Nelkenheinrich

Reputation: 88

Hyperledger TLS problem when adding an orderer and exchanging crypto material

I'm currently trying to add an additional org (with its own orderer nodes) to our running network. I'm not sure what (exactly) needs to be copied at the step where you are supposed to "port the Orderer Org’s MSP material into the Org3 crypto-config directory". (reference: https://hyperledger-fabric.readthedocs.io/en/release-1.4/channel_update_tutorial.html#generate-the-org3-crypto-material) I tried to include everything except the private keys, but that caused TLS issues between the orderers of each org. Including the private keys (i.e. copying everything like the command shows) solved the TLS issue. But I cannot imagine this being the expected method. Am I missing something?

Upvotes: 0

Views: 69

Answers (1)

kekomal

Reputation: 2200

The organization public cryptographic material referenced in the configtx.yaml has the following structure:

With NodeOUs:

msp
├── cacerts
│   └── localhost-ca.pem
├── config.yaml
├── IssuerPublicKey
├── IssuerRevocationPublicKey
└── tlscacerts
    └── tls-localhost-7054-ca.pem

Without NodeOUs:

msp
├── admincerts
│   └── admin.pem
├── cacerts
│   └── localhost-ca.pem
├── IssuerPublicKey
├── IssuerRevocationPublicKey
└── tlscacerts
    └── tls-localhost-7054-ca.pem

I think IssuerPublicKey and IssuerRevocationPublicKey are not necessary, but fabric-ca-client generates them and they are public, so I leave them.

If you are using EtcdRaft consensus, you will also need your orderers' public certificates to be accessible as described by ClientTLSCert and ServerTLSCert in your configtx.yaml. EtcdRaft demands TLS.

Upvotes: 1
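
An added example (not part of the answer above and not Fabric's own tooling): a pre-share check that a folder matches one of the two public layouts listed in the answer and contains no private keys. The function names, the `keystore` directory and `_sk` suffix heuristics, and the sample tree with dummy file contents are assumptions constructed for illustration.

```python
import os
import tempfile

REQUIRED_DIRS = ("cacerts", "tlscacerts")  # present in both layouts in the answer

def audit_public_msp(msp_dir):
    """Return a sorted list of findings; an empty list means nothing was flagged."""
    findings = []
    for name in REQUIRED_DIRS:
        path = os.path.join(msp_dir, name)
        if not os.path.isdir(path) or not os.listdir(path):
            findings.append(f"missing or empty: {name}/")
    # The NodeOUs layout carries config.yaml; the other layout carries admincerts/.
    has_node_ous = os.path.isfile(os.path.join(msp_dir, "config.yaml"))
    admincerts = os.path.join(msp_dir, "admincerts")
    has_admincerts = os.path.isdir(admincerts) and bool(os.listdir(admincerts))
    if not (has_node_ous or has_admincerts):
        findings.append("neither config.yaml nor admincerts/ present")
    for root, _dirs, files in os.walk(msp_dir):
        if os.path.basename(root) == "keystore":
            findings.append(f"private key directory: {os.path.relpath(root, msp_dir)}")
        for f in files:
            full = os.path.join(root, f)
            with open(full, "rb") as fh:
                has_key = b"PRIVATE KEY-----" in fh.read()  # PEM private key marker
            if has_key or f.endswith("_sk"):
                findings.append(f"private key file: {os.path.relpath(full, msp_dir)}")
    return sorted(findings)


def build_sample(root, with_private_key):
    """Constructed sample tree mirroring the NodeOUs layout; contents are dummies."""
    msp = os.path.join(root, "msp")
    for rel in ("cacerts/localhost-ca.pem", "tlscacerts/tls-localhost-7054-ca.pem"):
        os.makedirs(os.path.join(msp, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(msp, rel), "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n")
    with open(os.path.join(msp, "config.yaml"), "w") as fh:
        fh.write("NodeOUs:\n  Enable: true\n")
    if with_private_key:
        os.makedirs(os.path.join(msp, "keystore"))
        with open(os.path.join(msp, "keystore", "priv_sk"), "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n")
    return msp


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_public_msp(build_sample(tmp, with_private_key=True)))
```

Run `audit_public_msp` on the directory you are about to hand to another organization; any "private key" finding means the copy included more than the public MSP.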
