On Thu Dec 18 2014 at 11:16:01 AM Daniel DeLeo dan@kallistec.com wrote:
On Thursday, December 18, 2014 at 9:58 AM, Ryan Kelley wrote:
i'm running into this issue with the out of the box install of ChefDK on
both a OSX system and Ubuntu. using chef generate cookbook and getting the
default .kitchen.yml file and then running kitchen create to pull down and
create the box. i'm getting an error at what i'm assuming is the embedded
curl operation to pull down opscode ubuntu or centos box i get this
------Exception-------
Class: Kitchen::ActionFailed
Message: Failed to complete #create action: [Expected
process to exit with [0], but received '1'
---- Begin output of vagrant up --no-provision --provider=virtualbox ----
STDOUT: Bringing machine 'default' up with 'virtualbox' provider...
==> default: Box 'opscode-ubuntu-12.04' could not be found. Attempting
to find and install...
default: Box Provider: virtualbox
default: Box Version: >= 0
==> default: Adding box 'opscode-ubuntu-12.04' (v0) for provider:
virtualbox
default: Downloading: https://opscode-vm-bento.s3.amazonaws.com/vagrant/
virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box
SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option
this has to be a bug seeing that myself and other co-workers are getting
the same error with DK 3.5.1 .
i have tried adding the embedded SSL cert in the chefdk package to my
local cert store , no dice. on my mac i have set insecure globally for curl
in .curlrc which works ( i dont want this to be the fix) ,that does not
work on my linux machines. i'm running the support versions of ubuntu for
DK. really need to figure out what i'm doing wrong and how to fix it.
thanks
Ryan
Can you determine which copy of curl vagrant is using, and what CA cert
bundle curl is using? Also, are you unable to make any HTTPS requests, or
just to S3, e.g., what does curl -I https://google.com say?
I wonder if this is the same issue as Chef Software, Inc. · GitHub
chef-dk/issues/199#issuecomment-60644778 In short, some root certs got
removed from the curl CA bundle because they’re using SHA1, but AWS’s cert
is signed by one of these, so you need it.
how do i find how vagrant is calling curl ?
I poked around in the /Applications/Vagrant directory on my mac and it looks like vagrant is bundling its own version of curl and its own cacert.pem (though I haven’t upgraded vagrant in forever, I have 1.4.2). Are you always seeing the errors from vagrant downloading boxes from S3 like in your original post, or do you get them during other operations as well? If you’re only seeing errors from vagrant, it’s possible they got bit by the Curl CA cert thing I linked. You might want to peruse their issue tracker to see if it’s been reported and fixed.
how do i find how vagrant is calling curl ?
I poked around in the /Applications/Vagrant directory on my mac and it looks like vagrant is bundling its own version of curl and its own cacert.pem (though I haven’t upgraded vagrant in forever, I have 1.4.2). Are you always seeing the errors from vagrant downloading boxes from S3 like in your original post, or do you get them during other operations as well? If you’re only seeing errors from vagrant, it’s possible they got bit by the Curl CA cert thing I linked. You might want to peruse their issue tracker to see if it’s been reported and fixed.
I poked around in the /Applications/Vagrant directory on my mac and it looks
like vagrant is bundling its own version of curl and its own cacert.pem
(though I haven’t upgraded vagrant in forever, I have 1.4.2). Are you always seeing the errors from vagrant downloading boxes from S3 like in
your original post, or do you get them during other operations as well? If
you’re only seeing errors from vagrant, it’s possible they got bit by the
Curl CA cert thing I linked. You might want to peruse their issue tracker to
see if it’s been reported and fixed.