In the ArgoCD user interface (UI), if you select the connection method “VIA HTTPS” and try to add a private repository, you may get the message “Successfully updated <repoURL> repository” while the actual repository connection status is marked as ❌ Failed.
The cause may be a self-signed certificate, or a certificate signed by a custom Certificate Authority (CA).
This post shows how to fix the “x509: certificate signed by unknown authority” error while adding the private repository in ArgoCD.
ArgoCD: “x509: certificate signed by unknown authority”
To debug the ❌ Failed connection status of a repository in ArgoCD, you can either check the ArgoCD repository server logs:
$ kubectl logs -l app.kubernetes.io/component=repo-server -f
Or try to add the repository using an argocd command:
$ argocd repo add <repoURL>
In both cases, if the issue is caused by the certificates, you will get something like:
FATA[0000] rpc error: code = Unknown desc = error testing repository connectivity: Get "<repoURL>": x509: certificate signed by unknown authority
A similar error will pop up in the UI if you try to create an ArgoCD application that requires a connection to a private repository with a self-signed certificate, or a certificate signed by a custom CA, that is not known to ArgoCD.
To work around the “x509: certificate signed by unknown authority” error you can add the private repository without verifying the server’s TLS certificate using the --insecure-skip-server-verification flag, at the cost of no longer authenticating the server ArgoCD pulls from:
$ argocd repo add <repoURL> --insecure-skip-server-verification
But a much better solution, which keeps TLS verification enabled, is to add the server’s self-signed certificate or the CA certificate to ArgoCD’s trusted certificate store:
$ argocd cert add-tls <repoDomainName>
- example -
$ argocd cert add-tls git.local
- sample output -
Enter TLS certificate data in PEM format. Press CTRL-D when finished.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Created entry with 2 PEM certificates for repository server git.local
The certificates can also be added through the ArgoCD UI, by going to ⚙️ “Settings” → “Repository certificates and known hosts” and clicking on ➕ “ADD TLS CERTIFICATES”.
Once the certificates have been added, you should not get the “x509: certificate signed by unknown authority” error anymore.
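A non-interactive variant of the argocd cert add-tls step above, as an added example that is not part of the original post: it checks that the PEM file is well formed, prints each certificate's subject, issuer, expiry and SHA-256 fingerprint for comparison against a value obtained out of band, and only then passes the file to argocd cert add-tls with --from. It assumes openssl and a logged-in argocd CLI; the script name trust-bundle.sh and the file ca-bundle.pem are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): vet a PEM bundle, then trust it in ArgoCD.
# Assumptions: openssl and a logged-in argocd CLI; host and file names are placeholders.

# Print the number of complete certificates in a PEM file.
# Returns non-zero for an empty file or unbalanced BEGIN/END markers.
pem_cert_count() {
  awk '
    /^-----BEGIN CERTIFICATE-----\r?$/ { if (inside) bad = 1; inside = 1; next }
    /^-----END CERTIFICATE-----\r?$/   { if (inside) n++; else bad = 1; inside = 0; next }
    END { if (bad || inside || n == 0) exit 1; print n }
  ' "$1"
}

# Split the bundle and show who each certificate belongs to, so the SHA-256
# fingerprint can be compared with a value obtained out of band.
pem_describe() {
  dir=$(mktemp -d) || return 1
  awk -v d="$dir" '
    /^-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert%02d.pem", d, ++i) }
    f { print > f }
    /^-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$1"
  rc=0
  for c in "$dir"/cert*.pem; do
    openssl x509 -in "$c" -noout -subject -issuer -enddate -fingerprint -sha256 || rc=1
  done
  rm -rf "$dir"
  return "$rc"
}

# Add the vetted bundle for one repository host and list what ArgoCD now trusts.
argocd_trust_bundle() {
  host=$1 bundle=$2
  n=$(pem_cert_count "$bundle") || { echo "invalid PEM bundle: $bundle" >&2; return 1; }
  echo "$bundle holds $n certificate(s):"
  pem_describe "$bundle" || return 1
  printf 'Fingerprints verified? Type yes to trust them for %s: ' "$host"
  read -r answer
  [ "$answer" = "yes" ] || { echo "aborted" >&2; return 1; }
  argocd cert add-tls "$host" --from "$bundle" &&
    argocd cert list --cert-type https
}

# Usage: sh trust-bundle.sh git.local ca-bundle.pem
if [ "$#" -eq 2 ]; then argocd_trust_bundle "$1" "$2"; fi
```

Trusting the issuing CA rather than the server's leaf certificate keeps the entry valid when the server certificate is renewed.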