We were hitting the same issue. It turned out to be that that the etcd_proxy (temporarily on etcd_z2) was advertising dns for cf-etcd.service.cf.internal which caused some of the below services to try and contact the proxy securely which would fail. What we did is added a step after you generate the manifest and get ready to deploy the upgrade to v241, edit and delete the following consul property on your etcd_z2 job before deploying:
consul: agent: services: etcd: name: cf-etcd
That solved the issue. Once everything is talking to the secure etcd standalone and you scale back up the generation scripts will add it back in and your good to go. Hope this helps.
