Reputation: 313
I have 1 TLS CA, 1 root CA and 1 intermediate CA. Registration and enrollment of the components succeed.
I generated the application channel genesis block. My configtx.yaml:
Organizations:
  - &org
    Name: org
    ID: orgMSP
    MSPDir: org/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('orgMSP.member')"
      Writers:
        Type: Signature
        Rule: "OR('orgMSP.member')"
      Admins:
        Type: Signature
        Rule: "OR('orgMSP.admin')"
      Endorsement:
        Type: Signature
        Rule: "OR('orgMSP.member')"
    OrdererEndpoints:
      - orderer1-org:7050
      - orderer2-org:7050
      - orderer3-org:7050
    AnchorPeers:
      - Host: peer1-org
        Port: 7051
Capabilities:
  Channel: &ChannelCapabilities
    V2_0: true
  Orderer: &OrdererCapabilities
    V2_0: true
  Application: &ApplicationCapabilities
    V2_0: true
Channel: &ChannelDefaults
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "ANY Admins"
  Capabilities:
    <<: *ChannelCapabilities
Application: &ApplicationDefaults
  ACLs: &ACLsDefault
    # This section provides defaults for policies for various resources
    # in the system. These "resources" could be functions on system chaincodes
    # (e.g., "GetBlockByNumber" on the "qscc" system chaincode) or other resources
    # (e.g., who can receive Block events). This section does NOT specify the resource's
    # definition or API, but just the ACL policy for it.
    # Users can override these defaults with their own policy mapping by defining the
    # mapping under ACLs in their channel definition
    #---New Lifecycle System Chaincode (_lifecycle) function to policy mapping for access control--#
    # ACL policy for _lifecycle's "CheckCommitReadiness" function
    _lifecycle/CheckCommitReadiness: /Channel/Application/Writers
    _lifecycle/CommitChaincodeDefinition: /Channel/Application/Writers
    _lifecycle/QueryChaincodeDefinition: /Channel/Application/Writers
    _lifecycle/QueryChaincodeDefinitions: /Channel/Application/Writers
  Organizations:
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
    LifecycleEndorsement:
      Type: ImplicitMeta
      Rule: "MAJORITY Endorsement"
    Endorsement:
      Type: ImplicitMeta
      Rule: "MAJORITY Endorsement"
  Capabilities:
    <<: *ApplicationCapabilities
Orderer: &OrdererDefaults
  OrdererType: etcdraft
  Addresses:
    - orderer1-org:7050
    - orderer2-org:7050
    - orderer3-org:7050
  BatchTimeout: 2s
  BatchSize:
    MaxMessageCount: 500
    AbsoluteMaxBytes: 99 MB
    PreferredMaxBytes: 2 MB
  MaxChannels: 0
  EtcdRaft:
    Consenters:
      - Host: orderer1-org
        Port: 7050
        ClientTLSCert: ca-tls/orderer1-org/msp/tlscacerts/tls-ca-tls.pem
        ServerTLSCert: ca-tls/orderer1-org/msp/tlscacerts/tls-ca-tls.pem
      - Host: orderer2-org
        Port: 7050
        ClientTLSCert: ca-tls/orderer2-org/msp/tlscacerts/tls-ca-tls.pem
        ServerTLSCert: ca-tls/orderer2-org/msp/tlscacerts/tls-ca-tls.pem
      - Host: orderer3-org
        Port: 7050
        ClientTLSCert: ca-tls/orderer3-org/msp/tlscacerts/tls-ca-tls.pem
        ServerTLSCert: ca-tls/orderer3-org/msp/tlscacerts/tls-ca-tls.pem
  Organizations:
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "ANY Admins"
    BlockValidation:
      Type: ImplicitMeta
      Rule: "ANY Writers"
Channel: &ChannelDefaults
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "ANY Admins"
  Capabilities:
    <<: *ChannelCapabilities
Profiles:
  ChannelUsingRaft:
    <<: *ChannelDefaults
    Orderer:
      <<: *OrdererDefaults
      OrdererType: etcdraft
      EtcdRaft:
        Consenters:
          - Host: orderer1-org
            Port: 7050
            ClientTLSCert: ca-tls/orderer1-org/msp/tlscacerts/tls-ca-tls.pem
            ServerTLSCert: ca-tls/orderer1-org/msp/tlscacerts/tls-ca-tls.pem
          - Host: orderer2-org
            Port: 7050
            ClientTLSCert: ca-tls/orderer2-org/msp/tlscacerts/tls-ca-tls.pem
            ServerTLSCert: ca-tls/orderer2-org/msp/tlscacerts/tls-ca-tls.pem
          - Host: orderer3-org
            Port: 7050
            ClientTLSCert: ca-tls/orderer3-org/msp/tlscacerts/tls-ca-tls.pem
            ServerTLSCert: ca-tls/orderer3-org/msp/tlscacerts/tls-ca-tls.pem
      Addresses:
        - orderer1-org:7050
        - orderer2-org:7050
        - orderer3-org:7050
      Organizations:
        - *org
      Capabilities: *OrdererCapabilities
    Application:
      <<: *ApplicationDefaults
      Organizations:
        - *org
      Capabilities:
        <<: *ApplicationCapabilities
I try to create the application channel with this command:
export OSN_TLS_CA_ROOT_CERT=/path/crypto/ca-tls/tls-root-cert/tls-ca-cert.pem
export ADMIN_TLS_SIGN_CERT=/path/crypto/ca-tls/osnadmin1-org/msp/signcerts/cert.pem
export ADMIN_TLS_PRIVATE_KEY=/path/crypto/ca-tls/osnadmin1-org/msp/keystore/key.pem
osnadmin channel join --channelID mychannel --config-block /tmp/hyperledger/fabric-ca/crypto/mychannel.block -o orderer1-org:10443 \
--ca-file /path/crypto/ca-tls/tls-root-cert/tls-ca-cert.pem --client-cert /path/crypto/ca-tls/osnadmin1-org/msp/signcerts/cert.pem --client-key /path/crypto/ca-tls/osnadmin1-org/msp/keystore/key.pem
With one consenter the command succeeds. With 2 or 3 consenters I get the following error:
Status: 400
{
  "error": "cannot join: failed to determine cluster membership from join-block: failed to validate config metadata of ordering config: duplicate consenter: server cert: -----BEGIN CERTIFICATE-----\n***\n-----END CERTIFICATE-----\n, client cert: -----BEGIN CERTIFICATE-----\n***\n-----END CERTIFICATE-----\n"
}
My orderer compose file:
networks:
  network:
    external: true
services:
  orderer1-org:
    container_name: $ORDERER1_NAME
    image: hyperledger/fabric-orderer:2.4
    environment:
      - ORDERER_HOME=/path/crypto/$CA_TLS_NAME/$ORDERER1_NAME
      - ORDERER_HOST=0.0.0.0
      - FABRIC_LOGGING_SPEC=INFO
      - ORDERER_GENERAL_BOOTSTRAPMETHOD=none
      - ORDERER_GENERAL_LOCALMSPDIR=/path/crypto/ica/$ORDERER1_NAME/msp
      - ORDERER_FILELEDGER_LOCATION=/path/crypto/ica/$ORDERER1_NAME/fileledger
      - ORDERER_GENERAL_LOCALMSPID=orgMSP
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_CHANNELPARTICIPATION_ENABLED=true
      - ORDERER_ADMIN_LISTENADDRESS=$ORDERER1_NAME:$ORDERER1_ADMIN_PORT
      - ORDERER_ADMIN_TLS_ENABLED=true
      - ORDERER_ADMIN_TLS_PRIVATEKEY=/path/crypto/$CA_TLS_NAME/$ORDERER1_ADMIN_NAME/msp/keystore/key.pem
      - ORDERER_ADMIN_TLS_CERTIFICATE=/path/crypto/$CA_TLS_NAME/$ORDERER1_ADMIN_NAME/msp/signcerts/cert.pem
      - ORDERER_ADMIN_TLS_ROOTCAS=[/path/crypto/$CA_TLS_NAME/tls-root-cert/tls-ca-cert.pem]
      - ORDERER_ADMIN_TLS_CLIENTAUTHREQUIRED=true
      - ORDERER_ADMIN_TLS_CLIENTROOTCAS=[/path/crypto/$CA_TLS_NAME/tls-root-cert/tls-ca-cert.pem]
      - ORDERER_GENERAL_LISTENPORT=$ORDERER_PORT
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_CERTIFICATE=/path/crypto/$CA_TLS_NAME/$ORDERER1_NAME/msp/signcerts/cert.pem
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/path/crypto/$CA_TLS_NAME/$ORDERER1_NAME/msp/keystore/key.pem
      - ORDERER_GENERAL_TLS_ROOTCAS=[/path/crypto/$CA_TLS_NAME/$ORDERER1_NAME/msp/tlscacerts/tls-$CA_TLS_NAME.pem]
      - ORDERER_GENERAL_TLS_CLIENTAUTHREQUIRED=true
      - ORDERER_GENERAL_LOGLEVEL=INFO
      - ORDERER_DEBUG_BROADCASTTRACEDIR=data/logs
      - ORDERER_CONSENSUS_WALDIR=/path/crypto/ica/$ORDERER1_NAME/etcdraft/wal
      - ORDERER_CONSENSUS_SNAPDIR=/path/crypto/ica/$ORDERER1_NAME/etcdraft/snapshot
    ports:
      - $ORDERER_PORT:$ORDERER_PORT
      - $ORDERER1_ADMIN_PORT:$ORDERER1_ADMIN_PORT
    volumes:
      - $MAIN_PATH/crypto:/path/crypto
    networks:
      - network
Upvotes: 0
Views: 46
Reputation: 313
I solved my problem. I changed ClientTLSCert and ServerTLSCert to
ca-tls/orderer-org/msp/signcerts/cert.pem
Upvotes: 0
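The root cause in the question is visible in the Consenters list: every ClientTLSCert and ServerTLSCert points at a tlscacerts/ file, which holds the one TLS CA certificate rather than each orderer's own TLS leaf certificate, so all three consenters present the same server/client cert pair and the orderer rejects the join block as a "duplicate consenter". The script below is an added example, not part of the post or of Fabric, that reproduces that rejection offline before a block is ever generated, and adds a path heuristic an operator would want: flag any consenter cert that lives under tlscacerts/. It assumes the constructed in-memory file map `FILES` (placeholder PEM text, not real certificates) in place of reading the crypto directory, and the pair key it deduplicates on follows the server cert plus client cert that the error message prints.

```python
"""Offline pre-flight check for the etcdraft Consenters list in a Fabric
configtx.yaml. Added example, not Fabric's own code. It mirrors the
orderer's 'duplicate consenter' rejection (keyed on the server cert plus
client cert pair the error message prints) and adds a path heuristic:
a consenter cert under a tlscacerts/ directory is the CA certificate,
not the orderer's own TLS leaf certificate. All paths and PEM contents
below are constructed placeholders."""
import hashlib
import re
from typing import Callable, Dict, List

# Constructed in-memory "filesystem" (path -> PEM text). The three
# tlscacerts copies hold the same CA certificate, as in the question;
# the signcerts files are distinct per orderer, as in the answer.
_CA_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-TLS-CA\n-----END CERTIFICATE-----\n"
FILES: Dict[str, str] = {
    f"ca-tls/orderer{n}-org/msp/tlscacerts/tls-ca-tls.pem": _CA_PEM for n in (1, 2, 3)
}
FILES.update({
    f"ca-tls/orderer{n}-org/msp/signcerts/cert.pem":
        f"-----BEGIN CERTIFICATE-----\nPLACEHOLDER-ORDERER{n}-LEAF\n-----END CERTIFICATE-----\n"
    for n in (1, 2, 3)
})


def consenters(cert_rel_path: str) -> List[Dict[str, object]]:
    """Build a Consenters list shaped like the question's configtx.yaml,
    with both TLS cert fields pointing at cert_rel_path under each orderer's msp/."""
    return [
        {
            "Host": f"orderer{n}-org",
            "Port": 7050,
            "ClientTLSCert": f"ca-tls/orderer{n}-org/msp/{cert_rel_path}",
            "ServerTLSCert": f"ca-tls/orderer{n}-org/msp/{cert_rel_path}",
        }
        for n in (1, 2, 3)
    ]


BROKEN_CONSENTERS = consenters("tlscacerts/tls-ca-tls.pem")  # as posted
FIXED_CONSENTERS = consenters("signcerts/cert.pem")          # as in the answer


def pem_fingerprint(pem: str) -> str:
    """Hash the PEM with all whitespace removed, so the same certificate
    copied into three files (or with CRLF line endings) compares equal."""
    return hashlib.sha256(re.sub(r"\s+", "", pem).encode()).hexdigest()


def check_consenters(consenter_list: List[Dict[str, object]],
                     read: Callable[[str], str] = FILES.__getitem__) -> Dict[str, List[str]]:
    """Return the problems an orderer (duplicates) or an operator (CA paths)
    would object to. `read` maps a configured path to PEM text."""
    result: Dict[str, List[str]] = {"duplicates": [], "ca_cert_paths": []}
    seen: Dict[tuple, str] = {}  # (server fp, client fp) -> first consenter using it
    for c in consenter_list:
        who = f"{c['Host']}:{c['Port']}"
        for field in ("ServerTLSCert", "ClientTLSCert"):
            path = str(c[field])
            if "tlscacerts" in path.split("/"):
                result["ca_cert_paths"].append(
                    f"{who}: {field}={path} is under tlscacerts/, i.e. a CA cert, not this orderer's TLS cert")
        key = (pem_fingerprint(read(str(c["ServerTLSCert"]))),
               pem_fingerprint(read(str(c["ClientTLSCert"]))))
        if key in seen:
            result["duplicates"].append(
                f"duplicate consenter: {who} repeats the server/client cert pair of {seen[key]}")
        else:
            seen[key] = who
    return result


def join_block_would_be_accepted(consenter_list: List[Dict[str, object]]) -> bool:
    """True when no two consenters share the same server/client cert pair."""
    return not check_consenters(consenter_list)["duplicates"]


if __name__ == "__main__":
    for label, lst in (("as posted", BROKEN_CONSENTERS), ("as fixed", FIXED_CONSENTERS)):
        report = check_consenters(lst)
        print(f"{label}: join block accepted = {join_block_would_be_accepted(lst)}")
        for line in report["duplicates"] + report["ca_cert_paths"]:
            print("   ", line)
```

Run against the posted layout the script reports two duplicate consenters (orderer2 and orderer3 repeat orderer1's pair) plus six CA-path warnings; against the answer's layout it reports nothing. The single-consenter case passes in the question for the same reason it passes here: with one consenter there is nothing to collide with, which is why the misconfiguration only surfaces once a second orderer is added.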