ConjurCLI fails to authenticate/verify conjur server with certificate issued via LetsEncrypt #2700

Open
3 tasks
kindrajeets opened this issue Jan 11, 2023 · 0 comments


Summary

The conjur cli container "cyberark/conjur-cli:5" always fails to authenticate to the conjur server using the certificates issued via LetsEncrypt.

Steps to Reproduce

  • Generated letsencrypt certificates and then followed the link

  • Also followed the link

  • Entire setup is running on AKS cluster and the conjur service is exposed via external LoadBalancer

  • Able to view the conjur endpoint with valid certificates generated from LetsEncrypt on the browsers (chrome+safari)

  • Created the conjur-cli container and loaded "CONJUR_URL" & "Account"

    $ docker run --rm -it --entrypoint bash cyberark/conjur-cli:5
    export CONJUR_URL="https://ConjurEndpoint"
    export ACCOUNT=default
    conjur init -u $CONJUR_URL -a $ACCOUNT
    conjur authn login -u admin -p <admin_api_key_printed_by_helm_install>
    conjur authn login -u admin -p "key"
    error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate)

Expected Results

  • Should be able to authenticate to the conjur server

Actual Results

    $ docker run --rm -it --entrypoint bash cyberark/conjur-cli:5
    export CONJUR_URL="https://ConjurEndpoint"
    export ACCOUNT=default
    conjur init -u $CONJUR_URL -a $ACCOUNT
    conjur authn login -u admin -p <admin_api_key_printed_by_helm_install>
    conjur authn login -u admin -p "key"
    error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate)

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

AKS version : v1.22.6
Conjur Version : 2.0.3
Certificate issuer : LetsEncrypt

Environment setup

AKS cluster and conjur deployed via helm chart.

helm install \
   -n conjur \
   -f values.yaml \
   conjur \
   https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v2.0.3/conjur-oss-2.0.3.tgz

$ kubectl get pods -n conjur
NAME                                 READY   STATUS    RESTARTS   AGE
conjur-conjur-oss-55d84ff4f8-sv5h8   2/2     Running   0          32h

$ kubectl get svc -n conjur
NAME                TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
conjur-conjur-oss   LoadBalancer   10.0.194.43   x.x.x.x       443:30698/TCP   14d

Additional Information

We wanted to know whether, by any chance, Conjur only supports a proper issuer, or whether there are any issues in using certificates from LetsEncrypt.
Attaching the snippet of the endpoint.

image
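
The parenthetical in the error above, "unable to get issuer certificate", is OpenSSL verification error 2, which is distinct from error 20 ("unable to get local issuer certificate"). The following is an added example, not part of the issue or of Conjur's code: it builds a constructed three-level chain offline and shows which contents of the trust file produce each error. All subjects and file names are made up, and it assumes OpenSSL 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Constructed demo chain: root -> intermediate -> leaf. All names are made up.
D=$(mktemp -d) && trap 'rm -rf "$D"' EXIT

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$D/cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
EOF

# issue NAME SUBJECT SIGNER [ca]: write NAME.key and NAME.pem, signed by
# SIGNER ("self" = self-signed). A 4th argument "ca" marks the cert as a CA.
issue() {
    openssl req -new -config "$D/cnf" -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
    if [ "$3" = self ]; then
        set -- "$1" "$2" "$3" "${4:-}" -signkey "$D/$1.key"
    else
        set -- "$1" "$2" "$3" "${4:-}" -CA "$D/$3.pem" -CAkey "$D/$3.key" -CAcreateserial
    fi
    name=$1 kind=$4; shift 4
    if [ "$kind" = ca ]; then set -- "$@" -extfile "$D/cnf" -extensions ca; fi
    openssl x509 -req -in "$D/$name.csr" "$@" -days 2 -out "$D/$name.pem" 2>/dev/null
}

# verify_code TRUSTFILE CERT: print OpenSSL's verification error number,
# or 0 when CERT chains to a trusted root found in TRUSTFILE.
verify_code() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo 0; return 0; }
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

issue root "/CN=Demo Root CA" self ca
issue int  "/CN=Demo Intermediate CA" root ca
issue leaf "/CN=conjur.example.test" int
cat "$D/int.pem" "$D/root.pem" > "$D/full.pem"

# Trust file holds the intermediate but not its issuer: error 2.
echo "intermediate only:   $(verify_code "$D/int.pem"  "$D/leaf.pem")"
# Trust file holds the root, but no intermediate is available: error 20.
echo "root only:           $(verify_code "$D/root.pem" "$D/leaf.pem")"
# Trust file holds both: verification succeeds.
echo "root + intermediate: $(verify_code "$D/full.pem" "$D/leaf.pem")"
```

On this constructed chain, error 2 appears when the trust file holds the intermediate but not the root that issued it. Whether that matches the certificate file used in the reporter's setup is not shown on the page.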
