
Channel Creation failed: Only 0 policies were satisfied, but needed 1 of [ OrdererOrg/Writers ]

I have tried the tutorial from Hyperledger Fabric with version 2.3, where they instantiate 2 peers (Org1 and Org2) and an orderer node (Orderer), and tried to move forward by instantiating each node on a different VM. The final goal is to multiply peer and orderer nodes with Raft consensus, with each node on its own VM. I have defined the following configtx.yaml.

---
Organizations:

    - &OrdererOrg
        Name: OrdererOrg
        ID: OrdererMSP
        MSPDir: ../organizations/ordererOrganizations/example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('OrdererMSP.member','OrdererMSP.orderer')"
            Writers:
                Type: Signature
                Rule: "OR('OrdererMSP.member','OrdererMSP.orderer')"
            Admins:
                Type: Signature
                Rule: "OR('OrdererMSP.admin')"

        OrdererEndpoints:
            - orderer0.example.com:7050

    - &Org1
        Name: Org1MSP
        ID: Org1MSP
        MSPDir: ../organizations/peerOrganizations/org1.example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org1MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('Org1MSP.peer')"

        AnchorPeers:
            - Host: peer0.org1.example.com
              Port: 7051

    - &Org2
        Name: Org2MSP
        ID: Org2MSP
        MSPDir: ../organizations/peerOrganizations/org2.example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org2MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('Org2MSP.peer')"

        AnchorPeers:
            - Host: peer0.org2.example.com
              Port: 7051

Capabilities:
    Channel: &ChannelCapabilities
        V2_0: true
    Orderer: &OrdererCapabilities
        V2_0: true
    Application: &ApplicationCapabilities
        V2_0: true

Application: &ApplicationDefaults
    Organizations:
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        LifecycleEndorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"
        Endorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"

    Capabilities:
        <<: *ApplicationCapabilities

Orderer: &OrdererDefaults
    OrdererType: etcdraft
    EtcdRaft:
        Consenters:
        - Host: orderer0.example.com
          Port: 7050
          ClientTLSCert: ../organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/server.crt
          ServerTLSCert: ../organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/server.crt
    BatchTimeout: 2s
    BatchSize:
        MaxMessageCount: 10
        AbsoluteMaxBytes: 99 MB
        PreferredMaxBytes: 512 KB
    Organizations:
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"

Channel: &ChannelDefaults
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    Capabilities:
        <<: *ChannelCapabilities

Profiles:

    AllOrgsOrdererGenesis:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            Organizations:
                - *OrdererOrg
            Capabilities:
                <<: *OrdererCapabilities
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *Org1
                    - *Org2
                    
    AllOrgsChannel:
        Consortium: SampleConsortium
        <<: *ChannelDefaults
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *Org1
                - *Org2
            Capabilities:
                <<: *ApplicationCapabilities

On node Org1, after creating the crypto-material with cryptogen, I have created the genesis block and the application channel with configtxgen.

configtxgen -profile AllOrgsOrdererGenesis -outputBlock ./channel-artifacts/genesis.block -channelID mychannel
configtxgen -profile AllOrgsChannel -outputCreateChannelTx ./channel-artifacts/mychannel.tx -channelID mychannel

Next, I have shared these items with all nodes and started the associated Docker containers. The next step is to create the channel, so on the Org1 VM, I use the following command:

peer channel create -o <IP of the ordering node>:7050 --ordererTLSHostnameOverride orderer0.example.com -c mychannel -f ./channel-artifacts/mychannel.tx --outputBlock ./channel-artifacts/mychannel.block --tls --cafile ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlscacerts/tlsca.example.com-cert.pem

I have got the following error on my shell:

2020-12-15 16:52:38.764 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized

Error: got unexpected status: FORBIDDEN -- config update for existing channel did not pass initial checks: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied

Investigating the orderer logs gives me the following error:

2020-12-15 16:52:38.780 UTC [cauthdsl] func2 -> DEBU 368 0xc000902e60 signed by 0 principal evaluation starts (used [false])
2020-12-15 16:52:38.780 UTC [cauthdsl] func2 -> DEBU 369 0xc000902e60 processing identity 0 - &{Org1MSP 6ead373932c104ed8f9aa3da8431824fbe733b84eeee6d8b70a0f2ddca84a932}
2020-12-15 16:52:38.782 UTC [cauthdsl] func2 -> DEBU 36a 0xc000902e60 identity 0 does not satisfy principal: the identity is a member of a different MSP (expected OrdererMSP, got Org1MSP)
2020-12-15 16:52:38.782 UTC [cauthdsl] func2 -> DEBU 36b 0xc000902e60 principal evaluation fails
2020-12-15 16:52:38.782 UTC [cauthdsl] func1 -> DEBU 36c 0xc000902e60 gate 1608051158780630929 evaluation fails
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 36d Signature set did not satisfy policy /Channel/Orderer/OrdererOrg/Writers
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 36e == Done Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdererOrg/Writers
2020-12-15 16:52:38.782 UTC [policies] func1 -> DEBU 36f Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ OrdererOrg/Writers ]
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 370 Signature set did not satisfy policy /Channel/Orderer/Writers
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 371 == Done Evaluating *policies.ImplicitMetaPolicy Policy /Channel/Orderer/Writers
2020-12-15 16:52:38.782 UTC [policies] func1 -> DEBU 372 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ Consortiums/Writers Orderer/Writers ]
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 373 Signature set did not satisfy policy /Channel/Writers
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 374 == Done Evaluating *policies.ImplicitMetaPolicy Policy /Channel/Writers

I assume that the orderer policy expects a channel creation demand from an orderer, but only a peer can make it. Maybe I have made a mistake in writing my policies. Please, could you help me to fix my platform?

EDIT: After your comments, I add the following. Some of the environment variables of Org1 are:

export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
export CORE_PEER_MSPCONFIGPATH=${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
export CORE_PEER_ADDRESS=localhost:7051

The volume section of the orderer container's docker compose file is:

volumes:
  - ../channel-artifacts/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
  - ../organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/msp:/var/hyperledger/orderer/msp
  - ../organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/:/var/hyperledger/orderer/tls
  - ../orgconfig/orderer.yaml:/etc/hyperledger/fabric/orderer.yaml
  - orderer0.example.com:/var/hyperledger/production/orderer

And the Orderer config values associated with its MSP are:

General.LocalMSPDir = "/var/hyperledger/orderer/msp"
General.LocalMSPID = "OrdererMSP"
General.TLS.Enabled = true
General.TLS.PrivateKey = "/var/hyperledger/orderer/tls/server.key"
General.TLS.Certificate = "/var/hyperledger/orderer/tls/server.crt"
General.TLS.RootCAs = [/var/hyperledger/orderer/tls/ca.crt]
General.TLS.ClientAuthRequired = false
General.TLS.ClientRootCAs = []

According to the orderer's logs, the TLS handshake completed with no errors.

The orderer logs might indicate that the certificate you have provided in the orderer's local MSP directory belongs to org1, rather than the orderer org. To make sure, go in the orderer logs, and just before the lines you have provided, there must be some public certificates printed out in the logs. Copy them from the logs and throw them on a PEM certificate decoder online to check which organization they belong to from the attributes of the certificate. If it is indeed the wrong certificate, make sure to include the right ones from the MSP directories for the orderer org that you have generated with cryptogen.
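
An offline way to read the policy-evaluation lines quoted in the question, added here as an example and not part of the question or the answer: it extracts which MSP signed the request, which MSP the leaf rule expected, and the chain of policies that failed. The function names `triage` and `explain` are hypothetical; the sample lines are copied from the orderer log above.

```python
import re

# Lines copied from the orderer DEBUG log quoted in the question.
SAMPLE_LOG = """\
2020-12-15 16:52:38.780 UTC [cauthdsl] func2 -> DEBU 369 0xc000902e60 processing identity 0 - &{Org1MSP 6ead373932c104ed8f9aa3da8431824fbe733b84eeee6d8b70a0f2ddca84a932}
2020-12-15 16:52:38.782 UTC [cauthdsl] func2 -> DEBU 36a 0xc000902e60 identity 0 does not satisfy principal: the identity is a member of a different MSP (expected OrdererMSP, got Org1MSP)
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 36d Signature set did not satisfy policy /Channel/Orderer/OrdererOrg/Writers
2020-12-15 16:52:38.782 UTC [policies] func1 -> DEBU 36f Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ OrdererOrg/Writers ]
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 370 Signature set did not satisfy policy /Channel/Orderer/Writers
2020-12-15 16:52:38.782 UTC [policies] func1 -> DEBU 372 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ Consortiums/Writers Orderer/Writers ]
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 373 Signature set did not satisfy policy /Channel/Writers
"""

SIGNER = re.compile(r"processing identity \d+ - &\{(\S+) [0-9a-f]+\}")
MISMATCH = re.compile(r"different MSP \(expected (\S+), got (\S+)\)")
FAILED = re.compile(r"did not satisfy policy (\S+)")
NEEDED = re.compile(r"Only (\d+) policies were satisfied, but needed (\d+) of \[ (.*?) \]")

def triage(log_text):
    """Collect signer MSPs, MSP mismatches and failed policy paths, in log order."""
    report = {"signers": [], "mismatches": [], "failed": [], "needed": []}
    for line in log_text.splitlines():
        if m := SIGNER.search(line):
            report["signers"].append(m.group(1))
        elif m := MISMATCH.search(line):
            report["mismatches"].append((m.group(1), m.group(2)))
        elif m := FAILED.search(line):
            report["failed"].append(m.group(1))
        elif m := NEEDED.search(line):
            # (number of sub-policies required, names of the candidate sub-policies)
            report["needed"].append((int(m.group(2)), m.group(3).split()))
    return report

def explain(report):
    """Render the summary: who signed, what the leaf rule wanted, what failed."""
    out = [f"signed by: {', '.join(report['signers']) or 'nobody'}"]
    for expected, got in report["mismatches"]:
        out.append(f"leaf rule wanted {expected}, signer was {got}")
    if report["failed"]:
        # Leaf policy first, then each enclosing ImplicitMeta policy up to the root.
        out.append("failure chain: " + " <- ".join(report["failed"]))
    return "\n".join(out)

if __name__ == "__main__":
    print(explain(triage(SAMPLE_LOG)))
```
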
