István Fajth created HDDS-10189:
-----------------------------------

             Summary: Test the change from old to new trust chain encoding approach
                 Key: HDDS-10189
                 URL: https://issues.apache.org/jira/browse/HDDS-10189
             Project: Apache Ozone
          Issue Type: Sub-task
            Reporter: István Fajth


In a cluster with 1.3 it is possible that newly added Datanodes have different 
signers for their certificates than the original DataNodes if the leader SCM 
has been changed from the one that initially signed the certificates for the 
initial services in the cluster.

It is an interesting scenario to ensure that in such environments, switching to 
just using the rootCA in the truststores instead of all CA certificates is 
working fine, and there are no issues on the cluster after.

It is a bit complex but we have seen issues in such clusters where DataNodes 
could not create Pipelines due to the lack of trust, and failed the Pipeline 
creation with an exception ultimately caused by this:
{code}
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable 
to find valid certification path to requested target
{code}

This issue can be fixed by clearing out the DN certificates, with that forcing 
them upon restart to download their new certificate bundle from the SCM, or 
by clearing out the certificates and keys from the DN, with that forcing them 
to sign a new certificate with a new private-public keypair.
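The trust scenario above, reproduced with openssl as an added example (not Ozone code and not part of the issue): one root CA, two intermediate signers standing in for the SCM leader that originally signed certificates and the one that took over later, and a DN certificate issued by each. The names (root, scmA, scmB, dnA, dnB) and the "all CAs" versus "root only" truststores are constructed for the demo; openssl's "unable to get local issuer certificate" plays the role of the SunCertPathBuilderException quoted above.

```shell
#!/bin/sh
# Constructed demo (not Ozone code): model the trust chain scenario from the
# issue with openssl. A root CA, two intermediate signers (the SCM leaders
# that issued certificates at different times) and one DN certificate each.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for CA and leaf certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > leaf.ext

# issue NAME SUBJECT EXTFILE SERIAL [SIGNER]; no SIGNER means self-signed.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  if [ -z "$5" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -out "$1.crt" -days 30 \
      -set_serial "$4" -extfile "$3" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -CA "$5.crt" -CAkey "$5.key" -out "$1.crt" \
      -days 30 -set_serial "$4" -extfile "$3" >/dev/null 2>&1
  fi
}

issue root "Ozone Root CA (constructed)" ca.ext 1
issue scmA "SCM leader A, original signer" ca.ext 2 root
issue scmB "SCM leader B, later leader" ca.ext 3 root
issue dnA "datanode-a" leaf.ext 10 scmA   # original DN, signed by leader A
issue dnB "datanode-b" leaf.ext 11 scmB   # DN added after the leader change

cat root.crt scmA.crt scmB.crt > all-cas.pem   # old approach: every CA cert in the truststore
cp root.crt root-only.pem                      # new approach: only the root CA in the truststore

# trust_check STORE LEAF [BUNDLE]: verify LEAF against truststore STORE, optionally
# with the intermediate the peer presents in its certificate bundle. Echoes trusted|rejected.
trust_check() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo trusted || echo rejected
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo trusted || echo rejected
  fi
}

echo "all CAs,   dnB, no bundle:        $(trust_check all-cas.pem dnB.crt)"
echo "root only, dnB, no bundle:        $(trust_check root-only.pem dnB.crt)"
echo "root only, dnB, bundle with scmB: $(trust_check root-only.pem dnB.crt scmB.crt)"
```

The middle case is the failure the issue describes: once only the root CA is trusted, a DN whose chain does not include its own (newer) signer cannot be validated, which is why re-downloading the certificate bundle fixes it.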



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
