ORDERER_NAME}.json > modified-config2.json
LENGTH=$(jq '.channel_group.values.OrdererAddresses.value.addresses | length' modified-config2.json)
jq '.channel_group.values.OrdererAddresses.value.addresses['${LENGTH}'] |= "'${KL_NEW_ORDERER_URL}'"' modified-config2.json > modified-config3.json
cert=`base64 /hl-material/mk01-orderer/crypto-config/ordererOrganizations/${KL_DOMAIN}/orderers/orderer.mk01.${KL_DOMAIN}/tls/server.crt | sed ':a;N;$!ba;s/\n//g'`
cat modified-config3.json | jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert'", "host": "raft0.mk01.'${KL_DOMAIN}'", "port": 32050, "server_tls_cert": "'$cert'"}] ' > modified-config4.json
My network setup is based on HLF 2.2 LTS with 5 raft nodes under a K8s cluster.
I have a successful setup with multiple channels and multiple peer organizations on 2.2 LTS (I know how to do this in a dynamic way without bringing down any network). But now I am looking at scaling the orderer organization into multiple clusters/orgs dynamically. Is any tip or update needed on the above steps? Thanks again
Mariya
Background
I am trying to finish the Fabric CA Operations Guide tutorial in order to better understand the details of a TLS setup. However, I am stuck at the Create and Join Channel part.
A similar question was asked here at peer-channel-creation-fails-in-hyperledger-fabric, but sometimes the same errors can have different causes.
I followed the instructions at the aforementioned solution without success. The error I keep getting when I try to create the channel is:
Error: got unexpected status: BAD_REQUEST -- error validating channel creation transaction for new channel 'mychannel', could not successfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
Environment
My versions for Docker images are:
Docker engine version: 19.03.8;
Docker CA image and version: hyperledger/fabric-ca:1.4.6;
Docker Peer image and version: hyperledger/fabric-peer:2.0;
Docker Orderer image and version: hyperledger/fabric-orderer:2.0;
Docker Tools (CLI) image and version: hyperledger/fabric-tools:2.0.
Reproducing the error
I created a repository at GitHub where I put the codes referenced by the links: fabric-ca-operations-guide.
I start by executing tearup-docker-cas.sh to create all the Docker images for the CAs and consequently the directory structures at /tmp/hyperledger/:
curl -sSL https://raw.githubusercontent.com/hanesbarbosa/fabric-ca-operations-guide/master/tearup-docker-cas.sh | bash -s
When I check that every image is up and running by issuing the command docker ps I create the crypto material using setup-crypto.sh:
curl -sSL https://raw.githubusercontent.com/hanesbarbosa/fabric-ca-operations-guide/master/setup-crypto.sh | bash -s
Then I download the configtx.yaml file to my current directory:
curl -sSL https://raw.githubusercontent.com/hanesbarbosa/fabric-ca-operations-guide/master/configtx.yaml -o ./configtx.yaml
Now I am ready to set the environment variable FABRIC_CFG_PATH so that I can create the genesis block and channel transaction by the create_genesis_block_channel_tx.sh script. The artifacts will be available at /tmp/hyperledger/org0/orderer/:
curl -sSL https://raw.githubusercontent.com/hanesbarbosa/fabric-ca-operations-guide/master/create_genesis_block_channel_tx.sh | bash -s
Since the genesis block is available, now we can create the orderer image using tearup-docker-peers.sh. This script also creates all the peers and cli containers tools:
curl -sSL https://raw.githubusercontent.com/hanesbarbosa/fabric-ca-operations-guide/master/tearup-docker-peers.sh | bash -s
After the step 5 I am ready to create the channel. Therefore I use the following command to use the cli-org1 container:
docker exec -it cli-org1 bash -c "export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/admin/msp; peer channel create -c mychannel -f /tmp/hyperledger/assets/mychannel.tx -o orderer1-org0:7050 --outputBlock /tmp/hyperledger/assets/mychannel.block --tls --cafile /tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem"
At this point I get the error:
Error: got unexpected status: BAD_REQUEST -- error validating channel creation transaction for new channel 'mychannel', could not successfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
When I want to clean up everything for a fresh start I just execute:
curl -sSL https://raw.githubusercontent.com/hanesbarbosa/fabric-ca-operations-guide/master/teardown-docker.sh | bash -s
Fixing Attempts
I always try a new attempt with a fresh set of crypto materials and images, so I always run the step 6 from the Reproducing the error section before trying again;
I create the channel at the step 4 as the admin of the organization;
I make sure the orderer has the TLS root signing certificate listed (everybody is using the same CA for TLS certs);
The environment variable ORDERER_GENERAL_LOGLEVEL is set to "debug" at the orderer image, so that I can have more detailed errors;
I tried to sign the channel creation transaction (mychannel.tx) before issuing the command peer channel create to make sure it was not a lack of signature, but the error mentions a /Channel/Application group policy, that in this case is an Implicit Meta type, where the rule is "ANY Admins";
    Organizations:
    # Policies defines the set of policies at this level of the config tree
    # For Application policies, their canonical path is
    # /Channel/Application/<PolicyName>
    Policies: &ApplicationDefaultPolicies
      LifecycleEndorsement:
        Type: ImplicitMeta
        Rule: "MAJORITY Endorsement"
      Endorsement:
        Type: ImplicitMeta
        Rule: "MAJORITY Endorsement"
      Readers:
        Type: ImplicitMeta
        Rule: "ANY Readers"
      Writers:
        Type: ImplicitMeta
        Rule: "ANY Writers"
      Admins:
        Type: ImplicitMeta
        Rule: "ANY Admins"
I am running the fabric ca server using the docker container and using the fabric node for enrolling and registering the users. When I enroll the admin through fabric node, it works fine and creates the wallet folder. When I try to register the user, it throws the error saying
Failed to register user : Error: Calling register endpoint failed with
error [Error: self signed certificate]
Please any suggestion would be appreciated.
The register command should look like:
fabric-ca-client register -d --id.name $ORG_ADMIN --id.secret $ORG_ADMIN_PASSWORD --id.type client --id.affiliation $ORG_AFFILIATION
The fabric-ca-client-config.yaml inside your FABRIC_CA_CLIENT_HOME should look like:
    url: https://ca.org0.domain.tld:7054
    mspdir: msp
    tls:
      certfiles: ca-tls.pem
    csr:
      names:
        - C: US
          ST: New York
          L: New York
          O: Org0
          OU: Department0
    caname: org0-ca
    bccsp:
      default: SW
      sw:
        hash: SHA2
        security: 256
        filekeystore:
          keystore: msp/keystore
Please check url and tls.certfiles (if your CA is using TLS).
The msp directory must contain the CA administrator's credentials after enrolling it in the previous step.