I used Mac OS.
When I was running the Fabric Java SDK, I met this error: New channel foo error. StatusValue 400. Status BAD_REQUEST. How to fix it?
Checking the docker logs for the orderer will help. To do this, get the container ID of the orderer by running
$ docker ps
Then, check the logs by running
$ docker logs <containerid>
Some potential reasons are:
that the channel name has illegal characters (e.g. channelAllowedChars = "[a-z][a-z0-9.-]*", from https://github.com/hyperledger/fabric/blob/0631ccd2b1e30f56088dd3905a78bfb73a93ed51/common/configtx/manager.go).
The client that's being used to create the channel does not have the proper user context and thus fails certificate validation (needs to be a valid peer organization user with an MSPID to allow the certificate and key to be verified).
I'm following the AWS supply chain workshop. I created an EC2 instance and set up a VPC just like the workshop said. Now I'm connected to the EC2 instance using SSH and I've already downloaded the required packages, set up Docker, and downloaded fabric-ca-client. My problem is configuring the fabric-ca client.
When I run the command fabric-ca-client enroll with the required params/flags, it returns the following error: Error: Failed to create default configuration file: Failed to parse URL 'https://$USER:=9_phK63?#$CA_ENDPOINT': parse https://user:password#ca_endpoint: invalid port ":=9_phK63?" after host
Here's the complete command I'm trying to run: fabric-ca-client enroll -u https://$USER\:$PASSWORD#$CA_ENDPOINT --tls.certfiles ~/managedblockchain-tls-chain.pem -M admin-msp -H $HOME
I'm wondering if the ? in the password is causing the problem. If so, where can I change it?
Workshop link for reference: https://catalog.us-east-1.prod.workshops.aws/workshops/ce1e960e-a811-475f-a221-2afcf57e386a/en-US/02-set-up-a-fabric-client/05-configure-client/06-create-fabric-admin
My name is Forrest and I am a Blockchain Specialist Solutions Architect at AWS. I'd be happy to help you with this.
When using passwords with special characters, these need to be URL-encoded. For example, $ equates to %24. As OP mentioned in comments below, there is a JavaScript method encodeURIComponent() that can serve this function. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent
Please make sure your environment variables are all still correctly set as well:
echo $USER
echo $PASSWORD
echo $CA_ENDPOINT
Your CA endpoint should resolve to something like:
ca.m-XXXXXXXXXXXXX.n-XXXXXXXXXXXXXX.managedblockchain.<AWS_REGION>.amazonaws.com:30002
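As an added example (not part of the original answer or the workshop), the percent-encoding described above can be done in plain POSIX shell before calling fabric-ca-client. The function names urlencode and enroll_url, the sample password and the host ca.example.test are constructed for illustration, and the URL is built in the standard https://user:password@host:port form.

```sh
#!/bin/sh
# Added example: percent-encode credentials before placing them in the
# enrollment URL. All names and sample values below are constructed.

# urlencode STRING
# Emits STRING with every character outside the RFC 3986 "unreserved" set
# (A-Z a-z 0-9 - . _ ~) replaced by %XX. Assumes ASCII input.
# The ( ) body runs in a subshell, so LC_ALL and the loop variables stay local.
urlencode() (
    LC_ALL=C
    s=$1
    out=
    while [ -n "$s" ]; do
        rest=${s#?}          # everything after the first character
        c=${s%"$rest"}       # the first character itself
        case $c in
            [a-zA-Z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;   # "'c" yields the character code
        esac
        s=$rest
    done
    printf '%s' "$out"
)

# enroll_url USER PASSWORD HOST:PORT
# Only the user and password are encoded; the endpoint is passed through.
enroll_url() {
    printf 'https://%s:%s@%s' "$(urlencode "$1")" "$(urlencode "$2")" "$3"
}

# Constructed sample: '?', '#', '@' and '$' are all URL delimiters or
# shell-special, so each must be encoded inside the password.
enroll_url admin 'p@ss?w#rd$1' ca.example.test:30002
echo

# Usage with the variables from the question:
#   fabric-ca-client enroll \
#     -u "$(enroll_url "$USER" "$PASSWORD" "$CA_ENDPOINT")" \
#     --tls.certfiles ~/managedblockchain-tls-chain.pem -M admin-msp -H $HOME
```

Set PASSWORD with single quotes (PASSWORD='...') so the shell does not expand $ or other characters before the value is encoded.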
Background
We have a production Fabric cluster set up, and it has been running for a year. Now most of the certs have expired and the cluster has crashed, including both TLS and identity certs.
I tried to fix it by completely removing the old certs and private keys, then generating and enrolling new identities for peer, peer admin, orderer, orderer admin.
Everything works again, but I cannot instantiate/upgrade chaincode in existing channel because the channel was configured with old admin certs.
Problem
So now it looks like I'm stuck in a deadlock. In order to update the channel config with the new cert, I need to sign the update with the matching old cert, which is already expired and blocked by the orderer.
I found out that we can disable the expired cert check in the orderer using ORDERER_GENERAL_AUTHENTICATION_NOEXPIRATIONCHECKS=true. But now I don't have the old admin private key, so I still cannot update the channel config.
Questions
I already replaced the old private keys with new ones, so there is no way to use the old cert again.
Can I do something to resolve this channel issue?
Suggestions are greatly appreciated.
[!] What I'm suggesting is an idea. I haven't tested it.
[!] It seems to be feasible enough, but side-effect is not considered.
[!] It's just a trick, it's correct that it should never be done.
The conclusion is that the orderer and peer's binary can be artificially manipulated and updated.
For fabric, refer to $GOROOT/src/crypto when building binary.
Build in the fabric repository after artificially modifying all ecdsa verify functions in crypto to return true immediately.
cd $GOROOT/src/crypto
vi ecdsa/ecdsa.go # modify `Verify` function
cd $GOPATH/src/github.com/hyperledger/fabric
make peer
make orderer
Back up the binaries of the currently running docker container, and rerun after planting the newly built binaries in the container.
docker cp <peer_container_name>:/usr/local/bin/peer ./
docker cp $GOPATH/src/github.com/hyperledger/fabric/build/bin/peer <peer_container_name>:/usr/local/bin/peer
docker cp <orderer_container_name>:/usr/local/bin/orderer ./
docker cp $GOPATH/src/github.com/hyperledger/fabric/build/bin/orderer <orderer_container_name>:/usr/local/bin/orderer
docker-compose -f <your_docker_compose_file_path> restart
Now all verify is valid unconditionally. So, update all recent status.
Afterwards, the backed up binary is replanted into the container to solve this problem.
docker cp ./peer <peer_container_name>:/usr/local/bin/peer
docker cp ./orderer <orderer_container_name>:/usr/local/bin/orderer
docker-compose -f <your_docker_compose_file_path> restart
I'm a newbie in the Hyperledger Fabric technology and I'm following this official tutorial to build my first network. I replaced example.com with the domain of my company. After generating certificates I ran the following command to bring up my network:
./byfn.sh up -c ttchannel
I get the following error during channel creation:
Error: got unexpected status: FORBIDDEN -- Failed to reach implicit threshold of 1 sub-policies, required 1 remaining: permission denied
!!!!!!!!!!!!!!! Channel creation failed !!!!!!!!!!!!!!!!
Then I verified from the peers' containers that the peers are already connected with this channel (I don't know why and when this connection got established). So, I restarted this network and then got the following error:
Error: failed to create deliver client: failed to load config for OrdererClient: unable to load orderer.tls.rootcert.file: open /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/vodworks.com/orderers/orderer.vodworks.com/msp/tlscacerts/tlsca.vodworks.com-cert.pem: no such file or directory
!!!!!!!!!!!!!!! Channel creation failed !!!!!!!!!!!!!!!!
And then I verified in the CLI container that the crypto directory wasn't accessible, so I had to restart that container to make it accessible. But I was still unable to run it.
Can anyone please suggest what these errors mean and how I can run my network?
Where exactly did you change "example.com"? I'm pretty sure the setup script also creates all the crypto material based on configtx.yaml file, that has "example.com" as domain everywhere. The docker-compose files then map the created folders as volume into the container (see docker-compose-base.yml):
../crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp:/var/hyperledger/orderer/msp
So the docker-compose file also expects the certs to be in these folders. From your description I would expect that you missed changing the domain at some point.
The reason for this error was that the network was not going down properly. All the peers were connected with the channel already, as I verified by running the command peer channel list inside the container of each peer, which resulted in the following output:
Channels peers has joined:
ttchannel
And with this situation, the command peer channel create ... was actually throwing this error. So, I'm able to run the network successfully with the following command:
./byfn.sh restart -c ttchannel -s couchdb -t 60 -d 10
Which actually first puts the network down and then starts it again.
I am trying to create a new identity with this command: composer identity issue -c admin#siemens-network -f administrator1.card -u Administrator1 -a "resource:org.siemens.Administrator#001"
But I get the following output:
Issue identity and create Network Card for: Administrator1
✖ Issuing identity. This may take a few seconds...
Error: fabric-ca request register failed with errors [[{"code":20,"message":"Authorization failure"}]]
Command failed
I already restarted the fabric but it still doesn't work.
Please check that the admin#siemens-network card exists:
composer card list
If you do not have this card, access the folder containing the createPeerAdminCard.sh file and run
./createPeerAdminCard.sh
Hope it helps you.
I deleted all cards, restarted the network and reimported all cards. Now it's working
Booting up my first Hyperledger network on OSX.
I installed the sample files using the script
curl -sSL http://bitlyURLThatStackoverflow won't let me us | bash -s 1.2.1
Then ran
./byfn.sh up -c mychannel -s couchdb
To boot up a sample network and got the error
Error: failed to create deliver client: orderer client failed to connect to orderer.example.com:7050: failed to create new connection: context deadline exceeded
Pulled the logs from orderer.example.com:7050 and got
config requires unsupported channel capabilities: Channel capability V1_3 is required but not supported: Channel capability V1_3 is required but not supported
Any suggestions on where to start debugging?
If you are just getting started, you might want to move to 1.3.0 anyway as it is now generally available.
EDIT: You should now be able to just use 1.2.1 and things should work. I pushed a new v1.2.1 tag for fabric-samples. (read below for explanation).
To answer your question, the way the script works is that it assumes that both the fabric and fabric-samples repositories have tags matching the version specified for download. It turns out that there is 1.2.1 tag for fabric-samples so if you cloned it yourself you'll end up with the default (which is 1.3.0). If you want to use the 1.2.1 images, then you can simply download them and then run git checkout v1.2.0 in your clone of fabric-samples.