Elasticsearch version: 7.6.2
Running it with Helm on AWS EKS
Old setup (v1): cert-util is run manually (some makefile/script) before helm install in CI. Not using InitContainers
Current setup (v2): helm chart now creates Certificate and Issuer resources that create the necessary secrets using cert-manager API
Upgrading from v1 to v2 fails with the following errors:
"stacktrace": ["io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
"Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
"Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
"Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
If I do a clean install of v2 when either there are no helm releases of this chart or v2 is running, the upgrade works fine. It fails to upgrade only when v1 is running. I suspect there is an issue where elasticsearch cannot switch to the new ca/cert.
Has anyone come across this before?
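
The PKIX error in the stack trace is what a TLS peer reports when the certificate it is shown does not chain to any CA it trusts. As an added example (not part of the original post; it uses the openssl CLI in place of Elasticsearch, and all names are constructed), this reproduces that condition with two unrelated CAs and shows which trust bundles accept which node certificates:

```shell
#!/usr/bin/env bash
# Constructed reproduction; old-ca, new-ca, v1-node and v2-node are made-up names.
# Assumes the openssl CLI with its default configuration is installed.
set -eu

# make_ca <dir> <name>: create a self-signed CA certificate and key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_leaf <dir> <ca> <leaf>: issue a node certificate signed by <ca>.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# chains_to <trust-bundle> <cert>: print "trusted" or "untrusted".
chains_to() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# build_pki <dir>: two CAs, one node cert from each, plus a combined bundle.
build_pki() {
  make_ca "$1" old-ca; make_ca "$1" new-ca
  issue_leaf "$1" old-ca v1-node
  issue_leaf "$1" new-ca v2-node
  cat "$1/old-ca.crt" "$1/new-ca.crt" > "$1/both-cas.crt"
}

d=$(mktemp -d)
build_pki "$d"
echo "v1 trust (old CA only) sees v2 node: $(chains_to "$d/old-ca.crt" "$d/v2-node.crt")"
echo "v2 trust (new CA only) sees v1 node: $(chains_to "$d/new-ca.crt" "$d/v1-node.crt")"
echo "bundle of both CAs sees v2 node:     $(chains_to "$d/both-cas.crt" "$d/v2-node.crt")"
echo "bundle of both CAs sees v1 node:     $(chains_to "$d/both-cas.crt" "$d/v1-node.crt")"
rm -rf "$d"
```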