Cannot create a build node

I am trying to create a new build node (using the new beta features) and am running into a SSL certificate issue. Our setup is that we have an Amazon Load Balancer setup in front of our Chef Server instances and it has our wildcard certificate installed.

Here is the error I’m getting:

[root@chef-automate-1 ~]# /opt/delivery/bin/delivery-ctl install-build-node --installer /home/ec2-user/chefdk_0.18.30-1_amd64.deb -f chef-build-2 --username ubuntu -i -V v2 -a -t -e
Password for ubuntu on chef-build-2 (use ‘none’ if passwordless sudo is enabled):

Connecting to chef-build-2…
Fetching Chef Server certificates for local use
/opt/delivery/embedded/bin/knife ssl fetch -u delivery -k /etc/delivery/delivery.pem --server-url https://chef.firstfuelsoftware.net/organizations/automate-org returned 100

When I try running the knife ssl fetch manually I also get an error:

[root@chef-automate-1 ~]# /opt/delivery/embedded/bin/knife ssl fetch -VV -u delivery -k /etc/delivery/delivery.pem --server-url https://chef.firstfuelsoftware.net/organizations/automate-org
INFO: Using configuration from /root/.chef/knife.rb
DEBUG: Checking SSL cert on https://chef.firstfuelsoftware.net/organizations/automate-org
WARNING: Certificates from chef.firstfuelsoftware.net will be fetched and placed in your trusted_cert
directory (/root/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for *.firstfuelsoftware.net in /root/.chef/trusted_certs/wildcard_firstfuelsoftware_net.crt
Adding certificate for Go Daddy Secure Certificate Authority - G2 in /root/.chef/trusted_certs/Go_Daddy_Secure_Certificate_Authority_-G2.crt
Adding certificate for Go Daddy Root Certificate Authority - G2 in /root/.chef/trusted_certs/Go_Daddy_Root_Certificate_Authority_-_G2.crt
/opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/knife/ssl_fetch.rb:93:in `cn_of': undefined method `[]' for nil:NilClass (NoMethodError)
	from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/knife/ssl_fetch.rb:119:in `write_cert'
	from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/knife/ssl_fetch.rb:138:in `block in run'
	from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/knife/ssl_fetch.rb:137:in `each'
	from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/knife/ssl_fetch.rb:137:in `run'
	from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/knife.rb:421:in `block in run_with_pretty_exceptions'
	from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/local_mode.rb:44:in `with_server_connectivity'
	from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/knife.rb:420:in `run_with_pretty_exceptions'
	from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/knife.rb:219:in `run'
	from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/lib/chef/application/knife.rb:148:in `run'
	from /opt/delivery/embedded/lib/ruby/gems/2.2.0/gems/chef-12.11.19/bin/knife:25:in `<top (required)>'
	from /opt/delivery/embedded/bin/knife:23:in `load'
	from /opt/delivery/embedded/bin/knife:23:in

Hey Peter,

Can you check to make sure that you have the entire certificate chain on the load balancer in front of your Chef Server? Run openssl s_client -connect chef.firstfuelsoftware.net:443 (if that’s not the correct URL it should be the Chef Server).

You should have the whole certificate chain installed on the load balancer (the cert you were issued, any intermediate certificates, and the root certificate).

If nothing jumps out at you could you post the output and we can help you troubleshoot?

(Updated to remove the paths from the URL for openssl connect)

Thanks!
David

Hi David, thanks for the reply. Nothing jumps out at me. And I know this is the same process (from an AWS & certificates) that we use elsewhere, so I’m not sure what’s different here.

[ec2-user@chef-automate-1 ~] openssl s_client -connect chef.firstfuelsoftware.net:443
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.firstfuelsoftware.net
verify return:1
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.firstfuelsoftware.net
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
Server certificate
-----BEGIN CERTIFICATE-----
[PEM certificate body omitted]
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.firstfuelsoftware.net
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
SSL handshake has read 5428 bytes and written 375 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 03EB6D0669B4E11E261B0B73F6550A86F8F60CF6DCBDB398D5E1F31894165247
    Session-ID-ctx:
    Master-Key: D4C474F2C1387BF5602A48707EF0EF3E3DD2DC80A6B079E8104E28F3AE10211BC6B1322E562E659FB901285D68CD05CB
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    [session ticket hex dump omitted]

Start Time: 1475676427
Timeout   : 300 (sec)
Verify return code: 0 (ok)

Thanks for pasting that output.

We dug a little deeper and it looks like you are running into this issue: https://github.com/chef/chef/issues/2919

From the output, it appears that the third cert in your chain does not have a CN defined:

3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority

What’s happening is that knife ssl fetch assumes all certificates have a defined CN, though this is not required by the X.509 spec. We’re looking into resolving this issue. In the meantime the fix would be to only chain certificates with defined CNs.

If you’ve got the time, we’d love to talk more about your experience with delivery-ctl install-build-node and how we can improve it. Let us know if you’re interested and we’ll be happy to set up a chat. I will also make a note to reply to this thread when a fix is available.

David
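To make the failure mode concrete, here is an added example (not Chef's code, not from this thread) that builds two locally constructed test certificates with subjects copied from the chain above, shows the naive CN lookup raising NoMethodError on the CN-less Class 2 root, and names trusted-cert files in a way that tolerates a missing CN; `make_test_cert`, `trusted_cert_basename` and `chain_basenames` are hypothetical helper names.

```ruby
require "openssl"

# Build a self-signed test certificate with the given subject DN. The certificates
# are constructed sample data standing in for what a server presents in the handshake.
def make_test_cert(subject_dn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse(subject_dn)
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Subjects modelled on the openssl s_client chain in this thread:
# the leaf carries a CN, the Class 2 root carries only C, O and OU.
LEAF_CERT = make_test_cert("/OU=Domain Control Validated/CN=*.firstfuelsoftware.net")
NO_CN_ROOT = make_test_cert("/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority")

# Naive lookup in the style of the failing fetch: find the CN tuple, then index into it.
# When no CN is present, `find` returns nil and `nil[1]` raises NoMethodError.
def cn_of(certificate)
  cn_field_tuple = certificate.subject.to_a.find { |field| field[0] == "CN" }
  cn_field_tuple[1]
end

# Tolerant file naming (hypothetical): prefer CN, then OU, then O, and finally fall
# back to the server host plus the certificate's position in the chain. "*" becomes
# "wildcard" and anything outside [A-Za-z0-9_-] becomes "_", so names are filesystem safe.
def trusted_cert_basename(certificate, host, index)
  fields = {}
  certificate.subject.to_a.each { |(key, value, _type)| fields[key] ||= value }
  name = fields["CN"] || fields["OU"] || fields["O"] || "#{host}_#{index}"
  name.sub("*", "wildcard").gsub(/[^[:alnum:]\-_]/, "_") + ".crt"
end

# Name every certificate in a presented chain, as a fetch step would before writing files.
def chain_basenames(chain, host)
  chain.each_with_index.map { |cert, i| trusted_cert_basename(cert, host, i) }
end
```

Running `chain_basenames([LEAF_CERT, NO_CN_ROOT], "chef.example.net")` names both certificates, whereas `cn_of(NO_CN_ROOT)` reproduces the undefined method `[]' for nil:NilClass crash from the backtrace.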

Greetings! We fixed this with https://github.com/chef/chef/pull/5498 which was released in Chef 12.16. The next release of Automate will have this updated Chef.

Note: I edited my original reply. I originally said this fix will be available in the next version of the ChefDK then realized that would not help you!

I am facing the same issue:
/opt/delivery/embedded/bin/knife ssl fetch -u delivery -k /etc/delivery/delivery.pem --server-url https://chefserver.aws.org/organizations/automate_chef-org returned 100
What’s the fix now?
I am using Chef Automate delivery_0.6.7-1_amd64.deb and trying to install a build node (chefdk_1.1.16-1_amd64.deb).
Thanks
Geetha