we are using an architecture where there is a TLS root CA and each organisation has its own intermediate TLS CA which is an immediate child to the TLS root CA (realized with fabric-ca v1.4.7). We only want to specify the TLS root CA certificate for any connection within the network (e.g. for "peer channel update --cafile") and have had some trouble achieving that in the first place. Our workaround is to append their respective intermediate TLS CA certificates to all peer/orderer TLS certificates building the proper chain of trust up to the TLS root CA certificate.
Now, when checking if we could upgrade to Hyperledger Fabric v2.1.1 (from 2.1.0), updating the system channel with a new organisation (including a new orderer) fails with the error "x509: certificate signed by unknown authority". We made sure that "tls_root_certs" and "tls_intermediate_certs" within "channel_group.groups.Orderer.groups.newOrg.values.MSP.value" both contain the correct certificates, but still faced the same error. We believe to have tracked down the problem to FAB-17733 which adds a certificate check when adding a new consenter to the raft configuration. Our configuration update for the system channel contains both the "channel_group.groups.Orderer.groups" definition for the new organisation as well as the new orderer in "channel_group.groups.Orderer.values.ConsensusType.consenters". Could this be a problem? Should we first update the orderer group definition and then add the new consenter?
Any pointers towards a fix are greatly appreciated. We would also love to learn more about how peers/orderers handle TLS connections - especially how they handle multiple CAs in their chain of trust - to be able to move away from appending intermediate TLS CA certificates to build the chain of trust manually.