Conjur init error

Hi All,

I am receiving an error after I execute conjur init --url https://XXX --account XX. The error is: unable to retrieve certificate from localhost.localdomain:443. Any help on this?

Please attempt the following command on the same server:
curl https://localhost.localdomain -v

And please provide the output. It looks like your URL should be localhost rather than localhost.localdomain.

Regards,
Andrew

Thanks for your reply @AndrewCopeland. Here is the output:

  * About to connect() to localhost.localdomain port 443 (#0)
  *   Trying ::1...
  * Connected to localhost.localdomain (::1) port 443 (#0)
  * Initializing NSS with certpath: sql:/etc/pki/nssdb
  *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  * Server certificate:
  *   subject: CN=localhost.localdomain
  *   start date: Oct 08 20:43:22 2019 GMT
  *   expire date: Oct 05 20:43:22 2029 GMT
  *   common name: localhost.localdomain
  *   issuer: CN=localhost.localdomain,OU=Conjur CA,O=org1
  * NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
  * Peer's certificate issuer has been marked as not trusted by the user.
  * Closing connection 0
  curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
  More details here: http://curl.haxx.se/docs/sslcerts.html

  curl performs SSL certificate verification by default, using a "bundle"
  of Certificate Authority (CA) public keys (CA certs). If the default
  bundle file isn't adequate, you can specify an alternate file
  using the --cacert option.
  If this HTTPS server uses a certificate signed by a CA represented in
  the bundle, the certificate verification probably failed due to a
  problem with the certificate (it might be expired, or the name might
  not match the domain name in the URL).
  If you'd like to turn off curl's verification of the certificate, use
  the -k (or --insecure) option.

@AndrewCopeland, when I used the same command with the IP address of the machine it didn't give me any error. When I tried to authenticate the user using conjur authn login user, it gives me the error SSL_connect returned=1 errno=0 state=error: certificate verify failed. Maybe this will give you more clarity.

When you installed conjur, what docker commands did you run?
There should be 2 commands you executed (docker run & docker exec).

Could you provide both of these commands?

Also please provide the output of the following commands:
curl https://localhost.localdomain/info -k
curl https://localhost.localdomain/health -k

Regards,
Andrew

@AndrewCopeland, yes, I did run those 2 commands.

Here is the output of the …/info -k:
{
  "release": "10.9.0",
  "version": "5.4.0",
  "services": {
    "evoke": {
      "desired": "i",
      "status": "i",
      "err": null,
      "name": "conjur-evoke",
      "version": "5.14.0.1-2cc2300",
      "arch": "amd64"
    },
    "ldap-sync": {
      "desired": "i",
      "status": "i",
      "err": null,
      "name": "conjur-ldap-sync",
      "version": "2.1.3.6-f3877ba",
      "arch": "amd64"
    },
    "possum": {
      "desired": "i",
      "status": "i",
      "err": null,
      "name": "conjur-possum",
      "version": "1.4.1.0-04c8383",
      "arch": "amd64"
    },
    "ui": {
      "desired": "i",
      "status": "i",
      "err": null,
      "name": "conjur-ui",
      "version": "2.10.13.21-c37a5b11",
      "arch": "amd64"
    }
  },
  "role": "master",
  "configuration": {
    "conjur": {
      "role": "master",
      "account": "org1",
      "hostname": "localhost.localdomain",
      "master_altnames": [
        "localhost.localdomain",
        "localhost",
        "conjur"
      ]
    }
  },
  "authenticators": {
    "installed": [
      "authn",
      "authn-iam",
      "authn-k8s",
      "authn-ldap",
      "authn-oidc"
    ],
    "configured": [
      "authn"
    ],
    "enabled": [
      "authn"
    ]
  }
}

Here is the output for the …/health -k:

{
  "services": {
    "possum": "ok",
    "ui": "ok",
    "ok": true
  },
  "database": {
    "ok": true,
    "connect": {
      "main": "ok"
    },
    "free_space": {
      "main": {
        "kbytes": 15041120,
        "inodes": 9289515
      }
    },
    "replication_status": {
      "pg_current_xlog_location": "0/194B740",
      "pg_current_xlog_location_bytes": 26523456
    }
  },
  "ok": true
}

Was there any solution for this issue? I am running into the same issue.

I think there may be multiple reasons why this can happen.

What did you type in for the --url parameter?
Also could you please try curling the /info or /health endpoints mentioned above and provide the outputs.

Also, if you could provide the commands you used to install conjur, I can replicate it within my lab.

Regards,
Andrew

I managed to resolve the issue. The hostname was not resolving because of some DNS issues, and I reran the docker exec with the IP address as the hostname; with the new certificate it is working well. Thank you for the response.


The hostname you enter after conjur init must be the same hostname you configured when installing the conjur master or conjur follower.

The conjur init command will only fetch the self-signed certificate if the conjur instance was configured with a self-signed certificate. If conjur was configured with a CA-signed certificate, this step does not occur.

Regards,
Andrew
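The thread shows two different certificate failures that produce similar-looking errors: curl's SEC_ERROR_UNTRUSTED_ISSUER (the self-signed issuer is not in the client's trust store, which is what conjur init fixes by fetching and storing the certificate) and the hostname in --url not being one of the names the certificate carries (hostname / master_altnames in the /info output). The following Go program is an added example and not part of this thread or of Conjur: it constructs a self-signed certificate shaped like the one in the curl output (CN=localhost.localdomain, DNS SANs taken from master_altnames, constructed values) and runs both checks a TLS client performs, so the two failure modes can be told apart offline. The names newSelfSignedCert and diagnose are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCert builds an in-memory self-signed server certificate shaped
// like the one in the curl output above: CN=localhost.localdomain issued by
// itself, with the DNS SANs taken from master_altnames. The certificate is
// constructed here for the example; it is not a Conjur artifact.
func newSelfSignedCert(cn string, altnames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:         cn,
			OrganizationalUnit: []string{"Conjur CA"},
			Organization:       []string{"org1"},
		},
		DNSNames:              altnames,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// Template used as its own parent: a self-signed certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// diagnose runs the two checks a TLS client performs on a server certificate:
// chain validation against a trust store, and a hostname check against the
// name taken from --url. trustServerCert=false models a client that has not
// stored the self-signed cert yet (curl before conjur init); true models one
// that has. Returns "ok", "untrusted-issuer", "hostname-mismatch" or
// "other: <detail>".
func diagnose(cert *x509.Certificate, hostname string, trustServerCert bool) string {
	roots := x509.NewCertPool() // empty pool: trusts nothing, not even system CAs
	if trustServerCert {
		roots.AddCert(cert) // equivalent of storing the fetched self-signed cert
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots})
	if err == nil {
		return "ok"
	}
	var hostErr x509.HostnameError
	if errors.As(err, &hostErr) {
		return "hostname-mismatch"
	}
	var authErr x509.UnknownAuthorityError
	if errors.As(err, &authErr) {
		return "untrusted-issuer"
	}
	return "other: " + err.Error()
}

func main() {
	cert, err := newSelfSignedCert("localhost.localdomain",
		[]string{"localhost.localdomain", "localhost", "conjur"})
	if err != nil {
		panic(err)
	}
	cases := []struct {
		host    string
		trusted bool
	}{
		{"localhost.localdomain", false}, // curl -v in the thread: SEC_ERROR_UNTRUSTED_ISSUER
		{"localhost.localdomain", true},  // after the self-signed cert is trusted
		{"localhost", true},              // any name listed in master_altnames works
		{"conjur.example", true},         // a name that was never configured on the master
		{"192.0.2.10", true},             // IP in --url but the cert carries no IP SAN
	}
	for _, c := range cases {
		fmt.Printf("%-22s trusted=%-5v -> %s\n", c.host, c.trusted, diagnose(cert, c.host, c.trusted))
	}
}
```

The last two cases are why Andrew's advice matters: trusting the certificate is not enough if the name typed into --url (or an IP address) is not covered by the certificate's subject alternative names, so the name must match what was configured at install time, or the instance must be reconfigured so a new certificate includes it.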