How to renew and redeploy internal logging certificates in OpenShift

Solution Verified - Updated -


  • Fluentd is not sending any container logs to Elasticsearch.
  • Internal logging certificates expired.
  • Elasticsearch pods have readinessProbe errors:

    Warning  Unhealthy  16s (x59 over 5m)  kubelet,  Readiness probe failed: Elasticsearch node is not ready to accept HTTP requests yet [response code: 000]

    Logs show:

    [2019-12-01 00:00:00,000][ERROR][            ] Timed out waiting for Elasticsearch to be ready
    cat: elasticsearch_connect_log.txt: No such file or directory

    The Elasticsearch log (logging-es.log) reports a failed certificate with errors:

    General SSLEngine problem
    Caused by: validity check failed
    Caused by: NotAfter: Sun Dec 08 16:51:12 UTC 2019
  • Elasticsearch appears to be stuck in early boot, producing only a few log lines before entering CrashLoop:

    [INFO ][            ] Setting heap dump location /elasticsearch/persistent/heapdump.hprof
    [INFO ][            ] Checking if Elasticsearch is ready on https://localhost:9200


  • Red Hat OpenShift Container Platform (OCP)
    • 3.11
    • 3.10
    • 3.9
