Develop Reference

TLS handshake failed with error tls: first record does not look like a TLS handshake server=Orderer remoteaddress=172.24.0.1:41096

I create network files automatically through node.js.
I am building a test network with 1 orderer, 1 org and 1 peer, 1 cli and 1 ca for test.
When I create the channel using createChannel.sh based on the hyperledger fabric 2.2.1, I get some TLS-related errors inside my order container:
TLS handshake failed with error tls: first record does not look like
a TLS handshake server=Orderer remoteaddress=172.26.0.1:48124
I don't understand if the problem is in the yaml files or in another file.
Every help is welcome.
Here is my files:
createChannel.sh
# # imports
. envVar.sh
. utils.sh
CHANNEL_NAME="$1"
DELAY="$2"
MAX_RETRY="$3"
VERBOSE="$4"
: ${CHANNEL_NAME:="canal"}
: ${DELAY:="3"}
: ${MAX_RETRY:="5"}
: ${VERBOSE:="false"}
createChannel() {
setGlobals 1
# Poll in case the raft leader is not set yet
local rc=1
local COUNTER=1
while [ $rc -ne 0 -a $COUNTER -lt $MAX_RETRY ] ; do
sleep $DELAY
set -x
../bin/peer channel create -o localhost:7050 -c $CHANNEL_NAME --ordererTLSHostnameOverride orderer.example.com -f ./channel-artifacts/${CHANNEL_NAME}.tx --outputBlock $BLOCKFILE --tls --cafile $ORDERER_CA >&log.txt
res=$?
{ set +x; } 2>/dev/null
let rc=$res
COUNTER=$(expr $COUNTER + 1)
done
cat log.txt
verifyResult $res "Channel creation failed"
}
FABRIC_CFG_PATH=${PWD}/rede
infoln "Creating channel ${CHANNEL_NAME}"
createChannel
successln "Channel '$CHANNEL_NAME' created"
crypto-config.yaml
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
# ---------------------------------------------------------------------------
# "OrdererOrgs" - Definition of organizations managing orderer nodes
# ---------------------------------------------------------------------------
OrdererOrgs:
- Name: Orderer
Domain: example.com
Specs:
- Hostname: orderer
# ---------------------------------------------------------------------------
# "PeerOrgs" - Definition of organizations managing peer nodes
# ---------------------------------------------------------------------------
PeerOrgs:
# ---------------------------------------------------------------------------
# Org2: See "Org1" for full specification
# ---------------------------------------------------------------------------
- Name: org1
Domain: org1.com
Template:
Count: 1
EnableNodeOUs: true
SANS:
- "localhost"
Users:
Count: 1
configtx.yaml
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
################################################################################
#
# Section: Organizations
#
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
#
################################################################################
Organizations:
# SampleOrg defines an MSP using the sampleconfig. It should never be used
# in production but may be used as a template for other definitions
- &OrdererOrg
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: OrdererOrg
# ID to load the MSP definition as
ID: OrdererMSP
# MSPDir is the filesystem path which contains the MSP configuration
MSPDir: crypto-config/ordererOrganizations/example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies:
Readers:
Type: Signature
Rule: "OR('OrdererMSP.member')"
Writers:
Type: Signature
Rule: "OR('OrdererMSP.member')"
Admins:
Type: Signature
Rule: "OR('OrdererMSP.admin')"
- &org1
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: org1MSP
# ID to load the MSP definition as
ID: org1MSP
MSPDir: crypto-config/peerOrganizations/org1.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies:
Readers:
Type: Signature
Rule: "OR('org1MSP.admin', 'org1MSP.peer', 'org1MSP.client')"
Writers:
Type: Signature
Rule: "OR('org1MSP.admin', 'org1MSP.client')"
Admins:
Type: Signature
Rule: "OR('org1MSP.admin')"
Endorsement:
Type: Signature
Rule: "OR('org1MSP.peer')"
# leave this flag set to true.
AnchorPeers:
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
- Host: peer0.org1.example.com
Port: 7051
################################################################################
#
# SECTION: Capabilities
#
# - This section defines the capabilities of fabric network. This is a new
# concept as of v1.1.0 and should not be utilized in mixed networks with
# v1.0.x peers and orderers. Capabilities define features which must be
# present in a fabric binary for that binary to safely participate in the
# fabric network. For instance, if a new MSP type is added, newer binaries
# might recognize and validate the signatures from this type, while older
# binaries without this support would be unable to validate those
# transactions. This could lead to different versions of the fabric binaries
# having different world states. Instead, defining a capability for a channel
# informs those binaries without this capability that they must cease
# processing transactions until they have been upgraded. For v1.0.x if any
# capabilities are defined (including a map with all capabilities turned off)
# then the v1.0.x peer will deliberately crash.
#
################################################################################
Capabilities:
# Channel capabilities apply to both the orderers and the peers and must be
# supported by both.
# Set the value of the capability to true to require it.
Channel: &ChannelCapabilities
# V2_0 capability ensures that orderers and peers behave according
# to v2.0 channel capabilities. Orderers and peers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 capability.
# Prior to enabling V2.0 channel capabilities, ensure that all
# orderers and peers on a channel are at v2.0.0 or later.
V2_0: true
# Orderer capabilities apply only to the orderers, and may be safely
# used with prior release peers.
# Set the value of the capability to true to require it.
Orderer: &OrdererCapabilities
# V2_0 orderer capability ensures that orderers behave according
# to v2.0 orderer capabilities. Orderers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 orderer capability.
# Prior to enabling V2.0 orderer capabilities, ensure that all
# orderers on channel are at v2.0.0 or later.
V2_0: true
# Application capabilities apply only to the peer network, and may be safely
# used with prior release orderers.
# Set the value of the capability to true to require it.
Application: &ApplicationCapabilities
# V2_0 application capability ensures that peers behave according
# to v2.0 application capabilities. Peers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 application capability.
# Prior to enabling V2.0 application capabilities, ensure that all
# peers on channel are at v2.0.0 or later.
V2_0: true
################################################################################
#
# SECTION: Application
#
# - This section defines the values to encode into a config transaction or
# genesis block for application related parameters
#
################################################################################
Application: &ApplicationDefaults
# Organizations is the list of orgs which are defined as participants on
# the application side of the network
Organizations:
# Policies defines the set of policies at this level of the config tree
# For Application policies, their canonical path is
# /Channel/Application/<PolicyName>
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
LifecycleEndorsement:
Type: ImplicitMeta
Rule: "MAJORITY Endorsement"
Endorsement:
Type: ImplicitMeta
Rule: "MAJORITY Endorsement"
Capabilities:
<<: *ApplicationCapabilities
################################################################################
#
# SECTION: Orderer
#
# - This section defines the values to encode into a config transaction or
# genesis block for orderer related parameters
#
################################################################################
Orderer: &OrdererDefaults
# Orderer Type: The orderer implementation to start
OrdererType: solo
Addresses:
- orderer.example.com:7050
# Batch Timeout: The amount of time to wait before creating a batch
BatchTimeout: 2s
# Batch Size: Controls the number of messages batched into a block
BatchSize:
# Max Message Count: The maximum number of messages to permit in a batch
MaxMessageCount: 10
# Absolute Max Bytes: The absolute maximum number of bytes allowed for
# the serialized messages in a batch.
AbsoluteMaxBytes: 99 MB
# Preferred Max Bytes: The preferred maximum number of bytes allowed for
# the serialized messages in a batch. A message larger than the preferred
# max bytes will result in a batch larger than preferred max bytes.
PreferredMaxBytes: 512 KB
# Organizations is the list of orgs which are defined as participants on
# the orderer side of the network
Organizations:
# Policies defines the set of policies at this level of the config tree
# For Orderer policies, their canonical path is
# /Channel/Orderer/<PolicyName>
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# BlockValidation specifies what signatures must be included in the block
# from the orderer for the peer to validate it.
BlockValidation:
Type: ImplicitMeta
Rule: "ANY Writers"
################################################################################
#
# CHANNEL
#
# This section defines the values to encode into a config transaction or
# genesis block for channel related parameters.
#
################################################################################
Channel: &ChannelDefaults
# Policies defines the set of policies at this level of the config tree
# For Channel policies, their canonical path is
# /Channel/<PolicyName>
Policies:
# Who may invoke the 'Deliver' API
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
# Who may invoke the 'Broadcast' API
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
# By default, who may modify elements at this config level
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# Capabilities describes the channel level capabilities, see the
# dedicated Capabilities section elsewhere in this file for a full
# description
Capabilities:
<<: *ChannelCapabilities
################################################################################
#
# Profile
#
# - Different configuration profiles may be encoded here to be specified
# as parameters to the configtxgen tool
#
################################################################################
Profiles:
canal:
Consortium: SampleConsortium
<<: *ChannelDefaults
Application:
<<: *ApplicationDefaults
Organizations:
- *org1
Capabilities:
<<: *ApplicationCapabilities
SampleOrgs:
<<: *ChannelDefaults
Capabilities:
<<: *ChannelCapabilities
Orderer:
<<: *OrdererDefaults
Organizations:
- *OrdererOrg
Capabilities:
<<: *OrdererCapabilities
Application:
<<: *ApplicationDefaults
Organizations:
- <<: *OrdererOrg
Consortiums:
SampleConsortium:
Organizations:
- *org1
base.yaml
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
version: '2'
services:
peer-base:
image: hyperledger/fabric-peer
dns_search: .
environment:
- GODEBUG=netdns=go
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
# the following setting starts chaincode containers on the same
# bridge network as the peers
# https://docs.docker.com/compose/networking/
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=rede
- FABRIC_LOGGING_SPEC=DEBUG
- CORE_PEER_GOSSIP_USELEADERELECTION=true
- CORE_PEER_GOSSIP_ORGLEADER=false
# The following setting skips the gossip handshake since we are
# are not doing mutual TLS
- CORE_PEER_GOSSIP_SKIPHANDSHAKE=true
- CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/crypto/peer/msp
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/crypto/peer/tls/server.key
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/crypto/peer/tls/server.crt
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/crypto/peer/tls/ca.crt
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
command: peer node start
volumes:
- /var/run/:/host/var/run/
docker-compose.yaml
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
version: '2'
networks:
rede:
services:
orderer.example.com:
container_name: orderer.example.com
image: hyperledger/fabric-orderer
environment:
- FABRIC_LOGGING_SPEC=INFO
- ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
- ORDERER_GENERAL_LISTENPORT=7050
- ORDERER_GENERAL_GENESISMETHOD=file
- ORDERER_GENERAL_GENESISFILE=/var/hyperledger/orderer/genesis.block
- ORDERER_GENERAL_LOCALMSPID=OrdererMSP
- ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp
# enabled TLS
- ORDERER_GENERAL_TLS_ENABLED=true
- ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
- ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
- ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
- ORDERER_KAFKA_TOPIC_REPLICATIONFACTOR=1
- ORDERER_KAFKA_VERBOSE=true
- ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/var/hyperledger/orderer/tls/server.crt
- ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/var/hyperledger/orderer/tls/server.key
- ORDERER_GENERAL_CLUSTER_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
- CORE_PEER_TLS_ENABLED=true
working_dir: /opt/gopath/src/github.com/hyperledger/fabric
command: orderer
volumes:
- ./channel-artifacts/genesis.block:/var/hyperledger/orderer/genesis.block
- ./crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp:/var/hyperledger/orderer/msp
- ./crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/:/var/hyperledger/orderer/tls
ports:
- 7050:7050
networks:
- rede
ca_org1:
image: hyperledger/fabric-ca
environment:
- FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
- FABRIC_CA_SERVER_CA_NAME=ca-org1
- FABRIC_CA_SERVER_TLS_ENABLED=true
- FABRIC_CA_SERVER_PORT=9055
ports:
- "9055:9055"
command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
volumes:
- ./crypto-config/peerOrganizations/org1.com/ca/:/etc/hyperledger/fabric-ca-server
container_name: ca_org1
networks:
- rede
couchdb0:
container_name: couchdb0
image: couchdb:3.1.1
# Populate the COUCHDB_USER and COUCHDB_PASSWORD to set an admin user and password
# for CouchDB. This will prevent CouchDB from operating in an "Admin Party" mode.
environment:
- COUCHDB_USER=admin
- COUCHDB_PASSWORD=adminpw
# Comment/Uncomment the port mapping if you want to hide/expose the CouchDB service,
# for example map it to utilize Fauxton User Interface in dev environments.
ports:
- "5984:5984"
networks:
- rede
peer0.org1.com:
container_name: peer0.org1.com
image: hyperledger/fabric-peer
environment:
#Generic peer variables
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
# the following setting starts chaincode containers on the same
# bridge network as the peers
# https://docs.docker.com/compose/networking/
- FABRIC_LOGGING_SPEC=INFO
#- FABRIC_LOGGING_SPEC=DEBUG
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_PROFILE_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
# Peer specific variabes
- CORE_PEER_ID=peer0.org1.com
- CORE_PEER_ADDRESS=peer0.org1.com:7051
- CORE_PEER_LISTENADDRESS=0.0.0.0:7051
- CORE_PEER_CHAINCODEADDRESS=peer0.org1.com:7052
- CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052
- CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org1.com:7051
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.com:7051
- CORE_PEER_LOCALMSPID=org1MSP
- CORE_LEDGER_STATE_STATEDATABASE=CouchDB
- CORE_LEDGER_STATE_COUCHDBCONFIG_COUCHDBADDRESS=couchdb0:5984
# The CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME and CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD
# provide the credentials for ledger to connect to CouchDB. The username and password must
# match the username and password set for the associated CouchDB.
- CORE_LEDGER_STATE_COUCHDBCONFIG_USERNAME=admin
- CORE_LEDGER_STATE_COUCHDBCONFIG_PASSWORD=adminpw
depends_on:
- couchdb0
volumes:
- /var/run/docker.sock:/host/var/run/docker.sock
- ./crypto-config/peerOrganizations/org1.com/peers/peer0.org1.com/msp:/etc/hyperledger/fabric/msp
- ./crypto-config/peerOrganizations/org1.com/peers/peer0.org1.com/tls:/etc/hyperledger/fabric/tls
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
command: peer node start
ports:
- 7051:7051
- 7080:7053
networks:
- rede
cli:
container_name: cli
image: hyperledger/fabric-tools
tty: true
stdin_open: true
environment:
- GOPATH=/opt/gopath
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
- FABRIC_LOGGING_SPEC=INFO
#- FABRIC_LOGGING_SPEC=DEBUG
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
command: /bin/bash
volumes:
- /var/run/:/host/var/run/
- ./crypto-config/:/opt/gopath/src/github.com/hyperledger/fabric/peer/organizations
depends_on:
- peer0.org1.com
networks:
- rede
networkconfig.yaml
---
#
# Copyright Fujitsu Australia Software Technology, IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
#
# The network connection profile provides client applications the information about the target
# blockchain network that are necessary for the applications to interact with it. These are all
# knowledge that must be acquired from out-of-band sources. This file provides such a source.
#
name: "rede"
#
# Any properties with an "x-" prefix will be treated as application-specific, exactly like how naming
# in HTTP headers or swagger properties work. The SDK will simply ignore these fields and leave
# them for the applications to process. This is a mechanism for different components of an application
# to exchange information that are not part of the standard schema described below. In particular,
# the "x-type" property with the "hlfv1" value example below is used by Hyperledger Composer to
# determine the type of Fabric networks (v0.6 vs. v1.0) it needs to work with.
#
x-type: "canal"
#
# Describe what the target network is/does.
#
description: "desc rede"
#
# Schema version of the content. Used by the SDK to apply the corresponding parsing rules.
#
version: 1.0.0
client:
# Which organization does this application instance belong to? The value must be the name of an org
# defined under "organizations"
organization: org1
# Some SDKs support pluggable KV stores, the properties under "credentialStore"
# are implementation specific
credentialStore:
# [Optional]. Specific to FileKeyValueStore.js or similar implementations in other SDKs. Can be others
# if using an alternative impl. For instance, CouchDBKeyValueStore.js would require an object
# here for properties like url, db name, etc.
path: "/tmp/hfc-kvs"
# [Optional]. Specific to the CryptoSuite implementation. Software-based implementations like
# CryptoSuite_ECDSA_AES.js in node SDK requires a key store. PKCS#11 based implementations does
# not.
cryptoStore:
# Specific to the underlying KeyValueStore that backs the crypto key store.
path: "/tmp/hfc-cvs"
# [Optional]. Specific to Composer environment
wallet: wallet-name
#
# [Optional]. But most apps would have this section so that channel objects can be constructed
# based on the content below. If an app is creating channels, then it likely will not need this
# section.
#
channels:
# name of the channel
canal:
# Required. list of orderers designated by the application to use for transactions on this
# channel. This list can be a result of access control ("org1" can only access "ordererA"), or
# operational decisions to share loads from applications among the orderers. The values must
# be "names" of orgs defined under "organizations/peers"
orderers:
- orderer.example.com
# Required. list of peers from participating orgs
peers:
peer0.org1.com:
endorsingPeer: true
chaincodeQuery: true
ledgerQuery: true
eventSource: true
# [Optional]. what chaincodes are expected to exist on this channel? The application can use
# this information to validate that the target peers are in the expected state by comparing
# this list with the query results of getInstalledChaincodes() and getInstantiatedChaincodes()
chaincodes:
# the format follows the "cannonical name" of chaincodes by fabric code
- blockflow-app:v0.1
#
# list of participating organizations in this network
#
organizations:
org1:
mspid: org1
peers:
- peer0.org1.com
# [Optional]. Certificate Authorities issue certificates for identification purposes in a Fabric based
# network. Typically certificates provisioning is done in a separate process outside of the
# runtime network. Fabric-CA is a special certificate authority that provides a REST APIs for
# dynamic certificate management (enroll, revoke, re-enroll). The following section is only for
# Fabric-CA servers.
certificateAuthorities:
- ca-org1
# [Optional]. If the application is going to make requests that are reserved to organization
# administrators, including creating/updating channels, installing/instantiating chaincodes, it
# must have access to the admin identity represented by the private key and signing certificate.
# Both properties can be the PEM string or local path to the PEM file. Note that this is mainly for
# convenience in development mode, production systems should not expose sensitive information
# this way. The SDK should allow applications to set the org admin identity via APIs, and only use
# this route as an alternative when it exists.
adminPrivateKey:
path: ./crypto-config/peerOrganizations/org1.com/users/Admin#org1.com/msp/keystore/priv_sk
signedCert:
path: ./crypto-config/peerOrganizations/org1.com/users/Admin#org1.com/msp/signcerts/Admin#org1.com-cert.pem
#
# List of orderers to send transaction and channel create/update requests to. For the time
# being only one orderer is needed. If more than one is defined, which one get used by the
# SDK is implementation specific. Consult each SDK's documentation for its handling of orderers.
#
orderers:
orderer.example.com:
url: grpc://localhost:7050
# these are standard properties defined by the gRPC library
# they will be passed in as-is to gRPC client constructor
grpcOptions:
ssl-target-name-override: orderer.example.com
# sslProvider: openSSL
# negotiationType: TLS
# hostnameOverride: orderer.example.com
# grpc-max-send-message-length: -1
# grpc.keepalive_time_ms: 360000
# grpc.keepalive_timeout_ms: 180000
# grpc.keepalive_without_calls: true
peers:
peer0.org1.com:
url: grpc://localhost:7082
grpcOptions:
grpc.http2.keepalive_time: 15
# ssl-target-name-override: peer0.org1.com
# negotiationType: TLS
# sslProvider: openSSL
# hostnameOverride: peer1.org1.com
tlsCACerts:
path: ./crypto-config/peerOrganizations/org1.com/peers/peer0.org1.com/tls/server.crt
#
# Fabric-CA is a special kind of Certificate Authority provided by Hyperledger Fabric which allows
# certificate management to be done via REST APIs. Application may choose to use a standard
# Certificate Authority instead of Fabric-CA, in which case this section would not be specified.
#
certificateAuthorities:
ca-org1:
url: http://localhost:9054
# the properties specified under this object are passed to the 'http' client verbatim when
# making the request to the Fabric-CA server
httpOptions:
verify: true
tlsCACerts:
path: ./crypto-config/peerOrganizations/org1.com/ca/ca.org1.com-cert.pem
# Fabric-CA supports dynamic user enrollment via REST APIs. A "root" user, a.k.a registrar, is
# needed to enroll and invoke new users.
registrar: # as an array.
- enrollId: admin
enrollSecret: adminpw
# [Optional] The optional name of the CA.
## caName: ca0 no ca name!

The issue could be the TLS field is missing in the docker-compose file of the CLI service. Add the following field if you are using CLI for installing and invoking the chaincode.
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org.com/peers/peer0.com/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org.com/peers/peer0.com/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org.com/peers/peer0.com/tls/ca.crt

../bin/peer channel create -o localhost:7050 -c $CHANNEL_NAME --ordererTLSHostnameOverride orderer.example.com -f ./channel-artifacts/${CHANNEL_NAME}.tx --outputBlock $BLOCKFILE --tls --cafile $ORDERER_CA >&log.txt
Make sure $BLOCKFILE variable is set to
BLOCKFILE="/channel-artifacts/${CHANNEL_NAME}.block"
And also check you have ./channel-artifacts/${CHANNEL_NAME}.tx channel configuration file, if not you need to generate that using the below command before you create channel. You can read more about configaration transaction generator here
../bin/configtxgen -profile canal -outputCreateChannelTx ./channel-artifacts/${CHANNEL_NAME}.tx -channelID $CHANNEL_NAME

hyperledger fabric, can`t start orderer via docker

I could not start fabric-orderer via docker .
the docker-compose file
// code placeholder
networks:
fabric-ca:
external:
name: fabric-ca
services:
orderer1-org0:
container_name: orderer1-org0
image: hyperledger/fabric-orderer:2.2.1
environment:
- ORDERER_HOST=orderer1-org0
- ORDERER_GENERAL_PROFILE_ENABLED=false
- ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
- ORDERER_GENERAL_LISTENPORT=7050
- ORDERER_GENERAL_GENESISMETHOD=file
- ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/orderer/orderer.genesis.block
- ORDERER_GENERAL_LOCALMSPID=org0MSP
- ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/org0/orderer/msp
- ORDERER_GENERAL_TLS_ENABLED=true
- ORDERER_GENERAL_TLS_PRIVATEKEY=/etc/hyperledger/org0/orderer/tls-msp/keystore/key.pem
- ORDERER_GENERAL_TLS_CERTIFICATE=/etc/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
- ORDERER_GENERAL_TLS_ROOTCAS=[/etc/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]
- ORDERER_KAFKA_TOPIC_REPLICATIONFACTOR=1
- ORDERER_KAFKA_VERBOSE=true
- ORDERER_GENERAL_CLUSTER_CLIENTCERTIFICATE=/etc/hyperledger/org0/orderer/tls-msp/signcerts/cert.pem
- ORDERER_GENERAL_CLUSTER_CLIENTPRIVATEKEY=/etc/hyperledger/org0/orderer/tls-msp/keystore/key.pem
- ORDERER_GENERAL_CLUSTER_ROOTCAS=[/etc/hyperledger/org0/orderer/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem]
- ORDERER_GENERAL_LOGLEVEL=debug
- ORDERER_DEBUG_BROADCASTTRACEDIR=data/logs
working_dir: /opt/gopath/src/github.com/hyperledger/fabric
command: orderer
volumes:
- /opt/hyperledger/org0/orderer:/etc/hyperledger/org0/orderer/
- /opt/hyperledger/configtx/system-genesis-block/genesis.block:/etc/hyperledger/orderer/orderer.genesis.block
networks:
- fabric-ca
when I use it to start docker. the error code is.
failed to parse config: Error reading configuration: Unsupported Config Type ""
but when I add this line to the environment.
- FABRIC_CFG_PATH=/etc/hyperledger/org0/orderer
and add a orderer.yaml to the /opt/hyperledger/org0/orderer floder, the error code is
* '' has invalid keys: admin
and when I remove the
Admin:
# host and port for the admin server
ListenAddress: 127.0.0.1:9443 # TLS configuration for the admin endpoint
TLS:
# TLS enabled
Enabled: false # Certificate is the location of the PEM encoded TLS certificate
Certificate: # PrivateKey points to the location of the PEM-encoded key
PrivateKey: # Most admin service endpoints require client authentication when TLS
# is enabled. ClientAuthRequired requires client certificate authentication
# at the TLS layer to access all resources.
#
# NOTE: When TLS is enabled, the admin endpoint requires mutual TLS. The
# orderer will panic on startup if this value is set to false.
ClientAuthRequired: true # Paths to PEM encoded ca certificates to trust for client authentication
ClientRootCAs: []
block from orderer.yaml
the error code is
panic: Failed validating bootstrap block: initializing channelconfig failed: could not create channel Consortiums sub-group config: setting up the MSP manager failed: administrators must be declared when no admin ou classification is set
so, is there a right way to start a fabric-orderer docker ?
Thanks a lot.

[YOUR SECOND ERROR]
Admin is an invalid config value.
It needs to be changed to General. Please refer to the link below
sampleconfig/orderer.yaml
[YOUR FIRST ERROR]
Try adding FABRIC_CFG_PATH parameter in docker-compose.yaml
FABRIC_CFG_PATH is the directory path where the orderer.yaml file exists.
~~~
orderer1-org0:
container_name: orderer1-org0
image: hyperledger/fabric-orderer:2.2.1
environment:
- FABRIC_CFG_PATH=/etc/hyperledger/org0/orderer/
~~~
Additionally, check the GENERAL_GENESISFILE value in orderer.yaml.
When you see the configuration you have written, it should be written as below in orderer.yaml.
~~~
GenesisFile: /etc/hyperledger/orderer/orderer.genesis.block
~~~

Error when installing channel: "Error: got unexpected status: BAD_REQUEST -- Unknown consortium name: SampleConsortium"

When I try to install a channel it gives me the following error:
Error: got unexpected status: BAD_REQUEST -- Unknown consortium name: SampleConsortium
On the orderer I get the following WARN:
Rejecting broadcast of config message from 172.18.0.3:57490 because of error:Unknown consortium name: SampleConsortium
I am not referencing sample consortium In any way, I cant find it In any of the generated channel artifacts and on the logs of, peer, orderer, and cli does not appear any other feedback.
I am using version 1.4
I will be happy to share more info.
EDIT1:
I see something weird when using the command create on the cli I get the following feedback:
[common.tools.configtxgen.localconfig] Load -> INFO 002 Loaded configuration: /etc/hyperledger/fabric/configtx.yaml
And when seeing that config Is a default template of the configtx file. Why is it doing this?

The consortium is defined in the file called configtx.yaml (specifically in the Profile section) , this is the file is used to create orderer genesis block and is embedded in docker-compose yaml file in orderer config section.
When you do docker-compose up this block is hardcoded into the orderer along with a system channel called testchainid. To verify the same, look up the docker logs by docker logs -f <orderer.example.com or whatever the url is>.
Looks like you have misconfigured configtx file, refer this file for better reference.
Specifically, You probably wrote something like
Profiles:
mychannel:
Consortium: SampleConsortium
Application:
...
And missed defining the SampleConsortium in the genesis profile like
Profile:
TwoOrgGenesis:
Consortiums:
SampleConsortium:
Organizations:
- <<: *org1
Policies:
....
After making required modifications in the configtx file, recreate the artifacts including genesis.block, channel.tx, anchors.tx before restarting the network.

After changing name & domain of orderer & peers user is not getting enrolled in hyperledger fabric

i am new to hyperledger & trying to modify existing balance transfer example in fabric sample. Here change i am doing is changing the name & domain of orderer & peers in cryptogen.yaml file. Also made changes accordingly in configtx.yaml & docker-compose.yaml files. Here is the change in cryptogen.yaml file :
OrdererOrgs:
- Name: Orderer
Domain: say.com
Specs:
- Hostname: orderer
PeerOrgs:
- Name: Customer1
Domain: customer1.say.com
CA:
Hostname: ca
Template:
Count: 2
SANS:
- "localhost"
Users:
Count: 1
- Name: Customer2
Domain: customer2.say.com
CA:
Hostname: ca
Template:
Count: 2
SANS:
- "localhost"
Users:
Count: 1
Here is configtx.yaml file :
Profiles:
TwoOrgsOrdererGenesis:
Orderer:
<<: *OrdererDefaults
Organizations:
- *OrdererOrg
Consortiums:
SampleConsortium:
Organizations:
- *Customer1
- *Customer2
TwoOrgsChannel:
Consortium: SampleConsortium
Application:
<<: *ApplicationDefaults
Organizations:
- *Customer1
- *Customer2
Organizations:
- &OrdererOrg
Name: OrdererMSP
ID: OrdererMSP
MSPDir: crypto-config/ordererOrganizations/say.com/msp
- &Customer1
Name: Customer1MSP
ID: Customer1MSP
MSPDir: crypto-config/peerOrganizations/customer1.say.com/msp
AnchorPeers:
- Host: peer0.customer1.say.com
Port: 7051
- &Customer2
Name: Customer2MSP
ID: Customer2MSP
MSPDir: crypto-config/peerOrganizations/customer2.say.com/msp
AnchorPeers:
- Host: peer0.customer2.say.com
Port: 7051
Orderer: &OrdererDefaults
OrdererType: solo
Addresses:
- orderer.say.com:7050
BatchTimeout: 2s
BatchSize:
MaxMessageCount: 10
AbsoluteMaxBytes: 98 MB
PreferredMaxBytes: 512 KB
Kafka:
Brokers:
- 127.0.0.1:9092
Organizations:
Application: &ApplicationDefaults
Organizations:
I am able to generate crypto materials using cryptogen tool & container is getting up. Using docker ps i can see all the containers. At the time of enrolling user getting following error :
[DEBUG] Helper - [FileKeyValueStore.js]: FileKeyValueStore.js -
constructor [ERROR] Helper - Failed to get registered user: Jim,
error: TypeError: Cannot read property 'setStateStore' of undefined
at hfc.newDefaultKeyValueStore.then (/home/ubuntu/fabric-samples/balance-transfer/app/helper.js:208:9)
Please let me know what is the reason i am getting this issue.

according to app/helper.js file (line number 38),
which is if (key.indexOf('org') === 0) {
the org name must begin with 'org' keyword.
for example, org name can be orgDemo but can not be Demo

I don't know balance transfer, but most of the examples mount local directories for the docker containers in the docker configs to point to the crypto on the local file system. You'll need to either modify those to point to your new crypto paths or copy your new crypto into the existing dirs.
Additionally, the genesis block and channel creation must be created with the same organizations and crypto. I don't know if balance transfer will recreate the genesis block and channel to match or not. There's also often a couple peer and domain names specified in the docker definitions that need to match those in the configtx.yaml.
Users must be registered with the CA before they can enroll. Even if all the above is correct you may still need to register Jim manually if the scripts don't do that for you.
Either Jim is not registered, or you're not pointing to the correct CA container names or crypto paths, or the genesis block is still using the original Org names and crypto paths, etc. You can use
configtxgen -inspectBlock genesisblockfilename and
configtxgen -inspectChannelCreateTx channelfilename to see what Orgs are included.

What steps are necessary to add a new peer to an organization of hyperledger fabric?

I’m learning to build a network with Hyperlegder Fabric because I have developed a network with Hyperledger Composer and the next step is to build the production network. I have started to build the first-network sample and works. I have added Org3 with 2 peers to sample and it works.
And now I want to add more peers, for example peer2.org1.example.com so I have edited files in order to create the peer2 and it is created, but when the script.sh tries to join to channel, it launches an error:
Error: Error getting endorser client channel: PER:404 - Error trying to connect to local peer
Caused by: x509: certificate is valid for peer1.org1.example.com, peer1, not peer2.org1.example.com
So, What have I done incorrectly? Thank you

When you adding a new peer to the network you need to make sure to properly setup all related crypto material underlined for that new peer. First of all make sure to add information about new peer into crypto-config.yaml file and to use cryptogen tool to generate keys and certificates for new peer. Next you need to setup configuration before starting the peer to point to the relevant crypto material for example configuration for peer0 of org2:
peer0.org2.example.com:
container_name: peer0.org2.example.com
extends:
file: peer-base.yaml
service: peer-base
environment:
- CORE_PEER_ID=peer0.org2.example.com
- CORE_PEER_ADDRESS=peer0.org2.example.com:7051
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org2.example.com:7051
- CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org2.example.com:7051
where it's inherited from base/peer-base.yaml file:
services:
peer-base:
image: hyperledger/fabric-peer
environment:
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
# the following setting starts chaincode containers on the same
# bridge network as the peers
# https://docs.docker.com/compose/networking/
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_byfn
#- CORE_LOGGING_LEVEL=ERROR
- CORE_LOGGING_LEVEL=DEBUG
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_GOSSIP_USELEADERELECTION=true
- CORE_PEER_GOSSIP_ORGLEADER=false
- CORE_PEER_PROFILE_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
command: peer node start
- CORE_PEER_LOCALMSPID=Org2MSP
volumes:
- /var/run/:/host/var/run/
- ../crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/msp:/etc/hyperledger/fabric/msp
- ../crypto-config/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls:/etc/hyperledger/fabric/tls
ports:
- 9051:7051
- 9053:7053
to wrap it up, you need to make sure to config proper MSP ID and path to tls certificates. In your case your new peer simply tries to reuse crypto material of another peer.

You can achieve this by generating the crypto material (using cryptogen extends) for the new peer, spawning the new peer and made that peer to join the existing channel on the network to sync-up.
You can find the complete guide at
Extending Hyperledger Fabric Network: Adding a new peer