
In this post we show how replacing the ingress certificate in OpenShift fixes this error. When operating an OpenShift cluster you will run into several certificate issues. One of the most common we see with customers is the ingress certificate expiring, which produces the following error:

Unable to connect to the server: x509: certificate has expired or is not yet valid

For example:

$ oc get nodes
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2023-09-08T14:43:53+03:00 is after 2023-09-04T11:41:44Z

The commands below were run on a cluster where the certificate had already been replaced once before, using the Replace OpenShift default ingress certificate procedure.


Let's create a new Certificate Signing Request (CSR) based on the previous csr_answers.txt file:

$ openssl req -new -key  -out -config <(cat csr_answers.txt)

Then we sign the CSR with the CA certificate and key to produce the new certificate (valid for 365 days, so plan the next rotation before that):

$ openssl x509 -req -in -CA myCA.crt -CAkey myCA.key -CAcreateserial -days 365 -sha256 -out -extfile wildcard.ext -extensions req_ext

Patch OpenShift

Now that we have the certificates, let's put them into OpenShift. The --insecure-skip-tls-verify=true flag on the oc commands below is only needed because the expired certificate is the one oc sees on the API endpoint, so it cannot verify the server; the flag disables server certificate checking entirely, so run these steps from a trusted network path and drop the flag as soon as the API certificate has been replaced.

First, make sure your PEM file contains the full chain, with the server certificate first and the CA certificate appended after it (TLS clients expect that order):

$ cat /path/to/myCA.crt >
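The CSR, signing and chain-assembly steps above, as an added worked example (this is not code from the original post): it builds a throwaway private CA and an ingress certificate with openssl, assembles the full-chain PEM in the right order, and runs the checks worth doing before the files go into the secret: chain verifies against the CA, key matches the certificate, the leaf is first in the chain file, both the apps wildcard and the API hostname are covered, and the certificate is not about to expire. The cluster domain ocp.example.com, the file names and the work directory are assumptions; the csr_answers.txt it writes stands in for the post's own csr_answers.txt and wildcard.ext.

```shell
#!/bin/sh
# Added example, not from the original post: generate a private CA and an
# ingress certificate with openssl, assemble the full-chain PEM, and check it
# before creating the OpenShift secret. Every name (ocp.example.com, file
# names, the work directory) is an assumption.
set -euf   # -f: no globbing, so a SAN such as '*.apps...' stays a literal string

WORKDIR="${WORKDIR:-$(mktemp -d)}"
BASE_DOMAIN="${BASE_DOMAIN:-ocp.example.com}"   # assumed cluster base domain
APPS_WILDCARD="*.apps.${BASE_DOMAIN}"
API_HOST="api.${BASE_DOMAIN}"

# Stand-in for the post's csr_answers.txt / wildcard.ext. Both the apps wildcard
# and the api hostname are SANs: '*.apps.<domain>' does NOT match 'api.<domain>'.
write_csr_config() {
  cat > "$WORKDIR/csr_answers.txt" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = req_ext
[dn]
CN = ${APPS_WILDCARD}
[req_ext]
subjectAltName = DNS:${APPS_WILDCARD}, DNS:${API_HOST}
extendedKeyUsage = serverAuth
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Throwaway CA standing in for myCA.crt / myCA.key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORKDIR/csr_answers.txt" -extensions ca_ext \
    -subj "/CN=Example Private CA" \
    -keyout "$WORKDIR/myCA.key" -out "$WORKDIR/myCA.crt" 2>/dev/null
}

# Key, CSR, CA-signed certificate (SANs taken from req_ext), then the chain file
# with the leaf FIRST and the issuing CA after it.
make_cert() {
  openssl genrsa -out "$WORKDIR/ingress.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/ingress.key" -out "$WORKDIR/ingress.csr" \
    -config "$WORKDIR/csr_answers.txt"
  openssl x509 -req -in "$WORKDIR/ingress.csr" \
    -CA "$WORKDIR/myCA.crt" -CAkey "$WORKDIR/myCA.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORKDIR/csr_answers.txt" -extensions req_ext \
    -out "$WORKDIR/ingress.crt" 2>/dev/null
  cat "$WORKDIR/ingress.crt" "$WORKDIR/myCA.crt" > "$WORKDIR/ingress-fullchain.pem"
}

# still_valid_for_days CERT DAYS: exit 0 if the cert will not expire within DAYS days.
still_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# key_matches_cert CERT KEY: exit 0 if the key's public half is the one in the cert.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# covers_host CERT HOSTNAME: exit 0 if a DNS SAN matches, using the single-label
# wildcard rule: '*.apps.x' matches 'foo.apps.x' but not 'a.b.apps.x' or 'api.x'.
covers_host() {
  host=$2
  for san in $(openssl x509 -in "$1" -noout -text \
      | grep -A1 'Subject Alternative Name' | tail -n 1 \
      | tr ',' '\n' | sed -n 's/^ *DNS://p'); do
    case "$san" in
      \*.*) [ "${host#*.}" = "${san#\*.}" ] && [ "${host%%.*}" != "$host" ] && return 0 ;;
      *)    [ "$host" = "$san" ] && return 0 ;;
    esac
  done
  return 1
}

# chain_is_ordered FULLCHAIN LEAF: exit 0 if the first PEM block in the chain is the leaf.
chain_is_ordered() {
  [ "$(openssl x509 -in "$1" -noout -subject)" = "$(openssl x509 -in "$2" -noout -subject)" ]
}

main() {
  write_csr_config; make_ca; make_cert
  openssl verify -CAfile "$WORKDIR/myCA.crt" "$WORKDIR/ingress.crt"
  key_matches_cert "$WORKDIR/ingress.crt" "$WORKDIR/ingress.key"
  chain_is_ordered "$WORKDIR/ingress-fullchain.pem" "$WORKDIR/ingress.crt"
  covers_host "$WORKDIR/ingress.crt" "console-openshift-console.apps.${BASE_DOMAIN}"
  covers_host "$WORKDIR/ingress.crt" "$API_HOST"
  still_valid_for_days "$WORKDIR/ingress.crt" 30
  echo "ready: $WORKDIR/ingress-fullchain.pem and $WORKDIR/ingress.key"
}
main
```

With `set -e` in effect, any failed check aborts the script before the "ready" line, which is the behaviour you want in a rotation runbook: the full-chain PEM and key it reports are the --cert and --key inputs for the oc create secret tls commands that follow. Point BASE_DOMAIN at your real cluster domain and swap the throwaway CA for your own myCA.crt/myCA.key to use it for real.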

Then, let’s create a secret to hold our certificate

$ oc create secret tls \
  --cert=/path/to/ \
  --key=/path/to/ \
  -n openshift-ingress --insecure-skip-tls-verify=true

Finally, patch the ingress controller

$ oc patch ingresscontroller.operator default \
  --type=merge -p \
  '{"spec":{"defaultCertificate": {"name": ""}}}' \
   -n openshift-ingress-operator --insecure-skip-tls-verify=true

Watch the router pods being replaced:

$ watch -d -n1 oc get pods -n openshift-ingress --insecure-skip-tls-verify=true

Patch the OpenShift API endpoint

We also need to replace the API endpoint certificate. In our case the * is also listed as a SAN in the certificate, so we can use the same certificate for both the ingress and the API. Note that a wildcard for the application domain does not by itself match the API hostname; check the SAN list before reusing a certificate this way.

Create the secret for the API certificate:

$ oc create secret tls \
  --cert=/path/to/ \
  --key=/path/to/ \
     -n openshift-config --insecure-skip-tls-verify=true

Patch the API server with the certificate.

$ oc patch apiserver cluster \
     --type=merge -p \
     '{"spec":{"servingCerts": {"namedCertificates":
     [{"names": [""], 
     "servingCertificate": {"name": ""}}]}}}' --insecure-skip-tls-verify=true

Follow the replacement process with this command:

$ watch -d -n1 oc get clusteroperators kube-apiserver --insecure-skip-tls-verify=true


We can confirm that the "certificate has expired or is not yet valid" error is fixed by running commands without --insecure-skip-tls-verify, for example:

$ oc get nodes
$ oc get co

To see the details of the certificate currently being served, use the following command. Pass -servername with the hostname you are checking: the ingress router and the API server select the certificate by SNI, and without it the API server presents its internal serving certificate instead of the one you just configured.

$ echo | openssl s_client -connect  | openssl x509 -noout -text | less


Working with OpenShift can occasionally lead to certificate-related roadblocks. This post explained how to fix the "certificate has expired or is not yet valid" error by replacing the ingress and API certificates, and we hope it helps you tackle it with confidence. Stay proactive, track certificate expiry dates, and keep your OpenShift deployments running seamlessly.

Additional hardening and improvements for OpenShift and Kubernetes can be found in our Security Blogs category.


