FabricNetwork-2.x
Error in orderer2 step_1
Hi,
First of all, this is a very good guide! Thanks a lot! I am trying to do this based on your repository, but when I try to fetch the config to update the orderer2 certificate, I can't fetch it. I got a TLS handshake error.
```
root@hlf-workstation:~/FabricNetwork-2.x/artifacts/channel/create-certificate-with-ca/rotate-certs/step_1/orderer2$ ./add_tls_o2_sys_channel.sh
2022-03-02 23:37:56.447 UTC 0001 ERRO [comm.tls] ClientHandshake -> Client TLS handshake failed after 1.570332ms with error: x509: certificate has expired or is not yet valid: current time 2022-01-28T15:37:56Z is before 2022-03-02T22:47:00Z remoteaddress=127.0.0.1:7050
2022-03-02 23:37:57.451 UTC 0002 ERRO [comm.tls] ClientHandshake -> Client TLS handshake failed after 1.509486ms with error: x509: certificate has expired or is not yet valid: current time 2022-01-28T15:37:57Z is before 2022-03-02T22:47:00Z remoteaddress=127.0.0.1:7050
2022-03-02 23:37:59.054 UTC 0003 ERRO [comm.tls] ClientHandshake -> Client TLS handshake failed after 1.11307ms with error: x509: certificate has expired or is not yet valid: current time 2022-01-28T15:37:59Z is before 2022-03-02T22:47:00Z remoteaddress=127.0.0.1:7050
Error: failed to create deliver client for orderer: orderer client failed to connect to localhost:7050: failed to create new connection: context deadline exceeded
## Encode Orderer2
....
----------------------------
root@hlf-workstation:~/FabricNetwork-2.x/artifacts/channel/create-certificate-with-ca/rotate-certs/step_1/orderer2$ date
Wed Mar 2 23:38:00 UTC 2022
```
The steps I did:
- [x] turn off the ntp and set the date to 2022.01.05
- [x] create ca's
- [x] change configurations (720h)
- [x] Create Network participant certificates using CA
- [x] Create Channel Artifacts
- [x] Run all peer services(Persist data for each service)
- [x] Create Channel & Deploy Chaincode
- [x] Start API Server & invoke tx
Everything is good, and then:
- [x] turn on the ntp
- [x] wait for the time sync
- [x] edit docker-compose for env variables (ORDERER_GENERAL_TLS_TLSHANDSHAKETIMESHIFT, ORDERER_GENERAL_CLUSTER_TLSHANDSHAKETIMESHIFT, ORDERER_GENERAL_AUTHENTICATION_NOEXPIRATIONCHECKS)
- [x] restart orderers
- [x] remove old msp directories from orderers and peers
- [x] copy new msp directories from new-certs to crypto-config (yes only the msp directories)
- [x] restart services
- [x] I can update the first orderer with the new TLS certificate and can commit to sys-channel
- [x] I can update the application channel with the first orderer certificate
The only change I made in your config is changing 200h to 800h, because this is an older date.
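Each handshake error in the post carries two clocks: the log timestamp and the "current time" the certificate was checked against. The following is an added example, not part of the original issue or the repository, that measures the offset between them and tests the reported validity bound against the log's own clock; the function names are hypothetical, and it assumes the log timestamp is the host's wall clock in UTC.

```python
import re
from datetime import datetime, timezone

# First two lines are copied from the post; the third is constructed
# to show the opposite ("after") case with no clock offset.
SAMPLE = [
    "2022-03-02 23:37:56.447 UTC 0001 ERRO [comm.tls] ClientHandshake -> Client TLS handshake failed after 1.570332ms with error: x509: certificate has expired or is not yet valid: current time 2022-01-28T15:37:56Z is before 2022-03-02T22:47:00Z remoteaddress=127.0.0.1:7050",
    "Error: failed to create deliver client for orderer: orderer client failed to connect to localhost:7050: failed to create new connection: context deadline exceeded",
    "2022-03-02 23:37:56.447 UTC 0001 ERRO [comm.tls] ClientHandshake -> Client TLS handshake failed after 1ms with error: x509: certificate has expired or is not yet valid: current time 2022-03-02T23:37:56Z is after 2022-02-04T10:00:00Z remoteaddress=127.0.0.1:7050",
]

LINE_RE = re.compile(
    r"^(?P<wall>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ UTC .*?"
    r"current time (?P<used>\S+) is (?P<rel>before|after) (?P<bound>\S+)"
)


def _utc(text, fmt):
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def analyse(line):
    """Return offset and validity facts for one x509 time error, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    wall = _utc(m["wall"], "%Y-%m-%d %H:%M:%S")      # when the line was logged
    used = _utc(m["used"], "%Y-%m-%dT%H:%M:%SZ")     # time the verifier used
    bound = _utc(m["bound"], "%Y-%m-%dT%H:%M:%SZ")   # NotBefore or NotAfter
    not_yet_valid = m["rel"] == "before"
    return {
        "shift_hours": (wall - used).total_seconds() / 3600,
        "reason": "not_yet_valid" if not_yet_valid else "expired",
        # Would this one bound have been satisfied at the logged time?
        "bound_ok_at_wall_clock": wall >= bound if not_yet_valid else wall <= bound,
    }


def report(lines):
    """Analyse every matching line and skip the rest."""
    return [r for r in map(analyse, lines) if r is not None]


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

A non-zero `shift_hours` together with `bound_ok_at_wall_clock` being true means the certificate's validity window only fails against the offset clock, which is worth comparing with any handshake time-shift value configured on the process that logged the line.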