Kitchen converge failing with ssl error

I am following the tutorials https://learn.chef.io/tutorials/local-development/ubuntu/virtualbox/apply-a-cookbook/#step4 and when I do a chef converge I get the following error

Starting Kitchen (v1.16.0)
Converging ...
Preparing files for transfer
Preparing dna.json
Resolving cookbook dependencies with Berkshelf 5.6.4...
------Exception-------
Class: Kitchen::ActionFailed
Message: 1 actions failed.
Failed to complete #converge action: [SSL_connect return
state=error: certificate verify failed] on default-ubuntu-1404

Please see .kitchen/logs/kitchen.log for more details
Also try running kitchen diagnose --all for configuration

I tried debugging the issue and got the following logs for kitchen converge -l debug

-----> Starting Kitchen (v1.16.0)
D [Vagrant command] BEGIN (vagrant --version)
D [Vagrant command] END (0m0.00s)
D Berksfile found at D:/chef-repo/cookbooks/learn_chef_apache2/Berksfile, loading Berkshelf
D Berkshelf 5.6.4 library loaded
-----> Converging ...
Preparing files for transfer
Creating local sandbox in C:/Users/AKANKS~1/AppData/Local/Temp/default-ubuntu-1404-sandbox-20170412-13904-1auim7
Preparing dna.json
Creating dna.json from {:run_list=>["recipe[learn_chef_apache2::default]"]}
Resolving cookbook dependencies with Berkshelf 5.6.4...
Using Berksfile from D:/chef-repo/cookbooks/learn_chef_apache2/Berksfile
Cleaning up local sandbox in C:/Users/AKANKS~1/AppData/Local/Temp/default-ubuntu-1404-sandbox-20170412-13904-1auim7
------Exception-------
Class: Kitchen::ActionFailed
Message: 1 actions failed.
Failed to complete #converge action: [SSL_connect returned=1 errno=0
state=error: certificate verify failed] on default-ubuntu-1404

Please see .kitchen/logs/kitchen.log for more details
Also try running kitchen diagnose --all for configuration

 ------Exception-------
 Class: Kitchen::ActionFailed
 Message: 1 actions failed.
Failed to complete #converge action: [SSL_connect returned=1 errno=0
state=error: certificate verify failed] on default-ubuntu-1404
D ----------------------
D ------Backtrace-------
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/test-kitchen-1.16.0/lib/kitchen/command.rb:183:in `report_errors'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/test-kitchen-1.16.0/lib/kitchen/command.rb:174:in `run_action'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/test-kitchen-1.16.0/lib/kitchen/command/action.rb:36:in `block in call'
D D:/opscode/chefdk/embedded/lib/ruby/2.3.0/benchmark.rb:293:in `measure'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/test-kitchen-1.16.0/lib/kitchen/command/action.rb:34:in `call'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/test-kitchen-1.16.0/lib/kitchen/cli.rb:53:in `perform'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/test-kitchen-1.16.0/lib/kitchen/cli.rb:187:in `block (2 levels) in <class:CLI>'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/test-kitchen-1.16.0/lib/kitchen/cli.rb:334:in `invoke_task'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/test-kitchen-1.16.0/bin/kitchen:13:in `block in <top (required)>'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/test-kitchen-1.16.0/lib/kitchen/errors.rb:171:in `with_friendly_errors'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/test-kitchen-1.16.0/bin/kitchen:13:in `<top (required)>'
D D:/opscode/chefdk/bin/kitchen:24:in `load'
D D:/opscode/chefdk/bin/kitchen:24:in `<main>'
D ----End Backtrace-----
D -Composite Exception--
D Class: Kitchen::ActionFailed
D Message: Failed to complete #converge action: [SSL_connect returned=1 errno=0 state=error: certificate verify failed] on default-ubuntu-1404
D ----------------------
D ------Backtrace-------
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient/ssl_socket.rb:103:in `connect'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient/ssl_socket.rb:103:in `ssl_connect'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient/ssl_socket.rb:41:in `initialize'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient/ssl_socket.rb:26:in `new'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient/ssl_socket.rb:26:in `create_socket'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient/session.rb:752:in `block in connect'
D D:/opscode/chefdk/embedded/lib/ruby/2.3.0/timeout.rb:91:in `block in timeout'
D D:/opscode/chefdk/embedded/lib/ruby/2.3.0/timeout.rb:101:in `timeout'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient/session.rb:748:in `connect'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient/session.rb:511:in `query'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient/session.rb:177:in `query'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient.rb:1242:in `do_get_block'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient.rb:1019:in `block in do_request'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient.rb:1133:in `protect_keep_alive_disconnected'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient.rb:1014:in `do_request'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient.rb:856:in `request'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/faraday-0.9.2/lib/faraday/adapter/httpclient.rb:36:in `call'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/faraday-0.9.2/lib/faraday/request/retry.rb:116:in `call'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/faraday-0.9.2/lib/faraday/response.rb:8:in `call'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/faraday-0.9.2/lib/faraday/rack_builder.rb:139:in `build_response'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/faraday-0.9.2/lib/faraday/connection.rb:377:in `run_request'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/faraday-0.9.2/lib/faraday/connection.rb:140:in `get'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/berkshelf-api-client-3.0.0/lib/berkshelf/api_client/connection.rb:60:in `universe'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/berkshelf-5.6.4/lib/berkshelf/source.rb:58:in `build_universe'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/berkshelf-5.6.4/lib/berkshelf/installer.rb:21:in `block (2 levels) in build_universe'
D ----End Backtrace-----
D ---Nested Exception---
D Class: Kitchen::ActionFailed
D Message: Failed to complete #converge action: [SSL_connect returned=1 errno=0 state=error: certificate verify failed]
D ----------------------
D ------Backtrace-------
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient/ssl_socket.rb:103:in `connect'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient/ssl_socket.rb:103:in `ssl_connect'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient/ssl_socket.rb:41:in `initialize'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient/ssl_socket.rb:26:in `new'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient/ssl_socket.rb:26:in `create_socket'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient/session.rb:752:in `block in connect'
D D:/opscode/chefdk/embedded/lib/ruby/2.3.0/timeout.rb:91:in `block in timeout'
D D:/opscode/chefdk/embedded/lib/ruby/2.3.0/timeout.rb:101:in `timeout'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient/session.rb:748:in `connect'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient/session.rb:511:in `query'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient/session.rb:177:in `query'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient.rb:1242:in `do_get_block'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient.rb:1019:in `block in do_request'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient.rb:1133:in `protect_keep_alive_disconnected'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient.rb:1014:in `do_request'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/httpclient-2.8.3/lib/httpclient.rb:856:in `request'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/faraday-0.9.2/lib/faraday/adapter/httpclient.rb:36:in `call'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/faraday-0.9.2/lib/faraday/request/retry.rb:116:in `call'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/faraday-0.9.2/lib/faraday/response.rb:8:in `call'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/faraday-0.9.2/lib/faraday/rack_builder.rb:139:in `build_response'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/faraday-0.9.2/lib/faraday/connection.rb:377:in `run_request'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/faraday-0.9.2/lib/faraday/connection.rb:140:in `get'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/berkshelf-api-client-3.0.0/lib/berkshelf/api_client/connection.rb:60:in `universe'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/berkshelf-5.6.4/lib/berkshelf/source.rb:58:in `build_universe'
D D:/opscode/chefdk/embedded/lib/ruby/gems/2.3.0/gems/berkshelf-5.6.4/lib/berkshelf/installer.rb:21:in `block (2 levels) in build_universe'
D ----End Backtrace-----

What could be the fix for this?

I changed berksfile source to point to 'http://api.berkshelf.com' and it worked. Not sure why though.

I can confirm this worked for me also. I literally just made a topic on this same issue a few minutes before you did… There must be an issue with the Berkshelf version on the supermarket.

Can you let us know where in the tutorials you generate a Berksfile that contains https://api.berkshelf.com please? Nowadays if you generate a new Berksfile it should contain https://supermarket.chef.io.

The api.berkshelf.com ssl cert looks valid, and I can’t reproduce this behaviour locally. Can you both run chef -v and paste the output?

Thanks,
-Thom

@thommay - to clarify, the tutorials don’t instruct you to point your Berksfile to 'http://api.berkshelf.com'. What @akajain and @ViggyNash are saying is that they needed to modify their Berksfile like this to get things working.

@tpetchel

That’s correct. However, after a bit of checking, I think the issue is not the location of the Berkshelf source, but whether or not you use a secure connection. 'http://supermarket.chef.io' also worked for me (changing https -> http).

Is it important to retain the ssl authentication step for Berkshelf?

VV I am on Win 10
Here’s my CDK versions:

Chef Development Kit Version: 1.2.22
chef-client version: 12.18.31
delivery version: master (0b746cafed65a9ea1a79de3cc546e7922de9187c)
berks version: 2017-04-12T11:22:04.509394 11340] 2017-04-12T11:22:04.509895 11340] 2017-04-12T11:22:04.509895 11340] 2017-04-12T11:22:04.509895 11340] 2017-04-12T11:22:04.637530 11340] 2017-04-12T11:22:04.637530 11340] 5.6.0
kitchen version: 1.15.0

Oh, @akajain you changed it from https://supermarket.chef.io to http://api.berkshelf.com? Sorry, I assumed that you would’ve tried http://supermarket.chef.io if you started with an https URL. :slight_smile:

Can you run chef -v as requested, please? I can’t see a problem with the supermarket cert either, and Berkshelf works for me, so I’d like to narrow down what’s going on. Are you all on Windows?

Another followup to this issue.

It seems that bypassing the SSL auth creates yet another issue. Berkshelf runs into an error when attempting to access the resource universe at http://supermarket.chef.io because it is being redirected (301 code). It’s likely that it is being redirected to the https version of the site. That answers my earlier question of whether the SSL check is necessary (it is).

So the issue now becomes what options we have for dealing with the original ssl certificate verification issue. A friend suggested running berks vendor beforehand, which seems to download cached versions of the packages. I will test this and let you guys know if this works.

ok I changed to http://supermarket.chef.io now and kitchen converge worked for me. I am not sure if this would create problems further.

@ViggyNash are you talking about this error

I think this is because of the http URL we are using.

Yes, that is the issue. Berkshelf isn’t able to properly connect to the supermarket to pull cookbooks. Try running berks vendor and then kitchen converge .

berks vendor does not work. Any solution for this?

Resolving cookbook dependencies...
Fetching 'lamp' from source at .
Fetching cookbook index from http://supermarket.chef.io...
Error retrieving universe from source: http://supermarket.chef.io/
  * [Berkshelf::APIClient::BadResponse] bad response #<Faraday::Response:0x4eac3
80 @on_complete_callbacks=[], @env=#<Faraday::Env @method=:get @body="<html>\r\n
<head><title>301 Moved Permanently</title></head>\r\n<body bgcolor=\"white\">\r\
n<center><h1>301 Moved Permanently</h1></center>\r\n<hr><center>nginx/1.8.1</cen
ter>\r\n</body>\r\n</html>\r\n" @url=#<Addressable::URI:0x275b0a4 URI:http://sup
ermarket.chef.io/universe> @request=#<Faraday::RequestOptions timeout=30, open_t
imeout=3> @request_headers={"User-Agent"=>"Faraday v0.9.2"} @ssl=#<Faraday::SSLO
ptions verify=true> @response=#<Faraday::Response:0x4eac380 ...> @response_heade
rs={"Content-Type"=>"text/html", "Date"=>"Thu, 13 Apr 2017 13:27:44 GMT", "Locat
ion"=>"https://supermarket.chef.io/universe", "Server"=>"nginx/1.8.1", "Content-
Length"=>"184", "Connection"=>"Keep-Alive", "Age"=>"0"} @status=301>>
Unable to satisfy the following requirements:

- `httpd (~> 0.4.5)` required by `lamp-0.1.0`
Unable to find a solution for demands: lamp (0.1.0)

Hi,
please can you let us know which version of the Chef DK (run chef -v ) and on which platform you’re running on so that we can figure out why you’re having the SSL problems. Once those are fixed everything else you’re struggling with should go away.

Thanks,
-Thom

Chef Development Kit Version: 1.3.40
chef-client version: 12.19.36
delivery version: master (69bfa4a76959a8d093511a90fddd7a1f7e43e354)
berks version: 5.6.4
kitchen version: 1.16.0

My workstation is Windows 7, the Chef server and client are Ubuntu 14.04, and I am using a Vagrant machine for kitchen converge. I have been stuck on this for a long time now.

ok i added .berkshelf/config.json and disabled ssl verification there and everything is working fine now.

Before running berks vendor, change the Berkshelf source to https://supermarket.chef.io. You need to use the secure version of the link (https) in order for Berkshelf to access the supermarket.
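
Added example (not part of the thread, and not Chef or Berkshelf code): the thread never establishes why verification failed, so this Ruby sketch assumes one common cause, an issuer that the client's trust store does not contain, and shows that OpenSSL names that cause and that trusting the issuing CA clears the error with verification left on. Every certificate and name in it is constructed by the script; nothing touches the network.

```ruby
require "openssl"

# Constructed test data: build a certificate signed by issuer_key
# (self-signed when no issuer is given).
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(
    ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true)
  )
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify leaf against an explicit list of trusted roots and return
# OpenSSL's verdict: [ok, numeric error code, human-readable reason].
def verify_against(leaf, trusted_roots)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |root| store.add_cert(root) }
  ok = store.verify(leaf)
  [ok, store.error, store.error_string]
end

# Hypothetical scenario: the client trusts PUBLIC_ROOT only, but the server
# certificate it is shown was issued by OTHER_CA (e.g. an inspecting proxy).
ROOT_KEY  = OpenSSL::PKey::RSA.new(2048)
OTHER_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
PUBLIC_ROOT = make_cert("Constructed Public Root", ROOT_KEY, ca: true)
OTHER_CA    = make_cert("Constructed Other CA", OTHER_KEY, ca: true, serial: 2)
LEAF = make_cert("supermarket.example", LEAF_KEY,
                 issuer: OTHER_CA, issuer_key: OTHER_KEY, serial: 3)

if __FILE__ == $PROGRAM_NAME
  p verify_against(LEAF, [PUBLIC_ROOT])            # fails, with the reason
  p verify_against(LEAF, [PUBLIC_ROOT, OTHER_CA])  # passes once the CA is trusted
end
```

The reason string from the failing call is the detail that the generic "certificate verify failed" message hides, and it tells you which CA certificate has to be added to the trust store.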