Issue

When trying to connect to Panther using the CI/CD developer role, I get the error "OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint".

Resolution

Follow AWS documentation on generating a thumbprint for a web service

When following the AWS instructions, note the following:

Note that it is safe to share the thumbprint with our support team, since the thumbprint identifies only GitHub servers, and contains no information about you or your organization.

Cause

This issue occurs because CA certificates, which are used by servers across the internet to prove their identity, have an expiry date (typically 1 year). OpenID uses these certificated to ensure that you're connecting to the real server, and not an imposter. When the thumbprint from the server matches the thumbprint AWS has on file, OpenID knows the connection is authentic.

However, when a server updates it's CA certificates, the thumbprint it sends to OpenID changes and no longer matches the one AWS has on file. This causes OpenID to believe the server is an imposter, and it prevents the connection. By updating the thumbprint in AWS, you essentially inform OpenID that it can trust the new certificates.