Chef Certificates


#1

Hi,

I get the following error in a recipe:

remote_file("my-script.ps1") do
  provider Chef::Provider::RemoteFile
  action "create"
  retries 0
  retry_delay 2
  default_guard_interpreter :default
  path "my-script.ps1"
  backup 5
  atomic_update true
  source ["https://myrepo.internal.local/dev/Chef/raw/master/src/BLD/Chef.BLD/Recipes/my-script.ps1"]
  use_etag true
  use_last_modified true
  declared_type :remote_file
  cookbook_name "windows"
  recipe_name "runmyscript"
end

[2015-05-19T08:34:04+01:00] INFO: Running queued delayed notifications before re-raising exception

Running handlers:
[2015-05-19T08:34:04+01:00] ERROR: Running exception handlers
Running handlers complete
[2015-05-19T08:34:04+01:00] ERROR: Exception handlers complete
[2015-05-19T08:34:04+01:00] FATAL: Stacktrace dumped to c:/chef/cache/chef-stacktrace.out
Chef Client failed. 2 resources updated in 29.838761 seconds
[2015-05-19T08:34:04+01:00] FATAL: OpenSSL::SSL::SSLError: remote_file[my-script.ps1] (windows::runmyscript line
8) had an error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

The source uses a valid certificate (not self-signed) and I have put the pem files (full cert chain) under /opt/chef-server/embedded/ssl/certs on my chef server.

How do I get the chef-client to use them?

Cheers,
Simon.


Disclaimer

This message is intended only for the use of the person(s) (“Intended Recipient”) to whom it is addressed. It may contain information which is privileged and confidential. Accordingly any dissemination, distribution, copying or other use of this message or any of its content by any person other than the Intended Recipient may constitute a breach of civil or criminal law and is strictly prohibited. If you are not the Intended Recipient, please contact the sender as soon as possible.

Totaljobs Group Limited Registered Office: Bluefin Building, 110 Southwark Street, London, SE1 0TA, UK Registered in England and Wales under company no. 4269861



#2


Daniel DeLeo

On Tuesday, May 19, 2015 at 12:42 AM, Simon Hawkins wrote:

Hi,

I get the following error in a recipe:

remote_file(“my-script.ps1”) do
provider Chef::Provider::RemoteFile
action "create"
retries 0
retry_delay 2
default_guard_interpreter :default
path "my-script.ps1"
backup 5
atomic_update true
source [“https://myrepo.internal.local/dev/Chef/raw/master/src/BLD/Chef.BLD/Recipes/my-script.ps1”]
use_etag true
use_last_modified true
declared_type :remote_file
cookbook_name "windows"
recipe_name "runmyscript"
end

[2015-05-19T08:34:04+01:00] INFO: Running queued delayed notifications before re-raising exception

Running handlers:
[2015-05-19T08:34:04+01:00] ERROR: Running exception handlers
Running handlers complete
[2015-05-19T08:34:04+01:00] ERROR: Exception handlers complete
[2015-05-19T08:34:04+01:00] FATAL: Stacktrace dumped to c:/chef/cache/chef-stacktrace.out
Chef Client failed. 2 resources updated in 29.838761 seconds
[2015-05-19T08:34:04+01:00] FATAL: OpenSSL::SSL::SSLError: remote_file[my-script.ps1] (windows::runmyscript line
8) had an error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

The source uses a valid certificate (not self-signed) and I have put the pem files (full cert chain) under /opt/chef-server/embedded/ssl/certs on my chef server.

How do I get the chef-client to use them?

Cheers,
Simon.

Firstly, you need to configure your server so that the nginx load balancer will use your certs. To do so, create a chef-server.rb file and configure the relevant settings, which are described here: http://docs.chef.io/config_rb_server_optional_settings.html#nginx After doing that, running chef-server-ctl reconfigure will apply them.

From the client, you can debug ssl issues with knife ssl check. On a server system, you’ll want to run knife ssl check -c /etc/chef/client.rb. When it’s all working, that command should tell you that.


Daniel DeLeo