
tls: failed to verify certificate: x509 while connecting to Delinea Secret Server #602

Open
shrishs opened this issue Jan 29, 2024 · 2 comments

Comments

shrishs commented Jan 29, 2024

Describe the bug
While connecting to Delinea Secret Server there is no parameter to specify a CA certificate. The official document does not mention such a parameter.

To Reproduce
Steps to reproduce the behavior:

  1. Create a secret with the following data

       stringData:
         AVP_TYPE: delineasecretserver
         AVP_DELINEA_URL: https://xx-thycotic.abc.local/SecretServer
         AVP_DELINEA_USER: admin
         AVP_DELINEA_PASSWORD: xxxxxxxx
         AVP_DELINEA_DOMAIN: local

     Tried the following combination:

         VAULT_CACERT: /etc/pki/tls/certs/ca-bundle.crt
         CACERT: /etc/pki/tls/certs/ca-bundle.crt
         AVP_DELINEA_CACERT: /etc/pki/tls/certs/ca-bundle.crt

  2. CA certificate is mounted to /etc/pki/tls/certs/ca-bundle.crt

       # Attention: overriding the ca-bundle.crt from Thycotic CA server
       - name: custom-tools
         subPath: xx-thycotic.abc.local-root.pem
         mountPath: /etc/pki/tls/certs/ca-bundle.crt

  3. Create the application. The following logs are displayed in the pod:

error generating manifests in cmp: rpc error: code = Unknown desc = error generating manifests: sh -c \"helm template $ARGOCD_APP_NAME --include-crds -n $ARGOCD_APP_NAMESPACE ${ARGOCD_ENV_HELM_ARGS} . |\\nargocd-vault-plugin generate --verbose-sensitive-output -\\n\" failed exit status 1: 2024/01/29 17:27:32 reading configuration from environment, overriding any previous settings
[ERROR] grant response error:Post " https://xx-thycotic.abc.local/SecretServer/oauth2/token\": tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead\n2024/01/29
[ERROR] error getting accessToken:Post "https://xx-thycotic.abc.local/SecretServer/oauth2/token\": tls: failed to verify certi...

  4. Using curl from the command line of the pod, it works.

       API_USERNAME=admin
       API_PASSWORD=xxxxxxxx
       SECRETID_ACCESS=522
       requestBody="username=$API_USERNAME&password=$API_PASSWORD&grant_type=password"
       PAM_URL=https://xx-thycotic.abc.local/SecretServer
       apiUrl=$PAM_URL/api/v1/secrets/$SECRETID_ACCESS/fields/Password
       pamUrl=$PAM_URL/oauth2/token

       curl -s -X POST -H "Accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d $requestBody $pamUrl
       {"access_token":"AgKO8......","token_type":"bearer","expires_in":28800,"refresh_token":"vof...."}

shrishs commented Jan 31, 2024

I also tried running the command directly, but still the same result. There is no way I can pass the CACERT. It is setting VAULT_CACERT and VAULT_CAPATH, but I believe that is for HashiCorp Vault, not for Delinea.

argocd-vault-plugin generate -s thycotic-poc:avp-delinea-backend-secret argocdvault/example/samplesecret/templates/testsecret.yaml --verbose-sensitive-output

2024/01/31 07:44:36 reading configuration from secret thycotic-poc:avp-delinea-backend-secret
2024/01/31 07:44:36 parsed secret name as avp-delinea-backend-secret from namespace thycotic-poc
2024/01/31 07:44:36 Setting VAULT_CACERT to /etc/pki/tls/certs/ca-bundle.crt for backend SDK
2024/01/31 07:44:36 Setting VAULT_CAPATH to /etc/pki/tls/certs/ca-bundle.crt for backend SDK
2024/01/31 07:44:36 reading configuration from environment, overriding any previous settings
2024/01/31 07:44:36 AVP configured with the following settings:

2024/01/31 07:44:36 avp_delinea_url: https://[xx-thycotic.abc.local/SecretServer]
2024/01/31 07:44:36 avp_delinea_cacert: /etc/pki/tls/certs/ca-bundle.crt
2024/01/31 07:44:36 avp_delinea_domain: local
2024/01/31 07:44:36 vault_capath: /etc/pki/tls/certs/ca-bundle.crt
2024/01/31 07:44:36 avp_kv_version: 2
2024/01/31 07:44:36 avp_delinea_user: admin
2024/01/31 07:44:36 insecureskipverify: true
2024/01/31 07:44:36 cacert: /etc/pki/tls/certs/ca-bundle.crt
2024/01/31 07:44:36 avp_type: delineasecretserver
2024/01/31 07:44:36 delinea_capath: /etc/pki/tls/certs/ca-bundle.crt
2024/01/31 07:44:36 delinea_cacert: /etc/pki/tls/certs/ca-bundle.crt
2024/01/31 07:44:36 vault_cacert: /etc/pki/tls/certs/ca-bundle.crt
2024/01/31 07:44:36 avp_delinea_password: xxxxxxxx

[ERROR] grant response error:Post "https://xx-thycotic.abc.local/SecretServer/oauth2/token": tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead
2024/01/31 07:44:36 [ERROR] error getting accessToken:Post "https://xx-thycotic.abc.local/SecretServer/oauth2/token": tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead
Error: could not access secret 522, error: Post "https://xx-thycotic.abc.local/SecretServer/oauth2/token": tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead
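The message in both runs, `x509: certificate relies on legacy Common Name field, use SANs instead`, is produced by Go's crypto/x509 verifier rather than by the CA bundle. Since Go 1.15 the requested hostname is matched only against the Subject Alternative Name extension, and a certificate that names the host solely in its Subject CN is rejected with exactly this text; the GODEBUG=x509ignoreCN=0 opt-out that Go 1.15 and 1.16 offered was removed in Go 1.17. Go performs that hostname check before it builds a chain to a trusted root, so the error says nothing about whether the mounted ca-bundle.crt was picked up, and a trust-store change alone cannot clear it: the server certificate has to carry a DNS SAN for the hostname. A real CA-trust failure reads differently, `x509: certificate signed by unknown authority`. curl succeeding against the same endpoint is consistent with a TLS library that still falls back to the CN. The Go program below is an added illustration, not code from argocd-vault-plugin or the Delinea SDK: it creates a throwaway private CA and two server certificates for the hostname from this issue, one CN-only and one with a DNS SAN, and verifies each against a pool that trusts the CA and against an empty pool. The CA name, serial numbers and validity window are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key for tmpl and signs tmpl with parentKey.
// A nil parent means self-signed, which is how the throwaway root CA is made.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyServerCert does what crypto/tls does with a custom RootCAs pool: verify the
// leaf for the requested hostname. Go matches the hostname against the SAN extension
// before it attempts to build a chain to a trusted root.
func VerifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Results holds the four verification outcomes; nil means the certificate was accepted.
type Results struct {
	CNOnlyTrusted   error // host only in Subject CN, issuing CA trusted
	CNOnlyUntrusted error // same leaf, empty trust store
	SANTrusted      error // host in a DNS SAN, issuing CA trusted
	SANUntrusted    error // same leaf, empty trust store
}

// Demo issues a CN-only and a SAN server certificate for host from one constructed
// private CA and verifies each against a pool that trusts that CA and an empty pool.
func Demo(host string) (Results, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Example Root CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return Results{}, err
	}
	leafTmpl := func(serial int64, dnsNames []string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: host}, // ignored for hostname matching since Go 1.15
			DNSNames:     dnsNames,                    // what the verifier actually matches
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
	}
	cnOnly, _, err := issue(leafTmpl(2, nil), ca, caKey)
	if err != nil {
		return Results{}, err
	}
	withSAN, _, err := issue(leafTmpl(3, []string{host}), ca, caKey)
	if err != nil {
		return Results{}, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	empty := x509.NewCertPool() // stands in for a pod whose ca-bundle.crt lacks the private CA
	return Results{
		CNOnlyTrusted:   VerifyServerCert(cnOnly, trusted, host),
		CNOnlyUntrusted: VerifyServerCert(cnOnly, empty, host),
		SANTrusted:      VerifyServerCert(withSAN, trusted, host),
		SANUntrusted:    VerifyServerCert(withSAN, empty, host),
	}, nil
}

func main() {
	r, err := Demo("xx-thycotic.abc.local") // hostname from the issue; the certificates are constructed
	if err != nil {
		panic(err)
	}
	fmt.Printf("CN-only, CA trusted:   %v\nCN-only, CA untrusted: %v\nSAN, CA trusted:       %v\nSAN, CA untrusted:     %v\n",
		r.CNOnlyTrusted, r.CNOnlyUntrusted, r.SANTrusted, r.SANUntrusted)
}
```

Run it with `go run`: the first two results print the legacy-CN message (trusted or not, the SAN check fails first), the third prints `<nil>`, and the fourth prints the unknown-authority error. The same distinction applies when reading the plugin's log: the legacy-CN text points at the server certificate's missing SAN, while an unknown-authority text points at the trust store.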

shrishs commented Feb 6, 2024

Got it working by building a separate image. Use the following instruction in the Dockerfile:

COPY ./x-thycotic.abc-root.pem /etc/pki/tls/certs/ca-bundle.crt

jtudelag added a commit to jtudelag/gitops-multicluster-onfiguration that referenced this issue Feb 7, 2024