I was trying to run kitchen verify and was encountering a certificate failure. I have installed the certificate using knife ssl fetch and am not sure what's causing it to break. Could anyone advise how this could be resolved? Thanks.
connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (Faraday::SSLError)
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient/ssl_socket.rb:46:in `ssl_connect'
create_socket' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient/session.rb:739:in `block in connect'
block in timeout' from /opt/chefdk/embedded/lib/ruby/2.1.0/timeout.rb:101:in `call'
timeout' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient/session.rb:735:in `connect'
query' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient/session.rb:170:in `query'
do_get_block' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient.rb:1021:in `block in do_request'
protect_keep_alive_disconnected' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient.rb:1016:in `do_request'
request' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.2/lib/faraday/adapter/httpclient.rb:36:in `call'
call' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.2/lib/faraday/response.rb:8:in `call'
build_response' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.2/lib/faraday/connection.rb:377:in `run_request'
get' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/berkshelf-api-client-2.0.2/lib/berkshelf/api_client/connection.rb:60:in `universe'
build_universe' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/berkshelf-4.3.0/lib/berkshelf/installer.rb:21:in `block (2 levels) in build_universe'
I tried setting my environment variable to /opt/chefdk/embedded/ssl/certs. When I ran knife client list I was getting this error. Any suggestion on where I could be going wrong? Thanks.
"WARNING: No knife configuration file found WARN: Failed to read the private key /etc/chef/client.pem: #<Errno::ENOENT: No such file or directory @ rb_sysopen - /etc/chef/client.pem> ERROR: Your private key could not be loaded from /etc/chef/client.pem
I do observe cacert.pem installed at this location:
ls -l /opt/chefdk/embedded/ssl/certs/
There are two sets of certificates you need to care about when running chef in client-server mode.
One set is used for typical SSL/TLS verification. The certs in /opt/chefdk/embedded/ssl/certs/ are just the normal root CA certs like you would have in a web browser; these are there so you can verify you're talking to the correct server when making a TLS connection, again, the same as when you connect to an HTTPS website or whatever.
The other certificates are used for application-level authentication, so the Chef Server can confirm the identity of the user/program sending requests. These will usually be stored in /etc/chef/client.pem, or in a .chef directory when on a workstation.
When you install the Chef Server, there is one administrative user created for you; you can create new users with chef-server-ctl. When you create a new user, it will make a key and you use that to authenticate to the server. For Chef Client, you usually use some kind of bootstrapping process to create the account (called a client) on the server. You can manually create a client via knife with a working user account, or if you use knife bootstrap, that's done automatically. You can also use the validator, which is a sort of guest account for unattended bootstrapping of new clients.
Hope that helps. Without more specific info about what you're doing I can't give more specific advice, but hopefully this general overview will give you enough to get going.
Thank you @kallistec for providing the information; it's helpful for me to understand the different certificates present in my chefdk environment. I am sorry for not posting more details of the scenario I was running into; I should have done better in the beginning. I will try to describe my scenario and the things I have done so far; excuse my long description.
using chefdk ruby: /opt/chefdk/embedded/bin/ruby - ruby 2.1
using test-kitchen with ec2 driver for testing
I am writing a cookbook which depends on some other cookbooks, and I did mention them in my Berksfile. As I was trying to perform berks install to download them, I was able to fetch the cookbooks from the git repositories but encountered this certificate verification failure. We have an internal chef supermarket at my workplace, where the cookbooks are uploaded, and I was using that URL https://supermarket.abc.com in my Berksfile.
For berks install I tried knife ssl fetch https://supermarket.abc.com to download the certificate, as I observed from https://docs.chef.io/chef_client_security.html#ssl-certificates. I observed the supermarket certificate installed to my
When I do berks install, it fetches the cookbooks from the repos, and while trying to "Fetching cookbook index from https://supermarket.abc.com" it fails with SSL certificate verify failed.
I found that setting an environment variable to point to my /opt/chefdk/embedded/ssl/certs/cacert.pem might resolve this issue, referencing https://github.com/berkshelf/berkshelf/issues/1360, and tried that approach. It did seem to help me resolve the issue.
I realized that my organization has its own certificate, a root.pem file for authentication, and I was not sure whether it is required to be copied over to /opt/chefdk/embedded/ssl/certs along with the cacert.pem, or whether I need to add the organization certificate at the end of cacert.pem to move forward. This is as far as I could get, and I am trying to figure out what needs to be done to move forward on this issue. It has never happened earlier.
Thanks for your time.
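The two posts above (kallistec's point that /opt/chefdk/embedded/ssl/certs holds the root CA bundle used for TLS verification, and the follow-up question about whether the organization's root.pem must be added to cacert.pem) can be reproduced offline with Ruby's OpenSSL bindings. The script below is an added example written for this page; it is not code from the thread, from Chef, or from Berkshelf. It constructs a throwaway "organization root CA", a throwaway "public root CA", and a server certificate for the made-up host supermarket.example.internal, then verifies that server certificate against a bundle that lacks the organization root (what the stock cacert.pem looks like from the client's point of view) and against the same bundle with root.pem appended. The host name, CA names and file names are all invented for the demo.

```ruby
require "openssl"
require "tmpdir"

# Added example (not from the thread): why "certificate verify failed" happens
# when a supermarket's certificate chains to an organisation root CA that is
# absent from the CA bundle the client uses, and why appending that root to
# the bundle fixes it. Every certificate and host name below is constructed
# here; supermarket.example.internal is a made-up host.

ONE_DAY = 24 * 60 * 60

# Build a self-signed root CA, a stand-in for an organisation's root.pem.
def make_root_ca(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3650 * ONE_DAY
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Issue a TLS server certificate for host, signed by the given CA.
def make_server_cert(host, ca_cert, ca_key)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 2
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{host}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 90 * ONE_DAY
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = ca_cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature, keyEncipherment", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{host}", false))
  cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Do what an HTTPS client does with a CA bundle: build a chain from the server
# cert to a root in bundle_path, then check the certificate names the host.
# Returns a hash so the caller can see which of the two checks failed.
def verify_with_bundle(server_cert, bundle_path, host)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path)       # same role as SSL_CERT_FILE / cacert.pem
  trusted = store.verify(server_cert)
  {
    trusted:    trusted,
    error:      trusted ? nil : store.error_string,
    name_match: OpenSSL::SSL.verify_certificate_identity(server_cert, host),
  }
end

# Scenario: a "stock" bundle without the org root, then the same bundle with
# the org root appended (the file-level equivalent of cat root.pem >> cacert.pem).
def demo(host = "supermarket.example.internal")
  org_root, org_key = make_root_ca("Example Org Internal Root CA")
  public_root, _    = make_root_ca("Some Public Root CA")
  server_cert, _    = make_server_cert(host, org_root, org_key)

  Dir.mktmpdir do |dir|
    stock    = File.join(dir, "cacert.pem")
    combined = File.join(dir, "cacert-plus-org.pem")
    File.write(stock, public_root.to_pem)
    File.write(combined, public_root.to_pem + org_root.to_pem)
    {
      stock_bundle:    verify_with_bundle(server_cert, stock, host),
      combined_bundle: verify_with_bundle(server_cert, combined, host),
      wrong_host:      verify_with_bundle(server_cert, combined, "other.example.internal"),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

Run it with /opt/chefdk/embedded/bin/ruby to use the same OpenSSL build that berks and knife use. The stock bundle fails chain building with "unable to get local issuer certificate", which is the condition behind the "certificate verify failed" in the trace above; the combined bundle passes, and the wrong_host case shows that a trusted chain alone is not enough, since the client also matches the host name. Note that a file appended inside /opt/chefdk/embedded/ssl/certs is replaced when chefdk is upgraded, so pointing SSL_CERT_FILE at a bundle kept outside the package directory (or re-appending the root as part of the install procedure) is the option that survives upgrades.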