Server ignores initial TLS cert #995

mgoodness opened this issue Jan 9, 2019 · 5 comments

@mgoodness mgoodness commented Jan 9, 2019

When I deploy Argo CD for the first time I create argocd-secret with the following manifest (sensitive data redacted):

apiVersion: v1
kind: Secret
  annotations: ClusterIssuer
    app: argo-cd argocd-server
    component: server
  name: argocd-secret
  dex.ldap.bindPW: <base64>
  repo.password: <base64>
  repo.username: <base64>
  tls.crt: <base64>
  tls.key:  <base64>
type: Opaque

All pods start correctly and I'm able to authenticate with LDAP. Argo CD also connects to my repos using the provided credentials. But when I open the dashboard I get a self-signed TLS cert instead of the one I just provided. Running kubectl get secrets argocd-secret -o json|jq -r '.data."tls.crt"'|base64 -D|openssl x509 -noout -text shows that my cert has in fact been overwritten with a self-signed one.

I then have to re-apply my manifest, after which Argo CD will use my cert. (Note: before rc5 I had to delete the argocd-server pod for the cert to be used.)

I know the self-signed cert isn't supposed to be generated unless tls.cert and tls.key are empty, but it seems like it's being created regardless. Happy to provide logs & help troubleshoot.

@mgoodness mgoodness changed the title Server ignores initial TLS certs Server ignores initial TLS cert Jan 9, 2019

@jessesuen jessesuen commented Jan 9, 2019

I took a closer look. It seems we consider the settings as “incomplete” when other fields like admin password are missing, and blindly clobber the tls.key/tls.crt. I am working on the fix.
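
A simplified model of the behaviour described in the comment above, written as an added example and not taken from Argo CD's code: one initializer treats the secret as all-or-nothing and overwrites the TLS pair, the other fills each missing field on its own. The `admin.password` key name, the placeholder values and both function names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Key names from the issue's manifest; "admin.password" is an assumed name.
const (
	crtKey   = "tls.crt"
	keyKey   = "tls.key"
	adminKey = "admin.password"
)

// generated stands in for a freshly created self-signed pair (constructed values).
var generated = map[string]string{crtKey: "SELF-SIGNED-CRT", keyKey: "SELF-SIGNED-KEY"}

// initClobber models the reported behaviour: one missing field marks the whole
// secret "incomplete", and every default, TLS pair included, is written over it.
func initClobber(data map[string]string) {
	if data[adminKey] == "" || data[crtKey] == "" || data[keyKey] == "" {
		data[adminKey] = "generated-admin-hash"
		data[crtKey], data[keyKey] = generated[crtKey], generated[keyKey]
	}
}

// initPreserve fills each missing field on its own. A TLS pair is generated only
// when both halves are absent; a lone half is an error, never silently replaced.
func initPreserve(data map[string]string) error {
	if data[adminKey] == "" {
		data[adminKey] = "generated-admin-hash"
	}
	hasCrt, hasKey := data[crtKey] != "", data[keyKey] != ""
	switch {
	case hasCrt != hasKey:
		return errors.New("tls.crt and tls.key must be provided together")
	case !hasCrt:
		data[crtKey], data[keyKey] = generated[crtKey], generated[keyKey]
	}
	return nil
}

func main() {
	a := map[string]string{crtKey: "OPERATOR-CRT", keyKey: "OPERATOR-KEY"}
	b := map[string]string{crtKey: "OPERATOR-CRT", keyKey: "OPERATOR-KEY"}
	initClobber(a)
	err := initPreserve(b)
	fmt.Println(a[crtKey], b[crtKey], err)
}
```

With a secret that carries a TLS pair but no admin password, the first function replaces the operator's certificate and the second leaves it in place.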


@wreed4 wreed4 commented Apr 25, 2019

This is still happening for me. Even if the cert exists before argo server is started, I need to kill the pod at least once for it not to initialize its own tls.


@jd0x jd0x commented Jul 10, 2019


Same issue mentioned above. The self-signed cert embedded below will overwrite my existing certificate requiring me to recreate my Ingress or patch the argocd-secret with my TLS crt and key.

Subject Alternative Names: localhost, argocd-server, argocd-server.argocd, argocd-server.argocd.svc, argocd-server.argocd.svc.cluster.local
Organization: Argo CD
Valid From: June 9, 2019
Valid To: June 8, 2020
Issuer: Argo CD
Serial Number: 
@alexec alexec reopened this Jul 10, 2019
@alexec alexec added the bug label Jul 10, 2019

@alexec alexec commented Jul 10, 2019

It would be really useful to have repro steps.

@alexec alexec added the security label Jul 10, 2019

@stale stale bot commented Sep 8, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Sep 8, 2019
@alexmt alexmt closed this Sep 8, 2019
@alexmt alexmt reopened this Sep 8, 2019
@stale stale bot removed the wontfix label Sep 8, 2019
@alexec alexec added this to the v1.4 milestone Oct 4, 2019
@alexec alexec added the M label Oct 4, 2019