Can't bootstrap new nodes


#1

I am getting authentication problems when I try to bootstrap a new node. It’s been a while, and I had not switched over to the new SSL certificate method. So I took this time to try and do that.

I ran knife ssl fetch and I have .chef/trusted_certs with two files in there.

When I run knife check ssl I get the following.

Configuration Info:

OpenSSL Configuration:
* Version: LibreSSL 2.2.4
* Certificate file: /etc/ssl/cert.pem
* Certificate directory: /etc/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: "/etc/ssl/"
* ssl_ca_file: "cacert.pem"
* trusted_certs_dir: "/home/gregf/code/cookbooks/chef-gregf.org/.chef/trusted_certs"
WARNING: There are invalid certificates in your trusted_certs_dir.
OpenSSL will not use the following certificates when verifying SSL connections:

/home/gregf/code/cookbooks/chef-gregf.org/.chef/trusted_certs/wildcard_opscode_com.crt: unable to get local issuer certificate
/home/gregf/code/cookbooks/chef-gregf.org/.chef/trusted_certs/DigiCert_SHA2_Secure_Server_CA.crt: unable to get local issuer certificate


TO FIX THESE WARNINGS:

We are working on documentation for resolving common issues uncovered here.

* If the certificate is generated by the server, you may try redownloading the
server's certificate. By default, the certificate is stored in the following
location on the host where your chef-server runs:

  /var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to your trusted_certs_dir (currently: /home/gregf/code/cookbooks/chef-gregf.org/.chef/trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server's certificate is now trusted.

Connecting to host api.opscode.com:443
Successfully verified certificates from `api.opscode.com'

#2

Seems like the 2 certificates in your trusted dir are ‘wrong’, as they are unused (the check works at the end without them). I would just suppress them.

As far as I know, you should not have to fetch any certificate when using hosted chef, it is signed by a CA which is already in the cacert.pem file.
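
An added example (not part of the thread and not knife's own code) showing why CA-issued files like the two in the warning can report "unable to get local issuer certificate" while a self-signed server certificate does not. It assumes each file is checked on its own against a store that holds only that certificate; all certificate names are constructed.

```ruby
require "openssl"

# Build a constructed test certificate. With no issuer given it is self-signed.
def make_cert(cn, serial, ca: false, issuer: nil, issuer_key: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([["CN", cn]])
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  bc = OpenSSL::X509::ExtensionFactory.new
         .create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true)
  cert.add_extension(bc)
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# ASSUMPTION: each file in trusted_certs_dir is checked on its own, against a
# store holding only that certificate (plus extra_trust when given).
def standalone_check(cert, extra_trust = [])
  store = OpenSSL::X509::Store.new
  ([cert] + extra_trust).each { |c| store.add_cert(c) }
  store.verify(cert) ? "ok" : store.error_string
end

def demo_results
  root, root_key = make_cert("Constructed Root CA", 1, ca: true)
  inter, inter_key = make_cert("Constructed Intermediate CA", 2, ca: true,
                               issuer: root, issuer_key: root_key)
  leaf, = make_cert("*.example.test", 3, issuer: inter, issuer_key: inter_key)
  selfsigned, = make_cert("chef.example.test", 4, ca: true)
  {
    self_signed_alone: standalone_check(selfsigned),   # its own issuer
    leaf_alone: standalone_check(leaf),                # issuer not in store
    intermediate_alone: standalone_check(inter),       # root not in store
    leaf_with_chain: standalone_check(leaf, [inter, root]),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo_results.each { |name, result| puts "#{name}: #{result}" }
end
```

A certificate that chains to a public root only verifies when that root is available, which is the job of the system CA bundle rather than of trusted_certs.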