Kitchen converge returns OpenSSL::SSL::SSLError: SSL_connect

I was trying to run kitchen converge while using test-kitchen with my role mentioned in run_list with chef_solo as my provisioner .This leads me to an error with OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed. But, If am using chef_zero as my provisioner,I don’t receive that error for the same role. can any one help me understand what could I be doing wrong while using chef_solo as my provisioner, as compared to chef_zero for this error. I also checked if I have an openssl gem installed and it looks like i didn’t have it. Is that something i need to install and configure before doing my testing. I was also setting ssl_verify_mode to none in my kitchen.yml.

Chef Development Kit Version: 0.12.0 chef-client version: 12.8.1 berks version: 4.3.0 kitchen version: 1.6.0


  "name": "test_role",
  "json_class": "Chef::Role",
  "description": "testing roles",
  "run_list": ["recipe[JMSP_Tomcat_AppServer_Provision]", 


  name: chef_solo
    ssl_verify_mode: :verify_none
    verify_api_cert: false


2016-05-16T09:59:35.689217 #18785] INFO – default-rhel-67: [2016-05-16T10:58:46-04:00] ERROR: remote_file[/prod/msp/mspcert/mspcert.jks] (007_JavaMSP_AppServer_Configuration::install_mspcert line 10) had an error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
I, [2016-05-16T09:59:35.743126 #18785] INFO – default-rhel-67: [2016-05-16T10:58:46-04:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

Chef Solo does not use the client.rb hence your directive of ssl_verify_mode: :verify_none is being ignored.

From the sounds of it, the error is actually coming from your remote_file resource, not chef-solo / chef-zero, as they do not use a Chef server.

Nathan Clemons
DevOps Engineer
Moxie Cloud Services (MCS)

O +1.425.467.5075
M +1.360.861.6291
W www.gomoxie.com

@jdunn, I have tried to run kitchen converge by removing the values listed under client.rb, but it still doesn’t seemed to succeed when trying to test…unfortunately.

Thanks for looking into it. I observed that we have an internal ssl certificate, that might be causing the kitchen converge to fail, but how do I refer the ssl file abc.pem that i have downloaded locally in my kitchen.yml . Is that to be placed under “/opt/chefdk/embedded/ssl/certs/” or a different location and refer later.please advise, this is my first time working with ssl certificates through my kitchen.yml.Thanks

I was able to resolve this issue with the SSL certificate by downloading our SSL certificate and adding it to /opt/chefdk/embedded/ssl/certs/cacert.pem on an ec2 instance after kitchen create and then did kitchen converge.But, I would like to know if there is a way to set an ENV for the CERT_FILE and refer that in kitchen.yml so that we need not login to the instance every time and copy the file.Any suggestions in this approach.thanks