Renew certificates
To trigger the renewal of the certificates, for either the orderer or the peer, we can use the hlf ca renew <node_type> command.
Renewing certificates for the peer
PEER_NAME=org1-peer0
PEER_NS=default
kubectl hlf peer renew --name=$PEER_NAME --namespace=$PEER_NS
You can monitor the state of the renewal by using:
kubectl get fabricpeers.hlf.kungfusoftware.es -w
Renewing certificates for the orderer
ORDERER_NAME=ord-node1
ORDERER_NS=default
kubectl hlf ordnode renew --name=$ORDERER_NAME --namespace=$ORDERER_NS
You can monitor the state of the renewal by using:
kubectl get fabricorderernodes.hlf.kungfusoftware.es -w
!!!! IMPORTANT !!!!
When renewing the orderer certificates, the channel in which the orderer is a consenter must be updated with the new certificates generated by the operator.
This operation is not handled by the operator: the operator does not know which channels the orderer is a consenter of, nor does it have the authority to update the channel, since the signatures needed can vary depending on the configuration.
Renewing certificates for the consenter
For this operation to work, the ordering service must have at least 3 nodes. With 2 nodes or fewer, the consensus will not be able to reach a quorum.
Generate channel block update
CHANNEL_NAME=demo
kubectl hlf channel consenter replace --config=ordservice.yaml \
--orderer="$ORDERER_NAME.$ORDERER_NS" \
--user=admin --channel=$CHANNEL_NAME \
--mspid=OrdererMSP --output=replace_orderers_consenter.pb
Submit channel update
kubectl hlf channel update --channel=$CHANNEL_NAME -f replace_orderers_consenter.pb \
--config=ordservice.yaml --user=admin --mspid=OrdererMSP
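To check whether a channel still carries an orderer's pre-renewal certificate, before or after the update above, the following added example (not part of the operator or of this page) compares consenter certificates in a decoded channel config with the renewed one. It assumes the etcdraft JSON layout produced by configtxlator, one TLS certificate per orderer used for both client and server, majority quorum, and that a consenter with a mismatched certificate is unavailable until the channel is updated; host names and certificate bytes are constructed.

```python
import base64
import hashlib

def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes inside a single PEM certificate block."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def stale_consenters(config: dict, renewed: dict) -> list:
    """Return host:port of consenters whose channel-config TLS certs differ
    from the renewed certificate for that host. `renewed` maps host -> PEM."""
    meta = config["channel_group"]["groups"]["Orderer"]["values"]["ConsensusType"]["value"]["metadata"]
    stale = []
    for c in meta["consenters"]:
        if c["host"] not in renewed:
            continue
        want = pem_fingerprint(renewed[c["host"]])
        # Assumption: bytes fields are base64 in the decoded JSON, so each cert is base64(PEM).
        have = {pem_fingerprint(base64.b64decode(c[k]).decode())
                for k in ("client_tls_cert", "server_tls_cert")}
        if have != {want}:
            stale.append(f'{c["host"]}:{c["port"]}')
    return stale

def quorum_holds(total: int, stale: int) -> bool:
    """Majority rule: floor(n/2)+1 consenters must still match the channel config."""
    return total - stale >= total // 2 + 1

def _pem(der: bytes) -> str:  # constructed stand-in, not a real X.509 certificate
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

def _consenter(host: str, pem: str) -> dict:
    b64 = base64.b64encode(pem.encode()).decode()
    return {"host": host, "port": 7050, "client_tls_cert": b64, "server_tls_cert": b64}

# Constructed sample: three consenters; ord-node1 was renewed, the channel still holds its old cert.
OLD, NEW = _pem(b"old-der-bytes"), _pem(b"new-der-bytes")
SAMPLE = {"channel_group": {"groups": {"Orderer": {"values": {"ConsensusType": {"value": {
    "metadata": {"consenters": [_consenter("ord-node1.test", OLD),
                                _consenter("ord-node2.test", _pem(b"n2")),
                                _consenter("ord-node3.test", _pem(b"n3"))]}}}}}}}}

if __name__ == "__main__":
    stale = stale_consenters(SAMPLE, {"ord-node1.test": NEW})
    print("stale consenters:", stale, "| quorum holds:", quorum_holds(3, len(stale)))
```

An empty list after the channel update means the consenter set matches the renewed certificate.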