Merge c5f953ba88 into 119d3bc53f

This patch updates Fabric versions:
- Fabric v2.5.16 and v3.1.5
- Fabric CA v1.5.21

fabric-ca-client v1.5.21 appends the default port 7054 when omitted,
breaking register/enroll against the ingress (443). Make the CA URL
port explicit (:443).

Signed-off-by: Tatsuya Sato <tatsuya.sato.so@hitachi.com>

.github/actions/fsat-setup/action.yaml

@@ -12,10 +12,10 @@ inputs:
     default: v0.50.15
   fabric-version:
     description: Version of Hyperledger Fabric
-    default: "2.5.15"
+    default: "2.5.16"
   ca-version:
     description: Version of Hyperledger Fabric CA
-    default: "1.5.15"
+    default: "1.5.21"
 
 runs:
   using: "composite"

.github/actions/test-network-setup/action.yaml

@@ -12,10 +12,10 @@ inputs:
     default: 25.x
   fabric-version:
     description: Version of Hyperledger Fabric
-    default: 2.5.15
+    default: 2.5.16
   ca-version:
     description: Version of Hyperledger Fabric CA
-    default: 1.5.15
+    default: 1.5.21
 
 runs:
   using: "composite"

.github/workflows/test-network-bft-orderer.yaml

@@ -38,7 +38,7 @@ jobs:
         # Note: The default Fabric version for CI is currently the latest LTS (v2.5.x).
         # To test BFT Orderers, Fabric v3.x is explicitly specified here.
         with:
-          fabric-version: 3.1.4
+          fabric-version: 3.1.5
 
       - name: Run Test Network with BFT Orderers
         working-directory: test-network

full-stack-asset-transfer-guide/infrastructure/multipass-cloud-config.yaml

@@ -27,7 +27,7 @@ write_files:
       # set -o pipefail
 
       if [ -z $1 ]; then
-        HLF_VERSION=2.5.15
+        HLF_VERSION=2.5.16
       else
         HLF_VERSION=$1
       fi

full-stack-asset-transfer-guide/infrastructure/sample-network/network

@@ -33,8 +33,8 @@ function context() {
   export ${name}="${!override_name:-${default_value}}"
 }
 
-context FABRIC_VERSION            2.5.15
-context FABRIC_CA_VERSION         1.5.15
+context FABRIC_VERSION            2.5.16
+context FABRIC_CA_VERSION         1.5.21
 
 context CLUSTER_RUNTIME           kind                  # or k3s for Rancher
 context CONTAINER_CLI             docker                # or nerdctl for containerd

full-stack-asset-transfer-guide/infrastructure/sample-network/scripts/rest_sample.sh

@@ -21,12 +21,12 @@ fabric-ca-client  register \
   --id.name       $USERNAME \
   --id.secret     $PASSWORD \
   --id.type       client \
-  --url           https://$WORKSHOP_NAMESPACE-$ORG-ca-ca.$WORKSHOP_INGRESS_DOMAIN \
+  --url           https://$WORKSHOP_NAMESPACE-$ORG-ca-ca.$WORKSHOP_INGRESS_DOMAIN:443 \
   --tls.certfiles $WORKSHOP_CRYPTO/cas/$ORG-ca/tls-cert.pem \
   --mspdir        $WORKSHOP_CRYPTO/enrollments/$ORG/users/rcaadmin/msp
 
 fabric-ca-client enroll \
-  --url           https://$USERNAME:$PASSWORD@$WORKSHOP_NAMESPACE-$ORG-ca-ca.$WORKSHOP_INGRESS_DOMAIN \
+  --url           https://$USERNAME:$PASSWORD@$WORKSHOP_NAMESPACE-$ORG-ca-ca.$WORKSHOP_INGRESS_DOMAIN:443 \
   --tls.certfiles $WORKSHOP_CRYPTO/cas/$ORG-ca/tls-cert.pem \
   --mspdir        $WORKSHOP_CRYPTO/enrollments/$ORG/users/$USERNAME/msp
 

full-stack-asset-transfer-guide/tests/20-cloud-e2e.sh

@@ -332,12 +332,12 @@ fabric-ca-client  register \
   --id.name       $USERNAME \
   --id.secret     $PASSWORD \
   --id.type       client \
-  --url           https://$WORKSHOP_NAMESPACE-$ORG-ca-ca.$WORKSHOP_INGRESS_DOMAIN \
+  --url           https://$WORKSHOP_NAMESPACE-$ORG-ca-ca.$WORKSHOP_INGRESS_DOMAIN:443 \
   --tls.certfiles $WORKSHOP_CRYPTO/cas/$ORG-ca/tls-cert.pem \
   --mspdir        $WORKSHOP_CRYPTO/enrollments/$ORG/users/rcaadmin/msp
 
 fabric-ca-client enroll \
-  --url           https://$USERNAME:$PASSWORD@$WORKSHOP_NAMESPACE-$ORG-ca-ca.$WORKSHOP_INGRESS_DOMAIN \
+  --url           https://$USERNAME:$PASSWORD@$WORKSHOP_NAMESPACE-$ORG-ca-ca.$WORKSHOP_INGRESS_DOMAIN:443 \
   --tls.certfiles $WORKSHOP_CRYPTO/cas/$ORG-ca/tls-cert.pem \
   --mspdir        $WORKSHOP_CRYPTO/enrollments/$ORG/users/$USERNAME/msp
 

test-network-k8s/docs/BFT_ORDERERS.md

@@ -39,8 +39,8 @@ First, run the following command to verify that the environment variables are co
 ```shell
 $ ./network
 
-Fabric image versions: Peer (3.1.4), CA (1.5.15)
-Fabric binary versions: Peer (3.1.4), CA (1.5.15)
+Fabric image versions: Peer (3.1.5), CA (1.5.21)
+Fabric binary versions: Peer (3.1.5), CA (1.5.21)
 
 --- Fabric Information
 Fabric Version          : 3.1

test-network/compose/podman/podman-compose-test-net.yaml

@@ -11,4 +11,3 @@ services:
   peer0.org2.example.com:
     volumes:
       - ./podman/peercfg:/etc/hyperledger/peercfg
-

test-network/network.config

@@ -1,7 +1,7 @@
-# default image tag, example: "2.5.13".  "default" will download the latest. (-i)
+# default image tag, example: "2.5.16".  "default" will download the latest. (-i)
 IMAGETAG="default"
 
-# default ca image tag, example: "1.5.15". "default" will download the latest. (-cai)
+# default ca image tag, example: "1.5.21". "default" will download the latest. (-cai)
 CA_IMAGETAG="default"
 
 # Using crpto vs CA. default is cryptogen
@@ -55,4 +55,3 @@ CC_INVOKE_CONSTRUCTOR=''{\"Args\":[\"InitLedger\"]}''
 # Default constructor for testing a chaincode query (-cciq)
 CC_QUERY_CONSTRUCTOR=''{\"Args\":[\"GetAllAssets\"]}''
 
-

test-network/network.sh

@@ -678,6 +678,9 @@ elif [ "$MODE" == "cc" ] && [ "$SUBCOMMAND" == "invoke" ]; then
   invokeChaincode
 elif [ "$MODE" == "cc" ] && [ "$SUBCOMMAND" == "query" ]; then
   queryChaincode
+elif [ "$MODE" == "renew" ]; then
+  infoln "Renewing certificates"
+  ./scripts/renewCerts.sh
 else
   printHelp
   exit 1

test-network/scripts/renewCerts.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+#
+# Copyright IBM Corp All Rights Reserved
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# This script is used to renew certificates in the test network.
+# It re-enrolls the identities using the Fabric CA.
+
+. scripts/utils.sh
+
+function renewOrg1() {
+  infoln "Renewing Org1 certificates"
+
+  export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org1.example.com/
+
+  # Remove existing MSP and TLS - this is important to avoid 'malformed serial number'
+  # and other parsing errors when fabric-ca-client tries to use old certs for auth.
+  rm -rf "${FABRIC_CA_CLIENT_HOME}/msp"
+  rm -rf "${FABRIC_CA_CLIENT_HOME}/tls"
+  rm -rf "${FABRIC_CA_CLIENT_HOME}/ca"
+  rm -rf "${FABRIC_CA_CLIENT_HOME}/tlsca"
+  rm -rf "${FABRIC_CA_CLIENT_HOME}/peers"
+  rm -rf "${FABRIC_CA_CLIENT_HOME}/users"
+
+  # Re-enroll everything
+  . organizations/fabric-ca/registerEnroll.sh
+  createOrg1
+}
+
+function renewOrg2() {
+  infoln "Renewing Org2 certificates"
+
+  export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/peerOrganizations/org2.example.com/
+
+  rm -rf "${FABRIC_CA_CLIENT_HOME}/msp"
+  rm -rf "${FABRIC_CA_CLIENT_HOME}/tls"
+  rm -rf "${FABRIC_CA_CLIENT_HOME}/ca"
+  rm -rf "${FABRIC_CA_CLIENT_HOME}/tlsca"
+  rm -rf "${FABRIC_CA_CLIENT_HOME}/peers"
+  rm -rf "${FABRIC_CA_CLIENT_HOME}/users"
+
+  . organizations/fabric-ca/registerEnroll.sh
+  createOrg2
+}
+
+function renewOrderer() {
+  infoln "Renewing Orderer certificates"
+
+  export FABRIC_CA_CLIENT_HOME=${PWD}/organizations/ordererOrganizations/example.com
+
+  rm -rf "${FABRIC_CA_CLIENT_HOME}/msp"
+  rm -rf "${FABRIC_CA_CLIENT_HOME}/tls"
+  rm -rf "${FABRIC_CA_CLIENT_HOME}/ca"
+  rm -rf "${FABRIC_CA_CLIENT_HOME}/tlsca"
+  rm -rf "${FABRIC_CA_CLIENT_HOME}/orderers"
+  rm -rf "${FABRIC_CA_CLIENT_HOME}/users"
+
+  . organizations/fabric-ca/registerEnroll.sh
+  createOrderer
+}
+
+# Check if CAs are running
+if [ $(docker ps -q --filter name=ca_org1 --filter status=running | wc -l) -eq 0 ]; then
+  fatalln "Fabric CAs must be running to renew certificates. Please run './network.sh up -ca' first."
+fi
+
+renewOrg1
+renewOrg2
+renewOrderer
+
+infoln "Certificates renewed successfully. You may need to restart your network nodes (peer/orderer) to pick up the new certificates."

test-network/scripts/utils.sh

@@ -17,8 +17,8 @@ function printHelp() {
     println
     println "    Flags:"
     println "    Used with \033[0;32mnetwork.sh prereq\033[0m:"
-    println "    -i     FabricVersion (default: '2.5.15')"
-    println "    -cai   Fabric CA Version (default: '1.5.15')"
+    println "    -i     FabricVersion (default: '2.5.16')"
+    println "    -cai   Fabric CA Version (default: '1.5.21')"
     println
   elif [ "$USAGE" == "up" ]; then
     println "Usage: "
@@ -143,8 +143,15 @@ function printHelp() {
     println "   network.sh cc invoke -c channel1 -ccic '{\"Args\":[\"CreateAsset\",\"asset1\",\"red\",\"10\",\"fred\",\"500\"]}'"
     println "   network.sh cc query -c channel1 -ccqc '{\"Args\":[\"ReadAsset\",\"asset1\"]}'"
     println
+    println
     println " NOTE: Default settings can be changed in network.config"
     println
+  elif [ "$USAGE" == "renew" ]; then
+    println "Usage: "
+    println "  network.sh \033[0;32mrenew\033[0m"
+    println
+    println "    Example:"
+    println "      network.sh renew"
   else
     println "Usage: "
     println "  network.sh <Mode> [Flags]"
@@ -156,11 +163,12 @@ function printHelp() {
     println "      \033[0;32mdeployCC\033[0m - Deploy a chaincode to a channel (defaults to asset-transfer-basic)"
     println "      \033[0;32mcc\033[0m - chaincode functions, use \"network.sh cc -h\" for options"
     println "      \033[0;32mdown\033[0m - Bring down the network"
+    println "      \033[0;32mrenew\033[0m - Renew certificates for the network"
     println
     println "    Flags:"
     println "    Used with \033[0;32mnetwork.sh prereq\033[0m"
-    println "    -i     FabricVersion (default: '2.5.15')"
-    println "    -cai   Fabric CA Version (default: '1.5.15')"
+    println "    -i     FabricVersion (default: '2.5.16')"
+    println "    -cai   Fabric CA Version (default: '1.5.21')"
     println
     println "    Used with \033[0;32mnetwork.sh up\033[0m, \033[0;32mnetwork.sh createChannel\033[0m:"
     println "    -ca - Use Certificate Authorities to generate network crypto material"