diff --git a/ansible/roles/common/defaults/main.yml b/ansible/roles/common/defaults/main.yml
index 9da9cc5b49..f50c325ec3 100644
--- a/ansible/roles/common/defaults/main.yml
+++ b/ansible/roles/common/defaults/main.yml
@@ -47,6 +47,7 @@ fluentd_elasticsearch_user: ""
 fluentd_elasticsearch_password: ""
 fluentd_elasticsearch_ssl_version: "TLSv1_2"
 fluentd_elasticsearch_ssl_verify: "true"
+fluentd_elasticsearch_cacert: "{{ openstack_cacert }}"
 
 ####################
 # Docker
diff --git a/ansible/roles/common/templates/conf/output/00-local.conf.j2 b/ansible/roles/common/templates/conf/output/00-local.conf.j2
index 2a826bc648..6d053513ee 100644
--- a/ansible/roles/common/templates/conf/output/00-local.conf.j2
+++ b/ansible/roles/common/templates/conf/output/00-local.conf.j2
@@ -21,6 +21,9 @@
 {% if fluentd_elasticsearch_scheme == 'https' %}
        ssl_version {{ fluentd_elasticsearch_ssl_version }}
        ssl_verify {{ fluentd_elasticsearch_ssl_verify }}
+{% if fluentd_elasticsearch_cacert | length > 0 %}
+       ca_file {{ fluentd_elasticsearch_cacert }}
+{% endif %}
 {% endif %}
 {% if fluentd_elasticsearch_user != '' and fluentd_elasticsearch_password != ''%}
        user {{ fluentd_elasticsearch_user }}
@@ -78,6 +81,9 @@
 {% if fluentd_elasticsearch_scheme == 'https' %}
        ssl_version {{ fluentd_elasticsearch_ssl_version }}
        ssl_verify {{ fluentd_elasticsearch_ssl_verify }}
+{% if fluentd_elasticsearch_cacert | length > 0 %}
+       ca_file {{ fluentd_elasticsearch_cacert }}
+{% endif %}
 {% endif %}
 {% if fluentd_elasticsearch_user != '' and fluentd_elasticsearch_password != ''%}
        user {{ fluentd_elasticsearch_user }}
diff --git a/ansible/roles/common/templates/conf/output/01-es.conf.j2 b/ansible/roles/common/templates/conf/output/01-es.conf.j2
index 38500e8e94..c586938668 100644
--- a/ansible/roles/common/templates/conf/output/01-es.conf.j2
+++ b/ansible/roles/common/templates/conf/output/01-es.conf.j2
@@ -11,6 +11,9 @@
 {% if fluentd_elasticsearch_scheme == 'https' %}
        ssl_version {{ fluentd_elasticsearch_ssl_version }}
        ssl_verify {{ fluentd_elasticsearch_ssl_verify }}
+{% if fluentd_elasticsearch_cacert | length > 0 %}
+       ca_file {{ fluentd_elasticsearch_cacert }}
+{% endif %}
 {% endif %}
 {% if fluentd_elasticsearch_user != '' and fluentd_elasticsearch_password != ''%}
        user {{ fluentd_elasticsearch_user }}
diff --git a/releasenotes/notes/fluentd-elasticsearch-cacert-0e8824dd57052913.yaml b/releasenotes/notes/fluentd-elasticsearch-cacert-0e8824dd57052913.yaml
new file mode 100644
index 0000000000..61e014daf5
--- /dev/null
+++ b/releasenotes/notes/fluentd-elasticsearch-cacert-0e8824dd57052913.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    Adds a new variable ``fluentd_elasticsearch_cacert``, which defaults to the
+    value of ``openstack_cacert``. If set, this will be used to set the path of
+    the CA certificate bundle used by Fluentd when communicating with
+    Elasticsearch. `LP#1885109
+    <https://bugs.launchpad.net/kolla-ansible/+bug/1885109>`__