
Error: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint #579

Closed
andrewdavey opened this issue Nov 15, 2022 · 16 comments
Labels
bug Something isn't working

Comments

@andrewdavey

Describe the bug

My github workflows that use aws-actions/configure-aws-credentials@v1-node16 have stopped working today. No changes have been made recently to the workflows, or my AWS accounts.

Expected Behavior

The step should succeed without any error.

Current Behavior

Error logged in the GitHub runner

Run aws-actions/configure-aws-credentials@v1-node16
  with:
    role-to-assume: arn:aws:iam::xxxxxxxxxxx:role/github-actions-role
    aws-region: eu-west-2
    audience: sts.amazonaws.com
Error: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint

Reproduction Steps

I've copied what I think are the relevant parts of my workflow yml.

name: Test Workflow
on: push
permissions:
  id-token: write
  contents: read
env:
  aws_tools_account: "00000000000"
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: "Configure AWS Credentials: Tools account"
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          role-to-assume: arn:aws:iam::${{ env.aws_tools_account }}:role/github-actions-role
          aws-region: eu-west-2

Possible Solution

No response

Additional Information/Context

No response

@andrewdavey andrewdavey added bug Something isn't working needs-triage This issue still needs to be triaged labels Nov 15, 2022
@andrewdavey
Author

Sorry, I just found this closed issue that sounds similar:
#357

Has the problem reoccurred?

@sionelt

sionelt commented Nov 15, 2022

Seeing the same error as well in our pipeline just now. No changes were made to our OpenIDConnect provider in IAM. We are using v1 with nodev16.

@excruzme

Same issue this morning. Can confirm our thumbprint didn't change overnight. Also using @v1-node16.

@alakin-11

Same error I am seeing as well using aws-actions/configure-aws-credentials@v1.

@l0b0

l0b0 commented Nov 16, 2022

Open source project seeing the same issue, using this OIDC provider, in case that helps with reproduction. From a recent job:

Run aws-actions/configure-aws-credentials@v1.7.0
  with:
    aws-region: […]
    mask-aws-account-id: true
    role-to-assume: arn:aws:iam::[…]:role/CiOidc
    audience: sts.amazonaws.com
  env:
    NPM_CONFIG_USERCONFIG: /home/runner/work/_temp/.npmrc
    NODE_AUTH_TOKEN: […]
    pythonLocation: /opt/hostedtoolcache/Python/3.9.13/x64
    PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.9.13/x64/lib/pkgconfig
    Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.9.13/x64
    Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.9.13/x64
    Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.9.13/x64
    LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.9.13/x64/lib
    AWS_DEFAULT_REGION: ap-southeast-2
    CiOidc: arn:aws:iam::[…]:role/CiOidc
    NonProdOidc: arn:aws:iam::[…]:role/NonProdOidc
    ProdOidc: arn:aws:iam::[…]:role/ProdOidc
Error: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint

FYI, this was caused by a bug in CDK. It seems to have been fixed three days ago.

@faiare

faiare commented Nov 16, 2022

I had the same issue, but solved it by adding the latest fingerprint from this one-liner to the ID provider.
#357 (comment)

@kchandra548

AWS pins the OIDC IdentityProvider's ICA (Intermediate CA) thumbprint while creating an IdP from the AWS console.

I don't see any change in the ICA and the thumbprint (6938fd4d98bab03faadb97b34396831e3780aea1).
Could you please share the thumbprint that you are using?

FYI: If you are creating IDP from CLI, follow this doc to get thumbprint.

@jetexe

jetexe commented Nov 16, 2022

I don't see any change in the ICA and the thumbprint (6938fd4d98bab03faadb97b34396831e3780aea1).
Could you please share the thumbprint that you are using?

I can get f879abce0008e4eb126e0097e46620f5aaae26ad using the one-liner from #357 (comment)

@kchandra548

kchandra548 commented Nov 16, 2022

Yeah, I think that is the certificate's thumbprint. If you try creating the IdP from the IAM console, it uses the ICA's thumbprint.

The thumbprint of the certificate will vary with each rotation, but not the ICA's (this is also not guaranteed, but generally people use the same ICA for a certain period).
FYI: here is the blog post from last time, https://github.blog/changelog/2022-01-13-github-actions-update-on-oidc-based-deployments-to-aws, which mentions using 6938fd4d98bab03faadb97b34396831e3780aea1 as the thumbprint.
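The leaf-versus-ICA point in the comment above, as an added TypeScript example (not code from this thread or from the configure-aws-credentials project). It computes the IAM-style thumbprint (lowercase hex SHA-1 over the DER certificate, the same value `openssl x509 -fingerprint -sha1` prints without the colons) for every certificate in a PEM chain, then checks whether a configured thumbprint list would still match after the leaf rotates. The PEM bodies are constructed placeholders (base64 of "abc", "ica" and "new"), not real certificates, and the matching rule (any configured thumbprint matching any certificate in the presented chain) is an assumption modelled on the behaviour described in this thread, where both the leaf and the ICA thumbprint were accepted:

```typescript
// Added example, not code from the issue thread or the project. Shows why pinning
// the leaf certificate's thumbprint breaks on rotation while pinning the ICA's
// thumbprint survives it. Certificate bodies below are constructed placeholders.
import { createHash } from "crypto";

// Split a PEM bundle into the DER bytes of each certificate, in the order presented
// (a server sends the leaf first, followed by the intermediates).
function pemChainToDer(pem: string): Buffer[] {
  const re = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;
  const ders: Buffer[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(pem)) !== null) {
    ders.push(Buffer.from(m[1].replace(/\s+/g, ""), "base64"));
  }
  return ders;
}

// IAM thumbprint format: 40 lowercase hex chars, SHA-1 over the DER encoding.
function thumbprint(der: Buffer): string {
  return createHash("sha1").update(der).digest("hex");
}

// Thumbprint of every certificate in the chain: [leaf, intermediate, ...].
function chainThumbprints(pem: string): string[] {
  return pemChainToDer(pem).map(thumbprint);
}

// Assumed matching rule (modelled on this thread, not on AWS documentation): the IdP
// is accepted when any configured thumbprint matches any certificate in the chain.
// Configured values may carry colons or uppercase, as copied from openssl output.
function idpStillTrusts(configured: string[], chainPem: string): boolean {
  const pinned = new Set(configured.map((t) => t.replace(/:/g, "").toLowerCase()));
  return chainThumbprints(chainPem).some((t) => pinned.has(t));
}

function cert(body: string): string {
  return `-----BEGIN CERTIFICATE-----\n${body}\n-----END CERTIFICATE-----\n`;
}

// Constructed chains: the leaf changes between "old" and "new", the ICA stays the same.
const OLD_CHAIN_PEM = cert("YWJj") + cert("aWNh"); // leaf = "abc", ICA = "ica"
const NEW_CHAIN_PEM = cert("bmV3") + cert("aWNh"); // leaf = "new", ICA = "ica"

// Stand-alone run: which pin survives the leaf rotation?
const [oldLeaf, ica] = chainThumbprints(OLD_CHAIN_PEM);
console.log(`pin old leaf ${oldLeaf}: trusts new chain? ${idpStillTrusts([oldLeaf], NEW_CHAIN_PEM)}`);
console.log(`pin ICA      ${ica}: trusts new chain? ${idpStillTrusts([ica], NEW_CHAIN_PEM)}`);
```

To use this on a real endpoint, feed it the PEM chain captured with `openssl s_client -showcerts` and pass the thumbprint list from `aws iam get-open-id-connect-provider`; a pin that only matches index 0 of the chain is the leaf and will stop matching at the next certificate renewal.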

@pbrisbin

Using the 6938 Thumbprint fixed it for us. We must have been using an old certificate (not ICA), which we probably got from a similar one-liner that is giving the f879 number now. So I'd expect that to work again too, but break again later. Be careful out there!

@andrewdavey
Author

Thanks for all the links, everyone. Adding the new thumbprint fixed it for me.

I had originally created the Open ID Connect Provider using AWS CDK like this:

const provider = new OpenIdConnectProvider(this, "GitHubProvider", {
  url: "https://token.actions.githubusercontent.com",
  clientIds: ["sts.amazonaws.com"],
});

There is an optional thumbprints property I wasn't passing, so I think it used a now out of date value.

@dacort

dacort commented Nov 17, 2022

AWS CDK

CDK fetches the thumbprint for you when you deploy. GitHub recently updated the certificate (which will happen again in another year), hence the reason this came up.

* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.actions.githubusercontent.com
*  start date: Nov  4 00:00:00 2022 GMT
*  expire date: Nov  7 23:59:59 2023 GMT

@peterwoodworth
Contributor

Just to confirm, everyone running into this issue is defining the OIDC provider through CDK right?

@excruzme

excruzme commented Nov 17, 2022

Just to confirm, everyone running into this issue is defining the OIDC provider through CDK right?

I had the same issue, but solved it by adding the latest fingerprint from this one-liner to the ID provider. #357 (comment)

Yep, that's how I ran into the issue 👍 And this solution worked for me. All sorted now.

@peterwoodworth peterwoodworth removed the needs-triage This issue still needs to be triaged label Nov 17, 2022
@jetexe

jetexe commented Nov 18, 2022

An update to aws-cdk with the fix is now available.

@github-actions

⚠️Comment Visibility Warning⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
