1

I'm newbie in the HyperLedger Fiber Technology and I'm following this official tutorial to build my first network. I replaced example.com with the domain of my company. After generating certificates I ran the follow command to up my network:

./byfn.sh up -c ttchannel

I get the following error during channel creation:

Error: got unexpected status: FORBIDDEN -- Failed to reach implicit threshold of 1 sub-policies, required 1 remaining: permission denied
!!!!!!!!!!!!!!! Channel creation failed !!!!!!!!!!!!!!!!

Then I verified from PEERs containers that peers are already connected with this channel (don't know why and when this connection got established), So, I restarted this network and then got the following error:

Error: failed to create deliver client: failed to load config for OrdererClient: unable to load orderer.tls.rootcert.file: open /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/vodworks.com/orderers/orderer.vodworks.com/msp/tlscacerts/tlsca.vodworks.com-cert.pem: no such file or directory
!!!!!!!!!!!!!!! Channel creation failed !!!!!!!!!!!!!!!!

And then I verified in the CLI container that crypto directory wasn't accessible so I have to restart that container to make it accessible. but still I was unable to run it.

Can anyone please suggest that what these error means and how can I run my network?

david_k
  • 4,867
  • 2
  • 7
  • 15
Bilal Ahmed Yaseen
  • 1,914
  • 1
  • 19
  • 39

2 Answers2

0

Where exactly did you change "example.com"? I'm pretty sure the setup script also creates all the crypto material based on configtx.yaml file, that has "example.com" as domain everywhere. The docker-compose files then map the created folders as volume into the container (see docker-compose-base.yml):

../crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp:/var/hyperledger/orderer/msp

So the docker-compose file also expects the certs to be in this folders. From your description I would expect that you missed to change the domain at some point.

Christian W
  • 1,056
  • 9
  • 15
  • Yes, I have verified in all yaml files and verified the crypto-config directory as well and domain names are being shown correctly. If changing domain name is the issue, then I should get some relevant error message but the message I mentioned in the questions tells some other story. – Bilal Ahmed Yaseen Mar 06 '19 at 06:46
  • And interestingly, when I run it with defaults it all works fine! – Bilal Ahmed Yaseen Mar 06 '19 at 06:46
  • Peer isn't eligible for channel ttchannel : Failed to reach implicit threshold of 1 sub-policies, required 1 remaining – Bilal Ahmed Yaseen Mar 06 '19 at 07:12
  • After running the default settings, did you properly kill the existing network via `./byfn down` or `docker-compose down --volumes --remove-orphans` ? The first message seems to tell us that the channel could not be created (the orderer does channel creation afaik). The second one tells us that the orderer does not find the correct certificate, so I think there has to be some point where either a volume or a path is wrong. – Christian W Mar 06 '19 at 12:27
  • Actually there seems some issue with release-1.4 while I'm able to run this scenario successfully on release-1.3 – Bilal Ahmed Yaseen Mar 06 '19 at 12:36
0

The Reason of this error was that network was not going down properly. All the peers were connected with the channel already as I verified by running the command peer channel list inside the container of each peer which was resulting in the following output:

Channels peers has joined:
ttchannel

And with this situation, the command peer channel create ... was actually throwing this error. So, I'm able to run the network successfully with the following command: 

**./byfn.sh restart -c ttchannel -s couchdb -t 60 -d 10**

Which actually first put the network down and then start it again.

Bilal Ahmed Yaseen
  • 1,914
  • 1
  • 19
  • 39