Re: Update expired orderer org admin certificate and orderer certs #fabric #fabric-questions #fabric-orderer #signcerts


Mattia Bolzonella
 

Hi Chris,
Thanks for the advice, the certs are correct. I will explain the situation better:

Currently I have 2 channels and 3 orderers with expired TLS certs.

  • the system channel
  • an application channel, called 'mychannel'
I've updated the admins of the orderer and peer organizations (2 separate orgs) in the system channel, and after that I executed a channel config update to change the certs of the first orderer (called ord0).

After that I restarted the orderer and now I have:
  • In mychannel ord0 cannot participate in the consensus, as expected since the channel config is not updated
  • In the system channel I continuously get TLS handshake errors with the other orderers (ord1 & ord2)


The configuration of the orderer containers is the following:

ORD0
ORDERER_GENERAL_AUTHENTICATION_NOEXPIRATIONCHECKS=true

ORD1 & ORD2

ORDERER_GENERAL_AUTHENTICATION_NOEXPIRATIONCHECKS=true
ORDERER_GENERAL_TLS_TLSHANDSHAKETIMESHIFT=200h
ORDERER_GENERAL_CLUSTER_TLSHANDSHAKETIMESHIFT=200h

Now, since ord1 & ord2 have expired certs I think I need the TimeShift; in fact they are able to reach consensus (I can pull the latest config block from the system channel).
But with these settings, the certs of ord0 are not yet valid since ord1 & ord2 are in the past.

So I tried a different configuration just to see what happens:
 
ORD0
ORDERER_GENERAL_TLS_TLSHANDSHAKETIMESHIFT=200h
ORD1 -> no timeshift set
ORD2 -> Stopped, to not flood the logs of the other orderers

In this way on the system channel I can get a quorum using ord0 (new certs) and ord1 (expired). I think I got the procedure. But there is one thing I'm not sure of:
Now I'm in a situation in which I'm able to get 2 orderers out of 3 to communicate thanks to the time shift parameter. If I update all the orderers in the system channel with new certs I would have the system channel correctly configured and all the certs on the FS of the orderers updated.
 
Now the problem comes with the application channel "mychannel"
 
After updating the system channel I have new certs in the FS of the orderers, but the update wouldn't be possible on mychannel because I have a mismatch between the certs on the FS and the certs in the config block of the channel, am I right?
 
So I should update one orderer at a time in every channel, that's what I'm considering.
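As an added check (my own example, not code from this thread or from Fabric itself), the mismatch described above between the TLS certs on an orderer's filesystem and the consenter entry in a channel's config can be verified offline against a decoded config block. The JSON path follows the shape of `configtxlator proto_decode --type common.Block` output; the host name, file paths and certificate bodies are constructed assumptions.

```python
import base64
import json
import re
import sys

# Constructed sample: placeholder base64 bodies stand in for real certificates so this runs offline.
CURRENT_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgU0FNUExFIENFUlQ=\n-----END CERTIFICATE-----\n"
RENEWED_PEM = "-----BEGIN CERTIFICATE-----\nUkVORVdFRCBTQU1QTEUgQ0VSVA==\n-----END CERTIFICATE-----\n"
CURRENT_B64 = base64.b64encode(CURRENT_PEM.encode()).decode()  # how consenter certs appear in the decoded JSON

# Constructed decoded config block (shape of `configtxlator proto_decode --type common.Block`),
# with one etcdraft consenter that still carries the CURRENT (expired) certs.
SAMPLE_BLOCK = {"data": {"data": [{"payload": {"data": {"config": {"channel_group": {"groups": {
    "Orderer": {"values": {"ConsensusType": {"value": {"metadata": {"consenters": [
        {"host": "ord0.example.com", "port": 7050,
         "client_tls_cert": CURRENT_B64, "server_tls_cert": CURRENT_B64}
    ]}}}}}}}}}}}]}}

def pem_to_der(pem: str) -> bytes:
    """DER bytes of the first CERTIFICATE block, so line wrapping or trailing whitespace can't hide a match."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def consenters(block: dict) -> list:
    """Walk a decoded config block down to the etcdraft consenter list."""
    cfg = block["data"]["data"][0]["payload"]["data"]["config"]
    orderer = cfg["channel_group"]["groups"]["Orderer"]
    return orderer["values"]["ConsensusType"]["value"]["metadata"]["consenters"]

def check_consenter(block: dict, host: str, server_pem: str, client_pem: str) -> dict:
    """Report whether the on-disk server/client TLS certs equal the consenter entry for `host`."""
    for c in consenters(block):
        if c["host"] == host:
            cfg_server = pem_to_der(base64.b64decode(c["server_tls_cert"]).decode())
            cfg_client = pem_to_der(base64.b64decode(c["client_tls_cert"]).decode())
            return {"found": True,
                    "server_match": cfg_server == pem_to_der(server_pem),
                    "client_match": cfg_client == pem_to_der(client_pem)}
    return {"found": False, "server_match": False, "client_match": False}

if __name__ == "__main__":
    # Usage (hypothetical paths): check.py config_block.json ord0.example.com tls/server.crt tls/server.crt
    block_path, host, server_path, client_path = sys.argv[1:5]
    with open(block_path) as b, open(server_path) as s, open(client_path) as c:
        print(check_consenter(json.load(b), host, s.read(), c.read()))
```

Run it once per channel (system channel and mychannel) against the same orderer; a `server_match`/`client_match` of False on a channel tells you that channel's config still has to be updated before that orderer's new certs will be accepted there.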

Join fabric@lists.hyperledger.org to automatically receive all group messages.