cyberark / cyberark-conjur-cli

CyberArk Conjur command line interface written in Python
https://www.conjur.org
Apache License 2.0

Host name mismatch if wildcard certificate is used #365

Open quincycheng opened 2 years ago

quincycheng commented 2 years ago

Summary

If we try to log in to Conjur where its SSL certificate is a wildcard cert, the error "Failed to execute command. Reason: The machine's hostname did not match any names on the certificate. Make sure the names on the certificate (common name or SANs) match the machine's hostname" is shown. It cannot be bypassed with the --insecure parameter.

Steps to Reproduce

  1. conjur -d login -i <user> -p <password>
  2. See error

Expected Results

Login successful

Actual Results


$ conjur --insecure -d login -i admin -p $(grep admin admin.out | cut -c20-) 
2021-11-19 05:49:48,175 DEBUG: Unable to initialize SecretService: Environment variable DBUS_SESSION_BUS_ADDRESS is unset
2021-11-19 05:49:48,176 DEBUG: Warning: Running the command with '--insecure' makes your system vulnerable to security attacks
2021-11-19 05:49:48,176 WARNING: You chose to initialize the client in insecure mode. If you prefer to communicate with the server securely, you must reinitialize the client in secure mode.
2021-11-19 05:49:48,176 DEBUG: Attempting to fetch 'admin' API key from Conjur...
2021-11-19 05:49:48,178 DEBUG: Starting new HTTPS connection (1): conjur-oss-ingress-conjur-server.2886795274-80-hazel05.environments.katacoda.com:443
2021-11-19 05:49:48,292 WARNING: Certificate did not match expected hostname: conjur-oss-ingress-conjur-server.2886795274-80-hazel05.environments.katacoda.com. Certificate: {'subject': ((('commonName', '*.environments.katacoda.com'),),), 'issuer': ((('countryName', 'US'),), (('stateOrProvinceName', 'Arizona'),), (('localityName', 'Scottsdale'),), (('organizationName', 'GoDaddy.com, Inc.'),), (('organizationalUnitName', 'http://certs.godaddy.com/repository/'),), (('commonName', 'Go Daddy Secure Certificate Authority - G2'),)), 'version': 3, 'serialNumber': '4ADF7260143801A4', 'notBefore': 'Oct 13 22:37:49 2021 GMT', 'notAfter': 'Oct 13 20:51:30 2022 GMT', 'subjectAltName': (('DNS', '*.environments.katacoda.com'), ('DNS', 'environments.katacoda.com')), 'OCSP': ('http://ocsp.godaddy.com/',), 'caIssuers': ('http://certificates.godaddy.com/repository/gdig2.crt',), 'crlDistributionPoints': ('http://crl.godaddy.com/gdig2s1-3374.crl',)}
2021-11-19 05:49:48,293 DEBUG: Traceback (most recent call last):
  File "urllib3/connectionpool.py", line 706, in urlopen
  File "urllib3/connectionpool.py", line 382, in _make_request
  File "urllib3/connectionpool.py", line 1010, in _validate_conn
  File "urllib3/connection.py", line 464, in connect
  File "urllib3/connection.py", line 512, in _match_hostname
  File "ssl.py", line 287, in match_hostname
ssl.CertificateError: hostname 'conjur-oss-ingress-conjur-server.2886795274-80-hazel05.environments.katacoda.com' doesn't match either of '*.environments.katacoda.com', 'environments.katacoda.com'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "requests/adapters.py", line 449, in send
  File "urllib3/connectionpool.py", line 756, in urlopen
  File "urllib3/util/retry.py", line 574, in increment
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='conjur-oss-ingress-conjur-server.2886795274-80-hazel05.environments.katacoda.com', port=443): Max retries exceeded with url: /authn/default/login (Caused by SSLError(CertificateError("hostname 'conjur-oss-ingress-conjur-server.2886795274-80-hazel05.environments.katacoda.com' doesn't match either of '*.environments.katacoda.com', 'environments.katacoda.com'",),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "conjur/wrapper/http_wrapper.py", line 104, in invoke_request
  File "requests/api.py", line 76, in get
  File "requests/api.py", line 61, in request
  File "requests/sessions.py", line 542, in request
  File "requests/sessions.py", line 655, in send
  File "requests/adapters.py", line 514, in send
requests.exceptions.SSLError: HTTPSConnectionPool(host='conjur-oss-ingress-conjur-server.2886795274-80-hazel05.environments.katacoda.com', port=443): Max retries exceeded with url: /authn/default/login (Caused by SSLError(CertificateError("hostname 'conjur-oss-ingress-conjur-server.2886795274-80-hazel05.environments.katacoda.com' doesn't match either of '*.environments.katacoda.com', 'environments.katacoda.com'",),))

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "conjur/cli.py", line 546, in run
  File "conjur/cli.py", line 735, in run_action
  File "conjur/cli.py", line 614, in handle_login_logic
  File "conjur/controller/login_controller.py", line 47, in load
  File "conjur/controller/login_controller.py", line 90, in get_api_key
  File "conjur/logic/login_logic.py", line 57, in get_api_key
  File "conjur/wrapper/http_wrapper.py", line 67, in invoke_endpoint
  File "conjur/wrapper/http_wrapper.py", line 109, in invoke_request
conjur.errors.CertificateHostnameMismatchException: The machine's hostname did not match any names on the certificate. Make sure the names on the certificate (common name or SANs) match the machine's hostname.

Failed to execute command. Reason: The machine's hostname did not match any names on the certificate. Make sure the names on the certificate (common name or SANs) match the machine's hostname.

Reproducible

Version/Tag number

7.0.1

Environment setup

RHEL 8

Additional Information

n/a