Re: Update expired orderer org admin certificate and orderer certs #fabric #fabric-questions #fabric-orderer #signcerts


Mattia Bolzonella
 

Hi Ramesh,
I've managed to restore my production network but without adding new org. I think it's better if you first restore the network and then add the new organization (having an extra org involves more unwanted complexity). 
So my procedure was: I just replaced the orderers' MSP certs (*not the TLS folder*) with new certs (I had a problem of MSP cert expiration), and the peers' certs:
  1. update orderer admin certs first in the system channel, then in every other application channel
  2. update peer admin certs first in the system channel, then in every other application channel
  3. Update orderers
Update Orderers
To update the orderer I make sure of the following:
  • At every moment, in all my channels the quorum must be reached (with 3 orderers, 2 of them must communicate to reach consensus)
  • When updating orderer X, orderer X must be on. After updating all the channels I replaced the TLS certs and restarted the node.

Update Orderer0
All the orderers had the following parameters set:
ORDERER_GENERAL_AUTHENTICATION_NOEXPIRATIONCHECKS=true
ORDERER_GENERAL_TLS_TLSHANDSHAKETIMESHIFT=200h
ORDERER_GENERAL_CLUSTER_TLSHANDSHAKETIMESHIFT=200h

I updated all the channel configs (consenter section) with the updated TLS cert of orderer0. Then I restarted the node.

Update Orderer1
Orderer parameters:
- Orderer0 with timeshift on (can communicate with orderer2)
- Orderer1 with timeshift
- Orderer2 without timeshift (so it can communicate with orderer0 and send update to Orderer1)

As for Orderer0, this orderer was up and running while I updated all the channel configurations. Then I put the new TLS certs in place and restarted the orderer.
Note: when changing the orderer parameters you need to execute docker-compose up for the orderer.

Update Orderer2
Orderer parameters:
- Orderer0 without timeshift
- Orderer1 without timeshift
- Orderer2 without timeshift


I'm not 100% sure about the timeshift combination; in any case, if the combination is wrong you will get an error on the update saying that you will lose consensus. Try another combination and you are good to go.

P.S. About your error:
I think you need to sign the update block with the necessary admin orgs in order to update. 
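The consenter-section update from the procedure above, as an added example that is not part of the original post: it assumes the channel config has already been decoded to JSON with configtxlator (standard Fabric layout under channel_group.groups.Orderer.values.ConsensusType.value.metadata), and the sample config and PEM blobs are constructed placeholders.

```python
"""Rotate one Raft consenter's TLS cert in a decoded Fabric channel config.
Added example (not from the post); assumes the config was decoded to JSON
with configtxlator. SAMPLE_CONFIG and the PEM blobs are constructed."""
import base64
import copy

CONSENTERS_PATH = ("channel_group", "groups", "Orderer", "values",
                   "ConsensusType", "value", "metadata", "consenters")


def consenters(config):
    """Walk to the etcdraft consenter list inside the decoded config."""
    node = config
    for key in CONSENTERS_PATH:
        node = node[key]
    return node


def rotate_consenter_tls(config, host, port, new_tls_pem):
    """Return a copy of config where consenter host:port carries new_tls_pem.
    Fabric keeps consenter certs base64-encoded in the JSON; only the one
    matching consenter is touched, so each call is one channel update."""
    if b"-----BEGIN CERTIFICATE-----" not in new_tls_pem:
        raise ValueError("new_tls_pem must be a PEM certificate")
    updated = copy.deepcopy(config)
    hits = [c for c in consenters(updated)
            if c["host"] == host and int(c["port"]) == port]
    if len(hits) != 1:
        raise ValueError(f"{host}:{port} matched {len(hits)} consenters")
    encoded = base64.b64encode(new_tls_pem).decode("ascii")
    hits[0]["client_tls_cert"] = encoded
    hits[0]["server_tls_cert"] = encoded
    return updated


def changed_consenters(before, after):
    """Hosts whose TLS cert differs between two configs; keep it to one."""
    new_certs = {c["host"]: c["server_tls_cert"] for c in consenters(after)}
    return sorted(c["host"] for c in consenters(before)
                  if c["server_tls_cert"] != new_certs.get(c["host"]))


OLD_PEM = b"-----BEGIN CERTIFICATE-----\nOLD\n-----END CERTIFICATE-----\n"
NEW_PEM = b"-----BEGIN CERTIFICATE-----\nNEW\n-----END CERTIFICATE-----\n"
OLD_B64 = base64.b64encode(OLD_PEM).decode("ascii")
SAMPLE_CONFIG = {"channel_group": {"groups": {"Orderer": {"values": {
    "ConsensusType": {"value": {"metadata": {"consenters": [
        {"host": f"orderer{i}.example.com", "port": 7050,
         "client_tls_cert": OLD_B64, "server_tls_cert": OLD_B64}
        for i in range(3)]}}}}}}}}
```

Running changed_consenters on the before/after JSON before encoding the update with configtxlator is a cheap check that only the intended orderer is touched in that update.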