Hope someone can help me out with this.
On the Node:
I downloaded the certs from our private CA and copied them to /etc/pki/ca-trust/source/anchors
did an update-ca-trust
update-ca-trust enable
Error:
Unexpected Error:
OpenSSL::SSL::SSLError: SSL Error connecting to https://chefdevserver.comt.net/organizations/nonprod-corp/nodes/node1 - SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate)
Temporary Fix:
If I copy the certs from that location to /opt/chef/embedded/ssl/certs and rename it to cacerts.pem, everything works.
Problem:
This is not something I can do for every node I want to bootstrap. This would be a manual process.
How can I get Chef to import the right certs?
Is there somewhere on the Chef server I can put these certs that the node can grab them from?
When are you encountering this issue? When trying to bootstrap?
I had a similar problem to this due to our internal PKI not being publicly signed when trying to install Ruby gems. I took a copy of that cacerts.pem file and added it to my base cookbook as a template so it gets applied to all my nodes. All of the root certs in this file will outlive most of my servers by a huge amount of time, so I just update my template as new versions of the chef-client are updated.
Alternatively, if you don't want to do that, you could put your certs in a file and then append them to the end of that cacert.pem file using echo cert.file >> /opt/chef/embedded/ssl/certs/cacerts.pem
Thanks Larry, that's what I ended up doing. A lot of trial and error to get to that. I was hoping that Chef would see them in the trusted CA list so I could create my servers with the certs before Chef was installed. If I have to count on the cacerts.pem in the Chef location, I have to bootstrap using --node-ssl-verify-mode none.
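As an added example (not code from this thread or from Chef itself) of the append approach Larry describes, done idempotently so it can run from a base cookbook on every chef-client run without growing the bundle, and with a check that the server cert now verifies against it. The CA, the server certificate and the bundle contents are constructed samples; the bundle path is the one named in the thread.

```ruby
require 'openssl'
require 'tmpdir'

# Bundle path Chef's embedded Ruby reads, as named in the thread.
CHEF_BUNDLE = '/opt/chef/embedded/ssl/certs/cacert.pem'

# Constructed sample certificate: a self-signed CA when +issuer+ is nil,
# otherwise a server cert signed by +issuer_key+. Not a real PKI.
def build_cert(cn, issuer = nil, issuer_key = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  c = OpenSSL::X509::Certificate.new
  c.version, c.serial = 2, rand(1 << 31)
  c.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  c.issuer = issuer ? issuer.subject : c.subject
  c.public_key = key.public_key
  c.not_before, c.not_after = Time.now - 60, Time.now + 3600
  unless issuer
    ef = OpenSSL::X509::ExtensionFactory.new(c, c)
    c.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  c.sign(issuer_key || key, OpenSSL::Digest::SHA256.new)
  [c, key]
end

# Append the private CA to the bundle only if its SHA-256 fingerprint is
# not already there, so repeated runs do not keep appending copies.
def ensure_ca_in_bundle(ca, bundle_path = CHEF_BUNDLE)
  fp = OpenSSL::Digest::SHA256.hexdigest(ca.to_der)
  text = File.exist?(bundle_path) ? File.read(bundle_path) : ''
  pems = text.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
  known = pems.map { |p| OpenSSL::Digest::SHA256.hexdigest(OpenSSL::X509::Certificate.new(p).to_der) }
  return :present if known.include?(fp)
  File.open(bundle_path, 'a') { |f| f.write("\n# #{ca.subject}\n", ca.to_pem) }
  :added
end

# True when +leaf+ chains to a CA in the bundle; a missing issuer is the
# "unable to get issuer certificate" failure quoted in the thread.
def verify_with_bundle(leaf, bundle_path = CHEF_BUNDLE)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path)
  store.verify(leaf)
end
```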