Chef 11.8 - certificate verify failed


#1

I recently started having issues with SSL all of a sudden without anything being changed and was hoping someone can be of assistance:

Bootstrapping to Windows using WinRM, getting the following error:

10.40.1.23 [2016-02-01T17:16:35-05:00] FATAL: OpenSSL::SSL::SSLError: SSL Error connecting to https://XXXXXX/clients - SSL_connect returned=1 errno=0 state=error: certificate verify failed.

Nothing in the configs changed and it worked perfectly fine in the past. I did try to add the following line to bypass SSL verification but it doesn’t seem to be working.

verify_api_cert false
ssl_verify_mode :verify_none

Any help would be great!


#2

Check the expiration date on the Chef Server’s certificate.


#3

It's valid until 2024. I even tried to run a knife ssl fetch and received the following (no firewalls are on on any of the servers):

OpenSSL Configuration:

  • Version: OpenSSL 1.0.1l 15 Jan 2015
  • Certificate file: C:/projects/openssl/knap-build/var/knapsack/software/x86-windows/openssl/1.0.1q/ssl/cert.pem
  • Certificate directory: C:/projects/openssl/knap-build/var/knapsack/software/x86-windows/openssl/1.0.1q/ssl/certs

Chef SSL Configuration:

  • ssl_ca_path: nil
  • ssl_ca_file: “C:/opscode/chef/embedded/ssl/certs/cacert.pem”
  • trusted_certs_dir: “C:/Users/codegenagent\.chef\trusted_certs”

TO FIX THIS ERROR:

If the server you are connecting to uses a self-signed certificate, you must
configure chef to trust that server’s certificate.

By default, the certificate is stored in the following location on the host
where your chef-server runs:

/var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to your trusted_certs_dir (currently: C:/Users/codegenagent.chef\trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server’s certificate is now trusted.

C:\Windows\system32>knife ssl fetch
WARNING: No knife configuration file found
WARNING: Certificates from localhost will be fetched and placed in your trusted_cert
directory (C:/Users/codegenagent.chef\trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

ERROR: Network Error: No connection could be made because the target machine actively refused it. - connect(2)
Check your knife configuration and network settings
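
A diagnostic sketch related to this thread, added here and not posted by any participant: rather than turning verification off, ask OpenSSL for the specific reason behind "certificate verify failed" (untrusted self-signed certificate, expiry, or hostname mismatch). The helper names `make_self_signed` and `diagnose` and the hostname `chef.example.test` are hypothetical, and the certificates are constructed in memory to stand in for a Chef server certificate.

```ruby
require "openssl"

KEY = OpenSSL::PKey::RSA.new(2048) # constructed key, used only for the sample certs

# Constructed sample: a self-signed certificate standing in for the server's.
def make_self_signed(cn, not_before, not_after)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = KEY.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(KEY, OpenSSL::Digest.new("SHA256"))
  cert
end

# Returns [stage, openssl_error_code, message]. `trusted` plays the role of the
# certificates sitting in trusted_certs_dir.
def diagnose(cert, hostname, trusted: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  return [:chain, store.error, store.error_string] unless store.verify(cert)
  unless OpenSSL::SSL.verify_certificate_identity(cert, hostname)
    return [:hostname, nil, "certificate does not match #{hostname}"]
  end
  [:ok, nil, "ok"]
end

if __FILE__ == $0
  now = Time.now
  host = "chef.example.test" # hypothetical hostname
  valid = make_self_signed(host, now - 3600, now + 3600)
  expired = make_self_signed(host, now - 7200, now - 3600)
  {
    "self-signed, not in trust store" => diagnose(valid, host),
    "self-signed, trusted" => diagnose(valid, host, trusted: [valid]),
    "trusted but expired" => diagnose(expired, host, trusted: [expired]),
    "trusted, wrong hostname" => diagnose(valid, "other.example.test", trusted: [valid]),
  }.each { |label, result| puts "#{label}: #{result.inspect}" }
end
```
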