Received cert error when configuring ArgoCD SSO to use OIDC with self-signed certificate #4344
Comments
We don't currently support configuring argo cd to an identity provider with a self-signed cert.
Thank you for the information. Are there any plans to support an identity provider that uses a self-signed cert in the future? If so, any idea of the time frame?
@jessesuen Does this also apply when the SSO host is using a certificate from a private/custom CA? If not, how would one permit the CA? This sounds like it only applies to repositories.
@jessesuen does ArgoCD also not support custom CAs for oidc?
We are also facing this same issue. We need to configure SSO using an IdM that uses self-signed certificates (for development environments) and certificates from a private CA (for upper environments).
Today I also stumbled upon this problem while deploying argo-cd in a new staging environment. The OIDC provider (Keycloak) is deployed using a custom CA signed wildcard certificate (argo-cd is using the same wildcard). We are using argo version ... Now comes the interesting part: The only differences between these two environments are:
And that's it (as far as I currently know). I would need to see if I get more testing details, but it seems argo-cd CAN work with custom CA signed certs. It would be nice to get some insights as to what the requirements are. @AnyBody who also has this issue: are you guys using wildcard certificates? Could you also check your argo-cd versions? Maybe we can pinpoint the problem and find the solution to always get this running.
We do not use wildcard certs for either keycloak or ArgoCD. Keycloak is running on a VM outside of the cluster with a cert signed by our custom root CA. ArgoCD is naturally running in an ArgoCD cluster with a certificate created by Cert-Manager through a custom CA signed by our custom root CA. As noted above, previously it seemed like restarting argocd-server helped a bit sometimes. We have multiple instances of the same layout. Some work, some don't. ("custom" CA/cert above relates to our own managed x509 PKI)
Posting to also request support for this. This feature is much needed.
I am using this workaround when deploying argocd with helm chart (inspired by devops-stack approaches):
Deploy argocd and configure Keycloak ... then your argocd login will trust your self-signed cert for keycloak.
Posting to also request this feature. For me this is a security issue because it forces you to expose both keycloak and argocd to the extranet, and that is not an option for us.
Would also like to request this; it's pretty common for people to run something like keycloak internally and with a custom CA. We just ran into this as well.
Weirdly I wasn't getting this issue, but since upgrading to 2.4.7 (from 2.4.3 I think) I am now getting this problem. For full disclosure, the CA cert is loaded in argocd-tls-certs-cm for my internal git system (gitea) with a key matching the internal dns name for this system but the certificate being the CA certificate, so I don't know if this was being used previously to validate keycloak's certificate in any way?
Ok ignore this, I've just found #6712 which allows specifying the root CA of a private CA server specifically for oidc, but it's not on the Keycloak page, it's on https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#configuring-a-custom-root-ca-certificate-for-communicating-with-the-oidc-provider
Yeah, there was a security issue where we simply didn't validate the cert at all. Now it's necessary to set the root CA.
I deployed Keycloak through the Bitnami Helm chart and I am having this problem. Internally, everything is HTTP but externally, it's HTTPS. Not sure what the solution to fix this is. This is my repository.
This rootCA configuration value worked perfectly for me: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#configuring-a-custom-root-ca-certificate-for-communicating-with-the-oidc-provider
argocd version: 2.8.3
We can close this, I'm able to log in to argocd via keycloak with rootCA, example:
commit: https://github.com/argoproj/argo-cd/pull/6712/commits
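The rootCA setting referenced in the comments above, shown as a complete argocd-cm ConfigMap. This is an added example, not configuration from the issue or the Argo CD project; the hostnames, realm, client ID and the PEM body are placeholders, and the issuer path assumes a Keycloak realm URL.

```yaml
# Added example (not from the issue or from Argo CD): argocd-cm that trusts a
# private root CA for the OIDC issuer via the documented rootCA field.
# Placeholders: keycloak.internal.example, argocd.internal.example, the realm,
# the client ID and the PEM body.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  url: https://argocd.internal.example
  oidc.config: |
    name: Keycloak
    # Keycloak realm issuer URL (placeholder); must match the "iss" claim exactly.
    issuer: https://keycloak.internal.example/realms/argocd
    clientID: argocd
    # $<key> references a key in the argocd-secret Secret rather than an inline value.
    clientSecret: $oidc.keycloak.clientSecret
    requestedScopes: ["openid", "profile", "email", "groups"]
    # Private root CA (PEM) used to verify the issuer's TLS certificate. This is
    # separate from argocd-tls-certs-cm, which only covers Git repository hosts.
    rootCA: |
      -----BEGIN CERTIFICATE-----
      <PEM body of the private root CA, placeholder>
      -----END CERTIFICATE-----
```

Apply it with kubectl and restart argocd-server; the x509 "certificate signed by unknown authority" error on the .well-known/openid-configuration fetch should no longer appear, while certificate validation stays enabled.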
If you are trying to resolve an environment-specific issue or have a one-off question about the edge case that does not require a feature then please consider asking a question in the argocd slack channel.
Checklist:
argocd version
Describe the bug
When configuring ArgoCD to use SSO using an existing OIDC provider that is using a self-signed certificate, you receive the following error message when attempting to authenticate to the ArgoCD UI:
"Failed to query provider "https://example.com/adfs": Get "https://example.com/adfs/.well-known/openid-configuration": x509: certificate signed by unknown authority". The argocd-server deployment also had the --insecure flag set.
To Reproduce
Configure ArgoCD to use SSO with an IDP that uses a self-signed certificate.
Expected behavior
When logging into ArgoCD using SSO, you should be able to authenticate and, based on the RBAC policy, see the projects available to you.
Version
v1.5.8