When I run `peer lifecycle chaincode approveformyorg`, I always get the error: ENDORSEMENT_POLICY_FAILURE


shenbin0252@...
 

I have a network with 3 orgs. org0 is the orderer; org1 & org2 have 1 peer.
I install the chaincode on each peer, and I use org1’s admin identity to execute the following command:

```
peer lifecycle chaincode approveformyorg -o localhost:7050 --ordererTLSHostnameOverride orderer1-org0 --channelID mychannel --name iotmanager --version 1.0 --package-id iot_1:5b6d649d9aaa9b19a1d03612b6a4a644574bd1632f12a0524a263fafe4b85100 --sequence 1 --tls true --cafile $PWD/tlscacerts/tls-0-0-0-0-7052.pem
```

I always get the error like this:
```
 INFO 001 txid [cf6051d0a0fc825cf683394e00ada5505768bebde6688772694816e25826bcf5] committed with status (ENDORSEMENT_POLICY_FAILURE) at
Error: transaction invalidated with status (ENDORSEMENT_POLICY_FAILURE)
```

And this is the peer’s log:
```
peer1-org2    | 2020-07-03 09:07:47.445 UTC [lifecycle] ApproveChaincodeDefinitionForOrg -> INFO 056 Successfully endorsed chaincode approval with name 'iotmanager', package ID 'iot_1:5b6d649d9aaa9b19a1d03612b6a4a644574bd1632f12a0524a263fafe4b85100', on channel 'mychannel' with definition {sequence: 1, endorsement info: (version: '1.0', plugin: 'escc', init required: false), validation info: (plugin: 'vscc', policy: '12202f4368616e6e656c2f4170706c69636174696f6e2f456e646f7273656d656e74'), collections: ()}
peer1-org2    | 2020-07-03 09:07:47.445 UTC [endorser] callChaincode -> INFO 057 finished chaincode: _lifecycle duration: 1ms channel=mychannel txID=9485f26c
peer1-org2    | 2020-07-03 09:07:47.450 UTC [comm.grpc.server] 1 -> INFO 058 unary call completed grpc.service=protos.Endorser grpc.method=ProcessProposal grpc.peer_address=172.19.0.1:32864 grpc.code=OK grpc.call_duration=7.15544ms
peer1-org2    | 2020-07-03 09:07:49.471 UTC [gossip.privdata] StoreBlock -> INFO 059 [mychannel] Received block [4] from buffer
peer1-org2    | 2020-07-03 09:07:49.472 UTC [vscc] Validate -> ERRO 05a VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for collection _implicit_org_ca-org2 chaincode _lifecycle in tx 4:0 failed: signature set did not satisfy policy
peer1-org2    | 2020-07-03 09:07:49.473 UTC [committer.txvalidator] validateTx -> ERRO 05b Dispatch for transaction txId = 9485f26c175008f5e4e2bc92234e8f3ae3d8320acf221f2bed7b685e0d9eec37 returned error: validation of endorsement policy for collection _implicit_org_ca-org2 chaincode _lifecycle in tx 4:0 failed: signature set did not satisfy policy
peer1-org2    | 2020-07-03 09:07:49.473 UTC [committer.txvalidator] Validate -> INFO 05c [mychannel] Validated block [4] in 1ms
peer1-org2    | 2020-07-03 09:07:49.473 UTC [gossip.privdata] prepareBlockPvtdata -> INFO 05d Successfully fetched all eligible collection private write sets for block [4] channel=mychannel
peer1-org2    | 2020-07-03 09:07:49.473 UTC [valimpl] preprocessProtoBlock -> WARN 05e Channel [mychannel]: Block [4] Transaction index [0] TxId [9485f26c175008f5e4e2bc92234e8f3ae3d8320acf221f2bed7b685e0d9eec37] marked as invalid by committer. Reason code [ENDORSEMENT_POLICY_FAILURE]
peer1-org2    | 2020-07-03 09:07:49.484 UTC [kvledger] CommitLegacy -> INFO 05f [mychannel] Committed block [4] with 1 transaction(s) in 10ms (state_validation=0ms block_and_pvtdata_commit=6ms state_commit=1ms) commitHash=[04cbc8cfcf0030fed952b77a2cc7d5df59a9960fec9b475819bfd98525952f9b]
peer1-org2    | 2020-07-03 09:07:49.489 UTC [comm.grpc.server] 1 -> INFO 060 streaming call completed grpc.service=protos.Deliver grpc.method=DeliverFiltered grpc.request_deadline=2020-07-03T09:08:17.454Z grpc.peer_address=172.19.0.1:32868 error="context finished before block retrieved: context canceled" grpc.code=Unknown grpc.call_duration=2.03508306s
```

This is the orderer’s log:
```
orderer1-org0    | 2020-07-03 09:07:49.459 UTC [orderer.consensus.etcdraft] propose -> INFO 056 Created block [4], there are 0 blocks in flight channel=mychannel node=1
orderer1-org0    | 2020-07-03 09:07:49.464 UTC [orderer.consensus.etcdraft] writeBlock -> INFO 057 Writing block [4] (Raft index: 6) to ledger channel=mychannel node=1
orderer1-org0    | 2020-07-03 09:07:49.491 UTC [orderer.common.broadcast] Handle -> WARN 058 Error reading from 172.19.0.1:39116: rpc error: code = Canceled desc = context canceled
orderer1-org0    | 2020-07-03 09:07:49.491 UTC [comm.grpc.server] 1 -> INFO 059 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Broadcast grpc.peer_address=172.19.0.1:39116 error="rpc error: code = Canceled desc = context canceled" grpc.code=Canceled grpc.call_duration=2.049287023s
```

I've tried everything, nothing seems to work. Can anyone shed some light?

Thanks in advance. 


Below is the configtx.yaml:
```
Organizations:
    - &Org0
        Name: ca-org0
        ID: ca-org0
        MSPDir: orderer1-org0
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('ca-org0.member')"
            Writers:
                Type: Signature
                Rule: "OR('ca-org0.member')"
            Admins:
                Type: Signature
                Rule: "OR('ca-org0.admin')"

        OrdererEndpoints:
            - orderer1-org0:7050

    - &Org1
        Name: ca-org1
        ID: ca-org1
        MSPDir: peer1-org1
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('ca-org1.member')"
            Writers:
                Type: Signature
                Rule: "OR('ca-org1.member')"
            Admins:
                Type: Signature
                Rule: "OR('ca-org1.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('ca-org1.peer')"

        AnchorPeers:
            - Host: peer1-org1
              Port: 7051

    - &Org2
        Name: ca-org2
        ID: ca-org2
        MSPDir: peer1-org2
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('ca-org2.member')"
            Writers:
                Type: Signature
                Rule: "OR('ca-org2.member')"
            Admins:
                Type: Signature
                Rule: "OR('ca-org2.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('ca-org2.peer')"

        AnchorPeers:
            - Host: peer1-org2
              Port: 7051

Capabilities:
    Channel: &ChannelCapabilities
        V2_0: true
    Orderer: &OrdererCapabilities
        V2_0: true
    Application: &ApplicationCapabilities
        V2_0: true


Channel: &ChannelDefaults
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "ANY Admins"

    Capabilities:
        <<: *ChannelCapabilities


Application: &ApplicationDefaults

    Organizations:

    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        LifecycleEndorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"
        Endorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"

    Capabilities:
        <<: *ApplicationCapabilities


Orderer: &OrdererDefaults
    OrdererType: etcdraft

    EtcdRaft:
        Consenters:
        - Host: orderer1-org0
          Port: 7050
          ClientTLSCert: orderer1-org0/tls-msp/signcerts/cert.pem
          ServerTLSCert: orderer1-org0/tls-msp/signcerts/cert.pem

    BatchTimeout: 2s

    BatchSize:
        MaxMessageCount: 10
        AbsoluteMaxBytes: 99 MB
        PreferredMaxBytes: 512 KB

    Organizations:

    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"


Channel: &ChannelDefaults
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"

    Capabilities:
        <<: *ChannelCapabilities

Profiles:

    OrgsOrdererGenesis:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            Organizations:
                - *Org0
            Capabilities:
                <<: *OrdererCapabilities
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *Org1
                    - *Org2
    OrgsChannel:
        Consortium: SampleConsortium
        <<: *ChannelDefaults
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *Org1
                - *Org2
            Capabilities:
                <<: *ApplicationCapabilities
```


David Enyeart
 

You are submitting from Org1, but your log shows Org2 peer endorsed.
You need to submit the approveformyorg transaction from an Org1 admin to an Org1 peer. Then from an Org2 admin to an Org2 peer.


Dave Enyeart

From: "Mind" <shenbin0252@...>
To: "fabric" <fabric@...>
Date: 07/03/2020 05:19 AM
Subject: [EXTERNAL] [Hyperledger Fabric] When I run `peer lifecycle chaincode approveformyorg`, I always get the error: ENDORSEMENT_POLICY_FAILURE
Sent by: fabric@...









Pam Andrejko
 

I think the problem here is that you are using org1’s admin identity to execute peer lifecycle chaincode approveformyorg

The approval needs to be done by a peer.

See the new channel tutorial: https://hyperledger-fabric.readthedocs.io/en/latest/create_channel/channel_policies.html#signature-policies

The Admins policy can only be satisfied by transactions submitted by an identity with an admin role, while only identities with a peer role can satisfy the Endorsement policy.

Pam


Chris Gabriel <alaskadd@...>
 

This error can also be seen if you commit chaincode BEFORE approving for each org after installation. The way the sample is written, this is easy to do because most want to install, approve, and commit before exporting the env variables for the next peer org. I made this same mistake the first time I ran the tutorial. I recommend you ./network down and then start again, following the tutorial exactly as written and it should solve your error.


On Jul 6, 2020, at 7:16 AM, Pam Andrejko <pama@...> wrote:





Nikhil Gupta
 

The deploy a chaincode to a channel tutorial also has a troubleshooting section that may be helpful: https://hyperledger-fabric.readthedocs.io/en/latest/deploy_chaincode.html#troubleshooting

Nik



-----fabric@... wrote: -----
To: fabric@...
From: "Pam Andrejko"
Sent by: fabric@...
Date: 07/06/2020 08:16AM
Subject: [EXTERNAL] Re: [Hyperledger Fabric] When I run `peer lifecycle chaincode approveformyorg`, I always get the error: ENDORSEMENT_POLICY_FAILURE




gonzalo.bustos@...
 

On Sun, Jul 5, 2020 at 06:02 PM, David Enyeart wrote:

Hey there!

I have the same exact problem. 

My peer logs the following:

```
2021-12-20 13:12:54.979 UTC [vscc] Validate -> ERRO 0a4 VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode _lifecycle in tx 9:0 failed: implicit policy evaluation failed - 1 sub-policies were satisfied, but this policy requires 3 of the 'Endorsement' sub-policies to be satisfied
2021-12-20 13:12:54.980 UTC [committer.txvalidator] validateTx -> ERRO 0a5 Dispatch for transaction txId = 59b8d20eb45ea7596a1b55c0d1838b2b12fd621d62693a4d247bc550dc8147b2 returned error: validation of endorsement policy for chaincode _lifecycle in tx 9:0 failed: implicit policy evaluation failed - 1 sub-policies were satisfied, but this policy requires 3 of the 'Endorsement' sub-policies to be satisfied
```

 
Any ideas how to solve this?
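
An added example, not part of any post in this thread and not Hyperledger Fabric code: a Python triage of the two VSCC failure messages quoted above, reporting which org's implicit collection a rejected approval targeted and how many per-org sub-policies an ImplicitMeta failure was short of. The sample lines are shortened copies of the thread's logs and the submitter MSP ID `ca-org1` comes from the first post; the function names, and the assumption that the failing policy uses a `MAJORITY` rule as in the posted configtx.yaml, are this example's own.

```python
import re

# Constructed sample: shortened copies of the log lines quoted in this thread.
SAMPLE_LOG = """\
peer1-org2    | 2020-07-03 09:07:47.445 UTC [lifecycle] ApproveChaincodeDefinitionForOrg -> INFO 056 Successfully endorsed chaincode approval with name 'iotmanager'
peer1-org2    | 2020-07-03 09:07:49.472 UTC [vscc] Validate -> ERRO 05a VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for collection _implicit_org_ca-org2 chaincode _lifecycle in tx 4:0 failed: signature set did not satisfy policy
2021-12-20 13:12:54.979 UTC [vscc] Validate -> ERRO 0a4 VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode _lifecycle in tx 9:0 failed: implicit policy evaluation failed - 1 sub-policies were satisfied, but this policy requires 3 of the 'Endorsement' sub-policies to be satisfied
"""

# Container that endorsed an approval (docker-compose prefix "name | ").
ENDORSED = re.compile(
    r"^(\S+)\s+\|.*ApproveChaincodeDefinitionForOrg .*Successfully endorsed")
# Failure against one org's implicit collection policy.
COLLECTION = re.compile(
    r"for collection _implicit_org_(\S+) chaincode \S+ in tx (\d+:\d+) "
    r"failed: signature set did not satisfy policy")
# Failure against an ImplicitMeta policy that counts per-org sub-policies.
IMPLICIT = re.compile(
    r"in tx (\d+:\d+) failed: implicit policy evaluation failed - (\d+) "
    r"sub-policies were satisfied, but this policy requires (\d+) of the "
    r"'(\w+)' sub-policies")


def implicit_meta_threshold(rule, n_orgs):
    """Sub-policies an ImplicitMeta rule requires out of n_orgs (n_orgs >= 1)."""
    return {"ANY": 1, "ALL": n_orgs, "MAJORITY": n_orgs // 2 + 1}[rule]


def org_counts_for_majority(required):
    """Org counts for which a MAJORITY rule requires exactly `required`."""
    return [n for n in range(1, 2 * required + 1)
            if implicit_meta_threshold("MAJORITY", n) == required]


def triage(log_text, submitter_msp):
    """Return one finding per VSCC endorsement failure found in log_text."""
    findings, endorser = [], None
    for line in log_text.splitlines():
        if (m := ENDORSED.search(line)):
            endorser = m.group(1)  # remember which container endorsed
        elif (m := COLLECTION.search(line)):
            findings.append({
                "kind": "org-collection", "tx": m.group(2),
                "collection_org": m.group(1), "endorsed_by": endorser,
                # False: the approval targeted an org other than the submitter's
                "submitter_matches": m.group(1) == submitter_msp})
        elif (m := IMPLICIT.search(line)):
            satisfied, required = int(m.group(2)), int(m.group(3))
            findings.append({
                "kind": "implicit-meta", "tx": m.group(1),
                "sub_policy": m.group(4),
                "satisfied": satisfied, "required": required,
                "missing": required - satisfied,
                # Assumption: the failing policy uses a MAJORITY rule.
                "orgs_if_majority": org_counts_for_majority(required)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, submitter_msp="ca-org1"):
        print(finding)
```

For the two-org channel and `MAJORITY Endorsement` rule in the posted configtx.yaml, `implicit_meta_threshold("MAJORITY", 2)` is 2, so both orgs' Endorsement sub-policies have to be satisfied.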