argo-cd: Received cert error when configuring ArgoCD SSO to use OIDC with self signed certificate

Checklist:

  • I’ve searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I’ve included steps to reproduce the bug.
  • I’ve pasted the output of argocd version.

Describe the bug

When configuring ArgoCD to use SSO using an existing OIDC provider that is using a self-signed certificate, you receive the following error message when attempting to authenticate to the ArgoCD UI: “Failed to query provider "https://example.com/adfs": Get "https://example.com/adfs/.well-known/openid-configuration": x509: certificate signed by unknown authority”. The argocd-server deployment also had the --insecure flag set.

To Reproduce

Configure ArgoCD to use SSO with an IDP that uses a self-signed certificate.

Expected behavior

When logging into ArgoCD using SSO, you should be able to authenticate and, based on the RBAC policy, see the projects available to you.

Version

v1.5.8

About this issue

  • State: open
  • Created 4 years ago
  • Reactions: 15
  • Comments: 16 (3 by maintainers)

Most upvoted comments

I am using this workaround when deploying argocd with helm chart (inspired by devops-stack approaches)

  1. Create a TLS secret in the argocd namespace with the issuing or Root CA in it for verifying your self-signed Keycloak certificate or other OIDC certs, i.e. “argocd-tls-ca”.
  2. In the argocd override chart value file, customize the argocd “server” block with:

     volumeMounts:
       - name: certificate
         mountPath: /etc/ssl/certs/ca.crt # your self-signed CA cert inside the secret
         subPath: ca.crt
     volumes:
       - name: certificate
         secret:
           secretName: argocd-tls-ca
           defaultMode: 420

Deploy argocd and configure Keycloak … then your argocd login will trust your self-signed cert for keycloak.

We don’t currently support configuring argo cd to an identity provider with a self-signed cert.

We are also facing this same issue. We need to configure SSO using an IdM that uses self-signed certificates (for development environments) and certificates from a private CA (for upper environments). Any news or plans to support this feature?

@jessesuen does ArgoCD also not support custom CAs for oidc?

Weirdly I wasn’t getting this issue, but since upgrading to 2.4.7 (from 2.4.3 I think) I am now getting this problem.

Yeah, there was a security issue where we simply didn’t validate the cert at all. Now it’s necessary to set the root CA.

Posting to also request support for this. This feature is much needed. Either this or the ability to specify a CA to be trusted by the system/pod/container.