Conjur init error

Hi All,

I am receiving an error after I execute conjur init --url https://XXX --account XX. The error is: unable to retrieve certificate from localhost.localdomain:443. Any help on this?

Please attempt the following command on the same server:
curl https://localhost.localdomain -v

And please provide the output. It looks like your url should be localhost rather than localhost.localdomain.

Regards,
Andrew

Thanks for your reply @AndrewCopeland. Here is the output:

    * About to connect() to localhost.localdomain port 443 (#0)
    *   Trying ::1...
    * Connected to localhost.localdomain (::1) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * Server certificate:
    *       subject: CN=localhost.localdomain
    *       start date: Oct 08 20:43:22 2019 GMT
    *       expire date: Oct 05 20:43:22 2029 GMT
    *       common name: localhost.localdomain
    *       issuer: CN=localhost.localdomain,OU=Conjur CA,O=org1
    * NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
    * Peer's certificate issuer has been marked as not trusted by the user.
    * Closing connection 0
    curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.

@AndrewCopeland, when I used the same command with the IP address of the machine it didn't give me any error. When I tried to authenticate the user using conjur authn login user, it gives me an error: SSL_connect returned=1 errno=0 state=error: certificate verify failed. Maybe this will give you more clarity.

When you installed conjur, what docker commands did you run?
There should be 2 commands you executed (docker run & docker exec).

Could you provide both of these commands?

Also please provide the output of the following commands:
curl https://localhost.localdomain/info -k
curl https://localhost.localdomain/health -k

Regards,
Andrew

@AndrewCopeland , yes I did run those 2 commands.

Here is the output of the …/info -k:

    {
      "release": "10.9.0",
      "version": "5.4.0",
      "services": {
        "evoke": {
          "desired": "i",
          "status": "i",
          "err": null,
          "name": "conjur-evoke",
          "version": "5.14.0.1-2cc2300",
          "arch": "amd64"
        },
        "ldap-sync": {
          "desired": "i",
          "status": "i",
          "err": null,
          "name": "conjur-ldap-sync",
          "version": "2.1.3.6-f3877ba",
          "arch": "amd64"
        },
        "possum": {
          "desired": "i",
          "status": "i",
          "err": null,
          "name": "conjur-possum",
          "version": "1.4.1.0-04c8383",
          "arch": "amd64"
        },
        "ui": {
          "desired": "i",
          "status": "i",
          "err": null,
          "name": "conjur-ui",
          "version": "2.10.13.21-c37a5b11",
          "arch": "amd64"
        }
      },
      "role": "master",
      "configuration": {
        "conjur": {
          "role": "master",
          "account": "org1",
          "hostname": "localhost.localdomain",
          "master_altnames": [
            "localhost.localdomain",
            "localhost",
            "conjur"
          ]
        }
      },
      "authenticators": {
        "installed": [
          "authn",
          "authn-iam",
          "authn-k8s",
          "authn-ldap",
          "authn-oidc"
        ],
        "configured": [
          "authn"
        ],
        "enabled": [
          "authn"
        ]
      }
    }

Here is the output for the …/health -k:

    {
      "services": {
        "possum": "ok",
        "ui": "ok",
        "ok": true
      },
      "database": {
        "ok": true,
        "connect": {
          "main": "ok"
        },
        "free_space": {
          "main": {
            "kbytes": 15041120,
            "inodes": 9289515
          }
        },
        "replication_status": {
          "pg_current_xlog_location": "0/194B740",
          "pg_current_xlog_location_bytes": 26523456
        }
      },
      "ok": true
    }

Was there any solution for this issue? I am running into the same issue

I think there may be multiple reasons why this can happen.

What did you type in for the --url parameter?
Also could you please try curling the /info or /health endpoints mentioned above and provide the outputs.

Also, if you could provide the commands you used to install conjur, I can replicate the setup within my lab.

Regards,
Andrew

I managed to resolve the issue. The hostname was not resolving because of some DNS issues, so I reran the docker exec with the IP address as the hostname, and with the new certificate it is working well. Thank you for the response.

2 Likes

The hostname you enter after entering conjur init must be the same hostname you configured when installing the conjur master or conjur follower.

The conjur init command will only fetch the self-signed certificate if the conjur instance was configured with a self-signed certificate. If conjur were configured with a CA signed certificate then this step does not occur.

Regards,
Andrew

@AndrewCopeland @sjohnkennedy,
I started to do everything from scratch to do a clean installation of Conjur. The UI is up and running and no issues.

When I tried the conjur init command, when I give the URL as https:// it gives me an error saying Unable to retrieve certificate from :443. But when I try with http:// it won't issue the previous error.
I don't want to use http:// to retrieve the certificate but https://. I have used the same hostname that I used for the docker run and exec commands.

Any idea on this ?

Thanks,

Nahom

1 Like

Hi Nahom,

Does your setup still use a hostname of localhost.localdomain?

I’m not sure if this will lead to any more clues, but can you capture the command output for the following:

nslookup <hostname>

(where <hostname> is your URL minus the https:// prefix).

Next, using the IPv4 address that the nslookup command resolves to, can you then capture the output for the following:

openssl s_client -showcerts -connect <hostname>:443 </dev/null | openssl x509 -text

This should display your Conjur server's SSL certificate.

Not that this should matter, as far as I can tell, but your debug output from a while back shows that localhost.localdomain was resolving to the IPv6 localhost of ::1. This should be okay, since it’s local, but I would like to compare that to the server’s SSL cert.

1 Like
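As an added example that is not part of this thread or of the Conjur code base: the script below strings together the checks Andrew and Joe ask for above (does the hostname resolve, what certificate does the endpoint present, does that certificate cover the hostname used in the conjur init URL, and is its issuer in the system CA bundle, which decides whether conjur init has to fetch the certificate at all). The function names, the hostnames used, and the `make_test_cert` fixture are assumptions made for this example; the fixture builds a constructed certificate with the same subject, issuer organisation and alternative names as the one shown in the curl output, so the checks can be exercised without a running Conjur.

```shell
#!/bin/sh
# Added example for this thread, not CyberArk code. Reproduces by hand the
# checks that fail inside `conjur init` when the URL hostname does not
# resolve or is not covered by the certificate the Conjur endpoint presents.
# Function names, hostnames and the make_test_cert fixture are assumptions.
set -eu

# resolve_host HOST : print one address for HOST, or nothing if it does not resolve.
resolve_host() {
    if command -v getent >/dev/null 2>&1; then
        getent ahosts "$1" | awk 'NR == 1 { print $1 }'
    else
        # nslookup, as suggested in the thread; the last Address: line is the answer.
        nslookup "$1" 2>/dev/null | awk '/^Address:/ { a = $2 } END { print a }'
    fi
}

# fetch_cert HOST PORT OUTFILE : save the leaf certificate the server presents
# (the same certificate conjur init fetches when the endpoint is not CA-signed).
fetch_cert() {
    openssl s_client -showcerts -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$3"
}

cert_subject()     { openssl x509 -in "$1" -noout -subject | sed 's/^[^=]*=//'; }
cert_issuer()      { openssl x509 -in "$1" -noout -issuer  | sed 's/^[^=]*=//'; }
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'; }

# cert_covers_host CERT HOST : success iff HOST matches a DNS SAN (or the CN
# when the certificate carries no SAN), i.e. a name a client may put in the URL.
# openssl x509 -checkhost always exits 0, so the verdict is read from its output.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# cert_trusted_by_system CERT : success iff the certificate chains to the
# system CA bundle. A self-signed or Conjur-CA-issued certificate fails this.
cert_trusted_by_system() {
    openssl verify "$1" >/dev/null 2>&1
}

# check_endpoint HOST [PORT] : run the checks in the order conjur init needs them.
check_endpoint() {
    host=$1
    port=${2:-443}
    addr=$(resolve_host "$host")
    if [ -z "$addr" ]; then
        echo "DNS:     $host does not resolve; fix DNS or use a name Conjur was configured with" >&2
        return 1
    fi
    echo "DNS:     $host -> $addr"

    cert=$(mktemp)
    fetch_cert "$host" "$port" "$cert"
    echo "subject: $(cert_subject "$cert")"
    echo "issuer:  $(cert_issuer "$cert")"

    if cert_covers_host "$cert" "$host"; then
        echo "name:    certificate covers $host"
    else
        echo "name:    certificate does NOT cover $host; use a hostname listed in its SANs" >&2
    fi

    if cert_trusted_by_system "$cert"; then
        echo "trust:   issuer is in the system CA bundle"
    else
        echo "trust:   issuer is not in the system CA bundle; pin SHA-256 $(cert_fingerprint "$cert")"
    fi
    rm -f "$cert"
}

# make_test_cert OUTFILE : constructed fixture modelled on the certificate in
# the thread (CN and SANs from the /info output), for offline testing only.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" -out "$1" \
        -subj "/CN=localhost.localdomain/OU=Conjur CA/O=org1" \
        -addext "subjectAltName=DNS:localhost.localdomain,DNS:localhost,DNS:conjur" \
        >/dev/null 2>&1
}

# Usage: sh check_conjur_tls.sh <hostname> [port]
if [ "$#" -ge 1 ]; then
    check_endpoint "$@"
fi
```

Run it with the exact hostname you intend to pass to conjur init --url; a "does NOT cover" result means the URL name differs from the master_altnames the master was configured with, and a "does not resolve" result is the DNS failure that the original poster fixed by reconfiguring with the IP address.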