10

My Fabric version is 1.1.0-preview; the peer, orderer and configtxgen are newly generated.

When I execute the configtxgen tool:

configtxgen -profile SoloOrdererGenesis -outputBlock genesis.block 
configtxgen -profile mych -outputCreateChannelTx channel-artifacts/mych.tx -channelID mych

It generates the genesis.block and mych.tx, with the channel name mych.

Then the orderer starts with genesis.block, and I execute the following:

peer channel create -f mych.tx -o orderer.example.com:7050 -c mych

It throws the error:

Error: got unexpected status: FORBIDDEN -- Failed to reach implicit threshold of 1 sub-policies, required 1 remaining: permission denied

Which step is wrong?

My configtx.yaml file is:

---
Profiles:
    SoloOrdererGenesis:
        Orderer:
            <<: *OrdererDefaults
            Organizations:
                - *OrdererOrg
        Consortiums:
            SampleConsortium4:
                Organizations:
                    - *Org1
                    - *Org2
                    - *Org3
                    - *Org4
            SampleConsortium3:
                Organizations:
                    - *Org1
                    - *Org2
                    - *Org3
            SampleConsortium2:
                Organizations:
                    - *Org1
                    - *Org2
            SampleConsortium1:
                Organizations:
                    - *Org1
    mych4:
        Consortium: SampleConsortium4
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *Org1
                - *Org2
                - *Org3
                - *Org4
    mych3:
        Consortium: SampleConsortium3
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *Org1
                - *Org2
                - *Org3

    mych2:
        Consortium: SampleConsortium2
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *Org1
                - *Org2

    mych1:
        Consortium: SampleConsortium1
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *Org1
Organizations:
    - &OrdererOrg
        Name: OrdererOrg
        ID: OrdererMSP
        MSPDir: orderer/msp

    - &Org1
        Name: Org1MSP
        ID: Org1MSP
        MSPDir: org1/peer/msp
        AnchorPeers:
            - Host: peer.org1.example.com
              Port: 17051
    - &Org2
        Name: Org2MSP
        ID: Org2MSP
        MSPDir: org2/peer/msp
        AnchorPeers:
            - Host: peer.org2.example.com
              Port: 27051            
Orderer: &OrdererDefaults
    OrdererType: solo
    Addresses:
        - orderer.example.com:7050
    BatchTimeout: 2s
    BatchSize:
        MaxMessageCount: 10
        AbsoluteMaxBytes: 99 MB
        PreferredMaxBytes: 512 KB
    Organizations:

Application: &ApplicationDefaults
    Organizations:
Jim Green

8 Answers

26

When I got this problem my solution was pretty simple: I had already started my network using

./byfn.sh -m up

forgot about it and was trying to start it first by generating the crypto and then using the same command. The problem was resolved as soon as I first downed the old network using

./byfn.sh -m down

and started again with the same up command.

VinodRasane
  • 1
    Most obvious solution yet everyone does not notice it. – nilakantha singh deo Aug 28 '18 at 19:49
  • 1
    The key here for me was adding the flags --volumes --remove-orphans to my original command to remove containers, which was docker-compose -f docker-compose-cli.yaml down. Thus the whole correct command was: docker-compose -f docker-compose-cli.yaml down --volumes --remove-orphans – Erik Sep 12 '18 at 15:37
  • this is the perfect solution – gandharv garg Sep 16 '18 at 17:13
  • It is a great solution, but I cannot use `./byfn.sh -m down` without removing network `net_byfn`, because it is active. If someone did not resolve the problem with `./byfn.sh -m down`, try to restart your docker and remove `net_byfn` then follow the answer again. – KC. Oct 16 '19 at 12:05
6

It could very well be a simple matter of the wrong path for a file. When you generated the mych.tx file, you wrote it to channel-artifacts/mych.tx, but when you tried to create the channel, you left out the channel-artifacts directory. You could try peer channel create -f channel-artifacts/mych.tx -o orderer.example.com:7050 -c mych

That said, I just had a similar problem with the same error. I was testing a newly created genesis block and crypto. In my case, it was the result of the previous crypto and channel being stored in a Docker volume from one of my previous tests. That may not be the case with you, since you said you are creating a new peer and orderer.

You can check on that by connecting to one of the peers (or cli container if you have one) with docker exec -it <container name> bash and then running peer channel list. If you get something like this back, then that's your problem:

root@4cf873123669:/opt/gopath/src/github.com/hyperledger/fabric/peer# peer channel list
2018-04-05 14:09:40.734 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing local MSP
2018-04-05 14:09:40.734 UTC [msp] GetDefaultSigningIdentity -> DEBU 002 Obtaining default signing identity
2018-04-05 14:09:40.739 UTC [channelCmd] InitCmdFactory -> INFO 003 Endorser and orderer connections initialized
2018-04-05 14:09:40.740 UTC [msp/identity] Sign -> DEBU 004 Sign: plaintext: 0AAE070A5C08031A0C08A4DC98D60510...631A0D0A0B4765744368616E6E656C73
2018-04-05 14:09:40.740 UTC [msp/identity] Sign -> DEBU 005 Sign: digest: 93EFB49DD86ABB5568DE1E2C8FC53FA99AB52929AFA24D7B317C270DE8CDC80B
Channels peers has joined:
mych
2018-04-05 14:09:40.743 UTC [main] main -> INFO 006 Exiting.....

If you don't see the mych listed under "Channels peers has joined:", then my answer is not pertinent to you. (But may be to someone else!)

Here is how you would restore your local Hyperledger Docker instance to a clean state:

docker-compose -f docker-compose.yaml down --volumes

The --volumes tells Docker to remove any volumes associated with the containers in the configuration file.

For good measure, I just wiped everything (all Docker containers and volumes - this was a test system) down to a blank slate and started the process all over:

docker-compose -f docker-compose.yaml down --volumes
docker rm $(docker ps -aq)
docker volume prune
rm genesis.block channel-artifacts/mych.tx

Once I removed those, and started the Fabric back up, I was able to create the channel without getting that error.

If it doesn't work, the last resort will be sudo service docker restart, which will restart all the Docker services like docker system, network and volumes.

Shalabh Negi
Patrick Gardella
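
An added example, not part of the answer above or of Fabric itself: a preflight for `peer channel create` that checks the two causes the answer names, a `.tx` path that does not exist and a channel the peer still holds from an earlier run. The function names and the sample output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: preflight for `peer channel create` covering the two causes
# named in the answer above (wrong .tx path, channel left over from an old run).
# Function names and the sample output are constructed for illustration.

# Print channel names found in `peer channel list` output read from stdin.
# Everything before the "Channels peers has joined:" header and every
# timestamped log line after it is skipped.
joined_channels() {
    awk '
        /^Channels peers has joined:/ { listing = 1; next }
        listing && /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] / { next }
        listing && NF { print $1 }
    '
}

# Succeed if channel $1 is already listed in the output on stdin.
channel_is_stale() {
    joined_channels | grep -qxF -- "$1"
}

# preflight CHANNEL TXFILE LISTFILE: report problems, return how many.
preflight() {
    pf_problems=0
    if [ ! -f "$2" ]; then
        echo "channel tx not found at '$2' (check the output directory)"
        pf_problems=$((pf_problems + 1))
    fi
    if channel_is_stale "$1" < "$3"; then
        echo "peer already holds channel '$1': state from an earlier run is still present"
        pf_problems=$((pf_problems + 1))
    fi
    return "$pf_problems"
}

# Constructed sample modelled on the `peer channel list` output quoted above.
sample_list_output() {
    cat <<'EOF'
2018-04-05 14:09:40.734 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing local MSP
2018-04-05 14:09:40.739 UTC [channelCmd] InitCmdFactory -> INFO 003 Endorser and orderer connections initialized
Channels peers has joined:
mych
2018-04-05 14:09:40.743 UTC [main] main -> INFO 006 Exiting.....
EOF
}

# Demo: prints "mych", the channel the sample peer still has from an earlier run.
sample_list_output | joined_channels
```

To use it against a real network, capture the list with `docker exec <container name> peer channel list > list.txt 2>&1` and run `preflight mych channel-artifacts/mych.tx list.txt` before creating the channel.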
2
configtxgen -profile TwoOrgsOrdererGenesis -outputBlock ./channel-artifacts/genesis.block -channelID $CHANNEL_NAME

While creating the genesis block you need to pass the syschannelname.

While creating the channel, use a different channel name.

E.g.: 1. sysmych 2. mych

Ravikumar
0

It would be clearer if you shared the debug log of the orderer. To enable debug, add

- ORDERER_GENERAL_LOGLEVEL=debug 

in your docker compose file under the orderer service, and start your network again. You can then print out the log using the command

docker logs CONTAINER_NAME --details

I suggest printing the log before and after running the create channel command.

MahmoudBC
0

I had the same error; it got resolved as below.

You may need to add the Go path also:

export GOPATH=$HOME/go
export PATH=$PATH:$GOPATH/bin

echo $GOPATH

followed by ./byfn.sh -m down if it was up earlier.
Reference: https://hyperledger-fabric.readthedocs.io/en/release-1.1/prereqs.html

Faysal Ahmed
  • If you are using Golang 1.14 (used in Hyperledger Fabric 2.2), beware setting `GOPATH`. This may cause issues due to the newer Go modules system: https://dev.to/maelvls/why-is-go111module-everywhere-and-everything-about-go-modules-24k - so use another var such as `gopath` instead. – RichVel Jul 24 '20 at 13:59
0

If any of the solutions on this page didn't work out for anyone then try removing your network from docker networks. View your docker networks by running docker network ls and remove your network by running docker network rm <network-name>.

Removing docker network worked out for me but I did this on a dev server.

Eric Aya
Kartik Chauhan
0

In my case the problem was with the permission as well as the network already being up (partially).

I had started with "./byfn.sh up" without using sudo, so I got the error the first time.

Next, I did "sudo su" then ran "./byfn up"; again I got the error.

Referring to one of the answers here, being a superuser I did "./byfn down" and then "./byfn up"; now, this worked for me.

Hem M
0

I have encountered this issue many times; I always use docker volume prune to solve it.

rtdoit