Ansible fetching secrets from Conjur: faces error -> Error was a <class 'urllib2.HTTPError'>, original message: HTTP Error 404: Not Found - which is fetched by API

Actually I have used a self-signed certificate to conjurise my Ansible host, but upon fetching secrets it's failing via summon and with the conjur_variable lookup plugin too!

TASK [debug] ***********************************************************************************************************************************************************
task path: /vandana_ansible/conjur_Ans_https/test_Conjur.yml:5
conf file: /etc/conjur.conf
Loading configuration from: /etc/conjur.conf
identity file: /etc/conjur.identity
Loading identity from: /etc/conjur.identity for https://10.1.242.1xx
Authentication request to Conjur at: https://10.1.242.1xx/authn/quick-start/host/vuhplabgtawx001b/authenticate, with user: host/vuhplabgtawx001b
fatal: [localhost]: FAILED! => {
"msg": "An unhandled exception occurred while running the lookup plugin 'conjur_variable'. Error was a <class 'urllib2.HTTPError'>, original message: HTTP Error 401: Unauthorized"
}

PLAY RECAP *************************************************************************************************************************************************************
localhost : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

Sometimes the above command gives a 404 too.


[root@vuhplabgtawx003 conjur_Ans_https]# /usr/local/lib/summon/summon-conjur ansible/ssh_private_key
Post https://10.1.242.1xx/authn/quick-start/host%2Fvuhplabgtawx001b/authenticate: x509: cannot validate certificate for 10.1.242.1xx because it doesn't contain any IP SANs
[root@vuhplabgtawx003 conjur_Ans_https]#

Also the conjur.identity file is …
[root@vuhplabgtawx003 conjur_Ans_https]# cat /etc/conjur.identity
machine https://10.1.242.1xx/authn
login host/vuhplabgtawx001b
password 180z7hg2ce7k3m1gvh6e6gvga1r08v058x14hjvxb0937x0h7r
[root@vuhplabgtawx003 conjur_Ans_https]#

Should I not use the self-signed cert? I have put the path of the generated crt and key into the nginx.conf file in the nginx-proxy container – is this wrong?

Hey @ReadingConjur,

  • Ansible: A 401 error is definitely not a certificate-related error but a permissions/authentication/ID problem so the Ansible issue is probably the encoding of the username (try using host%2Fvuhplabgtawx001b) or encoding of the authenticator path slash. If it was a certificate error, you would see that before a 401 error. Let us know if this works as it may be a bug with the Ansible module but a manual encoding may work.

  • summon-conjur: This issue is a certificate problem and as far as I can tell, it’s a bad certificate as all newer certificates must have a SAN section. You can check what the server is sending with openssl s_client or crtool dump -t 10.1.242.1xx but it’s probably something messed up with that nginx cert. Keep a keen eye on the CN section and ServerAltNames sections and make sure that the conjur server DNS name matches at least the SAN items.

Let us know if this doesn’t help.

Thanks,
Srdjan

So can we use a self-signed cert created with openssl?

I created one with OpenSSL and placed it in the nginx-proxy container (doing --> docker exec -it sh). Path: /etc/nginx/, and I mentioned the same in conf.d/default.conf so that it gets picked up.

Apparently the conjurization Ansible role went fine with "validate certs: yes".
But summon fetching secrets failed with:

https://10.1.242.1xx/authn/quick-start/host%2Fvuhplabgtawx001b/authenticate: x509: cannot validate certificate for 10.1.242.1xx because it doesn't contain any IP SANs

and yes, I used host%2Fvuhplabgtawx001b.
Still I get:
"msg": "An unhandled exception occurred while running the lookup plugin 'conjur_variable'. Error was a <class 'urllib2.HTTPError'>, original message: HTTP Error 401: Unauthorized"

Was I wrong anywhere in the above steps?

Heya @ReadingConjur again,

After googling a bit about this, the cert that you created as-is is not really valid. Since you are using an IP as the identifier of the host, you cannot use the commonName field like most standard certificates do. You must use the serverAltNames part of the x509 certificate for placing that IP address and it looks like Golang checks this condition and Ansible (Python) does not. In your cert’s case, this field is empty and the cert will need to be regenerated to use it with summon (and hopefully no other issues exist).

As for the Ansible 401 error, it will be hard to really diagnose, but if it's not the encoding then it's starting to seem like there's either a problem with your policy or the user/API key combo is invalid. I would try to connect manually using the Conjur CLI, or maybe even the Python CLI, as a test to make sure that the login info and the policy are correct.

@sgnn7 I created the self-signed cert using the IP in the below command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

Shall I use a different way?

@ReadingConjur Yeah, you may need to use a bit more accurate cert generation, using something similar to this openssl config file to add the subjectAltName correctly, or maybe follow these instructions. You can see in this script how it's used and how the certs are generated, but keep in mind the script uses DNS names and you need to change the prefix to IP: to support IP SAN names.

Edit: your posted command is fine for creating the keypair - it's the CSR that needs to be redone and re-signed.
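The following is an added example, not code from the thread, from Conjur or from summon: it builds the CN-only certificate that the bare openssl req command above produces and a corrected one whose subjectAltName carries the server address with the IP: prefix, then reads the SAN back and verifies the cert against the IP the way a Go client does (SAN, never CN). The address 10.1.242.10 and the file names are assumptions, since the thread redacts the real IP.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a working openssl binary;
# 10.1.242.10 stands in for the redacted 10.1.242.1xx.
set -eu

# Write a minimal openssl request config. With $3 empty the cert gets a CN
# only (what the thread's bare "openssl req -x509" command yields); with
# $3 set, e.g. "IP:10.1.242.10", a subjectAltName extension is added.
write_req_cnf() {   # $1 = cnf path, $2 = CN value, $3 = SAN value or ""
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n'
    [ -z "$3" ] || printf 'x509_extensions = v3_server\n'
    printf '[dn]\nCN = %s\n' "$2"
    [ -z "$3" ] || printf '[v3_server]\nsubjectAltName = %s\n' "$3"
  } > "$1"
}

# Self-signed key + cert from that config (same flags as the thread's command,
# plus -config so the extension section is honoured).
gen_cert() {        # $1 = output prefix, $2 = CN / server IP, $3 = SAN or ""
  write_req_cnf "$1.cnf" "$2" "$3"
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -config "$1.cnf" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Print the IP SAN entries of a cert. Empty output is exactly the case Go's
# x509 rejects with "doesn't contain any IP SANs", while Python's urllib2
# still accepts the cert; this is why only summon-conjur failed in the thread.
cert_ip_sans() {    # $1 = cert path
  openssl x509 -in "$1" -noout -text | grep -o 'IP Address:[0-9.]*' || true
}

# Verify the self-signed cert for an IP as a strict client would: the IP must
# appear in subjectAltName; a CN of the same IP does not count.
verify_cert_for_ip() {   # $1 = cert path, $2 = server IP
  openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# Stand-alone run: "sh this.sh demo" shows the failing and fixed certs.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  gen_cert "$d/nosan" 10.1.242.10 ""
  gen_cert "$d/san" 10.1.242.10 "IP:10.1.242.10"
  echo "CN-only cert SANs: '$(cert_ip_sans "$d/nosan.crt")'"
  echo "Fixed cert SANs:   '$(cert_ip_sans "$d/san.crt")'"
  if verify_cert_for_ip "$d/nosan.crt" 10.1.242.10; then echo "CN-only: accepted"
  else echo "CN-only: rejected for 10.1.242.10"; fi
  verify_cert_for_ip "$d/san.crt" 10.1.242.10 && echo "Fixed: accepted"
fi
```

Point nginx at the generated nginx-selfsigned-style key and crt as before; after the regeneration the SAN line must list the address summon connects to.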