I recently started having issues with SSL all of a sudden without anything being changed and was hoping someone can be of assistance:
Bootstrapping to Windows using WinRM, getting the following error:
10.40.1.23 [2016-02-01T17:16:35-05:00] FATAL: OpenSSL::SSL::SSLError: SSL Error connecting to https://XXXXXX/clients - SSL_connect returned=1 errno=0 state=error: certificate verify failed.
Nothing in the configs changed and it worked perfectly fine in the past. I did try to add the following lines to bypass SSL verification but it doesn’t seem to be working:
verify_api_cert false
ssl_verify_mode :verify_none
Any help would be great!
Check the expiration date on the Chef Server’s certificate.
It's valid until 2024. I even tried to run a knife ssl fetch and received the following (no firewalls are on on any of the servers):
OpenSSL Configuration:
- Version: OpenSSL 1.0.1l 15 Jan 2015
- Certificate file: C:/projects/openssl/knap-build/var/knapsack/software/x86-windows/openssl/1.0.1q/ssl/cert.pem
- Certificate directory: C:/projects/openssl/knap-build/var/knapsack/software/x86-windows/openssl/1.0.1q/ssl/certs
Chef SSL Configuration:
- ssl_ca_path: nil
- ssl_ca_file: "C:/opscode/chef/embedded/ssl/certs/cacert.pem"
- trusted_certs_dir: "C:/Users/codegenagent\.chef\trusted_certs"
TO FIX THIS ERROR:
If the server you are connecting to uses a self-signed certificate, you must
configure chef to trust that server’s certificate.
By default, the certificate is stored in the following location on the host
where your chef-server runs:
/var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt
Copy that file to your trusted_certs_dir (currently: C:/Users/codegenagent.chef\trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server’s certificate is now trusted.
C:\Windows\system32>knife ssl fetch
WARNING: No knife configuration file found
WARNING: Certificates from localhost will be fetched and placed in your trusted_cert
directory (C:/Users/codegenagent.chef\trusted_certs).
Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.
ERROR: Network Error: No connection could be made because the target machine actively refused it. - connect(2)
Check your knife configuration and network settings
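
The two causes raised in this thread, an expired certificate and a self-signed certificate that is missing from trusted_certs_dir, can be told apart with Ruby's OpenSSL bindings instead of turning verification off. This is an added example, not part of the original posts; the certificate, the hostname chef.example.test, the dates and the helper names self_signed_cert and diagnose are constructed for illustration.

```ruby
require 'openssl'

# Constructed stand-in for a Chef Server's self-signed certificate.
def self_signed_cert(cn, not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verification errors that mean "nothing in the trust store vouches for this cert".
UNTRUSTED = [
  OpenSSL::X509::V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
  OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
  OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
].freeze

# Verify cert against only the given trusted certificates (the role played by
# trusted_certs_dir) at time `at`, and name the reason for a failure.
def diagnose(cert, trusted, at)
  store = OpenSSL::X509::Store.new # starts empty: no system CA bundle
  trusted.each { |c| store.add_cert(c) }
  store.time = at
  return :ok if store.verify(cert)
  return :expired if store.error == OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED
  return :untrusted if UNTRUSTED.include?(store.error)
  store.error_string # anything else: return OpenSSL's own message
end

if __FILE__ == $PROGRAM_NAME
  cert = self_signed_cert('chef.example.test', Time.utc(2016, 1, 1), Time.utc(2024, 1, 1))
  at = Time.utc(2016, 2, 1)
  puts "not in trust store:    #{diagnose(cert, [], at)}"
  puts "copied to trust store: #{diagnose(cert, [cert], at)}"
  puts "trusted, checked 2025: #{diagnose(cert, [cert], Time.utc(2025, 1, 1))}"
end
```

To check a real server, load the .crt file named in the knife output with OpenSSL::X509::Certificate.new(File.read(path)) and pass it to diagnose in place of the constructed certificate.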