Develop Reference

In Hyperledger Fabric v2.1, in the test-network repo sample - Error in channel creation

I'm trying to create a channel from the test-network sample of Hyperledger Fabric v2.1. I have installed all the latest fabric binaries & Docker images. The channel-artifacts, 2 peers and a ordering node were successfully created.
However, the command ./network.sh createChannel gives the following error.
Error: failed to create deliver client for orderer: failed to load config for OrdererClient: unable to load orderer.tls.rootcert.file: open /home/fabric/HLF/fabric-sample: no such file or directory
!!!!!!!!!!!!!!! Channel creation failed !!!!!!!!!!!!!!!!

I believe CreateChannel is roughly 5 steps.
Generate a CreateChannel Transaction
Generate an Anchor peer transaction
Create the channel with the genesis block
Join the peers to the channel and
Update one peer in each organization to Anchor peer.
Any chance you can share the output of ./network.sh createChannel, I'd like to see how far you got before you ran into this error.

I was able to solve this issue by removing the spaces from name of parent directory in which the "fabric-samples" repo were installed. This was the final output was:
2020-05-14 16:56:04.064 IST [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2020-05-14 16:56:04.130 IST [channelCmd] update -> INFO 002 Successfully submitted channel update
===================== Anchor peers updated for org 'Org2MSP' on channel 'mychannel' =====================
========= Channel successfully joined ===========

In my opinion, The problem is with the directory fabric-samples kindly re-download the binaries and try again.
Download using curl via:
curl -sSL https://raw.githubusercontent.com/hyperledger/fabric/release-2.1/scripts/bootstrap.sh | bash -s -- 2.1.0 1.5.2
Hope this helps, otherwise see the directory structures and path exports.

How to add a new Orderer Organization to existing Hyperledger Fabric network

I am trying to add a new Orderer Organization to RAFT based existing ordering service. I am using the first-network from fabric-samples as the base network. While generating crypto-material, I have modified to generate crypto-material for 1 more orderer organization. The crypto-config.yaml looks like:
OrdererOrgs:
# ---------------------------------------------------------------------------
# Orderer
# ---------------------------------------------------------------------------
- Name: Orderer
Domain: example.com
EnableNodeOUs: true
# ---------------------------------------------------------------------------
# "Specs" - See PeerOrgs below for complete description
# ---------------------------------------------------------------------------
Specs:
- Hostname: orderer
- Hostname: orderer2
- Hostname: orderer3
- Hostname: orderer4
- Hostname: orderer5
- Name: Orderer1
Domain: example1.com
EnableNodeOUs: true
Specs:
- Hostname: orderer
- Hostname: orderer2
- Hostname: orderer3
# ---------------------------------------------------------------------------
# "PeerOrgs" - Definition of organizations managing peer nodes
# ---------------------------------------------------------------------------
PeerOrgs:
# ---------------------------------------------------------------------------
# Org1
# ---------------------------------------------------------------------------
- Name: Org1
Domain: org1.example.com
EnableNodeOUs: true
Template:
Count: 2
# Start: 5
# Hostname: {{.Prefix}}{{.Index}} # default
# ---------------------------------------------------------------------------
# "Users"
# ---------------------------------------------------------------------------
# Count: The number of user accounts _in addition_ to Admin
# ---------------------------------------------------------------------------
Users:
Count: 1
# ---------------------------------------------------------------------------
# Org2: See "Org1" for full specification
# ---------------------------------------------------------------------------
- Name: Org2
Domain: org2.example.com
EnableNodeOUs: true
Template:
Count: 2
Users:
Count: 1
Also, the configtx.yaml for creating new Orderer organization's MSP in JSON format is given as:
Organizations:
- &Orderer1Org
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Orderer1Org
# ID to load the MSP definition as
ID: Orderer1MSP
MSPDir: ../crypto-config/ordererOrganizations/example1.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies:
Readers:
Type: Signature
Rule: "OR('Orderer1MSP.member')"
Writers:
Type: Signature
Rule: "OR('Orderer1MSP.member')"
Admins:
Type: Signature
Rule: "OR('Orderer1MSP.admin')"
Then I boot up the the network using byfn.sh. Now I use the cli container to modify the system channel configuration in following steps:
First I add the organization's JSON to the Orderer group as follows and submit channel update:
jq -s '.[0] * {"channel_group":{"groups":{"Orderer":{"groups": {"Orderer1Org":.[1]}}}}}' config.json orderer1org.json > modified_config.json
Then I add organization's JSON to the Consortium group as follows and submit channel update:
jq -s '.[0] * {"channel_group":{"groups":{"Consortiums":{"groups":{"SampleConsortium":{"groups": {"Orderer1MSP":.[1]}}}}}}}' config1.json orderer1org.json > modified_config1.json
Then I add organization's orderer1 TLS certificates to Consenters section and submit channel update:
cert=`base64 ../crypto/ordererOrganizations/example1.com/orderers/orderer.example1.com/tls/server.crt | sed ':a;N;$!ba;s/\n//g'`
cat modified_config1.json | jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert'", "host": "orderer.example1.com", "port": 7050, "server_tls_cert": "'$cert'"}] ' > modified_config2.json
Then I update the system channel configuration's Application group with new Orderer Org's JSON:
jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"Orderer1Org":.[1]}}}}}' config.json orderer1org.json > modified_config.json
Then I start one of the orderers in the new organization (orderer.example1.com) but the container is failing with following error:
2020-04-09 13:09:05.600 UTC [orderer.common.cluster.replication] fetchLastBlockSeq -> WARN 0e8 Received status:FORBIDDEN from orderer.example.com:7050: forbidden pulling the cha
nnel
2020-04-09 13:09:05.600 UTC [orderer.common.cluster.replication] func1 -> WARN 0e9 Received error of type 'forbidden pulling the channel' from {orderer.example.com:7050 [certs]}
The orderer.example.com logs throw this error:
2020-04-09 13:28:59.338 UTC [cauthdsl] deduplicate -> ERRO a3c Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authorit
y) for identity 0
2020-04-09 13:28:59.338 UTC [cauthdsl] deduplicate -> ERRO a3d Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authorit
y) for identity 0
2020-04-09 13:28:59.339 UTC [cauthdsl] deduplicate -> ERRO a3e Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authorit
y) for identity 0
2020-04-09 13:28:59.340 UTC [cauthdsl] deduplicate -> ERRO a3f Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authorit
y) for identity 0
2020-04-09 13:28:59.340 UTC [common.deliver] deliverBlocks -> WARN a40 [channel: byfn-sys-channel] Client authorization revoked for deliver request from 172.25.0.15:36196: implic
it policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2020-04-09 13:28:59.341 UTC [comm.grpc.server] 1 -> INFO a41 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=172.25.0.15:36196
grpc.peer_subject="CN=orderer.example1.com,L=San Francisco,ST=California,C=US" grpc.code=OK grpc.call_duration=4.992078ms

I was able to extend the first-network by adding a new Orderer Organization as follows:
Start the first-network through the byfn.sh script in the fabric-samples repo in the etcdraft mode.
I generated crypto-material like described in the crypto-config.yaml in the question above.
Use the configtxgen tool to print the new orderer organization's MSP into JSON format.
Mount or docker cp this JSON file to the running cli container.
Set the environment inside the cli container corresponding to existing ordering node. Import the latest system-channel configuration. Decode it to JSON format.
Edit the system channel configuration block's Orderer section to add the new orderer organization's MSP as follows:
jq -s '.[0] * {"channel_group":{"groups":{"Orderer":{"groups": {"Orderer1Org":.[1]}}}}}' config.json orderer1org.json > config1.json
Edit the system channel configuration block's Consortiums section to add the new orderer organization's MSP as follows:
jq -s '.[0] * {"channel_group":{"groups":{"Consortiums":{"groups":{"SampleConsortium":{"groups": {"Orderer1MSP":.[1]}}}}}}}' config1.json orderer1org.json > config2.json
Edit the system channel configuration block's Consenters section to add the TLS credentials for the new orderer organization's orderer.example1.com node as follows:
cert=`base64 ../crypto/ordererOrganizations/example1.com/orderers/orderer.example1.com/tls/server.crt | sed ':a;N;$!ba;s/\n//g'`
cat config2.json | jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert'", "host": "orderer.example1.com", "port": 7050, "server_tls_cert": "'$cert'"}] ' > modified_config.json
Encode the block, find delta, create channel update transaction, encode it as protobuf envelope and submit the channel update transaction.
Fetch the latest system channel configuration block.
Start one of the orderers (the one who was added to consenters list previously) using this latest fetched system channel configuration block as it's genesis.block file.
Perform docker exec into the cli container. Using the environment of an existing orderer node, fetch the latest system channel configuration.
Edit the system channel configuration block to add the new orderer's endpoint in the OrdererAddresses section as follows:
cat config.json | jq '.channel_group.values.OrdererAddresses.value.addresses += ["orderer.example1.com:7050"] ' > modified_config.json
Encode the block, find delta, create channel update transaction, encode it as protobuf envelope and get the block signed by Orderer1Org admin to satify the mod_policy for /Channel/OrdererAddresses resource which is set to Admins policy. This implicit meta policy expects the signature of MAJORITY Admins at that level of update. So, as the number of orderer organizations are 2 now, we need both the organization's admins to sign this system channel update transaction. Set the environment corresponding to Orderer1Org admin and run the following command:
peer channel signconfigtx -f ordorg_update_in_envelope.pb
Set the environment back to OrdererOrg admin and submit the channel update transaction. The peer channel update will automatically sign the transaction on behalf of OrdererOrg admin.
peer channel update -f ordorg_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.example.com:7050 --tls true --cafile $ORDERER_CA
For updating any application channel, just replace the step 7 by updating the application channel configuration block's Application section to add the new orderer organization's MSP there.
Hope this helps!

I followed above sequence of steps to add new Orderer Organization into existing network, but channel (i.e updating config change to orderer channel) update throw error like below,
2020-09-29 00:53:49.794 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'e2e-orderer-syschan': error authorizing update: error validating DeltaSet: policy for [Value] /Channel/OrdererAddresses not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
I modified-json blocks by using below setup calls (tried mix/match combination of this below json change steps)
jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"'${KL_NEW_ORDERER_NAME}'":.[1]}}}}}' config.json ${KL_NEW_ORDERER_NAME}.json > modified-config.json
jq -s '.[0] * {"channel_group":{"groups":{"Orderer":{"groups": {"'${KL_NEW_ORDERER_NAME}'":.[1]}}}}}' modified-config.json ${KL_NEW_ORDERER_NAME}.json > modified-config1.json
jq -s '.[0] * {"channel_group":{"groups":{"Consortiums":{"groups":{"'${KL_CONSORTIUM_NAME}'":{"groups": {"Orderermk01MSP":.[1]}}}}}}}' modified-config1.json ${KL_NEW_ORDERER_NAME}.json > modified-config2.json
LENGTH=$(jq '.channel_group.values.OrdererAddresses.value.addresses | length' modified-config2.json)
jq '.channel_group.values.OrdererAddresses.value.addresses['${LENGTH}'] |= "'${KL_NEW_ORDERER_URL}'"' modified-config2.json > modified-config3.json
cert=`base64 /hl-material/mk01-orderer/crypto-config/ordererOrganizations/${KL_DOMAIN}/orderers/orderer.mk01.${KL_DOMAIN}/tls/server.crt | sed ':a;N;$!ba;s/\n//g'`
cat modified-config3.json | jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert'", "host": "raft0.mk01.'${KL_DOMAIN}'", "port": 32050, "server_tls_cert": "'$cert'"}] ' > modified-config4.json
My network setup based on HLF 2.2 LTS with 5 raft nodes under K8s cluster.
I have successful setup with multi channel, multiple peer organization on 2.2 LTS (know how to get this in dynamic way without bringdown any network). But now looking for scaling orderer organization into multiple cluster/orgs dynamically. Is any tip or update needed on above steps ? Thanks again
Mariya

hyperledger fabric - problem with crytogen tool

I want to create a hyperledger fabric network and create my crypto-config.yaml. but in next step according to document I run this commans :
export FABRIC_CFG_PATH=$PWD
mkdir channel-artifacts
configtxgen -profile ThreeOrgsOrdererGenesis -outputBlock ./channel-artifacts/genesis.block
but I got this message :
2020-01-22 14:33:12.289 +0330 [common/tools/configtxgen] main -> WARN
001 Omitting the channel ID for configtxgen is deprecated. Explicitly
passing the channel ID will be required in the future, defaulting to
'testchainid'. 2020-01-22 14:33:12.289 +0330
[common/tools/configtxgen] main -> INFO 002 Loading configuration
2020-01-22 14:33:12.290 +0330 [common/tools/configtxgen/localconfig]
LoadTopLevel -> CRIT 003 Error reading configuration: Unsupported
Config Type "" 2020-01-22 14:33:12.290 +0330
[common/tools/configtxgen] func1 -> ERRO 004 Could not find
configtx.yaml. Please make sure that FABRIC_CFG_PATH or --configPath
is set to a path which contains configtx.yaml
where is my mistake? what can I do to fix it?

The configtx.yaml file is missing,as stated in the error.The path is unspecified.
You should try the command from the directory where this configtx.yaml is located.

The first warning is correct but you can avoid it.
Let's focus on
ERRO 004 Could not find configtx.yaml. Please make sure that FABRIC_CFG_PATH or --configPath is set to a path which contains configtx.yaml
The message is clear: you are missing configtx.yaml.
Do you have this file in your Fabric folder? This is mandatory to generate crypto materials.

run the below command:
export FABRIC_CFG_PATH=
After the above command, you can try the using cryptogen

How to resolve "CRIT 002 Error unmarshaling config into struct: 21 error(s)" in first-network setup?

I'm working through the Hyperledger "fabric-samples" docs and believe that I have followed all the prerequisite steps to arrive at the point where I invoke
me#TheBrick MINGW64 ~/go/src/fabric-samples (v1.1.0)
$ cd first-network/
me#TheBrick MINGW64 ~/go/src/fabric-samples/first-network (v1.1.0)
$ ./byfn.sh -m generate
The process throws back an error and I've been unable to find a solution yet.
The output:
Generating certs and genesis block for channel 'mychannel' with CLI timeout of '10' seconds and CLI delay of '3' seconds
Continue? [Y/n] y
proceeding ...
/c/Users/me.THEBRICK/go/src/fabric-samples/bin/cryptogen
##########################################################
##### Generate certificates using cryptogen tool #########
##########################################################
+ cryptogen generate --config=./crypto-config.yaml
org1.example.com
org2.example.com
+ res=0
+ set +x
/c/Users/me.THEBRICK/go/src/fabric-samples/bin/configtxgen
##########################################################
######### Generating Orderer Genesis block ##############
##########################################################
CONSENSUS_TYPE=solo
+ '[' solo == solo ']'
+ configtxgen -profile TwoOrgsOrdererGenesis -channelID byfn-sys-channel -outputBlock ./channel-artifacts/genesis.block
2019-02-01 10:17:00.647 GMT [common/configtx/tool] main -> INFO 001 Loading configuration
2019-02-01 10:17:00.675 GMT [common/configtx/tool/localconfig] Load -> CRIT 002 Error unmarshaling config into struct: 21 error(s) decoding:
* '' has invalid keys: capabilities, channel
* 'Application' has invalid keys: Capabilities, Policies
* 'Orderer' has invalid keys: Policies
* 'Organizations[0]' has invalid keys: Policies
* 'Organizations[1]' has invalid keys: Policies
* 'Organizations[2]' has invalid keys: Policies
* 'Profiles[SampleDevModeKafka]' has invalid keys: Capabilities, Policies
* 'Profiles[SampleDevModeKafka].Application' has invalid keys: Capabilities, Policies
* 'Profiles[SampleDevModeKafka].Application.Organizations[0]' has invalid keys: Policies
* 'Profiles[SampleDevModeKafka].Consortiums[SampleConsortium].Organizations[0]' has invalid keys: Policies
* 'Profiles[SampleDevModeKafka].Consortiums[SampleConsortium].Organizations[1]' has invalid keys: Policies
* 'Profiles[SampleDevModeKafka].Orderer' has invalid keys: Capabilities, Policies
* 'Profiles[SampleDevModeKafka].Orderer.Organizations[0]' has invalid keys: Policies
* 'Profiles[TwoOrgsChannel].Application' has invalid keys: Capabilities, Policies
* 'Profiles[TwoOrgsChannel].Application.Organizations[0]' has invalid keys: Policies
* 'Profiles[TwoOrgsChannel].Application.Organizations[1]' has invalid keys: Policies
* 'Profiles[TwoOrgsOrdererGenesis]' has invalid keys: Capabilities, Policies
* 'Profiles[TwoOrgsOrdererGenesis].Consortiums[SampleConsortium].Organizations[0]' has invalid keys: Policies
* 'Profiles[TwoOrgsOrdererGenesis].Consortiums[SampleConsortium].Organizations[1]' has invalid keys: Policies
* 'Profiles[TwoOrgsOrdererGenesis].Orderer' has invalid keys: Capabilities, Policies
* 'Profiles[TwoOrgsOrdererGenesis].Orderer.Organizations[0]' has invalid keys: Policies
+ res=1
+ set +x
Failed to generate orderer genesis block...
This is my reference point:
https://hyperledger-fabric.readthedocs.io/en/release-1.0/build_network.html
NB I have followed the steps to get to this point, and noted the info about "These instructions have been verified to work against the version “1.0.3” tagged Docker images". To that end I ran this
curl -sSL https://URL | bash -s 1.0.3
(the prerequisites specify 1.06)
curl -sSL https://URL | bash -s 1.0.6
I get the same result, regardless, both 1.0.3 and 1.0.6
Thanks for any tips.

peer node start throwing Could not find default pkcs11 BCCSP error

I am trying to run Hyperledger fabric peer with SoftHSM enabled. Fabric-ca-server is already running with SoftHSM enabled and all the certificates are generated with HSM enabled.
Initially, when I was trying to run fabric-ca-server it was throwing the same error Could not find defaultPKCS11BCCSP.
Then I found some people suggesting to make build from source code and it fixed that error.
Now I am facing the same error when I run peer node start command to bootstrap peer.
The BCCSP content on core.yaml is below:
# BCCSP (Blockchain crypto provider): Select which crypto implementation or
# library to use
BCCSP:
Default: PKCS11
# Settings for the SW crypto provider (i.e. when DEFAULT: SW)
SW:
# TODO: The default Hash and Security level needs refactoring to be
# fully configurable. Changing these defaults requires coordination
# SHA2 is hardcoded in several places, not only BCCSP
Hash: SHA2
Security: 256
# Location of Key Store
FileKeyStore:
# If "", defaults to 'mspConfigPath'/keystore
KeyStore:
# Settings for the PKCS#11 crypto provider (i.e. when DEFAULT: PKCS11)
PKCS11:
# Location of the PKCS11 module library
Library: /usr/local/lib/softhsm/libsofthsm2.so
# Token Label
Label: ForFabric
# User PIN
Pin: 98765432
Hash: SHA2
Security: 256
FileKeyStore:
KeyStore: /home/akshay/dev/fabric-ca/fabric-ca-client/peerOrg/msp/keystore
The error when I run peer node start:
$ peer node start
2018-12-28 14:48:50.508 IST [main] InitCmd -> ERRO 001 Cannot run peer because error when setting up MSP of type bccsp from directory /home/akshay/dev/fabric-ca/fabric-ca-client/peerOrg/msp: could not initialize BCCSP Factories: Failed initializing BCCSP.: Could not initialize BCCSP SW [Failed to initialize software key store: An invalid KeyStore path provided. Path cannot be an empty string.]
Could not find default `PKCS11` BCCSP
I am using the following peer version:
$ peer version
peer:
Version: 1.4.0
Commit SHA: 9cd9fce
Go version: go1.11.2
OS/Arch: linux/amd64
Chaincode:
Base Image Version: 0.4.14
Base Docker Namespace: hyperledger
Base Docker Label: org.hyperledger.fabric
Docker Namespace: hyperledger

There were two issues:
1) Make sure to delete the SW: section under BCCSP in core.yaml
2) By default, the peer binary and Docker image are both built without support for PCKS11. You can build the peer binary yourself using GO_TAGS=pkcs11 make peer