fetch config block of system-channel returns &{FORBIDDEN} #fabric-orderer #fabric-questions


Yueming Xu
 

I can get the config block of normal app channels, and previously I could also get the config block of the system-channel, but now, after upgrading to v2.2, the following command returned an error on the system-channel. What am I missing here?

CORE_PEER_LOCALMSPID=${ORDERER_MSP} CORE_PEER_ADDRESS=${ORDERER_URL} CORE_PEER_TLS_ROOTCERT_FILE=${ORDERER_CA} peer channel fetch config syschannel.pb -c sys-channel -o ${ORDERER_URL} --tls --cafile ${ORDERER_CA}
2020-11-23 22:31:28.312 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2020-11-23 22:31:28.315 UTC [cli.common] readBlock -> INFO 002 Expect block, but got status: &{FORBIDDEN}
Error: can't read the block: &{FORBIDDEN} 

But the same command for app channel worked fine:

peer channel fetch config mychannel.pb -c mychannel -o ${ORDERER_URL} --tls --cafile ${ORDERER_CA}
2020-11-23 22:29:52.904 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2020-11-23 22:29:52.911 UTC [cli.common] readBlock -> INFO 002 Received block: 0
2020-11-23 22:29:52.913 UTC [channelCmd] fetch -> INFO 003 Retrieving last config block: 0
2020-11-23 22:29:52.917 UTC [cli.common] readBlock -> INFO 004 Received block: 0


Yueming Xu
 

Here are some details of my cli container added to the test-network to run this test.  Same problem:

CORE_PEER_LOCALMSPID=Org1MSP
CORE_PEER_ID=cli
CORE_PEER_ADDRESS=peer0.org1.example.com:7051
CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/test-network/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/test-network/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/test-network/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/test-network/organizations/peerOrganizations/org1.example.com/users/Admin@.../msp
CORE_PEER_TLS_ENABLED=true
ORDERER_CA=/etc/hyperledger/test-network/organizations/ordererOrganizations/example.com/msp/tlscacerts/tlsca.example.com-cert.pem
ORDERER_URL=orderer.example.com:7050

It failed for the system channel. I guess that I missed some env vars here, although it used to work for release v1.4. Or maybe it now works differently? I just wanted to export the config block so I can add more orderer nodes to the config.

CORE_PEER_LOCALMSPID=OrdererMSP CORE_PEER_ADDRESS=${ORDERER_URL} CORE_PEER_TLS_ROOTCERT_FILE=${ORDERER_CA} peer channel fetch config syschannel.pb -c system-channel -o ${ORDERER_URL} --tls --cafile ${ORDERER_CA}
2020-11-23 23:28:11.518 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2020-11-23 23:28:11.521 UTC [cli.common] readBlock -> INFO 002 Expect block, but got status: &{FORBIDDEN}
Error: can't read the block: &{FORBIDDEN}

But it still works for app channel:
peer channel fetch config mychannel.pb -c mychannel -o ${ORDERER_URL} --tls --cafile ${ORDERER_CA}
2020-11-23 23:31:40.546 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2020-11-23 23:31:40.548 UTC [cli.common] readBlock -> INFO 002 Received block: 2
2020-11-23 23:31:40.548 UTC [channelCmd] fetch -> INFO 003 Retrieving last config block: 2
2020-11-23 23:31:40.551 UTC [cli.common] readBlock -> INFO 004 Received block: 2
 


Nicholas Leonardi
 

Hey Yueming,
The problem is that the system-channel can only be fetched using the identity/MSP of the orderer. So in your CLI you gotta use CORE_PEER_ADDRESS and CORE_PEER_LOCALMSPID as the OrdererMSP.

Regards,
Nick
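
An added example, not part of the thread and not code from the posters or the Fabric project: a shell preflight for the fetch discussed above. The `peer` CLI signs the request with the identity under `CORE_PEER_MSPCONFIGPATH`, so overriding only `CORE_PEER_LOCALMSPID` while that path still points at an Org1 user does not present an orderer-organization identity. `ORDERER_ADMIN_MSP` and `ORDERER_ORG_CACERT` are hypothetical variable names for paths you supply; the channel name and MSP ID are the test-network values quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical variables:
#   ORDERER_ADMIN_MSP   MSP directory of an orderer-organization admin identity
#   ORDERER_ORG_CACERT  identity (not TLS) CA certificate of the orderer organization
# ORDERER_URL and ORDERER_CA are the variables already used in the thread.

# identity_in_org MSP_DIR ORG_CA_CERT
# Returns 0 if every certificate in MSP_DIR/signcerts chains to ORG_CA_CERT,
# 1 if one does not, 2 if the inputs are missing.
identity_in_org() {
    msp_dir=$1
    org_ca=$2
    [ -d "$msp_dir/signcerts" ] && [ -f "$org_ca" ] || return 2
    for cert in "$msp_dir"/signcerts/*; do
        [ -f "$cert" ] || return 2
        openssl verify -CAfile "$org_ca" "$cert" >/dev/null 2>&1 || return 1
    done
    return 0
}

# Fetch the system channel config block, refusing to run when the signing
# identity was not issued by the orderer organization's CA. Without this
# check the mismatch only shows up as &{FORBIDDEN} from the orderer.
fetch_system_channel_config() {
    if ! identity_in_org "$ORDERER_ADMIN_MSP" "$ORDERER_ORG_CACERT"; then
        echo "signing identity in '$ORDERER_ADMIN_MSP' is not from the orderer org" >&2
        return 1
    fi
    CORE_PEER_LOCALMSPID=OrdererMSP \
    CORE_PEER_MSPCONFIGPATH="$ORDERER_ADMIN_MSP" \
    CORE_PEER_ADDRESS="$ORDERER_URL" \
    CORE_PEER_TLS_ROOTCERT_FILE="$ORDERER_CA" \
    peer channel fetch config syschannel.pb -c system-channel \
        -o "$ORDERER_URL" --tls --cafile "$ORDERER_CA"
}
```

Call `fetch_system_channel_config` from the CLI container after exporting the two hypothetical variables alongside `ORDERER_URL` and `ORDERER_CA`.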
