Connectivity errors in automate preflight

I am attempting to install Automate on a brand-new Centos7 VM. I'm following the steps at https://automate.chef.io/docs/install/. I've downloaded and gunzipped, run ./chef-automate init-config, and then get failures when trying to run the install, both with and without the included chef infra server.

ca version
Version: 2
  CLI Build: 20200813174915

I'm getting these errors in the preflight checks:

FAIL| https://licensing.chef.io/status is not reachable
FAIL| https://bldr.habitat.sh is not reachable
FAIL| https://raw.githubusercontent.com is not reachable
 OK | https://packages.chef.io is reachable
FAIL| https://github.com is not reachable
 OK | https://downloads.chef.io is reachable

I can ping them just fine:

ping raw.githubusercontent.com
PING github.map.fastly.net (151.101.64.133) 56(84) bytes of data.
64 bytes from 151.101.64.133 (151.101.64.133): icmp_seq=1 ttl=57 time=2.09 ms

There seems to be a cert error:

DEBU[0000] failed to HEAD https://licensing.chef.io/status  error="Head \"https://licensing.chef.io/status\": x509: certificate signed by unknown authority"
DEBU[0000] Connectivity check failed                     error="Head \"https://licensing.chef.io/status\": x509: certificate signed by unknown authority" url="https://licensing.chef.io/status"
DEBU[0000] failed to HEAD https://bldr.habitat.sh        error="Head \"https://bldr.habitat.sh\": x509: certificate signed by unknown authority"
DEBU[0000] Connectivity check failed                     error="Head \"https://bldr.habitat.sh\": x509: certificate signed by unknown authority" url="https://bldr.habitat.sh"
DEBU[0000] failed to HEAD https://raw.githubusercontent.com  error="Head \"https://raw.githubusercontent.com\": x509: certificate signed by unknown authority"
DEBU[0000] Connectivity check failed                     error="Head \"https://raw.githubusercontent.com\": x509: certificate signed by unknown authority" url="https://raw.githubusercontent.com"
DEBU[0001] failed to HEAD https://github.com             error="Head \"https://github.com\": x509: certificate signed by unknown authority"
DEBU[0001] Connectivity check failed                     error="Head \"https://github.com\": x509: certificate signed by unknown authority" url="https://github.com"
DeployError: Unable to install, configure and start the service: Get "https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh": x509: certificate signed by unknown authority
FileAccessError: Unable to access the file or directory: Connecting to deployment-service failed: Failed to read deployment-service TLS certificates: Could not read the service cert: open /hab/svc/deployment-service/data/deployment-service.crt: no such file or directory
curl "https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh"
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

I can never tell if these kinds of errors are on the client or server side.
Do I need to change my config, or get my identity/server team to generate a new CA cert, or what else?

If you try chef-automate deploy config.toml --skip-preflight do you get past this?

Hi, I tried that; this is the output:

[root@mtpvdachef01 engineering] ca deploy --product automate --product infra-server --accept-terms-and-mlsa -d --skip-preflight
DEBU[0000] chef-automate 20200813174915 (42f2eaff3ba548ddb8ef081bb7a3e92fd47b7690)
DEBU[0000] Not checking version
DEBU[0000] running external command                      cmd="[hostname -f]" env="[]"
DEBU[0000] external command successful                   cmd="[hostname -f]" time_ms=3.9534080000000005

Bootstrapping Chef Automate
  Fetching Release Manifest
DEBU[0000] Checking manifest signature                   url="https://packages.chef.io/manifests/current/automate/latest.json.asc"
  Installing Habitat
  Installing Habitat 1.6.56/20200618202635
DEBU[0000] running external command                      cmd="[bash -c command -v hab]" env="[]"
DEBU[0000] external command failed                       cmd="[bash -c command -v hab]" stderr="(no stderr available)" time_ms=1.655626
DEBU[0000] Stack trace:
DeployError: Unable to install, configure and start the service: Get "https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh": x509: certificate signed by unknown authority

Does this machine have native internet access?

Is there a transparent proxy in place? Did you customise the certificates store on the node on which you are attempting to install? Is the node itself clean with no prior installed software?

Hi!

  1. Yes, I can ping all the addresses in question; I just get errors when connecting to them.
  2. No proxy, but we do have a Zscaler in place that has caused problems before. (Is that the same thing?)
  3. No, I am just following the installation instructions at https://automate.chef.io/docs/install/
  4. Yes, this is a brand-new CentOS 7 VM spun up just for this purpose.

thanks!

Do you have an http_proxy or https_proxy defined? I found they can get in the way of Automate like you're seeing, and it's not obvious that the proxy (or lack thereof) is at fault.

I do not. We've never had to set that before - we don't have to specify a proxy anywhere, not just in Chef. Perhaps that is the invisible proxy you're referring to.

I spoke with a peer who's had a similar issue with the zscaler before, and he provided me with two sets of certs to add to the box. I created them, but get errors when running the sudo update-ca-trust extract command:

[root@mtpvdachef01 engineering] update-ca-trust extract
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit

(lots of these)

I know this has nothing to do with Automate, but is there any experience anyone can share around these issues?

Update: after yum upgrading everything, which had its own challenges, I re-ran the trust update command and it seems to have worked. Trying to install Automate again...

Update 2: yes! After getting through those yum conflicts, the cert updates seem to have worked, and the Automate installer is running smoothly now.

For anyone who comes here with this issue (not related to Automate, to be clear): I ultimately had to yum remove grub2-tools, yum install grub2-tools, and then run all the updates/upgrades again.
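The recurring question in this thread is whether an "x509: certificate signed by unknown authority" failure is the client's trust store or the server's certificate. The script below is an added example, not from the thread or from Chef: it classifies the chain that a server actually presents to this host and, for the client-side case, shows the CentOS 7 trust-store remedy that ended up working above. The host names, verdict labels and the constructed openssl output in the comments are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Chef's code): tell a client-side trust-store gap, which is
# what a TLS-inspecting proxy such as Zscaler produces, from a server-side
# certificate problem, by reading the chain the server hands this machine.
set -u

# classify_chain: reads `openssl s_client -showcerts` output on stdin and prints
# a one-word verdict on line 1 and the top-most issuer the server sent on line 2.
classify_chain() {
  local out issuer rc
  out=$(cat)
  # The last "i:" line is the issuer of the highest certificate in the chain.
  issuer=$(printf '%s\n' "$out" | sed -n 's/^ *i:[ ]*\(.*\)$/\1/p' | tail -n 1)
  rc=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
  case "${rc:-none}" in
    0)        echo "ok" ;;               # local store trusts the chain; look at proxy env vars, SNI, clock instead
    10)       echo "expired" ;;          # server-side: the certificate has expired
    19|20|21) echo "untrusted-issuer" ;; # client-side: the local store does not know this issuer
    *)        echo "unknown" ;;
  esac
  echo "${issuer:-<no chain seen>}"
}

# probe_host: live check of one host (needs network). If the issuer printed is
# your organisation's or an inspection product's CA rather than the public CA
# you see from a machine outside the network, TLS inspection is in the path.
probe_host() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null | classify_chain
}

# trust_inspection_ca: CentOS 7 remedy once the inspection root CA (PEM file,
# obtained from the proxy's owners) is in hand; Go binaries such as
# chef-automate read the system store this command regenerates.
trust_inspection_ca() {
  sudo cp "$1" /etc/pki/ca-trust/source/anchors/ && sudo update-ca-trust extract
}

# Usage: probe_host raw.githubusercontent.com
```

Run probe_host against one of the FAIL hosts from the preflight list and against one of the OK hosts; an issuer that differs between the two, or that names your company instead of a public CA, is the interception certificate to add.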


So the installer ran smoothly and completed with no errors. The services are all up and running with 'ok' status. However, I get no response when loading the FQDN in a browser. What should I be looking for here to confirm configuration?

UPDATE: this is a big derp. I had to disable the firewall daemon.