argo-cd: Received cert error when configuring ArgoCD SSO to use OIDC with self-signed certificate
If you are trying to resolve an environment-specific issue or have a one-off question about the edge case that does not require a feature then please consider asking a question in argocd slack channel.
Checklist:
- I’ve searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
- I’ve included steps to reproduce the bug.
- I’ve pasted the output of argocd version.
Describe the bug
When configuring ArgoCD to use SSO using an existing OIDC provider that is using a self-signed certificate, you receive the following error message when attempting to authenticate to the ArgoCD UI: “Failed to query provider “https://exmaple.com/adfs”: Get “https://example.com/adfs/.well-known/openid-configuration”: x509: certificate signed by unknown authority”. The argocd-server deployment also had the --insecure flag set.
To Reproduce
Configure ArgoCD to use SSO with an IDP that uses a self-signed certificate.
Expected behavior
When logging into ArgoCD using SSO, you should be able to authenticate and, based on the RBAC policy, see the projects available to you.
Version
v1.5.8
About this issue
- State: open
- Created 4 years ago
- Reactions: 15
- Comments: 16 (3 by maintainers)
I am using this workaround when deploying argocd with the helm chart (inspired by devops-stack approaches):
Deploy argocd and configure Keycloak … then your argocd login will trust your self-signed cert for keycloak.
We don’t currently support configuring argo cd to an identity provider with a self-signed cert.
We are also facing this same issue. We need to configure SSO using an IdM that uses self-signed certificates (for development environments) and certificates from a private CA (for upper environments). Any news or plans to support this feature?
@jessesuen does ArgoCD also not support custom CAs for oidc?
Yeah, there was a security issue where we simply didn’t validate the cert at all. Now it’s necessary to set the root CA.
This rootCA configuration value worked perfectly for me: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#configuring-a-custom-root-ca-certificate-for-communicating-with-the-oidc-provider
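The rootCA setting mentioned above, shown in an argocd-cm ConfigMap as an added example (not code from the issue or copied from the Argo CD docs); the issuer URL, client ID, secret key name and certificate body are placeholders you replace with your own values:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  url: https://argocd.example.com   # placeholder: the externally reachable Argo CD URL
  oidc.config: |
    name: ADFS
    issuer: https://example.com/adfs        # placeholder: must match the provider's discovery document
    clientID: argocd                        # placeholder
    clientSecret: $oidc.adfs.clientSecret   # placeholder key name, resolved from the argocd-secret Secret
    requestedScopes: ["openid", "profile", "email", "groups"]
    # PEM bundle Argo CD uses to verify the provider's TLS certificate when it fetches
    # /.well-known/openid-configuration. For a self-signed provider certificate this is
    # that certificate itself; for a private CA it is the CA (or chain) that signed it.
    # The argocd-server --insecure flag only turns off TLS on Argo CD's own listener
    # and has no effect on this outbound verification.
    rootCA: |
      -----BEGIN CERTIFICATE-----
      ...placeholder: paste the PEM body of the CA or self-signed certificate here...
      -----END CERTIFICATE-----
```

Before applying it, confirm the PEM you paste actually validates the provider's certificate, for example with openssl verify -CAfile ca.pem provider.pem, so that a remaining x509 error can be attributed to the configuration rather than to the wrong certificate.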
Posting to also request support for this. This feature is much needed. Either this or ability to specify a CA to be trusted by the system/pod/container.