How do I resolve the Panther CI/CD developer role error "OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint"?
When trying to connect to Panther using the CI/CD developer role, I get the error "OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint".
Follow AWS documentation on generating a thumbprint for a web service.
When following the AWS instructions, note the following:
- The web address to use in Step 2 is https://token.actions.githubusercont...-configuration
- In Step 7, unless you use a legacy self-hosted Panther installation, you will need a support agent to update the thumbprint in AWS for you.
Note that it is safe to share the thumbprint with our support team, since the thumbprint identifies only GitHub's servers and contains no information about you or your organization.
This issue occurs because CA certificates, which servers across the internet use to prove their identity, have an expiry date (typically 1 year). OpenID uses these certificates to ensure that you are connecting to the real server and not an impostor. When the thumbprint from the server matches the thumbprint AWS has on file, OpenID knows the connection is authentic.
However, when a server updates its CA certificates, the thumbprint it sends to OpenID changes and no longer matches the one AWS has on file. This causes OpenID to treat the server as an impostor, and it blocks the connection. By updating the thumbprint in AWS, you essentially tell OpenID that it can trust the new certificates.
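As an added example (not Panther's or AWS's own code), the Python below reproduces the thumbprint computation from the AWS procedure above: it takes `openssl s_client -showcerts` output, hashes the DER of the last certificate in the chain with SHA-1, and compares the result with the value configured on the IAM OpenID Connect provider. `fetch_chain` needs network access; the sample chain is constructed placeholder data (not real X.509 certificates) so the rest runs offline.

```python
import base64
import hashlib
import re
import subprocess

# One PEM certificate block as printed by `openssl s_client -showcerts`.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def fetch_chain(host: str, port: int = 443) -> str:
    """Raw `openssl s_client -showcerts` output for host (needs network access)."""
    cmd = ["openssl", "s_client", "-servername", host, "-showcerts",
           "-connect", f"{host}:{port}"]
    return subprocess.run(cmd, input="", capture_output=True, text=True).stdout

def thumbprint_from_chain(showcerts_output: str) -> str:
    """SHA-1 over the DER of the last certificate printed (top of the chain),
    as 40 uppercase hex characters with no colons, the form IAM stores."""
    blocks = PEM_BLOCK.findall(showcerts_output)
    if not blocks:
        raise ValueError("no PEM certificate block found in input")
    body = "".join(blocks[-1].splitlines()[1:-1])  # drop BEGIN/END lines
    return hashlib.sha1(base64.b64decode(body)).hexdigest().upper()

def thumbprint_matches(computed: str, configured: str) -> bool:
    """Compare ignoring case and the colons that `openssl x509 -fingerprint` prints."""
    def norm(s: str) -> str:
        return s.replace(":", "").strip().upper()
    return norm(computed) == norm(configured)

def pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate block (used to build the sample below)."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----"

# Constructed stand-in for `openssl s_client -showcerts` output. The DER payloads
# are placeholder bytes, not real X.509 certificates; the hashing is the same.
# The top-of-chain payload is b"abc" because its SHA-1 is a well-known test vector.
LEAF_DER = b"constructed leaf certificate placeholder"
TOP_CA_DER = b"abc"
SAMPLE_OUTPUT = (
    "depth=2 C = US, O = Example CA\nverify return:1\n---\nCertificate chain\n"
    " 0 s:CN = token.actions.githubusercontent.com\n" + pem(LEAF_DER) + "\n"
    " 1 s:O = Example CA\n" + pem(TOP_CA_DER) + "\n---\n"
)

if __name__ == "__main__":
    tp = thumbprint_from_chain(SAMPLE_OUTPUT)
    print("top-of-chain thumbprint:", tp)
    print("matches IAM value:", thumbprint_matches(tp, tp.lower()))
```

For a real check, pass `fetch_chain("token.actions.githubusercontent.com")` to `thumbprint_from_chain` and compare with the thumbprint shown on the IAM identity provider.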