Error: access denied for [JoinChain][mychannel]: [Failed verifying proposal's creator satisfies MSP policy [Admins]: [This identity is not an admin]]

Question

joinChannel.js gives the following error:

Successfully loaded peeradmin from persistence
{ block:
   { header:
      { number: [Object],
        previous_hash: [Object],
        data_hash: [Object] },
     data: { data: [Array] },
     metadata: { metadata: [Array] } } }
error: [client-utils.js]: sendPeersProposal - Promise is rejected: Error: access denied for [JoinChain][mychannel]: [Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin]]
not good

Exactly, what is the error complaining about? I am having trouble pinpointing whether it's the peer admin private key, peer admin cert, peer tls cert, or some other configuration. I took the peer admin cert and added it to the IBP dashboard and did "Sync Certificates". What some things to check to make sure I am indeed specifying the correct credentials for the admin?

var Fabric_Client = require('fabric-client');
var path = require('path');
var fs = require('fs');

var fabric_client = new Fabric_Client();

var ordererTLSCert = fs.readFileSync('./orderercert.pem');

var peerAdminKey = Buffer.from(fs.readFileSync('./keystore-1.pem')).toString();
// var peerAdminCert =  Buffer.from(fs.readFileSync('./admincert-1.pem')).toString()
var peerAdminCert = Buffer.from(fs.readFileSync('./signcert-1.pem')).toString();

fabric_client.setAdminSigningIdentity(peerAdminKey, peerAdminCert, 'org2');

var channel = fabric_client.newChannel('mychannel');
var peer = fabric_client.newPeer('grpcs://169.xx.xx.xx:xxxxx', {
  pem: peerTlsCert,
  'ssl-target-name-override': null,
});
var orderer = fabric_client.newOrderer(
  'grpcs://nfxxx-orderer.us08.blockchain.ibm.com:xxxxx',
  {
    pem: Buffer.from(ordererTLSCert).toString(),
    'ssl-target-name-override': null,
  }
);

channel.addPeer(peer);
channel.addOrderer(orderer);

var tx_id = null;

tx_id = fabric_client.newTransactionID(true);
let g_request = {
  txId: tx_id,
  // orderer,
};
channel
  .getGenesisBlock(g_request)
  .then(block => {
    console.log({ block });
    tx_id = fabric_client.newTransactionID(true);
    let j_request = {
      targets: peer,
      block,
      txId: tx_id,
    };
    return channel.joinChannel(j_request, 30000);
  })
  .then(results => {
    console.log(results);
    if (results && results[0].response && results[0].response.status == 200) {
      // good
      console.log('good');
    } else {
      console.log('not good');
      // not good
    }
  })
  .catch(err => {
    console.error(err);
  });

score 2 · Accepted Answer · answered Feb 26 '19 at 08:58

2

When you join a peer to a channel, the transaction needs to be signed using the peer local admin. The local admin is identified by its certificate residing in the peer's msp/admincerts folder.

answered Feb 26 '19 at 08:58

yacovm

5,120
1
11
21

I tried to ssh into my peer and went to its `certs/msp/` folder. There I pulled out `/admincerts/admincert-1.pem` and `/keystore/keystore-1.pem`. I would imagine these would be the correct credentials for `signedCertPEM` and `privateKeyPEM`. This gives the error `error: [Orderer.js]: sendDeliver - rejecting - status:FORBIDDEN Error: Invalid results returned ::FORBIDDEN`. When I swap out the `/admincerts/admincert-1.pem` for `/signcerts/signcert-1.pem`, I get the original error `[This identity is not an admin]]`. The credentials came straight from peer, so I am wondering why it says not admin. – atkayla Feb 26 '19 at 17:49
No... the keystore contains the private key of the *peer*, not the admin ;) otherwise the peer could administer itself, right? You need the private key of the admin that corresponds to the certificate of the admin in the admincerts. Try to find the private key of the admin.... if you can't locate it i can try to help on http://chat.hyperledger.org/ – yacovm Feb 26 '19 at 19:19
1

This was a total mess, but I got it. My script generated admincert X and private key X'. I deployed my peer with admincert X. Then I made changes to my script and ran it again, and it ended up throwing away X and X' to generate new admincert Y and private key Y'. This whole time, I was trying to join the peer with attempts of X or Y with Y' (private key X' got thrown away so it was lost). I kept things straight this time and deployed a new peer with Z, and joined the peer with Z and Z', and it was successful! Thank you so much!! – atkayla Feb 26 '19 at 20:29

score 0 · Answer 2 · answered Feb 26 '19 at 11:30

0

Try this:

 tx_id = fabric_client.newTransactionID(true);

You need admin privileges to create or join to a channel

answered Feb 26 '19 at 11:30

Alexander Yammine

548
1
5
14

Unfortunately still getting `[This identity is not an admin]`. – atkayla Feb 26 '19 at 17:53

Error: access denied for [JoinChain][mychannel]: [Failed verifying proposal's creator satisfies MSP policy [Admins]: [This identity is not an admin]]

2 Answers2