Builds are failing and nodes return "no serving certificate available for the kubelet" in OCP 3

Solution Verified

Environment

  • Red Hat OpenShift Container Platform (OCP)
    • 3.11
    • 3.1

Issue

  • Failing builds
  • Multiple OpenShift client commands (oc logs and oc rsh) are failing with:
Error from server: Get https://master.example.com:10250/containerLogs/kube-system/master.example.com/api: remote error: tls: internal error
  • OpenShift node logs show repeating error:
atomic-openshift-node[7122]: I0228 20:08:05.039291    7122 logs.go:49] http: TLS handshake error from 192.168.14.2:47808: no serving certificate available for the kubelet
  • Unable to handle requests
$ for i in `oc get nodes -o jsonpath=$'{range .items[*]}{.metadata.name}\n{end}'`; do oc get --raw /api/v1/nodes/$i/proxy/healthz; echo -e "\t$i"; done
Error from server (ServiceUnavailable): the server is currently unable to handle the request

Resolution

If commands fail with Error from server (ServiceUnavailable): the server is currently unable to handle the request

  • Check whether any certificate signing requests (CSRs) are pending approval with the command $ oc get csr | head.

    • If there are, approve them; the nodes should then be able to communicate with each other again:

      $ oc adm certificate approve <csr_name>
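
The check-and-approve steps above as a script. This is an added example, not part of the original solution. It assumes the four-column `oc get csr` layout (NAME AGE REQUESTOR CONDITION) and approves only pending requests from `system:node:` identities, listing any other pending requestor for manual review. The function names and sample rows are constructed.

```shell
#!/bin/sh
# Assumed column layout of `oc get csr`: NAME AGE REQUESTOR CONDITION.

# stdin: `oc get csr` output. stdout: names of Pending CSRs requested by a
# node identity (system:node:<name>), the requestor a kubelet uses when it
# asks for its serving certificate.
pending_node_csrs() {
    awk 'NR > 1 && $NF == "Pending" && $3 ~ /^system:node:[^:]+$/ { print $1 }'
}

# stdin: same. stdout: "name requestor" for Pending CSRs from anyone else,
# which should be reviewed by hand instead of bulk-approved.
pending_other_csrs() {
    awk 'NR > 1 && $NF == "Pending" && $3 !~ /^system:node:[^:]+$/ { print $1, $3 }'
}

# Constructed sample output (not captured from a real cluster).
SAMPLE='NAME        AGE       REQUESTOR                          CONDITION
csr-aaaaa   2h        system:node:node1.example.com      Approved,Issued
csr-bbbbb   5m        system:node:node2.example.com      Pending
csr-ccccc   4m        system:node:master.example.com     Pending
csr-ddddd   1m        system:serviceaccount:demo:builder Pending'

# Approve node CSRs and report the rest; needs a logged-in cluster admin.
approve_pending_node_csrs() {
    csrs=$(oc get csr) || return 1
    for name in $(printf '%s\n' "$csrs" | pending_node_csrs); do
        oc adm certificate approve "$name" || return 1
    done
    printf '%s\n' "$csrs" | pending_other_csrs | sed 's/^/needs manual review: /'
}

# Dry run on the sample by default; pass --apply to act on the cluster.
if [ "${1:-}" = "--apply" ]; then
    approve_pending_node_csrs
else
    printf '%s\n' "$SAMPLE" | pending_node_csrs
fi
```

The script reads the full CSR list instead of piping through `head`, so pending requests beyond the first ten lines are not skipped.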

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

2 Comments

Can you please let me know if there are any workarounds? What's the ETA for the fix?

How do you approve the certificates?

for i in $(oc get csr | head | grep -i pending | awk '{ print $1 }'); do oc adm certificate approve $i; done