ArgoCD: “x509: certificate signed by unknown authority”
source link: https://www.shellhacks.com/argocd-x509-certificate-signed-by-unknown-authority/
In the ArgoCD user interface (UI), if you select the “VIA HTTPS” connection method and try to add a private repository, you may get the message “Successfully updated <repoURL> repository” while the actual repository connection status is marked as Failed.
The reason for this may be a self-signed certificate, or a certificate signed by a custom Certificate Authority (CA).
This post shows how to fix the “x509: certificate signed by unknown authority” error when adding a private repository in ArgoCD.
ArgoCD: “x509: certificate signed by unknown authority”
To debug the Failed connection status of a repository in ArgoCD, you can either check the ArgoCD repository server logs:
$ kubectl logs -l app.kubernetes.io/component=repo-server -f
Or try to add the repository using an argocd command:
$ argocd repo add <repoURL>
In both cases, if the issue is caused by the certificates, you will get something like:
FATA[0000] rpc error: code = Unknown desc = error testing repository connectivity: Get "<repoURL>": x509: certificate signed by unknown authority
A similar error will pop up in the UI if you try to create an ArgoCD application that requires a connection to a private repository with a self-signed certificate, or a certificate signed by a custom CA, that is not known to ArgoCD.
To work around the “x509: certificate signed by unknown authority” error, you can add the private repository without verifying the server’s TLS certificate by using the --insecure-skip-server-verification flag:
$ argocd repo add <repoURL> --insecure-skip-server-verification
But a much better solution is to add the server’s self-signed certificate or the CA certificate to ArgoCD’s trusted certificate store:
$ argocd cert add-tls <repoDomainName>
- example -
$ argocd cert add-tls git.local
- sample output -
Enter TLS certificate data in PEM format. Press CTRL-D when finished.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Created entry with 2 PEM certificates for repository server git.local
The certificates can also be added through the ArgoCD UI, by going to “Settings” → “Repository certificates and known hosts” and clicking on “ADD TLS CERTIFICATES”.
Once the certificates have been added, you should not get the “x509: certificate signed by unknown authority” error anymore.
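A certificate copied straight from the server is only as trustworthy as the connection it came over, so it helps to compare its fingerprint with one obtained out of band before adding it. The script below is an added example, not part of the original article. It assumes openssl is installed; git.local, chain.pem, EXPECTED and the function names are placeholders chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): check a certificate's SHA-256
# fingerprint against a value obtained out of band before trusting it in ArgoCD.
# Assumptions: openssl is installed; git.local:443 and the file names are
# placeholders; EXPECTED comes from whoever operates the CA or Git server.

# Save the chain the server presents (needs network access to the server).
fetch_chain() {  # fetch_chain HOST [PORT] > chain.pem
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
    </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Number of certificates in a PEM bundle.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Split a bundle into DIR/cert-N.pem, one certificate per file.
split_bundle() {  # split_bundle BUNDLE DIR
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
       n { print > (dir "/cert-" n ".pem") }' "$1"
}

# Normalised SHA-256 fingerprint (upper-case hex, no colons) of one certificate.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 |
    cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeeds only if some certificate in BUNDLE matches the EXPECTED fingerprint.
bundle_has_pin() {  # bundle_has_pin BUNDLE EXPECTED
  local want tmp f rc=1
  want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
  tmp=$(mktemp -d) || return 2
  split_bundle "$1" "$tmp"
  for f in "$tmp"/cert-*.pem; do
    [ -f "$f" ] && [ "$(fingerprint "$f")" = "$want" ] && rc=0
  done
  rm -rf "$tmp"
  return $rc
}

# Typical use (commented out: needs a live server and a logged-in argocd CLI):
#   fetch_chain git.local > chain.pem
#   bundle_has_pin chain.pem "$EXPECTED" && argocd cert add-tls git.local --from chain.pem
```

The --from option of argocd cert add-tls reads the PEM data from a file instead of standard input, which lets the check and the import run as one step.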