JWT Authenticator JWKS CA PEM

Hi Folks,

I am trying to get the authn-jwt authenticator to work.
I did setup the authenticator as described in the documentation:

We are using our own, self-hosted gitlab instance and the conjur server is not able to validate/trust the https certificate of the JWKS provider/uri, as indicated by the following error in the logs (when I actually try to authenticate via the authenticator URL):
<84>1 2021-11-26T07:02:22.698+00:00 887cbb48facb conjur bef609dd-f3b7-410b-a5da-c2bac982fb20 authn [subject@43868 role=":user:USERNAME_MISSING"][auth@43868 authenticator="authn-jwt" service=":webservice:conjur/authn-jwt/gitlab" user="not-found"][client@43868 ip=""][action@43868 result="failure" operation="authenticate"][meta sequenceId="1"] customer-account:user:USERNAME_MISSING failed to authenticate with authenticator authn-jwt service :webservice:conjur/authn-jwt/gitlab: CONJ00087E Failed to fetch JWKS from 'https:///-/jwks/'. Reason: '#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)>'
(I removed/replaced customer-specific information with italic <> placeholders)

Unfortunately, the jwt authenticator does not offer a setting like the LDAP integration to provide the ca-cert of the corresponding endpoint. Therefore I am at a loss how to implement the authenticator.

Any assistance is appreciated.

Hi,

Thank you for reaching out!

If I understood correctly, you are using a self-hosted Gitlab instance, which means you are not working with the Gitlab official root CA.
This flow is currently not supported for JWT authenticator. JWT authentication to Conjur is currently supported only when the JWT is signed with the root CA of the JWT vendor.

You will be able to work with this authenticator on other gitlab instances where the public key used is the Gitlab root CA.
In this case the JWKS URI should be 'https://gitlab.com/-/jwks/'.

Is there anything else we can assist with? Any other feedback or issue you would like to raise on this subject (technical / documentation related)?

Thank you,
Sapir.

Hi,

thank you for the response. You are correct - we are using a self-hosted Gitlab instance with certificates from the customer's CA.

I don’t really understand the limitation as the only issue currently seems to be the certificate trust relationship and not the authentication flow in general. If I am not mistaken, JWT should also not be limited to gitlab or a specific vendor in general. Furthermore, the documentation does also not reflect the limitation to the official Gitlab repository. I would have expected (or suggest) a similar configuration as for the LDAP authenticator where one can provide a trusted certificate for the authenticator communication.

Are there any plans to support a general implementation or is there a workaround to still use the authenticator? The use case has recently risen in importance for our customer.

Thanks,

Leonard

I’m able to get authn-jwt working with Jenkins so long as the Jenkins SSL root CA issuer matches the same root CA issuer that is imported into Conjur. I would assume if you’re rolling a self-hosted GitLab instance, this would be the same. So, if you had Sectigo sign the SSL certificates imported into Conjur, you’d want Sectigo to also sign the SSL certificates in use by GitLab.

Hey Joe, I appreciate the idea. Unfortunately we are currently not running our Conjur instance with a certificate from the same authority because the customer's policy prevents us from rolling out certificates that themselves may act as a CA (which is needed for conjur and the kubernetes integration).

I will, however, take this as another reason to discuss this issue further with the customer. A different option we are exploring is using a publicly valid certificate (with a valid domain) for our self-hosted gitlab instance.

Nevertheless I would suggest and appreciate looking into the option to provide the SSL certificate with the authenticator configuration as this would be the most flexible way, and I don’t really see a downside from a security perspective (as I mentioned - similar to the other authenticators).


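To make the trust failure in the log above concrete, here is an added example that is not Conjur's code and not from anyone in this thread. It is written in Ruby because the error in the log comes from Conjur's OpenSSL::SSL::SSLError, and it reproduces offline the two checks an HTTPS client performs before it will fetch a JWKS document: chain validation against a CA bundle, then hostname (SAN) matching. The CA, the leaf certificate and the host name gitlab.example.internal are all constructed for the example; nothing here is the customer's real PKI. Without the customer CA in the bundle the verifier reports exactly the reason seen in the log, "unable to get local issuer certificate", which is what providing a CA PEM to the authenticator (as the LDAP authenticator allows) would fix.

```ruby
require 'openssl'

# Build a certificate. With ca: true it is a self-signed CA; otherwise it is a
# leaf signed by the given issuer. Names and hosts are constructed for the example.
def make_cert(subject:, issuer: nil, issuer_key: nil, ca: false, san: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..(2**62))
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}"))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Parse a concatenated PEM bundle (for example a CA file handed to an
# authenticator) into certificate objects.
def load_pem_bundle(pem_text)
  pem_text.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
          .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# The trust decision an HTTPS client makes before fetching JWKS:
# 1. does the server certificate chain to something in the CA bundle?
# 2. is the certificate valid for the host named in the JWKS URI?
# Returns { ok: true/false, reason: String } so callers can log the reason.
def check_jwks_endpoint_trust(leaf_cert, ca_certs, hostname)
  store = OpenSSL::X509::Store.new
  ca_certs.each { |c| store.add_cert(c) }
  return { ok: false, reason: store.error_string } unless store.verify(leaf_cert)

  unless OpenSSL::SSL.verify_certificate_identity(leaf_cert, hostname)
    return { ok: false, reason: "hostname mismatch: certificate is not valid for #{hostname}" }
  end
  { ok: true, reason: 'ok' }
end

# Constructed stand-in for a customer CA and the self-hosted GitLab server cert.
def build_constructed_pki
  ca_cert, ca_key = make_cert(subject: '/CN=Example Customer Root CA', ca: true)
  leaf_cert, _leaf_key = make_cert(subject: '/CN=gitlab.example.internal',
                                   issuer: ca_cert, issuer_key: ca_key,
                                   san: 'gitlab.example.internal')
  [ca_cert, leaf_cert]
end

if __FILE__ == $PROGRAM_NAME
  ca, leaf = build_constructed_pki
  host = 'gitlab.example.internal'
  puts "with customer CA in bundle:    #{check_jwks_endpoint_trust(leaf, [ca], host)}"
  puts "with empty bundle (the log):   #{check_jwks_endpoint_trust(leaf, [], host)}"
  puts "wrong host in JWKS URI:        #{check_jwks_endpoint_trust(leaf, [ca], 'other.example.internal')}"
end
```

To run the same check against a real endpoint, save the server certificate the JWKS host presents (for example from the output of openssl s_client -showcerts) and the customer CA PEM, read both through load_pem_bundle, and pass the host from the JWKS URI; if the result is not ok, the reason string is the one the client library would raise, so the check separates a missing-CA problem from a SAN mismatch before anything is changed in the authenticator.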
@SapirZamir can you please bring the above comment from @Ire internal to the proper parties for authn-jwt?


I’m not aware of the experience in GitLab, but I know the experience in Jenkins is that you can alternatively add the Conjur public SSL certificate to the Java keystore for Jenkins in order to create a trusted relationship between the two when the signing CA is not a match. I would investigate GitLab’s platform to see if there is a way that this can be done.

Actually, doing a quick Google search turned up this process for trusting a public certificate in GitLab: SSL Configuration | GitLab.

Hope this helps!


Hi @joe.garcia and @ire,

Yes we are considering adding this capability to our JWT authenticator configuration.
Hope to update soon about this.

Thank you!
Sapir.