If we try to log in to Conjur where its SSL certificate is a wildcard cert, the error "Failed to execute command. Reason: The machine's hostname did not match any names on the certificate. Make sure the names on the certificate (common name or SANs) match the machine's hostname" will be shown. It cannot be bypassed by the --insecure parameter.
Steps to Reproduce
conjur -d login -i <user> -p <password>
See error
Expected Results
Login successful
Actual Results
$ conjur --insecure -d login -i admin -p $(grep admin admin.out | cut -c20-)
2021-11-19 05:49:48,175 DEBUG: Unable to initialize SecretService: Environment variable DBUS_SESSION_BUS_ADDRESS is unset
2021-11-19 05:49:48,176 DEBUG: Warning: Running the command with '--insecure' makes your system vulnerable to security attacks
2021-11-19 05:49:48,176 WARNING: You chose to initialize the client in insecure mode. If you prefer to communicate with the server securely, you must reinitialize the client in secure mode.
2021-11-19 05:49:48,176 DEBUG: Attempting to fetch 'admin' API key from Conjur...
2021-11-19 05:49:48,178 DEBUG: Starting new HTTPS connection (1): conjur-oss-ingress-conjur-server.2886795274-80-hazel05.environments.katacoda.com:443
2021-11-19 05:49:48,292 WARNING: Certificate did not match expected hostname: conjur-oss-ingress-conjur-server.2886795274-80-hazel05.environments.katacoda.com. Certificate: {'subject': ((('commonName', '*.environments.katacoda.com'),),), 'issuer': ((('countryName', 'US'),), (('stateOrProvinceName', 'Arizona'),), (('localityName', 'Scottsdale'),), (('organizationName', 'GoDaddy.com, Inc.'),), (('organizationalUnitName', 'http://certs.godaddy.com/repository/'),), (('commonName', 'Go Daddy Secure Certificate Authority - G2'),)), 'version': 3, 'serialNumber': '4ADF7260143801A4', 'notBefore': 'Oct 13 22:37:49 2021 GMT', 'notAfter': 'Oct 13 20:51:30 2022 GMT', 'subjectAltName': (('DNS', '*.environments.katacoda.com'), ('DNS', 'environments.katacoda.com')), 'OCSP': ('http://ocsp.godaddy.com/',), 'caIssuers': ('http://certificates.godaddy.com/repository/gdig2.crt',), 'crlDistributionPoints': ('http://crl.godaddy.com/gdig2s1-3374.crl',)}
2021-11-19 05:49:48,293 DEBUG: Traceback (most recent call last):
File "urllib3/connectionpool.py", line 706, in urlopen
File "urllib3/connectionpool.py", line 382, in _make_request
File "urllib3/connectionpool.py", line 1010, in _validate_conn
File "urllib3/connection.py", line 464, in connect
File "urllib3/connection.py", line 512, in _match_hostname
File "ssl.py", line 287, in match_hostname
ssl.CertificateError: hostname 'conjur-oss-ingress-conjur-server.2886795274-80-hazel05.environments.katacoda.com' doesn't match either of '*.environments.katacoda.com', 'environments.katacoda.com'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "requests/adapters.py", line 449, in send
File "urllib3/connectionpool.py", line 756, in urlopen
File "urllib3/util/retry.py", line 574, in increment
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='conjur-oss-ingress-conjur-server.2886795274-80-hazel05.environments.katacoda.com', port=443): Max retries exceeded with url: /authn/default/login (Caused by SSLError(CertificateError("hostname 'conjur-oss-ingress-conjur-server.2886795274-80-hazel05.environments.katacoda.com' doesn't match either of '*.environments.katacoda.com', 'environments.katacoda.com'",),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "conjur/wrapper/http_wrapper.py", line 104, in invoke_request
File "requests/api.py", line 76, in get
File "requests/api.py", line 61, in request
File "requests/sessions.py", line 542, in request
File "requests/sessions.py", line 655, in send
File "requests/adapters.py", line 514, in send
requests.exceptions.SSLError: HTTPSConnectionPool(host='conjur-oss-ingress-conjur-server.2886795274-80-hazel05.environments.katacoda.com', port=443): Max retries exceeded with url: /authn/default/login (Caused by SSLError(CertificateError("hostname 'conjur-oss-ingress-conjur-server.2886795274-80-hazel05.environments.katacoda.com' doesn't match either of '*.environments.katacoda.com', 'environments.katacoda.com'",),))
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "conjur/cli.py", line 546, in run
File "conjur/cli.py", line 735, in run_action
File "conjur/cli.py", line 614, in handle_login_logic
File "conjur/controller/login_controller.py", line 47, in load
File "conjur/controller/login_controller.py", line 90, in get_api_key
File "conjur/logic/login_logic.py", line 57, in get_api_key
File "conjur/wrapper/http_wrapper.py", line 67, in invoke_endpoint
File "conjur/wrapper/http_wrapper.py", line 109, in invoke_request
conjur.errors.CertificateHostnameMismatchException: The machine's hostname did not match any names on the certificate. Make sure the names on the certificate (common name or SANs) match the machine's hostname.
Failed to execute command. Reason: The machine's hostname did not match any names on the certificate. Make sure the names on the certificate (common name or SANs) match the machine's hostname.
Reproducible
Version/Tag number
7.0.1
Environment setup
RHEL 8
Additional Information
n/a
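The WARNING and ssl.CertificateError lines in the trace come from the standard hostname check that urllib3 runs on the server certificate. The following is an added example (not part of this report or of the conjur CLI) that reimplements that rule, as CPython's ssl.match_hostname applies it, and runs it against the hostname and the two subjectAltName entries recorded above; the extra hostnames in the test are constructed.

```python
"""Hostname-versus-certificate matching, RFC 6125 style.

Reimplements the rule used by CPython's ssl.match_hostname (which the
traceback above goes through): a '*' is honoured only as the whole leftmost
label and it matches exactly one DNS label, never "a.b".
"""

# Values taken from the WARNING line of the trace above.
HOSTNAME = ("conjur-oss-ingress-conjur-server.2886795274-80-hazel05"
            ".environments.katacoda.com")
CERT_SANS = ["*.environments.katacoda.com", "environments.katacoda.com"]


def dnsname_match(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name covers hostname."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern:
        return False
    if pattern.count("*") > 1:
        raise ValueError(f"too many wildcards in certificate name {pattern!r}")
    pat_left, _, pat_rest = pattern.partition(".")
    if "*" in pat_rest:
        raise ValueError("wildcard is only allowed in the leftmost label")
    if "*" not in pattern:
        return pattern == hostname          # plain name: exact, case-insensitive
    if pat_left != "*":
        raise ValueError("partial wildcards such as 'f*o' are not supported")
    host_left, host_sep, host_rest = hostname.partition(".")
    if not host_left or not host_sep:
        return False                        # '*' needs one non-empty label
    # The wildcard has consumed exactly one label; the rest must be identical.
    return pat_rest == host_rest


def matching_names(hostname: str, sans: list[str]) -> list[str]:
    """Return the SAN entries that cover hostname (empty means mismatch)."""
    return [san for san in sans if dnsname_match(san, hostname)]


if __name__ == "__main__":
    matched = matching_names(HOSTNAME, CERT_SANS)
    print(f"hostname : {HOSTNAME}")
    print(f"SANs     : {CERT_SANS}")
    print(f"matched  : {matched or 'none (CertificateError expected)'}")
```

The hostname in the trace has two labels to the left of `environments.katacoda.com`, so `*.environments.katacoda.com` cannot cover it; a certificate for `*.2886795274-80-hazel05.environments.katacoda.com` or an exact name would.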