Certificate Rotation/Renewal in Hyperledger Fabric: Recovering a Fabric Network with Expired Certificates
Certificate rotation is one of the most important operational tasks in a Hyperledger Fabric network: every identity, every TLS endpoint and every CA in the network is an X.509 certificate with an expiry date, and the network stops working when they run out.
The signing section of the Fabric CA server configuration has three parts, and each one sets the lifetime of a different kind of certificate:
1) default: enrollment certificates
2) ca: intermediate CA certificates
3) tls: TLS certificates
Open the signing section of any fabric-ca-server-config.yaml and you will find the following.
Signing section:
The “default” subsection is used to sign enrollment certificates; the default expiration (“expiry” field) is “8760h”, which is 1 year in hours.
Profile: ca
The “ca” profile subsection is used to sign intermediate CA certificates; the default expiration (“expiry” field) is “43800h” which is 5 years in hours. Note that “isca” is true, meaning that it issues a CA certificate. A maxpathlen of 0 means that the intermediate CA cannot issue other intermediate CA certificates, though it can still issue end-entity certificates.
Profile: tls
The “tls” profile subsection is used to sign TLS certificate requests; the default expiration (“expiry” field) is “8760h”, which is 1 year in hours.
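The three subsections described above, written out as an added example of the signing section of fabric-ca-server-config.yaml (this is not the article's own file; the usage lists are the ones the Fabric CA ships by default, and the 720h comments refer to the shorter lifetime this article sets later to build a deliberately short-lived network):

```yaml
signing:
  default:
    usage:
      - digital signature
    expiry: 8760h      # enrollment certificates, 1 year; set to 720h for the article's test network
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h   # intermediate CA certificates, 5 years
      caconstraint:
        isca: true
        maxpathlen: 0  # the intermediate may issue end-entity certificates only
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - client auth
        - key agreement
      expiry: 8760h    # TLS certificates, 1 year; set to 720h for the article's test network
```

A changed expiry applies only to certificates issued after the CA server is restarted; certificates that were already issued keep their original NotAfter date, which is why the CA services must be restarted before enrolling participants.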
The default expiry of both TLS and enrollment certificates is therefore one year (8760h). Once a network has been running for a year its certificates expire and you can no longer interact with it: peers and orderers refuse each other's TLS connections and client identities fail MSP validation, so in practice the network is down.
Solutions:
1) Rotate the certificates before they expire. (This is the way to go.)
2) Rotate the certificates after they have expired. (Not recommended, but if you forgot to renew in time, this is how you restore the network.)
This article has two parts:
- Create a network with expired certificates
- Recover the network from its expired certificates (the same steps are a certificate rotation)
I recommend watching my YouTube video, which covers everything in full. In this article I have only listed the steps, not all of the code. I used my own repo to create the network; my previous video covers how to create a network from scratch.
Part I
Note: If you already have a network with expired certificates, you can start with Part 2.
1. Set your machine's clock back 32 days.
2. Create the CA services for all orgs.
3. Change fabric-ca-server-config.yaml as given below (the signing expiry is lowered to 720h, so the certificates issued in this part will already have expired once the clock is set back to the present).
4. Restart the CA services.
5. Create the certificates for all participants.
6. Create the channel artifacts.
7. Run all other services (peers, orderers, CouchDB).
8. Deploy the chaincode.
9. Create a connection profile in the API.
10. Invoke a few transactions and verify that everything works.
Note: At this stage we have a working network whose enrollment and TLS certificates expire after 720h (30 days) instead of the default 8760h.
Part 2
1. Set the clock back to the present. The network was created 32 days ago and its certificates expire after 720h (30 days), so every enrollment and TLS certificate in it has now expired. To confirm, check the log of any peer or orderer: it will be full of TLS handshake and certificate expiry errors.
2. Create new enrollment and TLS certificates for every participant in the network. The repo contains a renew-cert.sh script; run it and it generates the new certificates.
3. Add the following environment variables to every orderer service and restart the orderers:
ORDERER_GENERAL_TLS_TLSHANDSHAKETIMESHIFT=200h
ORDERER_GENERAL_CLUSTER_TLSHANDSHAKETIMESHIFT=200h
ORDERER_GENERAL_AUTHENTICATION_NOEXPIRATIONCHECKS=true
These are recovery settings, not a fix: the two time-shift values let the orderer accept client-facing and cluster TLS handshakes whose certificates fail validation at the true time by evaluating them as if the clock were 200h earlier, and NOEXPIRATIONCHECKS stops it rejecting expired client identities. Remove them once every certificate has been replaced.
4. Replace the MSP folders of all orderers and all peers with the newly created MSP folders and restart the services.
5. Make a configuration update to change the orderer TLS certificates. If the ordering service uses Raft, each orderer's TLS certificate is recorded in the consenter set of the channel configuration, which is why the channel must learn the new certificate before the orderer starts using it. The network here has one application channel and one system channel.
6. Configuration updates are done one orderer at a time. With three orderers and two channels, that is 3 x 2 = 6 configuration updates.
7. The video linked above covers every step, and all the code is in the repo.
8. Update the system channel first, then the application channel. Once both updates succeed, replace that orderer's tls folder with the newly created one and restart the orderer.
9. Repeat the same procedure for every orderer.
10. Replace the tls folder of every peer with the newly created one and restart all peers.
11. Recreate the connection profile in the API and restart the server.
12. Remove the admin identity from the wallet (its certificate has expired), register a new user, and invoke a new transaction to verify that it executes successfully.
13. Important: when registering a new user from the API, store the enrollment secret returned by the CA at registration; without it you cannot re-enroll the same user later.
14. The same script works for routine certificate rotation or renewal. Here we operated on an already-expired network; renew the certificates before they expire and the network stays up, with no downtime due to expired certificates.
15. A sample config update script is mentioned below.
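The expired-network scenario of Part 1 and the time-shift variables of Part 2, reproduced in memory as an added example (this is not the renew-cert.sh or config update script from the article's repo, and not Fabric's own implementation; the host names are made up). It issues a CA and an orderer TLS certificate dated 32 days ago with the article's 43800h and 720h lifetimes, classifies them the way a pre-expiry check should, and shows that X.509 verification of the expired TLS certificate fails at the true time but succeeds when the clock is shifted back 200h, which is what the TLSHANDSHAKETIMESHIFT setting relies on:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertStatus classifies cert at time now as "expired", "expiring" (NotAfter within warn) or "valid".
func CertStatus(cert *x509.Certificate, now time.Time, warn time.Duration) string {
	switch {
	case now.After(cert.NotAfter):
		return "expired"
	case now.Add(warn).After(cert.NotAfter):
		return "expiring"
	}
	return "valid"
}

// ReportPEM reads every certificate in one PEM file (a signcerts, cacerts or tls file, which may
// hold a chain) and returns "status CN NotAfter" per certificate. Feed it each .pem under every
// peer, orderer and client MSP well inside the 8760h default lifetime.
func ReportPEM(raw []byte, now time.Time, warn time.Duration) ([]string, error) {
	var out []string
	for b, rest := pem.Decode(raw); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" { // private keys sit next to certs; skip them
			continue
		}
		cert, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return out, err
		}
		out = append(out, fmt.Sprintf("%s %s %s", CertStatus(cert, now, warn),
			cert.Subject.CommonName, cert.NotAfter.UTC().Format(time.RFC3339)))
	}
	return out, nil
}

// VerifyWithShift checks leaf against root as a TLS handshake would, with the clock moved back by
// shift. shift == 0 is normal verification; a positive shift illustrates what the orderer's
// TLSHANDSHAKETIMESHIFT=200h achieves (an illustration only, not Fabric's own code).
func VerifyWithShift(leaf, root *x509.Certificate, shift time.Duration) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: time.Now().Add(-shift)})
	return err
}

// newCert issues a certificate for cn valid for life from `from`, signed by parent or self-signed
// when parent is nil. It panics on failure because it only builds fixtures for this example.
func newCert(cn string, isCA bool, from time.Time, life time.Duration,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: from, NotAfter: from.Add(life), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildScenario reproduces Part 1 in memory: a CA issued 32 days ago with the 43800h "ca" profile
// lifetime and an orderer TLS certificate issued at the same moment with the article's 720h
// lifetime, so the TLS certificate expired about two days ago. The names are made up.
func BuildScenario() (*x509.Certificate, *x509.Certificate) {
	issued := time.Now().Add(-32 * 24 * time.Hour)
	ca, caKey := newCert("ca.org1.example.com", true, issued, 43800*time.Hour, nil, nil)
	leaf, _ := newCert("orderer.example.com", false, issued, 720*time.Hour, ca, caKey)
	return ca, leaf
}

// PEMOf encodes cert the way an MSP folder stores it.
func PEMOf(cert *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
}

func main() {
	ca, leaf := BuildScenario()
	for name, c := range map[string]*x509.Certificate{"cacert.pem": ca, "server.pem": leaf} {
		lines, _ := ReportPEM(PEMOf(c), time.Now(), 30*24*time.Hour)
		fmt.Println(name, lines)
	}
	fmt.Println("handshake at true time:   ", VerifyWithShift(leaf, ca, 0))
	fmt.Println("handshake with 200h shift:", VerifyWithShift(leaf, ca, 200*time.Hour))
}
```

ReportPEM is the piece worth keeping: wrap it in a walk over every msp/ and tls/ folder and alert on "expiring" well before NotAfter, since that is the rotate-before-expiry path the article recommends. The time shift only buys room to run the recovery steps; it does not make an expired certificate valid again.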
That's all for this article. I know it is brief, but the video covers most of what is needed to rotate or renew certificates.
If you run into any issues, let me know; I would love to help. You can reach me on LinkedIn or Instagram.
https://www.instagram.com/pavanadhavofficial/
https://www.linkedin.com/in/pavan-adhav/
Email: adhavpavan@gmail.com