I have created a 2 orgs 1 peer each and one orderer and deployed in docker swarm.
Instead of using cryptogen i have used fabric-ca to generate the identities. I'm able to start the peers and orderers and able to create channel and join both the peers into the channel.
After joining the peers to channel, I could see the orderer logs:
2021-06-30 20:38:02.241 UTC [policies] SignatureSetToValidIdentities -> WARN 1ea invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:38:02.242 UTC [policies] SignatureSetToValidIdentities -> WARN 1eb invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:38:02.243 UTC [policies] SignatureSetToValidIdentities -> WARN 1ec invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:38:02.243 UTC [common.deliver] deliverBlocks -> WARN 1ed [channel: mychannel] Client 10.200.1.4:59232 is not authorized: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2021-06-30 20:38:02.243 UTC [comm.grpc.server] 1 -> INFO 1ee streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=10.200.1.4:59232 grpc.code=OK grpc.call_duration=2.409698ms
2021-06-30 20:38:49.480 UTC [policies] SignatureSetToValidIdentities -> WARN 1ef invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:38:49.481 UTC [policies] SignatureSetToValidIdentities -> WARN 1f0 invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:38:49.481 UTC [policies] SignatureSetToValidIdentities -> WARN 1f1 invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:38:49.481 UTC [common.deliver] deliverBlocks -> WARN 1f2 [channel: mychannel] Client 10.200.1.4:37920 is not authorized: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2021-06-30 20:38:49.482 UTC [comm.grpc.server] 1 -> INFO 1f3 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=10.200.1.4:37920 grpc.code=OK grpc.call_duration=2.250383ms
2021-06-30 20:40:58.639 UTC [policies] SignatureSetToValidIdentities -> WARN 1f4 invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:40:58.640 UTC [policies] SignatureSetToValidIdentities -> WARN 1f5 invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:40:58.640 UTC [policies] SignatureSetToValidIdentities -> WARN 1f6 invalid identity: certificate subject=CN=peer0.org1.example.com,OU=COP,L=San Francisco,ST=California,C=US serialnumber=268337738708423250738667250199689187829 error="the supplied identity is not valid: x509: certificate signed by unknown authority"
2021-06-30 20:40:58.641 UTC [common.deliver] deliverBlocks -> WARN 1f7 [channel: mychannel] Client 10.200.1.4:59250 is not authorized: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2021-06-30 20:40:58.641 UTC [comm.grpc.server] 1 -> INFO 1f8 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=10.200.1.4:59250 grpc.code=OK grpc.call_duration=16.793212ms
peer logs:
2021-06-30 20:40:58.641 UTC [peer.blocksprovider] DeliverBlocks -> WARN 094 Got error while attempting to receive blocks: received bad status FORBIDDEN from orderer channel=mychannel orderer-address=orderer.example.com:7050
2021-06-30 20:44:30.298 UTC [peer.blocksprovider] func1 -> WARN 095 Encountered an error reading from deliver stream: EOF channel=mychannel orderer-address=orderer.example.com:7050
2021-06-30 20:44:30.298 UTC [peer.blocksprovider] DeliverBlocks -> WARN 096 Got error while attempting to receive blocks: received bad status FORBIDDEN from orderer channel=mychannel orderer-address=orderer.example.com:7050
2021-06-30 20:48:44.848 UTC [peer.blocksprovider] DeliverBlocks -> WARN 098 Got error while attempting to receive blocks: received bad status FORBIDDEN from orderer channel=mychannel orderer-address=orderer.example.com:7050
2021-06-30 20:48:44.848 UTC [peer.blocksprovider] func1 -> WARN 097 Encountered an error reading from deliver stream: EOF channel=mychannel orderer-address=orderer.example.com:7050
2021-06-30 20:53:49.733 UTC [peer.blocksprovider] func1 -> WARN 099 Encountered an error reading from deliver stream: EOF channel=mychannel orderer-address=orderer.example.com:7050
2021-06-30 20:53:49.734 UTC [peer.blocksprovider] DeliverBlocks -> WARN 09a Got error while attempting to receive blocks: received bad status FORBIDDEN from orderer channel=mychannel orderer-address=orderer.example.com:7050
configtx.yaml file:
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
################################################################################
#
# Section: Organizations
#
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
#
################################################################################
Organizations:
# SampleOrg defines an MSP using the sampleconfig. It should never be used
# in production but may be used as a template for other definitions
- &OrdererOrg
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: OrdererOrg
# ID to load the MSP definition as
ID: OrdererMSP
# MSPDir is the filesystem path which contains the MSP configuration
MSPDir: /var/mynetwork/organizations/ordererOrganizations/example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies:
Readers:
Type: Signature
Rule: "OR('OrdererMSP.member')"
Writers:
Type: Signature
Rule: "OR('OrdererMSP.member')"
Admins:
Type: Signature
Rule: "OR('OrdererMSP.admin')"
OrdererEndpoints:
- orderer.example.com:7050
- &Org1
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org1MSP
# ID to load the MSP definition as
ID: Org1MSP
MSPDir: /var/mynetwork/organizations/peerOrganizations/org1.example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies:
Readers:
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
Writers:
Type: Signature
Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
Admins:
Type: Signature
Rule: "OR('Org1MSP.admin')"
Endorsement:
Type: Signature
Rule: "OR('Org1MSP.peer')"
- &Org2
# DefaultOrg defines the organization which is used in the sampleconfig
# of the fabric.git development environment
Name: Org2MSP
# ID to load the MSP definition as
ID: Org2MSP
MSPDir: /var/mynetwork/organizations/peerOrganizations/org2.example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
# /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies:
Readers:
Type: Signature
Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
Writers:
Type: Signature
Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
Admins:
Type: Signature
Rule: "OR('Org2MSP.admin')"
Endorsement:
Type: Signature
Rule: "OR('Org2MSP.peer')"
################################################################################
#
# SECTION: Capabilities
#
# - This section defines the capabilities of fabric network. This is a new
# concept as of v1.1.0 and should not be utilized in mixed networks with
# v1.0.x peers and orderers. Capabilities define features which must be
# present in a fabric binary for that binary to safely participate in the
# fabric network. For instance, if a new MSP type is added, newer binaries
# might recognize and validate the signatures from this type, while older
# binaries without this support would be unable to validate those
# transactions. This could lead to different versions of the fabric binaries
# having different world states. Instead, defining a capability for a channel
# informs those binaries without this capability that they must cease
# processing transactions until they have been upgraded. For v1.0.x if any
# capabilities are defined (including a map with all capabilities turned off)
# then the v1.0.x peer will deliberately crash.
#
################################################################################
Capabilities:
# Channel capabilities apply to both the orderers and the peers and must be
# supported by both.
# Set the value of the capability to true to require it.
Channel: &ChannelCapabilities
# V2_0 capability ensures that orderers and peers behave according
# to v2.0 channel capabilities. Orderers and peers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 capability.
# Prior to enabling V2.0 channel capabilities, ensure that all
# orderers and peers on a channel are at v2.0.0 or later.
V2_0: true
# Orderer capabilities apply only to the orderers, and may be safely
# used with prior release peers.
# Set the value of the capability to true to require it.
Orderer: &OrdererCapabilities
# V2_0 orderer capability ensures that orderers behave according
# to v2.0 orderer capabilities. Orderers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 orderer capability.
# Prior to enabling V2.0 orderer capabilities, ensure that all
# orderers on channel are at v2.0.0 or later.
V2_0: true
# Application capabilities apply only to the peer network, and may be safely
# used with prior release orderers.
# Set the value of the capability to true to require it.
Application: &ApplicationCapabilities
# V2_0 application capability ensures that peers behave according
# to v2.0 application capabilities. Peers from
# prior releases would behave in an incompatible way, and are therefore
# not able to participate in channels at v2.0 application capability.
# Prior to enabling V2.0 application capabilities, ensure that all
# peers on channel are at v2.0.0 or later.
V2_0: true
################################################################################
#
# SECTION: Application
#
# - This section defines the values to encode into a config transaction or
# genesis block for application related parameters
#
################################################################################
Application: &ApplicationDefaults
# Organizations is the list of orgs which are defined as participants on
# the application side of the network
Organizations:
# Policies defines the set of policies at this level of the config tree
# For Application policies, their canonical path is
# /Channel/Application/<PolicyName>
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
LifecycleEndorsement:
Type: ImplicitMeta
Rule: "MAJORITY Endorsement"
Endorsement:
Type: ImplicitMeta
Rule: "MAJORITY Endorsement"
Capabilities:
<<: *ApplicationCapabilities
################################################################################
#
# SECTION: Orderer
#
# - This section defines the values to encode into a config transaction or
# genesis block for orderer related parameters
#
################################################################################
Orderer: &OrdererDefaults
# Orderer Type: The orderer implementation to start
OrdererType: etcdraft
# Addresses used to be the list of orderer addresses that clients and peers
# could connect to. However, this does not allow clients to associate orderer
# addresses and orderer organizations which can be useful for things such
# as TLS validation. The preferred way to specify orderer addresses is now
# to include the OrdererEndpoints item in your org definition
Addresses:
- orderer.example.com:7050
EtcdRaft:
Consenters:
- Host: orderer.example.com
Port: 7050
ClientTLSCert: /var/mynetwork/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
ServerTLSCert: /var/mynetwork/organizations/ordererOrganizations/example.com/orderers/orderer.example.com/tls/server.crt
# Batch Timeout: The amount of time to wait before creating a batch
BatchTimeout: 2s
# Batch Size: Controls the number of messages batched into a block
BatchSize:
# Max Message Count: The maximum number of messages to permit in a batch
MaxMessageCount: 10
# Absolute Max Bytes: The absolute maximum number of bytes allowed for
# the serialized messages in a batch.
AbsoluteMaxBytes: 99 MB
# Preferred Max Bytes: The preferred maximum number of bytes allowed for
# the serialized messages in a batch. A message larger than the preferred
# max bytes will result in a batch larger than preferred max bytes.
PreferredMaxBytes: 512 KB
# Organizations is the list of orgs which are defined as participants on
# the orderer side of the network
Organizations:
# Policies defines the set of policies at this level of the config tree
# For Orderer policies, their canonical path is
# /Channel/Orderer/<PolicyName>
Policies:
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# BlockValidation specifies what signatures must be included in the block
# from the orderer for the peer to validate it.
BlockValidation:
Type: ImplicitMeta
Rule: "ANY Writers"
################################################################################
#
# CHANNEL
#
# This section defines the values to encode into a config transaction or
# genesis block for channel related parameters.
#
################################################################################
Channel: &ChannelDefaults
# Policies defines the set of policies at this level of the config tree
# For Channel policies, their canonical path is
# /Channel/<PolicyName>
Policies:
# Who may invoke the 'Deliver' API
Readers:
Type: ImplicitMeta
Rule: "ANY Readers"
# Who may invoke the 'Broadcast' API
Writers:
Type: ImplicitMeta
Rule: "ANY Writers"
# By default, who may modify elements at this config level
Admins:
Type: ImplicitMeta
Rule: "MAJORITY Admins"
# Capabilities describes the channel level capabilities, see the
# dedicated Capabilities section elsewhere in this file for a full
# description
Capabilities:
<<: *ChannelCapabilities
################################################################################
#
# Profile
#
# - Different configuration profiles may be encoded here to be specified
# as parameters to the configtxgen tool
#
################################################################################
Profiles:
TwoOrgsOrdererGenesis:
<<: *ChannelDefaults
Orderer:
<<: *OrdererDefaults
Organizations:
- *OrdererOrg
Capabilities:
<<: *OrdererCapabilities
Consortiums:
SampleConsortium:
Organizations:
- *Org1
- *Org2
TwoOrgsChannel:
Consortium: SampleConsortium
<<: *ChannelDefaults
Application:
<<: *ApplicationDefaults
Organizations:
- *Org1
- *Org2
Capabilities:
<<: *ApplicationCapabilities
org1 msp cert:
openssl x509 -in /var/mynetwork/organizations/peerOrganizations/org1.example.com/users/[email protected]/msp/signcerts/cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2f:f4:f1:84:51:df:a1:f1:f7:b2:6d:a2:01:5a:23:58:e3:f1:3d:53
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = fabric-ca-server
Validity
Not Before: Jun 29 17:51:00 2021 GMT
Not After : Jun 29 17:56:00 2022 GMT
Subject: C = US, ST = North Carolina, O = Hyperledger, OU = admin, CN = org1admin
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:d4:19:a3:9b:d9:13:3b:37:03:55:61:46:4f:a5:
f6:ff:e3:74:0d:f8:c4:eb:d9:5b:de:d6:06:dd:36:
3a:bd:82:dc:b3:e3:a2:7e:0e:e7:45:b3:c1:3c:69:
0b:ad:30:95:bb:dc:e8:b3:9a:88:09:5c:b7:d8:79:
ba:58:b3:aa:48
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
42:19:31:0A:C0:08:48:C6:2D:5A:1D:85:FC:E6:42:02:9E:44:74:13
X509v3 Authority Key Identifier:
keyid:48:5D:23:A8:92:AE:71:00:E4:8A:2B:8D:13:D1:CA:62:28:08:5B:5C
X509v3 Subject Alternative Name:
DNS:ubuntupc
1.2.3.4.5.6.7.8.1:
{"attrs":{"hf.Affiliation":"","hf.EnrollmentID":"org1admin","hf.Type":"admin"}}
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:64:c9:28:09:8d:06:f0:b6:68:1a:60:9f:ea:ec:
aa:df:2e:1a:2e:2c:94:bd:0f:60:db:7d:fc:a8:ed:87:f0:9b:
02:20:42:93:f3:c6:b3:b8:40:d2:f7:23:c8:67:5d:ca:fd:a0:
2b:71:ac:1f:4b:f6:f9:ec:33:78:47:48:11:4a:04:eb
Not sure where I'm missing. is anchor peer mandatory for orderer communication ?