Google OIDC - Certificate signed by unknown authority #22191

Open
3 tasks done
Matt-STN opened this issue Mar 5, 2025 · 2 comments
Labels
bug Something isn't working component:cli Affects the Argo CD CLI component:oidc component:sso Issues related to Argo CD configurations

Comments

Matt-STN commented Mar 5, 2025

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

I followed the doc here to set up Google SSO on my ArgoCD.
When I click on "Login with Google", I get to the Google authentication page, log in, and then return to Argo. For less than a second I see the Argo interface, as if I were logged in, but immediately after that I return to the login page.

In the Argo CD Server logs, I get an error which informs me that the token verification failed.

I tried with the CLI (by running argocd login argocd.MYDOMAIN --sso). My browser opened, and all seems to go well (I get a message saying that the authentication went well), and I'm effectively logged in (I can run commands on my ArgoCD instance).

To Reproduce

My Argo CD infra is in a Kubernetes cluster. A Traefik ingress serves the requests and generates certificates with Let's Encrypt.
When connecting to https://argocd.MYDOMAIN/api/dex/.well-known/openid-configuration, the certificate is correct (cert for argocd.MYDOMAIN, issued by Let's Encrypt and valid) and I can see the configuration in my browser.

IngressRoute config

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: argocd-server
  namespace: {{ .Values.namespace }}
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`{{ .Values.routes.argocd.domain }}`)
      priority: 10
      services:
        - name: argocd-server
          namespace: argocd
          port: 80
    - kind: Rule
      match: Host(`{{ .Values.routes.argocd.domain }}`) && Header(`Content-Type`, `application/grpc`)
      priority: 11
      services:
        - name: argocd-server
          namespace: argocd
          port: 80
          scheme: h2c

argocd-cm

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  timeout.reconciliation: 120s
  url: https://argocd.MYDOMAIN
  dex.config: |
    connectors:
    - config:
        issuer: https://accounts.google.com
        clientID: XXX.apps.googleusercontent.com
        clientSecret: XXX
      type: oidc
      id: google
      name: Google

argocd-cmd-params-cm (I tried all commented options)

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cmd-params-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cmd-params-cm
    app.kubernetes.io/part-of: argocd
data:
  server.insecure: "true"
  #dexserver.disable.tls: "true"
  #server.dex.server.strict.tls: "false"
  #server.dex.server.plaintext: "true"
  #reposerver.disable.tls: "true"

argocd-rbac-cm

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly

Expected behavior

I should be able to get access to the Argo CD interface.

Version

argocd: v2.14.2+ad27246
  BuildDate: 2025-02-06T02:19:55Z
  GitCommit: ad2724661b66ede607db9b5bd4c3c26491f5be67
  GitTreeState: clean
  GoVersion: go1.23.6
  Compiler: gc
  Platform: darwin/arm64
argocd-server: v2.14.2+ad27246

Logs

time="2025-03-05T11:12:53Z" level=warning msg="Failed to verify token: failed to verify token: token verification failed for all audiences: error for aud \"argo-cd\": Failed to query provider \"https://argocd.MYDOMAIN/api/dex\": Get \"https://argocd.MYDOMAIN/api/dex/.well-known/openid-configuration\": tls: failed to verify certificate: x509: certificate signed by unknown authority, error for aud \"argo-cd-cli\": Failed to query provider \"https://argocd.MYDOMAIN/api/dex\": Get \"https://argocd.MYDOMAIN/api/dex/.well-known/openid-configuration\": tls: failed to verify certificate: x509: certificate signed by unknown authority"

Here is the same, but with line breaks for readability

time="2025-03-05T11:12:53Z" level=warning msg="Failed to verify token: failed to verify token: token verification failed for all audiences: 
error for aud \"argo-cd\": Failed to query provider \"https://argocd.MYDOMAIN/api/dex\": Get \"https://argocd.MYDOMAIN/api/dex/.well-known/openid-configuration\": tls: failed to verify certificate: x509: certificate signed by unknown authority, 
error for aud \"argo-cd-cli\": Failed to query provider \"https://argocd.MYDOMAIN/api/dex\": Get \"https://argocd.MYDOMAIN/api/dex/.well-known/openid-configuration\": tls: failed to verify certificate: x509: certificate signed by unknown authority"
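The warning above is Go's standard x509 verification error: argocd-server fetches its own Dex issuer's discovery document over TLS, and its HTTP client cannot build a chain from the served certificate to a root it trusts, even though a browser with its own root store shows the same certificate as valid. The following Go program is an added example, not code from this issue or from Argo CD; it builds a constructed CA and server certificate for the placeholder host argocd.example.test and shows that the same leaf verifies, fails with "unknown authority", or fails with a hostname mismatch depending only on the root pool and expected name handed to the verifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewTestChain builds a constructed CA and a server leaf for host (sample data, not a real issuer).
// Errors are ignored because the templates are fixed; real code must check them.
func NewTestChain(host string) (ca, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	ca, _ = x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: nb, NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey) // issued by the CA
	leaf, _ = x509.ParseCertificate(leafDER)
	return ca, leaf
}

// Classify runs the chain and hostname check Go's TLS client performs and names the outcome.
func Classify(leaf *x509.Certificate, roots *x509.CertPool, dnsName string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	if err == nil {
		return "ok"
	} else if errors.As(err, new(x509.UnknownAuthorityError)) {
		return "unknown authority" // the x509 error in the argocd-server log above
	} else if errors.As(err, new(x509.HostnameError)) {
		return "hostname mismatch" // chain trusted, but the name does not match
	}
	return "other: " + err.Error()
}

func main() {
	ca, leaf := NewTestChain("argocd.example.test") // constructed hostname
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	fmt.Println(Classify(leaf, pool, "argocd.example.test"), Classify(leaf, x509.NewCertPool(), "argocd.example.test"))
}
```

The second call models the argocd-server pod: a leaf that is perfectly valid for its name still fails with "certificate signed by unknown authority" when the verifier's root pool cannot anchor the chain.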
andrii-korotkov-verkada (Contributor) commented

Didn't have time today to discuss at the contributors meeting https://docs.google.com/document/d/1xkoFkVviB70YBzSEa4bDnu-rUZ1sIFtwKKG1Uw8XsY8/edit?tab=t.0. Feel free to join next time and put this topic up for discussion.

Matt-STN commented Mar 7, 2025

I'm sorry, I don't think I'll be able to attend, but I'll answer here ASAP if you need any more info.
