Kitchen-Verify causing SSL: certificate verification failure


#1

Hi,

I was trying to run kitchen verify and was encountering a certificate failure. I have installed the certificate using knife ssl fetch and am not sure what's causing it to break. Could anyone advise how this could be resolved? Thanks.

Error log:

/opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient/ssl_socket.rb:46:in `connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (Faraday::SSLError)
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient/ssl_socket.rb:46:in `ssl_connect'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient/ssl_socket.rb:24:in `create_socket'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient/session.rb:739:in `block in connect'
from /opt/chefdk/embedded/lib/ruby/2.1.0/timeout.rb:91:in `block in timeout'
from /opt/chefdk/embedded/lib/ruby/2.1.0/timeout.rb:101:in `call'
from /opt/chefdk/embedded/lib/ruby/2.1.0/timeout.rb:101:in `timeout'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient/session.rb:735:in `connect'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient/session.rb:497:in `query'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient/session.rb:170:in `query'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient.rb:1238:in `do_get_block'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient.rb:1021:in `block in do_request'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient.rb:1129:in `protect_keep_alive_disconnected'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient.rb:1016:in `do_request'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient.rb:858:in `request'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.2/lib/faraday/adapter/httpclient.rb:36:in `call'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.2/lib/faraday/request/retry.rb:116:in `call'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.2/lib/faraday/response.rb:8:in `call'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.2/lib/faraday/rack_builder.rb:139:in `build_response'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.2/lib/faraday/connection.rb:377:in `run_request'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.2/lib/faraday/connection.rb:140:in `get'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/berkshelf-api-client-2.0.2/lib/berkshelf/api_client/connection.rb:60:in `universe'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/berkshelf-4.3.0/lib/berkshelf/source.rb:49:in `build_universe'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/berkshelf-4.3.0/lib/berkshelf/installer.rb:21:in `block (2 levels) in build_universe'


#2

I tried setting my environment variable to /opt/chefdk/embedded/ssl/certs. When I ran knife client list I was getting this error. Any suggestion on where I could be going wrong? Thanks.

WARNING: No knife configuration file found
WARN: Failed to read the private key /etc/chef/client.pem: #<Errno::ENOENT: No such file or directory @ rb_sysopen - /etc/chef/client.pem>
ERROR: Your private key could not be loaded from /etc/chef/client.pem

I do observe cacert.pem installed at this location:
ls -l /opt/chefdk/embedded/ssl/certs/


#3

There are two sets of certificates you need to care about when running chef in client-server mode.

One set is used for typical SSL/TLS verification. The certs in /opt/chefdk/embedded/ssl/certs/ are just the normal root CA certs like you would have in a web browser; these are there so you can verify you're talking to the correct server when making a TLS connection, again, the same as when you connect to an HTTPS website or whatever.

The other certificates are used for application-level authentication, so the Chef Server can confirm the identity of the user/program sending requests. These will usually be stored in /etc/chef/client.pem or a .chef directory when on a workstation.

When you install the chef server, there is one administrative user created for you; you can create new users with chef-server-ctl. When you create a new user, it will make a key and you use that to authenticate to the server. For Chef Client, you usually use some kind of bootstrapping process to create the account (called a client) on the server. You can manually create a client via knife with a working user account, or if you use knife bootstrap, that’s done automatically. You can also use the validator, which is a sort of guest account for unattended bootstrapping of new clients.

Hope that helps, without more specific info about what you’re doing I can’t give more specific advice but hopefully this general overview will give you enough to get going.


#4

Thank you @kallistec for providing me the information; it's helpful for me to understand the different certificates present in my chefdk environment. I am sorry for not posting more details of the scenario I was running into, I should have done better in the beginning. I will try to mention my scenario and the things I have done so far; excuse my long description of things.

using chefdk ruby
/opt/chefdk/embedded/bin/ruby - ruby 2.1
using test-kitchen with ec2 driver for testing

I am writing a cookbook which depends on some other cookbooks and I did mention them in my Berksfile. As I was trying to perform berks install to download them, I was able to fetch the cookbooks from the git repositories but encountered this certificate verification failure. We have an internal chef supermarket at my workplace, where the cookbooks are uploaded, and I was using that URL https://supermarket.abc.com in my Berksfile.

  1. Before running berks install I tried knife ssl fetch https://supermarket.abc.com to download the certificate, as I observed from https://docs.chef.io/chef_client_security.html#ssl-certificates. I observed the supermarket certificate installed to my ~/.chef/trusted_certs.

  2. When I do berks install, it fetches the cookbooks from the repos, and while trying to "Fetching cookbook index from https://supermarket.abc.com", it's failing with the SSL certificate verify failed error.

  3. I found that setting an environment variable to point to my /opt/chefdk/embedded/ssl/certs/cacert.pem might resolve this issue, referencing https://github.com/berkshelf/berkshelf/issues/1360, and tried that approach. It did seem to help me resolve the issue.

  4. I realized that my organization has their own certificate, a root.pem file, for authentication, and I was not sure if it's required to be copied over to /opt/chefdk/embedded/ssl/certs along with the cacert.pem, or if I need to add the organization certificate at the end of cacert.pem to move forward. This is as far as I could get, and I'm trying to figure out what needs to be done to move forward on this issue. It has never happened earlier.

Thanks for your time.
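The question in step 4 above (copy root.pem next to cacert.pem, or append it to the bundle) comes down to what the TLS client's trust store contains when the Berkshelf API client in the trace above opens the connection through Faraday and httpclient. Those libraries use Ruby's OpenSSL bindings and OpenSSL's default trust bundle, which the SSL_CERT_FILE variable overrides; ~/.chef/trusted_certs is only consulted by Chef's own clients, not by that path. The following is an added example in the chefdk's own language, not code from the thread or from Berkshelf or Chef: it generates a throwaway "public" root, a throwaway organisation root, and a leaf for supermarket.abc.com (the hostname from the thread; every certificate and key here is constructed in memory and is not the organisation's real root.pem), then runs the same two checks an OpenSSL client performs, chain verification against a bundle file and hostname matching, once against a bundle that only holds the public root (the cacert.pem situation) and once against a bundle with the organisation root appended.

```ruby
require 'openssl'
require 'tempfile'

# Hostname from the thread. Every certificate below is generated on the fly for
# this example (constructed test data), not the organisation's real root.pem.
HOST = 'supermarket.abc.com'.freeze

# Issue an X.509 certificate. With no issuer the cert is self-signed (a root CA);
# with an issuer it is signed by that CA's key.
def issue_cert(subject, key, issuer: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[:cert] : cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}", false))
  end
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Concatenate PEM certs into one bundle file: the layout of cacert.pem, and what
# you get when an organisation root is appended to it.
def write_bundle(*certs)
  file = Tempfile.new(['ca-bundle', '.pem'])
  certs.each { |c| file.write(c.to_pem) }
  file.flush
  file
end

# The two checks an OpenSSL-based client performs: chain building against the
# trust bundle (what SSL_CERT_FILE points at), then hostname matching on the leaf.
# Returns [ok, reason].
def verify_leaf(leaf, bundle_path, hostname)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path)
  return [false, store.error_string] unless store.verify(leaf)
  return [false, 'hostname mismatch'] unless OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
  [true, 'ok']
end

# Reproduce the thread's situation with constructed certificates and return the
# verification outcome for each bundle.
def scenario
  public_root = { key: OpenSSL::PKey::RSA.new(2048) }
  public_root[:cert] = issue_cert('/CN=Public Root CA (constructed)', public_root[:key], ca: true)
  org_root = { key: OpenSSL::PKey::RSA.new(2048) }
  org_root[:cert] = issue_cert('/CN=Example Org Root CA (constructed)', org_root[:key], ca: true)
  leaf = issue_cert("/CN=#{HOST}", OpenSSL::PKey::RSA.new(2048), issuer: org_root, san: HOST)

  default_bundle  = write_bundle(public_root[:cert])                   # cacert.pem alone
  combined_bundle = write_bundle(public_root[:cert], org_root[:cert])  # cacert.pem + root.pem
  {
    default:    verify_leaf(leaf, default_bundle.path, HOST),
    combined:   verify_leaf(leaf, combined_bundle.path, HOST),
    wrong_host: verify_leaf(leaf, combined_bundle.path, 'other.example.com')
  }
ensure
  [default_bundle, combined_bundle].compact.each(&:close!)
end

if __FILE__ == $PROGRAM_NAME
  scenario.each { |name, (ok, why)| puts "#{name}: #{ok ? 'verified' : 'FAILED'} (#{why})" }
end
```

The `default` case fails with "unable to get local issuer certificate", the same class of failure as the trace, because nothing in the bundle can be found as the issuer of the supermarket leaf; the `combined` case passes, which is why appending the organisation root to the bundle that SSL_CERT_FILE names (rather than placing root.pem as a loose file next to cacert.pem) is what changes the outcome for a client that loads a single bundle file. The `wrong_host` case shows the second check: a trusted chain is not enough on its own, the leaf must also name the host being contacted.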