Re: Update expired orderer org admin certificate and orderer certs #fabric-questions #fabric-orderer #signcerts #fabric

Mattia Bolzonella

Hi Chris,
Thank you for the quick reply. I will illustrate my situation; it's the worst possible scenario (production environment). I'm on Fabric 2.2.2 for all my components except the Fabric CAs, which are version 1.4.6.
I generated all my certs for the orderer org and the peer org with 2 separate CAs, but now I found out that *all* the certs are expired (except for the root CA certs). So my situation is:
  • all admin certs (orderer org and peer org) expired;
  • all MSP certs (signcerts, I think that's what they are called) of both orgs for every component (I have 3 orderers and 2 peers) expired;
  • all TLS certs expired;
I followed the Jira issue, which helped to start the orderers; even with the flag for ignoring the TLS cert expiration date they were not starting. To resolve this I had to generate new certs for the orderers' MSP; I kept the expired TLS certs.
I generated new certs for the peer organization and started the peers pointing at the new certs. In addition, the peer CLI has visibility of the expired MSP (and TLS) certs of the orderer org, so in this way I managed to fetch the system-channel config block.

So now what I have to do (I think):
  • Update the orderer admin certs in the *system channel*, but which section of the block do I have to modify? Channel, Application, Consortium or Orderer?
  • Update the consenter certs with updated certs for the orderer org; in this case I know that I have to do one update at a time, but the same question as before: which section?
  • Repeat the previous steps for all "normal" channels
Is this the right procedure?
I really appreciate your help, thank you!

On Wed, 5 May 2021 at 15:06, Chris Gabriel <alaskadd@...> wrote:
Hi Mattia,

Happy to help you.  Can you please provide a bit more detail about your environment?  For example, are you on Fabric 1.4 with a solo orderer, raft, etc.?
Beyond the above question, here are the relevant sections from the Fabric documentation to follow

To figure out what you have to edit, in the docs at the link above, pay close attention to the ‘Channel parameters that can be updated’ section as this contains a sample decoded configuration with a section for each org MSP and the orderer (click the dropdown where it says ‘click here to see the config’).  In the example, you will note that all certs are converted to base64 from PEM, so you will have to do this when you paste the new certs into the configuration.  Also, the example only shows a single Raft node consenter, so if you have more you will have to update each one.

At a high level, the steps are to:
Set the environment variables for the org you are acting as
Pull and decode the configuration (to human readable form in the form of a json file. If you copy and paste the commands from the docs you will end up with a file called ‘modified_config.json’ which you will edit in a text editor or VSCode, etc.)
Modify (edit) the configuration
Re-encode the configuration reflecting your updated certs
Submit the update using the ‘peer channel update’ command
Get the necessary signatures according to your policies (note you will have to sign using your old certs before the update can happen)

I hope this helps,

On May 5, 2021, at 6:02 AM, Mattia Bolzonella <mattia.bolzonella@...> wrote:

Hi, I need to update the orderer org admin of the system channel; it's expired, but I managed to start the orderer and peer following FAB-18384. Now I need to update the channel configuration, but I have no clue what to modify and how. Can someone help me?


Mattia Bolzonella
Software Developer
IFIN SISTEMI S.R.L. a socio unico
Via G. Medici 9/a - 35138 Padova (PD)
+39 049 500 1 500

The information, data and news contained in this communication and the related attachments are of a private nature and as such may be confidential and are, in any case, intended exclusively for the recipients indicated above. Dissemination, distribution and/or copying of the transmitted document by anyone other than the recipient is prohibited, both under art. 616 of the Italian Criminal Code and under Legislative Decree 196/2003 and EU Regulation 2016/679. If you have received this message in error, please destroy it and notify us immediately, also by sending a reply to the sender's e-mail address. The data subject may exercise all the rights provided for under articles 13, paragraph 2, letters (b) and (d), and 15-21 of EU Regulation 2016/679 by sending a message to the sender's e-mail address or by calling 049 500 1 500. Please read the Privacy Policy available at

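As an added example (not code from either poster or from the Fabric project): the "which section?" question in the reply above comes down to where each item sits in the decoded JSON that Chris's pull-and-decode step produces. The script below works on that JSON, locates an org's MSP under the Orderer, Application or Consortiums group, locates the Raft consenters under the Orderer group's ConsensusType value, and writes new certs in the base64-of-PEM form the config expects. The MSP IDs (OrdererMSP, Org1MSP), the consortium name (SampleConsortium), the orderer host names and every PEM string are assumptions and constructed placeholders, and the skeleton config is constructed to hold only the paths the example touches.

```python
"""Locate and rotate certificates in a decoded Fabric channel config.

Added example for this thread, not code from the Fabric project. It edits
the JSON produced by `configtxlator proto_decode` (the file the docs call
modified_config.json). Assumed names: orderer org MSP ID OrdererMSP,
consortium SampleConsortium, peer org Org1MSP; every PEM below is a
constructed placeholder, not a real certificate.
"""
import base64
import copy
import json

# Constructed placeholders standing in for real PEM files.
OLD_ADMIN_PEM = "-----BEGIN CERTIFICATE-----\nOLD-ADMIN\n-----END CERTIFICATE-----\n"
NEW_ADMIN_PEM = "-----BEGIN CERTIFICATE-----\nNEW-ADMIN\n-----END CERTIFICATE-----\n"
OLD_TLS_PEM = "-----BEGIN CERTIFICATE-----\nOLD-TLS\n-----END CERTIFICATE-----\n"
NEW_TLS_PEM = "-----BEGIN CERTIFICATE-----\nNEW-TLS\n-----END CERTIFICATE-----\n"


def pem_to_b64(pem: str) -> str:
    """The JSON config holds each cert as base64 of the PEM text (BEGIN/END
    lines included), not of the DER, so encode the whole file."""
    return base64.b64encode(pem.encode()).decode()


def msp_config(config: dict, section: str, msp_id: str, consortium: str = None) -> dict:
    """MSP config of one org. section is 'Orderer' (orderer orgs, every
    channel), 'Application' (peer orgs, application channels) or
    'Consortiums' (peer orgs in the system channel, under a consortium)."""
    groups = config["channel_group"]["groups"]
    if section == "Consortiums":
        if consortium is None:
            raise ValueError("Consortiums section needs a consortium name")
        org = groups["Consortiums"]["groups"][consortium]["groups"][msp_id]
    elif section in ("Orderer", "Application"):
        org = groups[section]["groups"][msp_id]
    else:
        raise ValueError(f"unknown section {section!r}")
    return org["values"]["MSP"]["value"]["config"]


def consenters(config: dict) -> list:
    """Raft consenters live in the Orderer group's ConsensusType value."""
    orderer = config["channel_group"]["groups"]["Orderer"]
    return orderer["values"]["ConsensusType"]["value"]["metadata"]["consenters"]


def build_admin_update(original: dict, section: str, msp_id: str,
                       new_admin_pems: list, consortium: str = None) -> dict:
    """Copy of the config with the org's admins list replaced. When NodeOUs
    are enabled and the list is already empty, admin rights come from the
    admin OU in a cert issued by the (still valid) CA, so the list is left
    empty: nothing in the channel config needs to change for that org."""
    modified = copy.deepcopy(original)
    cfg = msp_config(modified, section, msp_id, consortium)
    node_ous = cfg.get("fabric_node_ous") or {}
    if not (node_ous.get("enable") and not cfg.get("admins")):
        cfg["admins"] = [pem_to_b64(p) for p in new_admin_pems]
    return modified


def build_consenter_update(original: dict, host: str, port: int,
                           server_pem: str, client_pem: str = None) -> dict:
    """Copy of the config with one consenter's TLS certs rotated, matched by
    host:port. Keep this in its own update and rotate one consenter per
    update; Raft reconfiguration accepts a single consenter change at a time."""
    modified = copy.deepcopy(original)
    matches = [c for c in consenters(modified) if c["host"] == host and c["port"] == port]
    if len(matches) != 1:
        raise ValueError(f"expected one consenter at {host}:{port}, found {len(matches)}")
    matches[0]["server_tls_cert"] = pem_to_b64(server_pem)
    matches[0]["client_tls_cert"] = pem_to_b64(client_pem or server_pem)
    return modified


def sample_config() -> dict:
    """Constructed skeleton of a decoded system-channel config holding only
    the paths this example touches (a real one carries far more)."""
    def org(admins, node_ous=False):
        return {"values": {"MSP": {"value": {"config": {
            "admins": admins, "fabric_node_ous": {"enable": node_ous}}}}}}

    def consenter(host):
        return {"host": host, "port": 7050,
                "client_tls_cert": pem_to_b64(OLD_TLS_PEM),
                "server_tls_cert": pem_to_b64(OLD_TLS_PEM)}

    return {"channel_group": {"groups": {
        "Orderer": {
            "groups": {"OrdererMSP": org([pem_to_b64(OLD_ADMIN_PEM)])},
            "values": {"ConsensusType": {"value": {"metadata": {"consenters": [
                consenter("orderer0.example.com"), consenter("orderer1.example.com")]}}}}},
        "Consortiums": {"groups": {"SampleConsortium": {"groups": {
            "Org1MSP": org([], node_ous=True)}}}},
    }}}


if __name__ == "__main__":
    step1 = build_admin_update(sample_config(), "Orderer", "OrdererMSP", [NEW_ADMIN_PEM])
    print(json.dumps(step1, indent=1))  # this is what goes back through proto_encode
```

Decode the fetched block with `configtxlator proto_decode`, pass the resulting JSON through `build_admin_update` or `build_consenter_update`, and then continue with the steps Chris lists (re-encode, compute the update, sign, `peer channel update`). The two edits are deliberately separate functions: the admins list change and a single consenter's TLS rotation each go in their own update, and consenters are rotated one per update. The NodeOU branch matters on 2.x: if `fabric_node_ous.enable` is true and the admins list is empty, the admin identity is recognised by its OU, so a fresh admin cert from the still-valid CA needs no channel update at all for that org.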