During our work with a CyberArk Conjur environment, we encountered strange behavior during the Conjur follower setup.

The setup process on the follower would start, the seed was received, imported, and expanded, but after a few more steps, the process would hang and end with a generic “System Error.”

After displaying the error message, the Conjur follower would restart.

We performed troubleshooting inside the Conjur Follower pod and verified that the follower could connect to the Conjur API leader successfully, but it was unable to connect to the Postgres database and complete the initial replication.

The correct way to verify Postgres connectivity from the follower to the leader is with the following command:

echo "" | openssl s_client -starttls postgres -connect <lb_DNS>:5432 -showcerts

If the server certificate is returned, Postgres connectivity is working as expected.

In our case, we were unable to retrieve the certificate, which pointed us to an issue with the network load balancer. A colleague was able to fix the problem there.
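To see which step of that check fails (the TCP connect, the Postgres SSLRequest exchange that -starttls postgres performs before TLS, or the TLS handshake itself), the same probe can be written out in Python. This is an added example, not code from CyberArk or from the original post; the function name probe_postgres_tls and the stage labels are assumptions made for illustration.

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest: Int32 length (8) + Int32 request code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def probe_postgres_tls(host, port=5432, timeout=5.0):
    """Return (stage, detail) for the first step that fails, or the certificate.

    Illustrative names, not part of Conjur or openssl. Stages: tcp_failed,
    no_reply, tls_refused, unexpected_reply, tls_handshake_failed,
    certificate_returned.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp_failed", str(exc)
    with sock:
        try:
            sock.sendall(SSL_REQUEST)
            reply = sock.recv(1)  # server answers with one byte: S or N
        except OSError as exc:
            return "no_reply", str(exc)
        if reply == b"":
            return "no_reply", "connection closed before Postgres answered"
        if reply == b"N":
            return "tls_refused", "server answered N (TLS not offered)"
        if reply != b"S":
            return "unexpected_reply", repr(reply)
        # Diagnostic only: like s_client, fetch the certificate without
        # validating it. Do not reuse this context for real connections.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
        except (ssl.SSLError, OSError) as exc:
            return "tls_handshake_failed", str(exc)
        return "certificate_returned", ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python probe.py <lb_DNS> 5432
    stage, detail = probe_postgres_tls(sys.argv[1], int(sys.argv[2]))
    print(stage)
    print(detail)
```

A tcp_failed or no_reply result means the failure happened before Postgres answered at all, which is where a load balancer problem like the one described above would show up.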

Thanks to CyberArk support for providing us with the openssl command, which is easy to run from the container or any server. We had tried other verification methods, but openssl s_client is readily available on most containers and servers.

For more information about openssl s_client and its options, check out this helpful blog post.