Hyperledger fabric peer update failed: signature set did not satisfy policy

Question

I am having HLF network with two orgs (one peer each) and 3 order nodes with order type as a raft. For the first org joining and the peer, updates work without any problem, but for the second org I am getting some troubles in the peer update

Here is the command i've used for the peer update

peer channel update \
    -o orderer1.base.order:7050 \
    -c basechannel \
    -f ./channel-artifacts/BaseRightOrg.tx \
    --tls \
    --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/base.order/orderers/orderer1.base.order/msp/tlscacerts/tlsca.base.order-cert.pem

The error I am getting is

Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'basechannel': error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application/RightOrgMSP not satisfied: signature set did not satisfy policy

Here is the configtx section of the above org

 - &Org2
        Name: RightOrgMSP
        ID: RightOrgMSP
        MSPDir: crypto-config/peerOrganizations/base.right/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('RightOrgMSP.admin', 'RightOrgMSP.peer', 'RightOrgMSP.client','RightOrgMSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('RightOrgMSP.admin','RightOrgMSP.peer', 'RightOrgMSP.client','RightOrgMSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('LeftOrgMSP.admin','RightOrgMSP.peer')"
            Endorsement:
                Type: Signature
                Rule: "OR('RightOrgMSP.peer')"     

        AnchorPeers:
            - Host: peer1.base.right
              Port: 9051       

Answer 1

The file (./channel-artifacts/BaseRightOrg.tx) should be signed by all/majority of admins of the organizations that are part of the channel sequentially(that is one after other the same file). Then only the update will be success.

Try using below command with every peer of the channel:

peer channel signconfigtx -f ./channel-artifacts/BaseRightOrg.tx

After signing, you can update the channel.

Answer 2

In your configtx under organisation you should only specify the admin for that organisation not both.

 &Org2
    Name: RightOrgMSP
    ID: RightOrgMSP
    MSPDir: crypto-config/peerOrganizations/base.right/msp
    Policies:
        Readers:
            Type: Signature
            Rule: "OR('RightOrgMSP.admin', 'RightOrgMSP.peer', 'RightOrgMSP.client','RightOrgMSP.member')"
        Writers:
            Type: Signature
            Rule: "OR('RightOrgMSP.admin','RightOrgMSP.peer', 'RightOrgMSP.client','RightOrgMSP.member')"
        Admins:
            Type: Signature
            Rule: "OR('RightOrgMSP.admin')"
        Endorsement:
            Type: Signature
            Rule: "OR('RightOrgMSP.peer')"     

    AnchorPeers:
        - Host: peer1.base.right
          Port: 9051   

Problem is not with this though check your channel application policy section, if it is MAJORITY Admins under admins that this channel update must be signed by both the organisations. Once signed by all the transaction which is majority in this case your update will work.

Application: &ApplicationDefaults

# Organizations is the list of orgs which are defined as participants on
# the application side of the network
Organizations:

# Policies defines the set of policies at this level of the config tree
# For Application policies, their canonical path is
#   /Channel/Application/<PolicyName>
Policies:
    Readers:
        Type: ImplicitMeta
        Rule: "ANY Readers"
    Writers:
        Type: ImplicitMeta
        Rule: "ANY Writers"
    Admins:
        Type: ImplicitMeta
        Rule: "MAJORITY Admins"

If you are still not able to perform it then share your complete configtx.

Answer 3

cafile

/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/base.order/orderers/orderer1.base.order/msp/tlscacerts/tlsca.base.order-cert.pem

In above line change the certificate location and key.