Symptoms
After the CA certificate is changed, when attempting to log in to the UI, the following error is presented.
{
"error_code" : 500,
"message" : "Failed to create SSL connection"
}
Causes
When an instance of Event Endpoint Management is created, a CA certificate secret can be referenced in the EventEndpointManagement
custom resource YAML. If a CA certificate secret is not referenced, then the Event Endpoint Management operator creates a default one during the deployment process.
This failure occurs when the referenced CA certificate secret is changed or added after the instance has been created. This happens because of the behavior of IBM Cert Manager; IBM Cert Manager does not refresh leaf certificates if an Issuer is changed.
The Event Endpoint Management operator will pick up on the change to the configuration. It will mount the new CA certificate secret into the instance. It will change the Issuer custom resource used by Cert Manager to generate the leaf certificates.
However, due to the way Cert Manager works, the leaf certificates are not regenerated with the Issuer change. This means the new CA does not trust the previous leaf certificate, both of which are mounted into the Event Manager pod. This failure in trust causes the SSLHandshakeException.
Resolving the problem
This error can be resolved by forcing a refresh of the leaf certificate.
To refresh the leaf certificate, delete the secret that is generated by the Cert Manager. The name of the secret that is generated by the IBM Cert Manager is <my-instance>-ibm-eem-manager
.