OpenSSL::SSL::SSLError: certificate verify failed

I get the following error when I attempt a chef run from a Linux server:

OpenSSL::SSL::SSLError
----------------------
SSL_connect returned=1 errno=0 state=error: certificate verify failed

If I run the following:

knife ssl fetch

I get the following output:

[engineering@SERVERNAME cookbook-relativity_scaled-automation]$ knife ssl fetch
WARNING: Certificates from chef.SERVERNAME.com will be fetched and placed in your trusted_cert
directory (/home/engineering/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for *.SERVERNAME.com in /home/engineering/.chef/trusted_certs/wildcard_SERVERNAME_com.crt
Adding certificate for DigiCert High Assurance EV Root CA in /home/engineering/.chef/trusted_certs/DigiCert_High_Assurance_EV_Root_CA.crt
Adding certificate for DigiCert SHA2 High Assurance Server CA in /home/engineering/.chef/trusted_certs/DigiCert_SHA2_High_Assurance_Server_CA.crt

Looks promising. I can run

knife node list
knife client list
knife cookbook list

and all of them give me what I expect. I then run:

knife ssl check

And I get the following output:

[engineering@SERVERNAME cookbook-relativity_scaled-automation]$ knife ssl check

Configuration Info:

OpenSSL Configuration:
* Version: OpenSSL 1.0.1t  3 May 2016
* Certificate file: /opt/chefdk/embedded/ssl/cert.pem
* Certificate directory: /opt/chefdk/embedded/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: nil
* trusted_certs_dir: "/home/engineering/.chef/trusted_certs"
WARNING: There are invalid certificates in your trusted_certs_dir.
OpenSSL will not use the following certificates when verifying SSL connections:

/home/engineering/.chef/trusted_certs/wildcard_consilio_com.crt: unable to get local issuer certificate
/home/engineering/.chef/trusted_certs/DigiCert_SHA2_High_Assurance_Server_CA.crt: unable to get local issuer certificate
/home/engineering/.chef/trusted_certs/wildcard_SERVERNAME.crt: unable to get local issuer certificate


TO FIX THESE WARNINGS:

We are working on documentation for resolving common issues uncovered here.

* If the certificate is generated by the server, you may try redownloading the
server's certificate. By default, the certificate is stored in the following
location on the host where your chef-server runs:

  /var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to your trusted_certs_dir (currently: /home/engineering/.chef/trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server's certificate is now trusted.

Connecting to host chef.SERVERNAME.com:443
Successfully verified certificates from `chef.SERVERNAME.com'

So, when I attempt to run my provisioning script, I get the Certificate Verify Failed error.

Any assistance would be greatly appreciated!!

Thank You!

This is my knife.rb file:

log_level                :info
log_location             STDOUT
node_name                'kxmoss'
client_key               '/home/engineering/.chef/kxmoss.pem'
validation_client_name   'SERVER-dev-validator'
validation_key           '/home/engineering/.chef/SERVER-dev-validator.pem'
chef_server_url          'https://chef.SERVER.com/organizations/SERVER-dev'
syntax_check_cache_path  '/home/engineering/.chef/syntax_check_cache'
ssl_verify_mode          :verify_none
driver_options           username: 'kxmoss@consilio.com',
                         password: 'PASSWORD',
                         tenant: 'Engineering',
                         verify_ssl: false,
                         max_wait_time: 1800

Where does the provisioning script run, and which HTTP call raises the error? The local knife ssl fetch will affect calls to the chef server from your workstation and therefore takes care of problems reaching out to the server to create the node object, assuming your provisioning runs locally. Later in the provisioning, the node may try to reach out to the server to pull cookbook files in order to execute its runlist. So the node itself either needs the server’s cert in its own trusted certs or you need the node to disable certificate verification.
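
The two options named in the reply above (give the client the server's certificate to trust, or turn verification off) behave very differently, and the difference is easy to see with a small script. The following is an added example, not code from the thread, from Chef, or from the chef-provisioning driver: it builds a constructed private CA and a server certificate for the made-up name chef.example.test, runs a real OpenSSL handshake over an in-process socket pair instead of against a Chef server, and mirrors knife.rb's ssl_verify_mode values with OpenSSL's VERIFY_PEER and VERIFY_NONE, which is the one assumption the example rests on.

```ruby
require 'openssl'
require 'socket'

# Constructed demo PKI: one private root CA and one server certificate signed
# by it. This is not the DigiCert chain from the thread and not a Chef server.
def make_cert(cn, key, serial, issuer: nil, ca: false)
  issuer_cert, issuer_key = issuer # nil for a self-signed CA
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Client context modelled on knife.rb's ssl_verify_mode (assumed mapping onto
# OpenSSL's constants). trusted_certs plays the role of the certificates knife
# loads from trusted_certs_dir. :verify_peer fails the handshake unless the
# server's chain ends in one of them; :verify_none accepts any certificate.
def client_context(mode, trusted_certs)
  store = OpenSSL::X509::Store.new
  trusted_certs.each { |c| store.add_cert(c) }
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store = store
  ctx.verify_mode = (mode == :verify_none ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER)
  ctx
end

# Run a real TLS handshake between two OpenSSL endpoints over an in-process
# socket pair (no network). Returns whether the client connected, the error it
# raised, and the chain verdict OpenSSL recorded for the server certificate.
def tls_handshake(server_cert, server_key, client_ctx)
  server_io, client_io = UNIXSocket.pair
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = server_cert
  server_ctx.key = server_key
  server = OpenSSL::SSL::SSLSocket.new(server_io, server_ctx)
  client = OpenSSL::SSL::SSLSocket.new(client_io, client_ctx)
  server_thread = Thread.new do
    begin
      server.accept
    rescue StandardError
      nil # a client that rejects the certificate shows up here as a TLS alert
    end
  end
  result = { connected: false, error: nil, verify_result: nil }
  begin
    client.connect
    result[:connected] = true
  rescue OpenSSL::SSL::SSLError => e
    result[:error] = e.message
  end
  result[:verify_result] = client.verify_result # 0 is OpenSSL::X509::V_OK
  server_thread.join
  [client, server].each { |s| s.close rescue nil }
  [client_io, server_io].each(&:close)
  result
end

CA_KEY      = OpenSSL::PKey::RSA.new(2048)
CA_CERT     = make_cert('Example Private Root CA', CA_KEY, 1, ca: true)
SERVER_KEY  = OpenSSL::PKey::RSA.new(2048)
SERVER_CERT = make_cert('chef.example.test', SERVER_KEY, 2, issuer: [CA_CERT, CA_KEY])

# Three client configurations against the same server:
#   trusted_ca  - verify_peer with the CA in the trusted certs (what knife ssl fetch sets up)
#   missing_ca  - verify_peer with nothing trusted (the "certificate verify failed" case)
#   verify_none - ssl_verify_mode :verify_none (connects, chain verdict is still a failure)
def scenarios
  {
    trusted_ca:  tls_handshake(SERVER_CERT, SERVER_KEY, client_context(:verify_peer, [CA_CERT])),
    missing_ca:  tls_handshake(SERVER_CERT, SERVER_KEY, client_context(:verify_peer, [])),
    verify_none: tls_handshake(SERVER_CERT, SERVER_KEY, client_context(:verify_none, []))
  }
end

if __FILE__ == $PROGRAM_NAME
  scenarios.each { |name, r| puts "#{name}: #{r.inspect}" }
end
```

The missing_ca case raises the same OpenSSL::SSL::SSLError "certificate verify failed" text as the failed chef run, and adding the CA to the trusted list is what turns it into the trusted_ca case; that is the path knife ssl fetch and trusted_certs_dir are for. The verify_none case is the ssl_verify_mode :verify_none setting from the knife.rb in this thread: the handshake succeeds, but verify_result still records that no issuer could be found, so the client has accepted a certificate it could not validate and would accept one from an interposed host just the same. The example checks chain trust only and does not check that the certificate name matches the host the client meant to reach, which a real client must also do.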

I’m running from a Linux/CentOS machine remotely. What do you suggest for this?

We need to determine which machine is receiving the SSL error. Is it from your workstation to the chef server? From the new node to the chef server? From a provisioning node to the chef server? It’s difficult to tell based on the error output we have in this thread.

Looking at debug output and a stack trace can help to pinpoint these details.

Here is the output…

Chef run debug output

Hmm. I don’t see an SSL verification error there. It looks like it is talking to the chef server successfully but not finding the recipe to run.

let me look and see why I’m getting that…one sec

my bad, ran it from wrong directory :slight_smile:

Updated Chef Debug Output

OK, thanks. So it looks like this SSL error is coming from the connection between your workstation and your VMware vRA infrastructure. You either need to import the cert from your vRA server or set the chef-provisioning-vra driver option verify_ssl: false.

I figured out what it was: the latest version of vmware-vra, 1.61, is the issue. I am running vmware-vra 1.51 on my workstation, and when I set up the environment in Linux the gem that was installed was 1.61, and that version is what is throwing the error. After I removed it and installed 1.51, I’m no longer getting this error…

I’m pretty sure that version of vmware-vra was included when I downloaded the ChefDK. If that is the case, that may be an issue for more people than myself when they upgrade to the latest…idk