Knife ec2 problem on windows: Unable to verify certificate


#1

Ohai,

We’ve been using our own version of the knife-ec2 plugin since some
features were missing. We’ve just upgraded to the official version and this
brings in excon 0.31 which results in the following error:

C:\chef>bundle exec knife ec2 server list
←[33m[fog][WARNING] Unable to load the 'unf' gem. Your AWS strings may not be properly encoded.←[0m
ERROR: Excon::Errors::SocketError: Unable to verify certificate, please set Excon.defaults[:ssl_ca_path] = path_to_certs, ENV['SSL_CERT_DIR'] = path_to_certs, Excon.defaults[:ssl_ca_file] = path_to_file, ENV['SSL_CERT_FILE'] = path_to_file or Excon.defaults[:ssl_verify_peer] = false (less secure).

We used to pin excon to 0.24, but the latest knife-ec2 requires 0.31. We’re
using chef 11.12.4.

Any hints (besides disabling verification, which is not an option :slight_smile:)?

/Jeppe


#2

On Tuesday, June 10, 2014 at 7:16 AM, Jeppe Nejsum Madsen wrote:

Ohai,

We’ve been using our own version of the knife-ec2 plugin since some features were missing. We’ve just upgraded to the official version and this brings in excon 0.31 which results in the following error:

C:\chef>bundle exec knife ec2 server list
←[33m[fog][WARNING] Unable to load the 'unf' gem. Your AWS strings may not be properly encoded.←[0m
ERROR: Excon::Errors::SocketError: Unable to verify certificate, please set Excon.defaults[:ssl_ca_path] = path_to_certs, ENV['SSL_CERT_DIR'] = path_to_certs, Excon.defaults[:ssl_ca_file] = path_to_file, ENV['SSL_CERT_FILE'] = path_to_file or Excon.defaults[:ssl_verify_peer] = false (less secure).

We’ve been pinning excon to 0.24, but the latest knife-ec2 requires 0.31. We’re using chef 11.12.4.

Any hints (besides disabling verification, which is not an option :slight_smile:)?

/Jeppe

The omnibus package includes a certificate bundle in embedded/ssl/certs/cacert.pem, which chef sets to the config value ssl_ca_file: https://github.com/opscode/chef/blob/master/lib/chef/config.rb#L373

Something like this in your knife.rb should work:

ENV['SSL_CERT_FILE'] = ssl_ca_file

HTH,


Daniel DeLeo


#3

Hi,

Yes, setting the SSL_CERT_FILE manually solves the problem, but we would rather
avoid adding this if possible.

I’m wondering though, why it doesn’t find the file automatically, as that
seems to be the purpose of the code?

We’re using the omnibus installer (just upgraded to 11.12.8), but also
bundler for the various knife plugins. Is this mix causing a problem?

/Jeppe


#4

On Tuesday, June 10, 2014 at 2:10 PM, Jeppe Nejsum Madsen wrote:

Hi,

Yes, setting the SSL_CERT_FILE manually solves the problem, but we would rather avoid adding this if possible.

I’m wondering though, why it doesn’t find the file automatically, as that seems to be the purpose of the code?

We’re using the omnibus installer (just upgraded to 11.12.8), but also bundler for the various knife plugins. Is this mix causing a problem?

/Jeppe

Chef automatically configures its own HTTP (e.g., Chef::HTTP and Chef::REST classes) client via the code I linked, but it doesn’t configure other HTTP client code, such as fog (excon library). For reasons I don’t recall (I’ll ask my colleagues), Ruby on Windows either can’t or doesn’t configure a default location to find the certificate bundle, so you have to specify the path manually at runtime. This is different than on Unix where we configure OpenSSL to use the embedded certificate bundle by default.


Daniel DeLeo
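
Added example, not part of the original thread and not Chef's or excon's own code: a Ruby sketch of the lookup the replies in #2 and #4 describe, choosing a CA bundle from an ordered list of candidates and failing closed when none is usable, then showing that an empty trust store is what makes verification fail. The helper names (constructed_ca, usable_bundle?, resolve_ca_bundle, trusted?) are hypothetical, and the certificate is constructed test data standing in for cacert.pem.

```ruby
require 'openssl'
require 'tempfile'

# Constructed sample data: a throwaway self-signed CA standing in for cacert.pem.
def constructed_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Test CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

# True when path is a file containing at least one PEM certificate OpenSSL can parse.
def usable_bundle?(path)
  return false unless path && File.file?(path)
  pem = File.binread(path)[/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m]
  return false unless pem
  OpenSSL::X509::Certificate.new(pem)
  true
rescue OpenSSL::X509::CertificateError
  false
end

# Return the first [label, path] pair that is usable. Fails closed: it raises
# instead of falling back to Excon.defaults[:ssl_verify_peer] = false.
def resolve_ca_bundle(candidates)
  candidates.find { |_label, path| usable_bundle?(path) } ||
    raise(ArgumentError, 'no usable CA bundle; refusing to disable verification')
end

# Does a trust store loaded from bundle (nil = empty store) accept cert?
def trusted?(cert, bundle)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle) if bundle
  store.verify(cert)
end

if __FILE__ == $PROGRAM_NAME
  Tempfile.create('cacert') do |f| # stands in for embedded/ssl/certs/cacert.pem
    ca = constructed_ca
    File.write(f.path, ca.to_pem)
    label, path = resolve_ca_bundle([['SSL_CERT_FILE', ENV['SSL_CERT_FILE']], ['omnibus', f.path]])
    puts "using #{label}: empty store trusts CA? #{trusted?(ca, nil)}; with bundle? #{trusted?(ca, path)}"
  end
end
```

In knife.rb the resolved path would be assigned to ENV['SSL_CERT_FILE'], as in the reply in #2, so that excon picks it up while peer verification stays on.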


#5

Here’s a thread on the RubyInstaller mailing list that explains the problem in more detail: https://groups.google.com/forum/#!topic/rubyinstaller/DVIDvs7xKC0


Daniel DeLeo


#6

As a follow-up, we’ve tried to reproduce this, Jeppe, with 11.12 and didn’t
hit the problem – everything worked without the environment variable. Are
you still seeing it, Jeppe?

-Adam
