cyberark / conjur-puppet

Official Puppet module for CyberArk Conjur
https://forge.puppet.com/cyberark/conjur
Apache License 2.0

Error with self-signed certificate #258

Open R3DRUN3 opened 1 year ago

R3DRUN3 commented 1 year ago

## Summary

I get an error when I try to retrieve a secret from Conjur (with a self-signed cert).

## Steps to Reproduce

1. Apply the following Puppet manifest:

```puppet
$sslcert = @("EOT")
-----BEGIN CERTIFICATE-----
MIID0DCCArigAwIBAgIUeO2/+zmaBjmfJRxB1bwzM93lnmAwDQYJKoZIhvcNAQEL
BQAwUTEQMA4GA1UECgwHZGVmYXVsdDESMBAGA1UECwwJQ29uanVyIENBMSkwJwYD
VQQDDCBjb25qdXItbGIudnNwaGVyZS5wbGF5Z3JvdW5kLmNvbTAeFw0yMzAxMTAx
MTI3MzRaFw0zMzAxMDcxMTI3MzRaMCsxKTAnBgNVBAMMIGNvbmp1ci1sYi52c3Bo
ZXJlLnBsYXlncm91bmQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAvP11Ad8F8rVQXGrvhqv4yBhCLW+E85KnNV9TjNiV0fojrQMNHTIWwY5TL8vL
kTohi6NTHPZCBu6ig1sAwlvwF72oHrjDITN7YUxUcgCAuQzEG4lK2cPNWkmsMlaZ
e9ECJguvIh1QF+TW+72CIESR9IQeQKuPwZis7VBqbInQboiYHb849xVWIpzdQH2D
4IGhknuZQCUUOYbtpp1aJOJnQvEwFZ2hwzlK2i63JA18SafPHxt91r4TC9Jih3wN
CriL/TtFaz9/n0CQM1HETpt3B00aRom6QI6dnqixACJ2fuNqyiqnn53c7HiLWCvQ
/vJ46CTGxOKeae+sBeDjGrjTkQIDAQABo4HFMIHCMA4GA1UdDwEB/wQEAwIFoDAd
BgNVHQ4EFgQU2jmj7l5rSw0yVb/vlWAYkK/YBwkwgZAGA1UdEQSBiDCBhYIgY29u
anVyLWxiLnZzcGhlcmUucGxheWdyb3VuZC5jb22CH2Nvbmp1ci0xLnZzcGhlcmUu
cGxheWdyb3VuZC5jb22CH2Nvbmp1ci0yLnZzcGhlcmUucGxheWdyb3VuZC5jb22C
H2Nvbmp1ci0zLnZzcGhlcmUucGxheWdyb3VuZC5jb20wDQYJKoZIhvcNAQELBQAD
ggEBADjwsbz7BG641cWjokup7b4MT6Q1ts8cbKg3rFRH8IP2p3KA0amzDvnGXehF
RJ83rj9wXdPBpxfzRCvkqw8u4et1fXZ7XyirrqBZh0eQWu5ix/Sd9NdOE8DLw+Xz
wAsaGp7NgpBK3gs3k5iX38yk0Gstk3Y7fjzqUmRSeJ9EOs3Wpe+hxfkurS9HDAMy
M0iVnZDvEsRLeGYELa685Ga6/lSBXshMbmLDISF0M3LqgNYDCJZPJLYY5pf6XDfv
Wt4QUEbBrpX11OMBRyRYZW3Nf7LIaNGxzitTbNdCpJqjwyJV2J9eX3VFtrVaPczs
TmwipMTS+WBhDto0a6pZ74J5shU=
-----END CERTIFICATE-----
|-EOT

# Secret lookup is deferred so it runs on the agent at apply time,
# not on the Puppet server during catalog compilation.
$secret = Deferred(conjur::secret, ['host/conjur/tekton-pipeline-demo', {
  appliance_url   => "https://conjur-lb.vsphere.playground.com",
  account         => "default",
  authn_login     => "host/conjur/tekton-pipeline-demo",
  authn_api_key   => Sensitive(""),
  ssl_certificate => $sslcert,
}])

file { '/tmp/creds.txt':
  ensure  => file,
  mode    => '0600',
  content => $secret,
}
```


## Expected Results

The procedure completes without errors.

## Actual Results

I get the following error:
```console
Notice: Compiled catalog for ubuntu2304.localdomain in environment production in 0.01 seconds
Error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
```

## Reproducible

## Version/Tag number

```console
$ puppet --version && echo " " && puppet module list
7.24.0

/etc/puppetlabs/code/environments/production/modules
├── cyberark-conjur (v3.1.0)
└── puppetlabs-registry (v3.2.0)
```

## Environment setup

Puppet server and agent are both installed (and working) on a local Ubuntu VM.
Conjur is installed on a remote VM (Connection via VPN).

## Additional Information

From the Ubuntu VM I can reach conjur api and retrieve secrets.

R3DRUN3 commented 1 year ago

NOTE: I was able to bypass this problem by specifying the full certificate chain instead of just the Conjur host certificate.

I don't know if this behavior is intentional; it seems a little strange having to specify the entire certificate chain bundle... In fact, it seems strange and a bit unconventional having to specify a public SSL certificate at all 🤔

The same problem occurred (and was bypassed) in the same way in the conjur-api-go library as well (see this issue).
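Editor's note on the error in the issue body and the workaround in the comment above. `certificate verify failed (self signed certificate in certificate chain)` is OpenSSL verification error 19: the server presented a chain ending in a self-signed root, and that root is not in the client's trust store. The PEM pasted in the manifest is the Conjur host's leaf certificate (its issuer is `O=default, OU=Conjur CA, ...`, which differs from its subject), and with default OpenSSL flags a leaf in the trust store does not terminate a chain; OpenSSL still has to reach a trusted self-signed root unless partial-chain verification is explicitly enabled. That is why the full chain worked: it carries the root. The minimal correct value for `ssl_certificate` is therefore the CA certificate that issued the Conjur host certificate, which is also the value that survives a leaf-certificate rotation. The Ruby script below reproduces both outcomes offline. It is an added example, not code from the issue or from conjur-puppet; the CA, leaf, names and serials are constructed in memory, and it assumes the module feeds the PEM bundle into an OpenSSL trust store with default flags, which the error text indicates but the issue does not show.

```ruby
require 'openssl'

# Added example (not conjur-puppet code): show why `ssl_certificate` must
# carry the CA certificate, not just the Conjur host's leaf certificate.
# All certificates here are constructed in memory with illustrative names.

PEM_CERT = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

# Build one X.509 v3 certificate. Leave issuer_cert/issuer_key nil to self-sign.
def build_cert(subject, key, serial, issuer_cert: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  if ca
    # Without CA:TRUE OpenSSL refuses to use this certificate as an issuer.
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', san)) if san
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# A private "Conjur CA" root and a load-balancer leaf it issued (constructed).
def build_demo_pki
  ca_key   = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  ca   = build_cert('/O=default/OU=Conjur CA/CN=Conjur Root CA', ca_key, 1, ca: true)
  leaf = build_cert('/CN=conjur-lb.vsphere.playground.com', leaf_key, 2,
                    issuer_cert: ca, issuer_key: ca_key,
                    san: 'DNS:conjur-lb.vsphere.playground.com')
  [ca, leaf]
end

# Split a PEM bundle into certificates; OpenSSL::X509::Certificate.new on the
# whole bundle would silently read only the first one.
def parse_bundle(pem)
  pem.scan(PEM_CERT).map { |p| OpenSSL::X509::Certificate.new(p) }
end

# Verify `leaf` the way a TLS client does: every certificate in `bundle_pem`
# is a trust anchor (the assumed role of ssl_certificate), `presented_chain`
# is whatever extra certificates the server sends in the handshake.
# Returns [verified?, OpenSSL X509 error code] (0 == OpenSSL::X509::V_OK).
def verify_against_bundle(bundle_pem, leaf, presented_chain)
  store = OpenSSL::X509::Store.new
  parse_bundle(bundle_pem).each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, presented_chain)
  ok = ctx.verify
  [ok, ctx.error]
end

if __FILE__ == $PROGRAM_NAME
  ca, leaf = build_demo_pki
  {
    'leaf only, LB sends root too'  => [leaf.to_pem, [ca]],              # error 19
    'leaf only, LB sends leaf only' => [leaf.to_pem, []],                # error 20
    'CA only'                       => [ca.to_pem, []],                  # OK
    'full chain (leaf + CA)'        => [leaf.to_pem + ca.to_pem, [ca]],  # OK
  }.each do |label, (bundle, chain)|
    ok, code = verify_against_bundle(bundle, leaf, chain)
    puts format('%-32s ok=%-5s error=%d', label, ok, code)
  end
end
```

The first case is the one in the issue: the load balancer sends its leaf plus the self-signed Conjur CA, the trust store holds only the leaf, and OpenSSL reports error 19. The second case shows what changes if the server sends no chain (error 20, "unable to get local issuer certificate"). Supplying the CA alone is enough; the full chain also works, but only because the CA is in it. Disabling verification is not a workaround here: the whole point of `ssl_certificate` is to pin the private CA so the agent cannot be redirected to an impostor Conjur endpoint.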