Improve error message for invalid consenter cert (#2587)

When channel config had an invalid consenter cert, the error message did not indicate which cert was being verified. The error message now indicates that a consenter cert is invalid, and which consenter cert is invalid. Signed-off-by: David Enyeart <enyeart@us.ibm.com> (cherry picked from commit dbf7eb1)
hyperledger · May 14, 2021 · 3f2158a · 3f2158a
1 parent 94ace65
commit 3f2158a
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/integration/raft/config_test.go b/integration/raft/config_test.go
@@ -402,6 +402,9 @@ var _ = Describe("EndToEnd reconfiguration and onboarding", func() {
 			newConsenterCert, err := x509.ParseCertificate(newConsenterCertPem.Bytes)
 			Expect(err).NotTo(HaveOccurred())
 
+			newConsenterHost := "127.0.0.1"
+			newConsenterPort := uint32(network.OrdererPort(orderer3, nwo.ListenPort))
+
 			current, updated := consenterAdder(
 				network,
 				peer,
@@ -410,13 +413,13 @@ var _ = Describe("EndToEnd reconfiguration and onboarding", func() {
 				etcdraft.Consenter{
 					ServerTlsCert: client.Cert,
 					ClientTlsCert: client.Cert,
-					Host:          "127.0.0.1",
-					Port:          uint32(network.OrdererPort(orderer3, nwo.ListenPort)),
+					Host:          newConsenterHost,
+					Port:          newConsenterPort,
 				},
 			)
 			sess = nwo.UpdateOrdererConfigSession(network, orderer, network.SystemChannel.Name, current, updated, peer, orderer)
 			Eventually(sess, network.EventuallyTimeout).Should(gexec.Exit(1))
-			Expect(sess.Err).To(gbytes.Say(fmt.Sprintf("BAD_REQUEST -- error applying config update to existing channel 'systemchannel': consensus metadata update for channel config update is invalid: invalid new config metadata: verifying tls client cert with serial number %d: x509: certificate signed by unknown authority", newConsenterCert.SerialNumber)))
+			Expect(sess.Err).To(gbytes.Say(fmt.Sprintf("BAD_REQUEST -- error applying config update to existing channel 'systemchannel': consensus metadata update for channel config update is invalid: invalid new config metadata: consenter %s:%d has invalid certificate: verifying tls client cert with serial number %d: x509: certificate signed by unknown authority", newConsenterHost, newConsenterPort, newConsenterCert.SerialNumber)))
 		})
 	})
 

diff --git a/orderer/consensus/etcdraft/util.go b/orderer/consensus/etcdraft/util.go
@@ -247,7 +247,7 @@ func VerifyConfigMetadata(metadata *etcdraft.ConfigMetadata, verifyOpts x509.Ver
 			return errors.Errorf("metadata has nil consenter")
 		}
 		if err := validateConsenterTLSCerts(consenter, verifyOpts, true); err != nil {
-			return err
+			return errors.WithMessagef(err, "consenter %s:%d has invalid certificate", consenter.Host, consenter.Port)
 		}
 	}