Chef bootstrap error: Could not establish trust relationship for the SSL/TLS secure channel

We are getting the following error when trying to bootstrap Windows servers (2012 and 2008 R2):

powershell.exe -ExecutionPolicy Unrestricted -InputFormat None -NoProfile -NonInteractive -File  C:\chef\wget.ps1 "https://www.chef.io/chef/download?p=windows&pv=2012&m=x86_64&DownloadContext=PowerShell&v=12" "C:\Users\builder\AppData\Local\Temp\chef-client-latest.msi"
Exception calling "DownloadFile" with "2" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
At C:\chef\wget.ps1:14 char:1
$webClient.DownloadFile($remoteUrl, $localPath);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException

Have not seen this error before, so could use some guidance. Does this error have anything to do with trusted site certificate? How do we resolve?

Thanks,
Keith

This problem is generated by PowerShell, rather than chef. For some reason, PowerShell does not trust the certificate for www.chef.io.

Can you get to https://www.chef.io from Internet Explorer on that server?

Kevin Keane
Whom the IT Pros Call
The NetTech
http://www.4nettech.com
Our values: Privacy, Liberty, Justice
See https://www.4nettech.com/corp/the-nettech-values.html

On the Server 2012 machine, I cannot reach https://www.chef.io/ using IE; however, on one of the Server 2008 R2 machines, I can reach that site, but I do hit this: “There is a problem with this website’s security certificate.”

Check what specific problem IE reports. Odds are that it’s either a certificate name mismatch, or that the certificate wasn’t issued by a trusted authority.

Kevin Keane

So I think we’re on the right track with the certificates. The problem servers are in our pre-prod environment, but our other servers in down-level that we’ve bootstrapped successfully had two additional certs that our pre-prod servers do not. Anyway, after importing these two certs to one of our pre-prod Server 2012 machines I was able to get past the chef.io site problem and download the chef-client MSI for the bootstrap. However, now we’re getting another SSL validation error with our Chef server:

ERROR: SSL Validation failure connecting to host: chefserver.domain.com - SSL_connect returned=1 errno=0 state=error: certificate verify failed
Chef encountered an error attempting to load the node data for "node"
Unexpected Error:
OpenSSL::SSL::SSLError: SSL Error connecting to https://chefserver.domain.com/organizations/ourorg/nodes/node - SSL_connect returned=1 errno=0 state=error: certificate verify failed

I take it that chefserver.domain.com is your own chef server? Does it have a self-signed cert, a cert issued by your own CA, or a cert issued by a recognized CA?

I usually prefer to use my own CA for the chef server, and then import the CA certificate before the bootstrap process. But that is on Linux.

Kevin Keane

Our Chef server is maintained by our team in IL, so I will have to contact them to get the cert. Thanks for your help so far! Much appreciated.

Keith

After getting the cert I’m still having the same problem. I did notice that the cert is untrusted, so is that part of the issue? Also, from the node server I can log in to the Chef server via web UI, but bootstrapping still yields the error:

OpenSSL::SSL::SSLError: SSL Error connecting: SSL_connect returned=1 errno=0 state=error: certificate verify failed

The SSL (certificate verify) error connecting to the Chef server was resolved by doing a knife ssl fetch, then copying the trusted_certs folder (containing the certs from Chef server) to C:\chef on the node server. After that I was able to successfully bootstrap.
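The two checks the thread ends up doing by hand, finding out which specific certificate problem the Windows side is objecting to (name mismatch, untrusted issuer, expiry) and confirming that the certificates fetched with knife ssl fetch actually complete the chain for the Chef server, can be done from PowerShell without turning certificate validation off. The script below is an added example written for this page; it is not part of the thread, of chef-client, or of the wget.ps1 bootstrap script. It assumes PowerShell 3 or later on Windows with the .NET Framework, that the host names and the C:\chef\trusted_certs path are the ones from this thread (substitute your own), and that the files in the extra trust directory are PEM or DER certificates as written by knife ssl fetch.

```powershell
# Added example (not from the thread): report WHY a TLS endpoint fails validation
# rather than disabling validation. Assumes PowerShell 3+ on Windows / .NET Framework.
function Test-TlsTrust {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443,
        # Optional folder of CA/server certs to accept as extra anchors, for example
        # C:\chef\trusted_certs after 'knife ssl fetch' (assumed path from the thread).
        [string] $ExtraTrustDir
    )

    # Record the policy errors .NET computes during the handshake. The callback
    # returns $true only so the handshake completes and we can inspect the cert;
    # nothing is sent over this connection and the result is reported, not trusted.
    $state = @{ PolicyErrors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $errors)
        $state.PolicyErrors = $errors
        $true
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        # Copy the leaf cert out before the stream is closed.
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Close() }
        $tcp.Close()
    }

    # Re-validate locally, optionally adding the certificates from $ExtraTrustDir.
    $extraThumbprints = @()
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # focus on trust/name/expiry, not CRL reachability
    if ($ExtraTrustDir) {
        foreach ($f in Get-ChildItem -Path $ExtraTrustDir -File) {
            $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($f.FullName)
            [void] $chain.ChainPolicy.ExtraStore.Add($c)
            $extraThumbprints += $c.Thumbprint
        }
    }
    $built    = $chain.Build($leaf)
    $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # Windows still flags a root that exists only in ExtraStore as UntrustedRoot.
    # Treat that as "trusted via the extra directory" when UntrustedRoot is the ONLY
    # problem and the root is one of the certs we were explicitly handed; this mirrors
    # what chef-client does with the trusted_certs folder, without installing anything.
    $rootThumbprint  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    $otherProblems   = @($statuses | Where-Object { $_ -ne 'UntrustedRoot' })
    $trustedViaExtra = (-not $built) -and
                       ($otherProblems.Count -eq 0) -and
                       ($extraThumbprints -contains $rootThumbprint)

    [pscustomobject]@{
        Host               = $HostName
        Subject            = $leaf.Subject
        Issuer             = $leaf.Issuer
        NotAfter           = $leaf.NotAfter
        Thumbprint         = $leaf.Thumbprint
        # e.g. RemoteCertificateNameMismatch or RemoteCertificateChainErrors
        HandshakeErrors    = $state.PolicyErrors
        # e.g. UntrustedRoot, PartialChain, NotTimeValid (empty when the chain is clean)
        ChainStatus        = ($statuses -join ', ')
        TrustedByWindows   = $built
        TrustedViaExtraDir = $trustedViaExtra
    }
}

# Usage (host names and path taken from this thread; replace with your own):
# Test-TlsTrust -HostName www.chef.io
# Test-TlsTrust -HostName chefserver.domain.com -ExtraTrustDir 'C:\chef\trusted_certs'
```

Reading the output: HandshakeErrors is what the WebClient.DownloadFile call in wget.ps1 reacted to, so RemoteCertificateNameMismatch points at a certificate issued for a different name and RemoteCertificateChainErrors points at the chain; ChainStatus then names the chain problem. For the Chef server case, TrustedByWindows false with ChainStatus "UntrustedRoot" and TrustedViaExtraDir true is the expected result after knife ssl fetch: Windows itself does not trust the server's issuer, but the certificates copied into C:\chef\trusted_certs complete the chain, which is exactly why chef-client stops failing once that folder is in place.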