diff --git a/pkg/cli/login/error_translation.go b/pkg/cli/login/error_translation.go
index 4fc61b346d..45e231292a 100644
--- a/pkg/cli/login/error_translation.go
+++ b/pkg/cli/login/error_translation.go
@@ -78,6 +78,9 @@ func detectReason(err error) int {
 return noServerFoundReason
 case strings.Contains(err.Error(), "tls: oversized record received"):
 return tlsOversizedRecordReason
+ // TODO: this is a temporary workaround until issue is resolved in upstream Go: https://github.com/golang/go/issues/52010
+ case strings.Contains(err.Error(), "certificate is not trusted"):
+ return certificateAuthorityUnknownReason
 }
 switch err.(type) {
 case x509.UnknownAuthorityError:
diff --git a/pkg/cli/login/helpers.go b/pkg/cli/login/helpers.go
index 6273ab6d61..948379159c 100644
--- a/pkg/cli/login/helpers.go
+++ b/pkg/cli/login/helpers.go
@@ -95,6 +95,11 @@ func promptForInsecureTLS(reader io.Reader, out io.Writer, reason error) bool {
 insecureTLSRequestReason = fmt.Sprintf("The server is using a certificate that does not match its hostname: %s", reason.Error())
 case x509.CertificateInvalidError:
 insecureTLSRequestReason = fmt.Sprintf("The server is using an invalid certificate: %s", reason.Error())
+ default:
+ // TODO: this is a temporary workaround until issue is resolved in upstream Go: https://github.com/golang/go/issues/52010
+ if strings.Contains(reason.Error(), "certificate is not trusted") {
+ insecureTLSRequestReason = "The server uses a certificate signed by an unknown authority."
+ }
 }
 }
 var input bool
diff --git a/pkg/helpers/tokencmd/request_token.go b/pkg/helpers/tokencmd/request_token.go
index 3066509314..b17f72040c 100644
--- a/pkg/helpers/tokencmd/request_token.go
+++ b/pkg/helpers/tokencmd/request_token.go
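Review bot: The new `strings.Contains(err.Error(), "certificate is not trusted")` case sits in the string switch that runs before `switch err.(type)`, so it takes priority over the typed x509 classification, whereas the same workaround in helpers.go and request_token.go is only reached from `default:` after the typed cases. Any typed error whose text merely contains that phrase could then be reported as `certificateAuthorityUnknownReason`; moving the check into a `default:` arm of the type switch would keep it a last-resort fallback. The literal and its TODO are also repeated in all three hunks of this commit across two packages, so one shared exported helper, e.g. `IsUntrustedCertError(err error) bool`, would give a single place to delete once the upstream issue is fixed. detectReason continues outside the hunk, so the rest of the type switch is not visible here.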
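Review bot: The message set in the new `default:` branch drops `reason.Error()`, unlike the hostname and invalid-certificate cases just above it, so the prompt (presumably asking whether to continue over insecure TLS) no longer shows the error that triggered it. Because this branch is selected by a substring match rather than by error type, the underlying text matters more here, e.g. `insecureTLSRequestReason = fmt.Sprintf("The server uses a certificate signed by an unknown authority: %s", reason.Error())`. promptForInsecureTLS starts and ends outside the hunk.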
@@ -467,6 +467,12 @@ func transportWithSystemRoots(issuer string, clientConfig *restclient.Config) (h
 klog.V(4).Infof("falling back to kubeconfig CA due to possible x509 error: %v", err)
 return restclient.TransportFor(clientConfig)
 default:
+ // TODO: this is a temporary workaround until issue is resolved in upstream Go: https://github.com/golang/go/issues/52010
+ if strings.Contains(err.Error(), "certificate is not trusted") {
+ klog.V(4).Infof("falling back to kubeconfig CA due to possible x509 error: %v", err)
+ return restclient.TransportFor(clientConfig)
+ }
+
 switch err {
 case io.EOF, io.ErrUnexpectedEOF, io.ErrNoProgress:
 // also fallback on various io errors
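Review bot: The added fallback logs the same text as the typed case above it ("possible x509 error"), so at V(4) a reader cannot tell whether the kubeconfig CA was chosen because of a typed x509 error or because of the substring heuristic. Since this branch switches trust roots on the strength of a message match, a distinct line would help when auditing why a login used the kubeconfig CA, for example `klog.V(4).Infof("falling back to kubeconfig CA due to untyped certificate trust error: %v", err)`. transportWithSystemRoots starts and ends outside the hunk.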