Issue updating TLS certificates for Raft Consenters #consensus #configtxgen #fabric-orderer


afrancoc2000@...
 

Hi, 

I'm having trouble updating the TLS certificates for my blockchain's orderers. When I created my certificates I was using hlf v1.4 and golang 1.14, and SANs weren't enforced. Now I have upgraded my blockchain to v2.4 and updated the certificates to include SANs, but as the configuration doesn't allow updating both consenters at the same time, I updated orderer1 and left orderer2 unchanged. Now they are running but they don't reach consensus. Orderer1 is saying the certificate is wrong because the SAN is missing, and even though I added the GODEBUG="netdns=go,x509ignoreCN=0" environment variable I'm still getting the error, and without consensus I cannot change the second certificate.

Another issue I ran into is that I also had to update the CA intermediate certificate, so I'm setting the orderers' properties like this:

Orderer1 (updated certificate):
ORDERER_GENERAL_TLS_ROOTCAS=/var/hyperledger/orderer/tls/newcachain.crt
ORDERER_GENERAL_TLS_CLIENTROOTCAS=/var/hyperledger/orderer/tls/oldcachain.crt

Orderer1 (old certificate):
ORDERER_GENERAL_TLS_ROOTCAS=/var/hyperledger/orderer/tls/oldcachain.crt
ORDERER_GENERAL_TLS_CLIENTROOTCAS=/var/hyperledger/orderer/tls/newcachain.crt

Is there another way to bypass SAN verification? I downgraded both orderers to v2.3 with no luck. Or how could I revert the changes in the configuration, restore my old configtx, and try to change both certificates at once?

Thank you very much

Ana Maria Franco
Tech Leader - Ceiba Software


Yacov
 

Can't you just issue the certificate with the same public key but with SANs?
You don't need to do the config update if the public key of the TLS certificate stays the same.
You can just change the certificate and that's it.

From: fabric@... <fabric@...> on behalf of afrancoc2000@... <afrancoc2000@...>
Sent: Wednesday, February 9, 2022 12:01 AM
To: fabric@... <fabric@...>
Subject: [EXTERNAL] [Hyperledger Fabric] Issue updating TLS certificates for Raft Consenters #consensus #configtxgen #fabric-orderer
 


afrancoc2000@...
 

Hi Yacov,

Thanks, I saw the commits with that change, so I tried that first: I generated the new certs using the same private keys and uploaded them without changing the configuration, but I don't know why, it didn't work; the orderers didn't start. That's why I'm changing the config.

I just tried downgrading to v2.3 and forcing GODEBUG=x509ignoreCN=0 by running the orderer command like this: GODEBUG="x509ignoreCN=0" orderer, and it worked! Now I've got consensus and I'm updating the config again.

Thanks!

Ana
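The thread touches three things that decide whether an orderer TLS certificate can be swapped without a Raft consenter config update: whether the new certificate carries a SAN (modern Go no longer falls back to the CN, which is what the GODEBUG knob used to override), whether it is bound to the same public key as the old one (Yacov's point: same key means no config update), and whether it still chains to the root pool the other orderer is configured with (Ana also replaced the intermediate CA). The following Go program is an added example, not code from the thread or from Fabric; it constructs a throwaway old CA, new CA and orderer key in memory and runs those three checks so you can see which one fails before touching a live channel. All CA and host names in it are made up.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RotationReport summarises the pre-flight checks for one old/new orderer TLS cert pair.
type RotationReport struct {
	OldHasSAN, NewHasSAN bool
	SameKey              bool // true means the consenter entry in the channel config need not change
	OldVerifiesOldRoots  bool // CN-only cert checked by a Go >= 1.15 verifier for the host name
	NewVerifiesOldRoots  bool // new cert against the root pool the other orderer still trusts
	NewVerifiesNewRoots  bool
}

// makeCA creates a self-signed CA (constructed fixture, stands in for a Fabric TLS CA).
func makeCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs an orderer TLS cert for pub with the given CA; dnsNames may be empty (CN only).
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey,
	cn string, dnsNames []string, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HasSAN reports whether the certificate carries any Subject Alternative Name.
func HasSAN(c *x509.Certificate) bool {
	return len(c.DNSNames) > 0 || len(c.IPAddresses) > 0 || len(c.URIs) > 0 || len(c.EmailAddresses) > 0
}

// SamePublicKey compares the DER SubjectPublicKeyInfo, which is what a consenter entry pins.
func SamePublicKey(a, b *x509.Certificate) bool {
	return bytes.Equal(a.RawSubjectPublicKeyInfo, b.RawSubjectPublicKeyInfo)
}

// HostnameVerifies reports whether c is accepted as a server cert for host against roots.
func HostnameVerifies(c *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Demo builds the constructed scenario: one orderer key, an old CA that issued a CN-only cert
// for it, and a new CA that issued a SAN cert for the same key.
func Demo(host string) (RotationReport, error) {
	oldCA, oldCAKey, err := makeCA("old-tlsca (constructed)")
	if err != nil {
		return RotationReport{}, err
	}
	newCA, newCAKey, err := makeCA("new-tlsca (constructed)")
	if err != nil {
		return RotationReport{}, err
	}
	ordererKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return RotationReport{}, err
	}
	oldCert, err := issueLeaf(oldCA, oldCAKey, &ordererKey.PublicKey, host, nil, 2)
	if err != nil {
		return RotationReport{}, err
	}
	newCert, err := issueLeaf(newCA, newCAKey, &ordererKey.PublicKey, host, []string{host}, 3)
	if err != nil {
		return RotationReport{}, err
	}
	oldRoots, newRoots := x509.NewCertPool(), x509.NewCertPool()
	oldRoots.AddCert(oldCA)
	newRoots.AddCert(newCA)
	return RotationReport{
		OldHasSAN:           HasSAN(oldCert),
		NewHasSAN:           HasSAN(newCert),
		SameKey:             SamePublicKey(oldCert, newCert),
		OldVerifiesOldRoots: HostnameVerifies(oldCert, oldRoots, host),
		NewVerifiesOldRoots: HostnameVerifies(newCert, oldRoots, host),
		NewVerifiesNewRoots: HostnameVerifies(newCert, newRoots, host),
	}, nil
}

func main() {
	r, err := Demo("orderer1.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

In the constructed scenario the new cert keeps the key (so no consenter update is required) and has a SAN, yet it still fails against the old root pool because it was issued by a different CA; that is the case where the other orderer's ORDERER_GENERAL_TLS_ROOTCAS and CLIENTROOTCAS must already contain the new chain before the certificate is swapped. To run the checks on real files, replace the fixtures with certificates loaded through x509.ParseCertificate and root pools built with CertPool.AppendCertsFromPEM.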