cyberark / conjur

CyberArk Conjur automatically secures secrets used by privileged users and machine identities

Home Page: https://conjur.org

ConjurCLI fails to authenticate/verify conjur server with certificate issued via LetsEncrypt

kindrajeets opened this issue

Summary

The conjur cli container "cyberark/conjur-cli:5" always fails to authenticate to the conjur server using the certificates issued via LetsEncrypt.

Steps to Reproduce

  • Generated letsencrypt certificates and then followed the link

  • Also followed the link

  • Entire setup is running on AKS cluster and the conjur service is exposed via external LoadBalancer

  • Able to view the conjur endpoint with valid certificates generated from LetsEncrypt on the browsers (chrome+safari)

  • Created the conjur-cli container and loaded "CONJUR_URL" & "Account":
    $ docker run --rm -it --entrypoint bash cyberark/conjur-cli:5
    $ export CONJUR_URL="https://ConjurEndpoint"
    $ export ACCOUNT=default
    $ conjur init -u $CONJUR_URL -a $ACCOUNT

  • conjur authn login -u admin -p <admin_api_key_printed_by_helm_install>:
    $ conjur authn login -u admin -p "key"
    error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate)

Expected Results

  • Should be able to authenticate to the conjur server

Actual Results

$ docker run --rm -it --entrypoint bash cyberark/conjur-cli:5
$ export CONJUR_URL="https://ConjurEndpoint"
$ export ACCOUNT=default
$ conjur init -u $CONJUR_URL -a $ACCOUNT
$ conjur authn login -u admin -p <admin_api_key_printed_by_helm_install>
error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate)

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

AKS version : v1.22.6
Conjur Version : 2.0.3
Certificate issuer : LetsEncrypt

Environment setup

AKS cluster and conjur deployed via helm chart.

helm install \
   -n conjur \
   -f values.yaml \
   conjur \
   https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v2.0.3/conjur-oss-2.0.3.tgz

$ kubectl get pods -n conjur
NAME                                 READY   STATUS    RESTARTS   AGE
conjur-conjur-oss-55d84ff4f8-sv5h8   2/2     Running   0          32h

$ kubectl get svc -n conjur
NAME                TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
conjur-conjur-oss   LoadBalancer   10.0.194.43   x.x.x.x       443:30698/TCP   14d

Additional Information

We wanted to know whether Conjur only supports a proper issuer, or if there are any issues with using certificates from LetsEncrypt.
Attaching the snippet of the endpoint.

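The OpenSSL reason string in the error above is more specific than it looks. "unable to get issuer certificate" (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, error 2) is what OpenSSL reports when chain building reached a certificate that is present in the client's trust file but could not be extended from there to a self-signed root. The different reason "unable to get local issuer certificate" (error 20) is reported when the issuer of the served chain is not in the trust file at all. With a Let's Encrypt endpoint, error 2 is what a client gets when its trust file holds only what the server served (the leaf and an intermediate such as R3) and no self-signed root such as ISRG Root X1, which is why the browsers, which carry ISRG Root X1 in their own root store, are happy while a client verifying against a saved certificate file is not. The two things to inspect are therefore the chain the server actually sends and the contents of the certificate file that conjur init saved (the cert_file entry in ~/.conjurrc). The script below is an added example, not code from this issue or from the Conjur project: it reproduces both error strings offline with a constructed root/intermediate/leaf chain and defines the helper used to list a chain's subjects. Every name, path and hostname in it is made up.

```shell
#!/bin/sh
# Added example (not from the issue or the conjur project): reproduce OpenSSL's
# "unable to get issuer certificate" vs "unable to get local issuer certificate"
# with a constructed root -> intermediate -> leaf chain, a stand-in for
# ISRG Root X1 -> R3 -> a Let's Encrypt leaf. All names and paths are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension files (constructed). openssl verify only accepts an issuer that
# carries basicConstraints CA:TRUE, so root and intermediate both get it.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:conjur.example.test\n' > "$WORK/leaf.ext"

# new_cert NAME SUBJECT EXTFILE [ISSUER_NAME]: issue one certificate,
# self-signed when no issuer is given, otherwise signed by ISSUER_NAME's key.
new_cert() {
  name=$1; subj=$2; ext=$3; issuer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 2 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 2 -extfile "$ext" \
      -out "$WORK/$name.pem" 2>/dev/null
  fi
}

new_cert root  "/CN=Demo Root"           "$WORK/ca.ext"
new_cert inter "/CN=Demo Intermediate"   "$WORK/ca.ext"   root
new_cert leaf  "/CN=conjur.example.test" "$WORK/leaf.ext" inter
# What certbot calls fullchain.pem, and what a correctly configured server
# presents: the leaf followed by the intermediate, without the root.
cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/fullchain.pem"

# verify_leaf TRUST_FILE [UNTRUSTED_FILE]: verify the leaf the way a TLS client
# does, with TRUST_FILE as the only trust anchors and UNTRUSTED_FILE standing
# in for the chain the server sent. Prints "ok" or OpenSSL's reason string.
verify_leaf() {
  trust=$1; untrusted=${2:-}
  if [ -n "$untrusted" ]; then
    out=$(openssl verify -CAfile "$trust" -untrusted "$untrusted" "$WORK/leaf.pem" 2>&1) \
      && { echo ok; return 0; }
  else
    out=$(openssl verify -CAfile "$trust" "$WORK/leaf.pem" 2>&1) \
      && { echo ok; return 0; }
  fi
  # Reduce "error N at D depth lookup: <reason>" to the reason.
  printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# chain_subjects PEM_FILE: one subject=/issuer= pair per certificate in the
# file. Run it on the file cert_file in ~/.conjurrc points at, and on the chain
# a real server sends, captured with (needs network, not run here):
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null > served.pem
chain_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

echo "root trusted, server sends leaf+intermediate: $(verify_leaf "$WORK/root.pem" "$WORK/inter.pem")"
echo "root trusted, server sends leaf only:         $(verify_leaf "$WORK/root.pem")"
echo "only the served leaf+intermediate trusted:    $(verify_leaf "$WORK/fullchain.pem")"
chain_subjects "$WORK/fullchain.pem"
```

The third case is the one that prints the reason quoted in this issue: a trust file that contains the served chain but ends in a certificate that is not self-signed. The fix for that shape is a trust file that ends in a self-signed root, for example by appending ISRG Root X1 to the file cert_file points at, or by pointing cert_file at the container's system CA bundle (assumption: the bundle in the cyberark/conjur-cli:5 image already contains ISRG Root X1; check with chain_subjects). The second case is what a misconfigured server produces when it is given cert.pem instead of fullchain.pem, and it is worth ruling out separately, because a browser that caches intermediates will still show the site as valid.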