Error while migrating form kafka to RAFT in Hyperledger fabirc

Question

I am migrating from kafka to raft, When I have changed state from "NORMAL" to "STATE_MAINTENANCE"  and created the final expected envelope as per the procedure.

Note: We are using BYFN script HF version: 1.4.3

My CLI pointed to Org1MSP, I signed config update transaction, later I changed CLI pointing to Org2MSP and signed, finally submitted the new channel config update to the orderer.After submission, getting a following error message.

Error on CLI: "Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'mychannel': error authorizing update: error validating DeltaSet: policy for [Value]  /Channel/Orderer/ConsensusType not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied"

Orderer log: "[channel: mychannel] Rejecting broadcast of config message from 172.21.0.13:51078 because of error: error applying config update to existing channel 'mychannel': error authorizing update: error validating DeltaSet: policy for [Value]  /Channel/Orderer/ConsensusType not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied"

Please let me know if I am doing something wrong.

Thanks in advance.

Answer 1

By default, cryptogen tool generate orderer admin user certificate with OU as client for 1.4.3 fabric version. For peer admin user, it generates certificate with OU as admin which is correct(expected). In case of orderer, its creating wrong OU(Organization Unit) as client. We need to add the following part crypto-config.yaml in the orderer section.

CA:
  OrganizationalUnit: admin

Once you added above part, recreate certificate and check orderer certificate OU as admin by following command

openssl x509 -in certificate.crt -text