Error with self-signed certificate #258

Open
1 of 3 tasks
R3DRUN3 opened this issue Jun 13, 2023 · 1 comment
R3DRUN3 commented Jun 13, 2023

Summary

I get an error when I try to retrieve a secret from Conjur (with a self-signed cert).

Steps to Reproduce

  1. Apply the following puppet manifest:
$sslcert = @("EOT")
-----BEGIN CERTIFICATE-----
MIID0DCCArigAwIBAgIUeO2/+zmaBjmfJRxB1bwzM93lnmAwDQYJKoZIhvcNAQEL
BQAwUTEQMA4GA1UECgwHZGVmYXVsdDESMBAGA1UECwwJQ29uanVyIENBMSkwJwYD
VQQDDCBjb25qdXItbGIudnNwaGVyZS5wbGF5Z3JvdW5kLmNvbTAeFw0yMzAxMTAx
MTI3MzRaFw0zMzAxMDcxMTI3MzRaMCsxKTAnBgNVBAMMIGNvbmp1ci1sYi52c3Bo
ZXJlLnBsYXlncm91bmQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAvP11Ad8F8rVQXGrvhqv4yBhCLW+E85KnNV9TjNiV0fojrQMNHTIWwY5TL8vL
kTohi6NTHPZCBu6ig1sAwlvwF72oHrjDITN7YUxUcgCAuQzEG4lK2cPNWkmsMlaZ
e9ECJguvIh1QF+TW+72CIESR9IQeQKuPwZis7VBqbInQboiYHb849xVWIpzdQH2D
4IGhknuZQCUUOYbtpp1aJOJnQvEwFZ2hwzlK2i63JA18SafPHxt91r4TC9Jih3wN
CriL/TtFaz9/n0CQM1HETpt3B00aRom6QI6dnqixACJ2fuNqyiqnn53c7HiLWCvQ
/vJ46CTGxOKeae+sBeDjGrjTkQIDAQABo4HFMIHCMA4GA1UdDwEB/wQEAwIFoDAd
BgNVHQ4EFgQU2jmj7l5rSw0yVb/vlWAYkK/YBwkwgZAGA1UdEQSBiDCBhYIgY29u
anVyLWxiLnZzcGhlcmUucGxheWdyb3VuZC5jb22CH2Nvbmp1ci0xLnZzcGhlcmUu
cGxheWdyb3VuZC5jb22CH2Nvbmp1ci0yLnZzcGhlcmUucGxheWdyb3VuZC5jb22C
H2Nvbmp1ci0zLnZzcGhlcmUucGxheWdyb3VuZC5jb20wDQYJKoZIhvcNAQELBQAD
ggEBADjwsbz7BG641cWjokup7b4MT6Q1ts8cbKg3rFRH8IP2p3KA0amzDvnGXehF
RJ83rj9wXdPBpxfzRCvkqw8u4et1fXZ7XyirrqBZh0eQWu5ix/Sd9NdOE8DLw+Xz
wAsaGp7NgpBK3gs3k5iX38yk0Gstk3Y7fjzqUmRSeJ9EOs3Wpe+hxfkurS9HDAMy
M0iVnZDvEsRLeGYELa685Ga6/lSBXshMbmLDISF0M3LqgNYDCJZPJLYY5pf6XDfv
Wt4QUEbBrpX11OMBRyRYZW3Nf7LIaNGxzitTbNdCpJqjwyJV2J9eX3VFtrVaPczs
TmwipMTS+WBhDto0a6pZ74J5shU=
-----END CERTIFICATE-----
|-EOT

$secret = Deferred(conjur::secret, ['host/conjur/tekton-pipeline-demo', {
  appliance_url => "https://conjur-lb.vsphere.playground.com",
  account => "default",
  authn_login => "host/conjur/tekton-pipeline-demo",
  authn_api_key => Sensitive("<my-api-key-here>"),
  ssl_certificate => $sslcert
}])

file { '/tmp/creds.txt':
  ensure => file,
  mode => '0600',
  content => $secret,
}

Expected Results

The procedure completes without errors.

Actual Results

I get the following error:

Notice: Compiled catalog for ubuntu2304.localdomain in environment production in 0.01 seconds
Error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

puppet --version && echo " " && puppet module list
7.24.0

/etc/puppetlabs/code/environments/production/modules
├── cyberark-conjur (v3.1.0)
└── puppetlabs-registry (v3.2.0)

Environment setup

Puppet server and agent are both installed (and working) on a local Ubuntu VM.
Conjur is installed on a remote VM (Connection via VPN).

Additional Information

From the Ubuntu VM I can reach the Conjur API and retrieve secrets.


R3DRUN3 commented Jun 13, 2023

NOTE: I was able to bypass this problem by specifying the full certificate chain instead of just the Conjur host certificate.

I don't know if this behavior is intentional; it seems a little strange having to specify the entire certificate chain bundle. In fact, it seems strange and a bit unconventional having to specify a public SSL certificate at all 🤔

The same problem occurred (and was bypassed) in the same way in the conjur-api-go library as well (see this issue).
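The behaviour reported above (a store seeded with only the host certificate fails with "self signed certificate in certificate chain", while the full chain works) is plain OpenSSL chain building, which can be reproduced without Conjur at all. The Ruby below is an added example, not code from this issue or from the cyberark-conjur module; it builds a constructed CA and leaf, and `make_cert`, `verify_with` and the constructed subject names are assumptions.

```ruby
require 'openssl'

# Constructed two-level PKI (not the certificates from this issue): a
# self-signed "Conjur CA" root and a server leaf it signs, the shape of
# chain the appliance in the issue presents to the client.
def make_cert(subject, key, serial, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY    = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = make_cert('/O=default/OU=Conjur CA/CN=constructed-root', CA_KEY, 1, ca: true)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = make_cert('/CN=conjur-lb.example.invalid', LEAF_KEY, 2,
                      issuer: CA_CERT, issuer_key: CA_KEY)

# Verify LEAF_CERT the way a TLS client does. `trusted` plays the role of
# whatever the ssl_certificate parameter seeds the store with; `presented`
# is the extra chain the server sends, which is untrusted input.
# Returns [ok, error_code, error_string].
def verify_with(trusted, presented: [CA_CERT], partial_chain: false)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  # Only with PARTIAL_CHAIN does OpenSSL treat a non-self-signed cert in the
  # store as a trust anchor; otherwise the walk must end at a trusted root.
  store.flags = OpenSSL::X509::V_FLAG_PARTIAL_CHAIN if partial_chain
  ctx = OpenSSL::X509::StoreContext.new(store, LEAF_CERT, presented)
  ok = ctx.verify
  [ok, ctx.error, ctx.error_string]
end

if __FILE__ == $PROGRAM_NAME
  p verify_with([LEAF_CERT])           # => false, 19 (V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
  p verify_with([LEAF_CERT, CA_CERT])  # => true, 0
  if defined?(OpenSSL::X509::V_FLAG_PARTIAL_CHAIN)
    p verify_with([LEAF_CERT], partial_chain: true)  # => true, 0
  end
end
```

The first call reproduces the issue's error: the leaf in the store is not a trust anchor, so OpenSSL walks up to the self-signed CA the server sent and rejects it; adding the CA (the "full chain" workaround) or enabling partial-chain trust makes the same leaf verify.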
