Skip to content
Latchkey

kubectl "x509: certificate signed by unknown authority" in CI - Fix it

kubectl opened a TLS connection to the API server but could not verify its certificate chain. The cluster CA is not in the kubeconfig (certificate-authority-data) or the runner trust store, so the handshake is rejected.

What this error means

A kubectl call fails with Unable to connect to the server: x509: certificate signed by unknown authority. The endpoint is reachable; only certificate validation fails.

kubectl
Unable to connect to the server: x509: certificate signed by unknown authority

Common causes

The kubeconfig lacks the cluster CA

A hand-built kubeconfig omits certificate-authority-data, so kubectl has nothing to validate the server certificate against.

A self-signed or private CA not trusted by the runner

The cluster uses an internal CA the runner image does not trust, and verification is not skipped or pointed at the right bundle.

How to fix it

Regenerate the kubeconfig with the CA embedded

Provider credential commands embed certificate-authority-data automatically. Fetch the kubeconfig from the provider instead of assembling it by hand.

Terminal
aws eks update-kubeconfig --name prod --region us-east-1
kubectl get nodes

Point kubectl at the correct CA file

If you must supply the CA out of band, set it in the cluster entry rather than disabling verification.

Terminal
kubectl config set-cluster prod \
  --certificate-authority=/etc/ci/cluster-ca.pem \
  --embed-certs=true

How to prevent it

  • Fetch kubeconfigs from the provider so the CA is always embedded.
  • Avoid --insecure-skip-tls-verify as a permanent workaround.
  • Keep the cluster CA bundle current in custom runner images.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →