Installation Failure (PEBKAC, more than likely)


#1

Hello All -

I’m having issues running chef-client post-validation through the webUI,
wondered if anyone can spot my ‘gotcha’.
Error as reported in server.log:
~ WARNING: making https request to
https://puck.test.5to1.com/openid/server/node/Titania without verifying
server certificate; no CA path was specified.
~ Discovery failed for https://puck.XXX.XXX.com/openid/server/node/Titania:
Failed to fetch identity URL
https://puck.XXX.XXX.com/openid/server/node/Titania : Error connecting to
SSL URL https://puck.XXX.XXX.com/openid/server/node/Titania: hostname does
not match - (Merb::ControllerExceptions::BadRequest)
Error running chef-client on Titania: (Titania.XXX.XXX.com)
/usr/lib/ruby/1.8/open-uri.rb:32:in `initialize': Permission denied -
/var/log/chef/client.log (Errno::EACCES)
(let me know if trace is important)
@Titania: openssl s_client -connect puck.XXX.XXX.com

CN result:
subject=/C=US/ST=Several/L=Locality/O=Example/OU=Operations/CN=Puck./emailAddress=ops@
issuer=/C=US/ST=Several/L=Locality/O=Example/OU=Operations/CN=Puck./emailAddress=ops@

Notes:
OS: Ubuntu 8.10
Puck and Titania are on the same subnet


#2

I’m guessing that you may need to update /etc/chef/server.rb to
include your openid provider.

openid_providers [ "https://puck.test.5to1.com/openid/" ]

On Wed, Jun 17, 2009 at 1:16 PM, Joseph Smith <joseph.smith@5to1.com> wrote:



#3

It looks like you generated the certificates with capitalized
hostnames that are not fully qualified, which is your issue. The SSL
certificate must match the fqdn you are using in chef - so try again
with certificates built for cn=puck.xxx.xxx.com.

Adam



Opscode, Inc.
Adam Jacob, CTO
T: (206) 508-4759 E: adam@opscode.com


#4

Hello Joseph,

Your ‘CN=Puck.’ isn’t a fully qualified domain. You can specify this
for the SSL certificate request in a json file per the Chef
Installation document.

I ran into similar troubles on EC2 nodes where the internal hostname
contained upcase letters (ie, domU-xx-xx-xx). Forcing these to be
lowercase via the json file (chef server_fqdn, for example) resolved
the issue for me.



Opscode, Inc
Joshua Timberman, Senior System Engineer
C: 720.878.4322 E: joshua@opscode.com
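
An added example (not part of the original thread) of the check behind "hostname does not match", using Ruby's `OpenSSL::SSL.verify_certificate_identity` against throwaway self-signed certificates. The hostname `puck.test.example.com`, the helper names and the key are constructed for illustration; only the `CN=Puck.` value comes from the thread.

```ruby
require "openssl"

# One throwaway key reused for every test certificate (constructed for the example).
EXAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)

# Build a self-signed certificate whose subject CN is `cn`, with no
# subjectAltName, so identity checks fall back to the CN as in the thread.
def self_signed_cert(cn)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/O=Example/OU=Operations/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = EXAMPLE_KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(EXAMPLE_KEY, OpenSSL::Digest.new("SHA256"))
  cert
end

# True when a certificate issued for `cn` is acceptable for a client that
# connects to `hostname` (the name in the URL it was configured with).
def cert_matches?(cn, hostname)
  OpenSSL::SSL.verify_certificate_identity(self_signed_cert(cn), hostname)
end

if __FILE__ == $0
  fqdn = "puck.test.example.com" # constructed stand-in for the server's FQDN
  ["Puck.", "puck", fqdn].each do |cn|
    verdict = cert_matches?(cn, fqdn) ? "match" : "hostname does not match"
    puts "CN=#{cn.ljust(22)} vs #{fqdn}: #{verdict}"
  end
end
```

Running the same check against a freshly generated certificate before restarting the server confirms the CN equals the FQDN the clients are configured to use.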


#5

Also, capital letters are not valid in hostnames.

Adam

On Wed, Jun 17, 2009 at 11:05 AM, Joshua Timberman <joshua@opscode.com> wrote:



Opscode, Inc.
Adam Jacob, CTO
T: (206) 508-4759 E: adam@opscode.com