Renew certificates

To trigger renewal of the certificates, for either the orderer or the peer, use the hlf ca renew <node_type> command.

Renewing certificates for the peer

PEER_NAME=org1-peer0
PEER_NS=default
kubectl hlf peer renew --name=$PEER_NAME --namespace=$PEER_NS

You can monitor the state of the renewal by using:

kubectl get fabricpeers.hlf.kungfusoftware.es -w

Renewing certificates for the orderer

ORDERER_NAME=ord-node1
ORDERER_NS=default
kubectl hlf ordnode renew --name=$ORDERER_NAME --namespace=$ORDERER_NS

You can monitor the state of the renewal by using:

kubectl get fabricorderernodes.hlf.kungfusoftware.es -w

!!!! IMPORTANT !!!!

When renewing the orderer certificates, the channel that the orderer is a consenter of must be updated with the new certificates generated by the operator.

This operation is not handled by the operator: the operator does not know which channels the orderer is a consenter of, nor does it have the authority to update the channel, since the signatures needed can vary depending on the configuration.

Renewing certificates for the consenter

For this operation to work, the ordering service must have at least 3 nodes, because with 2 nodes or fewer the consensus will not be able to reach a quorum.

Generate channel block update

CHANNEL_NAME=demo
kubectl hlf channel consenter replace --config=ordservice.yaml \
--orderer="$ORDERER_NAME.$ORDERER_NS" \
--user=admin --channel=$CHANNEL_NAME \
--mspid=OrdererMSP --output=replace_orderers_consenter.pb

Submit update channel

kubectl hlf channel update --channel=$CHANNEL_NAME -f replace_orderers_consenter.pb \
--config=ordservice.yaml --user=admin --mspid=OrdererMSP
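
After the update is submitted, it is worth confirming that the channel no longer carries the old consenter certificate. The following is an added example, not part of the operator or its documentation: it compares the TLS certificates stored for one consenter in a channel config with the renewed certificate. It assumes the config has been decoded to JSON in the layout configtxlator emits for etcdraft, and that the orderer uses one TLS certificate for both client and server; the function names, host value and sample certificates are constructed for illustration.

```python
import base64
import hashlib

def pem_fingerprint(pem: bytes) -> str:
    """SHA-256 over the DER bytes inside the first PEM CERTIFICATE block."""
    body = pem.decode("ascii").split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()

def stale_consenters(config: dict, host: str, renewed_pem: bytes) -> list:
    """Return the TLS cert fields of `host`'s consenter entry that do not
    match the renewed certificate; raise if the host is not a consenter."""
    # Assumed layout: etcdraft consenter metadata in a decoded channel config.
    consenters = (config["channel_group"]["groups"]["Orderer"]["values"]
                  ["ConsensusType"]["value"]["metadata"]["consenters"])
    want = pem_fingerprint(renewed_pem)
    for c in consenters:
        if c["host"] == host:
            # In the JSON form each cert field is the base64 of the PEM text.
            return [f for f in ("client_tls_cert", "server_tls_cert")
                    if pem_fingerprint(base64.b64decode(c[f])) != want]
    raise LookupError(f"{host} is not a consenter in this channel config")

# --- Constructed sample data (placeholder bytes, not real certificates) ---
def _fake_pem(der: bytes) -> bytes:
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n".encode()

OLD_PEM = _fake_pem(b"constructed-old-tls-cert")
NEW_PEM = _fake_pem(b"constructed-new-tls-cert")
HOST = "ord-node1.default"  # constructed; use the host recorded in your channel

def sample_config(pem: bytes) -> dict:
    cert = base64.b64encode(pem).decode()
    consenter = {"host": HOST, "port": 7050,
                 "client_tls_cert": cert, "server_tls_cert": cert}
    return {"channel_group": {"groups": {"Orderer": {"values": {
        "ConsensusType": {"value": {"metadata": {"consenters": [consenter]}}}}}}}}

if __name__ == "__main__":
    # Channel still holds the pre-renewal cert: both fields are reported stale.
    print(stale_consenters(sample_config(OLD_PEM), HOST, NEW_PEM))
    # Channel updated with the renewed cert: nothing is reported.
    print(stale_consenters(sample_config(NEW_PEM), HOST, NEW_PEM))
```

An empty list means the channel config matches the renewed certificate; any field name returned means the consenter entry still references a certificate other than the renewed one.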