Chef 11.8 - certificate verify failed

Chef Infra (archive)

Nikhil_Shah February 1, 2016, 10:25pm 1

I recently started having issues with SSL all of a sudden without anything being changed and was hoping someone can be of assistance:

Bootstrapping to windows using winrm, getting the following error:

10.40.1.23 [2016-02-01T17:16:35-05:00] FATAL: OpenSSL::SSL::SSLError: SSL Error connecting to https://XXXXXX/clients - SSL_connect returned=1 errno=0 state=error: certificate verify failed.

Nothing in the configs changed and it worked perfectly fine in the past. I did try to add the following line to bypass ssl verification but it doesn’t seem to be working

verify_api_cert false
ssl_verify_mode :verify_none

Any help would be great!

coderanger February 1, 2016, 10:28pm 2

Check the expiration date on the Chef Server’s certificate.

Nikhil_Shah February 1, 2016, 10:46pm 3

Its valid until 2024. I even tried to run a knife ssl fetch and received the following (no firewalls are on on any of the servers):

OpenSSL Configuration:

Version: OpenSSL 1.0.1l 15 Jan 2015
Certificate file: C:/projects/openssl/knap-build/var/knapsack/software/x86-win
dows/openssl/1.0.1q/ssl/cert.pem
Certificate directory: C:/projects/openssl/knap-build/var/knapsack/software/x8
6-windows/openssl/1.0.1q/ssl/certs
Chef SSL Configuration:
ssl_ca_path: nil
ssl_ca_file: “C:/opscode/chef/embedded/ssl/certs/cacert.pem”
trusted_certs_dir: “C:/Users/codegenagent\.chef\trusted_certs”

TO FIX THIS ERROR:

If the server you are connecting to uses a self-signed certificate, you must
configure chef to trust that server’s certificate.

By default, the certificate is stored in the following location on the host
where your chef-server runs:

/var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to your trusted_certs_dir (currently: C:/Users/codegenagent.chef
\trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server’s certificate is now trusted.

C:\Windows\system32>knife ssl fetch
WARNING: No knife configuration file found
WARNING: Certificates from localhost will be fetched and placed in your trusted_
cert
directory (C:/Users/codegenagent.chef\trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

ERROR: Network Error: No connection could be made because the target machine act
ively refused it. - connect(2)
Check your knife configuration and network settings

Topic		Replies	Views	Activity
SSL Cert Error Chef Infra (archive)	4	352	March 27, 2015
OpenSSL::SSL::SSLError: certificate verify failed Chef Infra (archive)	10	7941	July 13, 2016
Knife ssl check/fetch/check against a self-signed winrm ssl-transport host fails Chef Infra (archive)	1	934	September 29, 2015
SSL validation failed during Windows bootstrap? Chef Infra (archive)	2	680	January 15, 2015
Knife ssl check error? Chef Infra (archive)	1	1198	December 31, 2016