Kitchen-Verify causing SSL: certificate verification failure

darknight · April 14, 2016, 12:26am

Hi,

I was trying to run kitchen verify and was encountering certificate failure. I have installed certificate using knife ssl fetch and not sure what’s causing it to break. could any one advice how this could be resolved. Thanks.

Error log:

/opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient/ssl_socket.rb:46:in connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (Faraday::SSLError) from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient/ssl_socket.rb:46:inssl_connect’
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient/ssl_socket.rb:24:in create_socket' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient/session.rb:739:inblock in connect’
from /opt/chefdk/embedded/lib/ruby/2.1.0/timeout.rb:91:in block in timeout' from /opt/chefdk/embedded/lib/ruby/2.1.0/timeout.rb:101:incall’
from /opt/chefdk/embedded/lib/ruby/2.1.0/timeout.rb:101:in timeout' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient/session.rb:735:inconnect’
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient/session.rb:497:in query' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient/session.rb:170:inquery’
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient.rb:1238:in do_get_block' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient.rb:1021:inblock in do_request’
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient.rb:1129:in protect_keep_alive_disconnected' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient.rb:1016:indo_request’
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.7.1/lib/httpclient.rb:858:in request' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.2/lib/faraday/adapter/httpclient.rb:36:incall’
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.2/lib/faraday/request/retry.rb:116:in call' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.2/lib/faraday/response.rb:8:incall’
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.2/lib/faraday/rack_builder.rb:139:in build_response' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.2/lib/faraday/connection.rb:377:inrun_request’
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.2/lib/faraday/connection.rb:140:in get' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/berkshelf-api-client-2.0.2/lib/berkshelf/api_client/connection.rb:60:inuniverse’
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/berkshelf-4.3.0/lib/berkshelf/source.rb:49:in build_universe' from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/berkshelf-4.3.0/lib/berkshelf/installer.rb:21:inblock (2 levels) in build_universe’ "

darknight · April 14, 2016, 3:17pm

I tried setting my environment variable to the /opt/chefdk/embedded/ssl/certs. when i ran knife client list i was getting this error. Any suggestion on where i could be going wrong.thanks

"WARNING: No knife configuration file found WARN: Failed to read the private key /etc/chef/client.pem: #<Errno::ENOENT: No such file or directory @ rb_sysopen - /etc/chef/client.pem> ERROR: Your private key could not be loaded from /etc/chef/client.pem

I do observe cacert.pem installed at this location
ls -l /opt/chefdk/embedded/ssl/certs/

kallistec · April 14, 2016, 3:36pm

There are two sets of certificates you need to care about when running chef in client-server mode.

One set is used for typical SSL/TLS verification. The certs /opt/chefdk/embedded/ssl/certs/ are just the normal root CA certs like you would have in a web browser, these are there so you can verify you’re talking to the correct server when making a TLS connection, again, the same as when you connect to a HTTPS website or whatever.

The other certificates are used for application-level authentication, so the Chef Server can confirm the identity of the user/program sending requests. These will usually be stored in /etc/chef/client.pem or a .chef directory when on a workstation.

When you install the chef server, there is one administrative user created for you; you can create new users with chef-server-ctl. When you create a new user, it will make a key and you use that to authenticate to the server. For Chef Client, you usually use some kind of bootstrapping process to create the account (called a client) on the server. You can manually create a client via knife with a working user account, or if you use knife bootstrap, that’s done automatically. You can also use the validator, which is a sort of guest account for unattended bootstrapping of new clients.

Hope that helps, without more specific info about what you’re doing I can’t give more specific advice but hopefully this general overview will give you enough to get going.

darknight · April 14, 2016, 4:48pm

Thank you @kallistec for providing me the information and it’s helpful for me to understand the different certificates present in my chefdk environment. I am sorry for not posting more details of the scenario i was running into, should have done better in beginning.I will try to mention my scenario and things i have done so far, excuse for my long description of things.

using chefdk ruby
opt/chefdk/embedded/bin/ruby - ruby 2.1
using test-kitchen with ec2 driver for testing

I am writing a cookbook which depends on some other cook books and i did mention them in my Berksfile. As, I was trying to perform berks install to download them, I was able to fetch the cookbooks from the git repositories but encountering this certificate verification failure. We have an internal chef supermarket at my work place , where the cookbooks are uploaded and I was using that URL https://supermarket.abc.com in my Berksfile.

Before running berks install I tried knife ssl fetch https://supermarket.abc.com to download the certificate as I observed from https://docs.chef.io/chef_client_security.html#ssl-certificates. I observed the supermarket certificate installed to my ~/.chef/trusted_certs
When I do berks install, it fetches the cookbooks from repo’s and while trying to "Fetching cookbook index from https://supermarket.abc.com ", it’s failing with the SSL certificate verify failed
I found that setting an environment variable point to my /opt/chefdk/embedded/ssl/certs/cacert.pem might resolve this issue, as referencing to https://github.com/berkshelf/berkshelf/issues/1360 and tried that approach.It did seem to help me resolve the issue.
I realized that my organization has their own certificate, root.pem file for authentication, which I was not sure if its required to be copied over to /opt/chefdk/embedded/ssl/certs along with the cacert.pem or I need to add organization certificate at the end of cacert.pem to move forward. This is so far I could get to and trying to figure out what needs to be done to move forward on this issue. It has never happened earlier.

Thanks for your time.

Topic		Replies	Views
ERROR: SSL Validation Failure connecting to host Chef Infra (archive)	0	714	May 21, 2019
Kitchen converge returns OpenSSL::SSL::SSLError: SSL_connect Chef Infra (archive)	5	3482	May 25, 2016
[SSL Error connecting to https://supermarket.chef.io/universe...certificate verify failed] on default-centos-72 Chef Infra (archive)	2	2736	September 10, 2020
[RESOLVED] Kitchen converge "certificate verify failed" error in chef tutorials Chef Infra (archive)	1	2785	April 12, 2017
Test Kitchen SSL error during Chef Client install Chef Infra (archive)	4	2078	November 24, 2017

Kitchen-Verify causing SSL: certificate verification failure

Related Topics