
Intermittent failure on this error: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint #757

Closed
JasonIamAUnixAdmin opened this issue Jun 28, 2023 · 8 comments
Labels
bug Something isn't working duplicate This issue or pull request already exists

Comments

@JasonIamAUnixAdmin

Describe the bug

Not a consistent error.
On a GHA with 14 different steps, 2 fail with "OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint"; all use the same role to do work.

Re-running will eventually clear the error

This also happens on a GHA with a single step, so it is not related to the volume of requests.

Expected Behavior

Not getting HTTPS errors

Current Behavior

Intermittent failures with the above error

[Screenshot of the failing step, 2023-06-28 7:02 AM]

Reproduction Steps

Run a job and get this error. It is intermittent. Like a host in a cluster's clock is off far enough to fail a cert.

Possible Solution

No response

Additional Information/Context

No response

@JasonIamAUnixAdmin JasonIamAUnixAdmin added bug Something isn't working needs-triage This issue still needs to be triaged labels Jun 28, 2023
@JasonIamAUnixAdmin
Author

Could be https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/

@n1ngu

n1ngu commented Jun 28, 2023

See #669

@n1ngu

n1ngu commented Jun 28, 2023

See #357 as well

@JasonIamAUnixAdmin
Author

Based on above links the error message might include a hint like "Please check thumbprint"

@mrparkers

For anyone that uses Terraform to configure their OIDC provider in AWS, this snippet may be helpful:

# Chain served by GitHub's OIDC issuer at plan time.
data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

resource "aws_iam_openid_connect_provider" "github" {
  url = "https://token.actions.githubusercontent.com"

  # Audience (aud claim) the GitHub OIDC token must carry.
  client_id_list = [
    "sts.amazonaws.com",
  ]

  # SHA-1 thumbprint of every certificate in the fetched chain.
  thumbprint_list = [
    for c in data.tls_certificate.github.certificates : c.sha1_fingerprint
  ]
}

@n1ngu

n1ngu commented Jun 28, 2023

@mrparkers because github is serving multiple certificate chains, a single

data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

can't fetch them all. See #357 (comment)
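Because a single fetch only sees one of the chains GitHub may serve, the practical check is to sample the served chain repeatedly and diff the top-of-chain thumbprints against what is configured on the IAM provider. The script below is an added example, not code from this issue or from the aws-actions/configure-aws-credentials project. It assumes the `openssl` CLI is available for the live fetch (`openssl s_client -showcerts` prints the leaf first and the top-most certificate the server sent last), that the AWS thumbprint is the hex SHA-1 of the DER-encoded certificate, and it uses constructed placeholder PEM blocks (not real certificates) so the parsing and comparison logic runs offline.

```python
# Added example (not from the issue or the aws-actions project): sample the chain
# served by GitHub's OIDC issuer several times and diff the top-of-chain
# thumbprints against the ones configured on the AWS IAM OIDC provider.
import base64
import hashlib
import itertools
import re
import subprocess

ISSUER_HOST = "token.actions.githubusercontent.com"
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def sha1_thumbprint(der: bytes) -> str:
    """AWS-style thumbprint: lowercase hex SHA-1 over the DER certificate, no colons."""
    return hashlib.sha1(der).hexdigest()


def chain_thumbprints(pem_text: str) -> list:
    """Thumbprint of every certificate in a PEM bundle, in the order it appears.

    With `openssl s_client -showcerts` the leaf comes first and the top-most
    certificate the server sent comes last, so [-1] is the CA thumbprint that
    has to be present in the provider's thumbprint_list.
    """
    out = []
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        out.append(sha1_thumbprint(der))
    return out


def fetch_chain_pem(host: str = ISSUER_HOST, port: int = 443) -> str:
    """Live fetch of the served chain via the openssl CLI (network; not used by tests)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-showcerts", "-servername", host, "-connect", f"{host}:{port}"],
        input=b"", capture_output=True, timeout=30, check=False,
    )
    return proc.stdout.decode("utf-8", errors="replace")


def sample_top_thumbprints(fetch_pem, samples: int = 10) -> set:
    """Call fetch_pem() repeatedly and collect the distinct top-of-chain thumbprints.

    One fetch only sees one chain; repeated sampling is what surfaces the
    alternate chain behind the intermittent failure.
    """
    seen = set()
    for _ in range(samples):
        chain = chain_thumbprints(fetch_pem())
        if chain:
            seen.add(chain[-1])
    return seen


def normalize_thumbprint(value: str) -> str:
    """Reduce 'SHA1 Fingerprint=AB:CD:...' (openssl output), colon-separated or
    upper-case hex to the lowercase 40-character form stored on the provider."""
    return value.split("=")[-1].replace(":", "").strip().lower()


def compare_to_configured(observed: set, configured: list) -> dict:
    """Diff observed top-of-chain thumbprints against the provider's thumbprint_list.

    'missing' = chains the server serves that the provider does not list (the
    ones that fail with "doesn't match configured thumbprint");
    'unused'  = configured thumbprints never observed (stale, or not sampled yet).
    """
    conf = {normalize_thumbprint(t) for t in configured}
    return {"missing": sorted(observed - conf), "unused": sorted(conf - observed)}


# --- constructed offline test data: placeholder bytes, NOT real certificates -----
def fake_pem(der: bytes) -> str:
    """Wrap arbitrary bytes as a PEM CERTIFICATE block so the parser runs offline."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


CHAIN_A = fake_pem(b"leaf-A") + fake_pem(b"intermediate-A") + fake_pem(b"top-ca-A")
CHAIN_B = fake_pem(b"leaf-B") + fake_pem(b"intermediate-B") + fake_pem(b"top-ca-B")


def make_fake_fetch(chains):
    """Fetch function that serves the given chains in rotation, mimicking a
    server that alternates between certificate chains."""
    cycle = itertools.cycle(chains)
    return lambda: next(cycle)


if __name__ == "__main__":
    # Live check: paste your provider's thumbprint_list into `configured`.
    configured = []
    observed = sample_top_thumbprints(fetch_chain_pem, samples=10)
    print("observed top-of-chain thumbprints:", sorted(observed))
    print(compare_to_configured(observed, configured))
```

Run it a few times over the day rather than once: if `missing` is ever non-empty, the provider's `thumbprint_list` does not cover every chain the issuer serves, which is exactly the condition that produces the intermittent error in this issue.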

@peterwoodworth peterwoodworth added duplicate This issue or pull request already exists and removed needs-triage This issue still needs to be triaged labels Jun 28, 2023
@peterwoodworth
Contributor

Please see the most recent update to our readme, and please go to #357 for any further discussion related to this topic. Thanks all!
