Hyperledger Certificate Reenroll command not working - hyperledger-fabric

Hello, can you help me find a way to renew the certificate expiry date? I have searched a lot but didn't find any good help.
export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer1
fabric-ca-client reenroll

export FABRIC_CA_CLIENT_HOME=$HOME/fabric-ca/clients/peer1
Set FABRIC_CA_CLIENT_HOME every time you enroll any peer, admin or user, because it creates fabric-ca-client-config.yaml, which is required to re-enroll the certificate before it expires.

Related

Procedure of replacing a root CA cert with another one of a different key pair in a fabric network?

What is the procedure for replacing a root CA cert with another one of a different key pair?
Q-1: Is it required to follow the config update steps, as we do in add/remove org, since the RCA needs to change?
(Understood that changing the RCA requires recreating all peers, nodes and identities as well)
When we use the default setup of fabric CA, then
it bootstraps the fabric ca server with a bootstrap administrator - 'fabric-ca-server start -b admin:adminpw -d'
On enrolling the bootstrap administrator -
It creates the following in the msp: cacerts, keystore, signcerts (Set-A)
Now when we have to create identities, it uses Set-A, and all of this also gets bound to the genesis block, as the certificate is configured via the configtx file and stored in the channel config of fabric.
Q-2: Now if we have to change the RCA's cacerts, keystore, signcerts (Set-B), then what is the procedure to do that?
I have not found any guidelines or documents on this; it's just logically understood that if it is possible then maybe it follows similar steps to what we do in add/remove orgs.
Q-3: But even after replacing all identities with the new RCA along with the RCA's cert, key pair etc., I don't think the existing data will work?
If the live network already has x data, but the RCA's cacerts, keystore, signcerts and all identities got changed, and the config file was also updated via config-update as we do in add/remove orgs so it has the new certificate info?

Hyperledger fabric admin certs and tls certs expired

I noticed that HLF admincerts and tls certs, by default, have an expiration date of 1 year. In my case, they have expired and my orderer and peer nodes are giving me a bad certificate error.
Is there any way to do certificate rotation? I don't want to lose any data as the network is in a production environment. I am using hyperledger fabric 1.4 version with the raft ordering service.
You can change the default expiry time of an x509 certificate by changing its duration in the fabric-ca-server configuration file. You'll find this file inside the CA's docker container.
Reference to the fabric-ca-server configuration file can be found here.
Change the value of expiry from 8760h to xxxx in the signing section of the file. The signing section looks like this:
signing:
  default:
    usage:
      - digital signature
    expiry: 8760h
  profiles:
    ca:
      usage:
        - cert sign
        - crl sign
      expiry: 43800h
      caconstraint:
        isca: true
        maxpathlen: 0
    tls:
      usage:
        - signing
        - key encipherment
        - server auth
        - client auth
        - key agreement
      expiry: 8760h
After changing the value of expiry, you'll have to restart your CA container for the changes to take effect.
Once your container is restarted, re-enroll your admin to create a new x509 certificate with the updated expiry duration. You can read about reenrolling an identity from here.
If you want to avoid such scenarios in the future for any user, you can reenroll it before doing a transaction. You can perform the re-enroll operation if the certificate has already expired or is going to expire in the next x amount of time.
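As an added example (not part of the answer above and not Fabric's own tooling), the following POSIX shell script shows the decision the answer describes: for one MSP directory it checks whether the enrollment certificate in signcerts/ is still issued under the CA certificate in cacerts/ and whether it expires within a chosen window, which is the point at which fabric-ca-client reenroll should be run. It assumes only openssl is installed; the msp/ layout, the ca-org1 and ca-org2 names and the 10-day peer certificate are constructed fixtures built in a temporary directory, so point MSPDIR at a real FABRIC_CA_CLIENT_HOME/msp to use the functions for real.

```shell
#!/bin/sh
# Added example, not from the original answers: pre-flight check of an MSP
# directory before deciding whether to run `fabric-ca-client reenroll`.
# Requires only openssl. Every path and name below is a constructed fixture.
set -eu

# cert_expires_within FILE SECONDS
# Returns 0 if FILE's notAfter falls within SECONDS from now (this includes
# certificates that have already expired), 1 if it stays valid past that
# window. openssl does the date arithmetic, so GNU/BSD `date` differences
# never matter.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_chains_to LEAF CACERT
# Returns 0 if LEAF was issued under CACERT. -no_check_time skips the validity
# period, so the chain can still be confirmed for an already-expired
# certificate (OpenSSL 1.1.0 or later).
cert_chains_to() {
    openssl verify -no_check_time -CAfile "$2" "$1" >/dev/null 2>&1
}

# msp_status MSPDIR SECONDS
# Prints one word: untrusted (signcert not issued by the cacerts CA),
# expired, renew (expires within SECONDS), or ok.
msp_status() {
    leaf="$1/signcerts/cert.pem"
    ca=$(ls "$1"/cacerts/*.pem | head -n 1)
    if ! cert_chains_to "$leaf" "$ca"; then
        echo untrusted
    elif cert_expires_within "$leaf" 0; then
        echo expired
    elif cert_expires_within "$leaf" "$2"; then
        echo renew
    else
        echo ok
    fi
}

# --- constructed fixture: org1 CA, a peer cert valid for 10 days, an unrelated org2 CA ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MSPDIR="$WORK/msp"
mkdir -p "$MSPDIR/cacerts" "$MSPDIR/signcerts" "$MSPDIR/keystore"

# Self-signed org1 root CA. Fabric CA issues ECDSA P-256 certificates; RSA is
# used here only because it works on every openssl build, the checks are the same.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=ca-org1" \
    -keyout "$WORK/ca-org1.key" -out "$MSPDIR/cacerts/ca-org1.pem" >/dev/null 2>&1

# Peer enrollment certificate issued by org1's CA, expiring in 10 days.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=peer1" \
    -keyout "$MSPDIR/keystore/key.pem" -out "$WORK/peer1.csr" >/dev/null 2>&1
openssl x509 -req -days 10 -in "$WORK/peer1.csr" -CA "$MSPDIR/cacerts/ca-org1.pem" \
    -CAkey "$WORK/ca-org1.key" -CAcreateserial -out "$MSPDIR/signcerts/cert.pem" >/dev/null 2>&1

# A different organisation's CA, to show what a replaced root CA looks like.
OTHER_CA="$WORK/ca-org2.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=ca-org2" \
    -keyout "$WORK/ca-org2.key" -out "$OTHER_CA" >/dev/null 2>&1

# 30 days = 2592000 s, 1 hour = 3600 s
echo "status (30-day window): $(msp_status "$MSPDIR" 2592000)"   # renew
echo "status (1-hour window): $(msp_status "$MSPDIR" 3600)"      # ok
```

Run this from cron or a CI job with a window a little longer than your rotation lead time; a result of renew means reenroll now while the current credentials still work, and untrusted is what you see after the root CA in cacerts/ has been replaced but the signcert has not been re-issued under it.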
I am on fabric v2.3 and using Fabric CA.
When we re-enroll the peers, orderer or admin it will generate a new pair of certificates.
Please correct me if I am wrong, these newly generated certificates need to be updated in the channel configuration as well? At least this is what the doc says here.
I tried to follow the doc and it does contain the root_certs and tls_certs which we need to replace. A usual sample config block after decoding it into json files looks something like this. The respective certs need to be replaced here, which seems quite error prone since it's manual and a lot of certs need to be replaced (depending on the number of peers, orderers, and organisations you've got). And, also not to forget, these certs are referenced by the ccp.yaml and ccp.json as well, which are used by the fabric sdk.
I am not sure if my understanding is correct about this, as I am struggling with this thing as well. I haven't been able to successfully pull this off as of now. It's strange that hyperledger fabric/Fabric CA doesn't really have a straightforward way of doing this.
Our case: k8s, fabric v2.2, mutual tls required for all hyperledger connections, certificates expired 3 days ago.
First of all we need to pass through expired tls. Add to the orderer config:
ORDERER_GENERAL_TLS_TLSHANDSHAKETIMESHIFT: 120h
ORDERER_GENERAL_AUTHENTICATION_NOEXPIRATIONCHECKS: "true"
The latter parameter will allow expired MSP entities to be used later.
To skip tls checks on the peer side, use the --tlsHandshakeTimeShift 120h parameter.
After the connection is restored, we need to update the certificates in the blockchain. Unfortunately there is no analog of the _NOEXPIRATIONCHECKS option for the peer, so we need to use a time-shifted environment. I didn't manage to run one in kubernetes, so I had to use a notebook with ntp disabled and a port-forwarded orderer endpoint. Be aware that if your kubernetes authentication is token-based, it can stop working because of having the incorrect time. In Azure, this is fixed by getting the admin config.
That environment should be enough for step-by-step replaying of your standard certificate rotating scripts. If you don't have any, dive into this issue.

Hyperledger Fabric: Why doesn't cryptogen generate all the necessary crypto material to register new users?

I am using cryptogen to generate all of the crypto material for the Fabric network I am building. I can successfully bring the network up and deploy chaincode. However, I am running into problems when trying to register a new user. I am following along with the asset-transfer-private-data tutorial, and after deploying the chaincode, I run
fabric-ca-client register --caname ca.org1 --id.name org1-client --id.secret org1-password --id.type client --mspdir ./config/crypto-config/peerOrganizations/org1/msp
and get the error
2020/10/03 12:20:11 [INFO] Configuration file location: /home/user/network3.2/config/crypto-config/peerOrganizations/org1/fabric-ca-client-config.yaml
2020/10/03 12:20:11 [ERROR] Enrollment check failed: Idemix enrollment information does not exist
Error: Enrollment information does not exist. Please execute enroll command first. Example: fabric-ca-client enroll -u http://user:userpw@serverAddr:serverPort
There is no fabric-ca-client-config.yaml file. The mspdir I specify has the directories signcerts, keystore, and cacerts, which according to Hyperledger Fabric: Enrollment check failed: Idemix enrollment information does not exist are needed. However, both the signcerts and keystore directories are empty, whereas they should include a public cert and a private key respectively.
How can I generate these files? Thanks.
For Idemix, you can use the idemixgen tool.
But both the cryptogen tool and the idemixgen tool are for testing purposes. For production use, you have to use Hyperledger Fabric CA.
cryptogen is a utility for generating Hyperledger Fabric key material. It is provided as a means of preconfiguring a network for testing purposes. It would normally not be used in the operation of a production network.
Link: https://hyperledger-fabric.readthedocs.io/en/release-2.2/commands/cryptogen.html?highlight=cryptogen#cryptogen
cryptogen is a utility to quickly allow you to generate crypto material to get things started. It does not have any direct ties to Fabric CA (intentionally).
The only thing you can do is to leverage the CA key pair generated for each organization (under the ca folder) as the root key pair used when starting up an instance of Fabric CA.
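The error in the question comes from an MSP directory whose signcerts/ and keystore/ exist but hold nothing. As an added example (not from the answers above or from Fabric), here is a small POSIX shell check that reports which of the three MSP subdirectories fabric-ca-client needs (cacerts, signcerts, keystore) are absent or contain no non-empty file, so you can tell a cryptogen-only layout from an enrolled one before running register. The two directory trees it inspects are constructed in a temporary directory with placeholder files; the org1 path names are illustrative only.

```shell
#!/bin/sh
# Added example, not from the original answers: checks that an MSP directory
# actually holds the material fabric-ca-client expects before `register`.
# The directory trees below are constructed fixtures, not a real network.
set -eu

MSP_REQUIRED_DIRS="cacerts signcerts keystore"

# dir_has_file DIR -> 0 if DIR exists and contains at least one non-empty
# regular file, 1 otherwise (an empty signcerts/ is the question's symptom)
dir_has_file() {
    [ -d "$1" ] || return 1
    for f in "$1"/*; do
        if [ -f "$f" ] && [ -s "$f" ]; then
            return 0
        fi
    done
    return 1
}

# msp_missing MSPDIR -> prints, space separated, the required subdirectories
# that are absent or empty; prints nothing when the MSP is complete
msp_missing() {
    missing=""
    for d in $MSP_REQUIRED_DIRS; do
        if ! dir_has_file "$1/$d"; then
            missing="${missing:+$missing }$d"
        fi
    done
    printf '%s' "$missing"
}

# msp_complete MSPDIR -> 0 if every required subdirectory is populated
msp_complete() {
    [ -z "$(msp_missing "$1")" ]
}

# --- constructed fixtures ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Layout like the one in the question: cacerts populated, signcerts and
# keystore present but empty.
BROKEN_MSP="$WORK/org1-cryptogen/msp"
mkdir -p "$BROKEN_MSP/cacerts" "$BROKEN_MSP/signcerts" "$BROKEN_MSP/keystore"
printf 'constructed placeholder, not a real certificate\n' \
    > "$BROKEN_MSP/cacerts/ca.org1-cert.pem"

# Layout after a successful enroll: all three populated.
GOOD_MSP="$WORK/org1-enrolled/msp"
mkdir -p "$GOOD_MSP/cacerts" "$GOOD_MSP/signcerts" "$GOOD_MSP/keystore"
for f in cacerts/ca.pem signcerts/cert.pem keystore/key.pem; do
    printf 'constructed placeholder\n' > "$GOOD_MSP/$f"
done

for m in "$BROKEN_MSP" "$GOOD_MSP"; do
    if msp_complete "$m"; then
        echo "$m: complete"
    else
        echo "$m: no material in: $(msp_missing "$m")"
    fi
done
```

If the report names signcerts and keystore, the identity has been registered at most but never enrolled; run fabric-ca-client enroll with the enrollment secret against that FABRIC_CA_CLIENT_HOME first, which also writes the fabric-ca-client-config.yaml the error message refers to.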

How can you reenroll an admin certificate for a Hyperledger Fabric peer if it is already expired

In the Hyperledger Fabric documentation it states to use the fabric-ca-client reenroll if a certificate is about to expire.
Should it also work after a certificate has already expired?
After doing the reenroll request I get the following below:
reenroll: x509: certificate has expired or is not yet valid
Are there any other options to renew already expired certificates?
According to the official document, MSP identities never expire. You should be able to reenroll the admin identity.
However, you can also enroll the admin identity again if you have the enrollment secret.
fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
I faced the same issue for the admin user and solved it by running the below command
export FABRIC_CA_CLIENT_TLS_CERTFILES=/tmp/crypto-config/peerOrganizations/org1.example.com/tlsca/ca/ca.org1.example.com-cert.pem
export FABRIC_CA_CLIENT_HOME=/tmp/crypto-config/hyperledger/tls-ca/admin
fabric-ca-client reenroll -d -u https://admin:adminpw@ca.org1.example.com:7054 --caname ca-org1
You will get two .pem files:
Stored client certificate at /tmp/crypto-config/hyperledger/tls-ca/admin/msp/signcerts/cert.pem
Stored root CA certificate at /tmp/crypto-config/hyperledger/tls-ca/admin/msp/cacerts/ca-org1-example.com-com-7054-ca-org1.pem
But I didn't find any documentation for the javascript libraries to use the reenroll function. If anyone has any, please post links.

Hyperledger Fabric CA Tool not generating identity

I am trying to deploy a production Hyperledger Fabric network on kubernetes, and when trying out the example from the fabric-ca sample, I can see that the pod running fabric-ca-tools is not generating the identity and gives an error at line number 51 of setup-fabric.sh, in the function registerOrdererIdentities where the ORDERER is registered with the CA for an identity using the command fabric-ca-client register -d --id.name $ORDERER_NAME --id.secret $ORDERER_PASS --id.type orderer. It fails to register and says: Error: Response from server: Error Code: 0 - Registration of 'orderer1-org0' failed: Identity 'orderer1-org0' is already registered.
I am not able to understand: if the identity was not previously registered by the root CA and intermediate CA, then why is this error coming?
Stuck here for a long time, any help is appreciated.
This error is thrown whenever you try to re-register an identity which is already registered. So that means you have already run the fabric-ca-client register command for --id.name orderer1-org0. The next step would be to enrol orderer1-org0 with the appropriate password, and in return you will receive a certificate and private key from the CA server. The interesting part is, now I am searching for a way to edit the attributes of an already generated certificate, kind of like editing it in the first place. But I keep getting this error. For a moment I thought that revoking the certificate would make it work, but nonetheless that only made it a requirement to run fabric-ca-client reenroll. Unable to find any help anywhere.
