When I try to create a channel using Hyperledger Fabric, the request fails

This error occurs when there is a problem with the identity (consisting of MSP ID, certificate, and keys) that submitted the request. If you use the default Fabric configuration policies, channels need to be created by organization administrators. The error is produced by your identity not being able to satisfy the default policy on the /Channel/Application/Admins path.

There are several reasons why the policy would reject your identity, including the use of invalid or expired certificates. You can learn more about why the request failed by looking at your orderer logs. The Ordering Service is the node that enforces the policies that create or update channels.

When you examine your orderer logs, look for an error that is similar to what was returned to your client. You may find an error from a certificate check immediately preceding the policy error (Principal deserialization failure). This implies that the channel creation was rejected because the MSP ID was not recognized as valid.

Ordering Service logs:

2019-08-06 15:31:43.589 UTC [cauthdsl] deduplicate -> ERRO 021 Principal deserialization failure
(MSP SampleOrg is unknown) for identity 0
2019-08-06 15:31:43.589 UTC [orderer.common.broadcast] ProcessMessage -> WARN 022 [channel:
testchannel] Rejecting broadcast of config message from 172.27.0.7:34750 because of error: error
validating channel creation transaction for new channel 'testchannel', could not succesfully apply
update to template configuration: error authorizing update: error validating DeltaSet: policy for
[Group]  /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies
were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied

The error before the policy warning, ERRO 021 Principal deserialization failure (MSP SampleOrg is unknown) for identity 0, indicates that the MSP ID that was passed as a parameter with the request was not recognized by the ordering service. This could be a result of passing the wrong MSP ID to the command. This error may also indicate that your organization has not joined the consortium hosted by the ordering service system channel. If you are updating an application channel, this error could occur if your organization is not yet a member of the channel you are trying to update.

If the MSP ID of the identity is valid, you may encounter the following certificate validation error:

Ordering Service logs:

2019-08-06 15:34:45.730 UTC [cauthdsl] deduplicate -> ERRO 02d Principal deserialization failure
(the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2019-08-06 15:34:45.730 UTC [orderer.common.broadcast] ProcessMessage -> WARN 02e [channel:
testchannel] Rejecting broadcast of config message from 172.27.0.7:36214 because of error: error
validating channel creation transaction for new channel 'testchannel', could not succesfully apply
update to template configuration: error authorizing update: error validating DeltaSet: policy for
[Group]  /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies
were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied

In this case, the ordering service recognized your MSP ID, but could not validate that your certificate was issued by one of your organization’s certificate authorities. If you are managing multiple organizations, this error could be the result of you using a mismatched MSP ID and certificate to submit the request. This error could also occur if your admin certificates have expired. If this is a test network that has been launched recently, you may be issuing the request from an identity that was created by a certificate authority on an older incarnation of your network.

More commonly, your certificate passes the validation check but does not satisfy the channel creation policy. If that is the case, the error in your orderer logs would look like the following:

Ordering Service logs:

2019-08-06 15:36:52.307 UTC [orderer.common.broadcast] ProcessMessage -> WARN 032 [channel:
testchannel] Rejecting broadcast of config message from 172.27.0.7:37236 because of error: error
validating channel creation transaction for new channel 'testchannel', could not succesfully apply
update to template configuration: error authorizing update: error validating DeltaSet: policy for
[Group]  /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies
were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied

The identity that submitted the request is a valid member of your organization, and your organization is recognized as a member of the system channel or application channel. However, the identity did not have permission to create a channel: you may have submitted the request with an identity that is not your organization administrator. Submit the request from your admin identity, or create a new admin and have the channel administrator update your organization MSP.

If you encounter this error for operations other than channel creation, your certificate may not be authorized for the correct role. Check that your client certificates and peer certificates carry the client and peer OUs, respectively.
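The three orderer log signatures discussed above can be recognized mechanically. The script below is an added example, not code from the article or from Hyperledger Fabric: it scans orderer log lines for the unknown-MSP, unknown-CA and Admins-policy messages and reports the most specific cause, since the policy warning follows every deserialization error in the same rejection. The sample lines are the article's own log excerpts, re-joined onto single lines the way the orderer actually emits them.

```python
"""Triage orderer log lines for rejected channel create/update requests."""
import re
from typing import Dict, List, Optional

# Each signature: a short kind, the regex that matches it, and the remediation
# the article gives for it. The policy pattern is listed last because it is the
# least specific: it is also printed after each deserialization failure.
SIGNATURES = [
    ("unknown_msp",
     re.compile(r"Principal deserialization failure \(MSP (?P<detail>\S+) is unknown\)"),
     "MSP ID not known to the orderer: check the MSP ID passed to the command, "
     "consortium membership, or (for updates) channel membership"),
    ("unknown_ca",
     re.compile(r"Principal deserialization failure \(the supplied identity is not valid: "
                r"(?P<detail>[^)]+)\)"),
     "MSP known but certificate not issued by the org's CA: check for a mismatched "
     "MSP ID/certificate pair, an expired admin cert, or a cert from an older network"),
    ("policy_unsatisfied",
     re.compile(r"policy for \[Group\]\s+(?P<detail>/\S+) not satisfied: .*requires \d+ of the "
                r"'(?P<sub>\w+)' sub-policies"),
     "identity valid but not an org admin: resubmit with the admin identity or have the "
     "channel admin add a new admin to the org MSP"),
]

# Orderer log excerpts from the article (each wrapped log record joined into one line).
CASE_UNKNOWN_MSP = [
    "2019-08-06 15:31:43.589 UTC [cauthdsl] deduplicate -> ERRO 021 Principal deserialization "
    "failure (MSP SampleOrg is unknown) for identity 0",
    "2019-08-06 15:31:43.589 UTC [orderer.common.broadcast] ProcessMessage -> WARN 022 [channel: "
    "testchannel] Rejecting broadcast of config message from 172.27.0.7:34750 because of error: "
    "error validating channel creation transaction for new channel 'testchannel', could not "
    "succesfully apply update to template configuration: error authorizing update: error "
    "validating DeltaSet: policy for [Group]  /Channel/Application not satisfied: implicit policy "
    "evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' "
    "sub-policies to be satisfied",
]
CASE_UNKNOWN_CA = [
    "2019-08-06 15:34:45.730 UTC [cauthdsl] deduplicate -> ERRO 02d Principal deserialization "
    "failure (the supplied identity is not valid: x509: certificate signed by unknown authority) "
    "for identity 0",
    CASE_UNKNOWN_MSP[1].replace("WARN 022", "WARN 02e").replace("34750", "36214"),
]
CASE_POLICY_ONLY = [CASE_UNKNOWN_MSP[1].replace("WARN 022", "WARN 032").replace("34750", "37236")]


def classify_line(line: str) -> Optional[Dict[str, str]]:
    """Return {kind, detail, hint} for a recognised log line, else None."""
    for kind, pattern, hint in SIGNATURES:
        m = pattern.search(line)
        if m:
            detail = m.group("detail")
            if m.groupdict().get("sub"):
                detail += f" (needs '{m.group('sub')}')"
            return {"kind": kind, "detail": detail, "hint": hint}
    return None


def root_cause(lines: List[str]) -> Optional[Dict[str, str]]:
    """Pick the most specific finding: a deserialization error outranks the
    policy warning that the orderer prints after it for the same request."""
    findings = [f for f in (classify_line(line) for line in lines) if f]
    if not findings:
        return None
    specific = [f for f in findings if f["kind"] != "policy_unsatisfied"]
    return specific[0] if specific else findings[0]


if __name__ == "__main__":
    for name, case in (("unknown MSP", CASE_UNKNOWN_MSP), ("unknown CA", CASE_UNKNOWN_CA),
                       ("policy only", CASE_POLICY_ONLY)):
        cause = root_cause(case)
        print(f"{name}: {cause['kind']} [{cause['detail']}] -> {cause['hint']}")
```

To run it over a real orderer, pipe the container log into `root_cause(sys.stdin.read().splitlines())`; the "succesfully" spelling in the sample is the orderer's own message text and is left as emitted.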

Additional debugging techniques

If you need additional help debugging a policy or certificate related error, you can increase the logging level related to those components:

FABRIC_LOGGING_SPEC="WARN:cauthdsl=debug:policies=debug:msp=debug"

You can also manually pull your organization's root certificate from an application or system channel and use it to verify your client-side certificates. Use the following command to pull the latest configuration block from your channel.

peer channel fetch config ./configupdate/config_block.pb -o <orderer_endpoint> -c <my_channel> --tls --cafile <PATH_TO_ORDERER_TLS_CERT>

Then use the following command to convert the configuration block into JSON.

configtxlator proto_decode --type=common.Block --input=config_block.pb --output=config_block.json

This allows you to pull the root certificate from the block using the following command. Replace <MSPID> with the MSP ID of your organization.

jq -r .data.data[0].payload.data.config.channel_group.groups.Application.groups.<MSPID>\
.values.MSP.value.config.root_certs[0] config_block.json | base64 --decode > root.pem

If your MSP defines multiple root certificates or uses intermediate certificates, you will need to adjust the jq command above to properly extract them.

You can then use tools such as OpenSSL to validate your client-side admin certificate against the root certificate.

openssl verify -CAfile <root.pem> <admincert.pem>

You can also use the following command to open the certificate and examine it in plaintext. This allows you to check fields such as the expiration date, the node OU, or the issuing CA.

openssl x509 -in <admincert.pem> -text
