[
https://issues.apache.org/jira/browse/HDDS-10189?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Szabolcs Gál reassigned HDDS-10189:
-----------------------------------
Assignee: Szabolcs Gál
> Test the change from old to new trust chain encoding approach
> -------------------------------------------------------------
>
> Key: HDDS-10189
> URL: https://issues.apache.org/jira/browse/HDDS-10189
> Project: Apache Ozone
> Issue Type: Sub-task
> Reporter: István Fajth
> Assignee: Szabolcs Gál
> Priority: Major
>
> In a cluster with 1.3, it is possible that newly added Datanodes have
> different signers for their certificates than the original DataNodes if the
> leader SCM has been changed from the one that initially signed the
> certificates for the initial services in the cluster.
> It is an interesting scenario to ensure that in such environments, switching
> to just using the rootCA in the truststores instead of all CA certificates is
> working fine, and there are no issues on the cluster after.
> It is a bit complex but we have seen issues in such clusters where DataNodes
> could not create Pipelines due to the lack of trust, and failed the Pipeline
> creation with an exception ultimately caused by this:
> {code}
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
> {code}
> This issue can be fixed by clearing out the DN certificates, which upon
> restart forces them to download their new certificate bundle from the SCM,
> or by clearing out the certificates and keys from the DN, which forces
> them to sign a new certificate with a new private-public keypair.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
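Added example (not code from the Jira issue, the Ozone code base, or the reporter's text): the Go program below builds a hypothetical PKI shaped like the cluster described above and runs the check a DataNode's peers perform when they validate its certificate, using Go's crypto/x509 path builder in place of the JDK's PKIX CertPathBuilder. All CA and DataNode names, the ECDSA P-256 keys and the validity periods are made up for the example. It shows that once the truststore holds only the root CA, a DataNode whose certificate was issued by a later SCM sub-CA is rejected unless it presents that sub-CA alongside its leaf, which is why re-downloading the certificate bundle (or re-enrolling with a fresh key pair) fixes the Pipeline creation failure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Hypothetical PKI shaped like the cluster in HDDS-10189: one root CA, two SCM
// sub-CAs (the SCM that led at bootstrap and the one that led later) and a
// DataNode whose certificate was issued by the later one. Names are made up.
// Go's UnknownAuthorityError is the same failure the JDK reports as
// "unable to find valid certification path to requested target".

type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64

// newEntity creates a key pair and a certificate for it, signed by parent or
// self-signed when parent is nil.
func newEntity(name string, isCA bool, parent *entity) *entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	issuer, signer := tmpl, key
	if parent != nil {
		issuer, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &entity{cert: cert, key: key}
}

// verifyPath models a peer whose truststore holds exactly `trusted` and a
// DataNode that presents `leaf` together with the extra certificates in
// `bundle`; it returns nil only if a path from leaf to a trust anchor exists.
func verifyPath(leaf *x509.Certificate, trusted, bundle []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range bundle {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

type Outcome struct {
	AllCAsTrusted      error // old approach: root and every SCM sub-CA trusted, leaf sent alone
	RootOnlyLeafAlone  error // new approach, DN still sends only its leaf
	RootOnlyWithBundle error // new approach, DN sends leaf plus the sub-CA that issued it
	RootOnlyWrongSubCA error // new approach, DN sends leaf plus a sub-CA that did not issue it
}

func Scenario() Outcome {
	root := newEntity("ozone-root-ca", true, nil)
	scmA := newEntity("scm-a-sub-ca", true, root) // issued the bootstrap DataNodes' certs
	scmB := newEntity("scm-b-sub-ca", true, root) // led later, issued the new DataNode's cert
	dn := newEntity("dn-new", false, scmB)
	all := []*x509.Certificate{root.cert, scmA.cert, scmB.cert}
	rootOnly := []*x509.Certificate{root.cert}
	return Outcome{
		AllCAsTrusted:      verifyPath(dn.cert, all, nil),
		RootOnlyLeafAlone:  verifyPath(dn.cert, rootOnly, nil),
		RootOnlyWithBundle: verifyPath(dn.cert, rootOnly, []*x509.Certificate{scmB.cert}),
		RootOnlyWrongSubCA: verifyPath(dn.cert, rootOnly, []*x509.Certificate{scmA.cert}),
	}
}
```

Scenario() returns the four results; the first and third are nil, the second and fourth are x509.UnknownAuthorityError, the Go counterpart of the SunCertPathBuilderException quoted in the issue. The fourth case matters operationally: a DataNode that still ships the bundle of the old leader SCM fails against a root-only truststore exactly as one that ships no intermediate at all, so the bundle has to be re-fetched, not merely re-sent.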