Just ran chef-server-ctl reconfigure by mistake and now CHEF is broken :-(

Hello Chefs

My colleague ran chef-server-ctl reconfigure by mistake after creating a new user on the CHEF server. Since the chef-server-ctl reconfigure command was run, knife status and my chef runs fail with the following error.

Unexpected Error: OpenSSL::SSL::SSLError: SSL Error connecting to https://CHEF01.xxxx.xxx/organizations/xxxx_xxxxx01/nodes/xxxxx01 - SSL_connect returned=1 errno=0 state=error: certificate verify failed

After running knife ssl fetch on my knife workstation I get the following:

ERROR: SSL Validation failure connecting to host: CHEF01.xxxx.xxx - hostname "CHEF01.xxxx.xxx" does not match the server certificate
ERROR: SSL Error connecting to https://CHEF01.xxxx.xxx/organizations/xxxx_xxxxx01/search/node?q=*:*&sort=X_CHEF_id_CHEF_X%20asc&start=0, retry 1/5

The web UI is still working as normal. We use chef vault and have all our secrets owned by a number of users, as we previously broke all our chef vaults by downloading the starter kit again.

Any ideas on how to get knife commands and my chef runs working would be greatly received.

Thanks in advance


I have an update: knife ssl check gave me the following output

Connecting to host CHEF01.xxxx.xxxx:443
ERROR: The SSL cert is signed by a trusted authority but is not valid for the given hostname
ERROR: You are attempting to connect to: 'CHEF01xxxx.xxxx'
ERROR: The server's certificate belongs to 'CHEF01'

I updated my knife.rb and created a host file entry to resolve CHEF01 and now I can run knife status and decrypt chef vault items.

So I am assuming my issue is because the chef server is now referring to itself by hostname rather than FQDN. I tried a quick and dirty on my chef node by updating the chef.rb and creating the host file entry for the hostname, but the chef run fails with the following error:

[2016-08-18T16:25:46+01:00] ERROR: SSL Validation failure connecting to host: CHEF01 - SSL_connect returned=1 errno=0 state=error: certificate verify failed

I assume this is because it still has the original FQDN cert from its original bootstrap.

So assuming I am correct, how can I re-add my chef node to get the new non-FQDN cert, or is there a better way to fix my issue?



Hopefully the final update.

I copied the new chef cert from my knife workstation to the trusted certs folder on my node and updated the client.rb to point to the non-FQDN, and I can now do chef runs :)

I think I have fixed my issue but would be happy for any comments from the community.
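The two errors in this thread are different checks failing: `knife ssl check` reports a hostname that is not covered by the server certificate's subjectAltName/CN, while `certificate verify failed` on the node means the certificate the client pinned in its trusted_certs folder no longer matches the one the server now serves. The following Ruby script, added here as an illustration and not part of the original post or of Chef itself, reproduces both checks offline using Ruby's own OpenSSL hostname matcher (`OpenSSL::SSL.verify_certificate_identity`, the same routine Chef's client relies on). The certificates are constructed in the script to stand in for the old FQDN certificate and the new short-name certificate; `CHEF01` and `CHEF01.xxxx.xxx` are the redacted names from the thread.

```ruby
require 'openssl'

# Build a throwaway self-signed certificate whose subject CN and SAN DNS
# entries are under our control. This is constructed test data standing in
# for the certificates on the poster's server; no real key material is used.
def build_cert(common_name, dns_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1 << 62)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  unless dns_names.empty?
    san = dns_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Names the certificate claims: SAN DNS entries if present, otherwise the CN.
# Modern validators (Ruby's included) ignore the CN once a SAN is present.
def cert_names(cert)
  san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  if san
    san.value.split(',').map(&:strip)
       .select { |v| v.start_with?('DNS:') }
       .map    { |v| v.sub('DNS:', '') }
  else
    cert.subject.to_a.select { |oid, _, _| oid == 'CN' }.map { |_, v, _| v }
  end
end

# Mirror the hostname test that `knife ssl check` performs: is the name we
# are connecting to covered by the certificate the server presented?
def check_hostname(cert, hostname)
  if OpenSSL::SSL.verify_certificate_identity(cert, hostname)
    "OK: certificate is valid for '#{hostname}'"
  else
    "ERROR: connecting to '#{hostname}' but the certificate " \
      "belongs to '#{cert_names(cert).join(', ')}'"
  end
end

# SHA-256 fingerprint of the DER encoding, the value to compare between the
# copy pinned in a client's trusted_certs folder and what the server serves.
def fingerprint(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.to_der)
end

# True when the pinned copy is byte-for-byte the certificate now being served;
# false reproduces the node's 'certificate verify failed' after a regeneration.
def pinned_matches?(pinned_cert, served_cert)
  fingerprint(pinned_cert) == fingerprint(served_cert)
end

if __FILE__ == $PROGRAM_NAME
  old_cert = build_cert('CHEF01.xxxx.xxx', ['CHEF01.xxxx.xxx']) # from bootstrap
  new_cert = build_cert('CHEF01', ['CHEF01'])                   # after reconfigure
  puts check_hostname(new_cert, 'CHEF01.xxxx.xxx')
  puts check_hostname(new_cert, 'CHEF01')
  puts "pinned cert still valid: #{pinned_matches?(old_cert, new_cert)}"
end
```

Run it with `ruby check_cert.rb`; the first line is the same complaint `knife ssl check` gave the poster, the second shows why pointing knife at the short name succeeded, and the last line is why the node kept failing until its trusted_certs copy was replaced.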