OpenOnDemand gives 500 Internal Server Error #225

@OliverTUBAF

When trying to access OpenOnDemand via https://localhost:3443 the browser shows an "Internal Server Error". I traced it back to an expired SSL certificate inside the container:

docker exec -it ondemand bash
  • I was looking around in /var/log, where I found a hint in /var/log/httpd/localhost_error_ssl.log:
cat /var/log/httpd/localhost_error_ssl.log
[Fri Feb 20 07:37:45.744300 2026] [auth_openidc:error] [pid 133:tid 137883857164032] [client 172.18.0.1:49340] oidc_util_http_call: curl_easy_perform() failed on: https://localhost:5554/.well-known/openid-configuration (SSL certificate problem: certificate has expired)
[Fri Feb 20 07:37:45.744393 2026] [auth_openidc:error] [pid 133:tid 137883857164032] [client 172.18.0.1:49340] oidc_provider_static_config: could not retrieve metadata from url: https://localhost:5554/.well-known/openid-configuration
  • So I checked the certificates directly:
openssl x509 -in /etc/pki/tls/certs/localhost.crt -noout -dates
notBefore=Feb 10 16:14:23 2025 GMT
notAfter=Feb 10 16:14:23 2026 GMT
openssl verify -CAfile /etc/pki/tls/ca.crt /etc/pki/tls/certs/localhost.crt
C = US, ST = NY, O = HPC Tutorial, CN = localhost
error 10 at 0 depth lookup: certificate has expired
error /etc/pki/tls/certs/localhost.crt: verification failed
  • I tried docker compose logs at first, but that did not show any usable hint:
docker compose logs -f ondemand
ondemand  | ---> Starting ondemand-dex...
ondemand  | ---> Starting ondemand httpd24...
ondemand  | time="2026-02-20T07:16:26Z" level=info msg="Dex Version: v2.36.0, Go Version: go1.19.2, Go OS/ARCH: linux amd64"
ondemand  | time="2026-02-20T07:16:26Z" level=info msg="config issuer: https://localhost:5554"
ondemand  | AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.18.0.11. Set the 'ServerName' directive globally to suppress this message
ondemand  | (2026-02-20  7:16:27): [be[default]] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
ondemand  | (2026-02-20  7:16:27): [nss] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
ondemand  | (2026-02-20  7:16:27): [pam] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
ondemand  | time="2026-02-20T07:16:27Z" level=info msg="config storage: sqlite3"
ondemand  | time="2026-02-20T07:16:27Z" level=info msg="config static client: OnDemand"
ondemand  | time="2026-02-20T07:16:27Z" level=info msg="config connector: ldap"
ondemand  | time="2026-02-20T07:16:27Z" level=info msg="config skipping approval screen"
ondemand  | time="2026-02-20T07:16:27Z" level=info msg="config refresh tokens rotation enabled: true"
ondemand  | time="2026-02-20T07:16:27Z" level=info msg="keys expired, rotating"
ondemand  | time="2026-02-20T07:16:27Z" level=info msg="keys rotated, next rotation: 2026-02-20 13:16:27.806993557 +0000 UTC"
ondemand  | time="2026-02-20T07:16:27Z" level=info msg="listening (telemetry) on 0.0.0.0:5558"
ondemand  | time="2026-02-20T07:16:27Z" level=info msg="listening (http) on 0.0.0.0:5556"
ondemand  | time="2026-02-20T07:16:27Z" level=info msg="listening (https) on 0.0.0.0:5554"
ondemand  | 2026/02/20 07:37:45 http: TLS handshake error from [::1]:52812: local error: tls: bad record MAC

So my guess is that the containers need to be rebuilt somehow, but this is the first time I'm using Docker, so I don't know how to do it.

I resolved the issue for now by enrolling a new certificate inside the container:

openssl x509 -req \
  -in /etc/pki/tls/certs/localhost.csr \
  -CA /etc/pki/tls/ca.crt \
  -CAkey /etc/pki/tls/ca.key \
  -CAcreateserial \
  -out /etc/pki/tls/certs/localhost.crt \
  -days 365 \
  -extfile /etc/pki/tls/localhost.ext
  • Then reboot the container from outside with the following command:
docker restart ondemand
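
Added example (not part of the original issue or the project's code): a small Python check that picks the mod_auth_openidc TLS failure out of the httpd error log and classifies a certificate from the output of `openssl x509 -noout -dates`, so an expiring certificate is flagged before the portal returns a 500. The function names and the 30-day warning window are assumptions; the sample input is the log and date output quoted in the issue.

```python
import re
import ssl
from datetime import datetime, timezone

# Lines copied from the issue above.
SAMPLE_LOG = """\
[Fri Feb 20 07:37:45.744300 2026] [auth_openidc:error] [pid 133:tid 137883857164032] [client 172.18.0.1:49340] oidc_util_http_call: curl_easy_perform() failed on: https://localhost:5554/.well-known/openid-configuration (SSL certificate problem: certificate has expired)
[Fri Feb 20 07:37:45.744393 2026] [auth_openidc:error] [pid 133:tid 137883857164032] [client 172.18.0.1:49340] oidc_provider_static_config: could not retrieve metadata from url: https://localhost:5554/.well-known/openid-configuration
"""
SAMPLE_DATES = "notBefore=Feb 10 16:14:23 2025 GMT\nnotAfter=Feb 10 16:14:23 2026 GMT\n"

# auth_openidc logs the failing URL followed by the curl error in parentheses.
OIDC_FETCH_RE = re.compile(
    r"\[auth_openidc:error\].*curl_easy_perform\(\) failed on: (?P<url>\S+) \((?P<reason>[^)]*)\)"
)

def find_oidc_tls_failures(log_text):
    """Return (url, reason) for each OIDC metadata fetch that failed on TLS."""
    hits = []
    for line in log_text.splitlines():
        m = OIDC_FETCH_RE.search(line)
        if m and "SSL" in m.group("reason"):
            hits.append((m.group("url"), m.group("reason")))
    return hits

def parse_validity(dates_output):
    """Parse `openssl x509 -noout -dates` output into UTC datetimes."""
    fields = dict(l.split("=", 1) for l in dates_output.splitlines() if "=" in l)
    def to_dt(text):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)
    return to_dt(fields["notBefore"]), to_dt(fields["notAfter"])

def cert_status(dates_output, now, warn_days=30):
    """Classify the certificate at time `now` (warn_days is an assumed threshold)."""
    not_before, not_after = parse_validity(dates_output)
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    if (not_after - now).days < warn_days:
        return "expiring-soon"
    return "ok"

if __name__ == "__main__":
    for url, reason in find_oidc_tls_failures(SAMPLE_LOG):
        print(f"OIDC metadata fetch failed: {url} ({reason})")
    print(cert_status(SAMPLE_DATES, datetime.now(timezone.utc)))
```
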
