jabberwocky

Reputation: 145

Peer Channel Create in docker container fails with: identity is not valid: x509: certificate signed by unknown authority

I'm working through a course at Blockchain Training Alliance for Hyperledger Fabric 1.4.*

I'm trying to start a channel on a dev test network and keep getting the following error:

2020-07-07 01:41:48.496 UTC [cauthdsl] deduplicate -> ERRO 34f Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0

I saw in one post by anjy that network time-sync issues can cause this issue. My time did seem to be different on the containers versus the host VM, so I installed ntpdate and ran sudo ntpdate pool.ntp.org on host VM before starting the network. That fixed the time issue, but the above error was still there.

According to Nikhil Gupta's post, this error indicates that "the MSP ID that was passed as a parameter with the request was not recognized by the ordering service."
"the ordering service recognized your MSP ID, but could not validate that your certificate was issued by one of your organization's certificate authorities."

I'm using cryptogen and configtxgen to create my artifacts as follows:

$cryptogen generate --config=./crypto-config.yaml

then I edit docker-compose.yml to include the newly generated sk value and continue with:

$configtxgen -profile DefaultBlockOrderingService -outputBlock ./config/genesis.block -configPath $PWD

$configtxgen -profile btaMembersOnly -outputCreateChannelTx ./config/btamembersonly.tx -channelID btamembersonly

After successfully creating the genesis block and channel transaction artifact, I start the network:

$docker-compose -f docker-compose.yml up -d Devorderer.btacoin.com Andy.BTA.btacoin.com GeneralCA.btacoin.com cli

andy@ubuntu-server:~/fabric/network$ docker ps
CONTAINER ID        IMAGE                        COMMAND                  CREATED             STATUS              PORTS                                            NAMES
f406f488ede5        hyperledger/fabric-peer      "peer node start"        4 seconds ago       Up 1 second         0.0.0.0:7051->7051/tcp, 0.0.0.0:7053->7053/tcp   Andy.BTA.btacoin.com
0900795b1368        hyperledger/fabric-tools     "/bin/bash"              4 seconds ago       Up 2 seconds                                                         cli
c4946b315b08        hyperledger/fabric-orderer   "orderer"                6 seconds ago       Up 3 seconds        0.0.0.0:7050->7050/tcp                           Devorderer.btacoin.com
2e66b1d981f5        hyperledger/fabric-ca        "sh -c 'fabric-ca-se…"   6 seconds ago       Up 3 seconds        0.0.0.0:7054->7054/tcp                           GeneralCA.btacoin.com

Then I log into the admin peer and try to start the channel:

$docker exec -it Andy.BTA.btacoin.com bash
#cd /etc/hyperledger/configtx
#export CORE_PEER_LOCALMSPID=BTAMSP
#export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/[email protected]/msp
#peer channel create -o Devorderer.btacoin.com:7050 -f /etc/hyperledger/configtx/btamembersonly.tx -c btamembersonly

At this point, I get the following error:

Error: got unexpected status: BAD_REQUEST -- error validating channel creation transaction for new channel 'btamembersonly', could not succesfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group]  /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied

At this point, the orderer node log shows the error mentioned at the beginning:

2020-07-07 01:57:04.947 UTC [cauthdsl] deduplicate -> ERRO 34f Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
    2020-07-07 01:57:04.947 UTC [cauthdsl] func1 -> DEBU 350 0xc00046e820 gate 1594087024947536840 evaluation starts
    2020-07-07 01:57:04.947 UTC [cauthdsl] func2 -> DEBU 351 0xc00046e820 signed by 0 principal evaluation starts (used [false])
    2020-07-07 01:57:04.947 UTC [cauthdsl] func2 -> DEBU 352 0xc00046e820 principal evaluation fails
    2020-07-07 01:57:04.947 UTC [cauthdsl] func1 -> DEBU 353 0xc00046e820 gate 1594087024947536840 evaluation fails
    2020-07-07 01:57:04.947 UTC [policies] Evaluate -> DEBU 354 Signature set did not satisfy policy /Channel/Application/BTAMSP/Admins
    2020-07-07 01:57:04.947 UTC [policies] Evaluate -> DEBU 355 == Done Evaluating *cauthdsl.policy Policy /Channel/Application/BTAMSP/Admins
    2020-07-07 01:57:04.947 UTC [policies] func1 -> DEBU 356 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ BTAMSP/Admins ]
    2020-07-07 01:57:04.947 UTC [policies] Evaluate -> DEBU 357 Signature set did not satisfy policy /Channel/Application/ChannelCreationPolicy
    2020-07-07 01:57:04.947 UTC [policies] Evaluate -> DEBU 358 == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Application/ChannelCreationPolicy
    2020-07-07 01:57:04.947 UTC [orderer.common.broadcast] ProcessMessage -> WARN 359 [channel: btamembersonly] Rejecting broadcast of config message from 172.18.0.4:56024 because of error: error validating channel creation transaction for new channel 'btamembersonly', could not succesfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group]  /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
    2020-07-07 01:57:04.947 UTC [orderer.common.server] func1 -> DEBU 35a Closing Broadcast stream
    2020-07-07 01:57:04.947 UTC [comm.grpc.server] 1 -> INFO 35b streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Broadcast grpc.peer_address=172.18.0.4:56024 grpc.code=OK grpc.call_duration=12.196088ms
    2020-07-07 01:57:04.960 UTC [common.deliver] Handle -> WARN 35c Error reading from 172.18.0.4:56022: rpc error: code = Canceled desc = context canceled
    2020-07-07 01:57:04.961 UTC [orderer.common.server] func1 -> DEBU 35d Closing Deliver stream
    2020-07-07 01:57:04.961 UTC [comm.grpc.server] 1 -> INFO 35e streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=172.18.0.4:56022 error="rpc error: code = Canceled desc = context canceled" grpc.code=Canceled grpc.call_duration=27.125361ms
    2020-07-07 01:57:04.964 UTC [grpc] infof -> DEBU 35f transport: loopyWriter.run returning. connection error: desc = "transport is closing"
    2020-07-07 01:57:04.964 UTC [grpc] infof -> DEBU 360 transport: loopyWriter.run returning. connection error: desc = "transport is closing"

I'm not really sure where to look next for troubleshooting.

My setup is as follows (please let me know if I missed any key information):

andy@ubuntu-server:~/fabric/network$ tree -L 2
.
├── config
│   ├── btamembersonly.tx
│   └── genesis.block
├── configtx.yaml
├── crypto-config
│   ├── ordererOrganizations
│   └── peerOrganizations
├── crypto-config.yaml
├── defaults
│   ├── core.yaml
│   └── orderer.yaml
└── docker-compose.yml

docker-compose.yml:

andy@ubuntu-server:~/fabric/network$ cat -n docker-compose.yml 
     1    version: '2'
     2
     3    networks:
     4      btacoin:
     5
     6    services:
     7      GeneralCA.btacoin.com:
     8        container_name: GeneralCA.btacoin.com
     9        image: hyperledger/fabric-ca
    10        command: sh -c 'fabric-ca-server start -b btaCA:SimplePassword' #startup command
    11        environment:
    12          - FABRIC_CA_SERVER_CA_NAME=GeneralCA.btacoin.com
    13          - FABRIC_LOGGING_SPEC=debug
    14          - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
    15          - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.BTA.btacoin.com-cert.pem
    16          - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/ccb94b9473ef97a36b7d83beeb80583e9a2bda50ca5a392071b3c96185948ed7_sk
    17        volumes:
    18          - ./crypto-config/peerOrganizations/BTA.btacoin.com/ca/:/etc/hyperledger/fabric-ca-server-config
    19        ports:
    20          - 7054:7054
    21        networks:
    22          - btacoin
    23
    24      Devorderer.btacoin.com:
    25        container_name: Devorderer.btacoin.com
    26        image: hyperledger/fabric-orderer
    27        command: orderer  #startup command  
    28        environment:
    29          - FABRIC_LOGGING_SPEC=info
    30          - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
    31          - ORDERER_GENERAL_GENESISMETHOD=file
    32          - FABRIC_LOGGING_SPEC=debug         
    33          - ORDERER_GENERAL_LOCALMSPID=btacoinOrderersMSP
    34          - ORDERER_GENERAL_LOCALMSPDIR=/etc/hyperledger/msp/orderer/msp
    35          - ORDERER_GENERAL_GENESISFILE=/etc/hyperledger/configtx/genesis.block
    36
    37        volumes:
    38          - ./config/:/etc/hyperledger/configtx
    39          - ./crypto-config/ordererOrganizations/btacoin.com/orderers/Devorderer.btacoin.com/:/etc/hyperledger/msp/orderer
    40          - ./crypto-config/peerOrganizations/BTA.btacoin.com/peers/Andy.BTA.btacoin.com/:/etc/hyperledger/msp/BTA
    41        ports:
    42          - 7050:7050
    43        networks:
    44          - btacoin
    45
    46      Andy.BTA.btacoin.com:
    47        container_name: Andy.BTA.btacoin.com
    48        image: hyperledger/fabric-peer
    49        command: peer node start #startup command 
    50        environment:
    51            - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_btacoin
    52            - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
    53            - FABRIC_LOGGING_SPEC=debug
    54            - CORE_PEER_ID=Andy.BTA.btacoin.com
    55            - CORE_PEER_ADDRESS=Andy.BTA.btacoin.com:7051
    56            - CORE_PEER_LOCALMSPID=BTAMSP
    57            - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/peer/
    58        
    59        volumes:
    60          - /var/run/:/host/var/run/
    61          - ./crypto-config/peerOrganizations/BTA.btacoin.com/peers/Andy.BTA.btacoin.com/msp:/etc/hyperledger/msp/peer
    62          - ./crypto-config/peerOrganizations/BTA.btacoin.com/users:/etc/hyperledger/msp/users      
    63          - ./config:/etc/hyperledger/configtx      
    64          - ./../cc:/etc/hyperledger/chaincode 
    65          - ./chaincode:/etc/hyperledger/chaincode #Referenced in the Student Lab Guide
    66        ports: 
    67          - 7051:7051
    68          - 7053:7053
    69        depends_on:
    70          - Devorderer.btacoin.com
    71        networks:
    72          - btacoin
    73
    74      cli:
    75        container_name: cli
    76        image: hyperledger/fabric-tools
    77        command: /bin/bash #startup command  
    78        tty: true
    79        environment:
    80          - GOPATH=/opt/gopath/src
    81          - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
    82          - FABRIC_LOGGING_SPEC=debug
    83          - CORE_PEER_ID=cli
    84          - CORE_PEER_ADDRESS=Andy.BTA.btacoin.com:7051
    85          - CORE_PEER_LOCALMSPID=BTAMSP
    86          - CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/BTA.btacoin.com/user/[email protected]/msp
    87
    88        volumes:
    89          - /var/run/:/host/var/run/
    90          - ./../cc/:/opt/gopath/src/
    91          - ./crypto-config:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/
    92  #       - ./cryptoconfig:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/
    93          - ./config:/etc/hyperledger/configtx
    94        depends_on:
    95          - Devorderer.btacoin.com
    96        networks:
    97          - btacoin

configtx.yaml:

andy@ubuntu-server:~/fabric/network$ cat -n configtx.yaml 
     1  Organizations:
     2      - &btacoinOrderers
     3          Name: btacoinOrderersMSP
     4          ID: btacoinOrderersMSP
     5          MSPDir: crypto-config/ordererOrganizations/btacoin.com/msp
     6      - &BTA
     7          Name: BTAMSP 
     8          ID: BTAMSP
     9          MSPDir: crypto-config/ordererOrganizations/btacoin.com/msp
    10          AnchorPeers:
    11            - Host: Andy.BTA.btacoin.com
    12              Port: 7051
    13
    14  Application:  &ApplicationDefaults
    15      Organizations:
    16
    17  Orderer:  &DevModeOrdering
    18      OrdererType: solo
    19      Addresses: 
    20        - Devorderer.btacoin.com:7050
    21      BatchTimeout: 1s
    22      BatchSize: 
    23        MaxMessageCount: 1
    24
    25  Channel: 
    26
    27  Profiles:
    28    DefaultBlockOrderingService:
    29      Orderer:
    30        <<: *DevModeOrdering
    31        Organizations:
    32          - *btacoinOrderers
    33      Consortiums:
    34        NetworkConsortium: #Note, in the video, this was called SampleConsortium
    35          Organizations:
    36            - *BTA
    37    btaMembersOnly:
    38      Consortium: NetworkConsortium #Note, in the video, this was called SampleConsortium 
    39      Application:
    40        <<: *ApplicationDefaults
    41        Organizations:
    42          - *BTA
    43    

crypto-config.yaml:

andy@ubuntu-server:~/fabric/network$ cat -n crypto-config.yaml 
     1  #Note: crypto-config is only used for development purposes, NOT for production purposes
     2  #For production, you should have the Certificate Authority manage things!
     3  OrdererOrgs:
     4    - Name: btacoinOrderers
     5      Domain: btacoin.com
     6      Specs: 
     7        - Hostname: Devorderer
     8
     9  PeerOrgs:
    10    - Name: BTA
    11      Domain: BTA.btacoin.com
    12      Specs: 
    13        - Hostname: Andy
    14      Template:
    15        Count: 1
    16      Users:
    17        Count: 1

CA cert value used in docker-compose.yml:

andy@ubuntu-server:~/fabric/network$ ls ./crypto-config/peerOrganizations/BTA.btacoin.com/ca
ca.BTA.btacoin.com-cert.pem  ccb94b9473ef97a36b7d83beeb80583e9a2bda50ca5a392071b3c96185948ed7_sk

orderer.yaml and core.yaml come from:
https://s3.us-east-2.amazonaws.com/fabric-masterclass/orderer.yaml
https://s3.us-east-2.amazonaws.com/fabric-masterclass/core.yaml

Docker images come from:

docker pull hyperledger/fabric-peer
docker pull hyperledger/fabric-orderer
docker pull hyperledger/fabric-ca
docker pull hyperledger/fabric-tools

*The course is self-guided, with no forum or course support available. If there was another channel for help, I wouldn't post here. (I tried emailing the course creators for help prior to posting here.)

Upvotes: 1

Views: 928

Answers (2)

jabberwocky

Reputation: 145

As I mentioned in the comments, the course creators sent me a copy of the official YAML files for comparison. After comparing those files with mine, I discovered that I entered the wrong MSP for the peer in configtx.yaml. Instead of pointing to the peer's MSP, I was pointing to the orderer's MSP!

Original (with error):

     6      - &BTA
     7          Name: BTAMSP 
     8          ID: BTAMSP
     9          MSPDir: crypto-config/ordererOrganizations/btacoin.com/msp
    10          AnchorPeers:
    11            - Host: Andy.BTA.btacoin.com
    12              Port: 7051

Corrected line:

     9          MSPDir: crypto-config/peerOrganizations/BTA.btacoin.com/msp

After fixing this line, I was able to successfully create the new channel.

Upvotes: 1
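
A static check for the mistake found in this answer, as an added example that is not part of the original post or the course material: it flags organizations in configtx.yaml that have different MSP IDs but the same MSPDir, and an organization with AnchorPeers whose MSPDir sits under ordererOrganizations. The function names, the line-based parsing (no YAML library) and the constructed sample are assumptions of this example; the second rule assumes the cryptogen directory layout.

```python
import re
from collections import defaultdict

# Constructed sample: the Organizations section from the question, parameterized.
TEMPLATE = """\
Organizations:
    - &btacoinOrderers
        Name: btacoinOrderersMSP
        ID: btacoinOrderersMSP
        MSPDir: crypto-config/ordererOrganizations/btacoin.com/msp
    - &BTA
        Name: BTAMSP
        ID: BTAMSP
        MSPDir: {bta_mspdir}
        AnchorPeers:
          - Host: Andy.BTA.btacoin.com
            Port: 7051
"""
BROKEN = TEMPLATE.format(bta_mspdir="crypto-config/ordererOrganizations/btacoin.com/msp")
FIXED = TEMPLATE.format(bta_mspdir="crypto-config/peerOrganizations/BTA.btacoin.com/msp")

ANCHOR = re.compile(r"^\s*-\s*&(\w+)\s*$")           # "- &BTA" opens an org definition
FIELD = re.compile(r"^\s*(ID|MSPDir|AnchorPeers)\s*:\s*(\S*)")

def parse_orgs(text):
    """Line-based scan (hypothetical helper, no YAML library): one dict per anchored org."""
    orgs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop trailing comments
        m = ANCHOR.match(line)
        if m:
            orgs.append({"anchor": m.group(1)})
        elif orgs and (m := FIELD.match(line)):
            orgs[-1].setdefault(m.group(1), m.group(2))
    return orgs

def check(text):
    """Return (rule, mspdir, [msp ids]) findings for the configtx.yaml text."""
    orgs, findings, by_dir = parse_orgs(text), [], defaultdict(set)
    for o in orgs:
        if "MSPDir" in o:
            by_dir[o["MSPDir"].rstrip("/")].add(o.get("ID", o["anchor"]))
    for mspdir, ids in by_dir.items():
        if len(ids) > 1:    # two MSP IDs would trust the same root CA certificates
            findings.append(("shared-mspdir", mspdir, sorted(ids)))
    for o in orgs:          # heuristic, assumes the cryptogen directory layout
        if "AnchorPeers" in o and "ordererOrganizations/" in o.get("MSPDir", ""):
            findings.append(("peer-org-uses-orderer-msp", o["MSPDir"], [o.get("ID", o["anchor"])]))
    return findings

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check(text) or "no findings")
```

Run it against configtx.yaml before calling configtxgen: the genesis block embeds the CA certificates found under each MSPDir, so a wrong path only surfaces later as a signature-validation failure at the orderer.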

Jason Yellick

Reputation: 1624

According to Nikhil Gupta's post, this error indicates that "the MSP ID that was passed as a parameter with the request was not recognized by the ordering service."

Actually, this isn't true. If you read this post carefully, you will see that the error

ERRO 02d Principal deserialization failure
(the supplied identity is not valid: x509: certificate signed by unknown authority)

actually indicates that the MSPID is recognized by the system, and that in fact, it is your certificate which is invalid. So, either the MSPID does not match the certificate, or, the certificate was not appropriately issued by the CAs for that MSPID in your channel configuration.

In your case, based on the fact that this is a course exercise, and not a production network, I would guess that perhaps the network has been bootstrapped multiple times, but without properly cleaning all of the persisted artifacts in between steps. I would encourage you to ensure that all docker containers and especially docker volumes have been removed, and attempt to recreate this failure in a clean environment. The docker-compose you included does enumerate volumes; you can see them via docker volume ls, and you can remove them with a command like docker volume rm $(docker volume ls -q).

Upvotes: 1
