I’m just starting my journey with Conjur and hope eventually to have it integrated into various automation tools (e.g. Ansible, Jenkins, etc.). I’ve written a playbook to deploy servers and install/config Conjur according to the Quick Start guide and things seem to be working.
In so doing, I figured out where the nginx container was looking for certs to secure the server and swapped those out with certs signed by our CA (Certbot service).
As such, when I visit https://myconjurhost.example.com:8443 I see a status page that says “Your Conjur server is running!”. Furthermore, my browser trusts the site as I have our org’s CA certs loaded into my OS/browser.
From the same workstation, I’m using docker to launch the CLI container:
docker run --rm -it --name conjur-client cyberark/conjur-cli:5
This gets me into the container where I then init:
conjur init --url https://myconjurhost.example.com:8443 --account myConjurAccount
I’m shown a certificate fingerprint with instructions on how to validate. I hop over to the Conjur server and run the openssl command to print the fingerprint; they match. I accept the certificate and see the output:
Wrote configuration to /root/.conjurrc
Now I’m ready to login as admin to manage policies and the like:
conjur authn login admin
I’m prompted for a password. I copy the API key for admin from the admin_data file I created during initial server install/config and supply that password to the prompt:
Please enter admin’s password (it will not be echoed):
I see this output:
error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate)
This “feels like” the running container is missing various intermediate certs in the CA chain of trust. I know I have all of these certs on my local machine/OS/browser since I get the “green padlock” in my browser.
I’ve gone so far as mounting my /usr/local/share/ca-certificates folder to the container at runtime as follows:
docker run --rm -it -v /usr/local/share/ca-certificates:/usr/local/share/ca-certificates --name conjur-client cyberark/conjur-cli:5
But I get the same SSL connection error. How can I overcome this?
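An added example, not code from the original post and not part of Conjur or the conjur-cli image: it builds a throwaway root -> intermediate -> server certificate chain with the openssl CLI (the hostname is reused from the question; every certificate is generated on the fly, so nothing here touches a real server) and then verifies the server certificate under different trust-store conditions, so that each OpenSSL error text can be tied to the piece that is missing.

```shell
#!/bin/sh
# Added example (not from the original post or from CyberArk/Conjur).
# Builds a constructed root -> intermediate -> leaf chain and checks the leaf
# under several trust-store conditions to show what each OpenSSL error means.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="myconjurhost.example.com"   # hostname from the question; cert is self-made

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF

# Three-tier chain: self-signed root, intermediate signed by the root,
# server (leaf) certificate signed by the intermediate.
build_chain() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1

  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.crt" >/dev/null 2>&1

  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/leaf.ext"
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$HOST" -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/server.crt" >/dev/null 2>&1

  # What a correctly configured TLS server sends in the handshake: leaf, then intermediate.
  cat "$WORK/server.crt" "$WORK/int.crt" > "$WORK/fullchain.pem"
}

# verify_chain TRUSTED PRESENTED
#   TRUSTED   = file standing in for the client's CA bundle, or "none"
#   PRESENTED = file standing in for the chain the server sends (-untrusted)
# Prints "ok" or the OpenSSL lookup error text; always returns 0 so callers can compare.
verify_chain() {
  trusted="$1"; presented="$2"
  # -no-CApath keeps the system directory out of the picture (it holds no copy of our root anyway).
  if [ "$trusted" = none ]; then
    out="$(openssl verify -no-CApath -no-CAfile -untrusted "$presented" "$WORK/server.crt" 2>&1 || true)"
  else
    out="$(openssl verify -no-CApath -CAfile "$trusted" -untrusted "$presented" "$WORK/server.crt" 2>&1 || true)"
  fi
  case "$out" in
    *": OK"*) echo ok ;;
    *) echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
  esac
}

# Run the combinations and print a one-line verdict for each.
report() {
  build_chain
  printf '%-42s %s\n' "root trusted, full chain presented:"    "$(verify_chain "$WORK/root.crt" "$WORK/fullchain.pem")"
  printf '%-42s %s\n' "root trusted, leaf only presented:"     "$(verify_chain "$WORK/root.crt" "$WORK/server.crt")"
  printf '%-42s %s\n' "intermediate trusted, leaf presented:"  "$(verify_chain "$WORK/int.crt"  "$WORK/server.crt")"
  printf '%-42s %s\n' "nothing trusted, full chain presented:" "$(verify_chain none "$WORK/fullchain.pem")"
}

report
```

Reading the verdicts: "unable to get local issuer certificate" means OpenSSL could not find the issuer of a certificate that came from the server (typically the intermediate was not sent and is not in the client's store); "unable to get issuer certificate" means it found a certificate in the trust store but could not find that certificate's own issuer, which is what happens when a bundle holds the intermediate but not the root. `openssl s_client -connect host:8443 -showcerts` shows exactly which certificates a server sends. On Debian-derived images, files placed under /usr/local/share/ca-certificates only become trusted once `update-ca-certificates` has rebuilt /etc/ssl/certs/ca-certificates.crt, so mounting the directory alone does not change what OpenSSL inside the container trusts.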