Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add troubleshooting document, include initial examples - ledger connection, out-of-sync RevReg #1818

Merged
merged 4 commits into from
Jun 21, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions DevReadMe.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ See the [README](README.md) for details about this repository and information ab
- [Developing](#developing)
- [Prerequisites](#prerequisites)
- [Running Locally](#running-locally)
- [Logging](#logging)
- [Running Tests](#running-tests)
- [Running Aries Agent Test Harness Tests](#running-aries-agent-test-harness-tests)
- [Development Workflow](#development-workflow)
Expand Down
13 changes: 13 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,19 @@ An ACA-Py instance puts together an OpenAPI-documented REST interface based on t

Technical note: the administrative API exposed by the agent for the controller to use must be protected with an API key (using the --admin-api-key command line arg) or deliberately left unsecured using the --admin-insecure-mode command line arg. The latter should not be used other than in development if the API is not otherwise secured.

## Troubleshooting

There are a number of resources for getting help with ACA-Py and troubleshooting
any problems you might run into. The [Troubleshooting](Troubleshooting.md)
document contains some guidance about issues that have been experienced in the
past. Feel free to submit PRs to supplement the troubleshooting document!
Searching the [ACA-Py GitHub
issues](https://github.com/hyperledger/aries-cloudagent-python/issues) will
often uncover challenges that others have experienced, often with answers to
solving those challenges. As well, there is the "aries-cloudagent-python"
channel on the Hyperledger Discord chat server ([invitation
here](https://discord.gg/hyperledger)).

## Credit

The initial implementation of ACA-Py was developed by the Government of British Columbia’s Digital Trust Team in Canada. To learn more about what’s happening with decentralized identity and digital trust in British Columbia, a new website will be launching and the link will be made available here.
Expand Down
109 changes: 109 additions & 0 deletions Troubleshooting.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
# Troubleshooting Aries Cloud Agent Python <!-- omit in toc -->

This document contains some troubleshooting information that contributors to the
community think may be helpful. Most of the content here assumes the reader has
gotten started with ACA-Py and has arrived here because of an issue that came up
in their use of ACA-Py.

Contributions (via pull request) to this document are welcome. Topics added here
will mostly come from reported issues that contributors think would be helpful
to the larger community.

## Table of Contents <!-- omit in toc -->

- [Unable to Connect to Ledger](#unable-to-connect-to-ledger)
- [Local ledger running?](#local-ledger-running)
- [Any Firewalls](#any-firewalls)
- [Damaged, Unpublishable Revocation Registry](#damaged-unpublishable-revocation-registry)

## Unable to Connect to Ledger

The most common issue hit by first time users is getting an error on startup "unable to connect to ledger". Here are a list of things to check when you see that error.

### Local ledger running?

Unless you specify via startup parameters or environment variables that you are using a public Hyperledger Indy ledger, ACA-Py assumes that you are running a local ledger -- an instance of [von-network](https://github.com/bcgov/von-network).
If that is the cause -- have you started your local ledger, and did it startup properly. Things to check:

- Any errors in the startup of von-network?
- Is the von-network webserver (usually at `https:/localhost:9000`) accessible? If so, can you click on and see the Genesis File?
- Do you even need a local ledger? If not, you can use a public sandbox ledger,
such as the [Dev Greenlight ledger](), likely by just prefacing your ACA-Py
command with `LEDGER_URL=http://dev.greenlight.bcovrin.vonx.io`. For example,
when running the Alice-Faber demo in the [demo](demo) folder, you can run (for
example), the Faber agent using the command:
`LEDGER_URL=http://dev.greenlight.bcovrin.vonx.io ./run_demo faber`

### Any Firewalls

Do you have any firewalls in play that might be blocking the ports that are used by the ledger, notably 9701-9708? To access a ledger
the ACA-Py instance must be able to get to those ports of the ledger, regardless if the ledger is local or remote.

## Damaged, Unpublishable Revocation Registry

We have discovered that in the ACA-Py AnonCreds implementation, it is possible
to get into a state where the publishing of updates to a Revocation Registry
(RevReg) is impossible. This can happen where ACA-Py starts to publish an update
to the RevReg, but the write transaction to the Hyperledger Indy ledger fails
for some reason. When a credential revocation is published, aca-py (via indy-sdk
or askar/credx) updates the revocation state in the wallet as well as on the
ledger. The revocation state is dependant on whatever the previous revocation
state is/was, so if the ledger and wallet are mis-matched the publish will fail.
(Andrew/s PR # 1804 (merged) should mitigate but probably won't completely
eliminate this from happening).

For example, in case we've seen, the write RevRegEntry transaction failed at the
ledger because there was a problem with accepting the TAA (Transaction Author
Agreement). Once the error occurred, the RevReg state held by the ACA-Py agent,
and the RevReg state on the ledger were different. Even after the ability to
write to the ledger was restored, the RevReg could still not be published
because of the differences in the RevReg state. Such a situation can now be
corrected, as follows:

To address this issue, some new endpoints were added to ACA-Py in Release 0.7.4,
as follows:

- GET `/revocation/registry/<id>/issued` - counts of the number of issued/revoked
within a registry
- GET `/revocation/registry/<id>/issued/details` - details of all credentials
issued/revoked within a registry
- GET `/revocation/registry/<id>/issued/indy_recs` - calculated rev_reg_delta from
the ledger
- This is used to compare ledger revoked vs wallet revoked credentials, which
is essentially the state of the RevReg on the ledger and in ACA-Py. Where
there is a difference, we have an error.
- PUT `/revocation/registry/<id>/fix-revocation-entry-state` - publish an update
to the RevReg state on the ledger to bring it into alignment with what is in
the ACA-Py instance.
- There is a boolean parameter (`apply_ledger_update`) to control whether the
ledger entry actually gets published so, if you are so inclined, you can
call the endpoint to see what the transaction would be, before you actually
try to do a ledger update. This will return:
- `rev_reg_delta` - same as the ".../indy_recs" endpoint
- `accum_calculated` - transaction to write to ledger
- `accum_fixed` - If `apply_ledger_update`, the transaction actually written
to the ledger

Note that there is (currently) a backlog item to prevent the wallet and ledger
from getting out of sync (e.g. don't update the ACA-Py RevReg state if the
ledger write fails), but even after that change is made, having this ability
will be retained for use if needed.

We originally ran into this due to the TAA acceptance getting lost when
switching to multi-ledger (as described
[here](https://github.com/hyperledger/aries-cloudagent-python/blob/main/Multiledger.md#a-special-warning-for-taa-acceptance).
Note that this is one reason how this "out of sync" scenario can occur, but
there may be others.

We add an integration test that demonstrates/tests this issue [here](https://github.com/hyperledger/aries-cloudagent-python/blob/main/demo/features/taa-txn-author-acceptance.feature#L67).

To run the scenario either manually or using the integration tests, you can do the following:

- Start von-network in TAA mode:
- `./manage start --taa-sample --logs`
- Start the tails server as usual:
- `./manage start --logs`
- To run the scenario manually, start faber and let the agent know it needs to TAA-accept before doing any ledger writes:
- `./run_demo faber --revocation --taa-accept`, and then you can run through all the transactions using the Swagger page.
- To run the scenario via an integration test, run:
- `./run_bdd -t @taa_required`