Conjur OSS on Kubernetes - CONJUR_SSL_CERTIFICATE problem

Hi,

I’ve followed the Conjur OSS guide to authenticate my app via Kubernetes Authenticator Client sidecar. I’ve used the defaults as far as possible, keeping “https://conjur.myorg.com” as the domain/URL and mapping this via an /etc/hosts entry instead of configuring a DNS. The conjur-oss apps are up, I can hit the server and create all the required policies.

I’ve tried to follow the steps to the letter and am getting close but in the container logs:
requests.go:23: CAKC011I Login request to: https://conjur-oss.conjur-oss.svc.cluster.local/authn-k8s/test/inject_client_cert
ERROR: 2020/08/11 21:40:00 authenticator.go:133: CAKC029E Received invalid response to certificate signing request. Reason: status code 403,

I’m sure it’s linked to the section “Create the public SSL certificate required for connecting to the Conjur follower service and store in a ConfigMap”. For the CONJUR_SSL_CERTIFICATE parameter it says that:

The SSL certificate is generated during Conjur appliance configuration and stored in a .pem file located in the root folder where Conjur was created

In the Conjur server container what is the root folder? I can’t find any .pem files within the server itself (/opt/conjur/etc/ssl/cert and /opt/conjur/etc/ssl//ca are empty). When the Conjur client is initialised via conjur init, conjur-default.pem is created so I assumed I can use this:
kubectl create configmap conjur-cert --from-file=ssl-certificate="/home/lee/conjur-default.pem".

Any clues as to where I might be going wrong would be welcome. There are so many steps and config values in the sidecar manifest that I’m really not sure where to start debugging. I have attached the manifest in case it is of use.

Many thanks,
Leesidecar-manifest.txt (2.1 KB)

Hey Lee!
That part of the instructions that you are reading are for the enterprise appliance version where the certificate is stored in the same container. When you use the Conjur OSS product though, the SSL certificate handling is moved to the NGINX/proxy container so the cert will be there.

Depending on how you deployed Conjur OSS, you can either:

  • Grab the certificate from the NGINX container.
  • Use openssl or my prototype tool crtool (crtool dump -t <conjur_server> -o mycert.pem) to grab it from a live server.

Let me know if that helps,
Srdjan

2 Likes

Hi Srdjan,

Thanks for the feedback.

I was using openssl but I’ll try and grab the certificate directly from the NGINX container or else use crtool. I will let you know how I get on.

Is there any way to set DEBUG on the k8s authenticator sidecar to see what is happening? Or may a way to set the JVM option -Djavax.net.debug=ssl,handshake when it is launched from the deployment?

Thanks again,
Lee