Symptoms
After the CA certificate is changed, when attempting to log in to the UI, the following error is presented.
{
"error_code" : 500,
"message" : "Failed to create SSL connection"
}
Causes
When an instance of Event Processing is created, a CA certificate secret can be referenced in the EventProcessing
custom resource YAML. If a CA certificate secret is not referenced, then the Event Processing operator creates a default one during the deployment process.
This failure occurs when the referenced CA certificate secret is changed or added after the instance has been created. This happens because of the behavior of IBM Cert Manager; Cert Manager does not refresh leaf certificates if an Issuer is changed.
The Event Processing operator will pick up on the change to the configuration. It will mount the new CA certificate secret into the instance. It will change the Issuer custom resource used by IBM Cert Manager to generate the leaf certificates.
However, due to the way Cert Manager works, the leaf certificates are not regenerated with the Issuer change. This means the new CA does not trust the previous leaf certificate, both of which are mounted into the Event Processing pod. This failure in trust causes the SSLHandshakeException.
Resolving the problem
This error can be resolved by forcing a refresh of the leaf certificate.
To refresh the leaf certificate, delete the secret that is generated by the IBM Cert Manager. The name of the secret that is generated by the IBM Cert Manager is <my-instance>-ibm-eventprocessing
.