Unable to login into conjur-cli against SSL certificate downloaded via conjur init

Hi,

I am able to fetch the pem file on my local machine from https://172.18.X.X (this is a docker container - ngx-proxy) while performing the steps below:

conjur init
appliance url - https://172.18.X.X
accountName - MyAccountName

Got the output below:
Enter the URL of your Conjur service: https://172.18.0.2

SHA1 Fingerprint=B9:DA:15:02:CF:8F:B7:E9:A6:88:5A:A6:B0:CC:03:F1:47:81:95:41

Please verify this certificate on the appliance using command:

    openssl x509 -fingerprint -noout -in ~conjur/etc/ssl/conjur.pem

Trust this certificate (yes/no): yes
Enter your organization account name: myConjurAccount
Wrote certificate to /root/conjur-myConjurAccount.pem
File /root/.conjurrc exists. Overwrite (yes/no): yes
Wrote configuration to /root/.conjurrc

After this step, I ran the command `conjur auth login` with username admin from my local machine and received the error below:
error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unspecified certificate verification error)

I tried getting the certificate using:

openssl s_client -showcerts -connect 172.18.0.2:443 < /dev/null 2> /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

and saw that the certificates are the same as the one downloaded via conjur init.

Am I missing anything on the SSL side, since I downloaded the correct certificate?

Verified the certificate using the command:

openssl s_client -connect 172.18.0.2:443 -showcerts -CAfile ./conjur-myConjurAccount.pem

and it displays the output attached here (openssl_output.txt). It states "SSL handshake has read 1556 bytes and written 429 bytes"

Verification: OK

Please suggest.


Typically the self-signed certificate is created using the hostname of the appliance; in this case we are trying to connect using an IP address. I would recommend using the hostname rather than the IP address.

Regards,
Andrew
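To make the hostname-versus-IP point concrete, here is an added example (not from this thread or from CyberArk): it builds two constructed self-signed certificates, one issued for the hostname "proxy" only and one that also carries the IP 172.18.0.2 as a subjectAltName, and checks each with `openssl verify`. It assumes the openssl CLI (1.1.1 or newer) is on PATH; the names and address are taken from the thread but the certificates are generated locally.

```shell
#!/bin/sh
# Added example: why a self-signed appliance certificate verifies for its
# hostname but not for a bare IP address, and what a cert needs to carry
# for the IP to verify too. Assumes the openssl CLI (1.1.1+) is installed.
set -u
WORK=$(mktemp -d)

# Constructed self-signed cert for CN=proxy with the given subjectAltName.
#   $1 = output basename, $2 = subjectAltName value (e.g. "DNS:proxy")
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=proxy" -addext "subjectAltName=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Returns 0 when cert $1, trusted as its own CA, is valid for hostname $2.
verify_host() {
    openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$2" \
        "$WORK/$1.pem" >/dev/null 2>&1
}

# Returns 0 when cert $1, trusted as its own CA, is valid for IP address $2.
# OpenSSL only matches IP addresses against IP SANs, never against the CN.
verify_ip() {
    openssl verify -CAfile "$WORK/$1.pem" -verify_ip "$2" \
        "$WORK/$1.pem" >/dev/null 2>&1
}

# hostonly mirrors a typical appliance cert: hostname SAN, no IP SAN.
make_cert hostonly "DNS:proxy"
make_cert withip   "DNS:proxy,IP:172.18.0.2"

# Stand-alone demonstration of the three cases discussed above.
verify_host hostonly proxy      && echo "hostonly: hostname proxy      -> OK"
verify_ip   hostonly 172.18.0.2 || echo "hostonly: IP 172.18.0.2       -> verify failed (no IP SAN)"
verify_ip   withip   172.18.0.2 && echo "withip:   IP 172.18.0.2       -> OK (IP SAN present)"
```

The same matching rules apply to `conjur init`'s trust prompt and to Ansible's urllib-based lookup: whichever name you put in the appliance URL must appear in the certificate's SAN, so either connect by the hostname the cert was issued for or issue a certificate that also lists the IP.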

Thanks Andrew!!! I tagged the IP address with "proxy", which is acting as a hostname, and then it worked. Via Conjur-CLI I am able to login…

Now I am stuck with a certificate issue via Ansible, which is giving me the error below:

task path: /home/fedora/ansible/conjur-quickstart/ansible_project/playbook.yml:17
conf file: /etc/conjur.conf
Loading configuration from: /etc/conjur.conf
identity file: /etc/conjur.identity
Loading identity from: /etc/conjur.identity for https://proxy
Authentication request to Conjur at: https://proxy/authn/myConjurAccount/admin/authenticate, with user: admin
fatal: [localhost]: FAILED! => {
"msg": "An unhandled exception occurred while running the lookup plugin 'conjur_variable'. Error was a <class 'urllib.error.URLError'>, original message: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1076)>"
}

Any suggestions?

What does your conjur.config look like? It should have a certificate section in there, and it should point to the same certificate that exists on the conjur cli container, located at "~/myConjurAccount-conjur.pem".

All of these issues seem to be related to Conjur using a self-signed certificate. We recommend using this product with a valid certificate in production, and you will not run into these issues.

Thanks,
Andrew
