I had the same exact error message too and posting what I finally did to hopefully save someone else hours of troubleshooting. During the upgrade process linkerd was reading from the secret linkerd-config-overrides. Ours had the externalCA set to true but also still had certs defined in it. I deleted the certs after ‘scheme: kubernetes.io/tls’ and before ‘identityTrustAnchorsPEM:’ (Note: KEEP identityTrustAnchorsPEM cert). My snippet in my newly modified secret looked like:
identity:
externalCA: true
issuer:
scheme: kubernetes.io/tls
identityTrustAnchorsPEM: |
After making this change running linkerd upgrade worked