
How to renew TLS certs in hyperledger fabric after they have expired?


My orderers and peers aren't able to communicate. They are giving a bad certificate error. I don't want to lose any data.

2020-12-18 12:47:46.820 UTC [core.comm] ServerHandshake -> ERRO 990 TLS handshake failed with error remote error: tls: bad certificate server=PeerServer remoteaddress=172.29.0.7:58636

Solution

For peers, it's very straightforward:

  • issue new TLS certificates from the same CA which issued their current certs
  • replace the existing certificates (or update core.yaml to point to the new certificates if using different paths/filenames)
  • restart the peer(s)

For orderers using Raft, it's a bit trickier. Assuming you are on the latest 1.4.x version, what you need to do for orderers is use their existing private keys to generate new CSRs and then have the CA issue a new public certificate. You will then replace the public certificate (or update orderer.yaml to point to it) and restart the orderers one at a time.
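The orderer step above hinges on the new CSR being built from the orderer's existing TLS key, not a fresh one. The following is an added example (not from the question or the answer, and not Fabric code) of doing exactly that with Go's standard library and of checking, before the CSR is sent to the CA, that it really carries the existing key's public key. The key is generated in `main` as a constructed stand-in for the orderer's current TLS key; the hostname and org name are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// csrFromExistingKey builds a PEM-encoded CSR signed with the orderer's
// existing TLS private key, so the certificate the CA issues keeps the
// same key pair the orderer already uses.
func csrFromExistingKey(key *ecdsa.PrivateKey, cn string, hosts []string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: cn, Organization: []string{"PlaceholderOrg"}},
		DNSNames: hosts, // SANs the TLS cert must carry for the orderer's hostnames
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// csrMatchesKey parses a PEM CSR, verifies its self-signature, and reports
// whether the public key inside it belongs to key. A CSR that was built
// from a newly generated key would be accepted by the CA but would not
// preserve the orderer's key pair, which defeats the point of the procedure.
func csrMatchesKey(csrPEM []byte, key *ecdsa.PrivateKey) (bool, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return false, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return false, err
	}
	if err := csr.CheckSignature(); err != nil {
		return false, err
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey), nil
}

func main() {
	// Constructed stand-in for the orderer's existing TLS key (normally loaded from its tls directory).
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csr, _ := csrFromExistingKey(key, "orderer0.example.com", []string{"orderer0.example.com"})
	ok, _ := csrMatchesKey(csr, key)
	fmt.Printf("%skey matches: %v\n", csr, ok)
}
```

The PEM printed by `main` is what you would hand to the CA for signing; the returned certificate then replaces the old one in the orderer's TLS directory before that orderer is restarted.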