kctam / 4host-swarm

Deploy multi-host First Network (using Fabric v2.2)

Access denied: channel [] creator org unknown, creator is malformed) #2

Open DavidCasalod opened 1 year ago

DavidCasalod commented 1 year ago

When I run the mychannelup.sh script, only host 1 joins. I get this error in host 2:

Logs peer0.org1:

2023-07-10 10:22:50.718 UTC [core.comm] ServerHandshake -> ERRO 091 Server TLS handshake failed in 2.660529ms with error remote error: tls: bad certificate server=PeerServer remoteaddress=10.0.2.213:42642
2023-07-10 10:22:52.917 UTC [gossip.comm] authenticateRemotePeer -> WARN 092 Identity store rejected 10.0.2.213:9051 : failed classifying identity: Unable to extract msp.Identity from peer Identity: Peer Identity {"CN":"peer0.org1.example.com","Issuer-CN":"ca.org1.example.com","Issuer-L-ST-C":"[San Francisco]-[]-[US]","Issuer-OU":["COP"],"L-ST-C":"[San Francisco]-[]-[US]","MSP":"Org2MSP","OU":["COP"]} cannot be validated. No MSP found able to do that.

Logs orderer:

2023-07-10 10:20:35.420 UTC [common.deliver] deliverBlocks -> WARN 05c [channel: mychannel] Rejecting deliver request for 10.0.2.209:55046 because of consenter error

Logs peer0.org2:

2023-07-10 10:33:35.257 UTC 0159 WARN [gossip.discovery] func1 -> Could not connect to Endpoint: peer0.org1.example.com:7051, InternalEndpoint: peer0.org1.example.com:7051, PKI-ID: , Metadata: : context deadline exceeded
2023-07-10 10:33:43.340 UTC 015a INFO [comm.grpc.server] 1 -> unary call completed grpc.service=gossip.Gossip grpc.method=Ping grpc.request_deadline=2023-07-10T10:33:45.339Z grpc.peer_address=10.0.2.208:45552 grpc.peer_subject="CN=peer0.org1.example.com,L=San Francisco,ST=California,C=US" grpc.code=OK grpc.call_duration=158.375µs
2023-07-10 10:33:43.343 UTC 015b WARN [gossip.comm] authenticateRemotePeer -> Identity store rejected 10.0.2.208:45552 : failed classifying identity: Unable to extract msp.Identity from peer Identity: Peer Identity {"CN":"peer0.org1.example.com","Issuer-CN":"ca.org1.example.com","Issuer-L-ST-C":"[San Francisco]-[]-[US]","Issuer-OU":null,"L-ST-C":"[San Francisco]-[]-[US]","MSP":"Org1MSP","OU":["peer"]} cannot be validated. No MSP found able to do that.
2023-07-10 10:33:43.343 UTC 015c ERRO [gossip.comm] GossipStream -> Authentication failed: failed classifying identity: Unable to extract msp.Identity from peer Identity: Peer Identity {"CN":"peer0.org1.example.com","Issuer-CN":"ca.org1.example.com","Issuer-L-ST-C":"[San Francisco]-[]-[US]","Issuer-OU":null,"L-ST-C":"[San Francisco]-[]-[US]","MSP":"Org1MSP","OU":["peer"]} cannot be validated. No MSP found able to do that.
2023-07-10 10:33:43.343 UTC 015d INFO [comm.grpc.server] 1 -> streaming call completed grpc.service=gossip.Gossip grpc.method=GossipStream grpc.request_deadline=2023-07-10T10:33:53.341Z grpc.peer_address=10.0.2.208:45552 grpc.peer_subject="CN=peer0.org1.example.com,L=San Francisco,ST=California,C=US" error="failed classifying identity: Unable to extract msp.Identity from peer Identity: Peer Identity {\"CN\":\"peer0.org1.example.com\",\"Issuer-CN\":\"ca.org1.example.com\",\"Issuer-L-ST-C\":\"[San Francisco]-[]-[US]\",\"Issuer-OU\":null,\"L-ST-C\":\"[San Francisco]-[]-[US]\",\"MSP\":\"Org1MSP\",\"OU\":[\"peer\"]} cannot be validated. No MSP found able to do that." grpc.code=Unknown grpc.call_duration=1.453263ms
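
Added example, not part of the original issue or of the repository's code: a small triage script for the gossip rejections quoted above. It pulls the `Peer Identity` JSON out of each "Identity store rejected" line and separates identities whose claimed MSP ID does not match the issuing CA from those whose names agree but still fail validation. The function name `triage`, the verdict labels and the `OrgNMSP` / `ca.orgN.example.com` naming convention are assumptions taken from this sample network; the sample lines are shortened copies of the logs in the post.

```python
import json
import re
from collections import Counter

# Constructed sample: gossip lines shortened from the logs quoted in the issue.
SAMPLE_LOG = r'''
2023-07-10 10:22:52.917 UTC [gossip.comm] authenticateRemotePeer -> WARN 092 Identity store rejected 10.0.2.213:9051 : failed classifying identity: Unable to extract msp.Identity from peer Identity: Peer Identity {"CN":"peer0.org1.example.com","Issuer-CN":"ca.org1.example.com","MSP":"Org2MSP","OU":["COP"]} cannot be validated. No MSP found able to do that.
2023-07-10 10:33:43.343 UTC 015b WARN [gossip.comm] authenticateRemotePeer -> Identity store rejected 10.0.2.208:45552 : failed classifying identity: Unable to extract msp.Identity from peer Identity: Peer Identity {"CN":"peer0.org1.example.com","Issuer-CN":"ca.org1.example.com","Issuer-OU":null,"MSP":"Org1MSP","OU":["peer"]} cannot be validated. No MSP found able to do that.
2023-07-10 10:33:43.340 UTC 015a INFO [comm.grpc.server] 1 -> unary call completed grpc.service=gossip.Gossip grpc.method=Ping grpc.code=OK
'''

REJECT = re.compile(
    r"Identity store rejected (\S+) : .*?Peer Identity (\{.*?\}) cannot be validated"
)


def triage(log_text):
    """Count rejected gossip identities as (remote, CN, MSP, issuer, verdict)."""
    findings = Counter()
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue
        try:
            ident = json.loads(m.group(2))
        except json.JSONDecodeError:
            continue  # escaped or truncated copy of the identity, skip it
        msp = ident.get("MSP") or ""
        issuer = ident.get("Issuer-CN") or ""
        # Assumed naming convention: "Org2MSP" -> "org2", "ca.org1.example.com" -> "org1".
        claimed_org = re.sub(r"msp$", "", msp.lower())
        labels = issuer.lower().split(".")
        issuing_org = labels[1] if len(labels) > 1 else ""
        if claimed_org != issuing_org:
            # The sender presents a cert from one org under another org's MSP ID:
            # check CORE_PEER_LOCALMSPID and the mounted msp directory on that peer.
            verdict = "msp-issuer-mismatch"
        else:
            # Names agree: check that the rejecting peer knows this MSP and holds
            # the same CA certificate as the one that issued the identity.
            verdict = "consistent-names-untrusted"
        findings[(m.group(1), ident.get("CN"), msp, issuer, verdict)] += 1
    return findings


if __name__ == "__main__":
    for key, count in triage(SAMPLE_LOG).items():
        print(count, *key)
```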

dkanavaris commented 11 months ago

Hello, did you manage to find any solution to this? I have the same problem.

dc-atos-dev commented 11 months ago

Hi, I'm David again. No, I'm still stuck with TLS issues. Have you managed to make any progress? Any help would be appreciated, thank you!

dkanavaris commented 11 months ago

In host 1, issue the following command:

docker exec cli peer version

If the version is 2.5.3 (latest), then in the hostn.yaml files add this

- CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/msp

as an environment variable to each peer. Alternatively, when spinning up the containers, try to use the 2.4.9 image instead of latest (replace latest with 2.4.9). Both of the solutions worked for me, but I went with the first since it uses the latest version.

dc-atos-dev commented 11 months ago

Hi, thanks for the info.

Should I also modify this in the host1.yaml?

And should I add it as an environment variable inside of the peers? Because I only have one cli container in the host1 and I don't have it in the rest of the hostn.yaml.

Do you have your code in a public repo?

dkanavaris commented 11 months ago

- CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/msp should be added in the environment variables of each peer, not the cli. My code is not in a public repo, but here is a snippet of how each peer should be configured:

  peer0.org1.example.com:
    container_name: peer0.org1.example.com
    extends:
      file:  base/peer-base.yaml
      service: peer-base
    environment:
      - CORE_PEER_ID=peer0.org1.example.com
      - CORE_PEER_ADDRESS=peer0.org1.example.com:7051
      - CORE_PEER_LISTENADDRESS=0.0.0.0:7051
      - CORE_PEER_CHAINCODEADDRESS=peer0.org1.example.com:7052
      - CORE_PEER_CHAINCODELISTENADDRESS=0.0.0.0:7052
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1.org1.example.com:8051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.example.com:7051
      - CORE_PEER_LOCALMSPID=Org1MSP
      - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/msp
    volumes:
      - /var/run/:/host/var/run/
      - ./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/fabric/msp
      - ./crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls:/etc/hyperledger/fabric/tls
      - peer0.org1.example.com:/var/hyperledger/production
    ports:
      - 7051:7051
    networks:
      - byfn

Notice that - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/msp is added in the peer's environment. That should be done for each peer, even if the peer belongs to a different host.

dc-atos-dev commented 11 months ago

Hi again,

I have added the - CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/msp to each peer. Now I use the following commands to create the channel and join it, and I have a TLS or certificate problem with the second peer, as you can see here:

david.casalod@bip-dev-04:~/go/src/github.com/david/fabric-samples-lastverion/hfabric_2hosts$ docker exec cli peer channel join -b mychannel.block
2023-08-24 08:43:36.979 UTC 0001 INFO [channelCmd] InitCmdFactory -> Endorser and orderer connections initialized
2023-08-24 08:43:37.314 UTC 0002 INFO [channelCmd] executeJoin -> Successfully submitted proposal to join channel

david.casalod@bip-dev-04:~/go/src/github.com/david/fabric-samples-lastverion/hfabric_2hosts$ docker exec -e CORE_PEER_ADDRESS=peer0.org2.example.com:9051 -e CORE_PEER_LOCALMSPID="Org2MSP" -e CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt cli peer channel join -b mychannel.block
2023-08-24 08:54:17.068 UTC 0001 ERRO [comm.tls] ClientHandshake -> Client TLS handshake failed after 3.94643ms with error: tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "tlsca.org2.example.com") remoteaddress=10.0.2.34:9051
2023-08-24 08:54:18.083 UTC 0002 INFO [channelCmd] InitCmdFactory -> Endorser and orderer connections initialized
Error: proposal failed (err: rpc error: code = Unknown desc = error validating proposal: access denied: channel [] creator org unknown, creator is malformed)

I am using this command:

docker exec -e CORE_PEER_ADDRESS=peer0.org2.example.com:9051 -e CORE_PEER_LOCALMSPID="Org2MSP" -e CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt cli peer channel join -b mychannel.block

How do you create the channel and join each peer?

Thanks so much

dkanavaris commented 11 months ago

I would suggest regenerating the crypto materials using the version Fabric runs inside the containers. Run this command:

docker exec cli peer version

It should say 2.5.3 if you are using the latest version. Then, outside the containers, regenerate the crypto materials using the 2.5.3 binaries (issue the same command to check; notice you have to add the Fabric binaries to the path so that you can run these commands). The commands to generate the cryptos are the following:

cryptogen generate --config=./crypto-config.yaml

configtxgen -profile SampleMultiNodeEtcdRaft -channelID networkchannel -outputBlock ./channel-artifacts/genesis.block
configtxgen -profile TwoOrgsChannel -channelID mychannel -outputCreateChannelTx ./channel-artifacts/channel.tx
configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/Org1MSPanchors.tx -channelID mychannel -asOrg Org1MSP
configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./channel-artifacts/Org2MSPanchors.tx -channelID mychannel -asOrg Org2MSP

Then share the crypto materials (the crypto-config and channel-artifacts directories) with the other hosts, bring them up and try to join the channel.

dc-atos-dev commented 10 months ago

Hi,

After some time, I managed to get it working using the binary version and Fabric 2.2 or 2.3. However, now I have a network of 2 hosts to which I have added CouchDB databases to be able to deploy a chaincode with private data and collections.

The problem is that this network works following the Medium tutorial, but only works with chaincodes that don't have collections. When I deploy my chaincode the following happens: it shows status 'valid' after sending for approval, but when I query to see the status it shows 'false':

ariuserbip@bippreproductionservices:~/fabric$ docker exec cli peer lifecycle chaincode approveformyorg --tls ... [rest of the command]
2023-09-13 11:13:11.978 UTC [cli.lifecycle.chaincode] setOrdererClient -> INFO 001 Retrieved channel (mychannel) orderer endpoint: orderer.example.com:7050
2023-09-13 11:13:14.189 UTC [chaincodeCmd] ClientWait -> INFO 002 txid [60197e99cbe58b5745600e1fdd1862a7e4e7dbb0f80770c026af2094cc66a8de] committed with status (VALID) at peer0.org1.example.com:7051

ariuserbip@bippreproductionservices:~/fabric$ docker exec -e CORE_PEER_MSPCONFIGPATH=... [rest of the command]
2023-09-13 11:13:29.091 UTC [cli.lifecycle.chaincode] setOrdererClient -> INFO 001 Retrieved channel (mychannel) orderer endpoint: orderer.example.com:7050
2023-09-13 11:13:31.271 UTC [chaincodeCmd] ClientWait -> INFO 002 txid [30727305a6de1af7e0f87ee2dcdf09028a97e461bc0699044576823b84df6770] committed with status (VALID) at peer0.org2.example.com:9051

ariuserbip@bippreproductionservices:~/fabric$ docker exec cli peer lifecycle chaincode checkcommitreadiness --channelID mychannel --name vdr-fabric-sc --version 1.0 --sequence 1 
Chaincode definition for chaincode 'vdr-fabric-sc', version '1.0', sequence '1' on channel 'mychannel' approval status by org:
Org1MSP: false
Org2MSP: false

Any help please?