Comment 2 for bug 1474614

Andrew Wilkins (axwalk) wrote :

I just repro'd again, but this time it fixed itself up after a short time. I think the difference is that the first time I did it, one of the state servers didn't upgrade, and stayed on 1.24.0 (not sure why, didn't look into it).

So I *think* what is happening is that each of the state servers individually generates a new CA cert/key, because there's not one in /etc/juju/rsyslog. That's because we're not migrating the files from /var/lib/juju to /etc/juju/rsyslog; we only migrate from /var/log/juju to /etc/juju/rsyslog if you upgrade from <=1.23.x to 1.24.2. So each state server generates a new CA cert/key, then publishes to state, then each other one reacts to that and generates new cert/key for rsyslog; they should converge, *if* they all upgrade.

I think we should probably update the upgrade steps so that going from 1.24.0->1.24.2 migrates the existing certs, rather than creating new ones.