Expired certificates and orderers not running using handshake time shift #fabric-questions #hyperledger-fabric #tls #signcerts
I'm having a problem with expired certificates, I'm running a cluster with several channels and I updated the certificates on time for most of them, but I forgot about a channel that was created and used only during the first initialization of the cluster.
So today in my test environment the orderers got restarted and now they don't start, my production environment has the same problem but as they haven't been restarted they are running as if nothing has changed, for now.
So, I did as it is said, in this issue and changed these environment variables:
- ORDERER_GENERAL_AUTHENTICATION_NOEXPIRATIONCHECKS: "true"
- ORDERER_GENERAL_CLUSTER_TLSHANDSHAKETIMESHIFT: 96h
- ORDERER_GENERAL_TLS_TLSHANDSHAKETIMESHIFT: 96h
- ORDERER_OPERATIONS_TLS_TLSHANDSHAKETIMESHIFT: 96h
- ORDERER_ADMIN_TLS_TLSHANDSHAKETIMESHIFT: 96h
The only handshake time shift still missing is the one from kafta that I don't use, I'm using Raft, but still, I'm getting this error trying to run the orderers:
PANI 00d Error creating ledger resources: error creating channelconfig bundle: initializing channelconfig failed: could not create channel Orderer sub-group config: setting up the MSP manager failed: CA Certificate is not valid, (SN: 512917139581241201287378615618194486727802882): could not obtain certification chain: the supplied identity is not valid: x509: certificate has expired or is not yet valid: current time 2022-02-17T14:28:20Z is after 2022-02-16T16:41:01Z
I didn't change the public keys of any of the certificates, just created new ones with a new expiration date, and I have already updated them in the msp folders, the thing was that my ICA certificate was also updated, but the old one in the channel configuration is still valid, the ones that expired are not any of the CA ones.
Things were working yesterday even restarted the environment a couple of times so a time shift of 96 hours should work, I'm not sure what else to change.
What else can I change to be able to update the channel configuration and at least be able to run my orderers?
Thank you very much
Ana Maria Franco
Tech Leader Ceiba Software