Getting started with Delivery - push jobs problem


#1

Hi,

I’m trying to follow the Delivery tutorial, although I am using the vagrant provisioner rather than AWS. I have got the chef server, delivery server and a build node up and running, but I seem to have a configuration problem with push jobs.

When I do ‘knife node status’ neither node shows as available. If I ssh to the build node, in /var/log/opscode-push-jobs-client/current I see errors:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

If I do:
sudo /opt/opscode-push-jobs-client/bin/pushy-client
it receives an abort:

[2015-12-12T03:01:16+00:00] INFO: [build-node-test-1] Using Chef server: https://33.33.33.10/organizations/test
[2015-12-12T03:01:16+00:00] INFO: [build-node-test-1] Using private key: /etc/chef/client.pem
[2015-12-12T03:01:16+00:00] INFO: [build-node-test-1] Using org name: test
[2015-12-12T03:01:16+00:00] INFO: [build-node-test-1] Incarnation ID: 6e4a909d-3b1e-4e9b-92dc-94315c51f6e4
[2015-12-12T03:01:16+00:00] INFO: [build-node-test-1] Starting client …
[2015-12-12T03:01:16+00:00] INFO: [build-node-test-1] Retrieving configuration from https://33.33.33.10/organizations/test/pushy/config/build-node-test-1
[2015-12-12T03:01:16+00:00] INFO: [build-node-test-1] Connecting to command channel at tcp://33.33.33.10:10002
[2015-12-12T03:01:16+00:00] INFO: [build-node-test-1] Listening for server heartbeat at tcp://33.33.33.10:10000
[2015-12-12T03:01:16+00:00] INFO: [build-node-test-1] Starting command / server heartbeat receive thread …
[2015-12-12T03:01:16+00:00] INFO: [build-node-test-1] Started client.
[2015-12-12T03:01:16+00:00] INFO: [build-node-test-1] Starting reconfigure thread. Will reconfigure / reload keys after 3600 seconds.
[2015-12-12T03:01:16+00:00] INFO: [build-node-test-1] Starting heartbeat / offline detection thread on interval 1.0 …
[2015-12-12T03:01:16+00:00] INFO: [build-node-test-1] Received abort

I’m guessing this may be due to the CA cert problem. However, in /etc/chef/client.rb, ssl_verify_mode is :none.

Any suggestions?

Regards,
Christine


#2

I’ve made some progress by setting ssl_verify_mode to :verify_none in /etc/chef/push-jobs-client.rb

Of course, I’d like to know how to get this to work with :verify_peer. I’m guessing it’s to do with openssl verifying the self-signed server certificate. There is a certificate for the server in /etc/chef/trusted_certs, and it matches the one in /var/opscode/nginx/ca on the server.

BTW, I’m using the opscode_ubuntu-14.04_chef-provisionerless vagrant box.


#3

Hey Christine,

I’m super sorry you ran into the SSL issues you’ve encountered. I believe there’s an issue at the moment related to how push-jobs trusts certain certificates on the system.

As you have already discovered, you’ll need to set some attributes to disable certificate checking at the moment. You’ll need to set:
"verify_api_cert": false,
"ssl_verify_mode": "verify_none"

I’m not sure when a fix will be available in push-jobs, but I will make a note that we need to update our documentation so others don’t get stuck on the same problem.

Let me know if you need help with getting your Delivery cluster up and running!

Thanks,

David


#4

Hi Christine,

This issue is very similar to the GH Issue https://github.com/chef-cookbooks/delivery-cluster/issues/188 - currently there is a way (described on the issue) to pass these attributes, but the right way to do this is to make Push Jobs trust the Chef Server Certificate. You do this by manually adding the certificate at the end of the file /opt/push-jobs-client/embedded/ssl/certs/cacert.pem, then just restart push-jobs and you should be good to go.

I am going to start working on an automation that does that inside delivery-cluster… Stay tuned! :slightly_smiling:


#5

Sorry, the right location is: /opt/opscode-push-jobs-client/embedded/ssl/certs/cacert.pem
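
The manual step from posts #4 and #5 (append the Chef server certificate to the push-jobs client's cacert.pem), as an added example that is not part of the thread or of delivery-cluster. The function names are hypothetical and the sample data is constructed placeholder base64, not real certificates.

```sh
#!/bin/sh
# Added example, not from the thread: append one PEM certificate to a CA bundle
# only if it is not already there. Function names are hypothetical.

# Print one line per certificate in file $1: its base64 body, armor and whitespace removed.
cert_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
         /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
         inside { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# trust_cert CERT BUNDLE: 0 = trusted (appended or already present), 2 = refused.
trust_cert() {
    cert=$1; bundle=$2
    [ -r "$cert" ] && [ -w "$bundle" ] || { echo "cannot read $cert or write $bundle" >&2; return 2; }
    # Refuse empty files and multi-certificate files: exactly one certificate is expected.
    body=$(cert_bodies "$cert")
    [ -n "$body" ] && [ "$(printf '%s\n' "$body" | grep -c .)" -eq 1 ] ||
        { echo "$cert must hold exactly one certificate" >&2; return 2; }
    # Compare normalized bodies so a re-wrapped copy of the same certificate is not added twice.
    if cert_bodies "$bundle" | grep -qxF -- "$body"; then
        echo "already in $bundle"; return 0
    fi
    cp -p "$bundle" "$bundle.bak" || return 2      # keep the previous bundle for rollback
    [ -z "$(tail -c 1 "$bundle")" ] || printf '\n' >> "$bundle"   # bundle may lack a final newline
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$cert" >> "$bundle"
    echo "appended to $bundle"
}

# Constructed sample data (placeholder base64, not real certificates):
# run trust_cert twice, then print how many certificates the bundle holds.
demo_trust_cert() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtQ0E=' \
        '-----END CERTIFICATE-----' > "$dir/cacert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQt' 'Q0hFRi1TRVJWRVI=' \
        '-----END CERTIFICATE-----' > "$dir/server.crt"
    trust_cert "$dir/server.crt" "$dir/cacert.pem" >/dev/null &&
    trust_cert "$dir/server.crt" "$dir/cacert.pem" >/dev/null &&
    grep -c 'BEGIN CERTIFICATE' "$dir/cacert.pem"
    rm -rf "$dir"
}
```

On the build node the arguments would be the server certificate file under /etc/chef/trusted_certs and /opt/opscode-push-jobs-client/embedded/ssl/certs/cacert.pem, run as root and followed by the push-jobs restart mentioned in post #4.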