ConjurCLI fails to authenticate/verify conjur server with certificate issued via LetsEncrypt
kindrajeets opened this issue · comments
Summary
The Conjur CLI container "cyberark/conjur-cli:5" always fails to authenticate to the Conjur server using the certificates issued via LetsEncrypt.
Steps to Reproduce
- Generated LetsEncrypt certificates and then followed the link
- Also followed the link
- Entire setup is running on an AKS cluster and the conjur service is exposed via an external LoadBalancer
- Able to view the conjur endpoint with valid certificates generated from LetsEncrypt in browsers (Chrome + Safari)
- Created the conjur-cli container and loaded "CONJUR_URL" & "Account":
  $ docker run --rm -it --entrypoint bash cyberark/conjur-cli:5
- export CONJUR_URL="https://ConjurEndpoint"
- export ACCOUNT=default
- conjur init -u $CONJUR_URL -a $ACCOUNT
- conjur authn login -u admin -p <admin_api_key_printed_by_helm_install>
  conjur authn login -u admin -p "key"
  error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate)
Expected Results
- Should be able to authenticate to the conjur server
Actual Results
  $ docker run --rm -it --entrypoint bash cyberark/conjur-cli:5
- export CONJUR_URL="https://ConjurEndpoint"
- export ACCOUNT=default
- conjur init -u $CONJUR_URL -a $ACCOUNT
- conjur authn login -u admin -p <admin_api_key_printed_by_helm_install>
  conjur authn login -u admin -p "key"
  error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate)
Reproducible
- Always
- Sometimes
- Non-Reproducible
Version/Tag number
AKS version: v1.22.6
Conjur version: 2.0.3
Certificate issuer: LetsEncrypt
Environment setup
AKS cluster and conjur deployed via helm chart.
  helm install \
    -n conjur \
    -f values.yaml \
    conjur \
    https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v2.0.3/conjur-oss-2.0.3.tgz

  $ kubectl get pods -n conjur
  NAME                                 READY   STATUS    RESTARTS   AGE
  conjur-conjur-oss-55d84ff4f8-sv5h8   2/2     Running   0          32h

  $ kubectl get svc -n conjur
  NAME                TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
  conjur-conjur-oss   LoadBalancer   10.0.194.43   x.x.x.x       443:30698/TCP   14d
Additional Information
We wanted to know whether, by any chance, conjur only supports a proper issuer, or if there are any issues with using certificates from LetsEncrypt.
Attaching the snippet of the endpoint.
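The OpenSSL error in the report, "unable to get issuer certificate", means the client found a certificate in the chain whose issuer it could not locate: either the server presented only its leaf certificate without the intermediate that signed it, or the client's CA bundle does not contain the root that the chain ends in. The following Go program is an added example, not code from the issue reporter or from Conjur; it builds a constructed root -> intermediate -> leaf chain in memory (the hostname conjur.example.test and all CA names are made up) and runs the three situations a client can be in, so the difference between "server sent leaf only", "server sent the full chain", and "client trusts no matching root" is visible without touching a real endpoint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed hostname for the constructed server certificate; not the reporter's endpoint.
const serverName = "conjur.example.test"

// chain is a constructed stand-in for a public CA hierarchy: the root the
// client must already trust, the intermediate that actually signs server
// certificates, and the server (leaf) certificate.
type chain struct {
	root, intermediate, leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues a certificate for template/pub, signed by parent's key.
func sign(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// buildChain creates root -> intermediate -> leaf entirely in memory.
func buildChain() chain {
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "Constructed Root CA")
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := sign(caTemplate(2, "Constructed Intermediate CA"), root, &intKey.PublicKey, rootKey)
	now := time.Now()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := sign(leafTmpl, inter, &leafKey.PublicKey, intKey)
	return chain{root: root, intermediate: inter, leaf: leaf}
}

// VerifyServed does what a TLS client does after the handshake. served is the
// certificate list the server presented (leaf first, then any intermediates);
// trusted is the client's root store. Only trusted roots act as anchors, so
// every other issuer has to be reachable through what the server sent.
func VerifyServed(served []*x509.Certificate, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool() // empty but non-nil: no fallback to system roots
	for _, c := range trusted {
		roots.AddCert(c)
	}
	intermediates := x509.NewCertPool()
	for _, c := range served[1:] {
		intermediates.AddCert(c)
	}
	_, err := served[0].Verify(x509.VerifyOptions{
		DNSName:       serverName,
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Diagnose runs the three situations behind "unable to get issuer certificate".
func Diagnose() (leafOnly, fullChain, rootMissing error) {
	c := buildChain()
	// 1. Server sends only the leaf (cert.pem instead of fullchain.pem): the
	//    client trusts the root but cannot find the leaf's issuer.
	leafOnly = VerifyServed([]*x509.Certificate{c.leaf}, c.root)
	// 2. Server sends leaf + intermediate and the client trusts the root.
	fullChain = VerifyServed([]*x509.Certificate{c.leaf, c.intermediate}, c.root)
	// 3. Server sends the full chain but the client's CA bundle lacks the root.
	rootMissing = VerifyServed([]*x509.Certificate{c.leaf, c.intermediate})
	return leafOnly, fullChain, rootMissing
}

func main() {
	a, b, c := Diagnose()
	fmt.Println("leaf only, root trusted:        ", a)
	fmt.Println("leaf+intermediate, root trusted:", b)
	fmt.Println("leaf+intermediate, no root:     ", c)
}
```

Case 1 fails and case 2 succeeds with the same client trust store, which is why a browser (which may fetch a missing intermediate on its own) can show the endpoint as valid while a container CLI that only uses what the server sent does not; case 3 fails even with a complete chain, which is what a stale CA bundle inside the client container looks like. Against a live endpoint, the certificates the server actually presents can be listed with `openssl s_client -showcerts -connect <host>:443`, which shows whether the intermediate is among them.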