Failed to Register Public DID: did:sov:CkkrKzWFycQuwL3gjmF1NM Not Posted to Ledger #3444

Open
Zephyrsailor opened this issue Jan 14, 2025 · 7 comments

Comments

@Zephyrsailor

Zephyrsailor commented Jan 14, 2025

Description

I’m encountering an issue while attempting to register a public DID for the IssuerAgent in a von-network setup. Despite following the standard procedure, the DID registration fails with a 404 Not Found error indicating that the DID has not been posted to the ledger.

Steps to Reproduce

  1. Start the von-network Locally
./manage start --logs
  2. Launch the Endorser Agent Based on von-network’s Seed
python3 -m acapy_agent start \
  --label EndorserAgent \
  --inbound-transport http 0.0.0.0 8040 \
  --outbound-transport http \
  --admin 0.0.0.0 8041 \
  --admin-insecure-mode \
  --endpoint http://127.0.0.1:8040 \
  --wallet-type askar \
  --wallet-name endorser_wallet \
  --wallet-key endorser_wallet_key \
  --auto-provision \
  --seed "000000000000000000000000Trustee1" \
  --genesis-file ../genesis.txn \
  --trace-target log \
  --trace-label EndorserTrace \
  --auto-ping-connection \
  --auto-accept-invites \
  --auto-accept-requests \
  --auto-respond-credential-proposal \
  --auto-respond-credential-offer \
  --auto-respond-credential-request \
  --auto-store-credential \
  --auto-respond-messages \
  --log-level debug \
  --endorser-protocol-role endorser \
  --auto-endorse-transactions
  3. Start the Issuer Agent Using the Endorser’s Invitation Link
python3 -m acapy_agent start \
  --label IssuerAgent \
  --inbound-transport http 0.0.0.0 8020 \
  --outbound-transport http \
  --admin 0.0.0.0 8031 \
  --admin-insecure-mode \
  --endpoint http://127.0.0.1:8020 \
  --wallet-type askar \
  --wallet-name issuer_wallet \
  --wallet-key issuer_wallet_key \
  --auto-provision \
  --genesis-file ../genesis \
  --trace-target log \
  --trace-label IssuerTrace \
  --auto-ping-connection \
  --auto-accept-invites \
  --auto-accept-requests \
  --auto-respond-credential-proposal \
  --auto-respond-credential-offer \
  --auto-respond-credential-request \
  --auto-store-credential \
  --auto-respond-messages \
  --log-level debug \
  --endorser-protocol-role author \
  --endorser-alias faber \
  --endorser-public-did "did:sov:V4SGRU86Z58d6TV7PBUe6f" \
  --endorser-invitation '{"connection_id": "8a734256-a29e-4681-8671-cd24777bfae9", "invitation": {"@type": "https://didcomm.org/connections/1.0/invitation", "@id": "a42eb0cc-ed28-400c-bcf2-ee500a78e615", "label": "EndorserAgent", "recipientKeys": ["DdLLgSXFrzaFKQk3V14qT8YvnMTrkk1zmSaTUVMi1RQQ"], "serviceEndpoint": "http://127.0.0.1:8040"}, "invitation_url": "http://127.0.0.1:8040?c_i=eyJAdHlwZSI6ICJodHRwczovL2RpZGNvbW0ub3JnL2Nvbm5lY3Rpb25zLzEuMC9pbnZpdGF0aW9uIiwgIkBpZCI6ICJhNDJlYjBjYy1lZDI4LTQwMGMtYmNmMi1lZTUwMGE3OGU2MTUiLCAibGFiZWwiOiAiRW5kb3JzZXJBZ2VudCIsICJyZWNpcGllbnRLZXlzIjogWyJEZExMZ1NYRnJ6YUZLUWszVjE0cVQ4WXZuTVRya2sxem1TYVRVVk1pMVJRUSJdLCAic2VydmljZUVuZHBvaW50IjogImh0dHA6Ly8xMjcuMC4wLjE6ODA0MCJ9"}'
  4. Create a Local DID for the IssuerAgent
curl -X POST http://localhost:8031/wallet/did/create \
  -H "Content-Type: application/json" \
  -d '{
        "method": "sov"
      }'
•	Response:
{
  "result": {
    "did": "CkkrKzWFycQuwL3gjmF1NM",
    "verkey": "7Qaer42dQnfnfwoQF6sAYzuvNzw1owTG9TFnpKoxAqhq",
    "posture": "wallet_only",
    "key_type": "ed25519",
    "method": "sov",
    "metadata": {}
  }
}
  5. Attempt to Register the IssuerAgent’s DID as a Public DID
curl -X POST "http://localhost:8031/wallet/did/public?did=did:sov:CkkrKzWFycQuwL3gjmF1NM" \
  -H "Content-Type: application/json"

• Error Encountered:

404: DID did:sov:CkkrKzWFycQuwL3gjmF1NM is not posted to the ledger

Expected Behavior

The IssuerAgent’s DID (did:sov:CkkrKzWFycQuwL3gjmF1NM) should be successfully registered as a public DID on the ledger without any errors.

Actual Behavior

Attempting to register the DID as a public DID results in a 404 Not Found error, indicating that the DID has not been posted to the ledger.

Error Message

404: DID did:sov:CkkrKzWFycQuwL3gjmF1NM is not posted to the ledger

Environment

•	Operating System: macOS 15.3
•	Python Version: Python 3.11
•	ACA-Py Version: master
•	von-network Version: master
•	Additional Tools: askar wallet

If the entire process is incorrect, please let me know. I primarily want to manually complete the creation of the Issuer. According to the guidelines, a public DID is required, and I am currently stuck at this step.

@ff137
Contributor

ff137 commented Jan 14, 2025

You'll see in the response for creating a DID, it shows "posture": "wallet_only". That means it exists only in the wallet, and is not yet posted to the ledger.

To register the DID on the ledger: see the POST /ledger/register-nym endpoint. It requires the did and the verkey as query params, with optional query params: alias, conn_id, create_transaction_for_endorser.

After registering the DID on the ledger, you can set it as the wallet's public did, with POST /wallet/did/public.
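The order of calls described in this comment, as an added example that is not part of the original thread or of ACA-Py itself. It reads the `posture` field of a wallet DID record and returns the admin calls still outstanding. The admin address and sample record are the ones quoted in the issue; `posted` and `public` are the other posture values ACA-Py reports, and the function name is hypothetical.

```python
from urllib.parse import urlencode

ADMIN_URL = "http://localhost:8031"  # issuer admin API address used in this thread

# The /wallet/did/create response quoted in the issue, "result" part only.
SAMPLE_DID_RECORD = {
    "did": "CkkrKzWFycQuwL3gjmF1NM",
    "verkey": "7Qaer42dQnfnfwoQF6sAYzuvNzw1owTG9TFnpKoxAqhq",
    "posture": "wallet_only",
}


def next_admin_calls(record, alias=None, endorser_conn_id=None):
    """Return the ordered (method, url) admin calls still needed before
    the DID in `record` can be the wallet's public DID."""
    posture = record["posture"]
    if posture not in ("wallet_only", "posted", "public"):
        raise ValueError(f"unexpected posture: {posture!r}")
    if posture == "public":
        return []  # already the public DID, nothing left to do
    calls = []
    if posture == "wallet_only":
        # Not on the ledger yet: the NYM has to be written first.
        params = {"did": record["did"], "verkey": record["verkey"]}
        if alias:
            params["alias"] = alias
        if endorser_conn_id:
            # Author role: hand the transaction to the endorser connection.
            params["conn_id"] = endorser_conn_id
            params["create_transaction_for_endorser"] = "true"
        calls.append(("POST", f"{ADMIN_URL}/ledger/register-nym?{urlencode(params)}"))
    # Only once the DID is on the ledger can it be set as the public DID.
    public_query = urlencode({"did": record["did"]})
    calls.append(("POST", f"{ADMIN_URL}/wallet/did/public?{public_query}"))
    return calls


if __name__ == "__main__":
    for method, url in next_admin_calls(SAMPLE_DID_RECORD, alias="Faber"):
        print(method, url)
```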

@Zephyrsailor
Author

> You'll see in the response for creating a DID, it shows "posture": "wallet_only". That means it exists only in the wallet, and is not yet posted to the ledger.
>
> To register the DID on the ledger: see the POST /ledger/register-nym endpoint. It requires the did and the verkey as query params, with optional query params: alias, conn_id, create_transaction_for_endorser.
>
> After registering the DID on the ledger, you can set it as the wallet's public did, with POST /wallet/did/public.

I executed the corresponding command, but it was not successful.

http://localhost:8031/ledger/register-nym?did=did%3Asov%3ADHgRur7TJUiZYUP9ZaFWZ1&verkey=7hSDR41fydAHLzjVGKaMRRtkMFVrP8VXVZZucu8kFKVz&alias=Faber&conn_id=f2666642-9380-41ab-9efb-c45b646bc059&create_transaction_for_endorser=true&role=TRUSTEE

The response:

{
  "success": false,
  "txn": {
    "signed_txn": "{\"did\": \"did:sov:DHgRur7TJUiZYUP9ZaFWZ1\", \"verkey\": \"7hSDR41fydAHLzjVGKaMRRtkMFVrP8VXVZZucu8kFKVz\", \"alias\": \"Faber\", \"role\": \"TRUSTEE\"}"
  }
}

I reviewed the logs from aca-py (issuer agent), and it appears to be a connection issue. However, I’m unsure whether the problem lies with the endorser or Indy. Below are the relevant log excerpts:

2025-01-14 21:54:36,457 aries_askar.native.askar_storage.backend.db_utils DEBUG 	askar-storage/src/backend/db_utils.rs:104 | Acquire pool connection
2025-01-14 21:54:36,457 aries_askar.native.aries_askar.ffi.store DEBUG 	src/ffi/store.rs:643 | Started session SessionHandle(78) on store StoreHandle(1) (txn: false)
2025-01-14 21:54:36,457 aries_askar.native.sqlx.query DEBUG 	/Users/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/sqlx-core-0.7.3/src/logger.rs:120 | slow statement: execution time exceeded alert threshold summary="SELECT COUNT(*) FROM profiles …" db.statement="\n\nSELECT\n  COUNT(*)\nFROM\n  profiles\nWHERE\n  id = $1\n" rows_affected=1 rows_returned=1 elapsed=30.25µs slow_threshold=0ns
2025-01-14 21:54:36,458 aries_askar.native.askar_storage.backend.db_utils DEBUG 	askar-storage/src/backend/db_utils.rs:305 | Start transaction
2025-01-14 21:54:36,458 aries_askar.native.sqlx.query DEBUG 	/Users/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/sqlx-core-0.7.3/src/logger.rs:120 | slow statement: execution time exceeded alert threshold summary="DELETE FROM config WHERE …" db.statement="\n\nDELETE FROM\n  config\nWHERE\n  0\n" rows_affected=0 rows_returned=0 elapsed=17.709µs slow_threshold=0ns
2025-01-14 21:54:36,458 aries_askar.native.sqlx.query DEBUG 	/Users/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/sqlx-core-0.7.3/src/logger.rs:120 | slow statement: execution time exceeded alert threshold summary="INSERT OR IGNORE INTO …" db.statement="\n\nINSERT\n  OR IGNORE INTO items (profile_id, kind, category, name, value, expiry)\nVALUES\n  (?1, ?2, ?3, ?4, ?5, ?6)\n" rows_affected=1 rows_returned=0 elapsed=24.792µs slow_threshold=0ns
2025-01-14 21:54:36,458 aries_askar.native.sqlx.query DEBUG 	/Users/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/sqlx-core-0.7.3/src/logger.rs:120 | slow statement: execution time exceeded alert threshold summary="INSERT INTO items_tags (item_id, …" db.statement="\n\nINSERT INTO\n  items_tags (item_id, name, value, plaintext)\nVALUES\n  (?1, ?2, ?3, ?4)\n" rows_affected=1 rows_returned=0 elapsed=18.417µs slow_threshold=0ns
2025-01-14 21:54:36,459 aries_askar.native.sqlx.query DEBUG 	/Users/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/sqlx-core-0.7.3/src/logger.rs:120 | slow statement: execution time exceeded alert threshold summary="INSERT INTO items_tags (item_id, …" db.statement="\n\nINSERT INTO\n  items_tags (item_id, name, value, plaintext)\nVALUES\n  (?1, ?2, ?3, ?4)\n" rows_affected=1 rows_returned=0 elapsed=11.5µs slow_threshold=0ns
2025-01-14 21:54:36,459 aries_askar.native.askar_storage.backend.db_utils DEBUG 	askar-storage/src/backend/db_utils.rs:341 | Commit transaction
2025-01-14 21:54:36,460 acapy_agent.core.event_bus DEBUG Notifying subscribers: <Event topic=acapy::record::endorse_transaction::transaction_created, payload={'state': 'transaction_created', 'created_at': '2025-01-14T13:54:36.457887Z', 'updated_at': '2025-01-14T13:54:36.457887Z', 'trace': False, 'transaction_id': '2218a692-d2e5-4a1b-ab41-c5b7b7f17f9f', 'signature_request': [], 'signature_response': [], 'timing': {}, 'formats': [{'attach_id': '41bbcbb2-9453-49b3-9daa-557813440974', 'format': 'dif/endorse-transaction/request@v1.0'}], 'messages_attach': [{'@id': '41bbcbb2-9453-49b3-9daa-557813440974', 'mime-type': 'application/json', 'data': {'json': '{"did": "did:sov:DHgRur7TJUiZYUP9ZaFWZ1", "verkey": "7hSDR41fydAHLzjVGKaMRRtkMFVrP8VXVZZucu8kFKVz", "alias": "Faber", "role": "TRUSTEE"}'}}], 'meta_data': {'did': 'did:sov:DHgRur7TJUiZYUP9ZaFWZ1', 'verkey': '7hSDR41fydAHLzjVGKaMRRtkMFVrP8VXVZZucu8kFKVz', 'alias': 'Faber', 'role': 'TRUSTEE'}, 'connection_id': 'f2666642-9380-41ab-9efb-c45b646bc059'}>
2025-01-14 21:54:36,461 aries_askar.native.aries_askar.ffi.store DEBUG 	src/ffi/store.rs:1118 | Closed session SessionHandle(78)
2025-01-14 21:54:36,461 aries_askar.native.askar_storage.backend.db_utils DEBUG 	askar-storage/src/backend/db_utils.rs:179 | Dropped pool connection
2025-01-14 21:54:36,461 aiohttp.access INFO 127.0.0.1 [14/Jan/2025:21:54:36 +0800] "POST /ledger/register-nym?did=did%3Asov%3ADHgRur7TJUiZYUP9ZaFWZ1&verkey=7hSDR41fydAHLzjVGKaMRRtkMFVrP8VXVZZucu8kFKVz&alias=Faber&conn_id=f2666642-9380-41ab-9efb-c45b646bc059&create_transaction_for_endorser=true&role=TRUSTEE HTTP/1.1" 200 509 "http://localhost:8031/api/doc" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
2025-01-14 21:54:41,458 acapy_agent.ledger.indy_vdr DEBUG Closing pool ledger after timeout

@ff137
Contributor

ff137 commented Jan 14, 2025

> http://localhost:8031/ledger/register-nym?did=did%3Asov%3ADHgRur7TJUiZYUP9ZaFWZ1&verkey=7hSDR41fydAHLzjVGKaMRRtkMFVrP8VXVZZucu8kFKVz&alias=Faber&conn_id=f2666642-9380-41ab-9efb-c45b646bc059&create_transaction_for_endorser=true&role=TRUSTEE

In the above request, you specified create_transaction_for_endorser=true. This means that the request to write to ledger must first be approved by an endorser agent. You'll want to retry the request with create_transaction_for_endorser=false (which is the default). I'm not familiar with doing these requests without an endorser, but I hope it just works.

@jamshale
Contributor

jamshale commented Jan 14, 2025

Do you actually want to use an endorser? If yes.

  • Make sure there is a connection between the endorser and author agent.
  • The endorser-invitation argument expects a URL-encoded value such as http://localhost:9030?oob=...

I don't think you have the endorser <--> author connection setup right. There should be information in the logs on author startup or when you try and post a did to the ledger.
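An added example, not part of the original thread: the comment above says `--endorser-invitation` expects an invitation URL, while the issue passed the whole JSON response containing one. This sketch pulls `invitation_url` out of such a response and decodes its `c_i` or `oob` parameter (base64url-encoded JSON) to confirm it carries the same invitation. The function names are hypothetical and the sample response is constructed.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit


def decode_invitation_url(url):
    """Return (param_name, invitation_dict) from a c_i= or oob= invitation URL."""
    query = parse_qs(urlsplit(url).query)
    for name in ("c_i", "oob"):
        if name in query:
            b64 = query[name][0]
            b64 += "=" * (-len(b64) % 4)  # restore padding if it was stripped
            return name, json.loads(base64.urlsafe_b64decode(b64))
    raise ValueError("URL carries no c_i or oob invitation parameter")


def invitation_url_from_response(response):
    """Pick invitation_url out of a create-invitation style response and
    check that it encodes the invitation object sitting next to it."""
    if isinstance(response, str):
        response = json.loads(response)
    url = response["invitation_url"]
    _, decoded = decode_invitation_url(url)
    if decoded != response["invitation"]:
        raise ValueError("invitation_url does not encode the invitation object")
    return url


def constructed_response():
    # Constructed sample shaped like the JSON passed to --endorser-invitation
    # in the issue; the @id and key are placeholders, not values from the thread.
    inv = {
        "@type": "https://didcomm.org/connections/1.0/invitation",
        "@id": "00000000-0000-0000-0000-000000000000",
        "label": "EndorserAgent",
        "recipientKeys": ["PLACEHOLDER_VERKEY"],
        "serviceEndpoint": "http://127.0.0.1:8040",
    }
    c_i = base64.urlsafe_b64encode(json.dumps(inv).encode()).decode()
    return {"invitation": inv, "invitation_url": f"http://127.0.0.1:8040?c_i={c_i}"}


if __name__ == "__main__":
    url = invitation_url_from_response(constructed_response())
    print(url)
    print(decode_invitation_url(url))
```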

@Zephyrsailor
Author

> > http://localhost:8031/ledger/register-nym?did=did%3Asov%3ADHgRur7TJUiZYUP9ZaFWZ1&verkey=7hSDR41fydAHLzjVGKaMRRtkMFVrP8VXVZZucu8kFKVz&alias=Faber&conn_id=f2666642-9380-41ab-9efb-c45b646bc059&create_transaction_for_endorser=true&role=TRUSTEE
>
> In the above request, you specified create_transaction_for_endorser=true. This means that the request to write to ledger must first be approved by an endorser agent. You'll want to retry the request with create_transaction_for_endorser=false (which is the default). I'm not familiar with doing these requests without an endorser, but I hope it just works.

It has failed again. I think I still have misconceptions about this role and its permission structure. I need to further study this aspect. On the other hand, I will dive deeper into the code to understand the logic behind this method.

@Zephyrsailor
Author

> Do you actually want to use an endorser? If yes.
>
>   • Make sure there is a connection between the endorser and author agent.
>   • The endorser-invitation argument expects a URL-encoded value such as http://localhost:9030?oob=...
>
> I don't think you have the endorser <--> author connection setup right. There should be information in the logs on author startup or when you try and post a did to the ledger.

My initial goal was to build various roles from scratch, progressing from generating DIDs to providing verifiable credentials. Regarding the necessity of an endorser, I’ve learned that for a standard ACA-Py agent to become an issuer, a public DID is required. There are several ways to generate a public DID:
1. Built using a trustee, which operates at a lower level.
2. Requires an endorser.

In practical scenarios, issuers need to write schemas and verifiable presentations (VPs) to the ledger, making it reasonable for an issuer to require an endorser.

Finally, I need more resources and research to better understand the implementation of multi-role setups in ACA-Py and their permission structures.

@Zephyrsailor
Author

After multiple attempts and deeper understanding, I found that within the mechanism involving endorsing nodes, the endorser needs to first register the DID on the ledger by calling http://test.bcovrin.vonx.io/register, and then make the DID public. For issuers, when using the nym interface to register a DID, they are required to provide the signature of the public DID identity. This is to establish a trust chain, as all core operations need to be signed by relevant parties and recorded on the ledger. In subsequent calls to the /ledger/register-nym interface, both the signature of the issuer’s public DID and the endorser’s signature are needed to complete the trust verification process.
