Problem description
When I try to create a channel using Hyperledger Fabric, the request fails and returns the following error:
Client log:
Recommended answer
This error occurs when there is a problem with the identity (consisting of MSP ID, certificate, and keys) that submitted the request. If you use the default Fabric configuration policies, channels need to be created by organization administrators. The error is produced by your identity not being able to satisfy the default policy on the /Channel/Application/Admins path.
There are several reasons why the policy would reject your identity, including the use of invalid or expired certificates. You can learn more about why the request failed by looking at your orderer logs. The ordering service is the node that enforces the policies that create or update channels.
When you examine your orderer logs, look for an error that is similar to what was returned to your client. You may find an error from a certificate check immediately preceding the policy error (Principal deserialization failure). This implies that the channel creation was rejected because the MSP ID was not recognized as valid.
Ordering service logs:
2019-08-06 15:31:43.589 UTC [cauthdsl] deduplicate -> ERRO 021 Principal deserialization failure
(MSP SampleOrg is unknown) for identity 0
2019-08-06 15:31:43.589 UTC [orderer.common.broadcast] ProcessMessage -> WARN 022 [channel:
testchannel] Rejecting broadcast of config message from 172.27.0.7:34750 because of error: error
validating channel creation transaction for new channel 'testchannel', could not succesfully apply
update to template configuration: error authorizing update: error validating DeltaSet: policy for
[Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies
were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
The error before the policy warning, ERRO 021 Principal deserialization failure (MSP SampleOrg is unknown) for identity 0, indicates that the MSP ID that was passed as a parameter with the request was not recognized by the ordering service. This could be a result of passing the wrong MSP ID to the command. This error may also indicate that your organization has not joined the consortium hosted by the ordering service system channel. If you are updating an application channel, this error could occur if your organization is not yet a member of the channel you are trying to update.
If the MSP ID of the identity is valid, you may encounter the following certificate validation error:
Ordering service logs:
2019-08-06 15:34:45.730 UTC [cauthdsl] deduplicate -> ERRO 02d Principal deserialization failure
(the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2019-08-06 15:34:45.730 UTC [orderer.common.broadcast] ProcessMessage -> WARN 02e [channel:
testchannel] Rejecting broadcast of config message from 172.27.0.7:36214 because of error: error
validating channel creation transaction for new channel 'testchannel', could not succesfully apply
update to template configuration: error authorizing update: error validating DeltaSet: policy for
[Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies
were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
In this case, the ordering service recognized your MSP ID, but could not validate that your certificate was issued by one of your organization's certificate authorities. If you are managing multiple organizations, this error could be the result of you using a mismatched MSP ID and certificate to submit the request. This error could also occur if your admin certificates have expired. If this is a test network that has been launched recently, you may be issuing the request from an identity that was created by a certificate authority on an older incarnation of your network.
It will be more common that your certificate has passed the validation check, but could not fulfill the channel creation policy. If that is the case, the error in your orderer logs would look like the following:
Ordering service logs:
2019-08-06 15:36:52.307 UTC [orderer.common.broadcast] ProcessMessage -> WARN 032 [channel:
testchannel] Rejecting broadcast of config message from 172.27.0.7:37236 because of error: error
validating channel creation transaction for new channel 'testchannel', could not succesfully apply
update to template configuration: error authorizing update: error validating DeltaSet: policy for
[Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies
were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
The identity that submitted the request is a valid member of your organization, and your organization is recognized to be a member of the system channel or application channel. However, the identity did not have the permission to create a channel. You may have used the wrong identity to submit the request, and used an identity that was not your organization administrator. Submit the request from your admin identity, or create a new admin, and have the channel administrator update your organization MSP.
If you encounter this error for operations other than channel creation, your certificate may not be authorized for the correct role. Check that your client certificates and peer certificates have the client and peer OU respectively.
Additional debugging techniques
If you need additional help debugging a policy or certificate related error, you can increase the logging level related to those components:
FABRIC_LOGGING_SPEC="WARN:cauthdsl=debug:policies=debug:msp=debug"
You can also manually pull your organization's root certificates from an application or system channel and use them to verify your client-side certs. Use the following command to pull the latest configuration block from your channel.
peer channel fetch config ./configupdate/config_block.pb -o <orderer_endpoint> -c <my_channel> --tls --cafile <PATH_TO_ORDERER_TLS_CERT>
Then use the following command to convert the configuration block into JSON.
configtxlator proto_decode --type=common.Block --input=config_block.pb --output=config_block.json
This allows you to pull the root certificate from the block using the following command. Replace <MSPID> with the MSP ID of your organization.
jq -r .data.data[0].payload.data.config.channel_group.groups.Application.groups.<MSPID>\
.values.MSP.value.config.root_certs[0] config_block.json | base64 --decode > root.pem
If your MSP defines multiple root certificates or uses intermediate certificates, you will need to adjust the jq command above to properly extract them.
You can then use tools such as OpenSSL to validate your client-side admin certificate against the root certificate.
openssl verify -CAfile <root.pem> <admincert.pem>
You can also use the following command to open the certificate and examine it in plaintext. This allows you to check fields such as the expiration date, the node OU, or the issuing CA.
openssl x509 -in <admincert.pem> -text