Troubleshoot Apigee mTLS

This section describes some common errors and resolutions that you might encounter when installing Apigee mTLS.

Certificate errors

ZooKeeper hosts might experience blocks when executing the following commands:

  • consul operator raft list-peers
  • systemctl consul_server state returns green

If this happens, try executing the following command:

journalctl -u consul_server  | grep "x509: certificate signed by unknown authority"

If you find instances of the 509 error shown in the response, then multiple CAs are being used and the Consul servers are failing to verify one another. In this case, Apigee recommends that you uninstall apigee-mtls and then reinstall it on all nodes in the cluster. For more information, see Uninstall Apigee mTLS.