Error authenticator.go:185: CAKC029 Received invalid response to certificate signing request. Reason: status code 401

Hi dears!!!

I’m having a problem starting the Conjur Operator configurator container on Openshift:
" INFO: 2024/11/04 15:03:06.000955 authenticator.go:84: CAKC040 Authenticating as user ‘host/conjur-follower’
ERROR: 2024/11/04 15:03:06.029198 authenticator.go:185: CAKC029 Received invalid response to certificate signing request. Reason: status code 401,
ERROR: 2024/11/04 15:03:06.029237 authenticator.go:271: CAKC015 Login failed
ERROR: 2024/11/04 15:03:06.029252 main.go:49: CAKC016 Failed to authenticate
ERROR: 2024/11/04 15:03:06.029266 main.go:72: CAKC031 Retransmission backoff exhausted
[configure-follower] INFO: Parsing Conjur token…
/usr/bin/configure-follower: line 193: /run/conjur/access-token: No such file or directory
[configure-follower] ERROR: API token is invalid (empty)!"

Note: I configured both the Operator and the Conjur Cluster using the official documentation (Version: 13.4):

I’m not sure where the problem might be generating the error, whether it’s a certificate or a problem with TLS or policy. I can send you more data for viewing.


I need help.

Hi @jonas.ribas,

This is an authentication error. Can you check the Conjur logs for more details as to why authentication has failed?

Yes.
The command output follows:

[cyberark@dev-cjurleader ~]$ sudo docker logs -f conjur-leader | grep failed
<14>1 2024-11-04T14:53:09.000+00:00 9b512d697d83 conjur-possum 2503173 - [meta sequenceId="93557"] [origin=10.0.23.67] [request_id=85371206-fb4a-4255-9cf9-df4b9c9b55b3] [tid=2503178] CONJ00048I Authentication Error: #<Kubeclient::HttpError: HTTP status code , SSL_connect returned=1 errno=0 peeraddr=10.0.23.8:6443 state=error: certificate verify failed (self-signed certificate in certificate chain)>
<14>1 2024-11-04T14:53:11.000+00:00 9b512d697d83 conjur-possum 2503172 - [meta sequenceId="93587"] [origin=10.0.23.67] [request_id=68ffb330-d77f-4134-a726-2bfc0baadb6f] [tid=2503203] CONJ00048I Authentication Error: #<Kubeclient::HttpError: HTTP status code , SSL_connect returned=1 errno=0 peeraddr=10.0.23.8:6443 state=error: certificate verify failed (self-signed certificate in certificate chain)>
<14>1 2024-11-04T15:09:33.000+00:00 9b512d697d83 conjur-possum 2503172 - [meta sequenceId="96912"] [origin=10.0.23.67] [request_id=5b8c7fbd-7a70-4ed2-bc6f-f70746e489fb] [tid=2503187] CONJ00048I Authentication Error: #<Kubeclient::HttpError: HTTP status code , SSL_connect returned=1 errno=0 peeraddr=10.0.23.8:6443 state=error: certificate verify failed (self-signed certificate in certificate chain)>
[cyberark@dev-cjurleader ~]$ sudo docker logs -f conjur-leader | grep erro
<43>1 2024-11-04T10:25:49.280+00:00 9b512d697d83 syslog-ng 35 - [meta sequenceId="41877"] Error reading RFC6587 style framed data; fd='44', error='Connection reset by peer (104)'
<43>1 2024-11-04T10:25:59.293+00:00 9b512d697d83 syslog-ng 35 - [meta sequenceId="41894"] SSL error while reading stream; tls_error='SSL routines:(null):unexpected eof while reading', location='/etc/syslog-ng/conf.d/60-conjur-audit-listen.conf:12:3'
<43>1 2024-11-04T10:25:59.293+00:00 9b512d697d83 syslog-ng 35 - [meta sequenceId="41895"] Error reading RFC6587 style framed data; fd='46', error='Connection reset by peer (104)'
<43>1 2024-11-04T10:26:09.302+00:00 9b512d697d83 syslog-ng 35 - [meta sequenceId="41912"] SSL error while reading stream; tls_error='SSL routines:(null):unexpected eof while reading', location='/etc/syslog-ng/conf.d/60-conjur-audit-listen.conf:12:3'
<43>1 2024-11-04T10:26:09.302+00:00 9b512d697d83 syslog-ng 35 - [meta sequenceId="41913"] Error reading RFC6587 style framed data; fd='46', error='Connection reset by peer (104)'
<43>1 2024-11-04T10:26:19.300+00:00 9b512d697d83 syslog-ng 35 - [meta sequenceId="41944"] SSL error while reading stream; tls_error='SSL routines:(null):unexpected eof while reading', location='/etc/syslog-ng/conf.d/60-conjur-audit-listen.conf:12:3'
<43>1 2024-11-04T10:26:19.300+00:00 9b512d697d83 syslog-ng 35 - [meta sequenceId="41945"] Error reading RFC6587 style framed data; fd='46', error='Connection reset by peer (104)'
<43>1 2024-11-04T10:26:20.163+00:00 9b512d697d83 syslog-ng 35 - [meta sequenceId="41947"] Error reading RFC6587 style framed data; fd='45', error='Connection timed out (110)'
<43>1 2024-11-04T10:26:29.354+00:00 9b512d697d83 syslog-ng 35 - [meta sequenceId="41964"] SSL error while reading stream; tls_error='SSL routines:(null):unexpected eof while reading', location='/etc/syslog-ng/conf.d/60-conjur-audit-listen.conf:12:3'
<43>1 2024-11-04T10:26:29.354+00:00 9b512d697d83 syslog-ng 35 - [meta sequenceId="41965"] Error reading RFC6587 style framed data; fd='43', error='Connection reset by peer (104)'

Thank you for that. It’s clear from these logs that there is a certificate-related error here. In particular, from the first snippet, it seems that Conjur is unable to verify the certificate used by the Kubernetes API due to it being self-signed instead of being signed by a trusted root CA.
If further troubleshooting is necessary, I would recommend submitting a support case.
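
An added example, not part of the original thread: a small Python triage of the two log snippets posted above. It separates the authenticator's upstream TLS verification failure from syslog-ng's own transport errors and decodes each line's syslog priority. The function names and category labels are made up for illustration; the sample lines are copied from the output in the thread.

```python
import re
from collections import Counter

# Sample input: four lines copied from the log output posted in the thread.
SAMPLE = """\
<14>1 2024-11-04T14:53:09.000+00:00 9b512d697d83 conjur-possum 2503173 - [meta sequenceId="93557"] [origin=10.0.23.67] [request_id=85371206-fb4a-4255-9cf9-df4b9c9b55b3] [tid=2503178] CONJ00048I Authentication Error: #<Kubeclient::HttpError: HTTP status code , SSL_connect returned=1 errno=0 peeraddr=10.0.23.8:6443 state=error: certificate verify failed (self-signed certificate in certificate chain)>
<14>1 2024-11-04T14:53:11.000+00:00 9b512d697d83 conjur-possum 2503172 - [meta sequenceId="93587"] [origin=10.0.23.67] [request_id=68ffb330-d77f-4134-a726-2bfc0baadb6f] [tid=2503203] CONJ00048I Authentication Error: #<Kubeclient::HttpError: HTTP status code , SSL_connect returned=1 errno=0 peeraddr=10.0.23.8:6443 state=error: certificate verify failed (self-signed certificate in certificate chain)>
<43>1 2024-11-04T10:25:49.280+00:00 9b512d697d83 syslog-ng 35 - [meta sequenceId="41877"] Error reading RFC6587 style framed data; fd='44', error='Connection reset by peer (104)'
<43>1 2024-11-04T10:25:59.293+00:00 9b512d697d83 syslog-ng 35 - [meta sequenceId="41894"] SSL error while reading stream; tls_error='SSL routines:(null):unexpected eof while reading', location='/etc/syslog-ng/conf.d/60-conjur-audit-listen.conf:12:3'
"""

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID rest
HEADER = re.compile(r"^<(\d+)>1 (\S+) (\S+) (\S+) (\S+) - (.*)$")
# OpenSSL verify failure as reported through Kubeclient in the CONJ00048I lines
TLS_FAIL = re.compile(
    r"peeraddr=(\S+) state=error: certificate verify failed \(([^)]*)\)")

def parse(line):
    """Split one syslog line into severity, app name and free-text message."""
    m = HEADER.match(line)
    if not m:
        return None
    pri, _ts, _host, app, _pid, rest = m.groups()
    msg = re.sub(r"^(?:\[[^\]]*\]\s*)+", "", rest)  # drop [key=value] blocks
    return {"severity": int(pri) % 8, "app": app, "msg": msg}

def classify(rec):
    """Label a record by which component failed and against which peer."""
    tls = TLS_FAIL.search(rec["msg"])
    if rec["app"] == "conjur-possum" and "CONJ00048I" in rec["msg"] and tls:
        # Conjur, acting as TLS client, rejected the chain served by this peer.
        return ("authn-upstream-tls", tls.group(1), tls.group(2))
    if rec["app"] == "syslog-ng":
        # Logged by syslog-ng about its own listener, not by the authenticator.
        return ("syslog-ng-transport", None, None)
    return ("other", None, None)

def triage(text):
    """Count records per (category, peer, reason, severity)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            counts[classify(rec) + (rec["severity"],)] += 1
    return counts

if __name__ == "__main__":
    for key, n in triage(SAMPLE).most_common():
        print(n, key)
```

The priority `<14>` decodes to severity 6 (informational) and `<43>` to severity 3 (error), so filtering the leader log by severity alone would hide the authentication failure and surface only the syslog-ng lines.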

Hi @szh !!!
I understand.
Thank you for your time and for reviewing our reports.
