Conjur init error

Hi All,

I am receiving an error after I execute a conjur init --url https://XXX --account XX. The error is: unable to retrieve certificate from localhost.localdomain:443. Any help on this?

Please attempt the following command on the same server:
curl https://localhost.localdomain -v

And please provide the output. It looks like your URL should be localhost rather than localhost.localdomain.

Regards,
Andrew

Thanks for your reply @AndrewCopeland. Here is the output:

    * About to connect() to localhost.localdomain port 443 (#0)
    * Trying ::1...
    * Connected to localhost.localdomain (::1) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * Server certificate:
    *   subject: CN=localhost.localdomain
    *   start date: Oct 08 20:43:22 2019 GMT
    *   expire date: Oct 05 20:43:22 2029 GMT
    *   common name: localhost.localdomain
    *   issuer: CN=localhost.localdomain,OU=Conjur CA,O=org1
    * NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
    * Peer's certificate issuer has been marked as not trusted by the user.
    * Closing connection 0
    curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn't adequate, you can specify an alternate file
    using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
    the -k (or --insecure) option.

@AndrewCopeland, when I used the same command with the IP address of the machine, it didn't give me any error. When I tried to authenticate the user using conjur authn login user, it gives me the error SSL_connect returned=1 errno=0 state=error: certificate verify failed. Maybe this will give you more clarity.

When you installed Conjur, what docker commands did you run?
There should be 2 commands you executed (docker run & docker exec).

Could you provide both of these commands?

Also please provide the output of the following commands:
curl https://localhost.localdomain/info -k
curl https://localhost.localdomain/health -k

Regards,
Andrew

@AndrewCopeland, yes I did run those 2 commands.

Here is the output of the …/info -k:
    "release": "10.9.0",
    "version": "5.4.0",
    "services": {
      "evoke": {
        "desired": "i",
        "status": "i",
        "err": null,
        "name": "conjur-evoke",
        "version": "5.14.0.1-2cc2300",
        "arch": "amd64"
      },
      "ldap-sync": {
        "desired": "i",
        "status": "i",
        "err": null,
        "name": "conjur-ldap-sync",
        "version": "2.1.3.6-f3877ba",
        "arch": "amd64"
      },
      "possum": {
        "desired": "i",
        "status": "i",
        "err": null,
        "name": "conjur-possum",
        "version": "1.4.1.0-04c8383",
        "arch": "amd64"
      },
      "ui": {
        "desired": "i",
        "status": "i",
        "err": null,
        "name": "conjur-ui",
        "version": "2.10.13.21-c37a5b11",
        "arch": "amd64"
      }
    },
    "role": "master",
    "configuration": {
      "conjur": {
        "role": "master",
        "account": "org1",
        "hostname": "localhost.localdomain",
        "master_altnames": [
          "localhost.localdomain",
          "localhost",
          "conjur"
        ]
      }
    },
    "authenticators": {
      "installed": [
        "authn",
        "authn-iam",
        "authn-k8s",
        "authn-ldap",
        "authn-oidc"
      ],
      "configured": [
        "authn"
      ],
      "enabled": [
        "authn"
      ]
    }

Here is the output for the …/health -k

    {
      "services": {
        "possum": "ok",
        "ui": "ok",
        "ok": true
      },
      "database": {
        "ok": true,
        "connect": {
          "main": "ok"
        },
        "free_space": {
          "main": {
            "kbytes": 15041120,
            "inodes": 9289515
          }
        },
        "replication_status": {
          "pg_current_xlog_location": "0/194B740",
          "pg_current_xlog_location_bytes": 26523456
        }
      },
      "ok": true
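
Added example (not part of the thread and not Conjur code): it compares the host in a URL intended for conjur init against the hostname and master_altnames reported by /info, on the assumption that these are the names the appliance certificate is issued for. The function names and the sample URLs are hypothetical, and the check says nothing about whether the client trusts the issuing CA, which is the error curl reported above.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample: the "configuration" part of the /info output posted above.
INFO_JSON = """
{
  "configuration": {
    "conjur": {
      "role": "master",
      "account": "org1",
      "hostname": "localhost.localdomain",
      "master_altnames": ["localhost.localdomain", "localhost", "conjur"]
    }
  }
}
"""
INFO = json.loads(INFO_JSON)

def configured_names(info):
    """Return the normalised hostname and altnames reported by /info."""
    conjur = info["configuration"]["conjur"]
    names = [conjur["hostname"], *conjur.get("master_altnames", [])]
    return {n.lower().rstrip(".") for n in names}

def check_url(url, info):
    """Classify the host of a candidate appliance URL against the /info names."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return "invalid: expected an https:// URL with a host"
    host = parts.hostname.lower().rstrip(".")
    if host in configured_names(info):
        return "ok: host is a configured name"
    try:
        ipaddress.ip_address(host)  # IP literals are reported separately
    except ValueError:
        return "mismatch: host is not a configured name"
    return "mismatch: IP literal, not a configured name"

if __name__ == "__main__":
    # Assumption: these URLs are illustrative, not taken from the thread.
    for url in ("https://localhost.localdomain", "https://LOCALHOST:443",
                "https://192.0.2.10", "https://conjur.example.com"):
        print(f"{url:32} {check_url(url, INFO)}")
```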