<Errno::ECONNRESET: Connection reset by peer - SSL_connect> when chef-server-ctl test


#1

Hello

After successful chef installation on AWS Ubuntu 12.04 (default instance), chef version chef-server_11.0.8-1.ubuntu.12.04_amd64.deb
When I run
sudo chef-server-ctl test

I receive the error <Errno::ECONNRESET: Connection reset by peer - SSL_connect> (full error listing: https://gist.github.com/Houdini/5868356)
I noticed that the error is in the file
/opt/chef-server/embedded/service/chef-pedant/lib/pedant/opensource/platform.rb:81:in `create_client'
I added a puts there, and the URL is “https://ip-10-0-1-86/clients”, which is actually localhost.

And really:
curl https://ip-10-0-1-86/clients
curl: (35) Unknown SSL protocol error in connection to ip-10-0-1-86:443

Any ideas how to fix it?

Thanks


#2

Try openssl s_client -connect ip-10-0-1-86:443 and curl http://ip-10-0-1-86:443/clients to see if it’s actually just serving HTTP (non-TLS/SSL traffic) on port 443.

On Thursday, June 27, 2013 at 12:49 AM, Dmitrii Golub wrote:

Hello

After successful chef installation on AWS Ubuntu 12.04 (default instance), chef version chef-server_11.0.8-1.ubuntu.12.04_amd64.deb
When I run
sudo chef-server-ctl test

I receive the error <Errno::ECONNRESET: Connection reset by peer - SSL_connect> (full error listing: https://gist.github.com/Houdini/5868356)
I noticed that the error is in the file
/opt/chef-server/embedded/service/chef-pedant/lib/pedant/opensource/platform.rb:81:in `create_client'
I added a puts there, and the URL is “https://ip-10-0-1-86/clients”, which is actually localhost.

And really:
curl https://ip-10-0-1-86/clients
curl: (35) Unknown SSL protocol error in connection to ip-10-0-1-86:443

Any ideas how to fix it?

Thanks


#3

Really there are no certificates installed

ubuntu@ip-10-0-1-86:~$ openssl s_client -connect ip-10-0-1-86:443
CONNECTED(00000003)
write:errno=104

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 226 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

The nginx config uses two:
ssl_certificate /var/opt/chef-server/nginx/ca/ip-10-0-1-86.crt;
ssl_certificate_key /var/opt/chef-server/nginx/ca/ip-10-0-1-86.key;

I am not good with certificates, really. As I understand it, openssl can’t find the peer certificate. Where is it located, and how do I make Linux use it by default? Moreover, other clients should use that custom certificate, right?

Things become hard

On Jun 27, 2013, at 9:41 PM, Daniel Condomitti daniel@condomitti.com wrote:

Try openssl s_client -connect ip-10-0-1-86:443 and curl http://ip-10-0-1-86:443/clients to see if it’s actually just serving HTTP (non-TLS/SSL traffic) on port 443.


#4

Funny thing

ubuntu@ip-10-0-1-86:/etc$ ps ax | grep nginx
7352 ? Ss 1:18 runsv nginx
7353 ? S 0:26 svlogd -tt /var/log/chef-server/nginx
26862 pts/0 T 0:00 sudo vim /var/opt/chef-server/nginx/etc/chef_https_lb.conf
26863 pts/0 T 0:00 vim /var/opt/chef-server/nginx/etc/chef_https_lb.conf
32048 ? Ss 0:00 /opt/chef-server/embedded/sbin/nginx -c /var/opt/chef-server/nginx/etc/nginx.conf
32050 pts/0 S+ 0:00 grep --color=auto nginx

As you can see, there is no master nginx process. I didn’t notice this as a problem; however, when I rebooted the instance everything worked again:
ubuntu@ip-10-0-1-86:~$ ps ax | grep nginx
755 ? Ss 0:00 runsv nginx
766 ? S 0:00 svlogd -tt /var/log/chef-server/nginx
768 ? Ss 0:00 nginx: master process /opt/chef-server/embedded/sbin/nginx -c /var/opt/chef-server/nginx/etc/nginx.conf
814 ? S 0:03 nginx: worker process
815 ? S 0:00 nginx: cache manager process
1577 pts/1 S+ 0:00 grep --color=auto nginx

So I suppose that it’s an error in the initial chef recipe, in the nginx section: it doesn’t start nginx.
Anyway, thanks for the help

On Jun 28, 2013, at 1:46 PM, Dmitrii Golub dmitrii.golub@me.com wrote:

Really there are no certificates installed

ubuntu@ip-10-0-1-86:~$ openssl s_client -connect ip-10-0-1-86:443
CONNECTED(00000003)
write:errno=104

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 226 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

The nginx config uses two:
ssl_certificate /var/opt/chef-server/nginx/ca/ip-10-0-1-86.crt;
ssl_certificate_key /var/opt/chef-server/nginx/ca/ip-10-0-1-86.key;

I am not good with certificates, really. As I understand it, openssl can’t find the peer certificate. Where is it located, and how do I make Linux use it by default? Moreover, other clients should use that custom certificate, right?

Things become hard

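
Added example, not part of the original thread: a shell helper that reads the two pieces of evidence posted above (the openssl s_client transcript and the ps ax listing) and separates "the listener reset the connection before any ServerHello" from "a certificate was presented". The function names are hypothetical and the sample inputs are constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical and the sample inputs are
# constructed from the output quoted in this thread.

# Reads an `openssl s_client` transcript on stdin and prints one of:
#   reset_before_server_hello | no_tls_reply | certificate_presented | unknown
classify_handshake() {
    transcript=$(cat)
    read_bytes=$(printf '%s\n' "$transcript" |
        sed -n 's/^SSL handshake has read \([0-9][0-9]*\) bytes.*/\1/p' | head -n 1)
    if [ "$read_bytes" = "0" ]; then
        # Nothing came back, so no ServerHello and no certificate was sent:
        # the failure is at the listener, not in any trust store.
        if printf '%s\n' "$transcript" | grep -q 'errno=104'; then
            echo reset_before_server_hello    # 104 is ECONNRESET on Linux
        else
            echo no_tls_reply
        fi
    elif printf '%s\n' "$transcript" | grep -q '^Server certificate'; then
        echo certificate_presented
    else
        echo unknown
    fi
}

# Reads `ps ax` output on stdin; succeeds only if a process titled
# "nginx: master process" is listed, as in the post-reboot listing.
nginx_master_present() {
    grep -q 'nginx: master process'
}

SAMPLE_SCLIENT='CONNECTED(00000003)
write:errno=104
no peer certificate available
SSL handshake has read 0 bytes and written 226 bytes
New, (NONE), Cipher is (NONE)'

SAMPLE_PS_BEFORE='7352 ? Ss 1:18 runsv nginx
32048 ? Ss 0:00 /opt/chef-server/embedded/sbin/nginx -c /var/opt/chef-server/nginx/etc/nginx.conf'

SAMPLE_PS_AFTER='755 ? Ss 0:00 runsv nginx
768 ? Ss 0:00 nginx: master process /opt/chef-server/embedded/sbin/nginx -c /var/opt/chef-server/nginx/etc/nginx.conf'

printf '%s\n' "$SAMPLE_SCLIENT" | classify_handshake
printf '%s\n' "$SAMPLE_PS_BEFORE" | nginx_master_present || echo "nginx master missing"
```

On a live host the transcript can be piped in with openssl s_client -connect ip-10-0-1-86:443 </dev/null 2>&1 | classify_handshake; the 2>&1 is needed because the write:errno line is printed on stderr.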