Hyperledger channel creation error due to certificate issue

[qliu2022]

Hello,

Sorry to bother. I'm having trouble to create a hyperledger fabric channel due to some admin and certificate related errors.

When I tried to run the following channel creation code,

export CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/fabric/msp peer channel create -o orderer0.orgorderer1:7050 -c mychannel -f ./channel-artifacts/channel.tx;

it shows following errors:

2022-07-05 14:45:58.669 UTC 0001 WARN [main] InitCmd -> CORE_LOGGING_LEVEL is no longer supported, please use the FABRIC_LOGGING_SPEC environment variable 2022-07-05 14:45:58.690 UTC 0002 WARN [main] SetOrdererEnv -> CORE_LOGGING_LEVEL is no longer supported, please use the FABRIC_LOGGING_SPEC environment variable 2022-07-05 14:45:58.693 UTC 0003 INFO [channelCmd] InitCmdFactory -> Endorser and orderer connections initialized Error: got unexpected status: BAD_REQUEST -- error validating channel creation transaction for new channel 'mychannel', could not successfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied

When I further checked the logs from orderer, it shows following errors about certificate:

2022-07-05 14:31:09.848 UTC 02a9 WARN [policies] SignatureSetToValidIdentities -> invalid identity error="the supplied identity is not valid: x509: certificate signed by unknown authority (possibly be cause of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1")" identity="(mspid=Org1MSP subject=CN=Admin@org1,OU=admin,L=San Francisco,ST=California ,C=US issuer=CN=ca.org1,O=org1,L=San Francisco,ST=California,C=US serialnumber=245019821688761831073932777747986110919)" 2022-07-05 14:31:09.848 UTC 02aa DEBU [cauthdsl] func1 -> 0x4000325e50 gate 1657031469848949235 evaluation starts 2022-07-05 14:31:09.848 UTC 02ab DEBU [cauthdsl] func2 -> 0x4000325e50 signed by 0 principal evaluation starts (used []) 2022-07-05 14:31:09.848 UTC 02ac DEBU [cauthdsl] func2 -> 0x4000325e50 principal evaluation fails 2022-07-05 14:31:09.849 UTC 02ad DEBU [cauthdsl] func1 -> 0x4000325e50 gate 1657031469848949235 evaluation fails 2022-07-05 14:31:09.849 UTC 02ae DEBU [policies] EvaluateSignedData -> Signature set did not satisfy policy /Channel/Application/Org2MSP/Admins 2022-07-05 14:31:09.849 UTC 02af DEBU [policies] EvaluateSignedData -> == Done Evaluating *cauthdsl.policy Policy /Channel/Application/Org2MSP/Admins 2022-07-05 14:31:09.849 UTC 02b0 DEBU [policies] EvaluateSignedData -> == Evaluating *cauthdsl.policy Policy /Channel/Application/Org1MSP/Admins == 2022-07-05 14:31:09.849 UTC 02b1 DEBU [msp] DeserializeIdentity -> Obtaining identity 2022-07-05 14:31:09.849 UTC 02b2 DEBU [msp.identity] newIdentity -> Creating identity instance for cert -----BEGIN CERTIFICATE-----

also:

2022-07-05 14:31:09.849 UTC 02b3 WARN [policies] SignatureSetToValidIdentities -> invalid identity error="the supplied identity is not valid: x509: certificate signed by unknown authority (possibly be cause of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1")" identity="(mspid=Org1MSP subject=CN=Admin@org1,OU=admin,L=San Francisco,ST=California ,C=US issuer=CN=ca.org1,O=org1,L=San Francisco,ST=California,C=US serialnumber=245019821688761831073932777747986110919)" 2022-07-05 14:31:09.849 UTC 02b4 DEBU [cauthdsl] func1 -> 0x40003a6ba0 gate 1657031469849500270 evaluation starts 2022-07-05 14:31:09.849 UTC 02b5 DEBU [cauthdsl] func2 -> 0x40003a6ba0 signed by 0 principal evaluation starts (used []) 2022-07-05 14:31:09.849 UTC 02b6 DEBU [cauthdsl] func2 -> 0x40003a6ba0 principal evaluation fails 2022-07-05 14:31:09.849 UTC 02b7 DEBU [cauthdsl] func1 -> 0x40003a6ba0 gate 1657031469849500270 evaluation fails 2022-07-05 14:31:09.849 UTC 02b8 DEBU [policies] EvaluateSignedData -> Signature set did not satisfy policy /Channel/Application/Org1MSP/Admins 2022-07-05 14:31:09.849 UTC 02b9 DEBU [policies] EvaluateSignedData -> == Done Evaluating *cauthdsl.policy Policy /Channel/Application/Org1MSP/Admins 2022-07-05 14:31:09.849 UTC 02ba DEBU [policies] func1 -> Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ Org2MSP/Admins Org1MSP/Admins ] 2022-07-05 14:31:09.849 UTC 02bb DEBU [policies] EvaluateSignedData -> Signature set did not satisfy policy /Channel/Application/ChannelCreationPolicy 2022-07-05 14:31:09.849 UTC 02bc DEBU [policies] EvaluateSignedData -> == Done Evaluating *policies.ImplicitMetaPolicy Policy /Channel/Application/ChannelCreationPolicy 2022-07-05 14:31:09.849 UTC 02bd WARN [common.configtx] verifyDeltaSet -> policy not satisfied for channel configuration update key="[Group] /Channel/Application" policy="{0x40004de640 /Channel/Appli cation/ChannelCreationPolicy}" signingIdenties="(mspid=Org1MSP subject=CN=Admin@org1,OU=admin,L=San Francisco,ST=California,C=US issuer=CN=ca.org1,O=org1,L=San Francisco,ST=California,C=US serialnumbe r=245019821688761831073932777747986110919)" 2022-07-05 14:31:09.849 UTC 02be WARN [orderer.common.broadcast] ProcessMessage -> [channel: mychannel] Rejecting broadcast of config message from 10.13.136.157:56204 because of error: error validatin g channel creation transaction for new channel 'mychannel', could not successfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group] /Cha nnel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied

I also double-checked the admin certificate for org1, which seems no issue to me.

openssl x509 -in [email protected] -noout -subject -issuer subject=C = US, ST = California, L = San Francisco, OU = admin, CN = Admin@org1 issuer=C = US, ST = California, L = San Francisco, O = org1, CN = ca.org1

Any suggestions/advice where I should look at to pinpoint the issue here? Thanks a lot!