Description
I am using Lighty.io with RESTCONF/NETCONF over TLS, deployed in Kubernetes with Persistent Volume Claims (PVC) enabled.
As part of PVC configuration, I have mounted the following two paths:
1. /lighty-rnc/data
2. /lighty-rnc/state
Problem:
After adding keystore entries (private key and certificates) for TLS connectivity via the RESTCONF APIs and mounting the keystore path to a PVC, I configured a NETCONF device (node-1) to use TLS. The device connected successfully and was verified using the GET API.
However, after restarting the Lighty pod, although the keystore entries are still present (confirming that PVC persistence is working as expected) and the device configuration also persists, the device does not reconnect. Instead, the connection status shows: "Failed to create SSL Context".
Below is the complete scenario:
- Added keystore entries (private key and certificates) required for TLS connectivity using the appropriate RESTCONF APIs.
- Successfully mounted the keystore path to a PVC.
- Added a NETCONF device (node-1) configured to use TLS.
- Verified using the GET API — the device was successfully connected.
- Restarted the Lighty pod.
- After restart:
* Verified keystore entries using the GET API — they are still present (PVC working as expected).
* Retrieved the previously added device (node-1) — the device entry still exists.
* However, the device is now disconnected, and the connection status shows: "Failed to create SSL Context".
Expected Behavior:
Since PVC is implemented:
- Keystore data should persist (which it does).
- Device configuration should persist.
- The device should automatically re-establish the TLS session and return to the connected state after pod restart.
Observed Behavior:
After pod restart:
- Keystore entries are visible.
- Device configuration is visible.
- But TLS handshake fails with "Failed to create SSL Context".
Lighty Log:
INFO 06:32:31 [org.opendaylight.netconf.topology.spi.NetconfNodeHandler] (NetconfNodeHandler.java:195) - Concurrent rpc limit is smaller than 1, no limit will be enforced for device RemoteDeviceId[name=node-1, address=/100.90.42.46:831]
WARN 06:32:31 [org.opendaylight.netconf.topology.spi.NetconfNodeHandler] (NetconfNodeHandler.java:220) - RemoteDevice{Uri{value=node-1}} failed to connect
java.lang.IllegalStateException: Failed to initialize SSL context
    at org.opendaylight.netconf.client.mdsal.impl.DefaultSslContextFactory.createSslContext(DefaultSslContextFactory.java:46)
    at org.opendaylight.netconf.topology.spi.NetconfClientConfigurationBuilderFactoryImpl.createClientConfigurationBuilder(NetconfClientConfigurationBuilderFactoryImpl.java:79)
Questions:
- Why does the device fail to reconnect after the pod restart, even though both the keystore and device configuration persisted?
- Does Lighty reload keystore/truststore entries automatically after restart?
- Is there an additional initialization step required to rebuild the SSL context?
- Could this be related to:
  * File path changes after restart?
  * Truststore/keystore alias resolution failure?
- Is there any known limitation where devices must be re-mounted or re-initialized after restart?
I would appreciate any insights into resolving this TLS reconnection issue after pod restart.
Please feel free to let me know if any additional details, logs, or configuration information are required for further analysis.
Attached lighty.log file.