Hyperledger - MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority

Question

I am currently working from the hyperledger fabric-samples. I've successfully run first-network and fabcar based on available tutorials. I'm now trying to combine the two to make a network with 3 peers in a single org and use the node sdk to query, etc. A repo of my current fabric-samples dir is available here. I've been able to use byfn.sh to build the network, enrollAdmin.js, and registerUser.js. When attempting to query or invoke I have run into this issue:

Store path:/home/victor/fabric-samples/first-network/hfc-key-store
Successfully loaded user1 from persistence
Assigning transaction_id:  bc0240f672d075de2f84d50b292ed0e2214dacc0ef2888d0fa7e25d872a99b03
error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: 2 UNKNOWN: access denied: channel [mychannel] creator org [Org1MSP]
    at new createStatusError (/home/victor/fabric-samples/first-network/node_modules/grpc/src/client.js:64:15)
    at /home/victor/fabric-samples/first-network/node_modules/grpc/src/client.js:583:15
error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: 2 UNKNOWN: access denied: channel [mychannel] creator org [Org1MSP]
    at new createStatusError (/home/victor/fabric-samples/first-network/node_modules/grpc/src/client.js:64:15)
    at /home/victor/fabric-samples/first-network/node_modules/grpc/src/client.js:583:15
error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: 2 UNKNOWN: access denied: channel [mychannel] creator org [Org1MSP]
    at new createStatusError (/home/victor/fabric-samples/first-network/node_modules/grpc/src/client.js:64:15)
    at /home/victor/fabric-samples/first-network/node_modules/grpc/src/client.js:583:15
HERE
Transaction proposal was bad
Failed to send Proposal or receive valid response. Response null or status is not 200. exiting...
Failed to invoke successfully :: Error: Failed to send Proposal or receive valid response. Response null or status is not 200. exiting...

Using docker logs I looked at the logs for one of the peers and found this:

2018-04-24 19:05:09.370 UTC [msp] getMspConfig -> INFO 001 Loading NodeOUs
2018-04-24 19:05:09.392 UTC [nodeCmd] serve -> INFO 002 Starting peer:
 Version: 1.1.0
 Go version: go1.9.2
 OS/Arch: linux/amd64
 Experimental features: false
 Chaincode:
  Base Image Version: 0.4.6
  Base Docker Namespace: hyperledger
  Base Docker Label: org.hyperledger.fabric
  Docker Namespace: hyperledger

2018-04-24 19:05:09.392 UTC [ledgermgmt] initialize -> INFO 003 Initializing ledger mgmt
2018-04-24 19:05:09.393 UTC [kvledger] NewProvider -> INFO 004 Initializing ledger provider
2018-04-24 19:05:12.811 UTC [couchdb] CreateDatabaseIfNotExist -> INFO 005 Created state database _users
2018-04-24 19:05:13.215 UTC [couchdb] CreateDatabaseIfNotExist -> INFO 006 Created state database _replicator
2018-04-24 19:05:14.086 UTC [couchdb] CreateDatabaseIfNotExist -> INFO 007 Created state database _global_changes
2018-04-24 19:05:14.433 UTC [kvledger] NewProvider -> INFO 008 ledger provider Initialized
2018-04-24 19:05:14.433 UTC [ledgermgmt] initialize -> INFO 009 ledger mgmt initialized
2018-04-24 19:05:14.433 UTC [peer] func1 -> INFO 00a Auto-detected peer address: 172.18.0.9:7051
2018-04-24 19:05:14.433 UTC [peer] func1 -> INFO 00b Returning peer0.org1.example.com:7051
2018-04-24 19:05:14.433 UTC [peer] func1 -> INFO 00c Auto-detected peer address: 172.18.0.9:7051
2018-04-24 19:05:14.434 UTC [peer] func1 -> INFO 00d Returning peer0.org1.example.com:7051
2018-04-24 19:05:14.435 UTC [nodeCmd] computeChaincodeEndpoint -> INFO 00e Entering computeChaincodeEndpoint with peerHostname: peer0.org1.example.com
2018-04-24 19:05:14.436 UTC [nodeCmd] computeChaincodeEndpoint -> INFO 00f Exit with ccEndpoint: peer0.org1.example.com:7052
2018-04-24 19:05:14.436 UTC [nodeCmd] createChaincodeServer -> WARN 010 peer.chaincodeListenAddress is not set, using peer0.org1.example.com:7052
2018-04-24 19:05:14.436 UTC [eventhub_producer] start -> INFO 011 Event processor started
2018-04-24 19:05:14.437 UTC [chaincode] NewChaincodeSupport -> INFO 012 Chaincode support using peerAddress: peer0.org1.example.com:7052
2018-04-24 19:05:14.438 UTC [sccapi] registerSysCC -> INFO 013 system chaincode cscc(github.com/hyperledger/fabric/core/scc/cscc) registered
2018-04-24 19:05:14.438 UTC [sccapi] registerSysCC -> INFO 014 system chaincode lscc(github.com/hyperledger/fabric/core/scc/lscc) registered
2018-04-24 19:05:14.438 UTC [sccapi] registerSysCC -> INFO 015 system chaincode escc(github.com/hyperledger/fabric/core/scc/escc) registered
2018-04-24 19:05:14.438 UTC [sccapi] registerSysCC -> INFO 016 system chaincode vscc(github.com/hyperledger/fabric/core/scc/vscc) registered
2018-04-24 19:05:14.438 UTC [sccapi] registerSysCC -> INFO 017 system chaincode qscc(github.com/hyperledger/fabric/core/chaincode/qscc) registered
2018-04-24 19:05:14.440 UTC [gossip/service] func1 -> INFO 018 Initialize gossip with endpoint peer0.org1.example.com:7051 and bootstrap set [peer1.org1.example.com:7051]
2018-04-24 19:05:14.442 UTC [msp] DeserializeIdentity -> INFO 019 Obtaining identity
2018-04-24 19:05:14.444 UTC [gossip/discovery] NewDiscoveryService -> INFO 01a Started {peer0.org1.example.com:7051 [] [98 55 107 77 184 123 189 240 183 227 157 211 146 161 226 74 43 48 67 169 32 99 66 147 109 71 222 49 249 172 59 136] peer0.org1.example.com:7051 <nil>} incTime is 1524596714444440316
2018-04-24 19:05:14.444 UTC [gossip/gossip] NewGossipService -> INFO 01b Creating gossip service with self membership of {peer0.org1.example.com:7051 [] [98 55 107 77 184 123 189 240 183 227 157 211 146 161 226 74 43 48 67 169 32 99 66 147 109 71 222 49 249 172 59 136] peer0.org1.example.com:7051 <nil>}
2018-04-24 19:05:14.447 UTC [gossip/gossip] start -> INFO 01c Gossip instance peer0.org1.example.com:7051 started
2018-04-24 19:05:14.449 UTC [cscc] Init -> INFO 01d Init CSCC
2018-04-24 19:05:14.449 UTC [sccapi] deploySysCC -> INFO 01e system chaincode cscc/(github.com/hyperledger/fabric/core/scc/cscc) deployed
2018-04-24 19:05:14.449 UTC [sccapi] deploySysCC -> INFO 01f system chaincode lscc/(github.com/hyperledger/fabric/core/scc/lscc) deployed
2018-04-24 19:05:14.450 UTC [escc] Init -> INFO 020 Successfully initialized ESCC
2018-04-24 19:05:14.450 UTC [sccapi] deploySysCC -> INFO 021 system chaincode escc/(github.com/hyperledger/fabric/core/scc/escc) deployed
2018-04-24 19:05:14.450 UTC [sccapi] deploySysCC -> INFO 022 system chaincode vscc/(github.com/hyperledger/fabric/core/scc/vscc) deployed
2018-04-24 19:05:14.451 UTC [qscc] Init -> INFO 023 Init QSCC
2018-04-24 19:05:14.451 UTC [sccapi] deploySysCC -> INFO 024 system chaincode qscc/(github.com/hyperledger/fabric/core/chaincode/qscc) deployed
2018-04-24 19:05:14.451 UTC [nodeCmd] initSysCCs -> INFO 025 Deployed system chaincodes
2018-04-24 19:05:14.451 UTC [nodeCmd] serve -> INFO 026 Starting peer with ID=[name:"peer0.org1.example.com" ], network ID=[dev], address=[peer0.org1.example.com:7051]
2018-04-24 19:05:14.452 UTC [nodeCmd] serve -> INFO 027 Started peer with ID=[name:"peer0.org1.example.com" ], network ID=[dev], address=[peer0.org1.example.com:7051]
2018-04-24 19:05:14.452 UTC [nodeCmd] func7 -> INFO 028 Starting profiling server with listenAddress = 0.0.0.0:6060
2018-04-24 19:05:16.371 UTC [ledgermgmt] CreateLedger -> INFO 029 Creating ledger [mychannel] with genesis block
2018-04-24 19:05:16.409 UTC [fsblkstorage] newBlockfileMgr -> INFO 02a Getting block information from block storage
2018-04-24 19:05:16.757 UTC [couchdb] CreateDatabaseIfNotExist -> INFO 02b Created state database mychannel_
2018-04-24 19:05:16.945 UTC [kvledger] CommitWithPvtData -> INFO 02c Channel [mychannel]: Committed block [0] with 1 transaction(s)
2018-04-24 19:05:17.557 UTC [ledgermgmt] CreateLedger -> INFO 02d Created ledger [mychannel] with genesis block
2018-04-24 19:05:17.626 UTC [cscc] Init -> INFO 02e Init CSCC
2018-04-24 19:05:17.627 UTC [sccapi] deploySysCC -> INFO 02f system chaincode cscc/mychannel(github.com/hyperledger/fabric/core/scc/cscc) deployed
2018-04-24 19:05:17.628 UTC [sccapi] deploySysCC -> INFO 030 system chaincode lscc/mychannel(github.com/hyperledger/fabric/core/scc/lscc) deployed
2018-04-24 19:05:17.628 UTC [escc] Init -> INFO 031 Successfully initialized ESCC
2018-04-24 19:05:17.628 UTC [sccapi] deploySysCC -> INFO 032 system chaincode escc/mychannel(github.com/hyperledger/fabric/core/scc/escc) deployed
2018-04-24 19:05:17.629 UTC [sccapi] deploySysCC -> INFO 033 system chaincode vscc/mychannel(github.com/hyperledger/fabric/core/scc/vscc) deployed
2018-04-24 19:05:17.629 UTC [qscc] Init -> INFO 034 Init QSCC
2018-04-24 19:05:17.629 UTC [sccapi] deploySysCC -> INFO 035 system chaincode qscc/mychannel(github.com/hyperledger/fabric/core/chaincode/qscc) deployed
2018-04-24 19:05:27.629 UTC [deliveryClient] try -> WARN 036 Got error: rpc error: code = Canceled desc = context canceled , at 1 attempt. Retrying in 1s
2018-04-24 19:05:27.629 UTC [blocksProvider] DeliverBlocks -> WARN 037 [mychannel] Receive error: Client is closing
2018-04-24 19:05:28.925 UTC [gossip/service] updateEndpoints -> WARN 038 Failed to update ordering service endpoints, due to Channel with mychannel id was not found
2018-04-24 19:05:29.302 UTC [kvledger] CommitWithPvtData -> INFO 039 Channel [mychannel]: Committed block [1] with 1 transaction(s)
2018-04-24 19:05:33.013 UTC [couchdb] CreateDatabaseIfNotExist -> INFO 03a Created state database mychannel_lscc
2018-04-24 19:05:33.016 UTC [lscc] executeInstall -> INFO 03b Installed Chaincode [fabcar] Version [1.0] to peer
2018-04-24 19:05:34.803 UTC [golang-platform] GenerateDockerBuild -> INFO 03c building chaincode with ldflagsOpt: '-ldflags "-linkmode external -extldflags '-static'"'
2018-04-24 19:05:34.804 UTC [golang-platform] GenerateDockerBuild -> INFO 03d building chaincode with tags: 
2018-04-24 19:06:06.351 UTC [cceventmgmt] HandleStateUpdates -> INFO 03e Channel [mychannel]: Handling LSCC state update for chaincode [fabcar]
2018-04-24 19:06:06.868 UTC [couchdb] CreateDatabaseIfNotExist -> INFO 03f Created state database mychannel_fabcar
2018-04-24 19:06:07.278 UTC [kvledger] CommitWithPvtData -> INFO 040 Channel [mychannel]: Committed block [2] with 1 transaction(s)
2018-04-24 19:06:15.476 UTC [protoutils] ValidateProposalMessage -> WARN 041 channel [mychannel]: MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority
2018-04-24 19:06:15.689 UTC [protoutils] ValidateProposalMessage -> WARN 042 channel [mychannel]: MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority

These errors lead me to believe I have the certificates configured incorrectly, but searching for information on the issue hasn't been fruitful so far. How can I locate the source of this error? I'll post my docker-compose-cli.yaml here:

# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#

version: '2'

volumes:
  orderer.example.com:
  ca.example.com:
  peer0.org1.example.com:
  peer1.org1.example.com:
  peer2.org1.example.com:

networks:
  byfn:

services:

  ca.example.com:
    image: hyperledger/fabric-ca:x86_64-1.1.0
    environment:
      - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server
      - FABRIC_CA_SERVER_CA_NAME=ca.example.com
      - FABRIC_CA_SERVER_CA_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.example.com-cert.pem
      - FABRIC_CA_SERVER_CA_KEYFILE=/etc/hyperledger/fabric-ca-server-config/4239aa0dcd76daeeb8ba0cda701851d14504d31aad1b2ddddbac6a57365e497c_sk
    ports:
      - "7054:7054"
    command: sh -c 'fabric-ca-server start -b admin:adminpw -d'
    volumes:
      - ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config
    container_name: ca.example.com
    networks:
      - byfn

  orderer.example.com:
    extends:
      file:   base/docker-compose-base.yaml
      service: orderer.example.com
    container_name: orderer.example.com
    networks:
      - byfn

  peer0.org1.example.com:
    container_name: peer0.org1.example.com
    extends:
      file:  base/docker-compose-base.yaml
      service: peer0.org1.example.com
    depends_on:
      - orderer.example.com
      - couchdb0
    networks:
      - byfn

  peer1.org1.example.com:
    container_name: peer1.org1.example.com
    extends:
      file:  base/docker-compose-base.yaml
      service: peer1.org1.example.com
    depends_on:
      - orderer.example.com
      - couchdb1
    networks:
      - byfn

  peer2.org1.example.com:
    container_name: peer2.org1.example.com
    extends:
      file:  base/docker-compose-base.yaml
      service: peer2.org1.example.com
    depends_on:
      - orderer.example.com
      - couchdb2
    networks:
      - byfn

  couchdb0:
    container_name: couchdb0
    image: hyperledger/fabric-couchdb
    # Populate the COUCHDB_USER and COUCHDB_PASSWORD to set an admin user and password
    # for CouchDB.  This will prevent CouchDB from operating in an "Admin Party" mode.
    environment:
      - COUCHDB_USER=
      - COUCHDB_PASSWORD=
    ports:
      - 5984:5984
    networks:
      - byfn

  couchdb1:
    container_name: couchdb1
    image: hyperledger/fabric-couchdb
    # Populate the COUCHDB_USER and COUCHDB_PASSWORD to set an admin user and password
    # for CouchDB.  This will prevent CouchDB from operating in an "Admin Party" mode.
    environment:
      - COUCHDB_USER=
      - COUCHDB_PASSWORD=
    ports:
      - 6984:5984
    networks:
      - byfn

  couchdb2:
    container_name: couchdb2
    image: hyperledger/fabric-couchdb
    # Populate the COUCHDB_USER and COUCHDB_PASSWORD to set an admin user and password
    # for CouchDB.  This will prevent CouchDB from operating in an "Admin Party" mode.
    environment:
      - COUCHDB_USER=
      - COUCHDB_PASSWORD=
    ports:
      - 7984:5984
    networks:
      - byfn            

  cli:
    container_name: cli
    image: hyperledger/fabric-tools:$IMAGE_TAG
    tty: true
    stdin_open: true
    environment:
      - GOPATH=/opt/gopath
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      #- CORE_LOGGING_LEVEL=DEBUG
      - CORE_LOGGING_LEVEL=INFO
      - CORE_PEER_ID=cli
      - CORE_PEER_ADDRESS=peer0.org1.example.com:7051
      - CORE_PEER_LOCALMSPID=Org1MSP
      - CORE_PEER_TLS_ENABLED=false
      - CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
      - CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
    command: /bin/bash
    volumes:
        - /var/run/:/host/var/run/
        - ./../chaincode/:/opt/gopath/src/github.com/chaincode
        - ./crypto-config:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/
        - ./scripts:/opt/gopath/src/github.com/hyperledger/fabric/peer/scripts/
        - ./channel-artifacts:/opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts
    depends_on:
      - orderer.example.com
      - peer0.org1.example.com
      - peer1.org1.example.com
      - peer2.org1.example.com
    networks:
      - byfn

Answer 1

your sdk is getting certificate from a CA which is not configured properly.

Suggestions:

1-> Check that your CA server is getting started with correct pem file.

2-> Correct _sk (private key)

If you are using cryptogen then both of the above file you will get inside corresponding organisation folder provide the correct file to bootstrap CA . It will work fine.

Answer 2

You must go to the container that is complaining about that certificates, open the corresponding terminal and add the CA authorities certificate to the system's trusted CA repository like this, for example.

In ubuntu:

1. Go to /usr/local/share/ca-certificates/
2. Create a new folder, i.e. "sudo mkdir HyperledgerCerts"
3. Copy the .crt file into the "HyperledgerCerts" folder
4. Make sure the permissions are OK (755 for the folder, 644 for the file)
5. Run "sudo update-ca-certificates"

This should solve the problem.
Hope this helps

Answer 3

Make sure that FABRIC_CA_CLIENT_HOME is set to the correct directory, especially when using fabric-ca-client outside docker containers.

For example, before calling fabric-ca-client register or fabric-ca-client enroll, you should set

export FABRIC_CA_CLIENT_HOME=/path/to/organizations/peerOrganizations/org1.example.com/