MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority - hyperledger-fabric

I have created two nodes. Node1 has Peer0.org1, the CA and the Orderer service, and Node2 has Peer0.org2 and Peer0.org3.
I can invoke and execute a query using fabric-client from peer0.org1, but when I try the same from peer0.org2 and peer0.org3 it does not work through the API and throws the error MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority. However, it works from the CLI.
Can anyone help me resolve this?

Please check the endorsement policy on the chaincode. Most of the time this error occurs because your org2 and org3 are not part of the endorsement policy.

Related

Certificate signed by unknown authority Hyperledger Fabric

I'm trying to create a channel for my Hyperledger Fabric network, but I've been stuck for over two weeks with this error:
[policies] SignatureSetToValidIdentities -> WARN 00d invalid identity: certificate subject=CN=Admin#productionlaborg.supplychain.com,OU=admin,L=San Francisco,ST=California,C=US serialnumber=332150209750411695579251324251304242011 error="the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.productionlaborg.supplychain.com")"
I know that I exported the correct path of the "MSP folder" of the admin "Admin#productionlaborg" who created the channel.
Please, I need help.

How to update a (renewed) org's admin certificate in the channel config (which holds the org's expired admin certificate) - hyperledger fabric

I created a test network which has 2 orgs (each with one peer) and 1 orderer in Kubernetes using BAF. The orgs are joined to a channel called testchannel. The orderer MSP, peer MSP and TLS certs expired within 1 day. Before they expired, I renewed all the certs using the dcm tool and kept them locally. First I updated the orderer TLS cert in the system channel and in the application channel from the orderer CLI, by fetching the channel config, decoding it, updating the renewed orderer TLS certs under consenters, encoding it and updating the channel config using the peer channel update command. I received a "successfully submitted" message.
Later I replaced the orderer MSP, peer MSP and TLS certs in the vault and restarted all the services. When I checked the orderer logs, they didn't show any expiry error.
Now my network's previous certificates have expired and it is using the renewed certs. I am able to invoke and query transactions.
Now I want to add a new org called org3 to the existing channel (testchannel).
I created a new org (org3). When I tried to join that org to the channel, it failed during peer channel update. It shows the following error:
Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'testchannel': error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 2 of the 'Admins' sub-policies to be satisfied
This error is because of wrong admin certs. Only then did I find that during certificate renewal I updated only the orderer TLS certs. But the channel config also contains each org's admin certs and cacerts. Now the channel config contains expired certs, while the orgs and the vault contain renewed certs.
This is the cause of the above-mentioned error.
Can anyone suggest a way to resolve this? How can we update an org's admin certificate in the channel config when the config holds the expired certificate?
Thanks in advance.

Regarding admin/user identities created for Nodejs Client via Enrollment in Hyperledger Fabric

I have the below queries with regard to client/user identities created by the enrollment process for a Node.js client. When I enroll identities, fabric-ca issues certificates for that particular user. The certificate issued to that client has the below properties.
Certificate Information:
Common Name: admin
Organization Unit: client
Valid From: May 6, 2020
Valid To: May 6, 2021
Issuer: fabric-ca-server, Hyperledger
Now when I try to use the same identity to install and instantiate chaincode or interact with the Fabric runtime via TestAPI, it throws the below error:
2020-05-05 18:35:06.670 UTC [protoutils] ValidateProposalMessage -> WARN 0e4 channel [ichannel]: MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority
I have created crypto certificates for all organizations using the cryptogen tool. These certificates have been issued by the certificate authority defined in the network-config.yaml file.
I suspect that the difference in the certificate issuer is causing the identity issue. Please let me know if my understanding is correct.
If yes, then how can I ensure that these Node.js client certificates are being used by the same certificate authority defined in the network-config.yaml file?
I was able to resolve this issue by updating the Certificate Authorities' environment variables inside the docker-compose file. Earlier they were not being picked up from the /etc/hyperledger/fabric-ca-server-config/ location. I updated the path for the below environment variables of all certificate authorities before regenerating the crypto configurations and restarting the whole network:
FABRIC_CA_SERVER_CA_KEYFILE
FABRIC_CA_SERVER_CA_CERTFILE
Note: TLS configs were disabled inside the network.
This has worked for me.

Failed to initialize local MSP: admin 0 is invalid: could not obtain certification chain

I get this error when I start an orderer.
Failed to initialize local MSP: admin 0 is invalid: could not obtain certification chain: An X509 certificate with Basic Constraint: Certificate Authority equals true cannot be used as an identity
How can I resolve this?
I have the orderer running on a separate node from where I have generated the admin certs.
Possibly this means that the admin certs on the orderer are invalid or don't exist. For me it was expected to be in the following folder: [orderer org]/msp/admincerts/cert.pem, but it was not there.
Ensure that admin certs generated for your orderer are correct, whether they are generated by cryptogen or with fabric-ca.
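The "certificate signed by unknown authority" error in the question at the top of this page and the "could not obtain certification chain ... cannot be used as an identity" error in this post come from the same validation an MSP performs on an identity certificate before accepting it. The Go program below is an added illustration written for this page; it is not code from any of the posts, from Hyperledger Fabric or from fabric-ca. It builds two constructed test CAs with Go's standard crypto/x509 package (the same library that produces the quoted x509 error strings) and runs three identities through the two checks: a certificate carrying the CA basic constraint is refused as an identity, and a certificate that does not chain to the MSP's trusted root yields Go's "certificate signed by unknown authority". The org names, the `makeCert`, `ValidateIdentity` and `Demo` functions and the 24-hour validity are assumptions made for the example; Fabric's own MSP code is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues an ECDSA P-256 certificate with the given subject CN.
// A nil parent yields a self-signed CA (standing in for one MSP's cacerts entry);
// otherwise the certificate is signed by parent. isCA=true on a child reproduces
// the misconfiguration where a CA certificate is placed in admincerts.
func makeCert(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, cn string, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // assumed short validity
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed root
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ValidateIdentity applies the two checks behind the errors quoted on this page:
// a CA certificate may not act as an identity, and the identity must chain to one
// of the MSP's trusted roots. ExtKeyUsageAny is used because an MSP identity is
// not required to carry a particular extended key usage.
func ValidateIdentity(id *x509.Certificate, roots *x509.CertPool) error {
	if id.IsCA {
		return errors.New("an X509 certificate with Basic Constraint: Certificate Authority equals true cannot be used as an identity")
	}
	_, err := id.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err // e.g. "x509: certificate signed by unknown authority"
}

// Demo builds one org's MSP root and checks three identities against it, returning
// each verdict as an error string (an empty string means the identity was accepted).
func Demo() (ownOrg, foreignOrg, caAsIdentity string, err error) {
	orgCA, orgKey, err := makeCert(nil, nil, "ca.org1.example.com", true)
	if err != nil {
		return
	}
	// constructed: a second org's CA that this MSP does not list in its cacerts
	otherCA, otherKey, err := makeCert(nil, nil, "ca.org4.example.com", true)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(orgCA) // only org1's root is trusted by this MSP

	ids := make([]*x509.Certificate, 3)
	for i, spec := range []struct {
		ca   *x509.Certificate
		key  *ecdsa.PrivateKey
		cn   string
		isCA bool
	}{
		{orgCA, orgKey, "Admin@org1.example.com", false},     // chains to the trusted root
		{otherCA, otherKey, "Admin@org4.example.com", false}, // issued by an unknown authority
		{orgCA, orgKey, "ca-cert-placed-in-admincerts", true}, // CA cert misused as an identity
	} {
		if ids[i], _, err = makeCert(spec.ca, spec.key, spec.cn, spec.isCA); err != nil {
			return
		}
	}
	verdict := func(c *x509.Certificate) string {
		if e := ValidateIdentity(c, roots); e != nil {
			return e.Error()
		}
		return ""
	}
	return verdict(ids[0]), verdict(ids[1]), verdict(ids[2]), nil
}

func main() {
	ownOrg, foreignOrg, caAsIdentity, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("own-org admin:       %q\nforeign-org admin:   %q\nCA cert as identity: %q\n", ownOrg, foreignOrg, caAsIdentity)
}
```

Run it with `go run`. The three outcomes correspond to the situations in the posts: an identity enrolled from a fabric-ca whose root is not in the org's MSP, or a cryptogen-generated Org4 whose CA certificate never reached the channel config, behaves like the foreign-org case; a CA certificate copied into admincerts behaves like the third case. The practical check is therefore to confirm that the issuer of the rejected certificate is present in the MSP's cacerts (or intermediatecerts) of the org that is validating it, and that admincerts contains end-entity certificates only.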

Add a new org - certificate signed by unknown authority

I'm trying to add a new org called Org4 to the Fabric network generated by the byfn script. I'm following this tutorial: http://hyperledger-fabric.readthedocs.io/en/latest/channel_update_tutorial.html
But I got an error when I tried to do the "peer channel update":
could not create channel Application sub-group config: setting up the MSP manager failed: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org4.example.com"
I don't know why the certificate is not valid, because I generated it the same way I did (and succeeded) with Org3: using cryptogen, and I changed the config files by replacing 'Org3' with 'Org4'.
First I thought it was because I already had three orgs, but then I created a new network and tried to add Org4. It didn't work, but if I try again to add Org3 it works. So I'm confused about how just changing the name of the org can impact the process.
Best regards
