Resolving “server certificate verification failed. cafile: none crlfile: none” in ArgoCD ApplicationSet

When managing Git repositories with ArgoCD ApplicationSet, you might encounter the error message: server certificate verification failed. CAfile: none CRLfile: none. This error typically arises when your Git repository's server certificate is issued by a custom Certificate Authority (CA) that the ApplicationSet controller does not trust by default. While your main ArgoCD instance might be configured to trust this custom CA, the ApplicationSet generator might not inherit these settings, leading to connection failures.

This issue manifests when the ApplicationSet attempts to fetch data from the Git repository, as seen in the error logs:

time="2021-07-22T12:46:06Z" level=error msg="`git fetch origin --tags --force` failed exit status 128: fatal: unable to access 'https://gitlab.intern/myrepo.git/': server certificate verification failed. CAfile: none CRLfile: none"

The core problem is that the git fetch command invoked by ApplicationSet lacks the certificate information it needs to verify the server’s SSL certificate. The message CAfile: none CRLfile: none indicates that Git is not using any CA certificate file or CRL file for verification.

Why does this happen in ApplicationSet but not ArgoCD?

ArgoCD, at the application level, allows for specific repository configurations, including custom CA certificates or insecure connection settings. However, ApplicationSet, which operates at a higher level to generate ArgoCD applications, might not automatically propagate these configurations. This distinction can lead to successful repository access in ArgoCD itself but failures within ApplicationSet generators.

Addressing the “server certificate verification failed” Error

To resolve this, you need to ensure that the ApplicationSet controller, or the Git commands it executes, trusts your custom CA. Here are potential approaches:

  1. Configure Custom CA for ApplicationSet: Investigate if ApplicationSet provides a mechanism to configure custom CA certificates. This might involve:

    • Specifying CA certificates within the ApplicationSet resource definition itself (check the ApplicationSet documentation for certificate-related configuration).
    • Configuring the ArgoCD ApplicationSet controller deployment to trust the custom CA system-wide. This could involve mounting a ConfigMap containing your CA certificate to the controller pod and updating the controller’s trust store.
  2. Allow Insecure Connections (Use with Caution): As a less secure workaround, you might explore options to allow insecure connections for the ApplicationSet’s Git operations. This should be considered carefully and only for internal or testing environments where security risks are acceptable. Look for configurations within ApplicationSet or Git settings that might disable SSL verification.

  3. Verify ArgoCD Repository Configuration: Double-check how your Git repository is configured within ArgoCD. Ensure that the custom CA certificate is correctly set up at the ArgoCD repository level. While ApplicationSet might not directly inherit this, understanding the ArgoCD configuration is crucial for troubleshooting.
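A sketch of approach 1 (mounting the CA into the controller pod), added here as an example and not taken from the original page or from the ArgoCD project's manifests. It assumes the ConfigMap name argocd-tls-certs-cm and mount path /app/config/tls that ArgoCD uses for per-host TLS certificates, an argocd namespace, and a Deployment and container both named argocd-applicationset-controller; verify each against your installed version. The certificate body is a placeholder.

```yaml
# 1) CA certificate, keyed by the Git server's hostname (gitlab.intern from the log above).
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-tls-certs-cm        # assumption: ArgoCD's TLS certificate ConfigMap
  namespace: argocd                # assumption: namespace ArgoCD is installed in
  labels:
    app.kubernetes.io/part-of: argocd
data:
  gitlab.intern: |
    -----BEGIN CERTIFICATE-----
    <PEM body of your internal CA certificate (placeholder)>
    -----END CERTIFICATE-----
---
# 2) Strategic-merge patch (e.g. applied through Kustomize) that mounts the
#    ConfigMap into the ApplicationSet controller, so the git commands it
#    runs have a CA file for this host instead of "CAfile: none".
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-applicationset-controller        # assumption: controller Deployment name
  namespace: argocd
spec:
  template:
    spec:
      containers:
      - name: argocd-applicationset-controller  # assumption: container name
        volumeMounts:
        - name: tls-certs
          mountPath: /app/config/tls            # assumption: per-host certificate directory
          readOnly: true
      volumes:
      - name: tls-certs
        configMap:
          name: argocd-tls-certs-cm
```

Unlike approach 2, this keeps certificate verification enabled: the controller trusts only the CA you supply for that hostname. The controller pod must be restarted after the patch so the new volume is mounted.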

Example Scenario and Error Context

Consider the following ApplicationSet definition:

apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: foobar-as
spec:
  generators:
  - git:
      repoURL: https://gitlab.intern/myrepo.git
      revision: master
      directories:
      - path: foobar/*
  # template is a field of spec, at the same level as generators
  template:
    metadata:
      name: 'foobar-{{path.basename}}'
    spec:
      project: foobar
      source:
        repoURL: https://gitlab.intern/myrepo.git
        targetRevision: HEAD
        path: '{{path}}'
      destination:
        server: foobar
        namespace: default

The error logs clearly indicate that the git fetch command is failing due to certificate verification issues when ApplicationSet processes this definition.

Conclusion

The “server certificate verification failed. cafile: none crlfile: none” error in ArgoCD ApplicationSet points to a trust issue with your custom CA. To resolve this, prioritize configuring ApplicationSet to trust your CA, similar to how ArgoCD is configured. Carefully evaluate the security implications before considering insecure connection options. By addressing the certificate trust for ApplicationSet’s Git operations, you can effectively manage your applications from Git repositories using custom CAs.
