Error with certificates trying to retrieve a secret #176

R3DRUN3 · 2023-06-12T16:06:30Z

Summary

When I try to retrieve a secret, I get the following error:
x509: certificate is not standards compliant.

I noticed it may be related to this issue however, even trying from ubuntu, I get a certificate error, albeit a different one:
x509: certificate signed by unknown authority.

Steps to Reproduce

The following is the Go script that I am using:

package main

import (
	"fmt"
	"os"

	"github.com/cyberark/conjur-api-go/conjurapi"
	"github.com/cyberark/conjur-api-go/conjurapi/authn"
)

func main() {
	variableIdentifier := "secrets/TEST-VARIABLE-TEKTON-PIPELINE"

	config, err := conjurapi.LoadConfig()
	if err != nil {
		panic(err)
	}

	conjur, err := conjurapi.NewClientFromKey(config,
		authn.LoginPair{
			Login:  os.Getenv("CONJUR_AUTHN_LOGIN"),
			APIKey: os.Getenv("CONJUR_AUTHN_API_KEY"),
		},
	)
	if err != nil {
		panic(err)
	}

	// Retrieve a secret into []byte.
	secretValue, err := conjur.RetrieveSecret(variableIdentifier)
	if err != nil {
		panic(err)
	}
	fmt.Println("The secret value is: ", string(secretValue))

	// Retrieve a secret into io.ReadCloser, then read into []byte.
	// Alternatively, you can transfer the secret directly into secure memory,
	// vault, keychain, etc.
	secretResponse, err := conjur.RetrieveSecretReader(variableIdentifier)
	if err != nil {
		panic(err)
	}

	secretValue, err = conjurapi.ReadResponseBody(secretResponse)
	if err != nil {
		panic(err)
	}
	fmt.Println("The secret value is: ", string(secretValue))
}

Expected Results

The program complete the secret retrieval without errors.

Actual Results

See the above errors.

Reproducible

Always (in my environment)

Version/Tag number

go version: go1.20.4 darwin/amd64
library version: github.com/cyberark/conjur-api-go v0.11.0

Environment setup

The script is launched from localhost and the Conjur instance is on a remote VM (connection via VPN).

Additional Information

I get the same error with the terraform conjur provider.
The config env vars are ok: I've succesfully run a bash script with the same values and it works.

It seems that the problem is related to self signed certificates, is there a way to bypass this check?
Thank you.

R3DRUN3 · 2023-06-13T15:25:37Z

NOTE I was able to bypass this problem by specifying the full certificate chain instead of just the Conjur host certificate, this also solved the problems that I was having with terraform-provider-conjur (based upon this Go library).

I don't know if this behavior is intentional, it seems a little strange having to specify the entire certificate chain bundle... In fact, it seems strange and a bit unconventional having to specify a public SSL certificate at all 🤔

The same problem occurred (and was bypassed) in the same way in the conjur-puppet module as well (see this issue).

szh · 2023-06-14T15:16:19Z

Hi @R3DRUN3,

Are you using a self-signed certificate? Can you please post the values of your loaded config?

R3DRUN3 · 2023-06-14T15:26:58Z

Hi @szh,
yes it is a self signed certificate:

I saved this in a file called conjur and then I launch the Go script via a bash script:

#!/bin/bash

export CONJUR_APPLIANCE_URL="https://10.7.0.122"
export CONJUR_ACCOUNT="default"
export CONJUR_AUTHN_LOGIN="host/conjur/tekton-pipeline-demo"
export CONJUR_AUTHN_API_KEY="<conjur-api-key-here>"
export CONJUR_CERT_FILE="conjur"

go run main.go

doodlesbykumbi · 2023-06-15T21:26:25Z

I'll take some time tomorrow to try to reproduce

doodlesbykumbi · 2023-06-27T15:01:59Z

I haven't been able to reproduce this yet

doodlesbykumbi · 2023-06-27T15:21:05Z

Please try validating the connection by running a curl command against the same CONJUR_APPLIANCE_URL

R3DRUN3 · 2023-06-27T15:50:50Z

@doodlesbykumbi already done it.
this is the bash script I am using and it works:

#!/bin/bash

echo "Retrieving secret from Conjur..."
TOKEN=$(curl -s --insecure -X POST --header "Accept-Encoding: base64" --data <API-KEY-HERE> https://10.7.0.122/authn/default/host%2Fconjur%2Ftekton-pipeline-demo/authenticate)
SECRET=$(curl -s --insecure -H "Authorization: Token token=\"$TOKEN\"" https://10.7.0.120/secrets/default/variable/secrets%2FTEST-VARIABLE-TEKTON-PIPELINE)
echo "The secret value is: $SECRET"

doodlesbykumbi · 2023-06-27T16:46:17Z

Let's try and isolate this issue from conjur-api-go and see if it shows upon the HTTP client @R3DRUN3.

Try replace your main.go with this one. Run it with all the same configuration

// main.go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
	"time"

	"github.com/cyberark/conjur-api-go/conjurapi"
)

func main() {
	config, err := conjurapi.LoadConfig()
	if err != nil {
		log.Fatal(err)
	}
	cert, err := config.ReadSSLCert()
	if err != nil {
		log.Fatal(err)
	}
	httpClient, err := newHTTPSClient(cert)
	if err != nil {
		log.Fatal(err)
	}
	if err != nil {
		// Handle error
		fmt.Println("Error creating HTTP client:", err)
		return
	}

	resp, err := httpClient.Get(config.ApplianceURL)
	if err != nil {
		// Handle error
		fmt.Println("Error making GET request:", err)
		return
	}
	defer resp.Body.Close()

	dump, err := httputil.DumpResponse(resp, true)
	if err != nil {
		log.Fatal(err)
	}

	fmt.Printf("%s", dump)

	// Process the response
	// ...
}

func newHTTPSClient(cert []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	ok := pool.AppendCertsFromPEM(cert)
	if !ok {
		return nil, fmt.Errorf("Can't append Conjur SSL cert")
	}

	tr := &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}
	return &http.Client{Transport: tr, Timeout: time.Second * 10}, nil
}

R3DRUN3 · 2023-06-28T07:08:55Z

I will close this issue as I am able to bypass the problem specifying the certificate chain.
My suggestion to you is to add a flag to bypass certificate validation (for testing purpose).

doodlesbykumbi · 2023-06-28T10:50:23Z

Hey @R3DRUN3. Thanks for closing the issue but I would appreciate if you can test out the code from the previous comment. It would help us to figure out if the issue is related to code we wrote or if its present on the Go HTTP client.

R3DRUN3 added the kind/bug label Jun 12, 2023

R3DRUN3 mentioned this issue Jun 13, 2023

Error with self signed certificate cyberark/conjur-puppet#258

Open

3 tasks

szh self-assigned this Jun 14, 2023

szh added the contributor label Jun 14, 2023

R3DRUN3 closed this as completed Jun 28, 2023

R3DRUN3 reopened this Feb 14, 2024

R3DRUN3 closed this as completed Feb 14, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Error with certificates trying to retrieve a secret #176

Error with certificates trying to retrieve a secret #176

R3DRUN3 commented Jun 12, 2023

R3DRUN3 commented Jun 13, 2023

szh commented Jun 14, 2023

R3DRUN3 commented Jun 14, 2023 •

edited

Loading

doodlesbykumbi commented Jun 15, 2023

doodlesbykumbi commented Jun 27, 2023

doodlesbykumbi commented Jun 27, 2023

R3DRUN3 commented Jun 27, 2023

doodlesbykumbi commented Jun 27, 2023

R3DRUN3 commented Jun 28, 2023

doodlesbykumbi commented Jun 28, 2023

Error with certificates trying to retrieve a secret #176

Error with certificates trying to retrieve a secret #176

Comments

R3DRUN3 commented Jun 12, 2023

Summary

Steps to Reproduce

Expected Results

Actual Results

Reproducible

Version/Tag number

Environment setup

Additional Information

R3DRUN3 commented Jun 13, 2023

szh commented Jun 14, 2023

R3DRUN3 commented Jun 14, 2023 • edited Loading

doodlesbykumbi commented Jun 15, 2023

doodlesbykumbi commented Jun 27, 2023

doodlesbykumbi commented Jun 27, 2023

R3DRUN3 commented Jun 27, 2023

doodlesbykumbi commented Jun 27, 2023

R3DRUN3 commented Jun 28, 2023

doodlesbykumbi commented Jun 28, 2023

R3DRUN3 commented Jun 14, 2023 •

edited

Loading