You can create additional SAS Cloud Analytic Services (CAS) servers by running the create-cas-server.sh script to generate Custom Resources (CR). As described in step 11 of the Pre-update Checklist, you need to regenerate all additional CAS servers as part of updating to a new version of SAS Viya. If you do not regenerate them, these custom CAS servers might not be ready after a SAS Viya version update or a patch update.
This issue occurs because the custom CAS server pod is unable to find the TLS certificate that is generated for the pod. As a result, the following occurs:
NAME                                          READY   STATUS
sas-cas-server-shared-custom-cas-controller   2/3     Running
When this issue occurs, the CAS server log contains the following error message:
{"level":"error","message":"Secure communications error status 807ff00d description \"::ffff:10.xx.9.1: SSL Error: Certificate was not found.\"","messageKey":"TCP_CIPHER_ERROR_TEXT","properties":{"caller":"skstssl.c:1293","logger":"App.tk.tcp.ssl","pod":"sas-cas-server-shared-custom-cas-controller","sessionIndex":"MAIN","sessionPid":"MAIN","sessionUser":"NoUser","thread":"00000998"},"source":"cas-shared-custom-cas","timeStamp":"2026-05-20T18:27:57.633000+00:00","version":1}
This message is issued each time that Kubernetes attempts the readiness probe for the pod.
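To confirm that a custom CAS server is failing for this reason, the following added example (not SAS code) scans CAS JSON log lines for the error shown above and summarizes it per pod. The sample lines are constructed from that error; the second timestamp and the OTHER_KEY record are assumptions made for illustration.

```python
import json
import sys
from datetime import datetime


def missing_cert_errors(lines):
    """Summarize 'Certificate was not found' TLS errors per pod from CAS JSON log lines."""
    summary = {}
    for raw in lines:
        try:
            rec = json.loads(raw)
            ts = datetime.fromisoformat(rec["timeStamp"])
        except (ValueError, KeyError, TypeError):
            continue  # skip non-JSON lines and records without a usable timestamp
        if rec.get("messageKey") != "TCP_CIPHER_ERROR_TEXT":
            continue
        if "Certificate was not found" not in rec.get("message", ""):
            continue
        pod = (rec.get("properties") or {}).get("pod", "<unknown>")
        entry = summary.setdefault(pod, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return summary


def _record(pod, ts, key, message):
    # Builds one constructed log line in the shape of the error shown above.
    return json.dumps({"level": "error", "message": message, "messageKey": key,
                       "properties": {"pod": pod}, "timeStamp": ts, "version": 1})


POD = "sas-cas-server-shared-custom-cas-controller"
CERT_MSG = ('Secure communications error status 807ff00d description '
            '"::ffff:10.xx.9.1: SSL Error: Certificate was not found."')
# Constructed sample input, not real cluster output.
SAMPLE = [
    _record(POD, "2026-05-20T18:27:57.633000+00:00", "TCP_CIPHER_ERROR_TEXT", CERT_MSG),
    "plain text line that is not JSON",
    _record(POD, "2026-05-20T18:28:07.633000+00:00", "TCP_CIPHER_ERROR_TEXT", CERT_MSG),
    _record(POD, "2026-05-20T18:28:09.000000+00:00", "OTHER_KEY", "unrelated error"),
]

if __name__ == "__main__":
    # Read piped log output if present, otherwise fall back to the constructed sample.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for pod, e in missing_cert_errors(source).items():
        print(f"{pod}: {e['count']} errors, "
              f"{e['first'].isoformat()} .. {e['last'].isoformat()}")
```

A count that keeps growing at a regular interval matches the readiness-probe behavior described above.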
To resolve this issue, complete the steps in Regenerate CAS Servers to update the custom CAS servers and redeploy SAS Viya.
As a workaround, you can add two environment variables to the ConfigMap of the custom CAS server. Each custom CAS server has a ConfigMap whose name starts with sas-cas-config, followed by the custom CAS server name.
1. Use labels to find the ConfigMap. For example, if the CAS pod is named sas-cas-server-shared-custom-cas-controller, you would find the ConfigMap name with the following:
kubectl -n <NS> get cm -l casoperator.sas.com/instance=custom-cas,casoperator.sas.com/tenant=shared
NAME                                          DATA   AGE
sas-cas-config-shared-custom-cas-26bg5m9gb4   1      3d5h
2. Edit the ConfigMap of the custom CAS server. Here is an example:
kubectl -n <NS> edit cm sas-cas-config-shared-custom-cas-26bg5m9gb4
3. Add two environment variables, SSLCERTLOC and SSLPVTKEYLOC, to the Data section of the ConfigMap:
data:
  CASCLOUDNATIVE: "1"
  SSLCERTLOC: /security/tls.crt
  SSLPVTKEYLOC: /security/tls.key
4. Then, delete the custom CAS pod. Here is an example:
kubectl -n <NS> delete pod sas-cas-server-shared-custom-cas-controller
5. After the CAS operator recreates the CAS pod, the pod reaches the Ready state.
Note: This is a temporary workaround. You must follow the steps in Regenerate CAS Servers to fix this issue permanently.
If the custom CAS server still does not show as Ready, contact SAS Technical Support and provide the output of the get-k8s-info tool.