Bootstrap FreeKB - ArgoCD - Resolve "certificate signed by unknown authority"


Let's say something like this is being returned.

FATA[0000] rpc error: code = Unknown desc = Get "https://api.openshift.example.com:6443/version?timeout=32s": tls: failed to verify certificate: x509: certificate signed by unknown authority

 

I got this when attempting to add a cluster to ArgoCD.

~]$ argocd cluster add default/api-openshift-example-com:6443/john.doe --grpc-web --yes
INFO[0000] ServiceAccount "argocd-manager" already exists in namespace "kube-system"
INFO[0000] ClusterRole "argocd-manager-role" updated
INFO[0000] ClusterRoleBinding "argocd-manager-role-binding" updated
FATA[0000] rpc error: code = Unknown desc = Get "https://api.openshift.example.com:6443/version?timeout=32s": tls: failed to verify certificate: x509: certificate signed by unknown authority

 

If certificate verification is not required, for example if you are attempting to connect ArgoCD to a cluster on an internal network, then you can try making an insecure connection. I tried using the --insecure flag but I still got the "certificate signed by unknown authority" error.

argocd cluster add default/api-openshift-example-com:6443/john.doe --grpc-web --yes --insecure

 

What I ended up doing is creating a YAML file for a cluster secret in the namespace I have ArgoCD running in (openshift-gitops in this example) with tlsClientConfig set to insecure: true.

apiVersion: v1
kind: Secret
metadata:
  namespace: openshift-gitops   # must be the namespace ArgoCD was installed in
  name: my-cluster
  labels:
    argocd.argoproj.io/secret-type: cluster
type: Opaque
stringData:
  name: dev-onprem
  server: https://api.openshift.example.com:6443
  # bearerToken: get this from your hidden .kube/config file
  config: |
    {
      "bearerToken": "<bearer token>",
      "tlsClientConfig": {
        "insecure": true
      }
    }

 

Then create the secret with kubectl apply (Kubernetes) or oc apply (OpenShift), which should add the cluster to ArgoCD.

kubectl apply -f cluster.yaml

 

If you cannot go with an insecure connection, the openssl s_client command can be used to display the certificates presented by the cluster you are attempting to add to ArgoCD. Since the error message is "certificate signed by unknown authority", this probably has something to do with the Certificate Authority (CA).

~]$ echo Q | openssl s_client -showcerts -connect api.openshift.example.com:6443
CONNECTED(00000003)
depth=2 CN = MYROOTCA
verify return:1
depth=1 DC = com, DC = acme , CN = myCA
verify return:1
depth=0 C = US, ST = CA, L = Los Angles, O = Acme, OU = Information Technology, CN = api.openshift.example.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = CA, L = Los Angles, O = Acme, OU = Information Technology, CN = api.openshift.example.com
   i:DC = com, DC = acme, CN = myCA
-----BEGIN CERTIFICATE-----
MIIGeDCCBWCgAwIBAgITSAAABQYtuSDqwfVvKQABAAAF................7g==
-----END CERTIFICATE-----
 1 s:DC = com, DC = Acme, CN = myCA
   i:CN = THRVDEVROOTCA
-----BEGIN CERTIFICATE-----
MIID5DCCAsygAwIBAgITUAAAAAdlNt+xj0oR+gABAAAA...............2Tmw==
-----END CERTIFICATE-----
---
Server certificate
subject=C = US, ST = CA, L = Los Angles, O = Acme, OU = Information Technology, CN = api.openshift.example.com

issuer=DC = com, DC = Acme, CN = myCA

---
Acceptable client certificate CA names
OU = openshift, CN = admin-kubeconfig-signer
CN = openshift-kube-controller-manager-operator_csr-signer-signer@1731149744
CN = kube-csr-signer_@1733871501
CN = openshift-kube-controller-manager-operator_csr-signer-signer@1733741771
CN = kube-csr-signer_@1735167503
CN = openshift-kube-apiserver-operator_kube-apiserver-to-kubelet-signer@1727624296
CN = openshift-kube-apiserver-operator_kube-control-plane-signer@1733672652
CN = openshift-kube-apiserver-operator_kube-control-plane-signer@1731080626
OU = openshift, CN = kubelet-bootstrap-kubeconfig-signer
CN = openshift-kube-apiserver-operator_node-system-admin-signer@1712614517
CN = openshift-kube-apiserver-operator_aggregator-client-signer@1735038445
CN = openshift-kube-apiserver-operator_aggregator-client-signer@1733742427
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4176 bytes and written 418 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

 

In the ArgoCD "server" pod, the trusted Certificate Authority (CA) certificates are in the tls-ca-bundle.pem file in the /etc/pki/ca-trust/extracted/pem/ directory. If the CA certificate of the cluster you are attempting to add to ArgoCD is not in tls-ca-bundle.pem, this can cause "certificate signed by unknown authority" to be returned. Note that the openssl s_client output above ended with "Verification: OK" because the workstation running openssl trusts myCA; ArgoCD verifies the connection from inside its own pod, against that pod's trust store, so the check that matters is whether the CA is present in the pod's bundle.

~]$ oc exec pod/openshift-gitops-server-dfdf6d598-ktn8n --namespace openshift-gitops -- ls -l /etc/pki/ca-trust/extracted/pem/
total 884
-rw-r--r--. 1 root root    898 Jul 24 09:51 README
-r--r--r--. 1 root root 165521 Oct 31 00:00 email-ca-bundle.pem
-r--r--r--. 1 root root 502506 Oct 31 00:00 objsign-ca-bundle.pem
-r--r--r--. 1 root root 226489 Oct 31 00:00 tls-ca-bundle.pem
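The pieces above (the insecure cluster secret, the openssl s_client -showcerts output, and the check of the pod's tls-ca-bundle.pem) can be tied together in a small shell script. This is an added example, not code from the FreeKB article or from the ArgoCD project: it pulls the CA chain out of saved s_client output, checks whether that chain is already in a copy of the pod's bundle, and renders the cluster secret with tlsClientConfig.caData (the base64 of the CA chain PEM, a field ArgoCD cluster secrets support alongside insecure) instead of "insecure": true. The function names (extract_ca_chain, pem_bodies, chain_in_bundle, render_cluster_secret) and the file names are assumptions, and the sample inputs used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the FreeKB article or the ArgoCD project).
# Builds an ArgoCD cluster Secret that pins the cluster's CA chain via
# tlsClientConfig.caData instead of disabling verification with
# "insecure": true, and checks whether that chain is already in a copy of
# the ArgoCD server pod's tls-ca-bundle.pem. Function names are assumptions.
set -eu

# Print every PEM certificate block from saved `openssl s_client -showcerts`
# output except the first one (the API server's own leaf certificate), i.e.
# the intermediate/root CA certificates the server presented.
extract_ca_chain() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { n++; inblock = 1 }
    inblock && n > 1              { print }
    /-----END CERTIFICATE-----/   { inblock = 0 }
  ' "$1"
}

# Normalise a PEM file to one unwrapped base64 body per line so that
# certificates can be compared as plain strings (headers and comments dropped).
pem_bodies() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { body = ""; inblock = 1; next }
    /-----END CERTIFICATE-----/   { print body; inblock = 0; next }
    inblock                       { body = body $0 }
  ' "$1"
}

# Succeed (exit 0) only if every certificate in the chain file $1 appears in
# the bundle file $2, e.g. a copy of /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# taken from the ArgoCD server pod. An empty chain counts as a failure.
chain_in_bundle() {
  chain_bodies=$(pem_bodies "$1")
  [ -n "$chain_bodies" ] || return 1
  bundle_bodies=$(pem_bodies "$2")
  printf '%s\n' "$chain_bodies" | while read -r body; do
    printf '%s\n' "$bundle_bodies" | grep -qxF "$body" || exit 1
  done
}

# Render the cluster Secret. Arguments: ArgoCD namespace, secret name,
# cluster display name, API server URL, bearer token, CA chain PEM file.
# caData is the base64 of the PEM chain (ArgoCD decodes it before use).
render_cluster_secret() {
  ca_b64=$(base64 < "$6" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  namespace: $1
  name: $2
  labels:
    argocd.argoproj.io/secret-type: cluster
type: Opaque
stringData:
  name: $3
  server: $4
  config: |
    {
      "bearerToken": "$5",
      "tlsClientConfig": {
        "insecure": false,
        "caData": "$ca_b64"
      }
    }
EOF
}

# Example invocation (input files captured as described in the usage note):
#   extract_ca_chain sclient.txt > ca.pem
#   chain_in_bundle ca.pem bundle.pem && echo "CA already trusted by the pod"
#   render_cluster_secret openshift-gitops my-cluster dev-onprem \
#     https://api.openshift.example.com:6443 "$TOKEN" ca.pem > cluster.yaml
```

Capture the two inputs first: `echo Q | openssl s_client -showcerts -connect api.openshift.example.com:6443 > sclient.txt` and `oc exec pod/<server pod> --namespace openshift-gitops -- cat /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem > bundle.pem` (the pod name is whatever `oc get pods` shows for the openshift-gitops-server deployment). The chain extracted from s_client is only what the server chose to present over that one connection, so compare it against the CA your kubeconfig already carries for the cluster (certificate-authority-data) or your PKI team's copy before pinning it. Once pinned in caData, ArgoCD verifies the API server against that CA directly, so nothing needs to change in the pod's system bundle and verification stays on.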

 



