Open Mehdi-Bendriss opened 2 weeks ago
Thank you for reporting your feedback to us!
The internal ticket has been created: https://warthogs.atlassian.net/browse/DPE-5283.
This message was autogenerated
The issue comes from two separate root causes:

1. When requesting new admin certificates (after the CA certificate has been updated), a new private key is generated as well. This leads to situations where the app-admin secret already contains the new private key, but not yet the new certificate (which can only be updated by the leader unit). This is addressed in https://github.com/canonical/opensearch-operator/pull/436.
2. When processing the newly requested certificates (from 1.), the operator defers the CertificateAvailableEvent even after updating the certificate on disk and on the secret, in cases when the old-ca has not been removed from the truststore yet (see here). This is not necessary, but causes almost endless deferral loops.

Issues are addressed in https://github.com/canonical/opensearch-operator/pull/436.
After a successful CA renewal, 2 issues occur:

....

```
unit-main-0: 15:18:13 DEBUG unit.main/0.juju-log Executing command: openssl pkcs12 -export -in /tmp/tmp1uvvhlyo.cert -inkey /tmp/tmp2hqex7t8.pem -out /var/snap/opensearch/current/etc/opensearch/certificates/app-admin.p12 -name app-admin -passout pass:xxx
unit-main-0: 15:18:13 ERROR unit.main/0.juju-log err: No cert in -in file '/tmp/tmp1uvvhlyo.cert' matches private key 4007AF64F67E0000:error:05800074:x509 certificate routines:X509_check_private_key:key values mismatch:../crypto/x509/x509_cmp.c:405: / out:
unit-main-0: 15:18:13 ERROR unit.main/0.juju-log Error storing the TLS certificates for app-admin:
unit-main-0: 15:18:13 INFO unit.main/0.juju-log TLS certificate for app-admin stored.
```
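As an added illustration (not code from the opensearch-operator), the following shell snippet reproduces the condition behind the `X509_check_private_key: key values mismatch` error above and shows the guard a practitioner would want in front of the `openssl pkcs12 -export` step: compare the public key derived from the private key with the public key inside the certificate, and refuse the export (rather than retrying or deferring) when a secret holds the new key next to the old certificate. All function names, file names and the demo key/certificate material are constructed for this example.

```shell
#!/bin/sh
# Added example, not the operator's code. Requires the openssl CLI.

# Return 0 when the certificate was issued for this private key, 1 when the
# public keys differ, 2 when either file cannot be parsed. This is the same
# comparison X509_check_private_key performs inside `openssl pkcs12 -export`.
cert_matches_key() {
  cert="$1"; key="$2"
  pub_from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
  pub_from_cert=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 2
  [ "$pub_from_key" = "$pub_from_cert" ]
}

# Guarded version of the export command from the log: fail fast with a clear
# message instead of letting the PKCS12 step error out and be retried.
# Arguments: cert key out-file friendly-name export-password
export_p12() {
  cert="$1"; key="$2"; out="$3"; name="$4"; pass="$5"
  if ! cert_matches_key "$cert" "$key"; then
    echo "refusing export for $name: certificate does not match private key (secret out of step?)" >&2
    return 1
  fi
  openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" -name "$name" -passout "pass:$pass"
}

# Constructed demo data: an "old" key with its self-signed certificate, plus a
# freshly generated "new" key that has no certificate yet (the state described
# in root cause 1). Prints the temp directory holding old.pem, old.crt, new.pem.
demo_setup() {
  d=$(mktemp -d)
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/old.pem" 2>/dev/null
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/new.pem" 2>/dev/null
  openssl req -new -x509 -key "$d/old.pem" -subj "/CN=app-admin" -days 1 -out "$d/old.crt" 2>/dev/null
  echo "$d"
}

# Usage:
#   D=$(demo_setup)
#   export_p12 "$D/old.crt" "$D/new.pem" "$D/app-admin.p12" app-admin changeit   # refused
#   export_p12 "$D/old.crt" "$D/old.pem" "$D/app-admin.p12" app-admin changeit   # succeeds
```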