Hyperledger fabric 订购方节点的TLS证书轮换-Cryptogen到结构CA

我一直在致力于将订购方节点证书从cryptogen转到Fabric CA。 我一直在关注这里的官方文件-

以下是我迄今为止尝试过的步骤-

使用*fabric CA server为每个节点生成新证书

使用为订购方创建的新msp路径更新

configtx.yaml

msp路径

基于新的

configtx.yaml

使用jq使用新证书更新系统频道

当前，我在尝试更新系统通道“testchainid”时遇到问题。所看到的错误是-

错误：获得意外状态：错误的\u请求--将配置更新应用于现有通道“testchainid”时出错：授权更新时出错：验证DeltaSet时出错：元素[Group]的mod\u策略无效/channel/Application:未设置mod\u策略

共享在对等cli上执行的步骤：

peer channel fetch config config_block.pb -o orderer.org.com:7050 -c $CHANNEL_NAME --tls --cafile $ORDERER_CA

configtxlator proto_decode --input config_block.pb --type common.Block | jq .data.data[0].payload.data.config > config.json

# Find the diff between current config and new config, then output a new json file
jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"OrdererMSP":.[1]}}}}}' config.json Orderer.json > modified_config.json

# add fabric ca tls certs

jq 'del(.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters[])' modified_config.json > modified_config_1.json

#new ca cert for orderer to update system channel
cert1=$(base64 /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/org.com/orderer/tls-msp/signcerts/cert.pem | sed ':a;N;$!ba;s/\n//g')

#new ca cert for orderer1 to update in system channel
cert2=$(base64 /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/org.com/orderer1/tls-msp/signcerts/cert.pem | sed ':a;N;$!ba;s/\n//g')

#new ca cert for orderer2 to update in system channel
cert3=$(base64 /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/org.com/orderer2/tls-msp/signcerts/cert.pem | sed ':a;N;$!ba;s/\n//g')

#update the new certs on to channel
jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert1'", "host": "orderer.org.com", "port": 7050, "server_tls_cert": "'$cert1'"}] | .channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert2'", "host": "orderer1.org.com", "port": 7050, "server_tls_cert": "'$cert2'"}] | .channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert3'", "host": "orderer2.org.com", "port": 7050, "server_tls_cert": "'$cert3'"}] ' modified_config_1.json > modified_config_2.json

# Converts config.json into config.pb
configtxlator proto_encode --input config.json --type common.Config --output config.pb

# Converts modified_config.pb into modified_config.json
configtxlator proto_encode --input modified_config.json --type common.Config --output modified_config.pb

# Converts modified_config.pb into modified_config.json
configtxlator proto_encode --input modified_config_1.json --type common.Config --output modified_config_1.pb

# Converts modified_config.pb into modified_config.json
configtxlator proto_encode --input modified_config_2.json --type common.Config --output modified_config_2.pb

# Calculates the delta between modified_config.json config.json then output
configtxlator compute_update --channel_id $CHANNEL_NAME --original config.pb --updated modified_config_2.pb --output Orderer_ca_update.pb

configtxlator proto_decode --input Orderer_ca_update.pb --type common.ConfigUpdate | jq . > Orderer_ca_update.json

echo '{"payload":{"header":{"channel_header":{"channel_id":"testchainid", "type":2}},"data":{"config_update":'"$(cat Orderer_ca_update.json)"'}}}' | jq . > Orderer_ca_update_in_envelope.json

configtxlator proto_encode --input Orderer_ca_update_in_envelope.json --type common.Envelope --output Orderer_ca_update_in_envelope.pb

peer channel signconfigtx -f Orderer_ca_update_in_envelope.pb

peer channel update -f Orderer_ca_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.org.com:7050 --tls --cafile $ORDERER_CA

如果您能帮助解决这个问题，我们将不胜感激