I am getting below error when I network up. I have not changed anything in the first network code.
Error creating channelconfig bundle: initializing channelconfig
failed: could not create channel Consortiums sub-group config: setting
up the MSP manager failed: admin 0 is invalid: The identity is not
valid under this MSP [Org1MSP]: could not validate identity's OUs:
none of the identity's organizational units [[0xc420418960]] are in
MSP Org1MSP orderer.example.com | panic: Error creating
channelconfig bundle: initializing channelconfig failed: could not
create channel Consortiums sub-group config: setting up the MSP
manager failed: admin 0 is invalid: The identity is not valid under
this MSP [Org1MSP]: could not validate identity's OUs: none of the
identity's organizational units [[0xc420418960]] are in MSP Org1MSP
I think the answer to the question is that you use --id.type client while registering admin with CA, and if it doesnt work just put the config.yml file in the msp of every organisation with the contenet similar to
NodeOUs:
Enable: true
ClientOUIdentifier:
Certificate: cacerts/org2-ca-cert.pem
OrganizationalUnitIdentifier: client
PeerOUIdentifier:
Certificate: cacerts/org2-ca-cert.pem
OrganizationalUnitIdentifier: peer
i haven't tried id.type admin it might also work!
Related
Help me please! I generate need tls certificate and keys. Then I modify configtx.yaml file and create genesis block successfully. Then I modify orderer.yaml and start orderer successfully. I try to execute this command:
./bin/osnadmin channel join --channelID channel1 --config-block ./channel-artifacts/genesis_block.pb -o localhost:9443 --ca-file $OSN_TLS_CA_ROOT_CERT --client-cert $ADMIN_TLS_SIGN_CERT --client-key $ADMIN_TLS_PRIVATE_KEY
But every time I receive this error:
Status: 400
{
"error": "cannot join: failed to determine cluster membership from join-block: failed to validate config metadata of ordering config: consenter localhost:9443 has invalid certificate: verifying tls client cert with serial number {serial number}: x509: certificate signed by unknown authority"
}
I'm trying Fabric v2.2 and keeps failed to join a peer to channel because of some policies problem (I guess). To get MSPs of orderers and peers, I used CAs of an orderer organization and a peer organization (there is one peer organization).
fabric-ca-client register -d --id.name ${PEERS[$i]} --id.secret ${PEER_ADMIN_PWS[$i]} --id.type peer -u https://$CA_NODE:7054
…
fabric-ca-client register -d --id.name $ORG_ADMIN_ID --id.secret $ORG_ADMIN_PW --id.type admin -u https://$CA_NODE:7054
….
fabric-ca-client register -d --id.name ${ORDERERS[$i]} --id.secret ${ORDERER_ADMIN_PWS[$i]} --id.type orderer -u https://$CA_NODE:7054
…
fabric-ca-client enroll -d -u https://${NODES[$i]}:${NODE_ADMIN_PWS[$i]}#$CA_NODE:7054
I think MSPs were okay because the network was up well.
Then, I launched a CLI container and create a channel called identitych. I think it worked well because I checked the identitych directory had been created under chains directory of all orderers.
After that, when I proposed to join a peer to a channel with the following command, the orderer could not deliver a block to a peer because of the permission denied and a peer could not retrieve a block from the orderer because of FORBIDDEN problem.
peer channel join -b /channel-artifacts/identitych.block
My configtx.yaml file looks like:
Organizations:
- &BPLOrdererOrg
Name: BPLOrdererMSP
ID: BPLOrdererMSP
MSPDir: ./orderers/org-msp
Policies:
Readers:
Type: Signature
Rule: "OR('BPLOrdererMSP.member')"
Writers:
Type: Signature
Rule: "OR('BPLOrdererMSP.member')"
Admins:
Type: Signature
Rule: "OR('BPLOrdererMSP.admin')"
OrdererEndpoints:
- orderer0.common.bpl:7050
- &BPLOrg
Name: BPLMSP
ID: BPLMSP
MSPDir: ./peers/org-msp
Policies:
Readers:
Type: Signature
Rule: "OR('BPLMSP.admin', 'BPLMSP.peer', 'BPLMSP.client')"
Writers:
Type: Signature
Rule: "OR('BPLMSP.admin', 'BPLMSP.client')"
Admins:
Type: Signature
Rule: "OR('BPLMSP.admin')"
Endorsement:
Type: Signature
Rule: "OR('BPLMSP.peer')"
NodeOUs is enabled by placing config.yaml on msp directory of each orderer and peer.
# config.yaml
NodeOUs:
Enable: true
ClientOUIdentifier:
Certificate: "cacerts/cacert.pem"
OrganizationalUnitIdentifier: "client"
AdminOUIdentifier:
Certificate: "cacerts/cacert.pem"
OrganizationalUnitIdentifier: "admin"
PeerOUIdentifier:
Certificate: "cacerts/cacert.pem"
OrganizationalUnitIdentifier: "peer"
OrdererOUIdentifier:
Certificate: "cacerts/cacert.pem"
OrganizationalUnitIdentifier: "orderer"
Repeatedly, the orderer prints the following warning:
2020-08-20 11:35:08.041 UTC [comm.grpc.server] 1 -> INFO 0c3 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=172.24.0.11:42642 grpc.code=OK grpc.call_duration=792.5µs
2020-08-20 11:35:15.176 UTC [common.deliver] deliverBlocks -> WARN 0c4 [channel: identitych] Client 172.24.0.8:60236 is not authorized: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
At the same time, a peer repeatedly prints the following warning too:
2020-08-20 11:34:28.604 UTC [peer.blocksprovider] DeliverBlocks -> WARN 02b Got error while attempting to receive blocks: received bad status FORBIDDEN from orderer channel=identitych orderer-address=orderer0.common.bpl:7050
2020-08-20 11:34:28.604 UTC [peer.blocksprovider] func1 -> WARN 02c Encountered an error reading from deliver stream: EOF channel=identitych orderer-address=orderer0.common.bpl:7050
I found a similar question and answer (link) and I'm curious about the following quote:
Check for the Reader policies that you have defined in your configtx.yaml this error is generated because of the policy mismatch. You have defined some specific user type(admin, peer, client) in your Reader policies but this specific user type is not passed into certificates that you have generated for your peer.
I agree with that my problem is because of the policy mismatch, but I don't understand the following mention:
but this specific user type is not passed into certificates that you have generated for your peer.
How can I solve my issue? Thanks, in advance.
It looks like you've not enabled NodeOUs for the MSP definitions included in the channel configuration.
NodeOUs is enabled by placing config.yaml on msp directory of each orderer and peer.
This will enable NodeOU support in the 'local MSP' of the peer and orderer, but for channel operations, like invoking the Deliver API, it is the channel MSP definition which is utilized.
Make sure that you have placed your config.yaml in the MSP directory referenced by your configtx.yaml (for instance, in your case under ./peers/org-msp) before generating your genesis block for the orderer system channel.
Additional notes:
You can confirm that it is NodeOU related by changing the Readers policy in your configtx.yaml to refer to member for your peer org, like you have for the orderer org. If things work with the member policy, then this is definitely NodeOU related.
You could also turn up debugging for the policy evaluation by setting FABRIC_LOGGING_SPEC=info:cauthdsl=debug:policies=debug:msp=debug. This is generally too verbose for normal operation, but will give you a more clear audit trail of exactly what's causing the failure.
AFAIK, hyperledger fabric 1.4.4 allow "NodeOUs" by creating a config.yaml file inside of a msp directory.
I am trying to join the network with local peer msp. But the network always return below error.
Error: proposal failed (err: bad proposal response 500: access denied for [JoinChain][myorg]: [Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [The identity is not an admin under this MSP [MYORG]: The identity does not contain OU [ADMIN], MSP: [MYORG]]])
Also the structure of my peer's local msp directory have
msp
`- admincerts
`- cacerts
`- ca-cert.pem
`- signcerts
`- signcert.pem
`- keystore
`- secret
`- config.yaml
The contents of msp/config.yaml is like below.
NodeOUs:
Enable: true
ClientOUIdentifier:
Certificate: cacerts/ca-cert.pem
OrganizationalUnitIdentifier: client
PeerOUIdentifier:
Certificate: cacerts/ca-cert.pem
OrganizationalUnitIdentifier: peer
AdminOUIdentifier:
Certificate: cacerts/ca-cert.pem
OrganizationalUnitIdentifier: admin
OrdererOUIdentifier:
Certificate: cacerts/ca-cert.pem
OrganizationalUnitIdentifier: orderer
My guess is NodeOUs is worked because there is no problem booting up the peer without admincerts. So I think I need to configure channel join policies but I cannot find out any policy references.
Check for organization policies in your configtx.yaml which would be quite similar to this:
1. For orderer:
Readers:
Type: Signature
Rule: "OR('ordererMSP.member')"
Writers:
Type: Signature
Rule: "OR('ordererMSP.member')"
Admins:
Type: Signature
Rule: "OR('ordererMSP.member')"
2. For MYORG:
Readers:
Type: Signature
Rule: "OR('MYORGMsp.admin', 'MYORGMsp.peer', 'MYORGMsp.client')"
Writers:
Type: Signature
Rule: "OR('MYORGMsp.admin', 'MYORGMsp.client')"
Admins:
Type: Signature
Rule: "OR('MYORGMsp.admin','MYORGMsp.client')"
Now because the policies for orderer are generic so the genesis block creation works well. But the problem starts while peers try to join channel as the policies for the peer orgs are specific to user types which are either admin, peer or client.
So to resolve this you have to pass OU as either admin, peer, client or orderer to your certificates while enrolling them with Fabric-CA. Then only the certificate will be valid for doing particular operations using those certificates. Here is an example for generating admin certificate:
fabric-ca-client enroll --caname ca.example.com --csr.names C=SG,ST=Singapore,L=Singapore,O=$ORG_NAME,OU=admin -m admin -u http://admin:adminpw#localhost:$PORT
Check that the configtx.yaml you used has (at least):
Capabilities:
Channel: &ChannelCapabilities
V1_4_3: true
V1_1: true
In the client that you are using to join the peer, run (check the certificate path):
openssl x509 -text -noout -in $CORE_PEER_MSPCONFIGPATH/signcerts/signcert.pem
Check that OU includes admin.
You can also check that the certificate is signed by myorg's CA:
openssl verify -CAfile path-to-myorg-msp-as-specified-in-configtx-yaml/cacerts/ca-cert.pem $CORE_PEER_MSPCONFIGPATH/signcerts/signcert.pem
More information here: https://hyperledger-fabric.readthedocs.io/en/release-1.4/msp.html#identity-classification
I'm getting this error when i am trying to create a channel by running .
peer channel create -o orderer.aj.io:7050 -c channel1 -f /config/channel1.tx
Here are my logs ------------
2019-10-21 05:50:13.950 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: got unexpected status: FORBIDDEN -- implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied
What this error means is that the user you are using to create the channel does not have 'Write' permissions, in other words is not an Admin.
In most cases this happens when you use the peers cryptographic material to create the channel instead of the Admins (check where the CORE_PEER_MSPCONFIGPATH environment variable points).
As another user mentioned in another post: there is a new feature in 1.4.3 which allows you to specify an OU for admin rather than explicitly putting certificates in the admincerts folder.
In your crypto-config, you set EnableNodeOUs: true and this automatically enables OUs for all supported roles.
You'll see something like
NodeOUs:
Enable: true
ClientOUIdentifier:
Certificate: cacerts/ca.sampleorg-cert.pem
OrganizationalUnitIdentifier: client
PeerOUIdentifier:
Certificate: cacerts/ca.sampleorg-cert.pem
OrganizationalUnitIdentifier: peer
AdminOUIdentifier:
Certificate: cacerts/ca.sampleorg-cert.pem
OrganizationalUnitIdentifier: admin
OrdererOUIdentifier:
Certificate: cacerts/ca.sampleorg-cert.pem
OrganizationalUnitIdentifier: orderer
in the msp/config.yaml file ( in your case in crypto-config/peerorganisation/org1.example.com/msp/crypto.yaml).
Note the AdminOUIdentifier field. This means that any cert issued by the CA for your org which contains an OU=admin is now considered an admin. The certificate generated for the admin user under your org MSP is also generated with OU=admin (e.g. Subject: C=US, ST=California, L=San Francisco, OU=admin, CN=Admin#sampleorg ).
Another reason could be that in your configtx.yaml you haven't set properly your policies for each section(that was my problem).
Check the configtx.yaml file from the first-network sample and try to set them accordingly
I'm trying to setup Idemix based on the following documentation that I found:
https://hyperledger-fabric.readthedocs.io/en/release-1.4/idemix.html
https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#getting-idemix-cri-certificate-revocation-information
https://hyperledger-fabric.readthedocs.io/en/release-1.4/idemixgen.html
But when invoking a transaction, i received the error below:
$ docker exec -e "CORE_PEER_LOCALMSPTYPE=idemix" -e "CORE_PEER_LOCALMSPID=Org1IdemixMSP" -e "CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/User1#org1.example.com" cli peer chaincode query -C channel1 -n chaincode1 -c '{"Args":["query","a"]}'
Error: error getting default signer: error obtaining the default signing identity: no default signer setup
Steps that I took:
Register a user User1#org1.example.com to fabric CA fabric-ca-client register --id.name User1#org1.example.com --id.secret mysecret --id.type client --id.affiliation org1 --id.attrs role=2 -u http://localhost:7054
Enroll the user and created an idemix identity fabric-ca-client enroll --enrollment.type idemix -u http://User1#org1.example.com:mysecret#localhost:7054
Rename $USER1_DIR/msp/IssuerRevocationPublicKey to $USER1_DIR/msp/RevocationPublicKey. During transaction invocation, the name RevocationPublicKey is expected, not IssuerRevocationPublicKey
Prepare the idemix msp. I copied IssuerPublicKey and IssuerRevocationPublicKey of the CA to the msp folder. I need to rename IssuerRevocationPublicKey to RevocationPublicKey else configtxgen will complain
In configtx.yaml, add an Idemix MSP
- &Org1Idemix
Name: Org1IdemixMSP
# ID to load the MSP definition as
ID: Org1IdemixMSP
msptype: idemix
MSPDir: crypto-config/peerOrganizations/org1idemix.example.com/
Policies: &Org1IdemixMSPPolicies
Readers:
Type: Signature
Rule: "OR('Org1IdemixMSP.member')"
Writers:
Type: Signature
Rule: "OR('Org1IdemixMSP.member')"
Admins:
Type: Signature
Rule: "OR('Org1IdemixMSP.admin')"
Create genesis block, channel block, start network etc2 (as usual)
Try to query transaction and the aforementioned error appears
I did some troubleshooting and based on idemixgen documentation, I found out that I need to put a default signer into the idemix msp i.e. in the user folder. So I placed User1#org1.example.com's SignerConfig file into the user folder and rerun configtxgen. I received the following error:
Error loading MSP configuration for org: Org1IdemixMSP: unexpected EOF
Next I did some comparing with the SignerConfig generated by idemixgen and SignerConfig of User1#org1.example.com. The one generated by idemixgen cannot be opened while the other one is a .json file (shown below), so the format is different. Running configtxgen Using the SignerConfig generated by idemixgen is successful. I want to try to invoke transactions by identities generated by idemixgen but there is no way to generate an identity except for the default signer.
{
"Cred": "CkQKIK/7Slvg7laNMv8n7urCKpRN4gTZJZ7xQUyqPQ0GskWFEiCq/aRBmXlQAnSeJLXViGEHLRoztSCoHU6PDXaft+STexJECiB1dosl0QwT5dR/iNwfj0UvWZLph5U6fTMUVjYXE3W/UhIg6U+q6S9xMZhL7SHYe/v//Vhsw7X7N+93Ha4qQiWu0OIaIKcFZamTWwD5VQppZDEdxv5nr4DZAOn/S0r3gchLFG66IiD7kc8IZFRji8ub7yS5ueK8ZcLm5o+WR9a7wAx7o6fKQCogieDBP6ZS9S2R/JDVaLcAcNbtGlnF2fRS37GyoZmxko4qIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACKiArm8Pnrt+hrBAk1PD9trARpE6XVbdfXN+27uSe9r8uxCogAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE=",
"Sk": "LwrgRX48aewbqKWrvNjo5VFfNSDIJAvdaR4brzOsnWM=",
"organizational_unit_identifier": "org1",
"enrollment_id": "User1#org1.example.com",
"credential_revocation_information": "CAESiAEKIP4MM1C0yWwgKFYPV3wokTrOHFOaEr+EPNImFraJwJ77EiBOpmBXc4rAVNta4cY32BO5JN144ofQNYnSae00o35qKxogcCBG58VCo7N2dw11Ek4+Ue/LJHWNYVhI6Qm0gb7cJ/8iIAVU47zTiMKQQu6mSSl+sp+LTL6AghqYs+ASgRFKrQSbGmgwZgIxAJRyRpR+k3SaAVRm4GM3l+zBU6V/7g73C9RQIU9kPef9XqVl0Gb+hQqrgd1HsTQ5GgIxANb6XNB+CrrQgwbt6msa0SG+aQKpSl48EeP/V7beUkshNubudBS+WjS+PRbf5aW0Nw=="
}
Repo here: https://github.com/aldredb/idemix-sample
I went deep with the code...
if you interested, you can find the GetIdemixMspConfig function in msp/configbuilder.go at fabric 1.4 release branch.
in this function, we can see it will attempt loading a signconf with proto type.
However, we enroll the msp with ca client cli and which returns us a json...
I searched some topic as Unable to unmarshal json to protobuf struct field
In my point of view, that proto Unmarshal will fail with json format.