Getting netrc.NetrcParseError: bad toplevel token

Hello,

We have a Conjur EE PoC/Demo that has been set up by CyberArk, and I believe I’ve retrieved my API key; however, when I am using the Python CLI I get the following response back:

Getting the API Key

> curl --silent --verbose --insecure --user ${USER}:${PASSWORD} ${URL}/authn/${ACCOUNT}/login
> 
> 
> < HTTP/1.1 200 OK
> < Server: nginx
> < Date: Fri, 20 Sep 2019 08:14:45 GMT
> < Content-Type: text/html; charset=utf-8
> < Transfer-Encoding: chunked
> < Connection: keep-alive
> < X-Frame-Options: SAMEORIGIN
> < X-XSS-Protection: 1; mode=block
> < X-Content-Type-Options: nosniff
> < ETag: W/"d6b622cb43a2740bb4eeb552f03ac06e"
> < Cache-Control: max-age=0, private, must-revalidate
> < X-Request-Id: c8df728b-e6bc-4210-9104-8dcbff4e1d83
> < X-Runtime: 0.287601
> < 
> * Connection #0 to host <redacted>.eu-west-1.compute.amazonaws.com left intact
> REDACTED396m0ya27wvvez1qsef4g1ydtf702a3rvepndk46r20m1q0a3x2ymzb

And here is the response. Is this the correct way to authenticate? The docs don’t make it quite clear:

> conjur-cli --debug --verbose --insecure --url ${URL} --account ${ACCOUNT} --api-key ${CONJUR_API_KEY} list
> 2019-09-20 09:16:07,778 INFO: Initializing configuration...
> 2019-09-20 09:16:07,778 INFO: Not all expected variables were provided. Using conjurrc as credential store...
> 2019-09-20 09:16:07,778 INFO: Trying to get configuration from filesystem (/Users/jimsmith/.conjurrc)...
> 2019-09-20 09:16:07,780 INFO: Trying to get API key from netrc...
> Traceback (most recent call last):
>   File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/conjur/client.py", line 70, in __init__
>     on_disk_config = dict(api_config_class())
>   File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/conjur/config.py", line 57, in __init__
>     netrc_obj = netrc.netrc(netrc_file)
>   File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/netrc.py", line 30, in __init__
>     self._parse(file, fp, default_netrc)
>   File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/netrc.py", line 63, in _parse
>     "bad toplevel token %r" % tt, file, lexer.lineno)
> netrc.NetrcParseError: bad toplevel token 'REDACTED396m0ya27wvvez1qsef4g1ydtf702a3rvepndk46r20m1q0a3x2ymzb' (/Users/jimsmith/.netrc, line 2)
> 
> During handling of the above exception, another exception occurred:
> 
> Traceback (most recent call last):
>   File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/bin/conjur-cli", line 10, in <module>
>     sys.exit(Cli.launch())
>   File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/conjur/cli.py", line 178, in launch
>     Cli().run()
>   File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/conjur/cli.py", line 107, in run
>     Cli.run_client_action(resource, args)
>   File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/conjur/cli.py", line 132, in run_client_action
>     debug=args.debug)
>   File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/conjur/client.py", line 80, in __init__
>     raise ConfigException(exc)
> conjur.client.ConfigException: bad toplevel token 'REDACTED396m0ya27wvvez1qsef4g1ydtf702a3rvepndk46r20m1q0a3x2ymzb' (/Users/jimsmith/.netrc, line 2)


ls -la ~/.netrc ; cat ~/.netrc
-rw-r--r--  1 jimsmith  staff  56 Sep 20 09:18 /Users/jimsmith/.netrc
REDACTED396m0ya27wvvez1qsef4g1ydtf702a3rvepndk46r20m1q0a3x2ymzb

I’ve updated the .netrc file:

machine https://REDACTED.eu-west-1.compute.amazonaws.com/authn
  login REDACTED
  password REDACTED396m0ya27wvvez1qsef4g1ydtf702a3rvepndk46r20m1q0a3x2ymzb

But now I’m getting SSL verification errors, and I’m using the --insecure switch:

conjur-cli --verbose --debug --insecure --url ${URL} --account ${ACCOUNT} list
2019-09-20 10:50:24,258 INFO: Initializing configuration...
2019-09-20 10:50:24,259 INFO: Not all expected variables were provided. Using conjurrc as credential store...
2019-09-20 10:50:24,259 INFO: Trying to get configuration from filesystem (/Users/jimsmith/.conjurrc)...
2019-09-20 10:50:24,260 INFO: Trying to get API key from netrc...
2019-09-20 10:50:24,262 INFO: Using API key with netrc credentials...
2019-09-20 10:50:24,262 WARNING: ************************************************************
2019-09-20 10:50:24,262 WARNING: 'ssl_verify' is False - YOU ARE VULNERABLE TO MITM ATTACKS!
2019-09-20 10:50:24,262 WARNING: ************************************************************
2019-09-20 10:50:24,262 INFO: Client initialized
2019-09-20 10:50:24,262 INFO: API token missing or expired. Fetching new one...
2019-09-20 10:50:24,263 INFO: Authenticating to https://<redacted>.eu-west-1.compute.amazonaws.com...
2019-09-20 10:50:24,274 DEBUG: Starting new HTTPS connection (1): <redacted>.eu-west-1.compute.amazonaws.com:443
2019-09-20 10:50:24,394 ERROR: Certificate did not match expected hostname: <redacted>.eu-west-1.compute.amazonaws.com. Certificate: {'subject': ((('commonName', 'conjur-master'),),), 'subjectAltName': [('DNS', 'conjur-master'), ('DNS', 'localhost'), ('DNS', 'conjur')]}
Traceback (most recent call last):
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/urllib3/connectionpool.py", line 603, in urlopen
    chunked=chunked)
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/urllib3/connectionpool.py", line 344, in _make_request
    self._validate_conn(conn)
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/urllib3/connectionpool.py", line 843, in _validate_conn
    conn.connect()
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/urllib3/connection.py", line 390, in connect
    _match_hostname(cert, self.assert_hostname or server_hostname)
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/urllib3/connection.py", line 400, in _match_hostname
    match_hostname(cert, asserted_hostname)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 323, in match_hostname
    % (hostname, ', '.join(map(repr, dnsnames))))
ssl.SSLCertVerificationError: ("hostname '<redacted>.eu-west-1.compute.amazonaws.com' doesn't match either of 'conjur-master', 'localhost', 'conjur'",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/urllib3/connectionpool.py", line 641, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/urllib3/util/retry.py", line 399, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='<redacted>.eu-west-1.compute.amazonaws.com', port=443): Max retries exceeded with url: /authn/cyberark/<redacted>/authenticate (Caused by SSLError(SSLCertVerificationError("hostname '<redacted>.eu-west-1.compute.amazonaws.com' doesn't match either of 'conjur-master', 'localhost', 'conjur'")))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/bin/conjur-cli", line 10, in <module>
    sys.exit(Cli.launch())
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/conjur/cli.py", line 178, in launch
    Cli().run()
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/conjur/cli.py", line 107, in run
    Cli.run_client_action(resource, args)
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/conjur/cli.py", line 135, in run_client_action
    result = client.list()
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/conjur/client.py", line 115, in list
    return self._api.list_resources()
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/conjur/api.py", line 147, in list_resources
    api_token=self.api_token,
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/conjur/api.py", line 90, in api_token
    self._api_token = self.authenticate()
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/conjur/api.py", line 133, in authenticate
    self.api_key, ssl_verify=self._ssl_verify).text
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/conjur/http.py", line 59, in invoke_endpoint
    headers=headers)
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/requests/api.py", line 116, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/Users/jimsmith/Workspace/virtualenv/conjur-ee-poc-ce-python3.7/lib/python3.7/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='<redacted>.eu-west-1.compute.amazonaws.com', port=443): Max retries exceeded with url: /authn/cyberark/<redacted>/authenticate (Caused by SSLError(SSLCertVerificationError("hostname '<redacted>.eu-west-1.compute.amazonaws.com' doesn't match either of 'conjur-master', 'localhost', 'conjur'")))
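The first traceback above comes from Python’s stdlib netrc module, which the Conjur client calls from config.py (line 57 in the trace). The example below is added here and is not Jim’s file or the Conjur CLI’s own code: it feeds the stdlib parser both the bare-key file from the post and a properly structured machine/login/password entry, and reports which permission bits the stdlib’s own security check looks at. The machine name conjur.example.internal and the login jim are placeholders (assumptions); the key string is the redacted value from the thread, reused only as an opaque token.

```python
import netrc
import os
import tempfile

# Constructed sample contents (not the poster's real files); the key is the
# redacted value from the thread, reused only as an opaque string.
API_KEY = "REDACTED396m0ya27wvvez1qsef4g1ydtf702a3rvepndk46r20m1q0a3x2ymzb"

# What the post's ~/.netrc contained: the API key alone, with no "machine" entry.
BROKEN_NETRC = API_KEY + "\n"

# The token structure the netrc parser expects. The machine name and login are
# placeholders (assumption): use whatever your client looks the entry up by.
GOOD_NETRC = (
    "machine conjur.example.internal\n"
    "  login jim\n"
    "  password " + API_KEY + "\n"
)


def parse_netrc_text(text, mode=0o600):
    """Write `text` to a temporary file with `mode` and parse it with netrc.

    Returns (parsed, error, too_permissive):
      parsed         - the netrc.netrc object, or None if parsing failed
      error          - the NetrcParseError message, or None
      too_permissive - True if any group/other permission bits are set
    """
    fd, path = tempfile.mkstemp(prefix="netrc-demo-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
        too_permissive = bool(os.stat(path).st_mode & 0o077)
        try:
            return netrc.netrc(path), None, too_permissive
        except netrc.NetrcParseError as exc:
            # str(exc) is "<msg> (<file>, line <n>)", as in the post's traceback
            return None, str(exc), too_permissive
    finally:
        os.unlink(path)


def lookup_api_key(text, machine):
    """Return (login, password) for `machine`, or None if the file is malformed
    or has no matching entry. authenticators() also honours a 'default' entry."""
    parsed, _error, _too_permissive = parse_netrc_text(text)
    if parsed is None:
        return None
    auth = parsed.authenticators(machine)
    if auth is None:
        return None
    login, _account, password = auth
    return login, password


if __name__ == "__main__":
    _, err, _ = parse_netrc_text(BROKEN_NETRC)
    print("bare key:", err)
    print("structured:", lookup_api_key(GOOD_NETRC, "conjur.example.internal"))
```

One caveat worth knowing: the stdlib only enforces its owner/0600 check when netrc.netrc() is called with no path (the default ~/.netrc). The traceback shows the client passing an explicit path (netrc.netrc(netrc_file)), so the -rw-r--r-- mode shown by ls -la above is not what failed; the parse error is purely the missing machine/login/password tokens. An API key in a group- and world-readable file is still worth fixing with chmod 600 ~/.netrc.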

I believe the --insecure switch is just ignoring whether or not the certificate is trusted; it isn’t skipping the step where it compares the names in the certificate returned from the server to the name used in the connection request. The easiest way around this is to set up an entry in your hosts file to point conjur-master to the IP address of your EC2 instance, then change the name in your request URL to conjur-master.
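The mismatch in the traceback is between the name in the URL (the EC2 public DNS name) and the names in the certificate (conjur-master, localhost, conjur). As an added illustration, not code from the thread, the Conjur CLI or urllib3, the block below reimplements that SAN comparison over the certificate dict urllib3 logged, extends it to the general wildcard rule, and shows with the stdlib ssl module that hostname checking (check_hostname) is a layer separate from CA trust (verify_mode): a default client context will not even let you drop CA verification while the name check is still on. It also shows the socket-level equivalent of the hosts-file trick when /etc/hosts is locked down: connect to the address you have, but hand the SAN name to wrap_socket(server_hostname=...). WILDCARD_CERT, the ec2-… hostname in the test and conjur.example.internal are constructed.

```python
import socket
import ssl

# The peer certificate exactly as urllib3 logged it in the post, in the dict
# shape that ssl.SSLSocket.getpeercert() returns.
PEER_CERT = {
    "subject": ((("commonName", "conjur-master"),),),
    "subjectAltName": [("DNS", "conjur-master"), ("DNS", "localhost"), ("DNS", "conjur")],
}

# Constructed wildcard certificate, to show the general rule (not from the thread).
WILDCARD_CERT = {
    "subject": ((("commonName", "*.conjur.example.internal"),),),
    "subjectAltName": [("DNS", "*.conjur.example.internal")],
}


def dns_names(cert):
    """dNSName SAN entries; fall back to the CN only when the cert has no SANs at all
    (the behaviour of ssl.match_hostname in Python 3.7)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, wildcard allowed only as the
    whole leftmost label, matching exactly one label, never for a bare *.tld."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if the name the client connected to appears in the certificate."""
    return any(name_matches(n, hostname) for n in dns_names(cert))


def verifying_context(cafile=None):
    """Client context that checks both the chain (against cafile, or the system
    store when None) and the hostname."""
    return ssl.create_default_context(cafile=cafile)


def trust_off_hostname_on_is_allowed():
    """The stdlib refuses to drop chain verification while hostname checking is on:
    name matching is a separate layer above CA trust, not part of it."""
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return False
    return True


def open_verified_socket(address, expected_name, cafile, port=443):
    """Connect to `address` (an IP or any resolvable name) but verify the chain
    against `cafile` and the certificate against `expected_name`. SNI and the
    hostname check both use server_hostname, not the address the TCP connection
    went to. Not called here because it needs a live endpoint."""
    ctx = verifying_context(cafile)  # check_hostname stays True
    raw = socket.create_connection((address, port))
    return ctx.wrap_socket(raw, server_hostname=expected_name)


if __name__ == "__main__":
    ec2 = "ec2-203-0-113-10.eu-west-1.compute.amazonaws.com"  # constructed
    print("EC2 name in cert? ", hostname_matches(PEER_CERT, ec2))
    print("conjur-master in cert?", hostname_matches(PEER_CERT, "conjur-master"))
    print("CERT_NONE with check_hostname on allowed?", trust_off_hostname_on_is_allowed())
```

open_verified_socket works at the socket layer; whether the Conjur Python CLI exposes an equivalent switch is not something this thread establishes, so treat it as a way to confirm the cert and CA bundle are otherwise fine, not as a CLI fix.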

Hey Jim,
I tracked this down a bit: if you specify a ca_bundle / cert_file either on the CLI or in your .conjurrc file, it will override the --insecure flag and try to verify the hostname. See here. Either @nathan.whipple’s suggestion should work, or you can snip out “cert_file” from your .conjurrc.

Let me know if that works.

@sgnn7 Hey, thanks for replying.
I’ve been trying (without success) to pass the CA bundle cert that conjur init generates:

conjur-cli --debug --verbose --ca-bundle ~/conjur-cyberark.pem --url ${URL} --account ${ACCOUNT} --user foo --password bar list

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='<redacted>.eu-west-1.compute.amazonaws.com', port=443): Max retries exceeded with url: /authn/cyberark/login (Caused by SSLError(SSLCertVerificationError("hostname '<redacted>.eu-west-1.compute.amazonaws.com' doesn't match either of 'conjur-master', 'localhost', 'conjur'")))


cat ~/.conjurrc
---
account: cyberark
plugins: []
appliance_url: https://<redacted>.eu-west-1.compute.amazonaws.com
cert_file: "/Users/jimsmith/conjur-cyberark.pem"

sadly the hosts file is locked down :(

there is no ca_bundle switch:
-c CA_BUNDLE, --ca-bundle CA_BUNDLE

I’ve tried -c and also --ca_bundle, without success.

I also tried ca_bundle: “/Users/jimsmith/conjur-cyberark.pem” in ~/.conjurrc

Hey Jim,
There’s the --ca-bundle that you tried, but maybe I am having trouble understanding what you are trying to accomplish here, so I’ll list the config-loading logic paths that might be relevant:

  • If you care about verifying the SSL cert, you have to have the matching SAN name in the cert and the client must be able to resolve that. This is a security feature.
  • You can fake the SAN mapping by editing /etc/hosts on the machine if you have the proper cert
  • You do not need any conjur init setup for the python CLI but the python CLI will use it if it’s present
  • If you do not specify authentication details in python CLI, it will use .conjurrc/.netrc to configure itself
  • Python CLI uses $HOME to resolve the path of those two files so you could change $HOME before invoking the python CLI to make it think those files are somewhere else (HOME=/foo conjur-cli ... might work I think)
  • If the CLI ends up using .conjurrc / netrc, it will override (see client.py#L64) any setting passed into the CLI
  • Passing the bundle into the CLI will verify the certificate, including the SAN names
  • The only setting that will allow SAN override is --insecure + no --ca-bundle + no reading of .conjurrc. The last one in the list can be accomplished by setting the appropriate auth details as you invoke the CLI.

Hey @sgnn7
OK, so I’ve removed .conjurrc and also .netrc, so they aren’t in the picture anymore.

I’ll report back, as it seems there are old settings from previously using the Ruby CLI client…

@sgnn7

That works when moving those files out of the way:

conjur-cli --debug --verbose --insecure --url ${URL} --account ${ACCOUNT} --user foo --api-key ${CONJUR_API_KEY} list
2019-09-20 16:05:28,582 INFO: Initializing configuration...
2019-09-20 16:05:28,582 INFO: Using API key from parameters...
2019-09-20 16:05:28,582 WARNING: ************************************************************
2019-09-20 16:05:28,582 WARNING: 'ssl_verify' is False - YOU ARE VULNERABLE TO MITM ATTACKS!
2019-09-20 16:05:28,583 WARNING: ************************************************************
2019-09-20 16:05:28,583 INFO: Client initialized
2019-09-20 16:05:28,583 INFO: API token missing or expired. Fetching new one...
2019-09-20 16:05:28,583 INFO: Authenticating to https://redacted.eu-west-1.compute.amazonaws.com...
2019-09-20 16:05:28,587 DEBUG: Starting new HTTPS connection (1): redacted.eu-west-1.compute.amazonaws.com:443
2019-09-20 16:05:28,859 DEBUG: https://redacted.eu-west-1.compute.amazonaws.com:443 "POST /authn/cyberark/foo/authenticate HTTP/1.1" 200 None
2019-09-20 16:05:28,863 DEBUG: Starting new HTTPS connection (1): redacted.eu-west-1.compute.amazonaws.com:443
2019-09-20 16:05:29,122 DEBUG: https://redacted.eu-west-1.compute.amazonaws.com:443 "GET /resources/cyberark HTTP/1.1" 200 None
[
    "cyberark:variable:JimSSHKeys/database"
]

TIL: that bit about the .conjurrc overriding settings passed into the CLI. That makes way more sense than what I was guessing at!
