Conjur CLI access to server with CA cert

Greetings,

I’m just starting my journey with Conjur and hope eventually to have it integrated into various automation tools (e.g. Ansible, Jenkins, etc.). I’ve written a playbook to deploy servers and install/config Conjur according to the Quick Start guide and things seem to be working.

In so doing, I figured out where the nginx container was looking for certs to secure the server and swapped those out with certs signed by our CA (Certbot service).

As such, when I visit https://myconjurhost.example.com:8443 I see a status page that says “Your Conjur server is running!”. Furthermore, my browser trusts the site as I have our org’s CA certs loaded into my OS/browser.

From the same workstation, I’m using docker to launch the CLI container:

docker run --rm -it --name conjur-client cyberark/conjur-cli:5

This gets me into the container where I then init:

conjur init --url https://myconjurhost.example.com:8443 --account myConjurAccount

I’m shown a certificate fingerprint with instructions on how to validate. I hop over to the Conjur server and run the openssl command to print the fingerprint; they match. I accept the certificate and see the output:

Wrote configuration to /root/.conjurrc

Now I’m ready to login as admin to manage policies and the like:

conjur authn login admin

I’m prompted for a password. I copy the API key for admin from the admin_data file I created during initial server install/config and supply that password to the prompt:

Please enter admin’s password (it will not be echoed):

I see this output:

error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate)

This “feels like” the running container is missing various intermediate certs in the CA chain of trust. I know I have all of these certs on my local machine/OS/browser since I get the “green padlock” in my browser.

I’ve gone so far as mounting my /usr/local/share/ca-certificates folder to the container at runtime as follows:

docker run --rm -it -v /usr/local/share/ca-certificates:/usr/local/share/ca-certificates --name conjur-client cyberark/conjur-cli:5

But I get the same SSL connection error. How can I overcome this?

Thanks!

Took me a while but I found my problem and I’ll leave information here for posterity.

After running the command:

conjur init --url https://myconjurhost.example.com:8443 --account myConjurAccount

I see a *.pem file written to /root/conjur-myConjurAccount.pem.

The *.pem file is a certificate bundle with the server’s certificate along with the intermediate CA. Apparently this is the file Certbot delivers and that is used by NGINX (I’ll confirm that). What is missing here is the root CA cert that issued the intermediate one. I chased down a copy of the root CA *.pem file I have on my machine and appended it to conjur-myConjurAccount.pem and the login now works.

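One way to check a bundle such as conjur-myConjurAccount.pem for the missing root and repair it the way the post describes, as an added example that is not part of the original post or of the Conjur CLI (the throwaway root/intermediate/server PKI, file names and directory are constructed; only the hostname comes from the post):

```shell
#!/bin/sh
# Added example, not code from the original post or from Conjur/CyberArk. Builds a
# throwaway root -> intermediate -> server PKI with openssl, writes a bundle that,
# like /root/conjur-myConjurAccount.pem in the post, holds only server + intermediate,
# shows that chain verification then fails, and repairs it by appending the root CA.

# issue_cert <dir> <name> <cn> <issuer-name> <ext-file>: key + CSR, signed by issuer
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -days 2 -extfile "$5" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_demo_pki <dir>: root CA, intermediate CA, server cert and the incomplete bundle
make_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$1/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" >/dev/null 2>&1
  issue_cert "$1" int "Demo Intermediate CA" root "$1/ca.ext"
  issue_cert "$1" server myconjurhost.example.com int "$1/leaf.ext"
  cat "$1/server.pem" "$1/int.pem" > "$1/conjur-myConjurAccount.pem"   # no root CA
}

# bundle_has_root <bundle>: succeeds if the last cert is self-signed (subject == issuer)
bundle_has_root() {
  last=$(awk '/^-----BEGIN CERTIFICATE-----/{c=""} {c=c $0 "\n"} END{printf "%s", c}' "$1")
  s=$(printf '%s' "$last" | openssl x509 -noout -subject_hash 2>/dev/null)
  i=$(printf '%s' "$last" | openssl x509 -noout -issuer_hash 2>/dev/null)
  [ -n "$s" ] && [ "$s" = "$i" ]
}

# verify_leaf <bundle> <leaf>: succeeds only if a chain from leaf to a root in bundle exists
verify_leaf() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# complete_bundle <bundle> <root-pem>: the fix from the post, appending the root CA once
complete_bundle() { bundle_has_root "$1" || cat "$2" >> "$1"; }

# Demo run: reproduce the failure, then apply the fix.
work=$(mktemp -d)
make_demo_pki "$work"
bundle="$work/conjur-myConjurAccount.pem"
if verify_leaf "$bundle" "$work/server.pem"; then echo "before fix: verified (unexpected)"
else echo "before fix: verify failed, as the CLI login did"; fi
complete_bundle "$bundle" "$work/root.pem"
if verify_leaf "$bundle" "$work/server.pem"; then echo "after appending root CA: verified"
else echo "after fix: still failing"; fi
rm -rf "$work"
```

The same check can be run against the real file by pointing bundle_has_root and verify_leaf at /root/conjur-myConjurAccount.pem inside the CLI container.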