OpenSSL::SSL::SSLError

I am all of a sudden getting the following error…

[2016-06-07T08:55:42-05:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2016-06-07T08:55:42-05:00] FATAL: OpenSSL::SSL::SSLError: machine_batch[default] (@recipe_files::C:/GIT Repositories/cookbook-relativity_scaled-automation/recipes/automated_build_cluster_parallel.rb line 72) had an error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

The StackTrace

Generated at 2016-06-07 08:55:42 -0500
OpenSSL::SSL::SSLError: machine_batch[default] (@recipe_files::C:/GIT Repositories/cookbook-relativity_scaled-automation/recipes/automated_build_cluster_parallel.rb line 72) had an error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
C:/Ruby21-x64/lib/ruby/2.1.0/net/http.rb:923:in `connect'
C:/Ruby21-x64/lib/ruby/2.1.0/net/http.rb:923:in `block in connect'
C:/Ruby21-x64/lib/ruby/2.1.0/timeout.rb:75:in `timeout'
C:/Ruby21-x64/lib/ruby/2.1.0/net/http.rb:923:in `connect'
C:/Ruby21-x64/lib/ruby/2.1.0/net/http.rb:863:in `do_start'
C:/Ruby21-x64/lib/ruby/2.1.0/net/http.rb:852:in `start'
C:/Ruby21-x64/lib/ruby/2.1.0/net/http.rb:583:in `start'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/vmware-vra-1.6.1/lib/vra/http.rb:39:in `call'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/vmware-vra-1.6.1/lib/vra/http.rb:7:in `execute'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/vmware-vra-1.6.1/lib/vra/client.rb:172:in `http_post'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/vmware-vra-1.6.1/lib/vra/client.rb:103:in `generate_bearer_token'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/vmware-vra-1.6.1/lib/vra/client.rb:87:in `authorize!'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/vmware-vra-1.6.1/lib/vra/client.rb:118:in `http_fetch'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/vmware-vra-1.6.1/lib/vra/client.rb:135:in `http_get'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/vmware-vra-1.6.1/lib/vra/client.rb:139:in `http_get!'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/vmware-vra-1.6.1/lib/vra/client.rb:144:in `get_parsed'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/vmware-vra-1.6.1/lib/vra/catalog_item.rb:45:in `fetch_catalog_item'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/vmware-vra-1.6.1/lib/vra/catalog_item.rb:38:in `initialize'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/vmware-vra-1.6.1/lib/vra/catalog_request.rb:36:in `new'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/vmware-vra-1.6.1/lib/vra/catalog_request.rb:36:in `initialize'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/vmware-vra-1.6.1/lib/vra/catalog.rb:38:in `new'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/vmware-vra-1.6.1/lib/vra/catalog.rb:38:in `request'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/chef-provisioning-vra-0.3.0/lib/chef/provisioning/vra_driver/driver.rb:162:in `catalog_request'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/chef-provisioning-vra-0.3.0/lib/chef/provisioning/vra_driver/driver.rb:143:in `create_resource'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/chef-provisioning-vra-0.3.0/lib/chef/provisioning/vra_driver/driver.rb:58:in `block in allocate_machine'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/chef-12.10.24-universal-mingw32/lib/chef/mixin/why_run.rb:52:in `add_action'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/chef-12.10.24-universal-mingw32/lib/chef/provider.rb:176:in `converge_by'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/chef-provisioning-1.7.1/lib/chef/provisioning/chef_provider_action_handler.rb:54:in `perform_action'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/chef-provisioning-1.7.1/lib/chef/provisioning/add_prefix_action_handler.rb:31:in `perform_action'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/chef-provisioning-vra-0.3.0/lib/chef/provisioning/vra_driver/driver.rb:57:in `allocate_machine'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/chef-provisioning-1.7.1/lib/chef/provisioning/driver.rb:241:in `block in allocate_machines'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/chef-12.10.24-universal-mingw32/lib/chef/chef_fs/parallelizer/parallel_enumerable.rb:267:in `call'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/chef-12.10.24-universal-mingw32/lib/chef/chef_fs/parallelizer/parallel_enumerable.rb:267:in `process_input'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/chef-12.10.24-universal-mingw32/lib/chef/chef_fs/parallelizer/parallel_enumerable.rb:257:in `process_one'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/chef-12.10.24-universal-mingw32/lib/chef/chef_fs/parallelizer.rb:93:in `call'
C:/Ruby21-x64/lib/ruby/gems/2.1.0/gems/chef-12.10.24-universal-mingw32/lib/chef/chef_fs/parallelizer.rb:93:in `worker_loop'

I’ve since upgraded to the latest chefdk, still got same issues. And I’ve configured my knife.rb to:

ssl_verify_mode :verify_none
trusted_certs_dir "#{current_dir}/trusted_certs"

I’m not sure what else to try…

Try setting verify_ssl to false in your chef-provisioning-vra driver config. That controls the SSL validation level between you and the VRA server, which looks like where things are breaking down in your stack trace. The ssl_verify_mode in your knife.rb would likely have no effect here since that controls the validation level between you and your chef server.

@Matt_Wrock

I am facing a similar issue when using chef-provisioning-aws to provision a Windows box. I tried using option ssl_verify_mode: :verify_none under convergence options in machine resource but it doesn’t work and I still get the error. How to bypass the SSL verification now? Or do I need to place the chef server cert on my box before the chef client run? I thought it would automatically do an SSL cert fetch after client installation and before chef-client run?

Please help!

Thanks.

Setting ssl_verify_mode: :verify_none in the convergence options should allow your node to reach your chef server. The error displayed above is coming from the SSL connection between the machine running provisioning and the vRA server. See the vra driver readme regarding how to set SSL options there. In short it looks something like:

driver_options username: 'my@email.address',
               password: 's00pers33cret',
               tenant: 'vsphere.local',
               verify_ssl: false,
               max_wait_time: 1800

Yes. That worked after I re-did the converge from beginning (removed old node, re-ran the recipe to create new node).
Thanks!
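
An added example, not part of any post in this thread and not code from the vmware-vra or chef-provisioning-vra gems: one common cause of `certificate verify failed` is that the server's issuing CA is missing from the client's trust store. The sketch below reproduces that offline with Ruby's OpenSSL bindings and shows verification passing once the CA is added, with `VERIFY_PEER` left on. The CA, the hostname `vra.example.test` and all helper names are constructed for illustration.

```ruby
require 'openssl'
require 'net/http'

# Build a short-lived certificate (constructed sample data, not from the thread).
# Without an issuer the certificate is self-signed, i.e. a private root CA.
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Returns [verified?, OpenSSL error code, error string] for cert against store.
def check(store, cert)
  ok = store.verify(cert)
  [ok, store.error, store.error_string]
end

# Verify a server certificate before and after its issuing CA is trusted.
def trust_store_demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Constructed Internal CA', ca_key, ca: true)
  leaf = make_cert('vra.example.test', OpenSSL::PKey::RSA.new(2048),
                   issuer_cert: ca, issuer_key: ca_key, serial: 2)
  store = OpenSSL::X509::Store.new # empty store: the internal CA is unknown
  before = check(store, leaf)
  store.add_cert(ca)               # trust the CA; verification stays enabled
  after = check(store, leaf)
  { before: before, after: after, store: store }
end

# Net::HTTP client that keeps VERIFY_PEER on and validates against the store.
def https_client(host, store)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = store
  http
end

result = trust_store_demo
puts "before: #{result[:before].inspect}"
puts "after:  #{result[:after].inspect}"
```

`https_client` only builds the client object and does not connect; whether a given gem lets you pass in such a store is not covered by this thread.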