danny-krueger opened a new issue, #285: URL: https://github.com/apache/pulsar-helm-chart/issues/285
**Describe the bug**
The reissued certificates from the Cert Manager will not be used by Pulsar until the pods are rebooted.

**To Reproduce**
Steps to reproduce the behavior:
1. Activate Cert Manager with the internal issuer.
2. Wait until the certificate has expired.
3. The certificates have been updated, but the Java Services have not checked this and SSL errors occur in the Zookeeper.

```
ERROR org.apache.zookeeper.server.NettyServerCnxnFactory - Unsuccessful handshake with session 0x0
2022-08-03T14:53:45,862+0000 [epollEventLoopGroup-7-2] WARN org.apache.zookeeper.server.NettyServerCnxnFactory - Exception caught
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_expired
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:480) ~[io.netty-netty-codec-4.1.74.Final.jar:4.1.74.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:279) ~[io.netty-netty-codec-4.1.74.Final.jar:4.1.74.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [io.netty-netty-transport-4.1.74.Final.jar:4.1.74.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [io.netty-netty-transport-4.1.74.Final.jar:4.1.74.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [io.netty-netty-transport-4.1.74.Final.jar:4.1.74.Final]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [io.netty-netty-transport-4.1.74.Final.jar:4.1.74.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [io.netty-netty-transport-4.1.74.Final.jar:4.1.74.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [io.netty-netty-transport-4.1.74.Final.jar:4.1.74.Final]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [io.netty-netty-transport-4.1.74.Final.jar:4.1.74.Final]
	at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:795) [io.netty-netty-transport-classes-epoll-4.1.74.Final.jar:4.1.74.Final]
	at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:480) [io.netty-netty-transport-classes-epoll-4.1.74.Final.jar:4.1.74.Final]
	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378) [io.netty-netty-transport-classes-epoll-4.1.74.Final.jar:4.1.74.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986) [io.netty-netty-common-4.1.74.Final.jar:4.1.74.Final]
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [io.netty-netty-common-4.1.74.Final.jar:4.1.74.Final]
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [io.netty-netty-common-4.1.74.Final.jar:4.1.74.Final]
	at java.lang.Thread.run(Thread.java:829) [?:?]
```

**Expected behavior**
When the Cert Manager issues new certificates, Pulsar should also be aware of this and use the new certificates.

**Additional context**
The certificates have been correctly reissued by the Cert Manager. They were also correct in the Config Maps and in the Secrets. Also, when we were in the pods via a shell, the new correct SSL certificates were there. But since Pulsar itself was already running, it did not re-read them. We think that Java caches the certificates.

**Quick fix**
After all pods were restarted everything worked again.
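A check for the condition this issue describes, as an added example that is not part of the original issue or the chart: it compares the leaf certificate a running TLS listener presents with the leaf in the mounted secret file. Host, port and file path are placeholders, the sample PEM blocks are constructed stand-ins rather than real certificates, and it assumes the listener completes a handshake without requiring a client certificate.

```python
import base64
import hashlib
import re
import socket
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text: str) -> str:
    """SHA-256 of the first certificate in a PEM bundle.
    A mounted tls.crt can hold leaf + chain; only the leaf is compared."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def fetch_served_pem(host: str, port: int, timeout: float = 5.0) -> str:
    """Return the leaf the running process presents. Verification is off
    on purpose: the stale certificate may already be expired."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))

def is_stale(served_pem: str, mounted_pem: str) -> bool:
    """True when the process still serves a certificate that differs from
    the one on disk, i.e. the renewal was written but never reloaded."""
    return leaf_fingerprint(served_pem) != leaf_fingerprint(mounted_pem)

def fake_pem(payload: bytes) -> str:
    # Constructed stand-in: PEM framing around arbitrary bytes, not a real cert.
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample: the process holds the old leaf, the mount has new leaf + CA.
OLD_LEAF = fake_pem(b"constructed-old-leaf")
NEW_BUNDLE = fake_pem(b"constructed-new-leaf") + fake_pem(b"constructed-ca")

if __name__ == "__main__":
    print("stale:", is_stale(OLD_LEAF, NEW_BUNDLE))
    # Live use with placeholders for host, port and path:
    # is_stale(fetch_served_pem("<host>", <port>), open("<tls.crt>").read())
```

Run on a schedule against each TLS listener, a `True` result flags pods that need a restart before the old certificate expires.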