Replies: 1 comment
-
Please read https://etcd.io/docs/v3.6/op-guide/security/#example-5-convert-an-existing-non-tls-etcd-cluster-to-tls
-
Hello
I am currently trying to migrate an existing cluster from http to https.
After changing from http to https and adding certificates configuration:
```
ETCD_LISTEN_PEER_URLS="http://0.0.0.0:2380"
ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379"
[Cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://FQDN1:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://FQDN1:2379"
ETCD_INITIAL_CLUSTER="server1=http://FQDN1:2380,server2=http://FQDN1:2380"
ETCD_INITIAL_CLUSTER_STATE="existing"
```
My cluster still starts as http, and peers are trying to connect to other peers over http, not https.
From logs I can see lines like:
```
recognized and used environment variable
```
All of my configured variables are read by etcd.
Next thing I see is:
```
"msg":"Running http and grpc server on single port. This is not recommended for production."}
"msg":"configuring client listeners","listen-client-urls":["https://0.0.0.0:2379"]}
```
and after that:
```
Detected member only in v3store but missing in v2store","member":"{ID:e027a822b884750e RaftAttributes:{PeerURLs:[http://FQDN1:2380] IsLearner:false} Attributes:{Name:name ClientURLs:[http://FQDN1:2379]}}"}
```
So peer connections are still made via http, not https.
After that comes:
```
"error":"tls: first record does not look like a TLS handshake"}
```
I saw an old thread about this, but I did not see the solution.
Deleting etcd working directory helps, but this is not something I would like to do.
```
etcd --version
etcd Version: 3.6.4
Git SHA: 5400cdc
Go Version: go1.23.11
Go OS/Arch: linux/amd64
```
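The reply points at the etcd docs for the non-TLS to TLS conversion; the part of that procedure the question's symptom turns on is that a member's peer URLs are stored in the cluster membership once it has joined (that is what the `RaftAttributes:{PeerURLs:[http://FQDN1:2380]}` log line is printing), and the `ETCD_INITIAL_*` settings are only consulted when a member bootstraps, so with `ETCD_INITIAL_CLUSTER_STATE="existing"` the stored `http://` peer URLs keep winning over the new config. The stored URLs are changed with `etcdctl member update`. The script below is an added example, not code from this thread or from the etcd project: it reads `etcdctl member list` output and prints the `member update` command for every member still advertising `http://` peer URLs, so the plan can be reviewed before anything touches the cluster. The endpoint, certificate paths, the second member and its ID are assumptions, and the member list is a constructed sample rather than data from the poster's cluster.

```shell
#!/bin/sh
# Added example, not from the thread or the etcd project: plan the
# `etcdctl member update` calls that move a running cluster's *stored*
# peer URLs from http:// to https://. Endpoint, cert paths and the
# sample member list are assumptions made for this illustration.
set -eu

# How etcdctl reaches the cluster (assumed values; override via environment).
ETCD_ENDPOINTS="${ETCD_ENDPOINTS:-https://FQDN1:2379}"
ETCD_CACERT="${ETCD_CACERT:-/etc/etcd/ca.crt}"
ETCD_CERT="${ETCD_CERT:-/etc/etcd/client.crt}"
ETCD_KEY="${ETCD_KEY:-/etc/etcd/client.key}"

# Rewrite every http:// scheme in a comma-separated URL list to https://;
# entries that are already https:// are left alone.
to_https() {
  printf '%s' "$1" | sed 's#http://#https://#g'
}

# Read `etcdctl member list` output (simple format: ID, Status, Name,
# PeerURLs, ClientURLs, IsLearner, joined by ", ") on stdin and print one
# `etcdctl member update` command for each member whose stored peer URLs
# still use http://. Members already on https:// produce no output.
plan_member_updates() {
  # Split on ", " rather than "," so a member with several peer URLs
  # (joined by a bare ",") stays in one field. Emit "<hex id> <peer urls>".
  awk -F', ' 'NF >= 4 && $4 ~ /http:\/\// { print $1, $4 }' |
  while read -r id peers; do
    printf 'etcdctl --endpoints=%s --cacert=%s --cert=%s --key=%s member update %s --peer-urls=%s\n' \
      "$ETCD_ENDPOINTS" "$ETCD_CACERT" "$ETCD_CERT" "$ETCD_KEY" "$id" "$(to_https "$peers")"
  done
}

# Constructed sample of `etcdctl member list` output, not data from a real
# cluster: server1 (the member ID from the question's log line) still
# advertises http://, server2 (an assumed member ID) is already on https://.
SAMPLE_MEMBER_LIST='e027a822b884750e, started, server1, http://FQDN1:2380, http://FQDN1:2379, false
91bc3c398fb3c146, started, server2, https://FQDN2:2380, https://FQDN2:2379, false'

# Print the plan for the sample. Against a real cluster, feed the live list:
#   etcdctl --endpoints="$ETCD_ENDPOINTS" --cacert="$ETCD_CACERT" \
#     --cert="$ETCD_CERT" --key="$ETCD_KEY" member list | plan_member_updates
# then review the printed commands and run them one member at a time.
printf '%s\n' "$SAMPLE_MEMBER_LIST" | plan_member_updates
```

Two caveats when running the printed commands. `member update` changes the address the other members dial, so a member's peer listener must already accept TLS on that port before its stored URL is switched, otherwise the rest of the cluster starts dialing https into a plain-text listener. And each update is a membership change, so apply them one at a time and confirm with `member list` in between. Client URLs need no such step: they are re-published by each member from its own `ETCD_ADVERTISE_CLIENT_URLS` when it starts, which is why only the peer URLs have to be fixed in the store.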