Panorama does not show logs and the log collector ES in red status after upgrade to 11.1.x

Created On 04/11/25 12:09 PM - Last Modified 08/12/25 02:36 AM


Symptom


  • Logs are not visible on Panorama since the upgrade to 11.1.x.
  • ES status on all LCs in the cluster is red, with multiple unassigned shards.
  • The Elasticsearch certificate on the LCs has expired, as shown by the command "debug elasticsearch show certs".
> debug elasticsearch show certs 
ElasticSearch Certificate info

CA Cert
  Subject: 2dfde7b5-XXX-473a-a1bb-YYYYYYYYYY
  Issuer:  CCCCCCCC-XXX-473a-a1bb-YYYYYYYYYY
  Validity
    From:  Aug 17 12:34:16 2022 GMT
    To:    Aug 16 12:34:16 2032 GMT
  Status:  CA
CC Cert
  Subject: AAAAAAA-b52f-BBBB-bca7-CCCCCCCCCCCC
  Issuer:  CCCCCCC-XXXX-473a-a1bb-YYYYYYYYYYYY
  Validity
    From:  Oct 31 04:02:03 2024 GMT
    To:    Jan 29 04:02:03 2025 GMT <<<<< Expired
  Status:  Ok
>less es-log __pan_cluster__.log
2025-02-20T10:34:48,996][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [xxxxSLNU]client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=/x.y.z.q:9300, remoteAddress=/x.y.z.m:36415, profile=default}
  • The symptoms are exactly the same as in this KB article, and the steps to renew the certificates have been performed, but the certificates are still not renewed.


Environment


  • Panorama and Logger
  • PAN-OS 11.1.x
  • Custom Certificate
  • Log Collector


Cause


  • This scenario involves Panorama using a custom certificate to connect to the Log Collector, while Elasticsearch uses SC3 certificates for inter-LC communication.
  • The problem arises when SC3 requests a certificate renewal on top of the custom certificate used for the Panorama connection, which is not permitted.
  • Panorama validates the CN of its current connection context against the CN requested for the renewal.
  • The requested CN does not match the CN of the custom connection context, hence the renewal fails.


Resolution


  1. On Panorama, switch from the custom certificate to the pre-defined certificate for secure communication from Panorama to the Log Collector (Panorama -> Managed Collectors -> Communication) and perform a Collector Group (CG) push.
  2. Re-onboard the LC to Panorama by resetting SC3, following the article "Newly added Dedicated Log Collectors running PAN-OS 10.1 cannot be registered to Panorama".
  3. Renew the Elasticsearch certificate by running the command "debug elasticsearch repair certs".
  4. Run the command "debug elasticsearch show certs" and confirm that the Elasticsearch CC certificate has been renewed.
  5. Once the certificates on all LCs in the cluster are renewed, ES should turn yellow and eventually green once all shards are assigned.
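The expiry check in the symptom section and the confirmation in step 4 can be scripted when a cluster has several LCs. The following Python is an added example, not part of this article or any Palo Alto Networks tool: it parses the text of "debug elasticsearch show certs" (pasted into a string; the sample below is constructed with placeholder subject/issuer values) and flags an expired CA or CC certificate, plus a CC issuer that does not match the CA subject.

```python
import re
from datetime import datetime, timezone

# Constructed sample of "debug elasticsearch show certs" output, modelled on the
# article's listing; subject/issuer values are placeholders, not real IDs.
SAMPLE_OUTPUT = """\
CA Cert
  Subject: ca-placeholder-uuid
  Issuer:  ca-placeholder-uuid
  Validity
    From:  Aug 17 12:34:16 2022 GMT
    To:    Aug 16 12:34:16 2032 GMT
  Status:  CA
CC Cert
  Subject: cc-placeholder-uuid
  Issuer:  ca-placeholder-uuid
  Validity
    From:  Oct 31 04:02:03 2024 GMT
    To:    Jan 29 04:02:03 2025 GMT
  Status:  Ok
"""
DATE_FMT = "%b %d %H:%M:%S %Y %Z"  # e.g. "Jan 29 04:02:03 2025 GMT"

def parse_show_certs(text):
    """Return {'CA': {...}, 'CC': {...}}; From/To become UTC-aware datetimes."""
    certs, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(CA|CC) Cert\s*$", line)
        if head:
            current = certs.setdefault(head.group(1), {})
            continue
        field = re.match(r"^\s*(Subject|Issuer|From|To|Status):\s*(.+?)\s*$", line)
        if field and current is not None:
            key, value = field.groups()
            if key in ("From", "To"):  # collapse runs of spaces such as "Aug  7"
                value = datetime.strptime(" ".join(value.split()), DATE_FMT)
                value = value.replace(tzinfo=timezone.utc)
            current[key.lower()] = value
    return certs

def check_certs(text, now):
    """Flag the certificate conditions the article ties to a red ES status."""
    certs, findings = parse_show_certs(text), []
    for name, cert in certs.items():
        if cert["to"] <= now:
            findings.append(f"{name} cert expired on {cert['to']:%Y-%m-%d}")
    if set(certs) >= {"CA", "CC"} and certs["CC"]["issuer"] != certs["CA"]["subject"]:
        findings.append("CC cert issuer does not match CA subject")
    return findings
```

Calling check_certs(SAMPLE_OUTPUT, datetime(2025, 2, 20, tzinfo=timezone.utc)) on the sample reports the expired CC certificate; an empty list after "debug elasticsearch repair certs" is the expected outcome of step 4.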

