added sample for certifiate renewal in test-network #1163
Conversation
Signed-off-by: Aditya Joshi <[email protected]>
|
@denyeart can you please take a look into this PR. |
There was a problem hiding this comment.
This is good to see since many people have questions about renewing certs.
Did you test to see if this actually works? It would be good to extend the automated tests to make sure transactions work after the renew. Maybe extend
https://github.com/hyperledger/fabric-samples/blob/main/ci/scripts/run-test-network-basic.sh and the associated app to create another asset after the renew.
It is unclear if you are trying to renew the root cert, or at least the TLS root cert. Most of the time when you renew identity certs you don't renew the root cert (create a 2nd root cert). I wouldn't recommend it. If you do intend to create a 2nd root cert, a channel config transaction will be required to add it to the channel.
| function renewCerts(){ | ||
| . ./organizations/fabric-ca/reEnroll.sh | ||
|
|
||
| rm "${PWD}"/organizations/fabric-ca/ordererOrg/tls-cert.pem |
There was a problem hiding this comment.
Why do you delete the tls-cert.pem? Usually when you renew certs the root cert remains the same.
Could you add comments to explain the intent.
| . ./organizations/fabric-ca/reEnroll.sh | ||
|
|
||
| rm "${PWD}"/organizations/fabric-ca/ordererOrg/tls-cert.pem | ||
| docker restart ca_orderer |
There was a problem hiding this comment.
Why do you need to restart the CA?
Again, add comments to explain intent.
|
|
||
| function reEnrollOrg1() { | ||
| infoln "Re-enrolling the CA admin" | ||
| mkdir -p organizations/peerOrganizations/org1.example.com/ |
There was a problem hiding this comment.
Doesn't this directory already exist from the initial creation?
| { set +x; } 2>/dev/null | ||
|
|
||
| # Copy org1's CA cert to org1's /msp/tlscacerts directory (for use in the channel MSP definition) | ||
| mkdir -p "${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts" |
There was a problem hiding this comment.
Why do you re-create the directory, doesn't it already exist?
|
|
||
| # Copy org1's CA cert to org1's /msp/tlscacerts directory (for use in the channel MSP definition) | ||
| mkdir -p "${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts" | ||
| cp "${PWD}/organizations/fabric-ca/org1/ca-cert.pem" "${PWD}/organizations/peerOrganizations/org1.example.com/msp/tlscacerts/ca.crt" |
There was a problem hiding this comment.
Usually when you renew certs the root cert remains the same.
|
|
||
| infoln "Generating the peer0 msp" | ||
| set -x | ||
| fabric-ca-client reenroll -u https://peer0:peer0pw@localhost:7054 --caname ca-org1 -M "${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp" --csr.hosts peer0.org1.example.com --tls.certfiles "${PWD}/organizations/fabric-ca/org1/ca-cert.pem" --csr.keyrequest.reusekey |
There was a problem hiding this comment.
No need to use -csr.hosts for enrollment cert, only needed for tls certs to generate the SANS.
| fabric-ca-client reenroll -u https://peer0:peer0pw@localhost:7054 --caname ca-org1 -M "${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp" --csr.hosts peer0.org1.example.com --tls.certfiles "${PWD}/organizations/fabric-ca/org1/ca-cert.pem" --csr.keyrequest.reusekey | ||
| { set +x; } 2>/dev/null | ||
|
|
||
| cp "${PWD}/organizations/peerOrganizations/org1.example.com/msp/config.yaml" "${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/config.yaml" |
There was a problem hiding this comment.
I don't think anything in the config.yaml changes when you reenroll. Did you find something that changed?
This PR adds a script to demonstrate the certificates renewal in the
test-network.A new mode
renewCertshas been added to support certificate renewalCertificate renewal can be done using
network.sh renewCerts