Knife ssl check succeeds but knife user list fails


#1

I ran knife ssl fetch.
Then I ran knife ssl check successfully:
$ knife ssl check
Connecting to host chef12.mycompany.com:443
Successfully verified certificates from `chef12.mycompany.com

But the following command fails:
$ knife user list
ERROR: SSL Validation failure connecting to host: chef12.mycompany.com - SSLect returned=1 errno=0 state=error: certificate verify failed

Thanks in advance for any tips to fix this.


#2

knife.rb in the chef-repo/.chef directory on my Chef DK workstation points to user.pem, org-validator.pem, and Chef server’s URL. When I use knife to communicate with my Chef server, are the following statements true?

  1. user.pem is my private key. Its public key is stored on the Chef server. user.pem proves to the Chef server who I am. Success of knife ssl check means user.pem and Chef server’s .crt are OK. Does this command also use the org-validator.pem?

  2. org-validator.pem is a private key (its public key is stored on the Chef server). It tells Chef server which org the knife commands target.


#3

Do you have both chef and chefdk installed? That can lead to conflicts like this.

Also, are you using a self-signed certificate? I note that you used a .com FQDN, so it may not be self-signed (or it’s an artifact of what you chose as your domain name). If not, knife ssl fetch is the wrong tool. Instead, edit the file /opt/chef/embedded/certs/cacert.pem and append the CA that issued your certificate. Do the same for the corresponding file in /opt/chefdk .

Kevin Keane
The NetTech
http://www.4nettech.com
Our values: Privacy, Liberty, Justice
See https://www.4nettech.com/corp/the-nettech-values.html


#4

Kevin, my Chef server and my Chef DK are installed on 2 separate Linux VMs. The Chef server uses a self-signed .crt. Regardless of self-signed or signed by a CA like Verisign, why does “knife ssl check” run without problems but “knife node list” complains “ssl validation failure”?


#5

I wasn’t talking about the chef server, but the chef client.

The chef DK is a superset of the chef client, so you don’t need both.

Yes, knife ssl verify succeeding while knife node list fails had surprised me, too. My guess had been that for some reason one or the other of these commands may have used a plugin from chef client instead of the chef DK.

Kevin Keane
The NetTech
760-721-8339
http://www.4nettech.com
Our values: Privacy, Liberty, Justice
See https://www.4nettech.com/corp/the-nettech-values.html


#6

I installed Chef DK on this Linux VM. I didn’t bootstrap it (which would install another Chef client on it I suppose). The output of the following commands points to the chefdk installation and not another Chef client installation. Any other ways to check?

“which knife” says /opt/chefdk/embedded/bin/knife

“which chef” says /opt/chefdk/embedded/bin/chef

“which chef-client” says /opt/chefdk/embedded/bin/chef-client