Details
- Type: Sub-task
- Status: Open
- Priority: Major
- Resolution: Unresolved
Description
In a cluster with 1.3 it is possible that newly added Datanodes have different signers for their certificates than the original DataNodes if the leader SCM has been changed from the one that initially signed the certificates for the initial services in the cluster.
It is an interesting scenario to verify that, in such environments, switching the truststores to contain only the rootCA instead of all CA certificates works as intended, and that the cluster has no issues afterwards.
It is a bit complex, but we have seen issues in such clusters where DataNodes could not create Pipelines due to the lack of trust, and the Pipeline creation failed with an exception ultimately caused by this:
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This issue can be fixed by clearing out the DN certificates, which forces the DataNodes to download their new certificate bundle from the SCM upon restart, or by clearing out both the certificates and the keys from the DN, which forces them to have a new certificate signed for a new public/private key pair.