HTTP/1.1 401 Unauthorized error on creating hosts, while using hftoken using conjur hostfactory tokens create --duration-days 1 --cidr hosts

Policy used -
# === Layer for Automated Secret Access ===
- !policy
  id: hosts
  description: Layer & Host Factory for machines that can read secrets
- !layer
- !host-factory
  layer: !layer # <— *** linked layer here ***
- !permit
  role: !group ansible/secrets-users
  privileges: [ read, execute ]
  resource: !variable ansible/ssh_private_key
  #member: !layer hosts
Token created:
root@c76bf5191edd:/# conjur hostfactory tokens create --duration-days 1 --cidr hosts
“token”: “3hrfeh12p4fp6w3swsvsb1w1b5xe88ygk43t4f7z6hg0dzc26zryq1”,
“expiration”: “2020-07-02T11:16:35+00:00”,
“cidr”: [

BUT the host creation is failing every time…

conjur]# curl -vvv --request POST --data-urlencode id=brand-new -H "Authorization: Token token=“3hrfeh12p4fp6w3swsvsb1w1b5xe88ygk43t4f7z6hg0dzc26zryq1"” --insecure

* About to connect() to port 8443 (#0)
*   Trying…
* Connected to ( port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* Server certificate:
*   subject: CN=proxy,OU=Onyx,O=CyberArk,L=Madison,ST=Wisconsin,C=US
*   start date: Jun 30 07:19:50 2020 GMT
*   expire date: Jun 30 07:19:50 2021 GMT
*   common name: proxy
*   issuer: CN=proxy,OU=Onyx,O=CyberArk,L=Madison,ST=Wisconsin,C=US
> POST /host_factories/hosts HTTP/1.1
> User-Agent: curl/7.29.0
> Accept: */*
> Authorization: Token token=3hrfeh12p4fp6w3swsvsb1w1b5xe88ygk43t4f7z6hg0dzc26zryq1
> Content-Length: 12
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 12 out of 12 bytes
< HTTP/1.1 401 Unauthorized
< Server: nginx/1.13.6
< Date: Wed, 01 Jul 2020 11:17:06 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: no-cache
< X-Request-Id: 816ed63e-5b08-421e-9b9b-a3dbca106cef
< X-Runtime: 0.008276
* Connection #0 to host left intact

Please help !!!

First stab at this, I think you need to escape your quotes around the host factory token. So instead of the above, make it read: curl -vvv --request POST --data-urlencode id=brand-new -H "Authorization: Token token=\"3hrfeh12p4fp6w3swsvsb1w1b5xe88ygk43t4f7z6hg0dzc26zryq1\"" --insecure. Additionally, it looks like you have a different ascii character for the quotation marks. I’ve seen that cause issues as well. Let us know if that works for you!

- Nate
1 Like
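
The header quoting discussed in the reply above, as an added example that is not part of the original thread: a small wrapper that rejects tokens carrying typographic quotes and emits the `Authorization: Token token="…"` header with plain ASCII quotes. The base URL argument, the `CONJUR_CA` variable and the assumed token character set (lowercase letters and digits, inferred from the token shown in the thread) are assumptions.

```shell
#!/bin/sh
# Added example: build the host factory Authorization header safely.

# hf_auth_header TOKEN: print 'Authorization: Token token="TOKEN"'.
# Fails if TOKEN contains anything but [a-z0-9] (assumed charset, inferred
# from the token shown in this thread), e.g. pasted typographic quotes.
hf_auth_header() {
    hf_token=$1
    # Drop ASCII double quotes pasted around the token.
    hf_token=${hf_token#\"}
    hf_token=${hf_token%\"}
    case $hf_token in
        '' | *[!abcdefghijklmnopqrstuvwxyz0123456789]*)
            echo "token is empty or contains unexpected characters" >&2
            return 1 ;;
    esac
    # Single-quoted format string: the inner double quotes reach curl as-is.
    printf 'Authorization: Token token="%s"\n' "$hf_token"
}

# create_host BASE_URL TOKEN HOST_ID: POST to the host factory endpoint.
# CONJUR_CA (hypothetical variable) points at the Conjur CA certificate,
# so the server is verified instead of passing --insecure.
create_host() {
    hf_header=$(hf_auth_header "$2") || return 1
    curl --silent --show-error --fail \
        --cacert "${CONJUR_CA:?set CONJUR_CA to the CA bundle path}" \
        --request POST \
        --data-urlencode "id=$3" \
        -H "$hf_header" \
        "$1/host_factories/hosts"
}
```

Passing the header through a variable built with a single-quoted `printf` format avoids the nested-quote escaping that the original command got wrong.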

Thanks @nathan.whipple. Your suggestion was a help!

Also, could you help me here?

Actually, I have used a self-signed certificate to conjurise my Ansible host, but upon fetching secrets it's failing via summon and with the conjur_variable lookup plugin too!

TASK [debug] ***********************************************************************************************************************************************************
task path: /vandana_ansible/conjur_Ans_https/test_Conjur.yml:5
conf file: /etc/conjur.conf
Loading configuration from: /etc/conjur.conf
identity file: /etc/conjur.identity
Loading identity from: /etc/conjur.identity for
Authentication request to Conjur at:, with user: host/vuhplabgtawx001b
fatal: [localhost]: FAILED! => {
“msg”: “An unhandled exception occurred while running the lookup plugin ‘conjur_variable’. Error was a <class ‘urllib2.HTTPError’>, original message: HTTP Error 401: Unauthorized”

PLAY RECAP *************************************************************************************************************************************************************
localhost : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

[root@vuhplabgtawx003 conjur_Ans_https]# /usr/local/lib/summon/summon-conjur ansible/ssh_private_key
Post x509: cannot validate certificate for because it doesn’t contain any IP SANs
[root@vuhplabgtawx003 conjur_Ans_https]#
Also the conjur.identity file is …
[root@vuhplabgtawx003 conjur_Ans_https]# cat /etc/conjur.identity
login host/vuhplabgtawx001b
password 180z7hg2ce7k3m1gvh6e62cr14ra1r08v058x14hjvxb0937x0h7r
[root@vuhplabgtawx003 conjur_Ans_https]#

Your certificate validation is failing because you’ve used the IP address of your conjur master, but the public certificate presented by the master does not have an IP address in the subject or subject alternate names. You need to make it so that Ansible can either use DNS to resolve the master url, or make it so Ansible uses an /etc/hosts file for name resolution.
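
One way to check the mismatch described in the answer above before touching the Ansible configuration (an added example, not code from the thread or from CyberArk): list the certificate's subjectAltName entries and test whether the host part of the configured URL is among them. The function names are hypothetical, only IPv4 literals are recognised as IP addresses, and wildcard SAN entries are not expanded.

```shell
#!/bin/sh
# Added example: does the Conjur URL match the certificate's SAN entries?

# cert_sans PEM_FILE: print the subjectAltName entries, one per line,
# in the form openssl prints them ("DNS:name" or "IP Address:1.2.3.4").
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed 's/^ *//'
}

# san_covers SAN_LIST TARGET: succeed if TARGET is listed in SAN_LIST
# (newline-separated). IPv4 literals must appear as an IP SAN; anything
# else is compared, case-insensitively, against the DNS SANs.
san_covers() {
    case $2 in
        *[!0-9.]*) san_want="DNS:$2" ;;
        *)         san_want="IP Address:$2" ;;
    esac
    printf '%s\n' "$1" | grep -qixF "$san_want"
}

# check_conjur_url SAN_LIST URL: report whether the host in URL will pass
# certificate name validation; returns non-zero on a mismatch.
check_conjur_url() {
    url_host=${2#*://}           # strip the scheme
    url_host=${url_host%%[:/]*}  # strip port and path
    if san_covers "$1" "$url_host"; then
        echo "ok: $url_host is in the certificate SANs"
    else
        echo "mismatch: $url_host is not in the SANs; use a listed DNS name (via DNS or /etc/hosts)"
        return 1
    fi
}
```

Typical use is `check_conjur_url "$(cert_sans conjur.pem)" "$url"`, where `conjur.pem` is the server certificate file and `$url` is the appliance URL the client is configured with.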


Hi @ReadingConjur,
I would also suggest using our collection from Ansible Galaxy. The lookup plugin within the collection is the most up to date and any updates will firstly be done there. It has been enhanced with:
• The lookup plugin can be configured through environment variables
• An option has been added to use self signed certs
• Encoding of the host id is not required anymore.

To install the collection:

$ ansible-galaxy collection install cyberark.conjur

You would then use:

msg: "{{ lookup('cyberark.conjur.conjur_variable', '/path/to/secret') }}"

Rather than:

msg: "{{ lookup('conjur_variable', '/path/to/secret') }}"

Let us know how it goes,