I am trying to create a new build node (using the new beta features) and am running into a SSL certificate issue. Our setup is that we have an Amazon Load Balancer setup in front of our Chef Server instances and it has our wildcard certificate installed.
Here is the error I’m getting:
[root@chef-automate-1 ~]# /opt/delivery/bin/delivery-ctl install-build-node --installer /home/ec2-user/chefdk_0.18.30-1_amd64.deb -f chef-build-2 --username ubuntu -i -V v2 -a -t -e
Password for ubuntu on chef-build-2 (use ‘none’ if passwordless sudo is enabled):
Connecting to chef-build-2…
Fetching Chef Server certificates for local use
/opt/delivery/embedded/bin/knife ssl fetch -u delivery -k /etc/delivery/delivery.pem --server-url https://chef.firstfuelsoftware.net/organizations/automate-org returned 100
When I try running the knife ssl fetch manually I also get an error:
Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.
Adding certificate for *.firstfuelsoftware.net in /root/.chef/trusted_certs/wildcard_firstfuelsoftware_net.crt
Adding certificate for Go Daddy Secure Certificate Authority - G2 in /root/.chef/trusted_certs/Go_Daddy_Secure_Certificate_Authority_-G2.crt
Adding certificate for Go Daddy Root Certificate Authority - G2 in /root/.chef/trusted_certs/Go_Daddy_Root_Certificate_Authority-_G2.crt
/opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/knife/ssl_fetch.rb:93:in `cn_of': undefined method `[]' for nil:NilClass (NoMethodError)
    from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/knife/ssl_fetch.rb:119:in `write_cert'
    from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/knife/ssl_fetch.rb:138:in `block in run'
    from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/knife/ssl_fetch.rb:137:in `each'
    from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/knife/ssl_fetch.rb:137:in `run'
    from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/knife.rb:421:in `block in run_with_pretty_exceptions'
    from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/local_mode.rb:44:in `with_server_connectivity'
    from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/knife.rb:420:in `run_with_pretty_exceptions'
    from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/knife.rb:219:in `run'
    from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/application/knife.rb:148:in `run'
    from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/bin/knife:25:in `<top (required)>'
    from /opt/delivery/embedded/bin/knife:23:in `load'
    from /opt/delivery/embedded/bin/knife:23:in `<main>'
Can you check to make sure that you have the entire certificate chain on the load balancer in front of your Chef Server? Run openssl s_client -connect chef.firstfuelsoftware.net:443 (if that’s not the correct url it should be the chef server).
You should have the whole certificate chain installed on the load balancer (the cert you were issued, any intermediate certificates, and the root certificate).
If nothing jumps out at you could you post the output and we can help you troubleshoot?
(Updated to remove the paths from the URL for openssl connect)
Hi David, thanks for the reply. Nothing jumps out at me. And I know this is the same process (from an AWS & certificates standpoint) that we use elsewhere, so I’m not sure what’s different here.
[ec2-user@chef-automate-1 ~] openssl s_client -connect chef.firstfuelsoftware.net:443
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.firstfuelsoftware.net
verify return:1
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.firstfuelsoftware.net
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
Server certificate
subject=/OU=Domain Control Validated/CN=*.firstfuelsoftware.net
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
SSL handshake has read 5428 bytes and written 375 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 03EB6D0669B4E11E261B0B73F6550A86F8F60CF6DCBDB398D5E1F31894165247
Session-ID-ctx:
Master-Key: D4C474F2C1387BF5602A48707EF0EF3E3DD2DC80A6B079E8104E28F3AE10211BC6B1322E562E659FB901285D68CD05CB
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
From the output, it appears that the third cert in your chain does not have a CN defined:
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
What’s happening is that knife ssl fetch assumes all certificates have a defined CN, though this is not required by the X.509 spec. We’re looking into resolving this issue. In the meantime the fix would be to only chain certificates with defined CNs.
If you’ve got the time, we’d love to talk more about your experience with delivery-ctl install-build-node and how we can improve it. Let us know if you’re interested and we’ll be happy to set up a chat. I will also make a note to reply to this thread when a fix is available.
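To make the CN assumption described above concrete, here is an added example (my own code, not knife's source and not the eventual Chef fix) that puts the fragile lookup next to a tolerant one. The certificates are throwaway self-signed ones constructed in memory with assumed subject names that only imitate the shapes in the thread; the file-name normalisation mirrors the pattern visible in the "Adding certificate for ..." lines above.

```ruby
require 'openssl'

# Build a throwaway self-signed certificate from [attribute, value] pairs.
# Constructed for this example only; the subjects used below imitate the
# shapes in the thread (a wildcard leaf, a CN-less root), not the real certs.
def make_cert(subject_pairs)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new(subject_pairs)
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The fragile lookup: assumes every subject carries a CN attribute.
# On a CN-less subject `tuple` is nil, so `tuple[1]` raises NoMethodError,
# the same "undefined method `[]' for nil:NilClass" seen in the trace above.
def cn_of_strict(cert)
  tuple = cert.subject.to_a.find { |field| field[0] == 'CN' }
  tuple[1]
end

# Tolerant lookup: use the CN when present, otherwise derive a stable name
# from the whole subject DN so two CN-less CAs never collide on disk.
def name_of(cert)
  tuple = cert.subject.to_a.find { |field| field[0] == 'CN' }
  tuple ? tuple[1] : format('subject_%08x', cert.subject.hash)
end

# File name in the style seen above: '*' becomes 'wildcard' and every other
# character outside [A-Za-z0-9-] becomes '_'.
def trusted_cert_filename(cert)
  name_of(cert).gsub('*', 'wildcard').gsub(/[^[:alnum:]\-]/, '_') + '.crt'
end

if __FILE__ == $PROGRAM_NAME
  leaf = make_cert([['OU', 'Domain Control Validated'], ['CN', '*.example.test']])
  root = make_cert([['C', 'US'], ['O', 'Example Group Inc'], ['OU', 'Example Class 2 CA']])
  [leaf, root].each { |c| puts "Adding certificate for #{name_of(c)} in #{trusted_cert_filename(c)}" }
end
```

A quick way to check whether your own chain would trip the strict path is to look at each `s:` line in the openssl output for a missing `CN=`; any such certificate needs the tolerant naming.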
Greetings! We fixed this with https://github.com/chef/chef/pull/5498 which was released in Chef 12.16. The next release of Automate will have this updated Chef.
Note: I edited my original reply. I originally said this fix will be available in the next version of the ChefDK then realized that would not help you!
I am facing the same issue:
/opt/delivery/embedded/bin/knife ssl fetch -u delivery -k /etc/delivery/delivery.pem --server-url https://chefserver.aws.org/organizations/automate_chef-org returned 100
What's the fix now?
I am using chef automate delivery_0.6.7-1_amd64.deb and trying to install a build node (chefdk_1.1.16-1_amd64.deb)
Thanks
Geetha