Re: Re: ChefDK and Test Kitchen SSL issue


#1

using straight curl alone seems to work fine. i had a co-worker confirm
also.

rykelley@EOS01:~$ curl -I https://opscode-omnibus-packages.s3.amazonaws.com/windows/2008r2/x86_64/chefdk-0.3.5-1.msi
HTTP/1.1 200 OK
x-amz-id-2: w6BxBcDRByJUndEiNPu8sEXVmdsKx/r6XweQXrTmX7nVk5U3NyzJ1qw0s8+FT2soQfjHUBSn+9E=
x-amz-request-id: 855D326C32841822
Date: Thu, 18 Dec 2014 18:52:41 GMT
Last-Modified: Fri, 14 Nov 2014 02:57:44 GMT
ETag: "39a194da347481a41f88f0b02bc0fcc6"
Accept-Ranges: bytes
Content-Type: application/x-msi
Content-Length: 229429754
Server: AmazonS3

How do I find how vagrant is calling curl?

On Thu Dec 18 2014 at 11:16:01 AM Daniel DeLeo dan@kallistec.com wrote:

On Thursday, December 18, 2014 at 9:58 AM, Ryan Kelley wrote:

I’m running into this issue with the out-of-the-box install of ChefDK on
both an OSX system and Ubuntu. Using chef generate cookbook and getting the
default .kitchen.yml file and then running kitchen create to pull down and
create the box, I’m getting an error at what I’m assuming is the embedded
curl operation to pull down the opscode ubuntu or centos box. I get this:

------Exception-------
Class: Kitchen::ActionFailed
Message: Failed to complete #create action: [Expected
process to exit with [0], but received ‘1’

---- Begin output of vagrant up --no-provision --provider=virtualbox ----
STDOUT: Bringing machine ‘default’ up with ‘virtualbox’ provider…
==> default: Box ‘opscode-ubuntu-12.04’ could not be found. Attempting
to find and install…
default: Box Provider: virtualbox
default: Box Version: >= 0
==> default: Adding box ‘opscode-ubuntu-12.04’ (v0) for provider:
virtualbox
default: Downloading: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box

SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option

This has to be a bug, seeing that myself and other co-workers are getting
the same error with DK 3.5.1.
I have tried adding the embedded SSL cert in the chefdk package to my
local cert store, no dice. On my Mac I have set insecure globally for curl
in .curlrc, which works (I don’t want this to be the fix); that does not
work on my Linux machines. I’m running the support versions of Ubuntu for
DK. Really need to figure out what I’m doing wrong and how to fix it.
Thanks
Ryan

Can you determine which copy of curl vagrant is using, and what CA cert
bundle curl is using? Also, are you unable to make any HTTPS requests, or
just to S3, e.g., what does curl -I https://google.com say?

I wonder if this is the same issue as
https://github.com/opscode/chef-dk/issues/199#issuecomment-60644778
In short, some root certs got removed from the curl CA bundle because
they’re using SHA1, but AWS’s cert is signed by one of these, so you need it.


Daniel DeLeo


#2

On Thursday, December 18, 2014 at 10:54 AM, Ryan Kelley wrote:

using straight curl alone seems to work fine. i had a co-worker confirm also.

rykelley@EOS01:~$ curl -I https://opscode-omnibus-packages.s3.amazonaws.com/windows/2008r2/x86_64/chefdk-0.3.5-1.msi
HTTP/1.1 200 OK
x-amz-id-2: w6BxBcDRByJUndEiNPu8sEXVmdsKx/r6XweQXrTmX7nVk5U3NyzJ1qw0s8+FT2soQfjHUBSn+9E=
x-amz-request-id: 855D326C32841822
Date: Thu, 18 Dec 2014 18:52:41 GMT
Last-Modified: Fri, 14 Nov 2014 02:57:44 GMT
ETag: "39a194da347481a41f88f0b02bc0fcc6"
Accept-Ranges: bytes
Content-Type: application/x-msi
Content-Length: 229429754
Server: AmazonS3

how do i find how vagrant is calling curl ?

I poked around in the /Applications/Vagrant directory on my mac and it looks like vagrant is bundling its own version of curl and its own cacert.pem (though I haven’t upgraded vagrant in forever, I have 1.4.2). Are you always seeing the errors from vagrant downloading boxes from S3 like in your original post, or do you get them during other operations as well? If you’re only seeing errors from vagrant, it’s possible they got bit by the Curl CA cert thing I linked. You might want to peruse their issue tracker to see if it’s been reported and fixed.


Daniel DeLeo
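
An added example, not part of anyone's post in this thread: a shell sketch of the check discussed above, listing every embedded curl and CA bundle under an install tree and testing each pairing against the failing host. The function names and the script arguments are assumptions; `/Applications/Vagrant` is the directory named in the post.

```shell
#!/bin/sh
# Usage (assumed): sh which-ca.sh /Applications/Vagrant https://opscode-vm-bento.s3.amazonaws.com/

# List every executable file named "curl" under a tree (embedded copies included).
find_curls() {
    find "$1" -type f -name curl -perm -100 2>/dev/null | sort
}

# List candidate CA bundles under a tree, by their common file names.
find_bundles() {
    find "$1" -type f \( -name 'cacert.pem' -o -name 'ca-bundle.crt' \
        -o -name 'ca-certificates.crt' \) 2>/dev/null | sort
}

# Count the PEM certificates in a bundle; a bundle that lost roots shows a lower count.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# HEAD request with one specific curl binary and one specific bundle.
# Prints "ok" or "fail(<curl exit code>)"; exit code 60 is the
# certificate verification failure seen in the error output.
probe() { # probe <curl> <bundle> <url>
    if "$1" --cacert "$2" -sS -I -o /dev/null "$3" </dev/null 2>/dev/null; then
        echo ok
    else
        echo "fail($?)"
    fi
}

# Try every curl/bundle pairing found under the install directory.
report() { # report <install dir> <url>
    find_curls "$1" | while IFS= read -r c; do
        find_bundles "$1" | while IFS= read -r b; do
            printf '%s\t%s (%s certs)\t%s\n' \
                "$c" "$b" "$(count_certs "$b")" "$(probe "$c" "$b" "$2")"
        done
    done
}

if [ "$#" -ge 2 ]; then
    report "$1" "$2"
fi
```

A pairing that prints `fail(60)` while the system curl succeeds with the system bundle points at the embedded bundle rather than at the server.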


#3

Looks like this issue was just fixed

Sent from my iPad



#4

Yes, I had it in test-kitchen too (same stacktrace as first mail in
this thread) and can tell that this is now fixed with Vagrant 1.7.2

Cheers, Torben

On Wed, Jan 7, 2015 at 5:06 AM, Ryan Kelley rykelley@gmail.com wrote:

https://github.com/mitchellh/vagrant/issues/5001#issuecomment-68931516

Looks like this issue was just fixed

Sent from my iPad
