Critical: Admin Certificate expired in Fabric production network V1.4. Lockout situation. #fabric #fabric-ca #tls #hyperledger-fabric


keerthycbe@...
 

We have a production blockchain network using Fabric 1.4.0. Recently we came to know that all the org admin certs expired. We were trying to update the network to replace the admin certificate with a new certificate. We did this channel config update with the old admin cert. But the network checks for signing identity expiry and rejects the channel config update by the old admin cert. We also looked for this kind of issue reported anywhere and then we encountered FAB-16141, where the same issue has been reported. Based on the comments in that issue, I understood that Fabric has been updated in v2.0 to allow replacing the admin cert even if it is expired, and the same has been backported to v1.4.X. As our current network is set up with 1.4.0, we upgraded it to 1.4.6 believing this had the fix for this. But this did not work and we still have the same issue. The chaincode transactions are going through, but we can't perform administrative operations using this expired admin cert. We are in a lockout situation and we don't know how to get out of this. We really need immediate help here to address this issue. Our company is part of the Hyperledger consortium. As Fabric 1.4 provides LTS, I'm asking for help here. Please let me know if this is not the right place to ask and if I have to go to a different forum to get immediate attention and a remedy for this issue.


Yacov
 

It should work with 1.4.6; there is an integration test that simulates this very thing:

https://github.com/hyperledger/fabric/blob/release-1.4/integration/e2e/cft_test.go#L471-L600

When("admin certificate expires", func() {
	It("is still possible to replace them", func() {

Make sure to boot your orderer(s) with ORDERER_GENERAL_AUTHENTICATION_NOEXPIRATIONCHECKS=true to prevent checking for expiration.





From:        keerthycbe@...
To:        fabric@...
Date:        03/05/2020 07:43 AM
Subject:        [EXTERNAL] [Hyperledger Fabric] Critical: Admin Certificate expired in Fabric production network V1.4. Lockout situation. #fabric #fabric-ca #tls #hyperledger-fabric
Sent by:        fabric@...





keerthycbe@...
 

Hi Yacov
 
Thanks for your immediate response. We upgraded all our nodes to 1.4.6 with the ORDERER_GENERAL_AUTHENTICATION_NOEXPIRATIONCHECKS flag set to true in the orderer nodes. After this, we created a channel config update to add the new admin certificate. This updated channel config was signed with the old admin certificate and submitted to the orderer. There is an error in the orderer saying the channel config update did not meet the policy. Except for the expired admin certificate, we are not sure what else could be wrong. Please let us know your thoughts.
 
Error details:
 
2020-03-05 10:42:01.024 UTC [orderer.common.broadcast] ProcessMessage -> WARN 8960 [channel: channel1 ] Rejecting broadcast of config message from 192.168.36.132:42070 because of error: error applying config update to existing channel 'channel1': error authorizing update: error validating DeltaSet: policy for [Value]  /Channel/Application/org1/MSP not satisfied: signature set did not satisfy policy 
 
Thanks and Regards
Keerthi


Yacov
 

The error has nothing to do with an expired certificate.
I suggest you turn on the MSP logging to debug level and then see why the policy wasn't satisfied.



From:        keerthycbe@...
To:        fabric@...
Date:        03/05/2020 03:56 PM
Subject:        [EXTERNAL] Re: [Hyperledger Fabric] Critical: Admin Certificate expired in Fabric production network V1.4. Lockout situation. #fabric #fabric-ca #tls #hyperledger-fabric
Sent by:        fabric@...






keerthycbe@...
 

Hi Yacov

Thanks for your timely help. We were able to restore our network by updating with the new admin cert and with the orderer not checking expiry, using ORDERER_GENERAL_AUTHENTICATION_NOEXPIRATIONCHECKS=true.

Thanks and Regards
Keerthi
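The lockout in this thread started with admin certificates that expired before anyone noticed. As an added example, not code from the thread or from Fabric itself, the following Go check parses a PEM certificate such as a file under an MSP's admincerts directory and reports whether it has expired and how long remains; the sample certificate it checks is constructed in the program so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckAdminCert parses one PEM-encoded X.509 certificate (e.g. a file under
// msp/admincerts) and reports whether it is expired at now, plus the time left
// until NotAfter (negative once expired).
func CheckAdminCert(pemBytes []byte, now time.Time) (bool, time.Duration, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, 0, errors.New("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, 0, err
	}
	return now.After(cert.NotAfter), cert.NotAfter.Sub(now), nil
}

// ConstructedCert builds a self-signed certificate with the given validity window.
// It is a constructed sample standing in for a real admin cert so the check runs offline.
func ConstructedCert(cn string, notBefore, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	// Constructed sample: an admin cert that expired a day ago.
	expired, left, err := CheckAdminCert(ConstructedCert("Admin@org1", now.Add(-48*time.Hour), now.Add(-24*time.Hour)), now)
	fmt.Println("expired:", expired, "remaining:", left.Round(time.Hour), "err:", err)
}
```

Running this periodically over every admincerts (and orderer/peer signcerts) file with an alert threshold of a few weeks gives the warning that was missing here.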


ramesh.bobbala1990@...
 

Hi Keerthi,

I am using the 1.4.0 version. Is this option available in the 1.4.0 version?
I even tried setting the ORDERER_GENERAL_AUTHENTICATION_NOEXPIRATIONCHECKS=true env variable in my orderer container,
but I am still getting the expired certificate error.

Regards,
Ramesh.


Gari Singh
 

You need to use 1.4.3 or later


On Wed, May 12, 2021 at 4:03 PM <ramesh.bobbala1990@...> wrote:


ramesh.bobbala1990@...
 

Hi Gari Singh,

Thanks for the reply.
I was unable to use ORDERER_GENERAL_AUTHENTICATION_NOEXPIRATIONCHECKS=true and the --tlsHandshakeTimeShift option in the 1.4.0 version.

Can you suggest how to renew my orderer and peer admin certificates, which have expired, in the 1.4.0 version?

If we change our containers' date to before the expiry date, will it work?