Argo-cd: Received cert error when configuring ArgoCD SSO to use OIDC with self signed certificate

Created on 15 Sep 2020 · 5 Comments · Source: argoproj/argo-cd

If you are trying to resolve an environment-specific issue or have a one-off question about the edge case that does not require a feature then please consider asking a question in argocd slack channel.

Checklist:

  • [ ] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • [ ] I've included steps to reproduce the bug.
  • [ ] I've pasted the output of argocd version.

Describe the bug

When configuring ArgoCD to use SSO using an existing OIDC provider that is using a self-signed certificate, you receive the following error message when attempting to authenticate to the ArgoCD UI:
"Failed to query provider "https://exmaple.com/adfs": Get "https://example.com/adfs/.well-known/openid-configuration": x509: certificate signed by unknown authority". The argocd-server deployment also had the --insecure flag set.

To Reproduce

Configure ArgoCD to use SSO with an IDP that uses a self-signed certificate.

Expected behavior

When logging into ArgoCD using SSO, you should be able to authenticate and, based on RBAC policy, see projects available to you.

Screenshots

If applicable, add screenshots to help explain your problem.

Version

v1.5.8

Logs

Paste any relevant application logs here.
enhancement
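
The failure in this report, reproduced as an added Go example that is not ArgoCD code and not part of the original issue: a client fetching an OIDC discovery document rejects a certificate its root pool does not contain, and succeeds once that certificate is added to the pool, with verification left on. The stand-in IdP, the `/adfs` path and the names `newIdP`, `fetchDiscovery` and `isUnknownAuthority` are assumptions; the empty pool stands in for a trust store that lacks the IdP's CA.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed discovery path, modelled on the URL in the error message.
const discoveryPath = "/adfs/.well-known/openid-configuration"

// newIdP starts a constructed stand-in IdP over TLS. It serves httptest's
// built-in test certificate, which no trust store contains.
func newIdP() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc(discoveryPath, func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"issuer":"constructed"}`)
	})
	return httptest.NewTLSServer(mux)
}

// fetchDiscovery verifies the IdP chain against roots; checks stay enabled.
func fetchDiscovery(base string, roots *x509.CertPool) (int, error) {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}
	resp, err := (&http.Client{Transport: tr}).Get(base + discoveryPath)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// isUnknownAuthority reports whether err is the x509 failure from the issue.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	idp := newIdP()
	defer idp.Close()
	_, err := fetchDiscovery(idp.URL, x509.NewCertPool()) // CA not trusted
	trusted := x509.NewCertPool()
	trusted.AddCert(idp.Certificate()) // trust this IdP's certificate only
	status, _ := fetchDiscovery(idp.URL, trusted)
	fmt.Println(isUnknownAuthority(err), err, "| trusted status:", status)
}
```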

All 5 comments

We don't currently support configuring argo cd to an identity provider with a self-signed cert.

Thank you for the information. Are there any plans to support an identity provider that uses a self-signed cert in the future? If so, any idea of the time frame?

> We don't currently support configuring argo cd to an identity provider with a self-signed cert.

@jessesuen Does this also apply when the SSO host is using a certificate from a private/custom CA? If not, how would one permit the CA? This sounds like it only applies to repositories.
Background: We face this problem occasionally right after deploying ArgoCD. Usually it was enough to restart the argocd-server pod and it worked (we use a repository which has a certificate from the same CA which is configured in argocd-tls-certs-cm.yaml for the repository host). (Using ArgoCD 1.7).

@jessesuen does ArgoCD also not support custom CAs for oidc?

We are also facing this same issue. We need to configure SSO using an IdM that uses self-signed certificates (for development environments) and certificates from a private CA (for upper environments).
Any news or plans to support this feature?
