How to renew an expired API certificate from a Master node in OpenShift 4

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4

Issue

  • Node certificates are expired on master nodes.
  • Normal users get Unable to connect to the server: EOF when running oc login.
  • Logging in as the system:admin user reports the error error: You must be logged in to the server (Unauthorized).

Resolution

  1. Access a master node (using oc debug node or SSH):

    $ oc get nodes
    [...]
    $ oc debug node/[node_name]
    Starting pod/[node_name]-debug ...
    To use host binaries, run `chroot /host`
    Pod IP: 10.0.0.1
    If you don't see a command prompt, try pressing enter.
    sh-4.2# chroot /host bash
    

    If the above doesn't work, then SSH to the master node:

    $ ssh core@[node_name]
    [core@node_name ~]$ sudo -i
    [root@node_name ~]# 
    
  2. Run the following commands to approve the pending CSRs:

    # export KUBECONFIG=/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/lb-int.kubeconfig
    # oc get csr -o name | xargs oc adm certificate approve 
    

    After renewal of Master nodes certificates, the access to the cluster is restored.

  3. If there are no pending CSRs to approve, see the article How to renew or recreate a node's certificate in OpenShift 4.x.
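    The one-liner in step 2 approves every CSR in the cluster, whatever its requestor or state. The following added example (not part of the Red Hat article) filters the oc get csr table so that only requests that are still Pending and that come from the kubelet bootstrapper service account or an existing node identity are approved; anything else is left for manual review. It assumes the column layout NAME, AGE, SIGNERNAME, REQUESTOR, CONDITION, and the sample table is constructed, not captured from a real cluster.

```shell
#!/bin/sh
# Added example, not from the article. Run on the master with KUBECONFIG
# exported as in step 2. Column layout assumed: NAME AGE SIGNERNAME
# REQUESTOR [REQUESTEDDURATION] CONDITION (condition is always the last field).

# Constructed sample of `oc get csr` output (hypothetical names and values).
SAMPLE_CSR_TABLE='NAME        AGE   SIGNERNAME                                    REQUESTOR                                                                   CONDITION
csr-2s8kl   5m    kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
csr-7zq9r   3m    kubernetes.io/kubelet-serving                 system:node:master-0.example.com                                            Pending
csr-9x1ab   1h    kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-other1  2m    kubernetes.io/kube-apiserver-client           system:serviceaccount:default:some-other-app                                Pending'

# Print the names of CSRs that are Pending and were requested by the
# node-bootstrapper service account or by a node identity (system:node:...).
pending_node_csrs() {
  printf '%s\n' "$1" | awk '
    NR == 1 { next }                 # skip the header row
    $NF != "Pending" { next }        # ignore already approved/denied requests
    $4 == "system:serviceaccount:openshift-machine-config-operator:node-bootstrapper" ||
    $4 ~ /^system:node:/ { print $1 }'
}

# Approve each filtered CSR. dry_run=1 (the default) only echoes the command
# that would be run; pass 0 to actually call oc adm certificate approve.
approve_pending_node_csrs() {
  table="$1"; dry_run="${2:-1}"
  names=$(pending_node_csrs "$table")
  [ -z "$names" ] && { echo "no pending node CSRs"; return 0; }
  for csr in $names; do
    if [ "$dry_run" = "1" ]; then
      echo "would run: oc adm certificate approve $csr"
    else
      oc adm certificate approve "$csr" || return 1
    fi
  done
}

# Usage on a live master: approve_pending_node_csrs "$(oc get csr)" 0
approve_pending_node_csrs "$SAMPLE_CSR_TABLE"
```

Requests from other requestors (csr-other1 in the sample) are deliberately not approved and show up only when you inspect the full table.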

Root Cause

The issue is caused by node certificate signing requests (CSRs) that are pending and were never approved.

Diagnostic Steps

  • Try to log in as a normal user or as the kubeadmin user:

    $ oc login api.example.com:6443 -u kubeadmin
    $ oc login api.example.com:6443 -u normaluser
    
  • Check whether there are any pending certificate signing requests:

    $ oc get csr -A
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.