Update org's admin certificate in channel config #channel #configtxgen #fabric-peer #fabric-questions #fabric-orderer


manju.venkatachalam@...
Hi all,

I created a test network which has 2 orgs (each with one peer) and 1 orderer in Kubernetes using BAF. The orgs are joined to a channel called testchannel. The orderer MSP, peer MSP and TLS certs expired within 1 day. Before they expired, I renewed all the certs using the dcm tool and kept them locally. First I updated the orderer TLS cert in the system channel and in the application channel from the orderer CLI, by fetching the channel config, decoding it, updating the renewed orderer TLS certs under consenters, encoding it and updating the channel config using the peer channel update command. I received a "successfully submitted" message.

Later I replaced the orderer MSP, peer MSP and TLS certs in the vault and restarted all the services. When I checked the orderer logs, they didn't show any expiry error.

Now my network's previous certificates have expired and it is using the renewed certs. I am able to invoke and query transactions.

Now I want to add a new org called org3 to the existing channel (testchannel).

I created a new org (org3). When I tried to join that org to the channel, the peer channel update failed with the following error:

Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'testchannel': error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 2 of the 'Admins' sub-policies to be satisfied


This error is because of wrong admin certs. Only then did I find that during certificate renewal I updated only the orderer TLS certs. But the channel config also contains each org's admin certs and cacerts. So the channel config still contains the expired certs, while the orgs and the vault contain the renewed certs. This is the cause of the above-mentioned error.

Can anyone suggest a way to resolve this? How can we update an org's admin certificate in the channel config when the certificate in the config has expired?

Thanks in advance.


chris.elder@...
The orderers need to be configured to allow the expired admin certificate to be used to sign the change to the channel configuration.

This can be accomplished by overriding the orderers to allow expired certificates to be used:
https://hyperledger-fabric.readthedocs.io/en/release-2.2/raft_configuration.html?highlight=noexpirationchecks#certificate-expiration-related-authentication

Set NoExpirationChecks for each orderer in the orderer.yaml and restart.

Construct a channel update with the new admin certificates.

Update the channel using the expired certificate to sign the update.

Remove the override in the orderers and restart.


chris.elder@...
I'm not very familiar with BAF. Is NodeOU enabled on the channels?

https://hyperledger-fabric.readthedocs.io/en/release-2.2/msp.html?highlight=nodeou#organizational-units