ERROR: SSL Validation failure connecting


#1

Hi All,

I’m getting the error below when I try to bootstrap; it was working fine before.

1.1.1.1 Creating a new client identity for host-172-18-8-48.localdomain.com using the validator key.
1.1.1.1 [2014-12-08T17:46:24+05:30] ERROR: SSL Validation failure connecting to host: jccsops.jamcracker.com - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
1.1.1.1
1.1.1.1 ================================================================================
1.1.1.1 Chef encountered an error attempting to create the client "host-172-18-8-48.localdomain.com"
1.1.1.1 ================================================================================
1.1.1.1
1.1.1.1 [2014-12-08T17:46:24+05:30] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
1.1.1.1 Chef Client failed. 0 resources updated in 1.843931443 seconds
1.1.1.1 [2014-12-08T17:46:24+05:30] ERROR: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
1.1.1.1 [2014-12-08T17:46:24+05:30] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
Regards,
PullaReddy
TechOps


#2

On Monday, December 8, 2014 at 4:26 AM, Malli Pulla Reddy wrote:

Hi All,

I’m getting the error below when I try to bootstrap; it was working fine before.

1.1.1.1 Creating a new client identity for host-172-18-8-48.localdomain.com using the validator key.
1.1.1.1 [2014-12-08T17:46:24+05:30] ERROR: SSL Validation failure connecting to host: jccsops.jamcracker.com - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
1.1.1.1
1.1.1.1 ================================================================================
1.1.1.1 Chef encountered an error attempting to create the client "host-172-18-8-48.localdomain.com"
1.1.1.1 ================================================================================
1.1.1.1
1.1.1.1 [2014-12-08T17:46:24+05:30] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
1.1.1.1 Chef Client failed. 0 resources updated in 1.843931443 seconds
1.1.1.1 [2014-12-08T17:46:24+05:30] ERROR: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
1.1.1.1 [2014-12-08T17:46:24+05:30] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
Regards,
PullaReddy
TechOps

You’re probably installing Chef 12.0 now, which verifies SSL certificates by default. To accommodate self-signed certificates, Chef has had a trusted_certs directory for quite a while now; any certificates in there will be trusted the same as a regular root CA cert. You can use knife ssl fetch to pull down your self-signed certificates from your server, and knife ssl check to debug SSL issues. knife bootstrap in Chef 12.0 will copy certificates from your workstation’s trusted_certs directory to the remote machine.

Finally, you can revert to the old behavior by setting ssl_verify_mode to :verify_none in your client.rb, but if you’re gonna do this, you might as well just run your chef server on HTTP (no “S”) since the encryption can be trivially broken by a MITM so it’s a waste of CPU cycles at that point.


Daniel DeLeo
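
Why a self-signed certificate fails verification until it is placed in a trusted_certs directory, as an added example that is not part of the thread and is not Chef's own code. The hostname chef.example.invalid, the helper names and the file name are assumptions, and the certificate is a constructed throwaway.

```ruby
require "openssl"
require "tmpdir"

# Constructed sample: a throwaway self-signed certificate standing in for
# the Chef server's certificate (the hostname is a placeholder).
def make_self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Build a verification store: system root CAs plus every .crt/.pem file in
# trusted_dir, mirroring what the reply describes for trusted_certs.
def build_store(trusted_dir = nil)
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  if trusted_dir
    Dir.glob(File.join(trusted_dir, "*.{crt,pem}")).sort.each do |path|
      store.add_cert(OpenSSL::X509::Certificate.new(File.read(path)))
    end
  end
  store
end

# Returns [verified?, OpenSSL error string] for the given certificate.
def check(cert, trusted_dir = nil)
  store = build_store(trusted_dir)
  ok = store.verify(cert)
  [ok, store.error_string]
end

def demo
  server_cert = make_self_signed("chef.example.invalid")
  Dir.mktmpdir do |dir|
    before = check(server_cert, dir) # empty directory: verification fails
    File.write(File.join(dir, "chef_example_invalid.crt"), server_cert.to_pem)
    after = check(server_cert, dir)  # certificate present: now trusted
    { before: before, after: after }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

Peer verification stays on throughout; only the set of trusted certificates changes, which is the difference between this approach and :verify_none.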