Switching from cert-util to cert-manager

Elasticsearch version: 7.6.2
Running it with Helm on AWS EKS

Old setup (v1): cert-util is run manually (some makefile/script) before helm install in CI. Not using InitContainers.

Current setup (v2): the helm chart now creates Certificate and Issuer resources that create the necessary secrets using the cert-manager API.

Upgrading from v1 to v2 fails with the following errors:

"stacktrace": ["io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",

"Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",

"Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",

"Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",

If I do a clean install of v2 when either there are no helm releases of this chart or v2 is running, the upgrade works fine. It fails to upgrade only when v1 is running. I suspect there is an issue where Elasticsearch cannot switch to the new CA/cert.

Has anyone come across this before?

Couldn't find a way. Ended up helm deleting and doing a fresh helm install :man_shrugging:
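The "PKIX path building failed" error in the stack trace means the certificate a peer presented does not chain to any CA in the verifying node's truststore. The script below is an added example, not from the posts above: it reproduces that condition with `openssl verify` and shows that a trust bundle holding both CAs accepts certificates from either. It assumes the v1 and v2 setups use different CAs; the two throwaway CAs and all file names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: old-ca stands in for the v1 (cert-util) CA and new-ca
# for the v2 (cert-manager Issuer) CA. Nothing is read from a real cluster.
work=$(mktemp -d) && cd "$work" || exit 1

make_ca() {            # $1 = file prefix, also used as the subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_node_cert() {    # $1 = CA prefix, $2 = node certificate prefix
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

chains_to() {          # $1 = CA bundle (PEM), $2 = certificate; prints yes/no
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

make_ca old-ca
make_ca new-ca
issue_node_cert old-ca node-v1
issue_node_cert new-ca node-v2
cat old-ca.crt new-ca.crt > both-cas.crt   # trust bundle containing both CAs

# A node that trusts only the old CA rejects a certificate from the new CA,
# and the reverse; this is the handshake failure seen in a mixed cluster.
echo "old CA only, node-v2 cert: $(chains_to old-ca.crt node-v2.crt)"
echo "new CA only, node-v1 cert: $(chains_to new-ca.crt node-v1.crt)"
# With both CAs trusted, certificates from either generation verify.
echo "both CAs,    node-v1 cert: $(chains_to both-cas.crt node-v1.crt)"
echo "both CAs,    node-v2 cert: $(chains_to both-cas.crt node-v2.crt)"
```

To run the same check against a live release, extract the CA and node certificates from the relevant Kubernetes secrets and pass them to `chains_to` in place of the constructed files.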
