| id | renew-certificates |
|---|---|
| title | Renew certificates |

To trigger the renewal of the certificates, for either the orderer or the peer, we can use the `hlf ca renew <node_type>` command.

```bash
PEER_NAME=org1-peer0
PEER_NS=default
kubectl hlf peer renew --name=$PEER_NAME --namespace=$PEER_NS
```

You can monitor the state of the renewal by using:

```bash
kubectl get fabricpeers.hlf.kungfusoftware.es -w
```

```bash
ORDERER_NAME=ord-node1
ORDERER_NS=default
kubectl hlf ordnode renew --name=$ORDERER_NAME --namespace=$ORDERER_NS
```

You can monitor the state of the renewal by using:

```bash
kubectl get fabricorderernodes.hlf.kungfusoftware.es -w
```

When renewing the orderer certificates, the channel that the orderer is a consenter of must be updated with the new certificates generated by the operator.

The operator does not handle this operation: it does not know which channels the orderer is a consenter of, nor does it have the authority to update the channel, since the signatures needed can vary depending on the configuration.

For this operation to work, the ordering service must have at least 3 nodes; with 2 nodes or fewer, the consensus will not be able to reach a quorum.

```bash
CHANNEL_NAME=demo
kubectl hlf channel consenter replace --config=ordservice.yaml \
  --orderer="$ORDERER_NAME.$ORDERER_NS" \
  --user=admin --channel=$CHANNEL_NAME \
  --mspid=OrdererMSP --output=replace_orderers_consenter.pb

kubectl hlf channel update --channel=$CHANNEL_NAME -f replace_orderers_consenter.pb \
  --config=ordservice.yaml --user=admin --mspid=OrdererMSP
```
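
A way to confirm that the channel update above really replaced the orderer's certificates, as an added example that is not part of the operator or its documentation. It assumes the channel configuration has been fetched and decoded to JSON as a `common.Config` message (for instance with `configtxlator`) and loaded with `json.load`; the consenter host names, the port and the placeholder certificates are constructed for illustration.

```python
import base64
import hashlib

# Location of the etcdraft consenter set in a channel config decoded to JSON
# (assumed: configtxlator output for a common.Config message).
CONSENTERS_PATH = ("channel_group", "groups", "Orderer", "values",
                   "ConsensusType", "value", "metadata", "consenters")

def der_fingerprint(pem: str) -> str:
    """SHA-256 of the DER bytes, so PEM line wrapping does not matter."""
    body = "".join(l.strip() for l in pem.splitlines() if l.strip() and "-----" not in l)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def stale_consenters(config: dict, host: str, renewed_pem: str) -> list:
    """List (host, port, field) for entries of `host` not carrying renewed_pem."""
    node = config
    for key in CONSENTERS_PATH:
        node = node[key]
    entries = [c for c in node if c["host"] == host]
    if not entries:
        raise LookupError(f"{host} is not a consenter of this channel")
    want = der_fingerprint(renewed_pem)
    return [(c["host"], c["port"], field)
            for c in entries
            for field in ("client_tls_cert", "server_tls_cert")
            if der_fingerprint(base64.b64decode(c[field]).decode()) != want]

# --- constructed sample data (placeholder bytes, not real certificates) ---
def _pem(raw: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(raw).decode()
            + "\n-----END CERTIFICATE-----\n")

OLD_PEM, NEW_PEM = _pem(b"constructed old cert"), _pem(b"constructed renewed cert")

def sample_config(node1_pem: str) -> dict:
    """Three-consenter config in which only ord-node1 carries node1_pem."""
    def entry(host, pem):
        b64 = base64.b64encode(pem.encode()).decode()
        return {"host": host, "port": 7050, "client_tls_cert": b64, "server_tls_cert": b64}
    config = [entry("ord-node1.default", node1_pem),
              entry("ord-node2.default", OLD_PEM),
              entry("ord-node3.default", OLD_PEM)]
    for key in reversed(CONSENTERS_PATH):
        config = {key: config}
    return config

if __name__ == "__main__":
    print("before update:", stale_consenters(sample_config(OLD_PEM), "ord-node1.default", NEW_PEM))
    print("after update: ", stale_consenters(sample_config(NEW_PEM), "ord-node1.default", NEW_PEM))
```

An empty list means every consenter entry for that orderer carries the renewed certificate; a `LookupError` means the host name used does not match any consenter in that channel.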