Symptoms
After the CA certificate is changed, attempting to log in to the UI returns the following error:
{
"error_code" : 500,
"message" : "Failed to create SSL connection"
}
Causes
When an instance of the Event Manager is created, a CA certificate secret can be referenced in the EventEndpointManagement custom resource YAML. If a CA certificate secret is not referenced, then the Event Endpoint Management operator creates a default one during the deployment process.
This failure occurs when the referenced CA certificate secret is changed or added after the instance has been created.
The Event Endpoint Management operator will pick up on the change to the configuration. It will mount the new CA certificate secret into the instance. It will change the Issuer custom resource used by the certificate manager to generate the leaf certificates.
However, because of the way Cert Manager works, the leaf certificates are not regenerated when the Issuer changes. The new CA and the previous leaf certificate are both mounted into the Event Manager pod, and the new CA does not trust the previous leaf certificate. This failure in trust causes the SSLHandshakeException.
Resolving the problem
This error can be resolved by forcing a refresh of the leaf certificate.
To refresh the leaf certificate, delete the secret that is generated by the certificate manager. The name of the secret that is generated by the certificate manager is <my-instance>-ibm-eem-manager.
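Before deleting the secret, you can confirm that the mismatch described under Causes is present. The following script is an added example, not part of the product or its documentation. It assumes kubectl access to the instance namespace and that the referenced CA secret stores the CA certificate under the tls.crt key; the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic example; function names are hypothetical.
# Usage: sh check-eem-leaf.sh <my-instance> <namespace> <ca-secret-name>

# leaf_signed_by_ca CA_PEM LEAF_PEM
# Exit status 0 only if the leaf certificate verifies against the given CA.
leaf_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# get_cert SECRET NAMESPACE OUTFILE
# Writes the PEM held under tls.crt to OUTFILE; fails if nothing was read.
# Assumption: the CA secret keeps the CA certificate under tls.crt.
get_cert() {
    kubectl get secret "$1" -n "$2" -o 'jsonpath={.data.tls\.crt}' |
        base64 -d > "$3"
    [ -s "$3" ]
}

# check_eem_leaf INSTANCE NAMESPACE CA_SECRET
# Returns 0 if the leaf chains to the CA, 1 if it is stale, 2 on lookup errors.
check_eem_leaf() {
    instance=$1 ns=$2 ca_secret=$3
    leaf_secret="${instance}-ibm-eem-manager"   # secret name given on this page
    tmp=$(mktemp -d) || return 2
    if ! get_cert "$ca_secret" "$ns" "$tmp/ca.pem" ||
       ! get_cert "$leaf_secret" "$ns" "$tmp/leaf.pem"; then
        echo "Could not read tls.crt from $ca_secret or $leaf_secret" >&2
        rm -rf "$tmp"
        return 2
    fi
    if leaf_signed_by_ca "$tmp/ca.pem" "$tmp/leaf.pem"; then
        echo "OK: $leaf_secret chains to the CA in $ca_secret"
        rc=0
    else
        echo "STALE: $leaf_secret was not issued by the CA in $ca_secret"
        openssl x509 -in "$tmp/leaf.pem" -noout -issuer
        echo "Force a refresh with:"
        echo "  kubectl delete secret $leaf_secret -n $ns"
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Run the check only when all three arguments are supplied.
if [ "$#" -eq 3 ]; then
    check_eem_leaf "$@"
fi
```

After the secret is deleted and regenerated, running the script again should report OK.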