diff --git a/test/framework/ownerreference_helpers.go b/test/framework/ownerreference_helpers.go
index 36cf0f350889..c6184d661380 100644
--- a/test/framework/ownerreference_helpers.go
+++ b/test/framework/ownerreference_helpers.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"reflect"
 	"sort"
+	"strings"
 	"time"
 
 	. "github.com/onsi/gomega"
@@ -85,7 +86,13 @@ func AssertOwnerReferences(namespace, kubeconfigPath string, assertFuncs ...map[
 	Eventually(func() error {
 		allErrs := []error{}
 		graph, err := clusterctlcluster.GetOwnerGraph(namespace, kubeconfigPath)
-		Expect(err).To(BeNil())
+		// Sometimes the conversion-webhooks are not ready yet / cert-managers ca-injector
+		// may not yet have injected the new ca bundle after the upgrade.
+		// If this is the case we return an error to retry.
+		if err != nil && strings.Contains(err.Error(), "x509: certificate signed by unknown authority") {
+			return err
+		}
+		Expect(err).ToNot(HaveOccurred())
 		for _, v := range graph {
 			if _, ok := allAssertFuncs[v.Object.Kind]; !ok {
 				allErrs = append(allErrs, fmt.Errorf("kind %s does not have an associated ownerRef assertion function", v.Object.Kind))