Error connecting to SSL URL


#1

Hi,

I’m able to install chef server 7.8 on centos5.3 per wiki guide. I’m also able
to run chef client on a node and then ‘validate’ registration from the server
web UI. However, subsequent chef-client runs fail. Looks like openid issues.
Am hoping someone can point me in the right direction.

BTW, previous 7.6 install worked perfectly (server & nodes).

Here is the output from client:

/usr/lib/ruby/1.8/net/http.rb:2097:in error!': 400 "Bad Request" (Net::HTTPServerException) from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/rest.rb:233:inrun_request’
from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/rest.rb:95:in
post_rest' from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/client.rb:232:inauthenticate’
from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/client.rb:74:in
run' from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/application/client.rb:186:inrun_application’
from
/usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/application/client.rb:178:in
loop' from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/application/client.rb:178:inrun_application’
from
/usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/application.rb:57:in run' from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/bin/chef-client:26 from /usr/bin/chef-client:19:inload’
from /usr/bin/chef-client:19

And here is the chef server.log:

~ Started request handling: Mon Aug 24 03:26:23 -0700 2009
~ Params: {“submit”=>“Verify”, “action”=>“start”,
“controller”=>“chef_server_slice/openid_consumer”,
“openid_identifier”=>“https://chef001.blah.com:444/openid/server/node/node001_blah_com”}
~ WARNING: making https request to
https://chef001.blah.com:444/openid/server/node/node001_blah_com without
verifying server certificate; no CA path was specified.
~ Discovery failed for
https://chef001.blah.com:444/openid/server/node/node001_blah_com: Failed to
fetch identity URL
https://chef001.blah.com:444/openid/server/node/node001_blah_com : Error
connecting to SSL URL
https://chef001.blah.com:444/openid/server/node/node001_blah_com: hostname does
not match - (Merb::ControllerExceptions::BadRequest)


#2

HI,

On 25/08/2009, at 5:38 AM, m2matson@gmail.com wrote:

Hi,

I’m able to install chef server 7.8 on centos5.3 per wiki guide.
I’m also able
to run chef client on a node and then ‘validate’ registration from
the server
web UI. However, subsequent chef-client runs fail. Looks like
openid issues.
Am hoping someone can point me in the right direction.

BTW, previous 7.6 install worked perfectly (server & nodes).

Here is the output from client:

/usr/lib/ruby/1.8/net/http.rb:2097:in error!': 400 "Bad Request" (Net::HTTPServerException) from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/rest.rb:233:inrun_request’
from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/rest.rb:95:in
post_rest' from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/client.rb:232:inauthenticate’
from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/client.rb:74:in
run' from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/application/ client.rb:186:inrun_application’
from
/usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/application/
client.rb:178:in
loop' from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/application/ client.rb:178:inrun_application’
from
/usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/application.rb:57:in
run' from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/bin/chef-client:26 from /usr/bin/chef-client:19:inload’
from /usr/bin/chef-client:19

And here is the chef server.log:

~ Started request handling: Mon Aug 24 03:26:23 -0700 2009
~ Params: {“submit”=>“Verify”, “action”=>“start”,
“controller”=>“chef_server_slice/openid_consumer”,
“openid_identifier”=>“https://chef001.blah.com:444/openid/server/node/node001_blah_com
”}
~ WARNING: making https request to
https://chef001.blah.com:444/openid/server/node/node001_blah_com
without
verifying server certificate; no CA path was specified.
~ Discovery failed for
https://chef001.blah.com:444/openid/server/node/node001_blah_com:
Failed to
fetch identity URL
https://chef001.blah.com:444/openid/server/node/node001_blah_com :
Error
connecting to SSL URL
https://chef001.blah.com:444/openid/server/node/node001_blah_com:
hostname does
not match - (Merb::ControllerExceptions::BadRequest)

This error means that the URL your chef server is attempting to
connect to does not match the Common Name of the SSL certificate
running there. You should re-generate your cert (our repo has a task)
for chef001.blah.com and change it your Apache configuration
appropriately.

I believe the Opscode Chef Server recipe can do this automatically by
supplying values for ‘server_ssl_req’ and ‘server_fqdn’ in JSON or
Attributes (Roles), then running Solo.


AJ Christensen, Software Engineer
Opscode, Inc.
E: aj@opscode.com


#3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!

On Aug 24, 2009, at 11:38 AM, m2matson@gmail.com
m2matson@gmail.com wrote:

I’m able to install chef server 7.8 on centos5.3 per wiki guide.
I’m also able
to run chef client on a node and then ‘validate’ registration from
the server
web UI. However, subsequent chef-client runs fail. Looks like
openid issues.
Am hoping someone can point me in the right direction.

~ Started request handling: Mon Aug 24 03:26:23 -0700 2009
~ Params: {“submit”=>“Verify”, “action”=>“start”,
“controller”=>“chef_server_slice/openid_consumer”,
“openid_identifier”=>“https://chef001.blah.com:444/openid/server/node/node001_blah_com
”}
~ WARNING: making https request to
https://chef001.blah.com:444/openid/server/node/node001_blah_com
without
verifying server certificate; no CA path was specified.
~ Discovery failed for
https://chef001.blah.com:444/openid/server/node/node001_blah_com:
Failed to
fetch identity URL
https://chef001.blah.com:444/openid/server/node/node001_blah_com :
Error
connecting to SSL URL
https://chef001.blah.com:444/openid/server/node/node001_blah_com:
hostname does
not match - (Merb::ControllerExceptions::BadRequest)

First, on the server side, you need to make sure all the SSL bits line
up properly. For example from my CentOS 5.3 test system:

grep _url /etc/chef/server.rb

registration_url "https://centos5test.int.example.com"
openid_url "https://centos5test.int.example.com:444"
template_url "https://centos5test.int.example.com"
remotefile_url "https://centos5test.int.example.com"
search_url "https://centos5test.int.example.com"
role_url “https://centos5test.int.example.com

grep SSLCert /etc/httpd/sites-enabled/chef_server.conf

SSLCertificateFile /etc/chef/certificates/
centos5test.int.example.com.pem
SSLCertificateKeyFile /etc/chef/certificates/
centos5test.int.example.com.pem
SSLCertificateFile /etc/chef/certificates/
centos5test.int.example.com.pem
SSLCertificateKeyFile /etc/chef/certificates/
centos5test.int.example.com.pem

The first two are for the 443 vhost (webui etc) and the second two 444
vhost (openid). They should both match.

openssl x509 -noout -text -fingerprint < /etc/chef/certificates/

centos5test.int.example.com.pem | grep Subject:
Subject: C=US, ST=Several, L=Locality, O=Example,
OU=Operations, CN=centos5test.int.example.com/emailAddress=ops@int.example.com

The certificate file is the same as used in the vhosts, and the CN
should match the FQDN of the server.

You can regenerate this by editing the JSON data used with the Chef
Solo bootstrap and adding an attribute for “server_ssl_req”. The
configuring server/clients wiki page has an example of how this string
should look (hint: similar to the subject line).


Opscode, Inc
Joshua Timberman, Senior Solutions Engineer
C: 720.878.4322 E: joshua@opscode.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkqS094ACgkQO97WSdVpzT1X/ACcDlEMQ+Mv42Ol77Wmoh5IXWkX
u0UAnRnkJylkwUqEXgtk0snTc1EKjM+j
=tgd3
-----END PGP SIGNATURE-----


#4

AJ,

That was it! I generated a new cert with the rake task and updated Apache
configs (sites-enabled sites-available).

chef-client now runs like a champ and the node shows up in the Web UI under
’Nodes’.

Thanks!

On Mon, Aug 24, 2009 at 10:42 AM, Arjuna Christensen aj@opscode.com wrote:

HI,

On 25/08/2009, at 5:38 AM, m2matson@gmail.com wrote:

Hi,

I’m able to install chef server 7.8 on centos5.3 per wiki guide. I’m also
able
to run chef client on a node and then ‘validate’ registration from the
server
web UI. However, subsequent chef-client runs fail. Looks like openid
issues.
Am hoping someone can point me in the right direction.

BTW, previous 7.6 install worked perfectly (server & nodes).

Here is the output from client:

/usr/lib/ruby/1.8/net/http.rb:2097:in error!': 400 "Bad Request" (Net::HTTPServerException) from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/rest.rb:233:inrun_request’
from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/rest.rb:95:in
post_rest' from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/client.rb:232:inauthenticate’
from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/client.rb:74:in
`run’
from

/usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/application/client.rb:186:in
`run_application’
from

/usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/application/client.rb:178:in
`loop’
from

/usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/application/client.rb:178:in
run_application' from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/application.rb:57:inrun’
from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/bin/chef-client:26
from /usr/bin/chef-client:19:in `load’
from /usr/bin/chef-client:19

And here is the chef server.log:

~ Started request handling: Mon Aug 24 03:26:23 -0700 2009
~ Params: {“submit”=>“Verify”, “action”=>“start”,
“controller”=>“chef_server_slice/openid_consumer”,
“openid_identifier”=>“
https://chef001.blah.com:444/openid/server/node/node001_blah_com”}
~ WARNING: making https request to
https://chef001.blah.com:444/openid/server/node/node001_blah_com without
verifying server certificate; no CA path was specified.
~ Discovery failed for
https://chef001.blah.com:444/openid/server/node/node001_blah_com: Failed
to
fetch identity URL
https://chef001.blah.com:444/openid/server/node/node001_blah_com : Error
connecting to SSL URL
https://chef001.blah.com:444/openid/server/node/node001_blah_com: hostname
does
not match - (Merb::ControllerExceptions::BadRequest)

This error means that the URL your chef server is attempting to connect to
does not match the Common Name of the SSL certificate running there. You
should re-generate your cert (our repo has a task) for chef001.blah.comand change it your Apache configuration appropriately.

I believe the Opscode Chef Server recipe can do this automatically by
supplying values for ‘server_ssl_req’ and ‘server_fqdn’ in JSON or
Attributes (Roles), then running Solo.


AJ Christensen, Software Engineer
Opscode, Inc.
E: aj@opscode.com adam@opscode.com


#5

On Mon, Aug 24, 2009 at 10:42 AM, Arjuna Christensenaj@opscode.com wrote:

HI,
On 25/08/2009, at 5:38 AM, m2matson@gmail.com wrote:

Hi,

I’m able to install chef server 7.8 on centos5.3 per wiki guide. I’m also
able
to run chef client on a node and then ‘validate’ registration from the
server
web UI. However, subsequent chef-client runs fail. Looks like openid
issues.
Am hoping someone can point me in the right direction.

BTW, previous 7.6 install worked perfectly (server & nodes).

Here is the output from client:

/usr/lib/ruby/1.8/net/http.rb:2097:in error!': 400 "Bad Request" (Net::HTTPServerException) from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/rest.rb:233:inrun_request’
from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/rest.rb:95:in
post_rest' from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/client.rb:232:inauthenticate’
from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/client.rb:74:in
run' from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/application/client.rb:186:inrun_application’
from
/usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/application/client.rb:178:in
loop' from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/application/client.rb:178:inrun_application’
from
/usr/lib/ruby/gems/1.8/gems/chef-0.7.8/lib/chef/application.rb:57:in run' from /usr/lib/ruby/gems/1.8/gems/chef-0.7.8/bin/chef-client:26 from /usr/bin/chef-client:19:inload’
from /usr/bin/chef-client:19

And here is the chef server.log:

~ Started request handling: Mon Aug 24 03:26:23 -0700 2009
~ Params: {“submit”=>“Verify”, “action”=>“start”,
“controller”=>“chef_server_slice/openid_consumer”,
“openid_identifier”=>“https://chef001.blah.com:444/openid/server/node/node001_blah_com”}
~ WARNING: making https request to
https://chef001.blah.com:444/openid/server/node/node001_blah_com without
verifying server certificate; no CA path was specified.
~ Discovery failed for
https://chef001.blah.com:444/openid/server/node/node001_blah_com: Failed to
fetch identity URL
https://chef001.blah.com:444/openid/server/node/node001_blah_com : Error
connecting to SSL URL
https://chef001.blah.com:444/openid/server/node/node001_blah_com: hostname
does
not match - (Merb::ControllerExceptions::BadRequest)

This error means that the URL your chef server is attempting to connect to
does not match the Common Name of the SSL certificate running there. You
should re-generate your cert (our repo has a task) for chef001.blah.com and
change it your Apache configuration appropriately.
I believe the Opscode Chef Server recipe can do this automatically by
supplying values for ‘server_ssl_req’ and ‘server_fqdn’ in JSON or
Attributes (Roles), then running Solo.

AJ Christensen, Software Engineer
Opscode, Inc.
E: aj@opscode.com

I’ve ran into this problem as well. My script that sets up chef asks
the user what they expect the fqdn to be and it sets that before
configuring chef. It’s a pretty easy thing to forget to do.

It would be awesome if that could be part of the installation routine
for debian (and maybe rpm packages) – asking the user what the fqdn
name should be and configuring that for them.


Joe Van Dyk
http://fixieconsulting.com


#6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!

On Aug 24, 2009, at 4:21 PM, Joe Van Dyk wrote:

It would be awesome if that could be part of the installation routine
for debian (and maybe rpm packages) – asking the user what the fqdn
name should be and configuring that for them.

The Debian package will set up 2 Merb mongrel workers by default,
listening on ports 4000 and 4001. We couldn’t do our default Apache
+Passenger configuration because Passenger doesn’t have a Debian /
Ubuntu package yet. To encrypt the front end connection, an Apache,
Nginx or other proxy with SSL needs to be set up. I plan to add that
to the Chef cookbook.

And yes, Debian / Ubuntu packages for Chef are coming soon, we’re
waiting for archive approval and upload, we’ll have a blog and mailing
list post about it.


Opscode, Inc
Joshua Timberman, Senior Solutions Engineer
C: 720.878.4322 E: joshua@opscode.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkqTF8wACgkQO97WSdVpzT37GgCdG/cUCGo8eDYCi5UhDKMEfidA
TusAn35evdWpYmM51jgkAGo38Wq7XCkU
=yPF2
-----END PGP SIGNATURE-----