error: x509 certificate signed by unknown authority when logging in OpenShift 4 after replacing API certificate
Environment
- Red Hat OpenShift Container Platform
- 4.x
Issue
- The API certificate has been replaced and now oc login fails with the following error:
$ oc login https://api.cluster.domain.tld:6443
error: x509: certificate signed by unknown authority
- The command below throws the same x509 certificate error:
$ oc get clusteroperator authentication
- Adding the CA in the command line doesn't help:
$ oc login --certificate-authority=ca-cert.pem https://api.cluster.domain.tld:6443
error: x509: certificate signed by unknown authority
Resolution
- Replace the default Ingress certificate, as detailed in the documentation, with one signed by a trusted CA,
OR
- Add the CA which signed the default Ingress certificate as trusted in the system where the login is run. For more details, see this article.
Root Cause
- During a login operation two different hosts are reached: the API server and the Authentication (OAuth) server. They use different certificates, so both of them must be validated.
- The --certificate-authority parameter is only used to validate the API connection, so the Authentication URL must be validated using the CA bundle of the system.
Diagnostic Steps
- Running oc login with a higher loglevel shows that the URL which is not properly signed is the one related to OpenShift authentication:
$ oc login --loglevel 6 https://api.cluster.domain.tld:6443
I0305 03:08:57.308023 13450 loader.go:359] Config loaded from file /root/.kube/config
I0305 03:08:57.314299 13450 round_trippers.go:438] HEAD https://api.cluster.domain.tld:6443/ 403 Forbidden in 5 milliseconds
I0305 03:08:57.314326 13450 request_token.go:86] GSSAPI Enabled
I0305 03:08:57.314954 13450 round_trippers.go:438] GET https://api.cluster.domain.tld:6443/.well-known/oauth-authorization-server 200 OK in 0 milliseconds
I0305 03:08:57.333734 13450 round_trippers.go:438] HEAD https://oauth-openshift.apps.cluster.domain.tld in 18 milliseconds
I0305 03:08:57.333756 13450 request_token.go:438] falling back to kubeconfig CA due to possible x509 error: x509: certificate signed by unknown authority
I0305 03:08:57.339936 13450 round_trippers.go:438] GET https://oauth-openshift.apps.cluster.domain.tld/oauth/authorize?client_id=openshift-challenging-client&code_challenge=kqB7i4cQYkI8gN9J_D8P8MD91Yju-I8CuJjRtQ6lT9c&code_challenge_method=S256&redirect_uri=https%3A%2F%2Foauth-openshift.apps.api.cluster.domain.tld%2Foauth%2Ftoken%2Fimplicit&response_type=code in 6 milliseconds
F0305 03:08:57.339999 13450 helpers.go:114] error: x509: certificate signed by unknown authority
- Additionally, run curl against the OAuth route to confirm there are no proxy-related issues:
$ curl -k https://oauth-openshift.apps.cluster.domain.tld
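The following helper script is an added example, not part of the Red Hat solution or of oc itself. It reproduces the two-host check described under Root Cause: it discovers the OAuth route from the API server's oauth-authorization-server metadata, then verifies both hosts against the CA file passed to --certificate-authority and against the system CA bundle, so a route certificate the system does not trust is reported before oc login fails. It assumes curl and openssl are installed and takes the API URL and CA file as its two arguments.

```shell
#!/bin/sh
# check-login-tls.sh: verify both hosts that oc login contacts.
# Usage: sh check-login-tls.sh https://api.cluster.domain.tld:6443 ca-cert.pem

# Extract the OAuth issuer hostname from the JSON body returned by
# /.well-known/oauth-authorization-server (passed as $1).
issuer_host_from_metadata() {
    printf '%s' "$1" | sed -n 's/.*"issuer" *: *"https\{0,1\}:\/\/\([^/"]*\)\/\{0,1\}".*/\1/p'
}

# Reduce a URL to host:port, defaulting to port 443 when none is given.
hostport_from_url() {
    hp=$(printf '%s' "$1" | sed 's#^[a-z]*://##; s#/.*##')
    case "$hp" in *:*) printf '%s' "$hp" ;; *) printf '%s:443' "$hp" ;; esac
}

# Verify one TLS endpoint. With a CA file ($2) the check mirrors what
# --certificate-authority does for the API; with an empty $2 openssl uses the
# system CA bundle, which is what the OAuth route is actually checked against.
check_tls() {
    host="$1"; ca="$2"
    if [ -n "$ca" ]; then set -- -CAfile "$ca"; else set --; fi
    if openssl s_client -connect "$host" -servername "${host%%:*}" "$@" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'; then
        echo "OK   $host trusted via ${ca:-system CA bundle}"
    else
        echo "FAIL $host NOT trusted via ${ca:-system CA bundle}"
    fi
}

main() {
    api="$1"; ca="$2"
    meta=$(curl -s --cacert "$ca" "$api/.well-known/oauth-authorization-server") \
        || { echo "cannot reach $api using $ca"; exit 1; }
    oauth_host=$(issuer_host_from_metadata "$meta")
    [ -n "$oauth_host" ] || { echo "no issuer found in OAuth metadata"; exit 1; }
    for hp in "$(hostport_from_url "$api")" "$oauth_host:443"; do
        check_tls "$hp" "$ca"   # the CA file given on the oc login command line
        check_tls "$hp" ""      # the system CA bundle
    done
}

# Run the checks only when both arguments are supplied.
if [ $# -eq 2 ]; then main "$@"; fi
```

A FAIL on the oauth-openshift route for the system CA bundle together with an OK for the CA file is exactly the situation in the Root Cause above, and points at the Resolution steps.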
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.