Error when logging in to UI after changing CA certificate

Symptoms

After the CA certificate is changed, when attempting to log in to the UI, the following error is displayed:

Screen capture displaying the error for when changing CA certificate

Causes

When an instance of Event Processing is created, a CA certificate secret can be referenced in the EventProcessing custom resource YAML. If a CA certificate secret is not referenced, then the Event Processing operator creates a default one during the deployment process.

This failure occurs when the referenced CA certificate secret is changed or added after the instance has been created.

The Event Processing operator will pick up on the change to the configuration. It will mount the new CA certificate secret into the instance. It will change the Issuer custom resource used by the certificate manager to generate the leaf certificates.

However, due to the way Cert Manager works, the leaf certificates are not regenerated with the Issuer change. This means the new CA does not trust the previous leaf certificate, both of which are mounted into the Event Processing pod. This failure in trust causes the SSLHandshakeException.

Resolving the problem

This error can be resolved by forcing a refresh of the leaf certificate. To refresh the leaf certificate, delete the secret that is generated by the the certificate manager. The name of the secret that is generated by the the certificate manager is <my-instance>-ibm-eventprocessing.