How to add a trusted CA certificate to Conjur?

Hi,

We’re trying to integrate Conjur with our local Gitlab for CI.
Conjur tries to retrieve the JWKS from Gitlab for validating the JWT token presented by the Gitlab runner job. But as the Gitlab is a local instance with our own certificate signed by our own CA, Conjur does not recognize the CA and we get a:

failed to authenticate with authenticator authn-jwt service conjur:webservice:conjur/authn-jwt/gitlab: CONJ00087E Failed to fetch JWKS from ‘https://gitlab01.ourinternaldomain.com’. Reason: ‘#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)>’

How can we add our CA certificate to Conjur for enabling the connection to Gitlab?

Thanks for your help.

Hi @jmarmin -

Conjur’s Gitlab integration relies on our generic JWT Authenticator, which offers an optional configuration variable ca-cert. A description of the variable from the documentation reads:

When the JWKS provider server uses a self-signed certificate or the certificate is signed by third-party CA, use this variable to establish a TLS connection and validate server identity.

Certificates from this variable (can be one or many certificates) override default operating system CA certificate bundles when fetching the JWKS from the remote URI.

Value: The X.509 public key certificate or certificate bundle. Each certificate in the bundle should be in PEM (RFC7468) format.

Required: No

Adding a !variable ca-cert entry to your conjur/authn-jwt/gitlab policy branch and loading your CA certificate should solve your problem.

2 Likes
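As an added illustration of the answer above (example code, not from the thread or from CyberArk): a small script that adds the ca-cert variable to the conjur/authn-jwt/gitlab branch, sanity-checks the PEM bundle, and loads it as the variable's value. It assumes the Conjur CLI v8 command syntax (`conjur policy load -b/-f`, `conjur variable set -i/-v`) and takes the bundle path as its first argument.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the Conjur CLI v8
# syntax (conjur policy load -b/-f, conjur variable set -i/-v) and that the
# CA bundle path is given as the first argument, e.g. ./ca-bundle.pem.
set -e

BRANCH="conjur/authn-jwt/gitlab"   # the policy branch named in the answer

# Write the policy fragment that adds the optional ca-cert variable to the
# existing branch; loading it with "policy load" is additive.
write_policy() {
  cat > "$1" <<'EOF'
- !variable ca-cert
EOF
}

# Pre-flight check on the PEM bundle before it is loaded into Conjur:
# prints the number of certificates, fails if BEGIN/END markers do not
# pair up or the file holds no certificate at all.
count_pem_certs() {
  begins=$(awk '/^-----BEGIN CERTIFICATE-----$/{n++} END{print n+0}' "$1")
  ends=$(awk '/^-----END CERTIFICATE-----$/{n++} END{print n+0}' "$1")
  [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] || return 1
  echo "$begins"
}

# Declare the variable in the branch, then set its value to the whole
# bundle (Conjur accepts one or many PEM certificates in ca-cert).
load_ca_cert() {
  bundle=$1
  policy=$(mktemp)
  write_policy "$policy"
  conjur policy load -b "$BRANCH" -f "$policy"
  conjur variable set -i "$BRANCH/ca-cert" -v "$(cat "$bundle")"
  rm -f "$policy"
}

# Usage: sh add-ca-cert.sh ./ca-bundle.pem
if [ "$#" -ge 1 ]; then
  n=$(count_pem_certs "$1") || { echo "malformed or empty PEM bundle: $1" >&2; exit 1; }
  echo "$1 holds $n certificate(s); loading into $BRANCH/ca-cert"
  load_ca_cert "$1"
fi
```

Because ca-cert overrides the operating system bundle, the value must contain every CA needed to build the Gitlab server's chain (intermediate CAs included), not just the root.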

Thank you for your help!

That worked and Conjur was able to establish a secure connection to Gitlab.