Monday, November 21, 2022

CyberArk Conjur follower, system error and reboot during configuration: how troubleshoot it and verify the Postgres communication in the right way

During this period working on a CyberArk Conjur environment, we experienced a strange behavior during Conjur follower setup. 

The setup on the follower was starting, the seed received, imported, and expanded but after some other steps the process was hanging and ending with a generic "System Error".

After the error message, the Conjur follower was restarted. 

We did some troubleshooting inside the Conjur Follower pod and we have verified that the Follower was able to connect to the Conjur API leader successfully but it wasn't able to connect to the Postgres database and finish the initial replication.

The correct way to verify the Postgres connectivity from the follower to the leader is the following command:

echo "" | openssl s_client -starttls postgres -connect <lb_DNS>:5432 -showcerts

if the server certificate will be returned, the Postgres connectivity will work as expected.

In our case, we were unable to get the certificate, so this points us to the network LB where a colleague fixed the issue.

Thanks to CyberArk support which provided us the openssl command, easy to be executed from the container or any server. 
We did the same verification in another way but the openssl s_client could be found easily on containers and servers.

To have more explanation about openssl s_client and see more options, check this nice blog post.

No comments:

Post a Comment