
I am running Hyperledger Fabric 2.1 and I would like to deploy a 2-organization network in a multi-host environment. Following the tutorial I am running the following:

I generate all the artifacts with the following:

cryptogen generate --config=./crypto-config.yaml
configtxgen -profile TwoOrgsOrdererGenesis -outputBlock ./channel-artifacts/genesis.block --channelID system-channel
configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/mychannel.tx -channelID mychannel

Then from cli (setting peer0.org1 as target)

peer channel create -t 10s -o <orderer_host>:7050 -c mychannel -f ./channel-artifacts/channel.tx --outputBlock ./channel-artifacts/${CHANNEL_NAME}.block --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA

And this returns as expected (even in the orderer logs everything is ok). After that I try to join the newly created channel with the same peer:

CORE_PEER_LOCALMSPID=Org1MSP
CORE_PEER_ID=cli
CORE_PEER_ADDRESS=peer0.org1.example.com:7051
CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
CORE_PEER_TLS_ENABLED=true
CORE_VM_DOCKER_HOSTCONFIG_MEMORY=536870912
peer channel join -b ./channel-artifacts/mychannel.block
2020-06-17 15:33:13.592 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2020-06-17 15:33:13.745 UTC [channelCmd] executeJoin -> INFO 002 Successfully submitted proposal to join channel

Everything seems ok, and even when I check with the peer channel command I get a positive answer:

peer channel list
2020-06-17 15:34:26.535 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Channels peers has joined: 
mychannel

However, when I inspect the orderer logs I get the following every couple of seconds:

2020-06-17 15:47:07.539 UTC [common.deliver] deliverBlocks -> WARN 03b [channel: mychannel] Client authorization revoked for deliver request from 10.0.1.84:50014: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2020-06-17 15:47:07.539 UTC [comm.grpc.server] 1 -> INFO 03c streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=10.0.1.84:50014 grpc.code=OK grpc.call_duration=9.310607ms

While in the peer logs I get the following:

2020-06-17 15:48:07.259 UTC [peer.blocksprovider] func1 -> WARN 06b Encountered an error reading from deliver stream: EOF channel=mychannel orderer-address=orderer.ptunstad.no:7050
2020-06-17 15:48:07.259 UTC [peer.blocksprovider] DeliverBlocks -> WARN 06c Got error while attempting to receive blocks: received bad status FORBIDDEN from orderer channel=mychannel orderer-address=orderer.ptunstad.no:7050

Any idea what I might be missing?

EDIT

I add here the configs used to generate the initial artifacts:

crypto-config.yaml

OrdererOrgs:
  - Name: Orderer
    Domain: example.com
    Specs:
      - Hostname: orderer
PeerOrgs:
  - Name: Org1
    Domain: org1.example.com
    Template:
      Count: 2 
    Users:
      Count: 2
  - Name: Org2
    Domain: org2.example.com
    Template:
      Count: 2
    Users:
      Count: 2

Here is configtx.yaml

Organizations:
    - &OrdererOrg
        Name: OrdererOrg

        ID: OrdererMSP

        MSPDir: ../crypto-config/ordererOrganizations/example.com/msp

        Policies:
            Readers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('OrdererMSP.admin')"

        OrdererEndpoints:
            - orderer.example.com:7050

    - &Org1
        Name: Org1MSP

        ID: Org1MSP

        MSPDir: ../crypto-config/peerOrganizations/org1.example.com/msp

        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org1MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('Org1MSP.peer')"

        AnchorPeers:
            - Host: peer0.org1.example.com
              Port: 7051

    - &Org2
        Name: Org2MSP

        ID: Org2MSP

        MSPDir: ../crypto-config/peerOrganizations/org2.example.com/msp

        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org2MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('Org2MSP.peer')"

        AnchorPeers:
            - Host: peer0.org2.example.com
              Port: 9051

Capabilities:
    Channel: &ChannelCapabilities
        V2_0: true

    Orderer: &OrdererCapabilities
        V2_0: true

    Application: &ApplicationCapabilities
        V2_0: true

Application: &ApplicationDefaults

    Organizations:

    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        LifecycleEndorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"
        Endorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"

    Capabilities:
        <<: *ApplicationCapabilities

Orderer: &OrdererDefaults

    OrdererType: etcdraft

    Addresses:
        - orderer.example.com:7050

    EtcdRaft:
        Consenters:
        - Host: orderer.example.com
          Port: 7050
          ClientTLSCert: ../crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
          ServerTLSCert: ../crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
    BatchTimeout: 2s
    BatchSize:

        MaxMessageCount: 10

        AbsoluteMaxBytes: 99 MB

        PreferredMaxBytes: 512 KB

    Organizations:


    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"

Channel: &ChannelDefaults
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    Capabilities:
        <<: *ChannelCapabilities

Profiles:

    TwoOrgsOrdererGenesis:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            Organizations:
                - *OrdererOrg
            Capabilities:
                <<: *OrdererCapabilities
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *Org1
                    - *Org2
    TwoOrgsChannel:
        Consortium: SampleConsortium
        <<: *ChannelDefaults
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *Org1
                - *Org2
            Capabilities:
                <<: *ApplicationCapabilities
  • I hope the channel you are creating has the peer MSP information in the channel genesis block, or at least you have added the peer organization to the channel in the following step. If that is so, could you verify that the channel MSP certificates for the peer organization and orderer organization are correctly placed? You can try and fetch the channel's latest block, decode it to JSON and get all of that info. – Chintan Rajvir Jun 18 '20 at 11:18
  • @ChintanRajvir thanks for your answer. Since I don't completely understand your question I updated the question with details on the initial artifacts and how I generated them – rakwaht Jun 18 '20 at 12:33
  • @ChintanRajvir notice that if I try to `peer channel fetch` I get `Expect block, but got status: &{FORBIDDEN}` – rakwaht Jun 18 '20 at 13:12
  • I think the issue is with the peer organization TLS certificates. In the crypto-config file you mentioned the domain name to be `org1.ptunstad.no` but your host name for the peer node looks like `peer0.org1.example.com`, which will invalidate the IP SANs as far as I am sure. I think you should deploy nodes with the same domain as the one for which you are issuing the certificates. – Chintan Rajvir Jun 18 '20 at 13:21
  • Plus, it looks like you are using crypto files from `../crypto-config/peerOrganizations/org1.example.com/msp` and generating certificates for `org1.ptunstad.no`, which means you are not picking up the latest certificate chain generated by `cryptogen`. – Chintan Rajvir Jun 18 '20 at 13:23
  • Sorry @ChintanRajvir, I edited it now. This error is due to poor sanitization of the code to be pasted on SO. Now everything is ok (I assure you I generated the certificates with the correct name) – rakwaht Jun 18 '20 at 13:26

1 Answer

It is a problem in the organization permissions. Following this answer on SO I changed my permissions in the configtx.yaml as follows:

- &Org1
    Name: Org1MSP

    ID: Org1MSP

    MSPDir: crypto-config/peerOrganizations/org1.example.com/msp

    Policies:
        Readers:
            Type: Signature
            Rule: "OR('Org1MSP.member')"
        Writers:
            Type: Signature
            Rule: "OR('Org1MSP.member')"
        Admins:
            Type: Signature
            Rule: "OR('Org1MSP.admin')"

    AnchorPeers:
        - Host: peer0.org1.example.com
          Port: 7051

- &Org2
    Name: Org2MSP

    ID: Org2MSP

    MSPDir: crypto-config/peerOrganizations/org2.example.com/msp

    Policies:
        Readers:
            Type: Signature
            Rule: "OR('Org2MSP.member')"
        Writers:
            Type: Signature
            Rule: "OR('Org2MSP.member')"
        Admins:
            Type: Signature
            Rule: "OR('Org2MSP.admin')"

    AnchorPeers:
        - Host: peer0.org2.example.com
          Port: 9051
  • @ChintanRajvir this solves my problem, however I still don't get why my previous setup doesn't work (which was fine-grained and therefore better) – rakwaht Jun 18 '20 at 13:46
  • Because OrgMSP.member allows any identity under the "OrgMSP" to get the access. However, in the above fine-grained access, you must have the correct OU identifier in the certificate that is trying to perform that operation. – Chintan Rajvir Jun 18 '20 at 14:22
  • @ChintanRajvir I understand that, however it is not clear to me how I can set the correct OU in the certificates. When I generate them with crypto-config I don't see any setting to specify what is a peer/admin/client – rakwaht Jun 18 '20 at 14:42
  • @rakwaht try generating certificate using openssl. There you can mention the correct OUs as well. – Aditya Arora Jun 19 '20 at 11:27
  • `cryptogen` is only for testing environments. I would say go with Fabric CA or an external established CA for production environments. – Chintan Rajvir Jun 19 '20 at 11:39
  • @AdityaArora and ChintanRajvir thanks for your useful insight. Hopefully this discussion will help others in the community – rakwaht Jun 19 '20 at 12:36
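The orderer's "0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies" message and the comment about OU identifiers can be reproduced with a small model of how Fabric evaluates a Signature rule inside an ImplicitMeta policy. This is an added example, not code from the question or from Fabric itself; it collapses the Channel/Application/org policy nesting into one "ANY Readers" over the organization sub-policies, and the `Identity` fields (`ous`, `node_ous`, `in_admincerts`) are a simplified stand-in for what the MSP reads from the X.509 certificate and its config.yaml.

```python
"""Simplified model of Fabric's Signature / ImplicitMeta policy evaluation (added
example, not Fabric's code); NodeOU and admincerts handling is simplified."""
import re
from dataclasses import dataclass, field

ROLES = {"member", "admin", "peer", "client", "orderer"}
@dataclass
class Identity:
    mspid: str
    ous: set = field(default_factory=set)  # role OUs in the cert subject, e.g. {"peer"}
    node_ous: bool = False                 # NodeOUs enabled in the MSP's config.yaml
    in_admincerts: bool = False            # cert listed in the MSP's admincerts folder

def principal_matches(principal: str, ident: Identity) -> bool:
    """Does ident satisfy a principal such as 'Org1MSP.peer'?"""
    mspid, role = principal.split(".")
    if mspid != ident.mspid or role not in ROLES:
        return False
    if role == "member":
        return True                        # any valid identity of that MSP
    if role == "admin" and not ident.node_ous:
        return ident.in_admincerts         # classic admin check without NodeOUs
    # peer / client / orderer (and admin with NodeOUs) are classified by OU only
    return ident.node_ous and role in ident.ous

def eval_signature(rule: str, ident: Identity) -> bool:
    """Evaluate a flat OR(...) / AND(...) Signature rule as written in configtx.yaml."""
    op = rule.split("(", 1)[0].strip()
    hits = [principal_matches(p, ident) for p in re.findall(r"'([^']+)'", rule)]
    return any(hits) if op == "OR" else all(hits)

def eval_implicit_meta(rule: str, org_policies: dict, ident: Identity):
    """'ANY Readers' over {org: {'Readers': signature_rule}}; returns (ok, reason)."""
    quant, name = rule.split()
    satisfied = sum(eval_signature(p[name], ident) for p in org_policies.values())
    need = {"ANY": 1, "MAJORITY": len(org_policies) // 2 + 1, "ALL": len(org_policies)}[quant]
    if satisfied >= need:
        return True, "ok"
    return False, (f"implicit policy evaluation failed - {satisfied} sub-policies were "
                   f"satisfied, but this policy requires {need} of the '{name}' sub-policies")
# Readers sub-policies from the question (fine-grained) and the answer (member-only).
FINE_GRAINED = {"Org1MSP": {"Readers": "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"},
                "Org2MSP": {"Readers": "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"}}
MEMBER_ONLY = {"Org1MSP": {"Readers": "OR('Org1MSP.member')"},
               "Org2MSP": {"Readers": "OR('Org2MSP.member')"}}
# Constructed identities for peer0.org1: cryptogen output without EnableNodeOUs carries
# no role OU (so 'Org1MSP.peer' can never match); with EnableNodeOUs the cert has OU=peer.
PEER_NO_OU = Identity("Org1MSP")
PEER_WITH_OU = Identity("Org1MSP", {"peer"}, node_ous=True)
```

With cryptogen, setting `EnableNodeOUs: true` under each PeerOrgs entry in crypto-config.yaml makes it emit the role OUs and the MSP's NodeOUs config.yaml, so the fine-grained Readers rule from the question can be kept instead of widening it to `.member`.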