Peer channel creation failed in Hyperledger Fabric

Question

I use CA to create a fabric network.

This is My Code ,

When I create a channel in cli (Using run-bootstrap.sh ), it will report the following error:

+ peer channel create --logging-level=DEBUG -c mychannel -f /data/channel.tx -o orderer1-org0:7050 --tls --cafile /data/org0-ca-chain.pem --clientauth --keyfile /data/tls/peer1-org1-cli-client.key --certfile /data/tls/peer1-org1-cli-client.crt
2018-05-19 02:49:52.296 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing local MSP
2018-05-19 02:49:52.296 UTC [msp] GetDefaultSigningIdentity -> DEBU 002 Obtaining default signing identity
2018-05-19 02:49:52.302 UTC [channelCmd] InitCmdFactory -> INFO 003 Endorser and orderer connections initialized
2018-05-19 02:49:52.303 UTC [msp] GetLocalMSP -> DEBU 004 Returning existing local MSP
2018-05-19 02:49:52.303 UTC [msp] GetDefaultSigningIdentity -> DEBU 005 Obtaining default signing identity
2018-05-19 02:49:52.303 UTC [msp] GetLocalMSP -> DEBU 006 Returning existing local MSP
2018-05-19 02:49:52.303 UTC [msp] GetDefaultSigningIdentity -> DEBU 007 Obtaining default signing identity
2018-05-19 02:49:52.303 UTC [msp/identity] Sign -> DEBU 008 Sign: plaintext: 0AA2080A076F7267314D53501296082D...53616D706C65436F6E736F727469756D 
2018-05-19 02:49:52.303 UTC [msp/identity] Sign -> DEBU 009 Sign: digest: AFCB3764EA16712F5DD3D56491753AA17C062107BB371788AFB177C05D9CD709 
2018-05-19 02:49:52.304 UTC [msp] GetLocalMSP -> DEBU 00a Returning existing local MSP
2018-05-19 02:49:52.304 UTC [msp] GetDefaultSigningIdentity -> DEBU 00b Obtaining default signing identity
2018-05-19 02:49:52.304 UTC [msp] GetLocalMSP -> DEBU 00c Returning existing local MSP
2018-05-19 02:49:52.304 UTC [msp] GetDefaultSigningIdentity -> DEBU 00d Obtaining default signing identity
2018-05-19 02:49:52.304 UTC [msp/identity] Sign -> DEBU 00e Sign: plaintext: 0AD9080A1508021A0608D0A1FED70522...4DB934071B4655355F2BA0A72ABA54FD 
2018-05-19 02:49:52.304 UTC [msp/identity] Sign -> DEBU 00f Sign: digest: 545FE64385AEB4E8B4D1D3F8F815A3CA44953FE37ED5CBA43BBF3B616B74A720 
Error: got unexpected status: BAD_REQUEST -- error authorizing update: error validating DeltaSet: policy for [Group]  /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
Usage:
  peer channel create [flags]

Flags:
  -c, --channelID string   In case of a newChain command, the channel ID to create.
  -f, --file string        Configuration transaction file generated by a tool such as configtxgen for submitting to orderer
  -t, --timeout int        Channel creation timeout (default 5)

Global Flags:
      --cafile string                       Path to file containing PEM-encoded trusted certificate(s) for the ordering endpoint
      --certfile string                     Path to file containing PEM-encoded X509 public key to use for mutual TLS communication with the orderer endpoint
      --clientauth                          Use mutual TLS when communicating with the orderer endpoint
      --keyfile string                      Path to file containing PEM-encoded private key to use for mutual TLS communication with the orderer endpoint
      --logging-level string                Default logging level and overrides, see core.yaml for full syntax
  -o, --orderer string                      Ordering service endpoint
      --ordererTLSHostnameOverride string   The hostname override to use when validating the TLS connection to the orderer.
      --tls                                 Use TLS when communicating with the orderer endpoint
  -v, --version                             Display current version of fabric peer server

As you can see, I use the following command to create channel:

peer channel create --logging-level=DEBUG -c mychannel -f /data/channel.tx -o orderer1-org0:7050 --tls --cafile /data/org0-ca-chain.pem --clientauth --keyfile /data/tls/peer1-org1-cli-client.key --certfile /data/tls/peer1-org1-cli-client.crt

The certificate directory is as follows:

data/
├── channel.tx
├── logs
│   ├── run.fail
│   ├── run.log
│   └── run.sum
├── org0-ca-chain.pem
├── org1-anchors.tx
├── org1-ca-chain.pem
├── org2-anchors.tx
├── org2-ca-chain.pem
├── orgs
│   └── org1
│       ├── admin
│       │   ├── fabric-ca-client-config.yaml
│       │   └── msp
│       │       ├── admincerts
│       │       │   └── cert.pem
│       │       ├── cacerts
│       │       │   └── ica-org1-7054.pem
│       │       ├── intermediatecerts
│       │       │   └── ica-org1-7054.pem
│       │       ├── keystore
│       │       │   └── 5c24090c568fe1ea99c9cc138cfa40cb291fbf45bf101a5a84b088a651bce9ca_sk
│       │       └── signcerts
│       │           └── cert.pem
│       └── msp
│           └── admincerts
│               └── cert.pem
└── tls
    ├── peer1-org1-cli-client.crt
    ├── peer1-org1-cli-client.key
    ├── peer1-org2-cli-client.crt
    ├── peer1-org2-cli-client.key
    ├── peer2-org1-cli-client.crt
    ├── peer2-org1-cli-client.key
    ├── peer2-org2-cli-client.crt
    └── peer2-org2-cli-client.key

And，the Orderer logs:

2018-05-19 02:49:52.329 UTC [cauthdsl] func2 -> DEBU 2bf 0xc42000ed38 identity 0 does not satisfy principal: the identity is a member of a different MSP (expected org2MSP, got org1MSP)
2018-05-19 02:49:52.329 UTC [cauthdsl] func2 -> DEBU 2c0 0xc42000ed38 principal evaluation fails
2018-05-19 02:49:52.329 UTC [cauthdsl] func1 -> DEBU 2c1 0xc42000ed38 gate 1526698192329854685 evaluation fails
2018-05-19 02:49:52.329 UTC [policies] Evaluate -> DEBU 2c2 Signature set did not satisfy policy /Channel/Application/org2/Admins
2018-05-19 02:49:52.329 UTC [policies] Evaluate -> DEBU 2c3 == Done Evaluating *cauthdsl.policy Policy /Channel/Application/org2/Admins
2018-05-19 02:49:52.330 UTC [policies] func1 -> DEBU 2c4 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ org1.Admins org2.Admins ]
2018-05-19 02:49:52.330 UTC [policies] Evaluate -> DEBU 2c5 Signature set did not satisfy policy /Channel/Application/ChannelCreationPolicy
2018-05-19 02:49:52.330 UTC [policies] Evaluate -> DEBU 2c6 == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Application/ChannelCreationPolicy
2018-05-19 02:49:52.330 UTC [orderer/common/broadcast] Handle -> WARN 2c7 [channel: mychannel] Rejecting broadcast of config message from 120.92.210.105:38776 because of error: error authorizing update: error validating DeltaSet: policy for [Group]  /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining
2018-05-19 02:49:52.330 UTC [orderer/common/server] func1 -> DEBU 2c8 Closing Broadcast stream
2018-05-19 02:49:52.334 UTC [common/deliver] Handle -> WARN 2c9 Error reading from 120.92.210.105:38774: rpc error: code = Canceled desc = context canceled
2018-05-19 02:49:52.334 UTC [orderer/common/server] func1 -> DEBU 2ca Closing Deliver stream

Why?

Answer 1

Typically /Channel/Application not satisfied: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining indicates that the certificate used to authorize the channel creation does not have admin rights.

I would try to set CORE_PEER_MSPCONFIGPATH to /data/orgs/org1/msp/admincerts/cert.pem and see if that will satisfy that sub-policy threshold.

Answer 2

我已经解决了，这个问题是由于CA反复注册以获得证书而引起的，它应该使用先前获得的证书。