Renewing expired certificates in Hyperledger Fabric
I'm sure you have had certificates expire at some point in your project.
One of the best ways to automate processes in Hyperledger Fabric is to script them in a programming language.
Go is one of the best choices for this automation, because software that is itself written in Go ships native Go client libraries, for example:
Kubernetes
Docker
Hyperledger Fabric
And many other products
So, let's see how we can interact with the operator's CRDs (custom resource definitions) to automate processes and inspect the API.
A common use case of mine is renewing expired certificates on the ordering service.
The code is in the following gist.
However, to understand the code, we need to understand how the renewal of certificates works.
When an orderer is created, two certificates are issued: one for signing data and the other for the server (its TLS certificate).
For each of them, the operator does the following:
Creates an ED25519 key pair
Creates a CSR (certificate signing request) for that key pair
Sends the CSR to the Fabric CA
Receives the signed certificate back
For consensus to keep working after the renewal, we need to reuse the key pair that the operator created.
We could also use reenroll from fabric-ca, but sometimes we don't have access to it, or we would need to redeploy it to support expired certificates.
This is the documentation for reenrolling with fabric-ca-client
So, if we have three orderer nodes, we need to get the key pair behind each of the certificates we are about to renew.
And you will ask: don't we have to update the channel configuration when we update the certificates?
No, because Fabric checks the public key. The certificates are used to identify the orderer node, but we can use any certificate on our orderer nodes as long as the public key stays the same.
This is the function that checks whether an orderer is part of the channel: https://github.com/hyperledger/fabric/blob/release-2.5/orderer/consensus/etcdraft/consenter.go#L298-L305
This public-key-based check is available from Hyperledger Fabric 2.4.9 and 2.5 onwards.
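To make the mechanism above concrete, here is an added, self-contained Go example (it is not the gist from this post nor code from the operator or from Fabric). It builds a throwaway CA that stands in for the Fabric CA, enrolls an orderer with a certificate that is already expired, then renews it the way the post describes: a new CSR signed with the existing key pair, sent to the CA, new certificate back. It then applies the same comparison the linked consenter code relies on, public key against public key, and shows that the renewed certificate still identifies the node while a renewal done with a fresh key pair would not. The key algorithm is immaterial to that comparison; the example uses ECDSA P-256, and the host name, CA name and validity periods are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const year = 365 * 24 * time.Hour

// must keeps the demo short: a failure inside this toy PKI is a bug, not a runtime condition.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA creates a throwaway self-signed CA standing in for the Fabric CA (constructed for
// this example; a real deployment enrolls against fabric-ca).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-orderer-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * year),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// enroll performs the steps the post lists: build a CSR signed with the orderer's key, hand
// it to the CA, get a server certificate back. The CA checks proof of possession and binds
// the certificate to the CSR's public key, so reusing the key pair keeps the public key unchanged.
func enroll(caCert *x509.Certificate, caKey, key *ecdsa.PrivateKey, host string, notBefore time.Time) (*x509.Certificate, error) {
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, req, key))
	// From here on this is what the CA does with the submitted CSR.
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR not signed by the key it carries: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // toy serial; a real CA uses random serials
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(year),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey))
	return x509.ParseCertificate(der)
}

// samePublicKey is the comparison the post relies on: the consenter is matched by public
// key, so any certificate over the same key still identifies the node in the channel.
func samePublicKey(a, b *x509.Certificate) bool {
	pa, errA := x509.MarshalPKIXPublicKey(a.PublicKey)
	pb, errB := x509.MarshalPKIXPublicKey(b.PublicKey)
	return errA == nil && errB == nil && bytes.Equal(pa, pb)
}

// renewalScenario enrolls an orderer with an already-expired certificate and then renews it;
// reuseKey=false models the mistake of generating a fresh key pair during renewal. It reports
// whether the old certificate is expired, whether the new one verifies against the CA right
// now, and whether the public key (the orderer's identity in the channel) is unchanged.
func renewalScenario(reuseKey bool) (oldExpired, newChainsToCA, sameIdentity bool) {
	const host = "orderer0.example.com" // constructed host name
	caCert, caKey := newCA()
	origKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	oldCert := must(enroll(caCert, caKey, origKey, host, time.Now().Add(-2*year))) // expired a year ago
	renewKey := origKey
	if !reuseKey {
		renewKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	}
	newCert := must(enroll(caCert, caKey, renewKey, host, time.Now().Add(-time.Hour)))
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	_, verr := newCert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return time.Now().After(oldCert.NotAfter), verr == nil, samePublicKey(oldCert, newCert)
}

func main() {
	for _, reuse := range []bool{true, false} {
		oldExpired, newOK, same := renewalScenario(reuse)
		fmt.Printf("reuse key=%v: old expired=%v, new chains to CA=%v, same identity=%v\n", reuse, oldExpired, newOK, same)
	}
}
```

Run it with `go run .`: with the key reused, the renewed certificate is valid, chains to the CA and carries the same public key, so nothing in the channel configuration has to change; with a fresh key, the new certificate is just as valid from the CA's point of view, but the public-key comparison fails, which is exactly the situation in which the orderer would no longer be recognised as a consenter.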
So, all we need to do is execute the Go script linked at the start of this post. But before running

go run main.go

we need to change the following variables:
// kubeconfig of the cluster where the operator and the orderer nodes run
kubeconfig := os.Getenv("KUBECONFIG")
// list of orderers to renew: the name and namespace of each orderer node resource
orderersToRenew := []*OrdererToRenew{
    {
        Name:      "orderer0",
        Namespace: "default",
    },
    {
        Name:      "orderer1",
        Namespace: "hlf",
    },
    {
        Name:      "orderer2",
        Namespace: "hlf",
    },
}
// the Fabric CA that issued the orderer certificates, and the namespace it lives in
caName := "<ORDERER_CA_NAME>"
caNamespace := "<ORDERER_CA_NAMESPACE>"
This script only works if you are using the bevel-operator-fabric.
Then, after running the script, you'll need to restart the orderer nodes so they pick up the renewed certificates.
I hope you learnt something new 😀
See you next week!