$ knife client list
ERROR: SSL Validation failure connecting to host: chefserver.example.com - SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
ERROR: Could not establish a secure connection to the server.
Use knife ssl check to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use knife ssl fetch to make knife trust the server’s certificates.
Original Exception: OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
================
I can telnet to the server 443 without problem so proxy should not be an issue.
I bet your proxy does MITM SSL inspection and downgrades TLS to use SSLv3, which is not supported anymore by chef-server out of the box since the POODLE security release.
A telnet gives you no more information than 'the port is open'; the error is about SSL negotiation (the 'read server hello A' part).
Without more information about your infrastructure it would be divination to give advice, but let's say what comes to the top of my head:
Get your netadmin to configure the proxy properly to not use SSLV3 anymore (best idea)
Update the SSL protocols allowed on the chef-server nginx by updating chef-server.rb, see here
mqian@chefwork:~/chef-repo$ knife client list
ERROR: SSL Validation failure connecting to host: chefserver - SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
ERROR: Could not establish a secure connection to the server.
Use knife ssl check to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use knife ssl fetch to make knife trust the server's certificates.
And still the "check" returns normally:
mqian@chefwork:~/chef-repo$ knife ssl check
Connecting to host chefserver:443
Successfully verified certificates from `chefserver'
and "fetch" returns normally too:
mqian@chefwork:~/chef-repo$ knife ssl fetch
WARNING: Certificates from chefserver will be fetched and placed in your trusted_cert
directory (/home/mqian/chef-repo/.chef/trusted_certs).
Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.
Adding certificate for chefserver in /home/mqian/chef-repo/.chef/trusted_certs/chefserver.crt
mqian@chefwork:~/chef-repo$ knife ssl fetch
WARNING: Certificates from chefserver.example.com will be fetched and placed in your trusted_cert
directory (/home/mqian/chef-repo/.chef/trusted_certs).
Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.
Adding certificate for chefserver in /home/mqian/chef-repo/.chef/trusted_certs/chefserver.crt
mqian@chefwork:~/chef-repo$ knife ssl cehck
FATAL: Cannot find sub command for: 'ssl cehck'
Available ssl subcommands: (for details, knife SUB-COMMAND --help)
mqian@chefwork:~/chef-repo$ knife client list
ERROR: Service temporarily unavailable
/opt/chefdk/embedded/lib/ruby/2.1.0/net/http/response.rb:325:in `stream_check': undefined method `closed?' for nil:NilClass (NoMethodError)
from /opt/chefdk/embedded/lib/ruby/2.1.0/net/http/response.rb:199:in `read_body'
from /opt/chefdk/embedded/lib/ruby/2.1.0/net/http/response.rb:226:in `body'
from /opt/chefdk/embedded/apps/chef/lib/chef/knife.rb:507:in `rescue in format_rest_error'
from /opt/chefdk/embedded/apps/chef/lib/chef/knife.rb:505:in `format_rest_error'
from /opt/chefdk/embedded/apps/chef/lib/chef/knife.rb:485:in `humanize_http_exception'
from /opt/chefdk/embedded/apps/chef/lib/chef/knife.rb:435:in `humanize_exception'
from /opt/chefdk/embedded/apps/chef/lib/chef/knife.rb:426:in `rescue in run_with_pretty_exceptions'
from /opt/chefdk/embedded/apps/chef/lib/chef/knife.rb:417:in `run_with_pretty_exceptions'
from /opt/chefdk/embedded/apps/chef/lib/chef/knife.rb:214:in `run'
from /opt/chefdk/embedded/apps/chef/lib/chef/application/knife.rb:142:in `run'
from /opt/chefdk/embedded/apps/chef/bin/knife:25:in `<top (required)>'
from /opt/chefdk/bin/knife:51:in `load'
from /opt/chefdk/bin/knife:51:in `<main>'
Certificate directory: /opt/chefdk/embedded/ssl/certs
Chef SSL Configuration:
ssl_ca_path: nil
ssl_ca_file: nil
trusted_certs_dir: "/home/mqian/chef-repo/.chef/trusted_certs"
WARNING: There are invalid certificates in your trusted_certs_dir.
OpenSSL will not use the following certificates when verifying SSL connections:
/home/mqian/chef-repo/.chef/trusted_certs/chefserver.crt: certificate is not yet valid
TO FIX THESE WARNINGS:
We are working on documentation for resolving common issues uncovered here.
If the certificate is generated by the server, you may try redownloading the
server’s certificate. By default, the certificate is stored in the following
location on the host where your chef-server runs:
/var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt
Copy that file to your trusted_certs_dir (currently: /home/mqian/chef-repo/.chef/trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server’s certificate is now trusted.
Connecting to host chefserver.example.com:443
ERROR: The SSL certificate of chefserver.example.com could not be verified
Certificate issuer data: /C=US/ST=WA/L=Seattle/O=YouCorp/OU=Operations/CN=chefserver/emailAddress=you@example.com
If the server you are connecting to uses a self-signed certificate, you must
configure chef to trust that server’s certificate.
By default, the certificate is stored in the following location on the host
where your chef-server runs:
/var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt
Copy that file to your trusted_certs_dir (currently: /home/mqian/chef-repo/.chef/trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server’s certificate is now trusted.
I then followed the instructions above to manually copy the chefserver.crt over and ran the check again. I always got the same check result with the error, and running client list gave the same result…
That's expected: fetch gets only the chef certificate. You'll have to get the proxy certificate which, doing a MITM, will be the CA for the server certificate.
The best option is to use a browser to open the server webui if you have it, or any other https site, then in your browser show the certificates and save them to a file as x509 in the trusted_certs dir (last time I tried I had to add it to the chef cacert.pem file for this case).
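The two replies above point at two distinct causes behind the same knife error: a certificate that `knife ssl check` reports as "not yet valid" (the validity window against the workstation clock), and a fetched server certificate whose issuer is an intercepting proxy's CA that `knife ssl fetch` never retrieves, so the chain in trusted_certs is incomplete. The Ruby script below is an added example, not part of the thread and not Chef's or knife's own code; it builds a constructed proxy-CA/server-certificate scenario in memory so it runs offline, and the helper names (`make_cert`, `check_certs`, `report`, `load_trusted_certs`) and the constructed subject names are assumptions. It runs on the same OpenSSL bindings the ChefDK Ruby uses.

```ruby
require 'openssl'

# Added example: audit PEM certificates such as those in .chef/trusted_certs for
# the two conditions seen in this thread. All certificates are constructed in
# memory so the script needs no network access and no real chef-server.

# Build a certificate. When `issuer` (a {cert:, key:} hash) is given the
# certificate is signed by it, otherwise it is self-signed.
def make_cert(subject, issuer: nil, not_before: Time.now - 3600, days: 365, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..(2**31))
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_before + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[:cert] : cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  { cert: cert, key: key }
end

# Read every *.crt in a trusted_certs directory (what knife ssl fetch writes).
def load_trusted_certs(dir)
  Dir.glob(File.join(dir, '*.crt')).map { |f| OpenSSL::X509::Certificate.new(File.read(f)) }
end

def cn_of(name)
  entry = name.to_a.assoc('CN')
  entry ? entry[1] : name.to_s
end

# For each certificate: is it inside its validity window right now, is it
# self-signed, and if not, is the certificate that actually signed it present
# in the same set? A missing issuer is exactly the intercepting-proxy case.
def check_certs(certs, now: Time.now)
  certs.map do |cert|
    validity = if now < cert.not_before then :not_yet_valid
               elsif now > cert.not_after then :expired
               else :valid
               end
    self_signed = cert.issuer.to_der == cert.subject.to_der && cert.verify(cert.public_key)
    issuer_in_set = certs.any? do |c|
      c.subject.to_der == cert.issuer.to_der && cert.verify(c.public_key)
    end
    {
      cn: cn_of(cert.subject),
      issuer_cn: cn_of(cert.issuer),
      validity: validity,
      self_signed: self_signed,
      chain_complete: self_signed || issuer_in_set
    }
  end
end

# One human-readable line per certificate, mirroring the knife ssl check wording.
def report(certs, now: Time.now)
  check_certs(certs, now: now).map do |r|
    notes = []
    notes << 'certificate is not yet valid (check the workstation clock)' if r[:validity] == :not_yet_valid
    notes << 'certificate has expired' if r[:validity] == :expired
    notes << "issuer '#{r[:issuer_cn]}' is not in the directory: fetch the issuing (proxy) CA too" unless r[:chain_complete]
    "#{r[:cn]}: #{notes.empty? ? 'ok' : notes.join('; ')}"
  end
end

# Constructed scenario: a corporate proxy CA, the chef-server certificate as
# re-issued by that proxy, and a self-signed chef-server certificate whose
# not_before lies a week in the future (clock skew between server and workstation).
def sample_scenario(now: Time.now)
  proxy_ca = make_cert('/C=US/O=ExampleCorp/CN=corp-proxy-ca', ca: true, not_before: now - 86_400)
  intercepted = make_cert('/C=US/O=YouCorp/CN=chefserver', issuer: proxy_ca, not_before: now - 3600)
  skewed = make_cert('/C=US/O=YouCorp/CN=chefserver', not_before: now + 7 * 86_400)
  { proxy_ca: proxy_ca[:cert], intercepted: intercepted[:cert], skewed: skewed[:cert] }
end

if __FILE__ == $PROGRAM_NAME
  s = sample_scenario
  puts report([s[:intercepted], s[:skewed]])   # both flagged
  puts report([s[:intercepted], s[:proxy_ca]]) # proxy CA present, chain complete
  # Against a real workstation: puts report(load_trusted_certs('.chef/trusted_certs'))
end
```

Pointing `load_trusted_certs` at a real `.chef/trusted_certs` directory shows, for the fetched `chefserver.crt`, whether the issuer printed by knife is the chef-server's own self-signed name or a proxy CA that still has to be added alongside it; the "not yet valid" line is the one to compare against `date` on both the workstation and the server before touching any certificate files.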